Anyone with AT and a CAN sniffer? - Toyota Yaris Forums

dj92 · 10-08-2013, 07:23 PM

Hi there,
I would like to use the unused parts of my instrument cluster, e.g. gear number by injecting packets on the CAN bus.

I have hardware to do so, however, I don't know anyone who has an XP9 with AT (it's rather seldom ordered with AT here in Germany).
I can't afford a gauge to fiddle around with (the one I'd like with VFD costs even used almost always at least 150€, about 200$; I guess the one with electromechanical tachometer would accept the same commands, but it would cost me still >50€ due to shipment costs), and even if I had one, I'm sure it would be a hard job to feed it manually with thousands of possible IDs before getting a reaction.

So I would like to ask if someone with an AT XP9 and a CAN sniffer (available at ebay from China for ~25€) would be so kind to try to find out where the gear information hides or at least make a log with the IDs used by the ECU

Hopefully someone can help me ;)

CTScott · 10-08-2013, 08:45 PM

I developed my own CAN sniffer and have reverse engineered a significant portion of the Toyota communications (beyond the simple OBD compliant comm.)

I can definitely help you out with this.

CTScott · 10-08-2013, 11:09 PM

OK - Here's what you can command the AT indicator to show. There is a 5 second timeout, so if you don't send another command within that time the indicator will go off.

blank 07C0:0530090000000000
L 07C0:0530090001000000
2 07C0:0530090002000000
3 07C0:0530090004000000
4 07C0:0530090008000000
D 07C0:0530090010000000
N 07C0:0530090020000000
R 07C0:0530090040000000
P 07C0:0530090080000000
5 07C0:0530090000020000
6 07C0:0530090000040000
7 07C0:0530090000080000
(CVT SPORT) 07C0:0530090000100000
(M) 07C0:0530090000200000
S 07C0:0530090000400000
B 07C0:0530090000800000

*tk-421* · 10-09-2013, 12:40 AM

dj92 · 10-09-2013, 06:49 AM

CTScott, you guy definitely rock!

Sadly, I could not manage to get it working yet with my CAN sniffer, maybe it needs some initialization.
However, I'll program my PIC32 and check whether it makes the job better than the crappy chinese software (sad to have to say it so)

CTScott · 10-09-2013, 07:42 AM

Just to verify, the 07C0 is what you have to set your transmitter address to.

I have a European digital cluster on hand. This morning I will try it with that to verify that it will respond to those same commands. I am fairly certain that it will, as it works as a direct replacement for the US cluster.

dj92 · 10-09-2013, 08:40 AM

Yup, I set it that way.
I think the sniffer is innocent, I remember having injected packets where I got responses that made sense (the same like when I accessed some ECUs with Techstream)

CTScott · 10-09-2013, 09:20 AM

I just tried the European digital cluster and it does not support these commands. It supports ones where I can make all of the digits (including the speedometer and odometer) indicate the numbers 0-9, but not commands to just tickle the gear indicator.

For the heck of it try the following:

07C0:05300A0000200000 (should put the gear indicator as 9 and the odo as all 9's)
07C0:05300A0000400000 (should put the gear indicator as 8 and the odo as all 8's)
07C0:05300A0000800000 (should put the gear indicator as 7 and the odo as all 7's)

dj92 · 10-09-2013, 11:49 AM

Yeah, I've already wondered why there was no way to control the gear display in Techstream, just the entire display test was available there.

Mine does not accept these above commands either, perhaps it wants to be initialized.
Edit: Nope, the sniffer's software punk'd me :D
Sadly setting the CAN filters is a pain in the a$$ with that cheapo software, but I can't afford a better one.

Quite funny that they omit features for the european versions.
Seemingly it's not just the cruise control (not even an indicator light in the cluster)

However, thanks for your efforts

EDIT: the gear commands are even rejected:
07c8 03 7f 30 12 00 00 00 00

CTScott · 10-09-2013, 12:21 PM

Quote:

Originally Posted by dj92

Yeah, I've already wondered why there was no way to control the gear display in Techstream, just the entire display test was available there.

Mine does not accept these above commands either, perhaps it wants to be initialized.
Edit: Nope, the sniffer's software punk'd me :D
Sadly setting the CAN filters is a pain in the a$$ with that cheapo software, but I can't afford a better one.

Quite funny that they omit features for the european versions.
Seemingly it's not just the cruise control (not even an indicator light in the cluster)

However, thanks for your efforts

EDIT: the gear commands are even rejected:
07c8 03 7f 30 12 00 00 00 00

Interesting. I might have to work on getting you one of my devices to experiment with. It would actually be very handy for me to have access to data from European Yaris for comparison.

dj92 · 10-09-2013, 12:25 PM

That'd be great!
I have already worked on some basic parameters which are easy to poke:
http://www.fingers-wiki.de/yarisforschung_xp9
Hopefully it's understandable for you ;)
If not, don't hesitate to ask me :)
It is especially about which doors are opened and whether the door locks are operated and especially in what direction and how (fob, lock on door, knob inside the car).

We have an entirely different engine controller here in europe (no cruise control), it might be just because I have the 1l engine (1KR-FE), on the other hand side I can't imagine that the european yaris with the VFD has a CC which would mean that it'd need a different cluster.

However, a friend of mine has a Yaris with the 1.33 dual-vvt-engine (from 2010 or 2011) where seemingly the same cluster as in the canadian Yaris is used.
IIRC it's an MT, just to mention it ;)

CTScott · 10-09-2013, 01:54 PM

Quote:

Originally Posted by dj92

That'd be great!
I have already worked on some basic parameters which are easy to poke:
http://www.fingers-wiki.de/yarisforschung_xp9
Hopefully it's understandable for you ;)
If not, don't hesitate to ask me :)
It is especially about which doors are opened and whether the door locks are operated and especially in what direction and how (fob, lock on door, knob inside the car).

We have an entirely different engine controller here in europe (no cruise control), it might be just because I have the 1l engine (1KR-FE), on the other hand side I can't imagine that the european yaris with the VFD has a CC which would mean that it'd need a different cluster.

However, a friend of mine has a Yaris with the 1.33 dual-vvt-engine (from 2010 or 2011) where seemingly the same cluster as in the canadian Yaris is used.
IIRC it's an MT, just to mention it ;)

Very good - Those all correspond with ours as well. I am glad to see that the primary messaging is likely pretty much all the same.

In that case, when I have a chance, I will sniff out the packets from the ECM to the cluster in regards to shifter position, as they will likely be the same as well (even though the diagnostic mode packets were not).

dj92 · 10-09-2013, 02:42 PM

Last night I also found this:
https://github.com/fabiobaltieri/toy...er/toyothack.c
I checked the 0x398 (fuel usage) and the values while driving seemed legitimate :)
However I still need to see how it's dimensioned

Edit:
New findings!

Techstream says A/D value of fuel sensor is 122dec, that is 7ahex.
I had a look at the log, and, surprise:
7c0 02 21 24 00 00 00 00 00 is the request
7c8 03 61 24 74 00 00 00 00 is the answer.
Task for those new to this course: find the location of the interesting byte :D
It looks like a pid-21-obd-command.
EDIT3: could also be 63 instead of 24.
further investigation to do.

EDIT2: Battery voltage is 144=14,4V =90hex
7c0 02 21 11 00 00 00 00 00 is the request
7c8 03 61 11 *90* 00 00 00 00 is the answer

More to come ;)

CTScott · 10-10-2013, 01:10 AM

OK - The ECM message to the cluster for the AT indicator is CAN ID: 03B4. A MT ECM still sends messages on this ID, so you have to frequently (~ every second) send your message to override the blank.

P: 03B4:0000324C80000000
R: 03B4:0000324C40000000
N: 03B4:0000324C20000000
D: 03B4:0000314C00400000

dj92 · 10-10-2013, 04:10 PM

Sadly this wasn't successful, neither with the always crashing sniffer nor with the PIC32 :(
Seems like the ECU initializes the cluster in a special way or there are collisions because of the same ID.
The only way out would be a filter using two transceivers, but this would mean a critical modification to my car, so I fear that I reached a dead end :(

However, this does not mean the end of CAN bus research to me ;)
I'm about to build a bus node that plays a sound whenever the doors are (un)locked via fob :D
Way cooler than blinking ;)

CTScott · 10-10-2013, 04:45 PM

Quote:

Originally Posted by dj92

Sadly this wasn't successful, neither with the always crashing sniffer nor with the PIC32 :(
Seems like the ECU initializes the cluster in a special way or there are collisions because of the same ID.
The only way out would be a filter using two transceivers, but this would mean a critical modification to my car, so I fear that I reached a dead end :(

However, this does not mean the end of CAN bus research to me ;)
I'm about to build a bus node that plays a sound whenever the doors are (un)locked via fob :D
Way cooler than blinking ;)

Did you by any chance sniff for 03B4 packets on your car? If you can find someone over there with an AT, it would also be interesting to see if 03B4 is used on European Yaris as well.

If you can find me a cheap AT ECM from a junkyard over there (here I can often pick up ECMs for under $50 from Junkyards) I can do much more analysis on my test bench. I have a complete and fully functional Yaris CAN bus network wired up on my test bench.

dj92 · 10-10-2013, 06:16 PM

Quote:

Originally Posted by CTScott

Did you by any chance sniff for 03B4 packets on your car? If you can find someone over there with an AT, it would also be interesting to see if 03B4 is used on European Yaris as well.

Here we go:
000003b4 00 00 24 b4 00 00 00 00

Quote:

Originally Posted by CTScott

If you can find me a cheap AT ECM from a junkyard over there (here I can often pick up ECMs for under $50 from Junkyards) I can do much more analysis on my test bench.

I'm afraid this is a hard job :(

Although the Yaris is quite common here (I see about 5 each day), it is quite hard to find used spare parts because it is still rather new.

Additionally, cars are more expensive here than in the US, and so are the parts.
I can only dream about a cluster for 50$...

Last but not least: AT is rare here, especially in such small cars it is ordered seldom.
Including anything from Mercedes A-Class over BMW whatever to VW Golf I had to do with up to now, just about 5% had AT.

I have had a look but did not find something acceptable, but maybe you're lucky:
(Fasten seat belts, I can't be held responsible for fallen out eyeballs

)
http://www.ebay.de/sch/i.html?_sacat..._skc=200&rt=nc

If a seller doesn't want to ship to the US, I can of course do this for you.

Quote:

Originally Posted by CTScott

I have a complete and fully functional Yaris CAN bus network wired up on my test bench.

Quite a nice thing

You used crashie parts, am I right?

One short extra question:
Do you, by accident, know how the PWM-dimmed dome light is switched?
I did not manage to take the ECU apart or at least out.
I expect a n-channel type Mosfet to be in there, but without any knowledge about the part number, I am unsure how much current I can let it switch without risking damage.
Of course, I could add an external transistor, but I like to keep it as simple as possible.
My plan is to stick LED stripes to the under the seat frames, just if you wondered.

@Management:
I hope the deviation from the thread title is tolerable ;)

CTScott · 10-10-2013, 06:45 PM

Ah, I was just checking the electronic parts catalog for Europe, and it shows that there were no second generation automatic transmission Yaris built in France, so it may be that your cluster completely ignores those AT related commands.

That made me just think to try my European cluster on my test bench and it does not respond to the AT commands.

For the dome light, the Body ECU drives it and although I can't identify the 3 terminal driving device, I would say that by its size that it should be able to handle 1A.

10-08-2013, 07:23 PM	#1
dj92 Embracing Curves View User's Garage Drives: '14 Prius Executive Join Date: Aug 2013 Location: mid-western Germany Posts: 256	Anyone with AT and a CAN sniffer? Hi there, I would like to use the unused parts of my instrument cluster, e.g. gear number by injecting packets on the CAN bus. I have hardware to do so, however, I don't know anyone who has an XP9 with AT (it's rather seldom ordered with AT here in Germany). I can't afford a gauge to fiddle around with (the one I'd like with VFD costs even used almost always at least 150€, about 200$; I guess the one with electromechanical tachometer would accept the same commands, but it would cost me still >50€ due to shipment costs), and even if I had one, I'm sure it would be a hard job to feed it manually with thousands of possible IDs before getting a reaction. So I would like to ask if someone with an AT XP9 and a CAN sniffer (available at ebay from China for ~25€) would be so kind to try to find out where the gear information hides or at least make a log with the IDs used by the ECU Hopefully someone can help me ;)

10-08-2013, 08:45 PM	#2
CTScott ULTIMATE View User's Garage Drives: 09 5dr LB, 2x 08 3dr LB Join Date: Oct 2008 Location: USA, CT Posts: 13,460	I developed my own CAN sniffer and have reverse engineered a significant portion of the Toyota communications (beyond the simple OBD compliant comm.) I can definitely help you out with this. __________________

10-08-2013, 11:09 PM	#3
CTScott ULTIMATE View User's Garage Drives: 09 5dr LB, 2x 08 3dr LB Join Date: Oct 2008 Location: USA, CT Posts: 13,460	OK - Here's what you can command the AT indicator to show. There is a 5 second timeout, so if you don't send another command within that time the indicator will go off. blank 07C0:0530090000000000 L 07C0:0530090001000000 2 07C0:0530090002000000 3 07C0:0530090004000000 4 07C0:0530090008000000 D 07C0:0530090010000000 N 07C0:0530090020000000 R 07C0:0530090040000000 P 07C0:0530090080000000 5 07C0:0530090000020000 6 07C0:0530090000040000 7 07C0:0530090000080000 (CVT SPORT) 07C0:0530090000100000 (M) 07C0:0530090000200000 S 07C0:0530090000400000 B 07C0:0530090000800000 __________________

10-09-2013, 12:40 AM	#4
tk-421 Super Moderator View User's Garage Drives: 5D-07-LB Join Date: Jan 2007 Location: Dagobah Posts: 4,263	__________________ --[ FORUM RULES ]--[ SEARCHING TIPS ]--[ EYELIDS PICS ]--[ RBK SPOILER ]--[ BEST/WORST INVESTMENTS ]--

10-09-2013, 07:42 AM	#6
CTScott ULTIMATE View User's Garage Drives: 09 5dr LB, 2x 08 3dr LB Join Date: Oct 2008 Location: USA, CT Posts: 13,460	Just to verify, the 07C0 is what you have to set your transmitter address to. I have a European digital cluster on hand. This morning I will try it with that to verify that it will respond to those same commands. I am fairly certain that it will, as it works as a direct replacement for the US cluster. __________________

10-09-2013, 06:49 AM	#5
dj92 Embracing Curves View User's Garage Drives: '14 Prius Executive Join Date: Aug 2013 Location: mid-western Germany Posts: 256	CTScott, you guy definitely rock! Sadly, I could not manage to get it working yet with my CAN sniffer, maybe it needs some initialization. However, I'll program my PIC32 and check whether it makes the job better than the crappy chinese software (sad to have to say it so)

10-09-2013, 08:40 AM	#7
dj92 Embracing Curves View User's Garage Drives: '14 Prius Executive Join Date: Aug 2013 Location: mid-western Germany Posts: 256	Yup, I set it that way. I think the sniffer is innocent, I remember having injected packets where I got responses that made sense (the same like when I accessed some ECUs with Techstream)

10-09-2013, 09:20 AM	#8
CTScott ULTIMATE View User's Garage Drives: 09 5dr LB, 2x 08 3dr LB Join Date: Oct 2008 Location: USA, CT Posts: 13,460	I just tried the European digital cluster and it does not support these commands. It supports ones where I can make all of the digits (including the speedometer and odometer) indicate the numbers 0-9, but not commands to just tickle the gear indicator. For the heck of it try the following: 07C0:05300A0000200000 (should put the gear indicator as 9 and the odo as all 9's) 07C0:05300A0000400000 (should put the gear indicator as 8 and the odo as all 8's) 07C0:05300A0000800000 (should put the gear indicator as 7 and the odo as all 7's) __________________

10-09-2013, 11:49 AM	#9
dj92 Embracing Curves View User's Garage Drives: '14 Prius Executive Join Date: Aug 2013 Location: mid-western Germany Posts: 256	Yeah, I've already wondered why there was no way to control the gear display in Techstream, just the entire display test was available there. Mine does not accept these above commands either, perhaps it wants to be initialized. Edit: Nope, the sniffer's software punk'd me :D Sadly setting the CAN filters is a pain in the a$$ with that cheapo software, but I can't afford a better one. Quite funny that they omit features for the european versions. Seemingly it's not just the cruise control (not even an indicator light in the cluster) However, thanks for your efforts EDIT: the gear commands are even rejected: 07c8 03 7f 30 12 00 00 00 00 Last edited by dj92; 10-09-2013 at 12:14 PM.

10-09-2013, 12:25 PM	#11
dj92 Embracing Curves View User's Garage Drives: '14 Prius Executive Join Date: Aug 2013 Location: mid-western Germany Posts: 256	That'd be great! I have already worked on some basic parameters which are easy to poke: http://www.fingers-wiki.de/yarisforschung_xp9 Hopefully it's understandable for you ;) If not, don't hesitate to ask me :) It is especially about which doors are opened and whether the door locks are operated and especially in what direction and how (fob, lock on door, knob inside the car). We have an entirely different engine controller here in europe (no cruise control), it might be just because I have the 1l engine (1KR-FE), on the other hand side I can't imagine that the european yaris with the VFD has a CC which would mean that it'd need a different cluster. However, a friend of mine has a Yaris with the 1.33 dual-vvt-engine (from 2010 or 2011) where seemingly the same cluster as in the canadian Yaris is used. IIRC it's an MT, just to mention it ;) Last edited by dj92; 10-09-2013 at 12:47 PM.

10-09-2013, 02:42 PM	#13
dj92 Embracing Curves View User's Garage Drives: '14 Prius Executive Join Date: Aug 2013 Location: mid-western Germany Posts: 256	Last night I also found this: https://github.com/fabiobaltieri/toy...er/toyothack.c I checked the 0x398 (fuel usage) and the values while driving seemed legitimate :) However I still need to see how it's dimensioned Edit: New findings! Techstream says A/D value of fuel sensor is 122dec, that is 7ahex. I had a look at the log, and, surprise: 7c0 02 21 24 00 00 00 00 00 is the request 7c8 03 61 24 74 00 00 00 00 is the answer. Task for those new to this course: find the location of the interesting byte :D It looks like a pid-21-obd-command. EDIT3: could also be 63 instead of 24. further investigation to do. EDIT2: Battery voltage is 144=14,4V =90hex 7c0 02 21 11 00 00 00 00 00 is the request 7c8 03 61 11 90 00 00 00 00 is the answer More to come ;) Last edited by dj92; 10-09-2013 at 06:08 PM.

10-10-2013, 01:10 AM	#14
CTScott ULTIMATE View User's Garage Drives: 09 5dr LB, 2x 08 3dr LB Join Date: Oct 2008 Location: USA, CT Posts: 13,460	OK - The ECM message to the cluster for the AT indicator is CAN ID: 03B4. A MT ECM still sends messages on this ID, so you have to frequently (~ every second) send your message to override the blank. P: 03B4:0000324C80000000 R: 03B4:0000324C40000000 N: 03B4:0000324C20000000 D: 03B4:0000314C00400000 __________________

10-10-2013, 04:10 PM	#15
dj92 Embracing Curves View User's Garage Drives: '14 Prius Executive Join Date: Aug 2013 Location: mid-western Germany Posts: 256	Sadly this wasn't successful, neither with the always crashing sniffer nor with the PIC32 :( Seems like the ECU initializes the cluster in a special way or there are collisions because of the same ID. The only way out would be a filter using two transceivers, but this would mean a critical modification to my car, so I fear that I reached a dead end :( However, this does not mean the end of CAN bus research to me ;) I'm about to build a bus node that plays a sound whenever the doors are (un)locked via fob :D Way cooler than blinking ;)

10-10-2013, 06:45 PM	#18
CTScott ULTIMATE View User's Garage Drives: 09 5dr LB, 2x 08 3dr LB Join Date: Oct 2008 Location: USA, CT Posts: 13,460	Ah, I was just checking the electronic parts catalog for Europe, and it shows that there were no second generation automatic transmission Yaris built in France, so it may be that your cluster completely ignores those AT related commands. That made me just think to try my European cluster on my test bench and it does not respond to the AT commands. For the dome light, the Body ECU drives it and although I can't identify the 3 terminal driving device, I would say that by its size that it should be able to handle 1A. __________________