|
| sickd |
|
|||
|
s it possible to unlock a locked icc stereo, i sold my color screen unit and swapped it for a standard one, i removed and swapped them into the cars, and mine comes up with code, can it be removed with obd tool
car is a ba ute 2004
_________________ BA XR8 BOSS 260
|
|||
| Top | |
|||
| Lukeyson |
|
|||
|
In theory yes. In practice no. Ford use some sort of security algorithm that works like this:
OBD Tool requests a value in a Mode22 PID from ICC ICC responds with a value from that PID OBD Tool sends a custom high-mode message with a multibyte value (the 'unlock' message) The algorithm that converts the data from the PID into an 'unlock' message is what we don't yet know. Similar to the process used to 'unlock' a PCM for writing a custom tune. If you have a J2534 tool and a subscription to the FMP software mentioned a few times in this thread, then yes, you can unlock your own ICC. But since the cheapest J2534 that I know of is over $300, it would probably be cheaper for you to go to Ford and get them to do it for $50 or so. I've been able to do it a few times now with a J2534 tool. Luke |
|||
| Top | |
|||
| aumatt |
|
|||
|
It would be possible with the right amounts of reverse engineering
Matt
_________________ 2004 Harvest Green XR6
|
|||
| Top | |
|||
| sickd |
|
|||
|
bugga no worries thanks for the help i will go fraud and get them to
unlock it, one ford place told me 110 bucks, thats why i thought i trie this. thanks 
_________________ BA XR8 BOSS 260
|
|||
| Top | |
|||
| Lukeyson |
|
|||
|
Pity you're not near Newcastle....
Lukeyson |
|||
| Top | |
|||
| aumatt |
|
|||
|
Geez I really should get my new scan tool. Hurry up aussie dollar go back to 98c
Matt
_________________ 2004 Harvest Green XR6
|
|||
| Top | |
|||
| Lukeyson |
|
|||
|
Yeah, those were the days.
Lukeyson |
|||
| Top | |
|||
| wheee |
|
|||
|
Hey there.
I'm working on developing a custom ICC for my 2006 BF XR8 using some custom built hardware, and will be using the OBD-II connector to receive and display the status of the HVAC controls. While I am at it I thought I would see what else I could intercept through the broadcast messages that may be of interest to display on the screen. Here's what I've found in the last couple of hours (FYI- This is from a 2006 BF XR8 Auto MCC Prem Sound) Code: $3E9 AA BB ?? ?? ?? ?? CC DD AA seems to indicate the current status of the transmission Code: AA = 3F (Transmission Is Changing Between Any Of Gears 1-6) AA = 31 (1st Gear Engaged) AA = 32 (2nd Gear Engaged) AA = 33 (3rd Gear Engaged) AA = 34 (4th Gear Engaged) AA = 35 (5th Gear Engaged) AA = 36 (6th Gear Engaged) AA = 1F (Transmission Is Changing Into Reverse) AA = 1C (Reverse Engaged) AA = 20 (Neutral) AA = 00 (Park) BB seems to indicate the chosen shift mode (Adaptive/Performance) Code: BB = 00 (Adapative Shift) BB = 01 (Performance Shift - Automatic) BB = 06 (Performance Shift - Tiptronic Mode) CC seems to indicate the drivers currently selected gear Code: CC = 00 (Neutral/Park Selected) CC = 01 (1st Gear Selected) CC = 02 (2nd Gear Selected) CC = 03 (3rd Gear Selected) CC = 04 (4th Gear Selected) CC = 05 (5th Gear Selected) CC = 06 (6th Gear Selected) CC = 0C (Reverse Selected) AA & CC seem to be interrelated, while BB seems to be totally seperate. A typical drive seems to read like this: Code: AA = 3F CC = 01 : Transmission changing into 1st gear AA = 31 CC = 01 : Transmission in 1st gear AA = 3F CC = 02 : Transmission changing into 2nd gear AA = 32 CC = 02 : Transmission in 2nd gear AA = 3F CC = 03 : Transmission changing into 3rd gear AA = 33 CC = 03 : Transmission in 3rd gear AA = 3F CC = 04 : Transmission changing into 4th gear AA = 34 CC = 04 : Transmission in 4th gear AA = 3F CC = 05 : Transmission changing into 5th gear AA = 35 CC = 05 : Transmission in 5th gear AA = 3F CC = 06 : Transmission changing into 6th gear AA = 36 CC = 06 : Transmission in 6th gear AA = 3F CC = 05 : Transmission changing into 5th gear AA = 35 CC = 05 : Transmission in 5th gear There are a number of other values that come through for AA when the gear selector is pushed half-way between the different gears. I haven't worked out what these fully mean yet. For example when AA reads: FF : Started moving from reverse into park F0 : Holding gear selector between reverse and park (but not in either gear fully) FF : Started moving from drive into neutral F1 : Holding gear selector between drive and neutral (but not in either gear fully) FF : Started moving from reverse into neutral 2F : Holding gear selector between reverse and neutral (but not in either gear fully) Whenever AA reads any of these values the gear indicator on the dashboard goes blank. My best guess is that these values indicate the transmission is in transition between gears. The value DD I cannot work out either, but it seems to always be accompanied by a noticable rise/fall in the rear of the car- for example when changing between reverse and neutral. Code: 3E9 2F 00 68 82 00 00 00 B2 << SELECTOR MOVED FROM NEUTRAL TO REVERSE
3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 B2 3E9 2F 00 68 82 00 00 00 AF << DD BEGINS CHANGING ACCOMPANIED BY CHANGE IN HEIGHT OF REAR OF CAR 3E9 2F 00 68 82 00 00 00 AE 3E9 2F 00 68 82 00 00 00 AD 3E9 2F 00 68 82 00 00 00 AB 3E9 2F 00 68 82 00 00 00 AA 3E9 2F 00 68 82 00 00 00 A8 3E9 2F 00 68 82 00 00 00 A7 3E9 2F 00 68 82 00 00 00 A5 3E9 2F 00 68 82 00 00 00 A4 3E9 2F 00 68 82 00 00 00 A3 3E9 2F 00 68 82 00 00 00 A1 3E9 2F 00 68 82 00 00 00 9E 3E9 2F 00 68 82 00 00 00 9C 3E9 2F 00 68 82 00 00 00 9A 3E9 2F 00 68 82 00 00 00 98 3E9 2F 00 68 82 00 00 00 97 3E9 2F 00 68 82 00 00 00 94 3E9 2F 00 68 82 00 00 00 93 3E9 2F 00 68 82 00 00 00 90 3E9 2F 00 68 82 00 00 00 8E 3E9 2F 00 68 82 00 00 00 8C 3E9 2F 00 68 82 00 00 00 8A 3E9 2F 00 68 82 00 00 00 88 3E9 2F 00 68 82 00 00 00 88 3E9 2F 00 68 82 00 00 00 87 3E9 2F 00 68 82 00 00 00 85 3E9 2F 00 68 82 00 00 00 84 3E9 2F 00 68 82 00 00 00 83 3E9 2F 00 68 82 00 00 00 82 3E9 2F 00 68 82 00 00 00 81 3E9 2F 00 68 82 00 00 00 80 3E9 2F 00 68 82 00 00 00 7F 3E9 2F 00 68 82 00 00 00 7E 3E9 2F 00 68 82 00 00 00 7D 3E9 2F 00 68 82 00 00 00 7D 3E9 2F 00 68 82 00 00 00 7C 3E9 2F 00 68 82 00 00 00 7B 3E9 2F 00 68 82 00 00 00 7A 3E9 2F 00 68 82 00 00 00 79 3E9 2F 00 68 82 00 00 00 78 3E9 2F 00 68 82 00 00 00 78 3E9 2F 00 68 82 00 00 00 77 3E9 2F 00 68 82 00 00 00 76 3E9 2F 00 68 82 00 00 00 75 3E9 2F 00 68 82 00 00 00 75 3E9 2F 00 68 82 00 00 00 74 3E9 2F 00 68 82 00 00 00 72 3E9 2F 00 68 82 00 00 00 71 3E9 2F 00 68 82 00 00 00 71 3E9 2F 00 68 82 00 00 00 71 3E9 2F 00 68 82 00 00 00 70 3E9 2F 00 68 82 00 00 00 70 3E9 2F 00 68 82 00 00 00 6F 3E9 2F 00 68 82 00 00 00 6F 3E9 2F 00 68 82 00 00 00 6D 3E9 2F 00 68 82 00 00 00 6D 3E9 20 00 68 82 00 00 00 6C << REVERSE ENGAGED 3E9 20 00 68 82 00 00 00 6B 3E9 20 00 68 82 00 00 00 69 3E9 20 00 68 82 00 00 00 69 3E9 20 00 68 82 00 00 00 68 3E9 20 00 68 82 00 00 00 66 3E9 20 00 68 82 00 00 00 65 3E9 20 00 68 82 00 00 00 64 3E9 20 00 68 82 00 00 00 63 3E9 20 00 68 82 00 00 00 63 3E9 20 00 68 82 00 00 00 63 3E9 20 00 68 82 00 00 00 63 3E9 20 00 68 82 00 00 00 63 3E9 20 00 68 82 00 00 00 63 3E9 20 00 68 82 00 00 00 63 3E9 20 00 68 82 00 00 00 63 3E9 20 00 68 82 00 00 00 63 3E9 20 00 68 82 00 00 00 63 3E9 20 00 68 82 00 00 00 63 I'm not sure that this is of any use to anybody- but thought i'd put my 2 cents in. Must give a special thanks to Lukeyson, your posts have saved me considerable work deciphering the HVAC messages.
_________________ 2006 BF XR8 Ego - Pod Filter, Air Box, Twin Throttle Body, Yella Terra Plenum, Herrod Cams, Oil Pump & Gears, 25% Underdrive, Extractors, High Flow Cats, 3" DPE Exhaust, 3.9 Diff Gears, 245/40/18 Kuhmo KU36, Custom Tune @ HP-F. |
|||
| Top | |
|||
| aumatt |
|
|||
|
Some nice work, but im in no state to do any reversing as I can barely even type this, will probably read this again when i am actually sober. That might help.
Matt
_________________ 2004 Harvest Green XR6
|
|||
| Top | |
|||
| Lukeyson |
|
|||
|
Yikes. That's awesome. Back on page 20 of this thread I had access to an SY 6 Sp Terry and managed to determine that 3E9 was a ZF message, but didn't have the chance to do any more than that. The ZF has a separate ECU to control the transmissinon, as opposed to the 4A's which are controlled direct from the PCM. I have one car with a 5M and the other with a 4A so long-term analysis of ZF messages are off limits to me. Both cars have Blackoak PCM's as well, so the extra Spanish-Oak broadcasts messages are also a mystery to me.
0C9 seems to be a ZF message as well if you ever have the chance to look into that one. I suspect that the extra Spaish Oak messages are there so that the ZF can make intelligent shift decisions. The extra PCM messages I don't know anything about are 097, 0FC, 120, 12D, 44D, 4C0, and 650. I've done some analysis on the other PCM stuff - 200, 207, 230, 623, 640, 6F6, 6F8 - and have maybe 1/3 to 1/2 of it worked out. But some stuff will forever be beyond me, like the Smartshield messages in 6F6 and 6F8. Lukeyson |
|||
| Top | |
|||
| Lukeyson |
|
|||
|
Datamine was doing some work on a 6A tiptronic shifter, so might have some more info.
The ZF sections on the BF WOrkshop Manual talks about a 3-bit code for the 'Selected' gear and the 'Actual' gear which lines up with your AA and CC. But the manual specifically says that the Shifter PCB converts this code to a CAN bus message and transmits this information to the TCM via the CAN bus. Now, since I don't see the An lines diverging to the Shifter, I have my doubts on this, but will accept it for now. So I wonder if 0C9 is the message from the Shifter to the TCM via the CAN bus? I'd expect to see that 'gear selected' (CC) value replicated in there, whereas AA is 'Gear Actual' right? Lukeyson |
|||
| Top | |
|||
| Lukeyson |
|
|||
|
Page 303-14-86 of the BF Workshop Manual is the only place so far that I have found what messages get sent from the TCM. They include:
Transmission Fault Transmission Gear - Selected Tranmissions Gear - Actual Transmission Mode Transmission Temperature Could the Temp be your DD value? Lukeyson |
|||
| Top | |
|||
| wheee |
|
|||
|
Now that you mention temperature...
Code: 3E9 AA BB TT ?? ?? ?? CC DD Code: AA = Actual Gear
BB = Transmision Mode TT = ??? Temperature CC = Selected Gear DD = ??? Something ...the value of TT does slowly creep up (and occasionally down) making me think its a temperature. I've seen it as low at 67 (hex) while driving, and go up to about 88 (hex) when i'm changing down gears like the car was stolen. I'm not sure where on the car this would be measured if it was a temperature, so I'm not sure how to even start testing this hypothesis, or working out any sort of scale if it is indeed a temperature. I'm trying to write some software to make it easier for me to try and interpolate the messages in real time on a laptop. (Basically highlighting values that are changing, and showing messages broken up into hex, decimal and binary at the same time). So once I've got that going I'll have a closer look at the message. It would be nice if there was an wasier way to drive and read CAN broadcasts at the same time. And Lukey, while I've got ur attention, I don't suppose you have your research into the other codes written down nicely in one place somewhere so that I don't waste time doubling up?
_________________ 2006 BF XR8 Ego - Pod Filter, Air Box, Twin Throttle Body, Yella Terra Plenum, Herrod Cams, Oil Pump & Gears, 25% Underdrive, Extractors, High Flow Cats, 3" DPE Exhaust, 3.9 Diff Gears, 245/40/18 Kuhmo KU36, Custom Tune @ HP-F. |
|||
| Top | |
|||
| Lukeyson |
|
|||
|
Yeah, I have some info here that might be useful to you. PM me.
Looking up some other data, PID 1674 is the TCM Transmission fluid temp (Set your header to 7E1 and issue mode 22 query to PID 1674) The converter for that is nasty. It has an offset of -512, A multiplier of 5 and a divisor of 72. I'm not sure of the order of operation though. The PCM has a similar PID to measure Engine Oil Temp (EOT). PCM is header 7E0 (default on the ELM), and the EOT is a Mode 22 query to PID 0907. It has the same scaling (-512, x5, /72). Having said all this, the PID is a double-byte value, whereas the field in that broadcast is only a single byte. But it might be useful to issue queries to the PID and see if it makes any sense temperature wise, then try and play with a similar converter that might make sense for the broadcast. Keep in mind that there's a chance everything might be sampled and stored in Degrees F and need this nasty conversion for Degrees C. Lukeyson |
|||
| Top | |
|||
| Lukeyson |
|
||||||||
|
Just when I thought there was no more left to learn, I made a new discovery the other day.
In the same way that we know how to toy with the Dials on an ICC using an OBD2 tool (ELM, J2534 etc), I found that there are settings in nearly ALL modules that can be fiddled with the same way. I already knew some of the BEM stuff - like turning on wipers and the wiper washers etc. But my recent discovery included settings in the Airbag Module, the ABS Module, the HIM, the Park Aid Module and the ICC. The ICC was the most interesting of all, because it uncovered a Display Diagnostics mode. The Ford Tech boys probably knew about this all along, but now we know how to trigger it funnally with the ELM style tools. I could also trigger pretty much all of the audio buttons - including the 6 screen presets and the steering-wheel buttons. It was fun ejecting CD's, changing the volume and powering the thing off and on all from by lab pc. But then small things usually do amuse me.... I have only tried this on a DZ High Series ICC, I've yet to see what's available in the Low Series MCC units. The Display Diagnostics has a few modes - All White, All Black, Coloured Bars, Test Pattern and Navigation Diag. I'll load up pics of each. Lukeyson
|
||||||||
| Top | |
||||||||
| Who is online |
|---|
Users browsing this forum: No registered users and 6 guests |
