CwazyWabbit Posted July 5, 2011

> So are you saying for example that these pairs didn't work, or did you omit them for brevity?
>
> 0x1003--0x5DFF
> 0x1002--0x5EFF
> 0x1001--0x5FFF
>
> Similarly, the run between 0x0847--0x01FF and 0x0804--0x44FF
>
> Kev

Sorry, I omitted those for brevity although in all honesty I didn't test all the ones omitted, but tested quite a few as I was trying to find how far the sequence carried on. The sequence seems to be predictable for the following ranges

0x1000 to 0x105F
0x09F4 and 0x09F5
0x0800 to 0x0847

CwazyWabbit Posted July 5, 2011

Some new ones for you MrKev including the 0x2008 you asked for, obviously I slipped up the first time I looked for it

0x206F--0x01FF
. . .
0x2008--0x68FF
0x2007--0x69FF
0x2000--0x70FF
0x105F--0x01FF
0x105E--0x02FF
. . .
0x1006--0x5AFF
0x1005--0x5BFF
0x1004--0x5CFF
. . .
0x1000--0x60FF
0x0FFF--0xC0FF
0x09F5--0xB4FF
0x09F4--0xB3FF
0x0847--0x01FF
. . .
0x0804--0x44FF
0x0803--0x45FF
0x0802--0x46FF
0x0801--0x47FF
0x0800--0x48FF

The current list of known pairs (three full stops indicate I'm too lazy to write them all in), those in bold are new pairs.

For those of you reading in decimal we can now program the following pulses per mile (well actually it's per unit as the speedo has no concept of miles or km, it just counts the pulses)

2048 to 2119
2548 to 2549 <--- 2548 is the factory set pulses per km
4095 to 4191 <--- 4100 is the factory set pulses per mile
8192 to 8303

Ideally we need to expand the 4000ish range significantly more in the downward direction to make things more useful.

Apparently I have reprogrammed my test KPH speedo about 500 times this evening

MrKev Posted July 5, 2011

Ok, I think I've spotted something. Try these then:

either both of these will work
0x300C -- 0x74FF
0x4010 -- 0x80FF

or this pair will work
0x4010 -- 0x70FF

Kev

CwazyWabbit Posted July 5, 2011

> Ok, I think I've spotted something. Try these then:
>
> either both of these will work
> 0x300C -- 0x74FF
> 0x4010 -- 0x80FF
>
> or this pair will work
> 0x4010 -- 0x70FF
>
> Kev

Sorry for the late reply I got carried away trying to automate some stuff, there are now relays and switches all over the place connecting the speedo to the PC

0x300C -- 0x74FF works but neither of the others do

CwazyWabbit Posted July 5, 2011

> Sorry for the late reply I got carried away trying to automate some stuff, there are now relays and switches all over the place connecting the speedo to the PC
>
> 0x300C -- 0x74FF works but neither of the others do

I just got the 0x4010 if that's any help with your theory?

0x40E0 -- 0xF0FF
. . .
0x4080 -- 0x90FF
. . .
0x4010 -- 0x20FF
. . .
0x4000 -- 0x10FF

Cheers for the help ... remind me to never play cards with you for money

CwazyWabbit Posted July 6, 2011

0x0DF1 -- 0xB4FF
. . .
0x0DC1 -- 0x84FF
0x0DC0 -- 0x83FF
0x0DBF -- 0xFEFF
0x0DBE -- 0xFDFF
0x0DBD -- 0x00FF
0x0DBC -- 0xFFFF
. . . .
0x0DAD -- 0xF0FF
0x0DAC -- 0xEFFF
. . .
0x0D00 -- 0x43FF

CwazyWabbit Posted July 7, 2011

> Ok, I think I've spotted something. Try these then:
>
> either both of these will work
> 0x300C -- 0x74FF
> 0x4010 -- 0x80FF
>
> or this pair will work
> 0x4010 -- 0x70FF
>
> Kev

I have a pattern emerging, I find it difficult to put into words but this list should make it more obvious.

0x40E0 -- 0xF0FF
. . .
0x4000 -- 0x10FF
0x3080 -- 0x00FF
. . .
0x3000 -- 0x80FF
0x2F00--0x61FF
0x2E00--0x62FF
0x2D00--0x63FF
0x2C00--0x64FF
0x2B00--0x65FF
0x2A00--0x66FF
0x2900--0x67FF
0x2800--0x68FF
0x2700--0x69FF
0x2600--0x6AFF
0x2500--0x6BFF
0x2401--0x6BFF
0x2400--0x6CFF
0x2301--0x6EFF
0x2300--0x6DFF
0x2201--0x6DFF
0x2200--0x6EFF
0x2101--0x70FF
0x2100--0x6FFF
0x206F--0x01FF
. . .
0x2000--0x70FF
0x1F00--0x51FF
0x1200--0x5EFF
0x1100--0x5FFF
0x105F--0x01FF
. . .
0x1000--0x60FF
0x0FFF--0xC0FF
0x0F00--0x41FF
0x0E00--0x42FF
0x0DF1 -- 0xB4FF
. . .
0x0DC1 -- 0x84FF
0x0DC0 -- 0x83FF
0x0DBF -- 0xFEFF
0x0DBE -- 0xFDFF
0x0DBD -- 0x00FF
0x0DBC -- 0xFFFF
. . .
0x0D00 -- 0x43FF
0x0C00--0x44FF
0x0B00--0x45FF
0x0A00--0x46FF
0x09F5--0xB4FF
0x09F4--0xB3FF
0x0900--0x47FF
0x0847--0x01FF
. . .
0x0800--0x48FF

MrKev Posted July 7, 2011

> 0x0DF1 -- 0xB4FF
> . . .
> 0x0DC1 -- 0x84FF
> 0x0DC0 -- 0x83FF
> 0x0DBF -- 0xFEFF
> 0x0DBE -- 0xFDFF
> 0x0DBD -- 0x00FF
> 0x0DBC -- 0xFFFF
> . . .
> 0x0D00 -- 0x43FF

Yeah, I see, but can't explain the pattern. I can't explain why it jumps an extra 'count' at 0x0DBD to 0xDBE, for example, which I believe is key to understanding the algorithm.

I wouldn't mind betting, that if you take any other complete block that you've found, e.g.

0x3080 -- 0x00FF
. . .
0x3000 -- 0x80FF

then 0x3081, for example might pair with 0xFEFF (missing out 0xFFFF)

It would seem that 0x8200, 0x8100 are missing (are these never seen..?) and are substituted with 0xFEFF and 0xFDFF. 0xFFFF is generally missing, so my thinking goes along the lines of 'the programmer wanted to make sure that he was pointing to a real number, and not an erased (0xFFFF) word in EEPROM'.

Occam hasn't fetched his razor out on this little project yet though

Kev

CwazyWabbit Posted July 7, 2011

> Yeah, I see, but can't explain the pattern. I can't explain why it jumps an extra 'count' at 0x0DBD to 0xDBE, for example, which I believe is key to understanding the algorithm.
>
> I wouldn't mind betting, that if you take any other complete block that you've found, e.g.
>
> 0x3080 -- 0x00FF
> . . .
> 0x3000 -- 0x80FF
>
> then 0x3081, for example might pair with 0xFEFF (missing out 0xFFFF)
>
> It would seem that 0x8200, 0x8100 are missing (are these never seen..?) and are substituted with 0xFEFF and 0xFDFF. 0xFFFF is generally missing, so my thinking goes along the lines of 'the programmer wanted to make sure that he was pointing to a real number, and not an erased (0xFFFF) word in EEPROM'.
>
> Occam hasn't fetched his razor out on this little project yet though
>
> Kev

The following one works along the lines of the 0x0DBD pattern, I'm thinking that pattern only works on the upcount ones ISWIM as it doesn't work for 0x3081.

0x2193--0xFEFF
0x2192--0xFDFF
0x2191--0x00FF
0x2190--0xFFFF
. . .
0x2101--0x70FF
0x2100--0x6FFF

Your question about 0x8200 and 0x8100 (I assume you meant 0x82FF and 0x81FF) got me thinking as I hadn't tested all values in ranges but jumped a few till I found a pattern to save my sanity, then the more we saw patterns I tended more to checking the extremes. The above range should include them as it's an up count and the pattern should cover that range.... so I thought I should check them and strangely they don't work 0x2112 and 0x2113.

I'm going to have to do a complete run for my assumed values, bugger. Sorry about this.

MrKev Posted July 7, 2011

No probs. I think we do need exact sequences - possibly not many, but the small jumps I'm sure will be periodic, and thus can be mathematically defined.

June! Hold off re-programming the machine

CwazyWabbit Posted July 7, 2011

My apologies again, the following range are all verified

0x0dc9 -- 0x8CFF
0x0dc8 -- 0x8BFF
0x0dc7 -- 0x86FF
0x0dc6 -- 0x85FF
0x0dc5 -- 0x88FF
0x0dc4 -- 0x87FF
0x0dc3 -- 0x82FF
0x0dc2 -- 0x81FF
0x0dc1 -- 0x84FF
0x0dc0 -- 0x83FF
0x0dbf -- 0xFEFF
0x0dbe -- 0xFDFF
0x0dbd -- 0x00FF
0x0dbc -- 0xFFFF

CwazyWabbit Posted July 7, 2011

These are all verified, I will jump to another area to see if pattern repeats

0x0dcb -- 0x8AFF
0x0dca -- 0x89FF
0x0dc9 -- 0x8CFF
0x0dc8 -- 0x8BFF
0x0dc7 -- 0x86FF
0x0dc6 -- 0x85FF
0x0dc5 -- 0x88FF
0x0dc4 -- 0x87FF
0x0dc3 -- 0x82FF
0x0dc2 -- 0x81FF
0x0dc1 -- 0x84FF
0x0dc0 -- 0x83FF
0x0dbf -- 0xFEFF
0x0dbe -- 0xFDFF
0x0dbd -- 0x00FF
0x0dbc -- 0xFFFF
0x0dbb -- 0xFAFF
0x0dba -- 0xF9FF
0x0db9 -- 0xFCFF
0x0db8 -- 0xFBFF
0x0db7 -- 0xF6FF
0x0db6 -- 0xF5FF
0x0db5 -- 0xF8FF
0x0db4 -- 0xF7FF
0x0db3 -- 0xF2FF
0x0db2 -- 0xF1FF
0x0db1 -- 0xF4FF
0x0db0 -- 0xF3FF
0x0daf -- 0xEEFF
0x0dae -- 0xEDFF
0x0dad -- 0xF0FF
0x0dac -- 0xEFFF

MrKev Posted July 7, 2011

Well that's changed things a little!

CwazyWabbit Posted July 7, 2011

> Well that's changed things a little!

Yeah, sure has! It looks like when I did my initial checks to see if it followed a sequence I was always jumping over the anomalies

a few more that are verified and following the pattern

0x0d0f -- 0x4EFF
0x0d0e -- 0x4DFF
0x0d0d -- 0x50FF
0x0d0c -- 0x4FFF
0x0d0b -- 0x4AFF
0x0d0a -- 0x49FF
0x0d09 -- 0x4CFF
0x0d08 -- 0x4BFF
0x0d07 -- 0x46FF
0x0d06 -- 0x45FF
0x0d05 -- 0x48FF
0x0d04 -- 0x47FF
0x0d03 -- 0x42FF
0x0d02 -- 0x41FF
0x0d01 -- 0x44FF
0x0d00 -- 0x43FF

going off in search of a crossover point now.

CwazyWabbit Posted July 7, 2011

and just to confuse you some

0x1006 -- 0x5AFF
0x1005 -- 0x5BFF
0x1004 -- 0x5CFF
0x1003 -- 0x5DFF
0x1002 -- 0x5EFF
0x1001 -- 0x5FFF
0x1000 -- 0x60FF

Mo Murphy Posted July 7, 2011

You mean you're not confused already ?

Mo

kiwi_110 Posted July 7, 2011

Wabbit, I'm looking forward to you getting your Bus Pirate and posting how you use it, I've ordered one too. Just waiting for it and my VDO speedo to turn up.

I had worked out that I need to set my Pulse Per Km rate to around 2400 based on my T/Case ratio, diffs, wheel size etc and was pleased to see that your KPH speedo had revealed a similar value. I will be able to set it through the push-button on the VDO, but I need the bus-pirate to set the Odo to my current distance. I was quoted $160 by a shop to do it and the Pirate is less than half that and should be a bit of fun!

Good work guys!

Ray.

MrKev Posted July 7, 2011

Well, Ray, it is not guaranteed that the EEPROM in the aftermarket (which you can setup via the pushbutton, apparently) gauge is the same layout as the TD5 standard one, but it will certainly be interesting to see the EEPROM dump from it, it might be helpful in understanding more how the TD5 one works if it is the same layout.

Kevin

MrKev Posted July 7, 2011

> and just to confuse you some
>
> 0x1006 -- 0x5AFF
> 0x1005 -- 0x5BFF
> 0x1004 -- 0x5CFF
> 0x1003 -- 0x5DFF
> 0x1002 -- 0x5EFF
> 0x1001 -- 0x5FFF
> 0x1000 -- 0x60FF

> You mean you're not confused already ?
>
> Mo

It was beginning to make sense again until that!

Kev

CwazyWabbit Posted July 7, 2011

a few more

0x1066 -- 0x3AFF
0x1065 -- 0x3BFF
0x1064 -- 0x3CFF
0x1063 -- 0x3DFF
0x1062 -- 0x3EFF
0x1061 -- 0x3FFF
0x1060 -- 0x40FF
0x105f -- 0x01FF
0x105e -- 0x02FF
0x105d -- 0x03FF
0x105c -- 0x04FF

CwazyWabbit Posted July 7, 2011

> Wabbit, I'm looking forward to you getting your Bus Pirate and posting how you use it, I've ordered one too. Just waiting for it and my VDO speedo to turn up.
>
> I had worked out that I need to set my Pulse Per Km rate to around 2400 based on my T/Case ratio, diffs, wheel size etc and was pleased to see that your KPH speedo had revealed a similar value. I will be able to set it through the push-button on the VDO, but I need the bus-pirate to set the Odo to my current distance. I was quoted $160 by a shop to do it and the Pirate is less than half that and should be a bit of fun!
>
> Good work guys!
>
> Ray.

My Bus Pirate turned up yesterday, initial results seem to suggest it doesn't have enough power to drive the memory chip whilst it is still in circuit. I only had a quick play but I should be able to get around the issue one way or the other. Sledge hammer method would be to remove the memory chip (not that difficult tbh). Other ideas are just a case of changing to external pull up resistors that are lower value or just sticking a driver chip in between.... I'll work something out ;-)

CwazyWabbit Posted July 7, 2011

A bigger run on a 'down count', every 0x20 it jumps by 0xC0

0x10a4 -- 0xFCFF
0x10a3 -- 0xFDFF
0x10a2 -- 0xFEFF
0x10a1 -- 0xFFFF
0x10a0 -- 0x00FF
0x109f -- 0xC1FF
0x109e -- 0xC2FF
0x109d -- 0xC3FF
0x109c -- 0xC4FF
0x109b -- 0xC5FF
0x109a -- 0xC6FF
0x1099 -- 0xC7FF
0x1098 -- 0xC8FF
0x1097 -- 0xC9FF
0x1096 -- 0xCAFF
0x1095 -- 0xCBFF
0x1094 -- 0xCCFF
0x1093 -- 0xCDFF
0x1092 -- 0xCEFF
0x1091 -- 0xCFFF
0x1090 -- 0xD0FF
0x108f -- 0xD1FF
0x108e -- 0xD2FF
0x108d -- 0xD3FF
0x108c -- 0xD4FF
0x108b -- 0xD5FF
0x108a -- 0xD6FF
0x1089 -- 0xD7FF
0x1088 -- 0xD8FF
0x1087 -- 0xD9FF
0x1086 -- 0xDAFF
0x1085 -- 0xDBFF
0x1084 -- 0xDCFF
0x1083 -- 0xDDFF
0x1082 -- 0xDEFF
0x1081 -- 0xDFFF
0x1080 -- 0xE0FF
0x107f -- 0x21FF
0x107e -- 0x22FF
0x107d -- 0x23FF
0x107c -- 0x24FF
0x107b -- 0x25FF
0x107a -- 0x26FF
0x1079 -- 0x27FF
0x1078 -- 0x28FF
0x1077 -- 0x29FF
0x1076 -- 0x2AFF
0x1075 -- 0x2BFF
0x1074 -- 0x2CFF
0x1073 -- 0x2DFF
0x1072 -- 0x2EFF
0x1071 -- 0x2FFF
0x1070 -- 0x30FF
0x106f -- 0x31FF
0x106e -- 0x32FF
0x106d -- 0x33FF
0x106c -- 0x34FF
0x106b -- 0x35FF
0x106a -- 0x36FF
0x1069 -- 0x37FF
0x1068 -- 0x38FF
0x1067 -- 0x39FF
0x1066 -- 0x3AFF
0x1065 -- 0x3BFF
0x1064 -- 0x3CFF
0x1063 -- 0x3DFF
0x1062 -- 0x3EFF
0x1061 -- 0x3FFF
0x1060 -- 0x40FF
0x105f -- 0x01FF
0x105e -- 0x02FF
0x105d -- 0x03FF
0x105c -- 0x04FF

MrKev Posted July 7, 2011

Reassuringly, your new values also follow my 'pattern'

Using the pair '0x105c -- 0x04FF' as an example...

1. Take the High byte and the Low byte from the calibration word, e.g. 0x105c gives 0x10 and 0x5c
2. XOR them together. In this example: 0x4c
3. Add the value in the Check byte, 0x04 in this example, gives 0x50.

The result will be one of the following, for all the values you've given me so far: 0x50, 0x70, 0x90, 0xB0

I would imagine from that that results of 0x10, 0x30, 0xD0 and 0xF0 are also possible, and you just haven't come up with them yet.

So that means for any specified value for the calibration, I can calculate back to 1 of 8 possible values for the check byte, but I'm sure there's a way of working out which of the 8 it should be.

How's that looking so far?

Kev

CwazyWabbit Posted July 7, 2011

> Reassuringly, your new values also follow my 'pattern'
>
> Using the pair '0x105c -- 0x04FF' as an example...
>
> 1. Take the High byte and the Low byte from the calibration word, e.g. 0x105c gives 0x10 and 0x5c
> 2. XOR them together. In this example: 0x4c
> 3. Add the value in the Check byte, 0x04 in this example, gives 0x50.
>
> The result will be one of the following, for all the values you've given me so far: 0x50, 0x70, 0x90, 0xB0
>
> I would imagine from that that results of 0x10, 0x30, 0xD0 and 0xF0 are also possible, and you just haven't come up with them yet.
>
> So that means for any specified value for the calibration, I can calculate back to 1 of 8 possible values for the check byte, but I'm sure there's a way of working out which of the 8 it should be.
>
> How's that looking so far?
>
> Kev

That's looking very good as it covers both styles of pattern. It also looks like the sort of algorithm that would have been simple for the original developer to implement with a low performance overhead.

Now if only we can work out how to decide which one of 8 it should be, when I brute forced some of the values I tried nearly all of the 256 values before getting the right one, so I think we can safely assume there aren't multiple valid checksums for one value.

CwazyWabbit Posted July 7, 2011

0x1080 -- 0xE0FF apply algorithm = 0x170

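MrKev's three steps (XOR the two calibration bytes, add the check byte) run over pairs quoted in the posts above, as an added example that is not code from any poster. It assumes the sum is truncated to one byte, so the 0x170 in the last post counts as 0x70; the function names are made up for the illustration.

```python
# Added illustration, not from the thread. Pair values are copied from the posts.

# (calibration word, check byte) pairs the posters reported as accepted.
ACCEPTED = [
    (0x105C, 0x04), (0x1060, 0x40), (0x107F, 0x21), (0x1080, 0xE0),
    (0x10A1, 0xFF), (0x0D00, 0x43), (0x0DAC, 0xEF), (0x0DBD, 0x00),
    (0x0DC0, 0x83), (0x09F4, 0xB3), (0x0800, 0x48), (0x2000, 0x70),
    (0x300C, 0x74), (0x4010, 0x20),
]
# Check bytes MrKev proposed for 0x4010 that were reported as not working.
REJECTED = [(0x4010, 0x80), (0x4010, 0x70)]

SEEN = (0x50, 0x70, 0x90, 0xB0)      # results MrKev observed
GUESSED = (0x10, 0x30, 0xD0, 0xF0)   # results MrKev thought also possible


def residue(cal, check):
    """Steps 1-3: (high byte XOR low byte) + check byte."""
    hi, lo = cal >> 8, cal & 0xFF
    return ((hi ^ lo) + check) & 0xFF   # assumption: carry out of bit 7 is dropped


def candidate_check_bytes(cal, residues=SEEN + GUESSED):
    """Work backwards: the '1 of 8' check bytes consistent with the pattern."""
    x = (cal >> 8) ^ (cal & 0xFF)
    return sorted((r - x) & 0xFF for r in residues)


def residue_histogram(pairs):
    """Group calibration words by the residue their check byte produces."""
    hist = {}
    for cal, check in pairs:
        hist.setdefault(residue(cal, check), []).append(cal)
    return hist


if __name__ == "__main__":
    for r, cals in sorted(residue_histogram(ACCEPTED).items()):
        print(f"0x{r:02X}: " + " ".join(f"0x{c:04X}" for c in cals))
    for cal, check in REJECTED:
        print(f"rejected 0x{cal:04X}/0x{check:02X} -> 0x{residue(cal, check):02X}")
    print([f"0x{c:02X}" for c in candidate_check_bytes(0x105C)])
```

Every accepted pair in the sample lands on one of the four observed results; the two rejected 0x4010 guesses give 0xD0 and 0xC0.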