Jump to content

TD5 Speedo Mileage run up circuit

aaron_h
 Share

Recommended Posts

CwazyWabbit

CwazyWabbit

Posted
Posted

So are you saying for example that these pairs didn't work, or did you omit them for brevity?

0x1003--0x5DFF

0x1002--0x5EFF

0x1001--0x5FFF

Similarly, the run between 0x0847--0x01FF and 0x0804--0x44FF

Kev

Sorry, I omitted those for brevity although in all honesty I didn't test all the ones omitted, but tested quite a few as I was trying to find how far the sequence carried on.

The sequence seems to be predictable for the following ranges

0x1000 to 0x105F

0x09F4 and 0x09F5

0x0800 to 0x0847

Link to comment
Share on other sites
CwazyWabbit

CwazyWabbit

Posted
Posted

Some new ones for you MrKev including the 0x2008 you asked for :) obviously I slipped up the first time I looked for it :huh:

0x206F--0x01FF

.

.

.

0x2008--0x68FF

0x2007--0x69FF

0x2000--0x70FF

0x105F--0x01FF

0x105E--0x02FF

.

.

.

0x1006--0x5AFF

0x1005--0x5BFF

0x1004--0x5CFF

.

.

.

0x1000--0x60FF

0x0FFF--0xC0FF

0x09F5--0xB4FF

0x09F4--0xB3FF

0x0847--0x01FF

.

.

.

0x0804--0x44FF

0x0803--0x45FF

0x0802--0x46FF

0x0801--0x47FF

0x0800--0x48FF

The current list of known pairs (three full stops indicate I'm to lazy to write them all in), those in bold are new pairs.

For those of you reading in decimal ;) we can now program the following pulses per mile (well actually it's per unit as the speedo has no concept of miles or km, it just counts the pulses)

2048 to 2119

2548 to 2549 <--- 2548 is the factory set pulses per km

4095 to 4191 <--- 4100 is the factory set pulses per mile

8192 to 8303

Ideally we need to expand the 4000ish range significantly more in the downward direction to make things more useful.

apparently I have reprogrammed my test KPH speedo about 500 times this evening :blink:

Link to comment
Share on other sites
CwazyWabbit

CwazyWabbit

Posted
Posted

Ok, I think I've spotted something. Try these then:

either both of these will work

0x300C -- 0x74FF

0x4010 -- 0x80FF

or this pair will work

0x4010 -- 0x70FF

Kev

Sorry for the late reply I got carried away trying to automate some stuff, there are now relays and switches all over the place connecting the speedo to the PC :blink:

0x300C -- 0x74FF works :)

but neither of the others do :(

Link to comment
Share on other sites
CwazyWabbit

CwazyWabbit

Posted
Posted

Sorry for the late reply I got carried away trying to automate some stuff, there are now relays and switches all over the place connecting the speedo to the PC :blink:

0x300C -- 0x74FF works :)

but neither of the others do :(

I just got the 0x4010 if thats any help with your theory?

0x40E0 -- 0xF0FF

.

.

.

0x4080 -- 0x90FF

.

.

.

0x4010 -- 0x20FF

.

.

.

0x4000 -- 0x10FF

Cheers for the help :D ... remind me to never play cards with you for money ;)

Link to comment
Share on other sites
CwazyWabbit

CwazyWabbit

Posted
Posted

Ok, I think I've spotted something. Try these then:

either both of these will work

0x300C -- 0x74FF

0x4010 -- 0x80FF

or this pair will work

0x4010 -- 0x70FF

Kev

I have a pattern emerging, I find it difficult to put into words but this list should make it more obvious.

0x40E0 -- 0xF0FF

.

.

.

0x4000 -- 0x10FF

0x3080 -- 0x00FF

.

.

.

0x3000 -- 0x80FF

0x2F00--0x61FF

0x2E00--0x62FF

0x2D00--0x63FF

0x2C00--0x64FF

0x2B00--0x65FF

0x2A00--0x66FF

0x2900--0x67FF

0x2800--0x68FF

0x2700--0x69FF

0x2600--0x6AFF

0x2500--0x6BFF

0x2401--0x6BFF

0x2400--0x6CFF

0x2301--0x6EFF

0x2300--0x6DFF

0x2201--0x6DFF

0x2200--0x6EFF

0x2101--0x70FF

0x2100--0x6FFF

0x206F--0x01FF

.

.

.

0x2000--0x70FF

0x1F00--0x51FF

0x1200--0x5EFF

0x1100--0x5FFF

0x105F--0x01FF

.

.

.

0x1000--0x60FF

0x0FFF--0xC0FF

0x0F00--0x41FF

0x0E00--0x42FF

0x0DF1 -- 0xB4FF

.

.

.

0x0DC1 -- 0x84FF

0x0DCO -- 0x83FF

0x0DBF -- 0xFEFF

0x0DBE -- 0xFDFF

0x0DBD -- 0x00FF

0x0DBC -- 0xFFFF

.

.

.

0x0D00 -- 0x43FF

0x0C00--0x44FF

0x0B00--0x45FF

0x0A00--0x46FF

0x09F5--0xB4FF

0x09F4--0xB3FF

0x0900--0x47FF

0x0847--0x01FF

.

.

.

0x0800--0x48FF

Link to comment
Share on other sites
MrKev

MrKev

Posted
Posted

0x0DF1 -- 0xB4FF

.

.

.

0x0DC1 -- 0x84FF

0x0DCO -- 0x83FF

0x0DBF -- 0xFEFF

0x0DBE -- 0xFDFF

0x0DBD -- 0x00FF

0x0DBC -- 0xFFFF

.

.

.

0x0D00 -- 0x43FF

Yeah, I see, but can't explain the pattern. I can't explain why it jumps an extra 'count' at 0x0DBD to 0xDBE, for example, which I believe is key to understanding the algorithm.

I wouldn't mind betting, that if you take any other complete block that you've found, e.g.

0x3080 -- 0x00FF

.

.

.

0x3000 -- 0x80FF

then 0x3081, for example might pair with 0xFEFF (missing out 0xFFFF)

It would seem that 0x8200, 0x8100 are missing (are these never seen..?) and are substituted with 0xFEFF and 0xFDFF. 0xFFFF is generally missing, so my thinking goes along the lines of 'the programmer wanted to make sure that he was pointing to a real number, and not an erased (0xFFFF) word in EEPROM).

Occam hasn't fetched his razor out on this little project yet though ;)

Kev

Link to comment
Share on other sites
CwazyWabbit

CwazyWabbit

Posted
Posted

Yeah, I see, but can't explain the pattern. I can't explain why it jumps an extra 'count' at 0x0DBD to 0xDBE, for example, which I believe is key to understanding the algorithm.

I wouldn't mind betting, that if you take any other complete block that you've found, e.g.

0x3080 -- 0x00FF

.

.

.

0x3000 -- 0x80FF

then 0x3081, for example might pair with 0xFEFF (missing out 0xFFFF)

It would seem that 0x8200, 0x8100 are missing (are these never seen..?) and are substituted with 0xFEFF and 0xFDFF. 0xFFFF is generally missing, so my thinking goes along the lines of 'the programmer wanted to make sure that he was pointing to a real number, and not an erased (0xFFFF) word in EEPROM).

Occam hasn't fetched his razor out on this little project yet though ;)

Kev

The following one works along the lines of the 0x0DBD pattern, I'm thinking that pattern only works on the upcount ones ISWIM as it doesn't work for 0x3081.

0x2193--0xFEFF

0x2192--0xFDFF

0x2191--0x00FF

0x2190--0xFFFF

.

.

.

0x2101--0x70FF

0x2100--0x6FFF

Your question about 0x8200 and 0x8100 (I assume you meant 0x82FF and 0x81FF) got me thinking as I hadn't tested all values in ranges but jumped a few till I found a pattern to save my sanity, then the more we saw patterns I tended more to checking the extremes. The above range should include them as it's an up count and the pattern should cover that range.... so I thought I should check them and strangely they don't work :blink: 0x2112 and 0x2113.

I'm going to have to do a complete run for my assumed values, bugger. Sorry about this. :(

Link to comment
Share on other sites
MrKev

MrKev

Posted
Posted

No probs. I think we do need exact sequences - possibly not many, but the small jumps I'm sure will be periodic, and thus can be mathematically defined.

June! Hold of re-programming the machine

bombe2.jpg

Link to comment
Share on other sites
CwazyWabbit

CwazyWabbit

Posted
Posted

My apologies again, the following range are all verified

0x0dc9 -- 0x8CFF

0x0dc8 -- 0x8BFF

0x0dc7 -- 0x86FF

0x0dc6 -- 0x85FF

0x0dc5 -- 0x88FF

0x0dc4 -- 0x87FF

0x0dc3 -- 0x82FF

0x0dc2 -- 0x81FF

0x0dc1 -- 0x84FF

0x0dc0 -- 0x83FF

0x0dbf -- 0xFEFF

0x0dbe -- 0xFDFF

0x0dbd -- 0x00FF

0x0dbc -- 0xFFFF

Link to comment
Share on other sites
CwazyWabbit

CwazyWabbit

Posted
Posted

These are all verified I will jump to another area to see if pattern repeats

0x0dcb -- 0x8AFF

0x0dca -- 0x89FF

0x0dc9 -- 0x8CFF

0x0dc8 -- 0x8BFF

0x0dc7 -- 0x86FF

0x0dc6 -- 0x85FF

0x0dc5 -- 0x88FF

0x0dc4 -- 0x87FF

0x0dc3 -- 0x82FF

0x0dc2 -- 0x81FF

0x0dc1 -- 0x84FF

0x0dc0 -- 0x83FF

0x0dbf -- 0xFEFF

0x0dbe -- 0xFDFF

0x0dbd -- 0x00FF

0x0dbc -- 0xFFFF

0x0dbb -- 0xFAFF

0x0dba -- 0xF9FF

0x0db9 -- 0xFCFF

0x0db8 -- 0xFBFF

0x0db7 -- 0xF6FF

0x0db6 -- 0xF5FF

0x0db5 -- 0xF8FF

0x0db4 -- 0xF7FF

0x0db3 -- 0xF2FF

0x0db2 -- 0xF1FF

0x0db1 -- 0xF4FF

0x0db0 -- 0xF3FF

0x0daf -- 0xEEFF

0x0dae -- 0xEDFF

0x0dad -- 0xF0FF

0x0dac -- 0xEFFF

Link to comment
Share on other sites
CwazyWabbit

CwazyWabbit

Posted
Posted

Well that's changed things a little! :blink:

Yeah, sure has! It looks like when I did my initial checks to see if it followed a sequence I was always jumping over the anomolies :(

a few more that are verified and following the pattern

0x0d0f -- 0x4EFF

0x0d0e -- 0x4DFF

0x0d0d -- 0x50FF

0x0d0c -- 0x4FFF

0x0d0b -- 0x4AFF

0x0d0a -- 0x49FF

0x0d09 -- 0x4CFF

0x0d08 -- 0x4BFF

0x0d07 -- 0x46FF

0x0d06 -- 0x45FF

0x0d05 -- 0x48FF

0x0d04 -- 0x47FF

0x0d03 -- 0x42FF

0x0d02 -- 0x41FF

0x0d01 -- 0x44FF

0x0d00 -- 0x43FF

going off in search of a crossover point now.

Link to comment
Share on other sites
kiwi_110

kiwi_110

Posted
Posted

Wabbit, I'm looking forward to you getting your Bus Pirate and posting how you use it, I've ordered one too. Just waiting for it and my VDO speedo to turn up. I had worked out that I need to set my Pulse Per Km rate to around 2400 based on my T/Case ratio, diffs, wheel size etc and was pleased to see that your KPH speedo had revealed a similar value. I will be able to set it through the push-button on the VDO, but I need the bus-pirate to set the Odo to my current distance. I was quoted $160 by a shop to do it and the Pirate is less than half that and should be a bit of fun!

Good work guys!

Ray.

Link to comment
Share on other sites
MrKev

MrKev

Posted
Posted

Well, Ray, it is not guaranteed that the EEPROM in the aftermarket (which you can setup via the pushbutton, apparantly) gauge is the same layout as the TD5 standard one, but it will certainly be interesting to see the EEPROM dump from it, it might be helpful in understanding more how the TD5 one works if it is the same layout.

Kevin

Link to comment
Share on other sites
MrKev

MrKev

Posted
Posted

and just to confuse you some

0x1006 -- 0x5AFF

0x1005 -- 0x5BFF

0x1004 -- 0x5CFF

0x1003 -- 0x5DFF

0x1002 -- 0x5EFF

0x1001 -- 0x5FFF

0x1000 -- 0x60FF

You mean you're not confused already ? :blink:

Mo

It was beginning to make sense again until that!

Kev

Link to comment
Share on other sites
CwazyWabbit

CwazyWabbit

Posted
Posted

Wabbit, I'm looking forward to you getting your Bus Pirate and posting how you use it, I've ordered one too. Just waiting for it and my VDO speedo to turn up. I had worked out that I need to set my Pulse Per Km rate to around 2400 based on my T/Case ratio, diffs, wheel size etc and was pleased to see that your KPH speedo had revealed a similar value. I will be able to set it through the push-button on the VDO, but I need the bus-pirate to set the Odo to my current distance. I was quoted $160 by a shop to do it and the Pirate is less than half that and should be a bit of fun!

Good work guys!

Ray.

My Bus Pirate turned up yesterday, initial results seem to suggest it doesn't have enough power to drive the memory chip whilst it is still in circuit. I only had a quick play but I should be able to get around the issue one way or the other. Sledge hammer method would be to remove the memory chip (not that difficult tbh). Other ideas are just a case of changing to external pull up resistors that are lower value or just sticking a driver chip in between.... I'll work something out ;-)

Link to comment
Share on other sites
CwazyWabbit

CwazyWabbit

Posted
Posted

A bigger run on a 'down count', every 0x20 it jumps by 0xC0

0x10a4 -- 0xFCFF

0x10a3 -- 0xFDFF

0x10a2 -- 0xFEFF

0x10a1 -- 0xFFFF

0x10a0 -- 0x00FF

0x109f -- 0xC1FF

0x109e -- 0xC2FF

0x109d -- 0xC3FF

0x109c -- 0xC4FF

0x109b -- 0xC5FF

0x109a -- 0xC6FF

0x1099 -- 0xC7FF

0x1098 -- 0xC8FF

0x1097 -- 0xC9FF

0x1096 -- 0xCAFF

0x1095 -- 0xCBFF

0x1094 -- 0xCCFF

0x1093 -- 0xCDFF

0x1092 -- 0xCEFF

0x1091 -- 0xCFFF

0x1090 -- 0xD0FF

0x108f -- 0xD1FF

0x108e -- 0xD2FF

0x108d -- 0xD3FF

0x108c -- 0xD4FF

0x108b -- 0xD5FF

0x108a -- 0xD6FF

0x1089 -- 0xD7FF

0x1088 -- 0xD8FF

0x1087 -- 0xD9FF

0x1086 -- 0xDAFF

0x1085 -- 0xDBFF

0x1084 -- 0xDCFF

0x1083 -- 0xDDFF

0x1082 -- 0xDEFF

0x1081 -- 0xDFFF

0x1080 -- 0xE0FF

0x107f -- 0x21FF

0x107e -- 0x22FF

0x107d -- 0x23FF

0x107c -- 0x24FF

0x107b -- 0x25FF

0x107a -- 0x26FF

0x1079 -- 0x27FF

0x1078 -- 0x28FF

0x1077 -- 0x29FF

0x1076 -- 0x2AFF

0x1075 -- 0x2BFF

0x1074 -- 0x2CFF

0x1073 -- 0x2DFF

0x1072 -- 0x2EFF

0x1071 -- 0x2FFF

0x1070 -- 0x30FF

0x106f -- 0x31FF

0x106e -- 0x32FF

0x106d -- 0x33FF

0x106c -- 0x34FF

0x106b -- 0x35FF

0x106a -- 0x36FF

0x1069 -- 0x37FF

0x1068 -- 0x38FF

0x1067 -- 0x39FF

0x1066 -- 0x3AFF

0x1065 -- 0x3BFF

0x1064 -- 0x3CFF

0x1063 -- 0x3DFF

0x1062 -- 0x3EFF

0x1061 -- 0x3FFF

0x1060 -- 0x40FF

0x105f -- 0x01FF

0x105e -- 0x02FF

0x105d -- 0x03FF

0x105c -- 0x04FF

Link to comment
Share on other sites
MrKev

MrKev

Posted
Posted

Reassuringly, your new values also follow my 'pattern' :D

Using the pair '0x105c -- 0x04FF' as as example...

1. Take the High byte and the Low byte from the calibration word, e.g. 0x105c gives 0x10 and 0c5c

2. XOR them together. In this example: 0x4c

3. Add the value in the Check byte, 0x04 in this example, gives 0x50.

The result will be one of the following, for all the values you've given me so far: 0x50, 0x70, 0x90, 0xB0

I would imagine from that that results of 0x10, 0x30, 0xD0 and 0xF0 are also possible, and you just havn't come up with them yet.

So that means for any specified value for the calibration, I can calculate back to 1 of 8 possible values for the check byte, but I'm sure there's a way of working out which of the 8 it should be.

How's that looking so far?

Kev

Link to comment
Share on other sites
CwazyWabbit

CwazyWabbit

Posted
Posted

Reassuringly, your new values also follow my 'pattern' :D

Using the pair '0x105c -- 0x04FF' as as example...

1. Take the High byte and the Low byte from the calibration word, e.g. 0x105c gives 0x10 and 0c5c

2. XOR them together. In this example: 0x4c

3. Add the value in the Check byte, 0x04 in this example, gives 0x50.

The result will be one of the following, for all the values you've given me so far: 0x50, 0x70, 0x90, 0xB0

I would imagine from that that results of 0x10, 0x30, 0xD0 and 0xF0 are also possible, and you just havn't come up with them yet.

So that means for any specified value for the calibration, I can calculate back to 1 of 8 possible values for the check byte, but I'm sure there's a way of working out which of the 8 it should be.

How's that looking so far?

Kev

That's looking very good as it covers both styles of pattern :) It also looks like the sort of algorithm that would have been simple for the original developer to immplement with a low performance overhead.

Now if only we can work out how to decide which one of 8 it should be, when I brute forced some of the values I tried nearly all of the 256 values before getting the right one, so I think we can safely assume there aren't multiple valid checksums for one value.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We use cookies to ensure you get the best experience. By using our website you agree to our Cookie Policy

  I accept