Add to collection(s) Add to saved
  1. No category
Uploaded by Ihab Osman

2004 Jeep Grand Cherokee VPW J2178 1

advertisement 
2004 Jeep Grand Cherokee VPW J2178 1 & 2 Byte Header Format Messaging
Physical HEX Addresses of known Modules (used for 2nd byte in 2 byte header
commands and some 1 byte header messages):
A0 = Drivers Door Module (DDM)
A1 = Passenger Door Module (PDM))
68 = Electronic Vehicle Information Center (EVIC)
40 = Body Control Module (BCM)
One byte header HEX messages used by EVIC (CRC byte not shown):
Note: These can be sent over the OBD2 interface with an ELM327 device, by setting the
first 3 bytes as “header” bytes using the AT SH command, but require more than 3 bytes
total to allow sending the remainder as data bytes. There are other OBD2 hardware
devices, such as the Multiplex Engineering T21 interface, that will allow sending less
than 4 bytes. Not all modules will react upon receiving these 1 byte header messages.
Those modules that do react may put additional data on the bus in response but it will not
be a “response message”. These are the type of messages that modules use to send data
on the PCI bus and are what will be seen when monitoring the bus with an ELM327
using the AT MA command. Injecting a single message, on a live bus over OBD2, may
not produce a noticeable result because it may be overwhelmed by similar periodic
messages that are present. For instance sending a new outdoor temperature (ODT)
message may get lost among those being sent by the BCM from the actual ODT sensor.
A repetitive loop may be needed to see the result.
Turn Signal Status (2nd byte)
1F A0 00 = Left turn signal on
1F 60 00 = Right turn signal on
1F E0 00 = Return to center (required to cancel previous turn msgs)
1F 20 00 = Inactive (20 = Parking Brake ON, this will also cancel previous turn msgs)
Odometer
72 00 00 00 00 = 0 miles
72 37 62 2A 01 = (High word*65536 + Low word)/8000 = 116,147 miles
Ignition Elapsed ON Time
7E 02 10 16 = (HR:MIN:SEC) = 2:16:22 (since last battery disconnect?)
Outside Air Temperature
CC 4B 7B = (High byte*256 + Low byte)/256 –70 C = 5.48 degC = 41.86 degF
Distance to Empty
A0 02 52 = (High byte*256 + Low byte)/10 = 60 miles
1
Fuel Efficiency
90 00 77 00 00 = High word/10 = 11.9 mpg avg
= 0 mpg inst = Low word/10 (not used by EVIC)
Liquid Level Status (2nd byte)
54 80 00 = Coolant low
54 40 00 = Washer fluid low
54 00 00 = Fluid levels OK
The liquid level msgs also work with four bytes, the last being 00
Ignition Switch Status (4th byte)
5A 00 00 00 = Ign Sw OFF
5A 00 00 02 = Ign Sw ACC
5A 00 00 08 = Ign Sw ON
Light and Dimming
60 FF 84 = Lighting (FF = Max Brightness, 84 = Electronic Display ON (bit 3 = 1))
Rear Door Ajar Status (2nd byte)
5A 00 00 00 = All rear doors closed
5A 04 00 00 = LR Door Open
5A 08 00 00 = RR Door Open
5A 0C 00 00 = LR + RR door Open
5A 10 00 00 = Lift gate open
5A 20 00 00 = Lift glass open
5A 30 00 00 = Lift gate + Lift glass open
5A 3C 00 00 = All rear doors open
Front Door Ajar Status (4th byte)
23 A0 00 0C = Driver door opened (does 04 also work?)
23 A0 00 08 = Driver door closed
23 A0 00 00 = No change
23 A1 00 0C = Passenger door opened (does 04 also work?)
23 A1 00 08 = Passenger door closed
23 A1 00 00 = No change
Turn signal ‘ON’ will display in EVIC after 1 mile of driving. To simulate this first issue
an Odometer message of 0 miles to initialize the EVIC. Then issue a turn signal msg
followed by an Odometer message of >= 1 mile followed by another turn signal msg as
follows:
72 00 00 00 00
1F A0 00
72 00 00 1F 41
1F A0 00
2
To cancel the display, issue a turn signal message of either:
1F E0 00
1F 20 00
To repeat the above it is necessary to turn the EVIC off and then on to reinitialize it or
advance Odometer msg by one mile. However, the display can be toggled from left turn
signal to right turn signal by issuing the message 1F 60 00 or 1F A0 00 prior to the cancel
message.
To display a liquid level low warning, issue the appropriate liquid level message at any
time. To turn off the display, issue the msg 54 00 00. The Coolant low warning will
display any time but the Washer low warning will only display once for each time the
EVIC is initialized by turning off and then on.
A door ajar ‘OPEN’ can be displayed any time but must be followed by a closed message
to cancel the display.
EVIC display status messages (4th byte)
45 FB 00 00 = Trip miles
45 FB 00 01 = Avg mpg
45 FB 00 03 = Miles to empty
45 FB 00 04 = Time elapsed
45 FB 00 05 = C/T
45 FB 00 07 = Blank
45 FB 00 08 = Miles to service
45 FB 00 09 = Warning display (Door ajar, Low liquid levels, Turn signal on)
45 FB 00 0A = Menu of user programmable options
Passenger door module messages:
The PDM power window function, including hard wired switch, requires an Ign Sw ON
and a Window Lock OFF msg as prerequisites.
Ign Sw ON (4th byte)
5A 00 00 08
Window Lock Status (4th byte)
23 A0 00 00 = OFF
23 A0 00 01 = ON
23 A0 00 02 = OFF
The above prerequisites must be present in a repeating loop (50 ms/line and 50 ms/loop
works well) in order for the hard wired PDM window switch to be operable.
The following ELM327 commands work well for this loop:
3
AT R0 (necessary to prevent the interface from locking up)
AT SH 5A 00 00
08
AT SH 23 A0 00
00
AT R1
This command loop closes a relay in the PDM that powers the rear window switch UP
and DOWN wires (allowing window operation with those switches) and illuminates the
LEDs in the passenger and rear door window switches.
DDM to PDM Window message (3rd byte)
23 A0 10 00 = Pass Window Up (last byte can also be 02)
23 A0 20 00 = Pass Window Down (last byte can also be 02)
23 A0 40 00 = Pass Rear Window Up (last byte can also be 02)
23 A0 80 00 = Pass Rear Window Down (last byte can also be 02)
The Ign Sw ‘ON’ msg must be present in a repeating loop (50 ms/line and 50 ms/loop
works well) in order for the PDM to respond to a DDM window msg.
The PDM lock/unlock function is always available and responds to the following msgs
from the DDM:
DDM to PDM Lock Function (3rd byte)
22 A0 01 00 = Lock
22 A0 04 00 = Unlock
The PDM is responsible for locking/unlocking all doors except the driver’s door.
PDM Power Mirror messages from DDM (2nd byte)
47 00 00 = Neutral (no voltage present)
47 01 00 = Horizontal Left (- voltage relative to white common wire)
47 02 00 = Horizontal Right (+ voltage relative to white common wire)
47 04 00 = Vertical Up (- voltage relative to white common wire)
47 08 00 = Vertical Down (+ voltage relative to white common wire)
RKE Module Key Fob Messages
Key Fob message IDs (Lock/Unlock/Panic):
00/10/20 = 1st key fob
40/50/60 = 2nd key fob
80/90/A0 = 3rd key fob
C0/D0/E0 = 4th key fob
4
Key fob messages (3rd byte where ## = ID from above)
22 A1 ## 00 = Panic button first press
22 A1 00 00 = Panic button second press
22 A1 (##+9) 00 = Lock button pressed
22 A1 (##+4) 00 = Unlock button pressed
When the panic button is first pressed it adds 20 to any lock/unlock messages that are
issued until the button is pressed again or otherwise canceled. The panic mode will be
automatically canceled if a vehicle speed >= 25 mph is reached. This can be simulated
with the following message:
10 5d c0 19 00 60 = (RPM word/4, VSS word/128, MAP) = 6000 rpm, 50 kph, 96 kPa
RKE Key Fob Programming (adds up to four key fobs)
See separate document for detailed method, but the following are the commands:
Step 1) 24 A1 31 00 YY ZZ (puts PDM into programming mode)
Step 2) 24 A1 31 XX YY ZZ (selects memory slot 1 thru 4)
Step 3) Press key fob Lock or Unlock button until locks respond (adds key fob to selected
memory slot and completes programming for that key fob)
01 <= XX <= 04
YY and ZZ can be anything and don’t appear to be used
Entering anything greater than 04 for XX results in Not Supported response:
26 A1 7F 31 12 00
The ZZ value does not matter but something must be entered or msg will be ignored and
NO DATA will be returned.
Responses to above commands are:
26 A1 71 00 YY E0 followed by CRC byte
26 A1 71 XX YY E0 followed by CRC byte
Repeat the above three steps for each key fob to be added, incrementing XX accordingly.
The following RKE command may be useful (I don’t know for what) but isn’t needed:
24 A1 33 XX YY ZZ
00 <= XX <= 04
YY and ZZ can be anything
5
Response to the above command is:
26 A1 73 XX YY VV
VV is initially 00 until programming mode has been entered. VV may be 00, 08,
28, E3 or E4 depending on value of XX and something else that I haven’t figured
out.
Entering anything greater than 04 for XX results in Not Supported response:
26 A1 7F 33 12 00
When the programming command is first issued the assigned key fob ID is initially 00/10
but will revert, eventually, to whatever was previously programmed ???.
Other messages of interest
EVIC Chime message (3rd byte)
45 FA 20 05 = Chime ON
45 FA 00 05 = Chime OFF
5A (Door ajar status) (Unknown) (Ign sw status)
“Unknown” has been observed to be 40 or 41
A4 56 = Fuel tank level = 34% = Byte/256
1A 00 00 00 83 = Cruise control = (TPS%, MPH Setpoint, Status, Unknown)
Status: Cruise ON = 02, Brake ON = 04
5D XX YY YY ZZ ZZ = Distance & Engine running data
XX = Distance pulses
YY YY = Injector pulse width
ZZ ZZ = Fuel used
C0 BC 00 2E 2E = Engine gauge data =
45 00 00 XX = EVIC display state msgs (4th byte)
XX = 00 Trip miles
XX = 01 Avg mpg
XX = 03 Miles to empty
XX = 04 Time elapsed
XX = 05 C/T
XX = 07 Off (i.e. no display)
XX = 08 Miles to service
XX = 09 Warning messages such as Door ajar
XX = 0A Menu mode
6
33 00 = Driver Seat belt status: Buckled =21, Unbuckled = 20
Note: Pass Seat belt is not wired for detection and monitoring
42 00 00 = Last Ign OFF duration
Radio msgs:
8D 0F XY = Radio status:
X = 2 when ON, X = 0 when OFF
Y = 0, 1, 3 depending on mode (AM, FM, CD, etc)
3D 11 XX YY = Steering Wheel Radio Buttons
YY = 02 Change mode, 80 Change channel, 00 no change
XX = 02 Dec volume, 04 Inc volume, 00 no change
XX = 10 Fine tune +, 20 Fine tune -, 00 no change
7
When the user programmable features of the EVIC are manually selected the module
sends the following messages:
Auto door lock (3rd byte)
D3 01 5A 52 54 = Yes (lnb = 1010) (lnb = low nibble bits)
D3 01 56 52 54 = No (lnb = 0110)
Remote unlock (3rd byte)
D3 01 55 52 54 = Driver door 1st (lnb = 0101)
D3 01 56 52 54 = All doors (lnb =
0110)
Sound horn with lock (3rd byte)
D3 01 96 52 54 = Yes (hnb = 1001) (hnb = high nibble bits)
D3 01 56 52 54 = No (hnb = 0101)
Auto unlock on exit (5th byte)
D3 01 56 52 A4 = Yes (hnb = 1010)
D3 01 56 52 94 = No (hnb = 1001)
Flash lights with locks (4th byte)
D3 01 56 52 54 = Yes (lnb = 0010)
D3 01 56 51 54 = No (lnb = 0001)
Headlamp delay (4th byte)
D3 01 56 52 54 = Off (bits = 0101 0010)
D3 01 56 66 54 = 30 s (bits = 0110 0110)
D3 01 56 6A 54 = 60 s (bits = 0110 1010)
D3 01 56 6E 54 = 90 s (bits = 0110 1110)
Low fuel chime (5th byte)
D3 01 56 52 94 = Yes (hnb = 1001)
D3 01 56 52 54 = No (hnb = 0101)
The following user programmable features are internal to the EVIC and don’t result in a
message being sent:
Service interval (2000, 4000, 6000)
Language (English, )
Units (US, Metric) ??? (the service manual states that this affects the Instrument gauge
display)
Reset service interval YES/NO
Upon initialization, when first powered on the EVIC sends the above message for the
current state of programming.
8
If everything was at its lowest state the message would be:
D3 01 55 51 54
If everything was at its highest state the message would be:
D3 01 9A 6E A4
In addition the following message is sent:
D3 02 00 01 00
Brake messages:
35 01 08 = Brake OFF
35 01 0C = Brake ON
Park/Neutral Shifter Position:
35 01 00 = Park/Neutral
35 01 40 = Other
4 Wheel Drive Shifter Position:
92 21 00 = 2 Wheel
92 22 00 = 4 Wheel PT
92 23 00 = 4 Wheel FT
92 24 00 = Neutral
92 25 00 = 4 Wheel LO
Parking brake msg:
1F 00 00 = ON
1F 20 00 = OFF
Speed Control msg:
1A 00 00 XX YY
XX = 00 Brake OFF, 04 Brake ON, 02 Cruise ON
YY = 6F Park/Neutral, 67 Other
Also:
35 01 08 = Cruise OFF
35 05 08 = Cruise ON
Seat Heaters:
D5 00 = OFF
D5 03 = Pass High
D5 05 = Pass Low
D5 30 = Drivers High
D5 50 = Drivers Low
9
Front Wipers (there are no msgs generated by Rear Wiper):
33 00
33 02
33 04
33 20 = OFF ?
33 24
Also
6A 00 00 = OFF (this is always 00 except when front wipers have been actuated)
6A 00 10
6A 00 20
6A 00 40 (related to Washer + Wiper)
Headlights:
60 FF 84 = OFF
60 FF C4 = ON
60 FF E4 = Auto ?
Various 2 byte Header Format Request Messages and Responses
EVIC Compass Heading
24 68 22 26 00 00 00
26 68 62 00 XX 08
XX = 00 or FB (N)
XX = E9 (NW)
XX = 15 (NE)
XX = 71 (S)
XX = 61 (SE)
XX = 81 (SW)
PDM door ajar count
24 A1 22 28 3D 00
26 A1 62 XX YY 00
PDM lock switch count
24 A1 22 28 30 00
26 A1 62 XX YY 00
PDM PCL
24 A1 22 20 05 00
26 A1 62 41 00 00 (41 = ‘A’)
DDM request msgs are the same as PDM except substitute A0 for A1
10
Related documents
take-home test
take-home test
Name: ID: King Fahd University of Petroleum & Minerals
Name: ID: King Fahd University of Petroleum & Minerals
Download
advertisement