Communication Protocols

KWP2000
Notes: - Everything posted here is based on a USDM 2006 Nissan 350z 5AT. While I doubt that anything here will be incorrect, there's always a chance that something might be different across vehicles. - It would appear that all modules communicate with a tester address of 0xFC - Do NOT attempt to send these commands yourself. These SIDs are only listed here for reference when programming applications that will communicate with the ECU. - The KWP2000 Full SID Tree is a GENERAL TREE! So not every listed SID will be supported by one of the following modules.

Following Modules Communicate via KWP2000;  ECU - Destination Address 
 * ECU - 0x10
 * TCM - 0x18
 * ABS - 0x28
 * SRS - 0x58

Full SIDs Tree

 * $09 - Request VIN (and more?)
 * $10 - Diagnostic Session Control
 * $11 - ECU Reset
 * $12 - Read Freeze Frame Data
 * $13 - Read DTCs
 * $14 - Clear DTC Information
 * $17 - Read Status of DTCs
 * $18 - Read DTCs by Status
 * $1A - Request ECU ID
 * $20 - Stop Diagnostic Session
 * $21 - Read Data by LID
 * $22 - Read Data by CID
 * $23 - Read Memory by Address
 * $26 - Set Data Rates
 * $27 - Security Access
 * $2C - Dynamically Define Data
 * $2E - Write Data by CID
 * $2F - I/O Control by CID
 * $30 - I/O Control by LID
 * $31 - Start Routine by LID
 * $32 - Stop Routing by LID
 * $33 - Request Routine Results by LID
 * $34 - Request Download
 * $35 - Request Upload
 * $36 - Transfer Data
 * $37 - Request Transfer Exit
 * $38 - Start Routine by Address
 * $39 - Stop Routine by Address
 * $3A - Request Routine Results by Address
 * $3B - Write Data by LID
 * $3D - Write Memory by Address
 * $3E - Tester is Present
 * $80 - "Escape Code (Not Part of DSS; KWP2000 Only)"
 * $81 - Start Communication
 * $82 - Stop Communication
 * $83 - Access Timing Parameters
 * $A0 - Unknown EEPROM Functionality
 * $A2 - Read DTCs
 * $A3 - Read DTCs
 * $A4 - ?
 * $AC - Request Dynamic LID
 * $BF - RAM Jump

SID Tree

 * $09 - Request VIN
 * $11 - ECU Reset
 * $12 - Read Freeze Frame Data
 * $14 - Clear DTC Information
 * $1A - Request ECU ID
 * $20 - Stop Diagnostic Session
 * $21 - Read Data by LID
 * $22 - Read Data by CID
 * $27 - Security Access
 * $30 - I/O Control by LID
 * $31 - Start Routine by LID
 * $32 - Stop Routing by LID
 * $33 - Request Routine Results by LID
 * $34 - Request Download
 * $35 - Request Upload
 * $36 - Transfer Data
 * $37 - Request Transfer Exit
 * $3B - Write Data by LID
 * $3E - Tester is Present
 * $80 - ?
 * $81 - Start Communication
 * $82 - Stop Communication
 * $83 - Access Timing Parameters
 * $A0 - Unknown EEPROM Functionality
 * $A3 - Read DTC's
 * $A4 - ?
 * $AC - Request Simply Dynamic LID
 * $BF - RAM Jump

SID Analysis
Abbreviations;
 * TID - Tester ID
 * DA - Destination Address
 * LID - Local ID
 * CID - Common ID

 $09 - Request VIN (And more?) 
 * $09 ? -

 $11 - ECU Reset 
 * $11 80 - Backup RAM Reset

 $12 - Read Freeze Frame Data 
 * $12 ? -

 $14 - Clear DTCs 
 * $14 - Clear all Temporary and Permanent DTCs

 $1A - Request ECU ID 
 * $1A 80 - Returns ECU Distinction Flags : These are ROM flags, not sure on functionality.
 * $1A 81 - Request ECU ID : Ex. Returns "Z1CF48D"
 * $1A 82 - Returns ECU ID and "A Hard Distinction Number"
 * $1A 83 - Sets the RAM flag that allows you to request the CVN. : After sending 83, you can then send just $1A and it will return the CVN. (Figure out why it's not happy)

 $20 - Stop Diagnostic Session 

 $21 - Read Data by LID 
 * $21 LID XX XY - XX = 4 or 6 | XY = 1?

 $22 - Read Data by CID 

 $27 - Security Access 
 * $27 01 - RequestSeed : ECU returns 32bit seed
 * $27 02 - SendKey : host sends back key calculated with algorithm 01

 $30 - I/O Control by LID 
 * $30 LID XX XY - [XX = Value | XY = 00(BEGIN) or FF(END)]

LIDs:
 * 01 - Coolant Temperature Control
 * 02 - AFR Base (STFT or LTFT?) Control
 * 03 - Ignition Timing Control
 * 09 - Purge Volume Control Valve Control
 * 0A - Fuel Temperature Control
 * 19 - Intake VVT Control
 * 2D - Fuel Pump Control

Notes; - You must END each control before changing the value. (Unconfirmed)

 $31|$32|$33 - Start/Stop Routine and Request Results by LID 
 * $31 LID FF FF - Starts the Routine. [LID has upper limit of 0x0C | Do note that key reprogramming requires you to replace "FF FF" with the PIN Code.]
 * $32 LID - Stops the Routine.
 * $33 LID - Returns the Results from the Routine.

LIDs:
 * 01 - Key Reprogramming
 * 02 - Clear Learned Idle Data
 * 03 - Idle Relearn
 * 04 - Clear Learned ETC Data
 * 05 - Clear Backup Freeze Frame Data
 * 06 - Clear ECU Self Learns
 * 07 - Factory Idle Relearn
 * 08 - Stop AFR Learning and AFR Feedback Control [Caution: Uncertain Functionality]

Notes; - You MUST request $32 after sending $31. The routine control will not end until you stop the request with $32. While not confirmed, it's possible that the routine control will continue operating until either $32 is sent OR a hard reset occurs.

- After Reprogramming Keys: 1. Turn key off and remove key 2. Insert key and turn to on position for 5 seconds 3. Turn key off for 5 seconds 4. Remove key and repeat step for any other keys you want to pair

- Idle Relearn Errors: 1. "7F 32 78" - ECU Busy 2. "62 11 01 3C" - Coolant Temperature Too Low

 $34 - Request Download 
 * $34 80 - RequestDownload : prepare stuff
 * $34 81 - Only available inside BL kernels ? Or just some ECUIDs ?
 * $34 82 - Only available inside BL kernels ? Or just some ECUIDs ?
 * $34 83 - ?

 $35 - Request Upload 

 $36 - Transfer Data 
 * $36 BLOCKNO_H BLOCKNO_L 20 ... - TransferData

 $37 - Request Transfer Exit 
 * $37 CKS_H CKS_L - RequestTransferExit. Returns "7F 37 91" if the checksum is bad.

 $3B - Write Data by LID 
 * $3B LID XX XY - [XX = Value | XY = 00(1st Step), 55(2nd Step), or FF(Final Step)]

LIDs:
 * 01 - Ignition Timing Adjustment
 * 02 - Idle RPM Adjustment

Notes: - $3B requires three requests, with XY going through each value listed above. (UNCONFIRMED)

 $3E - Tester is Present 
 * $3E - Keeps the ECU communicating with the tester, needs to be periodically sent. (Interval???)

 $80 - ? 

 $81 - Start Communication 
 * $81 10 FC 81 - CF48D Start Communication Sequence
 * $81 DA TID 81 - DA = Destination Address (0x10 for ECU) | TID = Tester ID (0xFC)

 $82 - Stop Communication 

 $83 - Access Timing Parameters 
 * $83 FC 10 C1 5D 8F - CF48D Access Timing Parameters Sequence
 * $83 TID DA XX XY XZ - Formatting [WIP]

 $A0 - Unknown EEPROM Functionality 
 * $A0 01 - Returns "0xE0 0x01 0x55"
 * $A0 02 - Returns two messages "0x7F 0xA0 0x78" and "0xE0 0x02 0x55"
 * $A0 03 - Caused the fuel pump to prime continuously, CC light to start flashing, TCS OFF SLIP lights to turn on, and threw a bunch of DTC's for the ECU that could be cleared without cycling ignition. (intake VVT solenoid DTC's too)
 * $A0 05 - ECU Reset maybe?
 * $A0 01 -
 * $A0 02 -
 * $A0 03 -
 * $A0 05 -
 * $A0 06 -
 * $A0 31 -
 * $A0 33 -
 * $A0 35 -
 * $A0 36 -
 * $A0 37 -
 * $A0 50 -
 * $A0 61 -
 * $A0 70 -

 $A3 - Read DTCs 
 * $A3 - Read all Temporary and Permanent DTCs

''' $A4 - ? '''

 $AC - Create Custom LID 
 * $AC LID FieldType FieldData - Full Example Formatting.
 * $AC 81 02 CIDH CIDL - Adds CID to LID.
 * $AC 81 83 XX XY XZ XX1 - Adds ROM/RAM Address to LID. Formatting is a full (four bytes) address. so 0xFFFF1234 or 0x00001234 for RAM/ROM.
 * $AC 81 02 11 02 83 FF FF 12 34 - Example: Adds CID 1102 and RAM Address 0xFF1234 to LID 81.

LIDs:
 * 81

Field Types:
 * 01 - LID (Appears like it's not limited to 0x0C)
 * 02 - CID
 * 83 - Memory Address (ROM/RAM)

 $BF - RAM Jump 
 * $BF 00 - RAM Jump Check
 * $BF 01 - RAM Jump

SID Trees
Notes: - Since the TCM supports $10 - Diagnostic Session Control, different SIDs will be made available for different diagnostic modes. - Until stated otherwise, the following lists are NOT ACCURATE. I need to go out and manually verify which SIDs are supported in which modes.

Full SID Tree

 * $10 - Diagnostic Session Control
 * $11 - ECU Reset
 * $12 - Read Freeze Frame Data
 * $14 - Clear DTC Information
 * $1A - Request ECU ID
 * $20 - Stop Diagnostic Session
 * $21 - Read Data by LID
 * $22 - Read Data by CID
 * $23 - Read Memory By Address
 * $27 - Security Access
 * $2C - Dynamically Define Data
 * $31 - VERIFY
 * $34 - Request Download
 * $35 - Request Upload
 * $36 - Transfer Data
 * $37 - Request Transfer Exit
 * $3B - VERIFY
 * $3E - Tester is Present
 * $81 - Start Communication
 * $82 - Stop Communication
 * $83 - Access Timing Parameters
 * $A2 - Read DTCs
 * $A3 - Read DTCs (VERIFY!)
 * $A4 -
 * $AC - Request Dynamic LID

$10 81 SID Tree

 * $10 - Diagnostic Session Control
 * $11 - ECU Reset
 * $12 - Read Freeze Frame Data
 * $14 - Clear DTC Information
 * $1A - Request ECU ID
 * $20 - Stop Diagnostic Session
 * $21 - Read Data by LID
 * $22 - Read Data by CID
 * $23 - Read Memory By Address
 * $27 - Security Access
 * $2C - Dynamically Define Data
 * $31 - VERIFY
 * $34 - Request Download
 * $35 - Request Upload
 * $36 - Transfer Data
 * $37 - Request Transfer Exit
 * $3B - VERIFY
 * $3E - Tester is Present
 * $81 - Start Communication
 * $82 - Stop Communication
 * $83 - Access Timing Parameters
 * $A2 - Read DTCs
 * $A3 - Read DTCs (VERIFY!)
 * $A4 -
 * $AC - Request Dynamic LID

 $10 81 SID Analysis  Abbreviations;
 * TID - Tester ID
 * DA - Destination Address
 * LID - Local ID
 * CID - Common ID

 $10 - Diagnostic Session Control 
 * $10 81 - Normal Diagnostic Session
 * $10 84 - ?
 * $10 85 - ECU Reprogramming Session
 * $10 86 - ?
 * $10 87 - ?
 * ...Any others?

 $11 - ECU Reset 
 * $11 01 - Hard ECU Reset

 $14 - Clear DTCs 
 * $14 - Clear all DTCs

 $27 - Security Access 
 * $27 81 - Request Seed
 * $27 82 - Request Key

 $A2 - Read DTCs 
 * $A2 - Read all Temporary and Permanent DTCs

$10 84 SID Tree

 * $10 - Diagnostic Session Control
 * $11 - ECU Reset
 * $12 - Read Freeze Frame Data
 * $14 - Clear DTC Information
 * $1A - Request ECU ID
 * $20 - Stop Diagnostic Session
 * $21 - Read Data by Local Identifier
 * $22 - Read Data by Common Identifier (Data Identifiers (DID) Range From 0 - 65535)
 * $23 - Read Memory By Address
 * $27 - Security Access
 * $2C - Dynamically Define Data
 * $31 - VERIFY
 * $34 - Request Download
 * $35 - Request Upload
 * $36 - Transfer Data
 * $37 - Request Transfer Exit
 * $3B - VERIFY
 * $3E - Tester is Present
 * $81 - Start Communication
 * $82 - Stop Communication
 * $83 - Access Timing Parameters
 * $A2 - Read DTCs
 * $A3 - Read DTCs (VERIFY!)
 * $A4 -
 * $AC - Request Dynamic LID

 $10 84 SID Analysis  Abbreviations;
 * TID - Tester ID
 * DA - Destination Address
 * LID - Local ID
 * CID - Common ID

 $10 - Diagnostic Session Control 
 * $10 81 - Normal Diagnostic Session
 * $10 84 - ?
 * $10 85 - ECU Reprogramming Session
 * $10 86 - ?
 * $10 87 - ?
 * ...Any others?

$10 85 SID Tree

 * $10 - Diagnostic Session Control
 * $11 - ECU Reset
 * $12 - Read Freeze Frame Data
 * $14 - Clear DTC Information
 * $1A - Request ECU ID
 * $20 - Stop Diagnostic Session
 * $21 - Read Data by LID
 * $22 - Read Data by CID
 * $23 - Read Memory By Address
 * $27 - Security Access
 * $2C - Dynamically Define Data
 * $31 - VERIFY
 * $34 - Request Download
 * $35 - Request Upload
 * $36 - Transfer Data
 * $37 - Request Transfer Exit
 * $3B - VERIFY
 * $3E - Tester is Present
 * $81 - Start Communication
 * $82 - Stop Communication
 * $83 - Access Timing Parameters
 * $A2 - Read DTCs
 * $A3 - Read DTCs (VERIFY!)
 * $A4 -
 * $AC - Request Dynamic LID

 $10 85 SID Analysis  Abbreviations;
 * TID - Tester ID
 * DA - Destination Address
 * LID - Local ID
 * CID - Common ID

 $10 - Diagnostic Session Control 
 * $10 81 - Normal Diagnostic Session
 * $10 84 - ?
 * $10 85 - ECU Reprogramming Session
 * $10 86 - ?
 * $10 87 - ?
 * ...Any others?

 $27 - Security Access 
 * $27 01 - Request Seed
 * $27 02 - Request Key

$10 86 SID Tree

 * $10 - Diagnostic Session Control
 * $11 - ECU Reset
 * $12 - Read Freeze Frame Data
 * $14 - Clear DTC Information
 * $1A - Request ECU ID
 * $20 - Stop Diagnostic Session
 * $21 - Read Data by Local Identifier
 * $22 - Read Data by Common Identifier (Data Identifiers (DID) Range From 0 - 65535)
 * $23 - Read Memory By Address
 * $27 - Security Access
 * $2C - Dynamically Define Data
 * $31 - VERIFY
 * $34 - Request Download
 * $35 - Request Upload
 * $36 - Transfer Data
 * $37 - Request Transfer Exit
 * $3B - VERIFY
 * $3E - Tester is Present
 * $81 - Start Communication
 * $82 - Stop Communication
 * $83 - Access Timing Parameters
 * $A2 - Read DTCs
 * $A3 - Read DTCs (VERIFY!)
 * $A4 -
 * $AC - Request Dynamic LID

 $10 86 SID Analysis  Abbreviations;
 * TID - Tester ID
 * DA - Destination Address
 * LID - Local ID
 * CID - Common ID

 $10 - Diagnostic Session Control 
 * $10 81 - Normal Diagnostic Session
 * $10 84 - ?
 * $10 85 - ECU Reprogramming Session
 * $10 86 - ?
 * $10 87 - ?
 * ...Any others?

$10 87 SID Tree

 * $10 - Diagnostic Session Control
 * $11 - ECU Reset
 * $12 - Read Freeze Frame Data
 * $14 - Clear DTC Information
 * $1A - Request ECU ID
 * $20 - Stop Diagnostic Session
 * $21 - Read Data by Local Identifier
 * $22 - Read Data by Common Identifier (Data Identifiers (DID) Range From 0 - 65535)
 * $23 - Read Memory By Address
 * $27 - Security Access
 * $2C - Dynamically Define Data
 * $31 - VERIFY
 * $34 - Request Download
 * $35 - Request Upload
 * $36 - Transfer Data
 * $37 - Request Transfer Exit
 * $3B - VERIFY
 * $3E - Tester is Present
 * $81 - Start Communication
 * $82 - Stop Communication
 * $83 - Access Timing Parameters
 * $A2 - Read DTCs
 * $A3 - Read DTCs (VERIFY!)
 * $A4 -
 * $AC - Request Dynamic LID

 $10 87 SID Analysis  Abbreviations;
 * TID - Tester ID
 * DA - Destination Address
 * LID - Local ID
 * CID - Common ID

 $10 - Diagnostic Session Control 
 * $10 81 - Normal Diagnostic Session
 * $10 84 - ?
 * $10 85 - ECU Reprogramming Session
 * $10 86 - ?
 * $10 87 - ?
 * ...Any others?

Possible Steps for Reflashing
Notes: - Outside of programming mode, (only?)ARB ID's 81 and 82 are accessible for $27. Inside of programming mode, (only?) ARB ID's 01 and 02 are accessible. $27 81 - Request Security Seed $27 82 - Request Security Key $10 85 - Put TCM in Reprogramming Mode npdisc - You have to disconnect and reconnect to the TCM nc - Connect $27 01 - Request Security Seed $27 02 - Request Security Key $31 E1 - RAM Download Check Routine (???) $31 E1 - Flash Download Check Routine (???) $31 E0 - Flash Erase Routine $3B 9A - Write Software Fingerprint (Not sure on functionality here) $34 - Request Download (Request transfer of new data to TCM) $36 - Transfer Data (Actually transfer said data) $37 - Request Transfer Exit (End transfer of data, might need to repeat $34, $36, $37 until all the data has been sent.) $11 01 - ECU Reset (Hard reset is required after the TCM has been put into reprogramming mode)

SID Tree

 * $14 - Clear DTC Information
 * $1A - Read ECU ID
 * $21 - Read Data by LID
 * $22 - Read Data by CID
 * $30 - I/O Control by LID
 * $3E - Tester is Present
 * $A3 - Read Time of DTC's
 * $A4 - ?
 * $AC - Request Dynamic LID

Notes; - Not the official list

Safety Restraint System (SRS)
Notes: - Nisprog can't maintain a connection yet. Not sure why, when NDS2 has no issues.

SID Tree

 * $14 - Clear DTC Information
 * $1A - Read ECU ID
 * $22 -
 * $A2 - Read DTC's

SID Analysis
Abbreviations;
 * TID - Tester ID
 * DA - Destination Address
 * LID - Local ID
 * CID - Common ID
 * CIDH - CID High Byte (12 for CID 1200)
 * CIDL - CID Low Byte (00 for CID 1200)

 $14 - Clear DTCs 
 * $14 - Clear all Temporary and Permanent DTCs

Notes - Cannot clear recorded faults (According to NDS2)

 $1A 
 * $1A 80' - Returns "30 00"

 $22 - Read Data by CID 
 * $22 12 01 04 01 - Returns "FA 51"
 * $22 CIDH CIDL 04 01 - Formatting

 $A2 - Read DTCs 
 * $A2 00 - Current Faults?
 * $A2 01 - Past Faults?
 * $A2 02 - Recorded Faults?

UDS on CAN
Following modules communicate via UDS on CAN (Presumably); ECU - CAN ID - Tester
 * BCM - 0x745 - 0x765
 * IPDM - 0x74D - 0x76D
 * ? - 0x71E - ?
 * ? - 0x75B - ?

UDS Full SID Tree

 * $10 - Diagnostic Session Control
 * $11 - Reset ECU
 * $19 - Read DTCs
 * $21 - Read Data by LID
 * $22 - Read Data by CID
 * $27 - Security Access
 * $2E - Write Data by DID
 * $31 - Start Routine by LID
 * $32 - Stop Routine by LID
 * $33 - Request Routine Results by LID
 * $34 - Request Download
 * $35 - Request Upload
 * $36 - Request Transfer Data
 * $37 - Request Transfer Exit

MISC

 * 1) 1st row = KWP address
 * 2) 2nd row = Tester to ECU CANID corresponding to ECU KWP address
 * 3) 3rd row = ECU to Tester CANID corresponding to ECU KWP address

03,7E4,7EC 05,7E4,7EC 09,7E3,7EB 0A,784,78C 12,7E0,7E8

14,7E0,7E8 15,7E0,7E8 16,7E0,7E8 19,7E1,7E9 1E,748,768

24,75D,77D 27,707,727 2B,740,760 2D,70E,70F 2E,73F,761

30,742,762 33,73D,73E 35,753,773 36,701,721 3A,73D,73E

41,710,730 44,78E,78F 47,74D,76D 48,745,765 4B,75B,77B

55,723,735 5C,754,774 63,743,763 67,792,793 6F,74E,76E

72,75C,77C 77,790,791 7A,7E0,7E8

83,747,767 85,708,728 90,7E5,7ED 93,79B,7BB 95,797,79A 9B,744,764

A1,74C,76C A2,74F,76F A3,709,729 A4,759,779 A7,713,733

C8,73C,73D

F8,70B,72B