Description of the KW-71 Protocol
1. Background
The exchange protocol called KeyWord Protocol KW-71 describes the interaction
of a diagnostic system (DS) with the electronic control units of BMW cars
produced before 1995. These include models E30, E32, E34 and E36.
The physical implementation of the protocol (ISO 9141) is based on the
interaction of two lines, called K and L. The K line is bidirectional: data
can be transferred on it both from the DS to the car and from the car to the
DS. The L line is unidirectional: data on it is transmitted only from the
diagnostic system to the car.
Serial data transmission on the K and L lines is compatible with the common
RS232C protocol. The signal levels on these lines are different: logical "0"
corresponds to the line being shorted to ground, and logical "1" to the line
being pulled up to 12 V.
2. Getting started. The Wake-Up procedure
2.1. Requesting the availability of the diagnosed unit
All diagnosed electronic units are connected in parallel to the car's
diagnostic bus: the EBU (ECM), ABS, instrument panel, airbag, etc. All of them
remain inactive until the DS activates the unit it is going to diagnose.
The procedure for activating the desired unit (Wake-Up) is as follows:
Each diagnosed unit in the car has, and knows, its own unique code (address).
For example, the engine EBU has address 0x10.
If the DS is going to connect to the EBU, then to "wake" the unit it sends
this address on the L line as a serial code. The DS must transmit it at a very
low speed. The address is sent with the following channel settings:
Speed 5 baud, 7 data bits, odd parity, 1 stop bit.
It is not difficult to see that, when the DS addresses the EBU, listening on
the L line shows the following:
1. Shorted to ground for 1000 ms;
2. Released for 200 ms;
3. Shorted for 600 ms;
4. Waiting in the released state ...
This is the timing diagram generated by a diagnostic system in which the
L line is connected through a signal-level converter to the DTR (or RTS) pin
of a COM port.
Now we know why it is this way and not otherwise.
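The four-step timing diagram above follows directly from the channel settings. This added example (not part of the original description) frames an address at 5 baud with 7 data bits, odd parity and 1 stop bit and merges equal bits into line segments; the function names and the LSB-first bit order of ordinary asynchronous serial framing are assumptions of the example.

```python
BIT_MS = 1000 // 5  # 5 baud -> one bit lasts 200 ms


def wakeup_bits(address):
    """Start bit, 7 data bits (LSB first), odd parity bit, stop bit."""
    if not 0 <= address <= 0x7F:
        raise ValueError("address must fit in 7 data bits")
    data = [(address >> i) & 1 for i in range(7)]
    parity = 1 - (sum(data) % 2)  # odd parity: total count of ones is odd
    # 0 = line shorted to ground, 1 = line released (pulled up)
    return [0] + data + [parity] + [1]


def line_segments(bits):
    """Merge equal consecutive bits into (level, duration_ms) segments."""
    segments = []
    for bit in bits:
        if segments and segments[-1][0] == bit:
            segments[-1] = (bit, segments[-1][1] + BIT_MS)
        else:
            segments.append((bit, BIT_MS))
    return segments


def wakeup_timing(address):
    """Segments seen on the L line before it returns to the released state."""
    segments = line_segments(wakeup_bits(address))
    # The last segment always ends with the stop bit (level 1) and is
    # indistinguishable from the idle line, so it is dropped here.
    return segments[:-1]


if __name__ == "__main__":
    for level, ms in wakeup_timing(0x10):
        print("shorted " if level == 0 else "released", ms, "ms")
```

For address 0x10 the result is 1000 ms shorted, 200 ms released, 600 ms shorted, which is exactly steps 1 to 3 of the list.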
All inactive units permanently listen on the L line. If a unit receives an
address that does not match its own, it continues to listen to the line
without taking any action. If a unit receives an address that matches its own,
it sends three bytes on the K line, whose meaning is explained below.
2.2. The response of the diagnosed unit. Line speed check.
So, the electronic unit of the vehicle with which the DS is trying to
establish a link sends three service bytes on the K line. The K-line settings
for this are the following:
Speed 9600 baud, 8 data bits, no parity, 1 stop bit.
All further exchanges between the DS and the diagnosed unit take place on the
K line with these settings until the session is completed.
This applies at least to DME / DDE units, but some units (for example,
AIRBAG) require the DS to address them over the L line, with the K line used
to transfer data to the DS.
Consider now the three bytes with which the unit informs the DS of its
availability. For KW-71/BMW these bytes are as follows:
Byte number   Content   Purpose
1             0x55      Speed-check marker, alternating bits 01010101
2             0x00      KeyWord - LSB (low byte)
3             0x81      KeyWord - MSB (high byte)
So, the first byte is the line speed-check marker, a "checkerboard" pattern.
Its important property is that any mismatch between the transmit and receive
speeds distorts the byte. Thus, having received the first byte, the DS is
satisfied that the diagnosed unit is "awake" and is transmitting at the speed
at which the DS is going to work.
The next two bytes are the KW-71 protocol keyword. They confirm that the
diagnosed unit really works with this protocol. For other car manufacturers
the keyword may be different; the one given here is for BMW.
The diagnostic system, having received the three bytes from the unit and made
sure that their content matches what is expected, must send a confirmation:
one byte, which is the bitwise inversion of the last of the three received
bytes, 0x7E.
At this point the initialization process ends and the exchange of information
packets between the DS and the unit begins.
It should be noted that the "awakened" unit does not wait for the
confirmation forever, but only for a short time (half a second). If no
response is received from the DS in that time, the diagnosed unit goes back
to "sleep".
3. The structure of the information packet
As described above, after initialization the DS and the diagnosed unit begin
exchanging information packets. Packets transmitted by the DS and by the
diagnosed unit have the same structure.
Each party sends a packet in response to a packet from the other side.
Neither side starts sending its next packet until it has received a packet
from the other party.
The general structure of a KW-71 data packet is the following:
Byte number   Name                   Description
1             Packet length          Number of bytes transmitted after this byte
2             Packet number          Running sequence number of the packet within
                                     the connection session
3             Command code           Command code, or the type of data
4 .. N        Data                   Packet data (if present)
N+1           End-of-packet marker   Always has the value 0x03
The purpose of each byte in the packet:
Packet length: this byte contains a value one less than the actual length of
the packet (that is, the number of bytes in the packet that follow this
byte);
Packet number: the value of this byte in each packet transmitted in the
exchange channel is one more than in the previous packet (since it is
transferred in a single byte, the packet following packet number 255 is
numbered 0);
Command code: this byte determines the purpose of the packet and has a
predefined value, discussed below;
Data: the required number of data bytes transferred in the packet. In a
packet without data this field is not transmitted, and the length field of
such a packet contains the value 3;
End-of-packet marker: the constant 0x03, meaning the end of the packet.
4. Interaction between the parties when transmitting a packet
To protect against possible failures, a packet is not sent as a continuous
stream of bytes; the exchange is carried out in a more complex manner.
The transmission of each byte of a packet ends with waiting for confirmation
of its reception from the receiving party. The receiving party answers every
received byte with its bitwise inversion. This algorithm ensures reliable
delivery of the packet to the recipient. On the other hand, it reduces the
overall exchange speed, which was one of the reasons for the transition to a
new protocol in 1995, but that is not our subject this time.
The receiving party's answer should be sent with some delay (about 5 ms), but
the delay must not exceed 250 ms; otherwise the exchange must stop.
The next byte of a packet is sent only after the confirmation of the previous
byte has been received.
It should be noted that the receiving party does not send a confirmation
after receiving the last byte of the packet, the 0x03 marker.
Instead, it should send the first byte of its response packet.
5. Maintaining the connection
Let us illustrate the interaction of the two sides with a simple example: the
exchange of "empty" commands (code 0x09).
This exchange keeps the diagnosed unit active (maintains the connection)
until the DS issues a command to carry out some action, such as reading or
erasing faults, status parameters, or a self-test.
The empty command is a packet four bytes long:
<0x03> <NN> <0x09> <0x03>
The first byte, 0x03, is the packet length: 4 - 1 = 3;
The second byte is the packet sequence number (increases by 1 in each packet);
The third byte is the code 0x09 (empty command);
The fourth byte, 0x03, is the end-of-packet marker.
The interaction of the DS and the EBU in this exchange is as follows:
DS    EBU   Comment
03          Command length
      FC    Confirmation
22          Packet number
      DD    Confirmation of the packet number
09          Code of the empty command
      F6    Confirmation
03          End-of-packet marker
            DS waits for the next packet from the EBU for no more than 250 ms
      03    Command length
FC          Confirmation
      23    Packet number
DC          Confirmation
      09    Code of the empty command
F6          Confirmation
      03    End-of-packet marker
            EBU waits for the next packet from the DS for no more than 250 ms
03
      FC    Confirmation
24          Packet number
And so on ...
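The packet layout of section 3 and the byte-by-byte confirmation of section 4 can be combined to reproduce the exchange table above. This is an added example, not part of the original description; the function names are assumptions, and the timing limits (about 5 ms, at most 250 ms) are not modelled.

```python
END = 0x03    # end-of-packet marker
EMPTY = 0x09  # code of the empty command


def build_packet(number, command, data=b""):
    """The length byte counts every byte that follows it."""
    body = bytes([number & 0xFF, command]) + bytes(data) + bytes([END])
    if len(body) > 0xFF:
        raise ValueError("packet too long for a one-byte length field")
    return bytes([len(body)]) + body


def invert(byte):
    """Bitwise inversion used as the per-byte confirmation."""
    return ~byte & 0xFF


def exchange(sender, receiver, packet):
    """Wire transcript of one packet as (party, byte) pairs."""
    log = []
    for i, byte in enumerate(packet):
        log.append((sender, byte))
        if i < len(packet) - 1:  # the final 0x03 marker is not confirmed
            log.append((receiver, invert(byte)))
    return log


def keepalive(first_number, packets):
    """Alternate empty commands between DS and EBU, DS sending first."""
    log, number = [], first_number
    for i in range(packets):
        sender, receiver = ("DS", "EBU") if i % 2 == 0 else ("EBU", "DS")
        log += exchange(sender, receiver, build_packet(number, EMPTY))
        number = (number + 1) & 0xFF  # packet 255 is followed by packet 0
    return log


if __name__ == "__main__":
    for party, byte in keepalive(0x22, 3):
        print(f"{party:>3}  {byte:02X}")
```

A receiver built the same way can treat any confirmation byte that is not the exact inversion of what it sent as a line fault and stop the exchange.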
6. The protocol's command set
Code      Description                               Packet format
Requests issued by the diagnostic computer (DS)
09        Continue transmission, empty command,     03 NN 09 03
          ACK
07        Read TC (faults)                          03 NN 07 03
05        Clear TC                                  03 NN 05 03
00        Request for identification (SG-ID)        03 NN 00 03
01        Read RAM                                  06 NN 01 LEN AH AL 03
          LEN - how many bytes to read; AH, AL - two bytes of the address
          in RAM / ROM
03        Read ROM
19        Read EEPROM
02        Write RAM                                 VarLen NN 02 LEN AH AL <DATA> 03
1A        Write EEPROM
04 (17)   Actuator activation (feedback)
06        Close the connection                      03 NN 06 03
08        Read DAC channel                          04 NN 08 CH 03
10        Read parametric data
11        List of parametric data
12        Request Snapshot                          03 NN 12 03
Answers issued by the diagnosed unit
09        Transmission finished, empty response,    03 NN 09 03
          confirmation ACK
0A (0B)   Command not supported, NACK               04 NN 0A ID 03
          ID - NN of the packet with the erroneous command
EC        Parametric data
EB        Confirmation of writing parametric data
F4        Snapshot
FD        Contents of RAM                           VarLen NN FD <DATA> 03
EF        Contents of EEPROM                        VarLen NN EF <DATA> 03
FE        Contents of ROM                           VarLen NN FE <DATA> 03
FB        Value of the DAC parameter                05 NN FB DH DL 03
F6        ASCII string of characters                VarLen NN F6 <string> 03
FC        Binary TC data                            08 NN FC <5 byte code> 03
                                                    04 NN FC 00 03 - no TC present
Command codes shown in bold are those verified to date.
The format of each command:
00 - Reading the identification of the diagnosed unit
The command is used to obtain the unit's identification as a sequence of
text strings.
In response to this command the unit sends the first string of its ID.
Command format:
03 NN 00 03
The unit's answer is an F6 packet containing an ASCII identifier string:
PLEN NN+1 F6 <string> 03
To get the next identification string, send command 09 - ACK.
The unit answers with the next F6 string packet until all strings have been
sent. Once all strings have been sent, the unit answers command 09 with the
same command 09 - ACK, thereby entering the connection-maintenance mode.
At the beginning of the connection, after the diagnosed unit has sent the
three bytes 55 00 81 and received from the DS the confirmation 7E of the last
byte, the unit sends, on its own initiative, the first packet containing the
first identification string.
For example, BOSCH MOTRONIC 3.1 sends something like this:
0D 01 76 35 30 34 30 30 32 31 36 32 30 03
We see here the ASCII codes of "5040021620". In fact, the string is written
back to front and should be read as follows: 0261200405. This is the
identifier of MOTRONIC version 3.1 for the E34. Depending on the unit
manufacturer, the number and length of the identification strings differ.
For the M3.1 described above there are 5 strings:
0261200405 - BOSCH Hardware Nr
1267356203 - BOSCH Software Nr
1730575 - BMW Hardware Nr
001 - BMW Software Nr
849 - Production Code
For the Siemens MS40 DME unit there are only two such strings.
• Do not forget that the numbers are transmitted in the packets back to front.
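A receiver should check the framing of a packet before trusting its contents. The following added example (not part of the original description; the names are assumptions) validates the length byte and the 0x03 marker and then decodes the identification string from the sample packet quoted above. It does not interpret the code byte, which is 0x76 in that sample.

```python
END = 0x03  # end-of-packet marker


class PacketError(ValueError):
    """Raised when a received packet violates the KW-71 framing rules."""


def parse_packet(raw):
    """Validate the framing and return (number, code, data)."""
    if len(raw) < 4:
        raise PacketError("shorter than the minimal 4-byte packet")
    if raw[0] != len(raw) - 1:
        raise PacketError("length byte does not match the bytes that follow")
    if raw[-1] != END:
        raise PacketError("missing 0x03 end-of-packet marker")
    return raw[1], raw[2], bytes(raw[3:-1])


def id_string(raw):
    """Decode an identification packet; the string arrives back to front."""
    _number, _code, data = parse_packet(raw)
    if not all(0x20 <= b < 0x7F for b in data):
        raise PacketError("identification data is not printable ASCII")
    return data.decode("ascii")[::-1]


# The sample packet quoted in the text above.
SAMPLE = bytes.fromhex("0D 01 76 35 30 34 30 30 32 31 36 32 30 03")

if __name__ == "__main__":
    number, code, data = parse_packet(SAMPLE)
    print(f"packet {number:02X}, code {code:02X}, id {id_string(SAMPLE)}")
```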
01 - Reading RAM
The command is used to obtain the contents of the diagnosed unit's internal
memory.
Command format:
06 NN 01 LEN AH AL 03
Parameters:
LEN - how many bytes of RAM we want to read;
AH - high byte of the RAM address from which data is to be read;
AL - low byte of the address.
The response of the diagnosed unit to the command:
If the command works, the unit responds with a packet of type FE containing
the data read, as follows:
PLEN NN+1 FE <DATA> 03
Clearly, the length of the packet depends on how much data was requested in
the command.
If the unit is unable (or unwilling) to report the contents of its memory at
the addresses indicated, it sends a 0A packet instead - command not
supported:
04 NN 0A 01 03
The penultimate byte of the NACK packet (01) means that the response was
issued to command 01.
03, 19 - Reading ROM, reading EEPROM
These commands have the same format as command 01. The format of the unit's
response matches as well. The difference is in which memory area is being
read.