[rimwall]

Fantastic! Thanks for helping out @badbutte, @seagrass, @aero901 !

Follow these steps:
1. Download Freediag
2a. Edit the freediag.ini file so it contains the following:

set
interface dumb
port \\.\COM1 (this needs to be the COM port that is assigned to your USB cable)
speed 10400
l1protocol iso14230
l2protocol iso14230
initmode fast
testerid 0xf0
destaddr 0x40
addrtype phys
up
help
debug l1 0x8c (only include this if you want detailed debugging info)

2b. Connect the cable to your laptop (USB) and the car (OBD port). Turn the key in the ignition to 'on' (no need to start it). No need to worry about green connectors.
3. Run freediag using a command prompt (run 'cmd' from windows start menu, navigate to the folder that holds freediag and enter 'freediag')
4. Enter 'diag'
5. Enter 'connect'
6. To send a command to the BIU enter 'sr [command]' where command is described below.
7. When finished, enter 'disconnect' and 'quit'

Sending commands.

• the commands and responses are described here
• freediag will tell you the hexadecimal response from the BIU

You can help by
a) seeing if the command works (do you get the expected response?) and
b) going through the bytes and bits of the response data to see if it matches the current state of your car, then change something (eg: open a door) and run the command again. Does the response change? Which bytes/bits?
c) by doing the above helping to figure out some of the bytes/bits that are still unknown

In particular try command 0x21 0x53 because once we figure out what the bytes / bits mean, we will then be able to use a different command to customise your car setup (eg: do you want to turn on/off the horn beep that happens with central locking, or do you want to turn on/off the seatbelt buzzer)

@badbutte - freediag (the freeware comms software) won't work with a Tactrix. The good news is that it will work with any cheapo VAG-COM USB to OBD cable from eBay. Just need to get the cable, install its drivers and then freediag should work fine.

@seagrass - you're all good to go. It will be really interesting to see whether the responses across Outbacks, Imprezas etc are consistent. So far I've only been able to try a Gen3 Outback.

@aero901 - you should be good to go when the VAG-COM cable arrives.

Once we get these more boring commands/responses working and accurate we can move on to more exciting ones like registration of new parts and keys.

 

[badbutte]

I do have a vag com cable somewhere, but Tactrix lives on the odb atm.
I have 2 cars we can work on, both 05s. 2.5 NA 5sp and an XT with the slush box.

 

[kiwisix]

@rimwall I’m happy to help so will try these steps out. Wondering if it would help or is possible to sniff data from another app that reads the BIU to correlate addresses? The app I’m thinking of is Cascade that I have on an old laptop that can read albeit not write BIU some notes at Software Scan Tool - Cascade 0.9.4.

 

[TheCaddyMan99]

You wouldn't happen to know where the immobilizer data in a 2010 Imprezza gauge cluster is, would you?

 

[rimwall]

Thanks @kiwisix! Let me know what sort of BIU responses you get.

I had a quick look at the github source of Cascade. Not much documentation, but I searched the code to find the details of the serial commands / responses. Couldn't find anything. Why? At a guess, this looks like a software emulation of the CPU in the HiScan Pro tool. Perhaps they extracted the tool's ROM and then they feed the ROM into a software emulation of the tool's CPU. Does that sound right? If so, this unfortunately means all the commands / responses are still 'hidden' in the tool's ROM. If so, then, yes, sniffing would get the commands. Sniffing an SSM-III unit should also work. I don't have a sniffing setup, but someone else might?

 

[rimwall]

On the question from @TheCaddyMan99 ... from what I've worked out so far, the BIU and CM (combination meter) share a 'pairing code', but it doesn't seem like this has any relevance to the immobilizer. The BIU and ECU also share a different 'pairing code', and this one does influence the immobilizer. If the BIU / ECU pairing code doesn't match then the ECU cuts the fuel (aka 'the immobilizer').

 

[kiwisix]

@rimwall I was able to connect to the BIU with FreeDiag using your steps which was neat. Tried to grab DTC's with sr 0x18 I may have that wrong but received an error which I didn't keep unfortunately. However other commands worked. Is there any script or such to render the output bytes for analysis?

freediag/diag> sr 0x21 0x50
msg 00 src=0x40 dest=0xF0
msg 00 data: 0x61 0x50 0x00 0x00 0x41 0x20 0x44 0x00 0x00 0x40 0x00 0x10 0x01 0x00 0x17 0x00 0x00 0x80

freediag/diag> sr 0x21 0x40
msg 00 src=0x40 dest=0xF0
msg 00 data: 0x61 0x40 0x90 0x90 0x8E 0x90 0xF9 0xFA 0x45 0x80 0x1A 0x16 0x00 0x00

freediag/diag> sr 0x21 0x41
msg 00 src=0x40 dest=0xF0
msg 00 data: 0x61 0x41 0x00 0x00 0x15 0x01 0x00 0x40 0x16 0x00 0x00 0x43 0x01 0x00 0x07

freediag/diag> sr 0x21 0x52
msg 00 src=0x40 dest=0xF0
msg 00 data: 0x61 0x52 0x02 0x03 0x04

freediag/diag> sr 0x21 0x53
msg 00 src=0x40 dest=0xF0
msg 00 data: 0x61 0x53 0x30 0x1F 0x34 0x36

 

[rimwall]

Great stuff @kiwisix! Eventually I will customise freediag or nisprog to do all the response parsing automatically. In the meantime, here is an excel sheet. Just need to copy paste the response (as text) into the yellow boxes. I've done this for your data above. See Google Drive File

Let me know if any of the switches or values seem wrong. And try opening / closing doors, putting seatbelt on, turning lights on / off etc to see what changes and whether it matches. You can also get a passenger to run the commands while driving.

Is there a byte missing from the end of the response to 0x21 0x53?

 

[TheCaddyMan99]

On the question from @TheCaddyMan99 ... from what I've worked out so far, the BIU and CM (combination meter) share a 'pairing code', but it doesn't seem like this has any relevance to the immobilizer. The BIU and ECU also share a different 'pairing code', and this one does influence the immobilizer. If the BIU / ECU pairing code doesn't match then the ECU cuts the fuel (aka 'the immobilizer').

A pairing code? is that why the car won't start without cluster, or with a cluster that isn't paired to the BIU? You wouldn't happen to know anything about this pairing code and how I might be able to move it from one cluster to another. I'm trying to upgrade to the Impreza GT cluster with the coolant temp gauge, otherwise I'd just copy the contents of the original EEPROM to the new one. I've modified mileage to match what it was, it's just this hang up now

 

[rimwall]

@TheCaddyMan99 - copying the EEPROM is the current approach to set up a new CM. Editing the EEPROM is also typically how the mileage is set. I suppose that once the EEPROM of the new CM matches that of the old CM, the car will start.

I have found the BIU commands which I suspect are used to register a new CM. You can help out by trying them if you want. There are a few different commands which I am guessing is for different generations of CMs. Just need to be aware that trying out the commands may result in your BIU no longer being paired with your existing cluster.

To avoid this risk, best approach is probably a) make sure you can send / receive from the BIU using the approach above b) remove the existing CM c) copy the EEPROM contents of the existing CM as a backup d) copy the EEPROM contents of the existing BIU as a backup e) install the new CM f) try out the BIU commands g) if we can't get BIU commands to work, then use the BIU backup to restore the BIU EEPROM and the existing CM backup for the new CM EEPROM.

Some fiddling around, but probably no worse than the current approach. And potentially makes it far simpler for everyone that follows. Let me know if you want to try.

 

[rimwall]

Some examples from the FSM of what BIU comms should make possible...

 

[kiwisix]

Thanks @kiwisix! Let me know what sort of BIU responses you get.

I had a quick look at the github source of Cascade. Not much documentation, but I searched the code to find the details of the serial commands / responses. Couldn't find anything. Why? At a guess, this looks like a software emulation of the CPU in the HiScan Pro tool. Perhaps they extracted the tool's ROM and then they feed the ROM into a software emulation of the tool's CPU. Does that sound right? If so, this unfortunately means all the commands / responses are still 'hidden' in the tool's ROM. If so, then, yes, sniffing would get the commands. Sniffing an SSM-III unit should also work. I don't have a sniffing setup, but someone else might?

Yes that makes sense it seems Cascade emulates a hardware device in Windows. I had a look inside the 8MB Cascade/HiScan file ( "Asian Pack 2.bin") that works with my Subaru BIU as it contains most all the parameter wording when viewed with a hex editor. I know very little about reverse engineering binaries but anyways for fun tried to load this .bin file into Ghidra as Intel MCS-96 family (a guess from Cascade's Github page) but seems the file is the wrong size expected. I was hoping to see some reference between the parameter description addresses and the de-complied functions. Also ran the binary through BinWalk which produced nothing I understood aside 2779 .lha files (?) and 29 .bmp graphic illustrations to instruct auto techs how to connect diagnostic cables and such. After that I worked through the Cascade app to type out all of the parameters and values into a .txt file which is attached here if it helps. I'll continue to try out FreeDiag over the coming weeks too.

 

[rimwall]

Thanks @kiwisix. That's interesting. The txt file list of parameters is similar to what I had worked out. Some match exactly (like the volts, speed data) and some are similar but in a different order (like the list of input/output switches). The Cascade order looks exactly like the SSM-III order so I'm guessing whoever built the HiScan product did it by sniffing an SSM-III unit.

I couldn't find the file "Asian Pack 2.bin" on Cascade's repo - can you send a copy. MCS-96 looks like the right family. I can see if I can get Ghidra to unravel it.

A good way to compare would be to run Cascade, record the values and then immediately run the various freediag commands. Then we can compare switches etc to check for differences. I can do this too…where can I get a copy of the correct version of Cascade?

 

[kiwisix]

That's strange @rimwall I think I downloaded those files from the Cascade authors original fishpond website site that is no longer available however someone has re-shared on the first link of this Tiburon page including the .bin file referenced earlier. The same BIU parameter data can be found on GitHub in file C1_GK10B0ENG_101122_CD.HIS_EN.DAT which I've tested on the car. Yes I'm happy to compare to freediag are there any particular params to focus on?

 

[rimwall]

Thanks @kiwisix. Got Cascade and tried it, but no luck, probably because my cheapo cable has a CH340 chip (not FTDI). Ah well. Maybe I’ll get another cable - do you know any eBay sources that actually send a cable with an FTDI chip and not a knock-off? Plenty of them say FTDI but often they are not.

I managed to get Ghidra to load the whole file. After a quick look, I think this will be much slower than just running both cascade and freediag commands and comparing.

If you could try 0x21 0x50 first, that would be great. Thanks.

 

[TheCaddyMan99]

@TheCaddyMan99 - copying the EEPROM is the current approach to set up a new CM. Editing the EEPROM is also typically how the mileage is set. I suppose that once the EEPROM of the new CM matches that of the old CM, the car will start.

I have found the BIU commands which I suspect are used to register a new CM. You can help out by trying them if you want. There are a few different commands which I am guessing is for different generations of CMs. Just need to be aware that trying out the commands may result in your BIU no longer being paired with your existing cluster.

To avoid this risk, best approach is probably a) make sure you can send / receive from the BIU using the approach above b) remove the existing CM c) copy the EEPROM contents of the existing CM as a backup d) copy the EEPROM contents of the existing BIU as a backup e) install the new CM f) try out the BIU commands g) if we can't get BIU commands to work, then use the BIU backup to restore the BIU EEPROM and the existing CM backup for the new CM EEPROM.

Some fiddling around, but probably no worse than the current approach. And potentially makes it far simpler for everyone that follows. Let me know if you want to try.

I'd love to give it a shot, I can't see any harm. What interface/software do I need to communicate with this car? I have an FTDI cable that I used to use with my BMWs, If I need a different cable or interface for subarus, I'll get that.

 

[rimwall]

@TheCaddyMan99 - cool, sounds good, try the steps listed in post #161 above to see if the laptop / cable / car combination works for basic comms with the BIU (with the existing CM installed). @kiwisix has been using an FTDI cable (I think?) with freediag so hopefully your current cable works. One other thing - how different is the new CM to the original one? Is it from a higher spec car from the same model / generation? Just want to make sure it's not so different that it will be fundamentally incompatible. Once you have established basic comms with the BIU, we can try the specific BIU commands.

 

[rimwall]

@kiwisix - I had another look at the Asian Pack 2 ROM hoping that the order of items in the ROM would give clues as to the order the data is reported by the BIU. However, the ROM is in alphabetical order, so that feels like a dead end. It seems like comparing Cascade to freediag / Excel spreadsheet is the fastest option. Let me know how you go with this. I'll also try with whatever FTDI cable I can find on eBay.

 

[kiwisix]

Sorry meant to post this earlier, I'm using this USB cable with both FreeDiag and Cascade.

 

[rimwall]

Thanks @kiwisix. Checked out their site. Looks like a good quality cable... reasonably priced, FTDI based... but 47 Euros for shipping Did you get it from a supplier in Oz/NZ?