AVT 852 Commands and Trifecta Tuning

For discussion and distribution of custom code and hacks
morecircles
Posts: 4
Joined: Mon Mar 02, 2015 2:07 am
cars: 2010 Cobalt SS LNF

AVT 852 Commands and Trifecta Tuning

Post by morecircles »

Hello, I come from the land of Cobalt SS's. We have a tuner, Trifecta performance, that does remote tuning for our vehicles. The interface box they provide is an AVT 852 unit, which is used for both flashing our ECUs and datalogging. Unfortunately, the logs provided by the software are encrypted and only viewable by Trifecta.

I sniffed the serial stream the Trifecta software sends to the AVT-852 to understand what the software is doing. Some of the commands it sends were cross referenced to the AVT-852 manual. However, a lot of the commands Trifecta sends are not documented. I know there is a supposed to be a second volume to the AVT-852 documentation. Does anybody have this?

This is what Trifecta sends to the AVT-852: http://pastebin.com/PYLNUPPJ
and the corresponding responses to the commands above: http://pastebin.com/BFauv3SJ

Further, I have pasted below what I believe is the stream of CAN frames sent by the vehicle, via the AVT-852 interface. Where can I find documentation on the CAN bus frame structure so I can successfully parse this data into meaningful information? I noticed within the data there are a lot of repeating patterns. I believe each represents a CAN bus frame, correct?

Code: Select all

22 5F 3B 06 00 07 E8 7F AA 78 22 5F 13 0B 00 05
 E8 FE 00 0C A2 00 E1 89 00 22 5F 13 0B 00 05 E8
 FD 31 01 5D 0D 2A 77 00 22 5F 13 0B 00 05 E8 FC
 11 03 02 0B 00 00 00 22 5F 13 0B 00 05 E8 FB 64
 07 7E 2A 37 00 00 22 5F 13 0B 00 05 E8 FA 00 01
 3C 28 7F 00 00 22 5F 13 0B 00 05 E8 F9 00 00 32
 F7 8D 00 00 22 5F 13 0B 00 05 E8 F8 00 80 00 00
 86 00 00 22 5F 13 0B 00 05 E8 F7 92 00 5B 5E 32
 00 00 22 5F 13 0B 00 05 E8 F6 28 01 95 32 00 00
 00 22 5F 13 0B 00 05 E8 F5 28 01 07 24 3E 00 00
 22 5F 13 0B 00 05 E8 FE 00 0C 83 00 E0 8A 00 22
 5F 13 0B 00 05 E8 FD 31 01 5D 0D 2A 77 00 22 5F
 13 0B 00 05 E8 FC 11 03 04 0B 00 00 00 22 5F 13
 0B 00 05 E8 FB 64 07 73 2A 37 00 00 22 5F 13 0B
 00 05 E8 FA 00 01 3C 28 7E 00 00 22 5F 13 0B 00
 05 E8 F9 00 00 32 F7 8D 00 00 22 5F 13 0B 00 05
 E8 F8 00 80 00 00 86 00 00 22 5F 13 0B 00 05 E8
 F7 93 00 5B 5E 32 00 00 22 5F 13 0B 00 05 E8 F6
 28 01 95 32 00 00 00 22 5F 13 0B 00 05 E8 F5 28
 00 DC 24 3E 00 00 22 5F 13 0B 00 05 E8 FE 00 0C
 83 00 E1 8A 00 22 5F 13 0B 00 05 E8 FD 31 01 5D
 0D 2A 77 00 22 5F 13 0B 00 05 E8 FC 11 03 07 0B
 00 00 00 22 5F 13 0B 00 05 E8 FB 64 07 85 2A 37
 00 00 22 5F 13 0B 00 05 E8 FA 00 01 3C 28 7E 00
 00 22 5F 13 0B 00 05 E8 F9 00 00 32 F7 8D 00 00
 22 5F 13 0B 00 05 E8 F8 00 80 00 00 86 00 00 22
 5F 13 0B 00 05 E8 F7 93 00 47 5E 32 00 00 22 5F
User avatar
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: AVT 852 Commands and Trifecta Tuning

Post by antus »

What commands are you trying to figure out?

Yes that block does look like a bunch of small can packets, including length byte from the AVT. Ive got less experience with can than vpw but it should batch the doco.

Code: Select all

0B 00 05 E8 FE 00 0C A2 00 E1 89 00 22 5F 13 
0B 00 05 E8 FD 31 01 5D 0D 2A 77 00 22 5F 13
I think it'll be something like 0B=payload length, 000 is an address (broadcast?), 5E8 is another address (tool or pcm?) FE 00 0C A2 00 E1 89 00 22 5F 13 is the 0B bytes. Thats just off the top of my head, but it'll be something like that.

I do have the second AVT manual but I was asked not to release it. It covers the security API of the cable and has nothing to do with normal vehicle bus access.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
User avatar
Jayme
Posts: 2585
Joined: Sun Mar 01, 2009 8:59 am
Location: North Coast, NSW

Re: AVT 852 Commands and Trifecta Tuning

Post by Jayme »

22 5F 13.JPG
22 5F 13.JPG (21.18 KiB) Viewed 9936 times
the 22 5F 13 is an error code relating to the avt having trouble with multi frame responses.
User avatar
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: AVT 852 Commands and Trifecta Tuning

Post by antus »

Beat me to it. Just getting ready for work and thinking the 22 5F sounded like an error code.

So
0B = length
00 = another status code?

05 E8 FE 00 0C A2 00 E1 89 00 = 0B bytes payload where

05E = source can ID?
8FE = target can ID (or vice versa)

and followed by 22 5F 13 = Can0 Unknown frame error.

And the AVT has processed and stripped the checksums.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
User avatar
Jayme
Posts: 2585
Joined: Sun Mar 01, 2009 8:59 am
Location: North Coast, NSW

Re: AVT 852 Commands and Trifecta Tuning

Post by Jayme »

nah. its
0B length
00 Avt config Byte (00 means 11 bit ID's Can 0 Channel)
05 E8 = destination.
FE = this packet is the contents of DPID FE
rest = Data from PID's


so its just a logging packet. the software sets up the DPID's and tell the pcm what PID's to put into each DPID Byte. then it asks the pcm to send them non-stop and it listens.

Code: Select all

22 5F 3B 
06 00 07 E8 7F AA 78 
22 5F 13 
0B 00 05 E8 FE 00 0C A2 00 E1 89 00 
22 5F 13 
0B 00 05 E8 FD 31 01 5D 0D 2A 77 00 
22 5F 13 
0B 00 05 E8 FC 11 03 02 0B 00 00 00 
22 5F 13 
0B 00 05 E8 FB 64 07 7E 2A 37 00 00 
22 5F 13 
0B 00 05 E8 FA 00 01 3C 28 7F 00 00 
22 5F 13 
0B 00 05 E8 F9 00 00 32 F7 8D 00 00 
22 5F 13 
0B 00 05 E8 F8 00 80 00 00 86 00 00 
22 5F 13 
0B 00 05 E8 F7 92 00 5B 5E 32 00 00 
22 5F 13 
0B 00 05 E8 F6 28 01 95 32 00 00 00 
22 5F 13 
0B 00 05 E8 F5 28 01 07 24 3E 00 00
22 5F 13 
0B 00 05 E8 FE 00 0C 83 00 E0 8A 00 
22 5F 13 
0B 00 05 E8 FD 31 01 5D 0D 2A 77 00 
22 5F 13 
0B 00 05 E8 FC 11 03 04 0B 00 00 00 
22 5F 13
0B 00 05 E8 FB 64 07 73 2A 37 00 00 
22 5F 13 
0B 00 05 E8 FA 00 01 3C 28 7E 00 00 
22 5F 13 
0B 00 05 E8 F9 00 00 32 F7 8D 00 00 
22 5F 13 
0B 00 05 E8 F8 00 80 00 00 86 00 00 
22 5F 13 
0B 00 05 E8 F7 93 00 5B 5E 32 00 00 
22 5F 13 
0B 00 05 E8 F6 28 01 95 32 00 00 00 
22 5F 13 
0B 00 05 E8 F5 28 00 DC 24 3E 00 00 
22 5F 13 
0B 00 05 E8 FE 00 0C 83 00 E1 8A 00 
22 5F 13 
0B 00 05 E8 FD 31 01 5D 0D 2A 77 00 
22 5F 13 
0B 00 05 E8 FC 11 03 07 0B 00 00 00 
22 5F 13 
0B 00 05 E8 FB 64 07 85 2A 37 00 00 
22 5F 13 
0B 00 05 E8 FA 00 01 3C 28 7E 00 00 
22 5F 13 
0B 00 05 E8 F9 00 00 32 F7 8D 00 00
22 5F 13 
0B 00 05 E8 F8 00 80 00 00 86 00 00 
22 5F 13 
0B 00 05 E8 F7 93 00 47 5E 32 00 00
User avatar
Jayme
Posts: 2585
Joined: Sun Mar 01, 2009 8:59 am
Location: North Coast, NSW

Re: AVT 852 Commands and Trifecta Tuning

Post by Jayme »

also, those pastebins you sent. at a glance, they look like the software trying to ID the pcm. every command that doesnt start with zero, is a command to the AVT to set it up. it goes through a whole lot of CAN setup stuff, then tries to talk to the pcm for a few packets, then gives up and resets the AVT, then goes through a different CAN config, then talks a bit more.
morecircles
Posts: 4
Joined: Mon Mar 02, 2015 2:07 am
cars: 2010 Cobalt SS LNF

Re: AVT 852 Commands and Trifecta Tuning

Post by morecircles »

Hello everyone. Thank you for your responses.

As all of you can figure, I am fairly ignorant in these matters but definitely up for learning. Can you guys recommend some literature for me to flip through to gain a better understanding of what is going on?

Right now, at the very minimum, I would like to understand in detail what the Trifecta software is sending to the AVT-852 interface so that I can replicate it in my own software. Afterwards, I'd obviously like to parse the data into something human readable.

A bit of background about myself: I am an mechanical engineering student that has taken a few electronics courses on control theory, analog electronics, basic programming, microcontrollers.
User avatar
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: AVT 852 Commands and Trifecta Tuning

Post by antus »

I cant recommend anything better than the AVT manual and reading the data off the wire. Its all in there. Google any terms and protocols as you need and you should be able figure it out.

Keep in mind that the flash process is probably proprietary though, so you may be able to figure out the initialisation, but then its going to get hard.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
morecircles
Posts: 4
Joined: Mon Mar 02, 2015 2:07 am
cars: 2010 Cobalt SS LNF

Re: AVT 852 Commands and Trifecta Tuning

Post by morecircles »

Hello Antus, I have been cross referencing the manual with the packets Trifecta sends to the unit. The following commands were not listed in the AVT-852 manual, but I found traces of information in the Master Commands and Responses PDF. I am not sure whether or not these descriptions are accurate as the file seems to pertain to their older interfaces. If you can provide more information, please let me know.

Code: Select all

 
 94 01 12 17 08	Command Acknowledged???
 51 60	Reserved ???
 55 60 09 DC 6A 0F	Reserved ???
 54 61 00 80 04	Read User Space ???
 54 61 00 84 04	Read User Space ???
 54 61 00 88 04	Read User Space ???
 54 61 00 8C 04	Read User Space ???
 52 60 00	Reserved ???

User avatar
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: AVT 852 Commands and Trifecta Tuning

Post by antus »

How are you collecting that data? I dont think you are interpreting it correctly. I think you might have lost sync and be looking a mid parts of can messages, not AVT commands. 50 60 and 50 60 00 look like the same fragment, just with the break in different places. Just the same I dont think you can rely on the start being the start either. The AVT commands are in the manual, so if they dont line up then there is a problem with your process.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
Post Reply