az1324 said: Will devices such as 4001, 5001 only respond to certain addresses? Anyone written a tool to brute force dump all possible "table headers"?
In my testing, devices will respond to any address. Syd wrote something to scan all the tables, but I've never used it myself. He did a lot of the first work injecting data on the bus, where I did a lot of the work just listening to it. If someone writes something, you can scan addresses 00XX01 to get the table format, as I mentioned before. Then you'll know how big that table is, rather than scanning rows that don't exist. Some tables seem to be in common with all devices (tables 02 and 03) and some tables seem to be for specific devices. The tables we know of are:
2001: 01, 02, 03, 04, 04, 30, 31, 32, 34, 39, 3b, 3c, 3d, 3e, 3d
5001: 01, 02, 03, 05, 3e
4001: 01, 02, 03, 04
We'll need to compare all of these between people's different devices.
I suggest timing your requests so they don't overwhelm the network, and I think when I experimented with it I had an adjustable "quiet" timer where I would wait for 500-1000ms before injecting anything.
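The scan order and quiet timer described in the post above, sketched as an added example that is not part of the original thread or anyone's actual tool. It plans reads of the 00XX01 format addresses against recorded bus timestamps. The function names, the `reply_ms` allowance and the sample traffic are assumptions, and XX is taken to be the table number in hex.

```python
# Table ids per device as listed in the post (repeated ids collapsed).
KNOWN_TABLES = {
    "2001": ["01", "02", "03", "04", "30", "31", "32", "34",
             "39", "3b", "3c", "3d", "3e"],
    "5001": ["01", "02", "03", "05", "3e"],
    "4001": ["01", "02", "03", "04"],
}


def format_addresses(tables):
    """Address 00XX01 is read to get the format of table XX."""
    return [f"00{t.lower()}01" for t in dict.fromkeys(tables)]


def all_format_addresses():
    """Full sweep of 00XX01 for XX = 00..ff, for a device with unknown tables."""
    return [f"00{t:02x}01" for t in range(256)]


def plan_sends(traffic_ms, addresses, quiet_ms=500, reply_ms=100):
    """Return [(send_time_ms, address)] with every send placed only after
    the bus has been idle for quiet_ms.

    traffic_ms: sorted timestamps (ms) of frames seen from other devices.
    reply_ms:   assumed time our request and its reply occupy the bus.
    """
    plan = []
    last_activity = 0
    i = 0
    for addr in addresses:
        send_at = last_activity + quiet_ms
        # Any frame seen before the timer expires restarts the quiet timer.
        while i < len(traffic_ms) and traffic_ms[i] <= send_at:
            last_activity = max(last_activity, traffic_ms[i])
            send_at = last_activity + quiet_ms
            i += 1
        plan.append((send_at, addr))
        last_activity = send_at + reply_ms
    return plan


if __name__ == "__main__":
    constructed_traffic = [0, 200, 900, 1000, 3000]  # constructed sample, ms
    for when, addr in plan_sends(constructed_traffic,
                                 format_addresses(KNOWN_TABLES["4001"])):
        print(f"{when:6d} ms  read {addr}")
```

Once a format read comes back, the row scan for that table can be limited to the size it reports, using the same quiet-timer gate.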