Software On ELM Street - OBD2 Software Development

antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: ELM327 Software Development

Post by antus »

Did you know that you can read a calibration with an ELM, but that nobody has implemented it yet? I found this while poking around in the factory bins. Factory tunes include a mode 23 request that returns 4 bytes from the requested address. The address must be in the calibration space. This can be done without VPW 4x, and without unlocking the PCM and uploading code, and the replies are small enough to work with the ELM. So the process would be something like:

1. read the OSID (block 10)
2. load a bin on the pc with the same OSID in to your buffer
3. send mode 23 requests for each block of 4 bytes through the whole calibration space, and overwrite the data in your buffer
4. save the buffer as complete bin

HPT COS have mode 23 removed (I think that's what OS mod lock is) and EFILive COS allow the read, but the addresses have not been extended to cover the whole calibration space, so it's impossible to get a complete and correct read. Thus factory tunes only (even though they are usually not locked anyway).

Send: 0x6D, 0x10, 0xF0, 0x23, AA, BB, CC, 0x01 - where AA BB CC is the address
If you get back 0x6C, 0xF0, 0x10, 0x7F then the request was denied (blocked address).

I implemented this on the AVT and it did work (very slowly). But I canned the idea as it seemed problematic when it was possible to do a much faster read with 4k packets at 4x (15 minutes for cal area only vs 1.5 mins for a whole bin). For a cheap way to read a tune on an elm though it might be worth it.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
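One way to implement the four-step read described in the post, as an added example rather than antus's AVT code. The request frame and the 7F denial come from the post; the layout of a positive reply (0x63, echoed address, 4 data bytes) and the simulated PCM are assumptions made so the code runs offline.

```python
# Added example (not the forum's or any project's code): the mode $23 cal read
# from the post: request frame, 7F denial check, 4-byte walk over the cal space
# and overlay into a bin loaded with the same OSID. Assumption: a positive reply
# is 6C F0 10 63 + echoed 3-byte address + 4 data bytes; the post documents only
# the request and the denial, so the PCM below is a constructed stand-in.
REQ_HDR = bytes([0x6D, 0x10, 0xF0])            # tester -> PCM, from the post
RSP_HDR = bytes([0x6C, 0xF0, 0x10])            # PCM -> tester, from the post
DENIED = RSP_HDR + bytes([0x7F])               # "request was denied (blocked address)"

def build_mode23_request(addr: int) -> bytes:
    """6D 10 F0 23 AA BB CC 01: read 4 bytes at the 24-bit address AA BB CC."""
    if not 0 <= addr <= 0xFFFFFF:
        raise ValueError("address must fit in 24 bits")
    return REQ_HDR + bytes([0x23]) + addr.to_bytes(3, "big") + bytes([0x01])

def parse_mode23_reply(reply: bytes):
    """(addr, 4 data bytes) for a positive reply, None when the PCM blocked it."""
    if reply[:4] == DENIED:
        return None
    if reply[:4] != RSP_HDR + bytes([0x63]) or len(reply) < 11:
        raise ValueError("unexpected reply: " + reply.hex())
    return int.from_bytes(reply[4:7], "big"), bytes(reply[7:11])

def simulate_pcm(request: bytes, flash: bytes, cal_space: range) -> bytes:
    """Constructed PCM: answers inside the calibration space, 7F elsewhere."""
    addr = int.from_bytes(request[4:7], "big")
    if request[3] != 0x23 or addr not in cal_space or addr + 4 > len(flash):
        return DENIED
    return RSP_HDR + bytes([0x63]) + request[4:7] + flash[addr:addr + 4]

def read_calibration(base_bin: bytes, cal_space: range, send) -> bytes:
    """Steps 3 and 4 of the post: walk the cal space 4 bytes at a time and
    overwrite those bytes in a copy of the OSID-matched base bin."""
    out = bytearray(base_bin)
    for addr in range(cal_space.start, cal_space.stop, 4):
        parsed = parse_mode23_reply(send(build_mode23_request(addr)))
        if parsed is None:
            raise RuntimeError("read blocked at 0x%06X" % addr)
        got_addr, data = parsed
        if got_addr != addr:
            raise RuntimeError("reply address mismatch at 0x%06X" % addr)
        out[addr:addr + 4] = data
    return bytes(out)

# Constructed demo: a 256-byte "flash" whose cal space (0x40-0x7F) differs from
# the all-zero base bin; only that region should change in the result.
FLASH = bytes(range(256))
BASE_BIN = bytes(256)
CAL = range(0x40, 0x80)
result = read_calibration(BASE_BIN, CAL, lambda req: simulate_pcm(req, FLASH, CAL))
```

Against a real PCM the `send` callback would wrap the ELM serial exchange; the address-echo check is what catches a stale or misrouted reply being written into the wrong slot.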
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: ELM327 Software Development

Post by Tazzi »

Yeaaa no wonder I couldn't get the VIN function working. So that sorts it out for the VPW protocol.. Bit confused on what's happening to the CAN one, what I've done setting it up should work fine.

That calibration pull is pretty cool ant! Slow as all hell.. but at least it works! If the PCM is locked, can easily just unlock (with supplied key or brute force) then do the calibration read.. guess it's suited for anyone wanting to see what was actually done.

Wouldn't even need to load up a bin, just save as new .bin
But first up, will need to chuck in that VIN read and OSID read. Make sure that the VPW-enabled cars are actually reading correctly. After that will need to suss this damn CAN out.

Bit of a side topic. But when it comes to unlocking the PCM.. there's a limited amount of tries that can be done before the PCM locks out and requires a hard reboot, right? To prevent this, a 10sec delay is used between unlocks? This is essentially what the basic "brute forcer" for a PCM unlock does.
Implementing a simple switch/relay design with a microcontroller/Arduino to turn off/on the switch then repeat unlock could really speed up the process using a bit of basic equipment and programming. The wait time would be say 500ms wait on the reset, then repeat cycle. Effectively speeding the process up by 20 times. All assuming that the PCM doesn't have some monster capacitor and holds its charge for a while.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Jayme
Posts: 2585
Joined: Sun Mar 01, 2009 8:59 am
Location: North Coast, NSW

Re: ELM327 Software Development

Post by Jayme »

That's the beauty of the mode 23..... there is no need to unlock the PCM as it works even if the PCM is locked! The catch is you can't read anything except the cal area as ant said, so you have to load a standard bin with the correct OSID into your Windows software so you can insert the cal into it. Otherwise you will end up with a file with no O/S in it that nothing will open.
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: ELM327 Software Development

Post by antus »

The timer starts at power on to prevent that attack. And there is no hard lockout, you just keep trying. When the security is unlocked you don't get access to the whole address range; you need to upload your own kernel to run the PCM to provide the functionality to read the bin.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: ELM327 Software Development

Post by Tazzi »

Oooh I see, you need a bin with a corresponding OSID to load up into, write all the info to, and save. Then this can be used in other tuning software? Fair enough! Do I dare ask how many OSIDs there are? lol

Yeah, I wasn't looking to grab all the info after unlocking etc. I've just seen mention from a whole lot of people saying how long it takes to brute force. As they said, after 3 incorrect tries the PCM needs to be turned off/on to repeat the cycle? I think I was reading up on what planethax said he was doing, since he implemented the 10sec delay so no interruptions would be required between tries. Even if the PCM is cycled after each retry to unlock, I'd say that would still be quicker again. Might put the PCM under a bit of stress though.

ELM's been sent.. with tracking this time. Also sourced out a PCM I'll be picking up on the weekend. There's a VZ V6 and a VY V8 that I'll try to pick up.

So.. the VPW process for pulling the bins from the PCM seems to be well worked out.. what about vehicles with CAN? Much known about the process required for them? Or is it quite similar?
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: ELM327 Software Development

Post by antus »

I don't know yet. I need to complete my VPW software before looking at CAN. It'll be a similar process: pass a security challenge, upload code to take over the PCM, drive the CAN functionality and flash the chip directly. Of course it's easier said than done without hardware docs. As for loading a complete bin, have a search directory where users can drop a bin in there, and then in your app open up each one and look for a match to find the right one to load. There's a couple of main OSs for each manufacturer and year range, and plenty more less common ones.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: ELM327 Software Development

Post by Tazzi »

No worries, whole bunch of stuff to add now!

VX, I found out why you couldn't monitor anything after clicking the "Monitor chatter" button. The program timed out after not receiving anything for 2 seconds... I've removed that limitation now, so if the scantool communicates over VPW.. it'll pick it up!

It "should" work the same for CAN, if the CAN network decides to work..

Will post it up soonish
VX L67 Getrag
Posts: 2877
Joined: Sun Aug 02, 2009 9:16 pm
Location: Bayside, Melbourne, Victoria

Re: ELM327 Software Development

Post by VX L67 Getrag »

Ah cool sounds promising!!
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: ELM327 Software Development

Post by Tazzi »

Looks like the OSID is found by (from the limited info around!):
Send: 3C 0A
Receive: 7C 0A 00 13 AF 15
OSID = 13AF15h or 1290005

Example VIN:
Request GM VIN
Send: $6C,$10,$F1,$3C,$01,$F2
Recv: $6C,$F1,$10,$7C,$01,$00,$36,$48,$38,$56,$54,$18
Send: $6C,$10,$F1,$3C,$02,$F3
Recv: $6C,$F1,$10,$7C,$02,$4B,$36,$39,$46,$59,$4C,$5E
Send: $6C,$10,$F1,$3C,$03,$F4
Recv: $6C,$F1,$10,$7C,$03,$30,$31,$32,$33,$34,$35,$F6
VIN: 6H8VTK69FYL012345
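A decoder for the mode $3C block replies quoted in the post, added here as an example and not Tazzi's or any project's code. It assumes the last byte of each VIN reply is a trailer/checksum to be ignored and that the OSID reply in the post is shown without its 6C F1 10 header; the sample frames below are copied from the post.

```python
# Added example (not the forum's or any project's code): decoding the mode $3C
# block replies quoted above into the OSID and the VIN. Assumptions: the last
# byte of each VIN reply (18, 5E, F6) is a trailer/checksum and is ignored, and
# the OSID reply in the post is shown without its 6C F1 10 header.
RSP_HDR = bytes([0x6C, 0xF1, 0x10])            # PCM -> tester, from the post

def build_mode3c_request(block: int) -> bytes:
    """6C 10 F1 3C <block>, without the trailer byte shown in the post."""
    return bytes([0x6C, 0x10, 0xF1, 0x3C, block & 0xFF])

def block_payload(frame: bytes):
    """(block number, data bytes) from a 7C reply; the header is optional."""
    body = frame[3:] if frame[:3] == RSP_HDR else frame
    if len(body) < 3 or body[0] != 0x7C:
        raise ValueError("not a mode 3C reply: " + frame.hex())
    return body[1], bytes(body[2:8])            # at most 6 data bytes per block

def decode_osid(frame: bytes) -> int:
    """Block 0A carries the OSID as a 32-bit big-endian value (00 13 AF 15)."""
    block, data = block_payload(frame)
    if block != 0x0A or len(data) < 4:
        raise ValueError("not an OSID block")
    return int.from_bytes(data[:4], "big")

def decode_vin(frames) -> str:
    """Blocks 01-03 hold a 0x00 pad plus the 17 ASCII VIN characters; the
    frames may arrive in any order, so they are keyed by block number."""
    chunks = {}
    for frame in frames:
        block, data = block_payload(frame)
        if block in (1, 2, 3):
            chunks[block] = data
    if set(chunks) != {1, 2, 3}:
        raise ValueError("missing VIN block(s): " + str({1, 2, 3} - set(chunks)))
    vin = b"".join(chunks[b] for b in (1, 2, 3)).lstrip(b"\x00").decode("ascii")
    if len(vin) != 17 or not vin.isalnum():
        raise ValueError("malformed VIN: " + vin)
    return vin

# Constructed from the frames quoted in the post above.
OSID_REPLY = bytes.fromhex("7C0A0013AF15")
VIN_REPLIES = [
    bytes.fromhex("6CF1107C0100364838565418"),
    bytes.fromhex("6CF1107C024B363946594C5E"),
    bytes.fromhex("6CF1107C03303132333435F6"),
]
```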
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: ELM327 Software Development

Post by Tazzi »

VIN function has been added... 5th time's a charm? :thumbup:

The logger should also work. It will display when it's started, if it is quiet, and also simply display everything that the ELM passes through. If the ELM sends "Buffer Full", it will restart the log session and continue on.

Will probs add the OSID and PCM# too.

Something else that I've seen is that GM like to make use of the enhanced PIDs. Don't know much about the locations yet, but might be what the Tech2 uses for those manufacturer-specific PIDs and fault code lookups etc.
Send: $6C,$10,$F1,$22,$PID-msb,$PID-lsb,$01
Recv: $6C,$F1,$10,$62,$PID-msb,$PID-lsb,up to 5 data bytes

On the topic of Tech2 reversing, I'm not feeling as confident as I was before with developing the fake PCM. Trial runs show that the ELM doesn't swap between the "monitor" function and then sending info very quickly/efficiently. I'm hoping the Tech2 has a good 500-1000ms delay before retry/failure.
Basic setup is monitor all traffic, if a "desired" frame is found it will exit monitor all mode and send off the fake module response then return back to monitoring traffic. Really wish elm had a "raw data" mode.. Be a tonne easier to just send anything and receive anything.
Last edited by Tazzi on Tue Jul 21, 2015 9:39 am, edited 1 time in total.