Software On ELM Street - OBD2 Software Development

[Tazzi]

what makes you say 44 mins? does the VZ v6 ecu not have a lockout timer for an incorrect attempt?

Found it in 5mins
It does have a timeout, but Im attempting all 256 gm algos at once to see which one works hence all 256 algos can be attempted in ~44mins haha

2 seed-keys I have for E55 are;3E 49 seed = 67 34 key
& 89 84 seed = DD CA key

I hope that helps?

Thanks mate! that reconfirmed my findings.

VZ V6 pcm seed/key algo is now coded up

[Tazzi]

Accepted key:
7E8 02 67 02 00 00 00 00 00

Seed = 64 E4
Key = 9D 81

Id assume the VZ genIV will be different again.. maybe? They communicate over CAN11bit, but since its a different pcm, probably be a different algo again.

VX L67 Getrag... anychance you have V8 genIV seed/keys laying around?

[monaro308]

Tazzi,probably wont mean much but when I was doing the V6 to LS1 conversion for the VT track car I kept my low level BCM and key but used a PIM from one wrecker and the ECU from another wrecker.
I linked the BCM to the ECU with no problems but had headaches linking the PIM.
Stupid me kept pressing the wrong "enter" key on the tech2 even though the * was selected next to "Learn PIM"

[Tazzi]

Tazzi,probably wont mean much but when I was doing the V6 to LS1 conversion for the VT track car I kept my low level BCM and key but used a PIM from one wrecker and the ECU from another wrecker.
I linked the BCM to the ECU with no problems but had headaches linking the PIM.
Stupid me kept pressing the wrong "enter" key on the tech2 even though the * was selected next to "Learn PIM"

I actually do appreciate that info!.. it means that you managed to sort it out using 3 different components into the one car.

From what I can see in the docos.. and tech2 instructions. Is before the ECU or PIM are removed, they need to be "reset" to clear the link between the modules for that device. This can be done under the devices programming heading in the tech2 (eg PIM->programming->reset PIM)

It also mentions you must know the bcm security code.. Im assuming this would be the code from the bcm in the car. Im still not 100% if the tech2 will ask the bcm for that info.. or if the PIM and ECU actually store the security number.

The docos say also.. that if an incorrect bcm security number is entered when trying to reset the PIM, it will lock out for 10s,30s,1min,10min,20min,40min,80min

[antus]

Keys can be calc'd like this. yes gen iv are different.

Code: Select all

sub vz($){
    my $seed=shift;
    my $key=$seed-0x3808;
    $key &= 0xFFFF;
    $key  = swapab($key);
    $key += 0xF294;
    $key &= 0xFFFF;
    $key  = rotateright($key, 2);
    $key  = rotateleft($key, 3);
    return $key;
}

$ ./key 64E4
64E4: 9D81

[Tazzi]

Keys can be calc'd like this. yes gen iv are different.

Code: Select all

sub vz($){
    my $seed=shift;
    my $key=$seed-0x3808;
    $key &= 0xFFFF;
    $key  = swapab($key);
    $key += 0xF294;
    $key &= 0xFFFF;
    $key  = rotateright($key, 2);
    $key  = rotateleft($key, 3);
    return $key;
}
$ ./key 64E4
64E4: 9D81

Cheers Antus.

Bit shifting.. I really should start doing that for the algos.
Generally theres a nice little pattern to follow via multiplication/subtraction which is what Iv done for the ls1,vz v6, vz gen4, ve v6 ect.

[retrotuner]

Hi guys - I have ELM327 interface (Ebay Special) ....It is showing it as Firmware Ver 1.4 and Baud Rate 38400 ...However

When I plug it into the logger it displays as a Version 1 ....

It seems to findthe unit but when the logger requests the high baud rate ...nil response and the ELm times out

[16:24:50:595] Attempting to Connect to Comport...
[16:24:50:630] Searching for Device...
[16:24:50:714] Testing Comport: COM3 at Baudrate: 9600
[16:24:51:270] Testing Comport: COM3 at Baudrate: 38400
[16:24:51:489] ELM Device Successfully Found!
[16:24:51:496] Requesting Fast 115200 Baud..
[16:24:51:505] ELM Device Sent back '?'
[16:24:51:507] ELM Device Did Not Answer Baud Timeout Parameter!

Any way I can get this to work at lower baud rate? - or just buy another ELM?

Cheers
Kyle

[Tazzi]

Hi guys - I have ELM327 interface (Ebay Special) ....It is showing it as Firmware Ver 1.4 and Baud Rate 38400 ...However

When I plug it into the logger it displays as a Version 1 ....

It seems to findthe unit but when the logger requests the high baud rate ...nil response and the ELm times out

[16:24:50:595] Attempting to Connect to Comport...
[16:24:50:630] Searching for Device...
[16:24:50:714] Testing Comport: COM3 at Baudrate: 9600
[16:24:51:270] Testing Comport: COM3 at Baudrate: 38400
[16:24:51:489] ELM Device Successfully Found!
[16:24:51:496] Requesting Fast 115200 Baud..
[16:24:51:505] ELM Device Sent back '?'
[16:24:51:507] ELM Device Did Not Answer Baud Timeout Parameter!

Any way I can get this to work at lower baud rate? - or just buy another ELM?

Cheers
Kyle

Gday mate,
In that connection screen, there is a check box setting that says "115200 baud" or something like that, Just untick that box and then try it out.
So your ELM should be on COM3, Baud 38400.

Taz.

TurnOffFastBaud.png (25.04 KiB) Viewed 3717 times

[Tazzi]

Stupid CAN multiline reading/writing on the elm is bloody painful. Im sure I have some little bug in the coding thats causing the issues.. but its there.. and its causing havok!. Or Im missing a vital multiframe setup command.. hmmmm

Multiline receiving seems to be straight forward.. but mutiline sending seems to be a bit more of a task. This is what others had to say about writing multiline responses:

Code: Select all

There isn't a straightforward way to do this. You can hack it as follows:

Set up CAN filters to accept flow control frames.
Turn off CAN autoformatting (ATCAF0).
Send the first frame, specifying that you are expecting one response.
Receive the flow control frame.
Send the rest of the frames, this time specifying that you are expecting zero responses.

[Tazzi]

Well.. Im now officially stumped!

Setting up the CAN flow control frames is supposedly done like this:
ATSH7E0 ->set our header
ATSDXXYYZZ ->Set the data bytes that will respond on multiline first frames.
ATSM1 -> set mode to 1, which allows for custom data (above line).

But everytime I send ATSM1, I get a "?" back. The documentation says that I will receive a "?" if the CAN header and Data are not set first.. BUT THEY ARE!!!!
I can set it to mdoe 0 (automatic.. no custom frame by us) and also mode 2 (custom data bytes.. but header is exactly the same as the received first frame).

Im honestly.. completely and utter stumped on this. Iv tried the example in the ELM documentation and do not get the same results!

Anyone have ideas? or has played with this?