Software On ELM Street - OBD2 Software Development

Programs / Tools / Scripts
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Software On ELM Street - OBD2 Software Development

Post by Tazzi »

Software on ELM Street
SOE_Mainmenu.PNG
SOE_Mainmenu.PNG (83.3 KiB) Viewed 16120 times
Download the latest version from here (v0.0.1.9)


Licenses are FREE to members who contributed to its development. Please contact me for your unique (one time use) serial.
For everyone else, please contact me for more details!

ChangeLog
29/10/2015 -v0.0.1.9
• Added more ECM/TCM fauly definitions
• HUGE speed increase on engine/transmission data reading.

23/9/2015 -v0.0.1.8
• Fixed automatic updating (No need for run as admin from v1.8 onwards)
• Added detect TCM at startup (Disable this for Manuals as there is no TCM!)
• Added a whole bunch of DTC's!
• Small tweaks to the max value of the gauges

29/07/2015 - v0.0.1.7
• LS1 (VPW) fault code reading bug fixed (Not all faults displayed but counted correctly)
• LS1 (VPW) engine and transmission data replay bug fixed (Graph info did not display)

16/06/2015 - v0.0.1.6
• Automatic updating implemented.
• Transmission data replay tweak
• Small changes to visuals

11/06/2015 - v0.0.1.5b
• Fixed up small replay issue
• Fixed up replay gauge load issue
• Added implementations for "update check" (80% completed)
• Skips Trans ECU if not detected
• Fixed faults detected if skipping

10/06/2015 - v0.0.1.5a
• Removed MX wifi (still work to be done!)
• Removed Freeze data from startup connection
• Rewritten ELM327 communication handler
• Added Transmission fault/PID reads to startup connection
• Rewritten Engine logging routines
• Added more supported Engine PIDs!
• Fixed a couple LS1 PID calculations
• Added TRANSMISSION Logging capabilities
• Added TRANSMISSION fault reading (No definitions added just yet)
• Added Save/Load and replay options
• Disabled seed/key (Not yet completed with new routines)

14/03/2015 - v0.0.1.4
• Added support for the amazing OBDLink MX WIFI - Complete custom connectionroutines down pack!
• MAJOR change to how ALL error catching is made in program
• Fixed issue with failing freeze frame causes error on other startup info
• Refined various routines
• More major changes to Freeze frame capture. Loops through different timeout values

07/03/2015 - v0.0.1.3
• New vehicles supported added: VZ LS2 V8, VE V6, VE V8
• Refined Freeze frame for CAN vehicles further.
• Begun adding Advanced Freeze frame screen (See freeze frame codes and data)
• New support for OBDLink MX tool (May be the newly recommended tool)
• Overall changes to application to reduce "False" antivirus reports (Norton has no issues)
• Clearing faults on both VPW and CAN vehicles implented

22/02/2015 - v0.0.1.2
• MAJOR update on LS1 fault code reading. Significant error in obtaining correct fault code. This has now been resolved!

22/02/2015 - v0.0.1.1
• CAN Freeze frame complete rework
• Repair minor bug with LS1 freeze frame
• Added LS1 PID's (Calculations still being added)
• Slight changes on serial/vin reading for LS1.

22/02/2015 - v0.0.1.0
• Fixed small mistake with new 500,000 baud update.
• Small changes to "auto detect" sequence, including delays and also timeout parameter to prevent hangning
• Completely redid fault code definitions for LS1 and VZ V6. All GM faults for these ecus have been added.
• Fault clearing routine completed, not yet added to the clear button (next release)
• Remodelled VIN and Serial receive routines. Should work on E38,E40 and other ecus now (Untested change!)

8/02/2015 - v0.0.0.9
• Added 500,000baud option for the fastest possible logging experience.
• Tweaks to cosmetics

4/02/2015 - v0.0.0.8
• Added icons to side navigation bars
• Complete reconstruction of side bar UI to prevent "flashing" controls
• Reworked "Auto Detect" function. Works very well and fast.
• Removed "Restore to defaults" on connection (caused more problems then helped)
• Removed "Disable Chatter" function in startup vehicle data reading to prevent warnings on dash
• Added more detailed error reporting
• Tweaks to the Engine Data reading
• Added other CAN protocols back in for "raw logging"
• Added GMLAN protocol (Standard ELM device does not work!)

9/01/2015 - v0.0.0.7
• Added Save/backup log for key searching routine
• Retry/Skip/Cancel messagebox applied to connection procedure to bypass any unknown faults
• Tweaked the 115200baud enable routine.. for greater stability
• Minor changes to Engine data logging routine
• Additional error captures for freeze frame section applied to narrow down unknown responses in both LS1 and VZ vehicles
Last edited by Tazzi on Wed Dec 21, 2016 8:13 pm, edited 28 times in total.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
User avatar
delcowizzid
Posts: 5493
Joined: Sat Feb 28, 2009 8:38 pm
Location: Wellington NZ
Contact:

Re: ELM327 Software Development

Post by delcowizzid »

good to see someone tackling this issue my elm is pretty much a paper weight only works with one paid program none of the free ones work
If Its Got Gas Or Ass Count Me In.if it cant be fixed with a hammer you have an electrical problem
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: ELM327 Software Development

Post by Tazzi »

delcowizzid wrote:good to see someone tackling this issue my elm is pretty much a paper weight only works with one paid program none of the free ones work
Yeah, thats exactly what Im hearing. Just hoping that its a software limitation rather then a hardware limitation from the elm device thats made those free obd readers useless.


*My original first post is below:

Iv seen alot of posts and threads recently on various sites asking about OBD2 software to look up engine faults. Although always ends in the device throwing a "buffer full" or a very "generic" fault description is displayed.. which seems fairly useless if I say myself. So after trolling the internet looking at the available , it looks like there isnt much reliable software from the ELM327 (correct me if im wrong!)
The only recommended software that Iv seen so far is the "Torque" Android app. But.. Im a iphone and pc software kinda guy, so thats not an option.

So the aim here is to make a very..very basic application to read faults from commodores. Iv done some research on OBD2 protocol (j1850.. for those interested on the frame breakdown... read http://www.fastfieros.com/tech/vpw_comm ... otocol.htm) and looks fairly straight forward. At least its methodical and the fault mode is always the same.

I only have a basic understanding of all this, and will be learning as we go!. First up, understanding the protocol.

Lets look at an example frame to break it down... (First 3 bytes are the header)
Send: $68,$6A,$F1,$01,$PID
Recv: $48,$6B,$10,$41,$PID,[up to 5 data bytes]
For the Send:
68 = Request Legislated Diagnostics
6A = Physical ID of destination (Sent to here 6A generic engine data source)
F1 = ELM Device (Or scantool) Is the Physical ID for source (Sent from Us)
01 = Mode, Request Current Powertrain Diagnostic Data
PID = Request the desired data eg engine temp ect.(PID = Parameter IDs)

For the Receive:
48 = Request Legislated Diagnostics
6B = Physical ID of Destination (To us)
10 = Physical ID of Source (PCM), notice its now the source (Sent from pcm)
41 = Is always 0x40 more then our request mode eg 40 + 1 = 41
PID = Our request PID
Then next can be up to 5 bytes of data for our request PID.

Now we have a basic understanding of the protocol.. now we need to understand the elm device, its commands and how to setup the headers and request info. Id recommend reading through the data sheet (http://elmelectronics.com/DSheets/ELM327DS.pdf).
Looks like the elm does the bulk of the work for us which is good if it works the way it is described. Setsup the headers by its self and all that is needed is send the required request.
If the "buffer full" issue is due to the device filling its buffer quicker then its spitting it out, it may be a solution to get the device to constantly empty buffer till we request faults, or to set it to "logging" mode so reads all present bytes continuously. Or set a event handler in vb to clear buffer once its full. Dunno, will see.

The Datasheet is quite.. long.. So best just searching for key words really.
How to set up out device..Need to set up COMport (easy), set the baud rate to 38400 (easy), set to 8 bits, no parity bits,1 stop bit and set it to the correct line end mode (single carriage return character). When we connect to the comport.. we should get: "ELM327" which lets us know we are connected.

Also before I forget, As you can see, everythig is setup and sent as "ASCII" character. Now from page 30, has a good explanation on sending frames.
Using the elm with its stock settings, its protocol is set to j1850 vpw, headers off and pretty much everything automatic.
So now if we want to do a mode 1 request for PID = 0, all we send is: >01 00
And the elm will display "Searching" and finally answer back with: 41 00 BE 1F B8 10
Alright.. so doesnt seem to bad. sending everything via serialport in ASCII format. Get response then interpret data.

So applying this all to our "Fault request", we would want to do a mode 3 request, so: >03
And typical response will be: 43 01 33 00 00 00 00
Where the 43 is the response to the mode3 request (3 + 40 = 43) and the next 6 bytes are read in pairs for the fault present. Eg 0133 0000 0000. Therefore, only fault present is 0133, where the 0 = P0.. thus the fault is P0133 which is the code for "oxygen sensor circuit slow response"

Doesnt seem to bad, what if we want to look up how many faults are present? Easy, fire off: >01 01 which is mode1 request of PID=1. Typical response is: 41 01 81 07 65 04
Where the 81 is the faults present.. Where 80 means "Check engine On", therefore the total amount of trouble codes preset would be 0x80-0x80 = 1 fault.

Now, if faults were to come from other modules, there would have been multiple lines of responses from each module with faults, and the only way to determine which modules have responded is to turn the headers on (Send:AT H1) and also have to know what the "source ID's" are for the modules eg PCM = 10.

So.. now the BASICS have been covered.. and thats it for now. Next is some basic coding to attempt the above. Hopefully will get some positive results.
Im hoping I can mimic the responses that we receive so that I can Send these off to the tech2 and extract all the trouble codes that the tech2 spits out, including all the holden specific codes.
Only thing Im slightly iffy on is if I send the info as ASCII characters for the OBD specific frames, or if I send those as hexadecimal values(0x00).. trial and error shall see, but fairly certain its ASCII and elm will only accept that.
Last edited by Tazzi on Fri Jan 09, 2015 6:23 pm, edited 1 time in total.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
Charlescrown
Posts: 1831
Joined: Sat Aug 06, 2011 7:58 am
cars: V8 VR Commodore BT1
LB Lancer 2L turbo & Delco
Starion TBI with Delco
Mitsubishi Lancer EVO4 track car
NA MX5
3 vintage motor bikes
Location: Padstow NSW

Re: ELM327 Software Development

Post by Charlescrown »

I use an ELM 327 for all my OBD2 work and use OBDwiz, Scantool.net and EasyOBD2. They all work fine. I have a few loder ELM Chinese copies that will not work with the later Scantool.net or OBDwiz. The software producer did something to prevent it working with a copy ELM327 so I bought a genuine one for about $40 with the OBDwiz software and it works a treat. I am seriously looking at a Launch X431 Diag. There is a new one out which works with an Ipad or Iphone and for a few hundred your up and running. The software cost of $65 US for each type of car and of course I will get the Holden. It covers all models with the Holden badge including OBD1 and 2 eng trans srs key programing etc.
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: ELM327 Software Development

Post by Tazzi »

Charlescrown wrote:I use an ELM 327 for all my OBD2 work and use OBDwiz, Scantool.net and EasyOBD2. They all work fine. I have a few loder ELM Chinese copies that will not work with the later Scantool.net or OBDwiz. The software producer did something to prevent it working with a copy ELM327 so I bought a genuine one for about $40 with the OBDwiz software and it works a treat. I am seriously looking at a Launch X431 Diag. There is a new one out which works with an Ipad or Iphone and for a few hundred your up and running. The software cost of $65 US for each type of car and of course I will get the Holden. It covers all models with the Holden badge including OBD1 and 2 eng trans srs key programing etc.
Ah really? I guess it makes sense that scantool.net would implement such an act.. although not too sure how they have done it since the device outputs a standard message.. unless they have a "special" command they send off?.. dunno.

Iv looked at those "launch" devices. Seem pretty damn good! Really is just an updated tech2 with touch/colour screen ect. Although dont think they can do the advanced features such as software updates.. but hey how often does anyone do that.
I went for the tech2 a while back. Very much worth while, does everything I want/need and also been good for reversing commy modules since Iv been reversing the aldl side of it. Am looking to do the OBD2 side now.

As for progress, been doing some research and some messing around..
So far, iv put a simple interface together, got the comports available.. let the user connect.. if Device fires off "ELM327 VX.X" Then device is successfully connected, where the X.X is the software version.
Also, communication seems pretty easy.. send everything as characters eg. SerialPort1.Write(Chr(65)&chr(13) & vbnewline) or SerialPort1.Write("String Here" & vbnewline). Am yet to test but seems pretty basic.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
Charlescrown
Posts: 1831
Joined: Sat Aug 06, 2011 7:58 am
cars: V8 VR Commodore BT1
LB Lancer 2L turbo & Delco
Starion TBI with Delco
Mitsubishi Lancer EVO4 track car
NA MX5
3 vintage motor bikes
Location: Padstow NSW

Re: ELM327 Software Development

Post by Charlescrown »

The Launch can be upgraded as new model cars come out but it's $50 per manufacturer. With most new cars going to 5 years warranty I guess you only need to update every five years and let the manufacturers worry about the warranty problems. I do know that manufacturers are selling their software to scantool companies but doubt they will give them all of it. Not sure what scantool.net did to protect their turf. All I can say is you use their later software with Chinese box it say it's not a genuine ELM and will not link. Early versions work fine but I think they took it off the net because of all the Chinese copies using their software. I also use a program called Galletto and scantool to read OBD2 software. Problem is trying to identify maps and write ADX files. I downloaded my Hyundai I30 ECU software and using Winols it identified 130 odd maps. Right out of my league. just a dump motor mechanic. I also use a Tactrix unit to read and write to Mitsubishi EVO's. That works great an is so easy to use.
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: ELM327 Software Development

Post by Tazzi »

Yeah, only real way of mapping a car efficiently is to either a) be employed in the engineering group or b) reverse the messages off a scantool. Which is my goal here.

Alot of the data right now is available to the public. Although its all "Generic" stuff, and not much manufacture specific stuff has been sorted since that requires reverse engineering!. Meaning there is definitely not a "Holden Specific" application available.

Might have to have a looksy at the scantool.net software, see if they mention anything about it.


Iv purchased an elm device.. this time from an aussie seller. Last one I bought was for $7.. and first one rocked up dead and didnt work.. and next one never showed!. Until then, anyone game to test anything I throw up?
Will be chucking up some coding soon if anyones interested. ELM says it sends off a "newline" character when its finished, since the device does the hardwork.. should be able to fire off the message, then wait till data is in the buffer, then perform a serialport1.readline.. which will pick up the newline as the end.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
User avatar
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: ELM327 Software Development

Post by antus »

Tazzi wrote:Ah really? I guess it makes sense that scantool.net would implement such an act.. although not too sure how they have done it since the device outputs a standard message.. unless they have a "special" command they send off?.. dunno.
The earlyer clone ones had a bug that randomly spat out extra 00 packets. Ive seen it recommended that people who write software detect and discard the extra bytes so they do work with clones, but i guess they might instead use it to detect clones and lock them out.

I can test things on the bench for you.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: ELM327 Software Development

Post by Tazzi »

Cheers, Alright, ill have to think about that one.

Random extra 00 bytes.. hmm. I guess if I know the length of the message to expect then I can simply filter the message, if its not the correct length, then resend.
Iv currently sent it to ignore the "echo" of whatever is sent to the device. Ignores any bytes available that are less than 2 and ignores null bytes. Should be enough to get responses so far.. I think. :hmm:
Guess Ill also need to get it to check the "Search.." message and also filter whatever else it also outputs.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
User avatar
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: ELM327 Software Development

Post by antus »

i just did a bit more research, they say its the uart in the early pics, and is a microchip bug. so probably affects genuine and clones. but wikipedia (must be true, then :lol: ) states that the pirated elm software is based on firmware revision 1.0 and has known bugs but a faked version number. Perhaps the 00s arnt much of a problem any more, and they instead look for known bugs vs version numbers that shouldnt have those bugs or versions that dont officialy exist. Anyway i shouldnt speculate further, I dont have any solid information. Its just an interesting topic.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
Post Reply