Gm bcm and cluster can bus messages through eml327 script

Disassembly, Reassembly, Tools and devleopment. Going deep with Hardware and Software.
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Gm bcm and cluster can bus messages through eml327 scrip

Post by 04colyZQ8 »

ok all I did was
atz
AT SH 00 07 E0
AT CRA 00 00 07 E8
atsp6
1a90

and it works on the pcm

>1a90
013
0: 5A 90 33 47 4E 43
1: 4A 52 53 42 35 46 4C
2: 31 36 33 35 37 39 AA


but try on bcm..
>1a90
013
0: 5A 90 33 47 4E 43

thats all i get
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: Gm bcm and cluster can bus messages through eml327 scrip

Post by ironduke »

04colyZQ8 wrote:ok all I did was
atz
AT SH 00 07 E0
AT CRA 00 00 07 E8
atsp6
1a90

and it works on the pcm

>1a90
013
0: 5A 90 33 47 4E 43
1: 4A 52 53 42 35 46 4C
2: 31 36 33 35 37 39 AA


but try on bcm..
>1a90
013
0: 5A 90 33 47 4E 43

thats all i get
This might have been gone over already but what are you sending for SH and cra messages for the bcm? Looks like something is glitchy with the elm327 if your setting it up correctly?
I think it should be ATSH 00 06 41 and I don't think I ever even set up the cra command unless I was going to use atma..

Do you have another device to log and a Y cable? By that BCM log it looks like the BCM is receiving the VIN request and even sends the first line but the elm is NOT sending the 00 00 06 41 01 30 reply??? It would be interesting to see if the elm is sending the command but the BCM isn't getting it for some reason, maybe the bcm needs to see a full 12 byte message and the elm isn't doing that??

I do remember having to wait between at commands with the elm using a delay command in c#, then i started waiting for the response and making sure it said ok before sending the next command..
User avatar
Gampy
Posts: 2331
Joined: Sat Dec 15, 2018 7:38 am

Re: Gm bcm and cluster can bus messages through eml327 scrip

Post by Gampy »

ironduke wrote:Do you have another device to log and a Y cable? By that BCM log it looks like the BCM is receiving the VIN request and even sends the first line but the elm is NOT sending the 00 00 06 41 01 30 reply??? It would be interesting to see if the elm is sending the command but the BCM isn't getting it for some reason, maybe the bcm needs to see a full 12 byte message and the elm isn't doing that??
It is not the responsibility of the VCI to send the continuation frame, that is up to the receiver of the first frame.
ironduke wrote: I do remember having to wait between at commands with the elm using a delay command in c#, then i started waiting for the response and making sure it said ok before sending the next command..
That is the only way ... command and response.

-Enjoy
Intelligence is in the details!

It is easier not to learn bad habits, then it is to break them!

If I was here to win a popularity contest, their would be no point, so I wouldn't be here!
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: Gm bcm and cluster can bus messages through eml327 scrip

Post by ironduke »

Gampy wrote:
ironduke wrote:Do you have another device to log and a Y cable? By that BCM log it looks like the BCM is receiving the VIN request and even sends the first line but the elm is NOT sending the 00 00 06 41 01 30 reply??? It would be interesting to see if the elm is sending the command but the BCM isn't getting it for some reason, maybe the bcm needs to see a full 12 byte message and the elm isn't doing that??
It is not the responsibility of the VCI to send the continuation frame, that is up to the receiver of the first frame.
ironduke wrote: I do remember having to wait between at commands with the elm using a delay command in c#, then i started waiting for the response and making sure it said ok before sending the next command..
That is the only way ... command and response.

-Enjoy
What do you mean that it is up to the receiver of the first frame and not the vci?? Is the vci not the elm?? Please elaborate if you could?? I have experienced firsthand with the elm that when can formatting is turned on somebody is sending the 01 30 command back to the ecu when the vin is requested and the ecu has send the first line of data back.. It wasn't me or any of the code I wrote so I am assuming it was the elm.. When can formatting is turned on then all I have to send is the 1a 90 request with the correct header and the entire 3 line message shows up like magic.

As far as there being only one way to do something, we can debate that for years.. I'm not debating on a wrong way or a right way to do something, lmao.. I easily admit that it was not the correct way to do it, but it sure did work just fine.. Thank you for pointing out the obvious in an attempt to provide a slight amount of help someone.. smh
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Gm bcm and cluster can bus messages through eml327 scrip

Post by 04colyZQ8 »

ironduke wrote:Very surprised you can wait 5 seconds between asking for seed and sending key..

I was never able to get any of my elm devices to send long messages.. What I did was turn off can formatting and send the "long message" line by line.. You'll have to research how they're formatted and then copy the formatting..

basically with CAN formatting ON the length byte and counter bytes are done for you.. If you turn it off you have to do it yourself.. for example 00 00 02 41 27 01 would need to be send as 00 00 02 41 02 27 01 where the 02 is the length byte..

It gets harder with messages longer than 7 bytes.. The 1st message has 10 for length but to say that it's going to be multiline and then the next byte is number of bytes..
After that each line has a counter instead of byte length byte.. starts at 0x21 and goes up to 0x2f and then resets to 0x20 and loops repeatedly..
This is from memory but to write the vin it's something like

00 00 02 41 10 13 3B 90 01 02 03 04
>> Here is where the ecu would send a 00 00 06 41 01 30 back in response for you to send the rest of the data..
00 00 02 41 21 05 06 07 08 09 10 11
00 00 02 41 22 12 13 14 15 16 17 00

Also maybe get in the habit of adding zero's at the end to make up a complete 12 bytes.. With CAN on I have seen some elms do it for you and other didn't.. With it off it is up to you to do it..
Some modules work ok without the message being 12 bytes, others not so happy..
So I’d send at caf0 turn of can formating

Then 10 0E 3B DF 01 02 03 04
Then 21 05 06 07 08 09 10 11
Then 22 12 00 00 00 00 00 00

If the log I have is like this
5A DF 00 03 1E 04 00 03 1E 04 00 03 1E 04

Or do I send

Then 10 0E 3B DF 01 02 03 04
Then 10 21 05 06 07 08 09 10
Then 10 22 11 12 00 00 00 00

Cause it doesn’t seem to send the elm message at all
In caf0 mode unless I put the 10 in front
?
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: Gm bcm and cluster can bus messages through eml327 scrip

Post by ironduke »

Your writing to 0xdf? for mileage??
If the message is going to be less than 7 bytes than it can go on one line.. the 3b df is 2 bytes so you have 5 bytes left for the rest of the message.
with CAN formatting off you need to write the message length byte, sorry I didn't go over the format if it fits on one line.

00 00 07 e0 07 3b df 01 02 03 04 05 Should be a valid message.. The 07 is telling the ecu to look for and count the next 7 bytes.. the 01-05 would be the data your trying to write to 0xdf.

The messages below are also valid.. See how the length byte changes.. The AA's at the end are not always needed.. That's called 'padding' I believe. Sometimes it's turned on with the j2534 devices, sometimes not. Some ecu's respond ok without the padding, sometimes they don't see the message/command unless it's a full 12 bytes..
00 00 07 e0 06 3b df 01 02 03 04 AA
00 00 07 e0 05 3b df 01 02 03 AA AA
00 00 07 e0 04 3b df 01 02 AA AA AA

Now the tough part will be figuring out how the message is formatted.. is it 3 bytes? 4 bytes?? Does it need to be unlocked first? Even with all that it may just have oxdf locked out from changes once it's written to..
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Gm bcm and cluster can bus messages through eml327 scrip

Post by 04colyZQ8 »

ironduke wrote:Your writing to 0xdf? for mileage??
If the message is going to be less than 7 bytes than it can go on one line.. the 3b df is 2 bytes so you have 5 bytes left for the rest of the message.
with CAN formatting off you need to write the message length byte, sorry I didn't go over the format if it fits on one line.

00 00 07 e0 07 3b df 01 02 03 04 05 Should be a valid message.. The 07 is telling the ecu to look for and count the next 7 bytes.. the 01-05 would be the data your trying to write to 0xdf.

The messages below are also valid.. See how the length byte changes.. The AA's at the end are not always needed.. That's called 'padding' I believe. Sometimes it's turned on with the j2534 devices, sometimes not. Some ecu's respond ok without the padding, sometimes they don't see the message/command unless it's a full 12 bytes..
00 00 07 e0 06 3b df 01 02 03 04 AA
00 00 07 e0 05 3b df 01 02 03 AA AA
00 00 07 e0 04 3b df 01 02 AA AA AA

Now the tough part will be figuring out how the message is formatted.. is it 3 bytes? 4 bytes?? Does it need to be unlocked first? Even with all that it may just have oxdf locked out from changes once it's written to..

Yes but the type 4 app sent it 3 times repeated
16:07:07.1>[.H..] 00 00 06 41 67 02 [0006] //successful unlock
16:07:07.2<[.H..] 00 00 02 41 AE 3F 01 01 00 00 00 [0011] FramePad //what is this???? How to send this?
16:07:07.2>[.H..] 00 00 02 41 [0004] TxDone TxMsgType
16:07:07.3>[.H..] 00 00 06 41 EE 3F [0006]
16:07:07.3<[.H..] 00 00 02 41 3B DF 00 9C 40 00 00 9C 40 00 00 9C 40 00 [0018] FramePad //three times repeated
16:07:07.4>[.H..] 00 00 02 41 [0004] TxDone TxMsgType
16:07:07.4>[.H..] 00 00 06 41 7B DF [0006]
16:07:07.4<[.H..] 00 00 02 41 AE 3F 01 00 00 00 00 [0011] FramePad what is this???? How to send this?
16:07:07.4>[.H..] 00 00 02 41 [0004] TxDone TxMsgType
16:07:07.5>[.H..] 00 00 06 41 7F AE 78 [0007]
16:07:07.5>[.H..] 00 00 06 41 EE 3F [0006]
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Gm bcm and cluster can bus messages through eml327 scrip

Post by 04colyZQ8 »

Nope not working I don't know why! it worked in the car but not on the bench using type 4 app to change used bcm so we know it it possible, using the type 4 app. But it first checks that the cluster is on board, then proceeds if no cluster on LS can it fails, and stops. That's why I am tying to do it on my own. Now see the log below from putty
I think I have done everything to the T this time, according to the sps log. So I think the cluster must be online or the bcm won't allow a 3b df write?


>2701 //request seed
67 01 70 47 EB 7C 06 //5byte seed

>27 02 E7 89 01 EA A9 //send 5 byte key
67 02 //unlocked

>atcaf0 //turn off can formatting
OK

>07 AE 3F 01 01 00 00 00 //not sure what this is enable 1x programming mode?
05 7F AE E3 00 16 7C 06 // this should be EE 3F so must be an error? why does part of this match the seed? does it mean it's sayin unlock first?


>10 0E 3B DF 00 33 4E 13 //send in first 4 bytes 00 33 4E 13
30 00 14 E3 00 16 7C 06 //response from bcm again the strange repeated reply

>10 21 00 33 4E 13 00 33 //send in next 6 bytes 00 33 4E 13 00 33
30 00 14 E3 00 16 7C 06 //response from bcm again the strange repeated reply

>10 22 4E 13 00 00 00 00 //send in next 6 bytes 4E 13 00 00 00 00 padded with zeros
30 00 14 E3 00 16 7C 06 //response from bcm again the strange repeated reply

>07 AE 3F 01 00 00 00 00 //not sure what this is close 1x programming mode?
03 7F AE 78 00 16 7C 06 //response from bcm again the strange repeated reply
05 7F AE E3 00 16 7C 06 //response from bcm again the strange repeated reply

>atcaf1 //turn back on can formatting
OK
//powered of bcm 30 seconds
>1adf //read millage
00E //msg length 14
0: 5A DF 00 33 4E 14 //not changed this should be 0E 5A DF 00 33 4E 14 00 33 4E 14 00 33 4E 14 but it is not reading correctly
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: Gm bcm and cluster can bus messages through eml327 scrip

Post by ironduke »

ok..
AE is device control, but I do not know what it's doing? It's commanding 3F 01 01 but then commanding 3F 01 00 afterwards??

You could try copying it with 00 00 02 41 11 ae 3f 01 01 00 00 00. BUT...
I don't know if those zero's at the end are just padding.. If you don't get the expected EE 3F response then you might need to send something like
00 00 02 41 04 ae 3f 01 01 00 00 00


I don't know why it's sending it 3 times? are you seeing the same 7B DF response each time? It might not be needed but you could copy it and write it 3 times if needed?
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Gm bcm and cluster can bus messages through eml327 scrip

Post by 04colyZQ8 »

logical next step try this in my car but need putty for mac.. trying to use port, not working yet!

I tired screen but it does the stupid thing were it just stays on one line and rewrites it's self without going to a newline! just like putty does
before you turn off auto wrap mode and turn on implicit LF in every CR.

otherwise your screen does this when you type atz

>LM327 v1.5

typing in next command atsp6

>atsp6 v1.5

after turning off auto wrapp mode and turning on implicit LF in every CR. putty now looks like this much better!!

atz


ELM327 v1.5

>atsp6
OK

>

any recommendations on a telnet terminal for mac? or how to adjust the settings for "screen" to work better?
Post Reply