Gm bcm and cluster can bus messages through eml327 script

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
ironduke
Posts: 583
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: Gm bcm and cluster can bus messages through eml327 scrip

Post by ironduke »

you only send the 10 for the 1st line..
2nd line starts with 21,
3rd line starts with 22,
4th line WOULD start with 23 but you don't have a 4th line for this.. each line would go all the way to 0x2f and then the next line would be 0x20.. then 21.. etc..

your 1st set pasted below is good to go just like that.. the vin would be the first 17 xx's and the last xx would be anything.. I always use 00..
10 13 3B 90 xx xx xx xx
21 xx xx xx xx xx xx xx
22 xx xx xx xx xx xx xx

you are seeing a 30 after sending the 1st vin write command so it's reading it.. try sending the 1st vin write command and then as soon as you see that 30 response send the next 2 as fast as you can.. Try writing the same vin that's already there and see if you get a 7B 90 response..
just need to ATCAF0 and ATSH241, maybe ATAL... Need to make sure you know what settings the elm is at, I always perform the atz reset starting a program and set everything as I want it, just in case I left it with incompatible settings from before..
antus
Site Admin
Posts: 8251
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Gm bcm and cluster can bus messages through eml327 scrip

Post by antus »

Just FYI unused bytes are normally sent as AA in CAN which is 1010 1010 - 1010 1010. Makes no practical difference but it's convention so might as well use it. Makes it easy to see what's what when you're reading it too.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Gm bcm and cluster can bus messages through eml327 scrip

Post by 04colyZQ8 »

Well I do not know how else to explain it, I've written it, it feels like, two or three times?? But my elm won't allow me to send something beginning with 21, 22, 23 etc.. all it says is NO DATA, which in my experience means the message isn't formatted correctly, or the incorrect protocol is set. I know it is sp6, so I am good there! See my putty session below



ELM327 v1.5

>atcaf0
OK

>atsh241
OK

>atal
OK

>1a90
?

>021a90
NO DATA

>atcra641
?

>atcra641
OK

>021a90
NO DATA

>1a90
NO DATA

>atcra00641
?

>atcra
?

>AT CRA 00 00 06 41
OK

>021a90
NO DATA

>atsp6
OK

>021a90
?

>1a90
30 00 14 00 00 00 00 00

>1a90
30 00 14 00 00 00 00 00

>ath1
OK

>1a90
641 30 00 14 00 00 00 00 00

>021a90
641 10 13 5A 90 31 47 43 50

>10 13 5A 90 31 47 43 50
641 30 00 14 90 31 47 43 50

>AT FC SH 241
OK

>AT FC SD 30 00 00
OK

>AT FC SM 1
OK

>021a90
641 10 13 5A 90 31 47 43 50
641 21 54 45 45 31 32 4A 31
641 22 32 32 33 36 30 38 31

>641 10 13 5A 90 31 47 43 50
?

>S▒▒▒▒▒31
?

>▒▒▒▒▒▒▒▒▒
?

>10 13 3B 90 31 47 43 50
641 30 00 14 33 36 30 38 31

>21 54 45 45 31 32 4A 31
NO DATA


>22 32 32 33 36 30 38 31
NO DATA


>atz


ELM327 v1.5

>atsp6
OK

>atcaf0
OK

>atsh241
OK

>atal
OK

>10 13 3B 90 31 47 43 50
NO DATA


>21 54 45 45 31 32 4A 31
NO DATA


>22 32 32 33 36 30 38 31
NO DATA


>atcra00000641
OK

>10 13 3B 90 31 47 43 50
30 00 14 33 36 30 38 31

>21 54 45 45 31 32 4A 31
NO DATA


>10 21 54 45 45 31 32 4A
?

>10 21 54 45 45 31 32 4A
30 00 14 33 36 30 38 31

>

See all the failed attempts without a length byte in front!

See when I add length byte in front it sends it, but I also have to trim off one byte on the end, which is why
I was using 4 lines instead of 3.

Please, please someone show me a log of sending 21 54 45 45 31 32 4A 31 natively and it actually working on an elm?
ironduke
Posts: 583
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: Gm bcm and cluster can bus messages through eml327 scrip

Post by ironduke »

no data means it didn't receive anything in response.. Again, being able to log this with another tool would be a fantastic way to do it.
The session you just posted is also being tried without unlocking it??

I wonder if you have to turn off responses for the multiline.. I've been digging into some of my older work but haven't found some good examples..
After the 1st line you will get a response of 30..
after the second line you won't get a response, if you wait for one then it will error out.. You NEED to send the 3rd line..
After the 3rd line you would get a response..


Looking at your "log"..
Interesting to see how the flow control worked, at least I think I see.. I never used it. Just write my own send and response code for the elm that send the 30 for me..

vin write attempt has some blocked out commands? Replies were question marks so you didn't unlock it.. the multiline commands still should have been accepted even though it would fail in the end but again if you're typing these out then they will fail.. simply takes too long and the ecu gives up waiting..

2nd attempt


I know for a fact I have changed the vin on an e38 with nothing more than an elm327 and termite. termite is just a serial port program that has "function keys" that can be programmed.. so I programmed F1 to get seed, F2 to send key, F3 for 1st vin line, F4 for 2nd and F4 for 3rd and just tapped them in a row..

If you post up what you're working with in c# I can set it up in the home garage and work along with you a bit, I'm sure some others would help as well.. I do have a silverado BCM I can connect to on the bench as well.. I'm sure the seed key is different but the vin write would be the same..

again, I also don't really use the elm anymore because of these limitations and problems, it is interesting to see someone else giving it a go, I do understand the frustration.. I remember having to hack quite a bit and simply add delays in between commands, yeah, totally the wrong way to do things.. I'm gonna get yelled at for sure, lol.. Major problem I had is I would try another elm and the "timings" would be off for that one, lol.. circles and circles since I was working on the code from multiple locations..
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Gm bcm and cluster can bus messages through eml327 scrip

Post by 04colyZQ8 »

Yes I don’t bother unlocking at this point because I’m certain I’m not sending the messages correctly for the 19 byte long message.

Once I get that sorted out then I’ll try unlocking it.

So am I getting a correct response?

I always get 30 00 14 back, everyone keeps saying it should just be 30?

So does that mean the 00 14 is some kind of error?

There must be a way to send the message including the header without using atsh ?

If only I could send the direct full message myself
Like this ..
>at 00 00 02 41 21 .............
But that doesn’t work, and neither does

>00 00 02 41 21 .............
antus
Site Admin
Posts: 8251
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Gm bcm and cluster can bus messages through eml327 scrip

Post by antus »

Maybe have a look at vin changer and elm scripter here: https://www.customecm.com/custom-software
elmscripter might be a better tool to work in and get up and running. and the $50 fee for the vin changer, which includes bcm vin, might be a cheap way to get a working example.
Tazzi
Posts: 3431
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Gm bcm and cluster can bus messages through eml327 scrip

Post by Tazzi »

A lot of it comes down to if the ELM even supports the required commands. A lot of the knockoffs don't support changing the timeout time, and also don't support disabling responses. It effectively makes it near impossible to send chunks of data with canbus since you have to do the formatting yourself when using an ELM. A genuine ELM will allow making those edits which allows jerry rigging it enough to work for basic things like that.

An OBDX or OBDLink scantool can handle all the auto formatting so a large frame can be sent in just one message, rather than trying to handle all the formatting yourself.

ie.. on OBDX, you could send: DXSD 00 02 41 3B 90 31 47 43 50 21 54 45 45 31 32 4A 31 32 32 33 36 30
Of course you still need to set the filter and flow control headers in a previous command, but it would be a single line to send.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
ironduke
Posts: 583
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: Gm bcm and cluster can bus messages through eml327 scrip

Post by ironduke »

Welp, I goofed around with a bluetooth elm I have at the shop, that one has the same trouble with multiline that you're having.. I know I've done it, just can't find my old code with it, spent some time digging thru some old processing code to see how I did it and I think it was the fact I used a different elm device..

I can turn off can formatting (AT CAF0) and turn on flow control (AT CFC1) and I can ask for the vin and get all 3 lines.
I cannot turn off flow control and can formatting and ask for the vin and send my own 30..
This elm is funny.. Leaving headers off for simplicity..
if I send 01 30 it is actually sending 130.. so my mdi logging sees 00 00 07E0130 instead of 7E00130...
I'll try turning headers on to see if it is still doing that??
Definitely remembering why I stopped playing with the elms


I'll do some more digging, but honestly it's looking like you might be better off getting your J2534 device to work, then make sure you can actually write the vin to the bcm as I'm wondering if it's going to be locked out.. If you want to do the elm afterwards then at least you'll have a much better idea of doing it..

later on in the night....
It took a bit of digging to figure out how the hell I did it..
for writing multiline messages with my elm at home.. Might work on the one at the shop too but??
Problem is the elm, go figure..
if I send "10 13 3b 90 11 22 33 44" as the first line it gets sent ok.. 11 22 33 44 is the vin digits 1-4

if I send "21 55 66 77 88 99 aa bb" as the second line it only sends "1 55 66 77 88 99 aa bb" Do you see how it's missing the 2 at the start of the message?

So all I did back then was send "221 55 66 77 88 99 aa bb" .... it makes no sense but it actually sends "21 55 66 77 88 99 aa bb"
the first digit can be anything, it appears it gets thrown out and not sent.. code below is an 8 and a 9, lol..

Timing is critical with the elm and the ecu.. for writing I use System.Threading.Thread.Sleep(10) in between sends..
I know it is not correct, it's not right, go ahead and flame me.. This may very easily cause problems depending on speed of computer? and the elm hardware..

If you're trying to write the vin I used System.Threading.Thread.Sleep(600) and then I read existing AFTER sending the 3 lines.. Then I got the 027B90 reply that it was successful..

below is a successful vin write log with an elm..

25:22.640 : 7E010133B9031323334
25:22.642 : 7E830000A
25:22.650 : 7E02135363738394142
25:22.665 : 7E022434445464748AA
25:22.667 : 7E8027B90AAAAAAAAAA

Below is literally the code that did it.. Again, no grading on my code.. This is old hacked code from 3 years ago I changed around a little to clean it up very slightly..

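public static void WriteVin()
{
    // _serialPort, Isconnected, Elmsetup() and Menu() are defined elsewhere in the program.
    string Vinresponse = "";

    if (!Isconnected) Elmsetup();
    // First frame: 10 = first frame, 13 = 19 data bytes, 3B 90 = vin write, then vin digits 1-4.
    _serialPort.Write("10133b9031323334" + "\r");
    System.Threading.Thread.Sleep(10);
    // Lines 21 and 22: this elm throws away the first digit, so an extra one (8, 9) goes in front.
    _serialPort.Write("82135363738394142" + "\r");
    System.Threading.Thread.Sleep(10);
    _serialPort.Write("922434445464748AA" + "\r");
    // Give the ecu time to answer, then read whatever the elm has buffered.
    System.Threading.Thread.Sleep(550);
    try { Vinresponse = _serialPort.ReadExisting(); }
    catch { }

    Console.WriteLine(Vinresponse);

    Menu();
}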

there are much better ways to do this, much cleaner.. but with the elm it's fitting, lol.. I do not check to see if it sent, I do not look to see how many bytes are there to read, etc..

Reading the vin is a whole different ball game.. Much better simply using flow control and can formatting to get it than this way.. You can do it with CAN formatting and flow control off but you need to send 130 back.. or 230 or 330.. 1st digit doesn't matter but it needs to be there to send the 30..
Writing might be possible with flow control and/or can formatting turned on, I just couldn't do it back then and don't feel like trying now.. this hurt my head just getting this to work again.. lmao..

Good luck and I foresee some J2534 work in your future, lol..
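
The 10 / 21 / 22 / 30 bytes discussed in this thread are ISO-TP (ISO 15765-2) frame headers. The Python below is an added example, not code from any poster: it splits a payload into first and consecutive frames (including the 2F to 20 wrap), reassembles them, and decodes a flow-control frame such as the 30 00 14 seen in the putty session. The function names are made up for illustration, and the sample payload is the dummy VIN from the log above.

```python
"""ISO-TP (ISO 15765-2) framing on 8-byte CAN frames. Added example."""

FLOW_STATUS = {0: "continue to send", 1: "wait", 2: "overflow/abort"}


def decode_flow_control(frame: bytes) -> dict:
    """Decode a flow-control frame: 3x = status, then block size, then STmin."""
    if len(frame) < 3 or frame[0] >> 4 != 0x3:
        raise ValueError("not a flow-control frame")
    st = frame[2]
    if st <= 0x7F:
        st_min_ms = float(st)             # 0x00-0x7F: gap in milliseconds
    elif 0xF1 <= st <= 0xF9:
        st_min_ms = (st - 0xF0) / 10.0    # 0xF1-0xF9: 100-900 microseconds
    else:
        st_min_ms = 127.0                 # reserved value: use the maximum
    return {"status": FLOW_STATUS.get(frame[0] & 0x0F, "reserved"),
            "block_size": frame[1],       # 0 = send all remaining frames
            "st_min_ms": st_min_ms}


def segment(payload: bytes, pad: int = 0xAA) -> list:
    """Split a payload into 8-byte frames, padding unused bytes."""
    if len(payload) > 0xFFF:
        raise ValueError("payload too long for a 12-bit length")
    if len(payload) <= 7:
        frames = [bytes([len(payload)]) + payload]             # single frame
    else:
        size = len(payload)
        frames = [bytes([0x10 | (size >> 8), size & 0xFF]) + payload[:6]]
        seq = 1
        for i in range(6, size, 7):
            frames.append(bytes([0x20 | seq]) + payload[i:i + 7])
            seq = (seq + 1) & 0x0F        # 21..2F, then wraps to 20
    return [f.ljust(8, bytes([pad])) for f in frames]


def reassemble(frames: list) -> bytes:
    """Rebuild the payload, checking the consecutive-frame sequence."""
    first = frames[0]
    if first[0] >> 4 == 0x0:
        return first[1:1 + (first[0] & 0x0F)]
    if first[0] >> 4 != 0x1:
        raise ValueError("expected a single or first frame")
    total = ((first[0] & 0x0F) << 8) | first[1]
    data = bytearray(first[2:8])
    expected = 1
    for cf in frames[1:]:
        if cf[0] != (0x20 | expected):
            raise ValueError(f"sequence byte {cf[0]:02X}, expected {0x20 | expected:02X}")
        data += cf[1:8]
        expected = (expected + 1) & 0x0F
    if len(data) < total:
        raise ValueError("message incomplete")
    return bytes(data[:total])            # drop padding past the stated length


if __name__ == "__main__":
    # 3B 90 plus the 17-character dummy VIN from the log above: 19 bytes.
    for frame in segment(bytes.fromhex("3B90") + b"123456789ABCDEFGH"):
        print(frame.hex(" ").upper())
    print(decode_flow_control(bytes.fromhex("30 00 14")))
```

A 19-byte message needs only three frames because the first frame carries 6 payload bytes and each following frame carries 7, leaving one pad byte at the end.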
Tazzi
Posts: 3431
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Gm bcm and cluster can bus messages through eml327 scrip

Post by Tazzi »

On ELMs, it was basically a matter of turning off all formatting, and also turning off responses until sending the last frame where you search for a response. If you get a response, then you know it at least all sent. If you don't get a response, then you know it certainly failed.
I found clone ELMs never worked for this, at least I struggled to make it work. It was only the genuine firmware which actually worked.
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Gm bcm and cluster can bus messages through eml327 scrip

Post by 04colyZQ8 »

That’s probably what’s going on with mine as well I can’t send 21... or 22 .... I haven’t tried 222 or 223, only way I got it to go was 10 21... or 10 22... maybe your trick will also work.