Open source GM OBD2 flash tool using a ELM327 device

They go by many names, P01, P59, VPW, '0411 etc. Also covering E38 and newer here.
Locked
User avatar
antus
Site Admin
Posts: 8238
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by antus »

The 4x code is just 4x faster. Its for reflashing where the data requirements are higher, and the tool (or pc app) tells all devices on the bus to be quiet, then it tells the pcm to enter high speed mode, which it does. From there the tool/app sends period message broadcasts proclaiming "test tool present" this stops normal traffic from resuming. Traffic on the bus also keeps the bus in this mode, but the correct way is to fire off the test tool present message. More advanced devices like the AVT can be programmed to send the periodic message automatically, but its not required as the PC app can do this manually. As we are planning to support such a variety of hardware I think we'll need to support it on the app side.

The 4x timings are so quick, and cable capacitence can mess with the timings a bit, so its good to have slightly tweaked min and max receive timings to make the mode more reliable, but transmit should be by the book. The DSLogic protocl analyser I wrote has the tweaked timings I settled on to get 4x decoding reliably on my bench setup. viewtopic.php?f=3&t=4761&p=67146
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by Tazzi »

Something else to take into consideration is an option to clear buffer on serial port before performing next actions.
Maybe not so much an issue with an ELM, since thats a one request one response kinda deal. But all other devices may have data already waiting to process due to new bus messages passing through (like on an AVT).

An example for this that I can think of is where an ECU responds back with something like (This is CAN Im referring) 7E8 01 60 after its been left idle without a tester present message for more then 5seconds after a logging or programming session. The ECU automatically sends out a message indicating its returning to normal communication without anything being sent to it. For a passthrough style device like AVT or J2534, this additional message will be picked up and processed. An ELM device will miss that as it doesnt work as a free flowing passthrough.

Just something that popped into my head while working on the J2534 is all :)
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
User avatar
antus
Site Admin
Posts: 8238
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by antus »

Yeah flush buffers and the ability to handle stream type devices would be helpful. Or perhaps the AVT driver will need to replace the whole IPort class. Ive been trying to add response length as a starting point but its getting tangled up with the other drivers.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
User avatar
NSFW
Posts: 679
Joined: Fri Feb 02, 2018 3:13 pm

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by NSFW »

I pushed up a change to the ScantoolDevice class so that it will loop around Port.Receive until it detects the "\r\r>" end-of-message marker. I'm going to be revising that so it will be more reliable than what's there right now (as per the to-do comment that's in there now), but the idea will stay the same.

It makes me wonder if every Device class will end up with a private method that knows how to receive a message from the PCM using whatever that device's protocol is. For ELM/STN devices, you read until \r\r>, for AVT you read a header and then you know how many bytes to expect, so you can loop around Port.Receive until that many bytes have been received... Not sure what the protcol will look like for Thaniel's Arduino, or for the Macchina M2, but I assume that each device's protocol must have its own way to deterministically read a message.
Please don't PM me with technical questions - start a thread instead, and send me a link to it. That way I can answer in public, and help other people who have the same question. Thanks!
160plus
Posts: 90
Joined: Thu Sep 21, 2017 3:00 pm

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by 160plus »

Arduino Interface is now able to "Monitor" in 4x mode. Still working on being able to transmit in 4x mode.
User avatar
antus
Site Admin
Posts: 8238
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by antus »

There has been a lot of discussion with the other devs about threads and approch and how to layer the logic, and now the AVT driver is working to the point of pulling OSID and VIN from the PCM. Depending how much we need to change, this might be close to whats needed. Work will continue here and on other drivers.

The amount of debug is currently overkill but it was useful to identify some threading issues encountered with the newest way of doing c# tasks. Those issues have now been resolved :thumbup:
Initialize called
Initializing AVT 852 V1
Flushing serial buffers
Sending 'reset' message.
ConfirmResponse called
Trace: ReadAVTPacket
RX: Header 91
RX: AVT Type 9 (no status) length 1
Length=1 RX: 27
[09:00:32:032] AVT device reset ok
Looking for Firmware message
ConfirmResponse called
Trace: ReadAVTPacket
RX: Header 92
RX: AVT Type 9 (no status) length 2
Length=2 RX: 04 15
[09:00:32:032] AVT Firmware 1.5
ConfirmResponse called
Trace: ReadAVTPacket
RX: Header 91
RX: AVT Type 9 (no status) length 1
Length=1 RX: 07
Set VPW Mode
[09:00:32:032] Set VPW Mode
AVTFilter called
Trace: ReadAVTPacket
RX: Header 62
RX: AVT Type 6 (no status) length 2
Length=2 RX: 40 00
AVT Acks disabled
Trace: ReadAVTPacket
RX: Header 62
RX: AVT Type 6 (no status) length 2
Length=2 RX: 5B F0
AVTFilter enabled
Sendrequest called
TX: 6C 10 F0 3C 01
Trace: SendAVTPacket
Trace: ReadAVTPacket
RX: Header 0C
RX: AVT Type 0 (with status) length 12
Length=11 RX: 6C F0 10 7C 01 00 36 48 38 56 54
RX: 6C F0 10 7C 01 00 36 48 38 56 54
Sendrequest called
TX: 6C 10 F0 3C 02
Trace: SendAVTPacket
Trace: ReadAVTPacket
RX: Header 0C
RX: AVT Type 0 (with status) length 12
Length=11 RX: 6C F0 10 7C 02 4B 36 39 46 58 4C
RX: 6C F0 10 7C 02 4B 36 39 46 58 4C
Sendrequest called
TX: 6C 10 F0 3C 03
Trace: SendAVTPacket
Trace: ReadAVTPacket
RX: Header 0C
RX: AVT Type 0 (with status) length 12
Length=11 RX: 6C F0 10 7C 03 34 37 38 37 35 37
RX: 6C F0 10 7C 03 34 37 38 37 35 37
[09:00:36:036] VIN: 6H8VT69FX7875
Sendrequest called
TX: 6C 10 F0 3C 0A
Trace: SendAVTPacket
Trace: ReadAVTPacket
RX: Header 0A
RX: AVT Type 0 (with status) length 10
Length=9 RX: 6C F0 10 7C 0A 00 BA 8A 32
RX: 6C F0 10 7C 0A 00 BA 8A 32
[09:00:36:036] OS: 12225074
Sendrequest called
TX: 6C 10 F0 27 01
Trace: SendAVTPacket
Trace: ReadAVTPacket
RX: Header 08
RX: AVT Type 0 (with status) length 8
Length=7 RX: 6C F0 10 67 01 4F 99
RX: 6C F0 10 67 01 4F 99
Sendrequest called
TX: 6C 10 F0 27 02 F9 FE
Trace: SendAVTPacket
Trace: ReadAVTPacket
RX: Header 07
RX: AVT Type 0 (with status) length 7
Length=6 RX: 6C F0 10 67 02 34
RX: 6C F0 10 67 02 34
[09:00:38:038] Unlock succeeded.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by Tazzi »

Winner winner chicken dinner!
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
User avatar
antus
Site Admin
Posts: 8238
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by antus »

The Scantool and AllPro (custom firmware) driver is now working as intended but the debugging is overkill while its a work in progress. We might need to hide some messages from the debug window before the formatting is cleaned up, but the proof of concept is working nicely. Im considering instead of removing line breaks converting them to a space. That'd go a long way to tidy the display of multi line text up while still converting them to single line responses.

Code: Select all

Initializing ScanTool OBDLink MX or SX or OBDDiag.net Allpro
Sending AT Z
Read "ELM327 v2.1"
ELM327 v2.1
Sending AT E0
Read "AT E0OK"
AT E0OK
Sending AT S0
Read "OK"
OK
Sending AT I
Read "ELM327 v2.1"
[09:45:54:4554]  Device supports ELM327 v2.1
Sending ST I
Read "?"
[09:45:54:4554]  Device supports ?
Sending AT #1
Read "Copyright (c) 2009-2017 ObdDiag.Net, PCMHacking.netThis is free software; see the source for copying conditions. There is NOwarranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
[09:45:55:4555]  All Pro: Copyright (c) 2009-2017 ObdDiag.Net, PCMHacking.netThis is free software; see the source for copying conditions. There is NOwarranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Sending AT RV
Read "13.5V"
[09:45:55:4555]  Voltage: 13.5V
Sending AT AL
Read "OK"
OK=OK
Sending AT SP2
Read "OK"
OK=OK
Sending AT DP
Read "SAE J1850 VPW"
SAE J1850 VPW=SAE J1850 VPW
Sending AT SH 6C 10 F0 
Read "OK"
Sending 3C 01
Read "7C0100364838565403"
hexResponse: 7C0100364838565403
deviceResponseBytes: 7C 01 00 36 48 38 56 54 03
Recieved: 6C F0 10 7C 01 00 36 48 38 56 54 03
Sending AT SH 6C 10 F0 
Read "OK"
Sending 3C 02
Read "7C024B363946584C"
hexResponse: 7C024B363946584C
deviceResponseBytes: 7C 02 4B 36 39 46 58 4C
Recieved: 6C F0 10 7C 02 4B 36 39 46 58 4C
Sending AT SH 6C 10 F0 
Read "OK"
Sending 3C 03
Read "7C03343738373537"
hexResponse: 7C03343738373537
deviceResponseBytes: 7C 03 34 37 38 37 35 37
Recieved: 6C F0 10 7C 03 34 37 38 37 35 37
[09:45:59:4559]  VIN: 6H8VT69FX7875
Sending AT SH 6C 10 F0 
Read "OK"
Sending 3C 0A
Read "7C0A00BA8A32"
hexResponse: 7C0A00BA8A32
deviceResponseBytes: 7C 0A 00 BA 8A 32
Recieved: 6C F0 10 7C 0A 00 BA 8A 32
[09:45:59:4559]  OS: 12225074
Sending AT SH 6C 10 F0 
Read "OK"
Sending 3C 04
Read "7C0400F781C2"
hexResponse: 7C0400F781C2
deviceResponseBytes: 7C 04 00 F7 81 C2
Recieved: 6C F0 10 7C 04 00 F7 81 C2
Sending AT SH 6C 10 F0 
Read "OK"
Sending 3C 05
Read "7C0532444730"
hexResponse: 7C0532444730
deviceResponseBytes: 7C 05 32 44 47 30
Recieved: 6C F0 10 7C 05 32 44 47 30
Sending AT SH 6C 10 F0 
Read "OK"
Sending 3C 06
Read "7C0648304C36"
hexResponse: 7C0648304C36
deviceResponseBytes: 7C 06 48 30 4C 36
Recieved: 6C F0 10 7C 06 48 30 4C 36
[09:45:59:4559]  Serial Number: 2DG0H0L6
Sending AT SH 6C 10 F0 
Read "OK"
Sending 3C 14
Read "7C144352554D"
hexResponse: 7C144352554D
deviceResponseBytes: 7C 14 43 52 55 4D
Recieved: 6C F0 10 7C 14 43 52 55 4D
[09:45:59:4559]  Broad Case Code: CRUM
Sending AT SH 6C 10 F0 
Read "OK"
Sending 3C A0
Read "7CA000"
hexResponse: 7CA000
deviceResponseBytes: 7C A0 00
Recieved: 6C F0 10 7C A0 00
[09:45:59:4559]  MEC: 0
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
Thaniel
Posts: 7
Joined: Wed Dec 20, 2017 4:09 am
cars: 2006 BMW 325i
2001 BMW 330i
2001 BMW X5
2003 GSXR
Thos are my main rides currently

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by Thaniel »

Wow. Lot added to this post since I've been here last. Well I feel like I've spent a couple months reinventing the wheel. But at least I learned a lot.

I need a few components to validate the 4x mode works reliably. With the components I have it works but not 100%. Once I get the new parts I'll test and can say for certain if the circuit I'm using works for 4x mode (was working fine for 1x mode). In the mean time I've started documenting a few things I've learned on my blog. here:
https://e46canbus.blogspot.com


Thaniel
User avatar
antus
Site Admin
Posts: 8238
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by antus »

Just looking at your post, you seem to be searching for an electrical solution but havnt mentioned evaluation of the allpro or elm electrionics. There are also voltage tolerances in the official J1850 spec.

Most devices dont follow the spec 100% and just generate a square wave, rather than the slope which is a documented part of the official standard.
allpro schematic version may 2016.png
elm327 reference.png
elm327 reference.png (66.81 KiB) Viewed 4599 times
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
Locked