Open source GM OBD2 flash tool using a ELM327 device

They go by many names, P01, P59, VPW, '0411 etc. Also covering E38 and newer here.
Locked
redheadedrod
Posts: 4
Joined: Tue Apr 18, 2017 1:46 am
cars: '03 GM truck, '09 GM car, '94 GM car

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by redheadedrod »

Hello, NSFW mentioned this thread on an M2 thread I have been active on.

I am an active student working on my Computer Science Degree and am somewhat tied up until end of April but I certainly would like to help with this.

I have an O-Scope, a couple M2's which I have been tinkering around on for a while, A Tech 2 and probably some other stuff.

The current M2 Arduino Library was pulled from a different Arduino but Ben seems to have disappeared after getting this library working. Getting the 4x mode should be simple as it is just changing the timing on it. But I need some more information on how this integrates in with the normal VPW.

I have not read this whole thread yet but the M2 certainly has more than enough power to do whatever you want.

Down the road if it doesn't have enough power there is a beta version M2 running on a pocketbeagle too. I have not used that one but might be another option.

Basically the M2 has 2 boards, the Interface board and the Processor board. The processor board on the released version is an Arduino. Beta one is based on the PocketBeagle and would run Linux. I will likely grab one of their beta pocketBeagle boards later this year to help work on that once I am further along with what I am doing now.

To work on programming an ECM I would probably want to go the same route as you guys have done with the Socketed PCM. If there is information on how to do that or if someone has one that they want to sell me already setup? I actually would prefer the PCM that is used in the GM full sized trucks from 2003-2005 since I have an '03 Avalanche.

I do have some spare '94 Caprice PCM's but those are ALDL..

I also have a bunch of modules I pulled from a ~2002 Trailblazer (S10 type). Have not been successful in getting the BCM talking to the IP and the ODBII port but haven't messed with it much yet. I could probably socket this BCM if I knew what I was doing with it.

I do have some Assembly experience so figuring out the 68xxx shouldn't be too hard. If I get some traction on this and get my summer projects going I could also add 68xxx support to an open source reverse engineering program I have helped expand support for ARM processors on. Which would help dramatically with figuring out the code in the BCM etc... I understand all of the GM modules are based on the 68xxx processor to keep the module programming simple.

My Tech 2 has the t2000 software with it too and I was told it has firmware up through 2005 with it. Not sure how to pull it off to read it though yet.

I should probably add that my projects this summer include getting BlueTooth and WiFi working with the M2. Since they support Xbee you could also add Cellular support as well. I will be picking up a cellular Xbee at some point this year once I get the rest working so I can connect via Cellular although that will likely not be something useful for THIS project. I can also add a Nextion HMI which would allow programming from a hand held device without need of a computer. (Basically it is a serially controlled touch display with a PIC processor on board. You setup a program on the Nextion and it communicates with the Arduino. You can have a GUI setup on the screen to communicate with the Arduino. Basically when you press a button on the screen it can send the request to the Arduino and the Arduino can send it back stuff to display or whatever.

Rodney
pgbpro2.0@gmail.com
Posts: 6
Joined: Thu Mar 08, 2018 4:07 pm
cars: 2005 Cadillac CTS-V
2005 Mercedes Benz SLK350

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by pgbpro2.0@gmail.com »

Rodney,
Welcome!
I take it you already have a bench harness made up for the 80 pin GM PCM's? I made one last weekend for $10 by basically just following https://sites.google.com/site/sloppywik ... ch-harness
I did find that he mislabeled the OBDII port - serial data / purple - pin number incorrectly so just watch out for that.

The goal of this project - as originally stated - was to read/write a 12200411 PCM. They are nice and cheap on ebay https://www.ebay.com/itm/Chevrolet-GM-P ... 2937269424
The '0411' PCM is 512 kB .

You and I share the goal to support the later PCM's too (I have an 05 CTS-V w/ 12570558), but worst case scenario we don't get there and have to swap the 0411 into our vehicles as well.

This is a good overview of the different Gen II PCMS: https://www.lsenginediy.com/comparing-g ... ntrollers/
User avatar
antus
Site Admin
Posts: 8238
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by antus »

The interface should not be aware of block checksums, that comes from the PC side. I think the due is a better option, more processor power makes things a lot easier and the price difference isnt anything to worry about between a mega and something arm based. The tech2 does not read bins, at all. It only pulls known updates from GM and writes to the car. It can set a lot of car options though and logging that data and reproducing that in software (as tazzi has done) is useful.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
160plus
Posts: 90
Joined: Thu Sep 21, 2017 3:00 pm

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by 160plus »

pgbpro2.0@gmail.com wrote:
You and I share the goal to support the later PCM's too (I have an 05 CTS-V w/ 12570558), but worst case scenario we don't get there and have to swap the 0411 into our vehicles as well.
Don't worry it'll get there one way or another ;)
User avatar
antus
Site Admin
Posts: 8238
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by antus »

Biggvl has just donated a 1mbyte pcm to the cause so I can develop and test against that. It'll be great having one on hand. Thanks Biggvl! It will get there.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
160plus
Posts: 90
Joined: Thu Sep 21, 2017 3:00 pm

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by 160plus »

The name Thaniel has come up in this thread a couple of times, if you look close you will see he did actually make one post well over a month ago.

I have been working with him in great detail to "Create" a suitable VPW interface and to unravel the mystery's of how to read and writing a pcm. After several attempts to convince Thaniel to make some type of "Public" post regarding the project we have been working on; he has chosen to remain in the shadows and has tasked me with "passing on" and sharing the details of the work being done.

With that being said I feel Thaniel and his Son have done some amazing work here with very few tools and almost nothing to work with. While I have contributed to the code and done extensive testing Thaniel and his son are responsible for the vast majority of the programming that got this working.

There are also a number of other people that have contributed to this both directly and indirectly, with out their contributions this likely would never have made it this far in the first place.

NSFW - With out his conversion Software we would have never been able to turn the hex we read out into a bin file

Tazzi - I'm going to say your what inspired me to purse this for as long as I have. I nearly gave up on this idea a couple of times but somehow you always found a way to change my mind.

Antus - I'm not even sure where to begin.......with out your help this would have died a long time ago.


Once the program is stable and working with 4x for read and write the full sketch and circuit diagram will be posted to the Github project.

In 1x mode the best read time I have been able to get was just a touch under 8 minutes on the 512K pcm. It can read any where from 1 byte blocks all the way up to 4096 byte blocks. Well....it's actually capable of larger blocks but the P1 and P59 pcm's max out reading 4096 byte blocks. Perhaps that's just the limit of the flash kernel we are using right now or it may be a hardware limit of the pcm. The sketch can be modified to interact the same way as an Elm, so once the program Nsfw is working on gets a bit further along we'll start pulling the "Program" if you will out of the Arduino sketch we have and change the setup so that it is directly interchangeable with what ever driver the Allpro use's.

4X mode is working for monitoring currently but we are experiencing trouble transmitting larger blocks over 4x. We are getting an incorrect byte translation when we send the third part of the flash kernel we've been using. Some more tweaking of the circuit and timings and there's a good chance we'll have 4x working in the next week or two. While in 4x mode we can "Poke" the pcm so to speak to keep it in 4x mode and even after running for quite sometime the smaller blocks are still working fine so we figure it's close.
VPW_MEGA_V015
Set to 1x
enter any character to continue

E8 FF 10 03 B3 - ECU to All - Diagnostic Trouble Codes (03)
6C 10 F0 27 01 B0 - Tester to ECU - Requesting Seed **********************************************************
6C F0 10 67 01 00 6C 8F - ECU to Tester - Seed is: 6C ****************************************************
6C 10 F0 27 02 10 F0 F1 - Tester to ECU - Attempting Key: 10 F0 ****************************************************
6C F0 10 67 02 34 4B - ECU to Tester - Key Accepted ********************************************************************************************
6C FE F0 A0 97 - Tester to All Request High Speed Mode: **********
6C F0 10 E0 AA 7F - ECU to Tester Ready for High Speed Mode: **************
E8 FF 10 03 B3 - ECU to All - Diagnostic Trouble Codes (03)
6C FE F0 A1 8A - Tester to All Begin High Speed Mode: **********Set to 4x

6C F0 10 74 00 44 1E - ECU to Tester Read to Receive write resp. (74):
boot1 send
6D F0 10 76 00 73 42 - ECU to Tester Data Received- Transfer request resp. (76):
boot2 send
6D F0 10 76 00 72 5F - ECU to Tester - Transfer request resp. (76):
76 00 72 5F is not the response we should get.....

512K Pcm Full Bin Read




1Mb Pcm Full Bin Read
*This has been posted on a number of other forums for several weeks
[youtube]https://www.youtube.com/watch?v=_lN201rOZqE[/youtube]
User avatar
antus
Site Admin
Posts: 8238
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by antus »

Interesting stuff. Got any pics of the hardware?
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
160plus
Posts: 90
Joined: Thu Sep 21, 2017 3:00 pm

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by 160plus »

antus wrote:Interesting stuff. Got any pics of the hardware?
This is a hacked up version of the original 2 Arduino Vpw circuit that I sent Nsfw for testing just so he wasn't using a bread board. Once we have 4x working I'll have another round of pcb's made for people to use while working on this project. We've have somewhere around 40 notable program revisions and some significant hardware revisions over the course of this.
20180306_220536 (1).jpg


This was most recent version on a bread board I was working with over the weekend, however the design has changed again slightly since starting on the 4x mode.
20180313_001237 (1).jpg


The simple version of the circuit
Schematic_elmv2_my-draw-elm-j1850vpw_20180313002450.png
User avatar
Gareth
Posts: 2505
Joined: Fri Mar 14, 2014 8:37 pm
Location: Bacchus Marsh, Vic

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by Gareth »

antus wrote:Biggvl has just donated a 1mbyte pcm to the cause so I can develop and test against that. It'll be great having one on hand. Thanks Biggvl! It will get there.
If there is any other hardware anyone requires please just let me know :thumbup:
According to chemistry, alcohol is a solution...
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by Tazzi »

160plus wrote: 4X mode is working for monitoring currently but we are experiencing trouble transmitting larger blocks over 4x. We are getting an incorrect byte translation when we send the third part of the flash kernel we've been using. Some more tweaking of the circuit and timings and there's a good chance we'll have 4x working in the next week or two. While in 4x mode we can "Poke" the pcm so to speak to keep it in 4x mode and even after running for quite sometime the smaller blocks are still working fine so we figure it's close.
This was what I was referring to, where timings become so small and critical, that a single bit that is out will ruin an entire block send as then the VPW crc checksum will be invalid. Whether its the sending or receiving at 4x, its likely both are causing dramas, as your in the low microsecond level of timing :shock:

Id rather wait 8mins, then risk reliability for 4x.
Last edited by Tazzi on Tue Mar 13, 2018 3:44 pm, edited 1 time in total.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
Locked