Software On ELM Street - OBD2 Software Development

[Tazzi]

Alright.. Sending the previous values back lets us get past the indentifying screen.

All the above was done under "2004 WK Commodore".

Now I have a whole heap of stuff to go through

Anything in particular anyone wants? Im sure some of this stuff can be useful for the backyarder without a scantool?






Also, I clicked on the "detect faults"
And got this back: 6C 10 F1 19 52 FF 00 F3
Now.. I just need an example frame to start reversing. Can anyone set there header to 6C 10 F1, and send off 19 52 FF 00?
Looks like the "52" byte is a request for:Pending trouble codes (0x40), history code with freeze frame data(0x10) and current codes(0x10). Thus 40+10+2 = 0x52

May have found an answer

read back 6c 10 f1 xx 59 yy zz qq where
xx = node id of responding device
yy zz = dtc code (see elm electronics paper for your chip, 322 page 10 for me)
qq = misc checksum

Will attempt sending back 6C 10 F1 10 59 01 33 XX
..Well that didnt work haha.. I just get a blank blue screen.. so almost right but obviously missing something somewhere. Definately need someone to read out a value ASAP! Those holden specific codes are within reach!

[VX L67 Getrag]

If no one gets to do it before tomorrow I can do it then!

[Tazzi]

I think I sorted it, tech2 doesnt automatically update like I was hoping, I have to pause my fake elm to make the new dtc's pop up.
I am sending: 6C F1 10 59 01 33 XX
Or can replace 0133 with whatever really.

Ahh.. there.. So to get the tech2 to update the error, must sent the fault eg: 6C F1 10 59 01 33 XX
Then reupdate with 6C F1 10 59 00 00 XX

Now.. Might need to make a loop to go through each value with a 3second delay so I can write the fault number.

Not sure what the manufacture specific codes are.. hmm.. Be good if I could just "flag" all faults present at once lol And work back from there

[delcowizzid]

about time an elm made it LOL.ide laugh if all of them you ordered turned up that might be the first one you ordered LOL

[Jayme]

yeah mate thats easy... ive got it defined in my adx if you go back and have a look

I send off 0x6C 0x10 0xF1 0x19 0x82 0xFF 0x00 (request currently set DTC's)
and get back one packet for each DTC set. if none you will get back one packet with a DTC of 0000. 0x08 0x00 0x6C 0xF1 0x10 xx xx xx xx (the xx's being the DTC)
so if you have four DTC's set you will get back 4 packets

0x08 0x00 0x6C 0xF1 0x10 xx xx xx xx
0x08 0x00 0x6C 0xF1 0x10 xx xx xx xx
0x08 0x00 0x6C 0xF1 0x10 xx xx xx xx
0x08 0x00 0x6C 0xF1 0x10 xx xx xx xx

I also use 0x6C 0x10 0xF1 0x19 0x40 0xFF 0x00 (request PEnding DTC's)
and 0x6C 0x10 0xF1 0x19 0x10 0xFF 0x00 (request Historical DTC's)

[Tazzi]

about time an elm made it LOL.ide laugh if all of them you ordered turned up that might be the first one you ordered LOL

Well who knows which one this is, all it has is my address on the front haha


cheers Jayme, I just sussed that out. But, Im noticing the tech2 doesnt seem to update unless I send through a no faults present afterwards, otherwise it sits there with a blue screen waiting.

Iv tried pausing it so it doesnt respond but doesnt seem to make a difference!

[Jayme]

maybe send one packet with error 6C F1 10 59 01 33 XX
then one packet straight after with 6C F1 10 59 00 00 XX

I think you normally get an 00 00 packet after the actual DTC's

[Tazzi]

maybe send one packet with error 6C F1 10 59 01 33 XX
then one packet straight after with 6C F1 10 59 00 00 XX

I think you normally get an 00 00 packet after the actual DTC's

Yeah thats what Iv been doing.. annoying as to do!.. Have to add a couple checkbox's. One to enable the fault send back. And the other to send a 00 packet.

Looks like I can capture 30 different faults in one shot.
And P1,C1,C2,B1,B2,U1,U2 faults are manufacture specific

Will Start with P1, and see if I find anything.

[Tazzi]

Ok found one,

P1133 02 Sensor - Too Few Rick/Lean And Lean/Rich Switches (Bank 1 Sensor)

hmmm, looks like running through a loop will need to be done.. Takes too long doing this 1 by 1.

Also on the todo list is to understand these data messages: 6C 10 F1 2C FE 4B 12 55 11 92 F3
Since we have logs previously of the responses, I should be able to build responses, and increment there values 1 by 1 to decipher whats going on.

Also most "function checks/tests" have the format of: 6C 10 F1 22 12 55 01 B9 that is for 02-loop Status

IAC Circuit was: 6C 10 F1 22 00 0D 01 A6


huh... something I didnt know... I can perfrom a SPS service programing request/download of data.
Can also see a download request for the telematics module.. May be interesting to see how they download the modules info over ALDL

VZ has a Instrument cluster option.. WOOOOOOOOOOOOOOOOOOOOO!

If theres anything anyone wants me to log/test.. let me know!
Will be pretty much adding everything I can find in the tech2 to the software anyways.

[Jayme]

nevermind about that one I adlready know whats going on...... this took me a while to figure out and will save you a bunch of time.

check out the last page of my adx thread, I posted a new avt adx there not long ago that uses this method. it is a "Dynamic PID" basically a DPID has 6 free bytes and you load those 6 bytes up with anything you want, then request it all in one hit. there are 8 DPID's with 6 bytes free each.


6C 10 F0 2C FE 8E 00 80 00 FF
2C = mode 2C
FE = dynamic PID ID (there are 8 of them F7 to FE)
8E = config byte Binary config 10 001110 : 10 = use address (not PID), 001 start at byte 1, 110 load 6 bytes
00 80 00 = address to load
FF = padding

Above means load 6 bytes of address 00 80 00 starting at byte 1 of FE DPID

Success looks like 6C F0 10 6C FE 8E



So loading up our DPID with real pid data that we want:

6C 10 F0 2C FE 4A 00 0C FF FF
Load 2 bytes of data to position 1
4A = 01001010 : 01 = use pid, 001 = byte position 1, 010 = load 2 bytes
00 0C : pid = rpm (2 bytes)
FF FF : padding

6C 10 F0 2C FE 59 00 05 FF FF
As above but load 1 byte to position 3 pid = coolant temp

6C 10 F0 2C FE 61 00 11 FF FF
Load 1 byte to position 4 pid = tps

6C 10 F0 2C FE 69 00 0B FF FF
Load 1 byte to position 5 pid = MAP

6C 10 F0 2C FE 71 00 0F FF FF
Load 1 byte to position 6 PID = IAT



To see your packet you can either do
6C 10 F0 2A 14 FE 00 00 00
this will make it continually send packets for about 3 seconds till it times out unless you keep sending test tool present packets to keep it alive. I suspect the 14 might be a bit flag config byte

OR you can do a one time request (this is what my adx does)
0x6C 0x10 0xF0 0x2A 0x01 0xFE
response: 2013-10-16 22:38:33:8876 RX: 6C F0 10 6A FE 00 00 01 00 0A 01
So here we have in one packet
00 00 = rpm
01 = coolant temp
00 = TPS
0A = MAP
01 = IAT