Gm bcm and cluster can bus messages through eml327 script

[04colyZQ8]

ok..
AE is device control, but I do not know what it's doing? It's commanding 3F 01 01 but then commanding 3F 01 00 afterwards??

You could try copying it with 00 00 02 41 11 ae 3f 01 01 00 00 00. BUT...
I don't know if those zero's at the end are just padding.. If you don't get the expected EE 3F response then you might need to send something like
00 00 02 41 04 ae 3f 01 01 00 00 00


I don't know why it's sending it 3 times? are you seeing the same 7B DF response each time? It might not be needed but you could copy it and write it 3 times if needed?

I wrote my own dps utility file to read the millage this looks great.. see it is repeated 3 times also repeated 3 times in the actual eeprom chip as well.
also repeated 3 times to change my cars kms successfully as well.

>> GM 5-byte Security: Algo 23, Chal 7047EB7C06, Resp E78901EAA9 >> Status Success
20:01:25.7<[.H..] 00 00 02 41 27 02 E7 89 01 EA A9 [0011] FramePad
20:01:25.7>[.H..] 00 00 02 41 [0004] TxDone TxMsgType
20:01:25.7>[.H..] 00 00 06 41 67 02 [0006]
Utility File Step=04 Opcode=1A
20:01:25.7<[.H..] 00 00 02 41 1A DF [0006] FramePad
20:01:25.7>[.H..] 00 00 02 41 [0004] TxDone TxMsgType
20:01:25.7>[.H..] 00 00 06 41 [0004] StartOfMessage
20:01:25.7>[.H..] 00 00 06 41 5A DF 00 33 4E 14 00 33 4E 14 00 33 4E 14 [0018] //repeated 3 times

[04colyZQ8]

ok..
AE is device control, but I do not know what it's doing? It's commanding 3F 01 01 but then commanding 3F 01 00 afterwards??

You could try copying it with 00 00 02 41 11 ae 3f 01 01 00 00 00. BUT...
I don't know if those zero's at the end are just padding.. If you don't get the expected EE 3F response then you might need to send something like
00 00 02 41 04 ae 3f 01 01 00 00 00


I don't know why it's sending it 3 times? are you seeing the same 7B DF response each time? It might not be needed but you could copy it and write it 3 times if needed?

I wrote my own dps utility file to read the millage this looks great.. see it is repeated 3 times also repeated 3 times in the actual eeprom chip as well.
also repeated 3 times to change my cars kms successfully as well.

>> GM 5-byte Security: Algo 23, Chal 7047EB7C06, Resp E78901EAA9 >> Status Success
20:01:25.7<[.H..] 00 00 02 41 27 02 E7 89 01 EA A9 [0011] FramePad
20:01:25.7>[.H..] 00 00 02 41 [0004] TxDone TxMsgType
20:01:25.7>[.H..] 00 00 06 41 67 02 [0006]
Utility File Step=04 Opcode=1A
20:01:25.7<[.H..] 00 00 02 41 1A DF [0006] FramePad
20:01:25.7>[.H..] 00 00 02 41 [0004] TxDone TxMsgType
20:01:25.7>[.H..] 00 00 06 41 [0004] StartOfMessage
20:01:25.7>[.H..] 00 00 06 41 5A DF 00 33 4E 14 00 33 4E 14 00 33 4E 14 [0018] //repeated 3 times

this seems no good

>04 ae 3f 01 01 00 00 00
03 7F AE 12 47 EB 7C 06 //why is it sending back the seed again? almost seems like it's trying to tell me it's not unlocked?

[04colyZQ8]

also....


>04 ae 3f 01 01
03 7F AE 12 47 EB 7C 06

>07 ae 3f 01 01 00 00 00
?

>07 ae 3f 01 01 00 00 00
03 7F AE 78 47 EB 7C 06
05 7F AE E3 00 16 7C 06

[ironduke]

Sorry I do not have a mac or know much about them..

Edited.. sorry I missed that last response, kinda ignore most of what's below.. lol


The first command might be wring still unless you changed it after my last post?
Looks like you sent 07 AE 3F 01 01 00 00 00 ??
Try 00 00 02 24 04 AE 3F 01 01 00 00 00. The last 3 sets of zero's may not be needed but they've never hurt when I padded every message to 12 bytes.

As far as that weird message after trying to write the first mileage message.. What is the ENTIRE response??
you are showing "30 00 14 E3 00 16 7C 06" but I am expecting data in front of that..

Can you do me a huge favor and post the entire message in full.. I suspect your not reading the length byte and the end of the message is just crap left in the elm327 buffer... When can formatting is turned off it's up to you to read the length byte and read only those bytes as the message.. I have no idea where those extra bytes are coming from but I assume they're leftover trash left in the buffer of the elm..

[Gatecrasher]

Look at your length bytes. Anything after that is just garbage that was left over in the buffer.

05 7F AE E3 00 16 7C 06 // this should be EE 3F so must be an error? why does part of this match the seed? does it mean it's sayin unlock first?

03 7F AE 12 47 EB 7C 06 //why is it sending back the seed again? almost seems like it's trying to tell me it's not unlocked?

7F AE E3 means device control failed, or some device control limit was exceeded. The failure code is 0016. No idea what that means though. If you disassemble the DLL you may be able to find a string with a description.

7F AE 12 just means the sub-function isn't supported, or it's in the wrong format. It seems like most of the AE messages need all 7 bytes. Again, pay attention to the length bytes.

07 AE 3F 01 01 00 00 00

[04colyZQ8]

Sorry I do not have a mac or know much about them..

Edited.. sorry I missed that last response, kinda ignore most of what's below.. lol


The first command might be wring still unless you changed it after my last post?
Looks like you sent 07 AE 3F 01 01 00 00 00 ??
Try 00 00 02 24 04 AE 3F 01 01 00 00 00. The last 3 sets of zero's may not be needed but they've never hurt when I padded every message to 12 bytes.

As far as that weird message after trying to write the first mileage message.. What is the ENTIRE response??
you are showing "30 00 14 E3 00 16 7C 06" but I am expecting data in front of that..

Can you do me a huge favor and post the entire message in full.. I suspect your not reading the length byte and the end of the message is just crap left in the elm327 buffer... When can formatting is turned off it's up to you to read the length byte and read only those bytes as the message.. I have no idea where those extra bytes are coming from but I assume they're leftover trash left in the buffer of the elm..

I don’t know how to send 00 00 02 24 04 AE 3F 01 01 00 00 00 the whole thing along with header
It doesn’t let me! Just gives back the ?
So I allways use at sh to set it to 00 00 02 41

And if I don’t also set at cra 00 00 00 06 41 then I don’t get any responses what se ever

How come we send one extra byte for cra header ? This seems to work

But that’s why I just send the message without the header

[04colyZQ8]

Look at your length bytes. Anything after that is just garbage that was left over in the buffer.

05 7F AE E3 00 16 7C 06 // this should be EE 3F so must be an error? why does part of this match the seed? does it mean it's sayin unlock first?

03 7F AE 12 47 EB 7C 06 //why is it sending back the seed again? almost seems like it's trying to tell me it's not unlocked?

7F AE E3 means device control failed, or some device control limit was exceeded. The failure code is 0016. No idea what that means though. If you disassemble the DLL you may be able to find a string with a description.

7F AE 12 just means the sub-function isn't supported, or it's in the wrong format. It seems like most of the AE messages need all 7 bytes. Again, pay attention to the length bytes.

07 AE 3F 01 01 00 00 00

Ok that makes good sense how to flush or clear the buffer?

[04colyZQ8]

I’d love to connect to the mongoose gm cable while it’s sending some dps messages, I tried with my y splitter and no computers on board.

How ever I don’t see it sending the base matrix request it’s something like
00 00 01 01 3F 00 00 00 00

I set my header to 00 01 01
And my cra to 00 00 00 01 01

And then do read info in dps and I see nothing!

Even the the dps logs showing the mongoose sending 00 00 01 01 3F message

And visa a versa I send a return message in for ever while loop which also never
Shows in dps log?

How to get the elm 327 to communicate to the dps “tool” mongoose?

Then I could potentially simulate a module

[ironduke]

I’d love to connect to the mongoose gm cable while it’s sending some dps messages, I tried with my y splitter and no computers on board.

How ever I don’t see it sending the base matrix request it’s something like
00 00 01 01 3F 00 00 00 00

I set my header to 00 01 01
And my cra to 00 00 00 01 01

And then do read info in dps and I see nothing!

Even the the dps logs showing the mongoose sending 00 00 01 01 3F message

And visa a versa I send a return message in for ever while loop which also never
Shows in dps log?

How to get the elm 327 to communicate to the dps “tool” mongoose?

Then I could potentially simulate a module

If you want to see what DPS is doing then reset the elm, don't sent the header and use atma.. The data rate of most elm's is waaay under the 500kb that the high speed bun runs at but it will let you see at least some of it.
try setting atcra000007e0 to see what is being sent to and ecm and try atcra000007e8 to see what the ecm is saying back..
Can do the same for the BCM... I'm beginning to remember why I stopped using the elm devices, lol
I kind of doubt you'll ever get the elm to simulate a module.. the elm is kinda made for send and recieve.. You could use atma and then crawl thru every single message looking for one to respond to but you can't do that with the elm at the speed of the high speed canbus..

Simulating a module can be done with another J2534 device, and then it can be done at the software level down the road with no hardware device used, just takes lots of practice.

Actually just plugged one in..
I like
atsh1
atcaf0 << can use atcaf1 if you want the extra bytes at the end removed for you..
atcra000007e0 or atcra000007e8 or atcra00000241 or atcra00000641
and then atma..

ok, wow.. Just learned something I did not know, or if I did know I don't remember.. See if you can use the atmr and atmt commands.. atmr07 shows any message starting with 00 00 07 so I can see ecm send and receive messages..

If you have something simply in c# and want to send it or post it up, I might be able to modify it a little to use a J2534 dll that should work with your mongoose.. Or take a look at https://github.com/IronDuke123/Canbus-logger or the brute force code and see if that's something you could use to get you started writing code for use with the mongoose instead of the elm.. Course if your fixated on using the elm then just continue the way your working, lol.. Not trying to make you give up on the elm, but it does have limitations, especially with the 500kbps high speed bus your working with..

Some elm's can be sped up to 500k, but it is very hit or miss.. I have some code somewhere in c# that takes an elm at 115,200 and tries to switch it to 500,000 and if successful then you can make it part of your start code and that will help a lot with buffer full errors..

[04colyZQ8]

I’d love to connect to the mongoose gm cable while it’s sending some dps messages, I tried with my y splitter and no computers on board.

How ever I don’t see it sending the base matrix request it’s something like
00 00 01 01 3F 00 00 00 00

I set my header to 00 01 01
And my cra to 00 00 00 01 01

And then do read info in dps and I see nothing!

Even the the dps logs showing the mongoose sending 00 00 01 01 3F message

And visa a versa I send a return message in for ever while loop which also never
Shows in dps log?

How to get the elm 327 to communicate to the dps “tool” mongoose?

Then I could potentially simulate a module

If you want to see what DPS is doing then reset the elm, don't sent the header and use atma.. The data rate of most elm's is waaay under the 500kb that the high speed bun runs at but it will let you see at least some of it.
try setting atcra000007e0 to see what is being sent to and ecm and try atcra000007e8 to see what the ecm is saying back..
Can do the same for the BCM... I'm beginning to remember why I stopped using the elm devices, lol
I kind of doubt you'll ever get the elm to simulate a module.. the elm is kinda made for send and recieve.. You could use atma and then crawl thru every single message looking for one to respond to but you can't do that with the elm at the speed of the high speed canbus..

Simulating a module can be done with another J2534 device, and then it can be done at the software level down the road with no hardware device used, just takes lots of practice.

Actually just plugged one in..
I like
atsh1
atcaf0 << can use atcaf1 if you want the extra bytes at the end removed for you..
atcra000007e0 or atcra000007e8 or atcra00000241 or atcra00000641
and then atma..

ok, wow.. Just learned something I did not know, or if I did know I don't remember.. See if you can use the atmr and atmt commands.. atmr07 shows any message starting with 00 00 07 so I can see ecm send and receive messages..

If you have something simply in c# and want to send it or post it up, I might be able to modify it a little to use a J2534 dll that should work with your mongoose.. Or take a look at https://github.com/IronDuke123/Canbus-logger or the brute force code and see if that's something you could use to get you started writing code for use with the mongoose instead of the elm.. Course if your fixated on using the elm then just continue the way your working, lol.. Not trying to make you give up on the elm, but it does have limitations, especially with the 500kbps high speed bus your working with..

Some elm's can be sped up to 500k, but it is very hit or miss.. I have some code somewhere in c# that takes an elm at 115,200 and tries to switch it to 500,000 and if successful then you can make it part of your start code and that will help a lot with buffer full errors..

That thing is quite interesting I mean mostly I want to log with another device other than the J2534 because that's the one I want to use to see things:) The avt-852 is my best alt. but I can never figure out how to do decant logs or send commands with it.


This J2534 logger does the same thing that alot of devices do that only work with the mid or bosch imitation the mdi window pops up with a red x on it that's all I get. If you know how to get it to recognize the mongoose that would fix several other programs I have as well lol!