NEED HELP Reverse Engineering

Roudter

Original poster
Member
Apr 5, 2021
12
NJ
So, I've written some software to talk to those cheapo OBD2 wireless dongle things. Actually, two android apps. One is a CAN terminal thing, the other more of a standard obd2 scanner thing. I'm not here to push my apps so much as to find information. Of course, you are welcome to them if you want, you can find them at thoughtpill.com. I'm a very small time operation - like tiny.

Ok, so there's a CAN app that I wrote that allows you to play around like a terminal - but a little better (I think). Well, it is good enough for me to have blown out my learned crank variation (P0315) and mess up my oil life index. I also alienated one of my keys... I'm searching for the elusive, actual code specification...(like byte structure of messages) to do the crank relearn...to do ANYTHING interesting....My app does basic OBDII functions...

My very last resort is to actually purchase one of these expensive tools and reverse engineer the comm. I've already got the hardware and a raspberry pi w/linux to do it......But, maybe someone has some info???...Anything I learn goes into that software and becomes available for everyone....Anyway, thanks!
 

Mooseman

Moderator
Dec 4, 2011
25,262
Ottawa, ON
Moved the thread over to the scan tools section.

@TJBaker57 is our resident SME on these things but he's currently on a cross country hike, or something like that. He has a fairly lengthy thread on this stuff using a terminal app.

 

Roudter

Original poster
Member
Apr 5, 2021
12
NJ
Ok great. Thanks. Some additional info...I'm working with the 15765-4 protocol. I guess that's the next step from J1850. Of course everything is different. Headers are 4 (29 bit) or 1.5 bytes (11 bit)....for example, headers are like (7E0 - engine, 7E2 - trans, etc)...so, to talk to the engine ECU would be
"ATSH7E2"
...or for diag. functional address 7DF...
"ATSH7DF"

In J1850, all the processors' addresses are pretty clear - as are the pids. But, to me, I can't identify the ecus on my 15765-4 bus...and I can't find a map, like we have with j1850...

I'll post more details as I encounter them...
 

Roudter

Original poster
Member
Apr 5, 2021
12
NJ
Just in case anybody reads this...I ended up getting a Tech2 clone and did the relearn. I used a Raspberry Pi and a CAN module to sniff out the comm. Found some cool stuff along the way....

Here's some actual bi-directional coding info on that 2006 impala:
Body Controller ECU is 241
Engine Controller ECU is 7E0

Commands you send will only remain for a few seconds, unless the car receives the 'tool present' command, which is simply 3E repeatedly sent to header 7E0 - and you have a second or so to send the command...and then the commanded state will remain (at least for the radiator fans).

some commands...
Notice how the bit values are laid out when translated from the hex.
You can see the 0 vs 1 values explicitly.
Radiator Fans: Turn Fan1 On (AE20000000C000) header:7E0
C0 = 1100 0000 as bits
Turn Fan1 and 2 On (AE20000000A000) header: 7E0
A0 = 1010 0000 as bits
Turn Fans Off (AE200000008000) header:7E0
80 = 1000 0000 as bits

BE VERY CAREFUL WITH ANY MODE $3B COMMANDS MODE $3B is a MEMORY WRITE mode. (likely how I reset my crankshaft calibration)

Set Oil Life (3B6DXX) header: 7E0 note this is mode $3B where XX is (00 - FF), or 0 to 255 in regular decimal numbers (hex avoids 3 columns)

So, the commands to header/canid 7E0 to set oil life would be
3B6D00 = 0%
3B6D81 = 50%
3B6DFF = 100%

Oh yeah, to read oil life (remember doing that) the pid is (1A6D) header:7E0

I'm thinking mode $1A is a GM 'read' mode concurrent with $3B write mode - here $6D is the oil life pid value. (We read and write to pid $6D)

BCM (body control module) ECU 241 - still investigating
dome light off
(AE1A0100000000) header:241
lock all doors
(AE100202000000) header:241 - solenoid on
(AE100200000000) header:241 - solenoid off (not unlock)
 

Roudter

Original poster
Member
Apr 5, 2021
12
NJ
A 2006 Chevrolet Impala 3.9l (9c3):

BCM (body control module) ECU 241 (not like J1850 6 digit addresses)
Low Beam
(AE124040000000) header:241 - off
(AE124000000000) header:241 - on
Fog Lamp
(AE121010000000) header:241 - off
(AE121000000000) header:241 - on
dome light
(AE1A0100000000) header:241 - off
(AE1A01FF000000) header:241 - on
lock all doors
(AE100202000000) header:241 - solenoid on
(AE100200000000) header:241 - solenoid off (not unlock)
Unlock Driver door
(AE100000020200) header:241 - solenoid on
(AE100000020000) header:241 - solenoid off (not unlock)
Unlock Passenger doors
(AE100404000000) header:241 - solenoid on
(AE100400000000) header:241 - solenoid off (not unlock)
Trunk
(AE101010000000) header:241 - solenoid on
(AE101000000000) header:241 - solenoid off

(Note that 'AE' is NOT an elm327 command, it's raw data to the ecu)
Here's a terminal example direct to an ELM327 (<Enter> = 0x13, carriage return)
Line1: ATSH241<Enter>
Line2: AE101000000000<Enter>
 
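For anyone doing the same Raspberry Pi sniffing the two posts above describe, here is an added example (not code from the original poster's apps or from the Tech2 tool) that decodes captured 11-bit frames into the meanings listed in this thread, renders the bit layout the way the fan post does, and flags mode $3B memory-write frames so they stand out in a capture. It assumes a log line is written as "header payload" in hex (e.g. "7E0 AE20000000C000"); the sample capture is constructed.

```python
"""Decode raw ISO 15765-4 frames logged from a CAN sniffer.

Added example for this thread, not code from the poster's apps or tools.
Assumes each log line is "<11-bit header hex> <payload hex>". The meanings
come from the tables posted above for the 2006 Impala.
"""

# Constructed sample capture in the assumed "header payload" format.
SAMPLE_LOG = """\
7E0 3E
7E0 AE20000000C000
7E0 3B6D81
7E0 1A6D
241 AE101010000000
"""

MEMORY_WRITE = 0x3B   # GM mode $3B, memory write: flagged as risky
TOOL_PRESENT = 0x3E   # sent repeatedly so a commanded state persists
READ_MODE = 0x1A      # GM read mode; $1A6D reads oil life PID $6D
OIL_LIFE_PID = 0x6D

# (header, payload) -> meaning, copied from the tables in this thread
KNOWN = {
    (0x7E0, "AE20000000C000"): "fan 1 on",
    (0x7E0, "AE20000000A000"): "fans 1 and 2 on",
    (0x7E0, "AE200000008000"): "fans off",
    (0x241, "AE1A0100000000"): "dome light off",
    (0x241, "AE1A01FF000000"): "dome light on",
    (0x241, "AE101010000000"): "trunk solenoid on",
    (0x241, "AE101000000000"): "trunk solenoid off",
}


def bits(byte):
    """Render a byte the way the post does, e.g. 0xC0 -> '1100 0000'."""
    s = format(byte, "08b")
    return s[:4] + " " + s[4:]


def decode(line):
    """Turn one log line into a dict describing what the frame does."""
    hdr, payload = line.split()
    header, data = int(hdr, 16), bytes.fromhex(payload)
    mode = data[0]
    info = {"header": header, "mode": mode, "bits": [bits(b) for b in data[1:]],
            "risky": mode == MEMORY_WRITE, "meaning": KNOWN.get((header, payload))}
    if mode == TOOL_PRESENT:
        info["meaning"] = "tool present (keeps commanded state alive)"
    elif mode == MEMORY_WRITE and len(data) >= 3 and data[1] == OIL_LIFE_PID:
        # 3B6DXX: XX runs 00..FF, which the post maps onto 0..100 percent
        info["meaning"] = "set oil life to %d%%" % (data[2] * 100 // 255)
    elif mode == READ_MODE and len(data) >= 2 and data[1] == OIL_LIFE_PID:
        info["meaning"] = "read oil life"
    return info


def decode_log(text):
    """Decode every non-empty line of a capture; unknown frames get meaning None."""
    return [decode(ln) for ln in text.splitlines() if ln.strip()]
```

Running `decode_log(SAMPLE_LOG)` lists each frame with its bit rendering; any entry with `risky` set is a memory write and worth a second look before replaying anything from the capture.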
