Reset adaptive values

robertf · Nov 18, 2016

Injuhneer said:
Calculating all possible values then correlate to the values in the trace you took?

No

Wrote a program to emulate the Ecu side of the communications and record key responses to a file. Increment the seed value by 1 from 0 to 65535. Repeat.

It takes about 20 seconds to get a value. So 20 * 2^16 ~=16 days. Haven't started it yet, still verifying the responses are valid.

robertf · Nov 28, 2016

EricTyrrell said:
It appears 3 encoded bytes stand between us and reset freedom. I took a look at it, but haven't been able to determine the coding method yet.

So it looks like there is a pattern that sort of repeats the MSB every 145 keys and the LSB every 256, but too many anomalies to figure out with the limited keys I've gotten so far.

got another week or so of running it and I'll have 100%, at 14% now.

chris snell · Nov 28, 2016

I'm busy with the other site and totally miss out on this thread.

Holy shit, this is awesome. One of the best technical threads I've ever seen here.

If these bytes can be written over standard RS232 or something supported as a standard Linux/Windows/Mac comm device, I can write you something in Go that does it. I can cross-compile to Linux, Windows, and Mac on x86, amd64, and ARM architectures.

robertf · Nov 28, 2016

chris I'm really hoping to get it to work with the elm327 compatible bluetooth plugs. Should be easy to source one of those and enough cell phone coverage to download an app in the middle of nowhere if the alarm decides to unsynch to the ecm.

In the meantime I'm just using a l9637D chip with a controller in the middle to handle standard bps speeds to the 10400 that iso9141 obd2 runs at.

Everything I've read about the elm327 shows it SHOULD work, with some trickery like frequently changing the idle header and having it dump all responses, not just those addressed to the reader.

a nice thing about the elm327 compatible stuff is there are BLE versions out there that work just fine on iOS, so thats one less thing (android tablet or laptop) to throw in the car that is unlikely to get used.

and if you really like watching paint dry: http://gems.flyinghorsesolutions.com/

Injuhneer · Nov 30, 2016

robertf said:
and if you really like watching paint dry: http://gems.flyinghorsesolutions.com/

I think paint may be just a bit faster (LOL).

Injuhneer · Nov 30, 2016

robertf said:
So it looks like there is a pattern that sort of repeats the MSB every 145 keys and the LSB every 256, but too many anomalies to figure out with the limited keys I've gotten so far.

got another week or so of running it and I'll have 100%, at 14% now.

Would you mind posting the (incomplete) data set here or via PM? Or a link on the web page to dump it? Those graphs hint that regression might yield an answer. It looks like linear may hold an answer but how good is the fit of the anomalies^2? Or convert hex to binary for logistic?

I dunno. I am a bit rusty at analytics.

robertf · Nov 30, 2016

sent you a PM with the link to the data

Injuhneer · Dec 1, 2016

robertf said:
sent you a PM with the link to the data

Sweet. Wish me luck.

robertf · Dec 1, 2016

keyMSB = ((16723*SEED) / 256) % 256;
keyLSB = (83 * SEED) % 256;

ERover82 · Dec 2, 2016

Excellent. What method did you use to determine the function?

robertf · Dec 2, 2016

Started looking at the MSB first. Listed 20% or so that I had collected sorted by the seed value in excel. Plotted. Noticed it's linear with a rollover to 0 if it exceeds 256. That's when I figured the 2 keys were independent formulas and both were linear.

Plotted my best guess at the formula - the actual result and played with the numbers until the slope was 0.

It was a hack and I got lucky with it being relatively easy. And I was only half paying attention since the Cowboys were on

The data was collected by having a raspberry pi with a serial port and a really shitty python script to send the commands to the serial port of the scan tool to start a scan, bypassing the laptop. The scan tool talked to an arduino pretending to be a GEMS Ecu and output the key values to another serial port that was logged to a file

robertf · Dec 5, 2016

So unfortunately there is no way to get one of the cheap ELM 327 interfaces to work. The reason is that the elm327 automatically appends the checksum to the message to the Ecu. This is fine for everything except the initialization where the scan tool must send 2 single byte messages.

This one is elm327 compatible and contains an extended command set. One of those is to disable the checksum. Got one on the way. Once it gets here I'll try it out.

https://www.scantool.net/obdlink-lxbt/

Injuhneer · Dec 5, 2016

robertf said:
So unfortunately there is no way to get one of the cheap ELM 327 interfaces to work. The reason is that the elm327 automatically appends the checksum to the message to the Ecu. This is fine for everything except the initialization where the scan tool must send 2 single byte messages.

This one is elm327 compatible and contains an extended command set. One of those is to disable the checksum. Got one on the way. Once it gets here I'll try it out.

https://www.scantool.net/obdlink-lxbt/

So it's that or hack the firmware on a cheap ELM327 based adapter?

robertf · Dec 9, 2016

Since all the other scantool threads were bumped today why not this one too

Got the Bluetooth module and was successful in issuing the commands to reset the adaptive values. It still needs tweaking on the synch portion, then port it to android.

There is no way a standard elm327 module will work, I'm using several of th extended commands in the scantool.net version.

Injuhneer · Dec 10, 2016

robertf said:
Since all the other scantool threads were bumped today why not this one too

Got the Bluetooth module and was successful in issuing the commands to reset the adaptive values. It still needs tweaking on the synch portion, then port it to android.

There is no way a standard elm327 module will work, I'm using several of th extended commands in the scantool.net version.

Wouldn't that be dependent on the module? I have been researching the ELM devices ( micro-controller and a UART). It seems that many of these inexpensive ELM327 based OBD interfaces are running on pirated 1.0 ELM code. That means most of these units are basically a micro-controller and UART inside the box.

I am wondering now, for the sake of argument, if one of these could be cracked open and the micro-controller de-soldered, replaced with a socket (28pin PDIP), and be able to swap in reprogrammed controllers (betting that is the case with the one your are using).

Anyway, sorry I didn't get to look at the data and help. Work got in the way.

robertf · Dec 14, 2016

so here it is. Mac and PC binaries are both in the zip

first pair the bluetooth module to the computer, then figure out what comm port or tty port its using (ls /dev/tty.* lists them on a mac)

go to a command prompt or terminal and run the following

PC:
GEMS com#

MAC:
./GEMS /dev/tty*

where com# or /dev/tty* is the port for the bluetooth module.

to reset it add "reset" at the end of the command line

its probably buggy, but it works for me. I'm busy for a while so I'll clean it up next year.

And you MUST use a scantool.net chipset module

so this one:https://www.scantool.net/obdlink-lxbt/

or this one: https://www.scantool.net/obdlink-mxbt/

or even this one: https://www.scantool.net/obdlink-sx/

I'm not responsible if it breaks your car or computer. Use only at your own risk.
http://www.flemcodesign.com/files/GEMS.zip

hrhoward · Feb 2, 2017

Yep, I'm interested in this alright.

robertf · Feb 2, 2017

Let me know your results. Haven't done any android development yet so it's stuck on macOS and windows for now via the above links

hrhoward · Feb 2, 2017

If i understand correctly, all i need to buy is this, https://www.scantool.net/obdlink-sx/.
Going to try with Win7. Also have an older XP machine.
Might be a silly question but am I going to need to set a certain baud rate for the com?

robertf · Feb 2, 2017

The program automatically sets the baudrate

Tested on windows 10. Should work on 7 No idea about xp

Reset adaptive values

Well-known member

Well-known member

Administrator

Well-known member

Well-known member

Well-known member

Well-known member

Well-known member

Well-known member

Well-known member

Well-known member

Well-known member

Well-known member

Well-known member

Attachments

Well-known member

Well-known member

Member

Well-known member

Member

Well-known member