HACKING 101, omg, what a complex topic.... /?
ok, i can comment on general practices, OBD1. (again there are no OBD1 standards) but there USA OBD2, JOBD (Japan) and EOBD (Europe
not knowing which of the 4 it might be, makes this job , complex to vast degree, (OBD2 has 4 class inputs , ISO, etc)
the connection (communications) are usually serial. (modified bi-directional too)
and are usually 1 pin only, (before OBD2 , 1 line is common,)
that means its a bidirectional serial line. (unlike most computers on earth, but sames the car maker copper wire , cheap skates they are.....)
So who to communicate.
that means you send a command , and wait a fixed time (no handshaking used, just waits)
the serial line is Asynchronous, (means very exact timings, used or you get, Framing errors. (into ECU )
so the first step is to learn the serial rates, (ill assume levels are good now,,, oops?)
there is a start bit, and at least one stop bit. and 7 or 8 bits of data. (note the variances here possible)
so, this one line has a Transmitter and receiver in the ECU. (and so do you at your end)
the ECU transmitter is usually quiet, until you ask it a question (a command.) keep in mind ECU quite for garbage commands is good, keeping transmission noise to a minimum. (but who knows, there is no standards here,period, they did as the chose )
so there is nothing at all to see. just putting a scope or (logic analyzer ) (its quite now) (the are exceptions, some cars send data full time never ending,broad caste)
that means you get to guess, the many possible baud-rates, it might use, and and 1 start bit, and 2 stop bits and guess baud.
but wait, the ECU will ignore, illegal framed transmissions to its receiver. (in most cases , the UART frame error pin is ignored)
not only that, many ECU do not respond at all until you send it the proper, vehicle type number, (this wakes it up) The secret code...
usually your transmitter will be TTL signals, going out. and the response can be TTL or weaker. 0 to 4v.
may ECU send back illegal TTL levels, weak. (like ours) and takes a well designed receiver to recieve this weak single, (0urs is 1.2v for logical 1)
It's not like mainframe computer or some (name one) brand of computer. with real RS-232C and real ASCII communications. at all.
(in fact the only commonality is the core UART , design)
in that case we send 12v signals and all transmissions are responded to, with legit responses or and error codes or just a carriage return transmission.
in the case of ECU there is only 1 wire. not 2. RX/TX on one wire.
point 2 is that there is no STANDARD for one wire serial comms. used on ECUs.
The problem is knowing the transmitted (by you) commands in advance,
so how was this done. (one solution easy)
well, we take a real scan tool "tech1"? and connect our scope and see the baud rate. (we measure it)
then we take or "communications analyzer", (yes, they make those or you can make one using a real PC with Rs232 ports and 2wire to 1 wire converter.)
we then capture the live transmissions from the real scan tool !, to see all commands (rx/tx), and preamble codes,etc (wake up commands) to the ECU
and see all responses.. !
the responses are not a standard, and are complex, all you see is ASCII, or simple hex data. but what does it mean.?
well with a scan tool real , you know what was asked, say i scanned ECT , then you get back and answer and decode that the hard way.
I won't go beyond hard way, for each sensor, and PID.
ill say most are a voltage and using ohms law we get 1/2 the answer, R= E/I
the R value resistance is in a table (we make it) and it returns temperature....
To solve this you have to know the ECU pull up resistor value on the ECT pin, (hardware) also a secret i can find using my meter, and popping the ecu lid.
how is that>>?
IMHO:
i'd not do that, i'd , find what scan tool works with your car and buy one used.
or live with flash codes.
but no lie, hacking ECUs is fun,,,, great for late night insomniacs like me... (was)
This is been done on all Honda's. and many Toyota's (they race them and add Turbo)
but who does this on kia, ( nobody.....?)
my dead files (hacking) is here.
http://www.fixkick.com/hacking/hacked/ad...acked.html
our baud rate was found to be
Baud: 15625 N,8,1 serial parameters.
all serial computer folks know what that means.
N = no parity bit. 1 stop bit , 8 bits data framed with 1 start and 1 stop bit.
and some UARTS JUST HATE the baud rate. (30 years worth until year 2000)
in fact most do, old.
the modern one (USB virtual UART) has no trouble at all...
it's like fishing , blindfolded.
you drop the line (serial tx)
the line drops, and something bites and catches. (RX) (if lucky)
the line comes up, the fisher man, he is blindfolded.
but can feel the object, only,... touching it, scared.(lol)
it's slimy? or is at an old license plate or shoe? no it wiggles strongly...
it's alive (might be real data) but what is this?,,, i've no clue. it's impossible... shark or bass. or crab., or?
YMMV , our your fish may vary.... good luck.
not knowing the commands in advance, is like fishing every lake there is to find a specific fish type. and endless process.
but you could send all command possible, and see which hit (easy to do on any computer made,using a "FOR" loop)
0000 to FFFF (hex)
65k possible with 2byte command fields... some well be error codes, (if true) and makes this insanely impossible task to discover that.
ok, i can comment on general practices, OBD1. (again there are no OBD1 standards) but there USA OBD2, JOBD (Japan) and EOBD (Europe
not knowing which of the 4 it might be, makes this job , complex to vast degree, (OBD2 has 4 class inputs , ISO, etc)
the connection (communications) are usually serial. (modified bi-directional too)
and are usually 1 pin only, (before OBD2 , 1 line is common,)
that means its a bidirectional serial line. (unlike most computers on earth, but sames the car maker copper wire , cheap skates they are.....)
So who to communicate.
that means you send a command , and wait a fixed time (no handshaking used, just waits)
the serial line is Asynchronous, (means very exact timings, used or you get, Framing errors. (into ECU )
so the first step is to learn the serial rates, (ill assume levels are good now,,, oops?)
there is a start bit, and at least one stop bit. and 7 or 8 bits of data. (note the variances here possible)
so, this one line has a Transmitter and receiver in the ECU. (and so do you at your end)
the ECU transmitter is usually quiet, until you ask it a question (a command.) keep in mind ECU quite for garbage commands is good, keeping transmission noise to a minimum. (but who knows, there is no standards here,period, they did as the chose )
so there is nothing at all to see. just putting a scope or (logic analyzer ) (its quite now) (the are exceptions, some cars send data full time never ending,broad caste)
that means you get to guess, the many possible baud-rates, it might use, and and 1 start bit, and 2 stop bits and guess baud.
but wait, the ECU will ignore, illegal framed transmissions to its receiver. (in most cases , the UART frame error pin is ignored)
not only that, many ECU do not respond at all until you send it the proper, vehicle type number, (this wakes it up) The secret code...
usually your transmitter will be TTL signals, going out. and the response can be TTL or weaker. 0 to 4v.
may ECU send back illegal TTL levels, weak. (like ours) and takes a well designed receiver to recieve this weak single, (0urs is 1.2v for logical 1)
It's not like mainframe computer or some (name one) brand of computer. with real RS-232C and real ASCII communications. at all.
(in fact the only commonality is the core UART , design)
in that case we send 12v signals and all transmissions are responded to, with legit responses or and error codes or just a carriage return transmission.
in the case of ECU there is only 1 wire. not 2. RX/TX on one wire.
point 2 is that there is no STANDARD for one wire serial comms. used on ECUs.
The problem is knowing the transmitted (by you) commands in advance,
so how was this done. (one solution easy)
well, we take a real scan tool "tech1"? and connect our scope and see the baud rate. (we measure it)
then we take or "communications analyzer", (yes, they make those or you can make one using a real PC with Rs232 ports and 2wire to 1 wire converter.)
we then capture the live transmissions from the real scan tool !, to see all commands (rx/tx), and preamble codes,etc (wake up commands) to the ECU
and see all responses.. !
the responses are not a standard, and are complex, all you see is ASCII, or simple hex data. but what does it mean.?
well with a scan tool real , you know what was asked, say i scanned ECT , then you get back and answer and decode that the hard way.
I won't go beyond hard way, for each sensor, and PID.
ill say most are a voltage and using ohms law we get 1/2 the answer, R= E/I
the R value resistance is in a table (we make it) and it returns temperature....
To solve this you have to know the ECU pull up resistor value on the ECT pin, (hardware) also a secret i can find using my meter, and popping the ecu lid.
how is that>>?
IMHO:
i'd not do that, i'd , find what scan tool works with your car and buy one used.
or live with flash codes.
but no lie, hacking ECUs is fun,,,, great for late night insomniacs like me... (was)
This is been done on all Honda's. and many Toyota's (they race them and add Turbo)
but who does this on kia, ( nobody.....?)
my dead files (hacking) is here.
http://www.fixkick.com/hacking/hacked/ad...acked.html
our baud rate was found to be
Baud: 15625 N,8,1 serial parameters.
all serial computer folks know what that means.
N = no parity bit. 1 stop bit , 8 bits data framed with 1 start and 1 stop bit.
and some UARTS JUST HATE the baud rate. (30 years worth until year 2000)
in fact most do, old.
the modern one (USB virtual UART) has no trouble at all...
it's like fishing , blindfolded.
you drop the line (serial tx)
the line drops, and something bites and catches. (RX) (if lucky)
the line comes up, the fisher man, he is blindfolded.
but can feel the object, only,... touching it, scared.(lol)
it's slimy? or is at an old license plate or shoe? no it wiggles strongly...
it's alive (might be real data) but what is this?,,, i've no clue. it's impossible... shark or bass. or crab., or?
YMMV , our your fish may vary.... good luck.
not knowing the commands in advance, is like fishing every lake there is to find a specific fish type. and endless process.
but you could send all command possible, and see which hit (easy to do on any computer made,using a "FOR" loop)
0000 to FFFF (hex)
65k possible with 2byte command fields... some well be error codes, (if true) and makes this insanely impossible task to discover that.
http://www.fixkick.com