Post by jummama on Aug 16, 2014 16:50:35 GMT -6
So I recently received a Bluetooth ELM327 clone to use with Torque for Android on my Aurora. That's been working great, and I decided to dig a little deeper using a terminal program with this dongle. So far I have the steering wheel controls figured out completely, and can receive or send the signals for them over the OBD2 port on my 2001 3.5L. YMMV if you want to try this on other models, but I assume it would be the same on the 2G cars at least.
- The car uses J1850VPW for its communication bus.
- My ELM327 is a Chinese clone, and communicates at 115200-8-n-1. Official or other clone devices may vary on this, but probably not.
Initializing the ELM327: This device uses Hayes modem style AT commands. Send the following 4 commands to get it initialized in a sane, usable way in your terminal program:
ATL1
ATH1
ATS1
ATAL
After that, you'll want to set it to use the J1850VPW protocol:
ATSP2
Now, you should be able to issue an ATMA command to see everything that's happening on the bus. There's still quite a bit that I haven't decoded yet, such as this (surprisingly lengthy) dump from opening the driver door with the key off:
If you wish to send any of these messages back out to verify your hypothesis on what they may do, you'll need to tell the ELM device what header to send out. This is the first 3 bytes of the message. You do this with the ATSH command, such as the following, which sets the header for steering wheel control messages:
ATSH 88A940
So, that was the basics on how to get around with your ELM327 inside a terminal program, here's the raw data I've discovered so far:
VOL UP
Press- 88 A9 40 90 94 11 6F
Release- 88 A9 40 10 94 11 AF
Notes: You probably don't want to play around with sending this one with a stock radio installed, as you have to send a press AND a release. Sending just the press message will crank your radio within seconds!
VOL DOWN
Press- 88 A9 40 90 94 10 72
Release- 88 A9 40 10 94 10 B2
FAN UP
Press- 88 A9 40 90 B2 14 C6
Release- 88 A9 40 10 B2 14 06
FAN DOWN
Press- 88 A9 40 90 B2 0C E3
Release- 88 A9 40 10 B2 0C 23
TEMP UP
Press- 88 A9 40 90 B2 0E D9
Release- 88 A9 40 10 B2 0E 19
TEMP DOWN
Press- 88 A9 40 90 B2 0F C4
Release- 88 A9 40 10 B2 0F 04
DRIVER DOOR UNLOCK
This one is going to take a bit more experimentation to really figure out. Pressing the unlock button on the power locks results in both these messages being sent, in the same order I've listed here, but either one seems to unlock the doors.
6A C5 A0 A1 22 22 - ALARM STILL SET, doors unlocked
6A C4 42 8B 00 26 - alarm disable?
DRIVER DOOR LOCK
This one is interesting, as it sends a press message, and a release message, while the unlock does not. Based on other GM cars, the fact that it has a separate button release message tells me that there MAY actually be a way to go to keyfob programming mode after all, though the usual keydance doesn't seem to work. More research needed on this.
Press:
6A C5 A0 A0 22 6E - Lock Doors
6A C4 42 8A 00 6A - alarm arm?
Release:
6A C5 A0 20 22 A7
So far, this should be more than enough data to be able to interface a tablet with the steering wheel controls, though there would be conflicts with a stock radio. I will update this thread as I discover more on this bus.
Post by guy48065 on Aug 17, 2014 6:35:30 GMT -6
Thanks for posting this. I recently got the ELM327 and Torque and have yet to figure out what it can do for me. I didn't know you could use it to command actions. The codes & protocols are Greek to me but maybe someday... For now--Bookmarked.
Post by jummama on Aug 17, 2014 15:18:22 GMT -6
I may scale this up and make a Torque plugin to do some extra stuff for the Aurora, such as radio controls, door locks, and whatever other things I can find the right message for.
If anyone in the northwest area has a Tech2, it may be helpful if we can set up a jig to sniff the messages that happen between that and the car for some of the extra stuff like diagnostic switching of emissions controls, and radio programming. It may be easiest to tap the lines in the radio harness to the ELM327, and then plug in the Tech 2 normally and run through some of these OEM functions.
For that matter, I still have not seen the Field Service Manual for this car. Is there any bus documentation in that, perhaps in an appendix, such as what addresses the various modules and sensors take on this bus, or does it just say "Using your TECH-II(R) tool, perform these steps"?
Post by jummama on Mar 29, 2015 20:12:47 GMT -6
Sorry for the lack of updates on this, but I have just found the signals for the key fob functions:
A8 C7 B0 A0 12 73 - Fob lock
A8 C7 B0 A0 11 54 - Fob unlock
A8 C7 B0 A0 15 20 - Fob double tap unlock
A8 C7 B0 A0 13 6E - Fob trunk
A8 C7 B0 A0 14 3D - Panic
It is interesting that the fob double tap for unlock is a different signal. I'm thinking of making a supplementary module out of an Arduino plugged into the OnStar harness. For example, it would be nice to be able to open the fuel door by triple tapping the unlock button, and some sequence (like, lock then unlock) to roll down the front auto windows and open the sunroof, just to confuse people. I also think it would be neat to have an RFID transceiver in the car so it can send the lock and unlock signals when you're in range of the vehicle, and maybe autopanic if someone starts it when out of range.
Post by tigger on Mar 29, 2015 22:36:44 GMT -6
> I also think it would be neat to have an RFID transceiver in the car so it can send the lock and unlock signals when you're in range of the vehicle...
I think sall did this during his push to start project, sweet mod!
Post by sall on Mar 30, 2015 6:31:29 GMT -6
Yes, my remote start/push button system has built in RFID for locking/unlocking within range. It is very convenient but can be disabled as well, which is nice to only use the system's remote or keys. Beforehand I did test with an RFID standalone system and it worked very well but the range was not very good. It was good for a supplement to the pass-key system though. Which is what I initially used it for in my 98 since the ignition quit reading the key. Here is an Arduino version, but again 60mm range. I am sure you could get an antenna though or coil some wire up and solder directly to that PCB.
www.ebay.com/itm/RC522-RFID-Module-Keychain-ID-Card-Kit-RF-SPI-13-56Mhz-Arduino-PI-USA-/111096562696?pt=LH_DefaultDomain_0&hash=item19dddf0408
Post by jummama on Mar 30, 2015 18:54:34 GMT -6
> Yes, my remote start/push button system has built in RFID for locking/unlocking within range. It is very convenient but can be disabled as well, which is nice to only use the system's remote or keys. Beforehand I did test with an RFID standalone system and it worked very well but the range was not very good. It was good for a supplement to the pass-key system though. Which is what I initially used it for in my 98 since the ignition quit reading the key. Here is an Arduino version, but again 60mm range. I am sure you could get an antenna though or coil some wire up and solder directly to that PCB.
> www.ebay.com/itm/RC522-RFID-Module-Keychain-ID-Card-Kit-RF-SPI-13-56Mhz-Arduino-PI-USA-/111096562696?pt=LH_DefaultDomain_0&hash=item19dddf0408
Nice! I'm not quite to a point of experimenting with hardware yet, but I'll keep that part in mind. I do have an STN1110 chip which I plan to use to set up the Class2 -> Arduino interface on the OnStar harness however. ( www.obdsol.com/solutions/chips/stn1110/ )
I've discovered more info about the key fob signals through experimentation:
First 3 bytes: standard j1850vpw headers for the modules involved in this signal
Byte 4 - Likely a command to the bcm saying "this is a keyfob event" (A0 is the only value that did something for me, though I didn't exactly try all of 00-FF)
Byte 5 - This one gets interesting. It seems to be logically split into nibbles:
Nibble 1: Driver ID
  1: Driver 1
  2: Driver 2
  3-F: Unknown Driver prints on DIC
I experimented with the Unknown Driver, and was able to save HVAC settings, but it only saves one setting to use for Driver 3 - Driver 15. If you try to enter feature programming mode as Unknown Driver, then as soon as you try to scroll down through options, it says you're done setting it. I just now realized while writing this up that I did not try to tell my Aurora to do anything as Driver 0, but I expect that it would handle it as unknown driver. I wonder if this is how valet mode works? I don't have a valet key for this car, so I'm not sure of any of the details on that.
Nibble 2: Fob command
  0: "NOP" - Does nothing, but shows driver id on DIC and restores settings
  1: Single press unlock
  2: Single press lock
  3: Trunk
  4: Panic
  5: Unlock doubletap
  6-F: Undefined (Didn't seem to do anything)
So, for example, 15 in this byte would be Driver 1 Unlock doubletap, and 34 would be Unknown Driver Panic
Byte 6: Standard J1850VPW checksum. When replaying commands on my ELM327 device, this can be omitted, as it will be computed when the command is sent.
There's a pretty decent intro to the way these signals work at www.fastfieros.com/tech/vpw_communication_protocol.htm, which has been pretty helpful in getting me this far. There's something cool to me about unlocking my car via bluetooth by typing in a command in a terminal. Like I'm a hacker in a movie or something, haha.
TL;DR: The Aurora could have theoretically supported 15 drivers, and 15 switches on the keyfob.
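The byte layout described in the post above, as an added example that is not part of the original post: a decoder that picks key fob frames out of a monitor capture, splits byte 5 into its driver and command nibbles, and checks byte 6 against the SAE J1850 CRC-8. All function names are hypothetical, the sample capture is constructed from frames quoted in this thread, and treating driver nibble 0 as Unknown Driver is an assumption.

```python
# Added example: field layout and value tables are taken from the post above;
# all function and variable names are hypothetical.

FOB_HEADER = bytes.fromhex("A8C7B0")  # first 3 bytes of every fob frame in the thread
FOB_EVENT = 0xA0                      # byte 4, the only value reported to do anything
FOB_COMMANDS = {
    0x0: "NOP (show driver id, restore settings)",
    0x1: "Single press unlock",
    0x2: "Single press lock",
    0x3: "Trunk",
    0x4: "Panic",
    0x5: "Unlock doubletap",
}


def j1850_crc(data: bytes) -> int:
    """SAE J1850 CRC-8: polynomial 0x1D, start value 0xFF, result inverted."""
    crc = 0xFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1D) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0xFF


def driver_label(nibble: int) -> str:
    """Map the high nibble of byte 5 to the driver profile it selects."""
    if nibble in (1, 2):
        return f"Driver {nibble}"
    return "Unknown Driver"  # 3-F per the post; 0 is assumed to behave the same


def decode_fob_frame(line: str):
    """Decode one monitor line; return None if it is not a key fob frame."""
    try:
        frame = bytes.fromhex(line)
    except ValueError:
        return None  # adapter status text rather than hex bytes
    if len(frame) != 6 or frame[:3] != FOB_HEADER or frame[3] != FOB_EVENT:
        return None
    selector = frame[4]
    return {
        "driver": driver_label(selector >> 4),
        "command": FOB_COMMANDS.get(selector & 0x0F, "Undefined"),
        "checksum_ok": j1850_crc(frame[:-1]) == frame[-1],
    }


def scan_capture(lines):
    """Return (line, decoded) pairs for every key fob frame in a capture."""
    hits = []
    for line in lines:
        decoded = decode_fob_frame(line.strip())
        if decoded is not None:
            hits.append((line.strip(), decoded))
    return hits


# Constructed capture: frames quoted in this thread, plus one line with a
# deliberately wrong checksum byte to show how a corrupted frame is reported.
SAMPLE_CAPTURE = [
    "88 A9 40 90 94 11 6F",   # steering wheel VOL UP press (not a fob frame)
    "A8 C7 B0 A0 12 73",      # fob lock
    "A8 C7 B0 A0 15 20",      # fob double tap unlock
    "A8 C7 B0 A0 34 00",      # constructed: selector 34 with a bad checksum
    "NO DATA",                # constructed adapter status line
]

if __name__ == "__main__":
    for raw, info in scan_capture(SAMPLE_CAPTURE):
        flag = "" if info["checksum_ok"] else "  <-- checksum mismatch"
        print(f"{raw}: {info['driver']}, {info['command']}{flag}")
```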
Post by jummama on Mar 30, 2015 22:08:07 GMT -6
Found a couple other commands:
8A EA 28 A0 9B 00 DB - Turns TRAC OFF
Returns AA EB 60 A0 9B 00 91
8A EA 28 20 9B 00 1B - Turns TRAC ON
Returns AA EB 60 20 9B 00 51
So I guess address EB is the EBCM? Maybe we can find a way to pull ABS codes on an ELM bluetooth module?
While I was out there poking around with this, I tried identifying as driver 0 with the keyfob codes, and found that it did use the same UNKNOWN DRIVER profile as 3-F do. It does seem to store separate radio settings for this as well.
Post by jummama on Apr 20, 2016 15:49:48 GMT -6
Been a while since I did much work on this, but I have a Tech2 clone on the way from AliExpress, and an OBD2 splitter from Amazon, which should help me figure out a few more neat tricks, such as steering firmness settings and driver name customization. It would be nice to add these to Torque Pro via a plugin.
Post by bobsblue95 on Apr 21, 2016 12:44:43 GMT -6
One thing I'd like to see is the ability to trick the radio into thinking a CD is playing from the changer in the trunk, but actually being fed audio from phone or MP3 player. I no longer need this functionality as the tape deck is easy to fool, but it would be nice for those without the cassette player.
Good work, keep it up!
Post by jummama on Apr 21, 2016 13:29:09 GMT -6
That would be nice. I had a CD changer in the 2002 that got totaled, but not in my 2001. Too bad I didn't think of this before that fateful day. I never even tested or used it. I'm sure it would be possible to simulate the response of a CD player in the trunk with this, but I'd need to intercept the signals from one in order to decipher it. I don't think I have the harness in my car to hook one up, but I'll double check and maybe look on eBay for the stuff I need. I would assume that there's class 2 signals sent to check if a CD player is present, and likely signals from the CD player to send back the status (e.g. which slots are loaded, how many tracks on the current disc, how long each track is). For something like this, it may be that you would only be able to have it running for 80 or 99 minutes at a time, based on the response back from the emulated changer. That said, I think I saw a converter harness at one point that would convert the changer harness into a general purpose line in, but I'm not sure how that worked. They were not very common and fairly expensive if I remember correctly.
Post by jummama on May 6, 2016 15:11:51 GMT -6
I'm pretty sure I've deciphered how to read and set the driver 1 name from the output of the Tech2. I will do some more testing to confirm, and will look at what changes when setting driver 2.
How many of you have a 2G car, an OBD bluetooth dongle, and an Android phone? I was thinking I might make an app specifically for this functionality on our cars.
I have no idea if this would work the same on the 1G cars or not, and I don't know anyone in the area with one that I can probe with the Tech2.
For those following this, the DIC does appear to use 7-bit ASCII to store the names. More detailed info to come once I have tested and confirmed my findings by programming a name via the Bluetooth dongle.
Post by jummama on May 6, 2016 16:07:53 GMT -6
Also, this thread was created back before there was a divide between 1st Gen and 2nd Gen Electrical. Since I'm doing this work on a 2nd Gen, it should probably go in 2nd Gen electrical. Can I have a mod move this please?
Post by tigger on May 6, 2016 20:59:19 GMT -6
Are you using a terminal emulator on an Android device or a laptop/tablet? I have Hyperterminal on an old XP laptop, but I seriously doubt it would survive the trip to the garage unless I pack it in ice, haha!
Keep up the good work!
Post by jummama on May 6, 2016 22:05:39 GMT -6
> Are you using a terminal emulator on an Android device or a laptop/tablet? I have Hyperterminal on an old XP laptop, but I seriously doubt it would survive the trip to the garage unless I pack it in ice, haha!
> Keep up the good work!
Yeah, I have my ELM327 hooked up to a splitter alongside the Tech2, so I can sniff what the Tech2 is doing. I'm using Bluetooth Serial Controller for Android currently, it lets you configure some buttons to do things, so that's been useful.
Post by jummama on May 6, 2016 22:31:01 GMT -6
I have deciphered how to set the driver name in DIC. First off, here's how to read what the DIC has set for Driver 1's name: This has to be done with 4 separate messages, as the names are 20 bytes long. The basic command here is like this:
6C 61 F1 3C (address) (checksum)
Where address is A1, A2, A3, or A4 for Driver 1, or A7, A8, A9, or AA for Driver 2. Checksum is the standard checksum for our messages, and you can omit it completely on ELM hardware, as it will compute it for you.
For example:
> 6C 61 F1 3C A1 C2
You will get a response like this:
6C F1 61 7C A1 20 20 20 20 46 75 D2
Ignore the first 5 bytes, and the last byte, then look it up in ASCII, you'll see that this comes out to a string, "    Fu"
Then:
> 6C 61 F1 3C A2 E5
Response:
6C F1 61 7C A2 63 6B 20 79 65 61 1A
I'll leave the ASCII lookup as an exercise, because the driver name that was set at this time has a bad word in it.
On a car that has never had the name set, the name returned will be all FF bytes.
Now that we know how to read the current name, how do we change it? Let's say we want to change the name to " Oldsmobile  Aurora " (padded with spaces so that it's centered, and yes, the DIC supports lower case)
First, make sure you pad it to exactly 20 bytes, then you'll need it in hexadecimal ASCII. One quick way to do that is here: www.swingnote.com/tools/texttohex.php
So for " Oldsmobile  Aurora " we get this:
20 4F 6C 64 73 6D 6F 62 69 6C 65 20 20 41 75 72 6F 72 61 20
This needs to be split into 6 byte chunks. The last one will be 2 bytes:
1. 20 4F 6C 64 72 6D
2. 6F 62 69 6C 65 20
3. 20 41 75 72 6F 72
4. 61 20
With these 4 chunks, use this command:
6C 61 F1 3B (Address) (string as hex) (checksum)
For the above example, this becomes these 4 commands to set Driver 1 (omitting checksum):
6C 61 F1 3B A1 20 4F 6C 64 72 6D
6C 61 F1 3B A2 6F 62 69 6C 65 20
6C 61 F1 3B A3 20 41 75 72 6F 72
6C 61 F1 3B A4 61 20
After each command, the DIC will respond back confirming the input:
6C F1 61 7B (Address) (checksum)
These 4 commands need to be input quite quickly, as the DIC will restart itself a few seconds after the first message. If you send all 4 before the DIC restarts though, you will have the name set, and should see it once the restart happens. I would like to make an Android app around this feature in particular, but I'm sure some of you can do this without the app to make it easy.
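The read and write layout from the post above, as an added example that is not part of the original post or of the Aurora Companion app: it reassembles a name from the four read responses and turns a new name into the four write payloads, rejecting input that is too long or outside printable 7-bit ASCII before anything is sent. Function names are hypothetical, the printable-ASCII filter is an assumption, and the sample responses are constructed with a placeholder checksum byte.

```python
# Added example: message layout comes from the post above; function names are
# hypothetical, and the printable-ASCII filter is an assumption.

READ_REPLY = bytes.fromhex("6CF1617C")   # start of every read response
WRITE_CMD = bytes.fromhex("6C61F13B")    # start of every write command
SLOTS = {1: (0xA1, 0xA2, 0xA3, 0xA4), 2: (0xA7, 0xA8, 0xA9, 0xAA)}
NAME_LEN = 20
CHUNK = 6


def parse_read_reply(line: str):
    """Return (address, payload): skip the 5 leading bytes, drop the checksum."""
    frame = bytes.fromhex(line)
    if len(frame) < 7 or frame[:4] != READ_REPLY:
        raise ValueError(f"not a name read response: {line!r}")
    return frame[4], frame[5:-1]


def assemble_name(replies, driver: int):
    """Join the four responses for one driver; None means the name was never set."""
    parts = dict(parse_read_reply(r) for r in replies)
    missing = [f"{a:02X}" for a in SLOTS[driver] if a not in parts]
    if missing:
        raise ValueError("missing responses for " + ", ".join(missing))
    raw = b"".join(parts[a] for a in SLOTS[driver])
    if len(raw) != NAME_LEN:
        raise ValueError(f"expected {NAME_LEN} name bytes, got {len(raw)}")
    if raw == b"\xff" * NAME_LEN:
        return None  # all FF bytes: never programmed
    return raw.decode("ascii", errors="replace")


def build_write_commands(name: str, driver: int):
    """Centre the name in 20 bytes and return the four write commands as hex text.

    The checksum is left off, since the post notes the ELM hardware adds it.
    """
    if len(name) > NAME_LEN:
        raise ValueError("name is longer than 20 characters")
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in name):
        raise ValueError("name must be printable 7-bit ASCII")
    padded = name.center(NAME_LEN).encode("ascii")
    chunks = [padded[i:i + CHUNK] for i in range(0, NAME_LEN, CHUNK)]
    return [
        (WRITE_CMD + bytes([addr]) + chunk).hex(" ").upper()
        for addr, chunk in zip(SLOTS[driver], chunks)
    ]


# Constructed Driver 2 responses, given out of order on purpose. The data bytes
# follow the 20-byte hex string in the post; the trailing 00 is a placeholder
# checksum, which this code does not verify.
SAMPLE_REPLIES = [
    "6C F1 61 7C A8 6F 62 69 6C 65 20 00",
    "6C F1 61 7C A7 20 4F 6C 64 73 6D 00",
    "6C F1 61 7C AA 61 20 00",
    "6C F1 61 7C A9 20 41 75 72 6F 72 00",
]

if __name__ == "__main__":
    print(repr(assemble_name(SAMPLE_REPLIES, 2)))
    for cmd in build_write_commands("Oldsmobile  Aurora", 1):
        print(cmd)
```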
Post by jummama on May 6, 2016 22:33:36 GMT -6
I should add to that, I see no way in the Tech 2 to revert back to unnamed drivers, other than manually setting it to " DRIVER 1 ". That said, if you're using this method, use a string of FF's and it will be back to stock factory settings.
Post by jummama on May 6, 2016 22:37:40 GMT -6
I have also sniffed out how to get a display test, this one is much simpler:
Display test (ON): E8 EB F1 86 01 B1
Display test (OFF): E8 EB F1 86 00 AC
With Display test (ON), all the indicator lights on the IPC will turn on, the gauges will all go to their max setting, the DIC will illuminate all segments, all lights in the HVAC controls will turn on, and the radio will illuminate all segments. After a brief delay, the gauges will go back down, and then the displays will all go back to normal. Similarly, Display test (OFF) will turn off all the same stuff, and bring the gauges down to the bottom. Probably not quite as useful as turning them all on, but oh well, it was amusing to play with anyway.
Post by jummama on May 7, 2016 21:19:45 GMT -6
I have an app working on Android specifically for this, I just want to polish a few things before I release it. It will be free by the way.
Post by Paulaurora on May 9, 2016 11:43:27 GMT -6
Will it work for 2001?
Post by jummama on May 11, 2016 17:31:39 GMT -6
I'm working with a 2001 to develop it, so yes. It should work the same on the 2002 or 2003 cars too, but I have no idea if it will work on 95-99. Sorry I haven't released it yet by the way.
Post by tigger on May 11, 2016 22:17:16 GMT -6
Haha, I'm liking this!
I'd love to know the string that puts the remote door lock receiver into "program" mode...
54 68 61 6e 6b 73 2c 74 69 67 67 65 72
Post by RCA1186 on May 12, 2016 7:12:13 GMT -6
> Also, this thread was created back before there was a divide between 1st Gen and 2nd Gen Electrical. Since I'm doing this work on a 2nd Gen, it should probably go in 2nd Gen electrical. Can I have a mod move this please?
Done.
Post by jummama on May 12, 2016 10:19:18 GMT -6
> Haha, I'm liking this!
> I'd love to know the string that puts the remote door lock receiver into "program" mode...
> 54 68 61 6e 6b 73 2c 74 69 67 67 65 72
Yeah, that would be a great thing to add to my Aurora Companion app. I think I'll release the app after work today. I'm thinking of releasing it under GPL on GitHub, but the code is fairly messy, as it's the first time I've really done anything with Java/Android. For starters, I'm doing all the communication on the main thread, which is a big no-no, but hey, it works for now. What's that hex string do? I haven't really done any sniffing with key fob programming mode. Is this string related to that?
Edit: Haha, never mind, as soon as I submitted, I realized that it was all in the ASCII range... You're welcome, I'm just glad there's something I can add to this community.
Post by Hurricane87 on May 14, 2016 15:11:47 GMT -6
> Sorry for the lack of updates on this, but I have just found the signals for the key fob functions:
> A8 C7 B0 A0 12 73 - Fob lock
> A8 C7 B0 A0 11 54 - Fob unlock
> A8 C7 B0 A0 15 20 - Fob double tap unlock
> A8 C7 B0 A0 13 6E - Fob trunk
> A8 C7 B0 A0 14 3D - Panic
> It is interesting that the fob double tap for unlock is a different signal. I'm thinking of making a supplementary module out of an Arduino plugged into the OnStar harness. For example, it would be nice to be able to open the fuel door by triple tapping the unlock button, and some sequence (like, lock then unlock) to roll down the front auto windows and open the sunroof, just to confuse people. I also think it would be neat to have an RFID transceiver in the car so it can send the lock and unlock signals when you're in range of the vehicle, and maybe autopanic if someone starts it when out of range.
Doesn't surprise me that the double tap is a different signal. Every 4-door GM car I've had has ignored the double tap at least half the time, while the single tap is never an issue.
Post by tigger on May 18, 2016 0:43:01 GMT -6
> ...I think I'll release the app after work today.
Is it out? Can't find it...
Post by jummama on May 20, 2016 19:14:26 GMT -6
Sorry I disappeared like that. I have the apk file uploaded to a webserver, and about 30 minutes from now when the DNS records update, I will post a link here.
I just checked again, and it turns out that the DNS records updated quicker than I expected.
Aurora Companion (Release 1)
The basics:
- As this program is not on the Google Play Store, you will need to enable Unknown Sources so that you can sideload the app. This can be done in settings on your phone, though the exact location may vary.
- After the disclaimer dialog, you will need to connect to your bluetooth device with the connect button. A toast will pop up at the bottom of the screen when this is successful.
- Tap on either of the buttons for setting a driver name, with the key on, engine off. The app will query the DIC to find out what name is set currently (if any)
- You will see a text box with any previously set name already in it. You have 20 characters of space to use for the new name. If you want to clear it back to factory defaults, leave this box blank, and the app will clear the name back to default. After pressing OK, a few seconds will pass, and your DIC will restart itself. You should then see the new name (unless you programmed Driver1 while on Driver2 of course). Do not turn your key off until the DIC restarts. I did that once and it garbled the name that got written. That's probably the worst thing that would happen, but I wouldn't risk it.
- As an added bonus, there is a display test button. The radio gets stuck in this mode until you turn the key back off however. (See the known issues below)
Known issues:
- The buttons for setting names and doing a display test will enable themselves even if the bluetooth connection fails. Attempting to use them will cause a force close error. Pay attention for the toast at the bottom of the screen to make sure it succeeds.
- The display test seems to be missing something that the Tech2 sends. It basically works, but on my car, the radio gets stuck in display test mode until you turn the key back off.
- Bluetooth settings are not saved and have to be selected each time you run the app.
- There is certainly room for performance improvement. All communication is done on the same thread as the UI, so it does become unresponsive when reading out data, or sending it.
- Some symbols you can enter in the text box are not supported properly by the DIC, and may cause strange results. Eventually, these should be filtered. That said, you can have some interesting results from these unsupported characters.
- Key fob programming mode is not implemented yet (sorry Tigger!)
Planned features for a future version:
- Remote programming support
- Speaker diagnosis (enable/disable individual speakers on the stock system)
- Lighting tests (headlight, reverse, parking lamp, drl, interior lighting, etc)
- DIC feature programming (the same stuff you can already do by holding the select buttons, but in a list on the phone)
- ?
- No profit
Download Aurora Companion
Have fun with it everyone!
Post by tigger on May 20, 2016 22:43:47 GMT -6
Thanks!
Post by Paulaurora on May 21, 2016 17:20:28 GMT -6
What kind of adapter for the car computer works with this app?
Post by jummama on May 21, 2016 20:24:57 GMT -6
> What kind of adapter for the car computer works with this app?
It should work with any ELM327 compatible bluetooth adapter, such as the cheap ones on Amazon.