ELM327 hacking
A few months ago (ok, almost a year) I decided to disassemble an ELM327 to see how the generic OBD reader works. To my surprise the component selection and layout were very similar to what I would have hacked together. They are based around a Microchip PIC with integrated CAN using a standard Microchip CAN transceiver and what looks to be a standard HC-05 or HC-06 Bluetooth module. Apparently due to the cheapness of my generic ELM units, they don’t appear to support all the protocols. If you take a look at the picture of the bottom side of the larger unit, there are a number of empty pads. My assumption is that these are for the other (non-CAN) OBDII protocols. This didn’t bother me because I primarily wanted a CAN bridge. I wouldn’t be surprised if the generic readers don’t work with all cars.
Given that I have a PICKit3 and know how to program the PIC in question, I set out with my multimeter to figure out if I could reprogram the boards. It turns out that the designer of this board is just as lazy as I am. The 5-pin unpopulated header is the standard pinout for the PICKit3 (red circles in the images). On the large board, I put male-to-male pins in my PICKit and let gravity hold the PICKit at an angle. It was a more involved affair with the smaller board because I had to apply pressure to the surface-mount pads. I assume that in the factory they use a clip when they program the devices. Once I had found the programming header, I dove in and probed around to confirm my assumption that the hardware peripherals were used for CAN and serial. I used my cheap logic analyzer to ascertain that the Bluetooth module was talking at 38400.
Once I understood the hardware, it was a simple matter of tweaking the ds30 bootloader to run with the crystal. I decided to run with the external crystal and the 4X PLL. To do this, I set the bootloader up for a 16 MHz clock speed and 38400 serial. After flashing the bootloader, I was able to easily reprogram the unit over Bluetooth. There is a bit of a race to get the Bluetooth connected before the processor exits the bootloader, but it isn’t too bad if the bootloader timeout is 5 seconds.
Now on to some more useful firmware. What I really wanted out of this hack was a generic Bluetooth-to-CAN bridge I could embed in my electric Miata. Without any other guidance for a serial protocol, I decided to emulate the Lawicel protocol. This turns out to have been a fortunate choice, since this protocol is used by a number of different cheap serial CAN devices. I have not gotten all of the protocol done, but I am willing to accept forks / pull requests of my Bitbucket repository.
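Anything arriving over the Bluetooth serial link ends up on the car's CAN bus, so a bridge like this should reject malformed Lawicel commands before they reach the CAN peripheral. The following strict parser for the Lawicel transmit commands (`t`, `T`, `r`, `R`) is an added example, not code from the author's repository; the struct and function names are hypothetical.

```c
#include <stdint.h>
#include <string.h>
/* Added example: type and function names are hypothetical. */
typedef struct {
    uint32_t id;
    uint8_t  extended;  /* 1 = 29-bit ID ('T' / 'R') */
    uint8_t  rtr;       /* 1 = remote frame ('r' / 'R'), carries no data */
    uint8_t  dlc;       /* 0..8 */
    uint8_t  data[8];
} can_frame_t;

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Parse one command line with the trailing CR already stripped.
   Returns 0 on success, -1 on any malformed input so the caller
   can answer with BELL (0x07) instead of transmitting. */
int lawicel_parse_tx(const char *line, size_t len, can_frame_t *out) {
    size_t idlen;
    memset(out, 0, sizeof *out);
    if (len < 1) return -1;
    switch (line[0]) {
        case 't': idlen = 3; break;
        case 'T': idlen = 8; out->extended = 1; break;
        case 'r': idlen = 3; out->rtr = 1; break;
        case 'R': idlen = 8; out->extended = 1; out->rtr = 1; break;
        default:  return -1;
    }
    if (len < 1 + idlen + 1) return -1;          /* need ID + DLC digit */
    for (size_t i = 0; i < idlen; i++) {
        int v = hexval(line[1 + i]);
        if (v < 0) return -1;
        out->id = (out->id << 4) | (uint32_t)v;
    }
    if (out->id > (out->extended ? 0x1FFFFFFFu : 0x7FFu)) return -1;
    int d = hexval(line[1 + idlen]);
    if (d < 0 || d > 8) return -1;               /* classic CAN: max 8 bytes */
    out->dlc = (uint8_t)d;
    size_t expect = 1 + idlen + 1 + (out->rtr ? 0 : 2u * out->dlc);
    if (len != expect) return -1;                /* short or over-long line */
    for (size_t i = 0; !out->rtr && i < out->dlc; i++) {
        int hi = hexval(line[2 + idlen + 2 * i]);
        int lo = hexval(line[3 + idlen + 2 * i]);
        if (hi < 0 || lo < 0) return -1;
        out->data[i] = (uint8_t)((hi << 4) | lo);
    }
    return 0;
}
```

The caller is assumed to buffer serial bytes up to the CR with its own length limit and pass only complete lines to the parser.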
Very nice work, I have the same modules and would be interested in sharing in this project with you.
Hey!
I have a similar device, but unfortunately I tried to set a higher baud rate over the serial connection using USB, specifically 500 Kbps. To my surprise, the program did set that, but the hardware was not supporting that baud rate. Now I can’t set it back because I cannot connect to the device due to incompatible hardware. Now, can I use those 5 holes at the side to read data in the PICkit 3 program and update only a specific parameter in the EEPROM memory of the micro-controller, but not program anything else, without destroying anything?
P.S. I don’t know much about electronics but I have my fair share with programming.
Your help would be much appreciated.