A few months ago (ok, almost a year) I decided to disassemble an ELM327 to see how the generic OBD reader works. To my surprise the component selection and layout was very similar to what I would have hacked together. They are based around a Microchip PIC with integrated CAN using a standard Microchip CAN Transceiver and what looks to be a standard HC-05 or HC-06 bluetooth module. Apparently due to the cheapness of my generic ELM units, they don’t appear to support all the protocols. If you take a look at the picture of the bottom side of the larger unit, there are a number of empty pads. My assumption is that these are for the other (non CAN) OBDII protocols. This didn’t bother me because I primarily wanted a CAN bridge. I wouldn’t be surprised if the generic readers don’t work with all of the cars.
Given that I have a PICKit3 and the knowledge of programming the PIC in question, I set out with my multimeter to figure out if I could reprogram the boards. It turns out that the designer of this board is just as lazy as I am. The 5 pin unpopulated header is the standard pinout for the PICKit3 (red circles in the images). On the large board, I put male to male pins in my PICKit and let gravity hold the PICKit at an angle. It was a more engaged affair with the smaller board because I had to apply pressure to the surface mount pads. I assume in the factory when they program the devices, they have a clip that is used. Once I found the programmer, I dove in and probed around to ensure that my assumption was correct that the hardware periperhals were used for CAN and serial. I used my cheap logic analyzer to ascertain that the bluetooth module was talking at 38400.
Once I understood the hardware, it was a simple matter of tweaking the ds30 bootloader to run with the crystal. I decided to run with the external crystal and the 4X PLL. To do this, I set the booloader up for 16Mhz clock speed and 38400 serial. After flashing the bootloader, I was able to easily reprogram the unit over bluetooth. There is a bit of a race to get the bluetooth connected before the processor exits the bootloader but it isn’t too bad if the bootloader timeout is 5 seconds.
Now on to some more useful firmware. What I really wanted out of this hack is to have a generic bluetooth to CAN bridge I could embed in my electric Miata. Without any other guidance for a serial protocol, I decided to emulate the Lawicel protocol. This turns out to have been a fortunate choice since this protocol is used by a number of different cheap serial CAN devices. I have not gotten all of the protocol done but I am willing to accept forks / pull requests of my bitbucket repository.