Thread: Raspberry Pi - Virtual Sensors for Car Computers

Code:

I am changing the name of the thread to fit the direction it is going. 
In earlier models there is no CAN-BUS, looks like maybe around 05 for our cars. 
So really it looks like I need to better understand the systems. 
To acomplish this by creating a function system of PCM/BCM and emulating the sensors with a Raspberry PI. 
I will start a thread on the Pi forum for this purpose. I will replace this with the URL once I get it started. 
So I am changing the name from "Reverse Engineer the CAN-BUS" to "Raspberry Pi - Virtual Sensors for Car Computers"

I tried searching this forum and could not find any post on how to connect to the ECU's for the Pontiac Grand Prix. There are several web sites started on how to hack the communication network of cars, but nothing dedicated to Grand Prix. So I thought I would start this thread for the sharing of information. I will post several links that has inspired me to start this project. I wish I would started it while there was snow on the ground, now that it is starting to warm up I should be getting the project car on the road. If this takes off then maybe we can move it to the technical forum. If someone has started a thread, please let me know. If not then here we go!

30,000 Foot View
As I start this discussion, keep in mind I am learning, so if there is any misinformation given, I am open to correction. A CAN-BUS is basically a network. http://en.wikipedia.org/wiki/CAN_bus It is used in a lot of different industries and one of them being automotive. We are all familiar with ODBII. ODBII is a published standard, of some sort, that uses the CAN network to query information. What you can do with ODBII is limited to what the car manufactures publish. There is are areas that are not published, or have to buy expensive manuals for the protocols. This company has done a lot of research into car network hacking, reason being the more information out there, the better aware we will be about protecting our car's networks from hacking. Just as in home computers, now most people know not to click on that URL in some email we not know where it came from. Here is their thread releasing the tools they used. http://blog.ioactive.com/2013/08/car...g-content.html
This is the video that got me interested. https://www.youtube.com/watch?v=oqe6S6m73Zw
The purpose is not to play games, but be able to master our cars and maybe even flash some settings. To do that we have to know what bytes are what, before that we need to read and write to the memory, before that we have to get past the security, before that we have to communicate with the systems. The good news I found some white papers to get us started, bad news is, sounds like all cars are different. Even within the same manufacture/model it changes from year to year. This will take a lot of time, hence the need for a place to share so we don't have to reinvent the wheel every time.

WARNING!!!
As mentioned in the white papers, we don't want to be hacking around on our daily driver, and all of them over and over stressed, "DO NOT HACK ON A MOVING CAR". I think the reasons for NOT hacking on a moving car is obvious. Try everything at your own risk, I read in a paper that in all the testing they never bricked an ECU, but knowing my luck....

Phase 1.
One of the first links will be to a pdf about creating a test bed. http://www.ioactive.com/pdfs/IOActiv...ng_Poories.pdf
Also, here is the link to http://blog.ioactive.com/2013/08/car...g-content.html At the start of the blog is a link to a zip file with all the tools and pdf explaining some of it. They used a ECon cable https://www.cancapture.com/buy-now.html right now all you need is the cable, not the capture software. The zip files have some home grown tools.

As I researched I found some other interfaces. Next I found one called "Canberry" http://www.industrialberry.com/canberry-v-2-0/ which goes onto a Raspberry PI http://www.raspberrypi.org/products/...-pi-2-model-b/.
This web page has a homegrown interface, that is self contained and he put a display on it for a simple gauge readout. Look at the two videos at the bottom. https://sites.google.com/site/hobbyd...sed-obd-reader
Hopefully this week I will get by out local pull a part and get a couple of ECU. Looks like they charged $25 for PCM or BCM, so I thought I would start there. Looks like they have a 97 GP, which is what I will start with. I also have some old PC boxes laying around for my power supply. So it may be some time before the rubber meets the road so to speak, but I thought I would start the post and see what interest is out there.


Here are all the links I have saved, not in any order or meaning. Some of them seem to be the same paper but dressed up. Not sure if there is a nugget that is in one but not the other so I am posting all.
http://en.wikipedia.org/wiki/CAN_bus
https://www.cancapture.com/buy-now.html
http://illmatics.com/car_hacking.pdf
http://www.canbushack.com/blog/index.php
http://www.canbushack.com/blog/index...&c=1&tb=1&pb=1
http://www.autosec.org/pubs/cars-usenixsec2011.pdf
http://www.ioactive.com/pdfs/IOActiv...trol_Units.pdf
http://www.ioactive.com/pdfs/IOActiv...k_Surfaces.pdf
http://www.ioactive.com/pdfs/IOActiv...ng_Poories.pdf
https://www.youtube.com/watch?v=ANFXBaQmceU
https://sites.google.com/site/hobbyd...sed-obd-reader
http://www.raspberrypi.org/forums/vi...718682#p718682 (last link at this posting)
http://elinux.org/RPi_CANBus

not sure what your after here? if you want to tune you pcm, theres already tuner programs and interfaces. like HP tuners, and DHP.

if you want scan live data on the cheap theres the torque app that gets used with a obd2 blue tooth and a droid phone or tablet.

Dhp ftw

I understand your questions. I was not sure how to articulate what I am talking about. Thanks for asking questions as maybe I can refine what I am trying to do. Also, once I get the test bed set up and get the Raspberry PI talking on it then it might make more sense. Getting to that point "cheap" maybe a challenge. There the cable for $190 that will work with their tools, but I saw some boards that with

Originally Posted by Scottydoggs

not sure what your after here? if you want to tune you pcm, theres already tuner programs and interfaces.

That was just an example. Others would be unlock doors, start car, etc....

Originally Posted by Scottydoggs

f you want scan live data on the cheap theres the torque app that gets used with a obd2 bluetooth and a droid phone or tablet.

No, this is a lot deeper than that. ODBII (For example ELM327 chip) is limited to the commands you can put on the bus, whereas the MCP2515 can get down to the raw commands.

Watch this video and you can see how deep I am talking about. https://www.youtube.com/watch?v=oqe6S6m73Zw


Here is what they have documented for a 2010 Pirus and a 2010 Ford Escape. Of course a 97 is not going to have some of the ECU that a 2010 have, but hey thats the point. What can we do. And not just limited to a 97.

Code:

#2010 Toyota Prius ECU Information

#Flashing information
(RcvAckData, RcvAckDataAck) = range(0,2)


#Prius encryption keys (These should stay in the same order due to the algo)
PriusSecrets = [0xA441, 0x2172, 0xA421, 0x4172]


#coalesced versions of above for easy XOR'ing
PriusSecret1 = 0xA4412172
PriusSecret2 = 0xA4214172


#EffectiveKeys same as doing the XORs with the above
#but less steps
PriusEffectiveKey = 0x00606000
PriusABSKey = 0x00252500


#Sometimes starting a diagnostic session is
#done with 0x5F, rather than the standard of 0x2
PriusDiagCode = 0x5F


PriusMainBodyID = 0x750


#Toyota Prius 2010 ECU IDs (a.k.a. wid) 
TP_Transmission = 0x727
TP_AirBag = 0x780
TP_PreCollision1 = 0x781
TP_Radar = 0x790
TP_PreCollision2 = 0x791
TP_EPMS = 0x7A1
TP_APGS = 0x7A2
TP_ABS = 0x7B0
TP_ComboMeter = 0x7C0
TP_AC = 0x7C4
TP_Nav = 0x7D0
TP_ECT = 0x7E0
TP_Hybrid = 0x7E2


#NEEDED 0xE0
#Sub-ECU IDs for Prius 'Main Body' ECU (0x750)
TP_LKA = 0x02
TP_MainBody = 0x40
TP_PM1 = 0x57
TP_PM2 = 0x58
TP_HLAutoLevel = 0x70
TP_DDoor = 0x90
TP_PDoor = 0x91
TP_RRDoor = 0x92
TP_RLDoor = 0x93
TP_SR = 0xAD
TP_SmartKey = 0xB5
TP_RemoteStart = 0xB6
TP_MainSwitch = 0xEC
TP_PowerSource = 0xE9


#Prius ECU to String name table (Main body is in another section)
PriusECU = {}
PriusECU[TP_Transmission] = "Transmission"
PriusECU[TP_AirBag] = "AirBag"
PriusECU[TP_PreCollision1] = "Pre-Collision"
PriusECU[TP_Radar] = "Radar"
PriusECU[TP_PreCollision2] = "Pre-Collision 2"
PriusECU[TP_EPMS] = "EPMS"
PriusECU[TP_APGS] = "APGS - Park Assist"
PriusECU[TP_ABS] = "ABS - Anti-Lock Braking"
PriusECU[TP_ComboMeter] = "Combo Meter"
PriusECU[TP_AC] = "Air Conditioning"
PriusECU[TP_Nav] = "Navigation"
PriusECU[TP_ECT] = "ECT - Engine"
PriusECU[TP_Hybrid] = "Hybrid System"


PriusMainECU = {}
PriusMainECU[TP_LKA] = "Lane Keep Assist (LKA)"
PriusMainECU[TP_MainBody] = "Main Body"
PriusMainECU[TP_PM1] = "PM1 Gateway"
PriusMainECU[TP_PM2] = "PM2 Gateway"
PriusMainECU[TP_HLAutoLevel] = "Headlamp Autolevel"
PriusMainECU[TP_DDoor] = "Driver Door"
PriusMainECU[TP_PDoor] = "Passenger Door"
PriusMainECU[TP_RRDoor] = "Rear Right Door"
PriusMainECU[TP_RLDoor] = "Rear Left Door"
PriusMainECU[TP_SR] = "Sliding Roof"
PriusMainECU[TP_SmartKey] = "Smart Key"
PriusMainECU[TP_RemoteStart] = "Remote Engine Starter"
PriusMainECU[TP_MainSwitch] = "Main Switch"
PriusMainECU[TP_PowerSource] = "Power Source Control"


#Diagnostic custom payloads
PriusDiagData = {}
PriusDiagData[TP_ABS] = [0x10, 0x01]


#SecurityAccess custom payloads
PriusSAData = {}
PriusSAData[TP_ABS] = [0x27, 0x01, 0x00]


#Hopefully 
PriusEffectiveKeys = {}
PriusEffectiveKeys[TP_ABS] = 0x00252500


#These are InputOutputControlByLocalIdentifier (0x30). See 14230-3.pdf 
#Prius Commands
PriusCMD = {}
PriusCMD["Seat_Belt_Drive"] = {'Desc':"Engage driver's seatbelt motor", 'ID':TP_PreCollision1, 'Data':[0x30, 0x01, 0x00, 0x01]}
PriusCMD["Fuel_Cut_All"] = {'Desc':"Cut fuel to all cylinders", 'ID':TP_ECT, 'Data':[0x30, 0x1C, 0x00, 0x0F, 0xA5,0x01]} #does not work at speed


#These are InputOutputControlByLocalIdentifier (0x30). See 14230-3.pdf 
#These all use WID 0x750 with the first data byte being the SubID
PriusMBCMD = {}
PriusMBCMD["Headlamps_On"] = {'Desc':"Turn off the head lamps", 'SubID':TP_MainBody, 'Data':[0x30, 0x15, 0x00, 0x40, 0x00]}
PriusMBCMD["Headlamps_Off"] = {'Desc':"Turn off the head lamps (Only works if in Auto-Mode)", 'SubID':TP_MainBody, 'Data':[0x30, 0x15, 0x00, 0x00, 0x00]}
PriusMBCMD["Horn_On"] = {'Desc':"Horn activated for several seconds", 'SubID':TP_MainBody, 'Data':[0x30, 0x06, 0x00, 0x20]}
PriusMBCMD["Horn_Off"] = {'Desc':"Deactivate Horn", 'SubID':TP_MainBody, 'Data':[0x30, 0x06, 0x00, 0x00]}
PriusMBCMD["Lock_All_Doors"] = {'Desc':"Lock All Doors", 'SubID':TP_MainBody, 'Data':[0x30, 0x11, 0x00, 0x80, 0x00]}
PriusMBCMD["Unlock_All_Doors"] = {'Desc':"Unlock All Doors", 'SubID':TP_MainBody, 'Data':[0x30, 0x11, 0x00, 0x40, 0x00]}
PriusMBCMD["Unlock_Hatch"] = {'Desc':"Unlock the Hatch", 'SubID':TP_MainBody, 'Data':[0x30, 0x11, 0x00, 0x00, 0x80]}


#2010 Ford Escape
FordDiagCode = 0x02


#Escape ECU to string name table
FordECU = {}
FordECU[0x0701] = "GPSM"
FordECU[0x0720] = "IC"
FordECU[0x0726] = "SJB"
FordECU[0x0727] = "ACM"
FordECU[0x0730] = "PSCM"
FordECU[0x0733] = "HVAC"
FordECU[0x0736] = "PAM"
FordECU[0x0737] = "RCM"
FordECU[0x0760] = "ABS"
FordECU[0x0761] = "4x4"
FordECU[0x0765] = "OCSM"
FordECU[0x07A6] = "FDIM"
FordECU[0x07A7] = "FCIM"
FordECU[0x07D0] = "APIM"
FordECU[0x07E0] = "PCM"

Originally Posted by penright

I understand your questions. I was not sure how to articulate what I am talking about. Thanks for asking questions as maybe I can refine what I am trying to do. Also, once I get the test bed set up and get the Raspberry PI talking on it then it might make more sense. Getting to that point "cheap" maybe a challenge. There the cable for $190 that will work with their tools, but I saw some boards that with


That was just an example. Others would be unlock doors, start car, etc....


No, this is a lot deeper than that. ODBII (For example ELM327 chip) is limited to the commands you can put on the bus, whereas the MCP2515 can get down to the raw commands.

Watch this video and you can see how deep I am talking about. https://www.youtube.com/watch?v=oqe6S6m73Zw


Here is what they have documented for a 2010 Pirus and a 2010 Ford Escape. Of course a 97 is not going to have some of the ECU that a 2010 have, but hey thats the point. What can we do. And not just limited to a 97.

Code:

#2010 Toyota Prius ECU Information

#Flashing information
(RcvAckData, RcvAckDataAck) = range(0,2)


#Prius encryption keys (These should stay in the same order due to the algo)
PriusSecrets = [0xA441, 0x2172, 0xA421, 0x4172]


#coalesced versions of above for easy XOR'ing
PriusSecret1 = 0xA4412172
PriusSecret2 = 0xA4214172


#EffectiveKeys same as doing the XORs with the above
#but less steps
PriusEffectiveKey = 0x00606000
PriusABSKey = 0x00252500


#Sometimes starting a diagnostic session is
#done with 0x5F, rather than the standard of 0x2
PriusDiagCode = 0x5F


PriusMainBodyID = 0x750


#Toyota Prius 2010 ECU IDs (a.k.a. wid) 
TP_Transmission = 0x727
TP_AirBag = 0x780
TP_PreCollision1 = 0x781
TP_Radar = 0x790
TP_PreCollision2 = 0x791
TP_EPMS = 0x7A1
TP_APGS = 0x7A2
TP_ABS = 0x7B0
TP_ComboMeter = 0x7C0
TP_AC = 0x7C4
TP_Nav = 0x7D0
TP_ECT = 0x7E0
TP_Hybrid = 0x7E2


#NEEDED 0xE0
#Sub-ECU IDs for Prius 'Main Body' ECU (0x750)
TP_LKA = 0x02
TP_MainBody = 0x40
TP_PM1 = 0x57
TP_PM2 = 0x58
TP_HLAutoLevel = 0x70
TP_DDoor = 0x90
TP_PDoor = 0x91
TP_RRDoor = 0x92
TP_RLDoor = 0x93
TP_SR = 0xAD
TP_SmartKey = 0xB5
TP_RemoteStart = 0xB6
TP_MainSwitch = 0xEC
TP_PowerSource = 0xE9


#Prius ECU to String name table (Main body is in another section)
PriusECU = {}
PriusECU[TP_Transmission] = "Transmission"
PriusECU[TP_AirBag] = "AirBag"
PriusECU[TP_PreCollision1] = "Pre-Collision"
PriusECU[TP_Radar] = "Radar"
PriusECU[TP_PreCollision2] = "Pre-Collision 2"
PriusECU[TP_EPMS] = "EPMS"
PriusECU[TP_APGS] = "APGS - Park Assist"
PriusECU[TP_ABS] = "ABS - Anti-Lock Braking"
PriusECU[TP_ComboMeter] = "Combo Meter"
PriusECU[TP_AC] = "Air Conditioning"
PriusECU[TP_Nav] = "Navigation"
PriusECU[TP_ECT] = "ECT - Engine"
PriusECU[TP_Hybrid] = "Hybrid System"


PriusMainECU = {}
PriusMainECU[TP_LKA] = "Lane Keep Assist (LKA)"
PriusMainECU[TP_MainBody] = "Main Body"
PriusMainECU[TP_PM1] = "PM1 Gateway"
PriusMainECU[TP_PM2] = "PM2 Gateway"
PriusMainECU[TP_HLAutoLevel] = "Headlamp Autolevel"
PriusMainECU[TP_DDoor] = "Driver Door"
PriusMainECU[TP_PDoor] = "Passenger Door"
PriusMainECU[TP_RRDoor] = "Rear Right Door"
PriusMainECU[TP_RLDoor] = "Rear Left Door"
PriusMainECU[TP_SR] = "Sliding Roof"
PriusMainECU[TP_SmartKey] = "Smart Key"
PriusMainECU[TP_RemoteStart] = "Remote Engine Starter"
PriusMainECU[TP_MainSwitch] = "Main Switch"
PriusMainECU[TP_PowerSource] = "Power Source Control"


#Diagnostic custom payloads
PriusDiagData = {}
PriusDiagData[TP_ABS] = [0x10, 0x01]


#SecurityAccess custom payloads
PriusSAData = {}
PriusSAData[TP_ABS] = [0x27, 0x01, 0x00]


#Hopefully 
PriusEffectiveKeys = {}
PriusEffectiveKeys[TP_ABS] = 0x00252500


#These are InputOutputControlByLocalIdentifier (0x30). See 14230-3.pdf 
#Prius Commands
PriusCMD = {}
PriusCMD["Seat_Belt_Drive"] = {'Desc':"Engage driver's seatbelt motor", 'ID':TP_PreCollision1, 'Data':[0x30, 0x01, 0x00, 0x01]}
PriusCMD["Fuel_Cut_All"] = {'Desc':"Cut fuel to all cylinders", 'ID':TP_ECT, 'Data':[0x30, 0x1C, 0x00, 0x0F, 0xA5,0x01]} #does not work at speed


#These are InputOutputControlByLocalIdentifier (0x30). See 14230-3.pdf 
#These all use WID 0x750 with the first data byte being the SubID
PriusMBCMD = {}
PriusMBCMD["Headlamps_On"] = {'Desc':"Turn off the head lamps", 'SubID':TP_MainBody, 'Data':[0x30, 0x15, 0x00, 0x40, 0x00]}
PriusMBCMD["Headlamps_Off"] = {'Desc':"Turn off the head lamps (Only works if in Auto-Mode)", 'SubID':TP_MainBody, 'Data':[0x30, 0x15, 0x00, 0x00, 0x00]}
PriusMBCMD["Horn_On"] = {'Desc':"Horn activated for several seconds", 'SubID':TP_MainBody, 'Data':[0x30, 0x06, 0x00, 0x20]}
PriusMBCMD["Horn_Off"] = {'Desc':"Deactivate Horn", 'SubID':TP_MainBody, 'Data':[0x30, 0x06, 0x00, 0x00]}
PriusMBCMD["Lock_All_Doors"] = {'Desc':"Lock All Doors", 'SubID':TP_MainBody, 'Data':[0x30, 0x11, 0x00, 0x80, 0x00]}
PriusMBCMD["Unlock_All_Doors"] = {'Desc':"Unlock All Doors", 'SubID':TP_MainBody, 'Data':[0x30, 0x11, 0x00, 0x40, 0x00]}
PriusMBCMD["Unlock_Hatch"] = {'Desc':"Unlock the Hatch", 'SubID':TP_MainBody, 'Data':[0x30, 0x11, 0x00, 0x00, 0x80]}


#2010 Ford Escape
FordDiagCode = 0x02


#Escape ECU to string name table
FordECU = {}
FordECU[0x0701] = "GPSM"
FordECU[0x0720] = "IC"
FordECU[0x0726] = "SJB"
FordECU[0x0727] = "ACM"
FordECU[0x0730] = "PSCM"
FordECU[0x0733] = "HVAC"
FordECU[0x0736] = "PAM"
FordECU[0x0737] = "RCM"
FordECU[0x0760] = "ABS"
FordECU[0x0761] = "4x4"
FordECU[0x0765] = "OCSM"
FordECU[0x07A6] = "FDIM"
FordECU[0x07A7] = "FCIM"
FordECU[0x07D0] = "APIM"
FordECU[0x07E0] = "PCM"

Honestly I do not quite understand what you are trying to do here...

The 97-04 and some 05 are not CAN Bus ( There is LIMITED CAN Communication for the ABS Module and other random bits like the radio for some odd reason), they are VPW and the deep level communication is based on J1850-VPW. The main chips are a motorola processor and intel EEPROM. 06+ I have not done any research on so I can not speak for those.

As for the ELM, the ELM is fully capable of any command you can dream up as long as it falls under the max sizes limited by the firmware, a better chip to use is the STN1110 as the firmware can be placed into a mode where it will let you blast anything down the pipe as long as it is smaller than 1K TX or 3K RX. OBD is not limited by commands, it is governed by ISO Standards that is is required to have across every US Car which are your more common commands and modes; however, GM and other manufactures have deep level integration abilities and can and will place commands that they do not publicly document for things like documentation or flashing to the PCM.

Again I ask what are you trying to accomplish?

Originally Posted by ADecker

The 97-04 and some 05 are not CAN Bus ( There is LIMITED CAN Communication for the ABS Module and other random bits like the radio for some odd reason)

I was afraid of that. Looking at this post http://www.grandprixforums.net/threa...pin-out-needed I did not see the Hi/Low for CAN. Looking at thumbnail 2 it had VSS Hi/Low. I was assuming vehicle speed would be a range and that might be a CAN. I have not found a BCM pin out yet, maybe because 97 does not have one! Without probing we don't learn. :-)

Originally Posted by ADecker

they are VPW and the deep level communication is based on J1850-VPW.

Option #1

AE J1850 VPW (Variable Pulse Width at 10.4/41.6 Kpbs, single wire) Pin 2: BUS+ signal Idle bus level is low High signal voltage level: +7V (min/max 6.25 to 8.00) Low signal voltage level: 0V (min/max 0.00 to 1.50) Up to 12 message bytes, excluding frame delimiters Bit Timing; "1" Bit: Signal low for 128uS or high for 64uS "0" Bit: Signal low for 64uS or high for 128uS Start-Of-Frame: Signal high for 200uS

Option #2

ISO 15765 CAN (250kbit/sec or 500kbit/sec) Pin 6: CAN high (CANH) Pin 14: CAN low (CANL) Dominant or active bus state: CANH driven high while CANL driven low Recessive or idle bus state: CANH and CANL signals are not driven CANH signal voltage level: 3.5V (min/max 2.75 to 4.50) CANL signal voltage level: 1.5V (min/max 0.5 to 2.25)

I have not looked at my DLC yet to see what pins are available. Sounds like I going to see option one and not two. :-(
On one hand that is ok because the papers say something about not all CAN are exposed at the DLC. They also said for example the PCM is built from a lot of ECU's in one box. The CAN bus maybe internal. Again :-(

Originally Posted by ADecker

GM and other manufactures have deep level integration abilities and can and will place commands that they do not publicly document for things like documentation or flashing to the PCM.

Hence the reverse engineering. :-)

Originally Posted by ADecker

a better chip to use is the STN1110

Interesting, I may have to digest this a bit. The interesting thing on the MCP2515 is it had a version that is "SPI" standard. The new Raspberry PI kernel has "SPI" integrated into it, and there are python examples already existing. Not sure how much latency would be added by using the "ST" commands. The specs on the processor sound interesting.

Originally Posted by ADecker

Again I ask what are you trying to accomplish?

Just to learn, and hack around. Not sure what I can accomplish yet without knowing what I can do. If I did not ask, I would not have known about the STN1110 option.
Maybe the ultimate goal would be to have a Raspberry PI, touch screen LCD stack, in my 97 GP, that could display/control various functions. Maybe even be able to create a "Ad Hock" wan to phone app to remote control and get sensors reading. I mean that is way, way, way down the path. I have several pieces to go before that. It just feels like they are there if can be strung together. I have a remote start kit that uses relays for the remote start and doors. I could use the PI to control relays if can not be done through existing communications.
This is just learning what can be done.

still not sure what your after either? this vid is a joke.https://www.youtube.com/watch?v=oqe6S6m73Zw who would want to mess with stuff like that? and why? whats the point?

There really isn't much reverse engineering to be done, most of it has been done and can be found. I have about 99% of the really important stuff documented but unfortunately I can't share it, yet, as it is all being used for ATuner. If you have any specific questions ask ill see what I can answer.

Originally Posted by Scottydoggs

still not sure what your after either? this vid is a joke.https://www.youtube.com/watch?v=oqe6S6m73Zw who would want to mess with stuff like that? and why? whats the point?

Not sure if by joke you mean impossible or why would you want to mess with .... I am assuming the latter.
Same as mountains or modding cars, just because they are there. :-)

What I see in the video is hidden capabilities, not the just ones on the video in particular.

Hate to burst your bubble but none of the stuff that is done is that video will be possible on our cars. The PCM only controls the engine and nothing else. Not a CAN system. You can maybe do simple things like turn on fans or mess with timing or EGR but nothing major will be possible. Not even ONSTAR can control that stuff because it just isn't built like that. If you want to mess with that stuff then get a 2015 car.

id put my efforts somewhere else, like trying to save man kind. lol lot of effort to do a whole lot of nothing.

if your cars a 97, its got a different os then a 98 up gp. 97 is its own animal. so you'll need to research just a 97 workings. most electronics are non compatible with anything but a 97 year car. its a model change year, aka the bastard year gtp.

This is interesting

Originally Posted by ADecker

ATuner

That explains a lot. I totally understand where you are coming from now. Let me phrase it this way, although I mentioned flashing and busting the bin apart, it was just an example of sharing. As I said, there is not a need for reinventing the wheel, just learning. :-)
It also explains your knowledge and why I have a lot to learn from you. :-)

Originally Posted by ADecker

There really isn't much reverse engineering to be done, most of it has been done and can be found.

Most of what I have found so far has been on 2010 and newer cars. Is there any links you can share without violating either ethical or legal?

Originally Posted by ADecker

If you have any specific questions ask i will see what I can answer.

Thanks you been a big help already. In this link it http://www.ioactive.com/pdfs/IOActiv...ng_Poories.pdf it discusses building a test bench.
1. Do you think there is anything to learn building a 97 with a PCM/BCM?
2. By themselves will they wake up enough to respond to anything?

Also, in your information, I notice "schooner tuner". Being from Oklahoma, is that anything to do with OU? I assuming the "where winter never ends" is Canada, but the last few weeks could apply to Oklahoma. The joke is, "The reason I love living in OK, because you can get all 4 seasons in one week."

Originally Posted by Scottydoggs

its a model change year, aka the bastard year gtp.

I get that a lot, for those who have not hear me say it, "It was cheap". :-)

Naw Im from South Dakota, Bill Boost just gets all funny with my names and stuff lol.

Links on what specifically? OBD Communication?
http://elmelectronics.com/DSheets/ELM327DS.pdf
That is a good thing to read it explains quite a bit about the OBD protocol and how the elm works... Great place to start
Then just google....

By test bench I assume you mean an off-board... Yeah, the PCM runs well on an Off Board if you hook it up right, really there is only Two power wires, 3 grounds (?), and a data line you have to worry about the rest are sensors and inputs to the PCM. There is a thread on how to make an off board for our PCMs somewhere on this forum.... The 97 will work, but I would recommend when you go get the plugs for your Off Board, going and picking up a few 2000-2003 and a 2004 PCM or something like that if you are serious about learning and playing around....

http://www.grandprixforums.net/threa...light=offboard

Link for offboard build.

Originally Posted by ADecker

http://www.grandprixforums.net/threa...light=offboard
Link for offboard build.

Yes, that is exactly what I am calling a test bed. "offboard", never would have thought to google that.
BTW, I found this neat white paper on GM Networks. http://tomboynton.com/GMnetworks.pdf

Originally Posted by ADecker

Naw Im from South Dakota

Oh, so you have them president's looking over your shoulder? :-)

Originally Posted by ADecker

Hate to burst your bubble but none of the stuff that is done is that video will be possible on our cars.

I am with you, just probing. I also want to get a BCM. Might even use the GPIO of the R-PI to tickle some inputs and see what happens. And for using R-PI as remote start/doors, wire it in like an alarm with remote start. Then using the GPIO to control relays. Just thinking out loud.

Originally Posted by ADecker

The 97 will work, but I would recommend when you go get the plugs for your Off Board, going and picking up a few 2000-2003 and a 2004 PCM or something like that if you are serious about learning and playing around....

I hear you, the old 97 stepchild thing. I gave $350 for it and tried things on it that I would not have done on my driver. Like, bought cheap on-line front wheel bearings. When it came time to do my 06 GP daily driver, I went to parts store. The interesting thing, they were the same, even the packaging was identical (other than sensors, the 06 does not have ABS). I bet the pallet from China was sitting on the dock, they picked these to go to the parts stores and the others went to the online store. As I said, the PCM and BCM are only $25 each at our local pull a part, so might do a "offboard" for the 06 also. :-)

05 and up GXP definitely have canbus right? . onstar read check engine light and reset them remotely. Also hacking into these cars for the ability to one one day maybe reprogram the ebcm or like Hinson motorapists is already doing is using a module to display any engine parameter through your hud.

I don't think its all CAN,I think there are CAN aspects but I haven't actually dug into those PCMs/BCMs yet

Made it by Pull-A-Part today. Cool thing, the 97 had a DIC and Hud. The DIC I found for the project car came off of a newer model. I thought there was a hack to make newer ones work, but I missed read. So now I have one for the 97. :-)
The fuse box came off of a 05, I thought as I finish, I could protect some of the modules with fuses. I was hoping the headlight module that goes out all the time is good, help justify the cost. Maybe I keep a spare in my daily driver. That alone may be worth the $15 if keeps me from getting a ticket. My small town is speed trap USA. Grabbed the gauge cluster also, maybe fun to see if can emulate some of the signals. Maybe I can recoup some cost if I don't smoke anything. If both HUD work, I only need one and I can pedal the other DIC.

I figured it all may be worth the $150, should keep me out of trouble for a while. Well, except for when the wife sees how much I spent. :-)

I guess next is to start finding pinouts. I know where some of them are. I will start a list and update it with pinouts as I find them or if anyone shares.
If I put a question mark by the information, that means I found it somewhere, edited this post, but have not tested it on my test bench yet.

1. 97 DIC
2. 97 HUD
I found this thread on the w-body.
http://www.w-body.com/showthread.php...f-my-knowledge
94-03 HUD switch
GM P/N #10249411
[pinouts courtesy of StockGP]
(row A)
Pin# Wire color Purpose(connection/source) ?
A PNK fused ignition feed (shares cluster feed) ?
B GRY interior lamp dim signal (splices into headlight switch output) ?
C WHT display dimmer switch signal, (goes directly to HUD unit B8 94-96, ? 97-03) ?
D --- not used
(row B)
E YEL motor up, (direct to HUD unit B1 94-96, ? 97-03) ?
F BRN HUD switch output, (direct to HUD unit A1 94-96, ? 97-03) ?
G BLK ground(shares cluster ground) ?
H BRN motor down, (direct to HUD unit B2 94-96, ? 97-03) ?


97-03 GP HUD UNIT (has radio info in the display)
(row 1)
Pin# Wire color Purpose(connection/source)
A1 BRN HUD switch output ?
A2 BRN charge indicator ?
A3 TAN oil pressure indicator ?
A4 DK GRN coolant temp indicator ?
A5 DK GRN entertainment and comfort serial data communicator (radio info!) ?
A6 WHT display dimmer signal switch, HUD switch C ?
A7 DK GRN vss ?
A8 BLK ground ?
(row 2)
B1 YEL motor up, HUD switch E ?
B2 BRN motor down, HUD switch H ?
B3 LT BLU english/metric, grounded=metric ?
B4 DK GRN/WHT fuel (+) ?
B5 LT GRN high beam (+) ?
B6 --- not used
B7 LT BLU left turn signal (+) ?
B8 DK BLU right turn signal (+) ?

3. 97 PCM
I posted it in it own post because of size
4. 97 BCM
5. 97 Gauge Cluster
Note: 97 uses a 0-90 ohm fuel sender, the 98 uses a 40-250 ohm fule sender. This maybe a BCM category, but I can not find and pinouts for BCM, yet.
6. Misc modules attached to the BCM, yet to be identified.
7. ODBII connector.
Option #1

AE J1850 VPW (Variable Pulse Width at 10.4/41.6 Kpbs, single wire)Pin 2: BUS+ signal Idle bus level is low High signal voltage level: +7V (min/max 6.25 to 8.00) Low signal voltage level: 0V (min/max 0.00 to 1.50) Up to 12 message bytes, excluding frame delimiters Bit Timing;"1" Bit: Signal low for 128uS or high for 64uS "0" Bit: Signal low for 64uS or high for 128uS Start-Of-Frame: Signal high for 200uS

The one I pulled off the car, matches the above with two extra wires. There is a brown in 9 and green in 14. I wonder what they are for?


Identify the Misc parts. #1 though #5.




Here is a snapshot of the "mess"