Translate this page to:  

HUD ECU Hacker

HUD ECU Hacker is a universal OBD scanner software for ECU's with K-Line or CAN bus.
It can even be used with ECU's which are not OBD2 compliant.
HUD ECU Hacker is charityware.

Supported ECU's

HUD ECU Hacker can scan all ECU's from all motorbikes, ATV's, cars and trucks if they support the OBD2 protocol.
OBD2 also permits to see and clear the fault codes (DTC = Diagnostic Trouble Codes) that the ECU is signaling.
OBD2 is supported by all newer vehicles, but gives few details for the service technician
because it's only purpose is to control the compliance of exhaust emission laws.
Parameter FileConnectionOBD2 ParametersFault CodesDocumentation
Autodetect OBD2.xmlK-Line or CAN bus1942435Wikipedia OBD2

Additionally HUD ECU Hacker has implemented the vendor specific (proprietary) parameters of the following ECUs.
These give more details than the OBD2 parameters, but they are a secret of each vendor and not published anywhere.
The vendor specific parameters can only be found by analyzing the data traffic.
Implementing flashing support for a new ECU (calibration upload / download / editing) is a huge work of an entire year.
ECU ModelConnectionVendor ParametersFlashingManualMore Details
Delphi MT05 and MT05.2 K-Line 115 YES Delphi MT05 & MC21 Manual.pdf
Kohler Engines MT05 K-Line 136 YES Delphi MT05 & MC21 Manual.pdf
Briggs & Stratton MT05 K-Line 136 YES Delphi MT05 & MC21 Manual.pdf
Rongmao MT05 K-Line 115 NO Delphi MT05 & MC21 Manual.pdf See Appendix 2
Chinese Fake MT05 K-Line + CAN ISO Only OBD2 NO Delphi MT05 & MC21 Manual.pdf See Appendix 3
Bosch MSE 3.0 K-Line 41 NO Bosch MSE 3.0 Manual.pdf
Bosch MSE 6.0 K-Line 70 NO Bosch MSE 6.0 Manual.pdf
Deni E1700 CAN Raw 55 NO Deni EXX00 Manual.pdf
Lifan EFI 9 Euro 4 K-Line 40 NO Lifan EFI 9 Euro 4 Manual.pdf
Liteon MC21 K-Line 80 NO Delphi MT05 & MC21 Manual.pdf
Yeson 28S-06 and 28S-16 K-Line 51 NO Yeson 28S Manual.pdf

The vendor specific parameters of the following ECU's are currently not implemented but a manual is available.
ECU ModelConnectionParametersFlashingManualMore Details
Delphi MT05.3 CAN ISO (K-Line optional) OBD2 only NO Delphi MT05 & MC21 Manual.pdf See Appendix 1
Deni E0900 K-Line + CAN Raw OBD2 only NO Deni EXX00 Manual.pdf
Deni E1900 K-Line OBD2 only NO Deni EXX00 Manual.pdf
Rojo GY6-125 CAN Raw Proprietary NO Rojo GY6 Manual.pdf
FAI CAN Raw Proprietary NO Fai Manual.pdf

The Delphi MT05.3 is a completely new development (new processor). It has nothing in common with the predecessors.

More ECU models will be added in the future. You can also add your own ECU.
HUD ECU Hacker can be extended by the user by adding XML files.
By defining the commands, parameters and formulas it can be adapted to other ECU's. See below.

OBD2 Scanner

I have a Regal Raptor 350 motorbike (still sold in 2021) which always ran perfectly...
Motorbike Regal Raptor 350
Show Full Size
...until one day the EFI light turned on, which indicates a fault. (EFI = Electronic Fuel Injection)
On other motorbikes it is named MIL (Malfunction Indicator Lamp) or CEL (Check Engine Light) or FI (Fault Indicator).
Regal Raptor EFI Lamp
Show Full Size

Although the engine was running without noticeable problem, something was wrong.

I read in internet that all modern cars and motorbikes have an OBD2 plug (OBD = On Board Diagnostics).
The ECU (Engine Control Unit) of the vehicle informs about the cause of the fault by returning a DTC (Diagnostic Trouble Code).

I searched for OBD2 software which shows me this error code.
I found that nearly all software is paid software and not working without buying a license.
Or even worse: Some companies sell software together with hardware which acts as a dongle.

I tested for example PCMScan from Palmer and found that it is not able to read one single parameter of my motorbike:
PCMScan cannot scan Delphi MT05 ECU
Show Full Size

The software told me that it has connected, but all parameters were marked with a red cross inidicating that the ECU does not support this parameter.
Not even such a basic parameter like 'Engine RPM' was displayed, nor did I see any fault code.
I analyzed the data traffic and found that the ECU answered all commands with 0x7F, which is an error code.
What a luck that I did not purchase a license for this software, which is completely useless for me!

All OBD2 software that I tested was not able to communicate with my motorbike.
The Regal Raptor 350 uses a Delphi MT05 ECU.

The older MT05 ECU is not OBD 2 compliant.
The newer Delphi MT05.2 implements a basic OBD2 support.
But OBD2 was designed to check that a vehicle complies the emission laws.
OBD2 data has a limited usefulness for the service technician.
HUD ECU Hacker can display the OBD2 data from any vehicle,
but much more useful is the vendor specific scan data.
HUD ECU Hacker displays 90 detailed scan parameters with vendor-specific information
of the Delphi MT05 which you will not find in any "universal" OBD2 scantool.


To scan the MT05 you would normally have to buy an expensive scantool like this.
On Youtube there is a video showing how to use it.
Scantool Motorscan KF90121
Show Full Size
Scantool Motorscan KF90121
It comes in a suitecase which is bigger than a notebook. Price is approx $200 - $300 US.
It is very primitive: It has only 5 buttons and the LCD display displays only 2 parameters at once.
You have a much better display of all 90 parameters at once by using a notebook with HUD ECU Hacker.

ECU's from Delphi Electronics

Delphi MT05 ECU and PCB
Show Full Size
The Liteon MC21 is used in Quads from Hercules and CECTEC. It has a Motorla MC9S12D64 processor.

The Delphi MT20, MT22, MT60, MT80 control 4 cylinders. They are used in cars.
Great Wall Pickup
Chevrolet Sail & Cruze
JAC Motors J3, J6
Lifan 320, 520
Nanjing Yuejin Soyat NJ7150
The Delphi MT05 controls 1 or 2 cylinders. It is used mainly in motorbikes, ATV's and UTV's.
MotorbikesATV's (All Terrain Vehicles)Other
Benelli BN600 (Italy)
Bullit Hero 125
Geon Invader 350
Hanway NK125S
Hawk DLX
Hunter Bobber 350 (Australia)
Hyosung GT650RC
Jawa Bobber 350 (Argentina)
Jialing JH200-8
Johnny Pag Spyder 300 (USA)
Junak M16 320 (Polonia)
Keeway RKF 125
Leonart Daytona 350 (Spain)
Lifan LF250-P
Mash Seventy Five
Mondial 100 SFC Snapy XI
Regal Raptor 350
Revolt RS7
Riya scooters
RKS Spontini
Scomadi scooters
Quadro scooters
Zhejiang TR125
Zongshen RX3
Zontes 250
Aeon Cobra
Baltmotors Jumbo
Bennche Bighorn 400
CFmoto Terralander X8
Hytrack (french rebranding)
Linhai T-BOSS 550
Masai (french rebranding)
Massimo Alligator 700
Odes 800
Qlink FrontRunner 700
Speed Gear Buggy 600
Stels 800 Guepard
Trapper 500
Wels ATV 800
Briggs & Stratton (Lawn Mowers, Marine motors, Generators)
Kohler Engines (Lawn mowers)

The Delphi MT05 & MC21 Manual (PDF) shows how these ECU's are connected.

The older Liteon MC21 connects with 9600 baud.
The MC21 diagram can be found in the Delphi Manual. You will not find a pin for the MAP sensor.
The MC21 has the MAP Sensor built into the ECU. The ECU is connected with a hose to the manifold.

Page 76 shows the 6 pin diagnostic plug (ECM connector)
The Delphi MT05 and MT05.2 use the ISO 14230 protocol over K-Line at 10400 baud and Fast Init.
The Delphi MT05.3 uses CAN bus while K-Line is optional and it's functionality is crippled.

I added several missing details to the following MT05 diagram:
Delphi MT05 circuit diagram
Show Full Size
The following table shows the pins of the MT05.3 which may be configured by the manufacturer in the calibrations.
Some pins may also be configured for testing purposes.
PinTypeUsage Options
J1-2 OutputECP valve or Start motor disable relay or AC cooling fan relay or Head light relay or Second air injection valve
J1-3 OutputMIL Lamp or Misfire generation status of cylinder 1
J1-4 OutputO2 heater B or AC cooling fan relay or Head light relay or Second air injection valve
J1-5 Input O2 Sensor B or Analog input 1
J1-6 OutputTacho (RPM) or Toggle signal when MAP is read or Output of TPS duty cycle signal to second ECU (4 cylinder engines)
J1-14 InputRollover Sensor Input or Power adding switch input
J1-15 InputO2 Sensor B or Analog input 2 or Input for TPS duty cycle signal from first ECU (4 cylinder engines)
J1-16 InputReset EEprom by short to ground or Idle RPM adjust or Differential lock
J1-18 InputPark/Neutral switch or Reverse gear switch
J2-3 OutputK-Line communication or Head light relay or Second air injection valve
J2-6 OutputInjector B or Second air injection valve or Cooling fan relay
J2-12 InputTPS sensor input or MAP sensor only system
4 cylinder engines have 2 ECUs where the first ECU is connected to the analog TPS sensor and sends a digital TPS signal to the second ECU (J1-6 to J1-15).

Connecting to the MT05

HUD ECU Hacker supports the following adapters to connect with the ECU, which are described in the following chapters:
 1. K-Line (VAG) adapter (only K-Line)
 2. J2534 (e.g. Tactrix Openport) adapter (K-Line + CAN bus)
 3. ELM327 / OBDLink (USB, Bluetooth, WIFI) adapter (K-Line + CAN bus)
 4. ZLG (Polaris) UsbCAN adapter (only CAN bus)
All these adapters have a standardized plug with 16 pins: The J1962 plug.
ATTENTION: These adapters are never connected directly to the plugs at the ECU.
Motorbikes and ATV's have a separate diagnostic plug which is normally under the seat.
Most motorbikes and ATV's with the Delphi MT05 use the original ECM plug from Delphi (a black / yellow plastic plug with 6 pins).
AJP uses it's proprietary DB9 plug.

Connecting J1962 to Delphi ECM diagnostic plug or AJP DB9 plug

You only have to connect 3 wires between the J1962 plug of the adapter and the motorbike: Ground, +12V and K-Line.
There are also 2 pins for CAN bus. But the firmware does not use them. They are only for the Delphi developers.

Normally pin 5 (Diag) is connected to the MT05 pin J1-16 (diagnostic switch) which enables Diagnostic Mode when switched to ground.
You can prove this easily in the dashboard. The blue ball must appear when you connect pin 5 (Diag) and pin 2 (Ground):
Delphi MT05 Diagnostic Mode
The meaning of 'Diagnostic Mode' depends on scalar 'J1-16 Input Usage' in the calibrations:
Some Benelli motorbikes put a dummy plug with a jumper between 4 and 5 onto the ECM plug.
The LCD display in the dashboard is connected to pin 5 and sends commands over K-Line to obtain the coolant temperature from the ECU.

Which adapter to buy?

 K-Line / VAG AdapterJ2534 AdapterELM327 / OBDLink Adapter
Connection Only K-Line K-Line + CAN bus K-Line + CAN bus
Advantage As there is no intelligence in the adapter even the counterfeit are working perfectly. You can also make your own cheap DIY adapter with 2 transitors. Professional adapters for scanning and flashing. They are technically the best choice. Hobbyist adapters. Bluetooth and WIFI versions available. There is no advantage over J2534 adapters.
Disadvantage No support for CAN bus.
Cannot measure battery voltage. Timing depends on computer speed.
The genuine are expensive but chinese clones exist which do work. Misdesigned (see below)
ECU Emulator and CAN Raw protocol do not work. All ELM327 adapters in internet are fake, except genuine OBDLink, ScanTool.
Summary OK (limited use) recommended deprecated
Price Genuine$5 USD$180 ... $500 USD OBDLink: $40 USD
Price Counterfeit $5 USD
Do NOT buy Ross-Tech
Do NOT buy Mini-VCI fake
$10 USD
Do NOT buy cheap fake!


The following shows the order of most recommended to least recommended adapters:
  1. Genuine Tactrix J2534   (100% recommended)
  2. Chinese J2534   (not Mini-VCI fake!)
  3. K-Line   (not if your ECU uses CAN bus)
  4. Genuine Scantool OBDLink USB
  5. Genuine Scantool OBDLink Bluetooth
  6. Chinese fake ELM327 USB
  7. Chinese fake ELM327 Bluetooth
  8. Chinese fake ELM327 Wifi   (most stupid design of all)
If your ECU uses the CAN Raw protocol the ONLY adapter which will work is J2534.
Read the following chapters for more details.

Option 1: K-Line Adapter

The cheapest (but not perfect) option to connect to an ECU with K-Line protocol is using a VAG KKL adapter (approx $5 USD).

The ISO 14230 fast initialization requires a very precise timing.
K-Line adapters do not have a microprocessor, so the timing depends on the computer.
Windows is not a real-time operating system and delays are normal.
But K-Line adapters work very well on most computers. Only a few users have reported connection problems.
In case of a connection error close all software on your computer which consumes much CPU and try to connect multiple times.
See chapter Trouble Shooting.
VAG KKL Adapter
VAG KKL adapter photo
VAG KKL Adapter
VAG KKL Adapter circuit diagram
Show Full Size
The +12V on the diagnostic plug are always present, even when the ignition key is off.
If you don't need the adapter anymore don't let it connected for hours because it permanently draws current from the battery.

In the HUD ECU Hacker toolbar (button "Install USB driver") you can install the drivers for all types of K-Line adapters.

For Electronic Experts Only

You can also build your own K-Line adapter with a cheap (approx $1 USD) USB to RS232 adapter and 2 transistors.
For a quick testing this can be built on a breadboard.

IMPORTANT: Build your own adapter ONLY if you have experience with electronics!
I receive emails from beginners who fail to build their own circuit. I will not give you support for this.
Buy a complete adapter if you do not understand how a transistor works.
Simply forget it if you do not have an oscilloscope.
You will need a digital oscilloscope when you get the error "Timeout waiting for response from the ECU".

Option 1:
If you already have an USB to RS232 adapter you can use it.
But cheap adapters contain the chinese CH340 chip which may produce problems.
ISO14230 RS232 to K-Line Adapter circuit
Show Full Size

The signal must be inverted from RS232 to K-Line and back.
The RS232 lines TxD and RxD are low when idle, while K-Line is high when idle.

Option 2:
You can also use a breakout board with the high quality FTDI chip.
In this case the Rx and Tx signals must not be inverted.
The Tx and Rx pins of the FTDI chip are high when idle.
This board has two LED's which are flashing when data is transferred on Rx and Tx.
ISO14230 RS232 to K-Line Adapter circuit with FTDI chip
Show Full Size

K-Line is half duplex, so only the computer or the ECU can send data alternately, but not at the same time.
All data sent from the computer via TxD is then received as echo on RxD.
The computer will always first receive the echo of it's own command and then, after a pause, the response from the ECU.
This allows to easily detect connection problems. If no echo is received, there is always a hardware problem.
HUD ECU Hacker always verifies the echo but it does not show the echo in the Trace pane, except the echo is corrupt.

1a) Build your own ECM Cable (for Delphi MT05)

You can buy a J1962 Female Connector and solder the 3 wires to 3 pin headers which perfectly fit into the ECM plug.
J1962 plug to Delphi ECM plug diagnostic cable
Show Full Size

Or you buy the 6 Pin Furukawa FW090 Male Connector FW-C-6M-B at Cycleterminal: here or at Taobao: here or here or here.
Or you search on Google for more companies selling this plug on eBay, Alibaba or AliExpress.

Then you can either use a crimping plier or solder the wires to the contacts and build your cable as shown in this video.

1b) Buy a complete ECM Cable (for Delphi MT05)

If you have time you can also buy a complete cable in China. Shipping may take between 1 and 3 months.
Cable USB to ECM from Taobao
Taobao USB to ECM adapter
Show Full Size
Cable J1962 to ECM from AliExpress
AliExpress J1962 to ECM adapter
Show Full Size
The red cable from Taobao has a very limited support of baudrates.
In the window "Configure Adapter" you must switch to Fast Init Mode 2 otherwise you get a timeout when connecting.

K-Line Adapter Echo Test

I discovered 2 severe problems with cheap chinese USB to RS232 adpaters containing the widely used CH340 chip.
Problem: The defective driver from the manufacturer WinChipHead produced a blue screen.
This happend when the computer went to sleep or was shut down while the USB cable of the adapater was plugged in.
Solution: I found that the latest driver version 3.5 from 2019 (which is WHQL certified) fixes this problem.
I implemented the installation of the driver version 3.5 into HUD ECU Hacker (toolbar button "Install USB driver").
Problem: I found that several of my CH340 adapters sometimes send crippled data. Mostly they send 0x00 instead of 0xFA.
Solution: There is no solution. These adapters are garbage and must be thrown into the dustbin.
The faulty adapters have firmware version 2.54. I found another one with firmware version 2.63 which works correctly.
Therefore I implented the Echo Test into HUD ECU Hacker. It sends data to the K-Line adapter and verifies the echo.
Here you see the test result of a faulty CH340 adapter:

Echo test detects CH340 bug

You can execute the echo test after connecting the K-Line / VAG adapter to the motorbike.
But turn the ingnition key OFF so the ECU switches to sleep mode.
The echo test will fail if you connect only the adapter over USB to the computer. The +12V are required.
The +12V at the ECM plug are connected directly to the battery and are not affected by the ignition key.

You can also test the pure USB to RS232 adapter by connecting RxD (pin 2) directly to TxD (pin 3).

Option 2: J2534 Adapter (recommended)

J2534 adapters are the recommended choice. They support K-Line and CAN bus.
J2534 (PassThru) is an international standard for reprogramming ECU's.
If you are interested in the details read the API Documentation (PDF) for programmers.
The genuine J2534 adapters (for example Tactrix OpenPort or Drewtech Mongoose) are very expensive ($180 ... $500 USD).
There are also chinese clones like the VISLONE Tactrix Scanner for 30€ which have been reported to work fine.
ATTENTION: Do not buy XHorse Mini-VCI adapters. They are Chinese fake garbage.
J2534 Tactrix OpenPort adapter
Show Full Size
Genuine Adapter
J2534 Tactrix OpenPort PCB
Show Full Size
Genuine Adapter
J2534 Tactrix OpenPort PCB
Show Full Size
When you plug in the adapter for the first time Windows installs a default driver and assigns a COM port.
ATTENTION: This is the wrong driver and the COM port will never work.
In the HUD ECU Hacker toolbar (button "Install USB driver") you can install the original Tactrix driver.
After installing the correct driver the COM port will disappear and a J2534 device will show up in Control Panel:

Option 3: ELM327 Adapters (deprecated)

ELM327 / ObdLink /Scantool adapters support K-Line and CAN bus.
There are 3 types of ELM327 adapters:
  1. Chinese ELM327 clones:
    The internet is full of fake ELM327 adapters. You find them on eBay, Amazon, AliExpress, etc.
    All these adapters are garbage. The Chinese did not even implement half of the command set.
    You send a command to the adapter, it answers with 'OK' but it does not execute the command.
    These adapters are fraud. All adapters for less than $40 USD are fake!
    If you already have one you can use it to scan the parameters, but ECU Emulator and Data Slewing and Flash Up/Download will not work.
  2. Genuine ELM327 adapters:
    Genuine ELM327 adapters have the ELM327 chip inside. Download Datasheet (PDF)
    Elm Electronics ELM327 chip
    ELM Electronics sells only the ELM327 chip ($21 CAD), but they do not offer an own adapter.
    Genuine adapters are difficult to find because very few companies offer them: WGsoft (105€), Warenhuis (109€).
    But even if you have a genuine adapter, Flash Upload will not work because they do not support to set a long timeout.
  3. Genuine OBDLink adapters:
    Genuine OBDLink adapters have a STN11XX chip inside. Download Datasheet (PDF) STN1110 chip
    They are sold by Scantool and ObdLink ($40 USD).
    They implement the same AT commands as genuine ELM327 adapters and have additional ST commands.
    If you want to use an ELM327 adapter you should ONLY buy it from Scantool or OBDLink.
    My adapter was sold with a very old firmware. Don't forget to update the firmware.
    Even in a genuine OBDLink adapter I found a severe bug. But I also found a workaround.
    Even with the genuine OBDLink adapters the ECU Emulator will not work.
ELM327 adapters are a misdesign.
They have too many commands which makes programming complicated.
Instead of leaving the intelligence in the controlling software (as J2534 adapters do) all the intelligence is in the chip.
The chip must be configured with hundreds of commands.
Instead of transmitting binary data directly (as J2534 adapters do), they use ASCII strings, which is simply a bad design.
ISO 15765 data is passed by the adapter with missing CAN ID or must be parsed in the controlling software (STUPID design!)
Instead of using internally an USB capable processor (as J2534 adapters do) they convert USB first to RS232 which is slower
and the COM port must be configured with the correct baudrate, while J2534 adapters neither need COM ports nor baudrates.
Another issue is that the ELM327 can store configuration in non-volatile memory resulting in not predetermined behaviour.
None of the ELM327 adapters (not even the genuine) supports the CAN Raw protocol.
So, if you already have a ELM327 or OBDLink adapter study the Trace pane to see how many errors you get.
But if you don't have an adapter yet, do not buy it. See summary above.

Diagrams of a genuine adapters:
Original ELM327 circuit diagram
Show Full Size
Original OBDLink circuit diagram
Show Full Size

Counterfeit ELM327 Adapters

Do NOT buy any of the cheap Chinese ELM327 adapters which are sold on Amazon or eBay!
They are all fake and work only partially. Many ELM327 commands are buggy or even not implemented at all.
If you see one of the following errors in the HUD ECU Hacker Trace pane, the Chinese have betrayed you:

Chinese fake ELM327 adapter errors

The buffer of the fake adapters is so tiny that it cannot even receive a 128 byte ECU response!
So you can only scan the OBD2 commands which give few information, but not the detailed vendor specific commands.
You will see none of the above errors if you use a genuine OBDLink adapter.

Counterfeit ELM327 USB Adapters

Chinese Clone
ELM327 adapter USB
Show Full Size
Chinese Clone
ELM327 adapter USB PCB chinese clone
Show Full Size
Some chinese USB adapters use a counterfeit PL2303 chip (right photo) which converts from USB to RS232.
On Windows XP and Windows 7 this works perfectly.
But on Windows 8 and 10 the latest drivers from Prolific detect the counterfeit chip and refuse to work.
The driver returns the undocumented Error 433: "A device which does not exist was specified."

If you connect the adapter and Windows 10 does not find an installed driver it downloads the latest version 3.8
from Windows Update and you will see a yellow exclamation mark or a 'PHASED OUT' error:

Device Manager Error Prolific counterfeit PL2303 chip

Do not use the drivers from a CD or from Windows Update.
I have implemented the driver installation into the toolbar at the top of HUD ECU Hacker.
Install the Prolific driver version 3.3 from 2008 which also works on Windows 8 and 10.

Counterfeit ELM327 Bluetooth Adapters

Chinese Clone
ELM327 adapter Bluetooth
Show Full Size
Chinese Clone
ELM327 adapter Bluetooth PCB chinese clone
Show Full Size
On the right photo you see that there are several SMD parts missing (4 transistors and 16 passive components).
This means that the J1850 bus will not work. Only CAN and K-Line are implemented.
If a vendor sells this as a universal ELM327 adapter, this is a fraud.
However, the J1850 bus was used by older GM and Ford vehicles, but is not used in modern cars anymore.

Installing a Bluetooth Adapter

Follow these steps on Windows 10 to add a bluetooth adapter: (on Windows 7 it is similar)
Configure Windows 10 for Bluetooth
Show Full Size
If it was successful you see 2 COM ports in device manager:

Device Manager Bluetooth ELM327 COM ports

One of the COM ports will work while the other one will not be functional.
Simply open the COM ports in HUD ECU Hacker and try them (the LED "PC" on the adapter should flash).

Counterfeit ELM327 WIFI Adapters

These adapters are the most stupid design because they represent a WIFI access point.
Mostly they respond on the fix IP address and port 35000 without WIFI password.
The problem is that you must disconnect your notebook from your router to connect it to the adapter.
So after connecting to the OBD adapter you lose internet access.
The signal strength and maximum distance between computer and adapter are worse than with Bluetooth adapters.
The adapter uses the most used Wifi Channel 11. So conficts with your or your neighbour's router are probable.
There is absolutely no reason why should buy these adapters.

Option 4: UsbCAN Adapters (deprecated)

ZLG Polaris UsbCAN Adapter
Show Full Size
If you already have a Chinese ZLG (Polaris) UsbCAN adapter, you can use it with HUD ECU Hacker.
However, do not buy one because it supports only CAN bus and the driver is worst Chinese 'quality' with many bugs.
Most of the pins are fake. Only the uppermost (CAN0H and CAN0L) are connected internally.
The LED's are extremely stupid: Red LED blinking means OK. Green LED illuminated means CAN bus error.
To install the driver click the toolbar button Install USB driver in HUD ECU Hacker.

ISO 9141 Protocol

The ISO 9141 protocol is quite old and primitive.
The data transfer on K-Line (Pin 7) is like RS-232, sending the least significant bit first, but the voltage is inverted.
ISO9141 K-Line 5-Baud Init
Show Full Size
ISO 9141 uses the extremely slow 5 Baud Init to wake up the ECU. It takes 2 seconds to transmit the address byte (0x33).
Some ECU's require this 5 Baud Init to be sent additionally on L-Line (Pin 15).
5-Baud Initialization
Sender Data Baudrate Meaning
Tester 0x33 5 Baud Address
ECU 0x55 10400 Baud Synchronization
ECU 0x08 (0x94) 10400 Baud Keyword 1
ECU 0x08 (0x94) 10400 Baud Keyword 2
Tester 0xF7 (0x6B) 10400 Baud Keyword 2  (inverted: F7 = 08 XOR FF)
ECU 0xCC 10400 Baud Address     (inverted: CC = 33 XOR FF)
Tester Packet 10400 Baud First Command

Here you see the first OBD2 command 01 00 (Request supported PID's) and the response from the ECU.
The command is embedded into a packet which starts with a header and ends with a checksum.

Command (from PC): 68 6A F1 01 00 C4
Response (from ECU):48 6B 11 41 00 BE 36 B0 03 A9
OBD2 Command '01 00' Response (1...7 data bytes)
Header 1 68 Fix value Header 1 48 Fix value
Header 2 6A Fix value Header 2 6B Fix value
Header 3 F1 Source address (Tester) Header 3 11 Source address (ECU)
Data 1 01 OBD2 Service 1 Data 1 41 Service confirmation = 01 + 40
Data 2 00 PID 0 Data 2 00 PID confirmation
Checksum C4 68+6A+F1+01+00 = C4 Data 3 BE Payload byte 1
Data 4 36 Payload byte 2
Data 5 B0 Payload byte 3
Data 6 03 Payload byte 4
Checksum A9 48+6B+11+41+00+BE+36+B0+03 = A9
ISO 9141 does not define error codes.
The ECU simply does not respond when it does not understand a command.

ISO 14230 Protocol

The Keyword 2000 protocol (KWP 2000) is defined in ISO 14230. It offers much more functionality than ISO 9141.
ISO 14230 normally uses Fast Init to wake up the ECU.
Fast Init means that the K-Line goes low for exactly 25 ms and then high for 25 ms. After that the communication starts with 10400 baud.
However, there are a few ECU's which combine the ISO 14230 protocol with 5-Baud Init.

On the left you see the fast init, followed by the command 'Start Communication' and the response from the ECU.
On the right you see that ISO 14230 demands long pauses between the bytes because some old ECUs are very slow.

ISO14230 K-Line 'Start Communication' on oscilloscope
Show Full Size
ISO14230 K-Line inter byte delays on oscilloscope
Show Full Size
In detail the command 'Start Communication' (Service = 81) looks like this:

Command (from PC): 81 11 F1 81 04
Response (from ECU):83 F1 11 C1 EF 8F C4

The Delphi MT05 uses the address 11. The application on the PC (the tester) uses the address F1.
The MT05 responds with 2 key bytes EF and 8F which define how the ECU wants the commands to be formatted.
They define how to transmit the packet length and if the source/target addresses are to be sent.
You see the meaning of the key bytes in the Trace pane in magenta when connecting.
Command 'Start Communication' Response Short (1...63 data bytes)
Header 1 81 80 + length of data (1 byte) Header 1 83 80 + length of data (3 bytes)
Header 2 11 Destination address (ECU) Header 2 F1 Destination address (tester)
Header 3 F1 Source address (tester) Header 3 11 Source address (ECU)
Data 1 81 Service 'Start Communication' Data 1 C1 Service confirmation = 81 + 40
Checksum 04 81+11+F1+81 = 04 Data 2 EF Payload byte 1 (bit flags)
Data 3 8F Payload byte 2 (always 0x8F)
Checksum C4 83+F1+11+C1+EF+8F = C4

The first header byte is called format byte.
It may contain the packet length and it's bits define if addresses are sent and the type of addresses (physical, functional).

To simplify reading the binary data HUD ECU Hacker displays the data bytes in parenthesis in the Trace pane:
81 11 F1 ( 81 ) 04
83 F1 11 ( C1 EF 8F ) C4
The other bytes are not really interesting as they are generated automatically.

The following table shows a long response (102 data bytes) which contains an additional length byte (header 4).
Command 'Read Data' Response Long (64...255 data bytes)
Header 1 82 80 + length of data (2 byte) Header 1 80 Extra length byte follows
Header 2 11 Destination address (ECU) Header 2 F1 Destination address (tester)
Header 3 F1 Source address (tester) Header 3 11 Source address (ECU)
Data 1 21 Service 'Read Data' Header 4 66 Length of data (102 byte)
Data 2 01 Subfunction 1 Data 1 61 Service confirmation = 21 + 40
Checksum A6 82+11+F1+21+01 = A6 Data 2 01 Subfunction confirmation = 01
Data 3 ... Payload byte 1
Data 102 ... Payload byte 100
Checksum ... 80+F1+11+66+61+01+...
HUD ECU Hacker tries first to connect with the physical address defined in the parameter XML file (Default = 0x11).
If this fails it waits 5 seconds and tries again with the functional address 0x33.
A physical address (format byte contains 0x80) means that one specific device on a bus is addressed.
A functional address (format byte contains 0xC0) is like a broadcast address to a group of devices.
There are functional addresses for Steering Controllers, ABS Systems, Air Condition, Audio, Lightning, etc.
The functional address 0x33 is used to address "Engine Controllers" (ECUs).
As normally only one ECU is connected this can be used when the physical ECU address is unknown.
As you see here the ECU responds to the functional address 0x33 with it's physical address 0x11:
C1 33 F1 ( 81 ) 66
83 F1 11 ( C1 EF 8F ) C4
The Delphi MT05 does not need functional addressing, but there are strange ECU's which do not respond to their own physical address!


ISO 14230 defines several error codes which the ECU can return.
If the ECU does not understand a command it sends 7F (failure) followed by the service and the error code.


If the ECU does not receive commands it switches to sleep mode after 5 seconds.
While HUD ECU Hacker is polling data this will never happen because polling takes place 3 to 5 times per second.
Only if you switch to manually enter commands (in the Trace pane), polling stops and HUD ECU Hacker sends a Keep-Alive every 3 seconds.

Command (from PC): 81 11 F1 3E C1
Response (from ECU):81 F1 11 7E 01



Newer vehicles are equipped with CAN bus which uses 2 wires (CAN Hi and CAN Lo) and runs mostly at 250 or 500 kbaud.
Many controllers and sensors may be connected to the same bus. Each endpoint has a unique ID.
The neutral voltage on CAN bus is 2.5 Volt. Each endpoint has a transmitter which pulls CAN Hi up and CAN Lo down.
The receiver measures the difference between CAN Hi and CAN Lo which makes CAN robust against electromagnetic interference.

CAN Bus termination
Show Full Size
CAN Bus transceiver MCP2551
Show Full Size
Below you see a raw CAN frame which contains the identifier (11 bit or 29 bit) and max 8 data bytes.
Data transfer is very robust because a 15 bit CRC assures that each frame is received without error.

CAN Bus packet on oscilloscope
Show Full Size
CAN Bus data frame
Show Full Size

ISO 15765

The ISO 15765 protocol can transmit a payload of up to 4095 bytes in multiple raw CAN frames of 8 bytes.
It occupies the first data byte of each CAN frame as a control byte.
The first byte may define that the frame is a SF (Single Frame) which transmits only 7 data bytes.
Or a FF (First Frame) followed by multiple CF (Consecutive Frames) and FC (Flow Control Frames) transport a larger payload.
ISO 15765 Data Transfer
Show Full Size

CAN Filter

Mostly (but not always) ECU's use 2 different CAN ID's: One for receiving and one for sending.
OBD2 compliant ECU's with 11 bit ID should respond to the functional broadcast ID 7DF.
They use a phyical ID between 7E0 ... 7E7 for receiving commands and 7E8 ... 7EF for sending the response.

If only HUD ECU Hacker and the ECU are connected to the CAN bus you do not need CAN filters.
But if you sniff the CAN bus traffic in a car or a truck you may get a tremendous amount of data.
A filter and a mask can be used to exclude all the other traffic on the CAN bus except to the ECU.

The filtering also tells the adapter which packets to acknowledge (set the bit in the ACK slot of the CAN frame).
If HUD ECU Hacker runs in sniff mode it will never modify the ACK bit.
Otherwise, when communicating with the ECU or in Emulator mode the received packets must be ACKnowledged.
If a CAN packet is not ACK'ed by the receiver the sender assumes that it was not received and sends it again.
If a CAN packet is not ACK'ed mutiple times the sender generates an error and stops the communication.

For Can Raw protocol you must enter RespFilter and RespMask in the parameter XML file.
For ISO 15765 these are not needed. You enter a fix RespID instead.

For Sniffing you can use the following window to define the filter and mask:

In the field 'Response ID' enter an ID on which the ECU responds and the filter and mask will be calculated automatically.
Example 1.)
  If you know the ECU ID enter it into the field 'Response ID'.
  If you enter 7E8, the filter and mask will be calculated as 7E8 and 7FF.
Example 2.)
  Otherwise use the letter 'X' to specify that a digit does not matter (e.g. 7EX). A digit corresponds to 4 bits.
  If you enter 7EX, the filter and mask will be calculated as 7E0 and 7F0.
Example 3.)
  If the precision of 1 digit = 4 bits = 16 matches is not enough you must enter filter and mask manually.
Example 1Example 2Example 3
Response ID 7E8 = 111 1110 1000 7EX = 111 1110 XXXX empty
Response Filter 7E8 = 111 1110 1000 7E0 = 111 1110 0000 7E8 = 111 1110 1000
Response Mask 7FF = 111 1111 1111 7F0 = 111 1111 0000 7FC = 111 1111 1100
Received ID's
that match the
filter and mask
7E8 = 111 1110 1000

only 1 ID matches
7E0 = 111 1110 0000
7E1 = 111 1110 0001
7E2 = 111 1110 0010
7E3 = 111 1110 0011
7E4 = 111 1110 0100
7E5 = 111 1110 0101
7E6 = 111 1110 0110
7E7 = 111 1110 0111
7E8 = 111 1110 1000
7E9 = 111 1110 1001
7EA = 111 1110 1010
7EB = 111 1110 1011
7EC = 111 1110 1100
7ED = 111 1110 1101
7EE = 111 1110 1110
7EF = 111 1110 1111

16 ID's match
7E8 = 111 1110 1000
7E9 = 111 1110 1001
7EA = 111 1110 1010
7EB = 111 1110 1011

4 ID's match
Each bit in the mask which is one defines that the same bit in the filter must match the same bit in the ID of the received CAN frame.
Each bit in the mask which is zero defines that the same bit does not matter, neither in the filter nor in the ID of the received CAN frame.

PCHUD & Diag Tool

The Delphi manuals for MT05 and for MT20 explain a software PCHUD.
PCHUD ('Heads Up Display' for PC) is a very old program from Delco Electronics written in 1993 for Windows 3.
The manual for the MC21 explains a software Diag Tool from LITEON written in 2009.
Previously these were the only programs that could communicate with these ECU's.

Delco Electronics PCHUD software
Show Full Size
DiagTool (MC21)
LITEON Diag Tool Software
Show Full Size
Today it is practically impossible to find this software in internet.
I found lots of dead links and a fake PCHUD download on a chinese website which was a trojan.
But in the forum China Riders I found a thread from the (ex)user 'katflap' talking about PCHUD.
Only thanks to 'katfalp' I could still in the year 2020 download and analyze this software.

The ancient 16 bit program PCHUD does not run on 64 bit Windows because Microsoft has removed the support for 16 bit applications on 64 bit platforms.
Running it on a 32 bit Windows in the 16 bit emulator (NTVDM.exe) I notice that it permanently occupies 100% of one CPU core.

While PCHUD is displaying the data from the ECU it sends every 200 ms the same command (21 01) which the ECU responds with a data block of 100 bytes.
This 'parameter polling' looks like this:
MT05 parameter polling on oscilloscope
Show Full Size
It was a lot of work to analyze which meaning has each of the 100 bytes in the response
and to find the formulas which convert the raw values into temperature, voltage and pressure.

HUD ECU Hacker

The ancient PCHUD from Delco is obsolete because
The Diag Tool from LITEON is obsolete because
The new HUD ECU Hacker from ElmüSoft
In contrast to all other OBD2 software HUD ECU Hacker is not commercial paid software.
Also, HUD ECU Hacker will never show you any advertising.
HUD ECU Hacker is the result of more than a year intense programming.
There is absolutely no documentation about the internals of the MT05.
All information you see in HUD ECU Hacker is based on a huge work which costs a lot of time.
However, this program is charityware, which means that the author does not earn any money with it.
But if this program has helped you saving money by not needing expensive commercial software
or an expensive scan tool you are asked to give a donation to a non-profit organization of your choice.
Like for example Shanti Bavan, a project which gives education for free to the poorest of the poor in India.
There is an excellent documentary about this very special residential school on Netflix: Daugthers of Destiny

Apart from that HUD ECU Hacker has been designed to be community software.
Every user can adapt the program to his needs.
When you have adapted the XML parameter file for another ECU, you are asked to send it to me for publishing it.

HUD ECU Hacker - Control

HUD ECU Hacker Screenshot - Control
This screenshot shows the playback of the logfile Regal Raptor 350 - Error Clearing.xml
  1. I disconnected the plug of one oxygen sensor.
    The plug has 4 pins: Two for the sensor and two for the heater. (See circuit diagram of MT05 above)
  2. After turning on the ignition key the ECU immediately alerted error P0037. I did not even start the motor.
    HUD ECU Hacker translates the fault codes into human understandable messages.
  3. The error was first reported as Current.
  4. Then I turnd off the ignition, reconnected the oxygen sensor and turned on ignition again.
  5. Now the ECU detected that the error is not present anymore and reported it as Historic.
  6. Then I recorded the logfile
  7. At 00:00:10.200 I clicked the button Clear Fault Codes which removed the fault code.

Clearing Fault Codes (DTC)

The button "Clear Fault Codes" clears the historic fault code(s) from the non-volatile ECU memory.
But if a fault is still present it will not be cleared: You click the button and nothing happens.
This button will clear only historic fault codes which are not present anymore.
The MIL / EFI lamp is only on if there is a current fault present. It is off if there are only historic DTC's.
Some current faults disapear immediately when the fault has been fixed (e.g. Oxygen sensor cable disconnected).
Other current faults will disapear alone after driving some minutes.
Some historic fault codes are erased automatically after driving 30 times without further faults.

The ECU can report multiple Current DTC's at once and it can store multiple Historic DTC's.
If there are multiple DTC's present, they are displayed alternating once a second in the Dashboard.
You see all faults at once with their status when you click the button Show Fault Codes.

If you get the fault codes P0171 or P0172 please read the chapter Self-Learning.

HUD ECU Hacker - Data Grid

HUD ECU Hacker Screenshot - DataGrid

This screenshot shows the playback of the logfile Regal Raptor 350 - Starting Motor.xml
At 00:00:16.831 I turned the throttle up to the maximum with the motor not running.
At 00:00:32.712 I started the motor. You see that the ignition voltage drops down to 9.2 Volt.
At 00:01:55.106 I turned the throttle again, now with the motor running.
At 00:02:25.260 I pressed the kill switch (red button). The ignition voltage goes down to 0 Volt.
While recording this logfile the motorbike was standing still (not driving).

For each parameter you see the raw value and it's meaning and the minimum and maximum values.
A gauge displays the value graphically. If the value can also be negative, the gauge starts in the middle.
Values that have changed since the previous sample have a yellow background. You can turn off this highlighting.

HUD ECU Hacker - Dashboard

Delphi MT05.2
HUD ECU Hacker Screenshot - Dashboard Delphi MT05.2
Show Full Size
HUD ECU Hacker Screenshot - Dashboard OBD2
Show Full Size
The left screenshot shows the playback of the logfile Regal Raptor 350 - Driving.xml
At 00:00:35.878 I started the motor. The ignition voltage drops down to 7.7 Volt
At 00:00:39.488 the motor turned off alone because it ran too slow.
At 00:00:42.113 I started the motor again and drove around the block (not fast, ony first and second gear).
At 00:02:57.941 I pressed the kill switch.

On the screenshot above you see a tooltip which appears when you hold the mouse over a parameter.
Some parameters have a wrench icon. You can click on it and modify these values in the ECU. See Data Slewing.

The dashboard can be configured 100% by the user after checking the checkbox Edit Mode below.
You can create, edit and delete groups and assign parameters to them.
You can move around the groups, change the order of parameters and drag and drop them to another group.

HUD ECU Hacker Screenshot - Gauge Configuration

In this dialog you can configure a value parameter.
The ignition voltage has a minimum of 0 Volt and a maximum of 32 Volt.
You can restrict the range of the gauge to something more useful like 7 V to 16 V.
When you set an alarm the parameter will be displayed in red if the value exceeds the given limits.

HUD ECU Hacker - Graph

HUD ECU Hacker Screenshot - Graph
Show Full Size
HUD ECU Hacker Screenshot - Graph
Show Full Size

These images are graphs created from the logfile Regal Raptor 350 - Driving.xml
You can chose the parameters that you want to include.

If you want more sophisticated graphics you can export the data to CSV and load it into the LiveLink Gen-II software (70 MB).

HUD ECU Hacker - Manual Command Injection

HUD ECU Hacker Screenshot - Trace
Show Full Size
HUD ECU Hacker allows to send commands manually to the ECU and study the response.
For the purpose of hacking you can also enter XX, YY, which will be replaced with all values from 00 to FF.
In the example above entering '21 XX' has sent 256 commands from '21 00' to '21 FF' to the ECU.
Here the ECU (a Delphi MT05) has only answered 4 of the 256 commands, for the others it has returned an error.
Entering '22 XX YY' will send 65536 commands from '22 00 00' to '22 FF FF' to the ECU.

For the CAN Raw protocol you must also specify the Tx CAN ID for sending the command and the Rx ID for receiving the response.
Some ECU's send multiple responses on multiple CAN ID's to one command. In this case enter all Rx ID's separated by commas.

Recording Logfiles

Below in the Trace pane with the button Start Logging you can create logfiles after connecting to the ECU.
You can also record a log file while you are driving.
Connect the cables and put a notebook into a saddlebag or backpack.
HUD ECU Hacker recording on the road
Show Full Size

Data Slewing

The MT05 allows to manually modify some of the parameter values which have been measured or calculated.
The purpose of data slewing is to analyze an engine which is not running correctly.
You can set absolute (fix) preset values or you can add a delta (± offset) to the current ECU values.
First set all the preset values that you want to change in the list then click 'Send all presets to ECU'.
These changes have effect on the running motor.

Idle Speed

When the motor is runing idle and you set Idle RPM Target to 2500 rpm you will hear how it slowly becomes faster.
Delphi MT05 Data Slewing Idle RPM Target
Show Full Size

This graph shows the logfile Regal Raptor 350 - Data Slewing.xml where the engine was running idle with 1400 rpm.
At 00:00:29.806 I have set the slew parameter Idle RPM Target to 2500 rpm. The ECU slowly adapted the idle speed.
At 00:01:12.480 I have clicked the button Reset all presets in ECU.

NOTE: On a Benelli TRK251 (1 cylinder) you can set the idle speed target but the engine speed is not adjusted correctly.

Fuel Pump

When the engine is off and you set Fuel Pump Duty Cycle to 15% you will hear the fuel pump running quietly.


You can control the Idle Air Control Valve with the slew parameter IACV Target Step.
If you have problems with the idle speed read appendix IACV Calibration.

The modified slew values are not stored in the non-volatile memory of the ECU.
However this feature is for experts only. Wrong values can produce knocking or stall the motor.
I saw that the ECU does not go to sleep mode after changing some of the values.
Do not forget to click 'Reset all presets in ECU' when you are finished with your testing.

Data Slewing does not work with my chinese ELM327 adapters. But J2534 and K-Line adapters do work.
The ELM327 Datasheet says (page 31) that the ELM327 limits the bytes that can be sent to the maximum for OBD2.
Therefore HUD ECU Hacker sends the command ATAL which allows longer commands.
My chinese adapter answers ATAL with 'OK', but it still refuses to send more than 4 data bytes.
You will see a timeout error in HUD ECU Hacker.

ELM327 Terminal

HUD ECU Hacker Screenshot - ELM327 Terminal

As there are so many problems with chinese ELM327 clones I implemented the ELM327 Terminal.
Here you can test your adapter by sending commands and studying the responses.
The screenshot shows that my ELM327 clone sends commands only up to 4 data bytes.
If I send 5 data bytes or more (like the Slewing commands) there is no response, no error and no prompt.
I verified on the oscilloscope that the adapter indeed does not send anything.
The command ATAL is simply ignored although it was answered with a fake 'OK'.
It is a fraud to sell this crap.
By the way: It is completely irrelevant if a chinese adapter claims to be version 1.5 or 2.1. They are all crap.
And I saw people complaining in internet about ELM327 adapters which have even less functionality than mine.

CAN Bus Debugger

CAN Bus Debugger / CAN Raw Terminal
Show Full Size
HUD ECU Hacker can also be used as CAN Bus Analyzer / CAN Bus Debugger / CAN Bus Terminal.
In Sniff Mode you can see the entire traffic on the CAN Bus (not only to the ECU) in real time.
You can set filters to show only the packets which you are interested in.
And the CAN Raw Terminal allows to send commands directly to any device on the CAN bus.

Normally you must buy expensive proprietary adapters for professional CAN bus analyzer software.
HUD ECU Hacker allows to use a cheap chinese J2534 clone or a UsbCAN adpter.

Download / Upload Flash Memory (MT05 only)

The heart of the the Delphi MT05 is a 16 bit Infineon processor.
The flash memory in the processor is divided into 4 areas:
  1. The Bootloader is required to start up the ECU.
    It will never be overwritten when flashing. This is a protected area.
  2. The Configuration Data will always change when you turn off the ignition key.
    The ECU stores non-volatile data here when you turn the ignition key off, like:
    fault codes, ignition counter, statistics, fuel learning (BLM), airflow learning and throttle learning.
    HUD ECU Hacker does not write into this area, but you can erase the content of this erea. See Reset EEPROM.
  3. The Calibration Tables are used to calculate the optimal operation of the motor depending on
    factors like speed, engine load and temperature, etc. They control fuel injection, spark timing, etc.
  4. The Firmware area contains the executable program code.
    You should normally not overwrite this area except you know exactly what you are doing.
Processor Delphi MT05 Delphi MT05.2
Model SAK-XC164CM-16F40F SAK-XC164CS-32F40BB
Flash Memory 128 kB 256 kB
RAM 8 kB 12 kB
Clock 32 MHz 32 MHz
Flash Memory Delphi MT05 Delphi MT05.2
Bootloader 000000 - 003FFF16 kB 000000 - 003FFF16 kB
Configuration Data 004000 - 004FFF4 kB 004000 - 004FFF4 kB
Calibration Tables 005000 - 007FFF12 kB 005000 - 00AFFF24 kB
Firmware 008000 - 01FFFF96 kB 00B000 - 03FFFF212 kB

HUD ECU Hacker can download the flash memory into a file (flash download).
HUD ECU Hacker can also program the flash memory from a file (flash upload).
In the main window you see the versions and the checksums of the flash memory areas.
Green means the checksum is correct. Red means it is wrong and will be fixed when uploading.

If you use a K-Line adapter execute the Echo Test to assure that it works correctly.
If you use an ELM327 adapter it must be a genuine OBDLink adapter.
Before flashing for the first time store your original flash file in a secure place!
If flashing of only the calibration tables goes wrong your ECU may still communicate over K-Line.
But if flashing the firmware area goes wrong your ECU will probably be bricked.

Tuning (MT05 only)

Tuning with Commercial Software

Tuning means to modify the calibration tables to get more power, cleaner emissions, or better fuel efficiency.
For tuning you normally have to purchase 2 expensive programs:

One program which only downloads and uploads the flash memory:
BitBox (250€, english) or CombiLoader (base: 21500 rouble + MT05: 8000 rouble)

Another program for editing the calibration tables:
BitEdit (100€, english) or ChipTuningPro (base: 2400 rouble + MT05: 10000 rouble)

Additionally you have to buy an USB dongle (30€) which protects their software from piracy.
BitEdit does not support all MT05 versions. Click here for a list of supported calibration versions.

While BitEdit shows 36 tables for the MT05 (in english), ChipTuningPro shows more than 200 tables.
BitEdit is compared with ChipTuningPro like a toy. It has bugs and shows some data and axis wrongly.

Other tuning software like ECM Titanium is even more expensive (> $1000 USD).

If you have a MT05 from Kohler or from Briggs & Stratton they sell you diagnostic software that is very restricted.
You are forced to buy their proprietary adapter (> $300 USD) which acts like a dongle.
Each time you start the software, it connects with their server and checks if you have a valid license.
The license is only valid for one year.

As you see clearly: All the tuning and even ECU scanning is a very profitable business. All these companies want your money.

IMPORTANT: A time consuming analysis must be done to get the correct meaning of scalars, tables, maps and their axes.
The companies which sell expensive tuning software do not invest the required time to do this tremendous work.
Doing a real analysis of each and every firmware version of each and every ECU model would result in a price that nobody is willing to pay.
So they enter much of the data by guessing and by copying it from other firmware versions, which results in a lot of wrong information.

Tuning with HUD ECU Hacker

With the charityware HUD ECU Hacker you save a lot of money by not having to buy commercial software.
Flash download, checksum correction and flash upload can also be done with HUD ECU Hacker.
Please do not forget to give a donation for using HUD ECU Hacker.

An issue with the MT05 is that each ECU firmware version stores the calibration tables at another address in the flash memory.
This means that there is no easy way to know how many tables exist and where each table starts and where it ends.
But HUD ECU Hacker analyzes the ECU assembler code and finds automatically 200 calibration tables and 500 scalar values.
It even finds the values and meaning of the axes of nearly all tables and maps by auto detection.
This works with all firmware versions and takes less than one second. The result is 100% reliable.
Calibration Editor
HUD ECU Hacker Delphi MT05 Calibration Editor
Show Full Size
3D Editor
HUD ECU Hacker Delphi MT05 3D Map Editor
Show Full Size
Hex Viewer
HUD ECU Hacker Delphi MT05 Hex Viewer
Show Full Size
Whenever you load a new flash memory BIN file it will be automatically analyzed and the result is written into a file.
This file has a name like "Firmware_5D06BA79.definitions" and contains the maps, tables, scalars and axes that were found.
The hex number in the filename "5D06BA79" is a CRC (similar to a checksum) of the firmware area in the flash memory.
Each firmware version will generate it's own definition file because each firmware version stores the calibrations at different addresses.
HUD ECU Hacker also detects the count of rows and columns and if the table data is 8 bit or 16 bit and if the data is signed or unsigned.

The auto-detection analyzes the assembler code in the ECU which gives reliable results independent of the firmware version.
The assembler code in the ECU is eternally long (printed on paper it would be one kilometer).
However HUD ECU Hacker does this analysis in less than a second. Here you see a snippet of the huge Delphi code:

c1768e f2 fc f8 f7     mov        r12,[0xF7F8]
c17692 f2 fd fc f7     mov        r13,[0xF7FC]
c17696 d7 40 01 03     extp       #0x301, #1  
c1769a f2 fe 22 29     mov        r14,[0x2922]
c1769e da c1 f8 14     calls      FUN_c114f8
c176a2 f0 c4           mov        r12,r4
c176a4 f6 fc f8 f7     mov        [0xF7F8],r12
c176a8 f2 fd fc f7     mov        r13,[0xF7FC]
c176ac 42 fd f8 f7     cmp        r13,[0xF7F8]
c176b0 fd 08           jmpr       cc_ULE,LAB_c176c2
c176b2 22 fd f8 f7     sub        r13,[0xF7F8]
c176b6 f6 fd f6 f7     mov        [0xF7F6],r13
c176ba e1 12           movb       RL1,#0x1
c176bc f7 f2 e6 f7     movb       [0xF7E6],RL1
c176c0 0d 08           jmpr       cc_UC,LAB_c176d2
As you see, assembler code is extremely cryptic. I spend several weeks in understanding what the ECU does internally.
I hope that you honor this tremendous work and be so honest to respect the charityware policy of HUD ECU Hacker.

Hex Viewer

The Hex Viewer shows how scalars, tables and maps are lined up in the calibration area of the flash memory.
Reverse Lookup tables appear with bold text.
Axis values are calculated by a formula. The parameters for the formula are not stored in the calibration area.

You will see mostly two white areas of approx 30 bytes at the beginning of the calibration area.
All white areas contain tables which are never used by the firmware or they are filled with zeroes.
These tables are orphans. They contain data, that may be used in other firmware versions.

There are other tables which don't have a header, so the length and type of data cannot be auto-detected.
They appear purple in the Hex Viewer.

The Hex Viewer can also compare two BIN files and show the differences.

Delphi Calibration Data

Please read this chapter in the help file.

Completing Auto-Detection Results

Please read this chapter in the help file.

Editing Calibrations

Please read this chapter in the help file.

Working with Patches

Please read this chapter in the help file.

Adapting to other ECU's

HUD ECU Hacker can be adapted to any ECU which uses the ISO 9141 / 14230 / 15765 protocol.
This is a process in 5 steps.
You need the ECU and a scantool or software from the vendor which understands the vendor specific ECU data.
The traffic between ECU and scantool must be captured and reverse engineered. Doing this is not illegal.

IMPORTANT: A Universal OBD2 Scantool which only shows OBD2 data is useless. HUD ECU Hacker can already display OBD2 data.
The OBD2 standard has been designed to verify that a vehicle complies the emission laws.
OBD2 gives very limited information because the manufacturers implement only few commands, just the minimum to fulfil the law.
OBD2 may only show you Vehicle Speed, Engine Speed, Coolant Temperature, O2 Sensor and Throttle Position, and that's it.
Generally ECU's can report much more details to the service technician, but in a proprietary and secret data format of the manufacturer.
Only an expensive scantool or software from the ECU vendor may give you this information, but not a "universal" OBD2 scantool for all vehicles.

For example for the Delphi MT05 the vendor specific command 30 allows data slewing.
And the vendor specific command 21 returns details like crankshaft errors, stepper motor position, block learning (BLM) and much more.
These details (90 scan parameters) can not be obtained with a "universal" OBD2 scantool or OBD2 computer software.
The response of command 21 01 is a proprietary and undocumented data packet from Delphi.
I obtained the meaning of this 100 byte packet by analyzing the ancient PCHUD software.
You can do the same for any other ECU if you have a scantool or software which shows these details.

Step 1. Sniff Data

When you enable the checkbox 'Sniff Mode' you can capture the traffic between the ECU and a scantool / OBD software.

Connecting an additional sniff adapter over a splitter cable to the K-Line will mostly not work.
The reason is that each adapter has a pull-up resistor (mostly 510 Ω) between K-Line and +12V.
When you connect 2 adapters the parallel pull-up resistor becomes 255 Ω.
Adapters and ECU have a current limitation to protect them from shortcuts.
Most adapters don't provide enough current (50 mA) to pull K-Line to ground over 255 Ω.
Depending on the pull-up resistor and the current limitation you will not capture anything or the scantool stops working.
Here you see the result of connecting two adapters at the same time. The voltage does not reach 0V anymore.
OBD2 Splitter Cable
Show Full Size
ISO14230 K-Line sniffing with 510 Ohm resistor
Show Full Size
It may also happen that you can sniff data as long as the motor is off.
But when the motor runs the battery voltage rises to 15V and now you don't capture data anymore or get crippled data.
The higher the battery voltage the more current is required to pull K-Line to ground.
However, there are also adapters with an internal pull up resistor of 1 kΩ. They may function unchanged.

The only bullet-proof solution is to modify an adapter and remove the SMD pull-up resistor between pin 7 and 16.
You can either convert an adapter into a sniff adapter by removing this resistor completely
or you can insert a switch into the adapter which allows to chose between normal mode and sniff mode.
Sniffing K-Line data with HUD ECU Hacker
Show Full Size
Sniffing CAN Bus data with HUD ECU Hacker
Show Full Size
No modification in the adapter is required for CAN bus sniffing.
The J2534 and ObdLink adapters require 4 pins to be connected.
If you use the UsbCAN adapter only 2 pins must be connected: CAN0H and CAN0L.

Store the sniffed data into a logfile by clicking the button 'Start Logging' in the Trace pane.
Navigate through all menus of the scantool to capture all commands.
IMPORTANT: If the logfile has many "Invalid Data" you have the wrong baudrate or the wrong protocol.

Step 2. Test the ECU Emulator

Connect HUD ECU Hacker to it's own Emulator to learn how to use it.
You can use a battery or the 12 Volt from a cheap computer power supply (yellow wire).

ELM327 / OBDLink adapters do not have the functionality required for the emulator.
J2534 adapters will not work with any protocol that uses the 5-baud initialization.
Use a K-Line adapter for K-Line Emulation.

For CAN Bus an additional 100 Ω or 120 Ω resistor between CAN Hi and CAN Lo is indispensable because adapters do not have it built-in.
K-Line ECU Emulator
Show Full Size
CAN Bus ECU Emulator
Show Full Size
For K-Line select "Delphi + Rongmao MT05.xml". For CAN bus select "Delphi MT05.3.xml".
Then in the Emulator window click "Open", then in the main window click "Connect".
Now you should see the data coming from the emulated ECU in the dashboard.
Change the values of command 21 01 or 22 21 01 in the emulator and study their effect on the display in the dashboard.

Step 3. Simulate the ECU

Please read this chapter in the help file.

Step 4. Enter the XML Commands and Parameters

Please read this chapter in the help file.

Step 5. Enter the XML Names and Descriptions

Please read this chapter in the help file.

Download and Installation

  HUD ECU Hacker version 4.8    (16 MB)

Windows may block the installer in the downloaded ZIP file because it has no digital certificate.
Please right click the ZIP file, select 'Properties' and check 'Unblock'.

You need the .NET framework 4.0 or higher. On Windows 10 this is already installed.

HUD ECU Hacker Toolbar

In the toolbar at the top you can then install the drivers.
The toolbar also has a button that brings you with one click to the Device Manager, where you see all COM ports.
The toolbar has a tooltip for each button which appears when you hold the mouse over it.
HUD ECU Hacker Screenshot - Install drivers
Show Full Size

Trouble Shooting

First try to connect with the parameter file Autodetect OBD2.xml which auto-detects the ECU's protocol, init mode and address.
All newer ECUs will respond to OBD2 commands.
Errors when connecting to the ECU:
If you have any problem you can send me a log file of the Trace pane with the error message.
You can write me in english, german or spanish.
But first read this help!
You find my email at the end of the help file.


Delphi MT05.3

Delphi does not produce the MT05 and MT05.2 anymore because the very old microprocessor is end of life.
Delphi sells now the successor MT05.3 which is Euro 5 compliant and uses CAN bus.
This ECU is a complely new development, using a modern 32 bit processor.
The consequence is that all my endless work for flashing the MT05 / MT05.2 is completely useless now for the MT05.3
May be some day in the future I will add support for flashing the MT05.3.
But this requires the work of another entire year of reverse engineering!

Rongmao MT05

The Rongmao MT05 sends the same scan parameters as the Delphi MT05, so it can be scanned with HUD ECU Hacker.
But apart from the identical case and the scan parameters this ECU has absolutely NOTHING in common with the Delphi MT05.
It has another PCB, different chips and processor and logically also another firmware than the Delphi MT05.
Rongmao MT05 ECU Board
Show Full Size
Rongmao has cut away the text on the processor so the model is unknown and reverse engineering is more difficult.
As you see this is a COMPLETELY different ECU, so flashing the Rongmao MT05 is not possible.
Rongmao has also changed the commands for flash upload/download and the security key.
Until today nobody was able to flash this ECU. I never heard of any PC software nor any scantool which can do this.

Chinese Fake MT05

Chinese fake clones of the MT05 or MT05.2 have appeared in the market which are garbage.
They are full of bugs and only the very basic OBD2 commands are implemented.
These ECU's are so extremely buggy that they are not even able to send a correctly formatted DTC response!
Detailed scan data is not available, Data Slewing and flashing are not supported.
There are even fake MT05 which respond only on CAN bus instead of K-Line. (The real MT05 / MT05.2 does not respond on CAN bus)
HUD ECU Hacker will detect when you have connected a fake ECU and show an error message.
On the real ECU's you see that "DELPHI" is engraved in the plastic of the cover. The fake does not have this.
Delphi MT05 Chinese FAKE ECU
Show Full Size

Overheating Risk

A big problem of all combustion motors is overheating. If cooling fails, the motor will be damaged.
A water cooled motor will reach 80 degree Celsius, max 95 degree.
If the motor is air cooled the temperature may reach 140 degree.
  1. The first damaged part will be the cylinder head gasket. As a result coolant will enter into the cylinders and vaporize.
    You will lose coolant through the exaust pipe. A vicious circle accelerating the damage.
    Replacing the gasket is expensive because the motor must be opened.
  2. If you drive longer with an overheated motor the cylinders will be ruined and you need a new motor.
The cause of overheating is a failure in the cooling system. This may be due to a defective ventilator or lack of coolant.
Some motorbikes (like my Regal Raptor) neither have a temperature display nor an overheating lamp.
This is a severe problem because the owner has no chance to check the temperature of the motor.
ATTENTION: The Delphi MT05 is so stupidly programmed that it does NOT protect the motor from overheating!
Although the ECU has a temperature sensor and knows the exact temperature, it will not turn the motor off when it becomes too hot.
The MIL/EFI light may turn on when it is already too late (Error P0117 at approx 200 degree) or it never turns on.
Check regularly if your motorbike has sufficient coolant! Use HUD ECU Hacker to check the current temperature.
If coolant disappears within a few days or weeks without a leak your motor is probably already damaged.

IACV Calibration

The IACV (Idle Air Control Valve) is like a bypass for the throttle valve.
It allows a small amount of air to enter into the engine while the throttle is closed.
If the IACV does not work correctly you may have the following problems:
The IACV has a stepper motor which moves a pintle precisely to a position between 0 and 255.

Position 0Position 255
Idle Air Control Valve IACV Idle Air Control Valve IACV
To maintain the stepper motor in the desired position a current must flow permanently which generates a magnetic field.
Therefore the stepper motor becomes warm although it does not move.
You can use the Data Slewing window to test the IACV while the engine runs.
If you enter a delta value of +30 steps, more air enters and you notice that the idle speed increases.
If you enter a delta value of -30 steps, less air enters, the idle speed decreases and the engine may stall.
Aprox 5 seconds after turning the ignition key off the ECU parks the IACV and stores the pintle position in flash memory.
The IACV has no sensor which reports the current mechanical position to the ECU.
The ECU simply trusts that the position stored in the flash memory is the same as the real mechanical position.
But the range which the stepper motor can move is wider than the programmable range from 0 to 255.
So if the ECU loses synchronisation with the mechanical position you will have one of the problems listed above.
I found the following way to calibrate the IACV (while the engine is off) with the older MT05 ECU.
  1. Take the IACV out so you can see the pintle position.
  2. Connect HUD ECU Hacker.
  3. In the Data Slewing window move the IACV to the absolute position 255.
  4. Now disconnect the battery so the ECU cannot store this position in the flash memory.
  5. Reconnect the battery. You should hear the fuel pump running. Now the ECU assumes the IACV in parking position.
  6. Repeat steps 2 to 5 until the pintle does not move anymore. The spring must be completely compressed.
  7. Now you have the pintle in the real mechanical position 255.
  8. In the Data Slewing window click Reset all presets in ECU which moves the pintle to the parking position.
  9. Turn off the ignition key. Now the ECU stores the correct parking position in flash memory.
  10. Mount the IACV back into it's place.
  11. When driving the next time the airflow self-learnig will adapt to the new conditions.
The newer MT05.2 already has the EEPROM Reset, which also adjusts the IACV, but in a different way.
The ICAV must be mounted in the throttle body while executing the EEPROM Reset.
The ECU will move the stepper motor until the pintle is mechanically blocked when the IACV is fully closed.
This will be the new position 0.
Play the logfile Regal Raptor 350 - IACV Idle Warmup.xml and create a graph with the preset IACV and Idle.
Here you see how the MT05 slowly adjusts the IACV during a 12 minute idle warm-up from 18 °C to 80 °C:

Idle Air Control Valve Target Position

Self Learning

The ECU adapts to changing load, atmospheric pressure and fuel quality to keep the emissions at a minimum while running in closed loop.
It also compensates a worn out fuel pump or a dirty air filter.
Based on the O2 sensor feedback, the short term adaption increases (> 0) or decreases (< 0) the amount of fuel to get the optimal air/fuel mix.
If the short term adaption (Integrator) deviates too much, the long term adaption will be adjusted.
The long term fuel adjustment is stored in a table which contains Block Learn Multipliers (BLM).
Multipliers have values between 0.0 and 2.0 where values > 1.0 mean more fuel and values < 1.0 mean less fuel.
The Delphi MT05 uses a table with 36 cells (16 bit) for each cylinder which is stored in the flash memory.
MAPTPS< 1900< 2800< 3750< 4500< 5800< 7200< 9000> 9000 rpm
< 30 kPa< 4 %Cell 0Cell 1Cell 2Cell 3Cell 4Cell 5Cell 6Cell 7
< 46 kPa< 10 %Cell 8Cell 9Cell 10Cell 11Cell 12Cell 13Cell 14Cell 15
< 62 kPa< 19 %Cell 16Cell 17Cell 18Cell 19Cell 20Cell 21Cell 22Cell 23
> 62 kPa> 19 %Cell 24Cell 25Cell 26Cell 27Cell 28Cell 29Cell 30Cell 31
Rolling Idle Cells
Cell 32Cell 33Cell 34Cell 35
The X and Y axis values come from the lookup tables 'BLM MAP Boundary', 'BLM TPS Boundary', and 'BLM RPM Boundary'.
The Y axis may be based on MAP compensated pressure or throttle position. This is defined by scalar 'BLM Load Option'.
The rolling idle cells are used when the engine is idling.
While the engine is running you see in the dashboard which cell the ECU is currently using and what is the value of this cell:

Block Learn Multiplier Cell

This capture is from logfile 'Regal Raptor 350 - Driving.xml' at 01:16:246
A long term correction factor of 1.015 means adding 1.5% more fuel.

The ECU also learns automatically which voltage of the throttle sensor corresponds to 0% throttle position (TPS auto-zero).


If some BLM cells reach the minimum or maximum adaption limit, the fault codes P0171 or P0172 will be generated.
These errors mean that there is a defect (IACV, injector, fuel pump, air filter) which the ECU cannot correct anymore.
If you get these errors you must reset the self learning data in the configuration area with the button Reset EEPROM which will:
  1. Erase the fuel self-learning data (BLM Table). All correction factors will be reset to 1.0 (no correction).
  2. Erase the airflow self-learning data (Airflow Table). All correction factors will be reset to 1.0 (no correction).
  3. Erase the throttle self-learning data (Auto-Zero). The throttle zero will be set to the default in the scalar 'TPS Raw Intercept'.
  4. Erase all statistics. This will reset all time counters (except total runtime), max temperature, max batt voltage, max speed,...
  5. Erase all historic DTC fault codes
  6. Reset the IACV pintle position
ATTENTION: If you do not repair the underlying hardware defect the errors P0171 / P0172 will come back soon.

You need the EEPROM reset also after replacing the throttle sensor.
After erasing the configuration data the ECU will write fresh data the next time you turn the ignition key off.

Some older MT05 firmware versions do not implement the command which HUD ECU Hacker uses when you click the button Reset EEPROM.
In this case you may have luck trying one of the following two options:
  1. Turn the ignition key off while pin 5 of the ECM plug is connected to ground (pin 2), then wait 10 seconds.
    This will only work if the scalar 'J1-16 Input Usage' is 1.
  2. Or turn the ignition key off, wait 10 seconds, turn the key 5 times on/off within 5 seconds, then (while off) wait another 10 seconds.
    This will only work if the scalar 'J1-16 Input Usage' is not 1.

Rescue a bricked MT05

If you have uploaded a wrong flash file or interrupted the upload you may have 'bricked' your ECU.
A 'bricked' ECU will neither allow to start the motor nor will it respond on K-Line.
'Bricked' means that your ECU is now as useful as a brick. Congratulations!
In this case you have to switch the ECU into 'bootloader mode' and then you can connect again.
Unplug the plugs J1 and J2 and connect the ECU only to the battery and the K-Line or J2534 or ELM327 adapter:
Rescue a bricked Delphi MT05
Show Full Size
You need one jumper between pins 10 and 17 and another jumper between pins 11 and 16.
This switches the ECU into 'bootloader mode' and allows to upload a valid flash file.
Additionally you connect +12V to pins 15 and 18, Ground to pin 2 and K-Line to pin 3.
The first 16 kB of the flash memory contain the bootloader.
This memory area will never be overwritten when you upload a flash file.
This assures that the bootloader stays always intact even when flashing goes wrong.

Crankshaft Position Sensor

The crankshaft position sensor reports the exact position of the crankshaft to the ECU.
The ECU needs this to calculate the moment of spark generation and of measuring the Intake Air Pressure sensor.
On the crankshaft there is a flywheel with teeth every 15 degree. Each tooth induces a pulse in a fixed pick up coil.
There are 24 positions on the 360 degree rotation. One of them is missing, so there are 23 pulses per rotation.
The gap from the missing tooth indicates the position near BDC (Bottom Dead Center) of cylinder 1.
Example: The motor runs with 1500 rpm. This is 1500 / 60 = 25 rotations per second = 40 ms per rotation.
This oscilloscope capture measured at ECU pin J2-04 shows the 25 * 23 = 575 pulses/second.
Delphi MT05 crankshaft sensor on oscilloscope
Show Full Size
The faster the motor runs the higher becomes the voltage.
The logfile Benelli TRK 251 (1 Cylinder).xml shows several CKP Sensor Errors which are increasing with the time.
But they are still not enough to turn the MIL/EFI indicator light on.


Lead-Acid batteries allow to easily detect their charge status by simply measuring the voltage while the ignition key is off.
At 12.8 Volt it is completely full.

Voltage and Aging of a lead acid battery

Very detailed information about batteries can be found at the Battery University.
The lifetime of a motorbike battery is approx one year when used frequently.
When the voltage of the fully charged battery drops below 9 Volt while cranking the battery should be replaced.
If the alternator / generator works correctly the voltage should be between 13.5 and 14.5 Volt while the engine is running.
If the regulator is defective and the voltage rises to more than 15 Volt the battery will be damaged.
Zurück zur Startseite
Back to start page