Cars
Great Wall Pickup Chevrolet Sail & Cruze JAC Motors (e.g. J3, J6) Lifan (e.g. 320, 520) Nanjing Yuejin Soyat (e.g. NJ7150)

Motorbikes	ATV's (All Terrain Vehicles)	Other
AJP (e.g. PR7) Benelli, Italy (e.g. BN600) Bullit (e.g. Hero 125) Geon (e.g. Invader 350) Hanway (e.g. NK125S) Hawk (e.g. DLX) Hunter, Australia (e.g. Bobber 350) Hyosung (e.g. GT650RC) Jawa, Argentina (e.g. Bobber 350) Jialing (e.g. JH200-8) Johnny Pag, USA (e.g. Spyder 300) Junak, Polonia (e.g. M16 320) Keeway (e.g. RKF 125) Leonart, Spain (e.g. Daytona 350) Lifan (e.g. LF250-P) Mash (e.g. Seventy Five) Regal Raptor (e.g. Raptor 350) Riya scooters Scomadi scooters Quadro scooters Zhejiang (e.g. TR125) Zongshen (e.g. RX3)	Aeon (e.g. Cobra) Baltmotors (e.g. Jumbo) Bennche (e.g. Bighorn 400) CFmoto (e.g. Terralander X8) HiSUN (e.g. 700 EFI) Hytrack (french rebranding) Linhai (e.g. T-BOSS 550) Masai (french rebranding) Massimo (e.g. Alligator 700) Odes (e.g. 800) Qlink (e.g. FrontRunner 700) SMC (e.g. MBX 850) Speed Gear (e.g. Buggy 600) Stels (e.g. 800 Guepard) Trapper (e.g. 500) Wels (e.g. ATV 800)	Briggs & Stratton (Lawn Mowers, Marine motors, generators) Kohler (Lawn mowers)

	K-Line / VAG Adapter	J2534 Adapter	ELM327 / OBDLink Adapter
Advantage	As there is no intelligence in the adapter even the counterfeit are working perfectly. You can also make your own cheap DIY adapter with 2 transitors.	Professional adapters that support K-Line, J1850, CAN. They are technically the best choice.	Hobbyist adapters that support K-Line, J1850, CAN. There is no advantage over J2534 adapters.
Disadvantage	No support for J1850 and CAN bus. But K-Line is sufficient for the MT05. Timing depends on computer speed.	The genuine are expensive. However the chinese counterfeit adapter from VISLONE works fine.	Misdesigned (see below) Most adapters in internet are fake. Sniff Mode and ECU Emulator do not work.
Summary	OK	recommended	deprecated
Price Genuine	$5 USD	$180 ... $500 USD	OBDLink: $40 USD
Price Counterfeit	$5 USD	$33 USD (VISLONE)	$10 USD DO NOT BUY!
Poll Speed	200 ms	280 ms	320 ms (USB), 335 ms (Bluetooth)

Then you can either use a crimping plier or solder the wires to the contacts and build your cable as shown in this video.

1b) Buy a complete ECM Cable

If you have time you can also buy a complete cable in China. Shipping may take between 1 and 3 months.

Cable USB to ECM from Taobao

Show Full Size

Cable J1962 to ECM from AliExpress

Show Full Size

The red cable from Taobao has a very limited support of baudrates.

In the window "Configure Adapter" you must switch to Fast Init Mode 2 otherwise you get a timeout when connecting.

K-Line Adapter Echo Test

I discovered 2 severe problems with cheap chinese USB to RS232 adpaters containing the widely used CH340 chip.

Problem: The defective driver from the manufacturer WinChipHead produced a blue screen.

This happend when the computer went to sleep or was shut down while the USB cable of the adapater was plugged in.

Solution: I found that the latest driver version 3.5 from 2019 (which is WHQL certified) fixes this problem.

I implemented the installation of the driver version 3.5 into HUD ECU Hacker (toolbar button "Install USB driver").

Problem: I found that several of my CH340 adapters sometimes send crippled data. Mostly they send 0x00 instead of 0xFA.

Solution: There is no solution. These adapters are garbage and must be thrown into the dustbin.

The faulty adapters have firmware version 2.54. I found another one with firmware version 2.63 which works correctly.

Therefore I implented the Echo Test into HUD ECU Hacker. It sends data to the K-Line adapter and verifies the echo.

Here you see the test result of a faulty CH340 adapter:

Echo test detects CH340 bug

You can execute the echo test after connecting the K-Line / VAG adapter to the motorbike.

But turn the ingnition key OFF so the ECU switches to sleep mode.

The echo test will fail if you connect only the adapter over USB to the computer. The +12V are required.

The +12V at the ECM plug are connected directly to the battery and are not affected by the ignition key.

You can also test the pure USB to RS232 adapter by connecting RxD (pin 2) directly to TxD (pin 3).

Option 2: J2534 Adapter (recommended)

J2534 adapters are the recommended choice. They support K-Line, J1850, and CAN bus.

J2534 (PassThru) is an international standard for reprogramming ECU's.

If you are interested in the details read the API Documentation (PDF) for programmers.

The genuine J2534 adapters (for example Tactrix OpenPort or Drewtech Mongoose) are very expensive ($180 ... $500 USD).

But there are also chinese clones like the VISLONE Tactrix Scanner for 30€ which works perfectly with HUD ECU Hacker.

Show Full Size

Genuine Adapter

Show Full Size

Genuine Adapter

Show Full Size

When you plug in the adapter for the first time Windows installs a default driver and assigns a COM port.

ATTENTION: This is the wrong driver and the COM port will never work.

In the HUD ECU Hacker toolbar (button "Install USB driver") you can install the original Tactrix driver.

After installing the correct driver the COM port will disappear and a J2534 device will show up in Control Panel:

Option 3: ELM327 Adapters (deprecated)

There are 3 types of ELM327 adapters:

Chinese ELM327 clones:
The internet is full of fake ELM327 adapters. You find them on eBay, Amazon, AliExpress, etc.
All these adapters are garbage. The Chinese did not even implement half of the command set.
You send a command to the adapter, it answers with 'OK' but it does not execute the command.
These adapters are fraud. All adapters for less than $40 USD are fake!
DO NOT BUY THIS CRAP!
If you already have one you can use it to scan the parameters, but Sniff Mode, ECU Emulator, Data Slewing and Flash Up/Download will not work.
Genuine ELM327 adapters:
Genuine ELM327 adapters have the ELM327 chip inside. Download Datasheet (PDF)

ELM Electronics sells only the ELM327 chip ($21 CAD), but they do not offer an own adapter.
Genuine adapters are difficult to find because very few companies offer them: WGsoft (105€), Warenhuis (109€).
But even if you have a genuine adapter, Flash Upload will not work because they do not support to set a long timeout.
Genuine OBDLink adapters:
Genuine OBDLink adapters have a STN11XX chip inside. Download Datasheet (PDF)

They are sold by Scantool and ObdLink ($40 USD).
They implement the same AT commands as genuine ELM327 adapters and have additional ST commands.
If you want to use an ELM327 adapter you should ONLY buy it from Scantool or OBDLink.
My adapter was sold with a very old firmware. Don't forget to update the firmware.
Even in a genuine OBDLink adapter I found a severe bug. But I also found a workaround.
Even with the genuine OBDLink adapters Sniff Mode and ECU Emulator will not work and the command ATSW00 is ignored.

ELM327 adapters are a misdesign.

They have too many commands which makes programming complicated.

Instead of leaving the intelligence in the controlling software (as J2534 adapters do) all the intelligence is in the chip.

The chip must be configured with hundreds of commands.

Instead of transmitting binary data directly (as J2534 adapters do), they use ASCII strings, which is simply a bad design.

Instead of using internally an USB capable processor (as J2534 adapters do) they convert USB first to RS232 which is slower
and the COM port must be configured with the correct baudrate, while J2534 adapters neither need COM ports nor baudrates.

Another issue is that the ELM327 can store configuration in non-volatile memory resulting in not predetermined behaviour.

So, if you already have a genuine OBDLink adapter it will support all functionality except Sniff Mode and ECU Emulator.

But if you don't have an adapter yet, do not buy it. Buy a K-Line or better a J2534 adapter instead.

Diagrams of a genuine adapters:

EML327

Show Full Size

OBDLink

Show Full Size

Counterfeit ELM327 Adapters

Chinese Clone

Show Full Size

Chinese Clone

Show Full Size

Some chinese USB adapters use a counterfeit PL2303 chip (right photo) which converts from USB to RS232.

On Windows XP and Windows 7 this works perfectly.

But on Windows 8 and 10 the latest drivers from Prolific detect the counterfeit chip and refuse to work.

The driver returns the undocumented Error 433: "A device which does not exist was specified."

If you connect the adapter and Windows 10 does not find an installed driver it downloads the latest version 3.8

from Windows Update and you will see a yellow exclamation mark or a 'PHASED OUT' error:

Device Manager Error Prolific counterfeit PL2303 chip

Do not use the drivers from a CD or from Windows Update.

I have implemented the driver installation into the toolbar at the top of HUD ECU Hacker.

Install the Prolific driver version 3.3 from 2008 which also works on Windows 8 and 10.

Counterfeit ELM327 Bluetooth Adapters

Chinese Clone

Show Full Size

Chinese Clone

Show Full Size

On the right photo you see that there are several SMD parts missing (4 transistors and 16 passive components).

This means that the J1850 bus will not work. Only CAN and K-Line are implemented.

If a vendor sells this as a universal ELM327 adapter, this is a fraud.

However, the J1850 bus was used by older GM and Ford vehicles, but is not used in modern cars anymore.

Installing a Bluetooth Adapter

Follow these steps on Windows 10 to add a bluetooth adapter: (on Windows 7 it is similar)

Show Full Size

If it was successful you see 2 COM ports in device manager:

Device Manager Bluetooth ELM327 COM ports

One of the COM ports will work while the other one will not be functional.

Simply open the COM ports in HUD ECU Hacker and try them (the LED "PC" on the adapter should flash).

KWP 2000 Protocol

The Keyword 2000 protocol (KWP) is defined in ISO 14230.

The transfer is like RS-232, sending the least significant bit first, but voltage is inverted.

ISO 14230 describes 2 ways to start the communication with the ECU: fast init and slow init.

With slow init the computer must wake up the ECU by sending a byte 0x33 with 5 baud. This is extremely slow.

With fast init the computer must send a byte 0xF0 with 200 baud.

If you are interested in the details read the K-Line Communication Description (PDF).

The MT05 uses fast init.

This means that the K-Line goes low for exactly 25 ms and then high for 25 ms. After that the communication starts with 10400 baud.

The first command which is sent to the ECU is Start Communication which is the byte 0x81.

This byte is embedded into a packet which starts with a header and ends with a checksum.

Here you see the fast init, followed by the command 'Start Communication' and the response from the ECU.

ISO14230 K-Line 'Start Communication' on oscilloscope

Show Full Size

There are long pauses between the bytes:

ISO14230 K-Line inter byte delays on oscilloscope

Show Full Size

In detail the command 'Start Communication' (Service = 81) looks like this:

Command (from PC):	81 11 F1 81 04
Response (from ECU):	83 F1 11 C1 EF 8F C4

The MT05 uses the address 11. The application on the PC (the tester) uses the address F1.

The MT05 responds with 2 key bytes EF and 8F which define how the ECU wants the commands to be formatted.

They define how to transmit the packet length and if the source/target addresses are to be sent.

You see the meaning of the key bytes in the Trace pane in magenta when connecting.

Command 'Start Communication'			Response Short (1...63 data bytes)
Header 1	81	80 + length of data (1 byte)	Header 1	83	80 + length of data (3 bytes)
Header 2	11	Destination address (ECU)	Header 2	F1	Destination address (tester)
Header 3	F1	Source address (tester)	Header 3	11	Source address (ECU)
Data 1	81	Service 'Start Communication'	Data 1	C1	Service confirmation = 81 + 40
Checksum	04	81+11+F1+81 = 04	Data 2	EF	Payload byte 1 (bit flags)
			Data 3	8F	Payload byte 2 (always 0x8F)
			Checksum	C4	83+F1+11+C1+EF+8F = C4

The first header byte is called format byte.

It may contain the packet length and it's bits define if addresses are sent and the type of addresses (physical, functional).

To simplify reading the binary data HUD ECU Hacker displays the data bytes in parenthesis in the Trace pane:

81 11 F1 ( 81 ) 04

83 F1 11 ( C1 EF 8F ) C4

The other bytes are not really interesting as they are generated automatically.

If the ECU does not understand a command it sends 7F (failure) in the byte 'Data 1' of the response.

The following table shows a long response (102 data bytes) which contains an additional length byte (header 4).

Command 'Read Data'			Response Long (64...255 data bytes)
Header 1	82	80 + length of data (2 byte)	Header 1	80	Extra length byte follows
Header 2	11	Destination address (ECU)	Header 2	F1	Destination address (tester)
Header 3	F1	Source address (tester)	Header 3	11	Source address (ECU)
Data 1	21	Service 'Read Data'	Header 4	66	Length of data (102 byte)
Data 2	01	Subfunction 1	Data 1	61	Service confirmation = 21 + 40
Checksum	A6	82+11+F1+21+01 = A6	Data 2	01	Subfunction confirmation = 01
			Data 3	...	Payload byte 1
			Data 102	...	Payload byte 100
			Checksum	...	80+F1+11+66+61+01+...

HUD ECU Hacker tries first to connect with the physical address defined in the parameter XML file (Default = 0x11).

If this fails it waits 5 seconds and tries again with the functional address 0x33.

A physical address (format byte contains 0x80) means that one specific device on a bus is addressed.

A functional address (format byte contains 0xC0) is like a broadcast address to a group of devices.

There are functional addresses for Steering Controllers, ABS Systems, Air Condition, Audio, Lightning, etc.

The functional address 0x33 is used to address "Engine Controllers" (ECUs).

As normally only one ECU is connected this can be used when the physical ECU address is unknown.

As you see here the ECU responds to the functional address 0x33 with it's physical address 0x11:

C1 33 F1 ( 81 ) 66

83 F1 11 ( C1 EF 8F ) C4

The Delphi MT05 does not need functional addressing, but there are strange ECU's which do not respond to their own physical address!

Keep-Alive

If the ECU does not receive commands it switches to sleep mode after 5 seconds.

While HUD ECU Hacker is polling data this will never happen because polling takes place 3 to 5 times per second.

Only if you switch to manually enter commands (in the Trace pane), polling stops and HUD ECU Hacker sends a Keep-Alive every 3 seconds.

Command (from PC):	81 11 F1 3E C1
Response (from ECU):	81 F1 11 7E 01

PCHUD

The Delphi manuals for MT05 and for MT20 explain a software 'PCHUD'.

Previously this was the only software that could communicate with these ECU's.

PCHUD (Hands Up Display for PC) is a very old program from Delco Electronics written in 1993 for Windows 3.

Show Full Size

Today it is practically impossible to find this software in internet.

I found lots of dead links and a fake PCHUD download on a chinese website which was a trojan.

But in the forum China Riders I found a thread from the (ex)user 'katflap' talking about PCHUD.

Only thanks to 'katfalp' I could still in the year 2020 download and test this software.

This ancient 16 bit program does not run on 64 bit Windows because Microsoft has removed the support for 16 bit applications on 64 bit platforms.

Running it on a 32 bit Windows in the 16 bit emulator (NTVDM.exe) I notice that it permanently occupies 100% of one CPU core.

While PCHUD is displaying the data from the ECU it sends every 200 ms the same command (21 01) which the ECU responds with a data block of 100 bytes.

This 'parameter polling' looks like this:

Show Full Size

It was a lot of work to analyze which meaning has each of the 100 bytes in the response

and to find the formulas which convert the raw values into temperature, voltage and pressure.

HUD ECU Hacker

The ancient PCHUD from Delco is obsolete because

it does not run on 64 bit Windows
it occupies permanently 100% of a CPU core
it cannot be connected over an ELM327 or J2534 adapter (which did not exist in 1993)
it cannot clear the DTC fault codes (the menu is permanently grayed out)
it can only display 36 parameters at the same time
it shows the gauge for negative values wrongly
it is clumsy to use and uses undocumented PAR, HUD, SLW, LGC, LGG, SCR, CFG and PLY files

The new HUD ECU Hacker from ElmüSoft

runs on Windows XP, 7, 8 and 10
runs on 32 bit and 64 bit Windows
uses the .NET framework 4.0 or higher
connects to the ECU via K-Line/VAG or ELM327 / OBDLink or J2534 adapter
shows the entire communication with the adapter in the Trace pane
shows all 90 parameters at once in a user-configurable dashboard
shows detailed tooltips for all parameters and their meaning
can be configured 100% by the user by editing an XML parameter file in a text editor (e.g. Notepad++)
the user can enter formulas to convert raw data into temperature, voltage or pressure
shows fault codes (DTC) with a text explanation
can clear fault codes
can capture the data from the ECU in a logfile
can emulate any ISO 14230 ECU
can export a logfile to a CSV file
can ceate graphs from a logfile
can download the flash memory from the Delphi MT05
can program the flash memory with the calibration tables and ECU firmware
automatically detects the addresses and types of maps, tables, scalars and DTC codes in the flash memory
has a built-in Hex viewer which shows the binary flash memory
has full tuning support (editing calibration maps, tables, scalars), also with 3D Editor
can upload the proprietary Delphi calibration files (CAL, PTP, CUT) to the ECU
the user can create Patch files which contain the changes to be applied to a flash file before uploading
automatically installs the Windows drivers for the USB to RS232 adapter / ELM327 adapter
allows you to manually enter commands and send them to the ECU for testing
can sniff the data traffic on the bus (for example from a scan tool or from another OBD software)
is optimized in each line of it's code for the highest possible speed
can be adapted to any ISO14230 compliant ECU by editing 3 XML files
has multi-language support. You can translate the user interface and scan parameters into any language.

In contrast to all other OBD2 software HUD ECU Hacker is not commercial paid software.

Also, HUD ECU Hacker will never show you any advertising.

HUD ECU Hacker is the result of more than a year intense programming.

There is absolutely no documentation about the internals of the MT05.

All information you see in HUD ECU Hacker is based on reverse engineering which costs a lot of time.

However, this program is sharityware, which means that the author does not earn any money with it.

But if this program has helped you saving money by not needing expensive commercial software
or an expensive scan tool you are asked to give a donation to a non-profit organization of your choice.

Like for example Shanti Bavan, a project which gives education for free to the poorest of the poor in India.

There is an excellent documentary about this very special residential school on Netflix: Daugthers of Destiny

Apart from that HUD ECU Hacker has been designed to be community software.

Every user can adapt the program to his needs.

When you have adapted the XML parameter file for another ECU, you are asked to send it to me for publishing it.

HUD ECU Hacker - Control

This screenshot shows the playback of the logfile Regal Raptor 350 - Error Clearing.xml

I disconnected the plug of one oxygen sensor.
The plug has 4 pins: Two for the sensor and two for the heater. (See circuit diagram of MT05 above)
After turning on the ignition key the ECU immediately alerted error P0037. I did not even start the motor.
HUD ECU Hacker translates the fault codes into human understandable messages.
The error was first reported as Current.
Then I turnd off the ignition, reconnected the oxygen sensor and turned on ignition again.
Now the ECU detected that the error is not present anymore and reported it as Historic.
Then I recorded the logfile
At 00:00:10.200 I clicked the button Clear Fault Codes which removed the fault code.

Clearing Fault Codes (DTC)

The button "Clear Fault Codes" clears the historic fault code(s) from the non-volatile ECU memory.

But if a fault is still present it will not be cleared: You click the button and nothing happens.

This button will clear only historic fault codes which are not present anymore.

The MIL / EFI lamp is only on if there is a current fault present. It is off if there are only historic DTC's.

Some current faults disapear immediately when the fault has been fixed (e.g. Oxygen sensor cable disconnected).

Other current faults will disapear alone after driving some minutes.

Some historic fault codes are erased automatically after driving 30 times without further faults.

The ECU can report multiple Current DTC's at once and it can store multiple Historic DTC's.

If there are multiple DTC's present, they are displayed alternating once a second in the Dashboard.

You see all faults at once with their status when you click the button Show Fault Codes.

If you get the fault codes P0171 or P0172 please read the chapter Self-Learning.

HUD ECU Hacker - Data Grid

This screenshot shows the playback of the logfile Regal Raptor 350 - Starting Motor.xml

At 00:00:16.831 I turned the throttle up to the maximum with the motor not running.

At 00:00:32.712 I started the motor. You see that the ignition voltage drops down to 9.2 Volt.

At 00:01:55.106 I turned the throttle again, now with the motor running.

At 00:02:25.260 I pressed the kill switch (red button). The ignition voltage goes down to 0 Volt.

While recording this logfile the motorbike was standing still (not driving).

For each parameter you see the raw value and it's meaning and the minimum and maximum values.

A gauge displays the value graphically. If the value can also be negative, the gauge starts in the middle.

Values that have changed since the previous sample have a yellow background. You can turn off this highlighting.

HUD ECU Hacker - Dashboard

Show Full Size

This screenshot shows the playback of the logfile Regal Raptor 350 - Driving.xml

At 00:00:35.878 I started the motor. The ignition voltage drops down to 7.7 Volt

At 00:00:39.488 the motor turned off alone because it ran too slow.

At 00:00:42.113 I started the motor again and drove around the block (not fast, ony first and second gear).

At 00:02:57.941 I pressed the kill switch.

On the screenshot above you see a tooltip which appears when you hold the mouse over a parameter.

Some parameters have a wrench icon.

You can click on it and modify these values in the ECU. See Data Slewing.

The dashboard can be configured 100% by the user after checking the checkbox Edit Mode below.

You can create, edit and delete groups and assign parameters to them.

You can move around the groups, change the order of parameters and drag and drop them to another group.

HUD ECU Hacker Screenshot - Gauge Configuration

In this dialog you can configure a value parameter.

The ignition voltage has a minimum of 0 Volt and a maximum of 32 Volt.

You can restrict the range of the gauge to something more useful like 7 V to 16 V.

When you set an alarm the parameter will be displayed in red if the value exceeds the given limits.

HUD ECU Hacker - Graph

Show Full Size

These images are graphs created from the logfile Regal Raptor 350 - Driving.xml

You can chose the parameters that you want to include.

If you want more sophisticated graphics you can export the data to CSV and load it into the LiveLink Gen-II software (70 MB).

HUD ECU Hacker - Trace

Show Full Size

In this screenshot you see the Trace pane which shows all the communication with the adapter.

Blue are the commands sent and green are the responses received.

The KWP packtes show the data bytes in parenthesis: Header ( Data ) Checksum.

With the checkbox Inject Commands at the bottom you can send your own commands to the ECU for testing.

For the purpose of hacking you can also enter XX, which will be replaced with all values from 00 to FF.

For example if you enter '21 XX' HUD ECU Hacker will send 256 commands from '21 00' to '21 FF' to the ECU.

Recording Logfiles

Below in the Trace pane with the button Start Logging you can create logfiles after connecting to the ECU.

You can also record a log file while you are driving.

Connect the cables and put a notebook into a saddlebag or backpack.

Show Full Size

Data Slewing

The MT05 allows to manually modify some of the parameter values which have been measured or calculated.

The purpose of data slewing is to analyze an engine which is not running correctly.

You can set absolute (fix) preset values or you can add a delta (± offset) to the current ECU values.

First set all the preset values that you want to change in the list at the left with the trackbar or with the button 'Set in list'.

Then click 'Send all presets to ECU'. These changes have effect on the running motor.

After setting Idle RPM Target to 2500 rpm you will hear how the motor slowly becomes faster.

Even if the engine is off you can set Fuel Pump Duty Cycle to 15% and you hear the fuel pump running quietly.

And with IACV Target Step you can move the stepper motor of the Idle Air Control Valve.

Delphi MT05 Data Slewing Idle RPM Target

Show Full Size

This graph shows the logfile Regal Raptor 350 - Data Slewing.xml where the engine was running idle with 1400 rpm.

At 00:00:29.806 I have set the preset value Idle RPM Target to 2500 rpm. The ECU slowly adapted the idle speed.

At 00:01:12.480 I switched off the slew preset.

NOTE: On a Benelli TRK251 (1 cylinder) you can set the idle speed target but the engine speed is not adjusted correctly.

The modified values are not stored in the non-volatile memory of the ECU.

However this feature is for experts only. Wrong values can produce knocking or stall the motor.

I saw that the ECU does not go to sleep mode after changing some of the values.

Do not forget to click 'Reset all presets in ECU' when you are finished with your tests.

ATTENTION:

Data Slewing does not work with my chinese ELM327 adapters. But J2534 and K-Line adapters do work.

The ELM327 Datasheet says (page 31) that the ELM327 limits the bytes that can be sent to the maximum for OBD2.

Therefore HUD ECU Hacker sends the command ATAL which allows longer commands.

My chinese adapter answers ATAL with 'OK', but it still refuses to send more than 4 data bytes.

You will see a timeout error in HUD ECU Hacker.

ELM327 Terminal

As there are so many problems with chinese ELM327 clones I implemented the ELM327 Terminal.

Here you can test your adapter by sending commands and studying the responses.

The screenshot shows that my ELM327 clone sends commands only up to 4 data bytes.

If I send 5 data bytes or more (like the Slewing commands) there is no response, no error and no prompt.

I verified on the oscilloscope that the adapter indeed does not send anything.

The command ATAL is simply ignored although it was answered with a fake 'OK'.

It is a fraud to sell this crap.

By the way: It is completely irrelevant if a chinese adapter claims to be version 1.5 or 2.1. They are all crap.

And I saw people complaining in internet about ELM327 adapters which have even less functionality than mine.

Download / Upload Flash Memory

The heart of the the Delphi MT05 is a 16 bit Infineon processor.

The flash memory in the processor is divided into 4 areas:

The Bootloader is required to start up the ECU.
It will never be overwritten when flashing. This is a protected area.
The Configuration Data will always change when you turn off the ignition key.
HUD ECU Hacker does not write into this area. The ECU stores non-volatile data here, like:
fault codes, ignition counter, statistics, fuel learning (BLM), airflow learning and throttle learning.
The Calibration Tables are used to calculate the optimal operation of the motor depending on
factors like speed, engine load and temperature, etc. They control fuel injection, spark timing, etc.
The Firmware area contains the executable program code.
You should normally not overwrite this area except you know exactly what you are doing.

Processor	Delphi MT05		Delphi MT05.2
Model	SAK-XC164CM-16F40F		SAK-XC164CS-32F40BB
Flash Memory	128 kB		256 kB
RAM	8 kB		12 kB
Clock	32 MHz		32 MHz
Flash Memory	Delphi MT05		Delphi MT05.2
Bootloader	000000 - 003FFF	16 kB	000000 - 003FFF	16 kB
Configuration Data	004000 - 004FFF	4 kB	004000 - 004FFF	4 kB
Calibration Tables	005000 - 007FFF	12 kB	005000 - 00AFFF	24 kB
Firmware	008000 - 01FFFF	96 kB	00B000 - 03FFFF	212 kB

HUD ECU Hacker can download the flash memory into a file (flash download).

HUD ECU Hacker can also program the flash memory from a file (flash upload).

In the main window you see the versions and the checksums of the flash memory areas.

Green means the checksum is correct. Red means it is wrong and will be fixed when uploading.

ATTENTION:

If you use a K-Line adapter execute the Echo Test to assure that it works correctly.

If you use an ELM327 adapter it must be a genuine OBDLink adapter.

Before flashing for the first time store your original flash file in a secure place!

If flashing of only the calibration tables goes wrong your ECU may still communicate over K-Line.

But if flashing the firmware area goes wrong your ECU will probably be bricked.

See Rescue a bricked MT05.

Tuning

Tuning with Commercial Software

Tuning means to modify the calibration tables to get more power, cleaner emissions, or better fuel efficiency.

For tuning you normally have to purchase 2 expensive programs:

1.)

One program which only downloads and uploads the flash memory:

BitBox (250€, english) or CombiLoader (base: 21500 rouble + MT05: 8000 rouble)

2.)

Another program for editing the calibration tables:

BitEdit (100€, english) or ChipTuningPro (base: 2400 rouble + MT05: 10000 rouble)

Additionally you have to buy an USB dongle (30€) which protects their software from piracy.

BitEdit does not support all MT05 versions. Click here for a list of supported calibration versions.

While BitEdit shows 36 tables for the MT05 (in english), ChipTuningPro shows more than 200 tables.

BitEdit is compared with ChipTuningPro like a toy. It has bugs and shows some data and axis wrongly.

3.)

Other tuning software like ECM Titanium is even more expensive (> $1000 USD).

4.)

If you have a MT05 from Kohler or from Briggs & Stratton they sell you diagnostic software that is very restricted.

You are forced to buy their proprietary adapter (> $300 USD) which acts like a dongle.

Each time you start the software, it connects with their server and checks if you have a valid license.

The license is only valid for one year.

As you see clearly: All the tuning and even ECU scanning is a very profitable business. All these companies want your money.

IMPORTANT: A time consuming reverse engineering must be done to get the correct meaning of scalars, tables, maps and their axes.

The companies which sell expensive tuning software do not invest the required time to do this tremendous work.

Doing a real reverse engineering of each and every firmware version of each and every ECU model would result in a price that nobody is willing to pay.

So they enter much of the data by guessing and by copying it from other firmware versions, which results in a lot of wrong information.

Tuning with HUD ECU Hacker

With the sharityware HUD ECU Hacker you save a lot of money by not having to buy commercial software.

Flash download, checksum correction and flash upload can also be done with HUD ECU Hacker.

Please do not forget to give a donation for using HUD ECU Hacker.

An issue with the MT05 is that each ECU firmware version stores the calibration tables at another address in the flash memory.

This means that there is no easy way to know how many tables exist and where each table starts and where it ends.

But HUD ECU Hacker analyzes the ECU assembler code and finds automatically 200 calibration tables and 500 scalar values.

It even finds the values and meaning of the axes of nearly all tables and maps by auto detection.

This works with all firmware versions and takes less than one second. The result is 100% reliable.

Calibration Editor

Show Full Size

3D Editor

Show Full Size

Hex Viewer

Show Full Size

Whenever you load a new flash memory BIN file it will be automatically analyzed and the result is written into a file.

This file has a name like "Firmware_5D06BA79.definitions" and contains the maps, tables, scalars and axes that were found.

The hex number in the filename "5D06BA79" is a CRC (similar to a checksum) of the firmware area in the flash memory.

Each firmware version will generate it's own definition file because each firmware version stores the calibrations at different addresses.

HUD ECU Hacker also detects the count of rows and columns and if the table data is 8 bit or 16 bit and if the data is signed or unsigned.

The auto-detection analyzes the assembler code in the ECU which gives reliable results independent of the firmware version.

The assembler code in the ECU is eternally long (printed on paper it would be one kilometer).

However HUD ECU Hacker does this analysis in less than a second. Here you see a snippet of the huge Delphi code:

c1768e f2 fc f8 f7     mov        r12,[0xF7F8]
c17692 f2 fd fc f7     mov        r13,[0xF7FC]
c17696 d7 40 01 03     extp       #0x301, #1  
c1769a f2 fe 22 29     mov        r14,[0x2922]
c1769e da c1 f8 14     calls      FUN_c114f8
c176a2 f0 c4           mov        r12,r4
c176a4 f6 fc f8 f7     mov        [0xF7F8],r12
c176a8 f2 fd fc f7     mov        r13,[0xF7FC]
c176ac 42 fd f8 f7     cmp        r13,[0xF7F8]
c176b0 fd 08           jmpr       cc_ULE,LAB_c176c2
c176b2 22 fd f8 f7     sub        r13,[0xF7F8]
c176b6 f6 fd f6 f7     mov        [0xF7F6],r13
c176ba e1 12           movb       RL1,#0x1
c176bc f7 f2 e6 f7     movb       [0xF7E6],RL1
c176c0 0d 08           jmpr       cc_UC,LAB_c176d2

As you see, assembler code is extremely cryptic. I spend several weeks in understanding what the ECU does internally.

I hope that you honor this tremendous work and be so honest to respect the sharityware policy of HUD ECU Hacker.

Hex Viewer

The Hex Viewer shows how scalars, tables and maps are lined up in the calibration area of the flash memory.

Reverse Lookup tables appear with bold text.

Axis values are calculated by a formula. The parameters for the formula are not stored in the calibration area.

You will see mostly two white areas of approx 30 bytes at the beginning of the calibration area.

All white areas contain tables which are never used by the firmware or they are filled with zeroes.

These tables are orphans. They contain data, that may be used in other firmware versions.

There are other tables which don't have a header, so the length and type of data cannot be auto-detected.

They appear purple in the Hex Viewer.

The Hex Viewer can also compare two BIN files and show the differences.