Close
Translate this page to:  

HUD ECU Hacker

HUD ECU Hacker is a universal OBD scanner software.
It can even be used with ECU's which are not OBD2 compliant.
HUD ECU Hacker is sharityware.
It can be configured 100% by the user in an XML file.
By defining the commands, parameters and formulas it can be adapted to other ECU's.

OBD2 Scanner

I have a Regal Raptor 350 motorbike (still sold in 2020) which always ran perfectly...
Motorbike Regal Raptor 350
Show Full Size
...until one day the EFI light turned on, which indicates a fault. (EFI = Electronic Fuel Injection)
On other motorbikes it is named MIL (Malfunction Indicator Lamp) or CEL (Check Engine Light) or FI (Fault Indicator).
Regal Raptor EFI Lamp
Show Full Size

Although the engine was running without noticeable problem, something was wrong.

I read in internet that all modern cars and motorbikes have an OBD2 plug (OBD = On Board Diagnostics).
The ECU (Engine Control Unit) of the vehicle informs about the cause of the fault by returning a DTC (Diagnostic Trouble Code).

I searched for OBD scanner software which shows me this error code.
I found that nearly all software is paid software and not working without buying a license.
Or even worse: Some companies sell software together with hardware which acts as a dongle.

I tested for example PCMScan from Palmer and found that it is not able to read one single parameter of my motorbike:

PCMScan cannot scan Delphi MT05 ECU
Show Full Size

The software told me that it has connected, but all parameters were marked with a red cross inidicating that the ECU does not support this parameter.
Not even such a basic parameter like 'Engine RPM' was displayed, nor did I see any fault code.
In Wikipedia you find all the OBD2 commands which software like PCMScan sends to the ECU.
I analyzed the data traffic and found that the ECU answered all commands with 0x7F, which is an error code.
What a luck that I did not purchase a license for this software, which is completely useless for me!

All OBD2 software that I tested was not able to communicate with my motorbike.
The Regal Raptor 350 uses a Delphi MT05 ECU.

The MT05 ECU is not OBD 2 compliant.

The Delphi MT05.2 implements a basic OBD2 support. See below

Scantool

To scan the MT05 you would normally have to buy an expensive scantool like this.
On Youtube there is a video showing how to use it.
Scantool Motorscan KF90121
Show Full Size
Scantool Motorscan KF90121
It comes in a suitecase which is bigger than a notebook.
It is very primitive: It has only 5 buttons and the LCD display displays only 2 parameters at once.
You have a much better display of all 90 parameters at once by using a notebook with HUD ECU Hacker.

ECU's from Delphi Electronics

Delphi MT05 ECU and PCB
Show Full Size
The MT20, MT22, MT60, MT80 ECU's control 4 cylinders. They are used in cars.
Cars
Great Wall Pickup
Chevrolet Sail & Cruze
JAC Motors (e.g. J3, J6)
Lifan (e.g. 320, 520)
Nanjing Yuejin Soyat (e.g. NJ7150)
The MT05 ECU controls 1 or 2 cylinders. It is used mainly in motorbikes and ATV's.
MotorbikesATV's (All Terrain Vehicles)Other
AJP (e.g. PR7)
Benelli, Italy (e.g. BN600)
Bullit (e.g. Hero 125)
Geon (e.g. Invader 350)
Hawk (e.g. DLX)
Hunter, Australia (e.g. Bobber 350)
Hyosung (e.g. GT650RC)
Jawa, Argentina (e.g. Bobber 350)
Jialing (e.g. JH200-8)
Johnny Pag, USA (e.g. Spyder 300)
Junak, Polonia (e.g. M16 320)
Keeway (e.g. RKF 125)
Leonart, Spain (e.g. Daytona 350)
Lifan (e.g. LF250-P)
Regal Raptor (e.g. Raptor 350)
Riya scooters
Scomadi scooters
Quadro scooters
Zhejiang (e.g. TR125)
Zongshen (e.g. RX3)
Baltmotors (e.g. Jumbo)
Bennche (e.g. Bighorn 400)
CFmoto (e.g. Terralander X8)
HiSUN (e.g. 700 EFI)
Massimo (e.g. Alligator 700)
Odes (e.g. 800)
Qlink (e.g. FrontRunner 700)
Speed Gear (e.g. Buggy 600)
Stels (e.g. 800 Guepard)
Wels (e.g. ATV 800)
Briggs & Stratton (Marine motors, generators)
Kohler (Lawn mowers)
NOTE: HUD ECU Hacker also works with the MT05 from Rongmao which is used in chinese scooters.
 
The Delphi MT05 Manual (PDF) shows how the ECU is connected.
I added several missing details to the following diagram:
Delphi MT05 circuit diagram
Show Full Size
Page 76 shows the 6 pin diagnostic plug (ECM connector)
The Delphi MT05 uses the Keyword 2000 protocol over K-Line at 10400 baud and Fast Init.

Connecting to the ECU

You can chose among 3 adapters to connect with the ECU, which are described in the following chapters:
1. K-Line (VAG) adapter
2. J2534 (Tactrix Openport) adapter
3. ELM327 / OBDLink (USB or Bluetooth) adapter
 
All these adapters have a standardized plug with 16 pins: The J1962 plug.
ATTENTION: These adapters are never connected directly to the plugs at the ECU.
Motorbikes and ATV's have a separate diagnostic plug which is normally under the seat.
Most motorbikes and ATV's with the Delphi MT05 use the original ECM plug from Delphi (a black / yellow plastic plug with 6 pins).
AJP uses it's proprietary DB9 plug.

Connecting J1962 to Delphi ECM diagnostic plug or AJP DB9 plug

You only have to connect 3 wires between the J1962 plug of the adapter and the motorbike: Ground, +12V and K-Line.
There are also 2 pins for CAN bus. But you don't need them. The Delphi manual says that they are for development only.
Regal Raptor: When you connect pin 5 (Diag) to ground (pin 2) the ECU is switched to diagnostic mode which is required for the ECU Reset Procedure.
Benelli: Pin 5 is connected to the LCD display (speed meter) which obtains the coolant temperature from the ECU over a jumper between pins 4 and 5.

Option 1: K-Line Adapter

The recommended option to connect to the motorbike is using a VAG KKL adapter (approx $5 USD).
 
VAG KKL adapter
 
You can also build your own K-Line adapter with a cheap (approx $1 USD) USB to RS232 adapter and 2 transistors.
For a quick testing this can be built on a breadboard.
ISO14230 RS232 to K-Line Adapter
Show Full Size

The signal must be inverted from RS232 to K-Line and back.
The RS232 lines TxD and RxD are low when idle, while K-Line is high when idle.

K-Line is half duplex, so only the computer or the ECU can send data alternately, but not at the same time.
All data sent from the computer via TxD is then received as echo on RxD.
The computer will always first receive the echo of it's own command and then, after a pause, the response from the ECU.
This allows to easily detect connection problems. If no echo is received, there is a hardware problem.
HUD ECU Hacker always verifies the echo but it does not show the echo in the Trace pane, except the echo is corrupt.

Be careful when connecting to the diagnostic plug because the +12V are always present, even when the ignition key is off.
If you don't need the adapter anymore don't let it connected for hours because it permanently draws current from the battery.

1a) Build your own ECM Cable

You can buy a J1962 Female Connector and solder the 3 wires to 3 pin headers which perfectly fit into the ECM plug.

J1962 plug to Delphi ECM plug diagnostic cable
Show Full Size

Or you buy the 6 Pin Furukawa FW090 Male Connector FW-C-6M-B at Cycleterminal: here or at Taobao: here or here or here.
Or you search on Google for more companies selling this plug on eBay, Alibaba or AliExpress.

Then you can either use a crimping plier or solder the wires to the contacts and build your cable as shown in this video.

1b) Buy a complete ECM Cable

If you have time you can also buy a complete cable in China. Shipping may take between 1 and 3 months.
Cable USB to ECM from Taobao
Taobao USB to ECM adapter
Show Full Size
Cable J1962 to ECM from AliExpress
AliExpress J1962 to ECM adapter
Show Full Size
The red cable from Taobao has a very limited support of baudrates.
In the XML parameter file you must switch to <KLine Init="Fast2"> otherwise you get a timeout when connecting.

K-Line Adapter Echo Test

I discovered 2 severe problems with cheap chinese USB to RS232 adpaters containing the widely used CH340 chip.
1.
Problem: The defective driver from the manufacturer WinChipHead produced a blue screen.
This happend when the computer went to sleep or was shut down while the USB cable of the adapater was plugged in.
Solution: I found that the latest driver version 3.5 from 2019 (which is WHQL certified) fixes this problem.
I implemented the installation of the driver version 3.5 into HUD ECU Hacker (toolbar button "Install USB driver").
2.
Problem: I found that several of my CH340 adapters sometimes send crippled data. Mostly they send 0x00 instead of 0xFA.
Solution: There is no solution. These adapters are garbage and must be thrown into the dustbin.
The faulty adapters have firmware version 2.54. I found another one with firmware version 2.63 which works correctly.
Therefore I implented the Echo Test into HUD ECU Hacker. It sends data to the K-Line adapter and verifies the echo.
Here you see the test result of a faulty CH340 adapter:

Echo test detects CH340 bug

You can execute the echo test after connecting the K-Line / VAG adapter to the motorbike.
But turn the ingnition key OFF so the ECU switches to sleep mode.
The echo test will fail if you connect only the adapter over USB to the computer. The +12V are required.
The +12V at the ECM plug are connected directly to the battery and are not affected by the ignition key.

You can also test the pure USB to RS232 adapter by connecting RxD (pin 2) directly to TxD (pin 3).

Option 2: J2534 Adapter (recommended)

J2534 adapters are the recommended choice. They support K-Line, J1850, and CAN bus.
J2534 (PassThru) is an international standard for reprogramming ECU's.
If you are interested in the details read the API Documentation (PDF) for programmers.
The genuine J2534 adapters (for example Tactrix OpenPort or Drewtech Mongoose) are very expensive ($180 ... $500 USD).
But there are also chinese clones like the VISLONE Tactrix Scanner for 30€ which works perfectly with HUD ECU Hacker.
 
J2534 Tactrix OpenPort adapter
Show Full Size
Genuine Adapter
J2534 Tactrix OpenPort PCB
Show Full Size
Genuine Adapter
J2534 Tactrix OpenPort PCB
Show Full Size
When you plug in the adapter for the first time Windows installs a default driver and assigns a COM port.
ATTENTION: This is the wrong driver and the COM port will never work.
After installing the correct driver from the vendor the COM port will disappear and a J2534 device will show up in Control Panel.

Option 3: ELM327 Adapters (deprecated)

There are 3 types of ELM327 adapters:
  1. Chinese ELM327 clones:
    The internet is full of fake ELM327 adapters. You find them on eBay, Amazon, AliExpress, etc.
    All these adapters are garbage. The Chinese did not even implement half of the command set.
    You send a command to the adapter, it answers with 'OK' but it does not execute the command.
    These adapters are fraud. All adapters for less than $40 USD are fake!
    DO NOT BUY THIS CRAP!
    If you already have one you can use it to scan the parameters, but Sniffing, Data Slewing and Flash Up/Download will not work.
     
  2. Genuine ELM327 adapters:
    Genuine ELM327 adapters have the ELM327 chip inside. Download Datasheet (PDF)
    Elm Electronics ELM327 chip
    ELM Electronics sells only the ELM327 chip ($21 CAD), but they do not offer an own adapter.
    Genuine adapters are difficult to find because very few companies offer them: WGsoft (105€), Warenhuis (109€).
    But even if you have a genuine adapter, Flash Upload will not work because they do not support to set a long timeout.
     
  3. Genuine OBDLink adapters:
    Genuine OBDLink adapters have a STN11XX chip inside. Download Datasheet (PDF)
    Scantool.net STN1110 chip
    They are sold by Scantool and ObdLink ($40 USD).
    They implement the same AT commands as genuine ELM327 adapters and have additional ST commands.
    If you want to use an ELM327 adapter you should ONLY buy it from Scantool or OBDLink.
    My adapter was sold with a very old firmware. Don't forget to update the firmware.
    Even in a genuine OBDLink adapter I found a severe bug. But I also found a workaround.
    Even with the genuine OBDLink adapters data sniffing does not work.
ELM327 adapters are a misdesign.
They have too many commands which makes programming complicated.
Instead of leaving the intelligence in the controlling software (as J2534 adapters do) all the intelligence is in the chip.
The chip must be configured with hundreds of commands.
Instead of transmitting binary data directly (as J2534 adapters do), they use ASCII strings, which is simply a bad design.
Instead of using internally an USB capable processor (as J2534 adapters do) they convert USB first to RS232 which is slower
and the COM port must be configured with the correct baudrate, while J2534 adapters neither need COM ports nor baudrates.
Another issue is that the ELM327 can store configuration in non-volatile memory resulting in not predetermined behaviour.
So, if you already have a genuine OBDLink adapter it will support all functionality except sniffing.
But if you don't have an adapter yet, do not buy it. Buy a K-Line or better a J2534 adapter instead.

Diagram of a genuine ELM327 adapter:
Original ELM327 circuit diagram
Show Full Size

Counterfeit ELM327 Adapters

Chinese Clone
ELM327 adapter USB
Show Full Size
Chinese Clone
ELM327 adapter USB PCB chinese clone
Show Full Size
Some chinese USB adapters use a counterfeit PL2303 chip (right photo) which converts from USB to RS232.
On Windows XP and Windows 7 this works perfectly.
But on Windows 8 and 10 the latest drivers from Prolific detect the counterfeit chip and refuse to work.
The driver returns the undocumented Error 433: "A device which does not exist was specified."
The workaround is to install an older driver which did not have this detection.

To make it easier for you I have implemented the driver installation into HUD ECU Hacker.
With a click in the toolbar you can install the Prolific driver version 3.3 from 2008 which also works on Windows 8 and 10.

Install the Prolific driver version 3.3 before connecting the ELM adapter to Windows 10 for the first time.
Do not use the drivers on the CD if your adapter comes with a CD.

If you connect the adapter and Windows 10 does not find an installed driver it downloads the latest version 3.8
from Windows Update and you will see a yellow exclamation mark or a 'PHASED OUT' error:

Device Manager Error Prolific counterfeit PL2303 chip

Uninstalling the new driver and installing the old driver will NOT work.
Windows 10 will tell you that the best driver is already installed.

Follow these steps to fix this problem:

Fix Windows 10 Proflic PL2303 driver error
Show Full Size

Counterfeit ELM327 Bluetooth Adapters

Chinese Clone
ELM327 adapter Bluetooth
Show Full Size
Chinese Clone
ELM327 adapter Bluetooth PCB chinese clone
Show Full Size
On the right photo you see that there are several SMD parts missing (4 transistors and 16 passive components).
This means that the J1850 bus will not work. Only CAN and K-Line are implemented.
If a vendor sells this as a universal ELM327 adapter, this is a fraud.
However, the J1850 bus was used by older GM and Ford vehicles, but is not used in modern cars anymore.

Installing a Bluetooth Adapter

Follow these steps on Windows 10 to add a bluetooth adapter: (on Windows 7 it is similar)
Configure Windows 10 for Bluetooth
Show Full Size
If it was successful you see 2 COM ports in device manager:

Device Manager Bluetooth ELM327 COM ports

One of the COM ports will work while the other one will not be functional.
Simply open the COM ports in HUD ECU Hacker and try them (the LED "PC" on the adapter should flash).

Which adapter to buy?

 K-Line / VAG AdapterJ2534 AdapterELM327 / OBDLink Adapter
Advantage As there is no intelligence in the adapter even the counterfeit are working perfectly. You can also make your own cheap DIY adapter with 2 transitors. Professional adapters that support K-Line, J1850, CAN. They are technically the best choice. Hobbyist adapters that support K-Line, J1850, CAN. There is no advantage over J2534 adapters.
Disadvantage No support for J1850 and CAN bus.
But K-Line is sufficient for the MT05.
The genuine are expensive. However the chinese counterfeit adapter from VISLONE works fine. Misdesigned (see above)
Most adapters in internet are fake.
Sniffing does not work.
Price Genuine$5 USD$180 ... $500 USD OBDLink: $40 USD
Price Counterfeit$5 USD$33 USD (VISLONE)$10 USD DO NOT BUY!
Poll Speed200 ms280 ms320 ms (USB), 335 ms (Bluetooth)

Sniff Mode

When you enable the checkbox 'Sniff Mode' you can capture the traffic between a scantool (or another OBD software) and the ECU.
HUD ECU Hacker implements sniffing the K-Line with all 3 types of adapters: K-Line/VAG, J2534 and ELM327.
However ELM327 and OBDLink adapters do not capture any data.

Connecting an additional sniff adapter over a splitter cable to the K-Line may not work.
The reason is that each adapter has a pull-up resistor (mostly 510 Ω) between K-Line and +12V.
When you connect 2 adapters the parallel pull-up resistor may become 255 Ω.
Adapters and ECU have a current limitation to protect them from shortcuts.
Most adapters don't provide enough current (50 mA) to pull K-Line to ground over 255 Ω.
Depending on the pull-up resistor and the current limitation you may not capture anything or the scantool stops working.
Here you see the result of connecting two adapters at the same time:
OBD2 Splitter Cable
Show Full Size
 
ISO14230 K-Line sniffing with 510 Ohm resistor
Show Full Size
It may also happen that you can sniff data as long as the motor is off.
But when the motor runs the battery voltage rises to 15V and now you don't capture data anymore or get crippled data.
The higher the battery voltage the more current is required to pull K-Line to ground.
There are also adapters with an internal pull up resistor of 1 kΩ. They may function unchanged.
If it does not work you have 2 options:

Solution 1:
You can use this circuit which does not add an additional pull-up resistor between K-Line and +12V.

Data sniffer K-Line to RS232 to USB

Solution 2:
You can modify a VAG adapter and remove the SMD pull-up resistor which is connected between pin 7 and 16.
You can either convert a VAG adapter into a sniffing adapter by removing this resistor
or you can insert a switch into the adapter which allows to chose between normal mode and sniff mode.

Data sniffer K-Line with VAG adapter

If you want to save the sniffed data to disk use the button Start Logging in the Trace pane.

ATTENTION:
Sniffing neither works with chinese ELM327 clones nor with genuine OBDLink adapters.

KWP Protocol

The Keyword 2000 protocol (KWP) is defined in ISO 14230.
ISO 14230 describes 2 ways to start the communication with the ECU: fast init and slow init.
With slow init the computer must wake up the ECU by sending a byte 0x33 with 5 baud. This is extremely slow.
With fast init the computer must send a byte 0xF0 with 200 baud.
If you are interested in the details read the K-Line Communication Description (PDF).

The MT05 uses fast init.
This means that the K-Line goes low for exactly 25 ms and then high for 25 ms. After that the communication starts with 10400 baud.
The first command which is sent to the ECU is Start Communication which is the byte 0x81.
This byte is embedded into a packet which starts with a header and ends with a checksum.

Here you see the fast init, followed by the command 'Start Communication' and the response from the ECU.

ISO14230 K-Line 'Start Communication' on oscilloscope
Show Full Size
There are long pauses between the bytes:
ISO14230 K-Line inter byte delays on oscilloscope
Show Full Size
In detail the command 'Start Communication' (Service = 81) looks like this:

Command (from PC): 81 11 F1 81 04
Response (from ECU):83 F1 11 C1 EF 8F C4

The MT05 uses the address 11. The application on the PC (the tester) uses the address F1.
The MT05 responds with 2 key bytes EF and 8F which define how the ECU wants the commands to be formatted.
They define how to transmit the packet length and if the source/target addresses are to be sent.
You see the meaning of the key bytes in the Trace pane in magenta when connecting.
Command 'Start Communication' Response Short (1...63 data bytes)
Header 1 81 80 + length of data (1 byte) Header 1 83 80 + length of data (3 bytes)
Header 2 11 Destination address (ECU) Header 2 F1 Destination address (tester)
Header 3 F1 Source address (tester) Header 3 11 Source address (ECU)
Data 1 81 Service 'Start Communication' Data 1 C1 Service confirmation = 81 + 40
Checksum 04 81+11+F1+81 = 04 Data 2 EF Payload byte 1 (bit flags)
Data 3 8F Payload byte 2 (always 0x8F)
Checksum C4 83+F1+11+C1+EF+8F = C4

The first header byte is called format byte. It may contain the length and defines if addresses are sent and the type of addresses.
A physical address (format byte contains 0x80) means that a specific ECU is addressed. There is only one response for each command.
A functional address (format byte contains 0xC0) is like a broadcast address. It means that a group of ECU's is addressed.
It can be used when the physical ECU address is unknown. But there may come multiple responses for one command.

To simplify reading the binary data HUD ECU Hacker displays the data bytes in parenthesis in the Trace pane:
81 11 F1 ( 81 ) 04
83 F1 11 ( C1 EF 8F ) C4
The other bytes are not really interesting as they are generated automatically.

If the ECU does not understand a command it sends 7F (failure) in the byte 'Data 1' of the response.
The following table shows a long response (102 data bytes) which contains an additional length byte (header 4).

Command 'Read Data' Response Long (64...255 data bytes)
Header 1 82 80 + length of data (2 byte) Header 1 80 Extra length byte follows
Header 2 11 Destination address (ECU) Header 2 F1 Destination address (tester)
Header 3 F1 Source address (tester) Header 3 11 Source address (ECU)
Data 1 21 Service 'Read Data' Header 4 66 Length of data (102 byte)
Data 2 01 Subfunction 1 Data 1 61 Service confirmation = 21 + 40
Checksum A6 82+11+F1+21+01 = A6 Data 2 01 Subfunction confirmation = 01
Data 3 ... Payload byte 1
Data 102 ... Payload byte 100
Checksum ... 80+F1+11+66+61+01+...

Keep-Alive

If the ECU does not receive commands it switches to sleep mode after 5 seconds.
While HUD ECU Hacker is polling data this will never happen because polling takes place 3 to 5 times per second.
Only if you switch to manually enter commands (in the Trace pane), polling stops and HUD ECU Hacker sends a Keep-Alive every 3 seconds.

Command (from PC): 81 11 F1 3E C1
Response (from ECU):81 F1 11 7E 01

PCHUD

The Delphi manuals for MT05 and for MT20 explain a software 'PCHUD'.
Previously this was the only software that could communicate with these ECU's.
PCHUD (Hands Up Display for PC) is a very old program from Delco Electronics written in 1993 for Windows 3.
Delco Electronics PCHUD software
Show Full Size

Today it is practically impossible to find this software in internet.
I found lots of dead links and a fake PCHUD download on a chinese website which was a trojan.
But in the forum China Riders I found a thread from the (ex)user 'katflap' talking about PCHUD.
Only thanks to 'katfalp' I could still in the year 2020 download and test this software.

This ancient 16 bit program does not run on 64 bit Windows because Microsoft has removed the support for 16 bit applications on 64 bit platforms.
Running it on a 32 bit Windows in the 16 bit emulator (NTVDM.exe) I notice that it permanently occupies 100% of one CPU core.

While PCHUD is displaying the data from the ECU it sends every 200 ms the same command (21 01) which the ECU responds with a data block of 100 bytes.
This 'parameter polling' looks like this:

MT05 parameter polling on oscilloscope
Show Full Size
It was a lot of work to analyze which meaning has each of the 100 bytes in the response
and to find the formulas which convert the raw values into temperature, voltage and pressure.

PCHUD is superseded by HUD ECU Hacker

The ancient PCHUD from Delco is obsolete because
  • it does not run on 64 bit Windows
  • it occupies permanently 100% of a CPU core
  • it cannot be connected over an ELM327 or J2534 adapter (which did not exist in 1993)
  • it cannot clear the DTC fault codes (the menu is permanently grayed out)
  • it can only display 36 parameters at the same time
  • it shows the gauge for negative values wrongly
  • it is clumsy to use and uses undocumented PAR, HUD, SLW, LGC, LGG, SCR, CFG and PLY files
The new HUD ECU Hacker from ElmüSoft
  • runs on Windows XP, 7, 8 and 10
  • runs on 32 bit and 64 bit Windows
  • uses the .NET framework 4.0 or higher and so should also run on Linux (not tested)
  • connects to the ECU via K-Line/VAG or ELM327 or J2534 adapter
  • shows the entire communication with the adapter in the Trace pane
  • shows all 90 parameters at once in a user-configurable dashboard
  • shows detailed tooltips for all parameters and their meaning
  • can be configured 100% by the user by editing an XML parameter file in a text editor (e.g. Notepad++)
  • the user can enter formulas to convert raw data into temperature, voltage or pressure
  • shows fault codes (DTC) with a text explanation
  • can clear fault codes
  • can capture the data from the ECU in a logfile
  • can export a logfile to a CSV file
  • can ceate graphs from a logfile
  • can download the flash memory from the ECU
  • can program the flash memory with the calibration tables and ECU software
  • automatically installs the Windows drivers for the USB to RS232 adapter / ELM 327 adapter
  • allows you to manually enter commands and send them to the ECU for testing
  • can sniff the data traffic on the bus (for example from a scan tool or from another OBD software)
  • is optimized in each line of it's code to consume a minimum of CPU
  • can be adapted for other ECU's which use different commands and parameters than the MT05 / MT20
  • can be adapted to connect to vehiles with CAN bus or J1850 (only over ELM327 or J2534 adapter)
 
In contrast to all other OBD2 software HUD ECU Hacker is not commercial paid software.
This program is sharityware, which means that the author does not earn any money with it.
But if this program has helped you saving money by not needing an expensive scan tool
you are asked to give a donation to a non-profit organization of your choice.
Like for example Shanti Bavan, a project which gives education for free to the poorest of the poor in India.
There is an excellent documentary about this very special residential school on Netflix: Daugthers of Destiny
 

Apart from that HUD ECU Hacker has been designed to be community software.
Every user can adapt the program to his needs.
When you have adapted the XML parameter file for another ECU, you are asked to send it to me for publishing it.

HUD ECU Hacker - Control

HUD ECU Hacker Screenshot - Control
 
This screenshot shows the playback of the logfile Regal Raptor 350 - Error Clearing.xml
  1. I disconnected the plug of one oxygen sensor.
    The plug has 4 pins: Two for the sensor and two for the heater. (See circuit diagram of MT05 above)
  2. After turning on the ignition key the ECU immediately alerted error P0037. I did not even start the motor.
    HUD ECU Hacker translates the fault codes into human understandable messages.
    If the error message is too long to fit you can hold the mouse over it and you see a tooltip.
  3. The error was first reported as Current.
  4. Then I turnd off the ignition, reconnected the oxygen sensor and turned on ignition again.
  5. Now the ECU detected that the error is not present anymore and reported it as Historic.
  6. Then I recorded the logfile
  7. At 00:00:10.200 I clicked the button Clear Fault Codes which removed the fault code.

Clearing Fault Codes

The button "Clear Fault Codes" sends a command which instructs the ECU to clear the fault code from the memory.
But this does not always result in removing the error message.
If the ECU detects that the error is still present it will not be cleared: You click the button and nothing happens.
If the ECU detects that the error is not present anymore it clears the current error alone after driving several minutes.
On the other hand the historic error stays until you reset the error with the button "Clear Fault Codes".
But the historic error does not affect the EFI / MIL indicator lamp.

HUD ECU Hacker - Data Grid

HUD ECU Hacker Screenshot - DataGrid

This screenshot shows the playback of the logfile Regal Raptor 350 - Starting Motor.xml
At 00:00:16.831 I turned the throttle up to the maximum with the motor not running.
At 00:00:32.712 I started the motor. You see that the ignition voltage drops down to 9.2 Volt.
At 00:01:55.106 I turned the throttle again, now with the motor running.
At 00:02:25.260 I pressed the kill switch (red button). The ignition voltage goes down to 0 Volt.
While recording this logfile the motorbike was standing still (not driving).

For each parameter you see the raw value and it's meaning and the minimum and maximum values.
A gauge displays the value graphically. If the value can also be negative, the gauge starts in the middle.
The description in the last column is from 'katflap'.
Values that have changed since the previous sample have a yellow background. You can turn off this highlighting.

HUD ECU Hacker - Dashboard

HUD ECU Hacker Screenshot - Dashboard
Show Full Size
This screenshot shows the playback of the logfile Regal Raptor 350 - Driving.xml
At 00:00:35.878 I started the motor. The ignition voltage drops down to 7.7 Volt
At 00:00:39.488 the motor turned off alone because it ran too slow.
At 00:00:42.113 I started the motor again and drove around the block (not fast, ony first and second gear).
At 00:02:57.941 I pressed the kill switch.

On the screenshot above you see a tooltip which appears when you hold the mouse over a parameter.
Some parameters have a wrench icon. You can click on it and modify these values in the ECU. See Data Slewing.

The dashboard can be configured 100% by the user after checking the checkbox Edit Mode below.
You can create, edit and delete groups and assign parameters to them.
You can move around the groups, change the order of parameters and drag and drop them to another group.

HUD ECU Hacker Screenshot - Gauge Configuration

In this dialog you can configure a value parameter.
The ignition voltage has a minimum of 0 Volt and a maximum of 32 Volt.
You can restrict the range of the gauge to something more useful like 7 V to 16 V.
When you set an alarm the parameter will be displayed in red if the value exceeds the given limits.

HUD ECU Hacker - Graph

HUD ECU Hacker Screenshot - Graph
Show Full Size
   
HUD ECU Hacker Screenshot - Graph
Show Full Size

These images are graphs created from the logfile Regal Raptor 350 - Driving.xml
You can chose the parameters that you want to include.

If you want more sophisticated graphics you can export the data to CSV and load it into the LiveLink Gen-II software (70 MB).

HUD ECU Hacker - Trace

HUD ECU Hacker Screenshot - Trace
Show Full Size
In this screenshot you see the Trace pane which shows all the communication with the adapter.
Blue are the commands sent and green are the responses received.
The KWP packtes show the data bytes in parenthesis: Header ( Data ) Checksum.
With the checkbox Inject Commands at the bottom you can send your own commands to the ECU for testing.
For the purpose of hacking you can also enter XX, which will be replaced with all values from 00 to FF.
For example if you enter '21 XX' HUD ECU Hacker will send 256 commands from '21 00' to '21 FF' to the ECU.

Data Slewing

The MT05 allows to manually modify some of the parameter values which have been measured or calculated.
The purpose of data slewing is to analyze an engine which is not running correctly.
You can set absolute (fix) preset values or you can add a delta (± offset) to the current ECU values.
First set all the preset values that you want to change in the list at the left with the trackbar or with the button 'Set in list'.
Then click 'Send all presets to ECU'. These changes have effect on the running motor.
After setting Idle RPM Target to 2500 rpm you will hear how the motor slowly becomes faster.
Even if the engine is off you can set Fuel Pump Duty Cycle to 15% and you hear the fuel pump running quietly.

Delphi MT05 Data Slewing Idle RPM Target
Show Full Size

This graph shows the logfile Regal Raptor 350 - Data Slewing.xml where the engine was running idle with 1400 rpm.
At 00:00:29.806 I have set the preset value Idle RPM Target to 2500 rpm. The ECU slowly adapted the idle speed.
At 00:01:12.480 I switched off the slew preset.

NOTE: On a Benelli TRK251 (1 cylinder) you can set the idle speed target but the engine speed is not adjusted correctly.

The modified values are not stored in the non-volatile memory of the ECU.
However this feature is for experts only. Wrong values can produce knocking or stall the motor.
I saw that the ECU does not go to sleep mode after changing some of the values.
Do not forget to click 'Reset all presets in ECU' when you are finished with your tests.

ATTENTION:
Data Slewing does not work with my chinese ELM327 adapters. But J2534 and K-Line adapters do work.
The ELM327 Datasheet says (page 31) that the ELM327 limits the bytes that can be sent to the maximum for OBD2.
Therefore HUD ECU Hacker sends the command ATAL which allows longer commands.
My chinese adapter answers ATAL with 'OK', but it still refuses to send more than 4 data bytes.
You will see a timeout error in HUD ECU Hacker.

ELM327 Terminal

HUD ECU Hacker Screenshot - ELM327 Terminal

As there are so many problems with chinese ELM327 clones I implemented the ELM327 Terminal.
Here you can test your adapter by sending commands and studying the responses.
The screenshot shows that my ELM327 clone sends commands only up to 4 data bytes.
If I send 5 data bytes or more (like the Slewing commands) there is no response, no error and no prompt.
I verified on the oscilloscope that the adapter indeed does not send anything.
The command ATAL is simply ignored although it was answered with a fake 'OK'.
It is a fraud to sell this crap.
By the way: It is completely irrelevant if a chinese adapter claims to be version 1.5 or 2.1. They are all crap.
And I saw people complaining in internet about ELM327 adapters which have even less functionality than mine.

Recording on the Road

You can create logfiles after connecting to the ECU. You can easily record a log file while you are driving.
Connect the cables and put a notebook into a saddlebag or backpack.
HUD ECU Hacker recording on the road
Show Full Size

Delphi MT05.2

The Delphi MT05 does not implement any of the OBD2 commands.
The Delphi MT05.2 is an adapted version to comply the emission laws of some countries (e.g. in Europe).
It has a basic OBD2 support for the following commands:

CommandMeaningComment
01 01DTC Monitor StatusThis information is already contained in the standard data
01 03Open / closed loopThis information is already contained in the standard data
01 04Calculated engine loadThis value is very similar to the Throttle Position
01 05Coolant temperatureThis information is already contained in the standard data
01 06Short term fuel trim Bank 1This information is already contained in the standard data
01 07Long term fuel trim Bank 1This information is already contained in the standard data
01 08Short term fuel trim Bank 2This information is already contained in the standard data
01 09Long term fuel trim Bank 2This information is already contained in the standard data
01 0BIntake manifold pressureThis information is already contained in the standard data
01 0CEngine speedThis information is already contained in the standard data
01 0DVehicle speedThis value is a fake. It is always zero.
01 0ETiming advanceThis information is already contained in the standard data
01 0FIntake air temperatureThis information is already contained in the standard data
01 11Throttle position This information is already contained in the standard data
01 13Oxygen sensors presentDescribes which oxygen sensors the motor has
01 1COBD ComplianceDescribes to which OBD standard the vehicle complies
01 21Distance traveled with MIL lamp onThis value is a fake. It is always zero.
01 4DTime run with MIL lamp onThis value is a fake. It is always zero.
01 7FEngine run timeThis information is already contained in the standard data
03Stored DTCThis is the same as the historic fault code in standard data
07Pending DTCThis is the same as the historic fault code in standard data
04Clear DTCThis is executed with the button "Clear Fault Codes".
09 04Calibration ID (CALID)The version of the calibration tables
09 06Verification No (CVN)The checksum of the calibration tables

By default only the highlighted OBD2 parameters are used by HUD ECU Hacker.
The others are disabled in the parameter XML file.
You can enable the disabled parameters or add more parameters to the XML file.

ATTENTION: The more OBD2 parameters you enable the slower becomes the scanning speed.
The OBD2 protocol is stupidly designed: To transfer 20 bytes it needs 5 data packets with a pause of 25 ms between each.
The OBD2 parameters are transferred one by one and each parameter needs between 100 ms and 500 ms.
If you would scan all the parameters in the table above this would take 2 seconds.
The standard MT05 protocol from Delphi is more intelligent: It sends 90 parameters in one packet of 100 bytes in only 200 ms.
The 4 highlighted parameters do not slow down scanning speed because they are fix values which are loaded only once.

The logfile Benelli TRK 251 (1 Cylinder).xml is from a Delphi MT05.2 which is EOBD (European OBD) compliant.

Download / Upload Flash Memory

The heart of the the Delphi MT05 is a 16 bit Infineon processor.
The flash memory in the processor is divided into 4 areas:
  1. The Bootloader is required to start up the ECU.
    It will never be overwritten when flashing. This is a protected area.
  2. The Configuration Data will always change when you turn off the ignition key.
    The ECU stores non-volatile data here, like fault codes, ignition counter, ECU learning, etc.
    This area is not written when flashing. However the ECU's program code writes frequently here.
  3. The Calibration Tables are used to calculate the optimal operation of the motor depending on
    factors like speed, engine load and temperature, etc. They control fuel injection, spark timing, etc.
  4. The Software area contains the executable program code.
    You should normally not overwrite this area except you know exactly what you are doing.
Processor Delphi MT05 Delphi MT05.2
Model SAK-XC164CM-16F40F SAK-XC164CS-32F40BB
Flash Memory 128 kB 256 kB
RAM 8 kB 12 kB
Clock 40 MHz 40 MHz
Flash Memory Delphi MT05 Delphi MT05.2
Bootloader 000000 - 003FFF16 kB 000000 - 003FFF16 kB
Configuration Data 004000 - 004FFF4 kB 004000 - 004FFF4 kB
Calibration Tables 005000 - 007FFF12 kB 005000 - 00AFFF24 kB
Software 008000 - 01FFFF96 kB 00B000 - 03FFFF212 kB

HUD ECU Hacker can download the flash memory into a file (flash download).
HUD ECU Hacker can also program the flash memory from a file (flash upload).
In the main window you see the versions and the checksums of the flash memory areas.
Green means the checksum is correct. Red means it is wrong and will be fixed when uploading.

ATTENTION:
If you use a K-Line adapter execute the Echo Test to assure that it works correctly.
If you use an ELM327 adapter it must be a genuine OBDLink adapter.

Before flashing for the first time store your original flash file in a secure place!
If flashing of only the calibration tables goes wrong your ECU may still communicate over K-Line.
But if flashing the software area goes wrong your ECU will probably be bricked.

Tuning

For tuning (modifying the calibration tables) you have to purchase commercial software.
Normally you need 2 expensive programs for tuning:

1.)
Normally you need one program which only downloads and uploads the flash memory:
BitBox (250€, english) or CombiLoader (base: 21500 rouble + MT05: 8000 rouble, russian, partly translated)

With the sharityware HUD ECU Hacker you do not need these programs anymore.
Please do not forget to give a donation for HUD ECU Hacker.

2.)
However, you still need the second program for editing the calibration tables:
BitEdit (100€, english) or ChipTuningPro (base: 2400 rouble + MT05: 10000 rouble, only russian)
NOTE: BiteEdit does not support all MT05.2 versions. Click here for a list of supported calibration versions.
ChipTuningPro does not care about the versions.

Additionally you have to buy an USB dongle (30€) which protects their software from piracy.
If you live in the U.S. you have to order from EcuTools. Other companies will not ship to your country.

The file that you have downloaded with HUD ECU Hacker can be displayed and modified in BitEdit or ChipTuningPro.
You can also upload the modified flash file with HUD ECU Hacker. It will correct the checksum automatically.

While BitEdit shows 36 tables for the MT05 (in english), ChipTuningPro shows more than 200 tables (in russian).
They have plans to translate ChipTuningPro to english in the 1st quarter of 2021.
BitEdit is compared with ChipTuningPro like a toy. It has bugs and does not even show the meaning of some table's axis.
BitEdit
BitEdit ECU Tuning Delphi MT05
Show Full Size
 
ChipTuningPro
ChipTuningPro ECU Tuning Delphi MT05
Show Full Size
 
ChipTuningPro
ChipTuningPro ECU Tuning Delphi MT05
Show Full Size
The next version of HUD ECU Hacker will show the calibration tables.

Adapting HUD ECU Hacker to other ECU's

The parameter scanning of HUD ECU Hacker can be adapted to other ECU's by simply editing the parameter XML file.
(The flash download / upload is Delphi only.)
First make a copy of the file Delphi & Rongmao MT05.xml, rename it and open it in Notepad++.
If your car/motorbike/ATV does not connect via K-Line or uses another ECU address or another initialization, adapt the red attributes below.

<Config> <Address ECU="0x11" Tester="0xF1" FiveBaud="0x33"> .... <KLine BaudRate="10400" Init="Fast1" TxByteDelay="0"> .... <Elm327 Protocol="5" BaudSlow="38400" BaudFast="38400"> .... <J2534 Protocol="4" BaudRate="10400" Init="Fast" ConnectFlags="0x00"> .... </Config>

ECU addresses are normally in the range between 0x10 and 0x17 for engine controllers.
You find the protocols for ELM327 adapters in the ELM327 Datasheet on page 26.
You find the protocols for J2534 adapters in the J2534 Documentation on page 19.

If you don't know the protocol or the ECU address, it is easy to find them if you have an ELM327 adapter.
The ELM327 allows to use protocol 0 for auto-detection. It will try all protocols until it gets a response from the ECU.
Open the Terminal and enter the following commands:

Auto detect protocol and ECU address with ELM327 adapter

The command 'Start Communication' (81) may take a while. Wait until you get a response. If you get an error see Trouble Shooting.
The command AT DP shows the name of the protocol and AT DPN shows the protocol number.

STEP 1:
Enter the ECU address and the protocol number into the parameter XML file.
You can convert decimal values to hexadecimal (and vice versa) with the Windows calculator after switching it to programmer mode.
You can enter decimal or hexadecinal values into the XML file as you like. Hexadecimal values must always start with 0x.

If you did it correctly you can now connect to your ECU with the button 'Connect'.
Don't forget to select your new XML file in the combobox 'Parameter File' at the top.
Check in the Trace pane that the command 81 (Start Communication) has executed without error.

STEP 2:
In the next step you have to test the commands which read the parameters:
  1. If your vehicle is OBD2 compliant you find the most commonly used parameters in Wikipedia.
  2. You can get them also by reverse engineering a scan tool or another OBD software using Sniff Mode.

After connecting to the ECU switch to the Trace pane and set the checkbox Inject Commands below.
Now you can send any command to the ECU and see the response.

Let's say you want to get the engine speed from an OBD2 compliant vehicle.
Wikipedia tells you that this is the Service 01 and the PID 0C.
In the field below in the Trace pane you type 01 0C and click the button "Send".
The ECU should answer with Header (3 byte) + Confirmation (2) + Engine RPM (2) + Checksum (1) = total 8 bytes.
So the last two bytes before the checksum are the raw engine speed.
The formula in Wikipedia says that the returned raw value (First byte * 256 + Second byte) must be divided by four.

STEP 3:
If this works successfully you can enter the new command into the XML file:

<Command TxBytes="01 0C" RxPacketSize="2"> <RxParam Offset="0" ByteCount="2" ByteOrder="HL" Type="Unsigned" Formula="$Val/4" Digits="0" Unit=" rpm" UID="VRPM2" DispName="Engine Speed" Description="The current speed of the engine"> </RxParam> </Command>

ATTENTION: Please read the description at the top of the file "Delphi & Rongmao MT05.xml", which explains all attributes!

Installation

  HUD ECU Hacker version 2.8    (6.6 MB)

It may happen that you double click the installer and nothing happens on some Windows 10 versions.
Please right click the downloaded installer executable, select 'Properties' and check 'Unblock'.

You need the .NET framework 4.0 or higher. On Windows 10 this is already installed.

HUD ECU Hacker Toolbar

In the toolbar at the top you can then install the drivers.
The toolbar also has a button that brings you with one click to the Device Manager, where you see all COM ports.
The toolbar has a tooltip for each button which appears when you hold the mouse over it.

HUD ECU Hacker Screenshot - Install drivers
Show Full Size

Trouble Shooting

Errors when connecting to the ECU:
  • The ignition key must be on.
  • The kill switch must be in the position where it allows the motor to run.
  • Switch to the neutral gear.
  • It is not necessary to start the motor before establishing a connection.
  • Check that you have connected the 3 wires correctly as shown in this diagram.
  • The voltage of the K-Line wire MUST be +12 Volt while the adapter is connected to the ECU.
  • If you use the K-Line or VAG adapter ecxecute the Echo Test to check the adapter.
  • There are 2 types of timeout errors which indicate different errors:
    • Timeout waiting for echo means always that you have a hardware problem or the wrong COM port.
    • Timeout waiting for response (or received garbage characters) with ELM327 adapter may mean that the baud rate is wrong.
      You can change the baudrate in the XML parameter file. Normally the ELM327 has a default baudrate of 38400 baud.
      However my genuine OBDLink adapter has a default baudrate of 115200 baud.
    • Timeout waiting for response with K-Line / VAG adapter may happen rarely.
      The reason is that the ISO 14230 protocol is very time critical. It demands 50 ±1 ms for the fast init.
      But Windows as a multitasking OS is not very precise and the interval seen on an oscilloscope may vary from 45 ms up to 70 ms.
      If the interval between fast init and the command 'Start Communication' exceeds the limits the ECU does not respond.
      If you get this type of timeout error, try the following:
      1. Click 'Connect' several times until it works.
      2. Some adapters (red cable from Taobao) do not support the way how HUD ECU normally generates the fast init pulse.
        Try changing <KLine Init="Fast1"> into <KLine Init="Fast2"> in the XML parameter file.
      3. For slow computers you can enter a K-Line timing correction which is added to the 50 ms interval:

        ATTENTION: If you enter a wrong value here you may screw up the fast initialization forever.
        If changing this value did not solve your problem, reset the correction to zero otherwise you may never be able to connect.
  • BUSINIT: ERROR from the ELM327 adapter means that the ELM327 did not receive a response from the ECU.
    The chinese clones of the ELM327 send the Fast Init and then their own 'Start Communication' command C1 33 F1 81 66.
    They always use the hard coded functional ECU address 0x33 for the very first command.
    For the Delphi MT05 this is no problem. It answers this request although it has the physical address 0x11.
    But 0x33 may be an invalid address for other ECU's. The chinese ELM327 clones do not allow to change the ECU address.
    If you have an ECU which does not answer at all use a K-Line or J2534 adapter instead and adapt the ECU address in the XML file.
If you have any problem you can send me a log file of the Trace pane with the error message.
You can write me in english, german or spanish.
But first read this help!
You find my email at the end of the help file.
 

Appendix

ECU Reset Procedure

NOTE: The following procedure may be different depending on the vendor.

  1. Turn the ignition key off.
  2. Install a jumper between pin 2 and 5 of the Delphi ECM plug. (connect ECU pin J1-16 to ground)
  3. Turn the ignition key on and off, then wait 10 seconds.
  4. Turn the ignition key on and off, then wait 10 seconds. (a second time)
  5. Remove the jumper.
  6. Turn the ignition key on and off, then wait 10 seconds. (a third time)
  7. The ECU is reset now. You must execute the TPS Learn Procedure.

TPS Learn Procedure

This must be executed always after replacing the Throttle Position Sensor or the ECU and after ECU Reset.
  1. Turn idle screw clockwise one full turn prior to ignition key on after ECU Reset.
  2. Start engine, run at low idle until engine is warm.
  3. Idle speed must be above 1500 RPM. If below 1500 RPM, turn idle screw up to 1700 RPM and then shut down engine and perform ECU Reset again.
  4. Restart engine, adjust idle speed down to 1500 RPM. Allow engine to dwell at 1500 RPM for about 3 seconds.
  5. After this, adjust idle speed to final specified speed setting.
  6. Turn ignition key off, then wait 10 seconds.
  7. TPS Learn procedure is complete.

Rescue a bricked MT05

If you have uploaded a wrong flash file or interrupted the upload you may have 'bricked' your ECU.
A 'bricked' ECU will neither allow to start the motor nor will it respond on K-Line.
'Bricked' means that your ECU is now as useful as a brick. Congratulations!
In this case you have to switch the ECU into 'bootloader mode' and then you can connect again.
Unplug the plugs J1 and J2 and connect the ECU only to the battery and the K-Line or J2534 or ELM327 adapter:
Rescue a bricked Delphi MT05
Show Full Size
You need one jumper between pins 10 and 17 and another jumper between pins 11 and 16.
This switches the ECU into 'bootloader mode' and allows to upload a valid flash file.
Additionally you connect +12V to pins 15 and 18, Ground to pin 2 and K-Line to pin 3.
 
The first 16 kB of the flash memory contain the bootloader.
This memory area will never be overwritten when you upload a flash file.
This assures that the bootloader stays always intact even when flashing goes wrong.

Crankshaft Position Sensor

The crankshaft position sensor reports the exact position of the crankshaft to the ECU.
The ECU needs this to calculate the moment of spark generation and of measuring the Intake Air Pressure sensor.
On the crankshaft there is a flywheel with teeth every 15 degree. Each tooth induces a pulse in a fixed pick up coil.
There are 24 positions on the 360 degree rotation. One of them is missing, so there are 23 pulses per rotation.
The gap from the missing tooth indicates the position near BDC (Bottom Dead Center) of cylinder 1.
Example: The motor runs with 1500 rpm. This is 1500 / 60 = 25 rotations per second = 40 ms per rotation.
This oscilloscope capture measured at ECU pin J2-04 shows the 25 * 23 = 575 pulses/second.
Delphi MT05 crankshaft sensor on oscilloscope
Show Full Size
The faster the motor runs the higher becomes the voltage.
The logfile Benelli TRK 251 (1 Cylinder).xml shows several CKP Sensor Errors which are increasing with the time.
But they are still not enough to turn the MIL/EFI indicator light on.
 
 
Zurück zur Startseite
Back to start page