You can use this circuit which does not add an additional pull-up resistor between K-Line and +12V.
Solution 2:
You can modify a VAG adapter and remove the SMD pull-up resistor which is connected between pin 7 and 16.
You can either convert a VAG adapter into a sniffing adapter by removing this resistor
or you can insert a switch into the adapter which allows to chose between normal mode and sniff mode.
If you want to save the sniffed data to disk use the button Start Logging in the Trace pane.
ATTENTION:
Sniffing neither works with chinese ELM327 clones nor with genuine OBDLink adapters.
KWP Protocol
The
Keyword 2000 protocol (KWP) is defined in
ISO 14230.
ISO 14230 describes 2 ways to start the communication with the ECU: fast init and slow init.
With slow init the computer must wake up the ECU by sending a byte 0x33 with 5 baud. This is extremely slow.
With fast init the computer must send a byte 0xF0 with 200 baud.
The MT05 uses fast init.
This means that the K-Line goes low for exactly 25 ms and then high for 25 ms. After that the communication starts with 10400 baud.
The first command which is sent to the ECU is Start Communication which is the byte 0x81.
This byte is embedded into a packet which starts with a header and ends with a checksum.
Here you see the fast init, followed by the command 'Start Communication' and the response from the ECU.
 |
| Show Full Size |
There are long pauses between the bytes:
 |
| Show Full Size |
In detail the command 'Start Communication' (Service = 81) looks like this:
| Command (from PC): | 81 11 F1 81 04 |
| Response (from ECU): | 83 F1 11 C1 EF 8F C4 |
The MT05 uses the address 11. The application on the PC (the tester) uses the address F1.
The MT05 responds with 2 key bytes EF and 8F which define how the ECU wants the commands to be formatted.
They define how to transmit the packet length and if the source/target addresses are to be sent.
You see the meaning of the key bytes in the Trace pane in magenta when connecting.
| Command 'Start Communication' |
Response Short (1...63 data bytes) |
| Header 1 |
81 |
80 + length of data (1 byte) |
Header 1 |
83 |
80 + length of data (3 bytes) |
| Header 2 |
11 |
Destination address (ECU) |
Header 2 |
F1 |
Destination address (tester) |
| Header 3 |
F1 |
Source address (tester) |
Header 3 |
11 |
Source address (ECU) |
| Data 1 |
81 |
Service 'Start Communication' |
Data 1 |
C1 |
Service confirmation = 81 + 40 |
| Checksum |
04 |
81+11+F1+81 = 04 |
Data 2 |
EF |
Payload byte 1 (bit flags) |
|
Data 3 |
8F |
Payload byte 2 (always 0x8F) |
| Checksum |
C4 |
83+F1+11+C1+EF+8F = C4 |
The first header byte is called format byte. It may contain the length and defines if addresses are sent and the type of addresses.
A physical address (format byte contains 0x80) means that a specific ECU is addressed. There is only one response for each command.
A functional address (format byte contains 0xC0) is like a broadcast address. It means that a group of ECU's is addressed.
It can be used when the physical ECU address is unknown. But there may come multiple responses for one command.
To simplify reading the binary data HUD ECU Hacker displays the data bytes in parenthesis in the Trace pane:
81 11 F1 ( 81 ) 04
83 F1 11 ( C1 EF 8F ) C4
The other bytes are not really interesting as they are generated automatically.
If the ECU does not understand a command it sends 7F (failure) in the byte 'Data 1' of the response.
The following table shows a long response (102 data bytes) which contains an additional length byte (header 4).
| Command 'Read Data' |
Response Long (64...255 data bytes) |
| Header 1 |
82 |
80 + length of data (2 byte) |
Header 1 |
80 |
Extra length byte follows |
| Header 2 |
11 |
Destination address (ECU) |
Header 2 |
F1 |
Destination address (tester) |
| Header 3 |
F1 |
Source address (tester) |
Header 3 |
11 |
Source address (ECU) |
| Data 1 |
21 |
Service 'Read Data' |
Header 4 |
66 |
Length of data (102 byte) |
| Data 2 |
01 |
Subfunction 1 |
Data 1 |
61 |
Service confirmation = 21 + 40 |
| Checksum |
A6 |
82+11+F1+21+01 = A6 |
Data 2 |
01 |
Subfunction confirmation = 01 |
|
Data 3 |
... |
Payload byte 1 |
| Data 102 |
... |
Payload byte 100 |
| Checksum |
... |
80+F1+11+66+61+01+... |
Keep-Alive
If the ECU does not receive commands it switches to sleep mode after 5 seconds.
While HUD ECU Hacker is polling data this will never happen because polling takes place 3 to 5 times per second.
Only if you switch to manually enter commands (in the Trace pane), polling stops and HUD ECU Hacker sends a Keep-Alive every 3 seconds.
| Command (from PC): | 81 11 F1 3E C1 |
| Response (from ECU): | 81 F1 11 7E 01 |
PCHUD
The Delphi manuals for MT05 and for MT20 explain a software 'PCHUD'.
Previously this was the only software that could communicate with these ECU's.
PCHUD (Hands Up Display for PC) is a very old program from Delco Electronics written in 1993 for Windows 3.
 |
| Show Full Size |
Today it is practically impossible to find this software in internet.
I found lots of dead links and a fake PCHUD download on a chinese website which was a trojan.
But in the forum
China Riders I found a thread from the (ex)user
'katflap' talking about PCHUD.
Only thanks to 'katfalp' I could still in the year 2020 download and test this software.
This ancient 16 bit program does not run on 64 bit Windows because Microsoft has removed the support for 16 bit applications on 64 bit platforms.
Running it on a 32 bit Windows in the 16 bit emulator (NTVDM.exe) I notice that it permanently occupies 100% of one CPU core.
While PCHUD is displaying the data from the ECU it sends every 200 ms the same command (21 01) which the ECU responds with a data block of 100 bytes.
This 'parameter polling' looks like this:
 |
| Show Full Size |
It was a lot of work to analyze which meaning has each of the 100 bytes in the response
and to find the formulas which convert the raw values into temperature, voltage and pressure.
PCHUD is superseded by HUD ECU Hacker
The ancient PCHUD from Delco is obsolete because
- it does not run on 64 bit Windows
- it occupies permanently 100% of a CPU core
- it cannot be connected over an ELM327 or J2534 adapter (which did not exist in 1993)
- it cannot clear the DTC fault codes (the menu is permanently grayed out)
- it can only display 36 parameters at the same time
- it shows the gauge for negative values wrongly
- it is clumsy to use and uses undocumented PAR, HUD, SLW, LGC, LGG, SCR, CFG and PLY files
The new HUD ECU Hacker from ElmüSoft
- runs on Windows XP, 7, 8 and 10
- runs on 32 bit and 64 bit Windows
- uses the .NET framework 4.0 or higher and so should also run on Linux (not tested)
- connects to the ECU via K-Line/VAG or ELM327 or J2534 adapter
- shows the entire communication with the adapter in the Trace pane
- shows all 90 parameters at once in a user-configurable dashboard
- shows detailed tooltips for all parameters and their meaning
- can be configured 100% by the user by editing an XML parameter file in a text editor (e.g. Notepad++)
- the user can enter formulas to convert raw data into temperature, voltage or pressure
- shows fault codes (DTC) with a text explanation
- can clear fault codes
- can capture the data from the ECU in a logfile
- can export a logfile to a CSV file
- can ceate graphs from a logfile
- can download the flash memory from the ECU
- can program the flash memory with the calibration tables and ECU software
- automatically installs the Windows drivers for the USB to RS232 adapter / ELM 327 adapter
- allows you to manually enter commands and send them to the ECU for testing
- can sniff the data traffic on the bus (for example from a scan tool or from another OBD software)
- is optimized in each line of it's code to consume a minimum of CPU
- can be adapted for other ECU's which use different commands and parameters than the MT05 / MT20
- can be adapted to connect to vehiles with CAN bus or J1850 (only over ELM327 or J2534 adapter)
|
In contrast to all other OBD2 software HUD ECU Hacker is not commercial paid software.
This program is sharityware, which means that the author does not earn any money with it.
But if this program has helped you saving money by not needing an expensive scan tool
you are asked to give a donation to a non-profit organization of your choice.
Like for example Shanti Bavan, a project which gives education for free to the poorest of the poor in India. There is an excellent documentary about this very special residential school on Netflix: Daugthers of Destiny |
|
 |
Apart from that HUD ECU Hacker has been designed to be community software.
Every user can adapt the program to his needs.
When you have
adapted the XML parameter file for another ECU, you are asked to send it to me for publishing it.
HUD ECU Hacker - Control
This screenshot shows the playback of the logfile Regal Raptor 350 - Error Clearing.xml
- I disconnected the plug of one oxygen sensor.
The plug has 4 pins: Two for the sensor and two for the heater. (See circuit diagram of MT05 above)
- After turning on the ignition key the ECU immediately alerted error P0037. I did not even start the motor.
HUD ECU Hacker translates the fault codes into human understandable messages.
If the error message is too long to fit you can hold the mouse over it and you see a tooltip.
- The error was first reported as Current.
- Then I turnd off the ignition, reconnected the oxygen sensor and turned on ignition again.
- Now the ECU detected that the error is not present anymore and reported it as Historic.
- Then I recorded the logfile
- At 00:00:10.200 I clicked the button Clear Fault Codes which removed the fault code.
Clearing Fault Codes (DTC)
The button "Clear Fault Codes" clears the historic fault code(s) from the non-volatile ECU memory.
But if the fault is still present it will not be cleared: You click the button and nothing happens.
This button will clear only historic fault codes which are not present anymore.
The MIL / EFI lamp is only on if there is a current fault present. It is off if there are only historic DTC's.
Some current faults disapear immediately when the fault has been fixed (e.g. Oxygen sensor cable disconnected).
Other current faults will disapear alone after driving some minutes.
The historic fault code(s) are also erased automatically after driving 30 times without further faults.
As you see the ECU handles fault codes and MIL lamp alone. You normally don't need this button.
The ECU can report multiple Current DTC's at once and it can store multiple Historic DTC's.
If there are multiple DTC's present, they are displayed alternating once a second.
HUD ECU Hacker - Data Grid
This screenshot shows the playback of the logfile Regal Raptor 350 - Starting Motor.xml
At 00:00:16.831 I turned the throttle up to the maximum with the motor not running.
At 00:00:32.712 I started the motor. You see that the ignition voltage drops down to 9.2 Volt.
At 00:01:55.106 I turned the throttle again, now with the motor running.
At 00:02:25.260 I pressed the kill switch (red button). The ignition voltage goes down to 0 Volt.
While recording this logfile the motorbike was standing still (not driving).
For each parameter you see the raw value and it's meaning and the minimum and maximum values.
A gauge displays the value graphically. If the value can also be negative, the gauge starts in the middle.
The description in the last column is from 'katflap'.
Values that have changed since the previous sample have a yellow background. You can turn off this highlighting.
HUD ECU Hacker - Dashboard
 |
| Show Full Size |
This screenshot shows the playback of the logfile Regal Raptor 350 - Driving.xml
At 00:00:35.878 I started the motor. The ignition voltage drops down to 7.7 Volt
At 00:00:39.488 the motor turned off alone because it ran too slow.
At 00:00:42.113 I started the motor again and drove around the block (not fast, ony first and second gear).
At 00:02:57.941 I pressed the kill switch.
On the screenshot above you see a tooltip which appears when you hold the mouse over a parameter.
Some parameters have a
wrench icon.
You can click on it and modify these values in the ECU. See
Data Slewing.
The dashboard can be configured 100% by the user after checking the checkbox Edit Mode below.
You can create, edit and delete groups and assign parameters to them.
You can move around the groups, change the order of parameters and drag and drop them to another group.
In this dialog you can configure a value parameter.
The ignition voltage has a minimum of 0 Volt and a maximum of 32 Volt.
You can restrict the range of the gauge to something more useful like 7 V to 16 V.
When you set an alarm the parameter will be displayed in red if the value exceeds the given limits.
HUD ECU Hacker - Graph
 |
| Show Full Size |
|
|
 |
| Show Full Size |
|
These images are graphs created from the logfile Regal Raptor 350 - Driving.xml
You can chose the parameters that you want to include.
If you want more sophisticated graphics you can export the data to CSV and
load it into the
LiveLink Gen-II software (70 MB).
HUD ECU Hacker - Trace
 |
| Show Full Size |
In this screenshot you see the Trace pane which shows all the communication with the adapter.
Blue are the commands sent and green are the responses received.
The KWP packtes show the data bytes in parenthesis: Header ( Data ) Checksum.
With the checkbox Inject Commands at the bottom you can send your own commands to the ECU for testing.
For the purpose of hacking you can also enter XX, which will be replaced with all values from 00 to FF.
For example if you enter '21 XX' HUD ECU Hacker will send 256 commands from '21 00' to '21 FF' to the ECU.
Data Slewing
The MT05 allows to manually modify some of the parameter values which have been measured or calculated.
The purpose of data slewing is to analyze an engine which is not running correctly.
You can set absolute (fix) preset values or you can add a delta (± offset) to the current ECU values.
First set all the preset values that you want to change in the list at the left with the trackbar or with the button 'Set in list'.
Then click 'Send all presets to ECU'. These changes have effect on the running motor.
After setting Idle RPM Target to 2500 rpm you will hear how the motor slowly becomes faster.
Even if the engine is off you can set Fuel Pump Duty Cycle to 15% and you hear the fuel pump running quietly.
 |
| Show Full Size |
This graph shows the logfile Regal Raptor 350 - Data Slewing.xml where the engine was running idle with 1400 rpm.
At 00:00:29.806 I have set the preset value Idle RPM Target to 2500 rpm. The ECU slowly adapted the idle speed.
At 00:01:12.480 I switched off the slew preset.
NOTE: On a Benelli TRK251 (1 cylinder) you can set the idle speed target but the engine speed is not adjusted correctly.
|
The modified values are not stored in the non-volatile memory of the ECU.
However this feature is for experts only. Wrong values can produce knocking or stall the motor.
I saw that the ECU does not go to sleep mode after changing some of the values.
Do not forget to click 'Reset all presets in ECU' when you are finished with your tests.
|
ATTENTION:
Data Slewing does not work with my chinese ELM327 adapters. But J2534 and K-Line adapters do work.
The
ELM327 Datasheet says (page 31) that the ELM327 limits the bytes that can be sent to the maximum for OBD2.
Therefore HUD ECU Hacker sends the command ATAL which allows longer commands.
My chinese adapter answers ATAL with 'OK', but it still refuses to send more than 4 data bytes.
You will see a timeout error in HUD ECU Hacker.
ELM327 Terminal
As there are so many problems with chinese ELM327 clones I implemented the ELM327 Terminal.
Here you can test your adapter by sending commands and studying the responses.
The screenshot shows that my ELM327 clone sends commands only up to 4 data bytes.
If I send 5 data bytes or more (like the Slewing commands) there is no response, no error and no prompt.
I verified on the oscilloscope that the adapter indeed does not send anything.
The command ATAL is simply ignored although it was answered with a fake 'OK'.
It is a fraud to sell this crap.
By the way: It is completely irrelevant if a chinese adapter claims to be version 1.5 or 2.1. They are all crap.
And I saw people complaining in internet about ELM327 adapters which have even less functionality than mine.
Recording on the Road
You can create logfiles after connecting to the ECU. You can easily record a log file while you are driving.
Connect the cables and put a notebook into a saddlebag or backpack.
 |
| Show Full Size |
Delphi MT05.2
The Delphi MT05 does not implement any of the OBD2 commands.
The Delphi MT05.2 is an adapted version to comply the emission laws of some countries (e.g. in Europe).
It has a basic OBD2 support for the following commands:
| Command | Meaning | Comment |
|---|
| 01 01 | DTC Monitor Status | This information is already contained in the standard data |
| 01 03 | Open / closed loop | This information is already contained in the standard data |
| 01 04 | Calculated engine load | This value is very similar to the Throttle Position |
| 01 05 | Coolant temperature | This information is already contained in the standard data |
| 01 06 | Short term fuel trim Bank 1 | This information is already contained in the standard data |
| 01 07 | Long term fuel trim Bank 1 | This information is already contained in the standard data |
| 01 08 | Short term fuel trim Bank 2 | This information is already contained in the standard data |
| 01 09 | Long term fuel trim Bank 2 | This information is already contained in the standard data |
| 01 0B | Intake manifold pressure | This information is already contained in the standard data |
| 01 0C | Engine speed | This information is already contained in the standard data |
| 01 0D | Vehicle speed | This value is a fake. It is always zero. |
| 01 0E | Timing advance | This information is already contained in the standard data |
| 01 0F | Intake air temperature | This information is already contained in the standard data |
| 01 11 | Throttle position | This information is already contained in the standard data |
| 01 13 | Oxygen sensors present | Describes which oxygen sensors the motor has |
| 01 1C | OBD Compliance | Describes to which OBD standard the vehicle complies |
| 01 21 | Distance traveled with MIL lamp on | This value is a fake. It is always zero. |
| 01 4D | Time run with MIL lamp on | This value is a fake. It is always zero. |
| 01 7F | Engine run time | This information is already contained in the standard data |
| 03 | Stored DTC | This is the same as the historic fault code in standard data |
| 07 | Pending DTC | This is the same as the historic fault code in standard data |
| 04 | Clear DTC | This is executed with the button "Clear Fault Codes". |
| 09 04 | Calibration ID (CALID) | The version of the calibration tables |
| 09 06 | Verification No (CVN) | The checksum of the calibration tables |
By default only the highlighted OBD2 parameters are used by HUD ECU Hacker.
The others are disabled in the parameter XML file.
You can enable the disabled parameters or add more parameters to the XML file.
ATTENTION: The more OBD2 parameters you enable the slower becomes the scanning speed.
The OBD2 protocol is stupidly designed: To transfer 20 bytes it needs 5 data packets with a pause of 25 ms between each.
The OBD2 parameters are transferred one by one and each parameter needs between 100 ms and 500 ms.
If you would scan all the parameters in the table above this would take 2 seconds.
The standard MT05 protocol from Delphi is more intelligent: It sends 90 parameters in one packet of 100 bytes in only 200 ms.
The 4 highlighted parameters do not slow down scanning speed because they are fix values which are loaded only once.
The logfile Benelli TRK 251 (1 Cylinder).xml is from a Delphi MT05.2 which is EOBD (European OBD) compliant.
Download / Upload Flash Memory
The heart of the the Delphi MT05 is a 16 bit Infineon processor.
The flash memory in the processor is divided into 4 areas:
- The Bootloader is required to start up the ECU.
It will never be overwritten when flashing. This is a protected area.
- The Configuration Data will always change when you turn off the ignition key.
The ECU stores non-volatile data here, like fault codes, ignition counter, etc.
This area is not written when flashing. However the ECU's program code writes frequently here.
- The Calibration Tables are used to calculate the optimal operation of the motor depending on
factors like speed, engine load and temperature, etc. They control fuel injection, spark timing, etc.
- The Software area contains the executable program code.
You should normally not overwrite this area except you know exactly what you are doing.
| Processor |
Delphi MT05 |
Delphi MT05.2 |
| Model |
SAK-XC164CM-16F40F |
SAK-XC164CS-32F40BB |
| Flash Memory |
128 kB |
256 kB |
| RAM |
8 kB |
12 kB |
| Clock |
32 MHz |
32 MHz |
| Flash Memory |
Delphi MT05 |
Delphi MT05.2 |
| Bootloader |
000000 - 003FFF | 16 kB |
000000 - 003FFF | 16 kB |
| Configuration Data |
004000 - 004FFF | 4 kB |
004000 - 004FFF | 4 kB |
| Calibration Tables |
005000 - 007FFF | 12 kB |
005000 - 00AFFF | 24 kB |
| Software |
008000 - 01FFFF | 96 kB |
00B000 - 03FFFF | 212 kB |
HUD ECU Hacker can download the flash memory into a file (flash download).
HUD ECU Hacker can also program the flash memory from a file (flash upload).
In the main window you see the versions and the checksums of the flash memory areas.
Green means the checksum is correct. Red means it is wrong and will be fixed when uploading.
ATTENTION:
If you use a
K-Line adapter execute the
Echo Test to assure that it works correctly.
If you use an ELM327 adapter it must be a genuine OBDLink adapter.
|
Before flashing for the first time store your original flash file in a secure place!
If flashing of only the calibration tables goes wrong your ECU may still communicate over K-Line.
But if flashing the software area goes wrong your ECU will probably be bricked.
|
Tuning with Commercial Software
Tuning means to modify the calibration tables to get more power, cleaner emissions, or better fuel efficiency.
For tuning you normally have to purchase 2 expensive programs:
1.)
One program which only downloads and uploads the flash memory:
BitBox (250€, english) or
CombiLoader (base: 21500 rouble + MT05: 8000 rouble, russian, partly translated)
2.)
Another program for editing the calibration tables:
Additionally you have to buy an USB dongle (30€) which protects their software from piracy.
If you live in the U.S. you have to order from
EcuTools. Other companies will not ship to your country.
BiteEdit does not support all MT05 versions. Click
here for a list of supported calibration versions.
While BitEdit shows 36 tables for the MT05 (in english), ChipTuningPro shows more than 200 tables (in russian).
BitEdit is compared with ChipTuningPro like a toy. It has bugs and surely shows some data and axis wrongly.
3.)
Other tuning software like
ECM Titanium is even more expensive (> $1000 USD).
4.)
If you have a MT05 from Kohler or from Briggs & Stratton they sell you diagnostic software that is very restricted.
You are forced to use their proprietary adapter (> $300 USD) which acts like a dongle.
Each time you start the software, it connects with their server and checks if you have a valid license.
The license is only valid for one year.
As you see clearly: All the tuning and even ECU scanning is a very profitable business for the manufacturer companies.
Tuning with HUD ECU Hacker
With the sharityware HUD ECU Hacker you save a lot of money by not having to buy commercial software. Flash download, checksum correction and flash upload can also be done with HUD ECU Hacker.
Please do not forget to give a donation for using HUD ECU Hacker.
|
The file that you have
downloaded with HUD ECU Hacker can be displayed and modified in BitEdit or ChipTuningPro.
But you can also display the calibration tables in HUD ECU Hacker.
A big issue with the MT05 is that each ECU software version stores the calibration tables at another address in the flash memory.
This means that there is no easy way to know how many tables exist and where each table starts and where it ends.
But HUD ECU Hacker implements an intelligent algorithm which finds automatically 170 calibration tables and 500 scalar values.
This works with all software versions and is lightning fast.
However the meaning of the values in the tables cannot be determined automatically.
| Calibration Map |
|---|
 |
| Show Full Size |
|
|
| 3D Viewer |
|---|
 |
| Show Full Size |
|
|
| Hex Viewer |
|---|
 |
| Show Full Size |
|
Whenever you load a new flash memory BIN file it will be automatically analyzed and the result is written into an XML file.
This XML file has a name like "TableDefinitions_5D06BA79.xml" and contains the maps, tables and scalars that were found.
The hex number in the filename "5D06BA79" is a CRC (similar to a checksum) of the software version of the flash memory.
Each software version will generate it's own XML file because each software version stores the tables at different addresses.
HUD ECU Hacker also detects the count of rows and columns and if the table data is 8 bit or 16 bit and if the data is signed or unsigned.
The calibration data in the Delphi ECU consists only of 1 byte (8 bit) values or 2 byte (16 bit) values:
| Data | Minimum (hex) | Minimum (decimal) | Maximum (hex) | Maximum (decimal) |
|---|
| 8 bit unsigned | 0x00 | 0 | 0xFF | 255 |
| 8 bit signed | 0x80 | -128 | 0x7F | 127 |
| 16 bit unsigned | 0x0000 | 0 | 0xFFFF | 65535 |
| 16 bit signed | 0x8000 | -32768 | 0x7FFF | 32767 |
The raw calibration values must be converted into human readable values with a factor (mostly a division).
The following table shows the most frequently used factors:
| Item | Type | Factor for 16 Bit Data | Minimum | Maximum | Example |
|---|
| Rotations | Unsigned | / 4 | 0 rpm | 16384 rpm | Engine Speed |
| Pressure | Unsigned | / 256 | 0 kPa | 256 kPa | Baro Pressure |
| Temperature | Signed | / 128 | -256 °C | 256 °C | Inlet Air Temperature |
| Crank Angle | Signed | / 128 | -256 °CA | 256 °CA | Spark Advance |
| Crank Angle | Unsigned | / 64 | 0 °CA | 1024 °CA | MAP Read Angle |
| Time | Unsigned | / 64 | 0 ms | 1024 ms | Injector Time |
| Time | Unsigned | x 1 | 0 sec | 65536 sec | Enigne Runtime |
| Factor | Unsigned | / 65536 | 0.000 | 1.000 | Filter Coefficients |
| Factor | Unsigned | / 32768 | 0.000 | 2.000 | Correction Multipliers |
| Percent | Unsigned | / 655.36 | 0 % | 100 % | Fault Thresholds |
| Percent | Unsigned | / 327.68 | 0 % | 200 % | TPS Position |
| Voltage | Unsigned | / 64 | 0 mV | 1024 mV | O2 Sensor Voltage |
| Voltage | Unsigned | / 13107 (= 65535 / 5) | 0 V | 5 V | TPS Sensor Voltage |
| Voltage | Unsigned | / 2048 | 0 V | 32 V | Battery Voltage |
| Air/Fuel Ratio | Unsigned | / 2048 | 0 | 32 | perfect at 14.7 |
Nearly all factors are a power of 2. For 8 bit data obviously other factors must be used.
The Hex Viewer shows how the tables are lined up in the flash memory.
You will see some white areas in the Hex Viewer. These contain orphaned data, which the code never uses.
Some tables don't have a header, so the length and type of data cannot be auto detected. They appear purple in the Hex Viewer.
The Hex Viewer can also compare two BIN files and show the differences.
The next step after auto detection is manual: you can enter names and categories for the tables and values for the X and Y axis.
This is the work of reverse engineering, which is obviously for ECU experts only.
If you are not able to do this you have to buy commercial software.
However there is no guarantee that commercial software shows the correct meaning of the axis and uses correct multiplication factors.
Reverse engineering is always error prone, even if done by a company.
BitEdit is quite sloppy. It may read and write some scalar values at wrong addresses, swap table columns and rows or show wrong axis values.
ATTENTION: The Infineon processor reads 16 bit values only at even addresses.
If you find any tuning software reading or writing 16 bit values at an odd address (BitEdit) this is 100% sure wrong.
Delphi even inserts filler bytes to assure that all tables and 16 bit scalar values will ALWAYS start at an even address.
However 8 bit scalar values may be stored also at odd addresses.
The byte order of 16 bit values is ALWAYS low byte first without any exception.
Delphi does not use 32 bit calibration values. (It's a 16 bit processor and that much precision is not needed.)
Currently HUD ECU Hacker comes with calibration table definitions for very few software versions.
If you have added your own MT05 version and edited the tables you can send me your XML and BIN files for publishing.
HUD ECU Hacker is community software and lives also from your support.
In a future version HUD ECU Hacker will also allow to edit the calibration tables.
Adapting HUD ECU Hacker to other ECU's
The parameter scanning of HUD ECU Hacker can be adapted to other ECU's by simply editing the parameter XML file.
(The flash download / upload is Delphi only.)
First make a copy of the file
Delphi & Rongmao MT05.xml, rename it and open it in
Notepad++.
If your car/motorbike/ATV does not connect via K-Line or uses another ECU address or another initialization, adapt the red attributes below.
| <Config>
<Address ECU="0x11" Tester="0xF1" FiveBaud="0x33">
....
<KLine BaudRate="10400" Init="Fast1" TxByteDelay="0">
....
<Elm327 Protocol="5" BaudSlow="38400" BaudFast="38400">
....
<J2534 Protocol="4" BaudRate="10400" Init="Fast" ConnectFlags="0x00">
....
</Config> |
ECU addresses are normally in the range between 0x10 and 0x17 for engine controllers.
If you don't know the protocol or the ECU address, it is easy to find them if you have an ELM327 adapter.
The ELM327 allows to use protocol 0 for auto-detection. It will try all protocols until it gets a response from the ECU.
Open the Terminal and enter the following commands:
The command 'Start Communication' (81) may take a while. Wait until you get a response. If you get an error see
Trouble Shooting.
The command AT DP shows the name of the protocol and AT DPN shows the protocol number.
STEP 1:
Enter the ECU address and the protocol number into the parameter XML file.
You can convert decimal values to hexadecimal (and vice versa) with the Windows calculator after switching it to programmer mode.
You can enter decimal or hexadecinal values into the XML file as you like. Hexadecimal values must always start with 0x.
If you did it correctly you can now connect to your ECU with the button 'Connect'.
Don't forget to select your new XML file in the combobox 'Parameter File' at the top.
Check in the Trace pane that the command 81 (Start Communication) has executed without error.
STEP 2:
In the next step you have to test the commands which read the parameters:
- If your vehicle is OBD2 compliant you find the most commonly used parameters in Wikipedia.
- You can get them also by reverse engineering a scan tool or another OBD software using Sniff Mode.
After connecting to the ECU switch to the Trace pane and set the checkbox Inject Commands below.
Now you can send any command to the ECU and see the response.
Let's say you want to get the engine speed from an OBD2 compliant vehicle.
Wikipedia tells you that this is the Service 01 and the PID 0C.
In the field below in the Trace pane you type 01 0C and click the button "Send".
The ECU should answer with Header (3 byte) + Confirmation (2) + Engine RPM (2) + Checksum (1) = total 8 bytes.
So the last two bytes before the checksum are the raw engine speed.
The formula in Wikipedia says that the returned raw value (First byte * 256 + Second byte) must be divided by four.
STEP 3:
If this works successfully you can enter the new command into the XML file:
| <Command TxBytes="01 0C" RxPacketSize="2">
<RxParam Offset="0" ByteCount="2" ByteOrder="HL" Type="Unsigned"
Formula="$Val/4" Digits="0" Unit=" rpm"
UID="VRPM2"
DispName="Engine Speed"
Description="The current speed of the engine">
</RxParam>
</Command> |
ATTENTION: Please read the description at the top of the file "Delphi & Rongmao MT05.xml", which explains all attributes!
Installation
It may happen that you double click the installer and nothing happens on some Windows 10 versions.
Please right click the downloaded installer executable, select 'Properties' and check 'Unblock'.
In the toolbar at the top you can then install the drivers.
The toolbar also has a button that brings you with one click to the Device Manager, where you see all COM ports.
The toolbar has a tooltip for each button which appears when you hold the mouse over it.
 |
| Show Full Size |
Trouble Shooting
Errors when connecting to the ECU:
- The ignition key must be on.
- The kill switch must be in the position where it allows the motor to run.
- Some motorbikes require the side stand to be up otherwise the ECU will not respond.
- The voltage at ECU pins J2-18 and J2-15 (black plug) MUST be +12V otherwise you will never connect.
- It is not necessary to start the motor before establishing a connection.
- Check that you have connected the 3 wires correctly as shown in this diagram.
- The voltage of the K-Line wire MUST be +12 Volt while the adapter is connected to the ECU.
- If you use the K-Line or VAG adapter ecxecute the Echo Test to check the adapter.
- There are 2 types of timeout errors which indicate different errors:
- Timeout waiting for echo means always that you have a hardware problem or the wrong COM port.
- Timeout waiting for response (or received garbage characters) with ELM327 adapter may mean that the baud rate is wrong.
You can change the baudrate in the XML parameter file. Normally the ELM327 has a default baudrate of 38400 baud.
However my genuine OBDLink adapter has a default baudrate of 115200 baud.
- Timeout waiting for response with K-Line / VAG adapter may happen rarely.
The reason is that the ISO 14230 protocol is very time critical. It demands 50 ±1 ms for the fast init.
But Windows as a multitasking OS is not very precise and the interval seen on an oscilloscope may vary from 45 ms up to 70 ms.
If the interval between fast init and the command 'Start Communication' exceeds the limits the ECU does not respond.
If you get this type of timeout error, try the following:
- Click 'Connect' several times until it works.
- Some adapters (red cable from Taobao) do not support the way how HUD ECU normally generates the fast init pulse.
Try changing <KLine Init="Fast1"> into <KLine Init="Fast2"> in the XML parameter file.
- For slow computers you can enter a K-Line timing correction which is added to the 50 ms interval:
ATTENTION: If you enter a wrong value here you may screw up the fast initialization forever.
If changing this value did not solve your problem, reset the correction to zero otherwise you may never be able to connect.
- BUSINIT: ERROR from the ELM327 adapter means that the ELM327 did not receive a response from the ECU.
The chinese clones of the ELM327 send the Fast Init and then their own 'Start Communication' command C1 33 F1 81 66.
They always use the hard coded functional ECU address 0x33 for the very first command.
For the Delphi MT05 this is no problem. It answers this request although it has the physical address 0x11.
But 0x33 may be an invalid address for other ECU's. The chinese ELM327 clones do not allow to change the ECU address.
If you have an ECU which does not answer at all use a K-Line or J2534 adapter instead and adapt the ECU address in the XML file.
If you have any problem you can send me a log file of the Trace pane with the error message.
You can write me in english, german or spanish.
But first read this help!
You find my email at the end of the help file.
Appendix
Self-Learning Data
The Delphi MT05 is able to 'learn'.
The oxygen sensors measure the oxygen in the exaust which indicates if the mixture of air and fuel is optimal.
If you have a dirty air filter or a worn out fuel pump the ECU can correct this up to a certain limit.
There are many myths about an ECU reset procedure. You normally don't need that.
Even if such a procedure exists don't expect that it will solve your problems.
The ECU has it's own intelligence how to manage this data and does not need your help.
Apart from that each manufacturer stores his own software version in the ECU.
This means that it depends on the brand and model if such a reset procedure exists and how it is executed.
The only way to know this for sure is by reading the service manual of your vehicle.
If you find nothing about an ECU reset procedure in the manual it probably does not exist.
Rescue a bricked MT05
If you have uploaded a wrong flash file or interrupted the upload you may have 'bricked' your ECU.
A 'bricked' ECU will neither allow to start the motor nor will it respond on K-Line.
'Bricked' means that your ECU is now as useful as a brick. Congratulations!
In this case you have to switch the ECU into 'bootloader mode' and then you can connect again.
Unplug the plugs J1 and J2 and connect the ECU only to the battery and the K-Line or J2534 or ELM327 adapter:
 |
| Show Full Size |
You need one jumper between pins 10 and 17 and another jumper between pins 11 and 16.
This switches the ECU into 'bootloader mode' and allows to upload a valid flash file.
Additionally you connect +12V to pins 15 and 18, Ground to pin 2 and K-Line to pin 3.
The first 16 kB of the flash memory contain the bootloader.
This memory area will never be overwritten when you upload a flash file.
This assures that the bootloader stays always intact even when flashing goes wrong.
Crankshaft Position Sensor
The crankshaft position sensor reports the exact position of the crankshaft to the ECU.
The ECU needs this to calculate the moment of spark generation and of measuring the Intake Air Pressure sensor.
On the crankshaft there is a flywheel with teeth every 15 degree. Each tooth induces a pulse in a fixed pick up coil.
There are 24 positions on the 360 degree rotation. One of them is missing, so there are 23 pulses per rotation.
The gap from the missing tooth indicates the position near BDC (Bottom Dead Center) of cylinder 1.
Example: The motor runs with 1500 rpm. This is 1500 / 60 = 25 rotations per second = 40 ms per rotation.
This oscilloscope capture measured at ECU pin J2-04 shows the 25 * 23 = 575 pulses/second.
 |
| Show Full Size |
The faster the motor runs the higher becomes the voltage.
The logfile Benelli TRK 251 (1 Cylinder).xml shows several CKP Sensor Errors which are increasing with the time.
But they are still not enough to turn the MIL/EFI indicator light on.
