2023-06-15 HUD ECU Hacker

• HUD ECU Hacker is a universal OBD scanner software for ECU's with K-Line or CAN bus.
• It can even be used with ECU's which are not OBD2 compliant.
• HUD ECU Hacker is charityware.
• 

• https://netcult.ch/elmue/HUD%20ECU%20Hacker/

• HUD ECU Hacker is a universal OBD scanner software for ECU's with K-Line or CAN bus.
• It can even be used with ECU's which are not OBD2 compliant.
• HUD ECU Hacker is charityware.

• HUD ECU Hacker can scan all ECU's from all motorbikes, ATV's, cars and trucks if they support the OBD2 protocol.
• OBD2 also permits to see and clear the fault codes (DTC = Diagnostic Trouble Codes) that the ECU is reporting.
• OBD2 is supported by all newer vehicles, but gives few details for the service technician
• because it's only purpose is to control the compliance of exhaust emission laws.

• Additionally HUD ECU Hacker has implemented the vendor specific (proprietary) parameters of the following ECUs.
• These give more details than the OBD2 parameters, but they are a secret of each vendor and not published anywhere.
• The vendor specific parameters can only be found by analyzing the data traffic.
• Implementing full flashing support for a new ECU (calibration upload / download / editing) is a huge work of an entire year.

• The vendor specific parameters of the following ECU's are currently not implemented but a manual is available.

• More ECU models will be added in the future. You can also add your own ECU.
• HUD ECU Hacker can be extended by the user by adding XML files.
• By defining the commands, parameters and formulas it can be adapted to other ECU's. See below.

• I have a Regal Raptor 350 motorbike (still sold in 2021) which always ran perfectly…
• 
  Motorbike Regal Raptor 350
• …until one day the EFI light turned on, which indicates a fault. (EFI = Electronic Fuel Injection)
• On other motorbikes it is named MIL (Malfunction Indicator Lamp) or CEL (Check Engine Light) or FI (Fault Indicator).
• 
  Regal Raptor EFI Lamp
• Although the engine was running without noticeable problem, something was wrong.
• I read in internet that all modern cars and motorbikes have an OBD2 plug (OBD = On Board Diagnostics).
• The ECU (Engine Control Unit) of the vehicle informs about the cause of the fault by returning a DTC (Diagnostic Trouble Code).
• I searched for OBD2 software which shows me this error code.
• I found that nearly all software is paid software and not working without buying a license.
• Or even worse: Some companies sell software together with hardware which acts as a dongle.
• I tested for example PCMScan from Palmer and found that it is not able to read one single parameter of my motorbike:
  • 
    PCMScan cannot scan Delphi MT05 ECU
• The software told me that it has connected, but all parameters were marked with a red cross inidicating that the ECU does not support this parameter.
• Not even such a basic parameter like 'Engine RPM' was displayed, nor did I see any fault code.
• I analyzed the data traffic and found that the ECU answered all commands with 0x7F, which is an error code.
• What a luck that I did not purchase a license for this software, which is completely useless for me!
• All OBD2 software that I tested was not able to communicate with my motorbike.
• The Regal Raptor 350 uses a Delphi MT05 ECU.
• The older MT05 ECU is not OBD 2 compliant.
• The newer Delphi MT05.2 implements a basic OBD2 support.
• But OBD2 was designed to check that a vehicle complies the emission laws.
• OBD2 data has a limited usefulness for the service technician.
• HUD ECU Hacker can display the OBD2 data from any vehicle, but much more useful is the vendor specific scan data.
• HUD ECU Hacker displays 90 detailed scan parameters with vendor-specific information of the Delphi MT05 which you will not find in any “universal” OBD2 scantool.

• To scan the MT05 you would normally have to buy an expensive scantool like this.
• On Youtube there is a video showing how to use it.
• 
  Scantool Motorscan KF90121
• 
  Scantool Motorscan KF90121
• It comes in a suitecase which is bigger than a notebook. Price is approx $200 - $300 US.
• It is very primitive: It has only 5 buttons and the LCD display displays only 2 parameters at once.
• You have a much better display of all 90 parameters at once by using a notebook with HUD ECU Hacker.

• 
  Delphi MT05 ECU and PCB
• The Liteon MC21 is used in Quads from Hercules and CECTEC. It has a Motorla MC9S12D64 processor.
• The Delphi MT20, MT22, MT60, MT80 control 4 cylinders. They are used in cars.

• The Delphi MT05 controls 1 or 2 cylinders. It is used mainly in motorbikes, ATV's and UTV's.

• The Delphi MT05 & MC21 Manual (PDF) shows how these ECU's are connected.
• The older Liteon MC21 connects with 9600 baud.
• The MC21 diagram can be found in the Delphi Manual. You will not find a pin for the MAP sensor.
• The MC21 has the MAP Sensor built into the ECU. The ECU is connected with a hose to the manifold.
• Page 76 shows the 6 pin diagnostic plug (ECM connector)
• The Delphi MT05 and MT05.2 use the ISO 14230 protocol over K-Line at 10400 baud and Fast Init.
• The Delphi MT05.3 uses CAN bus while K-Line is optional and it's functionality is crippled.
• I added several missing details to the following MT05 diagram:
  • 
    Delphi MT05 circuit diagram
• The following table shows the pins of the MT05.3 which may be configured by the manufacturer in the calibrations.
• Some pins may also be configured for testing purposes.

• 4 cylinder engines have 2 ECUs where the first ECU is connected to the analog TPS sensor and sends a digital TPS signal to the second ECU (J1-6 to J1-15).

• HUD ECU Hacker supports the following adapters to connect with the ECU, which are described in the following chapters:
  • 1. K-Line (VAG) adapter (only K-Line)
  • 2. J2534 (e.g. Tactrix Openport) adapter (K-Line + CAN bus)
  • 3. ELM327 / OBDLink (USB, Bluetooth, WIFI) adapter (K-Line + CAN bus)
  • 4. ZLG (Polaris) UsbCAN adapter (only CAN bus)
• All these adapters have a standardized plug with 16 pins: The J1962 plug.
• ATTENTION: These adapters are never connected directly to the plugs at the ECU.
• Motorbikes and ATV's have a separate diagnostic plug which is normally under the seat.
• Most motorbikes and ATV's with the Delphi MT05 use the original ECM plug from Delphi (a black / yellow plastic plug with 6 pins).
• AJP uses it's proprietary DB9 plug.
• 
  Connecting J1962 to Delphi ECM diagnostic plug or AJP DB9 plug
• You only have to connect 3 wires between the J1962 plug of the adapter and the motorbike: Ground, +12V and K-Line.
• There are also 2 pins for CAN bus. But the firmware does not use them. They are only for the Delphi developers.
• Normally pin 5 (Diag) is connected to the MT05 pin J1-16 (diagnostic switch) which enables Diagnostic Mode when switched to ground.
• You can prove this easily in the dashboard. The blue ball must appear when you connect pin 5 (Diag) and pin 2 (Ground):
  • 
    Delphi MT05 Diagnostic Mode
• The meaning of 'Diagnostic Mode' depends on scalar 'J1-16 Input Usage' in the calibrations:
  • 'J1-16 Input Usage' = 0 means that the pin is ignored (disabled).
  • 'J1-16 Input Usage' = 1 resets the EEPROM at next key-off (see Self-Learning).
  • 'J1-16 Input Usage' = 3 applies an alternate fuel cut-off if also scalar 'Alternate Overspeed Fuel Cutoff' is enabled.
• Some Benelli motorbikes put a dummy plug with a jumper between 4 and 5 onto the ECM plug.
• The LCD display in the dashboard is connected to pin 5 and sends commands over K-Line to obtain the coolant temperature from the ECU.

• The following shows the order of most recommended to least recommended adapters:
  1. Genuine Tactrix J2534 (100% recommended)
  2. Chinese J2534 (not Mini-VCI fake!)
  3. K-Line (not if your ECU uses CAN bus)
  4. Genuine Scantool OBDLink USB
  5. Genuine Scantool OBDLink Bluetooth
  6. Chinese fake ELM327 USB
  7. Chinese fake ELM327 Bluetooth
  8. Chinese fake ELM327 Wifi (most stupid design of all)
• If your ECU uses the CAN Raw protocol the ONLY adapter which will work is J2534.
• Read the following chapters for more details.

• The cheapest (but not perfect) option to connect to an ECU with K-Line protocol is using a VAG KKL adapter (approx $5 USD).
• IMPORTANT:
  • The ISO 14230 fast initialization requires a very precise timing.
  • K-Line adapters do not have a microprocessor, so the timing depends on the computer.
  • Windows is not a real-time operating system and delays are normal.
  • But K-Line adapters work very well on most computers. Only a few users have reported connection problems.
  • In case of a connection error close all software on your computer which consumes much CPU and try to connect multiple times.
  • See chapter Trouble Shooting.
  • VAG KKL Adapter
    
  • VAG KKL Adapter
    
    VAG KKL Adapter circuit diagram
• The +12V on the diagnostic plug are always present, even when the ignition key is off.
• If you don't need the adapter anymore don't let it connected for hours because it permanently draws current from the battery.
• In the HUD ECU Hacker toolbar (button “Install USB driver”) you can install the drivers for all types of K-Line adapters.
• If you live in Iran you can request a free K-Line adapter. Contact EfixMotor in China.

• You can also build your own K-Line adapter with a cheap (approx $1 USD) USB to RS232 adapter and 2 transistors.
• For a quick testing this can be built on a breadboard.
• IMPORTANT: Build your own adapter ONLY if you have experience with electronics!
• I receive emails from beginners who fail to build their own circuit. I will not give you support for this.
• Buy a complete adapter if you do not understand how a transistor works.
• Simply forget it if you don't even have an oscilloscope.

• If you already have an USB to RS232 adapter you can use it.
• But cheap adapters contain the chinese CH340 chip which may produce problems.
• ISO14230 RS232 to K-Line Adapter circuit
  
• The signal must be inverted from RS232 to K-Line and back.
• The RS232 lines TxD and RxD are low when idle, while K-Line is high when idle.

• You can also use a breakout board with the high quality FTDI chip.
• In this case the Rx and Tx signals must not be inverted.
• The Tx and Rx pins of the FTDI chip are high when idle.
• This board has two LED's which are flashing when data is transferred on Rx and Tx.
• 
  ISO14230 RS232 to K-Line Adapter circuit with FTDI chip
• K-Line is half duplex, so only the computer or the ECU can send data alternately, but not at the same time.
• All data sent from the computer via TxD is then received as echo on RxD.
• The computer will always first receive the echo of it's own command and then, after a pause, the response from the ECU.
• This allows to easily detect connection problems. If no echo is received, there is always a hardware problem.
• HUD ECU Hacker always verifies the echo but it does not show the echo in the Trace pane, except the echo is corrupt.

• You can buy a J1962 Female Connector and solder the 3 wires to 3 pin headers which perfectly fit into the ECM plug.
• J1962 plug to Delphi ECM plug diagnostic cable
  
• Or you buy the 6 Pin Furukawa FW090 Male Connector FW-C-6M-B at Cycleterminal: here or at Taobao: here or here or here.
• Or you search on Google for more companies selling this plug on eBay, Alibaba or AliExpress.

Then you can either use a crimping plier or solder the wires to the contacts and build your cable as shown in this video.

• If you have time you can also buy a complete cable in China. Shipping may take between 1 and 3 months.
• Cable USB to ECM from Taobao
  
• Cable J1962 to ECM from AliExpress
  
• The red cable from Taobao has a very limited support of baudrates.
• In the window “Configure Adapter” you must switch to Fast Init Mode 2 otherwise you get a timeout when connecting.

• I discovered 2 severe problems with cheap chinese USB to RS232 adpaters containing the widely used CH340 chip.
• 1. Problem: The defective driver from the manufacturer WinChipHead produced a blue screen.
  • This happend when the computer went to sleep or was shut down while the USB cable of the adapater was plugged in.
  • Solution: I found that the latest driver version 3.5 from 2019 (which is WHQL certified) fixes this problem.
  • I implemented the installation of the driver version 3.5 into HUD ECU Hacker (toolbar button “Install USB driver”).
• 2. Problem: I found that several of my CH340 adapters sometimes send crippled data. Mostly they send 0x00 instead of 0xFA.
  • Solution: There is no solution. These adapters are garbage and must be thrown into the dustbin.
  • The faulty adapters have firmware version 2.54. I found another one with firmware version 2.63 which works correctly.
• Therefore I implented the Echo Test into HUD ECU Hacker. It sends data to K-Line and verifies the echo.
• Here you see the test result of a faulty CH340 adapter (green = correct response, red = wrong response):
• 
  Echo test detects CH340 bug
• You can execute the echo test after connecting the K-Line / VAG adapter to the motorbike.
• But turn the ingnition key OFF so the ECU switches to sleep mode.
• The echo test will fail if you connect only the adapter over USB to the computer. The +12V are required.
• The +12V at the ECM plug are connected directly to the battery and are not affected by the ignition key.
• You can also test the pure USB to RS232 adapter by connecting RxD (pin 2) directly to TxD (pin 3).
• Additionally the Echo Test measures the speed of your computer and adapter sending data blocks and single bytes.

• J2534 adapters are the recommended choice. They support K-Line and CAN bus.
• J2534 (PassThru) is an international standard for reprogramming ECU's.
• If you are interested in the details read the API Documentation (PDF) for programmers.
• The genuine J2534 adapters (for example Tactrix OpenPort or Drewtech Mongoose) are very expensive ($180 … $500 USD).
• There are also chinese clones like the VISLONE Tactrix Scanner for 30€ which have been reported to work fine.
• You can buy a cheap J2534 adapter from EfixMotor in China.
• ATTENTION: Do not buy XHorse Mini-VCI adapters. They are Chinese fake garbage. They do NOT work with HUD ECU Hacker!
• Genuine Tactrix
  
  J2534 Tactrix OpenPort adapter
• Genuine Adapter Top
  
  J2534 Tactrix OpenPort PCB
• Genuine Adapter Bottom
  
  J2534 Tactrix OpenPort PCB
• Do NOT buy!
  
  J2534 Mini VCI fake garbage adapter
• When you plug in the adapter for the first time Windows installs a default driver and assigns a COM port.
• ATTENTION: This is the wrong driver and the COM port will never work.
• In the HUD ECU Hacker toolbar (button “Install USB driver”) you can install the original Tactrix driver.
• After installing the correct driver the COM port will disappear and a J2534 device will show up in Control Panel:
  • 

• ELM327 / ObdLink /Scantool adapters support K-Line and CAN bus.
• There are 3 types of ELM327 adapters:
  1. Chinese ELM327 clones:
     • The internet is full of fake ELM327 adapters. You find them on eBay, Amazon, AliExpress, etc.
     • All these adapters are garbage. The Chinese did not even implement half of the command set.
     • You send a command to the adapter, it answers with 'OK' but it does not execute the command.
     • These adapters are fraud. All adapters for less than $40 USD are fake!
     • DO NOT BUY THIS CRAP!
     • If you already have one you can use it to scan the parameters, but ECU Emulator and Data Slewing and Flash Up/Download will not work.
  2. Genuine ELM327 adapters:
     • Genuine ELM327 adapters have the ELM327 chip inside. Download Datasheet (PDF)
     • 
     • Elm Electronics ELM327 chip
     • ELM Electronics sells only the ELM327 chip ($21 CAD), but they do not offer an own adapter.
     • Genuine adapters are difficult to find because very few companies offer them: WGsoft (105€), Warenhuis (109€).
     • But even if you have a genuine adapter, Flash Upload will not work because they do not support to set a long timeout.
  3. Genuine OBDLink adapters:
     • Genuine OBDLink adapters have a STN11XX chip inside. Download Datasheet (PDF)
     • Scantool.net STN1110 chip
     • They are sold by Scantool and ObdLink ($40 USD).
     • 
     • They implement the same AT commands as genuine ELM327 adapters and have additional ST commands.
     • If you want to use an ELM327 adapter you should ONLY buy it from Scantool or OBDLink.
     • My adapter was sold with a very old firmware. Don't forget to update the firmware.
     • Even in a genuine OBDLink adapter I found a severe bug. But I also found a workaround.
     • Even with the genuine OBDLink adapters the ECU Emulator will not work.
• ELM327 adapters are a misdesign. They are also significantly slower than the other adapters.
  • They have too many commands which makes programming complicated.
  • Instead of leaving the intelligence in the controlling software (as J2534 adapters do) all the intelligence is in the chip.
  • The chip must be configured with hundreds of commands.
  • Instead of transmitting binary data directly (as J2534 adapters do), they use ASCII strings, which is simply a bad design.
  • ISO 15765 data is passed by the adapter with missing CAN ID or must be parsed in the controlling software (STUPID design!)
  • Instead of using internally an USB capable processor (as J2534 adapters do) they convert USB first to RS232 which is slower
  • and the COM port must be configured with the correct baudrate, while J2534 adapters neither need COM ports nor baudrates.
  • Another issue is that the ELM327 can store configuration in non-volatile memory resulting in not predetermined behaviour.
  • None of the ELM327 adapters (not even the genuine) supports the CAN Raw protocol.
  • So, if you already have a ELM327 or OBDLink adapter study the Trace pane to see how many errors you get.
  • But if you don't have an adapter yet, do not buy it. See summary above.

• EML327
  
  Original ELM327 circuit diagram
• OBDLink
  
  Original OBDLink circuit diagram

• Do NOT buy any of the cheap Chinese ELM327 adapters which are sold on Amazon or eBay!
• They are all fake and work only partially. Many ELM327 commands are buggy or even not implemented at all.
• If you see one of the following errors in the HUD ECU Hacker Trace pane, the Chinese have betrayed you:
  • 
    Chinese fake ELM327 adapter errors
• The buffer of the fake adapters is so tiny that it cannot even receive a 128 byte ECU response!
• So you can only scan the OBD2 commands which give few information, but not the detailed vendor specific commands.
• You will see none of the above errors if you use a genuine OBDLink adapter.

• Chinese Clone (ELM327 adapter USB)
  
• Chinese Clone (ELM327 adapter USB PCB chinese clone)
  
• Some chinese USB adapters use a counterfeit PL2303 chip (right photo) which converts from USB to RS232.
• On Windows XP and Windows 7 this works perfectly.
• But on Windows 8 and 10 the latest drivers from Prolific detect the counterfeit chip and refuse to work.
• The driver returns the undocumented Error 433: “A device which does not exist was specified.”
• If you connect the adapter and Windows 10 does not find an installed driver it downloads the latest version 3.8 from Windows Update and you will see a yellow exclamation mark or a 'PHASED OUT' error:
  • 
    Device Manager Error Prolific counterfeit PL2303 chip
• Do not use the drivers from a CD or from Windows Update.
• I have implemented the driver installation into the toolbar at the top of HUD ECU Hacker.
• Install the Prolific driver version 3.3 from 2008 which also works on Windows 8 and 10.

• Chinese Clone (ELM327 adapter Bluetooth)
  
• Chinese Clone (ELM327 adapter Bluetooth PCB chinese clone)
  
• On the right photo you see that there are several SMD parts missing (4 transistors and 16 passive components).
• This means that the J1850 bus will not work. Only CAN and K-Line are implemented.
• If a vendor sells this as a universal ELM327 adapter, this is a fraud.
• However, the J1850 bus was used by older GM and Ford vehicles, but is not used in modern cars anymore.

• Follow these steps on Windows 10 to add a bluetooth adapter: (on Windows 7 it is similar)
• Configure Windows 10 for Bluetooth
  
• If it was successful you see 2 COM ports in device manager:
  • 
    Device Manager Bluetooth ELM327 COM ports
• One of the COM ports will work while the other one will not be functional.
• Simply open the COM ports in HUD ECU Hacker and try them (the LED “PC” on the adapter should flash).

• 
• These adapters are the most stupid design because they represent a WIFI access point.
• Mostly they respond on the fix IP address 192.168.0.10 and port 35000 without WIFI password.
• The problem is that you must disconnect your notebook from your router to connect it to the adapter.
• So after connecting to the OBD adapter you lose internet access.
• The signal strength and maximum distance between computer and adapter are worse than with Bluetooth adapters.
• The adapter uses the most used Wifi Channel 11. So conficts with your or your neighbour's router are probable.
• There is absolutely no reason why should buy these adapters.

• 
  ZLG Polaris UsbCAN Adapter
• If you already have a Chinese ZLG (Polaris) UsbCAN adapter, you can use it with HUD ECU Hacker.
• However, do not buy one because it supports only CAN bus and the driver is worst Chinese 'quality' with many bugs.
• Most of the pins are fake. Only the uppermost (CAN0H and CAN0L) are connected internally.
• The LED's are extremely stupid: Red LED blinking means OK. Green LED illuminated means CAN bus error.
• To install the driver click the toolbar button Install USB driver in HUD ECU Hacker.

• The ISO 9141 protocol is the oldest of the standardized OBD protocols. It is quite primitive.
• The data transfer on K-Line (Pin 7) is like RS-232, sending the least significant bit first, but the voltage is inverted.
• 
  ISO9141 K-Line 5-Baud Init
• ISO 9141 uses the extremely slow 5 Baud Init to wake up the ECU. It takes 2 seconds to transmit the address byte (0x33).
• Some ECU's require this 5 Baud Init to be sent additionally on L-Line (Pin 15).

• Here you see the first OBD2 command 01 00 (Request supported PID's) and the response from the ECU.
• The command is embedded into a packet which starts with a header and ends with a checksum.

• Command  (from PC): 	68 6A F1 ( 01 00 ) C4
  Response (from ECU):	48 6B 11 ( 41 00 BE 36 B0 03 ) A9

• ISO 9141 does not define error codes.
• The ECU simply does not respond when it does not understand a command.

• The Keyword 2000 protocol (KWP 2000) is defined in ISO 14230. It offers much more functionality than ISO 9141.
• ISO 14230 normally uses Fast Init to wake up the ECU.
• Fast Init means that the K-Line goes low for exactly 25 ms and then high for 25 ms. After that the communication starts with 10400 baud.
• However, there are a few ECU's which combine the ISO 14230 protocol with 5-Baud Init.
• On the left you see the fast init, followed by the command 'Start Communication' and the response from the ECU.
• On the right you see long pauses between the bytes which are needed if the ECU is old and very slow.
• ISO14230 K-Line 'Start Communication' on oscilloscope
  
• ISO14230 K-Line inter byte delays on oscilloscope
  
• In detail the command 'Start Communication' (Service = 81) looks like this:

  Command  (from PC): 	81 11 F1 ( 81 ) 04
  Response (from ECU):	83 F1 11 ( C1 EF 8F ) C4

• The Delphi MT05 uses the address 11. The application on the PC (the tester) uses the address F1.
• The MT05 responds with 2 key bytes EF and 8F which define how the ECU wants the commands to be formatted.
• They define how to transmit the packet length and if the source/target addresses are to be sent.
• You see the meaning of the key bytes in the Trace pane in magenta when connecting.

• The first header byte is called format byte.
• It may contain the packet length and it's bits define if addresses are sent and the type of addresses (physical, functional).
• To simplify reading the binary data HUD ECU Hacker displays the data bytes in parenthesis in the Trace pane:
  • 81 11 F1 ( 81 ) 04
  • 83 F1 11 ( C1 EF 8F ) C4
• The other bytes are not really interesting as they are generated automatically.
• The following table shows a long response (102 data bytes) which contains an additional length byte (header 4).

• HUD ECU Hacker tries first to connect with the physical address defined in the parameter XML file (Default = 0x11).
• If this fails it waits 5 seconds and tries again with the functional address 0x33.
• A physical address (format byte contains 0x80) means that one specific device on a bus is addressed.
• A functional address (format byte contains 0xC0) is like a broadcast address to a group of devices.
• There are functional addresses for Steering Controllers, ABS Systems, Air Condition, Audio, Lightning, etc.
• The functional address 0x33 is used to address “Engine Controllers” (ECUs).
• As normally only one ECU is connected this can be used when the physical ECU address is unknown.
• As you see here the ECU responds to the functional address 0x33 with it's physical address 0x11:
  • C1 33 F1 ( 81 ) 66
  • 83 F1 11 ( C1 EF 8F ) C4
• The Delphi MT05 does not need functional addressing, but there are strange ECU's which do not respond to their own physical address!

• ISO 14230 defines several error codes which the ECU can return.
• If the ECU does not understand a command it sends 7F (failure) followed by the service and the error code.

• If the ECU does not receive commands it switches to sleep mode after 5 seconds.
• While HUD ECU Hacker is polling data this will never happen because polling takes place 3 to 5 times per second.
• Only if you switch to manually enter commands (in the Trace pane), polling stops and HUD ECU Hacker sends a Keep-Alive every 3 seconds.
  • Command (from PC): 81 11 F1 ( 3E ) C1
  • Response (from ECU): 81 F1 11 ( 7E ) 01

• Newer vehicles are equipped with CAN bus which uses 2 wires (CAN Hi and CAN Lo) and runs mostly at 250 or 500 kbaud.
• Many controllers and sensors may be connected to the same bus. Each endpoint has at least one unique ID.
• The neutral voltage on CAN bus is 2.5 Volt. Each endpoint has a transmitter which pulls CAN Hi up and CAN Lo down.
• The receiver measures the difference between CAN Hi and CAN Lo which makes CAN robust against electromagnetic interference.
  • 
    CAN Bus termination
  • 
    CAN Bus transceiver MCP2551
• Below you see a raw CAN frame which contains the identifier (11 bit or 29 bit) and max 8 data bytes.
• Data transfer is very robust because a 15 bit CRC assures that each frame is received without error.
  • 
    CAN Bus packet on oscilloscope
  • 
    CAN Bus data frame
• Additionally an intelligent arbitration system in each endpoint detects if 2 endpoints try to send data at the same time.
• In case of such a collision it is clearly defined which enpoint has priority.
• The endpoint which loses arbitration must stop transmission and try to send the packet later again.
• The CAN bus Identifier (ID) is similar to the ECU address in ISO 14230 protocol.

• If your ECU uses the CAN Raw protocol you will see completely undocumented and proprietary packets which differ with each vendor.
• Mostly these ECU's have one address (ID) on which they receive commands and multiple addresses on which they send responses.
• There are also ECU's which autonomously send data on some addresses. They are permanently flooding CAN bus with data packets.
• Mostly these data packets contain MIL status, engine speed and temperature which are displayed by the dashboard.

• The ISO 15765 protocol can transmit a payload of up to 4095 bytes in multiple raw CAN frames of 8 bytes.
• It occupies the first data byte of each CAN frame as a control byte.
• The first byte may define that the frame is a SF (Single Frame) which transmits only 7 data bytes.
• Or a FF (First Frame) followed by multiple CF (Consecutive Frames) and FC (Flow Control Frames) transport a larger payload.
  • 
    ISO 15765 Data Transfer
• OBD2 compliant ECU's with 11 bit ID mostly reveive commands on address 7E0 and send responses on 7E8.
• If your vehicle has more than one ECU, the second ECU may use the pair 7E1 / 7E9.
• OBD2 compliant ECU's may use the range 7E0 … 7E7 for receiving and 7E8 … 7EF for responding.
• The tester can send a command to the broadcast address 7DF where all connected ECU's must respond with their own address.
• ECU's with 29 bit ID use 18DB33F1 for broadcast and 18DAF1xx for commands and 18DAxxF1 for responses.
• ECU's with ISO 15765 protocol may additionaly send autonomous CAN Raw packets on other addresses.
• Mostly these data packets contain MIL status, engine speed and temperature which are displayed by the dashboard.

• If you sniff the CAN bus traffic in a car or a truck you get a tremendous amount of data.
• CAN bus traffic comes from ECU, ABS, air bags, seat belts, multimedia, door sensors, window- and mirror control, and more.
• A filter and a mask will be needed to exclude all traffic on the CAN bus except with the ECU.
• But even if you only connect one ECU which autonomously sends packets you may want to exlude them from the sniffed data.
• The filtering also tells the adapter which packets to acknowledge (set the bit in the ACK slot of the CAN frame).
• If HUD ECU Hacker runs in sniff mode it will never modify the ACK bit.
• Otherwise, when communicating with the ECU or in Emulator mode the received packets must be ACKnowledged.
• If a CAN packet is not ACK'ed by the receiver the sender assumes that it was not received and sends it again.
• If a CAN packet is not ACK'ed mutiple times the sender generates an error and stops the communication.
• For CAN Raw protocol you must enter RespFilter and RespMask in the parameter XML file.
• For ISO 15765 these are not needed. You enter a fix RespID instead.
• For Sniffing you can use the following window to define the filter and mask:
  • 
• In the field 'Response ID' enter an ID on which the ECU responds and the filter and mask will be calculated automatically.
• Example 1.)
  • If you know the ECU ID enter it into the field 'Response ID'.
  • If you enter 7E8, the filter and mask will be calculated as 7E8 and 7FF.
• Example 2.)
  • Otherwise use the letter 'X' to specify that a digit does not matter (e.g. 7EX). A digit corresponds to 4 bits.
  • If you enter 7EX, the filter and mask will be calculated as 7E0 and 7F0.
• Example 3.)
  • If the precision of 1 digit = 4 bits = 16 matches is not enough you must enter filter and mask manually.

• Each bit in the mask which is one defines that the same bit in the filter must match the same bit in the ID of the received CAN frame.
• Each bit in the mask which is zero defines that the same bit does not matter, neither in the filter nor in the ID of the received CAN frame.

• The Delphi manuals for MT05 and for MT20 explain a software PCHUD.
• PCHUD ('Heads Up Display' for PC) is a very old program from Delco Electronics written in 1993 for Windows 3.
• The manual for the MC21 explains a software Diag Tool from LITEON written in 2009.
• Previously these were the only programs that could communicate with these ECU's.
  • PCHUD (MT05) Delco Electronics PCHUD software
    
  • DiagTool (MC21) LITEON Diag Tool Software
    
• Today it is practically impossible to find this software in internet.
• I found lots of dead links and a fake PCHUD download on a chinese website which was a trojan.
• But in the forum China Riders I found a thread from the (ex)user 'katflap' talking about PCHUD.
• Only thanks to 'katfalp' I could still in the year 2020 download and analyze this software.
• The ancient 16 bit program PCHUD does not run on 64 bit Windows because Microsoft has removed the support for 16 bit applications on 64 bit platforms.
• Running it on a 32 bit Windows in the 16 bit emulator (NTVDM.exe) I notice that it permanently occupies 100% of one CPU core.
• While PCHUD is displaying the data from the ECU it sends every 200 ms the same command (21 01) which the ECU responds with a data block of 100 bytes.
• This 'parameter polling' looks like this:
  • MT05 parameter polling on oscilloscope
    
• It was a lot of work to analyze which meaning has each of the 100 bytes in the response and to find the formulas which convert the raw values into temperature, voltage and pressure.

• The ancient PCHUD from Delco is obsolete because
  • it supports only one ECU model (MT05)
  • it does not run on 64 bit Windows
  • it occupies permanently 100% of a CPU core
  • it cannot be connected over an ELM327 or J2534 adapter
  • it cannot clear DTC fault codes (the menu is permanently grayed out)
  • it can only display 36 parameters at the same time
  • it shows the gauge for negative values wrongly
  • it is clumsy to use and uses undocumented PAR, HUD, SLW, LGC, LGG, SCR, CFG and PLY files
• The Diag Tool from LITEON is obsolete because
  • it supports only one ECU model (MC21)
  • it is a very sloppy software with ugly bugs
  • it cannot be connected over an ELM327 or J2534 adapter
  • it shows definitely wrong data for some parameters
  • it can only display 36 parameters at the same time
  • in the english version many translations (from Chinese) are missing
• The new HUD ECU Hacker from ElmüSoft
  • runs on Windows XP, 7, 8, 10 and 11 (not on Linux)
  • runs on 32 bit and 64 bit Windows
  • supports K-Line, J2534, ELM327 (USB, Bluetooth, Wifi) and UsbCAN adapters
  • can install the Windows drivers for all supported adapters
  • supports multiple ECU models over K-Line and CAN bus
  • automatically detects protocol, baudrate, bus init when using parameter file 'Autodetect OBD2.xml'
  • shows fault codes (DTC) with a text explanation
  • can clear fault codes (if supported by the ECU model)
  • shows all ECU parameters at once in a user-configurable dashboard (90 params for the MT05)
  • shows detailed tooltips for all parameters and their meaning
  • can be adapted to any ISO 9141 / 14230 / 15765 / CAN Raw ECU by editing 3 XML files
  • the user can enter formulas to convert raw data into temperature, voltage or pressure
  • can capture the parameter data from the ECU in a logfile
  • can export a logfile to a CSV file
  • can create graphs from a logfile
  • shows the entire communication with the adapter in the Trace pane
  • allows you to manually enter commands and send them to the ECU for testing
  • has a built-in CAN bus debugger / analyzer
  • can emulate any ISO 14230 or ISO 9141 or ISO 15765 or CAN Raw ECU
  • the emulator has a built-in formula finder
  • can sniff the data traffic on the bus (for example from a scan tool or from another OBD software)
  • can sniff ISO protocols, CAN Raw, Honda Keihin and KW 1281
  • can extract vendor specific PAC files for MT05, MT05.2, MT05.3, SE08, MSE6.0, MSE8.0, Athena, MC10, MC21
  • can decode hexadecimal S19, CAL, HEX, CUT, PTP, EFT files
  • is optimized in each line of it's code for the highest possible speed
  • has multi-language support. You can translate the user interface and scan parameters into any language.
• MT05 specific:
  • has full tuning support (editing calibration maps, tables, scalars), also with 3D Editor
  • can download the flash memory from the Delphi MT05
  • automatically detects the addresses and types of maps, tables, scalars and DTC codes in the flash memory
  • has a built-in Hex viewer which shows the binary flash memory
  • can program the flash memory with the calibration tables and ECU firmware into the MT05
  • the user can create Patch files which contain the changes to be applied to a flash file before uploading
• In contrast to all other OBD2 software HUD ECU Hacker is not commercial paid software.
  • Also, HUD ECU Hacker will never show you any advertising.
  • HUD ECU Hacker is the result of more than a year intense programming.
  • There is absolutely no documentation about the internals of the MT05.
  • All information you see in HUD ECU Hacker is based on a huge work which costs a lot of time.
  • However, this program is charityware, which means that the author does not earn any money with it.
  • But if this program has helped you saving money by not needing expensive commercial software
  • or an expensive scan tool you are asked to give a donation to a non-profit organization of your choice.
  • Like for example Shanti Bavan, a project which gives education for free to the poorest of the poor in India.
  • There is an excellent documentary about this very special residential school on Netflix: Daugthers of Destiny
  • 
• Apart from that HUD ECU Hacker has been designed to be community software.
• Every user can adapt the program to his needs.
• When you have adapted the XML parameter file for another ECU, you are asked to send it to me for publishing it.

• 
  HUD ECU Hacker Screenshot - Control
• This screenshot shows the playback of the logfile Regal Raptor 350 - Error Clearing.xml
  1. I disconnected the plug of one oxygen sensor.
     The plug has 4 pins: Two for the sensor and two for the heater. (See circuit diagram of MT05 above)
  2. After turning on the ignition key the ECU immediately alerted error P0037. I did not even start the motor.
     HUD ECU Hacker translates the fault codes into human understandable messages.
  3. The error was first reported as Current.
  4. Then I turnd off the ignition, reconnected the oxygen sensor and turned on ignition again.
  5. Now the ECU detected that the error is not present anymore and reported it as Historic.
  6. Then I recorded the logfile
  7. At 00:00:10.200 I clicked the button Clear Fault Codes which removed the fault code.

• The button “Clear Fault Codes” clears the historic fault code(s) from the non-volatile ECU memory.
• But if a fault is still present it will not be cleared: You click the button and nothing happens.
• This button will clear only historic fault codes which are not present anymore.
• The MIL / EFI lamp is only on if there is a current fault present. It is off if there are only historic DTC's.
• Some current faults disapear immediately when the fault has been fixed (e.g. Oxygen sensor cable disconnected).
• Other current faults will disapear alone after driving some minutes.
• Some historic fault codes are erased automatically after driving 30 times without further faults.
• The ECU can report multiple Current DTC's at once and it can store multiple Historic DTC's.
• If there are multiple DTC's present, they are displayed alternating once a second in the Dashboard.
• You see all faults at once with their status when you click the button Show Fault Codes.
• If you get the fault codes P0171 or P0172 please read the chapter [https://netcult.ch/elmue/HUD%20ECU%20Hacker/#BLM|Self-Learning]].

• 
  HUD ECU Hacker Screenshot - DataGrid
• This screenshot shows the playback of the logfile Regal Raptor 350 - Starting Motor.xml
  • At 00:00:16.831 I turned the throttle up to the maximum with the motor not running.
  • At 00:00:32.712 I started the motor. You see that the ignition voltage drops down to 9.2 Volt.
  • At 00:01:55.106 I turned the throttle again, now with the motor running.
  • At 00:02:25.260 I pressed the kill switch (red button). The ignition voltage goes down to 0 Volt.
• While recording this logfile the motorbike was standing still (not driving).
• For each parameter you see the raw value and it's meaning and the minimum and maximum values.
• A gauge displays the value graphically. If the value can also be negative, the gauge starts in the middle.
• Values that have changed since the previous sample have a yellow background. You can turn off this highlighting.

• Delphi MT05.2
  
  HUD ECU Hacker Screenshot - Dashboard Delphi MT05.2
• OBD2
  
  UD ECU Hacker Screenshot - Dashboard OBD2
• The left screenshot shows the playback of the logfile Regal Raptor 350 - Driving.xml
  • At 00:00:35.878 I started the motor. The ignition voltage drops down to 7.7 Volt
  • At 00:00:39.488 the motor turned off alone because it ran too slow.
  • At 00:00:42.113 I started the motor again and drove around the block (not fast, ony first and second gear).
  • At 00:02:57.941 I pressed the kill switch.
• On the screenshot above you see a tooltip which appears when you hold the mouse over a parameter.
• Some parameters have a wrench icon. You can click on it and modify these values in the ECU. See Data Slewing.
• The dashboard can be configured 100% by the user after checking the checkbox Edit Mode below.
• You can create, edit and delete groups and assign parameters to them.
• You can move around the groups, change the order of parameters and drag and drop them to another group.
• 
  HUD ECU Hacker Screenshot - Gauge Configuration
• In this dialog you can configure a value parameter.
• The ignition voltage has a minimum of 0 Volt and a maximum of 32 Volt.
• You can restrict the range of the gauge to something more useful like 7 V to 16 V.
• When you set an alarm the parameter will be displayed in red if the value exceeds the given limits.

• 
  HUD ECU Hacker Screenshot - Graph
• 
  HUD ECU Hacker Screenshot - Graph
• These images are graphs created from the logfile Regal Raptor 350 - Driving.xml
• You can chose the parameters that you want to include.
• If you want more sophisticated graphics you can export the data to CSV and load it into the LiveLink Gen-II software (70 MB).

• 
  HUD ECU Hacker Screenshot - Trace
• HUD ECU Hacker allows to send commands manually to the ECU and study the response.
• For the purpose of hacking you can also enter XX, YY, which will be replaced with all values from 00 to FF.
• In the example above entering '21 XX' has sent 256 commands from '21 00' to '21 FF' to the ECU.
• Here the ECU (a Delphi MT05) has only answered 4 of the 256 commands, for the others it has returned an error.
• Entering '22 XX YY' will send 65536 commands from '22 00 00' to '22 FF FF' to the ECU.
• For the CAN Raw protocol you must also specify the Tx CAN ID for sending the command and the Rx ID for receiving the response.
• Some ECU's send multiple responses on multiple CAN ID's to one command. In this case enter all Rx ID's separated by commas.

• Below in the Trace pane with the button Start Logging you can create logfiles after connecting to the ECU.
• You can also record a log file while you are driving.
• Connect the cables and put a notebook into a saddlebag or backpack.
• 
  HUD ECU Hacker recording on the road

• 
• The MT05 allows to manually modify some of the parameter values which have been measured or calculated.
• The purpose of data slewing is to analyze an engine which is not running correctly.
• You can set absolute (fix) preset values or you can add a delta (± offset) to the current ECU values.
• First set all the preset values that you want to change in the list then click 'Send all presets to ECU'.
• These changes have effect on the running motor.
• Idle Speed
  • When the motor is runing idle and you set Idle RPM Target to 2500 rpm you will hear how it slowly becomes faster.
  • 
    Delphi MT05 Data Slewing Idle RPM Target
  • This graph shows the logfile Regal Raptor 350 - Data Slewing.xml where the engine was running idle with 1400 rpm.
  • At 00:00:29.806 I have set the slew parameter Idle RPM Target to 2500 rpm. The ECU slowly adapted the idle speed.
  • At 00:01:12.480 I have clicked the button Reset all presets in ECU.
  • NOTE: On a Benelli TRK251 (1 cylinder) you can set the idle speed target but the engine speed is not adjusted correctly.
• Fuel Pump
  • When the engine is off and you set Fuel Pump Duty Cycle to 15% you will hear the fuel pump running quietly.
• IACV
  • You can control the Idle Air Control Valve with the slew parameter IACV Target Step.
  • If you have problems with the idle speed read appendix IACV Calibration.
  • The modified slew values are not stored in the non-volatile memory of the ECU.
  • However this feature is for experts only. Wrong values can produce knocking or stall the motor.
  • I saw that the ECU does not go to sleep mode after changing some of the values.
  • Do not forget to click 'Reset all presets in ECU' when you are finished with your testing.
• ATTENTION:
  • Data Slewing does not work with my chinese ELM327 adapters. But J2534 and K-Line adapters do work.
  • The ELM327 Datasheet says (page 31) that the ELM327 limits the bytes that can be sent to the maximum for OBD2.
  • Therefore HUD ECU Hacker sends the command ATAL which allows longer commands.
  • My chinese adapter answers ATAL with 'OK', but it still refuses to send more than 4 data bytes.
  • You will see a timeout error in HUD ECU Hacker.

• 
  HUD ECU Hacker Screenshot - ELM327 Terminal
• As there are so many problems with chinese ELM327 clones I implemented the ELM327 Terminal.
• Here you can test your adapter by sending commands and studying the responses.
• The screenshot shows that my ELM327 clone sends commands only up to 4 data bytes.
• If I send 5 data bytes or more (like the Slewing commands) there is no response, no error and no prompt.
• I verified on the oscilloscope that the adapter indeed does not send anything.
• The command ATAL is simply ignored although it was answered with a fake 'OK'.
• It is a fraud to sell this crap.
• By the way: It is completely irrelevant if a chinese adapter claims to be version 1.5 or 2.1. They are all crap.
• And I saw people complaining in internet about ELM327 adapters which have even less functionality than mine.

• 
  CAN Bus Debugger / CAN Raw Terminal
• HUD ECU Hacker can also be used as CAN Bus Analyzer / CAN Bus Debugger / CAN Bus Terminal.
• In Sniff Mode you can see the entire traffic on the CAN Bus (not only to the ECU) in real time.
• You can set filters to show only the packets which you are interested in.
• And the CAN Raw Terminal allows to send commands directly to any device on the CAN bus.
• Normally you must buy expensive proprietary adapters for professional CAN bus analyzer software.
• HUD ECU Hacker allows to use a cheap chinese J2534 clone or a UsbCAN adpter.

• People have asked me if I plan to make an app for Android or iOS ?
• The anwer is: This will never happen.
• The reason is that all OBD apps for smartphones are toys for children.
• A smartphone does not allow to connect a professional J2534 adapter.
• Only bluetooth adapters can be used, which is the worst option and most of them are fake.
• It is completely impossible to edit complex calibrations with your thick fingers on a touchscreen.
• It is completely impossible to display the amount of parameters that you see in HUD ECU Hacker on a small phone screen.
• Smartphone apps show normally 10 parameters per page. You have to swipe several times to see all parameters.
• And grabbing a logfile or copying BIN files to / from the phone would be a pain.
• Just compare the the professional HUD ECU Hacker with the toy app “Torque” :
  • 96 Parameters
    
    HUD ECU Hacker Screenshot - Dashboard Delphi MT05.2
  • 11 Parameters
    
    Torque Toy Application

• The heart of the the Delphi MT05 is a 16 bit Infineon processor.
• The flash memory in the processor is divided into 4 areas:
  1. The Bootloader is required to start up the ECU.
     It will never be overwritten when flashing. This is a protected area.
  2. The Configuration Data will always change when you turn off the ignition key.
     The ECU stores non-volatile data here when you turn the ignition key off, like:
     fault codes, ignition counter, statistics, fuel learning (BLM), airflow learning and throttle learning.
     HUD ECU Hacker does not write into this area, but you can erase the content of this erea. See Reset EEPROM.
  3. The Calibration Tables are used to calculate the optimal operation of the motor depending on
     factors like speed, engine load and temperature, etc. They control fuel injection, spark timing, etc.
  4. The Firmware area contains the executable program code.
     You should normally not overwrite this area except you know exactly what you are doing.

• HUD ECU Hacker can download the flash memory into a file (flash download).
• HUD ECU Hacker can also program the flash memory from a file (flash upload).
• In the main window you see the versions and the checksums of the flash memory areas.
• Green means the checksum is correct. Red means it is wrong and will be fixed when uploading.
• ATTENTION:
  • If you use a K-Line adapter execute the Echo Test to assure that it works correctly.
  • If you use an ELM327 adapter it must be a genuine OBDLink adapter.
  • Before flashing for the first time store your original flash file in a secure place!
  • If flashing of only the calibration tables goes wrong your ECU may still communicate over K-Line.
  • But if flashing the firmware area goes wrong your ECU will probably be bricked.
  • See Rescue a bricked MT05.

• Tuning means to modify the calibration tables to get more power, cleaner emissions, or better fuel efficiency.
• For tuning you normally have to purchase 2 expensive programs:
  • 1.) One program which only downloads and uploads the flash memory:
    BitBox (250€, english) or CombiLoader (base: 21500 rouble + MT05: 8000 rouble) Also from EcuTools
  • 2.) Another program for editing the calibration tables:
    BitEdit (100€, english) or ChipTuningPro (base: 2400 rouble + MT05: 10000 rouble) Also from EcuTools
    Additionally you have to buy an USB dongle (30€) which protects their software from piracy.
    BitEdit does not support all MT05 versions. Click here for a list of supported calibration versions.
    While BitEdit shows 36 tables for the MT05 (in english), ChipTuningPro shows more than 200 tables.
    BitEdit is compared with ChipTuningPro like a toy. It has bugs and shows some data and axis wrongly.
  • 3.) Other tuning software like ECM Titanium is even more expensive (> $1000 USD).
  • 4.) If you have a MT05 from Kohler or from Briggs & Stratton they sell you diagnostic software that is very restricted.
    You are forced to buy their proprietary adapter (> $300 USD) which acts like a dongle.
    Each time you start the software, it connects with their server and checks if you have a valid license.
    The license is only valid for one year.
• As you see clearly: All the tuning and even ECU scanning is a very profitable business. All these companies want your money.
• IMPORTANT: A time consuming analysis must be done to get the correct meaning of scalars, tables, maps and their axes.
• The companies which sell expensive tuning software do not invest the required time to do this tremendous work.
• Doing a real analysis of each and every firmware version of each and every ECU model would result in a price that nobody is willing to pay.
• So they enter much of the data by guessing and by copying it from other firmware versions, which results in a lot of wrong information.

• With the charityware HUD ECU Hacker you save a lot of money by not having to buy commercial software.
• Flash download, checksum correction and flash upload can also be done with HUD ECU Hacker.
• Please do not forget to give a donation for using HUD ECU Hacker.
• An issue with the MT05 is that each ECU firmware version stores the calibration tables at another address in the flash memory.
• This means that there is no easy way to know how many tables exist and where each table starts and where it ends.
• But HUD ECU Hacker analyzes the ECU assembler code and finds automatically 200 calibration tables and 500 scalar values.
• It even finds the values and meaning of the axes of nearly all tables and maps by auto detection.
• This works with all firmware versions and takes less than one second. The result is 100% reliable.
• Calibration Editor
  
  HUD ECU Hacker Delphi MT05 Calibration Editor
• 3D Editor
  
  HUD ECU Hacker Delphi MT05 3D Map Editor
• Hex Viewer
  
  HUD ECU Hacker Delphi MT05 Hex Viewer
• Whenever you load a new flash memory BIN file it will be automatically analyzed and the result is written into a file.
• This file has a name like “Firmware_5D06BA79.definitions” and contains the maps, tables, scalars and axes that were found.
• The hex number in the filename “5D06BA79” is a CRC (similar to a checksum) of the firmware area in the flash memory.
• Each firmware version will generate it's own definition file because each firmware version stores the calibrations at different addresses.
• HUD ECU Hacker also detects the count of rows and columns and if the table data is 8 bit or 16 bit and if the data is signed or unsigned.
• The auto-detection analyzes the assembler code in the ECU which gives reliable results independent of the firmware version.
• The assembler code in the ECU is eternally long (printed on paper it would be one kilometer).

However HUD ECU Hacker does this analysis in less than a second. Here you see a snippet of the huge Delphi code:

c1768e f2 fc f8 f7     mov        r12,[0xF7F8]
c17692 f2 fd fc f7     mov        r13,[0xF7FC]
c17696 d7 40 01 03     extp       #0x301, #1
c1769a f2 fe 22 29     mov        r14,[0x2922]
c1769e da c1 f8 14     calls      FUN_c114f8
c176a2 f0 c4           mov        r12,r4
c176a4 f6 fc f8 f7     mov        [0xF7F8],r12
c176a8 f2 fd fc f7     mov        r13,[0xF7FC]
c176ac 42 fd f8 f7     cmp        r13,[0xF7F8]
c176b0 fd 08           jmpr       cc_ULE,LAB_c176c2
c176b2 22 fd f8 f7     sub        r13,[0xF7F8]
c176b6 f6 fd f6 f7     mov        [0xF7F6],r13
c176ba e1 12           movb       RL1,#0x1
c176bc f7 f2 e6 f7     movb       [0xF7E6],RL1
c176c0 0d 08           jmpr       cc_UC,LAB_c176d2

• As you see, assembler code is extremely cryptic. I spend several weeks in understanding what the ECU does internally.
• I hope that you honor this tremendous work and be so honest to respect the charityware policy of HUD ECU Hacker.

• The Hex Viewer shows how scalars, tables and maps are lined up in the calibration area of the flash memory.
• Reverse Lookup tables appear with bold text.
• Axis values are calculated by a formula. The parameters for the formula are not stored in the calibration area.
• You will see mostly two white areas of approx 30 bytes at the beginning of the calibration area.
• All white areas contain tables which are never used by the firmware or they are filled with zeroes.
• These tables are orphans. They contain data, that may be used in other firmware versions.
• There are other tables which don't have a header, so the length and type of data cannot be auto-detected.
• They appear purple in the Hex Viewer.
• The Hex Viewer can also compare two BIN files and show the differences.

• Please read this chapter in the help file.

• Please read this chapter in the help file.

• Please read this chapter in the help file.

• Please read this chapter in the help file.

• HUD ECU Hacker can be adapted to any ECU which uses the ISO 9141 / 14230 / 15765 protocol.
• This is a process in 5 steps.
• You need the ECU and a scantool or software from the vendor which understands the vendor-specific ECU data.
• The traffic between ECU and scantool must be captured and reverse engineered. Doing this is not illegal.
• IMPORTANT: A Universal OBD2 Scantool which only shows OBD2 data is useless. HUD ECU Hacker can already display OBD2 data.
• The OBD2 standard has been designed to verify that a vehicle complies the emission laws.
• OBD2 gives very limited information because the manufacturers implement only few commands, just the minimum to fulfil the law.
• OBD2 may only show you Vehicle Speed, Engine Speed, Coolant Temperature, O2 Sensor and Throttle Position, and that's it.
• Generally ECU's can report much more details to the service technician, but in a proprietary and secret data format of the manufacturer.
• Only an expensive scantool or software from the ECU vendor may give you this information, but not a “universal” OBD2 scantool for all vehicles.
• For example for the Delphi MT05 the vendor specific command 30 allows data slewing.
• And the vendor specific command 21 returns details like crankshaft errors, stepper motor position, block learning (BLM) and much more.
• These details (90 scan parameters) can not be obtained with a “universal” OBD2 scantool or OBD2 computer software.
• The response of command 21 01 is a proprietary and undocumented data packet from Delphi.
• I obtained the meaning of this 100 byte packet by analyzing the ancient PCHUD software.
• You can do the same for any other ECU if you have a scantool or software which shows these details.

• When you enable the checkbox 'Sniff Mode' you can capture the traffic between the ECU and a scantool / OBD software.
• Connecting an additional sniff adapter over a splitter cable to the K-Line will mostly not work.
• The reason is that each adapter has a pull-up resistor (mostly 510 Ω) between K-Line and +12V.
• When you connect 2 adapters the parallel pull-up resistor becomes 255 Ω.
• Adapters and ECU have a current limitation to protect them from shortcuts.
• Most adapters don't provide enough current (50 mA) to pull K-Line to ground over 255 Ω.
• Depending on the pull-up resistor and the current limitation you will not capture anything or the scantool stops working.
• Here you see the result of connecting two adapters at the same time. The voltage does not reach 0V anymore.
• 
  OBD2 Splitter Cable
• 
  ISO14230 K-Line sniffing with 510 Ohm resistor
• It may also happen that you can sniff data as long as the motor is off.
• But when the motor runs the battery voltage rises to 15V and now you don't capture data anymore or get crippled data.
• The higher the battery voltage the more current is required to pull K-Line to ground.
• However, there are also adapters with an internal pull up resistor of 1 kΩ. They may function unchanged.
• The only bullet-proof solution is to modify an adapter and remove the SMD pull-up resistor between pin 7 and 16.
• You can either convert an adapter into a sniff adapter by removing this resistor completely or you can insert a switch into the adapter which allows to chose between normal mode and sniff mode.

• No modification in the adapter is required for CAN bus sniffing.
• The J2534 and ObdLink adapters require 4 pins to be connected.
• If you use the UsbCAN adapter only 2 pins must be connected: CAN0H and CAN0L.
• Store the sniffed data into a logfile by clicking the button 'Start Logging' in the Trace pane.
• Navigate through all menus of the scantool to capture all commands.
• IMPORTANT: If the logfile has many “Invalid Data” you have the wrong baudrate or the wrong protocol.

• Connect HUD ECU Hacker to it's own Emulator to learn how to use it.
• You can use a battery or the 12 Volt from a cheap computer power supply (yellow wire).
• ATTENTION:
  • ELM327 / OBDLink adapters do not have the functionality required for the emulator.
  • J2534 adapters will not work with any protocol that uses the 5-baud initialization.
  • Use a K-Line adapter for K-Line Emulation.
• For CAN Bus an additional 100 Ω or 120 Ω resistor between CAN Hi and CAN Lo is indispensable because adapters do not have it built-in.

• For K-Line select “Delphi + Rongmao MT05.xml”. For CAN bus select “Delphi MT05.3.xml”.
• Then in the Emulator window click “Open”, then in the main window click “Connect”.
• Now you should see the data coming from the emulated ECU in the dashboard.
• Change the values of command 21 01 or 22 21 01 in the emulator and study their effect on the display in the dashboard.

• Please read this chapter in the help file.

• Please read this chapter in the help file.

• Please read this chapter in the help file.

• [Download] - HUD ECU Hacker version 4.9 (17 MB)
• Windows may block the installer in the downloaded ZIP file because it has no digital certificate.
• Please right click the ZIP file, select 'Properties' and check 'Unblock'.
• 
• You need the .NET framework 4.0 or higher. On Windows 10 this is already installed.
• 
  HUD ECU Hacker Toolbar
• In the toolbar at the top you can then install the drivers.
• The toolbar also has a button that brings you with one click to the Device Manager, where you see all COM ports.
• The toolbar has a tooltip for each button which appears when you hold the mouse over it.
• 
  HUD ECU Hacker Screenshot - Install drivers

• If your ECU is not listed under “ECU Model” connect with “Autodetect OBD2” which tries multiple protocols, init modes and ECU addresses.
• All newer ECUs will respond to OBD2 commands.
• Errors when connecting to the ECU:
  • The ignition key must be on.
  • The kill switch must be in the position where it allows the motor to run.
  • Some motorbikes (Benelli) require the side stand to be up otherwise the ECU will not respond.
  • It is not necessary to start the motor to establish a connection.
  • Check that you have connected the three wires correctly as shown in the connector diagram.
  • If you have a MT05 ECU verify that the seven voltages are correct that are marked red in the MT05 diagram.
  • The voltage at the K-Line wire MUST be +12 Volt while the adapter is connected to the ECU.
  • Some adapters do not enable the pull up resistor when they are in power safe mode.
  • Measure the voltage while clicking the “Connect” button in HUD ECU Hacker which will activate the adapter.
  • If you use a K-Line or J2534 adapter ecxecute the Echo Test to check the adapter.
  • There are 2 types of timeout errors which indicate different errors:
    • Timeout waiting for echo means always that you have a hardware problem or the wrong COM port.
    • Timeout waiting for response (or received garbage characters) with ELM327 adapter may mean that the baudrate is wrong.
      • You can change the baudrate in the window “Configure Adapter”. Normally ELM327 adapters use 38400 baud or 115200 baud.
    • Timeout waiting for response with K-Line / VAG adapter may happen rarely.
      • The reason is that the ISO 14230 protocol is very time critical. It demands 50 ±1 ms for the fast init.
      • But Windows as a multitasking OS is not very precise and the interval seen on an oscilloscope may vary from 45 ms up to 70 ms.
      • If the interval between fast init and the command 'Start Communication' exceeds the limits the ECU does not respond.
      • K-Line adapters are the only adapters where timing depends on the computer. J2534 and ELM327 adapters create a precise timing.
      • If you get this type of timeout error, try the following:
        1. Click 'Connect' several times until it works. It may work 8 of 10 times.
        2. Some adapters (e.g. some SiliconLabs chips) do not support the way how HUD ECU normally generates the fast init pulse.
           Try switching Fast Init Mode 1 / Fast Init Mode 2 in the window “Configure Adapter”.
        3. For slow computers you can enter in the same window a K-Line timing correction which is added to the 50 ms interval:
           
           ATTENTION: If you enter an invalid value here you may screw up the fast initialization forever.
           If changing this value did not solve your problem, reset the correction to zero otherwise you may never be able to connect.
           To verify the timing you need a digital oscilloscope, otherwise it is pure try and error.
  • BUSINIT: ERROR from an ELM327 adapter means that the adapter did not receive a valid response from the ECU.
  • You can also change the configuration in “Autodetect OBD2.xml”. Some older ECU's use 9600 baud.
  • If you have tried everything and the ECU still does not respond, test your adapter: Connect HUD ECU Hacker to it's own emulator.
    Therefore you need a second adapter. See Emulator
• If you have any problem you can send me a log file of the Trace pane with the error message.
• You can write me in english, german or spanish.
• But first try all the steps above.
• You find my email at the end of the help file.

• Delphi does not produce the MT05 and MT05.2 anymore because the very old microprocessor is end of life.
• Delphi sells now the successor MT05.3 which is Euro 5 compliant and uses CAN bus.
• This ECU is a complely new development, using a modern 32 bit processor.
• The consequence is that all my endless work for flashing the MT05 / MT05.2 is completely useless now for the MT05.3
• May be some day in the future I will add support for flashing the MT05.3.
• But this requires the work of another entire year of reverse engineering!

• The Rongmao MT05 sends the same scan parameters as the Delphi MT05, so it can be scanned with HUD ECU Hacker.
• But apart from the identical case and the scan parameters this ECU has absolutely NOTHING in common with the Delphi MT05.
• It has another PCB, different chips and processor and logically also another firmware than the Delphi MT05.
• 
  Rongmao MT05 ECU Board
• Rongmao has cut away the text on the processor so the model is unknown and reverse engineering is more difficult.
• As you see this is a COMPLETELY different ECU, so flashing the Rongmao MT05 is not possible.
• Rongmao has also changed the commands for flash upload/download and the security key.
• Until today nobody was able to flash this ECU. I never heard of any PC software nor any scantool which can do this.

• Chinese fake clones of the MT05 or MT05.2 have appeared in the market which are garbage.
• They are full of bugs and only the very basic OBD2 commands are implemented.
• These ECU's are so extremely buggy that they are not even able to send a correctly formatted DTC response!
• Detailed scan data is not available, Data Slewing and flashing are not supported.
• There are even fake MT05 which respond only on CAN bus instead of K-Line. (The real MT05 / MT05.2 does not respond on CAN bus)
• HUD ECU Hacker will detect when you have connected a fake ECU and show an error message.
• On the real ECU's you see that “DELPHI” is engraved in the plastic of the cover. The fake does not have this.
• 
  Delphi MT05 Chinese FAKE ECU
• NOTE: There are also Chinese MT05 clones. These are not fake. They are an exact copy of the original Delphi ECU.
• The difference between fake and clone is the processor. The real ECU and the clone use the Infineon processor SAK-XC164CS-32F40BB.
• These ECU's can even be flashed with HUD ECU Hacker. If there is any other processor inside, flashing will be impossible.

• A big problem of all combustion motors is overheating. If cooling fails, the motor will be damaged.
• A water cooled motor will reach 80 degree Celsius, max 95 degree.
• If the motor is air cooled the temperature may reach 140 degree.
  1. The first damaged part will be the cylinder head gasket. As a result coolant will enter into the cylinders and vaporize.
     You will lose coolant through the exaust pipe. A vicious circle accelerating the damage.
     Replacing the gasket is expensive because the motor must be opened.
  2. If you drive longer with an overheated motor the cylinders will be ruined and you need a new motor.
• The cause of overheating is a failure in the cooling system. This may be due to a defective ventilator or lack of coolant.
• Some motorbikes (like my Regal Raptor) neither have a temperature display nor an overheating lamp.
• This is a severe problem because the owner has no chance to check the temperature of the motor.
• ATTENTION: The Delphi MT05 is so stupidly programmed that it does NOT protect the motor from overheating!
• Although the ECU has a temperature sensor and knows the exact temperature, it will not turn the motor off when it becomes too hot.
• The MIL/EFI light may turn on when it is already too late (Error P0117 at approx 200 degree) or it never turns on.
• Check regularly if your motorbike has sufficient coolant! Use HUD ECU Hacker to check the current temperature.
• If coolant disappears within a few days or weeks without a leak your motor is probably already damaged.

• The IACV (Idle Air Control Valve) is like a bypass for the throttle valve.
• It allows a small amount of air to enter into the engine while the throttle is closed.
• If the IACV does not work correctly you may have the following problems:
  • The engine cannot be started
  • The engine goes off alone while running idle (especially when it is cold)
  • The idle speed is irregular
  • The ECU may generate fault code P0505.
• The IACV has a stepper motor which moves a pintle precisely to a position between 0 and 255.

• To maintain the stepper motor in the desired position a current must flow permanently which generates a magnetic field.
• Therefore the stepper motor becomes warm although it does not move.
  • Position 0: The valve is fully closed. Air can only enter through the throttle into the intake manifold.
  • Position 168: The valve is in the parking position for the next cranking. (Defined in the calibration IAC Park Position).
  • Position 200: The maximum position that the ECU will use. (Defined in the calibration IAC Position Max).
  • Position 255: The valve is fully open.
• You can use the Data Slewing window to test the IACV while the engine runs.
• If you enter a delta value of +30 steps, more air enters and you notice that the idle speed increases.
• If you enter a delta value of -30 steps, less air enters, the idle speed decreases and the engine may stall.
• Aprox 5 seconds after turning the ignition key off the ECU parks the IACV and stores the pintle position in flash memory.
• The IACV has no sensor which reports the current mechanical position to the ECU.
• The ECU simply trusts that the position stored in the flash memory is the same as the real mechanical position.
• But the range which the stepper motor can move is wider than the programmable range from 0 to 255.
• So if the ECU loses synchronisation with the mechanical position you will have one of the problems listed above.
• I found the following way to calibrate the IACV (while the engine is off) with the older MT05 ECU.
  1. Take the IACV out so you can see the pintle position.
  2. Connect HUD ECU Hacker.
  3. In the Data Slewing window move the IACV to the absolute position 255.
  4. Now disconnect the battery so the ECU cannot store this position in the flash memory.
  5. Reconnect the battery. You should hear the fuel pump running. Now the ECU assumes the IACV in parking position.
  6. Repeat steps 2 to 5 until the pintle does not move anymore. The spring must be completely compressed.
  7. Now you have the pintle in the real mechanical position 255.
  8. In the Data Slewing window click Reset all presets in ECU which moves the pintle to the parking position.
  9. Turn off the ignition key. Now the ECU stores the correct parking position in flash memory.
  10. Mount the IACV back into it's place.
  11. When driving the next time the airflow self-learnig will adapt to the new conditions.
• The newer MT05.2 already has the EEPROM Reset, which also adjusts the IACV, but in a different way.
• The ICAV must be mounted in the throttle body while executing the EEPROM Reset.
• The ECU will move the stepper motor until the pintle is mechanically blocked when the IACV is fully closed.
• This will be the new position 0.
• Play the logfile Regal Raptor 350 - IACV Idle Warmup.xml and create a graph with the preset IACV and Idle.
• Here you see how the MT05 slowly adjusts the IACV during a 12 minute idle warm-up from 18 °C to 80 °C:
• 
  Idle Air Control Valve Target Position

• The ECU adapts to changing load, atmospheric pressure and fuel quality to keep the emissions at a minimum while running in closed loop.
• It also compensates a worn out fuel pump or a dirty air filter.
• Based on the O2 sensor feedback, the short term adaption increases (> 0) or decreases (< 0) the amount of fuel to get the optimal air/fuel mix.
• If the short term adaption (Integrator) deviates too much, the long term adaption will be adjusted.
• The long term fuel adjustment is stored in a table which contains Block Learn Multipliers (BLM).
• Multipliers have values between 0.0 and 2.0 where values > 1.0 mean more fuel and values < 1.0 mean less fuel.
• The Delphi MT05 uses a table with 36 cells (16 bit) for each cylinder which is stored in the flash memory.

• The X and Y axis values come from the lookup tables 'BLM MAP Boundary', 'BLM TPS Boundary', and 'BLM RPM Boundary'.
• The Y axis may be based on MAP compensated pressure or throttle position. This is defined by scalar 'BLM Load Option'.
• The rolling idle cells are used when the engine is idling.
• While the engine is running you see in the dashboard which cell the ECU is currently using and what is the value of this cell:
• 
  Block Learn Multiplier Cell
• This capture is from logfile 'Regal Raptor 350 - Driving.xml' at 01:16:246
• A long term correction factor of 1.015 means adding 1.5% more fuel.
• The ECU also learns automatically which voltage of the throttle sensor corresponds to 0% throttle position (TPS auto-zero).

• If some BLM cells reach the minimum or maximum adaption limit, the fault codes P0171 or P0172 will be generated.
• These errors mean that there is a defect (IACV, injector, fuel pump, air filter) which the ECU cannot correct anymore.
• If you get these errors you must reset the self learning data in the configuration area with the button Reset EEPROM which will:
  • Erase the fuel self-learning data (BLM Table). All correction factors will be reset to 1.0 (no correction).
  • Erase the airflow self-learning data (Airflow Table). All correction factors will be reset to 1.0 (no correction).
  • Erase the throttle self-learning data (Auto-Zero). The throttle zero will be set to the default in the scalar 'TPS Raw Intercept'.
  • Erase all statistics. This will reset all time counters (except total runtime), max temperature, max batt voltage, max speed,…
  • Erase all historic DTC fault codes
  • Reset the IACV pintle position
• ATTENTION: If you do not repair the underlying hardware defect the errors P0171 / P0172 will come back soon.
• You need the EEPROM reset also after replacing the throttle sensor.
• After erasing the configuration data the ECU will write fresh data the next time you turn the ignition key off.
• Some older MT05 firmware versions do not implement the command which HUD ECU Hacker uses when you click the button Reset EEPROM.
• In this case you may have luck trying one of the following two options:
• Turn the ignition key off while pin 5 of the ECM plug is connected to ground (pin 2), then wait 10 seconds.
• This will only work if the scalar 'J1-16 Input Usage' is 1.
• Or turn the ignition key off, wait 10 seconds, turn the key 5 times on/off within 5 seconds, then (while off) wait another 10 seconds.
• This will only work if the scalar 'J1-16 Input Usage' is not 1.

• If you have uploaded a wrong flash file or interrupted the upload you may have 'bricked' your ECU.
• A 'bricked' ECU will neither allow to start the motor nor will it respond on K-Line.
• 'Bricked' means that your ECU is now as useful as a brick. Congratulations!
• In this case you have to switch the ECU into 'bootloader mode' and then you can connect again.
• Unplug the plugs J1 and J2 and connect the ECU only to the battery and the K-Line or J2534 or ELM327 adapter:
• 
  Rescue a bricked Delphi MT05
• You need one jumper between pins 10 and 17 and another jumper between pins 11 and 16.
• This switches the ECU into 'bootloader mode' and allows to upload a valid flash file.
• Additionally you connect +12V to pins 15 and 18, Ground to pin 2 and K-Line to pin 3.
• The first 16 kB of the flash memory contain the bootloader.
• This memory area will never be overwritten when you upload a flash file.
• This assures that the bootloader stays always intact even when flashing goes wrong.

• The crankshaft position sensor reports the exact position of the crankshaft to the ECU.
• The ECU needs this to calculate the moment of spark generation and of measuring the Intake Air Pressure sensor.
• On the crankshaft there is a flywheel with teeth every 15 degree. Each tooth induces a pulse in a fixed pick up coil.
• There are 24 positions on the 360 degree rotation. One of them is missing, so there are 23 pulses per rotation.
• The gap from the missing tooth indicates the position near BDC (Bottom Dead Center) of cylinder 1.
• Example: The motor runs with 1500 rpm. This is 1500 / 60 = 25 rotations per second = 40 ms per rotation.
• This oscilloscope capture measured at ECU pin J2-04 shows the 25 * 23 = 575 pulses/second.
• 
  Delphi MT05 crankshaft sensor on oscilloscope
• The faster the motor runs the higher becomes the voltage.
• The logfile Benelli TRK 251 (1 Cylinder).xml shows several CKP Sensor Errors which are increasing with the time.
• But they are still not enough to turn the MIL/EFI indicator light on.

• Lead-Acid batteries allow to easily detect their charge status by simply measuring the voltage while the ignition key is off.
• At 12.8 Volt it is completely full.
• 
  Voltage and Aging of a lead acid battery
• Very detailed information about batteries can be found at the Battery University.
• The lifetime of a motorbike battery is approx one year when used frequently.
• When the voltage of the fully charged battery drops below 9 Volt while cranking the battery should be replaced.
• If the alternator / generator works correctly the voltage should be between 13.5 and 14.5 Volt while the engine is running.
• If the regulator is defective and the voltage rises to more than 15 Volt the battery will be damaged.

• 139 person(s) visited this page until now.
• Back