Elm327 Wifi Software


Nayra Waddles

Aug 3, 2024, 2:24:16 PM
to inmiltato

Last time I dealt with the exhaust system because of some loose/noisy part(s) I noticed that the connector of the 2nd O2 sensor (that just controls if output of catalytic converter is fine) did not latch (came off again by moderate pulling). So, most probably this is caused just by a bad connection, easily fixed if there is a ramp, sunshine and +10C instead of night and -3C somewhere on the road.

Long story short, I was given an already rooted ZTE Blade Gen1, upgraded it to the last official CyanogenMod version, put the Torque apk on there (the app store requires a Google account, I don't want one) and installed it. Torque connects and detects the wifi OBD adapter once set up. Time to connect it to my ECU...

It is shockingly easy to get access to the source code of the reference design with the right Google queries and some guessing (why do they include the "blabla not for public release" note only INSIDE the source code and not in the archive file name?)... As this data is not meant to be freely accessible on the web, I won't provide it here and won't provide tips on how to find it. There is no "magic" in there, as the regular function of the device is just obvious, and neither the "AppSrv" nor the demoplug source is included.

This does not work, the device does not react. Let's assume the first two bytes are a command and the last 6 are parameters. As embedded devs usually don't grab numbers from an RNG for enums etc. but use simple patterns... let's try:

Another thing found out: If the payload is shorter than 8 bytes, the message is ignored. At least for the \x12 command the last 6 bytes just seem to be there for alignment and without any particular function.

To this point, it was easy to figure out the protocol, just because there is direct feedback (read: changed or no response) from the device which "asked" for the right answer. Now the connection is there but I don't know what to ask the device for.

The chip with the removed label may be an AX220XX compatible device, as its MAC is from this manufacturer. It offers a web interface, but only delivers an empty index.htm on port 80. Port 35000 bridges to the PIC microcontroller. Do not send the "+++ return" command over TCP to port 35000, because this leads to message ping-pong between the two controllers.

As a summary, it looks like they locked down the chip to prevent mods from the Ethernet side, but it still has an exposed UART and it is possible to dump the flash chip contents.

I won't link to leaked documents from the manufacturer over here, as you can do your own Google search. If you try "bootloader" or similar terms together with the chip name, you'll find some PDFs and source code on Chinese document sharing platforms ;)

The three electrolytic caps are all 16V rated and on the "car +", +5V and +3V3 rails. The chip near the connector is a Microchip CAN controller, the chip on the left is a Microchip PIC 18F, which does the CAN-UART translation in the same way as the "original" ELM327 would do. UART is exposed on the pin header in the center to go to the wifi board. The unpopulated parts on the top edge of the board (SO8 IC U11, diode D4, and inductor L1) form a step-down buck converter... but they populated the LM7805 - d'oh!

The wifi module consists of just one big SoC (part name removed :( ), a passive differential-to-single-ended conversion circuit and a TX/RX switch for RF stuff. Footprints for a PI filter are present, but not used.

On the bottom layer, a 4Mbit SPI flash holds the software (interface pins exposed :) ), a quartz drives the clock and an LDO (?) does additional local voltage regulation. A pad to mount a U.FL connector (or similar) is present, but would need a resistor on the top side to be moved one pad.

Hi Rawe, great info.
I put mine in AP mode and it got stuck at a HEX 10-digit password instead of ASCII WPA2PSK, which the AP kicks it off. I tried for hours with different combinations and came to the conclusion that I need a serial header connection or some sort of factory reset of the WiFi chip. Is there anything I can do? It's the older version with the PCB separate from the WiFi module.
I tried shorting GND to RST on the WiFi module UARTO for 30 seconds, and for 30 seconds while powering it up.

Through all your explorations of the ELM327 device, have you found any way to enable the web interface like some previous revisions of the ELM327 had? I need to change a specific setting and I don't see that as a UART command.
Serial Framing Timeout or Data Trigger Timeout

I've got a problem with my elm327 wifi interface, maybe you can help me out. I changed the baud rate to 57.6kbps which doesn't work well with this device. I can't send/receive anything any longer except garbage.

Are you aware of any way to factory reset this device? Would it be possible to solder some rs232 cable directly to the device to reset the baud rate? I tried connecting pin28 and ground to reset it but that didn't work. Do you have some idea?

Combining your info leads me to the conclusion that you changed the baud rate of the elm327 via wifi. This lets the elm327 talk faster, but not the wifi-uart bridge chip which runs on the same baud as before = baud mismatch = nonsense output via wifi.

Connecting pin28 to GND and then applying power to the circuit should bring the elm327 back to default configuration of 38400 baud. As this is the default baud of the wifi module everything should be "back to normal". I understand the reset procedure as follows:

As I don't know the tools you have handy, the simplest and cheapest way to check what is going on would be to hook up a cheap usb-uart adaptor to a computer and just connect the "RX" pin and ground of it to the elm327. This way you can listen on one of the two channels (wifi module to elm327 and the other way round) depending on the signal pin you connect the usb-uart-adaptor RX pin to. This way you know the signal tapping does not modify the communication and the usb-uart-adaptor works right. Unplugging the wifi module, connecting the TX pin and sending the elm327 a baud set command would be the next step.
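The baud mismatch described in this reply (ELM327 at 57.6 kbps, wifi bridge still at 38400) can be reproduced in a small bit-level model. This is an added example, not code from the thread; the sample string, the function names and the 16x oversampling receiver are assumptions made for the illustration.

```python
# Added illustration (not from the thread): 8N1 UART link where the sender
# and the receiver may run at different baud rates.
SAMPLE = b"ELM327 v1.5\r"   # constructed sample payload

def tx_bits(data: bytes) -> list:
    """Serialise bytes as 8N1 frames: start bit, 8 data bits LSB first, stop bit."""
    bits = []
    for byte in data:
        bits.append(0)
        bits.extend((byte >> i) & 1 for i in range(8))
        bits.append(1)
    return bits

def level(bits, tx_baud, t):
    """Line level at time t (seconds); the line idles high."""
    i = int(t * tx_baud)
    return bits[i] if 0 <= i < len(bits) else 1

def rx_decode(bits, tx_baud, rx_baud):
    """Decode the line as a receiver clocked at rx_baud would.
    Returns (received bytes, number of framing errors)."""
    out, framing_errors = bytearray(), 0
    step = 1.0 / (16 * rx_baud)           # assumed 16x oversampled edge search
    t, end = 0.0, len(bits) / tx_baud
    while t < end:
        if level(bits, tx_baud, t) == 1:  # idle or stop bit, keep searching
            t += step
            continue
        mid = t + 0.5 / rx_baud           # centre of the start bit
        byte = 0
        for i in range(8):                # sample each data bit at its centre
            byte |= level(bits, tx_baud, mid + (i + 1) / rx_baud) << i
        t = mid + 9 / rx_baud             # where the stop bit is expected
        if level(bits, tx_baud, t) == 1:
            out.append(byte)
        else:
            framing_errors += 1           # stop bit low: frame is rejected
    return bytes(out), framing_errors

if __name__ == "__main__":
    line = tx_bits(SAMPLE)
    print("ELM327 38400 -> bridge 38400:", rx_decode(line, 38400, 38400))
    print("ELM327 57600 -> bridge 38400:", rx_decode(line, 57600, 38400))
```

With matching rates the payload comes back intact; with the sender at 57600 the receiver's sample points drift across bit and frame boundaries, so it returns fewer, unrelated bytes.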

I tried to reset the unit exactly the way you described it but it didn't work. So I think the only way will be to reset the baud rate manually. The question that came to my mind while reading your response was that if I want to continue using the wifi module, will I ever be able to raise the baud rate to something higher than the default one? I'm asking because the reason I raised it in the first place was that I wasn't able to capture all the data from the CAN bus. I've received data errors followed by the well known 'buffer full' error.

I'm (unfortunately) not really the hardware/electronics guy, more the software kind, but if I've understood you correctly, the difference between these devices lies in the 'modulation' of the signals? E.g. normal RS232 has different voltage levels than cmos uart?

At the moment I only have a cheap usb to serial converter. If I connect the rx pin of my usb to serial converter to either the rx or tx pin of the elm327 device I should be able to see the data they exchange? Or, a further thought as you already mentioned, how would it be possible to spare the wifi component out and 'convert' the elm to a usb type one? Must I use a usb-uart adapter or can my usb to serial cable be used? Which pins should be connected exactly?

Hi mc_stinzel,
You are right about hooking up directly and the "modulation".
If the usb to serial converter does "logic level / cmos uart" this should work.
If it does "rs232" it is not compatible because a logic "0" is 0V and a logic "1" is 3.3V (or 5V) for the ELM327 but a logic "0" is "3V up to 15V" and a logic "1" is "-3V down to -15V" for a computer/rs232 device. If you plug them together they do not understand each other plus too high voltages are applied to a chip that can handle only 3.3 or 5V which might damage it.
See for a list of common usb-uart adaptors.
The "cmos level" or "logic level" adapters contain just one single chip that speaks USB on one side and provide "logic level uart" signals on the other side:
As the GND of the ELM327 board is connected to car chassis and there is no isolation between the uart GND, usb GND and laptop GND it might be problematic to run the laptop on its own power supply powered by an inverter etc.

If it is of any help, I used the following commands: atpp 0c sv 08, atpp 0c on

What can be the reason for this? Maybe the chipset is a cheap one and doesn't work well with this 'high' rate? Any idea how to fix it now? :-)

I tried raising the baud rate in steps and every other rate worked without a problem.

Regarding the factory reset: it may be a dumb question, but which PINs exactly do I have to connect? I've got the exact same device as you according to the pictures. PIN 28 should be - according to the pinout of the chip - the top left pin? (when holding it with the obd2 plug to the left) And ground can be any ground on the board, so e.g. pin 5 of the obd2 plug or the one from the wifi module (pin 2)? Is this correct?

Hello, excellent project, I hope you can help me since I cannot make it work. I have bought an elm327 wifi adapter, which works fine with the Torque app using the ISO14430-4 protocol; I can also send AT commands with telnet from the PC. On the other hand, when uploading the sketch to the nodemcu (esp8266) they connect to each other, but I receive error 7 or timeout, and I don't know how to continue. Please, I need your help, thank you very much in advance.
Sorry for the bad English, I'm translating with Google.
