OBD II Bike Connector - Pass via bluetooth

Breakthrough! :slight_smile: I discovered how to get security access to the ECU!

The procedure is as follows:

  1. A seed is requested, which the ECU will provide in its response.
  2. You will have to respond by sending a matching key that is checked by the ECU.

However, none of this is described in the ISO 14230 documents as it's manufacturer specific. So I was afraid that the seed-key pairs were matched through complex encryption algorithms. But fortunately I have discovered that it is actually extremely simple.

There are just three hard-coded seed-key pairs.

Seed 13 52 43 64 75
Key  63 27 53 67 42

Seed 57 48 58 49 58
Key  30 20 39 48 74

Seed 58 37 48 45 95
Key  58 49 57 69 84

For example, this is what I did today as a first successful test.

I got 13 52 43 64 75 as a seed.

TX 80 11 F1 02 27 01 AC 
RX 80 F1 11 08 67 01 13 52 43 64 75 34 A7

So, the matching key is 63 27 53 67 42.

TX 80 11 F1 07 27 02 63 27 53 67 42 38 
RX 80 F1 11 03 67 02 34 22

Done!

Wow! Great :astonished:

I've read that functionality somewhere... Must have been somewhere in one of the 3 ISO14230 or the KWP2000 protocol. But too long ago, that I can remember. But it was in there!

From that, they created the OBD standard, which uses a similar functionality. Many manufacturers are sending the very same "seed" all the time, so it also is just a ridiculous safety wall :smiley:
Someone hacked his Prius and overtook steering and acceleration via OBD2 and CAN-Bus. Everything with a single key, found out after 10 minutes of bruteforcing :slight_smile:

Are you now able to use the download function?
Do you have to enter a different mode, so that the SIDs don't throw an error on a request any more?

Yes, it follows the ISO 14230 protocol. This is described in the ISO 14230-3 document. What surprised me most is that apparently the seed-key pairs are completely independent of the bike i.e. it should work for all Kawasaki motorcycles.

I have not tried to use other functionality yet. Because I am really focusing to make sense of the decompiled KDS software. At this point I have a decent understanding of the possible requests, which I'm now writing down comprehensively.

For instance, I have found that once you have security access you can start a "programming" diagnostic session, instead of the "workshop" diagnostic session (this terminology is really used in the ISO 14230 documents). This is probably required to access all the other functions like actuator tests and downloading/uploading and so on.

I hope to have a complete understanding of all the possibilities in the following weeks.

Seed 13 52 43 64 75
Key  63 27 53 67 42

Seed 57 48 58 49 58
Key  30 20 39 48 74

Seed 58 37 48 45 95
Key  58 49 57 69 84

Interesting! Actually I didn't understand how from 13 52 43 64 75 you extrapolated the 63 27 53 67 42
Could you explain?

I have not tried yet to find out how the seed and key are related. Actually I think I'm not even going to try, as I believe there are most likely no other seed-key pairs.

Because I found that in the KDS software there are literally just three if statements that compare the received seed with the three hardcoded ones. If the match is found, it just sends the corresponding key.

Perhaps there is some connection e.g. it could be ASCII, mathematical operation or maybe some bitwise operation. But in the end it does not matter as I really believe there are just three seed-key pairs.

Did you ever find a waterproof display and case?

TriB:
What do I need:

  • Arduino Nano, BlendMicro or similar (included Bluetooth?)
  • Bluetooth-Shield (unless already included)
  • Waterproof LCD Display - Step II
  • Waterproof case - Step II

Hi windoze_killa,

no, I've buried the idea of an external display.
All the information (except the gear) would be nice to have or just for playing around.
So I decided to focus on the OBD II compatibility, so I can use any app or device.

Currently I've created the second version of a unique PCB design. There is an SPI for future purposes, which could probably be used for that.

Since I also got a Suzuki bike for racetracks, many optimizations have to be done in the code to speed up the communication. That's my work for now :stuck_out_tongue_closed_eyes:

I am actually trying to get the data stream from the ECU to the cluster. I have captured some data but I am having no end of trouble working out what it all means. From what I can work out it is unidirectional so there is no handshaking that I know of. I want to play around with a colour display for speed, tach, indicators, gear and clock. I know I can buy one but where is the fun in that.

I'm completely with you ;D
Found my drawings where to put what on a display (Voltage, Gear, etc) and a demo sketch, which was way too slow to update a little OLED and handle the KDS.
Probably an ESP32 would be the better solution!

Since I got a small 3D printer, a case could be designed pretty fast. With the right plexiglass and silicone, it should be rain-proof!

Do you want to fetch the data from the ECU or directly from the tachometer?
What's the struggle with your data? I guess I currently have all data and calculations available 8)

Right now, I create a data class, where I put everything in. Then I can optimize readings from temperature (which does not change so fluently) and speedup rpm, throttle or speed.
Suzuki reads all data at once, so there is even much more potential for performance!
Sadly lots of work and space for issues...

Noob here. Great thread! I am trying to help a friend out who wants to log ECU data from a Kawasaki SX-R 1500 jet ski to an AEM AQ-1 (available in CAN or OBD II versions). Any idea where I should start?

Hi,
I watched the manufacturer video about the AQ-1.
This is made to be connected directly to the ECU via CAN-Bus or OBD II connector.
OBD II is the way to go!

What have I done:
I connected the Kawa-ECU with an Arduino and transfer the Data OBD II compatible via Bluetooth.
Within that, I had to convert the requests and calculations, to be within the official OBD II ranges.

What you need:
Connect the Kawa-ECU with an Arduino and the OBD II AQ-1 on the other side, both via (Software-)Serial.
And you also need to translate between both parties.

Hardware:
So you need to create an adapter, which has an L9637D on both sides, which converts the K-Line (OBD II connector) to a serial signal.
Instead of my Bluetooth-module, you have to use the second L9637D.

Software:
Instead of receiving AT-commands (control commands for OBD II dongles), you will now get the whole initialization sequences and messages.
I'd ignore the initialization request (some high and low on the Serial port) and concentrate on the messages.
After receiving the first request, you can do the initialization yourself.

The requests themselves are now with header, length and checksum. My code expects only the SID and PID via Bluetooth. So you have to rewrite that part and process that stuff and extract SID & PID.

From my point of view, it's possible!
Change the hardware layout, delete the bluetooth & AT stuff and optimize the method, which receives the OBD requests to process or ignore the format, header, length and checksum.

Good luck :slight_smile:
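
The frame handling described in the post above (header, length and checksum, then SID and parameters), run over the security-access seed request and response from the first post. This is an added example, not code from the thread or from TriB's project: portable C++ without Arduino headers, and the names `KwpFrame`, `parseKwpFrame`, `isPositiveReply` and `sampleTrace` are this example's own. A translator built this way drops frames whose length or checksum does not match instead of forwarding them.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Decoded KWP2000 (ISO 14230) frame; the struct and names are this example's own.
struct KwpFrame {
    uint8_t target = 0, source = 0;  // 0x11 = ECU, 0xF1 = tester in the thread's traces
    uint8_t sid = 0;                 // service identifier, e.g. 0x27 securityAccess
    std::vector<uint8_t> params;     // bytes after the SID (PID, seed, key, ...)
};

// Parse one addressed frame. Returns false on truncation, a length mismatch
// or a bad checksum rather than guessing at the contents.
bool parseKwpFrame(const std::vector<uint8_t>& raw, KwpFrame& out) {
    if (raw.size() < 5 || (raw[0] & 0x80) == 0) return false;  // need fmt tgt src sid cs
    size_t len = raw[0] & 0x3F, hdr = 3;        // length may sit in the format byte
    if (len == 0) { len = raw[3]; hdr = 4; }    // ...or in a separate length byte
    if (len == 0 || raw.size() != hdr + len + 1) return false;
    uint8_t sum = 0;                            // checksum = 8-bit sum of all prior bytes
    for (size_t i = 0; i + 1 < raw.size(); ++i) sum = uint8_t(sum + raw[i]);
    if (sum != raw.back()) return false;
    out.target = raw[1];
    out.source = raw[2];
    out.sid = raw[hdr];
    out.params.assign(raw.begin() + hdr + 1, raw.end() - 1);
    return true;
}

// A positive response echoes the request SID with bit 6 set (0x27 -> 0x67)
// and swaps the two addresses; anything else is not an answer to this request.
bool isPositiveReply(const KwpFrame& req, const KwpFrame& rsp) {
    return rsp.sid == (req.sid | 0x40) && rsp.target == req.source && rsp.source == req.target;
}

// The seed request and its response, copied from the trace in the first post.
std::vector<std::vector<uint8_t>> sampleTrace() {
    return {{0x80, 0x11, 0xF1, 0x02, 0x27, 0x01, 0xAC},
            {0x80, 0xF1, 0x11, 0x08, 0x67, 0x01, 0x13, 0x52, 0x43, 0x64, 0x75, 0x34, 0xA7}};
}

int main() {
    for (const auto& raw : sampleTrace()) {
        KwpFrame f;
        if (!parseKwpFrame(raw, f)) { std::puts("rejected"); continue; }
        std::printf("%02X -> %02X  SID %02X  %zu parameter byte(s)\n",
                    f.source, f.target, f.sid, f.params.size());
    }
}
```
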

Hi, I have a problem with connecting to the 2013 Kawasaki ER-6F ECU. When the engine is off, I can connect without any problem, but as soon as I start the engine, communication is interrupted and I cannot re-establish it. The connection is established in the standard way. First, to start communication, after the fastInit procedure I send 0x81,0x11,0xF1,0x81,0x04, after a positive response I send a request to start a diagnostic session (0x80,0x11,0xf1,0x02,0x10,0x80,0x14), again I get the correct answer and then I can query the ECU about information that interests me. However, if at this time I start the engine, the ECU breaks the current connection and no longer responds to the start communication message. I checked different times (2s to 13s) between repeating the startup procedure with no results. What could be the reason for the ECU breaking communication? I attach a graph from a logic analyzer - opened in Saleae Logic Software (free) - the engine starts in 12.27 seconds of recording.

How did you design/connect the board?
I expect the ERna (how we call it in Germany) will give some interference on the power, with the alternator running.
Are you sure the Arduino is still running? When it's powered with more than 12V for a longer time, it will overheat.

So, I guess it will be related to the power supply.

I don't use Arduino, but STM32. For power supply I use 7805 stabilizer with 100 uF capacitors on the input and output. Then 5V supplies directly the LCD TFT and the 3.3V stabilizer of the STM32 module. STM works for sure, I have messages on the display informing about subsequent connection attempts.

Good evening everyone.

First, thank you all for all the amazing work done on this Global Project. I've tried to read everything to avoid asking stupid questions =).

Here is the status of my personal project (getting gear indicator , temperature and angle/accel on my phone) :

My Program is working well, bluetooth connection OK and phone App OK. The remaining is the communication with the bike and there is the reason I'm posting this message. I had few messages on Youtube with Trib (thank you again ! ) , after one twited L9637D, I received a new one and still not working. So I tried to simplify the system at maximum :

One additional thing : The Programme is working very well with the ECU emulator from Trib.
We don't see it very well on the picture , but there is 470 Ohms pull up resistance (to +12V) and 100nF capacitor (to GND).


First question: is it a problem that I use a 470 Ohm resistor instead of 510~550 Ohm? (I would be surprised if it's the case... but I prefer to ask.)

2nd question : I see on Firsts trib post that 5V isn't connected to the L9637D. Is it working without +5V :

Otherwise I will buy again new chip to be sure I didn't break this one ..

Below my (very simplified ) program using SimpleKDS.h library : to be short : If NOT connected --> Turn on the led (13) if connected turn it off :

#include <SimpleKDS.h> // Include KDS library

// Battery voltage request: header, length, SID, PID, checksum
byte voltage_req[] = {0x80, 0x11, 0xF1, 0x02, 0x21, 0x0A, 0xAF};

bool ECUconnected = false; // Initially the ECU is not connected (reset flag)
const int resbufsize = 100; // 100 bytes is sufficient to hold all responses
byte resbuf[resbufsize]; // Allocate the byte array in memory
byte resState; // Initialize the state for communication
int i = 1; // Counter for number of connection attempts

float voltage; // Float for the battery voltage (in Volts)
SimpleKDS KDS(resbufsize); // Initialize an object of the KDS class

// Setup
void setup() {
  pinMode(LED_BUILTIN, OUTPUT);
  KDS.setTiming(5, 0, 0, 55); // Set the timing parameters for KDS communication
  delay(3000); // Short delay that allows the motorcycle to settle
}

// Infinite loop
void loop() {
  // Continuously try to initialize communication with the ECU; the LED stays on while not connected
  if (!ECUconnected) {
    digitalWrite(LED_BUILTIN, HIGH);
    i++; // Increase counter

    ECUconnected = KDS.initECU(); // Attempt to initialize the ECU (usually one attempt is sufficient)

  // If the communication is OK, request and parse the desired values from the ECU
  } else {
    digitalWrite(LED_BUILTIN, LOW);
    // Request battery voltage
    KDS.sendRequest(voltage_req, sizeof(voltage_req));
    resState = BUSY;
    while (resState == BUSY) resState = KDS.getResponse(resbuf);
    if (resState == SUCCESS) {
      // Request completely received, convert the data byte to a voltage
      voltage = (float) resbuf[6] / 12.75;
    } else {
      // Something went wrong, reinitialize the ECU
      ECUconnected = false;
    }
  }
}

If you think you see any mistake , don't hesitate ! I'll give it a try. I'm out of solution... Only buy new L9637D...

Thank you again !

Hi, thank you all for a great job!
I ride Kawasaki Z250SL'16 and I also wanted to read the data from the ECU.
First of all, I tried to reproduce TriB's project - Arduino UNO (instead of Nano, it doesn't matter) and BT-06. As the first step, I didn't do any wiring to ECU, just wanted to check if Torque will recognize my adapter, and for some reason it didn't. Later I'll grab a debug output, but I didn't see a lot in the terminal. Maybe the Bluetooth module was the problem.
So, just now I have a question: will Torque recognize the module without a physical connection to the ECU?
The chip L9637 I already bought but hadn't time to do the wiring. And, before wiring, I wanted to be sure that it works at all.
What I think that I'll take a Mega board because of 2nd hardware serial - at least, for tests.
Also, I thought to port it to ESP32 (I've seen already that I'm not the first :)) But I discovered that the BluetoothSerial in the ESP32 is enough spartan so it will take a lot of work meanwhile I didn't succeed with connecting to Torque..

PS if someone is still looking for 4-pin connector, I ordered it here and it fits perfect, but you'll need a crimping tool like this.
PPS it seems that I really do something wrong, because I took a demo-sketch from Torque's website and it also didn't work.

UPD: I took a Mega board and connected the BT05 module to its Serial1, changed the reference and it works on the table. Next step - build L9637 adapter and maybe then try to port it to ESP32.

Hi Muzzy,

Torque or any other "ELM327" compatible application will be able to communicate with my solution.

First of all: Bluetooth is not Bluetooth Low Energy (LE). This might be a problem connecting a mobile phone with the BT module. (Older iPhones do not have LE)
When connecting the HC-05 / 06 or the ESP32 module successfully with your phone via settings, it should be available in Torque.
I'd recommend using an app like "Serial Bluetooth Terminal" to ensure it works as expected! (It supports BT and BT LE).
Just send "ATZ" and see if the Arduino/ESP answers with "ELM327 v1.4".
If it doesn't, check your baud rate. Most Bluetooth modules use 9600 right from the start and can be reconfigured to faster baud rates with AT commands.

To test torque without any connected Bike, use my stupid HC06 Sniffer-Sketch. It just responds static values and leaves the Serial Port open for debug purposes.

PS: I'm using several ESPs but haven't played around with Bluetooth, yet. But as I saw, you just have to include BluetoothSerial.h and use the same name "BT" instead of the SoftwareSerial.

Hi TriB,
BLE wasn't a problem in my case and won't be a problem. BT05 and BT06 just don't support it, and my phone (Galaxy S9) supports it.
The first time, I'd used a UNO board with BT06 and software serial, and it failed.
The second time, I'd used Mega board with BT05 and hardware serial1, and it worked fine. Torque connected, I'd seen random data from your emulator.

PS Wrap it to BluetoothSerial will bring some problems because BluetoothSerial class hasn't methods Print and PrintLn which are used in your project.

BluetoothSerial has write(), which is the same as print(), but does not shift the variables to chars.

println() is equal to print("\r\n") which is equal to write(13); write(10);

Something like that should work:

void setup() {
  Serial.begin(115200);  

  BtPrintln("Hello world");
  BtPrint("Test");
}

void loop() {  
}

void BtPrint(const String &text) {  
  for (uint8_t i = 0; i < text.length(); i++)    
    Serial.write((char)text[i]);
}

void BtPrintln(const String &text) {
  BtPrint(text);
  BtPrint("\r\n");
  //Or:
  //Serial.write(13);
  //Serial.write(10);    
}

I was wrong again.. :slight_smile:
after a few compiler warnings, the code was compiled and even downloaded to ESP32.
Torque connects to the chip but doesn't see any parameter (certainly, the module isn't connected).
Then I start your ECU emulator and press connect. The application doesn't show any signs of connection and Torque loses the connection. I suppose that ESP32 has problems with simultaneous transmission over 2 ports..