OBD2 Adaptor Teardown

A number of years back I bought one of those cheap Bluetooth OBD diagnostic tools from eBay. I can’t remember why I bought it now (obviously for use on the car) but I must have only used it a couple of times. Having found it in my desk drawer at work last week, I decided to take it apart and have a look inside. From what I recall I only paid around £10 for it, so I was quite intrigued to see what you get for your money.

The device has “ELM327” written on the top of it. For those who don’t know, the ELM327 is a programmed microcontroller produced by ELM Electronics for translating messages from a vehicle’s on-board diagnostics (OBD) interface. According to Wikipedia the ELM327 is implemented on a PIC18F2480 microcontroller from Microchip. Vehicles that support OBD communicate over one of a number of protocols. For older vehicles this tends to be either ISO 9141-2, ISO 14230-4 KWP or J1850 pulse width and variable pulse width modulation. Modern cars tend to use the controller area network (CAN) protocol. The ELM327 supports all of these protocols.

Further research reveals that ELM failed to implement any code protection on the original ELM327 chips. These chips were then cloned and form the basis for the majority of the cheap Chinese imports you now find on eBay. The version number in the firmware of these clones also appears to have been modified to report versions newer than the original release even though the functionality remains the same. Most of the adaptors currently on eBay claim to be v1.5. I have been unable to find any reference to a v1.5 on the ELM website.

OBD2 Device

Here is a picture of the PCB after it was removed from the case. The OBD connector, which is connected via a 16-pin ribbon cable to the pin header, has also been removed. The soldering looks good. All the components appear to be fitted correctly. We can see the main microcontroller is indeed a PIC18F2480, the same processor ELM use for their ELM327. No labelling here, so it’s more than likely the PIC18F2480 has been flashed with the ripped-off firmware.

Comparing this PCB with the suggested example circuit diagram in the ELM327 datasheet, it quickly becomes clear that the example has been adopted with some minor modifications. An off-the-shelf Bluetooth module (middle right) has been added. The RS232 level shifting has been removed, since the TX and RX lines on the PIC connect straight through to pins on the Bluetooth module. I haven’t gone over the board component by component, but in addition to the main microcontroller you can clearly see the MCP2551 CAN transceiver; the 78M05 5V regulator (bottom right), used in place of a 78L05 on the schematic; the 1.5A 50V rectifier diode in line with the battery voltage for reverse polarity protection; and the LM317 adjustable regulator used to control the J1850 bus voltage. There appears to be additional filtering on the board as well.

ELM327 Datasheet

The Bluetooth module looks like the e-Gizmo EGBT-046S. Versions on eBay appear to be known as the HC-05 or HC-06, the difference apparently being that the HC-05 can be configured as a master whereas the HC-06 cannot. The main chip on these boards is a CSR BC417143 BlueCore® 4-External single-chip radio and baseband IC. Below it is the 8Mbit of external flash containing the firmware.

After applying power to the header and successfully pairing it with my PC, I was able to communicate with it using PuTTY. The ELM327 AT commands list contains all of the commands supported by the device. Obviously I couldn’t issue commands to poll vehicle information, but I could send AT commands to perform simple tasks such as resetting the device or reporting the firmware version number.

I reset the device by sending an “ATZ” command to which the device responded with “ELM327 v1.4”. Interesting. Sending the command “AT@1” returned “OBD2 to RS232 Interpreter”. This seems to be valid. However sending the command “AT@2”, which is only supported in firmware versions v1.2 and greater, should display the device identifier. The device returned no response. This indicates to me as expected that this device must be one of the cloned originals.
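The consistency check described above can be automated. This is an added example, not code from the original post: it parses raw adaptor replies and flags a version banner that does not match the behaviour of AT@2. The transcripts are constructed, the function names are hypothetical, and the carriage-return/“>” framing and the “?” rejection reply are assumptions about how the adaptor answers.

```python
import re

AT2_MIN_VERSION = (1, 2)      # AT@2 is supported from this version, per the post
UNLISTED_VERSIONS = {(1, 5)}  # the post found no v1.5 on the ELM website

def clean(raw: str, command: str) -> list[str]:
    """Drop the command echo, the '>' prompt and blank lines from a raw reply."""
    lines = [part.strip() for part in raw.replace(">", "").split("\r")]
    return [l for l in lines if l and l.upper() != command.upper()]

def parse_version(lines: list[str]):
    """Return (major, minor) from an 'ELM327 vX.Y' banner, or None."""
    for line in lines:
        m = re.search(r"ELM327 v(\d+)\.(\d+)", line)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None

def assess(transcript: dict[str, str]) -> list[str]:
    """Compare the claimed firmware version with what the device actually does."""
    version = parse_version(clean(transcript.get("ATZ", ""), "ATZ"))
    if version is None:
        return ["no ELM327 version banner in ATZ reply"]
    findings = []
    label = f"v{version[0]}.{version[1]}"
    if version in UNLISTED_VERSIONS:
        findings.append(f"{label} is not a version listed by ELM")
    ident = clean(transcript.get("AT@2", ""), "AT@2")
    # An empty reply or '?' means the command was not handled.
    if version >= AT2_MIN_VERSION and (not ident or ident == ["?"]):
        findings.append(f"{label} banner but AT@2 unanswered or rejected")
    return findings

# Constructed transcript matching the replies reported in the post.
POST_DEVICE = {
    "ATZ": "ATZ\r\r\rELM327 v1.4\r\r>",
    "AT@1": "AT@1\rOBD2 to RS232 Interpreter\r\r>",
    "AT@2": "AT@2\r\r>",
}
# Constructed transcript of a device whose AT@2 reply fits its banner.
CONSISTENT_DEVICE = {
    "ATZ": "ATZ\r\r\rELM327 v1.4\r\r>",
    "AT@2": "AT@2\rEXAMPLE-ID-01\r\r>",
}

if __name__ == "__main__":
    for name, t in (("post", POST_DEVICE), ("consistent", CONSISTENT_DEVICE)):
        print(name, assess(t) or "no inconsistencies")
```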

Still, to put this into perspective: the original ELM327 chips from ELM Electronics are priced at $18, and that’s just for the IC. Add in the additional cost of the CAN transceiver, the extra components, the PCB and a case, and you could not even build one yourself for less than what I paid for it. And besides, it works!

 


5 thoughts on “OBD2 Adaptor Teardown”

  1. JGuembel

    Hi, very nice report. A little tip: with the command ‘at@3 xxxxxxxxxxxx’ you can set the response value for the at@2 command.

  2. iceman

    Hi, where did you buy this ELM327 adapter? I cannot find a good quality adapter, and this seems to be OK.

    1. mikesmodz Post author

      I purchased the adaptor from eBay. There are still some sellers selling these in the UK. Pretty sure all of the cheap ELM327 devices advertised on eBay at the moment are all using the same cloned chips.

      1. insanoff

        Recently I bought a Chinese OBD to USB adapter on eBay to use its cloned ELM chip for hacking purposes. But then after taking it apart I discovered that it does not even have a cloned ELM chip inside. The PCB was almost empty, with some CoB chip on it.
        I can share photos if you want.
