Dissection of a counterfeit ELM327 OBDII Adapter from China

The ELM327 is a popular IC developed by Elm Electronics for communicating with the standard OBDII (On Board Diagnostics) protocols through the OBD2 port on your vehicle. This is used by mechanics and DIY’ers to diagnose and troubleshoot vehicle problems. It is also used by enthusiasts for getting useful information about your vehicle in real-time, such as speed, revs, temperature, air-flow, fuel consumption, etc.

Fake ELM327 adapter from China

I purchased one of these adapters from dx.com (SKU: 126921) , only to realise my mistake later that the adapters sold from China are nearly all counterfeit clones of the original ELM327 by Elm Electronics, and many of them do not work. Taking a look inside the adapter you can see some problems straight away.

Inside a fake ELM327 adapter from China

The inside contains two layers. The top layer has a Beken BK3231 Bluetooth SoC, a Microchip MCP2515 CAN Controller, and a NXP TJA1050 CAN transceiver. There are also three status LED’s which are not visible from the outside. My guess here, is that this design is the same internally as some of the transparent designs sold on the same website which have status LED’s visible. By using different cases, some more closely resembling an official product, they can sell more.

Inside a fake ELM327 adapter from China

The bottom layer is concerning. There are two voltage regulators and solder joints to the ODB2 pins. Only pins 4,5, 6, 7, 14, 15, and 16 are soldered to the bottom board. Pins 1, 2, 3, 8, 9, 10, 11, 12, and 13 are unconnected. The adapter advertises that “All OBDII protocols are supported”. However this is impossible, as pin 2 is required for the Bus Positive Line of SAE J1850 PWM and VPW, while pin 10 is required for the Bus Negative Line of SAE J1850 PWM.

What about the top board? Well the thing about the genuine ELM327 adapter is that it uses a PIC microcontroller, on which the ELM327 firmware is loaded. Nowhere on this adapter is such a PIC microcontoller. In fact, the only IC capable of running code on this adapter is the Beken Bluetooth SoC. According to the Beken datasheet, this SoC has 256 KiB of flash memory, and uses an ARM 968E-S core. This is incompatible with the PIC instruction set. So just what has happened here?

I have to make some guesses about the history of fake ELM327 adapters. Supposedly, the original ELM327 v1.0 did not contain copy protection, and the firmware was cloned in China. The firmware version was changed to report v1.5, and a large number of these fake adapters were made from the pirated ELM327 v1.0 firmware. Keep in mind that Elm Electronics never released a version 1.5 firmware of ELM327. Thus all v1.5 adapters are fake.

However, the version reported on the packaging of my adapter states v1.5, but there is no PIC microcontroller inside. How can this adapter be a clone of the original v1.0 ELM327 firmware?

Perhaps the makers of these fake adapters wanted to save costs by not having to include a PIC microcontroller inside the adapter as well as a Bluetooth controller. Instead they use the Bluetooth controller to run the ELM327 code so they can save cost. The problem is that the ELM327 firmware is written for a PIC microcontoller, and not an ARM CPU, which is what you will find inside Bluetooth SoC devices. It is not easy to re-use the PIC microcode  unless you can emulate the PIC on the ARM.

I guess that the ELM327 firmware had to be re-written, from scratch, perhaps with reference and help from the original PIC microcode. This is no easy task,and it doesn’t seem like they did it correctly. When they finally finished the new “fake” ARM ELM327 firmware, they gave it firmware version 2.1 to keep in line with the latest genuine version from Elm Electronics. The new fake ELM327 v2.1 adapters sold quite well, but there was a problem; there are bugs, and the support of the ELM327 command set is even worse than that of the original v1.0. Word spread around that the v2.1 adapters from China don’t work. To solve this problem they changed the version number back to v1.5. The original clone from China had v1.5 reported, and used a PIC microcontroller, and had full support of the ELM327 v1.0 command set. But this new version only has partial support – as it is a buggy and incomplete re-write of the genuine PIC firmware. The result is that it’s now really hard to tell whether an adapter that states v1.5 firmware is really the original PIC cloned firmware, or the new buggy and incomplete re-write.

To confirm some of this, I connected with Bluetooth to the adapter, and used a terminal application to try out some of the ELM327 command set that should be supported by v1.0 firmware.

>ATZ
ELM327 v1.5
>ATSP5
OK
>ATE0
OK
>ATS0
?
>ATAT1
?
>ATSTT3A
?
>ATAL
?

The fake ELM327 adapter does not even support all the basic commands of the ELM327 v1.0 command set. The ATZ command resets the device, which worked OK, but the ATAL command – to allow long byte messages – failed to be recognized. As did a number of other commands.

This adapter failed completely in my car, even though it has the pins needed for ISO 14230-4 fast-init protocol soldered on the adapter.
I tried a number of android and PC ELM327 reader applications without success.

Advertisements

Casio Calculator RAM Upgrade

This will show you how to upgrade the RAM on a Casio fx-9750G plus graphics calculator from 32 KiB to 64 KiB. This may also work on similar 9750/9850 models which use a 32 KiB RAM module.

casio_9750_RAM_ROM_CPU

If you un-screw the back cover, you can see a RAM module, ROM module, and a CPU under an epoxy blob. In my calculator the RAM module was a Hynix HY62WT081ED70C. From looking up the datasheets online, I found that this was indeed a 32 KiB low-power CMOS SRAM module. More expensive models of this calculator such as the 9850G plus advertise 64 KiB RAM. The hardware between the different models in this series is very similar, and there is space on the PCB to mount a larger RAM chip. So in theory the fx-9750G plus may be expandable to 64 KiB of RAM by de-soldering the existing RAM module and soldering in a larger RAM module. However, the risk is that the firmware may limit the RAM to 32 KiB, in which case the RAM upgrade will fail. Luckily, it seems that Casio has designed their firmware to support both RAM sizes.

casio_9750_RAM_removed

The first step is to de-solder the existing RAM module. I used a heat gun and tweezers to carefully heat up the part until I could flip it off with the tweezers. Be careful not to burn the plastic connections to the LCD above the RAM module. Also be aware that the heat will transfer through the PCB into the LCD behind it, so make sure you apply the heat evenly and quickly. The picture shows the bare circuit board after removing the RAM module. There will be some residual solder left on the pads. This must be removed in order for the new larger RAM module to lay down flat on the PCB. To do this I used some copper braid as a solder wick. Once the area is flat you may want to clean the board with a little flux to ensure that the new RAM module will solder in place properly.

casio_9750_new_RAM

I found a suitable replacement for the RAM module online. The module I ordered was a 128 KiB low power CMOS SRAM, part number AS6C1008-55SIN, which cost a little over $3 NZD. Only up-to 16 bits of the address space is used by the calculator, so unfortunately you cannot use all the 128 KiB of RAM at once, but only 64 KiB at a time. If you really wanted you could solder a switch into your calculator to switch between the two banks of RAM in order to gain access to all 128 KiB of RAM. I decided against this. The picture shows the new larger RAM module soldered in place. Also note that you must solder a short on R20 just above the RAM module. Leave R21 as an open circuit. This connects the extra address pin to the CPU so that it can access 64 KiB of RAM.
The only thing left to do is to put the calculator back together and hope that it still works. In order to test the new RAM you can use the calculators hidden test menu. To gain access to the test menu turn you calculator off, then hold [a b/c], [F6] and press [AC]. Then enter the RAM section and the test will check the RAM is functioning properly over the entire address space. The picture below shows the old and new RAM test menus, confirming that the calculator recognises the new 64 KiB of RAM.

casio_9750_before_after_upgrade