Security of ELM 327 Bluetooth Module

Like I mentioned in an earlier episode in this thread, I am just going to put a switch, relay, whatever, just so Pin 16 is not feeding power to external devices when the car is off. If you have something that needs 24/7 power from that pin, there are other arrangements that will work!

 

No, we didn't try establishing the connection while the car was off. We established the connection in IGN-ON, then turned the car off; the connection kept working. I don't know if that leaves some of the computers on that would otherwise be powered down or not, but it didn't seem any different from being normally powered down.

 

I was not able to conenct via TechStream and Tactrix interface when car is OFF. The Toyota service manual states to turn car to IGN-ON (or Ready) status when working with TS.

 

Pins 16 and 18 on an OBDII plug are 12+ and 12- constant. This is standard.

The BT module (or any other scan tool) can not communicate with the vehicle with the key off due to the CAN networks shutting on/off with the key (though some CAN activity can be seen while the vehicle is off and for a short time after the car has been shut down).

 

Hi ajtozzi :rapture:

In my earlier post (16Apr2012) I confirmed what you say, but I tested that the CAN bus also listens to the ELM327BT connected to the OBD port. My test is as follows:

1. My 2010 Prius parked and off for several hours with the ELM327BT module connnected to the OBD port. The receiver (WindowsMobile 6.1 phone) is out of range of BT communications.

2. I walk to the car, stand at about 4meter (12ft) distance and establish BT communications with the ELM327 module.

3. I send a few ELM327 AT commands to initialize the module (ATWS, ATDP, AT@1) All of them are answered correctly, which means that the OBD port is hot and the ELM327 powered on.

4. I send ATMA command to ELM327 module which monitors the CAN bus, then it shows traffic in the following IDs: 610 611 620 621 622 624 626 630 638 639 and also with 63B which contains a time counter. The traffic lasts 4 seconds at a rate of about 20messages/second, and after those seconds the CAN bus silences.

5. I walk nearer the car, and the car dome light illuminates, then the CAN bus shows four characteristic messages [611 21 00 00 12 00 00 54 38] [620 10 00 02 58 80 00 00 80] [620 10 00 02 57 80 00 00 80] and [626 1C 00 30 00 00 00 00 00] Since this moment, the CAN bus traffic continues at about 20 messages/second repeating these messages, and also earlier ones at 610, 621, 622, 624, 630, 638, 639 and the time stamped 63B

6. I touch the door handle and the car unlocks, then the CAN Bus shows some one hundred messages in some addresses, a new one is 631, and after these, the CAN Bus silences again.

7. I open the driver door and the CAN bus shows traffic for about two seconds with 2 characteristic messages [611 21 00 00 12 00 00 54 38] and [620 10 00 02 57 80 00 00 80] Then the CAN bus silences again until I close the door.

I hope this information is useful.

Big hugs from Frank

 

What is pin 18 ?? my OBDII connector only has 16 pin so does the BT unit ??

Also wondering where does OBD gets -12 ??? the lowest the car 12V system goes is ground (also considered 0V).

This is maybe some misunderstanding ...

 

Sorry I was thinking of something else when I typed that - it's pins 4 and 16!!!

In the DC system in a car we generally refer to 12V+ and 12V- or simply positive and negative.

 

That would indicate 24V difference btw them which clearly not the case. Just to be sure you mean the 0V/ground as 12V-

Pin 4 (and 5) should be ground or 0V basically the car body... I do not think the "negative" terminal is actually wired all over ... with separate wires. Pin 5 actually Signal Ground but for all practical purposes is the same as Pin 4 ... in my cheap BT OBD2 interface pin4 and pin5 simply soldered together ...

 

Just to add to this old thread about battery drain from and OBD II sender with the ignition off:

I just bought this ELM 27 Bluetooth sender from Newegg.com for $17 including shipping. It worked right away with Torque Lite on my Android.

It has three status LEDs including power, so no need to whip out the voltmeter. Haven't tried it on my PiP yet, but on the 2004 Ford I got it for, it is powered with the ignition off.

 

Thanks!

I bought one of those cheap, Harbor Freight, 1.5 W solar panels and some $2 solar buck-boost converters. My plan is to put the solar panel in the car and use a Lowe's RJ-45, wallboard jack to hold the converter and feed power at 13.1-13.2 V using the Scangauge OBD connector. This should keep the battery 'healthy' until I need to it again.

I am using a BMW i3-REx around town so the Prius is sitting unused ... the 12 V battery discharged when I must have left the passenger side door ajar. So this should keep the car ready to go if needed. In a year or so, we'll readdress whether or not we keep it.

Bob Wilson

 

I know I'm replying to a years-old post, but just for the record about ELM 327, it can speak KWP just fine. I was playing with one on my old Gen 1, which has no CAN bus at all.

-Chap

 

So the ELM apparently speaks Gen1 KWP protocol. The Gen2 KWP bus is a slightly different animal which I've never managed to connect to with an ELM. ATMA works, but establishing a connection with the TPMS and key ECUs fails. These are KWP, not CAN, bus devices on Gen2.

 

Gen 1 was a strange hodgepodge. It had ECUs reachable on the same bus but with some of them talking KWP at 9600 baud and some talking 9141-2 at 10.4 kbaud. Depending on the configuration commands sent to the ELM, it could see these and not those, or those and not these, but never at the same time.

If I remember right, I never got any of the KWP boxes to respond to any kind of broadcast; you could poke one directly if you knew its address, and see something was there. I was meaning to do further experimentation before my Gen 1 got crunched.

-Chap