ELM327 Emulator
ELM327-emulator
A Python emulator of the ELM327 OBD-II adapter connected to a vehicle supporting multi-ECU simulation.
ELM327-emulator connects client applications to multiple emulated ECUs via OBD-II interface through different networking systems, including serial communication (where pseudo-terminals are used if supported by the operating systems), or direct interaction with communication devices, or TCP/IP, or Bluetooth. The software simulates an ELM327 adapter connected to a vehicle, includes a command-line interface for extensive monitoring and offers a documented Python development framework to implement ECU emulation objects.
ELM327-emulator is able to support basic ELM327 commands and OBD service requests through stateless request/response method via OBD-II, but can also handle stateful UDS communication with ISO-TP Flow Control and Keyword Protocol 2000, concurrently emulating multiple ECUs. It is designed to be extended via a plugin architecture to allow easy development of specific tasks implementing workflows, including the possibility to simulate anomalies for testing purposes. Many AT commands are supported, as well as some OBDLink AT/ST commands.
ELM327-emulator supports different operating systems including Windows, macOS and UNIX/Linux; it is agnostic of the client application and has been tested with python-OBD as well as with many applications on Windows, Linux and on smartphone devices.
An internal dictionary (named ObdMessage) allows configuring the emulation, which is currently set to reproduce the message flow generated by more ECUs, including the basic communication of a Toyota Auris Hybrid car (through the scenario car
option) and can be easily extended to simulate communication produced by other vehicles or ECUs. In case of more complex interactions (e.g., entering privileged diagnostic sessions and performing reset or flash upload operations), the dictionary can instance tasks, which are implemented through plugins, very simple to be developed by users extending the software. Some example of plugins is already included.
ELM327-emulator also offers a feature that compares the emulation with the direct connection of an OBD-II adapter to allow extending the dictionary by reporting unmatched requests. In addition, it provides an auxiliary scanning tool (obd_dictionary) that builds the ObdMessage dictionary of a specific vehicle by automatically querying all standard OBD service requests one by one (as well as querying additional custom PIDs specified by the user via CSV file); the dictionary can then be used to emulate stateless request/responses of a specific car or ECU.
Installation
Check that the Python version is 3.6 or higher (python3 -V
), then install ELM327-emulator with the following command:
This is enough to run the software.
Prerequisite components: pyyaml, python-daemon, obd; in addition, with Windows also pyreadline3. All needed prerequisites are automatically installed with the package.
obd (python-OBD) is needed for obd_dictionary. It is better to use an updated version of python-OBD package (e.g., the one installed from GitHub with python3 -m pip install --upgrade git+https://github.com/brendan-w/python-OBD.git
).
Alternatively to the above mentioned installation method, the following steps allow installing the latest version from GitHub.
Optional preliminary configuration with Ubuntu (if not already done):
Optional preliminary configuration with Windows:
install the latest version of Python (also available from Microsoft Store);
if you want to install ELM327-emulator from GitHub, install git from Git-scm or using the Git for Windows installer;
if the interface to use is a COM port (e.g., not TCP/IP or Bluetooth), also install com0com (no installation is needed when using TCP/IP or Bluetooth interfaces);
optionally, check that PIP is upgraded (
python3 -m pip install --upgrade pip
).
Run this command:
To uninstall:
Basic use
The emulator allows batch and interactive mode. The latter is the default and can be executed as follows:
or simply:
After starting the program, the emulator is ready to use.
To enable the preconfigured set of OBD service requests of a Toyota Auris Hybrid car, enter scenario car
(or, alternatively, run the emulator with the -s car
option, i.e python3 -m elm -s car
).
By default, ELM327-emulator uses serial communication. The external application interfacing the emulator just needs to connect to the virtual device shown by the emulator and interact with the vehicle as if it was accessing a real ELM327 adapter.
Alternatively to the serial communication, ELM327-emulator supports TCP/IP networking through the -n
option, followed by the port number (wich in most cases is 35000). Example:
All subsequent information is not needed for basic usage of the tool and allows mastering ELM327-emulator, exploiting it to test specific features including the simulation of communication exceptions, which are not always easy to be reproduced with a real link.
Compatibility
ELM327-emulator has been tested with Python 3.6, 3.7, 3.8, 3.9. Previous Python versions are not supported.
When using serial communication, with UNIX/Linux OSs, this code uses pty pseudo-terminals. With Windows, you should first install com0com (a kernel-mode virtual serial port driver), or other virtual serial port software; alternatively, cygwin and Windows Subsystem for Linux (WSL) are supported.
Usage
The description of the ELM327-emulator command-line option is the following:
Description
The communication port to be used by the application interfacing the emulator is displayed when starting the program. E.g. on UNIX/Linux:
When running on Windows, the following message is shown:
Embedded dictionary of AT Commands and OBD service requests
A dictionary named ObdMessage is used to define commands and PIDs. The dictionary includes more sections (named scenarios):
'AT'
: set of default AT and ST commands'default'
: set of default PIDs'car'
: PIDs of a Toyota Auris Hybrid vehicle'mt05'
: basic set of PIDs of an MT05 ECU from Delphi used in many motorbikes and ATV'sany additional custom section can be used to define specific scenarios
Default settings include both the 'AT' and the 'default' scenarios.
The dictionary used to parse each ELM command is dynamically built as a union of three defined scenarios in the following order: 'default', 'AT', custom scenario (when applied). Each subsequent scenario redefines the commands of the previous scenarios. In principle, 'AT' scenario is added to 'default' and, if a custom scenario is used, this is also added on top, and all equal keys are replaced. Then the Priority key defines the precedence to match elements.
If a custom scenario is selected through the scenario command, any key defined in the custom scenario replaces the default settings ('AT' and 'default' scenarios).
The key used in the dictionary consists of a unique identifier for each PID. Allowed case-insensitive values for each key (PID):
'Request'
: received data; a regular expression can be used'Descr'
: string describing the PID'Exec'
: command to be executed'Log'
: logging.debug argument'Info'
: logging.info argument'Warning'
: logging.warning argument'ResponseFooter'
: run a function and returns a footer to the response (a lambda function can be used)'ResponseHeader'
: run a function and returns a header to the response (a lambda function can be used)'Response'
: returned data; can be a string, or a list/tuple of strings; if more strings are included (e.g., if a tuple or a list is used), the emulator selects one of them each time, according to the criteria defined by thechoose
command, which can be either sequential (default) or random.'Action'
: can be set to 'skip' in order to skip the processing of the PID'Header'
: if set, process the command only if the corresponding header (CAN ID) matches'Priority'=number
: when set, the key has higher priority than the default (highest number = 1, lowest = 10 = default)'Task'
: if set, the related header/request activates a specific task referring to an installed plugin.
The emulator provides a monitoring front-end, supporting commands and controlling the backend thread which executes the actual process.
Built-in keywords
At the CMD>
prompt, the emulator accepts the commands described in the following table.
In addition to the previously listed keywords, any Python command is allowed to query/configure the backend thread.
Examples of usage of the choice
command:
At the command prompt, cursors and keyboard shortcuts are allowed. Autocompletion (via TAB key) is active for all previously described commands and also allows Python keywords and namespaces (built-ins, self and global). If the autocompletion matches a single item, this is immediately expanded; Conversely, if more possibilities are matched, none of them is returned, but pressing TAB again a list of available options is displayed.
Testing OBD-II requests
ELM327-emulator allows testing OBD-II requests through the test command directly via the command line, like in this example, where the '010C' pid is tested:
The autocompletion is allowed for the argument, to prompt and select values (PIDs) defined in the dictionary.
The answer (Command output) will be 41 0C 13 FB \r\r>
, OK\r\r>
, 7E8 04 41 0C 09 F6 \r\r>
, which will reflect what ELM327-emulator returns to a real OBD-II application.
Special setters
The counters starting with cmd_... are special setters. They are represented in the following table and store data related to AT/ST commands.
Unhandled setter means that the AT/ST command is recognized, the related counter is valued but no process is currently associated.
echo and linefeed settings are both disabled by default. They can be configured via related AT commands (ATE1 and ATL1). The special setters cmd_echo
and cmd_linefeeds
allow enabling them via command line. Example:
This is the same as:
Possible values of emulator.counters['cmd_linefeeds']
:
Space characters are inserted by default in the ECU response as per specification. To remove them, use the AT command ATS0 or emulator.counters['cmd_spaces'] = 0
.
By default the header (CAN ID) is not included in the ECU response. To add it, use the AT command ATH1 or emulator.counters['cmd_use_header'] = True
.
The default ECU header is ECU_ADDR_E (e.g., "7E0", producing answer "7E8"; ref. obd_message.py). Use cmd_set_header
to customize it, or, alternatively use the command test atsh <header>
.
The last executed request is stored in cmd_last_cmd
. This is used to repeat the command when the 'fast' option is set (command repetition, using a newline). While executing the command, cmd_last_pid
is valued with the PID label referred to the request.
Each time the interface is reset by an ATZ command, the special setters are restored to their default settings and any specific customization needs to be issued again. Use emulator.presets
in order to preset the special setters so that they are applied as default values each time the interface is opened by an application. Example:
The cmd_spaces setting is the same as:
cmd_cra
keeps the value set by ATCRA when setting and resetting the receive address filter. The following metacharacters are accepted:
X for any single hex digit,
W for any sequence of hex digits (one or more).
Example.
It returns cmd_cra = 7X8
.
To switch off autoformatting, set cmd_caf to False, like in the following example:
To test the processing of full CAN messages, set cmd_can as in the following example:
The above setting also implies the following ones, which are automatically changed by each subsequent CAN request:
Example of usage of cmd_can:
To change the ELM version string in ELM commands, use the version
command, which defaults to ELM327 v1.5. Use version reset
to return to the default values of the ELM version string and related header. Check also the "elm_version" setter, which stores the temporary version string within the current session.
Example:
The returned code will be 'ELM327 v2.3\r\r>'.
Through the hexheader argument of the version command, ELM327-emulator also allows to change the header bytes of the version string, which by default are two carriage return characters. The updated string should be composed by a sequence of hex digits. Example:
Any change to the ELM version string and ELM header version bytes can be restored to default with:
Without parameters, version
returns the ELM327-emulator version and ELM version parameters in use.
Other example to reproduce the ATZ output of a ScanTool.net OBDLink SX device:
The returned output is:
The output is then written to the application when using the following command:
Editing answers on the fly
Static answers in the ObdMessage
dictionary can be edited on the fly through the edit
command. It extracts the answer from a PID, stores it into the emulator.answer
dictionary described in the next chapter and performs the editing in its data part. If the command is called with just the PID argument, it resets the emulator.answer
dictionary for the referred PID, returning to the default answer.
Syntax: edit PID <position> <replaced bytes>
PID is an element name in the ObdMessage
dictionary for the current scenario and with an associated static 'Response'
.
Position is a number starting from 0, which can be decimal (e.g., edit VIN 10 AA BB CC DD
) or in any other format (0o
for octal, 0x
for hex, 0b
for binary; example: edit VIN 0x0A AA BB CC DD
).
Replaced bytes is a string of hexadecimal digits in any format.
Note: this command only works for PIDs which have a static 'Response'
in the ObdMessage
dictionary. 'ResponseHeader'
, 'ResponseFooter'
and 'Task'
are not supported.
For more complex actions, the Edit
class can be used with its answer()
method, also allowing the Context Manager. See the related comments in interpreter.py for details on how to use this class.
The following example sets an edited response for 15 seconds, then restores the default answer.
The following is a more complex command where the answer changes every three seconds:
The edit
command uses PIDs in the current scenario. To change scenario, use the scenario
command. Example to change the value of FCLCINT1 (C/L Fuel Corr Int Cyl 1) on the MONITOR pid (2101, Delco "Mode 1 Message") in the "mt05" scenario (Delphi MT05 ECU) to "AA BB" (spaces between hex digits are optional):
Notice that the mt05 scenario is automatically set by the 'UDS_START_COMM' PID (81). The method to dynamically change scenario is self.set_sorted_obd_msg(scenario)
.
Data Link and Network Layers
ELM327-emulator includes a basic processing of the ISO 15765-2 ISO-TP Layer and KWP2000 ISO 14230-2:1999 Data Link layer. The following elements are implemented:
3-byte and 4-byte KWP2000 header with frame length management (the "Format" byte always assumes address information and physical addressing; other cases are ignored),
ISO-TP 11 bit CAN identifier (29 bit CAN identifiers are not supported)
ISO-TP Single frame (SF), First frame (FF), Consecutive frame (CF), Flow control frame (FC),
Basic input flow control of ISO-TP (with generation of FC output frames); output flow control (handling of FC input frames) is ignored,
KWP2000 Checksum byte (CS) at the end of the ISO 14230-2:1999 message block (checksum verification in requests and checksum generation in responses),
ISO-TP P1, P2, P3 and P4 timers.
The KWP2000 format is detected by a header >= three bytes.
Advanced usage
ELM327-emulator allows changing the UDS P1, P2, P3 and P4 timers via the timer
command. The P4 timer controls the max delay between each entered character and by default is not active (e.g., set to 1440 seconds). The P4 timer can either be configured via timer P4 value
, or by setting emulator.counters['req_timeout']
. Decimals are allowed. Some adapters set P4 by default, discarding characters if each of them is not entered within a short time limit (apart from the first one after a CR/Carriage Return). The appropriate emulation for this timeout is to set emulator.counters['req_timeout']=0.015
(e.g., 15 milliseconds). Typing commands by hand via terminal emulator with such adapters is not possible as the allowed timing is too short. The same happens when setting req_timeout to 0.015 (or timer P4 0.015
).
The command prompt also allows configuring the emulator.answer
dictionary (ref. also previous paragraph), which has the goal to dynamically redefine answers for specific PIDs ('Pid': '...'
). Its syntax is:
Example:
The above example forces SPEED and RPM PIDs to always return "NO DATA".
To reset the emulator.answer string to its default value:
To simulate that the adapter is not connected to the vehicle:
As mentioned in the previous paragraph, the edit
command simplifies the usage of emulator.answer
.
The emulator.ELM_R_UNKNOWN
parameter allows customizing the message returned in case of unknown/invalid command. The default message is ?
, with an addition of a trailing . This message can be customized; for example, to just get , set the following:
The dictionary can be used to modify answers within a workflow. The front-end allows implementing basic Python workflows and, when used in batch mode, can also be controlled by a piped external supervisor. The following examples show some simple workflows in interactive mode.
Example of automation which suspends the emulator for 10 seconds:
Example of an automation that simulates the off/on ignition states:
Configuring response strings
Response
, ResponseHeader
, ResponseFooter
, emulator.answer
and emulator.ELM_R_UNKNOWN
support the following XML tags (which shall be produced without the xml envelope):
Strings among tags are allowed and are returned as they are, with no line separator and stripping blank heading and footing characters.
Whenever possible, the usage of pos_answer and neg_answer is suggested, totally relying on ELM327-emulator for the construction of the answer. In such cases, ELM327-emulator builds the final bytestream basing on ISO 14230-2:1999 for the Data Link Layer and ISO 14230-3:1999 for the Application Layer.
The verify
command can be used to test an XML response: the returned message will show what in normal operation is outputted to the communication port. Notice that, in order to check the produced <header>
and <size>
bytes, cmd_use_header
shall be set to True (e.g., test ath1
): these bytes are not returned when cmd_use_header
is False. Besides, bytes included in the <data>
tag will be returned with all spaces stripped out if cmd_spaces
is False (e.g., test atsp0
).
Tag nesting is not allowed.
Unknown tags are skipped.
Some special characters must be escaped within the XML fields, like:
The exec tag for instance can be used to embed real-time delays between strings or to differentiate answers. The return value of a statement is ignored. The evaluation of an expression is substituted. Example: 'Response' = '<string>SEARCHING...</string><exec>time.sleep(4.5)</exec><writeln /><writeln>UNABLE TO CONNECT</writeln>'. Notice that, as
time.sleep` is a statement, the related return value is ignored.
Further processing can be achieved through a lambda function applied to ResponseHeader
, ResponseFooter
. It has to manage the following parameters: self, cmd, pid, uc_val (e.g., lambda self, cmd, pid, uc_val:
).
cmd: the request, received by the client application
pid: the PID identifier (which can be used as key to index
self.counters
andObdMessage
)uc_val:
ObdMessage
dictionary related topid
with all keys converted to uppercase (e.g.,uc_val['RESPONSE']
).
Example of PID definition within the ObdMessage
dictionary:
In the above example, the first time ResponseHeader is executed (self.counters[pid] == 1
), the produced response is SEARCHING...
, followed by a one-second delay and then \rUNABLE TO CONNECT\r
. For all subsequent messages, the response will be different and produces either NO DATA\r
or BUS INIT:ERROR\r
, according to the criteria (sequential or random) defined by the choice
command.
The ability to add dynamic differentiators and delays within responses enables testing specific use cases and exceptions that are difficult to be achieved through a real connection with a car. These not only apply to the ObdMessage
dictionary (by editing obd_message.py), but also to emulator.answer
and emulator.ELM_R_UNKNOWN
, that can be configured through the command line. Consider for instance the following dynamic configuration via command line:
In the above example, which illustrates an in-line expression substitution, the configuration of the ‘SPEED’ PID (Vehicle speed) is replaced with a dynamic answer and the ‘SPEED’ PID will return 7E8 03 41 0D 0A
+ line separator for most of the time. With 20% probability, NO DATA
+ line separator is returned. Notice that the last line separator is common to both options.
The following example shows how to dynamically generate an answer via command line by converting decimal numbers to hex string in order to allow comfortable testing of a PID by specifying decimal input values. Suppose that the PID needs to double the input. We use CUSTOM_FUEL_LEVEL PID in the example, testing the answer related to 15.5 liters.
Preliminarily, test number conversion with the command line:
Apply it to CUSTOM_FUEL_LEVEL PID so that it returns 7C8 03 61 29 1F \r'
:
The output is:
Or, alternatively, use the header variable instead of the header digits:
The following command sets SPEED (Vehicle speed) to 60 km/h via command line (60 can be changed to any integer value between 0 and 255):
The output is:
The following command sets RPM (Engine RPM) to 500 via command line:
or
In both cases, the output is:
To list the configuration, type emulator.answer
, or simply counters
. To remove the dynamic answer and return to the default configuration of the ‘SPEED’ PID, type del emulator.answer['SPEED']
.
Command to configure PID '0100' answer (PIDS_A) to BUS INIT: OK
for its first query and to 48 6B 13 41 00 BE 1F B8 11 AD
for all the subsequent queries:
The output is:
The ELM_PIDS_A counter (emulator.counters["ELM_PIDS_A"]
) can be reset with:
The following example shows how to use the verify
command (without single or double commas) to quickly test the conversion of an XML response; write
does the same and also writes the produced output to the opened device.
The output will be '7E003010203\r\r>'
.
In the next example, we will use the pos_answer tag, that needs the request header and the request data to produce a valid UDS positive response; in normal operation, those data are automatically inserted by ELM327-emulator upon each request; if using verify
(which has no clue about any previous request), they need to be specifically included (as cannot be acquired by the context). As mentioned, test ath1
instructs ELM327-emulator to return header and length.
The result will be 7E8 10 14 49 02 01 53 42 31 \r7E8 21 5A 53 33 4A 45 36 30 \r7E8 22 45 32 38 32 31 30 32 \r\r>
.
The answer tag simply computes the length of the data bytes and adds the header; it does not need the rd tag; using the above example, to generate the same answer we need to add the UDS positive answer data "49 02":
Then the result will be the same: 7E8 10 14 49 02 01 53 42 31 \r7E8 21 5A 53 33 4A 45 36 30 \r7E8 22 45 32 38 32 31 30 32 \r\r>
.
Example of neg_answer tag:
The result will be 7E8 03 7F 01 44 \r\r>
.
Example of flow tag:
The result will be 7E8 30 30 20 00 \r\r>
.
To write the output of a test
command to the application, copy its Raw command output and paste it to a write
command.
Timers
The timer
command allows showing or changing the UDS timers.
Values are in seconds (floating numbers are allowed).
Tasks
ELM327-emulator provides an extendable plugin architecture defining tasks, which are entities allowing the implementation of stateless and stateful procedures, that can be nested and are chainable. Through plugins, ELM327-emulator offers a development framework to easily implement ECU emulation objects, which are able to manage persistent data within the same instance (its namespace) and within the same ECU (shared namespace). Tasks allow emulating multiple ECUs concurrently, where each ECU has its own data space.
In case of stateless requests/responses, an ECU function can be emulated through a simple configuration in the dictionary, without usage of a plugin. Alternatively, if stateful routines or more complex programming are needed, an ECU function leverages the implementation of tasks. The structure of tasks is designed to simplify the development of complex ECU functions, like for instance flash upload/download operations.
When ELM327-emulator starts, it enumerates all available plugins in its plugins subdirectory (elm/plugins). Each plugin defines an own task, named with the file name of the plugin. All the file names of the plugins must start with task_.
A task is invoked in the dictionary through the 'Task'
tag, that refers to the name of an installed plugin. If a request associating a task is matched (including Request and possibly Header tags), its related task is activated by instantiating the Task class of the invoked plugin. After startup and after processing the request, the task can either terminate or remain active; in the latter case, it receives all subsequent requests related to the same header, allowing to implement a dedicated communication flow within a dedicated namespace. All tasks (regardless they terminate or remain active) take also advantage of a shared namespace, common to all requests addressed to the same ECU (see ECU Tasks for further information).
Tasks are interrupted by the following conditions:
task termination performed by the plugin itself after processing the request (e.g, returning a method with
False
or withself.TASK.TERMINATE
as the second value of the return tuple);communication reset (e.g., communication disconnection, or "ATZ", or reset command);
expiration of the P3 timer.
Tasks and plugins can be monitored through the tasks
command.
Multiple tasks can be concurrently instanced with different ECU IDs.
All plugins shall implement a class named Task derived from the Tasks class.
In a plugin, at least the run() method should be implemented, overriding the default method of the Tasks class. Allowed methods:
def start(self, cmd, *_)
: invoked to process the first request of a just created task (not required)def stop(self, cmd, *_)
: invoked to process a request before interrupting the task (not required). Default is to returnTasks.RETURN.ERROR
(do nothing).def run(self, cmd, *_)
: invoked on any request after the first one; if start() is not implemented, run() is always invoked.
Task methods are called after processing the ISO-TP data link, so the request passed to the task methods includes the whole message, where the associated multiframe (consisting of multiple frames received from the communication port) is already assembled and interpreted into a single data string of consecutive hex values, without spaces. Tasks methods return an XML response string as the first value of the return tuple; this XML string will be subsequently processed by the embedded ISO-TP data link, generating the output strings then sent to the communication port.
A multiframe is internally processed as a special temporary task named 'ISO-TP request pending'. It can be monitored through the tasks
command.
All methods return a tuple of three elements:
an XML response string, which will be subsequently interpreted by the ISO-TP processor and then written to the client application; None means nothing to output;
a boolean (True =
Tasks.RETURN.CONTINUE
, or False =Tasks.RETURN.TERMINATE
), to indicate whether the task remains active or terminates;a request string (e.g., cmd) which will be processed by ELM327-emulator after the transmission of the XML response string; the value can be:
None, meaning no subsequent request string to be processed, or
the same unchanged request of the task method invocation, where the returned request is sent to the standard processing of its dictionary response elements (without re-executing the same task), or
a different data than cmd in the task method, so that a full reprocessing of the new request is done (including running a task if defined).
This third element of the return tuple allows a task to also act as a filter or preprocessor, that receives a request (cmd), accounts it, possibly transforms it and forwards it to the standard processor.
Special return values:
Task.RETURN.ANSWER(answer)
, or(answer, Tasks.RETURN.TERMINATE, None)
: used with standard positive or negative answers, terminating the task (without any further request processing after the task is terminated);Task.RETURN.PASSTHROUGH(cmd)
, or(None, Tasks.RETURN.TERMINATE, cmd)
: if the task returns the same unchanged cmd in the request, it is generally used for pure pass-through, like performing some accounting in the task, or logging, and then terminating the task while sending the same request to the standard processing of its dictionary response elements; if the task changes the returned data, a full reprocessing of the request is done;Task.RETURN.ERROR
, or(None, Tasks.RETURN.TERMINATE, None)
: used for error conditions; no output written while terminating the task;Task.RETURN.INCOMPLETE
, or(None, Tasks.RETURN.CONTINUE, None)
, used to allow internal processing of the request, without producing output and keeping the task active, so that the same task will also process all subsequent input requests addressed to the same ECU, until the task is terminated.Tasks.RETURN.TASK_CONTINUE(cmd)
, or(None, Tasks.RETURN.CONTINUE, cmd)
used for instance in ECU Tasks in order to pass the request to the subsequent processor, by keeping the ECU Task active for all subsequent requests, with its ECU namespace.
Task namespaces
A task can exploit its own namespace, which is related to a specific task instance, that can remain active for subsequent requests if handled with Tasks.RETURN.CONTINUE
. A task can also use the shared namespace of the ECU, which is associated to any kind of request referring to the same ECU ID. Notice that requests do not necessarily need to invoke a 'Task'
to access the ECU shared namespace: also 'ResponseFooter'
and 'ResponseHeader'
can reference the ECU shared namespace.
Other than storing local variables, the task namespace is useful to persist class properties if the task terminates with Tasks.RETURN.CONTINUE
, and also to perform preprocessing through the related task methods (start()
, stop()
, run()
), so that any subsequent request of the same ECU will be processed by the same task, until task termination. All subsequent calls of an active task share the same namespace. For instance, if a task is configured as a filter, its namespace can be used while preprocessing all subsequent requests directed to the ECU, which will be sent to the same task until its termination.
The shared namespace for an ECU is named self.shared
and can be associated to an ECU Task. For instance, a task can create a variable named self.shared.my_data = True
, that other tasks can use. The shared namespace can be used by different commands or tasks, if referring the same ECU. This area is created by ELM327-emulator at the first request referring to an ECU (and, if available, the related ECU Task start()
method is executed). The shared namespace is already active when any task method is run. This shared area is reset by a communication disconnection, or "ATZ", or reset command, or expiration of the P3 timer.
The easies way to configure tasks is to use Tasks.RETURN.TERMINATE (so that a task terminates after the execution of the invoked method, e.g., Task.RETURN.ANSWER(answer)
) and to exploit self.shared
to store persistent data, shared by different tasks and functions. The easies way to initialize shared data is through the definition of a start()
method inside the related ECU Task.
ECU Tasks
An ECU Task is an optional request preprocessor which owns the shared namespace for its related ECU and is executed for each request referred to the same ECU, before interpreting the request (or running the task, regardless the request is a task or a simple command).
The plugin of the ECU Task shall be named "task_ecu_" followed by the hex header digits (case-insensitive) of the (source/destination) CAN id of the ECU (then followed by ".py"). For instance, in case of a request directed to an ECU with CAN id "7E0" (ATSH 7E0
), the task ECU plugin shall be named "task_ecu_7E0.py". In case of ATSH 8011F1
, the related ECU task shall be named "task_ecu_11F1.py". Hex digits accept the following metacharacters:
X for any single hex digit,
W for any sequence of hex digits (one or more).
The plugin shall implement a class named Task derived from the EcuTasks class.
Defining an ECU task is not required; if missing, a default shared namespace for the ECU is automatically created when the ECU is first used; no further preprocessing occurs; the task namespace will be anyway usable.
The allowed methods are the same as the normal tasks. The start()
method of the ECU task is executed upon the first request reference of an ECU, when the shared namespace for the ECU is created. It can for instance be used to run one-time procedures like initializing resources used by subsequent commands (e.g., initialize shared variables and mapped memory used by a task). A typical return code is return Tasks.RETURN.TASK_CONTINUE(cmd)
(EcuTask can be used in place of Task), so that the ECU task remains active with its namespace and the request is subsequently processed. Tasks.RETURN.TERMINATE
can be used for testing purpose.
Example of a plugin implementing an ECU Task which fully disables the ECU processing, always returning "NO DATA" ("NO DATA", EcuTasks.RETURN.TERMINATE, None
):
The run()
method of the ECU is invoked on any request after the first one; if start() is not implemented, run() is always invoked.
The ECU tasks is terminated when a method returns with self.TASK.TERMINATE
(or False) in the return tuple, or by the following conditions:
communication reset (e.g., communication disconnection, or "ATZ", or reset command);
expiration of the P3 timer.
With these two termination conditions, the stop()
method is also executed (useful for instance to remove login parameters after P3 timer expiration). The default definition of the stop()
method is to return Tasks.RETURN.ERROR
(do nothing).
All ECU task methods return the same three-element tuple of the tasks, where the first element is generally None (if set to an XML string, its data is written as output response), the second one is either Tasks.RETURN.CONTINUE
or Tasks.RETURN.TERMINATE
(the latter is generally only for testing), the third one is the preprocessing output, or None for no processing. TASK_CONTINUE(cmd)
means None, Tasks.RETURN.CONTINUE, cmd
.
Example
For instance, a plugin named plugins/task_routine.py defines the task task_routine, which is configured in the dictionary element 'A_ROUTINE', like the following example:
The following table shows the UDS protocol sequence for this example:
In such example, a request of type 3101...
will start the task task_routine, which can immediately return (if Tasks.RETURN.TERMINATE
is used), or (in case Tasks.RETURN.CONTINUE
is used) will also be able (not in this example of task) to process any subsequent request (also if not matching 3101...
), until the plugin is terminated. In the above example, the 'Header'
attribute is not set, so any CAN header will be valid.
The following code shows a sample of 7E0 ECU task related to the Python plugin named "task_ecu_7E0.py"; the start()
method is executed the first time the ECU is used, while the stop()
method is executed on expiration of the P3 timer; both reset the login state to False:
Notice that self.auth_successful
in the ECU task can be used in place of self.shared.auth_successful
because the ECU task owns the ECU namespace.
The following code shows a basic task related to the Python plugin named "task_routine.py"; the assumption is that the default self.shared.auth_successful
state (False
) in the ECU shared namespace is already set by the ECU task:
In the above example, the shared self.shared.auth_successful
attribute is checked in order to immediately return either a positive or negative answer (Task.RETURN.ANSWER
uses Tasks.RETURN.TERMINATE
). Notice also that the UDS_SEND_KEY PID sets self.shared.auth_successful
to True if the security key is correct and returns either positive or negative answer, exploiting a ResponseFooter
type lambda function. The example shows that both tasks and response functions are ways to implement process steps (in the specific case shown by the example, the result is similar). While response functions are quick to implement, tasks allow much more flexibility.
Notice that self.shared
is only available within the same ECU. If multiple ECUs are concurrently configured and interacted (each one with its own header), different ECUs will have their own shared namespace.
The tasks
command returns the dump of all the used namespaces, both ECU-shared and in-task ones.
The plugins named task_mt05_read_mem_addr.py and task_mt05_write_mem_addr.py show how to read and write memory by address, mapping the memory space into a file.
The plugin named task_erase_memory.py shows how to use the start()
and run()
methods, as well as Tasks.RETURN.CONTINUE
which simulates a certain function processing time.
Helper functions
Within a task, the helper function self.task_request_matched(request)
checks whether the request in the argument (typically returned by self.multiline_request()
) matches the original request that invoked the task. This is because a task might be called more times if remaining active; this function can for instance differentiate a possible TesterPresent check (which can be forwarded to the standard processor) from the task request (which can be processed within the task, without forwarding it).
The helper functions self.HD(header)
, self.SZ(size)
, self.DT(data)
, self.AW(data)
, self.NA(data)
and self.PA(data)
support the generation of an XML response, similarly to the functions used in the dictionary.
The helper function self.task_get_request()
gets the original request command that initiated the task (used with Tasks.RETURN.CONTINUE
to return the original request while processing consecutive ones).
Available interfaces
ELM327-emulator allows the following interfaces:
serial communication using a pseudo-terminal, as default mode on non Windows operating systems (without options),
TCP/IP networking, when using option
-n
, followed by the TCP/IP port,serial COM port, when using option
-p
, default mode with Windows (the option is followed by the port name and allows setting a baud rate with the-a
option),standard communication, when using option
-P
.
Usage of a pseudo-terminal
On non Windows operating systems, the default mode (without communication options) creates a pseudo-tty driver to be used to connect client applications. It is shown at startup, can be read by applications in batch mode and the port
command returns it at any moment.
Usage of a TCP/IP connection
The -n
options uses a TCP socket; the most commonly used one is 35000.
Usage of a serial communication port
The -p
option exploits the pyserial library. A baud rate can be set with the -a
option (defaulted to 38400 bps). With Windows, the COM port is defaulted to COM3.
To open a specific Windows port:
To open a specific Windows port (which is the same as python3 -m elm -s car
because corresponds to default values):
Usage of the standard communication option
The -P
option uses the standard communication mode allowed by the operating system when opening a read/write device, including a special file (for instance, for Bluetooth serial networking with UNIX/Linux).
Usage of Bluetooth with Windows
We need to pair the client device and add an incoming RFCOMM port. Then ELM327-emulator can access that virtual COM port with the -p
option.
With Windows, run "Settings", "Bluetooth & other devices", "More Bluetooth options", "COM ports" tab, press "Add", select "Incoming", press "OK". For instance, this procedure creates a virtual COM4 port.
Then run:
Note: adding the -l
option may be needed in some cases and is important when the configuration changes the way command lines are sent, closing lines with a newline instead of a CR.
Usage of Bluetooth with UNIX/Linux
After creating a Bluetooth special file on a UNIX/Linux system implementing an RFCOMM port, ELM327-emulator can access that file with the -P
option.
Install Bluetooth tools and daemons:
Pairing the devices:
Run the client application, select the Bluetooth device name, then perform pairing on both systems, answering yes.
Note. In case removing or unpairing a paired address is needed:
After pairing, quit bluetoothctl:
Bluetooth preparation:
Configure the special file /dev/rfcomm0 (see below):
Run ELM327-emulator with bluetooth interface:
Note: the -l
option may be needed in some cases and is important when the Bluetooth configuration changes the way command lines are sent, closing lines with a newline instead of a CR.
The /dev/rfcomm0 device driver can be manually created in order to avoid the error "Can't open RFCOMM device: Permission denied" when running rfcomm as a standard user (an not as root). First run rfcomm as superuser and connect a client:
After a client connection, you should get:
Create the special file with the same major_number and minor_number, using 666 permissions and change ownership:
Note: the Bluetooth error "Can't bind RFCOMM socket: Address already in use" means that the bind()
function used by the command producing the error failed because there is another socket with the same number already bound by a local application. The way to solve this problem is to find the local application binding that socket and terminating it.
Forwarder options
In order to verify and improve its dictionary, ELM327-emulator allows acting as a proxy between a software application and a real OBD-II device. Whenever the OBD-II interface provides data to the application which the dictionary does not include, a warning is shown reporting the answer from the OBD-II interface; besides, a related unknown_<command>_R
element is added to the counters
, with the last returned answer from the OBD-II interface, to allow subsequent verifications. The dictionary can then be manually edited to align the ELM327-emulator behaviour with the answer returned by the OBD-II interface.
To act as a proxy, ELM327-emulator can either expose the virtual serial device or the TCP network port to the application; then it connects the OBD-II interface through an internal forwarder component, allowing serial communication or TCP/IP networking.
The selection of the interface exposed to the application is done via the standard options: by default the pseudo-tty device is used; alternatively, the -n
option allows using a local TCP/IP port (e.g., -n 35000
).
The OBD-II interface is connected through the -S
option (serial device) or the -H
and -N
ones (TCP/IP host and related port). When using the serial device, the -B
option allows indicating a specific baud rate (38400 bps by default).
Data read from the OBD-II port are grouped together basing on a timeout parameter (floating point number) which by default is 0.2 seconds and can be tuned with the -T
option. The higher the number, the more reliant the grouping; anyway, delays produced by high timeout values might compromise the communication quality: if the application does not perform correctly in the forwarder mode (e.g., producing connection drops), is useful to test different timeout periods, like -T 0.1
.
Example.
In a window, run a simulated OBD-II interface connected via TCP network:
python3 -m elm -s car -n 20000
. Then optionally setloglevel debug
.In another window, run ELM327-emulator configured as forwarder to the local TCP port 20000 and exposing a network port 35000:
python3 -m elm -s car -n 35000 -N 20000 -H localhost
.In a third window, run a telnet client:
elnet localhost 35000
. Writeat@1
and press enter. Check the logs in the other windows.Close the telnet client. Run an OBD application, select Wifi communication, IP address 127.0.0.1, port 35000. Check the logs in the other windows. You should succeed in connecting the application.
Logging and monitoring
Logs are written to elm.log, file, rotated to elm.log.1 and elm.log.2 when its size reaches 1 MB. Logging is controlled through the elm.yaml
file (in the current directory by default). Its path can be set through the ELM_LOG_CFG environment variable. This file follows the Python’s builtin logging module format and allows customizing the configuration of the logging process.
The logging level can be dynamically changed through the loglevel
command.
To read the current log level:
To set log level to debug:
Press TAB to get the autocompletion of the available loglevel values (either number or word).
Alternatively, the logging level can be set through logging.getLogger().handlers[n].setLevel()
. To check that console is the first handler (e.g., handlers[0]
), run for n, l in enumerate(logging.getLogger().handlers): print(n, l.name)
. For instance, if console refers to the first handler (default settings of the provided elm.yaml
file), the following commands will change the logging level:
It is possible to add marks in the log file via commands like logging.info("my mark")
To totally disable logging for all handlers: logging.disable(logging.CRITICAL)
. To restore logging: logging.disable(0)
.
To browse the log files, lnav is suggested.
Command to count the number of different PIDs (OBD Commands) used by the client (excluding AT Commands):
The following command returns the total number of OBD Commands (PID queries issued by the client excluding AT Commands):
To only count AT Commands:
Print the average number of processed commands per second within a 5 seconds period:
Same as before, printing the average number of processed commands per second within a 1 second period for 20 times:
To save a CSV file including the emulator.counters dictionary:
ObdMessage Dictionary Generator for "ELM327-emulator" (obd_dictionary)
obd_dictionary is a dictionary generator for "ELM327-emulator".
It queries the vehicle via python-OBD for all available commands and is also able to process custom PIDs described in Torque CSV files.
Its output is a Python ObdMessage dictionary that can either replace the obd_message.py module of ELM327-emulator, or extend the existing dictionary via merge command, so that the emulator will be able to provide the same commands returned by the vehicle.
obd_dictionary can be run as:
or simply:
Command line arguments:
Sample usage: obd_dictionary -i /dev/ttyUSB0 -c car.csv -o AurisOutput.py -v -p 10 -d 1 -n mycar
obd_dictionary exploits the command discovery feature of python-OBD, which autopopulates the set of builtin commands supported by the vehicle through queries performed within the connection phase. Optionally, this set can be further enriched with a list of custom PIDs included in an input csv file in Torque CSV Format. The autopopulation feature can be disabled with -x
option.
The command allows all the python-OBD interface settings (see -B
, -T
, -C
, -F
, -P
command-line options) and a dry-run flag (-r
), which is very useful to test the OBD-II connection.
For instance, the following command tests an OBD-II connection via Bluetooth using the related recommendations described in the python-OBD repository.
See also this post for Bluetooth.
For better analysis, the -r
output can be piped to lnav (the following command tests the USB connection):
When the tests provide successful connection, the -r
option can be removed and the additional obd_dictionary options can be added.
obd_dictionary can be also used to test elm. Run python3 -m elm -s car
. Read the pseudo-tty, say /dev/pts/2 (this mode uses the serial communication). Run obd_dictionary:
(The automation of this process is shown further on.)
In general, ELM327-emulator should already manage all needed AT Commands within its default dictionary, so in most cases it is worthwhile removing them from the new scenario via -t
option.
The file produced by obd_dictionary provides the same information model of obd_message.py. It can be used to replace the default module or can be dynamically imported in ELM327-emulator through the merge
command, which loads an ObdMessage dictionary and merges it to emulator.ObdMessage. Example of merge process:
To help to configure the emulator, autocompletion is allowed (by pressing TAB) when prompting the merge
command, including the merge
argument. Also variables and keywords like scenario
accept autocompletion, including the scenario
argument.
A merged scenario can be removed via del emulator.ObdMessage['<name of the scenario to be removed>']
.
To produce a complete dictionary file that can replace obd_dictionary:
ELM327-emulator batch mode
ELM327-emulator can be run in batch mode to allow automating tests and background execution. The -b FILE
option allows this mode and writes the output to FILE. When using serial communication, the first line in that file will be the virtual serial device, which can be read to a shell variable through read variable_name < output_file
. Commands can be piped in (e.g., within a bash script) to configure the emulator (e.g., via echo -e
). The appropriate way to kill a background instance of the emulator is with the SIGINT signal (kill -2
). To ensure that the external application is started only after correct setup of the emulator, the input commands can be terminated with a string (e.g., "RUNNING") that can then be recognised before starting the application.
elm offers four operation modes:
interactive (providing a command line prompt). This is activated by default, when neither
-b
option nor-d
is used;batch mode with input commands, activated when the
-b
option (-b file
or-b -
e.g.,-b -
for standard log output, or-b output_file_name
). This mode reads the standard input for the same commands that can be issued by the user in interactive mode;batch mode light, only available with UNIX/Linux, without input commands (no separate thread is created and the command interpreter is not used). This is activated when both
-b
and-d
options are used;daemon mode without input commands, only available with UNIX/Linux, allowing starting and stop the process in UNIX/Linux daemon mode, with
-d
option (start) and-t
(terminate).
In daemon mode, a lock file is used to prevent multiple instances.
Note: with Windows, options -d
and -t
are not available.
The following script shows an example of batch mode usage. obd_dictionary is run after starting ELM327-emulator in background and is used here as example of external application interfacing the emulator. The output of the emulator is saved to $FILE and the background process id is saved to $EMUL_PID.
Python API
Instantiating the class
All arguments are optional.
get_pty()
returns the used port.
Interactive mode
Interactive mode uses the Context Manager:
Example of TCP/IP network usage:
Batch/daemon mode
Batch mode without interaction does not need the Context Manager:
Software architecture
When using the Context Manager, a thread is started and the current context is returned to the user. The created thread opens a bidirectional pty-type pipe and processes the related I/O.
When not using the Context Manager, no background thread is created and the pipe is run in the current context.
Testing OBD-II applications
Simple testing
With UNIX/Linux, the serial communication can be tested with screen.
In another terminal:
The TCP/IP networking can be tested via telnet.
In another terminal:
python-OBD
python-OBD is a Python module for handling realtime sensor data from OBD-II vehicle ports supporting ELM327 OBD-II adapters. obd_dictionary (which internally exploits python-OBD) can be used to test it. For instance, with Linux:
open a terminal and run
python3 -m elm -s car
(read the returned pty port)open another terminal and run
python3 -m obd_dictionary -i /dev/pts/0 | less
(use the same port returned by ELM327-emulator)
OBD Auto Doctor
One of the applications which can be used to test ELM327-emulator is OBD Auto Doctor. It supports different operating systems, including Windows, Mac, Linux, Android, iOS and enables communicating with OBD-II to get summary information, trouble codes, advanced diagnostics, real time graphical monitoring and many other in-depth data on the ECUs.
The following instructions explain how to use it with Ubuntu for testing ELM327-emulator:
Download the Linux application from the Obdautodoctor site. Check prerequisites.
Install with sudo dpkg -i obd-auto-doctor....deb
.
Run ELM327-emulator and select the car scenario:
This mode uses the serial communication. Copy the pseudo-tty device reported by ELM327-emulator.
Run OBD Auto Doctor with obdautodoctor
. Then select File, Open connection, Connection method: Serial port. Use manual settings. Paste the pseudo-tty device in the COM port box. Press Connect.
OBD Auto Doctor also supports TCP/IP communication. Run ELM327-emulator using TCP/IP networking:
Run OBD Auto Doctor with obdautodoctor
. Then select File, Open connection, Connection method: WiFi. IP address: 127.0.0.1. Port: 35000. Press Connect.
Scantool
Scantool from ScanTool.net is an old software which can also be used to test ELM327-emulator.
Recent repository: https://github.com/kees/scantool
Software ported to Ubuntu 20.04 LTS: https://github.com/ircama/scantool/tree/pts_support
Installation:
To run the application: ./scantool
This version of scantool allows configuring a pseudo-tty support by editing ~/.scantoolrc. See related readme.txt. With Ubuntu, this can be automated by ELM327-emulator via the following plugin:
Close scantool, save a file named scantool.py including the above reported plugin. Run ELM327-emulator:
To run the application integrated with ELM327-emulator: ./scantool
HUD ECU Hacker
HUD ECU Hacker is a great application developed by ElmüSoft.
It is an OBD-II scanner software specialized to manage ECU's from Delphi Electronics, including flash memory download and upload functions. The application runs on Windows and is very well engineered, extensively using OBD-II and UDS, with wide set of functionalities and robust frame control handling.
ELM327-emulator is already able to provide a basic emulation of the Delphi MT05 ECU and, if needed, can be extended via the development of additional tasks and through the editing of the ObdMessage configuration.
C program sample
When using a C program to connect to the ELM327-emulator, you can optionally configure a raw terminal. Connecting to the ELM327-emulator should look similar to below (error checking ommitted).