The chip with removed label may be an AX220XX compatible device, as its MAC is from this manufactuer. It offers a web interface, but only delivers an empty index.htm on port 80. Port 35000 bridges to the PIC microcontroller. Do not send "+++ return" command over tcp to port 35000, because this leads to message ping-pong between the two controllers.

trying the ethernet vector:

Open ports are:

80, tcp, http (empty index.htm, else http404)

67, udp, dhcps

49153, udp, ???

35000, tcp, uart bridge

For AX220XX there are different reference designs availabe, e.g. over here: http://www.uconnect.com.tw/WMS.html http://www.uconnect.com.tw/files/WiFi_to_serial_command_set_V1.pdf

The AXR2W config tool is availabe in the WA-232B-toolbox.zip over here: http://www.usconverters.com/index.php?main_page=product_info&cPath=70&products_id=404 (requires msports.dll to run under wine), but the chip does not respond. The magic "discovery" string this tool uses is ASIXXISA[0x0e] and is sent over UDP to port 25122.

replaying that magic packet with:

printf "ASIXXISA\x0e" I nc -u 192.168.0.10 49153 -p 25125

did not work...

btw: leaving out the "-u" switch and just running the command on the tcp uart port leads to direct uart/CAM access from shellscripts...

As a summary, It looks like they locked down the chip to prevent mods from the ethernet side, but it still got an exposed uart and it is possible to dump the flash chip contents.

This pdf contains a list of commands the AX220XX accepts over UART, including the "+++" command. As my "unknown" chip reacts to the "+++" command, it is likely that the other commands work, too and -in fact- it is an AX220XX compatible chip.

I won't link to leaked documents from the manufactuer over here, as you can do your own google search. If you try "bootloader" or similar terms together with the chip name, you'll find some pdfs and source code on chinese document sharing platforms ;)

Btw. the whole device consumes 120mA at 12V (1.44 watts), the drop of 12 down to 3,3 V at this current wastes ~1 watt, which makes the linear regulators quite hot. Power safe mode of ELM327 saves about 10mA... as the OBD2-port is connected to the car battery regardless of the ignition switch state, I can only warn to leave these adapters connected while the engine is not running for longer periods of time.

Things to try now:

- wlan is unencrypted, so kismet will show anything the device sends out during startup

- uart access with usb-ttl-uart adaptor

btw. just ordered a cheap 3.50Eur "usb car adaptor" which runs on a step-down converter to replace the lm7805 on the main board, keep the device cool and make it live longer.

• Pin 1: if scope (10meg) is connected, no boot. reset? near GND
• Pin 2: GND, obviously
• Pin 3: TX on 38400 baud, 3V3 level, internal pullup
• Pin 4: RX, 5V level from board (if module not present), PIC sends startup message here
• Pin 5: 3V3, to module (not 5V!)
• Pin 6: 2V8, from module (not present if board not present)
• Pin 7: identical to LED status (low if LED is on, high if LED is off), low if board not present
• Pin 8: jumps to high and stays there
• Pin 9: data line, defaults to high, short data bursts during startup (=flash read)

Pin 1-7 are 2mm pin header.

To get access to the UART (and power the module), a normal 3V3 or 5V ftdi cable is suficcient. Make sure to use 3V3 to power the module.