Saturday, November 3, 2012

Our mysterious friend, CAN bus

First things first:  Researching.


Volvo S80 offers diagnostic interface via the official OBD port, accessible under the dash board.
I bought myself a ELM327 based reader in order to get a first glimpse of messages trafficking in the CAN bus. ELM327 does offer plethora of protocols, including 11 & 29 bit CAN protocols at various speeds. So I plugged it to a laptop running linux, and succesfully connected to the reader via terminal program (minicom in this case). I was able to connect to a car via ISO 9141-2, which is a standard protocol for OBD scanners. I was able to access few parameters the car's CEM (central electronic module) offered (such as error codes), but all attempts to access the CAN bus failed.

According to this OBD connector printout, Volvo cars offer CAN bus on pins 6 & 14. The pinout varies from manufacturer to another, so maybe ELM327 doesn't use correct pins? Said goodbye to the warranty and pried out the cover off the adapter. Pins 6&14 were connected. Damn.

Alright, more research: Found maybe the most important document when thinking about embarking on a quest like this: 2002 S60/S80 electric wiring diagram. According to the diagrams, Volvo has 2 separate CAN buses: Hi-speed (connecting modules responsible for engine, breaks, transmission etc) is on pins 6&14, and low-speed (climate control, audio, window & sunroof control etc) on pins 3 & 11.  Pried ELM327 open again to see that neither of the latter pins were connected. Alright, doesn't still explain why I cannot access hi-speed bus, even if low speed is naturally out of reach.

This time I was starting to get annoyed, so it was time to use the low-level tools.

Interestingly, all of the pins supposedly offering CAN bus access did have digital signal, but it was only on 20-50 millivolt range, instead of somewhere between 5-12 volts that I would expect from a normal CAN signal. More interestingly, they contained exactly the same varying binary signal and at the same speed.  WTF, I might ask.

More googling. Facing the reality: There are a lot of people accessing their cars via Bluetooth OBD dongle and cell phone app (such as Torque), but the amount of serious hackers involved in snooping around proprietary Volvo protocols is incredibly low. However, there are few guys out there who are doing something similar.  I managed to find this conversation, containing advises to send a certain "keep-alive" message every 5 seconds to K-line (pin 7 on OBD-connector) to keep CAN bus interface open. Content is "84 40 13 b2 f0 03 7c", serial settings: 10800 baud, 8N1 and voltage range 0-12V (0V=0b, 12V=1b).

More obstacles.. This wasn't going to work with normal ELM327. However, another member advised to use RTI or AEM connectors, of which the latter at least is accessible in the trunk, rear right corner. According to the electronic diagram, AEM connector pinout is: 1=GND (BLACK), 2=12V (RED), 3=CAN lo-signal (GREEN), 4=CAN hi-signal (WHITE).

Connected the oscilloscope...

and success! 29bit communication @ 125kbit/second. Remind you, this is the low-speed network, but for now, I don't need to access the high-speed can bus connected to engine room modules. Hooked up ELM again to laptop and voila! CAN bus interface is open and messages are firing away at 200-300/sec.

Next step: Intercepting and message analyzing!




17 comments:

  1. Do you have samples of any of the strings you sent your bus?

    ReplyDelete
  2. I have an 2002 s60, i get error "mode $06" when using the regular obd2 diag port, im sure this is the can bus error we are talking about.

    Now, could i get a solderable female obd2 connector and create a useable elm327 port in the trunk? (Idea!!)

    And i was wondering, how can i find some s60 terminal codes to clear an srs sensor error, dealer wants over $1000 to clear it... we know volvos are awesome, but have electrical issues more than any mechanical problems...

    Love my s60

    ReplyDelete
    Replies
    1. I am afraid you just need to buy VIDA DICE device from Alibaba (~150 USD with shipping) and you will forget about spending huge money to your dealer.

      By the way, did you successful in connecting ELM327 into rear trunk?

      thanks!

      Delete
  3. There are 2 relays in the CEM that cut the hi and lo CAN from the OBD port, and only switch on during diagnostic requests. There is a signal sent on the K line to switch them on, from the Volvo diagnostic tool. If you opened up your CEM you could likely just jump those relays and have CAN at the OBD port all the time.

    ReplyDelete
    Replies
    1. Neacail Campbell how would you do that?

      possibly get a couple relay holders whip out relays plug into a loom you made then plug the loom into the cem and do what you need to do then put it all back ?

      Delete
  4. very cool beans! I've been (attempting) reprogramming my volvo xc70 and had some success and of course a good deal of failures. So far I've managed to have the alarm go off when it detects my wifi (when I was making it's features accessible from my network), it auto-steals garage door transponder codes which I thought would be fun to log and correlate with a map... drive through a neighborhood and everyone garage door opens... but I never go around to it. On the positive side I did get it up to 340hp and it's ridiculously fast (but I would never speed)

    ReplyDelete
  5. Hey Olaf. I have been reading all of your posts over and over again and decided to ask some question. I am a student of electronics engineering in Venstspils Univerity collage and I base my bachelor thesis on Volvo programming. So I must start with CAN logging device. How did you manage to use ELM327 as a logging device? What software do you use to receive and transmit messages? Is it fast enough to "catch" all of messages?
    And you said that you checked CAN signal in AEM connector. After that you connected ELM again and everything worked? How the checking of CAN signal in AEM connector helped in opening CAN bus in OBD-II connector?
    Thanks for a great work and very useful information.
    Best regards
    Klavs.

    ReplyDelete
    Replies
    1. About to start building volvo interface also, already have vida and regular obd2/canbus equipment. How far have you gotten?

      Delete
  6. I have vida and a very good general scanner autel, am able to do many functions. Would like to get into the arduino obd2 world. I have an 02 s60, dash is NG, may be canbus issue, may be power supply issue. I also found this site and tools. comments? http://www.instructables.com/id/CAN-Bus-Sniffing-and-Broadcasting-with-Arduino/

    https://www.sparkfun.com/products/13262

    ReplyDelete
  7. Hi can a dual output signal generator create a CAN signal to turn on the instrument cluster on the bench..If not best adapter and software to use thanks...

    ReplyDelete
  8. Hi Olaf and all.
    I'm trying to catch Vehicle Speed from obd2. But on my pid query there is no respond in CAN.
    I am using custom board (with linux). I've connected my board to pins 6 and 14 of OBD. Setted up can to 500kbit and i could see messages in linux.
    But when i'm trying to send speed pid query i have no answer.
    i'm sending id: 0x7df data 0x02 0x01 0x0d
    And no respond with id like 0x78e. Could you guys help me? =)

    ReplyDelete
  9. Oh sorry, the car is Volvo s40 ii 2007

    ReplyDelete
  10. For speed information you can hack HUD obd. Ready wires, ready hardware. Just keep reading right wire from can converter to ttl

    ReplyDelete
  11. It's amazing the brains here. Very bright and smart guys. Noe my problem(don't kick me), my Volvo is starting just fine, but there is no dashboard lights, and no power to the windows, only engine check light up on!

    ReplyDelete
    Replies
    1. I had that problem on my 02 s60, dash needed repair
      There are known issues on certain years

      Delete
  12. I have a few different can bus tools right now, comma ai, arduino with can shield, vida etc etc. I really need a good way to sniff and read and send messages to can bus on my 3 Volvos and other cars I have. I need a good starting point but keep hitting road blocks.

    ReplyDelete
  13. Throw in a hero story where you've got to rescue scr888 deals a princess and you've got the whole package. I could talk about detachment all day long but the upshot is that video games take you to another world at the flick of a button where you can easily forget what your life is really about.

    ReplyDelete