Saturday, December 1, 2012

Success!


It's Saturday night and I feel like partying! :D  After countless hours and ~3500 lines of code, I finally managed to connect VIDA successfully to the Volvo, launch the diagnostic part related to the Combustion Preheater Module and turn on the parking heater with my laptop!

Sorry about the poor image quality here:

VIDA correctly identifies most of the vehicle features. Only transmission, steering and body style had to be entered manually. The reason for this can be seen in the next picture.
Sardine CAN is connected to the low speed network, so all queries relating to CAN modules residing in the high-speed network (such as the Brake Control Module, Steering Angle Sensor, Engine Control Module, Transmission Control Module as well as the high speed interface of the Central Electronic Module) cannot be reached. For some reason messages from a few low speed modules (Upper Electronic Module, SRS, Rear Electronic Module) are not received correctly either. The Accessory Electronic Module and Road Traffic Information module I don't have in my car.
When sniffing the CAN traffic while VIDA scans the modules and their diagnostic error codes, I can infer which module is being queried and which CAN identifier the module uses for replying. Note that this identifier differs from the one the module uses for normal inter-module communications.

Let's refresh our memories of the general format of module query (from past blog post):

000FFFFE CB xx B9 F0 00 00 00 00
          |  |  |  |
          |  |  |  |
          |  |  |  '---- Identify (?)
          |  |  '----------------- Read Data Block By Offset
          |  '-------------------- Module id (list below)
          '----------------------- Message length

00 0F FF FE: The identifier VIDA (or any other diagnostic module) uses for messaging.
Message length: The high nibble seems to be always 'C' in a command message. Low nibble: Bit 3 is always on. Bits 0-2 are the actual message length (excluding the first byte). Hence A=2, B=3, C=4, D=5, E=6, F=7

I found this command set somewhere on the Swedespeed car forum:

A1 No Operation Performed (keep alive)
A3 Security Access Mode 
A5 Read Current Data By Offset 
A6 Read Current Data By Identifier
A7 Read Current Data By Address 
A8 Set Data Transmission
A9 Stop Data Transmission
AA Dynamically Define Record
AB Read Freeze Frame Data By Offset
AC Read Freeze Frame
AD Read Freeze Frame By DTC
AE Read DTC
AF Clear DTC

B0 Input Output Control By Offset
B1 Input Output Control By Identifier
B2 Control Routine By Offset 
B4 Define Read Write ECU data 
B8 Write Data Block By Offset 
B9 Read Data Block By Offset 
BA Write Data Block By Address
BB Read Data Block By Address 


And here's the list of all modules that were queried and identified on Volvo S80 MY02.
CAN diag Id    ID  Description 
00 80 00 03 :: 40  CEM, Central Electronic Module 
                   (also answers queries related to CPM (heater))
00 80 00 09 :: 51  DIM, Driver Information Module
00 80 08 01 :: 48  SWM, Steering Wheel Module
00 80 10 01 :: 29  CCM, Climate Control Module
00 80 00 11 :: 43  DDM, Driver Door Module
00 80 00 81 :: 45  PDM, Passenger Door Module
00 80 01 01 :: 2e  PSM, Power Seat Module
00 80 04 01 :: 46  REM, Rear Electronic Module
00 80 02 01 :: 58  SRS, Air bag
00 80 20 01 :: 47  UEM, Upper Electronic Module
00 80 00 05 :: 60  AUM, Audio Module
00 80 00 21 :: 64  PHM, Phone Module

These modules were queried but didn't reply:
ID  Description
50  CEM, Central Electronic Module (Hi-speed interface)
01  BCM, Brake Control Module (hi-speed network)
52  AEM, Accessory Electronic Module 
11  ECM, Engine Control Module (hi-speed network)
28  SAS, Steering Angle Sensor (hi-speed network)
6e  TCM, Transmission Control Module (hi-speed network)
62  RTI, Road Traffic Information module



And here's the sweet sight of hard reverse engineering work finally coming to fruition! Only coolant water temperature and heater work status are being correctly queried though. A few software glitches still remain, but I don't care about that for now, since the thing I've been hunting for the past few weeks has now been identified! Yes, the command for starting the heater :)

Turn on the diesel heater:
00 0f ff fe | cf 40 b1 5f 3b 01 01 84 
And the reply:
00 80 00 03 | cc 40 f1 5f 3b 00 00 00 


Turn off diesel heater:
00 0f ff fe | cf 40 b1 5f 3b 01 01 80 
Reply:
00 80 00 03 | cc 40 f1 5f 3b 00 00 00 


Now, this seems weird, since I had already tried this command before and it didn't work! It is one of the possible permutations of the message I was advised to try earlier by Swedish hackers (thanks again guys!), and I'm quite sure I tried this one before. There are a few possible explanations:

1) I somehow managed to screw up sending the message using the ELM327 (with its yucky AT command set), but now when using the MCP2515 based Arduino CAN shield the message is constructed correctly.
2) The ECU needs something else in addition to the command message itself. When looking at the message log, I see VIDA sending the following message every 1-5 seconds:
00 0f ff fe | d8 00 00 00 00 00 00 00
Could this be some kind of keep-alive message needed by the ECU?

Also VIDA keeps querying the following stats every 3-4 seconds and their presence could be necessary (although unlikely):

Cmd:   00 0f ff fe | cd 40 a6 1a 04 01 00 00
Reply: 00 80 00 03 | cd 40 e6 1a 04 1e 00 00 
The 6th databyte of reply seems to coincide with ignition key lock status:
1e = ignition II, 1d=radio (ignition I), 1c=off, 18=key out

Cmd:   00 0f ff fe | cd 40 a6 1a 02 01 00 00 
Reply: 00 80 00 03 | cd 40 e6 1a 02 60 00 00 
The sixth databyte of the reply fluctuates between 5d and 62, and could be the battery voltage. If we assume bits 0-2 are the fractional part and bits 3-7 the integer part, then the values here would be interpreted as 11.625 and 12.25, which fits our hypothesis well. Actually a battery charger was connected during testing, so a voltage over 12 volts would not be strange here.
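To tie the frame layout, module table and status replies above together, here is a small Python decoder for the sniffed frames. This is an added example and not code from the post or from Sardine CAN; the module ids, command codes and key/voltage encodings come from the post, while the rule that a positive reply echoes the request command plus 0x40 (b1 -> f1, a6 -> e6) is my inference from the captures, not something the post states.

```python
from typing import Dict

DIAG_TESTER_ID = 0x000FFFFE   # identifier VIDA sends with (from the post)

# Module ids and command codes, taken from the tables in the post.
MODULES = {0x40: "CEM", 0x51: "DIM", 0x48: "SWM", 0x29: "CCM", 0x43: "DDM", 0x45: "PDM",
           0x2E: "PSM", 0x46: "REM", 0x58: "SRS", 0x47: "UEM", 0x60: "AUM", 0x64: "PHM"}
COMMANDS = {0xA1: "No Operation Performed", 0xA6: "Read Current Data By Identifier",
            0xAE: "Read DTC", 0xAF: "Clear DTC", 0xB1: "Input Output Control By Identifier",
            0xB9: "Read Data Block By Offset"}
IGNITION = {0x1E: "ignition II", 0x1D: "ignition I (radio)", 0x1C: "off", 0x18: "key out"}

def payload_length(length_byte: int) -> int:
    """Low nibble: bit 3 is always set, bits 0-2 count the bytes after the length byte."""
    if length_byte & 0x08 == 0:
        raise ValueError("bit 3 of the length byte is expected to be set")
    return length_byte & 0x07

def parse_frame(can_id: int, data: bytes) -> Dict:
    """Split one 8-byte diagnostic frame into module, command and argument bytes."""
    if len(data) != 8:
        raise ValueError("expected an 8-byte CAN frame")
    n = payload_length(data[0])
    if n < 2:
        raise ValueError("too short to carry a module id and a command")
    is_reply = can_id != DIAG_TESTER_ID
    # Assumption (not stated in the post): a positive reply echoes the request
    # command plus 0x40, which is what the captures show (b1 -> f1, a6 -> e6).
    request_cmd = data[2] - 0x40 if is_reply else data[2]
    return {"reply": is_reply, "module": MODULES.get(data[1], "unknown"),
            "command": COMMANDS.get(request_cmd, "unknown"), "args": bytes(data[3:1 + n])}

def battery_voltage(b: int) -> float:
    """Bits 0-2 as eighths of a volt, the upper bits as whole volts (the post's hypothesis)."""
    return (b >> 3) + (b & 0x07) / 8.0

def decode_status_reply(can_id: int, data: bytes) -> str:
    """Interpret the two CEM 'Read Current Data By Identifier' replies shown in the post."""
    f = parse_frame(can_id, data)
    if not f["reply"] or f["command"] != "Read Current Data By Identifier" or len(f["args"]) < 3:
        return "not a status reply"
    ident, value = f["args"][:2], f["args"][2]
    if ident == b"\x1a\x04":
        return "key position: " + IGNITION.get(value, "unknown")
    if ident == b"\x1a\x02":
        return "battery: %.3f V" % battery_voltage(value)
    return "identifier %s not decoded" % ident.hex()
```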

VIDA needs the key to be in the ignition II position in order to launch the heater section, but I did try switching the key position and it didn't have any effect on the result itself: the heater can be turned on with the diagnostic command even when the key is not in the keylock! This is actually quite a relief - spoofing the keylock position in the remote heater starter would require quite a bit more work, but luckily this doesn't seem to be needed. However, what is a little bit alarming is that no indication of the heater status is shown on the DIM, nor does the manual on/off functionality on the control stalk work when the heater is turned on using this diagnostic command. Thus I will have to put some other kind of stop functionality and warning system in place when designing the box.

Still, this isn't a fully functional J2534 device yet: it doesn't support ISO 9141 or any other kind of protocol apart from CAN and ISO 15765, nor does it work when connected to the OBD port, since it's missing the K-line initialization and keep-alive messaging needed to keep the diagnostic relay open on the CAN bus pins. Maybe I will add some more functionality later, but for now I'm quite happy with the results that I got. Also, no more Win32 programming for a while :)



11 comments:

  1. Well done!

    Just got myself a J2534 DiCE clone, and been messing around with VIDA.

    Love the inspiration of this project, and also kinda intrigued with the idea of a custom arduino box that could be connected full time to the car. Gotta run now, but love to see your code. I'll be in touch soon!

  2. Hi Shammyh! Great to hear that others are interested in this matter as well. It's too bad there hasn't been any effort on open source J2534 diagnostics yet, but that's going to change soon. I've almost finished cleaning up the code and now I'm writing (very short) installation manuals to make the learning curve a little bit less steep. It's still far from a finished product, sure, but nevertheless it's a kind of break-through: the possibility to connect VIDA to a car with less than 100$ worth of hardware! It is possible to clear error codes with these cheaper OBD readers, but in order to be compatible with special modules such as CPM (not to mention diagnosing..) a VIDA or more expensive HW with Volvo support is needed.

    You're welcome to join the testing effort, especially now that you have a 100% working J2534 device for comparing the results (something that I don't have :) And if you can code/debug, that's even better!

    Best regards, Olaf

  4. Hi Olaf!

    Just yesterday I've found your story about 'hacking' Volvo. Fantastic success, nice experience hacking into Volvo CAN protocol.

    Within http://volvocesky.cz we're hacking in a bit different way (modding DIM and ICM language into Czech/Slovak/Polish/Hungarian/Finnish :] etc.).

    However, the aim to create a cheap HW tool seems to be quite a waste of time. For $150 you can buy a functional DiCE (yep, a clone of the original Volvo HW, no SD card, no BT connection, the rest is 100% compatible). This could save a lot of your efforts in effectively duplicating DiCE's functionality.

    But back to hacking - as of http://volvocesky.cz - my codes are not open source, but I could give you some guidance where to look for (we've just finished first year of test&trial, reverse engineering, debugging, etc.). I might eventually have some hints for your debugging as well.

    Pavel at volvocesky dot cz
  5. Hello Pavel,

    it's nice to get to know other Volvo hackers as well! I can see you are in the business of car modification, so I can understand why you don't want to release your findings or code as open source. But I still admire your work, congrats!

    However, I don't agree with you on the matter of the usefulness of the Sardine CAN. J2534 is an industry standard and it's about time there is an Open Source alternative to high cost implementations intended for industrial or commercial projects. Sure, I could have bought a cheap Chinese DiCE copy, which would have been so much easier and more economical (to me) than implementing a J2534 DLL from scratch. However, there's a huge difference between an Open Source implementation that everybody can use, modify, augment and tinker with, and a closed implementation that is fixed and requires manufacturer support when bug fixes or additional features are needed.

    Also, there wasn't any need to reverse engineer DiCE at all. I just implemented most of the J2534 protocol according to the specs, and with the current version the low speed bus is fully accessible to be used with VIDA. There's also been talk about adding support for the Lawicel USB CAN module (quite easy to implement), after which people having that device wouldn't need ANY additional hardware. So in a nutshell, my goal is to make the necessary building blocks in order to avoid having to re-invent the wheel or to waste more money than needed. Especially when it comes to hobbyists with limited resources and only occasional use, Open Source alternatives would be a tempting choice. But of course, if one is really serious about CAN hacking, paying 200-500 euros for good tools wouldn't be a bad investment. So we are talking about different markets here, I think :)

    Having said that, I would be glad to get hold of any additional information regarding the proprietary Volvo CAN protocol or DiCE, even though it might not directly involve the Sardine CAN itself. Any contributions to the project (that don't cause any risk to your business model, of course) would be greatly appreciated!

    Best regards,
    Olaf

  6. Hi,

    I can confirm that the BSR PPC scanner, to keep CAN bus communication open, periodically sends the following message on the K line: 84 40 13 B2 F0 03 7C

  7. For what it's worth, I wouldn't touch volvocesky.cz VDash. It's serious spyware. It even sends home a screenshot as soon as you launch the app.

    The only way these cars can really be maintained is by supporting open source and open standards.

  8. Hello,
    Maybe you know how to activate the Volvo S80 2015 navigation ICM engineering mode menu?

  9. I am curious if it's possible to get the CEM pin code this way.

  10. If you still have any interest in hacking Volvos, check out this CEM Pincode hack. We could use more Volvo hackers to contribute.

    https://www.matthewsvolvosite.com/forums/viewtopic.php?f=10&t=85611&p=573061#p573061
