Hacking Volvo, a blog by Olaf<br />
<br />
Ready, set, optimize! (posted 2013-01-26)<br />
<br />
Alright, finally I had time to grab my soldering iron and punish the naughty GSM shield for being such a greedy pig when it comes to efficiency in power consumption. <br />
<br />
When we look more closely at the <a href="http://www.seeedstudio.com/wiki/images/0/0c/GPRSshield_Schematic.pdf">shield schematic</a>, we can see that the NETLIGHT and STATUS pins of the SIM900 control the transistors which turn the LEDs on and off, powered from Arduino's +5V input via 300 ohm resistors R21 and R20. There's also the "shield powered" LED that is always on when, as the name implies, the shield receives input power, regardless of whether the GSM module is powered or not. Very wasteful when thinking about power efficiency, so I started with that first:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-2FFieYsMtMo/UQQe6PagZQI/AAAAAAAAAJo/XGEcL0KJkiM/s1600/2013-01-26+07.06.29-2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-2FFieYsMtMo/UQQe6PagZQI/AAAAAAAAAJo/XGEcL0KJkiM/s1600/2013-01-26+07.06.29-2.jpg" height="480" width="640" /></a></div>
<br />
Actually I haven't ever done any operations on such small SMD components before, so after unsoldering the R1 the end result was quite far from satisfactory: both copper pads under the resistor were ripped off because of too high temperature, excess force and prolonged heat exposure. Oh well, not that I need the "shield powered" LED anyway..<br />
<br />
Before removing the R1 the power consumption of the SeeedStudio GSM shield was 12.2 mA (shield powered, but SIM900 not turned on) and 23.4 mA (SIM900 in sleep mode) when powered with external +5V lab supply (HP 6632B). After removal of R1 and thus disabling the LED, power consumption drops to 9.1 mA and 20.3 mA, respectively. This brings savings of 3.1 mA. Nice.<br />
<br />
Wiser from this incident, I practiced desoldering a little bit with an old PC motherboard and found a suitable removal procedure consisting of adding liquid flux, new solder and then removing everything with a solder wick. Then add a little bit more solder to both ends of the resistor, heat one end with the soldering iron while lifting it with tweezers. Then repeat this with the other end and finally the resistor can be removed.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-Y93jKHCMT28/UQQe6XLo2FI/AAAAAAAAAJs/3UmJSOnNNjQ/s1600/2013-01-26+12.06.33.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-Y93jKHCMT28/UQQe6XLo2FI/AAAAAAAAAJs/3UmJSOnNNjQ/s1600/2013-01-26+12.06.33.jpg" height="480" width="640" /></a></div>
I removed the R20 and R21 resistors and soldered a breadboard jump wire to bypass the LEDs. This time no solder pads were harmed and thus the procedure is reversible. The transistors Q3 and Q4 now connect our NETLIGHT and STATUS wires to ground when signaled by SIM900, making it possible not only to put the GSM power and/or activity LEDs on the enclosure if needed, but also it's now easy to check the power status of the GSM module. Before this, the only way to see if the module is powered was to send AT commands and wait for the answer. Actually this was one of the things that annoyed me about this shield from the start. Luckily now only one digitalRead is needed.<br />
<br />
It could have been possible to remove the transistor and tap into the NETLIGHT and STATUS pins of the SIM900 directly, but leaving them behind transistors is safer since the module uses lower voltage than the rest of the device. It could have been possible to destroy the whole chip or at least the output pins with software by simply switching the pin mode on the Atmega side to output and signaling +5V. Puff, there goes the magic smoke.<br />
<br />
Since there isn't a nice way to attach strain relief to the jumper wires, I used hot glue (again) to attach the proximal ends to the PCB to make sure all the vibration and shaking in the car doesn't cause the cables to come loose.<br />
<br />
Now, after bypassing also the STATUS LED and rewiring the NETLIGHT LED (blinks once every 2800 ms, so not a concern in this case), I've managed to reduce the sleep mode consumption from 23.4 to 10.2 mA! Those LEDs really are gluttonous beasts! Then I tried inputting +12V onto the shield directly via its "low ground current, low-dropout voltage regulator", the MIC29302. Low ground current my ass. Increasing the voltage from +5V to +12V increases the quiescent current (=ground current) linearly from 10.2 mA back to 21.8 mA! And that is even without powering the GSM module! So, in this case it is better to use the 7805 to drop the voltage from +12V to +5V and distribute that to the GSM shield. If someone knows better alternatives, I'm all ears.<br />
<br />
All in all, the ChiliCAN now consumes 14.3 mA when all the chips are sleeping (i.e., when there's no CAN traffic and no calls are being made). That constitutes maybe 90% of the time. When the heater is on (or otherwise CAN bus is active), the consumption wanders between 30 and 55 mA. During phone calls it lies around 100-200 mA having maximum peaks of 1.5 A, but those are quite short bursts, having almost nil effect on battery life. If we assume average consumption of 17.2 mA, it would take almost 4 months for ChiliCAN to deplete my 95 Ah car battery to 50% charge. I could live with those numbers :)<br />
<br />
<br />
Soft chippy, warm chippy, little chunk of RAM. Happy chippy, sleepy chippy, purr purr purr.. (posted 2013-01-19)<br />
<br />
Like Sheldon Cooper, also the ChiliCAN needs a good night's sleep. I've been tinkering with power optimization features and I must say the results so far are pretty good!<br />
<br />
Here's the list of tricks that I've found by reading the datasheets and various articles on the web related to Arduino power saving:<br />
<br />
<ul>
<li>MCP2551 CAN transceiver can be put to sleep via the Rs-pin. Just control it via one of the Atmega328 output pins via 10k resistor (+5V in sleep mode, 0V awake), and we can save around 4 milliamps.</li>
<li>Atmega328p has various power saving modes, and I wanted to use the most aggressive one (SLEEP_MODE_PWR_DOWN), which reduces the power consumption to less than few hundred microamps! It can then wake up with an interrupt generated by either the CAN controller or the GSM module.</li>
<li>MCP2515 CAN controller has a sleep mode as well, enabled with an SPI command. Before that we must enable the CANINTE.WAKIE interrupt signaling and connect the interrupt pin to INT0/1 on Atmega328p. Then, when a new CAN frame is received, an interrupt is generated and the CPU can also be kicked out of his silicon bed. Warning: The first CAN frame is always discarded and does not end up in the receive buffer (I think the sleep mode of both the transceiver and controller cause this). However in my setup it doesn't concern me, since the signal from the key fob light button is not in the first CAN frame in the burst of messages sent to the bus when the button is pressed and the car wakes up from its slumber. Another pitfall can be found in the wake up routine of MCP2515: If we want to wake up the controller (for example when the interrupt is generated by the GSM module and not the controller), then it must be done by generating the CANINTF.WAKIF interrupt ourselves, and NOT by the operation mode switch via the SPI interface. The latter DOES NOT WORK! This is kind of weird, since the SPI interface is specified to be active even when in sleep mode. Reading its registers seems to work, but changing the CANCTRL has no effect. Anyway, putting the controller to sleep gives us savings of around 3-4 mA.</li>
<li>Ditch the AEM and consequentially, be able to get rid of the grounding relay as well. Naturally, this has no effect on sleep mode power savings directly, but since the relay is a power hog (~ 50mA when switched on!), getting rid of it enables us to use smaller and more efficient voltage regulator (those usually have also lower maximum output current). </li>
<li>Switch from 7805 to LM2936Z-5. The 7805 has in my tests shown quiescent current (waste current generated by the regulator even without any load) of more than 4 mA, whereas the LM2936 is much more efficient, having quiescent current measured only in tens or hundreds of microamps, depending on the load. Unfortunately its maximum output current is 50 mA which is way too low if we want to use the GSM module as well. </li>
</ul>
<div>
So, putting all the chips to sleep and using other aforementioned power saving tricks, I managed to get the <b>sleep mode consumption down to 400 MICROamps!</b> :) Now I don't have to worry anymore about accidentally emptying the car battery! </div>
<div>
<br /></div>
<div>
Now, the measurements above are done without the Seeedstudio GSM module, because it is completely another beast: </div>
<div>
<ul>
<li>The SIM900 GSM chip itself doesn't consume that much in sleep, it's specified to be around 1-1.5 mA, but then again it has a peak current consumption of 2 amps during network registration and other wireless activity, which makes it a little bit difficult to find a suitable but efficient power supply. </li>
<li>The GSM shield has its own power regulator MIC29302BU. It is a low voltage drop regulator that can use Arduino's +5V and will provide 4.1 volts (adjustable) for the rest of the GSM shield to use. It is also able to handle the peak currents required by SIM900. Unfortunately it has a quiescent current of around 8 mA when idle, which is not that good.</li>
<li>The shield has an "input power on" LED as well as an actual "power on" LED that is lit when SIM900 is turned on. I'm not sure of their forward voltage drop, so it's hard to guess their current consumption. It's maybe around 2.7 mA + 9 mA when fed with input +5V, if assuming voltage drop of 2.3 V (green SMD LED). Also there's an orange GSM activity LED, but it's on only intermittently (one blink every 2-3 seconds).</li>
<li>The total consumption of the shield when the SIM900 is not even powered is 12.6 mA! </li>
<li>When powered and in sleep mode, the consumption increases to 23.6 mA, having bursts of 36.2 mA every 3 seconds. </li>
<li>The total consumption of the whole device (7805 as the regulator, since LM2936 doesn't output enough juice for the GPS shield) when all the chips are in sleep mode is<b> 27.4 mA</b> (bursts of up to 40 mA every 3 seconds). </li>
</ul>
<div>
It's quite clear that the SeeedStudio GPRS shield v1.4 is not designed for low power consumption in mind, otherwise it would have included a more efficient power regulator and a way to either disable the LEDs or give a way to control them for example with PWM. Since the MIC29302 is intended for automotive applications and has maximum input voltage of +60V, it should be safe to power the whole device with this regulator. However while Atmega328p and MCP2515 can operate with 4.1V, the MCP2551 CAN controller needs at least 4.5V, which is then too much for the SIM900. So, another regulator is anyway needed. </div>
<div>
<br /></div>
<div>
What about LM2936 for the main board and then power the shield with car battery directly? I looked at the LED configuration in the GSM shield schematics and found out that the LEDs are powered straight from the VIN (i.e. before the regulator), and if we give the shield input voltage of +12V without changing also the resistors, LED consumption would rise to tens of milliamps (probably burning them, if not at idle, but at least when the car alternator is running..) So in this case little bit of resoldering would be needed anyway. </div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
</div>
Debugging in -25C... (posted 2013-01-16)<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: start;">
Howdy!<br />
<br /></div>
<div style="text-align: start;">
The name of this post kind of says it all. Sitting in the car with a laptop and tapping on the keyboard while exhaling visible moisture which might make me look like a living steam engine. Trying to fix relentlessly the few remaining bugs, hoping that the laptop battery would last long enough, even though part of me wishes that the laptop would generate more heat. At least the parking heater works!</div>
<div style="text-align: start;">
<br /></div>
<div style="text-align: start;">
For the past few days I've been building the remote heater starter and finally ChiliCAN v0.1 was born! It resembles a little bit those implementations that I wrote about in the first post, but don't let the version number confuse you. This one speaks CAN and has multiple additional functions in addition to its raison d'être: flipping on the relay and making the car a warm haven amidst the hostile environment that Northern Finland is at this time of the year.</div>
<div style="text-align: start;">
<br /></div>
<div style="text-align: start;">
<br /></div>
<div style="text-align: start;">
Let's see what the little controller box has eaten: </div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-CNuwofkJIHw/UPc3I8NX3rI/AAAAAAAAAIg/8D2KAYAbVdA/s1600/2013-01-17+00.15.11.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://3.bp.blogspot.com/-CNuwofkJIHw/UPc3I8NX3rI/AAAAAAAAAIg/8D2KAYAbVdA/s1600/2013-01-17+00.15.11.jpg" height="480" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Ok, it's not going to win any beauty contests, but it does what it's supposed to do.<br />
<br /></td></tr>
</tbody></table>
<br />
<div class="separator" style="clear: both;">
The schematic is quite similar to what Arduino and the CAN shield would be when combined together. On the left is a separate <a href="http://paeae.com/breakout-board-for-ft232rl-usb-to-serial.html">USB breakout board</a>, since it is not needed unless there is a need for debugging, giving manual test commands via the COM port or re-flashing the firmware. So the list of components is quite familiar: Atmega328p, MCP2515 CAN controller, MCP2551 CAN transceiver. A relay for grounding the AEM control pin (gives better isolation than grounding it directly via a transistor). The 7805 constant +5V voltage regulator + a few passive components. Under the ribbon cable is also an SPI header for easy access to debugging with an oscilloscope or maybe BusPirate (actually I ordered it a while back, but haven't yet tested it).</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
There's an extra 5A car fuse, isolated and kept in place with hot glue, but now it's kind of deprecated since I have a main fuse outside the case for extra safety. Also the connectors are insulated with hot glue, and that with the IP65 protected case should give ample protection against moisture. I still have to spray the board with a coating of protective lacquer, but that's only after extensive testing.</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
Then there's the female headers, resembling little bit the headers in Arduino board. And what's with the antenna?</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-cE52VPk37Wo/UPc3JDOOvGI/AAAAAAAAAIc/2vxQ3w6P7M0/s1600/2013-01-17+00.17.06.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-cE52VPk37Wo/UPc3JDOOvGI/AAAAAAAAAIc/2vxQ3w6P7M0/s1600/2013-01-17+00.17.06.jpg" height="480" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Yup! That's the <a href="http://www.seeedstudio.com/wiki/GPRS_Shield_V1.0">Arduino GPRS shield</a> based on the SIM900 chip. I didn't have the guts to start dismantling it, so I installed the Arduino type headers and laid the shield on top of the main board. I didn't want to use the built-in SMA-connector on the right side of the shield since that would cause both placement problems as well as increase my worries of poor insulation. So I used a left over WiFi SMA->U.FL extension wire from the Asus Maximus V Formula motherboard that I recently installed. I didn't have any use for desktop WiFi, so why not put the nice cable to use. Actually quite many of the parts here are left-overs or parts that have been recycled from old devices. There was also a long WiFi antenna included with the motherboard, but I decided to use the one shipped with the GPRS shield. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both;">
Sadly after preliminary testing I had to conclude that the Arduino+GPRS shield+CAN shield combination isn't going to work so nicely for two reasons. Separately they work quite fine, but all the combined code requires more memory than the measly 2Kb that the Atmega328p has to offer. This resulted in numerous random crashes, weird behaviour or just lack of functioning. This problem could be solved with optimization tricks, such as better memory utilization by removing unnecessarily large parameters and variables, and moving some parts out of SRAM to flash memory etc. </div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
However the much bigger problem would emerge when looking at the power consumption. Even when the sleep mode was enabled (in which text messages and calls could still be received), the total amount of juice sucked by the device was around 80-90 mA. Although the sleep functionality of the Atmega and CAN controller are not yet utilized by my code, the portion of power consumption by the SIM900 is almost half of the total even though it is in sleep mode! Maybe I'm doing something wrong here, since according to the specs the GPRS module should consume only around 1-2 mA when dozing. </div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
For now as a heater start signal I will be using the yellow light button on the wireless key fob. Luckily the parking spot for my Volvo is almost right below my apartment window, so it is in the wireless range of the key fob and I will be able to use it to start the heater from the warmth of my house :) </div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
Pressing the light button 4 times (turning the car interior and exterior lights on-off-on-off) in a time period of 10 seconds will start the heater. Turning it off is done in the same manner. I can also check the heater status with the fob: When pressing the light button (regardless of whether the sequence ends up starting the heater or not), the car headlights are blinked 1-4 times. One blink means heater is off, two blinks: heater is either starting or stopping, three blinks: heater is on, four blinks: there is an error condition.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<a href="http://3.bp.blogspot.com/-2IKS-pikJOc/UPc3I3ESULI/AAAAAAAAAIk/GI3Un0mkXyw/s1600/2013-01-17+01.10.17.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-2IKS-pikJOc/UPc3I3ESULI/AAAAAAAAAIk/GI3Un0mkXyw/s1600/2013-01-17+01.10.17.jpg" height="480" width="640" /></a><br />
<div class="separator" style="clear: both; text-align: center;">
</div>
Here's the device ready for testing! Leftmost green LED is for status. Next (yellow) is the CAN traffic indicator (actually it doesn't blink for every CAN frame, since then it would just stay lit when connected to the car because of the huge amount of CAN traffic going on all the time. Instead, it blinks only when sending messages or receiving ones that have some inherent importance to us). The third LED is a heater status indicator and the fourth one is an error LED. I might later print labels and other stuff on the case with silk screen technique.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-scruxz7OR3g/UPc2dHRugFI/AAAAAAAAAHw/0g-QlBCjGDQ/s1600/2013-01-16+18.46.38.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-scruxz7OR3g/UPc2dHRugFI/AAAAAAAAAHw/0g-QlBCjGDQ/s1600/2013-01-16+18.46.38.jpg" height="480" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Here is the wiring harness for extending the AEM connector, nicely sleeved for making it look less like a botch job for what it really is. I tried for quite many hours to find suitable male/female connectors compatible with the 4-pin one that AEM and its harness has, but without any result. So I ended up having 4 separate connectors, one for each AEM pin. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Then there are two DB9 standard CAN connectors. Leftmost has 12V connected to its pin #9 and is meant for connecting the ChiliCAN, and the right one is an extra debugging/tracing/logging CAN cable carrying only CAN-L, CAN-H and ground wires. Then there's extra fuse housing and the screw terminal to put the wires together. That + numerous cable ties give pretty good strain relief. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I have to remind you that this is still going to be a temporary installation as I may not even keep the AEM beyond the first few days of testing, so this not-so-elaborate setup will have to do for now. Ok, so maybe I'm going to keep these in place until outside temperatures are easier to count in Celsius degrees than Kelvins.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-2tcmRzZKfhA/UPdJNuv2YJI/AAAAAAAAAJA/e2EPZfi4l5U/s1600/2013-01-16+19.17.04.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-2tcmRzZKfhA/UPdJNuv2YJI/AAAAAAAAAJA/e2EPZfi4l5U/s1600/2013-01-16+19.17.04.jpg" height="480" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Here's the final setup. Installing these separate dangling wires to AEM connector with "relative safety" requires either that the negative wire from the car battery is detached or at least that the AEM fuse is removed. Also good electrical insulation tape is necessary. Did I mention botch job?</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Later I might bypass the AEM connector altogether and connect the ChiliCAN directly to the Rear Electronic Module (REM) where the AEM wiring is originated.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-jeO6EJilOBc/UPc2xyUZxiI/AAAAAAAAAII/osMNjVSEHgk/s1600/2013-01-16+23.02.06.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-jeO6EJilOBc/UPc2xyUZxiI/AAAAAAAAAII/osMNjVSEHgk/s1600/2013-01-16+23.02.06.jpg" height="480" width="640" /></a></div>
Inspired by the stuff the guys at the Swedish Volvo forum have been doing, I too decided to add menu feature to the ChiliCAN. The menu can be accessed by keeping the cruise zero button pressed for two seconds. The +/- buttons are used in navigating and another zero button press makes a selection. The return button exits the menu.<br />
<br />
Using cruise buttons doesn't interfere with the normal cruise functionality unless we have turned it on before entering the menu. And even then the cruise buttons work normally and are not hijacked in any way. Another, more familiar way of using the DIM menu would have been with SWM control stalk, but then we would have been forced to hijack the control stalk and I'm not sure if that can be done via CAN bus.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-KMyX2tjJh0A/UPdW1k5WU6I/AAAAAAAAAJU/G6OdKBYvQlU/s1600/2013-01-16+22.32.34.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-KMyX2tjJh0A/UPdW1k5WU6I/AAAAAAAAAJU/G6OdKBYvQlU/s1600/2013-01-16+22.32.34.jpg" height="480" width="640" /></a></div>
Heater can be turned on and off via the menu. Here its status is shown (off / on / starting / stopping / error). It's handy to see the battery voltage without having to go crawl under the hood (or in case of S80, the trunk) with a multimeter. The various bits of information are queried by the ChiliCAN from CEM via diagnostic messages.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-RSCCekOHHm0/UPc2x_oyZDI/AAAAAAAAAIE/DevSMzajdDs/s1600/2013-01-16+23.02.21.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-RSCCekOHHm0/UPc2x_oyZDI/AAAAAAAAAIE/DevSMzajdDs/s1600/2013-01-16+23.02.21.jpg" height="480" width="640" /></a></div>
It can be quite informative to see the coolant temperature here, since it gives a rough estimation of how cold the engine is and whether you should start the heater. This makes it much easier to do rough guesses of how long you should keep the heater on to get the cabin and the engine comfortable. And of course, this isn't limited to the diesel/petrol parking heater, but could be used in conjunction with any additional heaters. When my Ardic broke down a while back, I got an electrical block heater (coolant heater) installed, but I wasn't (and still I'm not) quite sure how effective it is in hard metrics. With ChiliCAN I can now easily see how well (or badly) it really works.<br />
<br />
One feature to tinker with in the future would be the enabling of the water pump in Ardic in conjunction with the electrical coolant heater. That would give more even spread of the heat, since the block heater doesn't have its own water pump and is just heating one part of the coolant circulation, hoping that the difference in the coolant temperature itself moves the liquid around a bit.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-lRBvbmS1_tM/UPc2x6rPlxI/AAAAAAAAAIM/aWGmmfVzpcg/s1600/2013-01-16+23.02.38.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-lRBvbmS1_tM/UPc2x6rPlxI/AAAAAAAAAIM/aWGmmfVzpcg/s1600/2013-01-16+23.02.38.jpg" height="480" width="640" /></a></div>
<br />
Here we can see the GSM module status. Code isn't included in the firmware yet, since the memory optimization hasn't been done yet.<br />
<br />
<br />
There are still quite a lot of things to do, but priority is now in lowering the energy consumption. After that, I might start thinking about having features a little bit like what Volvo has to offer in their newest models: <a href="http://www.volvocars.com/intl/sales-services/sales/volvo-on-call/pages/mobile-app.aspx">Volvo On Call mobile app</a> :)<br />
<br />
Reverse engineering AEM: Part deux (posted 2013-01-14)<br />
<br />
Today I had the appointment with Volvo Service for AEM reprogramming, and it was quite a quick operation. After 20 minutes a hefty sum of 80 euros in my wallet was magically converted into bits and bytes to give breath of life to the module. And alive it was.<br />
<br />
The wizards of the garage were quite amused to see the test setup: AEM was dangling freely in the trunk, its movement restricted only by the AEM cord. I hadn't bothered to drill any holes to vehicle chassis since I had plans to ditch the module anyway after some testing and reverse engineering. As a makeshift remote control signaler, I used a dongle consisting of rs-232 connector with two of its pins connected. When connected to a remote control box cable (substituting the control box itself, since it's not ready yet), the AEM control pin #3 is shorted to ground and the heater is supposed to engage automatically. Against all the odds everything worked out in the first time, and in just few seconds the sweet smell of burning diesel was reaching my olfactory nerves. Yay!<br />
<br />
When hooked up to CAN logger, we can see the AEM broadcast idle with CAN id 01a00006:<br />
<br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">01 a0 00 06 : 00 00 00 00 00 04 03 00 <br />01 a0 00 06 : 00 00 00 00 00 00 03 00 <br />01 a0 00 06 : 00 00 00 00 00 06 03 00 </span><br />
<br />
After bit of testing its functionality with VIDA, I managed to pinpoint the most important data locations:<br />
<br />
<ol>
<li>data byte: Always 0x00 ?</li>
<li>data byte: Always 0x00 ?</li>
<li>data byte: Always 0x00 ?</li>
<li>data byte: Always 0x00 ? </li>
<li>data byte: Always 0x00 ?</li>
<li>data byte: High nibble: radio mute signal: 4=initiated by telephone, 8=initiated by parking assistance. Low nibble: alternates in idle between 0/4/6. Meaning unknown.</li>
<li>data byte: High nibble: call start (remote parking heater enable): 0=off, 6=start, 4=stop, 2=on. Low nibble: operating mode(?): When powered, one message with 0x00, then several messages with 0x01 until it receives a CAN frame sent by any other Volvo CAN module. After that, the low nibble is always 0x3.</li>
<li>data byte: Parking assistance proximity sensor: ranges from 0x7f (2 meters) to 0x10 (0 meters). 0x00 is off. This sends signal to audio module to play a buzzer/beep signal on the speakers on various intervals depending on the proximity distance.</li>
</ol>
<br />
We can also request various parameters from AEM via diagnostic messages (in the same way as explained in previous blog posts). The module responds with diagnostic CAN id of 0x00810001 and its module id is 0x52.<br />
<br />
AEM voltage:<br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">00 0f ff fe cd 52 a6 1a 01 01 00 00</span><br />
<br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">00 81 00 01 cd 52 e6 1a 01 5f 00 00 // 11.88V</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">00 81 00 01 cd 52 e6 1a 01 60 00 00 // 12V</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">00 81 00 01 cd 52 e6 1a 01 61 00 00 // 12.13V</span><br />
<br />
Callstart supply:<br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">00 0f ff fe cd 52 a6 5f 21 01 00 00 </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">00 81 00 01 cd 52 e6 5f 21 02 00 00 // not-active</span><br />
<br />
Callstart active:<br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">00 0f ff fe cd 52 a6 5f 20 01 00 00 </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">00 81 00 01 cd 52 e6 5f 20 01 00 00 // no</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">00 81 00 01 cd 52 e6 5f 20 00 00 00 // yes</span><br />
<br />
Relay: electrical preheater (note: this isn't our remote control relay, but a different heater functionality).<br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">00 0f ff fe cd 52 a6 5f 10 01 00 00 </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">00 81 00 01 cd 52 e6 5f 10 02 00 00 // not active</span><br />
<br />
And activation functionality for testing (used in our reverse engineering):<br />
<br />
Callstart enable:<br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">00 0f ff fe cc 52 b2 02 01 00 00 00 <- enable</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">00 81 00 01 cb 52 f2 02 00 00 00 00 <- ACK</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">01 a0 00 06 00 00 00 00 00 04 63 00 <- AEM: start the heater</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">01 a0 00 06 00 00 00 00 00 04 23 00 <- AEM: keep the heater enabled</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">01 a0 00 06 00 00 00 00 00 00 23 00 </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">01 a0 00 06 00 00 00 00 00 06 23 00 </span><br />
<br />
<span style="color: #9fc5e8;">...</span><br />
<br />
Parking sensor buzzer: simulates proximity from 2m to 0m<br />
<span style="color: #9fc5e8; font-family: 'Courier New', Courier, monospace;">00 0f ff fe cb 52 b2 01 00 00 00 00 </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">00 81 00 01 cb 52 f2 01 00 00 00 00 </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">01 a0 00 06 00 00 00 00 00 04 03 7f <- AEM sensor: 2 meters</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">01 a0 00 06 00 00 00 00 00 00 03 7f </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">01 a0 00 06 00 00 00 00 00 04 03 7c </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">01 a0 00 06 00 00 00 00 00 04 03 79 </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">....</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">01 a0 00 06 00 00 00 00 00 04 03 10 <- AEM sensor: 0 meters</span><br />
<br />
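A decoder for the frames captured above, added here as an illustration (it is not code from the original post or from SardineCAN). It follows the byte layout listed in this post; the function names, the "inactive" label for mute nibble 0, the linear distance scale between 0x10 and 0x7f, and the 0.125 V per count voltage factor (inferred from the three voltage samples) are assumptions.<br />

```python
"""Decode AEM frames from a CAN log, using the byte layout given in this post."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

AEM_BROADCAST_ID = 0x01A00006      # AEM status broadcast id (from the post)
AEM_DIAG_RESPONSE_ID = 0x00810001  # AEM diagnostic response id (from the post)
AEM_MODULE_ID = 0x52               # AEM module id (from the post)

# High nibble of data byte 6. 0x0 is what the idle captures show; calling it
# "inactive" is an assumption.
MUTE_SOURCE = {0x0: "inactive", 0x4: "telephone", 0x8: "parking assistance"}
# High nibble of data byte 7, values as listed in the post.
CALL_START = {0x0: "off", 0x6: "start", 0x4: "stop", 0x2: "on"}


@dataclass
class AemStatus:
    mute_source: str
    idle_nibble: int               # low nibble of byte 6, meaning unknown
    call_start: str
    operating_mode: int            # low nibble of byte 7
    proximity_raw: int
    proximity_m: Optional[float]   # None when the sensor reports off/out of range


def parse_log_line(line: str) -> Tuple[int, bytes]:
    """Turn '01 a0 00 06 : 00 ... 00 <- note' into (can_id, 8 data bytes)."""
    for marker in ("<-", "//"):            # strip the annotations used in the post
        line = line.split(marker, 1)[0]
    raw = bytes(int(tok, 16) for tok in line.replace(":", " ").split())
    if len(raw) != 12:
        raise ValueError("expected 4 id bytes + 8 data bytes, got %d" % len(raw))
    return int.from_bytes(raw[:4], "big"), raw[4:]


def proximity_metres(raw: int) -> Optional[float]:
    """Map 0x10..0x7f to 0..2 m. Linear interpolation is an assumption."""
    if not 0x10 <= raw <= 0x7F:
        return None                        # 0x00 means off; other values unknown
    return (raw - 0x10) / (0x7F - 0x10) * 2.0


def decode_broadcast(can_id: int, data: bytes) -> AemStatus:
    if can_id != AEM_BROADCAST_ID or len(data) != 8:
        raise ValueError("not an AEM broadcast frame")
    b6, b7, b8 = data[5], data[6], data[7]  # bytes 6, 7, 8 in the post's list
    return AemStatus(
        mute_source=MUTE_SOURCE.get(b6 >> 4, "unknown(0x%x)" % (b6 >> 4)),
        idle_nibble=b6 & 0x0F,
        call_start=CALL_START.get(b7 >> 4, "unknown(0x%x)" % (b7 >> 4)),
        operating_mode=b7 & 0x0F,
        proximity_raw=b8,
        proximity_m=proximity_metres(b8),
    )


def decode_voltage(can_id: int, data: bytes) -> Optional[float]:
    """Voltage from an 'e6 1a 01 xx' response; 0.125 V/count is inferred."""
    if can_id != AEM_DIAG_RESPONSE_ID or len(data) != 8 or data[1] != AEM_MODULE_ID:
        return None
    if data[2:5] != bytes([0xE6, 0x1A, 0x01]):
        return None
    return data[5] * 0.125


def heater_start_frames(lines: List[str]) -> List[int]:
    """Indexes of log lines where the AEM broadcast carries call start = start."""
    hits = []
    for i, line in enumerate(lines):
        can_id, data = parse_log_line(line)
        if can_id == AEM_BROADCAST_ID and decode_broadcast(can_id, data).call_start == "start":
            hits.append(i)
    return hits


# Lines copied from the captures shown in this post.
SAMPLE_LOG = [
    "01 a0 00 06 : 00 00 00 00 00 04 03 00",
    "00 0f ff fe cc 52 b2 02 01 00 00 00 <- enable",
    "00 81 00 01 cb 52 f2 02 00 00 00 00 <- ACK",
    "01 a0 00 06 00 00 00 00 00 04 63 00 <- AEM: start the heater",
    "01 a0 00 06 00 00 00 00 00 04 23 00 <- AEM: keep the heater enabled",
    "01 a0 00 06 00 00 00 00 00 04 03 7f <- AEM sensor: 2 meters",
    "01 a0 00 06 00 00 00 00 00 04 03 10 <- AEM sensor: 0 meters",
    "00 81 00 01 cd 52 e6 1a 01 5f 00 00 // 11.88V",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        cid, payload = parse_log_line(entry)
        if cid == AEM_BROADCAST_ID:
            print(decode_broadcast(cid, payload))
        elif decode_voltage(cid, payload) is not None:
            print("AEM voltage: %.3f V" % decode_voltage(cid, payload))
    print("heater start requests at log lines:", heater_start_frames(SAMPLE_LOG))
```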
<br />
The disable command seems to be the same for all the different activation test functions:<br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">00 0f ff fe ca 52 a0 00 00 00 00 00 </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">00 81 00 01 ca 52 e0 00 00 00 00 00 </span><br />
<br />
Mind you, these messages are the result of testing the AEM with VIDA on my lab workbench, and I haven't made sure whether these values have any real effect in the car. If you have your own CAN transceiver and you are in need of, say, a radio mute functionality, but don't want to shell out money for the AEM, it might be worth a try to replicate these messages. Enabling these functionalities normally requires reprogramming the AEM or CEM or both, but for some reason it seems to be possible to turn on some options (for example the audio mute) with diagnostic messages, so maybe it's not the AEM that needs reprogramming any more, but the modules that need to interpret those messages (AUM & CEM in this case).<br />
<br />
Anyway, if you hook up your own CAN module to mimic the AEM, in the best case scenario you might not need the AEM at all, but just the CEM reprogramming. Though it might be interesting to see if someone manages to convince Volvo service to modify the CarConfig to include the AEM even though it's not really physically there :)<br />
<br />
"- So you want us to install the application #9499904 to enable AEM in your car?"<br />
"-Affirmative."<br />
"-But according to the ECU scan, there is no AEM installed."<br />
<br />
"-That's correct."<br />
<br />
"- Sigh... Also you want to have the #8690151 remote heater start application as well as the #8637215 parking assistance application?"<br />
"-You got that right."<br />
"-But sir, the AEM has to be installed in order to use those functions!"<br />
"-I'm perfectly aware of that."<br />
"-..?"<br />
<br />
<br />
<span style="color: red;">UPDATE: </span>Starting the heater by emulating AEM does work!<br />
<br />
Dissection of AEM<br />
Posted by Olaf, 2013-01-07<br />
<br />
Hello all!<br />
<br />
As I wrote in an earlier post, I had had enough of banging my head against the wall (or in this case, the steering wheel), and after numerous failures in controlling the Ardic via CAN bus, I decided to go with the flow and ordered the Accessory Electronic Module (AEM) that simplifies that task quite a bit. All one needs is to connect one of the control pins to ground, after which the AEM asks the CEM to turn on the heater. In theory, I might be able to emulate the functionality of the AEM in this matter; however, there's no getting around purchasing the AEM anyway, since both the module and the CEM need to be programmed at Volvo Service to enable this functionality. Only after they are programmed am I (hopefully) able to reverse engineer the AEM messaging and emulate it with my own device, making the AEM useless. Without programming, the CEM doesn't understand what the AEM is saying, and the AEM doesn't know what to say. Sounds like a date between a bimbo and a geek.<br />
<br />
It's been a few weeks since I ordered the AEM, and all this time it has been lingering somewhere in the limbo of the Finnish postal service. The last time something like that happened was one year ago when I ordered a bunch of electronics from DealExtreme. Turns out it had been waiting for me for three weeks at the nearest post office 200m away - nobody just bothered to scan it when it arrived! Anyway, finally today I received the module, and of course, I had to pry it open!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-JOWrT5285VE/UOtKYXcfSiI/AAAAAAAAAHY/Emho9yjEXhY/s1600/2013-01-08+00.05.24.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-JOWrT5285VE/UOtKYXcfSiI/AAAAAAAAAHY/Emho9yjEXhY/s1600/2013-01-08+00.05.24.jpg" height="640" width="480" /></a></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-sP9QH26GDd4/UOtKrWZ68PI/AAAAAAAAAHg/cYEhciybSqI/s1600/2013-01-08+00.20.02.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://3.bp.blogspot.com/-sP9QH26GDd4/UOtKrWZ68PI/AAAAAAAAAHg/cYEhciybSqI/s1600/2013-01-08+00.20.02.jpg" height="480" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Heater (and other functionalities) are controlled by this multi-pin connector. Pin 1: +12V output. Pin 2: Ground. Pin 3: Parking heater enable signal (connect to ground to enable). The 4-pin connector is the AEM connector explained in an earlier post: Pin 1 (lower left): +12V input. Pin 2 (upper left): ground. Pin 3 (lower right): CAN high signal. Pin 4 (upper right): CAN low signal.</td></tr>
</tbody></table>
<br />
<br />
The main cover can be opened by releasing the clips, so at this stage we can continue the dissection without fear of voiding the warranty.<br />
<br />
Let's see what it has eaten:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-1hOiqIf-yu0/UOtENhC6bqI/AAAAAAAAAHI/_QjWqw8W6xY/s1600/2013-01-07+23.53.20.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-1hOiqIf-yu0/UOtENhC6bqI/AAAAAAAAAHI/_QjWqw8W6xY/s1600/2013-01-07+23.53.20.jpg" height="640" width="480" /></a></div>
<br />
The PCB is covered with a lacquer-like substance, presumably to protect it from moisture and corrosion. However, this makes some of the IC markings unreadable.<br />
<br />
Starting from the top left corner:<br />
1st row: left: ?. middle: BTS611L1 (smart two channel high side power switch)<br />
2nd row: TLE 4279 (5V low drop voltage regulator)<br />
3rd row: Left: ? Right: ?<br />
4th row: middle: Infineon TLE 6236G (smart octal low side switch) Right: ?<br />
5th row: 2 x CD4010BQ (CMOS hex buffer)<br />
<br />
I didn't feel like removing the metal shield, since that would quite likely leave marks suspicious enough to void the warranty. I might do that later though after AEM has made itself useless :)<br />
<br />
Now, some testing:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-h2S2KQMGg7E/UOs-4dsKxvI/AAAAAAAAAG4/fR2cH1mA49U/s1600/2013-01-07+21.36.03.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://4.bp.blogspot.com/-h2S2KQMGg7E/UOs-4dsKxvI/AAAAAAAAAG4/fR2cH1mA49U/s1600/2013-01-07+21.36.03.jpg" height="640" width="480" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small; text-align: start;">As you can see, it consumes around 30mA when idle. Not bad, at least now I have some kind of reference for what kind of power consumption is acceptable. </span></td></tr>
</tbody></table>
<br />
I tried to communicate with it via manual diagnostic commands as well as VIDA, but it didn't react in any way, nor did it send any CAN frames when powered on. Just for fun I grounded Pin 3 to create a parking heater enable signal, but nothing happened, just as expected for a device without any programming.<br />
<br />
For a moment I thought it might be damaged (either DOA or broken by my endless curiosity) since it just lay there silently, but then I realized it still might be ACKing all CAN bus messages since SardineCAN was sending CAN frames successfully. In that case it wouldn't be completely dead and might be just lacking suitable firmware. To test this hypothesis I removed the AEM from the bus and immediately SardineCAN went haywire since now there wasn't any device on the network that acknowledges the messages it sends. My assumption is then that the AEM is delivered in a tabula rasa condition and it lacks all the functionality except the most basic CAN protocol stuff, such as ACKing messages on the bus. I suppose it doesn't even know its CAN address yet. How cute.<br />
<br />
Next stop: Volvo Service<br />
<br />
<br />
<br />
<br />
Happy holidays!<br />
Posted by Olaf, 2012-12-24<br />
<br />
Ho ho! A new version of SardineCAN is out!<br />
<br />
Due to popular request, I've added support for Lawicel CANUSB and CAN232 devices to both the Arduino firmware and the Win32 DLL. For more information about these devices, see<br />
<a href="http://www.canusb.com/products.htm">Manufacturer page</a> and the <a href="http://www.canusb.com/documents/canusb_manual.pdf">Manual / Command set reference</a>.<br />
<br />
What does this mean?<br />
<br />
- Owners of Lawicel CAN devices are able to use programs supporting J2534 protocol (such as Volvo VIDA) without any hardware modifications!<br />
- Those who have taken the time to construct SardineCAN themselves are able to use additional diagnostic programs such as <a href="http://www.mictronics.de/projects/usb-can-bus/">CanHacker</a> as well as numerous other programs that support the CANUSB protocol, since SardineCAN now emulates it by default.<br />
<br />
I haven't got any Lawicel devices myself, so I can't be 100% sure that the protocol support works in all cases, but when testing it with CanHacker it seems to function just fine. Please let me know if you come across any problems!<br />
<br />
I haven't yet merged the changes into the main branch, but will do that after I get positive feedback from users and make sure that these major changes don't break anything. Meanwhile, the CANUSB branches can be found <a href="https://github.com/hackingvolvo/SardineCAN-Win32/tree/CANUSB">here</a> and <a href="https://github.com/hackingvolvo/SardineCAN-Arduino/tree/CANUSB">here</a>.<br />
<br />
I've also been informed that there is a problem when opening the Visual Studio solution file with the Express 2010 edition. Since I develop with Visual Studio 2012, which uses a newer solution file format, earlier versions get confused and refuse to open it. I heard that Express 2010 Service Pack 1 adds the capability to open 2012 solutions, so you should <a href="http://www.microsoft.com/en-us/download/details.aspx?id=23691">check it out</a> (much easier than handling separate project files for different Visual Studio versions..)<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-lQP2ViSOFsA/UNgvIVYILzI/AAAAAAAAAGg/pPwnNsBnf0g/s1600/christmas-hacking.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="604" src="http://2.bp.blogspot.com/-lQP2ViSOFsA/UNgvIVYILzI/AAAAAAAAAGg/pPwnNsBnf0g/s640/christmas-hacking.jpg" width="640" /></a></div>
<br />
<br />
<br />
Sardine CAN version 0.2 alpha now available!<br />
Posted by Olaf, 2012-12-13<br />
<br />
Hello all,<br />
<br />
Sardine CAN is now available as open source software, as promised some time ago. In the past few days I've been cleaning up the code and writing short pieces of documentation to help with installation, but to get a more detailed view of the software, one must resort to reading the comments that are peppered all over the source code.<br />
<br />
Please note that this is still HIGHLY EXPERIMENTAL software and great care should be taken when using it beyond any test installation on your desktop, such as diagnosing your car or clearing error codes stored in ECUs. Flashing any ECUs or making any other bigger changes in your car is completely beyond the scope of Sardine CAN and even though it might be possible in theory, I wouldn't dare to try it. If you respect your daily commuter at all, please buy a commercial product for that purpose.<br />
For basic diagnosing I do not anticipate any big problems, but still, should you decide to use Sardine CAN, you do so completely at your own risk. I won't be held responsible for any damage caused to you, your property or nearby persons by any attempts to use Sardine CAN in any way other than looking at the source code. Sorry, one more addendum: Should you get a headache or burst your brain aneurysm while reading the source code, I won't be held responsible. And no reading while driving!<br />
<br />
That being said, installation should be quite straightforward. Just follow the installation instructions and you should be fine.<br />
<br />
The code can be found on GitHub <a href="https://github.com/hackingvolvo">HERE</a>. You need to download both repositories, the Arduino firmware and the Win32 DLL. If you don't want to install Git (though highly recommended), you can download the repositories as complete ZIP files.<br />
<br />
So, what can you do with it?<br />
<br />
I've been able to use it with VIDA to identify my car and all the various ECUs in the low-speed CAN bus. It can read and clear error codes stored in all the available modules. Also with VIDA it is possible to use various diagnostic commands to test ECU functionality (for example to activate wipers, power windows, test heater functionality etc) as well as read various status parameters available on each ECU. Remember, J2534 is just a pass-through protocol. All the functionality depends on the program using the J2534 interface.<br />
<br />
Note that ISO9141 K-line initialization is not yet implemented, so at least in my Volvo S80 (year model 2002) it is not possible to plug this straight into the OBD port, because the lack of initialization causes the diagnostic relay to stay closed and thus the CAN bus pins on the OBD port remain floating. However, any other CAN bus port can be used, such as the RTI or AEM connector, or perhaps a connector in the audio module.<br />
<br />
Do also note that Sardine CAN hasn't been tested on the high speed CAN bus yet, and the data rate is hard-coded to 125 kbit/s (the speed of the low speed CAN bus in my car). Also, the PASS filter is hardcoded in the Arduino firmware to accept diagnostic messages originating only from addresses of the form 0080xxxx, so if you have problems receiving messages from the Arduino, please use some other CAN reader to check the diagnostic addresses that the ECUs use in your car - they might be different from those that are expected.<br />
<br />
Even though the device works quite well in my car, I'm sure there are bugs and there will be problems, not to mention nuisances caused by missing functionality. Please don't hesitate to contact me, but in case you do, include all the necessary information (your car model and year, software used (Windows version etc)) and attach the log files related to the incident along with a description of what happened. Also, if you have any coding skills, I would be happy to receive patches and bug fixes and maybe even some code to implement functionality that is still missing.<br />
<br />
Happy hacking!<br />
<br />
Best regards,<br />
Olaf<br />
<br />
Anatomy of Ardic<br />
Posted by Olaf, 2012-12-11<br />
<br />
Greetings from the non-insulated garage of my parents! I don't have any warm facilities to fix my car, so this will have to do. It was a nice warm day of -5 Celsius when I decided that it is now or never (actually now or next summer) that I'm going to tear down the Ardic and see what the problem is.<br />
<div>
<br /></div>
<div>
Here's a <a href="http://www.vrcf.fi/foorumi/index.php?topic=12250.0">nice post about removing and servicing Ardic.</a> (Sorry, instructions only in Finnish).<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-Ywl4j9XOIlo/UMfYf1MQHrI/AAAAAAAAAGM/YdzEiBeoZgc/s1600/Ardic_2003.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="464" src="http://1.bp.blogspot.com/-Ywl4j9XOIlo/UMfYf1MQHrI/AAAAAAAAAGM/YdzEiBeoZgc/s640/Ardic_2003.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Here's an exploded-view diagram of the Ardic. The year is 2003, but it seems to be identical to mine. Taken from <a href="http://www.vrcf.fi/foorumi/index.php?topic=491.0">the Finnish Volvo forum, topic dedicated to Ardic problems.</a></td></tr>
</tbody></table>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-uzTT0P51A1E/UMe8FPTyulI/AAAAAAAAAD4/8KiavsPfkQE/s1600/2012-12-08+18.19.07.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="http://3.bp.blogspot.com/-uzTT0P51A1E/UMe8FPTyulI/AAAAAAAAAD4/8KiavsPfkQE/s640/2012-12-08+18.19.07.jpg" width="480" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Here's the big guy itself after removing the front bumper. Inferring from the rusted screws, I would think this thing hasn't been serviced in years, maybe never during the 10 years it has existed. There have been quite a few previous owners and according to the owner history database, each of them had this car for only a little over 2 years.</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-PIbqbpCUolk/UMfDlMnj97I/AAAAAAAAAFM/UZwSODa-TMo/s1600/2012-12-08+20.04.21.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="480" src="http://1.bp.blogspot.com/-PIbqbpCUolk/UMfDlMnj97I/AAAAAAAAAFM/UZwSODa-TMo/s640/2012-12-08+20.04.21.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">After one hour of careful separation process in -6C, we can continue disassembly inside in room temperature! </td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-Mgj8Gbm2GDQ/UMfB-PmTHpI/AAAAAAAAAFE/rsDpLnt0Kus/s1600/2012-12-08+20.49.18.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="http://3.bp.blogspot.com/-Mgj8Gbm2GDQ/UMfB-PmTHpI/AAAAAAAAAFE/rsDpLnt0Kus/s640/2012-12-08+20.49.18.jpg" width="480" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Glow plug, water pump and outer shell removed.</td></tr>
</tbody></table>
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-6aUzGwSxU4U/UMe8KRGWCUI/AAAAAAAAAEA/z42a3iRp0Hk/s1600/2012-12-08+20.20.04.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="480" src="http://3.bp.blogspot.com/-6aUzGwSxU4U/UMe8KRGWCUI/AAAAAAAAAEA/z42a3iRp0Hk/s640/2012-12-08+20.20.04.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Testing the glow plug. Intact, as I suspected.</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-7oew9fA3WsU/UMfFZRBpIAI/AAAAAAAAAFU/ypr935k51eo/s1600/2012-12-08+20.52.06.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="480" src="http://2.bp.blogspot.com/-7oew9fA3WsU/UMfFZRBpIAI/AAAAAAAAAFU/ypr935k51eo/s640/2012-12-08+20.52.06.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Inner shell removed, revealing chunks of soot attached to the walls </td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-prAW8_wbrdk/UMfQpB3e18I/AAAAAAAAAF8/WNProt3Pn24/s1600/2012-12-08+21.13.46.jpg" imageanchor="1" style="clear: left; font-size: medium; margin-bottom: 1em; margin-left: auto; margin-right: auto; text-align: start;"><img border="0" height="480" src="http://4.bp.blogspot.com/-prAW8_wbrdk/UMfQpB3e18I/AAAAAAAAAF8/WNProt3Pn24/s640/2012-12-08+21.13.46.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Here's the combustion fan motor, working normally. A little bit to the left under the cap resides the flame sensor that is directed toward the combustion chamber. I managed not to take any pictures from the right angle, but there was a little bit of soot there as well, blocking the view of the flame and causing the main problem here. After some cleaning, the flame sensor reads ~8 Mohm when in the dark and around 430 kohm when teased with direct light from a flashlight.</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-3jniqCH43gI/UMe8LkFNKdI/AAAAAAAAAEI/r8TtjGFlAPQ/s1600/2012-12-08+20.51.29.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="http://4.bp.blogspot.com/-3jniqCH43gI/UMe8LkFNKdI/AAAAAAAAAEI/r8TtjGFlAPQ/s640/2012-12-08+20.51.29.jpg" width="480" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Quite a bit of soot also under (actually over, since the unit seen here is held upside-down normally) the cup and the turbulator. There's a shadow under it too, but most of it is soot actually.<br />
<br /></td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-jcdimHBDALI/UMe8QoNeHXI/AAAAAAAAAEY/-1KhoJz9UOs/s1600/2012-12-08+22.15.43.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="480" src="http://3.bp.blogspot.com/-jcdimHBDALI/UMe8QoNeHXI/AAAAAAAAAEY/-1KhoJz9UOs/s640/2012-12-08+22.15.43.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Here's the CPM. It's a funny feeling seeing it here now, like meeting somebody in real life after you have spent weeks chatting online :)</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/--ok7CqsCE7E/UMfLvlcotUI/AAAAAAAAAFs/YGscDffpdGw/s1600/2012-12-08+22.18.16.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="http://4.bp.blogspot.com/--ok7CqsCE7E/UMfLvlcotUI/AAAAAAAAAFs/YGscDffpdGw/s640/2012-12-08+22.18.16.jpg" width="480" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">We know each other so well already, so there was no need to be embarrassed. Let's take the cover off and look if there are any unhappy burned parts. None found.</td></tr>
</tbody></table>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-B2VV8pGiEj8/UMe8ToLtipI/AAAAAAAAAEo/2NuczAr9IBw/s1600/2012-12-08+22.19.20.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="480" src="http://2.bp.blogspot.com/-B2VV8pGiEj8/UMe8ToLtipI/AAAAAAAAAEo/2NuczAr9IBw/s640/2012-12-08+22.19.20.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Only after putting the whole thing together again and looking at this image more carefully when uploading it did I notice this burnt-looking solder joint a little bit from the center in the direction of the upper left corner. Weird, since the heater seems to be working now. Maybe it was just the angle, light doing its tricks.</td></tr>
</tbody></table>
<div>
So, I cleaned all the soot from the heater and put the thing back together. Fingers crossed, I started the heater and behold, it works now! It seems that soot builds up as a result of imperfect combustion and eventually blocks the light/flame sensor. When this happens the CPM thinks there's a problem with fuel delivery or some other functionality, and then stops the heater. The Ardic does need service at least every two years, but some people service it annually, especially when there's a lot of short distance driving and the heater runs cold for proportionally longer periods.<br />
<br />
I didn't touch the water pump since it seems to be working, and I don't have any spare rubber parts should the pump need any of them changed after opening it to prevent leaks. Anyways, I'm going to buy a new pump next summer when I'm servicing this thing again, just in case. It's interesting to see how much soot buildup will occur during the winter months with my personal driving style and preferences. From there it will be possible to estimate how long a relatively safe service period would be. It would perhaps be possible to estimate this based on the voltage reading of the flame sensor! Of course, this would require reaching a steady state, maybe by running the heater for one hour until all the temperatures reach equilibrium and then checking the sensor voltage. The nearer it is to the 2.5 volt threshold (explained in a previous post) when the heater is on, the more soot there could be covering the eye of the flame sensor. I will have to check the reading soon while it is still clean.<br />
<br />
UPDATE: The flame sensor voltage will fluctuate between 0.6 and 1.0 volts when the furnace has been cleaned. Boys, when it starts to climb over 2.0 volts near the 2.5V threshold, it's time to grab your wrenches and mops and start cleaning!<br />
<br /></div>
FFffuuuuuuu......<br />
Posted by Olaf, 2012-12-09<br />
<br />
Succession of failures. What an oxymoron.<br />
<br />
A week ago I continued testing the ignition of the parking heater with diagnostic commands. Last time I checked, it worked without the key in the ignition using VIDA, so I took another shot with ELM327. No go. Ok, I started injecting the periodic keep-alive message into the CAN bus and tried again, but without any success. Then I put the key into position I, and what do you know, the heater started. It DOES need the key in the ignition after all, so there goes my plan to implement the remote control using the diagnostic commands. &lt;insert swear words and cursing here/&gt; My previous success with VIDA must have been because of some kind of inherent timeout in the CEM. Diagnostic codes and commands work for some period of time after the key is removed from the ignition, but after a while (maybe for security reasons) the CEM stops responding to them.<br />
<br />
There is a way to spoof the other modules into thinking that the key is in the ignition by overwriting the continuous status updates made by CEM about the key position, but there's no workaround when it comes to CEM itself. It would be like breaking into your own car. So I folded in front of yet another unforeseen obstacle, took the path of less resistance and ordered the AEM module. It's going to cost a little bit over 200 euros (including software updates to CEM and AEM itself), sure, but I didn't see any way beyond the key problem and I'd spent enough time tackling this one.<br />
<br />
BTW. Guys in King of Thrones are wrong. The winter isn't coming. It's freaking already here! A few days ago the temperature went down to -22 Celsius (-7 Fahrenheit)! And that resulted in the next system failure...<br />
<br />
The parking heater stopped working. The day before this total failure it already gave a hint for the upcoming problem. For some reason it hadn't reacted to previously set timer, but did go off when starting it manually. Next day, I had set the timer again, but when I approached the car, I could see that everything was still frozen. Attempted starting the heater manually, and it did run for a minute or two, but then stopped again. Tried it for the third time, but the same thing happened.<br />
<br />
Now after three unsuccessful start attempts the CPM goes into lock-down that can only be reset with VIDA or other expensive diagnostic device. Poor man's choice, Torque + ELM327 won't do, since they won't be able to query CPM's fault codes and reset them. So, my efforts developing the Sardine CAN and playing around with VIDA weren't a total waste of time. Lucky me, except that I was visiting my parents' house and I didn't have the device with me, so I had to resort to firing up the engine in -22C since there isn't any additional heater installed in the car.<br />
<br />
Except now the car wouldn't start. Motor would cough for a second or two, but then the starter motor just continued to spin. Now I was starting to get pissed off. This sounded more like a battery problem or frozen fuel lines, since a problem in either one of those could affect both the motor and the heater. There was no low voltage light lit on the DIM, but I didn't have my multimeter to check the battery voltage. The arctic diesel variety that is offered here in Northern Finland is supposed to handle at least -29C temperatures without gelling/waxing and clogging the fuel filter and the fuel lines. Anyway, I didn't have any way to pinpoint the problem at this stage. Luckily I managed to start the engine after covering it with blankets and letting two powerful heat blowers warm it up from below a bit. Even that took over 2 hours.<br />
<br />
So I got home, connected my dear Sardine CAN, fired up VIDA and started snooping around. First, the fault codes:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-bdImE12HuFY/UMZjb-zL9xI/AAAAAAAAADY/fleXUVG7aOA/s1600/vida-diag-codes.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="610" src="http://4.bp.blogspot.com/-bdImE12HuFY/UMZjb-zL9xI/AAAAAAAAADY/fleXUVG7aOA/s640/vida-diag-codes.jpg" width="640" /></a></div>
<br />
Now this is interesting. There's no way a simple fuel clogging problem would result in fault codes piling up as they do in this list. Especially CEM-6C48 is meaningful in this context. It would indicate there was a communication problem between CEM and the transponder implanted in the ignition key. It could be caused by many different reasons (two different keys next to each other in the keychain, electrical interference, wrong key etc), but the end result would be the same: Fuel delivery to the fuel injectors is inhibited and the motor wouldn't start. However this wouldn't have any effect on the heater, since its fuel input is controlled by the heater's own fuel pump, which is independent from any security measures related to the engine. Anyways, this many fault codes in so many different modules would be unlikely to occur for the reasons indicated in each fault code. There must have been some kind of electrical connectivity problem because of the weather, most likely in the CEM or one of its harnesses. If this ever happens again, I will have to dig into this, but for now, I reset the fault codes and wait to see if any of them pop up again.<br />
<br />
Now that the fault code for the heater (CEM-5F4F : Too many unsuccessful start attempts) had also been cleared, I was free to try starting up the heater, but this time I had VIDA to guide me with troubleshooting.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-OMvMAfSjK6k/UMZyXtUAggI/AAAAAAAAADo/aIAzv_a1nYk/s1600/vida-heater.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="430" src="http://4.bp.blogspot.com/-OMvMAfSjK6k/UMZyXtUAggI/AAAAAAAAADo/aIAzv_a1nYk/s640/vida-heater.jpg" width="640" /></a></div>
<br />
<br />
Glow plug, combustion fan as well as water and fuel pumps were working normally, but the flame sensor read constant voltage. According to VIDA, voltages from 2.5 to 5.0 are interpreted as "no flame" and voltages below 2.5 volts mean there is a flame in the heater. The CPM waits for a while for the diesel to ignite, but after 1-2 mins it gives up, stops the heater and increments the error counter. So, either the flame sensor has broken down or is covered up, or the diesel fuel doesn't reach the heater. Anyway, the problem most likely isn't going to go away magically and repair shops usually ask between 400-600 euros + parts for the repair, so I think you're going to guess where I'm going with this..<br />
<br />
Next: Ardic tear-down!<br />
<br />
Posted by Olaf (Suomi)<br />
<br />
Success! (published 2012-12-01, updated 2012-12-02)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-xzICstzNFtc/ULpgmNGTBXI/AAAAAAAAACE/CDzvuU05QTs/s1600/canned-heat2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://4.bp.blogspot.com/-xzICstzNFtc/ULpgmNGTBXI/AAAAAAAAACE/CDzvuU05QTs/s640/canned-heat2.jpg" width="640" /></a></div>
<br />
It's Saturday night and I feel like partying! :D After countless hours and ~3500 lines of code later, I finally managed to connect VIDA successfully to Volvo, launch the diagnostic part related to Combustion Preheater Module and turn on the parking heater with my laptop!<br />
<br />
Sorry about the poor image quality here:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-Pe0rsPSzC8Q/ULplSEH9TjI/AAAAAAAAACU/rzj7OPKCwAc/s1600/vida1.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="442" src="http://1.bp.blogspot.com/-Pe0rsPSzC8Q/ULplSEH9TjI/AAAAAAAAACU/rzj7OPKCwAc/s640/vida1.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Vida correctly identifies most of the vehicle features. Only transmission, steering and body style had to be manually entered. Reason for this can be seen in the next picture..</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-5YR-c3EFNys/ULplS5HQShI/AAAAAAAAACY/8LoVaSzfb4c/s1600/vida2.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="352" src="http://1.bp.blogspot.com/-5YR-c3EFNys/ULplS5HQShI/AAAAAAAAACY/8LoVaSzfb4c/s640/vida2.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Sardine CAN is connected to the low speed network, so the CAN modules residing in the high-speed network (such as Brake Control Module, Steering Angle Sensor, Engine Control Module, Transmission Control Module as well as the high speed interface of Central Electronic Module) cannot be reached. For some reason messages from a few low speed modules (Upper Electronic Module, SRS, Rear Electronic Module) are not received correctly either. Accessory Electronic Module and Road Traffic Information module I don't have in my car.</td></tr>
</tbody></table>
When sniffing the CAN traffic while VIDA scans the modules and their diagnostic error codes, I can infer which module is being queried and which CAN identifier the module uses for replying. Note that this identifier differs from the one the module uses for normal inter-module communications.<br />
<br />
Let's refresh our memories of the general format of module query (from past blog post):<br />
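<span style="font-family: Courier New, Courier, monospace;"><br /><span style="color: #9fc5e8; font-size: x-small;">000FFFFE CB xx B9 F0 00 00 00 00<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;|&nbsp;&nbsp;|&nbsp;&nbsp;|<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;|&nbsp;&nbsp;|&nbsp;&nbsp;|<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;|&nbsp;&nbsp;|&nbsp;&nbsp;'---- Identify (?)<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;|&nbsp;&nbsp;'----------------- Read Data Block By Offset<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;'-------------------- Module id (list below)<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;'----------------------- Message length</span></span><br />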
00 0F FF FE: The identifier VIDA (or any other diagnostic module) uses for messaging.<br />
Message length: High nibble seems to be always 'C' in a command message. Low nibble: Bit 3 is always on. Bits 0-2 are the actual message length (excluding the first byte). Hence A=2, B=3, C=4, D=5, E=6, F=7<br />
<br />
I found this command set somewhere on Swedespeed car forum:<br />
<br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">A1 No Operation Performed (keep alive)</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">A3 Security Access Mode </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">A5 Read Current Data By Offset </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">A6 Read Current Data By Identifier</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">A7 Read Current Data By Address </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">A8 Set Data Transmission</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">A9 Stop Data Transmission</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">AA Dynamically Define Record</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">AB Read Freeze Frame Data By Offset</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">AC Read Freeze Frame</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">AD Read Freeze Frame By DTC</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">AE Read DTC</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">AF Clear DTC</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">B0 Input Output Control By Offset</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">B1 Input Output Control By Identifier</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">B2 Control Routine By Offset </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">B4 Define Read Write ECU data </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">B8 Write Data Block By Offset </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">B9 Read Data Block By Offset </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">BA Write Data Block By Address</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">BB Read Data Block By Address </span><br />
<br />
<br />
And here's the list of all modules that were queried and identified on Volvo S80 MY02.<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>CAN diag Id ID Description </b></span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">00 80 00 03 :: 40 CEM, Central Electronic Module </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;"> (also answers queries related to CPM (heater))</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">00 80 00 09 :: 51 DIM, Driver Information Module</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">00 80 08 01 :: 48 SWM, Steering Wheel Module</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">00 80 10 01 :: 29 CCM, Climate Control Module</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">00 80 00 11 :: 43 DDM, Driver Door Module</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">00 80 00 81 :: 45 PDM, Passenger Door Module</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">00 80 01 01 :: 2e PSM, Power Seat Module</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">00 80 04 01 :: 46 REM, Rear Electronic Module</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">00 80 02 01 :: 58 SRS, Air bag</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">00 80 20 01 :: 47 UEM, Upper Electronic Module</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">00 80 00 05 :: 60 AUM, Audio Module</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">00 80 00 21 :: 64 PHM, Phone Module</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Times, Times New Roman, serif;">These modules were queried but didn't reply:</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;"><b>ID Description</b></span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">50 CEM, Central Electronic Module (Hi-speed interface)</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">01 BCM, Brake Control Module (hi-speed network)</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">52 AEM, Accessory Electronic Module </span><br />
<span style="color: #9fc5e8; font-size: x-small;"><span style="font-family: Courier New, Courier, monospace;">11 ECM, Engine Control Module </span><span style="font-family: 'Courier New', Courier, monospace;">(hi-speed network)</span></span><br />
<span style="color: #9fc5e8; font-size: x-small;"><span style="font-family: Courier New, Courier, monospace;">28 SAS, Steering Angle Sensor </span><span style="font-family: 'Courier New', Courier, monospace;">(hi-speed network)</span></span><br />
<span style="color: #9fc5e8; font-size: x-small;"><span style="font-family: Courier New, Courier, monospace;">6e TCM, Transmission Control Module </span><span style="font-family: 'Courier New', Courier, monospace;">(hi-speed network)</span></span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; font-size: x-small;">62 RTI, Road Traffic Information module</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"><br /></span>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-Trlyt5nOoN4/ULplTzNRecI/AAAAAAAAACg/uz0QPQ3zbpQ/s1600/vida3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="420" src="http://4.bp.blogspot.com/-Trlyt5nOoN4/ULplTzNRecI/AAAAAAAAACg/uz0QPQ3zbpQ/s640/vida3.jpg" width="640" /></a></div>
And here's the sweet sight of hard reverse engineering work coming finally to fruition! Only coolant water temp and heater work status are being correctly queried though. A few software glitches still remain, but I don't care about that for now, since the thing I've been hunting for the past few weeks has now been identified! Yes, the command for starting the heater :)<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">Turn on the diesel heater:</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">00 0f ff fe | cf 40 b1 5f 3b 01 01 84 </span><br />
<span style="font-family: Courier New, Courier, monospace;">And the reply:</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">00 80 00 03 | cc 40 f1 5f 3b 00 00 00 </span><br />
<br />
<span style="color: #9fc5e8;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Turn off diesel heater:</span><br />
<span style="color: #9fc5e8; font-family: 'Courier New', Courier, monospace;">00 0f ff fe | cf 40 b1 5f 3b 01 01 80 </span><br />
<span style="font-family: Courier New, Courier, monospace;">Reply:</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">00 80 00 03 | cc 40 f1 5f 3b 00 00 00 </span><br />
<br />
<br />
Now, this seems weird, since I had already tried this command before and it didn't work! It is one of the possible permutations of the message I was advised to try earlier by Swedish hackers (thanks again guys!), and I'm quite sure I tried this one before. There are a few possible explanations:<br />
<br />
1) I somehow managed to screw up sending the message using ELM327 (with its yucky AT command set), but now when using the MCP2515 based Arduino CAN shield the message is constructed correctly.<br />
2) ECU needs something else in addition to the command message itself. When looking at the message log, I see VIDA sending the following message every 1-5 seconds:<br />
<span style="color: #9fc5e8;">00 0f ff fe | d8 00 00 00 00 00 00 00</span><br />
Could this be some kind of keep alive message needed by ECU?<br />
<br />
Also VIDA keeps querying the following stats every 3-4 seconds and their presence could be necessary (although unlikely):<br />
<br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">Cmd: 00 0f ff fe | cd 40 a6 1a 04 01 00 00</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">Reply: 00 80 00 03 | cd 40 e6 1a 04 1e 00 00 </span><br />
The 6th databyte of reply seems to coincide with ignition key lock status:<br />
1e = ignition II, 1d=radio (ignition I), 1c=off, 18=key out<br />
<br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">Cmd: 00 0f ff fe | cd 40 a6 1a 02 01 00 00 </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">Reply 00 80 00 03 | </span><span style="color: #9fc5e8; font-family: 'Courier New', Courier, monospace;">cd 40 e6 1a 02 60 00 00 </span><br />
The sixth databyte of reply fluctuates between 5d and 62, and could be the battery voltage. If we assume bits 0-2 consist of fractional part and bits 3-8 the integer part, then the values here would be interpreted as 11.625 and 12.25, and would fit well in our hypothesis. Actually a battery charger was connected during testing, so voltage over 12 volts would not be strange here.<br />
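<br />
The frame layout, command list, module table and the two status replies above can be checked against each other with a small decoder. This is an added example, not part of the original post or of the Sardine CAN code; the function and field names are its own, the general query has xx filled in with 40 (CEM), and the "reply command byte = request + 0x40" rule is only an observation from the frames quoted here.<br />

```python
# Added example: decodes the diagnostic frames quoted in this post.
# Tables are copied from the post; function and field names are this example's own.
DIAG_TOOL_ID = 0x000FFFFE  # identifier VIDA uses for its requests

COMMANDS = {  # command byte -> name (the Swedespeed list above)
    0xA1: "No Operation Performed (keep alive)", 0xA3: "Security Access Mode",
    0xA5: "Read Current Data By Offset", 0xA6: "Read Current Data By Identifier",
    0xA7: "Read Current Data By Address", 0xA8: "Set Data Transmission",
    0xA9: "Stop Data Transmission", 0xAA: "Dynamically Define Record",
    0xAB: "Read Freeze Frame Data By Offset", 0xAC: "Read Freeze Frame",
    0xAD: "Read Freeze Frame By DTC", 0xAE: "Read DTC", 0xAF: "Clear DTC",
    0xB0: "Input Output Control By Offset", 0xB1: "Input Output Control By Identifier",
    0xB2: "Control Routine By Offset", 0xB4: "Define Read Write ECU data",
    0xB8: "Write Data Block By Offset", 0xB9: "Read Data Block By Offset",
    0xBA: "Write Data Block By Address", 0xBB: "Read Data Block By Address",
}
MODULES = {  # module id -> (name, CAN id it replies from), S80 MY02 low-speed bus
    0x40: ("CEM", 0x00800003), 0x51: ("DIM", 0x00800009), 0x48: ("SWM", 0x00800801),
    0x29: ("CCM", 0x00801001), 0x43: ("DDM", 0x00800011), 0x45: ("PDM", 0x00800081),
    0x2E: ("PSM", 0x00800101), 0x46: ("REM", 0x00800401), 0x58: ("SRS", 0x00800201),
    0x47: ("UEM", 0x00802001), 0x60: ("AUM", 0x00800005), 0x64: ("PHM", 0x00800021),
}
KEY_POSITION = {0x1E: "ignition II", 0x1D: "radio (ignition I)",
                0x1C: "off", 0x18: "key out"}


def parse_line(line):
    """Split a log line '00 0f ff fe | cf 40 ...' into (can_id, 8 data bytes)."""
    ident, sep, payload = line.partition("|")
    if not sep:
        raise ValueError("expected '<id> | <data>'")
    can_id = int("".join(ident.split()), 16)
    data = bytes.fromhex("".join(payload.split()))
    if len(data) != 8:
        raise ValueError("expected 8 data bytes, got %d" % len(data))
    return can_id, data


def volts(raw):
    """Post's hypothesis: bits 0-2 are eighths of a volt, the upper bits whole volts."""
    return (raw >> 3) + (raw & 0x07) / 8.0


def decode(line):
    """Decode one logged frame into a dict of its fields."""
    can_id, data = parse_line(line)
    head = data[0]
    length = head & 0x07  # bits 0-2: number of bytes after the first byte
    body = data[1:1 + length]
    frame = {
        "direction": "request" if can_id == DIAG_TOOL_ID else "reply",
        "high_nibble": head >> 4,  # 0xC in the command frames quoted here
        "bit3_set": bool(head & 0x08),
        "length": length,
        "module": None, "command": None, "args": b"",
        "id_matches_module": None, "meaning": None,
    }
    if length < 2:
        return frame  # e.g. 'd8 00 ...': no module or command byte present
    module_id, cmd = body[0], body[1]
    name, reply_id = MODULES.get(module_id, ("unknown 0x%02x" % module_id, None))
    frame["module"] = name
    if frame["direction"] == "reply":
        # Observation from the frames in this post only: a reply carries the
        # request's command byte plus 0x40 (B1 -> F1, A6 -> E6).
        cmd = (cmd - 0x40) & 0xFF
        # A reply should arrive from the CAN id listed for the module it names.
        frame["id_matches_module"] = (reply_id == can_id)
    frame["command"] = COMMANDS.get(cmd, "unknown 0x%02x" % cmd)
    args = frame["args"] = body[2:]
    if frame["direction"] == "reply" and cmd == 0xA6 and len(args) >= 3:
        if args[:2] == b"\x1a\x04":
            frame["meaning"] = "key position: " + KEY_POSITION.get(args[2], "unknown")
        elif args[:2] == b"\x1a\x02":
            frame["meaning"] = "battery voltage (hypothesis): %.3f V" % volts(args[2])
    return frame


SAMPLES = [  # frames quoted in this post; the first has xx filled in with 40
    "00 0f ff fe | cb 40 b9 f0 00 00 00 00",
    "00 0f ff fe | cf 40 b1 5f 3b 01 01 84",
    "00 80 00 03 | cc 40 f1 5f 3b 00 00 00",
    "00 80 00 03 | cd 40 e6 1a 04 1e 00 00",
    "00 80 00 03 | cd 40 e6 1a 02 60 00 00",
    "00 0f ff fe | d8 00 00 00 00 00 00 00",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        f = decode(sample)
        print(sample, "->", f["direction"], f["module"], f["command"],
              f["args"].hex(), f["meaning"] or "")
```

Note that the periodic d8 frame decodes to a zero-length payload with a high nibble of D rather than C, so it does not follow the command layout at all.<br />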
<br />
VIDA needs the key to be in ignition II position in order to launch the heater section, but I did try switching the key position and it didn't have any effect on the result itself: Heater can be turned on with the diagnostic command even when the key is not in the keylock! This is actually quite a relief - spoofing the keylock position in the remote heater starter would require quite a bit more work, but luckily this doesn't seem to be needed. However, what is a little bit alarming is that no indication of the heater status is shown on DIM, nor does the manual on/off functionality on the control stalk work when turning on the heater using this diagnostic command. Thus I will have to put some other kind of stop functionality and warning system in place when designing the box.<br />
<br />
Still this isn't a fully functional J2534 device yet: It doesn't support ISO9141 or any other kind of protocols apart from CAN and ISO 15765, nor does it work when connecting it to OBD port, since it's missing the K-line initialization and keep-alive messaging to keep the diagnostic relay open on CAN bus pins. Maybe I will add some more functionality later, but for now, I'm quite happy with the results that I got. Also, no more Win32 programming for a while :)<br />
<br />
<br />
<div>
<br /></div>
Posted by Olaf (Suomi)<br />
<br />
Introducing J2534.. (published 2012-11-27)<br />
<br />
So, I've been down with the flu for the past week and a half, and frankly quite tired of it already. But what else can you do than hack when you're confined to the sick bay, even when there's the constant headache and runny nose making things harder. I think I got the double jackpot: both rhino and adenoviruses at the same time. Anyway, I took this as an opportunity to go extreme and maximize my suffering by starting to learn Win32 APIs, DLL programming, multi-threading, semaphores, COM port handling and of course Hungarian notation. That, combined with Unicode type naming etc was the straw that almost broke the back of this camel.<br />
<br />
Ok, why all this Win32 nonsense. I'm totally happy coding on Linux as it is, so why learn all aforementioned stuff? First, I'm gonna tell you a riddle: What's the difference between sardine can and Sardine CAN?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-6WizZ8ZxAJw/ULUwLP7gvOI/AAAAAAAAABk/ReNosR0S2vY/s1600/2012-11-27+22.52.54.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="http://3.bp.blogspot.com/-6WizZ8ZxAJw/ULUwLP7gvOI/AAAAAAAAABk/ReNosR0S2vY/s640/2012-11-27+22.52.54.jpg" width="640" /></a></div>
<br />
On the right you can see John West sardine can. The sardines are submersed in a delicious tomato sauce and deliver 164kcal per 100g of energy. Good for recuperating from the flu.<br />
<br />
And then on the left there's Sardine CAN by Olaf's Hacking Volvo labs. Included currently is a firmware version 01.00, offering part of SAE J2534-1 functionality and a bit of J2534-2.<br />
<br />
So, what are these useful for? The SAE J2534 is an industry standard that defines how third-party software can be used to communicate with automobile ECUs in a hardware independent way. Buy any (expensive) J2534 flash/diagnostic tool and what you get is their proprietary software for diagnostics, supplemented with a standard J2534 API (Win32 DLL) that uses the hardware supplied to communicate with the car via its OBD port. The API offers various protocols (ISO9141, CAN, ISO 15765, J1850 and so on) and thus lets third-party applications send and receive messages without having to know anything about what happens between the API and the communication stack of the ECU - it's all transparent.<br />
<br />
Now, what is interesting is that some car manufacturers (including Volvo) have in their diagnostic software a possibility to use communication tools other than the one supplied. First they parse the Windows registry for entries related to J2534 devices. Usually they offer the user a list of available devices, then load the DLL associated with the device and start using its services. VIDA (Vehicle Information and Diagnostics application) from Volvo is one of these applications, and its J2534 support enables us to use it without the related hardware, the DiCE (Diagnostic Communication Equipment). With VIDA, you can browse all the ECUs in the car (including CPM, the module responsible for the parking heater!) and send diagnostic commands to test their functionality. And the logical conclusion would be, of course, that if these commands could be intercepted, then the command for turning on the parking heater might be found :)<br />
<br />
There is a plethora of J2534 devices, most of them quite expensive (1000+ euros). There are also some cheap Chinese copies selling for 100-200 euros, but there's no guarantee of them working out of the box, and I wouldn't like the idea of spending my free weekend diagnosing the diagnostic tool. There are absolutely no open source or freeware solutions available, so my last option would be to tackle this beast on my own. I got ahold of J2534-1 and J2534-2 standards documents and started hacking. And after a few days full of dizzy coding sessions with viral headache enhanced with nausea from Hungarian notation, this is the result:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-Ru4crvdV3cs/ULU-9rrT7UI/AAAAAAAAAB0/VJBS_af8F9A/s1600/2012-11-27+22.42.57.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://4.bp.blogspot.com/-Ru4crvdV3cs/ULU-9rrT7UI/AAAAAAAAAB0/VJBS_af8F9A/s640/2012-11-27+22.42.57.jpg" width="480" /></a></div>
<br />
VIDA can now recognize the Sardine CAN tool and send VIN (Vehicle information number) query via CAN bus :) Actually the command seen in the first picture is one of the messages sent by Vida. However I haven't yet been able to access the diagnostics part of Vida, since it seems to require a proper response from the ECU in order to function correctly. I've implemented most of the CAN bus related stuff on J2534 (including sending periodic messages), as well as some of the ISO 15765 flow control in order for VIDA to receive long CAN messages, where payload length>8 (such as the VIN), but lower level pass/block filtering is yet to be done. So connecting Sardine CAN to the car in its current form would flood VIDA with unrelated messages. There's still quite a lot to do, but sending and receiving messages using Drewtech's free J2534 tool already works though, so I'm confident that after a few days of tinkering I might be able to give this monster a shot at the car itself.<br />
<br />
BTW. I'm releasing the software as open source after I get this reasonably stable and functioning. This still needs quite a bit of work to be useful to anybody and frankly, I'm a little bit embarrassed at the Win32 specific portions of the software (related to my few days worth of programming experience on the platform), so I'm not yet ready to open this to the world. But anyway, if you're interested in alpha testing and have reasonable debugging skills, I might make an exception and let you test this tool before it hits SourceForge.<br />
<br />
Sardine power!<br />
<br />
Posted by Olaf (Suomi)<br />
<br />
Wireless fun (published 2012-11-18)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
As my attempts at starting the heater have failed again and again, I needed to get my mind off it for a while and decided to concentrate on prototyping the wireless connection and CAN controller. ELM327 is too cumbersome to be used as a permanent installation and frankly, I'm not too fond of the AT command interface that it uses. I ordered a few things online and now it's time to put them into use:<br />
<ul style="text-align: left;">
<li>2 XBee modules (XB24-ASI-001 &amp; XB24-AWI-001)</li>
<li>Wireless SD shield for easy XBee prototyping</li>
<li>XBee USB Explorer for transparent testing with terminal emulator</li>
<li>Arduino CAN shield</li>
<li>2 MCP2515 CAN controller chips and 2 MCP2551 CAN transceivers</li>
</ul>
The CAN controller and transceiver chips are identical to those in Arduino CAN shield, so after prototyping with Arduino and aforementioned shields, it's easy to design and build a PCB from those same components.<br />
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
After some weekend hacking, I managed to build a CAN network consisting of ELM327 and Arduino CAN modules with XBee modules routing the CAN traffic and commands quite transparently.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-1BLOpCVUGsg/UKkkd_zn7hI/AAAAAAAAA1M/L9UgcLJUtKg/s1600/2012-11-17+14.44.26.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="480" src="http://3.bp.blogspot.com/-1BLOpCVUGsg/UKkkd_zn7hI/AAAAAAAAA1M/L9UgcLJUtKg/s640/2012-11-17+14.44.26.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Here's some early XBee module testing. </td></tr>
</tbody></table>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-WX9npJ0yWzE/UKklWwY2k-I/AAAAAAAAA1s/2dVZCqkOD6g/s1600/2012-11-18+16.15.15.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="480" src="http://3.bp.blogspot.com/-WX9npJ0yWzE/UKklWwY2k-I/AAAAAAAAA1s/2dVZCqkOD6g/s640/2012-11-18+16.15.15.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;">Here's the CAN network: On the left, Arduino with CAN shield and on the right, ELM327. The network is terminated with two 56 ohm resistors to minimize signal reflection. It might work without them, but I added them just in case.</span></td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><img border="0" height="480" src="http://4.bp.blogspot.com/--_MfyV5AQ4I/UKklDVXdwnI/AAAAAAAAA1c/1jIhtoxT7nc/s640/2012-11-18+16.10.28.jpg" style="margin-left: auto; margin-right: auto;" width="640" /></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Here we are sending one message with the XBee module to the Arduino. The XBee USB Explorer allows hassle-free connection with any terminal emulation software. Here we use Minicom.</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-OGb3PI_cVSE/UKkkxlSC3ZI/AAAAAAAAA1U/sT1ltMN1re0/s1600/2012-11-18+16.11.31.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="http://2.bp.blogspot.com/-OGb3PI_cVSE/UKkkxlSC3ZI/AAAAAAAAA1U/sT1ltMN1re0/s640/2012-11-18+16.11.31.jpg" width="480" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">The message is received via the XBee module and sent through the CAN bus using the CAN shield (topmost shield). The antenna used here is from an old wireless ADSL router. Seems to work quite fine anyway.</td></tr>
</tbody></table>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-gWk5QnErIuI/UKklPHk2QXI/AAAAAAAAA1k/O1erTX2sFpA/s1600/2012-11-18+16.12.38.jpg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="640" src="http://1.bp.blogspot.com/-gWk5QnErIuI/UKklPHk2QXI/AAAAAAAAA1k/O1erTX2sFpA/s640/2012-11-18+16.12.38.jpg" width="480" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Finally the message is received with the ELM327 in "monitor all" mode. The communication also works in the other direction: a message sent with the ELM327 is received by the CAN controller on the Arduino and sent via XBee to the other laptop.</td></tr>
</tbody></table>
<br />
<br />
<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-irPmdeUlO7M/UKkldtkGrbI/AAAAAAAAA14/cW2-5ylwP9I/s1600/2012-11-18+16.20.58.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="480" src="http://4.bp.blogspot.com/-irPmdeUlO7M/UKkldtkGrbI/AAAAAAAAA14/cW2-5ylwP9I/s640/2012-11-18+16.20.58.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Here we can see beautiful symmetrical CAN signaling on the oscilloscope :)</td></tr>
</tbody></table>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
I also tested the power consumption of various shields and modules with 12V input power (using HP 6632B lab power supply).</div>
<div style="text-align: left;">
</div>
<ul style="text-align: left;">
<li>Arduino: 52 mA</li>
<li>Wireless SD shield + XBee module: 55 mA</li>
<li>CAN shield: 6 mA</li>
<li>LCD: 27 mA (with backlight), 10 mA (without backlight)</li>
<li>Total: 140 mA</li>
</ul>
As you can see, there's quite a lot of optimization to be done. The 7805 power regulator has some overhead that can be minimized with a smarter power supply. The Arduino can be put into sleep mode, to be woken by a signal from either the XBee or the CAN module, but at minimum we are talking about 60-70 mA consumption at idle. With my 95 Ah car battery, it would take around (95 Ah/2) / 0.07 A = 678 hours = 28 days for the battery to be depleted to half charge. Not bad, but still potentially harmful, since this device is not the only machine in the car using the battery.<br />
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
</div>
Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-8939323573892464019.post-77364527285552615072012-11-16T08:54:00.000-08:002012-11-18T16:46:35.394-08:00Another try..<div dir="ltr" style="text-align: left;" trbidi="on">
After more research, I got unexpected help from a <a href="http://www.svxc.se/phpBB2/viewtopic.php?t=23011&postdays=0&postorder=asc&start=0&sid=d747c12aec2674f1f8edb95f18edbf77">Swedish Volvo forum</a>. Now I know why it's so hard to find any hits from Google when searching with keywords relating to the Volvo proprietary CAN protocol: All the hackers in that field of expertise are Swedish :) So, I spent quite a few hours reading the thread with the help of Google Translate, but still couldn't find any references to the parking heater. The nice guys on the forum did mention a few tricks on how the heater could be ignited, but nevertheless they didn't work. When sending commands to CEM to start the heater directly, such as this:<br />
<br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">Id: 00 0F FF FE<br />Data: CF 40 B1 5F 3B 01 01 04</span><br />
<br />
The result is <br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">Id: 00 80 00 03 <br />Data: CC 40 7F B1 22 00 00 00</span> <br />
which indicates "Error: Conditions not correct or request sequence error"<br />
<br />
It seems that starting the heater directly is a process more complicated than expected, involving the need to start perhaps also the water pump and other components via a direct command.<br />
<div>
<br /></div>
<div>
Here's a command for querying the heater status:</div>
<div>
<br />
<span style="font-family: Courier, Courier New, sans-serif; font-size: xx-small;"><br /></span>
<span style="color: #9fc5e8; font-family: Courier, Courier New, sans-serif;">000FFFFE CD 40 A6 5F 32 01 00 00 </span><br />
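<span style="color: #9fc5e8; font-family: Courier, Courier New, sans-serif;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;|&nbsp;&nbsp;|&nbsp;&nbsp;'--|&nbsp;&nbsp;|</span><br />
<span style="color: #9fc5e8; font-family: Courier, Courier New, sans-serif;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;|&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;'-------- 01=Send the record once</span><br />
<span style="color: #9fc5e8; font-family: Courier, Courier New, sans-serif;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;|&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;'----------- 5F 32=Heater work status</span><br />
<span style="color: #9fc5e8; font-family: Courier, Courier New, sans-serif;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;|&nbsp;&nbsp;'----------------- A6=Read Current Data By Identifier</span><br />
<span style="color: #9fc5e8; font-family: Courier, Courier New, sans-serif;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;'-------------------- CEM id</span><br />
<span style="color: #9fc5e8; font-family: Courier, Courier New, sans-serif;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;'----------------------- message length</span><br />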
<span style="font-family: Courier, Courier New, sans-serif;"><br /></span>
<span style="font-family: Courier, Courier New, sans-serif;">Heater work status 0x5F32</span><br />
<span style="font-family: Courier, Courier New, sans-serif;">0x10 Heater is not started</span><br />
<span style="font-family: Courier, Courier New, sans-serif;">0x20 Heater is starting</span><br />
<span style="font-family: Courier, Courier New, sans-serif;">0x30 Heater & fuel pump active</span><br />
<span style="font-family: Courier, Courier New, sans-serif;">0x40 Heater is running</span><br />
<span style="font-family: Courier, Courier New, sans-serif;">0x50 Heater is stopping</span><br />
<span style="font-family: Courier, Courier New, sans-serif;">0x60 Heater is cycling</span><br />
<span style="font-family: Courier, Courier New, sans-serif;">0x70 Heater is stopped</span><br />
<span style="font-family: Courier, Courier New, sans-serif;">0x80 Blow out occurred</span><br />
<span style="font-family: Courier, Courier New, sans-serif;">0x90 Rest heat is running</span><br />
<span style="font-family: Courier, Courier New, sans-serif;">0xA0 Operate fuel pump function</span><br />
<span style="font-family: Courier, Courier New, sans-serif;">0xB0 One activation on fuel pump</span><br />
<span style="font-family: Courier, Courier New, sans-serif; font-size: xx-small;"><br /></span>
<span style="font-family: Courier, Courier New, sans-serif; font-size: xx-small;"><br /></span>
<span style="font-family: Courier, Courier New, sans-serif; font-size: xx-small;"><br /></span>
<span style="font-family: inherit;">I did start the heater manually using the control stalk and queried the status a few times:</span><br />
<br />
<span style="color: #9fc5e8; font-family: Courier, Courier New, sans-serif;">00 0F FF FE cd 40 a6 5f 32 01 00 00</span><br />
<span style="color: #9fc5e8; font-family: Courier, Courier New, sans-serif;">00 80 00 03 CD 40 E6 5F 32 01 00 00 // before starting (01=not powered?)</span><br />
<span style="color: #9fc5e8; font-family: Courier, Courier New, sans-serif;">00 0F FF FE cd 40 a6 5f 32 01 00 00</span><br />
<span style="color: #9fc5e8; font-family: Courier, Courier New, sans-serif;">00 80 00 03 CD 40 E6 5F 32 11 00 00 // turned it on manually: not yet started, but powered?</span><br />
<span style="color: #9fc5e8; font-family: Courier, Courier New, sans-serif;">00 0F FF FE cd 40 a6 5f 32 01 00 00</span><br />
<span style="color: #9fc5e8; font-family: Courier, Courier New, sans-serif;">00 80 00 03 CD 40 E6 5F 32 20 00 00 // after a few secs: heater is starting</span><br />
<span style="color: #9fc5e8; font-family: Courier, Courier New, sans-serif;">00 0F FF FE cd 40 a6 5f 32 01 00 00</span><br />
<span style="color: #9fc5e8; font-family: Courier, Courier New, sans-serif;">00 80 00 03 CD 40 E6 5F 32 30 00 00 // after 1 min: heater & fuel pump active</span><br />
<div>
<br /></div>
<div>
So at least querying works.. This needs more investigation.</div>
<div>
<div>
<span style="background-color: #fafafa; color: #006600; font-family: Courier, 'Courier New', sans-serif; font-size: 10px;"><br /></span></div>
</div>
</div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8939323573892464019.post-71779173547187290422012-11-10T15:09:00.000-08:002012-11-18T16:46:26.572-08:00Eye candy<div dir="ltr" style="text-align: left;" trbidi="on">
I've been fervently trying to find the message that starts the parking heater, but without success. Manually one starts it by changing menu options (shown on the DIM LCD) using the left control stalk, selecting the correct one (manual start) and then pressing the RESET button for longer than half a second. After numerous attempts, I still haven't found any new, interesting messages immediately after manually starting the heater, so I suspect this is not going to be as easy as I thought.<br />
<br />
Back to the roots: The electronic diagram. It seems that CPM (Combustion pre-heater module, the one responsible for controlling the whole heater) is not on CAN bus, but is instead controlled by CEM (central electronic module). So, no direct message is being sent from SWM (steering wheel module) or DIM (driver information module) to CPM, but CEM must be the guy in the middle. So, messages sent by SWM or DIM (stimulated by user pressing buttons on the control stalk) must be interpreted by CEM.<br />
<br />
Then I thought, could it be possible to emulate SWM/DIM functionality so that CEM would think that the user is activating the heater manually?<br />
<br />
SWM is constantly sending status messages like this:<br />
<span style="color: #9fc5e8;">header: 02 61 30 0a </span><br />
<span style="color: #9fc5e8;">data: 80 00 00 27 80 c2 00 cf</span><br />
<span style="color: #9fc5e8;">1. byte: high nibble: rolling counter (0,4,8,C)</span><br />
<span style="color: #9fc5e8;">2-3. byte: 0</span><br />
<span style="color: #9fc5e8;">4. byte: always 27?</span><br />
<span style="color: #9fc5e8;">5. byte: low nibble: turn indicators (0=off, 4=right, 8=left)</span><br />
<span style="color: #9fc5e8;">5. byte: high nibble: 8=normal, a=READ-button pressed, c=RESET-button pressed</span><br />
<span style="color: #9fc5e8;">6. byte: always c2?</span><br />
<span style="color: #9fc5e8;">7. byte: windshield wiper: 10=turn wiper once, 01= activate windshield washer, 08=continuous wiper</span><br />
<span style="color: #9fc5e8;">8. byte: control stalk selection ring position (values 0xC1-0xFF)</span><br />
<br />
Now, the eighth byte seems important. Disappointingly, it's not an indicator of which menu item is selected, but just an arbitrary position counter from which to discern the speed and direction of ring movement. So I have no way to know which menu item is now selected on DIM, and thus no way of knowing how many positions to move up/down (i.e. how many messages to send and in which direction) to get to the "manual start" item on the menu. Damn.<br />
<br />
Got bored and started playing around with the GSM module. Then it occurred to me that there must be messages on the CAN bus where the phone module asks DIM to show certain messages (phone number currently dialed etc) on its LCD display. So, I coded more functionality into the filtering program to show the payload of a message as ASCII characters (if it contains alphanumeric content), and thus I was able to quickly trace the module and the messages responsible for sending distinct characters to the LCD. The rest of the reverse engineering task was pretty easy.<br />
<br />
So, here's the example message to control DIM LCD, showing a way to set an arbitrary message on the LCD:<br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">Header: 00 c0 00 08 (phone module)</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">Data: </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">e1 fe 00 00 00 00 00 00 (clears the screen)</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">a7 00 68 74 74 70 3a 2f (start message, 7 bytes payload)</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">21 2f 68 61 63 6b 69 6e (in-between message, 7 bytes payload)</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">22 67 76 6f 6c 76 6f 2e </span><span style="color: #9fc5e8; font-family: 'Courier New', Courier, monospace;">(in-between message, 7 bytes payload)</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">23 62 6c 6f 67 73 70 6f </span><span style="color: #9fc5e8; font-family: 'Courier New', Courier, monospace;">(in-between message, 7 bytes payload)</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">65 74 2e 63 6f 6d 00 00 (ending message, 5 bytes)</span><br />
<br />
So there are 6 messages, of which the first one is separately executed by DIM, and messages 2-6 are the content, displayed only after the last message has been transmitted. It seems that the high nibble of 1st byte of every message here contains a signal: e=command, a=begin, 2=in-between-message, 6=end. Low nibble indicates either payload byte count or the index of the message (in case of in-between message). In the latter case the payload is always 7 bytes. Rest of the bytes are just ASCII-characters. In this case it reads "http://hackingvolvo.blogspot.com" :)</div>
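The framing described above, as an added C example (not code from the original post): it reassembles the display text from the six data frames quoted in the post. The function names and result codes are assumptions made for this example, and zero bytes are treated as padding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* High nibble of the first data byte, as described in the post. */
enum { KIND_IN_BETWEEN = 0x2, KIND_END = 0x6, KIND_BEGIN = 0xA, KIND_COMMAND = 0xE };

/* Result codes (names chosen for this example). */
enum { LCD_OK = 0, LCD_BAD_ORDER = -1, LCD_BAD_LENGTH = -2,
       LCD_TRUNCATED = -3, LCD_OVERFLOW = -4 };

/* The six data frames quoted in the post (header 00 c0 00 08). */
static const uint8_t POST_FRAMES[6][8] = {
    {0xe1, 0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
    {0xa7, 0x00, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f},
    {0x21, 0x2f, 0x68, 0x61, 0x63, 0x6b, 0x69, 0x6e},
    {0x22, 0x67, 0x76, 0x6f, 0x6c, 0x76, 0x6f, 0x2e},
    {0x23, 0x62, 0x6c, 0x6f, 0x67, 0x73, 0x70, 0x6f},
    {0x65, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00},
};

/* Append n payload bytes to out. Zero bytes are skipped as padding
 * (assumption) and other non-printable bytes become '?'. */
static int append_text(char *out, size_t cap, size_t *len,
                       const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (p[i] == 0x00)
            continue;
        if (*len + 1 >= cap)
            return LCD_OVERFLOW;
        out[(*len)++] = (p[i] >= 0x20 && p[i] < 0x7f) ? (char)p[i] : '?';
    }
    out[*len] = '\0';
    return LCD_OK;
}

/* Rebuild the text carried by a begin / in-between / end sequence.
 * Command frames (such as "clear the screen") carry no text and are skipped. */
int lcd_reassemble(const uint8_t frames[][8], size_t count, char *out, size_t cap)
{
    size_t len = 0;
    unsigned next_index = 1;   /* in-between frames are numbered 1, 2, 3, ... */
    int started = 0, finished = 0;

    if (cap == 0)
        return LCD_OVERFLOW;
    out[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        unsigned kind = frames[i][0] >> 4;
        unsigned low = frames[i][0] & 0x0f;
        size_t n;
        int rc;

        if (kind == KIND_COMMAND)
            continue;
        if (finished)
            return LCD_BAD_ORDER;          /* text after the end frame */
        switch (kind) {
        case KIND_BEGIN:
            if (started)
                return LCD_BAD_ORDER;
            started = 1;
            n = low;                       /* low nibble = payload byte count */
            break;
        case KIND_IN_BETWEEN:
            if (!started || low != next_index)
                return LCD_BAD_ORDER;      /* missing or reordered frame */
            next_index++;
            n = 7;                         /* always 7 payload bytes */
            break;
        case KIND_END:
            if (!started)
                return LCD_BAD_ORDER;
            finished = 1;
            n = low;
            break;
        default:
            return LCD_BAD_ORDER;
        }
        if (n > 7)
            return LCD_BAD_LENGTH;         /* only 7 bytes follow the first */
        rc = append_text(out, cap, &len, &frames[i][1], n);
        if (rc != LCD_OK)
            return rc;
    }
    return finished ? LCD_OK : LCD_TRUNCATED;
}

int main(void)
{
    char text[64];
    int rc = lcd_reassemble(POST_FRAMES, 6, text, sizeof text);
    printf("rc=%d text=\"%s\"\n", rc, text);
    return rc == LCD_OK ? 0 : 1;
}
```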
Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-8939323573892464019.post-29266631673363298172012-11-07T14:14:00.000-08:002012-11-18T16:46:17.899-08:00Poking bits<div dir="ltr" style="text-align: left;" trbidi="on">
Ok, today was the first time I tried to duplicate the messages I had previously analyzed. What is there more to science than proving your hypotheses right or wrong: scientific principle!<br />
<br />
I was pretty confident I had managed to unravel the format in the messages SWM (steering wheel module) sends while pressing audio control buttons and playing with cruise control (ignition off, mind you).<br />
<br />
A typical message is:<br />
<br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">Header: 00 40 00 66 </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">Data: c0 00 00 01 1f 40 40 7f</span><br />
<span style="color: #9fc5e8;"><span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">1st data byte: High nibble: Rolling counter (either 0/4/8/c). This changes every message.</span></span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;"> Low nibble: 0 always</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">2-3: 0x00</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">4: rolling counter (0-7), advances only when there's a change in the message content</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">5-6: cruise control button commands: </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;"> 1f 40 (nothing pressed)</span><br />
<span style="color: #9fc5e8; font-family: 'Courier New', Courier, monospace;"> 1e 41 (cruise main button)</span><br />
<span style="color: #9fc5e8; font-family: 'Courier New', Courier, monospace;"> 0f 50 (0/zero)</span><br />
<span style="color: #9fc5e8; font-family: 'Courier New', Courier, monospace;"> 17 48 (reload/return to previously set speed)</span><br />
<span style="color: #9fc5e8; font-family: 'Courier New', Courier, monospace;"> 1d 42 (+ speed)</span><br />
<span style="color: #9fc5e8; font-family: 'Courier New', Courier, monospace;"> 1b 44 (- speed)</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">7: 0x40</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">8: audio </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;"> 7f=nothing pressed</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;"> 77 volume up</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;"> 7b<span class="Apple-tab-span" style="white-space: pre;"> </span>volume down</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;"> 7d<span class="Apple-tab-span" style="white-space: pre;"> </span>forward</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;"> 7e backward </span><br />
<br />
With this information, I was ready to construct my first message: Fast-forward to the next song on an audio CD. And it worked! God damn that felt good after passive logging for so many days :) Then I tried other audio related commands with success. The only thing that needs to be taken care of is advancing those two counters. The second one is easier, since it changes only after each key press, but the first counter advances with every new message (dozens of times/sec). Thus sometimes the receiving end dismisses the message (thinking that it was an old one, if the current latest msg index is 'c' and we tried sending ours with index '4').<br />
<br />
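The two counters and the button encoding listed above are also what a passive bus monitor can check. The following is an added C example (not code from the original post) that flags SWM frames (header 00 40 00 66) whose fields disagree with that description. It assumes the per-message counter steps 0, 4, 8, c and wraps, and that the change counter moves exactly when bytes 5-8 change; the sample log is constructed, not captured, and all names are chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum {
    SWM_OK            = 0,
    SWM_BAD_FIXED     = 1 << 0,  /* a byte the post lists as constant differs */
    SWM_BAD_CRUISE    = 1 << 1,  /* bytes 5 and 6 disagree about the button */
    SWM_SEQ_JUMP      = 1 << 2,  /* per-message counter did not step 0,4,8,c */
    SWM_CHANGE_MISUSE = 1 << 3   /* change counter and content out of step */
};

typedef struct { int have_prev; uint8_t prev[8]; } swm_monitor;

/* Constructed sample log: idle, idle, "forward" pressed, released, then two
 * frames that break the rules on purpose. */
static const uint8_t SAMPLE_LOG[6][8] = {
    {0x00, 0x00, 0x00, 0x01, 0x1f, 0x40, 0x40, 0x7f},
    {0x40, 0x00, 0x00, 0x01, 0x1f, 0x40, 0x40, 0x7f},
    {0x80, 0x00, 0x00, 0x02, 0x1f, 0x40, 0x40, 0x7d},
    {0xc0, 0x00, 0x00, 0x03, 0x1f, 0x40, 0x40, 0x7f},
    {0x40, 0x00, 0x00, 0x03, 0x1f, 0x40, 0x40, 0x7f},  /* c -> 4, skips 0 */
    {0x80, 0x00, 0x00, 0x03, 0x1e, 0x40, 0x40, 0x7f},  /* 1e without 41 */
};

/* In every pair the post lists, byte 5 clears one bit of 0x1f and byte 6 sets
 * the same bit on top of 0x40 (1e/41, 1d/42, 1b/44, 17/48, 0f/50).
 * Returns the pressed-button bits, or -1 when the two bytes disagree. */
static int cruise_bits(const uint8_t d[8])
{
    uint8_t cleared = (uint8_t)(~d[4] & 0x1f);
    uint8_t set = (uint8_t)(d[5] & 0x1f);

    if ((d[4] & 0xe0) != 0x00 || (d[5] & 0xe0) != 0x40)
        return -1;
    return cleared == set ? (int)cleared : -1;
}

/* Check one frame against the previous one; returns a mask of SWM_* flags.
 * A logger that drops frames will also trigger SWM_SEQ_JUMP. */
unsigned swm_check(swm_monitor *m, const uint8_t d[8])
{
    unsigned flags = SWM_OK;

    /* Byte 1: high nibble is 0/4/8/c, low nibble 0. Bytes 2-3: 0.
     * Byte 4: counter 0-7. Byte 7: 0x40. */
    if ((d[0] & 0x3f) || d[1] || d[2] || (d[3] & 0xf8) || d[6] != 0x40)
        flags |= SWM_BAD_FIXED;
    if (cruise_bits(d) < 0)
        flags |= SWM_BAD_CRUISE;

    if (m->have_prev) {
        const uint8_t *p = m->prev;
        unsigned expected = ((unsigned)(p[0] >> 4) + 4u) & 0x0fu;
        int content_changed = memcmp(p + 4, d + 4, 4) != 0;
        int counter_changed = d[3] != p[3];

        if ((unsigned)(d[0] >> 4) != expected)
            flags |= SWM_SEQ_JUMP;
        if (content_changed != counter_changed)
            flags |= SWM_CHANGE_MISUSE;
    }
    memcpy(m->prev, d, 8);
    m->have_prev = 1;
    return flags;
}

/* Number of frames in a log that raise at least one flag. */
size_t swm_count_flagged(const uint8_t frames[][8], size_t count)
{
    swm_monitor m = {0};
    size_t flagged = 0;

    for (size_t i = 0; i < count; i++)
        if (swm_check(&m, frames[i]) != SWM_OK)
            flagged++;
    return flagged;
}

int main(void)
{
    swm_monitor m = {0};

    for (size_t i = 0; i < 6; i++)
        printf("frame %zu: flags=0x%x\n", i + 1, swm_check(&m, SAMPLE_LOG[i]));
    return 0;
}
```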
Now, I wasn't going to fiddle with cruise control while driving (after childhood one starts accumulating these boring self-preservative tendencies), but I couldn't resist forging remote fob central locking messages. And with a little bit of anxiety, I sent the message. Cold chills went up my spine when I heard the central locking mechanism engage! Then I tried the unlocking message, and off the locks went.. I'm not going to describe the messages in detail here (I'm a little bit paranoid should they contain specific details of my car security), even if I know one must be physically connected to the CAN bus to send the aforementioned commands. Most likely they are just messages where CEM (central electronic module) is commanding doors to unlock (unencrypted messages) after the more secure encrypted wireless messaging between the remote fob and CEM.<br />
<br />
<br />
<br />
<br /></div>
Unknownnoreply@blogger.com1Suomi61.92411 25.74815154.229326 5.5333070000000006 69.618894 45.962995tag:blogger.com,1999:blog-8939323573892464019.post-81037123738991744352012-11-06T12:47:00.000-08:002012-11-18T16:46:02.082-08:00Reading between lines<div dir="ltr" style="text-align: left;" trbidi="on">
I have been logging CAN bus messages for the past few days, driving around, fiddling with knobs and settings on the car and seeing what kind of messages are sent on the low speed bus. I wrote a Linux program (in C) to assist in filtering, since the amount of traffic in the network is huge even when the ignition is off! After a few evenings of tinkering with filtering algorithms and heuristics, I managed to reduce the logging to a sensible amount (1-5 messages/sec), a number that now opens the possibility to manually watch the log in real time for suspicious activity while at the same time poking around with knobs. Thus, I'm able to deduce which message(s) are being sent in response to what kind of stimulus.<br />
<br />
The general format of the messages is as follows:<br />
<h3>
<span style="color: #a2c4c9;">0xaa 0xaa 0xaa 0xaa 0xbb 0xbb 0xbb 0xbb 0xbb 0xbb 0xbb 0xbb</span></h3>
4 header bytes followed by 8 data bytes. ELM327 seems to do some header formatting by itself, and the actual structure of the header bytes that ELM outputs is not very well documented (not even in the <a href="http://elmelectronics.com/DSheets/ELM327DS.pdf">datasheet </a>itself!). According to the CAN bus extended frame format (used by 29-bit messaging), there are 2 bits (SRR&IDE) between Identifier A (11-bit ID) and Identifier B (18-bit ID) and they both must be 1. None of the messages intercepted contain sequential ones in the appropriate positions, so I must assume ELM327 does not output them. This leaves 32-18-11=3 bits up to speculation. The start-of-frame bit is always 0, and this applies to all messages intercepted. But it would seem weird for ELM to include this redundant bit in its output, so I must assume it is stripped. Thus, it would seem that this is the format of the CAN 2.0B header, as formatted by ELM327 (subject to change)<br />
<br />
<ul>
<li>11 bits (identifier A)</li>
<li>18 bits (identifier B)</li>
<li>RTR bit (remote transmission request)</li>
<li>2 reserved bits </li>
</ul>
<br />
(total of 32 bits = first 4 bytes)<br />
At first I didn't understand where the DLC (data length code) is embedded, but after a while I found out how to force ELM327 (via the AT D1 command) to show the data length between header and data. However, after extensive logging it seems to be always 8 (even though some messages seem to contain leading zeroes), so I must assume Volvo CAN bus always transmits messages with 8 data bytes, and the actual length of the payload is inherent in the upper level protocol definition or transmitted inside the payload itself, perhaps consisting of the first few bits of the payload.<br />
<br />
According to electronic schematics, there are 14 different electronic modules connected to the low speed bus, of which I have only 12. Here's the list:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">Name Id Description</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">AUM 16/1 Audio module<br /> CCM 3/112 Climate control module<br /> CEM 4/56 Central electronic module<br /> DIM 5/1 Combined instrument panel (Driver Information Module)<br /> PDM 3/127 Passenger door module<br /> DDM 3/126 Driver door module<br /> PHM 16/60 Integrated mobile telephone<br /> PSM 4/52 Power driver's seat module<br /> REM 4/58 Rear electronic module</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">SRS 4/9 Supplemental restraint system<br /> SWM 3/130 Steering wheel module<br /> UEM 4/70 Upper electronic module</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">Here are the optional modules that I don't have.</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace;">RTI 16/45 Road traffic information control module<br /> AEM 4/78 Accessory electronic module</span><br />
<br />
<span style="font-family: inherit;">And here's the list of distinct header Ids contained in the millions of messages logged during last few days. </span><br />
<span style="line-height: 18px;"><span style="font-family: inherit;"><br /></span></span>
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;"></span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">00 40 00 66 - 00000000 01000000 00000000 01100110 11-addr: 2 SWM (cruise control and audio) </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">00 61 3d f8 - 00000000 01100001 00111101 11111000 11-addr: 3 ?</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">00 c0 00 08 - 00000000 11000000 00000000 00001000 11-addr: 6 PHM (phone module)</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">01 21 3f fc - 00000001 00100001 00111111 11111100 11-addr: 9 ?</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">01 40 04 4a - 00000001 01000000 00000100 01001010 11-addr: 10 CCM (climate control) </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">01 61 3f fc - 00000001 01100001 00111111 11111100 11-addr: 11 ?</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">01 80 00 28 - 00000001 10000000 00000000 00101000 11-addr: 12 ?</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">01 c0 30 a2 - 00000001 11000000 00110000 10100010 11-addr: 14 DDM (left door) </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">01 e0 12 66 - 00000001 11100000 00010010 01100110 11-addr: 15 ?</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">02 00 10 22 - 00000010 00000000 00010000 00100010 11-addr: 16 PDM (right door)</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">02 20 20 0e - 00000010 00100000 00100000 00001110 11-addr: 17 ?</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">02 40 10 2a - 00000010 01000000 00010000 00101010 11-addr: 18 ? </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">02 61 30 0a - 00000010 01100001 00110000 00001010 11-addr: 19 SWM control stalks </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">02 80 14 2a - 00000010 10000000 00010100 00101010 11-addr: 20 ? </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">02 a0 30 28 - 00000010 10100000 00110000 00101000 11-addr: 21 ? </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">02 c1 34 28 - 00000010 11000001 00110100 00101000 11-addr: 22 CEM->DIM ?</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">02 e1 0d f4 - 00000010 11100001 00001101 11110100 11-addr: 23 ?</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">03 00 00 92 - 00000011 00000000 00000000 10010010 11-addr: 24 ? </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">03 20 00 08 - 00000011 00100000 00000000 00001000 11-addr: 25 ? (gear switch info) </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">03 40 02 4c - 00000011 01000000 00000010 01001100 11-addr: 26 ? </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">03 60 00 0a - 00000011 01100000 00000000 00001010 11-addr: 27 ? </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">03 80 10 28 - 00000011 10000000 00010000 00101000 11-addr: 28 ? </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">03 a0 00 02 - 00000011 10100000 00000000 00000010 11-addr: 29 DIM? </span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">03 c0 00 2a - 00000011 11000000 00000000 00101010 11-addr: 30 ?</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">04 00 00 02 - 00000100 00000000 00000000 00000010 11-addr: 32 ?</span><br />
<span style="color: #9fc5e8; font-family: Courier New, Courier, monospace; line-height: 18px;">04 20 00 02 - 00000100 00100000 00000000 00000010 11-addr: 33 ? </span><br />
<br />
<span style="line-height: 18px;"><span style="font-family: inherit;"><br /></span></span>
<span style="font-family: inherit;"><span style="line-height: 18px;">First 4 bytes are the message header (as shown by ELM327), then binary representation of the same data, followed by the decimal representation of identifier A (first 11 bits of the header). In the last column you can find kind of educated guesses about which module might be transmitting with which id. </span><span style="line-height: 18px;">There seems to be no logical connection to the module ID specified in the electronic diagram, and the header IDs in the list above. </span></span><br />
<br />
<div>
<span style="font-family: inherit;"><br /></span></div>
<br />
<span style="font-family: inherit;">Much of the content on these messages is status updates and keep-alive messages, broadcast by various modules. For example, passenger and driver side doors transmit continuously their button status (if some button is pressed) and if the window is open, and if, by how much. </span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">I will later add detailed analysis of each module and the structure of messages they send. Stay tuned!</span><br />
<br /></div>
Unknownnoreply@blogger.com1Suomi61.92411 25.74815154.229326 5.5333070000000006 69.618894 45.962995tag:blogger.com,1999:blog-8939323573892464019.post-9334118667623500262012-11-03T12:22:00.000-07:002012-11-18T16:45:48.989-08:00Our mysterious friend, CAN bus<div dir="ltr" style="text-align: left;" trbidi="on">
First things first: Researching.<br />
<br />
<br />
Volvo S80 offers diagnostic interface via the official <a href="http://en.wikipedia.org/wiki/On-board_diagnostics">OBD</a> port, accessible under the dash board.<br />
I bought myself an <a href="http://en.wikipedia.org/wiki/ELM327">ELM327</a> based <a href="http://www.elekma.com/elm327_adapteri_usb">reader</a> in order to get a first glimpse of the messages travelling on the CAN bus. ELM327 offers a plethora of protocols, including 11 & 29 bit CAN protocols at various speeds. So I plugged it into a laptop running Linux, and successfully connected to the reader via a terminal program (minicom in this case). I was able to connect to the car via ISO 9141-2, which is a standard protocol for OBD scanners. I was able to access a few parameters the car's CEM (central electronic module) offered (such as error codes), but all attempts to access the CAN bus failed.<br />
<br />
According to <a href="http://pinoutsguide.com/CarElectronics/volvo_obd_connector_pinout.shtml">this</a> OBD connector pinout, Volvo cars offer CAN bus on pins 6 & 14. The pinout varies from one manufacturer to another, so maybe ELM327 doesn't use the correct pins? Said goodbye to the warranty and pried the cover off the adapter. Pins 6&14 were connected. Damn.<br />
<br />
Alright, more research: Found maybe the most important document when thinking about embarking on a quest like this: <a href="http://www.matthewsvolvosite.com/downloads/2002_S60_S80.pdf">2002 S60/S80 electric wiring diagram</a>. According to the diagrams, Volvo has 2 separate CAN buses: Hi-speed (connecting modules responsible for engine, brakes, transmission etc) is on pins 6&14, and low-speed (climate control, audio, window & sunroof control etc) on pins 3 & 11. Pried ELM327 open again to see that neither of the latter pins was connected. Alright, that still doesn't explain why I cannot access the hi-speed bus, even if low speed is naturally out of reach.<br />
<br />
This time I was starting to get annoyed, so it was time to use the low-level tools.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-o1vWl1jghcs/UKPxHMVaudI/AAAAAAAAA0U/mgBtcm8Qka8/s1600/2012-10-31+18.16.12.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://2.bp.blogspot.com/-o1vWl1jghcs/UKPxHMVaudI/AAAAAAAAA0U/mgBtcm8Qka8/s320/2012-10-31+18.16.12.jpg" width="240" /></a></div>
Interestingly, all of the pins supposedly offering CAN bus access did carry a digital signal, but it was only in the 20-50 millivolt range, instead of somewhere between 5-12 volts that I would expect from a normal CAN signal. More interestingly, they contained exactly the same varying binary signal at the same speed. WTF, I might ask.<br />
<br />
More googling. Facing the reality: there are a lot of people accessing their cars via a Bluetooth OBD dongle and a cell phone app (such as <a href="http://torque-bhp.com/">Torque</a>), but the number of serious hackers involved in snooping around proprietary Volvo protocols is incredibly low. However, there are a few guys out there who are doing something similar. I managed to find <a href="http://forums.swedespeed.com/showthread.php?136362-Swedespeed-CANfoolery-Project-Understanding-and-using-the-VOLVO-CANBUS">this</a> conversation, containing advice to send a certain "keep-alive" message every 5 seconds to the K-line (pin 7 on the OBD connector) to keep the CAN bus interface open. The content is "84 40 13 b2 f0 03 7c", serial settings: 10800 baud, 8N1 and voltage range 0-12V (0V=0b, 12V=1b).<br />
<br />
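As an added illustration (not from the original post or the linked forum thread), here is the keep-alive as it would appear on the K-line: this Python sketch encodes the seven bytes as 8N1 bit levels at 10800 baud, decodes a constructed capture back into bytes, and checks that the last byte equals the 8-bit sum of the six before it, which holds for the bytes quoted above. Treating that last byte as a checksum is an assumption, and all function names are hypothetical.

```python
BAUD = 10800                                        # from the post
KEEPALIVE = bytes.fromhex("84 40 13 b2 f0 03 7c")   # from the post

def encode_8n1(data):
    """Line level per bit time (1 = 12 V, 0 = 0 V) for 8N1 serial data."""
    levels = []
    for byte in data:
        levels.append(0)                                    # start bit
        levels.extend((byte >> n) & 1 for n in range(8))    # data bits, LSB first
        levels.append(1)                                    # stop bit
    return levels

def decode_8n1(levels):
    """Recover bytes from per-bit line levels, skipping idle (high) time."""
    out, i = bytearray(), 0
    while i < len(levels):
        if levels[i] == 1:            # idle line, wait for a start bit
            i += 1
            continue
        frame = levels[i:i + 10]
        if len(frame) < 10 or frame[9] != 1:
            raise ValueError(f"framing error at bit {i}")
        out.append(sum(bit << n for n, bit in enumerate(frame[1:9])))
        i += 10
    return bytes(out)

def checksum_ok(msg):
    """True when the last byte equals the 8-bit sum of the bytes before it."""
    return len(msg) >= 2 and sum(msg[:-1]) & 0xFF == msg[-1]

def duration_ms(n_bytes, baud=BAUD):
    """Time on the wire for n_bytes sent back to back (10 bit times each)."""
    return n_bytes * 10 * 1000 / baud

if __name__ == "__main__":
    capture = [1] * 5 + encode_8n1(KEEPALIVE) + [1] * 5   # constructed capture
    decoded = decode_8n1(capture)
    print(decoded.hex(" "), "checksum ok:", checksum_ok(decoded))
    print(f"{duration_ms(len(decoded)):.2f} ms on the wire")
```

On an oscilloscope the whole message therefore occupies roughly 6.5 ms, with each bit about 93 microseconds wide.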
More obstacles... This wasn't going to work with a normal ELM327. However, another member advised using the RTI or AEM connectors, of which the latter at least is accessible in the trunk, rear right corner. According to the wiring diagram, the AEM connector pinout is: 1=GND (BLACK), 2=12V (RED), 3=CAN lo-signal (GREEN), 4=CAN hi-signal (WHITE).<br />
<br />
Connected the oscilloscope...<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-SbKzklqWzAA/UKP8wPFi-AI/AAAAAAAAA0k/cvsU7AWDVk8/s1600/2012-11-03+15.18.40.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://3.bp.blogspot.com/-SbKzklqWzAA/UKP8wPFi-AI/AAAAAAAAA0k/cvsU7AWDVk8/s320/2012-11-03+15.18.40.jpg" width="320" /></a></div>
<br />
and success! 29-bit communication @ 125 kbit/second. Mind you, this is the low-speed network, but for now, I don't need to access the high-speed CAN bus connected to the engine room modules. Hooked the ELM up to the laptop again and voila! The CAN bus interface is open and messages are firing away at 200-300/sec.<br />
<br />
Next step: intercepting and analyzing messages!<br />
<br />
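An added Python sketch (not from the original post) for that analysis step: it parses ELM327-style monitor lines, tallies frames per 29-bit ID, and estimates both the load on the 125 kbit/s bus and whether the adapter's serial link can carry the dump. The sample lines, the line format (four ID bytes followed by the data bytes, space separated), the 38400 baud serial speed and all function names are assumptions.

```python
import re
from collections import Counter

BITRATE = 125_000      # low-speed bus bit rate from the post
SERIAL_BAUD = 38_400   # assumed adapter serial speed; check your own adapter

# Constructed ELM327-style monitor output: 4 ID bytes, then the data bytes.
# IDs and payloads are made up for illustration, not captured from a car.
SAMPLE = """\
01 23 45 67 11 22 33 44 55 66 77 88
01 23 45 67 11 22 33 44 55 66 77 89
0A BC DE F0 01 02 03
BUFFER FULL
01 23 45 67 11 22 33 44 55 66 77 8A
"""

LINE_RE = re.compile(r"[0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2}){3,11}")

def parse_line(line):
    """Return (can_id, data) for a 29-bit frame line, None for anything else."""
    line = line.strip()
    if not LINE_RE.fullmatch(line):
        return None                    # status text, prompts, truncated lines
    raw = bytes.fromhex(line)
    can_id = int.from_bytes(raw[:4], "big")
    return (can_id, raw[4:]) if can_id < 1 << 29 else None

def frame_bits(dlc, worst_case=False):
    """Bits on the wire for one extended frame, interframe space included."""
    bits = 67 + 8 * dlc                    # fixed fields plus data
    if worst_case:
        bits += (54 + 8 * dlc - 1) // 4    # maximum number of stuff bits
    return bits

def summarize(text, seconds):
    """Per-ID counts, bus load, and whether the serial link can carry the dump."""
    frames = [f for f in map(parse_line, text.splitlines()) if f]
    wire_bits = sum(frame_bits(len(data)) for _, data in frames)
    # Each byte prints as two hex digits plus a separator; 10 serial bits per char.
    serial_bits = sum(3 * (4 + len(data)) * 10 for _, data in frames)
    return {
        "frames": len(frames),
        "per_id": Counter(can_id for can_id, _ in frames),
        "bus_load": wire_bits / (BITRATE * seconds),
        "serial_ok": serial_bits / seconds <= SERIAL_BAUD,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE, seconds=0.02))
```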
<br />
<br />
<br /></div>
What's going on here? (published 2012-11-02, updated 2012-11-18)
<div dir="ltr" style="text-align: left;" trbidi="on">
Combine the following attributes:<br />
<ul style="text-align: left;">
<li>Newly acquired Volvo S80 2002 with a diesel heater (Ardic)</li>
<li>Cold and hostile environment.</li>
<li>Moderate amount of free time (but never enough!)</li>
<li>Reasonable coding skills and electronics know-how</li>
<li>Hatred of cold and snow</li>
</ul>
<div>
Mix them in a blender (figuratively) and what do you get? A desire to construct a remote control for the diesel heater! Laziness is indeed a major motivator for comfort zone aficionados.</div>
<div>
<br /></div>
<div>
My Volvo does have a timer for starting the heater, but my schedules are almost never fixed, and what I would rather do in the mornings is press a button, sip coffee and watch from behind a window as my Volvo gets warmer, instead of going out there to switch it on manually. Hence the project in question.</div>
<div>
<br /></div>
<div>
Now, the quest started with basic Googling: what is already available, have other people done something like this before, and how much does it cost? Volvo does offer OEM remote heaters, but they cost a shitload of money. Not going to pay a hefty 600-1000+ euros for a simple remote control and a box that hits a switch. My hacker soul laughs - challenge accepted.<br />
<br />
I've decided to document this project, not only to gather my thoughts, but also to share any bits of information that I might find. I hate re-inventing the wheel as much as any other coder, so if this ends up helping even one person trying to figure out their Volvo innards and hack their Swedish tanks, writing this might not have been in vain.</div>
<div>
<br /></div>
<div>
<div>
My plan was to build a prototype using <a href="http://www.arduino.cc/">Arduino</a> (open-source microcontroller) and <a href="http://en.wikipedia.org/wiki/XBee">XBee</a> (low-cost radio module). I've been messing around with Arduino for quite a while, but I have no wireless experience. However, XBee is supposedly quite easy to program and is well documented, so I don't anticipate huge problems in that area. Besides, it's fun to expand your field of expertise, in this case into two new fields: car automation and wireless communication.</div>
</div>
<div>
<br /></div>
<div>
Other DIY guys have been thinking alike: </div>
<div>
<ul style="text-align: left;">
<li>A guy called VP <a href="http://personal.inet.fi/private/vip/">(link here)</a> has made a reasonably nice device: an SMS-controlled heater starter which uses an AVR microcontroller and a GSM module. </li>
<li><a href="http://hja.servehttp.com/ardic.html">Similar project</a> (Finnish only, sorry) using an SMS-controlled relay (<a href="http://www.celotron.com/new/indexgb.htm">Celotron centro</a>)</li>
<li><a href="http://remotesmart.wikidot.com/webasto">Another one</a> (Finnish & English)</li>
</ul>
However, to control the actual heater, all of the above-mentioned devices rely on the AEM (Accessory Electronic Module) to do the dirty work. The AEM is a 150-200+ euro Volvo accessory that offers a simple voltage-based on/off interface for non-official, non-Volvo external accessories, such as alarm systems, parking assistance, handsfree systems etc., and of course remote heater starters. The AEM then connects to the car's internal electronic system (<a href="http://en.wikipedia.org/wiki/CAN_bus">CAN bus</a>) and controls other devices in the car by sending them CAN bus messages. Thus, external devices don't have to know how to talk to the aforementioned devices directly but can use the simple interface offered by the AEM.</div>
<div>
<br /></div>
<div>
Again, I was definitely not going to go out and spend money on a device that just turns the heater on when told to. I'm both a cheapskate and stubborn. So, my only choice was to find out how the CAN bus works through the humongous task of googling, researching and reverse engineering the message traffic, and ultimately perhaps finding out how to control the heater. Then design and construct a prototype for sending the ignition command. Then add wireless modules and build a remote. Then press button, sip coffee and watch my Volvo get warm.</div>
<div>
<br /></div>
<div>
Sounds like a lot of work? Sure. But even at the risk of getting frostbite after hours of hacking outside in cold temperatures, I'd rather do that than empty my bank account and pay a horseload of money to a guy behind the counter in order to fast-forward to the coffee sipping. Did I mention stubborn?</div>
<div>
<br /></div>
</div>