Exploring The Can Bus, Searching For and Replicating Specific Messages On A Car

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
modern cars work on their own network and sometimes it's handy to be able to go in there figure out what's going on and possibly analyze that data so it can be used in a different way so we're going to dive in to the canvas [Music] [Music] every way welcome back to the garage and as always make sure and hit that subscribe button if you haven't already that way you don't miss out you can ring that bell if you want any of the notifications whenever new videos come out or whatever we go live we do a lot of giveaways on the live shows and we have one every week at Thursday 8:00 Eastern sometimes we do one on the weekend also so you don't want to miss out your chance to win since we just broke 10,000 subscribers there's going to be a pretty good giveaway on the next live show so make sure that you ring that bell on top of it throw a thumbs up that helps me out that's payment enough for me for doing all this work sharing this information and try to help you guys out but I'll be honest with you you guys help me out as much as I help you out you expose me to new information new problems new solutions I can't do it without you guys this is a community the garage as a whole is a community so I just want to take a moment to thank everybody that participates make sure and hit up the comments if you got any questions solutions answers but today we are diving into the cam bus and it's a little bit of a weird situation misnomer kind of stuff everybody thinks to cam bus is a protocol it's not necessarily a protocol obd2 is actually a protocol and that defines things like message ID message format header links all that kind of stuff we're going to actually go in connect up to one of the e60 7's that i have use the microchip USB a can bus analyzer I love their devices they're a little bit pricey about a hundred bucks but you need a good device that works well and I have a lot of good experience with the microchip Lin bus analyzer from whenever I did the heated seat retrofit on the super auto and the whole idea is to go in see what information is being passed and then try and figure out what that information is and I'll let you in on a little hint as to why we're doing this the idea behind it is is that the holley efi systems talk in their own protocol well if we can figure out how the ECM on the factory one talks to the gauge cluster we should be able to then take the ECM or the holley efi stuff decipher the code use another device to convert from one message format to the other and then have a cheap solution for using a factory gauge cluster on something like a Holley EFI or if for that matter any aftermarket ECU that has Cam bus communications and there's here's kind of what's going on there GM Ford Chrysler Nissan all these guys have obd2 as a protocol that you can hook up into the port underneath see that information a lot of those parameters that we're looking for what are called broadcast parameters and so the ECM is always sending it out to the network that information is is just being blasted constantly and you'll see that as soon as we hooked up I've got the bench harness set up with the ECM out of it so we are just looking for the broadcast messages there's probably going to be about 15 or so and then we'll try and decipher which broadcast messages there's no guarantee that the broadcast messages are the ones that are being used for the gauge cluster in this situation all we can do is decipher those messages and then use the device to go onto the network without the ECM inject those messages onto the can bus Network and see if the gauge cluster responds now modern vehicles have what is considered a gateway on their network generally it's a BCM but in this case we actually have a vehicle communications interface and the reasoning behind that is is that the gauge cluster itself is not on the high-speed bus it's on the low-speed bus so you have a high-speed bus which is your can network and a lot of vehicles have a low-speed bus which is often the Lin bus network so that vehicle communications device is actually taking the information on the can bus network changing it over to the low-speed network and then providing it to things like the gauge cluster or anything else that needs that data that's on the low-speed bus so the idea or the theory is we can take these messages that are being broadcast by the ECM break them down and then we can try and replicate them and see how things respond without that you seem hooked up while we're injecting it straight through the can port so let's dive over to the setup where we can pull everything up I can show you the log stuff like that and we'll go from there okay real quick I just want to show you what we're working with we've got our bench harness set up we've got the bench harness set up to power up the ECM with the standard communication ports on here and then I've got obd2 a afters for both of these and so I'm just strictly jumping the high and low can networks together through these adapters by Jam and pins in here and then here is our microchip USB analyzer I'm using the terminal ports it has a db9 option on there if you want to build out a db9 connector to obd2 or something like that so that being said I'm going to pull up the screen now and we're going to dive into this information okay first things first I've got the obd2 PIDs list pulled up here we're going to see if anything shows up on here specifically we will be looking at PID addresses and we're gonna work in decimal because it's a little bit easier hex if you're our programmer will make more sense to you but if you're not we're going to be scrubbing through and trying to find these parameter IDs in decimal now I've got the candle CANbus analyzer software pulled up this is pretty straightforward this is not the fanciest there is fancy software out here but this is the one that comes with the analyzer itself so it's free that's why we're using it and it shouldn't give us the information that we need now the first thing that we need to do is go into setup and do the hardware setup and adjust the bit rate control this is a 500 KBS cam bus network on this particular platform it might be a 250 on some of the older ones if you're trying to do this but modern ones are going to be 500 normal mode is perfectly fine for right now and then bus termination we have bus termination on because at the the last device on the cam network needs to have a 60 on bus termination on your GM platforms your BCM is going to have a 60 and then your ECM which is always the last device on the network is going to have a 60 on there also that being said though you only need the 60 ohm to talk so if you take the ECM off the can bus network it will still talk but if the BCM is off of it it will not talk without a resistor on that network so that's that and that's kind of the reason why this network will work in a way that it is self diagnosing or fault tolerant basically so whenever we end up doing away with the factory ECM it'll be perfectly fine because the BCM will still be on there it has the proper termination and you don't actually have to have a return because it is a 2 wire network it transmits on one receives on the other wire so all that being said we've got this set up now I'm going to go ahead and turn on our bench analyzer and we've got two options here we've got rolling trace and fixed trace rolling trace is going to show us the data as it comes in let's go ahead and open that up and this is literally everything that the ECM is sending out right now and the nice thing about having the harness is we can only see the ECM now if we were to hook onto the obd2 port of the car and do this we would be inundated with a ton of data so being able to isolate data like this is great and the cool thing about this device having the ability to do termination you can isolate individual modules find the wiring pin outs figure out where the ignition power is where the switch power is and where the can communication lines are and you can sniff individual devices to get the the information that they're broadcasting now remember this is just a broadcast there there is a pole request and return information out there in which the VCI em are the BCM are going to actually say hey I need this parameter same or deal if you hook up your HP tuners or your tech - that thing knows hey I want to see this parameter that's not a broadcast parameter it actually has to send a message out there and say hey give me that information and then the in device responds with it now that's another way that we could do it is we could jump in on a network with the HP tuners scanner on and scan specific parameters that are not broadcast parameters and sniff that network on the bench harness and we should be able to see the command and response off of those once again it's not going to guarantee us that it is the message that we need to interface with other devices but that is the one that is for obd2 the question that's going to be that we have to answer on this is whether or not the OBT obd2 format data is the one that is being translated in the communications module and then being sent out on the low speed bus so now that we've got this pulled up we're actually going to close the rolling one on here and open up the fixed trace this one's going to work a little bit easier for what we're looking at this all of the IDS that are being broadcast so 201 is a good one to start out we're going to come over here scroll down through our list and see what 201 is and it's not on this list so that's very interesting let's flip it over to hex see if it matches up with something on this list can't remember where do that of you go over here show ID and X so X 0 X c9 see if it aligns with anything on here and it may not 0 XC 9 nope so let's just do the old Google search and see 0x c9 I'll try PID so once again this is something that we're going to have to dive into and try and figure out what it is because the information is not readily available which kind of sucks I was hoping that we would be able to find most of the PIDs on here that we were looking for but it doesn't look like we go out to sea for now here is the data itself it is broken up into blocks of messages that is then brought together to show us what it is we can see what the most active stuff is based on the counter this is pulling a lot down here at the bottom we've got a couple that are not pulling quite as often now looking at what we're getting right now where we have active data there's a couple assumptions that we can make there's two of these that are actually working right now the rest of them are remember but the data is flatlines so there's a good chance that those are engine parameters that are the flatlined ones and then 201 and 272 can be something like communication status or you know check sums and then one of them might just be voltage so there's really no way to tell in the format that the data is in right now but what we can do is possibly let's try hooking up HP tuners on this and see if we can't jumper in on this network somewhere and sniff the network while HP tuners is working on it okay so I went ahead and soldered on some flying leads on the bench harness to hook up the microchip analyzer and now we've got the MP VI 2 on the obd2 port so what we're going to do is open up the scanner clear out the parameters and maybe add one or two parameters and see how the data looks whenever we're scanning parameters using a in device okay let's go ahead and open up our rolling turret or actually our fix trace here see that we're getting data if we have additional parameters in here see these parameters down here are coming from the HP tuners very interesting to see right away that we have some data which you could expand this window out if you're watching microchip figure out a way to expand the window out so let's go ahead and open up the scanner here we'll connect up and then we're gonna clear out the parameter list okay there we got a new parameter coming in as we connect it's requesting the P IDs from the ECM okay interesting interesting interesting see the arrows on here determine whether or not this is a request or a broadcast parameter the ones with one arrow is a broadcast the others are request let's clear these out we're looking for engine rpm and we should be pulling engine rpm in as a broadcast which means there shouldn't be a new request on this whenever we start scanning now what we can do is go in here start messing with some of these parameters and sending new messages and seeing if it changes what we're seeing in engine rpm that's how we can determine kind of what we're looking at here so let's drag this down and we will open up transmit and we're going to look for decimal ID 2 8 8 DLC 8 and 2 to 6 2 1 3 1 50 to 65 52 2 and then 1 68 we don't know what this is we can drop our period down see let's repeat this a hundred times one millisecond I've got to go out to a hundred ok and this is just sending the same information that we're already putting out on there so it's not going to necessarily change anything but if we change the data we're going to mess with the last format let's take it out to 256 if it likes that it might be outside the range 255 ok so it's 0 to 255 instead of 1 to 256 and we're not seeing any changes on the RPM so that is probably not our RPM parameter so we can go ahead and stop that one now we'll move down to the 368 one okay so we didn't have any luck so I've gone in and changed our parameter over to SAE which is a pole and respond I've got the pole here of 1296 that is the HP tuner is actually pulling it you can see the pole right there let's slow down the pole right you'll see what I'm talking about we're on 5 Hertz let's make it 10 seconds so we'll start recording that and then let's clear our trace out here and we're looking for a very slow pole so 2016 empty header message poling we're returning 2024 let's see if we can come in here full 2024 into thinking it is something it's not 250 250 250 250 250 250 and send so we finally found the RPM reply parameter on this it is 1512 is the ID and you can see that it's fighting with here I'll show you what let's let's update this we'll go back down to 100 Hertz start recording and it's in the data see if it'll hit it you can see it blinking over whenever we're injecting on the network every once in a while it's catching it we're fighting against the ECM to transmit data at the same time so every once while we get a blip that's where we're injecting the information on this parameter so we know that the request is 15 12 8 254 with open data from data 1 through data 7 that is the poll request this gets the response and so this is what we're looking at for SAE rpm so if we pull sae RPM we're going to get that data back i don't think that that's the one that we're looking for still we're looking for the broadcast one but that being said maybe I don't know about the DLCs I just don't know enough about obd2 that I'm just going to have to keep on doing some digging and see what the DLC parameters line up with both on here and I doubt it makes difference but ok we're getting the top one so we're looking for something that is in the same format is this 1512 good chance that this 1040 is probably going to be it so let's try and mimic the 1040 now and I'm going off the fact that it is the format the message format looks the same as the one that we're sending out so if I come in here and let's make it match the same all the way across maybe we can get the same numbers popping up for both so we'll start broadcasting these both at the same time okay we're getting the first one but we're not getting a second one we might have an issue getting the second one because of the pull speed on the ECM how fast it's actually sending that data I don't think that we have control over that we try and bump it out a little bit see if it makes a difference still getting the first one this thing's just sending out a multitude of messages faster than we can inject messages on here I don't think that we can lower the period on this to try and beat it see if it'll s do ten no now let's see if we disconnect this okay so there is we're still connected up on the HP tuners now that we've disconnected it we can send this message without getting interrupted HP tuners is not crapped out yet surprisingly so this gives us the ability now that we've got a list of these parameters that we can come in here and try and figure out what's going on on some of these possibly we know that 1512 is the one that we wanted for this one and if we come in here and zero this out 1512 should now zero out on our scanner there it goes so we can stop that and we can put in 125 here see how many rpms that bumps us to nothing keep on adding numbers till we start seeing numbers and it might be backwards might need to start at the data one ok there's 8,000 rpms once again we will duplicate this message and see if we can't get a reading on the broadcast so 10:40 is not going to be the broadcast that we thought it was unfortunately looking through here I don't want to necessarily clear the trace okay we found it 272 is our broadcast rpm value in here so as you can see let's go ahead and zero out our top one 125 windows zero zero zero see if this gives us a zero okay now we've got our zero on our polling request one if we do the same for for our 272 401 sorry it was 401 that is it we do the same on 401 0 this out and send it well I thought I had it okay we got 201 201 is our parameter we've got our polling request our P and parameter now we have our broadcast rpm parameter so if we come in here on our 254 and we put some false data in here our 1512 I'm sorry just make it 120 across the board okay we got 77 10 rpms so we're going to try and do the same thing see if we can match it up now you notice this data is not as long so that is because it's a broadcast data it would be my guess there it is 77 10 so we figured out that this data 0 is on a pull request probably the device that's requesting it 254 if I were to put in here 233 and zero this out we'll see if it updates on HP tuners properly and it doesn't because a different device is requesting this information now so that's where we need the address the 254 is hey device 254 is requesting this information from you now that if I change this over to 254 and send it we should go to 0 on it there we go we went to 0 so 254 is HP tuners the npv Ives request message and that is why this data format is actually longer you see that we have one two three four five six seven data parameters in the fields this is the message broken-down because we're looking at very small integers well 8-bit integers 0 to 255 so because of that we're using 8-bit integers to get a number over 255 we have to use multiple 8-bit integers in a row as a full message to get the RPMs that we're looking for now that we know that we don't necessarily care about deciphering the information we're not trying to take the 8-bit integer and break it down per se right now just trying to make sure that we can figure out which amp in what output and as I said the broadcast ones that's gonna be the important one because now we can go over to the car and use the broadcast transmit feature and try and transmit a broadcast message to see if the ECM looked at but for what we don't want to go to 7700 rpm so let's drop this down we'll put a hundred and each of them we don't have to put an address and a 2-0 because this is a broadcast message so we're just using the seven fields here to put output data sending it and that gets us to 64 25 let's drop it down a little bit more we'll just put 50 and everything 32:13 that's a good parameter to work with I'm going to go get set up in the car and we'll try it from there okay so got this kind of setup in a precarious situation but you're gonna be paying attention to the screen more than anything just because they don't have an adapter to hook into the obd2 port directly on the port 4 here and so you can see I've got the messages pulled up right now just a lot of data coming across this is just the data that is naturally on this bus right now with all the end devices so I'm going to inject this and yeah it's not working unfortunately I was hoping that it would be good enough to go over to the gauge cluster but that just means that we are not transmitting data on the broadcast channel to the gauge cluster not surprised now there's some different ways that we can go about working with this in particular we can try using the tech 2 or the VX diag set up send connect it up and sniff it while we're trying to send messages because you to send messages to the gauge cluster to do sweep and things like that through the tech to so that might be our best bet of trying to figure out which message is going there but we're getting it narrowed down that's what's important okay at the risk of making this video too long I'm gonna go ahead and wrap it up for now but there will be more data on this in the future rest assured I'm going to go through and do some more diagnosis and sniffing on the network see if I can figure out how the messages are getting translated over to the low-speed to get to the gauge cluster and if I figure that out I will do an update and let you guys know eventually we should be able to sort all this out it just takes a lot of time patience and just work that's all it is so I'm going to jump back into it remember abt always be tuning and I'll see you guys soon [Music] you
Info
Channel: Goat Rope Garage
Views: 41,322
Rating: undefined out of 5
Keywords: HPTuners, Tuning, Tune, Chevy, Chevrolet, Corvette, Camaro, Silverado, Sierra, hp tuners tutorial, hp tuners silverado, hp tuners 101, goat rope garage, how to tune a car, can bus explained, can bus diagnostics, can bus hacking, can bus tutorial, can bus analyzer, can bus testing, can bus communication, can bus hardware, can bus hacking tools, can bus sniffing, can bus messages, can bus message format, can bus message types, can bus message protocol, obd2 scanner, obd
Id: CS9mnZZk9Mw
Channel Id: undefined
Length: 26min 25sec (1585 seconds)
Published: Tue Jan 14 2020
Related Videos
Hacking The Can Bus, Controlling A Relay With Factory Can Messages!
Goat Rope Garage
22K
Sniffing any CAN-bus on the cheap(5$) with Arduino, Tested on an VW Polo 9N3
Aaron Christophel
141K
CAN-BUS No Communication Diagnostic | Resistance, Voltage, Short Circuit, Pin to Pin Test #canbus
Automotive Diagnosis: Cars Repair &Training Guides
5.2K
CAN Gateway: Monitoring Cars Wirelessly!
MrDIY
125K
I Hacked Into My Own Car
Steve Mould
2.7M
PART-1: I Reverse Engineer the OEM CAN BUS on my R8/Huracan Powertrain!
Dan Dulac
38K
How to hack your car | Part 1 - The basics of the CAN bus
Adam Varga
288K
Reading THE BMW CAN BUS USB to CAN: CUSTOM CLUSTER PLANS
Zero To 60
29K
5 Tips For CAN Bus Diagnostics | Mechanic Mindset
Mechanic Mindset
197K
FORD ESCAPE NO COMMUNICATION CAN BUS DIAGNOSIS
ADVANCED LEVEL AUTO
105K
RANGE ROVER SUSPENSION AND CAN BUS ISSUES | CASE STUDY
Super Mario Diagnostics
18K
Explained! CAN BUS Diagnosis – How to Troubleshoot Faults.
ECU TESTING
240K
LS GEN 3 POWER ENRICHMENT ADJUST AND TEST WITH HP TUNERS! #truck #hptuners #howto #car
Gulf Coast Tuning and Calibration
618
Global B Initial Tune Setup, The First Steps To Start Tuning
Goat Rope Garage
1.9K
Hack Your Car's CAN BUS Pt. 2 You can do it! Tutorial, Tips and Tricks for CAN BUS Programming
Father and Son Fix
12K
Reading an Existing CAN Bus Network | CAN Bus Communications [FREE LESSON]
High Performance Academy
74K
CAN Bus Communication Explained (Part 1)
GoTech
221K
How To Diagnose A Faulty ECU With No Communication
ECU TESTING
435K
Ram 1500 Interior CAN Bus Fault
Automotive Diagnostics & Programming
9.6K
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.