Help figure out how other ECU info gets transmitted over CAN bus (also, Binary&Hex Module 3 video posted)
This is a bounty on the heels of my Binary&Hex Module 3 presentation. I have posted a video for Module 3, so now there are videos for all modules: 1, 2, and 3. You can sign up and watch the videos anytime, for details refer to this post.
In Binary&Hex Module 3, to illustrate text data encoding, I showed how ECM info such as VIN and module name are transmitted over CAN bus if the module supports OBD Mode 9. What of interest to me is that this way can be used to check if the module is alive at any given moment.
However, only a few modules seem to support the classic Mode 9. Capable scan tools are able to extract info such as Calibration IDs from other modules, and it is probably done in a similar way, but what CAN message IDs do they use for that, and is the method unified within a car line? This topic seems to be of little interest to reverse engineering community, so I would like to do some research by performing the following experiment.
Even though the bounty of 3DNTs is posted for one car, you will receive DNT tips for any car for which slots are still available.
For MY 2013+ car in this list:
- GM (DONE, no slots available)
- Ford (1 slot available)
- FCA (1 slot available)
- Toyota (DONE, no slots available)
- Honda (1 slot available)
- VW (1 slot available)
- Subaru (1 slot available)
I assume you have an automotive Picoscope, but you can use any other device for continuous capture of CAN packets.
Connect both BOB (break-out-box) and Scan tool to the DLC. For Picoscope, Ch. A (+/-10V) goes to Pin 6 (HS-CAN); Ch. B (+/-10V) can be connected to Pin 3 (MS-CAN in some cars [Ford, GM]) or Pin 7 (K-line in some cars [Toyota, VW]), just in case something interesting flows through there as well.
Connect to the car with the scan or programming service tool, check for which modules ECU info such as Calibration ID can be displayed, and choose 4 (FOUR) or more ECUs that are NOT ECM or TCM, for example:
- ABS / EBCM / VDCCM
- Airbag / SRS
- Gateway Module
- BCM / Comfort Control Module
- EPS (electronic power steering) CM
- RKE / Keyless Entry Module
For each chosen module:
- Run Picoscope in continuous mode (Timebase: 1 s/div, Number of Samples: 50MS, Trigger: Single, moved all the way to the right and down [9 sec, -9V]. Please see attached videos on how to do this in Picoscope 6 and Picoscope 7 software;
- Turn key OFF, then back ON; re-establish communication with the scan tool; request ECU info in the scan tool;
- As soon as the ECU info such as Calibration ID is displayed, stop the Picoscope and save the waveform;
- Take a picture / screenshot of the scan tool showing the ECU info.
Please post all collected waveforms and screenshots here, along with vehicle information. I will take a look and see if there are common patterns. Thank you!
Dmitriy, I'm kind of puzzled about what you wrote. Mode 9 is only supported by legislated or generic OBD from DEC ECUs. It's always a request then response so, theoretically, the module can be “asleep” until the request is made, it responds and then goes back to “sleep”. Sleep is a poor choice of word but the response doesn't tell you if it is “alive” unless I am misunderstanding you. If you…
Hi Randy, very good point that Calibration ID can only be returned for modules that are programmable, but these are the ones I am focusing for now (and the newer the car is, the more modules are expected to be programmable, right?) My assumption is that the module itself returns its Calibration ID, even if the request and response had to go through some sort of a gateway. Thus, if I checked…
Glaring issues: I would say dealing with DCAN, multiple physical layers & protocols (on the same car) and smart sensors will be your toughest hurdles. I don't have a PICO so I am unable to contribute to your effort. Best I could do is send a log file from a CAN bus sniffer.
Randy, I am sure a CAN bus sniffer will work for this task even better than Pico, I described how to use Pico only because many techs have one. If you show how a scan tool pulls CAL IDs out of “other" (non-ECM, non-TCM) ECUs using a sniffer, that would be fantastic!
Hi Dmitriy - Randy is correct (as usual) Service $09 data is only valid for legislated OBD modules. Everything else falls under the “Enhanced Diagnostics” umbrella. Depending on the OEM, they will either use ISO 14229 services or OEM proprietary communications to communicate with other modules. As you correctly pointed out, a CAN bus sniffer like ICS Vehicle Spy will be more useful than…
Thank you for the pointers, Bob! I will be looking out for those.
Any time! Also, remember that the response to a Service (Mode) request @$22 will be $22 + $40 = $62 in the service byte… Cheers, Bob
To recap: you want me scope the data lines, and then use the scan tool to ask for the calibration ID of several modules and capture the waveform when this data is transmitted? How will I know when that specific data is transmitted opposed to other data?
Andrew - if that is Dmitriy's request, I'll try to help. Unfortunately, I'm not so much of an expert with non-Emission-Related ECUs, but do have a working knowledge of ISO 14229 (UDS). Take Randy's example for emission-related or Diagnostic or Emission Critical(DEC) ECUs : 7DF 01 00 - 7DF is the address directed to the ECU(s) from the scan tool, "01 00" is the Service(Mode) $01, PID $00…
Andrew, if you follow the instructions for setting up the scope, you will have around 10 seconds of data captured right before the Calibration ID is displayed on your scantool (you may have to do this for each module separately, unless the scantool can pull Cal IDs for several modules at once). Hopefully, the Cal ID will be transmitted during that time, but you do not need to decode the waveform…
The system requires me posting an Update, so here it is: I am still interested and waiting for the waveforms, Bounty increased to 4DNTs.
I thought I needed the Rotunda XPO to break down what CAN is actually bus packets …= also I just signed bounty & tokens agreement whats that … Itried these links sometime back and got stonewalled .
Hi Robert, how Bounties and Tokens work is explained on these help pages: diag.net/help#bounties diag.net/help#tokens Cheers, Dmitriy.
Here is ONE for GM: 2019 Chevrolet Colorado Modules used: EBCM, PSCM, BCM, TCCM, CCM-A HTHs
William, these captures are pure gold, all the info I needed!