Sunday, October 1, 2017

0x167, byte 5, bit 6

A couple of months ago I found the CAN message on the low-speed CAN bus which would be sent from the CEM (Central Electronic Module) to the CCM (Climate Control Module) if the engine was running. It would enable all the high-power consumers like seat heater, seat ventilator, rear window de-mist. The only caveat was that while I injected the message, the CEM sent the same one about 2-5 per second to switch things off again. I thought about cutting the CAN wires and inserting a filter. But as the SRS (airbag) is also on that bus, I was hesitant - luckily. Because one week ago, I came up with the idea, why not do the same thing between the ECM (Engine Control Module) and the CEM. Instead of faking input signals to make the ECM believe that an engine is running, I could do it at a later stage: "adjust" the CAN signal from the ECM.
So yesterday I dared and started looking for the high-speed CAN wires. I was lucky. I cut the umbilical of the cable tree open - close to the coolant expansion tank. The twisted blue-black (CAN-High) and green-black (CAN-Lo) wires were right on the top - no digging through 30-40 wires. A courageous cut and a Arduino-Due based CAN shield soldered in and I had a filter ready. ECM on bus 1, rest on bus 0. This way it was a piece of cake to find out which messages are coming from the ECM (0x30, 0x125, 0x12a, 0x143, 0x157, 0x167, 0x315, 0x385, 0x392, 0x3d3, 0x4ca) and which are coming from the other devices (at least 23 other messages). This reduced the reverse-engineering efforts dramatically by about 70%. First I suspected it'd be message id 0x30. Usually these low-end numbers are used for basic status information. Wrong! It seems to be the device's ID - which changes when the engine is running - but yet it wasn't the one yet. So, what did I do?
Another friendly S80 MY08 owner, allowed me to grab some logs from his car with ignition on and with engine idling. With these logs, Excel and Collin Kidders SavyCan, I identified which messages contain different data between the two states. Still a lot! So I started replacing the content of messages one message id at a time, first I used the other car's data for 0x30 --> de-mobilizer got activated. Then 0x125 --> DSTC system failure, then 0x12a --> DSTC error and de-mobilizer, and so on and so on. Most of the other messages had no visible effect.
Then once I uploaded a new firmware change to the Arduino, I got partially lucky: I forgot to switch off ignition and during the upload, the CEM obviously lost communication with the ECM and the whole christmas tree lit up: all seat heaters, fans, BLIS (Blind Spot Indicator System) were enabled for a short time. So today, I just pulled the plug of the Arduino - meaning no messages get forwarded anymore. And although many errors appeared on the dashboard, all the desired devices were available to me. Geeee! This looked promising. So assiduously I started filtering out entire messages - again starting with 0x30 and working my way up. With the sixth attempt, I got lucky: 0x167 must be it! Then I added it again but with the contents from the other S80 and the devices still worked. Next step: only replace the contents of the last 4 bytes and leave the first 4 as they come from the ECM: still ok. Then leave the content of byte 5 and 6 unchanged: not working anymore. With the reference data from the other S80 for byte 5 being 0x22 with ignition on and 0x62 with running engine it became clear quickly that it must be bit 6. So now I just do a bytes[4] |= 0x40 to set the bit and Vida now tells me that the ECM's "power state" is no longer "ignition on" but "running". And now instead of just the working seat heater (most important!) and ventilator and de-mist, I also got a running BLIS and the head-lamps swivel again in the direction I steer. Fantastic! :)
There are only 3 issues which need to be resolved now as the engine appears to be running, more signals are verified:
  1. The red "alert" and the battery warning sings light up in the dashboard together with the message that the alternator system has a serious malfunction. The DTC tells me there's a missing message. 
  2. Because I didn't attach a coolant temperature sensor or fake the signal, I get a yellow "warning" sing and a message about an issue in the engine coolant system
  3. The auxiliary brake pressure pump still doesn't come on when braking abruptly. For a real emergency stop, I have to push the brake very hard until ABS kicks in.
  4. Still don't get a RPM reading on the dashboard.
In a daily drive 1. is the most annoying thing. But as the DTC says a message is missing, maybe the ECM just sends one more message containing data from the alternator. Once I find it and inject it, it should go away. Point 2 should be easy to remedy - and even if I can't I could live with it. 
Point 3 is not annoying while driving but it's the most critical in an emergency - especially if other people are driving the car. I don't know what needs to be done to make the BCM (Brake Control Module) switch on the auxiliary pump. Maybe I'll just use the brake pressure which is read in by GEVCU anyway and then send the CAN bus command to turn on/off the auxiliary pump (can grab this from the Vida log as it can be switched on/off from the tool).
Point 4 just needs a bit more fumbling around with the remaining CAN messages. I'm convinced the RPM of the engine is in one of the 11 messages sent from the ECM.

If anyone has information or a good idea on how to resolve these 4 points, I'd appreciate it!

2 comments:

  1. That's just awesome, do you have by any chances, list of CanID's on the file? are they same across volvo brand? would assume that on the S80 model - they would be. But seeing that some of the parts are interchangeable in between models (xc60/v70/s80 - instrument cluster/ac control panel etc...) it is possible that theu are adhere to standard CanID's across volvo's.

    ReplyDelete
  2. Hello Michael, I live close to from Zürich and have an XC90 where I am working on the CAN bus and reverse engineering it to add more functions, all software drivem. I am also a qualified electronics engineer. Your project sounds fascinating. Well done!

    ReplyDelete