Jeep Wrangler Forum banner

Hacking the CAN-Interior Bus

85K views 199 replies 74 participants last post by  Buelligan1203 
#1 ·
(I'm cross-posting this on a few different forums since I assume the audiences are slightly different.)

I've been working on integrating directly with the CAN-Interior bus of my JKU for a few projects. This weekend I finally got enough of the pieces together that I was able to get a lot of data off the bus and figure out what actions generate what messages.

It's possible to generate your own messages on the bus to simulate the same actions, or listen for existing messages and perform your own action based on that, e.g. turning on auxiliary lights when the main lights go on. And of course, you can leverage the messages the Radio uses to send data to the EVIC to send your own messages:


I tapped into the CAN-Interior bus at the radio using a custom wiring harness so I could splice the CAN-H and CAN-L wires without having to alter any OEM wiring:


My extra CAN bus wires run to a Raspberry Pi credit-card-sized computer that I have sitting in the glovebox, for now:


The Raspberry Pi runs a Linux variant and is a pretty easy system to use for embedded projects like this.

See my blog at Hacking the Jeep Interior CAN-Bus | Chad Gibbons' Blog for more details on what I found and how I did it.

For the actual end-results, here are some of the messages I've found on the CAN-Interior bus so far. This list should grow pretty rapidly now that I've got a platform hooked up to the vehicle for further research.

3e6 00 0d 12 ... # hours, minutes, seconds since vehicle turned on
244 81 00 39 C3 80 # Driver's door open, byte 0
244 80 00 39 C3 80 # Driver's door closed, byte 0
208 01 22 6d 5a 1e 01 2c # Left blinker on, byte 0
208 00 22 6d 6a 1e 01 2c # Left blinker off, byte 0
208 02 22 6d 5a 1e 01 2c # Right blinker on, byte 0
208 00 22 6d 6a 1e 01 2c # Right blinker off, byte 0
1e1 00 00 10 65 00 00 00 00 # Steering wheel position, bytes 3 & 4
2e0 00 01 47 21 ff ff 0c # Brake pedal depressed, byte 4
2e0 00 01 47 20 ff ff 0c # Brake pedal released, byte 4
2e7 84 1c 00 00 00 00 87 # Parking brake on, byte 0
2e7 04 1c 00 00 00 00 87 # Parking brake off, byte 0
292 00 49 33 00 00 48 28 # Throttle pressed, byte 3
2a8 00 01 00 00 00 00 # Windshield wipers, byte 3
2e5 03 # Rear wiper
2d2 01 06 00 # 4WD-HI
2d2 04 04 00 # 4WD-LO
2d2 00 03 00 # 2WD
208 00 22 6d 5a 1e 01 2c # Lights on w/ fogs
208 58 22 6d 51 1e 01 2c
2e1 1a
208 00 22 6d 5a 1e 01 2c # Lights off w/ fogs
2e1 1b
2e1 1b # Fogs on
2e1 0b # Fogs off
2e1 0a # Lights on w/o fogs
2e1 0b # Lights off w/o fogs
29e 00 03 97 20 02 ff ff ff # Change to FM 91.9
291 09 01 05 30 f0 00 07 # Change to satellite, w/ no signal
293 00 00 b8 20 02 ff ff ff
291 01 01 05 10 10 00 07 # Change to FM, 91.5
291 00 03 93 20 02 ff ff ff
291 09 01 05 30 80 00 07 # Change satellite stations
293 00 00 19 23 02 ff ff ff
295 43 65 73 52 65 77 6e 64 # ClsRewnd
29e 00 00 0f 21 02 00 00 00 # Change CD tracks, byte 3
3d9 0a 0a 0a 0a 0a ff # Change volume, byte 0
3d9 08 0a 0a 0a 0a ff # Change volume, byte 0
Message id $295 is the most fun, as that's what you can use to display information on the EVIC.

If you have a request for more information about a certain set of accessories let me know and I'll see if I can find data for them.

You should be able to apply the same trick to the CAN-C power train bus, although the Diagnostic CAN-C bus is less useful for monitoring since it does not broadcast data on it is own without being asked first.

And for those projects coming down the pipeline, if anyone is interested in beta-testing let me know. Extra points if you are somewhere near Colorado :)
 
See less See more
3
#2 ·
I spent a bit more time analyzing the messages I've captured and here's some more details on the message format. Still lots to figure out.

Message Id $3d9 - Audio Settings
Each byte details an individual audio setting, volume, balance, etc. Value $0a is the default level for most settings, except for volume where it is level 10. This is from the RES radio so it may vary with the different ones.
byte 00 = volume
byte 01 = balance
byte 02 = fader
byte 04 = bass
byte 05 = mid-range
byte 06 = treble

Message Id $2eb - Sensor Readings
byte 00 = unknown
byte 01 = unknown
byte 02 = unknown
byte 03 = light sensor, values range from $6a to $ef so far

Message Id $2e3 - Heated Seats
Byte 1 is bitmapped to what each heated set setting is at.
byte 00 = unknown (so far always $00)
byte 01 = bit flags
bit 0 = driver's seat low
bit 1 = driver's seat high
bit 3 = passenger seat low
bit 4 = passenger seat high
byte 02 = unknown (so far always $00)

Message Id $208 - Lights
byte 00 = lights active
bit 00 = left blinker
bit 01 = right blinker
bit 03 = parking lights
bit 04 = low-beams
bit 05 = high-beams
bit 06 = front-fog-lights
bit 07 = rear-fog-lights (an assumption)
bytes 01-06 = unknown

Stay tuned...
 
#3 ·
I finally found the "power-on" message, so you can bench test a OEM radio:

20b#6100 to turn it on, and 20b#0000 to turn it off. The car broadcasts the on message about every 100ms to keep the listening nodes alive, so on a bench you'll need to send it frequently.
 
#4 ·
And here's a good example of the limitations of interfacing with the bus, which is mostly limited to listening to system changes.

Message id 308 is sent out when the interior dimmer is changed. I've seen the following data so far:
308#0000ff # lights off
308#110000 # daytime - lights on bright
308#122200 # lowest dimmer setting
308#124c00 # next highest
308#12a000 # next highest
308#12c800 # all the way up

It is tempting to want to send your own messages to the bus to have these settings take place, but it doesn't quite work that way.

These messages are generated by the Cab Compartment Node (CCN) whenever it detects changes from the user by using the control stalk. Those messages are listened to by the radio and the TIPM nodes who take action as appropriate - such as dimming the radio lights.

The problem is, the CCN isn't listening for those messages even though it controls a large portion of the lights that are being dimmed. Additionally, it keeps broadcasting the current dimming state every 500ms, so it will override any commands you may send out yourself.
 
#5 ·
Thanks very much for this! Very helpful. Keep up the good work, I might be interested in beta testing also. I forget does CAN have a specific data rate or is it application specific. I'm very well versed in msp430 but it's far too slow to communicate on this bus so I'll need a pi as Well I think. Happy sniffing.
 
#6 ·
The CAN-IHS bus is at 125 Kbps, while the Diagnostic-C and CAN-C (power train) buses run at 500 Kbps. These are vendor specific within a few guidelines, and can change from year to year.

An msp430 will be plenty fast enough to handle any of the 3 buses, but you would have it talking to a CAN controller IC, not do the bus directly. Check out the Microchip mcp2515 for the CAN controller and mcp2551 for the CAN transceiver. These are really cheap and talk to the MCU over an SPI interface, so really easy to work with.

I've processed the 500 Kbps bus with an atmega323 running at 16 MHz, so a msp430 would have no issue either. You could probably take this board https://www.sparkfun.com/products/10039 and use it directly with the msp430 or at least take the schematic and build your own using it as a reference.

If you like staying in the TI world, then their C2000 family has some CAN stuff available.
 
#8 ·
I think it just depends upon what your application is. If you were trying to be a power-train node and respond to all those sensors in real-time, yeah, you'd not have enough power. But if you were listening to messages and interacting with only a very few (most applications) it'll be a non-issue.

All of the heavy-lifting with CAN-bus messages takes place on the controller (the checksums and so forth).

Your limiting factor will be the speed of your SPI connection to the CAN controller. If you can run that at 8+ MHz, then you should be fine for processing 500 Kbps of data and reacting to it.

If you want I can get some timing information for you on my 16 MHz atmega323.

And, if you haven't tried it out yet, buy an Arduino kit and give it a try. They're dirt cheap and probably the easiest MCU I've ever had to deal with, just because of the tools around it. You can go anywhere from the lowly atmega168 to the atmega2560 (32-bit) with very little to no change. I love how much open-source software and hardware there is out there to use with them.
 
#9 ·
Gotcha. I didn't realize the can ic did that much of the work. I figured it was just a physical layer like a 485 driver. I've used the Arduino for quite a bit but I like the control, or more thorough understanding that I have of the msp just as a function of work experience.
 
#12 ·
One example: you could have auxiliary accessories that are activated by commands received over the bus rather than tapping into electrical wiring.

Imagine the wiring elegance of the 4x4sPOD but still retain OEM-style functionality.

For example, I have auxiliary driving lights. I want them to come on with the high-beams. Normal way to do that is to tap into the high-beam circuit. That works, but it's fragile and over-time you wind up with a rats nest of wiring.

So instead, have that auxiliary lighting system hooked up to its own control system, and the control system will listen to the car and tell the lights when to turn on. No modifications to the OEM wiring system. Fully integrated functionality.

Same idea can be applied to additional interior lights. Want them to dim properly, turn off when the rest to them do, and not have to worry about tapping into existing circuits? That's why this is useful.

Or how about approach lights that light up and dim properly when the normal approach light timeout happens?

Other applications... car-computers that replace your OEM head-unit AND actually fully integrate with the car. Want to have a music system with 1TB of storage with an 8" touch-screen that displays a nice spectrum analysis of your audio AND shows the current music on the EVIC just like the OEM radio? You could by figuring out these messages.

Other existing examples: pac-audio uses these messages to make their audio interface products like http://www.pac-audio.com/productDetails.aspx?ProductId=277&CategoryID=29 and http://www.pac-audio.com/productDetails.aspx?ProductId=1067&CategoryID=28

Bottom-line, vehicle electrics have changed a long time ago and most of us are still doing things the old way, even though there's a lot of opportunity to do things the way the OEMs do and make modifications work better.

And besides all that, it's just fun to figure out how things work.
 
#14 ·
Wow!!! I have and extra PI laying around? Sounds like a future project. For those not familiar with Raspberry PI, it's a $35 computer.

You gonna OpenSource your work?
 
#19 ·
#20 ·
Discovered something else today.

If you have the connectivity group with the remote USB port (for iPhone etc) then something will send these messages out and the radio will display that data... and you can send all of your own data over that instead:

(1389040747.468564) vcan0 3AC [8] 0B 01 20 20 20 20 20 20 '.. '
(1389040747.497350) vcan0 3AC [8] 1B 03 20 4E 6F 20 49 6E '.. No In'
(1389040747.528932) vcan0 3AC [8] 03 03 66 6F 20 20 20 20 '..fo '
(1389040747.564518) vcan0 3AC [8] 3B 04 20 47 69 76 69 6E ';. Givin'
(1389040747.597491) vcan0 3AC [8] 23 04 27 20 59 6F 75 72 '#.' Your'
(1389040747.633804) vcan0 3AC [8] 13 04 73 65 6C 66 20 41 '..self A'
(1389040747.667984) vcan0 3AC [8] 03 04 77 61 79 20 20 20 '..way '
(1389040747.700881) vcan0 3AC [8] 0B 05 20 52 61 74 74 20 '.. Ratt '
(1389040747.736770) vcan0 3AC [8] 1B 06 20 44 65 74 6F 6E '.. Deton'
(1389040747.760179) vcan0 3AC [8] 03 06 61 74 6F 72 20 20 '..ator '
(1389040747.794957) vcan0 3AC [8] 1B 07 20 4E 6F 20 49 6E '.. No In'
(1389040747.826042) vcan0 3AC [8] 03 07 66 6F 20 20 20 20 '..fo '
(1389040747.855264) vcan0 3AC [8] 3B 08 20 47 69 76 69 6E ';. Givin'
(1389040747.887166) vcan0 3AC [8] 23 08 27 20 59 6F 75 72 '#.' Your'
(1389040747.923526) vcan0 3AC [8] 13 08 73 65 6C 66 20 41 '..self A'
(1389040747.949203) vcan0 3AC [8] 03 08 77 61 79 20 20 20 '..way '
(1389040747.986814) vcan0 3AC [8] 0B 01 20 20 20 20 20 20 '.. '


I'm looking at my 2012 service manual and there is not a single mention of the remote USB port in that manual, so I'm not sure what actual system component is sending the messages, or how its sending the audio for that matter.

My radio only has the 2 antennas, the C2 and the C1 plugs (hands-free). Where's that USB audio coming into it?

EDIT: Ah! The hands-free-module does that work.
 
#22 ·
If it helps - I have Connectivity and when I switched the headunit out I get a 'radio off' message on the EVIC when I have the key on ACC and the radio is on. It's like it doesn't see the new headunit.
 
#26 ·
In case this is useful, too (and a reminder that I really need to write up a post on how to build this thing step-by-step):

I didn't have a cad diagram for the receptacle end of the wiring harness, but you get the idea. It's a straight wiring for the 6 circuits my C2 harness had, plus splicing the 2 CAN connections off so bring to my CAN interface board. I think your harness will vary if you don't have an amplifier etc. There's a few options for that connector looking at the repair information.



For reference: Mopar Connection Repair Kit and 1438759-1 Product Details - TE

I actually bought some aftermarket radio repair harnesses off eBay to get that connector/receptacle cheap, though. TE doesn't make a receptacle mate for that connector that isn't part of a PCB mount solution.
 
#30 ·
Just a few:

Pac-Audio.com Product Details | iPod Integration for your car and More by Pac-Audio - Connecting you to the future - PAC Audio's amplifier integration works with the CAN-IHS bus.

Pac-Audio.com Product Details | iPod Integration for your car and More by Pac-Audio - Connecting you to the future - PAC Audio's radio replacement sends out commands to the CAN-IHS bus to fool the car into thinking the OEM radio still there.

Pac-Audio.com Product Details | iPod Integration for your car and More by Pac-Audio - Connecting you to the future - steering wheel control integration

Not for the Jeep (LX/LC Chryslers), but http://www.zautotech.com/tranzformer.html taps into the CAN-C and CAN-B buses for transmission behavior changes.
 
#35 · (Edited)
Just a few:

Pac-Audio.com Product Details | iPod Integration for your car and More by Pac-Audio - Connecting you to the future - PAC Audio's amplifier integration works with the CAN-IHS bus.

Pac-Audio.com Product Details | iPod Integration for your car and More by Pac-Audio - Connecting you to the future - PAC Audio's radio replacement sends out commands to the CAN-IHS bus to fool the car into thinking the OEM radio still there.

Pac-Audio.com Product Details | iPod Integration for your car and More by Pac-Audio - Connecting you to the future - steering wheel control integration

Not for the Jeep (LX/LC Chryslers), but http://www.zautotech.com/tranzformer.html taps into the CAN-C and CAN-B buses for transmission behavior changes.
I guess none of those would be useful on my jeep then. oh well.

I of course asked because I hadn't seen them and was hoping there might be some really neat stuff out there. Thanks for the reply.

Transmission behavior changes would be cool. The wrangler probably doesnt have a complicated enough transmission for that to work.

I'll probably be building something really neat in the future with the information from this thread though.
 
#31 ·
Have you been able to get into the HVAC controls, specifically the control circuit / coding that is used to automatically switch from outside to inside air without user permission?

(Haven't read your blog yet since I just found your post.)

Good job. Excellent information. I sense a learning curve coming up.
 
#32 ·
I was able to get this data, but I'm unsure yet if you can send those messages back out and have the HVAC system respond. I'll try it out later today.

Turn off Air:
270 04 00

Turn air to auto:
270 44 00 D.

Turn on rear defroster while air on:
270 C4 00

Turn to front defroster
270 45 00
 
#36 ·
proof of concept #1

I finished the 1st proof-of-concept for using the CAN-Bus data to control auxiliary relays. It worked great. Attached is a block diagram of what I used, and a longish video of how the testing went.



If you want to skip all the bench testing, the actual in-car testing happens at the 11:15 mark of the video.
Jeep Bot - Proof of Concept #1 - YouTube

Code for the demo can be found at https://github.com/dcgibbons/jeepbot/tree/poc1

A few hours after I finished, a bluetooth-low-energy board I ordered showed up. The next step will be to throw that on there so that I can use the smartphone to configure each switch and optionally control them by hand.

Each switch will have the following different possible control states:
  • always on
  • manual only
  • on when interior lights are on
  • on when high-beams are on

Right after that, I'll start working on a prototype PCB and housing so I can start testing real versions of this system.

I'll post the design, schematics and code in progress on my blog so anyone can offer feedback as it gets built.
 
Top