<blockquote>I have finally got my VW Amarok to talk to my CBT today, and I started streaming packets down. Now I just need to find a decent way to compare Idle CAN .CSV files with Active CAN .CSV files. Anyone have a suggestion on a good sniffing style program?</blockquote>

A trick I learned from watching my hardware guru is to find a common marker point in both files and then use an online plagiarism tool to compare the data. Those tools will go through and find all the similarities, leaving you with a list of differences that gives you a good place to start in figuring out what is chatter and what is the actual data you're trying to find.
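An added example, not from any poster in this thread: a scripted alternative to the text-comparison trick for the idle-versus-active question above. It compares the set of payloads seen per CAN ID, so the two captures need no common marker point. The CSV column names `id` and `data` and all sample values are constructed assumptions; adjust them to whatever your logger writes.

```python
import csv
import io
from collections import defaultdict

# Constructed captures. Column names "id" and "data" are assumed, not the CBT's format.
IDLE_CSV = """id,data
351,45 01 00 21 1B 75 8F 18
635,00 00 01 00 00 00 00 00
2C1,00 00 00 00
2C1,00 00 00 00
"""
ACTIVE_CSV = """id,data
351,45 01 00 21 1B 75 8F 18
2C1,00 00 00 00
2C1,06 00 00 00
2C1,02 00 00 00
3E5,01
"""

def load(text):
    """Map each CAN ID to the set of distinct payloads seen for it."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        seen[int(row["id"], 16)].add(bytes.fromhex(row["data"]))
    return seen

def compare(idle, active):
    """For each ID, list payloads seen only in the active capture and the
    byte positions where they differ from any idle payload of that ID."""
    report = {}
    for can_id, payloads in active.items():
        baseline = idle.get(can_id, set())
        new = payloads - baseline
        if not new:
            continue  # everything for this ID was already present at idle: chatter
        changed = sorted({i for p in new for b in baseline
                          for i in range(min(len(p), len(b))) if p[i] != b[i]})
        report[can_id] = {"new": sorted(new), "bytes": changed}
    return report

if __name__ == "__main__":
    for can_id, info in compare(load(IDLE_CSV), load(ACTIVE_CSV)).items():
        new = ", ".join(p.hex(" ") for p in info["new"])
        print(f"0x{can_id:03X} new payloads: {new}; changed bytes: {info['bytes']}")
```

An ID that appears only in the active capture is reported with an empty changed-bytes list, since there is no idle payload to compare against.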

I have an Audi A4 (B7). I've been able to successfully sniff out the DIS messages from my RNS-E using the same method that @jamesatfish wrote up at http://forum.canb.us/discussion/91/identifying-steering-wheel-button-packets-an-example (excellent write up!).

I can successfully send a message to the DIS by using the CBT command 02020261484579205345787908. I see the message for a split second before the RNS-E overwrites it by sending a new command ID 0x0261 with the radio station that's currently selected, but at least I know my setup is working.

If the RNS-E is off and I send my same message using the CBT, nothing is displayed on the DIS. Is there a command that the RNS-E is sending to the DIS to "enable" radio messages? Through all my bus sniffing, I haven't been able to find anything specific.

The RNS-E sends the DIS packets every second (or quicker) so as you've seen if you just inject a new message packet once it'll be over-written fairly quickly.

If you want your messages to persist you'll need to use the CBT in 'man-in-the-middle' mode, with your software passing through all packets except for 0x261, which you replace with your own payload.

Modules that want to communicate with the DIS need to join the 'ring', which is how they register their intent to send data for display. It's how your DIS knows if there is a navigation module attached, or a Bluetooth module etc, and thus displays the relevant pages.

With your RNS-E off, it will not have joined the ring and as the DIS will ignore packets from unregistered modules, your messages don't get displayed.

Do you know how to join the "ring"? That'll be useful if I ever replace the RNSE with an aftermarket radio. My ultimate goal is to display the boost pressure instead of the radio information.

The exact code varies depending on what options you've got in your car, but look for packets with frame IDs from 0x420 - 0x4A0.

You should see a series of packets with a format like:

<pre><code>(0x436) 16 02 C0 04 00 00 (6 bytes)
(0x428) 16 01 00 00 00 00 (6 bytes)
(0x436) 08 01 00 00 00 00 (6 bytes)</code></pre>

The first byte in each packet matches the frameID (420+byte0).

Essentially that series of packets equates to:

ID 436 asking to join the ring
ID 428 is the last device in the ring saying it's OK to join
ID 436 responds back to ID 428 acknowledging the message

Once you're on the ring, you may need to send keep-alives (0x661) on a regular basis if you see them on the bus in your car.

Oh, and if you haven't figured it out already, 0x263 is the ID for the 2nd line at the top of your DIS, if supported on your car.
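An added example, not from any poster in this thread: a decoder for the ring frames described in the post above, applying the stated rule that byte 0 plus 0x420 gives a frame ID. Reading that value as "the node this frame names" and the three-step join pattern are assumptions taken from the post's description; the fourth sample line is constructed.

```python
import re

RING_BASE = 0x420                # per the post: byte 0 + 0x420 gives a frame ID
RING_IDS = range(0x420, 0x4A1)   # ID range the post says to look in

# Constructed sample: the three frames quoted in the post plus one non-ring frame.
SAMPLE = """\
(0x436) 16 02 C0 04 00 00
(0x428) 16 01 00 00 00 00
(0x436) 08 01 00 00 00 00
661 00 01 12 00 00 00 00 00 audio source
"""

# Accepts "(0x436) 16 02 ..." and "436 16 02 ... note"; trailing notes are ignored.
FRAME = re.compile(r"\(?(?:0x)?([0-9A-Fa-f]{3})\)?((?:\s+[0-9A-Fa-f]{2}\b)+)")

def parse(text):
    """Return [(frame_id, payload)] for every line that looks like a frame."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            frames.append((int(m.group(1), 16), bytes.fromhex(m.group(2))))
    return frames

def decode_ring(frames):
    """Return [(sender_id, named_id)] for frames inside the ring ID range."""
    return [(fid, RING_BASE + data[0]) for fid, data in frames if fid in RING_IDS]

def find_joins(decoded):
    """Find the pattern from the post: A names itself, B names A, A names B."""
    announced, offered, joins = set(), {}, []
    for sender, named in decoded:
        if named == sender:
            announced.add(sender)              # step 1: request to join
        elif named in announced and named not in offered:
            offered[named] = sender            # step 2: existing member answers
        elif offered.get(sender) == named:
            joins.append((sender, named))      # step 3: joiner acknowledges
            announced.discard(sender)
            offered.pop(sender)
    return joins

if __name__ == "__main__":
    ring = decode_ring(parse(SAMPLE))
    for sender, named in ring:
        print(f"0x{sender:03X} names 0x{named:03X}")
    print("joins:", [(hex(a), hex(b)) for a, b in find_joins(ring)])
```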

Yes, I see the 0x436 and 0x428 IDs, along with a few 0x661 keep-alives. Here's a trace that I captured from the moment the ignition was turned on, until the RNS-E started sending 0x261 and 0x263.

<pre><code>436 16 02 C0 01 00 00 00 00
436 16 02 C0 01 00 00 00 00
436 16 02 C0 01 00 00 00 00
436 16 02 C0 01 00 00 00 00
436 16 02 C0 01 00 00 00 00
436 16 02 C0 01 00 00 00 00
436 16 02 C0 01 00 00 00 00
436 16 02 C0 01 00 00 00 00
436 16 02 C0 01 00 00 00 00
60E C5 00 00 00 00 00 00 00
351 45 01 00 21 1B 75 8F 18 speed
623 00 12 29 46 15 04 20 15 time
653 02 02 04 00 00 00 00 00
436 08 01 00 00 00 00 00 00
428 16 01 00 00 00 00 00 00
604 00 00 00 00 00 00 00 00
661 00 01 12 00 00 00 00 00 audio source
351 45 01 00 21 1B 75 8F 18 speed
353 0F C7 0B C0 7E 22 09 00
436 08 01 00 00 00 00 00 00
625 DB B3 CF 6A 39 00 00 00
428 16 01 00 00 00 00 00 00
604 81 00 00 00 00 00 00 00
661 81 01 12 A0 00 00 00 00 audio source
351 45 01 00 21 1B 75 8F 18 speed
662 00 00 00 00 00 00 00 00
42F 16 01 00 00 00 00 00 00
42F 0F 02 80 00 00 00 00 00
6D1 A1 0F 8A FF 4A FF 00 00
6D0 10 C5 22 10 00 00 00 00
6D1 B1 00 00 00 00 00 00 00
436 08 01 00 00 00 00 00 00
42F 16 01 00 00 00 00 00 00
6D1 20 C6 3C F0 00 2A 20 41
6D1 11 56 58 20 2A 20 00 00
635 00 00 01 00 00 00 00 00 light state
261 20 20 20 20 20 20 20 20 DIS line 1
263 20 20 20 20 20 20 20 20 DIS line 2</code></pre>

So it sounds like the DIS ring has a hierarchy, with the radio station information being lowest priority, maybe bluetooth caller ID or navigation being the next higher priority, and highest priority being things like light bulb or battery low warnings. Instead of doing the man-in-the-middle to filter out the radio station DIS information from the RNS-E, I could probably spoof a bluetooth message using ID 0x265/0x267 because I don't have a bluetooth module--just need to know what the "ring" request from the OEM bluetooth is. Does anyone know?

I have a few more traces that I wanted some help understanding.

When the ignition is turned on, but the radio fuse is pulled, I only see ID 0x428 sending the same payload indefinitely:
<pre><code>ID Len Payload
428 6 08 02 80 00 00 00</code></pre>

When the ignition is turned on (knowing that the radio would turn on too), I see this (filtered for only items in the 0x420-0x4A0 range, up to the first 0x261 message):
<pre><code>ID Len Payload
428 6 08 02 80 00 00 00 (repeated many times, but truncated here)
428 6 08 01 00 00 00 00
436 6 16 02 80 00 00 00
436 6 16 01 00 00 00 00
428 6 08 02 00 00 00 00
428 6 08 01 00 00 00 00
436 6 08 01 00 00 00 00
428 6 16 01 00 00 00 00
436 6 08 01 00 00 00 00
428 6 16 01 00 00 00 00
261 8 20 20 20 20 20 20 20 20
436 6 08 01 00 00 00 00
428 6 16 01 00 00 00 00
436 6 08 01 00 00 00 00
428 6 16 01 00 00 00 00
261 8 39 39 2E 35 00 20 20 20</code></pre>

Why are there multiple 0x436 being sent, and with different payloads? Looks like the radio continually sends 0x436 with payload '08 01 00 00 00 00' indefinitely.

If I then remove the radio fuse, and with the CBT, send the 0x436 ID with payload '08 01 00 00 00 00', I'm still unable to see any of my custom messages on the DIS. For some reason, if I send the message with 6 bytes (0202043608010000000006), the CBT seems to hang...it works if I pad two more bytes of 00 and change the length to 8 (02020436080100000000000008). Maybe I need to code this into firmware instead of just sending the 0x436 and 0x261 from the serial port because the car's expecting these at a much faster rate?

jamesatfish... thank you for the excellent write-up, it certainly helped me make sense of this. I am new to this. I bought VCDS to do repairs on our 2 VWs, and now I have a CBT, so I would like to start logging raw data and learn. I have an '04 Jetta and a 2012 Passat Kessy. I think I'll begin my hack with the Jetta; it is more forgiving, at least it uses a physical key.

Is there an App in the works for Android?

Hi guys! For the past three years, as a hobby, I've been trying to identify the codes of devices and their meanings.
My car: Skoda Octavia II FL 2011 with VAG CAN BUS.
I made a shield for the Raspberry Pi according to the schematic at http://lnxpps.de/rpie/.
<img src="https://dl.dropboxusercontent.com/u/25895838/IMG_4220.JPG" />

I connected to the CAN BUS at the door. I think this line is connected only to the comfort bus (maybe I'm wrong):
<img src="https://dl.dropboxusercontent.com/u/25895838/IMG_4191.JPG" />

To communicate with the CAN BUS I use <a href="https://gitorious.org/linux-can/can-utils">can-utils</a>.
Everything works perfectly; I can control my windows with commands such as:
<pre><code>cansend can0 181#0200  # Open the driver window fully
cansend can0 181#0800  # Close the driver window fully</code></pre>

For OSX and iOS I wrote an app that displays data in real time for devices in individual cells:
<img src="https://dl.dropboxusercontent.com/u/25895838/canbussniffer.png" />

Using this app, I found some CAN devices:
181 - Control/Read status of Windows
381 - Read status of front left Door (open/close)
470 - Read status of front right Door (open/close)
291 - Read status of back right&left Doors (open/close)
531 - Control/Read status of Lights&Winking
5D1 - Read status of Windshield
591 - Read status of CentralLock
67A - Reverse gear engaged

There are many IDs I can't identify. If someone can help with finding IDs, I'll be glad!
I want to find speed, rpm, distance, parking distance, fuel consumption
and other IDs.

I've read that the Skoda is pretty similar to the Audi/VW, so I'd expect it to have 3 separate CAN buses too: comfort, infotainment, and engine. The speed and rpm are on the engine CAN bus, and I believe the speed is also available on the infotainment CAN bus for the nav to read. Since you're on the comfort bus, you likely don't have the data you're looking for. I tapped into the comfort and infotainment buses behind the instrument cluster, which was pretty easy. I followed this pinout on my B7 A4: http://www.audizine.com/forum/showthread.php/486720-RB4-Cluster-connection-pinout?p=7611852&viewfull=1#post7611852.

Hi to all people here, I have a question about the CAN wiring on my VW Polo 1.4D year 2003.
I tried to measure the CAN bus on my car with my DSO through the OBD-II connector on the car.
I connected DSO CH1 to OBD-II pin 6 (CAN-H) and DSO CH2 to OBD-II pin 14 (CAN-L).
But I only got a crappy signal like this:
<img src="http://www.code-elektronic.com/tmp/can bus.bmp" />

I tried the same measurement on my Renault Clio II 1.5DCI and it works perfectly; I can see the CAN communication on my DSO.
I tried the same measurement on another VW Polo 1.4MPI year 2008 and I got the same problem as on the older Polo.

Can somebody tell me why this is happening on the VW cars?

I mean, I can't sniff any data from the CAN network, or what?

Thanks a lot.

Hi, in my Skoda Octavia the OBD connector is connected to the gateway and I can't sniff the CAN BUS through OBD II, so I connected to the CAN BUS in the door.
But now that I know the CAN IDs, I can send CAN commands and receive answers through OBD II. CAN BUS data is transmitted to OBD II only on request.

Aha! That is the trick.
Thanks man!
Is there no way to measure the CAN network in the car through the OBDII and a scope?
Is it maybe possible to get a CAN signal on the OBDII connector with an OBD breakout box?
Hmmm, or we can put an ELMA scanner on the OBDII and with HyperTerminal send and request the CAN commands
and monitor the signals with a DSO to check if there are any disturbances in the CAN network?
I mean, whether there is a shorted or broken CAN wire...

With an ELM327 you can poll CAN devices, if you know the ID.
See the AT commands in the ELM327 manual for how to work with the CAN BUS. I don't remember all the commands, but I polled the CAN devices according to OBD.

@jodank - see my post above about connecting to the OBD connector vs tapping a 'real' CAN line elsewhere in the car.

If you're just listening on the OBD2 CAN pins using your scope you won't see very much - that CAN line does not actively send any data unless it has been specifically requested by a device connected to those pins.

If you connect a diagnostic tool to those pins and actively request CAN data from the car then you should be able to watch the traffic go past using your scope.

Note that the VW CAN Gateways are very particular in their data format and packet timing and if you don't send commands exactly per the specification the Gateway will close the 'session' and stop sending data, so sending individual CAN commands by hand doesn't usually work when connected to the diagnostic CAN line via the OBD2 port.

If you tap an actual vehicle CAN line then those are chatty, and you'll pick up traffic on those lines just by listening.

Thank you guys, you helped me a lot.
Problem solved.

@avis, you had a great idea at #Comment_507. I'll try to use that in my experiments with the comfort bus.
@Derek, what's the status of the DB you talked about in #Comment_42?

Thanks for all the info so far. I own a VW CrossFox year 2008 and I'm getting things ready to play with its CAN bus. I'll post my results when I get anything.

Some additional info I ran across: <a href="https://jazdw.net/tp20">https://jazdw.net/tp20</a>
Has some good info on how to set up measurements.
I haven't tried anything yet but my CAN board is in transit.
Hoping to be able to poll engine oil temp, boost, coolant, and what not and be able to provide indicators such as LEDs and beepers to warn me when things get dicey or that I need to let the oil cool before shutting off the engine after a long turbo pull.
I'm working with an Arduino but have a Raspberry Pi 2 as well if I need more horsepower.
My car is a 2008 Audi A4.

Has anyone played around with comfort-bus data in an A4 (b7 -07)?
I'm able to command the passenger side window as well as the mirror, but on the driver side there are no specific CAN IDs to manipulate. The recurring ID on the D side is 381, but that seems to be some general trigger for locking, alarm as well as warningsidelights(?)
I've tested dumping all data while commanding the driver side window buttons and mirror joystick and replayed that back to the bus, but nothing happens. I also tested commanding the D and P side windows together and replaying the dumped data; the P side works flawlessly but nothing happens on the D side...

really frustrating :/

@Ded you're able to influence the door control module to manipulate the mirrors? How so, move the mirror? Fold the mirror?

Thanks,
Pete
