Hacking the CAN-Interior Bus
12-29-2013 | 03:41 PM
#1
Thread Starter
JK Newbie
Joined: Dec 2013
Posts: 24
Likes: 0
From: Tabernash, CO
Hacking the CAN-Interior Bus
I've been working on integrating directly with the CAN-Interior bus of my JKU for a few projects. This weekend I finally got enough of the pieces together that I was able to get a lot of data off the bus and figure out what actions generate what messages.
It's possible to generate your own messages on the bus to simulate the same actions, or listen for existing messages and perform your own action based on that, e.g. turning on auxiliary lights when the main lights go on. And of course, you can leverage the messages the Radio uses to send data to the EVIC to send your own messages:
I tapped into the CAN-Interior bus at the radio using a custom wiring harness so I could splice the CAN-H and CAN-L wires without having to alter any OEM wiring:
My extra CAN bus wires run to a Raspberry Pi credit-card-sized computer that I have sitting in the glovebox, for now:
The Raspberry Pi runs a Linux variant and is a pretty easy system to use for embedded projects like this.
See my blog at Hacking the Jeep Interior CAN-Bus for more details on what I found and how I did it.
For the actual end-results, here are some of the messages I've found on the CAN-Interior bus so far. This list should grow pretty rapidly now that I've got a platform hooked up to the vehicle for further research.
Message id $295 is the most fun, as that's what you can use to display information on the EVIC.
If you have a request for more information about a certain set of accessories let me know and I'll see if I can find data for them.
You should be able to apply the same trick to the CAN-C power-train bus, although the Diagnostic CAN-C bus is less useful for monitoring since it does not broadcast data on it is own without being asked first.
And for those projects coming down the pipeline, if anyone is interested in beta-testing let me know. Extra points if you are somewhere near Colorado
It's possible to generate your own messages on the bus to simulate the same actions, or listen for existing messages and perform your own action based on that, e.g. turning on auxiliary lights when the main lights go on. And of course, you can leverage the messages the Radio uses to send data to the EVIC to send your own messages:
I tapped into the CAN-Interior bus at the radio using a custom wiring harness so I could splice the CAN-H and CAN-L wires without having to alter any OEM wiring:
My extra CAN bus wires run to a Raspberry Pi credit-card-sized computer that I have sitting in the glovebox, for now:
The Raspberry Pi runs a Linux variant and is a pretty easy system to use for embedded projects like this.
See my blog at Hacking the Jeep Interior CAN-Bus for more details on what I found and how I did it.
For the actual end-results, here are some of the messages I've found on the CAN-Interior bus so far. This list should grow pretty rapidly now that I've got a platform hooked up to the vehicle for further research.
Code:
3e6 00 0d 12 ... # hours, minutes, seconds since vehicle turned on 244 81 00 39 C3 80 # Driver's door open, byte 0 244 80 00 39 C3 80 # Driver's door closed, byte 0 208 01 22 6d 5a 1e 01 2c # Left blinker on, byte 0 208 00 22 6d 6a 1e 01 2c # Left blinker off, byte 0 208 02 22 6d 5a 1e 01 2c # Right blinker on, byte 0 208 00 22 6d 6a 1e 01 2c # Right blinker off, byte 0 1e1 00 00 10 65 00 00 00 00 # Steering wheel position, bytes 3 & 4 2e0 00 01 47 21 ff ff 0c # Brake pedal depressed, byte 4 2e0 00 01 47 20 ff ff 0c # Brake pedal released, byte 4 2e7 84 1c 00 00 00 00 87 # Parking brake on, byte 0 2e7 04 1c 00 00 00 00 87 # Parking brake off, byte 0 292 00 49 33 00 00 48 28 # Throttle pressed, byte 3 2a8 00 01 00 00 00 00 # Windshield wipers, byte 3 2e5 03 # Rear wiper 2d2 01 06 00 # 4WD-HI 2d2 04 04 00 # 4WD-LO 2d2 00 03 00 # 2WD 208 00 22 6d 5a 1e 01 2c # Lights on w/ fogs 208 58 22 6d 51 1e 01 2c 2e1 1a 208 00 22 6d 5a 1e 01 2c # Lights off w/ fogs 2e1 1b 2e1 1b # Fogs on 2e1 0b # Fogs off 2e1 0a # Lights on w/o fogs 2e1 0b # Lights off w/o fogs 29e 00 03 97 20 02 ff ff ff # Change to FM 91.9 291 09 01 05 30 f0 00 07 # Change to satellite, w/ no signal 293 00 00 b8 20 02 ff ff ff 291 01 01 05 10 10 00 07 # Change to FM, 91.5 291 00 03 93 20 02 ff ff ff 291 09 01 05 30 80 00 07 # Change satellite stations 293 00 00 19 23 02 ff ff ff 295 43 65 73 52 65 77 6e 64 # ClsRewnd 29e 00 00 0f 21 02 00 00 00 # Change CD tracks, byte 3 3d9 0a 0a 0a 0a 0a ff # Change volume, byte 0 3d9 08 0a 0a 0a 0a ff # Change volume, byte 0
If you have a request for more information about a certain set of accessories let me know and I'll see if I can find data for them.
You should be able to apply the same trick to the CAN-C power-train bus, although the Diagnostic CAN-C bus is less useful for monitoring since it does not broadcast data on it is own without being asked first.
And for those projects coming down the pipeline, if anyone is interested in beta-testing let me know. Extra points if you are somewhere near Colorado
01-02-2014 | 07:12 AM
#3
Thread Starter
JK Newbie
Joined: Dec 2013
Posts: 24
Likes: 0
From: Tabernash, CO
I spent a bit more time analyzing the messages I've captured and here's some more details on the message format. Still lots to figure out.
Message Id $3d9 - Audio Settings
Each byte details an individual audio setting, volume, balance, etc. Value $0a is the default level for most settings, except for volume where it is level 10. This is from the RES radio so it may vary with the different ones.
byte 00 = volume
byte 01 = balance
byte 02 = fader
byte 04 = bass
byte 05 = mid-range
byte 06 = treble
Message Id $2eb - Sensor Readings
byte 00 = unknown
byte 01 = unknown
byte 02 = unknown
byte 03 = light sensor, values range from $6a to $ef so far
Message Id $2e3 - Heated Seats
Byte 1 is bitmapped to what each heated set setting is at.
byte 00 = unknown (so far always $00)
byte 01 = bit flags
bit 0 = driver's seat low
bit 1 = driver's seat high
bit 3 = passenger seat low
bit 4 = passenger seat high
byte 02 = unknown (so far always $00)
Message Id $208 - Lights
byte 00 = lights active
bit 00 = left blinker
bit 01 = right blinker
bit 03 = parking lights
bit 04 = low-beams
bit 05 = high-beams
bit 06 = front-fog-lights
bit 07 = rear-fog-lights (an assumption)
bytes 01-06 = unknown
Stay tuned...
Message Id $3d9 - Audio Settings
Each byte details an individual audio setting, volume, balance, etc. Value $0a is the default level for most settings, except for volume where it is level 10. This is from the RES radio so it may vary with the different ones.
byte 00 = volume
byte 01 = balance
byte 02 = fader
byte 04 = bass
byte 05 = mid-range
byte 06 = treble
Message Id $2eb - Sensor Readings
byte 00 = unknown
byte 01 = unknown
byte 02 = unknown
byte 03 = light sensor, values range from $6a to $ef so far
Message Id $2e3 - Heated Seats
Byte 1 is bitmapped to what each heated set setting is at.
byte 00 = unknown (so far always $00)
byte 01 = bit flags
bit 0 = driver's seat low
bit 1 = driver's seat high
bit 3 = passenger seat low
bit 4 = passenger seat high
byte 02 = unknown (so far always $00)
Message Id $208 - Lights
byte 00 = lights active
bit 00 = left blinker
bit 01 = right blinker
bit 03 = parking lights
bit 04 = low-beams
bit 05 = high-beams
bit 06 = front-fog-lights
bit 07 = rear-fog-lights (an assumption)
bytes 01-06 = unknown
Stay tuned...
01-02-2014 | 10:14 AM
#5
Thread Starter
JK Newbie
Joined: Dec 2013
Posts: 24
Likes: 0
From: Tabernash, CO
In particular, I'm after turning on accessories with commands from the bus rather than tapping into wiring. Examples:
1) turn on the auxiliary driving lights when the high-beams go on
2) turn on any auxiliary interior lighting when the interior lights go on
... and doing all of that without tapping into existing wiring harnesses. That works okay, but you wind up with an electrical mess over time.
1) turn on the auxiliary driving lights when the high-beams go on
2) turn on any auxiliary interior lighting when the interior lights go on
... and doing all of that without tapping into existing wiring harnesses. That works okay, but you wind up with an electrical mess over time.
01-02-2014 | 05:48 PM
#7
JK Super Freak
Joined: Sep 2013
Posts: 1,636
Likes: 6
From: Mentor, OH
Besides changing the text on the speedo display, have you tried sending messages to turn on the lights, etc.? One application I can think if for sure is, here in Ohio, if your wipers are on, the headlights have to be on. There are so many possibilities, I can't even being to think of what I want to do.
Although I am more inclined to get a Gadgeteer as I am a .NET developer and would rather work in the .NET Micro Framework.
Although I am more inclined to get a Gadgeteer as I am a .NET developer and would rather work in the .NET Micro Framework.
Trending Topics
01-03-2014 | 05:46 AM
#9
JK Newbie
Joined: Nov 2011
Posts: 80
Likes: 0
From: Nebraska
This is a very cool concept. I too would be interested to hear if sending other commands were as effective. Things such as rolling windows down or turning lights on.
This could easily be scripted and interfaced with Bash/PHP to have a touchscreen solution hooked up to the Pi to do a bunch of awesome things.
This could easily be scripted and interfaced with Bash/PHP to have a touchscreen solution hooked up to the Pi to do a bunch of awesome things.
01-03-2014 | 06:12 AM
#10
JK Newbie
Joined: Dec 2013
Posts: 10
Likes: 0
From: Edmond, OK
This is a very cool concept. I too would be interested to hear if sending other commands were as effective. Things such as rolling windows down or turning lights on.
This could easily be scripted and interfaced with Bash/PHP to have a touchscreen solution hooked up to the Pi to do a bunch of awesome things.
This could easily be scripted and interfaced with Bash/PHP to have a touchscreen solution hooked up to the Pi to do a bunch of awesome things.
I'd love to see a schematic of the harness you built for the radio.
