This is probably the most ridiculous way to reverse engineer something to date… a Chumby, an EasySync CAN Sniffer, PHP and JavaScript… but it works.
Instead of designing and building my own daughter-board for the Chumby, I bought an EasySync CAN USB converter which only has one CAN interface [and its not worth buying two]. This means I will have to use the Mazda’s MS-CAN bus only [That’s where the fuel/trip computer information is]. Only one problem, I didn’t pay much attention to the MS-CAN bus before and the MS-CAN bus isn’t as interesting as the HS-CAN.
So new mission to find out what else is on the MS-CAN bus now. Problem is, the nature of the information on the MS-CAN is different to the HS-CAN. For example, something like Speed on the HS-CAN was pretty easy to decipher from just logging the data then plotting again. Trying to figure out ‘door open’ for example on the MS-CAN is a lot hard this way.
I needed a tool to help me decipher the secrets of the MS-CAN, and I ended up writing (copy and pasting from old code) a ridiculous combination of PHP scripts for the chumby, a JavaScript/HTML front end. All done and tested in 2 hours (lots of copy and pasting…) it works quite well.
How it works
- A background PHP script talks to the EasySync converter and reads the CAN messages that is being sent on the bus and makes this available to another data retrieval PHP script via sessions.
- The front end HTML/Javascript combination calls upon the data retrieval PHP, which feeds it XML on the messages for example the CAN Identifer and the timestamp.
- The XML is parsed and is rendered into a table for display, data is refreshed at periodic intervals.
- The Javascript compares the XML values with the already rendered values before updating to detect a change in value. If there is a change, the background of the ‘byte’ field changes.
- A keypress monitor allows the user to ‘reset’ the changed background colours.
- Code attached below if you want to peek at the mess…
How I used it
Basically sat in the car with the sniffer running and trying various combinations to see which bit/byte changed. e.g. Run sniffer, open a door, see message ‘433’ byte ‘0’ change colour, write down what changed, reset fields, open another door/do something else.
There were a few useful fields that I found/reconfirmed. Nothing too interesting though and alot is disappointing. For example there is information regarding headlight high beam being on, but not just normal headlights. I suppose that’s because the high beam is displayed on the instrument panel whilst normal headlights doesn’t display/do anything.
Another disappointing thing is that the ‘ass/arse sensor’ (that’s what I call the passenger seat detection gizmo) is only a boolean signal…no pressure sensing in it at all. Would have been useful if it was an analogue signal, could have been good for the mChumby display – “Warning, the girl on the passenger seat weighs 87kg, do not go on another date”.
I’ll be updating the new information to the Mazda CAN Bus page in the next couple of days… check back then to see what’s new.
Download cansniffer.zip (There’s still a bug with the timestamp I’m too lazy to fix… disclaimer this is hobby/crappy code :P)
Hi!! from Spain
I’ve been following your blog for a while, watching all the discovers you have made. Great Job!!!. I have a 2.0 Mazda 3 and I expect to develop a similar project using arduino and arcan http://www.arcan.es/ which is a cheap arduino shield to control can-bus interfaces…
The info you have released will be very usefull. Thanks
Hi,
your post is really cool, however I have a few questions. As I understand it, you need to have two J1962M cables. One where the HS-CAN is wired to DB9 and other where MS-CAN is wired to DB9. Am I right?
HS-CAN is good for regular ODB2 diagnostics but MS-CAN seems to have all the Mazda3 goodies, like the trip comupter.
Thank you very much
-Pavel
Hi Pavel,
There is only one connector on the car for both HS-CAN and MS-CAN, you can then break that out to separate DB9’s as required. The pin-outs are in the comments above or in the comments in another post 😉
Hey great post!
We will be watching closely as we too want to do reverse engineering on a can bus (on a Vauxhall car).
Here is a post about using Wireshark on linux to sniff can packets
http://hackingvectra.blogspot.com/2011/02/can-bus-reverse-engineering-tools.html
What device are you using?
Great work on this. I know these posts are a couple years old, but the data helped me out. I’ve built my own can board with an Atmega 32u4 and two Can busses. It’s working great so far. Just wanted to let you know I wrote a quick logger simliar to yours (html/js) but it runs on node.js and is realtime. It will be available on Github eventually, but if you are still interested in this stuff let me know and I’ll send you a copy.
https://dl.dropbox.com/u/120967/NodeLogger.jpg
Nice 🙂
Can you share some details of your atmega32u4 CAN bus? Which controllers and transceivers did you end up using?
Is it possible to use this software with a different adapter? I currently have this tool: http://www.scantool.net/obdlink-mx.html
So far I’ve manually found out a bunch of things with my car but other things are like pulling teeth. Having a visual aid would rock (your tool).
Hi, what are you trying to do? Those OBD2 adaptors usually interrogate the ECU via OBD2 codes…what exactly are you after?
This module can output can messages as well. What my end goal is is to make a app for my android to emulate a remote controller and to display messages to display.
Here is an example of a few can messages I’ve been able to identify and the output format of the device over the COM bus:
2e0 01 88 00 00 00 00 00 00
2e0 01 48 00 00 00 00 00 00
These messages are what is outputted when I pressed the on-off button on my dash for the radio.
Hi Dan, are you sure those are ‘command’ signals instead of ‘status’ signals. At least on my car, the controls on the steering wheel are wired directly to the passenger junction box and then onto the radio. Whilst there were messages being sent on power on/off, they were actually from the radio unit itself – i.e. status messages 🙁
Try send out those signals and see if there is a response, just warning you that there might not be any…
Thankfully they are control messages. On my 08 focus the buttons are separate module from the “receiver” (Ford calls it a Audio Control unit).
All the commands from the panel are sent over the MS-CAN bus to the ACU. I was able to send messages from my laptop to the car via the scantool obdlink mx module.
When the weather breaks here in NY I’ll have to look into this a bit better to see if the receiver sends back any “confirmation codes” but I do know I was able to change radio stations with a different command set.
Re: Rx-8 instrument Cluster
anyone know how to fool the cluster into thinking the parking light / head light’s are on?
got it working on my desktop simulator but i want the clusters red lights to turn when i turn the lights on.
it’s a CAN signal but dunno which id.