Jun 7, 2022 | 09:22 AM
nemiro
CAN Bus Hacking - Crossfire

I have been working for a while on decoding various bits on the CAN-C (powertrain) network inside our Crossfires. The goal is to be able to read data for instrumentation, and to be able to write data to manipulate new functions, and one day add newer/better/more modern conveniences into a Crossfire. The reason for accessing the CAN bus directly is to use the tools the engineers put there to begin with, and learn to coexist with the bus. Too often, we simply have no understanding, so we apply hacks to get around the network, instead of working with the framework that was carefully engineered into our cars. I am intending that this is a long-term, ongoing thread, with contributions from people who have good knowledge of the system and those who want to learn.

If you don't know anything about CAN bus, there is a plethora of information about the basics of CAN bus, such as these links:
https://www.csselectronics.com/pages...intro-tutorial
https://projects.cs.ru.is/svn/honnun...bus-primer.pdf

This thread is not intended to teach about the basics of CAN, but rather to be a discussion about how to hook up to our vehicle, tools to read it from, and what projects people are doing. I also hope others will contribute to the growing number of identified CAN IDs and the data stored within them. Don't worry if this is over your head. It's not most people's area of expertise. However, if you are an electronics hobbyist and a car nut, then there's a lot to be learned and contributed to here.

There is a discussion brewing on this on SLKWorld, and I will try to bring some of that discussion into this thread, also. Below is from a post I made there, and hopefully, it will kickstart discussion on Crossfire Forum!

These IDs will give you the info you need to get some basic functions up and going. Everything in CAN-world is in hexadecimal, but locations of data are given in offsets in decimal number of bits, i.e., offset 0 means that the data starts at bit 0 of the data field for that CAN ID, and offset 26 means that the data we care about starts at the 26th bit. There is also a length (usually abbreviated LEN), which will tell you the range of numbers for that data. If the LEN is 1, then it is a 1 bit flag (0 or 1). If the LEN is 8, then the range is 0-255. Sometimes the LEN is 3, meaning a number of 0-7. It follows a simple binary pattern. Oftentimes, there are several parameters to be found at a single CAN ID (which will make more sense, once you understand that the CAN ID is tied to a particular piece of hardware, like the ECU or TCU). The thing to remember is that none of these are data in English, and almost none are straight numbers. You will need to do some sleuthing and a bit of algebra to get real world numbers. Almost all units are metric, natively, but any system can be applied with said algebra. As humans, we like good round numbers for things, and sometimes we can figure items out, because the engineers who made all of this are humans, too.

Everything I will present will be CAN-C (powertrain) info, unless listed, as the R170/Crossfire only has a CAN-C bus. This is very, very far from a complete list. I will add to it in future posts, and will probably consolidate it all into a future thread. I really hope that some of you will take this info and run with it, helping us as a community to find additional info and how to use it.

The format of the info I will present is as follows:

CAN ID, OFFSET, LEN, Description.
0x0200, 0, 1, brake defect lamp on
0x0200, 1, 1, BAS lamp on
0x0200, 2, 16, vehicle speed
0x0200, 14, 2, brake switch state
0x0200, 50, 14, LF wheel speed for cruise

0x0208, 11, 1, Cruise mode off

0x0212, 0, 16, engine target idle speed

0x0218, 16, 4, target gear
0x0218, 20, 4, actual gear

0x0228, 0, 2, direction LF wheel
0x0228, 2, 14, LF wheel speed
0x0228, 16, 2, direction RF wheel
0x0228, 18, 14, RF wheel speed
0x0228, 32, direction LR wheel
0x0228, 34, 14, LR wheel speed
0x0228, 48, 2, direction RR wheel
0x0228, 50, 14, RR wheel speed

0x0230, 0, 1, W/S driving program
0x0230, 1, 1, driving program switch pressed
0x0230, 4, 4, gear lever position

0x0308, 0, 1, clutch pressed
0x0308, 8, 16, engine RPM
0x0308, 30, 1, check engine lamp on
0x0308, 29, 1, oil lamp on
0x0308, 39, 1, coolant lamp on
0x0308, 32, 1, oil temp high
0x0308, 40, 8, oil temp
0x0308, 48, 8, oil level
0x0308, 56, 8, oil quality

0x0338, 0, 16, transmission output speed

0x0408, 0, 8, fuel level
0x0408, 8, 1, driver door ajar
0x0408, 14, 1, fuel level low light on
0x0408, 40, 16, odometer

0x0410, 7, 1, A/C compressor on
0x0410, 8, 8, refrigerant pressure
0x0410, 40, 8, outside temp

0x0418, 8, 8, transmission driving program
0x0418, 16, 8, transmission temp
0x0418, 31, 1, kickdown switch
0x0418, 32, 4, target gear
0x0418, 36, 4, actual gear

0x0608, 0, 8, coolant temp
0x0608, 8, 8, intake air temp

 
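Added example, not part of nemiro's post: a read-only decoder that parses rows in the post's "CAN ID, OFFSET, LEN, Description" format and pulls the raw (unscaled) values out of a frame's data bytes, rejecting rows with a missing column and fields that run past a short payload. The function names and the sample payload are made up for illustration, and the bit order (offset 0 = most significant bit of the first data byte) is an assumption the post does not confirm.

```python
# Added example: decode raw fields from a CAN frame using the post's
# "CAN ID, OFFSET, LEN, Description" rows. Read-only; no scaling applied.
# ASSUMPTION: offset 0 is the most significant bit of data byte 0 and
# fields run MSB-first. The post does not state the bit order.

SIGNALS_TXT = """\
0x0228, 0, 2, direction LF wheel
0x0228, 2, 14, LF wheel speed
0x0228, 32, direction LR wheel
0x0308, 8, 16, engine RPM
0x0308, 30, 1, check engine lamp on
0x0308, 40, 8, oil temp
"""

def parse_signals(text):
    """Return ({can_id: [(offset, length, name)]}, [rejected rows])."""
    table, rejected = {}, []
    for row in text.splitlines():
        parts = [p.strip() for p in row.split(",", 3)]
        try:
            can_id, offset, length = int(parts[0], 16), int(parts[1]), int(parts[2])
            name = parts[3]
        except (ValueError, IndexError):
            rejected.append(row)  # e.g. a row with no LEN column
            continue
        table.setdefault(can_id, []).append((offset, length, name))
    return table, rejected

def extract(data, offset, length):
    """Raw unsigned value of `length` bits starting at bit `offset`."""
    total = len(data) * 8
    if length < 1 or offset < 0 or offset + length > total:
        raise ValueError(f"field {offset}+{length} outside {total}-bit payload")
    shift = total - offset - length
    return (int.from_bytes(data, "big") >> shift) & ((1 << length) - 1)

def decode(table, can_id, data):
    """Map each known signal name for can_id to its raw value."""
    return {name: extract(data, off, ln) for off, ln, name in table.get(can_id, [])}

# Constructed sample payload for ID 0x0308 (not captured from a car).
SAMPLE_0308 = bytes([0x00, 0x0B, 0xB8, 0x02, 0x00, 0x5A, 0x00, 0x00])

if __name__ == "__main__":
    table, rejected = parse_signals(SIGNALS_TXT)
    print(decode(table, 0x0308, SAMPLE_0308))
    print("rejected rows:", rejected)
```

If the decoded numbers look wrong against a known reading on the car, check the bit-order assumption first, before working out any scaling.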