angelovAlex

I know it. I was trying to connect to CAN B, using brown and red brown wires. And as I understand, there's CAN D bus in obd2 connector. The question was "is it possible to connect to CAN B with mcp2515, and what is the config values for this chip".

Mackhack

Yea you can connect to CAN B. 83.3 kbps. CAN C 500 Kbps.

angelovAlex

I tried it with values from calculator and I connected it to another wires today. The same brown red and brown wires, but in the connector that goes to parktronic-off, pnevmo buttons close to transmission selector. It's very easy to pill off that panel and get this connector.
And it worked!! It read about 50 messages per second. I filtered 75 ids that spams constantly and got a normal working environment where I can sniff what I wanted.
I started to play with electric windows and found pid and pattern in package's data to open and close a needed window. It's really easy to play with it, I attached it to lock car event and now when I press lock button on key it automatically closes all windows

Just in case it will be useful for somebody https://docs.google.com/spreadsheets...it?usp=sharing

jumph4x

Going to go ahead and bump this thread. I just picked up a 2003 W211 E55 AMG and a Canbus Triple unit.

I've read this entire thread and will likely re-read this week again and then start planning where to tap into the bus and where to go from there.

Starting with CAN-B, going to attack steering wheel controls first.

angelovAlex

I sniffed and decoded pretty much everything in CAN B, but I didnt document most of the things. Let me know if you need any help. Also check out my google sheets document in privious post that contains some of stuff that I found at the beginning.

jumph4x

This is awesome, come back and jam with us!

jumph4x

Very useful!

Mackhack

I didn't look at the spreadsheet since I have my own somewhere from years ago. But what I suggest to you is, do it on your own. Spend time in your car (days and weeks) away from the family to learn how CAN works, how the messages are build up, what CAN IDs are around, which control module has which ID, etc. You will appreciate what you learn.

This knowledge comes in handy if you ever encounter a drained battery because a control module won't go to sleep and drains your battery. Even many MB mechanics don't understand the concept. Of course you can do many other things with this knowledge.

jumph4x

I don't think there is any way around the simple fact that I'm about to dump a lot of time into this, don't you worry

I do wonder, however, do the factory schematics show you where CAN firewalls are installed?
Or more importantly, do they document the Parameter IDs of various components?

In any event, sounds like step one is for me to wire in the Canbus Triple to the the CAN-B wires running around somewhere under the gear-selector trim.

Mackhack

Nope, no IDs, no nothing is documented for the public. That's the fun of it to find the corresponding control module (ID), each bit that controls what,...

jumph4x

Sounds about right.

angelovAlex

Not everything in the google sheet. I havent been updating it for long time, but did a huge progress forward. Including writing text to ic screen and controlling most of the things in car. But there are still lots of limitation, like climate control cant be controlled over CAN. At least there is no any AC button connected to CAN bus, and Im going to play with Star Diagnosi to see whether it sends any new CAN messages

Mackhack

Climate control unit has CAN B.

angelovAlex

It does connected to CAN B. Climate control reads sensors, but there is no way to control climate control, as nothing is sent when you press on climate control buttons. As climate control buttons are connected directly to climate control unit and they dont send anything over CAN B.

Mackhack

I see what you mean.

jumph4x

Alex!

Come back, we need you around here. I emailed you but I'm sure you're just busy with your own matters.

In any event, I'm about to open up the shifter console area and look for where you tapped into the network.

On another note, do you guys all simply use computers to dispatch messages or has anyone built hardware switches and wired them into CBT to dispatch commands?
I'm evaluating how to best remap steering wheel controls to an offboard panel and various other projects. Also related: where can I buy high quality momentary switches and such?

Mackhack

If you know the CAN protocol and know how to build your own Circuit you can program your own control unit to do various things.

Switches: anywhere you can find them, mouser, digikey, bg Micro,...

jumph4x

Of course. And yes, I do.

If you re-read what I wrote, I asked the people in this thread how they dispatched messages. I didn't ask what I should do.

I was looking at mouser today, that user interface is painful. I am looking for a momentary-on toggle switch (to which I want to add a missile cover). I will be changing the shift-knob and the keyless go button relocation will need to happen.

But I think for that button I will simply trace the existing leads and where they end up under the shifter and simply tap into them instead.

angelovAlex

jumph4, I double checked my emails and didnt find anything from you. (btw, I was wondering why you didnt sen anything).
Just an update: I did a long pause in reverse engeneering, but back to it a couple of weeks ago, when a nice person sent me an interesting files from star diagnosis. After deep analizing I decoded them and extruct the whole description of can b, all pids, what unit the belong to, description for every single byte for every single package in can b.
I also bought an instrumental cluster and started to play with diagnostic protocol. I found out how to draw anything on ic screen. And reversed engineered a part of agw,cgw and ic comunication protocol (to draw on music, navi, phone and service menu screens)
You can check my working sketch at github (same nickname), but its not a ready-to-use project and I expect you will find it useful only if you have some knowladge in software development.
I will push all can b description as soon as I will get some time to make a beautiful output.
Here's an example of modern reverse engineered art(for sale):


Regarding your questions:
I can make a photo of where I connected it to bus, I added a connector there, so its easy to plug my hardware. I use mcp2515 + arduino nano, it can be connected to macbook and I can send commands over serial connection to arduino and then to can bus. And also it works as independent unit that does many things(draws new ic screens (parktronic distances, detailed consumptions, gps stuff), closes windows when I lock car, controls seat heaters,etc and the arduino is controled by steering wheel buttons.

Mackhack

Well done.

jumph4x

Here is where I am at:


I wired it into the Parktronic sensor you mentioned but apparently there is some sort of a CANBUS firewall to the driver's door because only 3 windows respond to the message.

I sent you a private message with a screenshot of the email I sent

Mackhack

Disconnect the LCP and plug your Arduino or whatever you use in the plug with the two CAN cables. Works like a charm for me.

jumph4x

What's LCP?

EDIT: Lower Control Panel? I do have it wired into there. It's a 4-lead connector connecting to the rear-most part with 3 buttons (Parktronic-off, Airmatic lift and Airmatic valving buttons).
The front left window interactions aren't logged and when they are sent, they don't reach that window either. Weird.

angelovAlex

Yep, It was a big issue with driver's window. As power window is connected directly to door's unit and doesnt wont to be controlled by this can message.
The issue is that the message that you send belongs to door's unit, so it doesnt react on it's own message. You need to send a message from another block.
Driver's window can be controlled by sending a message KG_A2 ID:0x0050 from EZS.
Here's details of the package:
--- KG_A2 ID:0x0050
--- --- KB_MOD_KG() - Modus Komfortbetätigung, offset:6, len:1
--- --- KB_RI_KG() - Richtung Komfortbetätigung, offset:5, len:1
--- --- SHD_KG() - SHD/Verdeck öffnen/schließen, offset:4, len:1
--- --- FVL_KG() - Fenster vorne links öffnen/schließen, offset:3, len:1
--- --- FVR_KG() - Fenster vorne rechts öffnen/schließen, offset:2, len:1
--- --- FHL_KG() - Fenster hinten links öffnen/schließen, offset:1, len:1
--- --- FHR_KG() - Fenster hinten rechts öffnen/schließen, offset:0, len:1
And code you could find in my sketch
void closeWindows(boolean closew = true) {
#define W_LF 0b00010000
#define W_RF 0b00100000
#define W_ALL 0b11110000
#define W_OPEN 0x0
#define W_CLOSE 0b00000100
#define W_AUTO 0b00000010
#define W_MAN 0b00000000
#define W_TEST 0b00001000

sendCanMsg(createCANPackage(80, 1, W_ALL | W_AUTO | ((closew) ? W_CLOSE : W_OPEN)));
}

jumph4x

Alex has been very gracious and helpful with his efforts and documenting everything in this thread and outside of it.

He took the time to upload some ID and offset reference material, I was able to write a script to translate from German using Google Translate. I made two versions: one Russian and one English to help us all.

I sent his project a pull request, meanwhile the PID descriptions can be reviewed here in English: https://github.com/jumph4x/can-bus-w...on/EN_PIDS.txt