W211 CAN B Hacking
#177
MBWorld Fanatic!
There was a big oversight on the YoM 2004 805 W211 clusters that have the High-Line TPM - the menu states (I think I remember it correctly) "Tire pressure only available when ignition switched on."
#179
Junior Member
Apologies for the late response....
But here's a demo of me cycling through sensor outputs using an Arduino to display readings on the IC Display:
https://photos.app.*******/Y964jPCremeAMTfu8
What other sensors do you guys want??
Project:
https://github.com/UKSFM99/W203-canbus
#183
Junior Member
I have read this whole thread now... however, cannot find the answer to:
I am trying to log CAN data from the OBD2 port; no luck.
What is the CAN bus speed there?
Or is the OBD2 port the wrong port to quiz?
Also, has someone tried to use one of the CSS Electronic loggers successfully? If so, where was it connected?
I suspected to be able to read from the OBD2 port, since my iSoft scanner works there quite well, displaying data from all modules.
Any hints appreciated.
Last edited by M-a-x-G; 12-14-2019 at 04:11 AM. Reason: typos
#184
About the speeds, CAN B is 83.3 kbps and C is 500 kbps
Last edited by Mackhack; 12-14-2019 at 12:25 PM.
#185
Junior Member
Decoded!
I haven't posted on here in a while but I have some news.
So it appears the AUDIO screen can ONLY display 1 line of text. But the Telephone screen can have up to 6! And it automatically puts period characters if it's too long.
I managed to get my screen to display a track that's playing on my phone now on the telephone screen
https://github.com/UKSFM99/W203-canbus
#186
Junior Member
I have some good news for everyone still here.
I have linked up with Alex and together we have been doing some work on both my W203 and his W211.
I have written a Python script to decode XS Monitor data files regarding canbus IDs. You can find the script here:
https://github.com/rnd-ash/W203-canb...DAT_TRANSLATOR
Now, for you guys with the W211, I have attached a FULLY translated description of ALL the CAN C IDs found on the W211.
I hope this is of use to some of you! - Be warned though, please be careful with canbus C, you can cause havoc if you're not careful. Remember it runs at 500KBPS.
The following users liked this post:
M-a-x-G (02-14-2020)
#187
Junior Member
Excellent work... thank you for sharing... I won't ask how you figured these out
This may well be the trigger for me to look into the intermittent engine stutter I have got... I see an engine emergency shutoff signal... interesting.
As a native speaker of German I can say that some of the English translations are 'misleading', as in not translated by meaning; e.g. MSG NAME: MOT_AUF - Bonnet is on, OFFSET 11, LENGTH 1, should read bonnet is open.
#188
Junior Member
I have all the original documents here. So feel free to browse the parsed ones in German if you don't want shoddy translations:
https://github.com/rnd-ash/W203-canb...SLATOR/DECODED
Enjoy!
The following users liked this post:
M-a-x-G (02-14-2020)
#191
Anyone tried playing with W251 canbus here?
Hey, has anyone got to play with the W251 interior bus here?
I'm mainly looking for some help to figure out the packages sent to the display. I did search through the GitHub repos posted here, but haven't had much luck with one byte which I believe is a checksum.
I believe the first message starting with 0x10 follows the same format as found in one GitHub repo, where byte 1 (byte 7 + 7) is a checksum, as well as byte 7 being a checksum (characters + 3), which seems to be correct for all messages I have got. But bytes 5 and 6 in the last message of the series are something I have not figured out, any thoughts? Also, byte 7 seems to be 0x50 or 0x80, which might be important or not.
#192
MBWorld Fanatic!
CAN C
A little off CAN B here too, apologies in advance, but there has been some referencing to CAN C.
Long story short, I installed (with much help) Distronic into my MTX m271 powered w203.
I have been led to think an emulator may be the only option, as all coding options show “NAG”, or “New Automatic Transmission”...
Any pointers or tips?
Admittedly I won’t be building the emulator, I don’t know how. But I have resources that are willing to help.
Thank you in advance,
Jake
https://mbworld.org/forums/performan...ult-c1510.html
#193
Junior Member
Holy crap, congrats man.
Distronics is on Canbus C, NOT Canbus B.
If you don't have access to Star, then yes, an emulator chip is probably the best way to go. I have all the IDs stored on the W203's CAN C here:
See here
Just remember, if you're playing with Canbus C, be VERY careful with what you are doing :P, I won't be responsible for any accidents because your transmission decided it's time to jump into park.
#195
MBWorld Fanatic!
Thank you for the reply!
Yes, I am working on CANC. I am plugged into the distributor by the driver kick panel, per OEM.
A few people working on 722.6 transmissions, and others have replied. While an emulator might be an option, it seems the developer coding is just wrong. I have no fault error codes related to the transmission. Just with the ME (developer) coding being incorrect and ESP, which should be related, as the error code appeared at the same time.
I do not have an automatic, I have a manual 716 6 speed transmission, which, according to some, is the problem.
I do have resume cruise control, memory, that will throttle up. This led me to think the DTR project was possible with my car.
Last edited by BF_JC230; 04-04-2020 at 09:13 AM.
#196
Junior Member
CLK320 2009 (W209)
rnd_ash, the work you've put together is so good - coming back to this thread after roughly 2 years and seeing the progress.
I'm back in the car with my laptop trying to give it a go again. I'm connected to X30/6 and so far, it's going OK. Do you think that X30/7 will let me send more messages? Because I'm still unable to do anything with the driver's window.
With regards to the decoded data on your github (rnd_ash), my understanding is that the offset is where the data begins, so how would one send a message when the offset is 25 for example. I can only send 11-bit messages. Do I need to go 29-bit? Or can I send messages sequentially to get there?
Does someone have an example for;
ECU NAME: KG_A2, ID: 0x0050. MSG COUNT: 7
MSG NAME: FVL_KG - Open windows front left / Close, OFFSET 3, LENGTH 1
What would this look like?
Cheers
#197
Junior Member
In regards to bits: these are at an offset from the start of the message. For example, an 8-byte CAN frame would have 64 bits. So in the KG_A2 example, your magic bit would be at offset 3 (which is in the first byte of the message). I suggest you print test CAN frames in binary first... I think my ARDUINO_CODE folder has a method to do that in CA handler.cpp, take a look.
To actually set that bit... I would do frame.bytes[0] | 0b00100000 to toggle that bit to on.
Also in regards to sending frames, it doesn't matter where. Everything on CAN B can talk to each other no matter where you're plugged in.
The following users liked this post:
the88g (07-17-2020)
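The bit-offset addressing described in the reply above, as an added example (not code from the W203-canbus project): it reads a field at a given OFFSET/LENGTH from a frame's data bytes and prints the frame in binary, as the reply suggests doing first. The frame contents are constructed, and whether offset 0 is the most or least significant bit of byte 0 is an assumption the code leaves selectable, to be confirmed against frames captured from the bus.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

struct CanFrame {
    uint16_t id;        // 11-bit identifier
    uint8_t  dlc;       // number of data bytes (0..8)
    uint8_t  bytes[8];  // data field: up to 64 bits, offsets count from its start
};

// Assumption: the thread does not say which end of a byte "offset 0" is,
// so both numberings are offered and must be checked against real captures.
enum class BitOrder { MsbFirst, LsbFirst };

// Mask of the bit at `offset` inside its own byte (byte index is offset / 8).
uint8_t bitMask(unsigned offset, BitOrder order) {
    unsigned bit = offset % 8;
    return order == BitOrder::MsbFirst ? uint8_t(0x80u >> bit) : uint8_t(1u << bit);
}

// Read `length` bits starting at bit `offset`; returns -1 if the field leaves the frame.
long readSignal(const CanFrame& f, unsigned offset, unsigned length, BitOrder order) {
    if (length == 0 || length > 31 || offset + length > f.dlc * 8u) return -1;
    long value = 0;
    for (unsigned i = 0; i < length; ++i) {
        unsigned pos = offset + i;
        long bit = (f.bytes[pos / 8] & bitMask(pos, order)) ? 1 : 0;
        if (order == BitOrder::MsbFirst) value = (value << 1) | bit;  // first bit is the highest
        else value |= bit << i;                                       // first bit is the lowest
    }
    return value;
}

// Data bytes as binary text, one group per byte, most significant bit on the left.
std::string toBinary(const CanFrame& f) {
    std::string out;
    for (unsigned i = 0; i < f.dlc; ++i) {
        if (i) out += ' ';
        for (int b = 7; b >= 0; --b) out += ((f.bytes[i] >> b) & 1) ? '1' : '0';
    }
    return out;
}

// Constructed frame: the ID is KG_A2's from the thread, the data bytes are made up.
CanFrame sampleFrame() {
    return CanFrame{0x0050, 8, {0x10, 0xC0, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00}};
}

int main() {
    CanFrame f = sampleFrame();
    std::printf("ID 0x%03X  %s\n", (unsigned)f.id, toBinary(f).c_str());
    // Offset 25 still lies inside the 64 data bits (byte 3); the 11-bit/29-bit
    // choice concerns the identifier length, not the data field.
    const unsigned offsets[] = {3, 25};
    for (unsigned off : offsets) {
        std::printf("offset %2u -> byte %u  MSB-first mask 0x%02X (bit=%ld)  "
                    "LSB-first mask 0x%02X (bit=%ld)\n",
                    off, off / 8,
                    (unsigned)bitMask(off, BitOrder::MsbFirst),
                    readSignal(f, off, 1, BitOrder::MsbFirst),
                    (unsigned)bitMask(off, BitOrder::LsbFirst),
                    readSignal(f, off, 1, BitOrder::LsbFirst));
    }
    return 0;
}
```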
#198
MBWorld Fanatic!
I detest the speed controller volume function built into the COMAND audio on my 2014 W463 (and all recent MBs for that matter). I have been unable to disable it via STAR or via the engineering menu in the COMAND system. For earlier year models (like my 2003 W463), there was a setting to turn it off with STAR, but no longer. I hate it so much that I have been toying with two different ideas. I know that either may raise hell with the nav system, but I'd rather get rid of the SCV.
The first, crude, but possibly effective approach is simple disconnection. From what I have been able to piece together, the COMAND unit talks to both can B and can C. I suspect (or more like hope) that things like steering wheel controls, power up, etc come in one bus while the speed signal comes on the other. This would make simple disconnection a possible solution.
The second, more elegant, but much more complicated approach, is the idea of building a can blocker to either zero or drop the speed info that gets sent to the COMAND system. I have done embedded systems development (for medical devices), but am relatively new to can bus hacking. So to me, this seems like this would be possible to do, although I have little sense of what the hardware/software requirements might be.
For those with much more experience in the can world, what are your thoughts? Any comments/suggestions are welcome.
Thank you!
Last edited by Floobydust; 07-19-2020 at 11:07 AM.
#199
Junior Member
Mercedes cars only use CAN B with AGW/COMAND. The instrument cluster sends the current speed of the car over CAN, and that is how the volume is raised and lowered automatically.
To make matters worse, the instrument cluster also sends out CAN messages about which buttons on the wheel are pressed.
What you can do is build a CAN blocker for your COMAND unit to simply block the specific CAN ID sent over CAN from your IC. I stress that you do this on your COMAND unit, and not behind the IC. (Other ECUs in the car use the speed as well!)
#200
MBWorld Fanatic!
Hate to bring you bad news...
So bummer, it looks like it's option two - can blocker. Of course I would set it up so that it only blocks the info to the COMAND head unit. Do you know of anyone or have any links to someone who has already done DIY work on can blockers? I would like to avoid reinventing the wheel and learn as much as I can from those who have already done things in this area.
Thanks again!