I’m continuing to play with the CAN network available on the OBD2 port located under the dash, hoping to reverse engineer its capabilities. See my previous posts for background on this.
I have started to play with the 30 service as outlined in ISO-14230, which is the InputOutputControlByLocalIdentifier service. Another the370z.com forum user sent me logs of his Consult-III clone software controlling the door locks. It used the 745/765 (send/receive) CAN addresses to control the locks and the 30 service as expected. Therefore, the 745 address must be for the BCM (Body Control Module), which is the module that controls just about everything you interact with in the car on a normal basis. So I wrote a program to snoop out which addresses the 30 service could use. To do this you first have to enter the correct diagnostic mode in order for the car to allow you to make changes. The following command does this:
745 02 10 C0
745 is the CAN address we are sending the command to, 02 is the number of bytes in the packet, 10 is the StartDiagnosticSession command, and C0 is the session we need for the 30 service.
Then we need to poll the 0x00 address to see what other addresses are supported:
745 02 30 00
745 is the CAN address we are sending the command to, 02 is the number of bytes in the packet, 30 is the InputOutputControlByLocalIdentifier service, and 00 is the first address we are testing. This command will return a response like this:
765 05 70 0D E7 92 51
765 is the response CAN address paired with the 745 address we used (745 + 20), 05 is the number of bytes in the packet, 70 is the positive response to the 30 service (30 + 40), and the last 4 bytes are a bit field that tells you which of the next 32 addresses are supported (one bit for each address from 0x01 to 0x20). The order is from most significant bit to least significant bit. The last bit, the one for 0x20, tells you whether there is another bit field to retrieve. In this case there is, so you can send a request for the bit field starting at address 0x20 and keep going until you run out.
In my 370Z, I could query all the way up to 0x60, so that gives 124 possible items to control. However, only 52 returned a ‘1’ to indicate that they are supported. Once you know which addresses are supported, you can change the state of many things in your car with a command like the following:
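To make the bit-field walk concrete, here is an added example (my own code, not the program from the post) that renders and parses frames in the post's notation, decodes one 4-byte field MSB-first into the identifiers it covers, and keeps polling 0x00, 0x20, 0x40, … while the continuation bit is set. The bus is a constructed stand-in: the reply for 0x00 is the one shown above, the reply for 0x20 is made up, and the 7F negative-response byte is the KWP2000 convention rather than something the post shows.

```python
"""Enumerate the local identifiers that service 0x30 reports as supported."""

BCM_REQ_ID = 0x745
BCM_RESP_ID = BCM_REQ_ID + 0x20   # post: response ID is the request ID + 0x20
SVC_IO_CTRL = 0x30
POSITIVE_OFFSET = 0x40            # post: positive response SID is service + 0x40
NEGATIVE_RESPONSE = 0x7F          # KWP2000 negative-response SID (assumed, not in the post)
BLOCK = 0x20                      # each bit field covers the 32 identifiers after its base


def frame(can_id, payload):
    """Render a frame the way the post writes it: CAN ID, length byte, data bytes."""
    return f"{can_id:03X} " + " ".join(f"{v:02X}" for v in (len(payload), *payload))


def parse_frame(text):
    """Inverse of frame(): returns (can_id, data) and checks the length byte."""
    parts = text.split()
    can_id, length = int(parts[0], 16), int(parts[1], 16)
    data = bytes(int(p, 16) for p in parts[2:])
    if len(data) != length:
        raise ValueError(f"length byte {length:02X} does not match {len(data)} data bytes")
    return can_id, data


def decode_bitfield(bits, base):
    """Map the 4-byte field to identifiers base+0x01 .. base+0x20, MSB first.

    The bit for base+0x20 doubles as the continuation flag, so it is returned
    separately instead of being listed as a controllable identifier.
    """
    if len(bits) != 4:
        raise ValueError("expected a 4-byte bit field")
    supported = []
    for byte_index, byte in enumerate(bits):
        for bit in range(7, -1, -1):          # bit 7 -> +1, bit 0 -> +8
            if byte >> bit & 1:
                supported.append(base + byte_index * 8 + (8 - bit))
    has_more = (base + BLOCK) in supported
    return [lid for lid in supported if lid != base + BLOCK], has_more


def enumerate_supported(send, start=0x00):
    """Poll 0x00, 0x20, ... until the continuation bit clears or the ECU refuses.

    `send` maps a request frame string to a response frame string (or None);
    swap in a real CAN adapter to run this against a car.
    """
    found, base = {}, start
    while True:
        resp = send(frame(BCM_REQ_ID, bytes([SVC_IO_CTRL, base])))
        if resp is None:
            break
        can_id, data = parse_frame(resp)
        if can_id != BCM_RESP_ID or data[0] == NEGATIVE_RESPONSE:
            break
        if data[0] != SVC_IO_CTRL + POSITIVE_OFFSET or len(data) != 5:
            raise ValueError(f"unexpected response {resp!r}")
        found[base], has_more = decode_bitfield(data[1:], base)
        if not has_more:
            break
        base += BLOCK
    return found


# Constructed replies: the first is the response shown in the post, the second is made up
# (only 0x21 supported, continuation bit clear) so the walk terminates.
CONSTRUCTED_REPLIES = {
    "745 02 30 00": "765 05 70 0D E7 92 51",
    "745 02 30 20": "765 05 70 80 00 00 00",
}


def fake_bus(request):
    return CONSTRUCTED_REPLIES.get(request)


if __name__ == "__main__":
    for base, lids in enumerate_supported(fake_bus).items():
        print(f"base {base:02X}: " + " ".join(f"{lid:02X}" for lid in lids))
```

Run against the post's own reply, the decoder lists 05 (the door locks) among fourteen supported identifiers in the first block, which matches the address used in the control command further down.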
745 04 30 05 00 01
The first 3 parts we are familiar with now; 05 is the address for the door locks, 00 is a control parameter that determines what you are trying to do, and 01 is the state you want to put the control into. There seem to be two options for the control parameter that make changes happen: 00 or 20. 00 seems to make a brief change, kind of like pushing the door lock button briefly. 20 makes a permanent change, like turning on the luggage light. Regardless, most commands take 20 as the control parameter, but some take 00. They won’t work if you use the wrong one, so you can’t screw it up.
The last byte is different for each address, but is usually 00 or 01 for Off and On. Some have more values, such as the door locks, which can be All Unlock, All Lock, Driver Unlock, Passenger Unlock, etc. My Dropbox spreadsheet shows all of the items I identified on the BCM PIDs tab. One last important note is that I was unable to just hop from address to address changing items as much as I wanted. I had to exit the C0 diagnostic mode and then return to it before I could change the next item. That is accomplished with the following 2 commands:
745 02 10 81
745 02 10 C0
That will jump back to the default session and then back into the diagnostic session. I think this just stops too many things from happening at once to make diagnosing problems easier. It would be easy to change a lot and then think something is wrong because you messed with so many items. I’ll keep sharing my progress as I go.
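The session dance above is easy to get wrong by hand, so here is an added example (my code, not the post's program) of a small controller that tracks the diagnostic session and inserts the 81 → C0 toggle automatically before every control write after the first. Frames go through a `send()` callable, so a real adapter can replace the constructed `fake_bcm()`; the 50/70 positive-response format that the fake returns, the 7F negative-response byte, and the 0x00/0x01 state bytes for the lock example are assumptions, while the 745/765 IDs, the 81/C0 session bytes, the 00/20 control parameters and the 05 door-lock address come from the post.

```python
"""Issue service 0x30 writes to the BCM, one per fresh C0 session, as the post found."""

BCM_REQ_ID, BCM_RESP_ID = 0x745, 0x765
SVC_SESSION, SVC_IO_CTRL = 0x10, 0x30
SESSION_DEFAULT, SESSION_DIAG = 0x81, 0xC0       # the post's two session bytes
CTRL_MOMENTARY, CTRL_PERSISTENT = 0x00, 0x20     # the post's "00" and "20" control parameters
POSITIVE_OFFSET, NEGATIVE_RESPONSE = 0x40, 0x7F  # KWP2000 SID conventions (assumed)
LID_DOOR_LOCKS = 0x05                            # from the post


def frame(can_id, payload):
    """Render a frame the way the post writes it: CAN ID, length byte, data bytes."""
    return f"{can_id:03X} " + " ".join(f"{v:02X}" for v in (len(payload), *payload))


def parse_frame(text):
    parts = text.split()
    data = bytes(int(p, 16) for p in parts[2:])
    if len(data) != int(parts[1], 16):
        raise ValueError(f"bad length byte in {text!r}")
    return int(parts[0], 16), data


class BcmIoController:
    """Sends 0x10/0x30 requests and re-enters C0 before each write after the first."""

    def __init__(self, send):
        self.send = send                # request frame text -> response frame text
        self.session = None             # last session byte the BCM accepted
        self.writes_this_session = 0
        self.sent = []                  # every request frame, in order

    def _request(self, payload, expect_sid):
        req = frame(BCM_REQ_ID, payload)
        self.sent.append(req)
        can_id, data = parse_frame(self.send(req))
        if can_id != BCM_RESP_ID:
            raise RuntimeError(f"reply from unexpected ID {can_id:03X}")
        if data[0] == NEGATIVE_RESPONSE:
            raise RuntimeError(f"negative response to {req}: {data.hex()}")
        if data[0] != expect_sid + POSITIVE_OFFSET:
            raise RuntimeError(f"unexpected SID {data[0]:02X} in reply to {req}")
        return data

    def start_session(self, session):
        self._request(bytes([SVC_SESSION, session]), SVC_SESSION)
        self.session, self.writes_this_session = session, 0

    def set_control(self, lid, ctrl, state):
        if ctrl not in (CTRL_MOMENTARY, CTRL_PERSISTENT):
            raise ValueError("control parameter must be 0x00 or 0x20")
        if not (0 <= lid <= 0xFF and 0 <= state <= 0xFF):
            raise ValueError("lid and state are single bytes")
        # The post's finding: only one write per C0 session, so drop to 81 and come back.
        if self.session == SESSION_DIAG and self.writes_this_session:
            self.start_session(SESSION_DEFAULT)
        if self.session != SESSION_DIAG:
            self.start_session(SESSION_DIAG)
        data = self._request(bytes([SVC_IO_CTRL, lid, ctrl, state]), SVC_IO_CTRL)
        self.writes_this_session += 1
        return data


def fake_bcm(request):
    """Constructed stand-in for the BCM; its reply layouts are assumed, not from the post."""
    can_id, data = parse_frame(request)
    if can_id == BCM_REQ_ID and data[0] == SVC_SESSION and len(data) == 2 \
            and data[1] in (SESSION_DEFAULT, SESSION_DIAG):
        return frame(BCM_RESP_ID, bytes([SVC_SESSION + POSITIVE_OFFSET, data[1]]))
    if can_id == BCM_REQ_ID and data[0] == SVC_IO_CTRL and len(data) == 4:
        return frame(BCM_RESP_ID, bytes([SVC_IO_CTRL + POSITIVE_OFFSET]) + data[1:])
    return frame(BCM_RESP_ID, bytes([NEGATIVE_RESPONSE, data[0], 0x12]))  # 0x12: sub-function not supported


def lock_then_unlock(send=fake_bcm):
    """Two door-lock writes back to back; returns the frames that went out."""
    bcm = BcmIoController(send)
    bcm.set_control(LID_DOOR_LOCKS, CTRL_MOMENTARY, 0x01)   # state bytes are illustrative
    bcm.set_control(LID_DOOR_LOCKS, CTRL_MOMENTARY, 0x00)
    return bcm.sent


if __name__ == "__main__":
    print("\n".join(lock_then_unlock()))
```

The second write produces the `10 81` / `10 C0` pair before its `30` frame, which is exactly the two-command reset described above; a negative (7F) reply from the module raises instead of silently continuing, so a refused write is not mistaken for a successful one.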