Welcome, this repository serves as my notebook regarding reverse engineering Mazda CX-30 (2019 series, Skyactiv-X, EU model).
A couple of things that are important to know from the start:
- Most (all?) CAN buses are connected to the BCM
- There is no CAN traffic on OBD connector, I'm not yet sure if traffic from that port is "firewalled"
- The amount of traffic on the main buses is huge, Raspberry Pi with MCP2515 module can barely handle the traffic on one bus (TODO: check if the code can be optimized?)
- There are no unique message IDs that would correlate to simple things like "lights toggled", so reversing the communication is a pain.
Bus called "Vehicle CAN" connects following components:
- BCM (Body Control Module)
- EPS (Electric Power Steering)
- Headlights auto levelling controller
- SAS control module (airbags)
- Electronically controlled brake unit
- TCM (Transmission Control Module) - for AT models only
- PCM (Powertrain Control Module) - ECU
Be really careful when messing with this bus :)
On BCM side, it's connected to the connector 0940-101C (black one, towards the door), pins 3W (CAN_L) and 3X (CAN_H). It runs on 500kbaud.
Body CAN bus connects following components:
- BCM
- Front and rear lights
- Climate control unit
- Steering lock unit
- Steering angle sensor
- Instrument cluster
- HUD ("Active driving display")
- LF control unit (Keyless entry / immobilizer)
- Door supply unit (one for passenger and one for driver side)
- Dash electrical supply unit
- Power liftgate control module
- Shift panel (for AT models)
- Electrical supply unit
On BCM side, it's connected to the connector 0940-101B (large white one, on the face of the unit - towards inside of the car), pins 2J (CAN_L) and 2L (CAN_H). It runs on 500kbaud.
- There's a separate CAN bus for parking sensors (connects BCM, electrical supply unit and front/rear parking sensors).
- There's a separate bus for cameras (connecting BCM, forward sensing camera, driver monitoring camera and 360° camera).
- There's a separate bus for front radar sensor (that is actually connected to the BCM twice, for some reason).
- There's a bus connecting BCM to the CMU (connectivity master unit - infotainment) and audio amplifier.
- The eCall system is also connected to the BCM via CAN bus.
- And finally, there's a CAN bus for m-Hybrid system, that connects m-Hybrid battery, NOx sensor (optionally), brake unit, DC-DC converter, ISG (integrated starter generator), and PCM.
- Lift up the long plastic cover on the bottom of the driver side door
- Gently move away the door seal (it slides in on the lip of the chassis to expose the plastic latches on the module under the dash
- The BCM is under the cover that has a removable piece as a fusebox cover.
- The cover is held in place towards the front by one pin. Remove it using a flathead screwdriver.
These scripts generally assume you have a can interface available on your computer and can-utils installed. If not, you can use vcan driver to experiment with dumps stored elsewhere.
This script shows communitaction in realtime, hilighting changes. It requires python-can installed.
Usage: ./canview.py can0
I use these to setup development environment on my computer. vcan-setup.sh creates two vcan interfaces and links them together (and requires root/sudo). dumpsender.sh the reads dump generated by candump and sends it to the specified bus.
For example: ./dumpsender.sh can0-idle-engon-liftgate-opening.txt 0.01 vcan0 will read the text file, and writes a frame to vcan0 every 0.01 seconds. Then I can use ./canview.py vcan1 to see the emulated traffic.
TODO: I'll upload the script that's also able to read timestamped dumps once I'll get to my car to test it.
Some frames have an additional layer of integrity protection - sequence numbers and checksums... For example ID 0x440. Here's a couple of messages:
60 00 00 00 40 AD 88 21
60 00 00 00 40 AD 89 22
60 00 00 00 40 AD 8A 23
60 00 00 00 40 AD 8B 24
60 00 00 00 40 AD CC 65
60 00 00 00 40 AD CD 66
60 00 00 00 40 AD CE 67
60 00 00 00 40 AD CF 68
60 00 00 00 40 AD C0 59
60 00 00 00 40 AD C1 5A
60 00 00 00 40 AD 82 1B
60 00 00 00 40 AD 83 1C
60 00 00 00 40 AD 84 1D
60 00 00 00 40 AD 85 1E
60 00 00 00 40 AD 86 1F
60 00 00 00 40 AD 87 20
60 00 00 00 40 AD 88 21
...
68 02 00 00 40 AA 42 E2
68 02 00 00 40 A9 83 22
68 01 00 00 40 A9 84 22
First nibble of 7th byte is clearly a counter, that increments and wraps around. 8th byte is some kind of checksum. The only way to determine how the checksum is computed is by (somehow educated) guesswork. In this case, it seems that for all the dataframes: (B1 + B2 + B3 + B4 + B5 + B6 + B7 - B8) % 256 = 0xb4, therefore we can compute B8 by: B1 + B2 + B3 + B4 + B5 + B6 + B7) % 256 - 0xB4.
0x09d ID uses 0x5B instead of 0xB4.
Let's start by pullsing some fuses and what effect it will have on transmitted frames.
Pulling F19 (power steering) fuse stops transmitting 086, 088, 240, 52C on can0 (vehicle/powertrain CAN) and 086 and 240on can1 (body CAN).
Pulling fuses F35 and F23 (ABS) stops transmitting of the 078, 079, 203, 211, 215, 217, 219, 223, 415, 596 IDs on vehicle CAN, and 078, 079, 203, 217, 415 IDs on body CAN.
frames-common.md is a list of frame IDs that are common on both body and vehicle bus.
frames-vehicle.md are vehicle bus only (common are excluded)
frames-body.md are body bus only (common are excluded)
https://github.com/majbthrd/MazdaCANbus/blob/master/skyactiv.kcd https://www.mazda3revolution.com/threads/canbus-messages.225538/