Fiat infotainment CAN messages

Francesco Montefoschi
Aug 2, 2019

In the previous article we started to understand and decode some CAN frames coming from my Fiat Doblò 263. After more experiments and findings, this post summarizes what is currently known. I will update this post as new frames are decoded. This reverse-engineering phase is necessary to reimplement a new infotainment ECU featuring the must-have A2DP Bluetooth protocol.

Show me the code

These findings have been summarized in this git repo to better track the decoded frames over time. The repository contains some basic code to decode the frames and some of the original candump log files used in the reverse-engineering phase.

The B-CAN network

Before talking about the payloads, let’s summarize who is speaking. The nodes connected to the low-speed B-CAN network through the CAN-A (HIGH) and CAN-B (LOW) wires are:

  • Body Computer (ID 0x4000)
  • Instrument Panel (maybe ID 0x4003 ?)
  • OBD-II port
  • Radio Unit (ID 0x4005)
  • Blue&Me ECU (ID 0x4021)
  • Air Bag ECU
  • Air Conditioning ECU
  • Parking Sensors ECU (I don’t have it, ID 0x4018 according to this thesis)
  • Alarm ECU

Body Computer (M001) connects several devices on the B-CAN and C-CAN networks

As stated before, CAN arbitration IDs are composed of 4 bytes: the first 2 encode a topic, the last 2 encode the sender. My interest is mostly on Blue&Me, Radio Unit and Body Computer.

Key Power On / Off

When the key is turned to the MAR position, the Body Computer wakes up the B-CAN network. (FYI, according to Fiat eLearn, in case of a Body Computer fault, the Instrument Panel wakes up the network.) These are the first two messages sent when turning the key to the MAR position, with their meanings:

can0 0E094000#001C00000001    # "BC: nodes, please wake up!"
can0 0E094000#001E00000001    # "BC: nodes, what is your status?"

The status request message (0x001E...) is repeated every second, always on topic 0x0E09. Other nodes answer with a two-byte message on the same topic. The known bits are the last four:

can0 0E094021#001C    # "B&M: I'm powering on"
can0 0E094021#001E    # "B&M: I'm working correctly"
can0 0E094021#001A    # "B&M: I'm going to sleep"

When turning off the key, the Body Computer asks the nodes to shut down:

can0 0E094000#001A0400106B    # "BC: nodes, please shut down"

When all the devices report the sleep state (0xA) the Body Computer shuts down. In a Python script I tried to always answer 0x001E to any status request. When turning off the key, the Body Computer continued to send the “please shut down” message in a loop because I reported to be still on.
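The status exchange above can be replayed offline over a candump log. The following is an added example, not code from the author's repository; the function names are hypothetical, and the sample log is constructed (node 0x4005 answering on topic 0x0E09 is an assumption made only to have a second node in the sample).

```python
import re

# Status codes from the article: low four bits of the second payload byte.
STATUS = {0xC: "powering on", 0xE: "working", 0xA: "going to sleep"}
STATUS_TOPIC, BODY_COMPUTER = 0x0E09, 0x4000
FRAME = re.compile(r"^\s*(?:\S+\s+)?([0-9A-Fa-f]{8})#((?:[0-9A-Fa-f]{2})*)")

def parse_frame(line):
    """Split a candump-style line into (topic, sender, payload bytes)."""
    m = FRAME.match(line)
    if m is None:
        return None
    arb_id = int(m.group(1), 16)
    # First two ID bytes are the topic, last two the sender.
    return arb_id >> 16, arb_id & 0xFFFF, bytes.fromhex(m.group(2))

def node_states(lines):
    """Replay a log and return {sender: last reported status} for non-BC nodes."""
    states = {}
    for line in lines:
        frame = parse_frame(line)
        if frame is None:
            continue
        topic, sender, data = frame
        if topic == STATUS_TOPIC and sender != BODY_COMPUTER and len(data) == 2:
            states[sender] = STATUS.get(data[1] & 0x0F, "unknown")
    return states

def all_asleep(states):
    """True once every node seen on the topic has reported the sleep state."""
    return bool(states) and all(s == "going to sleep" for s in states.values())

# Constructed log (see the assumptions stated in the lead-in).
SAMPLE = """\
can0 0E094000#001C00000001
can0 0E094021#001C
can0 0E094000#001E00000001
can0 0E094021#001E
can0 0E094005#001E
can0 0E094000#001A0400106B
can0 0E094021#001A
""".splitlines()

if __name__ == "__main__":
    states = node_states(SAMPLE)
    for sender, status in sorted(states.items()):
        print(f"0x{sender:04X}: {status}")
    print("network can sleep:", all_asleep(states))
```

In the sample, one node still reports "working" after the shutdown request, which is the situation in which the Body Computer keeps repeating that request.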

PROXI Protocol

The Body Computer keeps a list of known devices in a configuration file (the “PROXI” file). At factory time, or when a node in the CAN network is replaced, the “PROXI alignment” procedure updates the PROXI file. In this way, the Body Computer has an up-to-date list of the connected nodes. More info can be found here (in Italian, sorry).

The nodes are verified shortly after the network is woken up on topic 0x1E11:

can0 1E114000#                # BC: nodes, what's your proxi value?
can0 1E11401A#362630045880    # 0x401A: mine is 0x362630045880
can0 1E114003#362630045880    # 0x4003: mine is 0x362630045880

The Body Computer generally verifies the PROXI configuration ~1 second after it wakes up (however, in one trace the configuration check happened after ~169 seconds). If a node does not answer, the PROXI query is sent again after another second, for a maximum of 3 times. If a node never answers, it is marked as missing/faulty. In fact, the original B&M ECU fails to answer the first PROXI query (maybe the ECU is busy booting Windows Mobile?), so the Body Computer issues a second request (which is then satisfied).

Moreover, not all nodes answer the PROXI query: in my car only nodes with IDs 0x401A, 0x4003 and 0x4021 answer the request. If there is a missing or an unknown node, the procedure fails and the kilometers on the Instrument Panel start to blink. Apart from the blinking, I don’t know if there are other consequences.

Regarding the payload of the response, the value is unknown to me. I don’t know if it is set in the Body Computer at factory time, or at PROXI alignment time, or something else. “Fortunately” we don’t care: all the nodes share the same value, so listening for another node’s value and republishing it on the CAN bus with the B&M ID is enough to pass the check.
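Because the check relies only on a shared value, a log review is the practical way to see who answered a PROXI query and with what. The following is an added example, not code from the author's repository: it summarizes topic 0x1E11 traffic from a candump log. The function name, the report fields, node 0x4099 and its all-zero value are constructed for illustration.

```python
import re
from collections import Counter

PROXI_TOPIC, BODY_COMPUTER = 0x1E11, 0x4000
PROXI_FRAME = re.compile(r"([0-9A-Fa-f]{8})#([0-9A-Fa-f]*)")

def proxi_report(lines, expected):
    """Summarise PROXI traffic: who answered, on which query, with which value."""
    queries, answers = 0, {}
    for line in lines:
        m = PROXI_FRAME.search(line)
        if m is None:
            continue
        arb_id, payload = int(m.group(1), 16), m.group(2).upper()
        topic, sender = arb_id >> 16, arb_id & 0xFFFF
        if topic != PROXI_TOPIC:
            continue
        if sender == BODY_COMPUTER:
            if payload == "":                 # an empty frame is a query
                queries += 1
        elif queries and sender not in answers:
            answers[sender] = (queries, payload)   # keep the first answer
    counts = Counter(value for _, value in answers.values())
    common = counts.most_common(1)[0][0] if counts else None
    return {
        "queries": queries,
        "answered_on": {n: answers[n][0] for n in expected if n in answers},
        "missing": sorted(n for n in expected if n not in answers),
        "unexpected": sorted(n for n in answers if n not in expected),
        "mismatch": sorted(n for n, (_, v) in answers.items() if v != common),
    }

# Constructed logs. BOOT mirrors the article: B&M answers only the second query.
BOOT = ["can0 1E114000#", "can0 1E11401A#362630045880",
        "can0 1E114003#362630045880", "can0 1E114000#",
        "can0 1E114021#362630045880"]
# ODD: B&M never answers and a node that is not in the expected list replies.
ODD = BOOT[:4] + ["can0 1E114099#000000000000"]
EXPECTED = {0x401A, 0x4003, 0x4021}

if __name__ == "__main__":
    for name, log in (("BOOT", BOOT), ("ODD", ODD)):
        print(name, proxi_report(log, EXPECTED))
```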

Steering Wheel Buttons

Pressing the buttons on the steering wheel will publish a non-zero payload with ID 0x06354000. The values have been published in this previous article.

This makes it possible to reimplement a text-based menu on the Instrument Panel, to skip music tracks and to mute the music (do you also mute your music while looking for parking or am I alone?).

Text Messages on Displays

Text messages on the Instrument Panel display or on the Radio Unit display are sent with ID 0x0A394021. Values have been decoded in this article; here you can find the char map.

Audio Channels

The Radio Unit is able to switch between several inputs: CD, Blue&Me, FM. The Blue&Me input can be selected (using the MEDIA button) if the B&M ECU reports that it is connected using one of the following payloads:

06314021#0000000000000080    # B&M audio out is muted
06314021#0000000000000081    # B&M audio out active, phone
06314021#0000000000000082    # B&M audio out active, voice
06314021#0000000000000083    # B&M audio out active, navigation
06314021#0000000000000084    # B&M audio out active, media player

Everything hinges on the last byte. If the value is not 0x8*, the radio says “No source available” when trying to switch to B&M. Otherwise the input can be selected and the input type (e.g. PHONE) appears on the radio unit display.

Switching to FM produces these messages:

0A194005#A2151D49466800    # FM radio tuned on ' VIRGIN '
0A114005#420415000000      # FM radio tuned on f = 104.50 MHz

The first, 0x0A194005, uses the usual char map to encode the radio station name that is shown on the displays.
The second one, 0x0A114005, has the payload:

  • 0xE30000000200 if Blue&Me is playing
  • 0xE30000000000 if Blue&Me is muted
  • 0x**ABCD000000 if tuned to an FM station (to get the frequency in MHz, convert 0xABCD to decimal and divide by 10)

To summarize, we have to both send frames about the active channel (0x06314021) and listen to the Radio Unit frames (like 0x0A114005) to pause (resume) the music stream when the FM radio is activated (deactivated) from the Radio Unit buttons.
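The two payload layouts above, decoded in Python. This is an added example, not code from the author's repository; the function names are hypothetical, and treating the "Blue&Me is muted" payload as a reason to pause the stream is an assumption.

```python
RADIO_STATUS_ID = 0x0A114005
SOURCES = {0x80: "muted", 0x81: "phone", 0x82: "voice",
           0x83: "navigation", 0x84: "media player"}

def decode_bm_audio(payload):
    """Decode a 0x06314021 payload; only the last byte is known to matter."""
    if not payload or payload[-1] & 0xF0 != 0x80:
        return None                      # radio shows "No source available"
    return SOURCES.get(payload[-1], "unknown 0x8* value")

def decode_radio_status(payload):
    """Decode a 0x0A114005 payload into (source, detail)."""
    if payload == bytes.fromhex("E30000000200"):
        return ("blueme", "playing")
    if payload == bytes.fromhex("E30000000000"):
        return ("blueme", "muted")
    if len(payload) == 6 and payload[3:] == b"\x00\x00\x00":
        # Bytes 1-2 are 0xABCD: frequency in tenths of a MHz.
        return ("fm", int.from_bytes(payload[1:3], "big") / 10)
    return ("unknown", None)

def stream_should_play(frames, playing=True):
    """Follow Radio Unit frames; pause on FM, resume when B&M plays again."""
    for arb_id, payload in frames:
        if arb_id != RADIO_STATUS_ID:
            continue
        source, detail = decode_radio_status(payload)
        if source == "fm":
            playing = False
        elif source == "blueme":
            playing = detail == "playing"   # assumption: muted means paused
    return playing

# Constructed sequence built from the payloads quoted in the article.
TO_FM = [(RADIO_STATUS_ID, bytes.fromhex("E30000000200")),
         (RADIO_STATUS_ID, bytes.fromhex("420415000000"))]
BACK_TO_BM = TO_FM + [(RADIO_STATUS_ID, bytes.fromhex("E30000000200"))]

if __name__ == "__main__":
    print(decode_bm_audio(bytes.fromhex("0000000000000084")))
    print(decode_radio_status(bytes.fromhex("420415000000")))
    print(stream_should_play(TO_FM), stream_should_play(BACK_TO_BM))
```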

Other CAN frames

Other CAN frames can be easily decoded (e.g. door lock / unlock, AC fan power, …) using cansniffer. Other frames require a lot of time for proper decoding (e.g. when turning on the engine a LOT of messages are broadcast!). For the moment, I am not interested in decoding those frames since I just want to reimplement the infotainment system.
