Thread: Raspberry Pi - Virtual Sensors for Car Computers

  1. #1 Re: Reverse Engineer the CAN-BUS 
    Schooner Tuner ADrugDealer's Avatar
    Quote Originally Posted by penright View Post
    I understand your questions. I was not sure how to articulate what I am talking about. Thanks for asking questions, as maybe I can refine what I am trying to do. Also, once I get the test bed set up and get the Raspberry PI talking on it, then it might make more sense. Getting to that point "cheap" may be a challenge. There's the cable for $190 that will work with their tools, but I saw some boards that with


    That was just an example. Others would be unlock doors, start car, etc....


    No, this is a lot deeper than that. OBDII (for example the ELM327 chip) is limited to the commands you can put on the bus, whereas the MCP2515 can get down to the raw commands.

    Watch this video and you can see how deep I am talking about. https://www.youtube.com/watch?v=oqe6S6m73Zw


    Here is what they have documented for a 2010 Prius and a 2010 Ford Escape. Of course a 97 is not going to have some of the ECUs that a 2010 has, but hey, that's the point. What can we do? And not just limited to a 97.

    Code:
    #2010 Toyota Prius ECU Information
    
    #Flashing information
    (RcvAckData, RcvAckDataAck) = range(0,2)
    
    
    #Prius encryption keys (These should stay in the same order due to the algo)
    PriusSecrets = [0xA441, 0x2172, 0xA421, 0x4172]
    
    
    #coalesced versions of above for easy XOR'ing
    PriusSecret1 = 0xA4412172
    PriusSecret2 = 0xA4214172
    
    
    #EffectiveKeys same as doing the XORs with the above
    #but less steps
    PriusEffectiveKey = 0x00606000
    PriusABSKey = 0x00252500
    
    
    #Sometimes starting a diagnostic session is
    #done with 0x5F, rather than the standard of 0x2
    PriusDiagCode = 0x5F
    
    
    PriusMainBodyID = 0x750
    
    
    #Toyota Prius 2010 ECU IDs (a.k.a. wid) 
    TP_Transmission = 0x727
    TP_AirBag = 0x780
    TP_PreCollision1 = 0x781
    TP_Radar = 0x790
    TP_PreCollision2 = 0x791
    TP_EPMS = 0x7A1
    TP_APGS = 0x7A2
    TP_ABS = 0x7B0
    TP_ComboMeter = 0x7C0
    TP_AC = 0x7C4
    TP_Nav = 0x7D0
    TP_ECT = 0x7E0
    TP_Hybrid = 0x7E2
    
    
    #NEEDED 0xE0
    #Sub-ECU IDs for Prius 'Main Body' ECU (0x750)
    TP_LKA = 0x02
    TP_MainBody = 0x40
    TP_PM1 = 0x57
    TP_PM2 = 0x58
    TP_HLAutoLevel = 0x70
    TP_DDoor = 0x90
    TP_PDoor = 0x91
    TP_RRDoor = 0x92
    TP_RLDoor = 0x93
    TP_SR = 0xAD
    TP_SmartKey = 0xB5
    TP_RemoteStart = 0xB6
    TP_MainSwitch = 0xEC
    TP_PowerSource = 0xE9
    
    
    #Prius ECU to String name table (Main body is in another section)
    PriusECU = {}
    PriusECU[TP_Transmission] = "Transmission"
    PriusECU[TP_AirBag] = "AirBag"
    PriusECU[TP_PreCollision1] = "Pre-Collision"
    PriusECU[TP_Radar] = "Radar"
    PriusECU[TP_PreCollision2] = "Pre-Collision 2"
    PriusECU[TP_EPMS] = "EPMS"
    PriusECU[TP_APGS] = "APGS - Park Assist"
    PriusECU[TP_ABS] = "ABS - Anti-Lock Braking"
    PriusECU[TP_ComboMeter] = "Combo Meter"
    PriusECU[TP_AC] = "Air Conditioning"
    PriusECU[TP_Nav] = "Navigation"
    PriusECU[TP_ECT] = "ECT - Engine"
    PriusECU[TP_Hybrid] = "Hybrid System"
    
    
    PriusMainECU = {}
    PriusMainECU[TP_LKA] = "Lane Keep Assist (LKA)"
    PriusMainECU[TP_MainBody] = "Main Body"
    PriusMainECU[TP_PM1] = "PM1 Gateway"
    PriusMainECU[TP_PM2] = "PM2 Gateway"
    PriusMainECU[TP_HLAutoLevel] = "Headlamp Autolevel"
    PriusMainECU[TP_DDoor] = "Driver Door"
    PriusMainECU[TP_PDoor] = "Passenger Door"
    PriusMainECU[TP_RRDoor] = "Rear Right Door"
    PriusMainECU[TP_RLDoor] = "Rear Left Door"
    PriusMainECU[TP_SR] = "Sliding Roof"
    PriusMainECU[TP_SmartKey] = "Smart Key"
    PriusMainECU[TP_RemoteStart] = "Remote Engine Starter"
    PriusMainECU[TP_MainSwitch] = "Main Switch"
    PriusMainECU[TP_PowerSource] = "Power Source Control"
    
    
    #Diagnostic custom payloads
    PriusDiagData = {}
    PriusDiagData[TP_ABS] = [0x10, 0x01]
    
    
    #SecurityAccess custom payloads
    PriusSAData = {}
    PriusSAData[TP_ABS] = [0x27, 0x01, 0x00]
    
    
    #Hopefully 
    PriusEffectiveKeys = {}
    PriusEffectiveKeys[TP_ABS] = 0x00252500
    
    
    #These are InputOutputControlByLocalIdentifier (0x30). See 14230-3.pdf 
    #Prius Commands
    PriusCMD = {}
    PriusCMD["Seat_Belt_Drive"] = {'Desc':"Engage driver's seatbelt motor", 'ID':TP_PreCollision1, 'Data':[0x30, 0x01, 0x00, 0x01]}
    PriusCMD["Fuel_Cut_All"] = {'Desc':"Cut fuel to all cylinders", 'ID':TP_ECT, 'Data':[0x30, 0x1C, 0x00, 0x0F, 0xA5,0x01]} #does not work at speed
    
    
    #These are InputOutputControlByLocalIdentifier (0x30). See 14230-3.pdf 
    #These all use WID 0x750 with the first data byte being the SubID
    PriusMBCMD = {}
    PriusMBCMD["Headlamps_On"] = {'Desc':"Turn on the head lamps", 'SubID':TP_MainBody, 'Data':[0x30, 0x15, 0x00, 0x40, 0x00]}
    PriusMBCMD["Headlamps_Off"] = {'Desc':"Turn off the head lamps (Only works if in Auto-Mode)", 'SubID':TP_MainBody, 'Data':[0x30, 0x15, 0x00, 0x00, 0x00]}
    PriusMBCMD["Horn_On"] = {'Desc':"Horn activated for several seconds", 'SubID':TP_MainBody, 'Data':[0x30, 0x06, 0x00, 0x20]}
    PriusMBCMD["Horn_Off"] = {'Desc':"Deactivate Horn", 'SubID':TP_MainBody, 'Data':[0x30, 0x06, 0x00, 0x00]}
    PriusMBCMD["Lock_All_Doors"] = {'Desc':"Lock All Doors", 'SubID':TP_MainBody, 'Data':[0x30, 0x11, 0x00, 0x80, 0x00]}
    PriusMBCMD["Unlock_All_Doors"] = {'Desc':"Unlock All Doors", 'SubID':TP_MainBody, 'Data':[0x30, 0x11, 0x00, 0x40, 0x00]}
    PriusMBCMD["Unlock_Hatch"] = {'Desc':"Unlock the Hatch", 'SubID':TP_MainBody, 'Data':[0x30, 0x11, 0x00, 0x00, 0x80]}
    
    
    #2010 Ford Escape
    FordDiagCode = 0x02
    
    
    #Escape ECU to string name table
    FordECU = {}
    FordECU[0x0701] = "GPSM"
    FordECU[0x0720] = "IC"
    FordECU[0x0726] = "SJB"
    FordECU[0x0727] = "ACM"
    FordECU[0x0730] = "PSCM"
    FordECU[0x0733] = "HVAC"
    FordECU[0x0736] = "PAM"
    FordECU[0x0737] = "RCM"
    FordECU[0x0760] = "ABS"
    FordECU[0x0761] = "4x4"
    FordECU[0x0765] = "OCSM"
    FordECU[0x07A6] = "FDIM"
    FordECU[0x07A7] = "FCIM"
    FordECU[0x07D0] = "APIM"
    FordECU[0x07E0] = "PCM"
    Honestly I do not quite understand what you are trying to do here...

    The 97-04 and some 05 are not CAN Bus (there is LIMITED CAN communication for the ABS module and other random bits like the radio for some odd reason); they are VPW and the deep level communication is based on J1850-VPW. The main chips are a Motorola processor and Intel EEPROM. 06+ I have not done any research on, so I cannot speak for those.

    As for the ELM, the ELM is fully capable of any command you can dream up as long as it falls under the max sizes limited by the firmware; a better chip to use is the STN1110, as the firmware can be placed into a mode where it will let you blast anything down the pipe as long as it is smaller than 1K TX or 3K RX. OBD is not limited by commands; it is governed by ISO standards that it is required to have across every US car, which are your more common commands and modes. However, GM and other manufacturers have deep level integration abilities and can and will place commands that they do not publicly document for things like documentation or flashing to the PCM.

    Again I ask what are you trying to accomplish?
    2008 G8 GT - IOM - LSA Blower, Intercooled, Ported Heads, Cam, Flex Fuel Conversion, Tuned - 550whp - 11.5 @ 124 -
    2000 Regal - Winter Beater
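
Added example (not part of either post and not from the tool whose tables are quoted): a passive check that reads a CAN capture and flags requests to the listed ECU IDs that carry the service bytes appearing in the table (0x10, 0x27, 0x30). The candump-style log format, the single-frame length byte, and the names `flag_diagnostic_requests` and `SAMPLE_LOG` are assumptions; the sample lines are constructed.

```python
import re

# ECU IDs, sub-IDs and service bytes copied from the table quoted in the post.
ECU_NAMES = {0x750: "Main Body", 0x781: "Pre-Collision", 0x7B0: "ABS", 0x7E0: "ECT - Engine"}
SUB_ECU_NAMES = {0x40: "Main Body", 0x90: "Driver Door"}  # behind wid 0x750
SERVICES = {0x10: "StartDiagnosticSession", 0x27: "SecurityAccess",
            0x30: "InputOutputControlByLocalIdentifier"}

# Assumed log format: "(timestamp) interface ID#HEXDATA", as written by candump -L.
LINE_RE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3})#((?:[0-9A-Fa-f]{2}){0,8})\s*$")


def flag_diagnostic_requests(lines):
    """Return (timestamp, ecu_name, service_name) for each flagged request."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an 11-bit CAN data frame line
        can_id, data = int(m.group(2), 16), bytes.fromhex(m.group(3))
        if can_id not in ECU_NAMES:
            continue
        ecu = ECU_NAMES[can_id]
        if can_id == 0x750:
            # Per the post, the first data byte selects the sub-ECU.
            if not data:
                continue
            ecu = SUB_ECU_NAMES.get(data[0], f"sub-ECU 0x{data[0]:02X}")
            data = data[1:]
        # Assumption: ISO-TP single frame, byte 0 = 0x0N with N payload bytes.
        if len(data) < 2 or data[0] >> 4 or not 1 <= data[0] <= len(data) - 1:
            continue
        if data[1] in SERVICES:
            alerts.append((m.group(1), ecu, SERVICES[data[1]]))
    return alerts


# Constructed capture for illustration; not recorded from a vehicle.
SAMPLE_LOG = [
    "(1426790000.100000) can0 2C4#0000000000000000",  # ID not in the table
    "(1426790000.200000) can0 7B0#0210010000000000",
    "(1426790000.300000) can0 7B0#0327010000000000",
    "(1426790000.400000) can0 750#4004300600200000",
    "(1426790000.500000) can0 7E0#02010D0000000000",  # service byte not in SERVICES
]

if __name__ == "__main__":
    for alert in flag_diagnostic_requests(SAMPLE_LOG):
        print(*alert)
```

Ordinary scan tools also send these services, so a hit is a prompt to check what was attached to the bus at that time rather than proof of tampering.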

  2. #2 Re: Reverse Engineer the CAN-BUS 
    GT Level Member penright's Avatar
    Quote Originally Posted by ADecker View Post
    The 97-04 and some 05 are not CAN Bus (there is LIMITED CAN communication for the ABS module and other random bits like the radio for some odd reason)
    I was afraid of that. Looking at this post http://www.grandprixforums.net/threa...pin-out-needed I did not see the Hi/Low for CAN. Looking at thumbnail 2 it had VSS Hi/Low. I was assuming vehicle speed would be a range and that might be a CAN. I have not found a BCM pin out yet, maybe because 97 does not have one! Without probing we don't learn. :-)

    Quote Originally Posted by ADecker View Post
    they are VPW and the deep level communication is based on J1850-VPW.
    Option #1

    SAE J1850 VPW (Variable Pulse Width at 10.4/41.6 Kbps, single wire)
    Pin 2: BUS+ signal
    Idle bus level is low
    High signal voltage level: +7V (min/max 6.25 to 8.00)
    Low signal voltage level: 0V (min/max 0.00 to 1.50)
    Up to 12 message bytes, excluding frame delimiters
    Bit timing:
    "1" Bit: Signal low for 128uS or high for 64uS
    "0" Bit: Signal low for 64uS or high for 128uS
    Start-Of-Frame: Signal high for 200uS

    Option #2


    ISO 15765 CAN (250kbit/sec or 500kbit/sec)
    Pin 6: CAN high (CANH)
    Pin 14: CAN low (CANL)
    Dominant or active bus state: CANH driven high while CANL driven low
    Recessive or idle bus state: CANH and CANL signals are not driven
    CANH signal voltage level: 3.5V (min/max 2.75 to 4.50)
    CANL signal voltage level: 1.5V (min/max 0.5 to 2.25)

    I have not looked at my DLC yet to see what pins are available. Sounds like I am going to see option one and not two. :-(
    On one hand that is OK because the papers say something about not all CAN are exposed at the DLC. They also said, for example, the PCM is built from a lot of ECUs in one box. The CAN bus may be internal. Again :-(


    Quote Originally Posted by ADecker View Post
    GM and other manufacturers have deep level integration abilities and can and will place commands that they do not publicly document for things like documentation or flashing to the PCM.
    Hence the reverse engineering. :-)

    Quote Originally Posted by ADecker View Post
    a better chip to use is the STN1110
    Interesting, I may have to digest this a bit. The interesting thing on the MCP2515 is that it had a version that is "SPI" standard. The new Raspberry PI kernel has "SPI" integrated into it, and there are Python examples already existing. Not sure how much latency would be added by using the "ST" commands. The specs on the processor sound interesting.


    Quote Originally Posted by ADecker View Post
    Again I ask what are you trying to accomplish?
    Just to learn, and hack around. Not sure what I can accomplish yet without knowing what I can do. If I did not ask, I would not have known about the STN1110 option.
    Maybe the ultimate goal would be to have a Raspberry PI, touch screen LCD stack, in my 97 GP, that could display/control various functions. Maybe even be able to create an "Ad Hoc" WAN to a phone app to remote control and get sensor readings. I mean that is way, way, way down the path. I have several pieces to go before that. It just feels like they are there if they can be strung together. I have a remote start kit that uses relays for the remote start and doors. I could use the PI to control relays if it cannot be done through existing communications.
    This is just learning what can be done.
    Last edited by penright; 03-19-2015 at 06:42 PM.
    07 Grand Prix GXP (My Daily Driver and future toy) (120,000+)
    97 Grand Prix GT (Project Car) (178,000+)
    02 Mustang Convertible (Wife's Toy) (75,000+)
    17 Honda Civic (Wife's Daily Driver)
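
Added example (not part of the original post): a decoder that applies the J1850 VPW bit timing listed under Option #1 to a captured list of pulses. The 20 µs tolerance, MSB-first bit order, the `(level, width_us)` input shape and the function names are assumptions; the sample pulse train is constructed.

```python
# Nominal pulse widths and frame limit taken from the Option #1 list in the post.
SHORT_US, LONG_US, SOF_US = 64, 128, 200
MAX_BYTES = 12          # "Up to 12 message bytes, excluding frame delimiters"
TOLERANCE_US = 20       # assumed capture jitter allowance, not from the post


def classify(width_us):
    """Map a measured width to 'short', 'long' or 'sof'; None if out of range."""
    for name, nominal in (("short", SHORT_US), ("long", LONG_US), ("sof", SOF_US)):
        if abs(width_us - nominal) <= TOLERANCE_US:
            return name
    return None


def decode_vpw(pulses):
    """Decode one frame from (level, width_us) pulses, level 1 = high, 0 = low."""
    if not pulses or pulses[0][0] != 1 or classify(pulses[0][1]) != "sof":
        raise ValueError("frame must start with a ~200 us high Start-Of-Frame")
    bits, prev_level = [], 1
    for level, width in pulses[1:]:
        if level == prev_level:
            raise ValueError("bus level must alternate on every symbol")
        kind = classify(width)
        if kind not in ("short", "long"):
            raise ValueError(f"unexpected pulse width {width} us")
        # High: 64 us = 1, 128 us = 0. Low: 128 us = 1, 64 us = 0.
        bits.append(int((kind == "short") == (level == 1)))
        prev_level = level
    if not bits or len(bits) % 8:
        raise ValueError("bit count is not a whole number of bytes")
    if len(bits) // 8 > MAX_BYTES:
        raise ValueError("more than 12 message bytes")
    # Assumption: most significant bit of each byte arrives first.
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def sample_pulses(data):
    """Build an ideal pulse list for `data`, used only to construct test input."""
    pulses, level = [(1, SOF_US)], 1
    for byte in data:
        for shift in range(7, -1, -1):
            bit = (byte >> shift) & 1
            level ^= 1                      # every symbol flips the bus level
            short = (bit == 1) == (level == 1)
            pulses.append((level, SHORT_US if short else LONG_US))
    return pulses


if __name__ == "__main__":
    print(decode_vpw(sample_pulses(bytes.fromhex("686af1"))).hex())
```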