Old Sun, Feb-19-2012, 08:41:51 PM   #1
PencilGeek
Reverse engineering the engine ECU PT-CAN data bus for the MSS60 (M3) ECU

Lately, I've been working on a little reverse engineering project. I bought a CAN bus analyzer and decided to hook it up to the car's ECU PT-CAN data bus. I'm working with the BMW E92 M3 which uses the MSS60 ECU. This PT-CAN data bus is the computer bus that the ECU uses to receive data from other car computer modules and used to broadcast data from itself to other car computer modules. (PT-CAN = Power Train CAN bus -- attached to the ECU.) I wanted to see how many engine sensors and gauges I could find on the PT-CAN bus, and how useful they would be for creating a set of virtual gauges for use with a Video VBox. Here's a preliminary version that I helped some guy prepare. This video shows the values supplied by Racelogic as part of their Video VBox product. I wanted to see how far I could expand what they've found and add even more "virtual gauges" to the Video VBox. I also wanted to know why their throttle position virtual gauge had a bug in it. But in order to fix it, I needed to find it myself and figure out what was wrong with their version.


So far, I've found that the ECU has 81 different variables that it broadcasts and receives on the PT-CAN data bus. The variables range from two to eight bytes wide. The 8-byte variables may (and often times do) contain more variables inside it. So I'm not just looking at 81 different variables, I'm probably trying to reverse-engineer about 240-250 different variables.

In addition to these 81 different variables, the PT-CAN data bus is also used by the Bavarian Technic ("BT") Tool to send and receive its data to the ECU.

Phase-1: Capture CAN bus traces
Using the CAN analyzer, the first order of business is to capture sizeable bus traces that can be stored and analyzed later. So I captured two 16-minute traces of the car starting and driving. I captured this data while the BT Tool was also connected and sending/receiving its own data and data logging at the same time.

My data logs were limited to approximately 16-minutes each. The limitation was due to the amount of samples that the CAN analyzer would store at one time. The PT-CAN is sending/receiving approximately 1000 messages per second, and the CAN analyzer tool I purchased can store about 1,000,000 samples before it becomes unhappy. 1M samples is about 16-minutes of car running -- which is ample time to capture data to catch the car warming up and driving around for a little while.

Phase-2: Reverse engineering BT Tool protocol
The second order of business was to reverse-engineer the BT Tool protocol. While I was capturing the CAN bus traces, I was also data logging with the BT Tool RPM, various engine temperatures, gear selection, etc. By reverse-engineering the BT Tool protocol, I'm hoping to use the data sent to the BT Tool to find other values on the ECU PT-CAN bus.

Reverse engineering the BT Tool protocol was pretty easy. The BT Tool always sends data on one address and it receives data on another. The difficulty is figuring what it's sending and receiving. By doing a little experimentation, it didn't take long before I had the entire BT Tool protocol figured out. I now know exactly what commands the BT Tool is sending, and I know how to interpret the data it is receiving.

Phase-3: Figure out what's meaningful and what isn't
The third order of business was to figure out everything that's possible to figure out -- in a reasonable amount of time. I wrote a few computer programs to parse the 1-million sample data logs, sort the data, and figure out what's changing and what isn't. I created a histogram of the PT-CAN bus to see this information very clearly. This would be helpful to me to figure out what I wanted to look at, and what I could safely ignore.

Here's the PT-CAN bus histogram:
Code:
ID(xxxxxxxx):  B1, B2, B3, B4, B5, B6, B7, B8
ID(000000A8):  FF, FF, FF, F1, FF, FF, 0F, 63
ID(000000A9):  FF, DF, FF, FF, 7F, FF, FF, FF
ID(000000AA):  FF, FF, FF, FF, FC, 7F, B4, FF
ID(000000B6):  FF, FF, FF, FF, 2F, 00, 00, 00
ID(000000C4):  FF, FF, FC, FF, FF, FF, F1, 00
ID(000000C8):  FF, FF, F0, FF, FF, FC, 00, 00
ID(000000CE):  FF, FF, FF, FF, FF, FF, FF, FF
ID(00000130):  55, 50, E8, F5, FF, 00, 00, 00
ID(00000135):  F5, FF, 00, 00, 00, 00, 00, 00
ID(00000175):  FF, 00, 00, 00, 00, 00, 00, 00
ID(00000194):  FF, FF, 00, FC, 00, 00, 00, 00
ID(0000019E):  02, FE, FF, FC, FE, 63, 3F, FF
ID(000001A0):  FF, B3, FC, FF, FF, FF, FF, FF
ID(000001A3):  FF, 5F, FE, F2, FF, 00, 00, 00
ID(000001A6):  FF, FF, FF, FF, FF, FF, F0, FF
ID(000001B4):  FF, D3, E2, FF, 56, 77, FE, FF
ID(000001B5):  C8, FF, 1F, 01, CA, FF, FF, 00
ID(000001B6):  FF, FF, 3C, 00, FF, FE, 7F, FF
ID(000001D0):  FF, FF, 7F, CF, FF, FF, 0D, FF
ID(000001D6):  C0, 0C, 00, 00, 00, 00, 00, 00
ID(000001D9):  FF, 3F, FF, 00, 00, 00, 00, 00
ID(00000200):  41, 91, C0, F7, FF, FF, FF, FF
ID(00000202):  FE, FF, 00, 00, 00, 00, 00, 00
ID(0000021A):  80, 33, F7, 00, 00, 00, 00, 00
ID(00000226):  00, FE, FF, 00, F3, 00, 00, 00
ID(0000023A):  00, 33, 00, 60, 00, 00, 00, 00
ID(00000242):  11, F1, FF, FF, FF, 00, 00, 00
ID(00000252):  CE, FF, 00, 00, 00, 00, 00, 00
ID(000002A6):  00, F8, 00, 00, 00, 00, 00, 00
ID(000002B2):  3F, 3F, 3F, 3F, FF, FF, 1C, 0F
ID(000002B3):  FF, FF, FF, F6, E7, 00, 00, 00
ID(000002C0):  FF, EB, FF, 00, 00, 00, 00, 00
ID(000002CF):  F9, FF, 00, 00, 00, 00, 00, 00
ID(000002D2):  FF, FF, FF, 00, 00, 00, 00, 00
ID(000002F1):  FF, FF, FD, 00, 00, 00, 00, 00
ID(000002F3):  0F, FC, FF, 00, 00, 00, 00, 00
ID(000002F6):  00, F5, 00, 00, 00, 00, 00, 00
ID(000002F8):  0F, 3F, 3F, 0C, 2F, DC, 07, FD
ID(000002FA):  FD, 05, FF, FF, FF, 00, 00, 00
ID(000002FC):  A3, 00, 0C, FF, FF, FF, FF, 00
ID(00000310):  6F, FF, FF, 03, 00, 49, 11, 00
ID(00000311):  00, F0, 00, 00, 00, 00, 00, 00
ID(00000315):  FF, F1, 00, 00, 00, 00, 00, 00
ID(0000031C):  00, E0, 7F, 67, 6F, 6F, FF, FB
ID(00000322):  FF, 07, FF, 07, FF, 07, FF, 07
ID(00000326):  F8, FF, 00, 00, 00, 00, 00, 00
ID(00000330):  FF, 8E, 00, 2F, 3F, 3F, FC, 0F
ID(00000332):  FF, FF, 00, 00, 00, 00, 00, 00
ID(00000348):  FE, FE, FE, 00, FE, FE, FF, 00
ID(0000034A):  FF, FF, FF, 7F, FF, FF, FF, 7F
ID(0000034C):  FF, 7F, FF, 7F, FE, 00, F0, FF
ID(0000034E):  FE, FF, 1F, 02, 60, 00, FE, FF
ID(0000034F):  FF, FF, 00, 00, 00, 00, 00, 00
ID(00000374):  E7, E7, FF, 00, FD, 00, 00, 00
ID(00000380):  50, 33, 36, 31, 37, 33, 38, 00
ID(00000381):  7D, FF, 00, 00, 00, 00, 00, 00
ID(00000383):  C0, FF, 00, 00, 00, 00, 00, 00
ID(00000388):  0E, 02, 68, 14, C0, 02, 28, 00
ID(00000395):  08, 08, 50, 64, FF, 00, 00, 00
ID(00000399):  FF, 51, 25, 2A, 81, 97, 00, 00
ID(000003A9):  F2, FF, 00, 00, 00, 00, 00, 00
ID(000003AC):  FE, DF, 00, 00, 00, 00, 00, 00
ID(000003B0):  FF, FF, 00, 00, 00, 00, 00, 00
ID(000003B3):  11, FF, FF, 7F, 00, F8, 00, 00
ID(000003B4):  FF, F3, B9, FD, FF, FF, FF, FF
ID(000003B9):  FF, F1, F8, 00, 00, 00, 00, 00
ID(000003BE):  FE, FF, 00, 00, 00, 00, 00, 00
ID(000003EF):  FF, FF, 00, 00, 00, 00, 00, 00
ID(00000480):  12, 42, FE, 01, FF, FF, FF, FF
ID(00000492):  29, 52, FF, 01, FF, FF, FF, FF
ID(000004A9):  39, 52, FE, FF, FF, FF, FF, FF
ID(000004B9):  00, 52, FF, FF, FF, FF, FF, FF
ID(00000580):  6F, 1F, C1, FF, FF, FF, FF, FF
ID(00000592):  F2, 33, D7, FF, FF, FF, FF, FF
ID(000005A9):  73, D7, 80, FF, FF, FF, FF, FF
ID(000005C0):  82, 31, 67, F1, 3C, FA, 94, 62
ID(000005D6):  6E, 01, 00, 00, FF, FF, FF, FF
ID(000005E0):  8D, 03, FF, FF, FF, FF, FF, FF
ID(000005F2):  6E, 1B, 00, 01, FF, FF, FF, FF
ID(000005F8):  08, 08, 00, 00, FF, FF, FF, FF
Phase-4: Categorize the variables
Now it's time to figure out what's meaningful data and what isn't. This is where the job gets a lot more difficult. It's time to start looking at the data and figure out what is in there. This isn't an easy task.

First I need to figure out if the data is changing or not. Next I need to figure out if the data represents a changing analog value or is a set of binary on/off flags. I need to figure out where the data starts and where the data ends (how big it is). Then I need to figure out whether the data appears in forward order or some type of reverse order.

During this process I realized BMW engineers are some real sneaky bastards. They store the data in ways that you don't expect to find it. Some of the data is very difficult to recognize as anything meaningful. It's not encrypted, but BMW didn't always keep the data together. So many times I had to figure out what the pieces were, and then figure out how to put them back together. Once you put them back together, my CAN analyzer software will let me play back the data and compare it to other signals. Since I've already reverse-engineered the BT Tool protocol, I'm looking for graphs that follow exactly what I captured on the BT Tool CAN bus.

So far I've found these types of data fields:
Clocks and counters. Clocks and counters are those who increase at fixed intervals. They eventually wrap back to the beginning and start all over again. The sizes range from 4-bit to 48-bit counters. Some clocks and counters increase every 5mS, 1-second, and others as long as 10-seconds (and longer). There's a LOT of clocks and counters on the PT-CAN bus.

Analog values. These are digital values that represent analog components. It could be anything from RPM data to motion sensor data.

Binary flags and on/off switches. Every button in the cockpit seems to set a flag in the PT-CAN bus data. These include everything from blinkers to steering wheel switches.

Phase-5: Figuring out exactly what I've found and give them names.
Now that I have the data types figured out, it's time to figure out what they mean. This is also a very difficult task because the data items are often scaled down from larger values. For example, the RPM you see on the tachometer is stored as many-times that value on the PT-CAN bus. Other values are scaled as well, but in non-obvious manners. I've found some items scaled by 5/8 -- kind of an odd scaling factor IMO. In many cases, I know which sensor I've found, but haven't spent the time to figure out the scaling yet.

So far, I've managed to find and decode the following items:
  • RPM
  • Throttle pedal position
  • Brake pedal position
  • Steering angle sensor
  • Individual wheel speed sensors
  • Velocity-1 (possibly GPS speed)
  • Velocity-2 (identical to Velocity-1, but seems to have an intentional error built in. This might be the actual speedometer value.)
  • Multiple MAF sensors
  • Multiple motion sensors (accelerometers, gyro's compass, possibly GPS. About 8-12 sensors in all.)
  • High speed "heartbeat" clocks.
  • 1-second counter since car started.
  • Very rough oil temperature*
  • Very rough water temperature*
  • Blinkers, headlights,
  • Blinker switches, headlight switches, steering wheel switches, etc.
  • Many other things I'm probably forgetting to mention.

*Notes:
There's some very notable things that I haven't yet found, and other things I didn't expect to find.
  • Gear selection. So far, I haven't found anything to tell me what gear the transmission is in. My tests are exclusively on 6MT. When I run these tests on a DCT, I have a strong suspicion I will find this data.
  • Oil and water temperatures. I have found some low resolution versions of oil and water temperature. Most of the sensor values I've found are high resolution; but the only oil and water temperature sensors I've found have low resolution values. So my search continues for higher resolution values.
  • Throttle position. Anybody who's played with the CAN bus files from Racelogic (Video VBox), might have figured out there's a bug in how they handle throttle position. Now that I know where the data comes from, I know exactly what the bug is, and I have fixed it for my own Video vBox files.
  • DSC Light. The DSC light doesn't exactly have its own entry in the PT-CAN bus. Instead, this value must be calculated by looking at various other factors.

Phase-6: Create CAN BUS Database Files (DBC Files):
The CAN analyzer I purchased allows me to create all of these data types of any size and type, then even add scaling to them. The software allows me to export CAN BUS Database Files (DBC files). The Video VBox software can directly import these DBC files. Once imported into the Video VBox software, then the Video vBox can display any of the items in my database onto the screen. This would include the tachometer, steering wheel, gas pedal, brake pedal, blinkers, headlight icons, DSC light, M-Mode buttons, etc.

I'm kind of doing phase-4, 5, and 6 simultaneously. I'm only about 50% done with phase-4, 5, and 6. Hopefully I'll generate some useful information out of this that can be used for anybody with a Video VBox software and tools.
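As an added illustration of the Phase-3 and Phase-4 analysis described in post #1 (not PencilGeek's programs, which the thread does not show): a sketch that builds a per-byte change mask for each CAN ID and sorts each byte position into constant, counter, flags or analog. The trace, the ID 0x100, the XOR-against-first-frame mask and the classification thresholds are all assumptions made for this example; the post does not say how its table was computed.

```python
from collections import defaultdict

def sample_trace():
    """Constructed frames (time_ms, can_id, data); the ID and layout are made up."""
    frames = []
    for i in range(64):
        analog = 800 + 37 * i                   # 16-bit value, low byte first
        flag = 0x04 if 20 <= i < 40 else 0x00   # one switch bit, on for a while
        data = bytes([i % 16, analog & 0xFF, analog >> 8, flag, 0xFF, 0, 0, 0])
        frames.append((i * 10, 0x100, data))
    return frames

def change_masks(frames):
    """Per CAN ID, one mask per byte: bit set if it ever differed from the first frame."""
    first, masks = {}, {}
    for _, can_id, data in frames:
        if can_id not in first:
            first[can_id], masks[can_id] = data, [0] * len(data)
            continue
        for i, (a, b) in enumerate(zip(first[can_id], data)):
            masks[can_id][i] |= a ^ b
    return masks

def format_row(can_id, mask):
    """Render one ID in the same layout as the table in the post."""
    return f"ID({can_id:08X}):  " + ", ".join(f"{m:02X}" for m in mask)

def classify_byte(values):
    """Label one byte position from its time-ordered values (heuristic)."""
    mask = 0
    for v in values:
        mask |= v ^ values[0]
    if mask == 0:
        return "constant"
    modulus = 1 << mask.bit_length()
    steps = {(b - a) % modulus for a, b in zip(values, values[1:])}
    if steps == {1}:
        return "counter"            # low bits step by one and wrap
    if bin(mask).count("1") <= 2:   # assumed threshold for on/off bits
        return "flags"
    return "analog"

def classify_trace(frames):
    """Map (can_id, byte index) to a label for every byte seen in the trace."""
    columns = defaultdict(list)
    for _, can_id, data in frames:
        for i, b in enumerate(data):
            columns[(can_id, i)].append(b)
    return {key: classify_byte(vals) for key, vals in columns.items()}

if __name__ == "__main__":
    trace = sample_trace()
    for can_id, mask in sorted(change_masks(trace).items()):
        print(format_row(can_id, mask))
    for (can_id, i), label in sorted(classify_trace(trace).items()):
        print(f"{can_id:03X} B{i + 1}: {label}")
```

The counter test only recognizes counters that occupy the low bits of a byte; a field split across bytes, as the post describes, has to be reassembled before it is classified.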
Old Tue, Feb-21-2012, 02:48:49 AM   #2
M3 Sedan JPS

subbed...
Old Tue, Feb-21-2012, 05:02:45 AM   #3
PencilGeek

Quote:
Originally Posted by BrightLight View Post
very nice. All these options are already available on the Vishnu Procede though...Maybe look into that if you want a quicker/easier solution.
Just as I got started on this project, Vishnu and I had two phone calls on this topic, along with some emails between us and their SW developer as well. Vishnu is doing something completely different and accessing the data in a completely different way than what I need. Their approach is similar to what the BT Tool does, and that limits the capabilities and speed of the results (and introduces some very small latencies as well). But more importantly, the data can't be used in the way I wanted to use it.

Quote:
Not sure what you're looking for though
As stated in the article, the goal is to extend the capabilities and virtual gauges on the Video VBox. The Vishnu Procede can't do that. That can only be done by finding the data on the PT-CAN bus itself.
Old Sat, Mar-03-2012, 06:44:17 PM   #4
PencilGeek

Here's a progress update on what I've found so far. There's still plenty of work to do, but so far I have confirmed the following values on the CAN bus. Many of these values are scaled, so figuring out the scaling is another part of the reverse engineering tasks. Unless noted otherwise, I have all of these values figured out, including scaling.
  • RPM
  • Oil temperature (C)
  • Water temperature (C)
  • Ambient temperature (needs final confirmation) (C)
  • MAF (possible ambient pressure, needs final confirmation) (bar)
  • Steering angle sensor (degrees)
  • Individual wheel speed sensors (kph)
  • Speedometer-Raw Data (kph)
  • Speedometer-Adjusted (*Fudge factor shown in cockpit) (kph)
  • Individual wheel brake pressure sensors (bar)
  • Master brake pedal pressure (bar)
  • Brake pedal switch
  • Clutch switch
  • Gas pedal pressure (%)
  • Fuel Gauge
  • Odometer (km since driving)
  • iDrive settings
  • M-Mode settings
  • Blinkers
  • Headlights
  • Steering wheel buttons
  • Battery Voltage

And I can see there's many more motion sensors (maybe a dozen more), possibly GPS data, etc. still to figure out.
Old Sat, Mar-03-2012, 07:13:51 PM   #5
imgm3

Impressive work as always !
Old Mon, Mar-12-2012, 08:37:53 AM   #6
Chebs_E84

Hey,

Great work on this, I have started to do something similar with my BMW X1 (E84). (To be released later this year in the USA?)
As far as I can see there are a lot of ID's that are the same as the histogram that you posted above, although I am logging the K-CAN rather than the PT-CAN.

So far I have found:
  • RPM
  • Coolant temp
  • Individual wheel speed
  • Time / Date
  • PDC reverse sensor data
  • External Temperature
  • Range
  • ODO
  • Steering wheel buttons
  • Climate control temperature
  • Climate control Fan speed
  • Electric window buttons

I am using the data to feed into (and control) a computer in the car running Windows-XP with front end software Road Runner, or Ride Runner as it's now named.

I have sent you a PM to see if there is any way we can help each other.

Last edited by Chebs_E84; Tue, Mar-13-2012 at 07:10:36 AM. Reason: Added found items
Old Wed, Mar-14-2012, 06:14:37 PM   #7
NoQuarter

I'm doing the same work for the E60.
Old Fri, Mar-16-2012, 06:46:00 PM   #8
PencilGeek

Quote:
Originally Posted by NoQuarter View Post
I'm doing the same work for the E60.
I suspect E60 and E92 share much of the same data and addresses. PM me and we might be able to share information.
Old Thu, Mar-22-2012, 12:51:52 AM   #9
bigugly

very impressive work guys
Old Sat, Jun-02-2012, 09:06:26 PM   #10
marcm

Quote:
Originally Posted by PencilGeek View Post
I suspect E60 and E92 share much of the same data and addresses. PM me and we might be able to share information.
Hi I too am playing with CAN on the E90 K-BUS and would like to chat with both of you about PIDs. New to the forum so don't think I can PM you yet. Can you please PM me to start the chain.

Thanks
Marc