Author Topic: 2011 Concours CAN Bus - Data Logging and Decoding  (Read 6176 times)

Offline RedRambler

  • Jr. Member
  • **
  • Posts: 42
2011 Concours CAN Bus - Data Logging and Decoding
« on: November 15, 2015, 06:45:42 pm »
2011 Kawasaki Concours CAN Bus

Over the past several weeks, I have been studying the CAN bus on the Kawasaki Concours to understand how it works.  I wanted to determine some of the basic operating parameters of the system, as well as decipher the communication protocol that Kawasaki used.  I have been partially successful in this effort, and I wanted to post my learnings here for others to build upon.

CAN Bus Background

First, some background information on CAN bus technology may be helpful.  CAN bus is a communications protocol and physical specification defined by ISO 11898-1 that is commonly used on most new vehicles today.  This protocol allows computers on a vehicle to pass information back and forth as needed to operate the vehicle.  The CAN system uses differential transmission on a twisted pair of wires, somewhat similar to how Ethernet works in LANs.  Multiple computers are connected to a single pair of wires, so all messages broadcast on the bus are received by all nodes.  There is an ID number associated with each message (the Arbitration ID) that defines generally what information or request is contained in the message.  The computers receiving messages on a CAN bus use the arbitration ID to determine whether the message is intended for themselves.  In times of heavy traffic, the arbitration ID is also used to ensure that higher priority messages get through, while lower priority messages are delayed.  In addition to the arbitration ID, each message has a Data Length Code (DLC) that indicates the number of data bytes contained in the message.  Each message can contain a maximum of eight data bytes.

On the Kawasaki Concours, there are five computers that are attached to the CAN bus: 1. KIPASS ECU, 2. Fuel Injection ECU, 3. Steering Lock ECU, 4. K-ACT ABS ECU, and 5. Meter unit ECU.  There is also a connector under the seat to attach the Kawasaki Diagnostic System (KDS) to the bike for diagnostic purposes. 

Test Setup

In order to analyze the CAN bus messages that were being sent, I built a CAN bus analyzer from the following components:
•   Arduino Nano board containing an ATMega328P microprocessor running at 16 Mhz.
•   MCP2515 can bus controller
•   32KB FRAM SPI non-volatile memory

The Nano was connected to a laptop using a USB cable in order to display the messages that were captured.  The Serial Peripheral Interface (SPI) connection between the Nano and the other two components was set to run at the maximum speed of 8Mhz.  I modified the Nano slightly to enable it to work with my Atmel Dragon programmer/debugger.  The total cost of these three components is under $20.

The MCP2515 CAN bus controller was connected to the KDS diagnostic port under the seat.  I extracted the correct pins from the 6-pin KDS connector, soldered a short length of cat-5e cable with a female RJ-45 8-pin connector, and replaced each pin back into its original position in the KDS 6-pin connector.  I then attached another length of cat-5e cable with a male RJ-45 connector to the CAN bus analyzer, allowing me to easily connect and disconnect the test setup to the bike.  I stored the test electronics in the tool storage compartment to keep it protected and out of the way.  This setup allowed me to connect the CAN bus analyzer to the bike without interfering with the ability to connect a KDS system.

Because I had no knowledge of what messages I might encounter or even what bit-rate the system used, I put the controller in listen-only mode until I was certain that I had figured out how to properly set up the CAN interface.  Here are the setup parameters that I am using for my test board:

•   MCP2515 oscillator frequency: 8Mhz
•   Base Baud Rate: 500 Kb/s
•   Baud rate Prescaler: 1
•   Synchronization Jump Width: 2 Time Quanta
•   Propagation Segment 1: 3 Time Quanta
•   Propagation Segment 2: 3 Time Quanta

Message Decoding Technique: 

To decode the CAN messages, I first had to write a program to collect and display those messages. My first software routine simply saved all messages and printed them out when the buffer filled up.  This allowed me to observe the messages that were being transmitted during simple things like key-on, key-off sequences.
I quickly realized that most of the messages I received were repeated very frequently, over and over.  So I wrote a software routine to record all the messages that changed during a one second interval, and print to the screen only those messages whose values changed.  In this way, I could experiment by changing gears, engine speed, rear wheel speed, etc., and then noting what message values were changing.  Using this technique, I was able to quickly determine what message IDs were being used for various functions on the bike.

I later modified this routine to ignore all message IDs except one, and print to the screen any message with that ID that was not identical to the previous message with the same ID.  In this way, I could focus on one specific message type and observe what changes occurred due to a variety of user inputs.

Finally, I wrote software to filter out all unwanted messages, and save only messages that I knew I wanted to record, or messages that I had never seen before.  The messages were saved in non-volatile FRAM.  This created a practical way to log data messages while I was operating the bike, which could be printed out later when I returned home.

Key Learnings:

•   CAN bus operates at 500 Kb/s.
•   Uses Standard 11 bit Arbitration IDs.
•   No remote frames used under normal operation.
•   Very high traffic rate:  several thousand messages per second.
•   Impractical to log data to EEPROM.  It’s WAY too slow.
•   Cannot transmit data fast enough to a laptop screen to log all messages, even at 230Kbps.
•   Except for diagnostic messages, the protocol appears to be simple:  each arbitration ID corresponds to a specific parameter or function.
•   Most system critical signals are wired directly to the corresponding processors that need them.  Therefore, many parameters (e.g. throttle position) are not normally passed across the bus.  These parameters have to be requested via diagnostic requests.  Page 1-22 of the service manual contains a basic description of the general information that is floating around on the bus.
•   Tire Pressure messages from sensors are repeated 3 times, every minute (approximately).  Three messages with the same data are sent except for a counter byte (data5) that indicates the sequence number.
•   Tire Pressure messages sent to the display are formatted differently than the messages coming from the sensors and are sent much more frequently.
•   Tire Pressure readings from unknown sensors are broadcast with message ID 0x695, having data byte 7 = 0xff.  The ID number for the sensor is located in Byte0:Byte3 of the message.  By taking advantage of this fact, one can read the TPMS sensor ID from the CAN bus for working sensors when the ID sticker from the sensor has been lost. 
•   It is very difficult to log every message without message loss with this setup.  A better solution is to use a microprocessor with an on-board CAN controller, like the Atmel AVR ATMega32M1.  A processor like this would greatly reduce the time required to process incoming messages and provide much better filtering and masking options.

Table 1. Usage Table for Observed Message IDs
Arbitration ID   Usage
0x010           Front/Rear Wheel Speed
0x011           Timer/Counter
0x018           Brake Status (Brake OFF: Byte0=8, Brake Depressed: Byte0=0)
0x050           KTRC Button Status (See Table 3)
0x058           KACT Button Status (See Table 4)
0x060           Mode Button Status (See Table 5)
0x100           Engine RPM
0x110           Vehicle speed
0x120           Water Temp
0x121           Gear Indicator (data0 = gear, data1 = Neutral indicator)
0x130           Tire Pressure Display
0x205 
0x220           Ignition Status (Key on = 1, Key Off = 0)
0x221 
0x223           Steering Lock Status (Locked = 0, Unlocked = 1)
0x224           KTRC Mode (Enabled = 1, Disabled = 0)
0x225           KACT Mode (Low Combined = 1, High Combined = 2)
0x227           ECO Mode (OFF = 0, ON = 1)
0x230           KTRC Error
0x310 
0x311 
0x318 
0x319 
0x320 
0x321           Engine Status (Cranking/Running = 1, Stopped = 5)
0x328 
0x32f 
0x331 
0x340 
0x695           Front or Unknown Tire Pressure Sensor Message
0x696           Rear Tire Pressure Sensor Message
0x700 – 0x7ff   Reserved for Diagnostic System Requests

 


Table 2. Message Formats for Common Display Parameters

Usage IDDLCData0Data1Data2Data3Data4Data5Data6Data7
Engine RPM0x1006MSB RPMLSB RPM0000
Vehicle Speed0x1106MSB SpeedLSB Speed0000
Water Temp0x1206MSB water tempLSB water temp0000
Gear Indicator0x1212Gear number 1-6, 0 for neutral0x01 for neutral, 0x00 otherwise
Tire Pressure Display0x1304Front Pressure in 0.2 PSI incrementsRear Pressure in 0.2 PSI incrementsFront pressure warningRear Pressure Warning
Front Pressure Sensor0x6958????????Pressure in 0.2 PSI incrementsMessage counterPressure in 0.2 PSI increments0x00
Rear Pressure Sensor0x6968????????Pressure in 0.2 PSI incrementsMessage counterPressure in 0.2 PSI increments0x00
Unknown Pressure Sensor0x6958ID:3ID:2ID:1ID:0??Pressure in 0.2 PSI increments??0xff


Table 3. Message ID 0x050 - KTRC Button Status
Condition  Data0 Value
KTRC in Self Test Mode   0x0e
KTRC Mode off, KTRC button not pressed  0
KTRC Mode off, KTRC button pressed   2
KTRC Mode off, KTRC button held, mode changed   3
KTRC Mode on, KTRC button not pressed   2
KTRC Mode on, KTRC pressed   3
KTRC Mode on, KTRC button held, mode changed   1
KTRC Mode off, KTRC button released   0

Table 4. Message ID 0x060 - Mode Button Status
Condition   Data0 Value
ECO Mode off, Mode button not pressed   0
ECO Mode off, Mode button pressed   1
ECO Mode off, Mode button held, mode changed   3
ECO Mode on, Mode button not pressed   2
ECO Mode on, button pressed   3
ECO Mode on, Mode button held, mode changed   2
ECO Mode off, Mode button released   0

Table 5. Message ID 0x58 – KACT Button Status
Condition   Data0 Value
KACT High Combined mode, KACT button not pressed   4
KACT High combined mode, KACT button pressed   5
KACT High combined mode, KACT button held, mode changed   3
KACT low combined mode, KACT button released   2
KACT low combined mode, KACT button pressed   3
KACT low combined mode, KACT button held, mode changed   5
KACT High combined mode, KACT button released   4

Next Steps

As time permits, I plan to continue studying the message IDs 0x010, 0x011, and 0x018.  0x010 is somehow linked to vehicle speed, maybe wheel speed sensor readings.  0x011 is a timer or counter, but I'm not sure what it is being used for.  0x018 is a status message.  The only status that I have figured out is the first bit, which indicates whether brakes are being applied.

Message 0x32f appears to be related to engine RPM.  Could be fuel consumption.

Additional work needs to be done to understand what the TPMS flags and the system error flags.

The diagnostic interface needs to be documented.

Hopefully, my work will motivate some of the very talented folks here to take this a step further and figure out the rest of this protocol.  By understanding the protocol, I think all sorts of useful things could be done. (think digital speedo and tach, speedo correction, TPMS sensor programming, Key FOB programming, and more.)

RedRambler
« Last Edit: November 30, 2015, 06:05:31 pm by RedRambler »

Offline VirginiaJim

  • Administrator
  • Elite Member
  • *****
  • Posts: 10589
  • Country: england
  • I've forgotten more than I'll ever know...
    • Kawasaki 1400GTR
Re: 2011 Concours CAN Bus - Data Logging and Decoding
« Reply #1 on: November 15, 2015, 07:49:47 pm »
Most excellent information....my brane hurts now.  :thumbs: :goodpost:

I'm hoping you'll be coming up with a cheap warp drive..
 
  "LOCTITE®"  The original thread locker...  #11  08-C14 EA FC ABS 46 Monitoring with cutting edge technology (sold).  U.N.I.T is Back!  2016 Indian Roadmaster.

Offline maxtog

  • Elite Member
  • ******
  • Posts: 7850
  • Country: us
  • 2011 Silver
Re: 2011 Concours CAN Bus - Data Logging and Decoding
« Reply #2 on: November 15, 2015, 08:08:25 pm »
+1
Shoodaben (was Guhl) ECU flash, Canyon Cages front/rear, Helibars risers, Phil's wedges, Grip Puppies, Sargent World seat-low & heated & pod, Muzzy lowering links, Soupy's stand, Nautilus air horn, Admore lightbar, Ronnie's highway pegs, front running lights, HID, helmet locks, Garmin Zumo 450, Sena SMH10, Throttle Tamer, MRA X-Creen, PR4-GT, Scorpion EXO-T1200,  Tourmaster Flex II

Offline SilverConnieRider

  • Jr. Member
  • **
  • Posts: 62
Re: 2011 Concours CAN Bus - Data Logging and Decoding
« Reply #3 on: November 15, 2015, 09:10:32 pm »
+2   ;D

Offline twowheeladdict

  • Full Member
  • ***
  • Posts: 1198
  • Country: 00
Re: 2011 Concours CAN Bus - Data Logging and Decoding
« Reply #4 on: November 16, 2015, 06:49:21 am »
Is someone's riding season over?  ;)

My Concours Travels:
2014 New England Tour http://www.zggtr.org/index.php?topic=17336.msg212077#msg212077

Offline Rhino

  • Arena
  • Hero Member
  • *****
  • Posts: 3956
  • Country: us
Re: 2011 Concours CAN Bus - Data Logging and Decoding
« Reply #5 on: November 16, 2015, 10:46:39 am »
Have you figured out the message that turns off warnings (such as TPMS low battery)? The message that gets sent when push and hold top button, push and release bottom button, release top button. Would love a way to do this with just a single button on the handle bars. I'm assuming these PANIC!!! ALL HOPE IS LOST!! warnings are one day going to get me killed and if I had an easy way of shutting them off, they might not kill me. I'm also assuming the only reason I'm still alive is because of BDF's device to turn off the low fuel warning.

Offline martin_14

  • Sr. Member
  • ****
  • Posts: 1379
  • Country: ar
  • know who you are
Re: 2011 Concours CAN Bus - Data Logging and Decoding
« Reply #6 on: November 16, 2015, 01:43:30 pm »
RedRambler,
you keep pointing out how low cost is your set up to hack into the CAN Bus, but you neglect the immense knowledge that you seem to have. I am an engineer myself, but mechanical, and I deem all electronic things as pure witchcraft; stuff that in terms of comprehension could as well be sitting after Saturn's rings. How a human being can accrue and put in use all this stuff is beyond me. Thanks a lot for sharing.
 :hail:
Build bridges, not walls.

Education is important. Riding my bike is importanter.

Online B.D.F.

  • Hero Member
  • *****
  • Posts: 4745
  • Country: 00
  • It's only really cold if you fall down in it.
    • C-14 farkles you almost cannot ride without.
Re: 2011 Concours CAN Bus - Data Logging and Decoding
« Reply #7 on: November 16, 2015, 03:55:32 pm »
Good thread, just found it.

Martin, the mysterious electrons are not so bad once you begin to think of them as mechanical objects rather like marbles or ball bearings. Then everything becomes a bit more clear. Besides, no 'real man' would ever admit to frolicking with invisible, magical things that travel in a circle but have no mass. Even worse is the 'holes' that counter those ridiculous electrons; the 'holes' are the compliments of electrons but strictly imaginary as the negative of a negative (which is NOT positive) cannot exist.

 :rotflmao:

Brian

RedRambler,
you keep pointing out how low cost is your set up to hack into the CAN Bus, but you neglect the immense knowledge that you seem to have. I am an engineer myself, but mechanical, and I deem all electronic things as pure witchcraft; stuff that in terms of comprehension could as well be sitting after Saturn's rings. How a human being can accrue and put in use all this stuff is beyond me. Thanks a lot for sharing.
 :hail:
Homo Sapiens Sapiens and just a tad of Neanderthal but it usually does not show....  My Private mail is blocked; it is not you, it is me, just like that dating partner said all those years ago. Please send an e-mail if you want to contact me privately.

KiPass keeping you up at night? Fuel gauge warning burning your retinas? Get unlimited peace and harmony here: www.incontrolne.com

Online B.D.F.

  • Hero Member
  • *****
  • Posts: 4745
  • Country: 00
  • It's only really cold if you fall down in it.
    • C-14 farkles you almost cannot ride without.
Re: 2011 Concours CAN Bus - Data Logging and Decoding
« Reply #8 on: November 16, 2015, 04:00:46 pm »
I cannot answer your question with any certainty but I do not think so. I believe the low fuel warning is hard- wired into the system and is not merely a message send by CAN bus. But I would have to re- visit my notes and schematics to know.

One of the problems with these complex vehicle systems is that various parts are located in different places. For example: the low TMPS battery warning is located in the TMPS sensor itself rather than the ECU on the bike, so it is impossible to re-code the ECU to behave better regarding the early warning the sensors present when cold. Now there is always the possibility of interrupting the error before it gets to the dash display but I doubt it would be practical even if possible.

Brian

Have you figured out the message that turns off warnings (such as TPMS low battery)? The message that gets sent when push and hold top button, push and release bottom button, release top button. Would love a way to do this with just a single button on the handle bars. I'm assuming these PANIC!!! ALL HOPE IS LOST!! warnings are one day going to get me killed and if I had an easy way of shutting them off, they might not kill me. I'm also assuming the only reason I'm still alive is because of BDF's device to turn off the low fuel warning.
Homo Sapiens Sapiens and just a tad of Neanderthal but it usually does not show....  My Private mail is blocked; it is not you, it is me, just like that dating partner said all those years ago. Please send an e-mail if you want to contact me privately.

KiPass keeping you up at night? Fuel gauge warning burning your retinas? Get unlimited peace and harmony here: www.incontrolne.com

Online B.D.F.

  • Hero Member
  • *****
  • Posts: 4745
  • Country: 00
  • It's only really cold if you fall down in it.
    • C-14 farkles you almost cannot ride without.
Re: 2011 Concours CAN Bus - Data Logging and Decoding
« Reply #9 on: November 16, 2015, 04:09:43 pm »
Excellent work, and thanks for post this!

Just a thought but you might be able to help yourself a bit by reverse engineering what individual devices are sending to the KiPass ECU; for example, the tire pressure sensors send additional information such as the low battery warning. The originals used an Infeneon SP 30 and later, the SP 35; the data sheet for either one may be most helpful in trying to determine what data the ECU receives.

Again, great job and great info.!

Brian

2011 Kawasaki Concours CAN Bus

Over the past several weeks, I have been studying the CAN bus on the Kawasaki Concours to understand how it works.  I wanted to determine some of the basic operating parameters of the system, as well as decipher the communication protocol that Kawasaki used.  I have been partially successful in this effort, and I wanted to post my learnings here for others to build upon.

<snip>

Additional work needs to be done to understand what the TPMS flags and the system error flags.

The diagnostic interface needs to be documented.

Hopefully, my work will motivate some of the very talented folks here to take this a step further and figure out the rest of this protocol.  By understanding the protocol, I think all sorts of useful things could be done. (think digital speedo and tach, speedo correction, TPMS sensor programming, Key FOB programming, and more.)

RedRambler
Homo Sapiens Sapiens and just a tad of Neanderthal but it usually does not show....  My Private mail is blocked; it is not you, it is me, just like that dating partner said all those years ago. Please send an e-mail if you want to contact me privately.

KiPass keeping you up at night? Fuel gauge warning burning your retinas? Get unlimited peace and harmony here: www.incontrolne.com

Offline Steve in Sunny Fla

  • Full Member
  • ***
  • Posts: 1111
  • Country: 00
    • Shoodaben Engineering
Re: 2011 Concours CAN Bus - Data Logging and Decoding
« Reply #10 on: November 16, 2015, 09:30:51 pm »
This is what it will take to keep these bikes running and out of the scrapyard when electronic gremlins pop up... cracking the code is first, bypassing it with a viable workaround is second. Stick with it, this is important stuff. Steve

Offline jwh20

  • Full Member
  • ***
  • Posts: 316
Re: 2011 Concours CAN Bus - Data Logging and Decoding
« Reply #11 on: November 17, 2015, 06:03:29 am »
RedRambler,

Great Information!!  I've been meaning to do this exact thing and I have a particular interest in the diagnostic and FOB programming commands used by the KDS box.  It's on my list of things to do this winter...

Offline RedRambler

  • Jr. Member
  • **
  • Posts: 42
Re: 2011 Concours CAN Bus - Data Logging and Decoding
« Reply #12 on: November 17, 2015, 10:31:38 am »
If we can get access to a KDS system for a few hours, it should not take long to capture all the data we need to document the diagnostic interface. Building a do-it-yourself programmer for key fobs and tire sensors would then be straightforward.

I look forward to seeing the results of your work. PM me if I can assist.

RR

Offline jwh20

  • Full Member
  • ***
  • Posts: 316
Re: 2011 Concours CAN Bus - Data Logging and Decoding
« Reply #13 on: November 17, 2015, 10:55:10 am »
If we can get access to a KDS system for a few hours, it should not take long to capture all the data we need to document the diagnostic interface. Building a do-it-yourself programmer for key fobs and tire sensors would then be straightforward.

I look forward to seeing the results of your work. PM me if I can assist.

RR

I have a KDS in my possession.   ;)

Offline VirginiaJim

  • Administrator
  • Elite Member
  • *****
  • Posts: 10589
  • Country: england
  • I've forgotten more than I'll ever know...
    • Kawasaki 1400GTR
Re: 2011 Concours CAN Bus - Data Logging and Decoding
« Reply #14 on: November 17, 2015, 10:57:36 am »
Ah Hah!  :banana
  "LOCTITE®"  The original thread locker...  #11  08-C14 EA FC ABS 46 Monitoring with cutting edge technology (sold).  U.N.I.T is Back!  2016 Indian Roadmaster.