JEEP HACKING CAN-C / CAN-IHS / UDS ! (Reverse Engineering)

[jmccorm]

More discoveries:

The 13-way star connectors on the CAN-C and CAN-IHS bus are self-terminating. When connecting a microcontroller, you shouldn't need to add a terminating resistor of your own.

When a vehicle is "asleep", sending a message, any message, on the CAN-C bus will partially wake the vehicle up. During wake-up and sleep operations, you'll often see messages in the 400-402 range. Those appear to be status messages for the CAN bus itself.

The CAN-C bus does not appear to acknowledge or reply to OBD-2 parameter queries. (There's actually yet another diagnostic bus connection for that.)

The majority of active CAN IDs seem to transmit on a very regular basis. In fact, you can usually time to the millisecond when their next broadcast will be. With only a few exceptions, how often they update is tied to their CAN ID number. Here is a rough chart I made of how often they refresh:

CAN BUS IDS TIME BETWEEN UPDATES
ID 000 - 06F 0.01 sec (1/100th seconds)
ID 070 - 0BF 0.02 sec (1/50th seconds)
ID 0D0 - 0DF 0.05 sec (1/20th seconds)
ID 100 - 1ff 0.10 sec (1/10th seconds)
ID 200 - FFF 1.00 sec (with exceptions) and ad-hoc
(NOTE: There are exceptions, but this table is 95%+ accurate.)

Based on this, we might assume that the most critical engine/system data is going to have lower CAN ID numbers, and the slower human or non-critical electromechanical systems will have the higher CAN ID numbers.

Still, it's difficult to find something as simple as RPM because when you give it some gas, all sorts of numbers start moving up in unison. It'll take time (or a cheat sheet) to figure out which field is which! It is highly recommended that you do NOT write to numbers that you do not understand. I suspect some of the lower numbers will revolve around airbag operations!

UPDATE (DECEMBER 2021): On page four I finally discovered and shared how to send and receive OBD-II messages over the CAN-C bus.

Sponsored

 

[jmccorm]

The dealer called to let me know that my package was in. Sure enough, another CAN cable. Up until now, I've been playing with the CAN-C network. But not I finally got a CAN-IHS bus connector to work with!

The two small metallic pieces in their own bag are crimps for splicing two cables together. What I found really interesting were two business cards tucked inside the package. Take a look!

The first card probably goes a long ways to explain why one cable was nearly $100 and then other was around $30. I'm going to guess that the first connector I ordered was gold plated! The second card is actually some pretty good advice. Twisting the cables helps cancel out interference, and RF interference is the last thing you want on a CAN bus.

So, wow, everything I've done up until now has been on the CAN-C body (critical systems) bus. I'll need to rework some of my documentation to reflect what bus or busses they apply to. But I'm ready to make a whole lot of new discoveries now that I've got the IHS (interior high speed) bus open to me!

 

[PocketsEmptied]

Following this. It's been a few years since I did some work on the openpilot project for my wife's car (see https://github.com/commaai/openpilot - you might be able to glean a few more headers in selfdrive/car/chrysler/ as some will be common between recent models). Had a lot of fun and still use it on trips, didn't have to do too much CAN hacking as most of the needed stuff had already been found but did analyze dumps from time to time. Hacking into the JL is on my list of things to do, mainly for quality of life stuff like @jmccorm mentioned as there's no automated lane centering capabilities in the JL so autopilot is basically out of the question. This kind of stuff is right down my alley, but I'm not quite ready to go down that road yet as it will fully consume me and I still have 50 other things to finish building out first, but I'll be cheering you guys on and will likely jump in at some point.

 

[jmccorm]

I spent the rest of the evening connecting the second network (CAN-IHS) to my Raspberry Pi, and... it refused. It looks like I have a hardware and/or driver bug that I have to track down. I unhooked my CAN-C interface and plugged the CAN-IHS network in it's place. Worked great, seeing traffic.

In fact, I reversed engineer a ton of codes tonight::

Engine speed (RPM), vehicle speed (KM/H), power status (off,accessory,run, engine on, etc), gear selector setting, volumes for radio/navigation/etc, equalizer settings, mute status, most steering wheel buttons, current camera being viewed, testing to see if the driver has Offroad Pages pulled up (that was really random), Sky One-Touch Power Top status (docked in place, button positions, etc), more center console buttons, etc.​

I'll add these to the list of codes once we got some people working with this. Speaking of which...

It's been a few years since I did some work on the openpilot project for my wife's car (see https://github.com/commaai/openpilot - you might be able to glean a few more headers in selfdrive/car/chrysler/ as some will be common between recent models).

You know what? The past couple of weeks, I've been daydreaming about adding a lane departure feature... but daydreaming is about it. The detection side of things is way outside anything I've done. I did skim through your code, though! I found your Chrysler CAN ID for LKAS display status (on the EVIC). I might just see how the Wrangler's EVIC responds to it!

This kind of stuff is right down my alley, but I'm not quite ready to go down that road yet as it will fully consume me and I still have 50 other things to finish building out first, but I'll be cheering you guys on and will likely jump in at some point.

I understand. I tell you what, if you ever start working on lane departure, I'M going to be the one following YOU!

 

[PocketsEmptied]

You know what? The past couple of weeks, I've been daydreaming about adding a lane departure feature... but daydreaming is about it. The detection side of things is way outside anything I've done. I did skim through your code, though!

Just to be clear openpilot is a large project run by comma.ai and my contribution to it was minor, lot of the stuff I did was deemed too dangerous for the masses so I rolled a lot of my own code. I have no idea what would be involved in adding LKAS to a Wrangler, you'd definitely need to transplant a number of steering components, you should be able to get away without needing a LKAS module if you rolled your own like openpilot does which basically uses a dedicated cell phone as the LKAS camera and then man in the middles the LKAS module. It would be a lot of work and on the mechanical side I'd be way out of my league.

I found your Chrysler CAN ID for LKAS display status (on the EVIC). I might just see how the Wrangler's EVIC responds to it!

You might be surprised, on my wife's car it had code for modules that weren't even available on that model year and even had some more advanced modules that showed up in later year models.

 

[jmccorm]

I have no idea what would be involved in adding LKAS to a Wrangler, you'd definitely need to transplant a number of steering components, you should be able to get away without needing a LKAS module if you rolled your own like openpilot does which basically uses a dedicated cell phone as the LKAS camera and then man in the middles the LKAS module.

Yikes! I might have been using the wrong terminology? I was just looking for something more like a lane departure warning? Something that would alert if I significantly departed from my lane, or if I had a minor departure for an extended period of time. Otherwise, you're right! It would take a serious effort to convince me to connect servos to my steering wheel! I now see that LKAS wasn't the right term for my less ambitious daydreaming.

You might be surprised, on my wife's car it had code for modules that weren't even available on that model year and even had some more advanced modules that showed up in later year models.

You bet, and an important clue, too. Clearly, the with the JL Wrangler, it no longer keeps with its legacy JK's CAN bus IDs (or adopt a FIAT CAN bus solution), and instead clearly shows a Chrysler-based lineage. Makes sense!

 

[jmccorm]

Most hacks that interface with canbus and I assumed (albeit possibly incorrectly) including the Tazer itself aren't filtering traffic, they just continuously race when they want control of something...even though the Tazer's unique location would make it a candidate for filtering. (As a holder of a few CVE's I also understand race conditions quite well.)

I wanted to circle back to you and make note that yesterday I found a variable for the uConnect radio volume. You can control the radio's main volume level by writing to it. There's a bus module (Body control module? The radio itself? Don't yet know.) that broadcasts the radio volume setting every 1/10th of a second. With each broadcast, any previous radio volume inputs via the CAN bus are overwritten.

I haven't witnessed Tazer (with its Lightshow feature and EVIC displayupdates ) or Jscan (with its adaptations) do this type of operation, but I wanted to acknowledge that I created exactly the same kind of race condition that you anticipated based upon your previous work. And you primed me to instantly recognize what was happening. Thank you!

 

[beaups]

I wanted to circle back to you and make note that yesterday I found a variable for the uConnect radio volume. You can control the radio's main volume level by writing to it. There's a bus module (Body control module? The radio itself? Don't yet know.) that broadcasts the radio volume setting every 1/10th of a second. With each broadcast, any previous radio volume inputs via the CAN bus are overwritten.

I haven't witnessed Tazer (with its Lightshow feature and EVIC displayupdates ) or Jscan (with its adaptations) do this type of operation, but I wanted to acknowledge that I created exactly the same kind of race condition that you anticipated based upon your previous work. And you primed me to instantly recognize what was happening. Thank you!

Sounds like you are making a lot of progress. I wouldn't expect that type of behavior from jscan for changing BCM parameters (assume that's what you are referring to) as those are basically "set and store" parameters that nothing else should update except for dealer tools etc.

The race stuff is funny (to me) because basically the race loser (last packet) wins. One nice thing about a 2-channel interface like you have is once you have dialed in what exactly you want to do, you have the option to actually insert yourself between a device and the bus and throw out/filter competing packets/messages as opposed to racing all the time.

Good stuff, will be following your progress.

 

[jmccorm]

You might be surprised, on my wife's car it had code for modules that weren't even available on that model year and even had some more advanced modules that showed up in later year models.

I gave it my best try but I couldn't get any reaction from the EVIC with the 0x2a6 LKAS HUD code (after setting all the correct bits for icon color, lines, alerts, and vehicle model).

Upon further research, I found that your EVIC code was at least consistent with a 2017 Chrysler Pacifica Hybrid. But looking at that vehicle's other CAN other codes, none of them line up with the Wrangler.

Hey! It was a good shot, and I'm glad I tried. In fact, it wasn't even a waste of time. Looking at some of the Pacifica's other known CAN values, I was able to better refine some of my guesses where I knew one variable but not another (like associating "steering rate" where I saw some strange steering variable next to a known "steering angle").

I've also noticed a constantly incrementing counter on the same IDs that have more easily discernable vehicle functions. It is suggesting that Chrysler applied a checksum (error detection) to those CAN IDs which have counters. That's an important clue. Also, the CAN IDs with counters seem to be attached to critical functions like steering, gear selector, acceleration, brakes, LKAS, and Auto Park. That's another important clue.

No silver bullets, but I walked away with a ton of clues to store in my back pocket. And then the race condition beaups and I discussed. Really a lot more helpful than you'd first think!

 

[jmccorm]

UPDATE: Still limited to reading one channel at a time. Either there's a bug with the SPI chip's SELECT line, or the 2-channel CAN HAT has a defective CAN reader. I've ordered a replacement just to rule out a hardware issue.

In the meantime, I'm able to pull and interpret useful vehicle information either in real-time, or logged to a file and analyzed later. Below are two quick samples for you to look at. Only two CAN IDs from the CAN-IHS bus were read and interpreted here: 0x322 for engine RPM, and 0x340 contained everything else!

NOTE: If the RPMs don't strictly match the gear and vehicle speed, remember that this has an automatic transmission, so there's always going to be some play in the drivetrain. When the vehicle is in drive, the gear number (displayed below) is actually the gear that has been selected the automatic transmission. But the shifter is still in Drive.

DRIVING TO A PARKING LOT A COUPLE OF BLOCKS AWAY:

12 Nov 2021 09:12:53 AM   RPM: 0.8k  GEAR: DRIVE 1  MPH: 0
12 Nov 2021 09:12:53 AM   RPM: 1.8k  GEAR: DRIVE 1  MPH: 0
12 Nov 2021 09:12:54 AM   RPM: 1.9k  GEAR: DRIVE 1  MPH: 3
12 Nov 2021 09:12:54 AM   RPM: 2.1k  GEAR: DRIVE 1  MPH: 6
12 Nov 2021 09:12:54 AM   RPM: 2.1k  GEAR: DRIVE 1  MPH: 6
12 Nov 2021 09:12:55 AM   RPM: 2.4k  GEAR: DRIVE 1  MPH: 8
12 Nov 2021 09:12:55 AM   RPM: 2.7k  GEAR: DRIVE 2  MPH: 8
12 Nov 2021 09:12:55 AM   RPM: 2.8k  GEAR: DRIVE 2  MPH: 11
12 Nov 2021 09:12:55 AM   RPM: 2.8k  GEAR: DRIVE 2  MPH: 11
12 Nov 2021 09:12:56 AM   RPM: 2.9k  GEAR: DRIVE 2  MPH: 12
12 Nov 2021 09:12:56 AM   RPM: 2.3k  GEAR: DRIVE 2  MPH: 13
12 Nov 2021 09:12:56 AM   RPM: 2.3k  GEAR: DRIVE 2  MPH: 13
12 Nov 2021 09:12:57 AM   RPM: 2.6k  GEAR: DRIVE 2  MPH: 15
12 Nov 2021 09:12:57 AM   RPM: 2.5k  GEAR: DRIVE 2  MPH: 17
12 Nov 2021 09:12:57 AM   RPM: 2.5k  GEAR: DRIVE 2  MPH: 17
12 Nov 2021 09:12:58 AM   RPM: 2.9k  GEAR: DRIVE 2  MPH: 20
12 Nov 2021 09:12:58 AM   RPM: 3.2k  GEAR: DRIVE 2  MPH: 23
12 Nov 2021 09:12:58 AM   RPM: 3.2k  GEAR: DRIVE 2  MPH: 23
12 Nov 2021 09:12:58 AM   RPM: 3.4k  GEAR: DRIVE 3  MPH: 23
12 Nov 2021 09:12:59 AM   RPM: 3.6k  GEAR: DRIVE 3  MPH: 25
12 Nov 2021 09:12:59 AM   RPM: 3.7k  GEAR: DRIVE 3  MPH: 27
12 Nov 2021 09:12:59 AM   RPM: 3.7k  GEAR: DRIVE 3  MPH: 27
12 Nov 2021 09:13:00 AM   RPM: 2.6k  GEAR: DRIVE 3  MPH: 29
12 Nov 2021 09:13:00 AM   RPM: 2.8k  GEAR: DRIVE 3  MPH: 30
12 Nov 2021 09:13:00 AM   RPM: 2.8k  GEAR: DRIVE 3  MPH: 30
12 Nov 2021 09:13:01 AM   RPM: 2.9k  GEAR: DRIVE 3  MPH: 31
12 Nov 2021 09:13:01 AM   RPM: 3.0k  GEAR: DRIVE 3  MPH: 33
12 Nov 2021 09:13:01 AM   RPM: 3.0k  GEAR: DRIVE 3  MPH: 33
12 Nov 2021 09:13:02 AM   RPM: 3.1k  GEAR: DRIVE 3  MPH: 34
12 Nov 2021 09:13:02 AM   RPM: 3.2k  GEAR: DRIVE 4  MPH: 34
12 Nov 2021 09:13:02 AM   RPM: 3.2k  GEAR: DRIVE 4  MPH: 35
12 Nov 2021 09:13:02 AM   RPM: 3.2k  GEAR: DRIVE 4  MPH: 35
12 Nov 2021 09:13:03 AM   RPM: 2.6k  GEAR: DRIVE 4  MPH: 36
12 Nov 2021 09:13:03 AM   RPM: 2.6k  GEAR: DRIVE 4  MPH: 36
12 Nov 2021 09:13:04 AM   RPM: 2.6k  GEAR: DRIVE 5  MPH: 36
12 Nov 2021 09:13:04 AM   RPM: 2.6k  GEAR: DRIVE 5  MPH: 36
12 Nov 2021 09:13:05 AM   RPM: 2.0k  GEAR: DRIVE 5  MPH: 37
12 Nov 2021 09:13:05 AM   RPM: 2.0k  GEAR: DRIVE 5  MPH: 37
12 Nov 2021 09:13:05 AM   RPM: 2.0k  GEAR: DRIVE 6  MPH: 37
12 Nov 2021 09:13:06 AM   RPM: 2.0k  GEAR: DRIVE 6  MPH: 37
12 Nov 2021 09:13:07 AM   RPM: 1.5k  GEAR: DRIVE 6  MPH: 36
12 Nov 2021 09:13:07 AM   RPM: 1.4k  GEAR: DRIVE 5  MPH: 36
12 Nov 2021 09:13:07 AM   RPM: 1.4k  GEAR: DRIVE 5  MPH: 34
12 Nov 2021 09:13:07 AM   RPM: 1.4k  GEAR: DRIVE 5  MPH: 34
12 Nov 2021 09:13:08 AM   RPM: 1.7k  GEAR: DRIVE 5  MPH: 31
12 Nov 2021 09:13:08 AM   RPM: 1.5k  GEAR: DRIVE 4  MPH: 29
12 Nov 2021 09:13:08 AM   RPM: 1.5k  GEAR: DRIVE 4  MPH: 29
12 Nov 2021 09:13:09 AM   RPM: 1.4k  GEAR: DRIVE 4  MPH: 26
12 Nov 2021 09:13:09 AM   RPM: 1.5k  GEAR: DRIVE 4  MPH: 24
12 Nov 2021 09:13:09 AM   RPM: 1.5k  GEAR: DRIVE 4  MPH: 24
12 Nov 2021 09:13:10 AM   RPM: 1.4k  GEAR: DRIVE 4  MPH: 21
12 Nov 2021 09:13:10 AM   RPM: 1.3k  GEAR: DRIVE 3  MPH: 21
12 Nov 2021 09:13:10 AM   RPM: 1.2k  GEAR: DRIVE 3  MPH: 18
12 Nov 2021 09:13:10 AM   RPM: 1.2k  GEAR: DRIVE 3  MPH: 18
12 Nov 2021 09:13:11 AM   RPM: 1.1k  GEAR: DRIVE 3  MPH: 17
12 Nov 2021 09:13:11 AM   RPM: 1.3k  GEAR: DRIVE 3  MPH: 16
12 Nov 2021 09:13:11 AM   RPM: 1.3k  GEAR: DRIVE 3  MPH: 16
12 Nov 2021 09:13:12 AM   RPM: 1.3k  GEAR: DRIVE 3  MPH: 15
12 Nov 2021 09:13:12 AM   RPM: 1.4k  GEAR: DRIVE 3  MPH: 15
12 Nov 2021 09:13:13 AM   RPM: 1.3k  GEAR: DRIVE 3  MPH: 14
12 Nov 2021 09:13:13 AM   RPM: 1.3k  GEAR: DRIVE 3  MPH: 14
12 Nov 2021 09:13:14 AM   RPM: 1.2k  GEAR: DRIVE 3  MPH: 13
12 Nov 2021 09:13:14 AM   RPM: 1.0k  GEAR: DRIVE 3  MPH: 12
12 Nov 2021 09:13:14 AM   RPM: 1.0k  GEAR: DRIVE 3  MPH: 12
12 Nov 2021 09:13:15 AM   RPM: 0.9k  GEAR: DRIVE 3  MPH: 10
12 Nov 2021 09:13:15 AM   RPM: 0.8k  GEAR: DRIVE 3  MPH: 10

BACKING OUT OF A SPOT AND THEN SLOWLY PULLING FORWARD:

12 Nov 2021 09:12:25 AM   RPM: 0.7k  GEAR: PARK     MPH: 0
12 Nov 2021 09:12:26 AM   RPM: 0.7k  GEAR: PARK     MPH: 0
12 Nov 2021 09:12:27 AM   RPM: 0.7k  GEAR: PARK     MPH: 0
12 Nov 2021 09:12:28 AM   RPM: 0.7k  GEAR: PARK     MPH: 0
12 Nov 2021 09:12:29 AM   RPM: 0.7k  GEAR: PARK     MPH: 0
12 Nov 2021 09:12:30 AM   RPM: 0.7k  GEAR: PARK     MPH: 0
12 Nov 2021 09:12:31 AM   RPM: 0.7k  GEAR: PARK     MPH: 0
12 Nov 2021 09:12:32 AM   RPM: 0.7k  GEAR: REVERSE  MPH: 0
12 Nov 2021 09:12:32 AM   RPM: 0.8k  GEAR: REVERSE  MPH: 0
12 Nov 2021 09:12:33 AM   RPM: 0.7k  GEAR: REVERSE  MPH: 0
12 Nov 2021 09:12:34 AM   RPM: 0.8k  GEAR: REVERSE  MPH: 0
12 Nov 2021 09:12:35 AM   RPM: 1.0k  GEAR: REVERSE  MPH: -1
12 Nov 2021 09:12:35 AM   RPM: 1.0k  GEAR: REVERSE  MPH: -1
12 Nov 2021 09:12:36 AM   RPM: 1.1k  GEAR: REVERSE  MPH: -1
12 Nov 2021 09:12:37 AM   RPM: 1.1k  GEAR: REVERSE  MPH: -2
12 Nov 2021 09:12:37 AM   RPM: 1.0k  GEAR: REVERSE  MPH: -2
12 Nov 2021 09:12:38 AM   RPM: 0.9k  GEAR: REVERSE  MPH: -2
12 Nov 2021 09:12:39 AM   RPM: 1.1k  GEAR: REVERSE  MPH: -2
12 Nov 2021 09:12:40 AM   RPM: 1.0k  GEAR: REVERSE  MPH: -3
12 Nov 2021 09:12:40 AM   RPM: 1.0k  GEAR: REVERSE  MPH: -3
12 Nov 2021 09:12:41 AM   RPM: 1.2k  GEAR: REVERSE  MPH: -3
12 Nov 2021 09:12:42 AM   RPM: 1.0k  GEAR: REVERSE  MPH: -4
12 Nov 2021 09:12:42 AM   RPM: 1.0k  GEAR: REVERSE  MPH: -4
12 Nov 2021 09:12:43 AM   RPM: 0.9k  GEAR: REVERSE  MPH: -3
12 Nov 2021 09:12:43 AM   RPM: 0.9k  GEAR: REVERSE  MPH: -3
12 Nov 2021 09:12:44 AM   RPM: 1.1k  GEAR: REVERSE  MPH: -3
12 Nov 2021 09:12:45 AM   RPM: 0.8k  GEAR: REVERSE  MPH: -3
12 Nov 2021 09:12:46 AM   RPM: 0.7k  GEAR: REVERSE  MPH: -2
12 Nov 2021 09:12:46 AM   RPM: 0.7k  GEAR: REVERSE  MPH: -2
12 Nov 2021 09:12:46 AM   RPM: 0.7k  GEAR: REVERSE  MPH: -2
12 Nov 2021 09:12:47 AM   RPM: 0.8k  GEAR: REVERSE  MPH: -1
12 Nov 2021 09:12:47 AM   RPM: 0.7k  GEAR: REVERSE  MPH: 0
12 Nov 2021 09:12:47 AM   RPM: 0.7k  GEAR: DRIVE 1  MPH: 0
12 Nov 2021 09:12:48 AM   RPM: 0.8k  GEAR: DRIVE 1  MPH: 2
12 Nov 2021 09:12:48 AM   RPM: 1.0k  GEAR: DRIVE 1  MPH: 3
12 Nov 2021 09:12:48 AM   RPM: 1.0k  GEAR: DRIVE 1  MPH: 3
12 Nov 2021 09:12:49 AM   RPM: 0.9k  GEAR: DRIVE 1  MPH: 4
12 Nov 2021 09:12:49 AM   RPM: 0.9k  GEAR: DRIVE 1  MPH: 4

Things are going well!

 

[nsfw_andy]

This can also be big news for Diesel owners wanting to be able to manually initiate a regen as it can be as simple as sending a single canbus command, given we can figure out what that is.

 

[jmccorm]

This can also be big news for Diesel owners wanting to be able to manually initiate a regen as it can be as simple as sending a single canbus command, given we can figure out what that is.

Me personally, there are two things that I've been reluctant to do:

First is fuzzing, which basically means to send random data to random locations on the CAN bus, keeping an eye out for what happens, and hoping you discover something awesome! And you know what? It sometimes works. In fact, sometimes it works really well. Other times? It fires off your airbags as it permanently disables your vehicle's ECU. That's a little too high risk / high reward for my blood.

The other thing I'm reluctant to try are CAN codes on the engine, particularly any commands that are designed to overcome performance issues or other intentional design limitations. Why? There are so many other cool things for me to work on, why choose the one that will piss of a group of people that I'd rather be on friendly terms with? (Jeep employees.) There's also that avoidance of high risk / high reward situations.

I'd rather not step on the toes of a company that I'd find it so much easier to be friendly with. Mind you, none of this represents some big moral objection to ECU overrides, so if others want to use information or tools I've created to do that kind of thing, I can hardly raise an objection. I'd rather focus on other things.

Now, all that said...

Up until now, I really had no idea what made consumer diesel engine so different, so I did some quick reading and I see what you're talking about. They've got a particulate filter in their exhaust, and when it starts to clog, it creates back pressure on the exhaust system which makes your engine run crappy like someone put a potato in your exhaust pipe. Got it! That's totally why you'd like to command a purge. Like, say, when you're trying to show your vehicle off to someone who's going to buy it.

I realize that it was a bit of a simplifcation to call it a purge. It isn't so much that as it is an attempt to cook off all the soot and ash that's trapped in the filter. It takes some pretty high exhaust temperatures to do that. So I'm reading that there are thee mainstream ways of doing this. One way is for the ECU to adjust the engine parameters to cook off the waste material as the owner continues to drive the vehicle normally.

The second way is for a vehicle to have a dedicated sprayer that's designed to send small amounts of fuel directly into the exhaust where they raise the temperature dramatically in order to burn away the diesel waste products that are trapped in the exhaust filter. From my own personal experience with gasoline on a mid-engine Fiat sports car with engine, I know this method works quite well.

One of my spark plug wires unknowingly came loose and I didn't realize that I was driving on three cylinders. So 25% of my fuel (all the fuel going to that one cylinder) was going straight into the exhaust... where it ignited. the metallic shell of the catalytic converter had an amazing yellow/orange glow like you'd never seen before, and I was sure it was going t o take the gas tank out with it, but everything turned out fine. My biggest surprise happened the next day when I discovered that no long-term damage had been done as a result of that unintended purge.​

There was a third regeneration method that wasn't described in any great detail, and was said to be new. It involved initiating the process on a parked vehicle where the ECU would raise the RPMs and do a few more steps necessary to base the car's exhaust and renew that filter. Maybe it is able to inject the cylinder at just the wrong time to get some of that unburnt fuel flowing into the exhaust. I don't know. But it clearly sounded like a user-initiated process. That's also telling me that this might be a prime candidate for a feature that the aftermarket engine tuners would be capable of pulling off.

So based on your initial description, I'd say that Jeep is using the first option, and based on your question, I'd say that they don't make allowances for owners to schedule a good time for themselves. People say that Jeep has a reputation for listening to it's customers, so you should really try to get consensus from like-minded individuals and ask Jeep to be the one to offer you a better solution. That'd be the gold star standard here.

Other than that, yes, next best thing would be if someone could find a sympathetic Jeep employee with a diesel engine who wouldn't mind sharing that code with a few good friends. After that, one might have to go to one of the tuner guys to see if they can isolate the command for you. We already talked about fuzzing, which is dangerous, and so that leaves one more method.

You should also recording it. Right now we're capable of recording the CAN bus (although, at least for myself, only now am I gaining experience on the interpretation side of things). If we can record the two CAN busses while the regeneration process happens, it may reveal useful information about the process that we'd be able to take advantage of and reproduce.

I'm also let wondering how the Wrangler/Gladiator knows when it is time to renew those filters. I didn't see a pressure monitor for the exhaust so I'm wondering if it reads something from one or more of the other engine sensors to make t hat determination? Actually, that might just be it.

I took the time to thumb through the wiring and the systems diagram for the diesel engine. I noticed that you've got a particulate sensor in your exhaust. With that alone, the Wrangler could probably guestimate when the filter is going to need purged.

Unfortunately, that module isn't directly on the CAN bus, but is on a private bus with other exhaust systems. I wouldn't think you could use it to trigger a filter regeneration at any time, but if you managed to convince it that your exhaust is far more dirty than it actually is, it would tighten its schedule for the filter regenerations and they'd happen more often, which may be a decent consolation prize.

Wow. You've got a worthy problem. I wish Jeep was willing to fix that one on it's own, you know?

 

[jmccorm]

ANNOUNCEMENT:

From here forward, the first message in this thread (link) will contain a link to an Excel spreadsheet called: CAN IDs 2018+ JL Wrangler.xlsx

That spreadsheet contains the IDs, bus, names, and formats of all known CAN-C and CAN-IHS messages on the 2018+ JL Wrangler (and by extension, the JT Gladiator). Updates will be made available on an ad-hoc basis.

Enjoy the bounty! And please... when YOU make a discovery, think about paying back the help and sharing it with us! These references only exist when we stop hording information and start sharing with one another.

 

[jmccorm]

That spreadsheet contains the IDs, bus, names, and formats of all known CAN-C and CAN-IHS messages on the 2018+ JL Wrangler (and by extension, the JT Gladiator). Updates will be made available on an ad-hoc basis.

I've made some more discoveries today, include the vehicle's odometer (in 1/10ths of a kilometer), compass readings (both magnetic and true north), cabin/vent temperature, etc.

I just got through finding the coolest one, which appears to be live (1/10th of a second) rotational plus two-axis data on the front and rear axles (6 channels). They're encoded on the CAN-IHS bus under CAN IDs 24E and 252. If you'd like to take a look at my quick trip across the street to the ATM and back, I've posted that data sample over on pastebin. [EDIT: Hard to read. Instead, use the picture below.]

I have to say that this raw bitmap data can be beautiful at times. Somehow Pastebin manages to butcher it, so I've pasted a snapshot below. From left to right, what I believe we have are rotational encodings for the front and back axle (it stops changing when I was sitting at the ATM), to the right seems to be a pair of Y axis movements, and then finally a pair of X axis movements for both axles.

I don't know if this is anyone's area of expertise, so if you have any speculation, comments, or advice, please! They're all welcome. Enjoy!

UPDATE: It's hard to figure out this bitmap. There are clearly two WORDs in the center. The left and the right track are either two BYTEs or a WORD each. Data from a well-defined test runs would help sort this out.

 

[jmccorm]

LATEST UPDATE --

Half-working CAN adapter:
The $24 two-channel CAN adapter (HAT) for the Raspberry Pi continues to have a problem where CAN0 works great, but CAN1 never works at all. The vendor for the product (Waveshare) appears to be a Chinese firm with a support team that's allergic to speaking English. I'm currently running Raspbian 10 (Buster) on a Raspberry Pi 4B, so I may yet try to change OS level or hardware.

Automated test dumps (black box recorder):
Not having access to both busses at the same time slows down the reverse-engineering process, but I made up for some of it with a little code. For the CAN-IHS bus, it detects when the Wrangler's ignition switch turns to Accessory or Run (or remote-start is used). For the CAN-C bus it looks for a specially crafted wake-up message I found. When either case happens, it automatically logs all the bus traffic that happens on a normal drive, and closes the file when the trip is over. This automatically generates fresh sets of test data for me to comb through.

Data protection:
The CAN protocol offers little protection against data corruption, but certain message IDs incorporate additional protections of their own. Your most basic pieces of information (steering wheel angle, accelerator position, brake position) are protected with CRC (mathematical addition) to make sure nothing is corrupted. Protected messages will often contain another element, like a constantly incrementing counter. The counter is used to make sure that nothing is "stuck" or that another device doesn't try to make a duplicate claim for the same ID. Once you see these techniques, they become easy to spot again and again

Other times, the integrity of one variable might be cross referenced against another. For example, the system obtains the position of the steering wheel at the same time it obtains the amount of torque being placed on the wheel by the driver.

Opportunities arise from small details:
Small details like the one just discussed have the opportunity to be turned into new features. A distracted driver feature could be crafted by looking for small amounts of steering wheel torque over a period of time. If minimal levels are not detected and the road is not completely flat and straight (as we can detect with other sensors), then an audible warning can be sounded to gain the driver's attention.

Mind you, I don't see anyone beating down the door to get their hands on something like that. But it was just an example on how the tiniest pieces of technology built into our Wranglers can serve additional functions.

Cheers,
jmccorm

Sponsored