
reverse engineering formulas from xsmonitor_frame

Open aIecxs opened this issue 2 years ago • 5 comments

If a signal has a UNIT, sometimes there is also a calculation required, for example for temperatures. Would love to see the calculation formula in parse_dat_v4.py

Created some formulas based on guesswork (which work). Identified 15 unknown padding bytes in the frame; unfortunately I don't know how to reverse engineer formulas from that.

The (working) formulas are: https://github.com/angelovAlex/can-bus-w211/issues/3#issuecomment-895824445

The full frame example is:

05 80 02 00 08 53 41 4d  5f 56 5f 41 32 00 17 00  |.....SAM_V_A2...|
00 00 00 00 04 00 07 80  00 01 00 0a 54 5f 41 55  |............T_AU|
53 53 45 4e 5f 42 00 08  02 01 00 00 00 00 00 00  |SSEN_B..........|
00 3f 00 00 20 c2 02 b0  43 13 41 75 df 65 6e 6c  |.?.. ...C.Au.enl|
75 66 74 74 65 6d 70 65  72 61 74 75 72 07 80 00  |ufttemperatur...|
02 00 08 50 5f 4b 41 45  4c 54 45 08 10 02 01 00  |...P_KAELTE.....|
00 00 00 cd cc cc 3d 00  00 00 00 03 62 61 72 17  |......=.....bar.|
44 72 75 63 6b 20 4b e4  6c 74 65 6d 69 74 74 65  |Druck K.ltemitte|
6c 20 52 31 33 34 61 07  80 00 03 00 08 54 5f 4b  |l R134a......T_K|
41 45 4c 54 45 18 10 02  01 00 00 00 00 cd cc cc  |AELTE...........|
3d 00 00 20 c1 02 b0 43  1c 54 65 6d 70 65 72 61  |=.. ...C.Tempera|
74 75 72 20 4b e4 6c 74  65 6d 69 74 74 65 6c 20  |tur K.ltemittel |
52 31 33 34 61 07 80 00  04 00 06 49 5f 4b 4f 4d  |R134a......I_KOM|
50 28 08 02 01 00 00 00  00 00 00 20 41 00 00 00  |P(......... A...|
00 02 6d 41 21 53 74 72  6f 6d 20 4b 6f 6d 70 72  |..mA!Strom Kompr|
65 73 73 6f 72 2d 48 61  75 70 74 72 65 67 65 6c  |essor-Hauptregel|
76 65 6e 74 69 6c                                 |ventil|

aIecxs avatar Aug 13 '21 13:08 aIecxs

The UNIT calculation can be hard to work out, and is not present in the XSMonitor files. For instance, T_OEL in gearbox (722.6) can be calculated as

T_OEL - 50

Whereas the same signal but from the engine is

T_OEL - 40

So in general, I guess the formula and just see what makes most sense based on actual values in DAS.

rnd-ash avatar Aug 13 '21 14:08 rnd-ash

Hm.. I can find the same bytes on other signals where the same formula applies. Maybe we can create some formula database, at least?

aIecxs avatar Aug 13 '21 14:08 aIecxs

Have partially found the formula. There are two bytes 02 01 followed by 3x binary32

53 53 45 4e 5f 42 00 08  02 01 00+00+00+00 00+00+ |SSEN_B..........|
00+3f 00+00+20+c2 02 b0  43 13 41 75 df 65 6e 6c  |.?.. ...C.Au.enl|

Still don't know what the first one is, but the others are multiplier + addend

00+00+00+00
00+00+00+3f                       # multiplier (0.5) Float Little Endian (DCBA)
00+00+20+c2                       # addend     (-40) Float Little Endian (DCBA)
# msg header
05 80                             # Identifier for next can frame
02 00
08                                # str len
SAM_V_A2                          # string (ECU NAME)
00 17                             # id
00 00 00 00 00
04                                # msg count (4)
00

# msg position
07 80                             # Identifier for next msg pos frame
00 01 00                          # pos number (1/4)
0A                                # str len
T_AUSSEN_B                        # string (MSG NAME)
00                                # offset
08                                # length
02 01
00 00 00 00
00 00 00 3F                       # multiplier (0.5) Float Little Endian (DCBA)
00 00 20 C2                       # addend     (-40) Float Little Endian (DCBA)
02                                # str len
°C                                # string (unit)
13                                # str len
Außenlufttemperatur               # string (description)

aIecxs avatar Aug 15 '21 08:08 aIecxs
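The record layout annotated in the comment above, applied to the full frame from the opening post, as an added example that is not part of the thread or of the project's parse_dat scripts. The function and key names are hypothetical, strings are assumed to be Latin-1, and the scaling `raw * multiplier + addend` is an assumption based on the multiplier/addend reading given in the comment.

```python
import struct

# Frame bytes copied from the hex dump posted in this issue (two dump rows per line).
FRAME = bytes.fromhex("""
05 80 02 00 08 53 41 4d 5f 56 5f 41 32 00 17 00 00 00 00 00 04 00 07 80 00 01 00 0a 54 5f 41 55
53 53 45 4e 5f 42 00 08 02 01 00 00 00 00 00 00 00 3f 00 00 20 c2 02 b0 43 13 41 75 df 65 6e 6c
75 66 74 74 65 6d 70 65 72 61 74 75 72 07 80 00 02 00 08 50 5f 4b 41 45 4c 54 45 08 10 02 01 00
00 00 00 cd cc cc 3d 00 00 00 00 03 62 61 72 17 44 72 75 63 6b 20 4b e4 6c 74 65 6d 69 74 74 65
6c 20 52 31 33 34 61 07 80 00 03 00 08 54 5f 4b 41 45 4c 54 45 18 10 02 01 00 00 00 00 cd cc cc
3d 00 00 20 c1 02 b0 43 1c 54 65 6d 70 65 72 61 74 75 72 20 4b e4 6c 74 65 6d 69 74 74 65 6c 20
52 31 33 34 61 07 80 00 04 00 06 49 5f 4b 4f 4d 50 28 08 02 01 00 00 00 00 00 00 20 41 00 00 00
00 02 6d 41 21 53 74 72 6f 6d 20 4b 6f 6d 70 72 65 73 73 6f 72 2d 48 61 75 70 74 72 65 67 65 6c
76 65 6e 74 69 6c
""")

def _pstr(buf, pos):
    """Read a length-prefixed Latin-1 string; return (text, next position)."""
    if pos >= len(buf) or pos + 1 + buf[pos] > len(buf):
        raise ValueError(f"string at offset {pos} runs past end of frame")
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n].decode("latin-1"), pos + 1 + n

def parse_frame(buf):
    """Parse the 05 80 header and its 07 80 signal records."""
    if buf[0:2] != b"\x05\x80":
        raise ValueError("missing 05 80 frame marker")
    ecu, pos = _pstr(buf, 4)          # skip marker and the 02 00 bytes
    count = buf[pos + 7]              # after the 2-byte id and 5 unexplained bytes
    pos += 9
    signals = []
    for _ in range(count):
        if buf[pos:pos + 2] != b"\x07\x80":
            raise ValueError(f"missing 07 80 record marker at offset {pos}")
        name, pos = _pstr(buf, pos + 5)   # skip marker and 3-byte position field
        offset, length = buf[pos], buf[pos + 1]
        # 02 01, then three little-endian float32: unknown, multiplier, addend
        _unknown, mul, add = struct.unpack_from("<3f", buf, pos + 4)
        unit, pos = _pstr(buf, pos + 16)
        desc, pos = _pstr(buf, pos)
        signals.append(dict(name=name, offset=offset, length=length,
                            mul=mul, add=add, unit=unit, desc=desc))
    return ecu, signals

def physical(sig, raw):
    """Assumed scaling: raw * multiplier + addend."""
    return raw * sig["mul"] + sig["add"]
```
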

This is super cool! I never glanced at those bytes before! Thank you so much! I will get to work on a v4 parser with this knowledge.

Now assuming you have XSMonitor, there is a CSV file in there which contains a huge CAN matrix showing which ECUs send which CAN frames, and which ECUs read those CAN frames, as well as transmit intervals. This has been a huge pain for me as I can't seem to find any reference to this kind of information in the .dat files.

Any ideas? 😁

rnd-ash avatar Aug 15 '21 08:08 rnd-ash

No clue, I am a complete beginner, started learning about CAN two months ago, and don't have any of those tools. Let's see what bytes are left

edit: today I started learning Python but it is really hard for me (used to write shell scripts)

I have modified your parse_dat_v3.py to create C structs but it doesn't work with enum. I fill the structs with memcpy() so these structs are packed bitfields. I guess I have to add enum as comments-only information.

What I don't know is how to print formulas (comments-only too?). If you don't mind, send me a commit on GitLab; you are the author of that script and the only one who can fix it

aIecxs avatar Aug 15 '21 09:08 aIecxs