Tomi Liljemark

Mitäköhän tämäkin on syönyt?

• Homepage
• Projects
• About me

• Saab I-Bus
• Saab P-Bus
• Saab Trionic 7
• SaabOpenTech
• BSR PPC

Reverse-Engineering the Saab 9-3 Powertrain Bus (P-BUS)

Preface

This document describes reverse-engineering the Powertrain Bus (P-Bus) on my Saab 9-3 (MY2001) car. P-Bus is an internal bus that connects together the Engine Control Unit (Trionic 7), ABS / Traction Control (if installed) and Main Instrument panel. The bus is based on the Controller Area Network (CAN) standard.

Table of Contents

Reverse-engineering the bus

After watching the communication with an oscilloscope I figured out that the CAN bus speed is 500 kbit/s (bit time is 2 µs). Figure 1 shows a screen grab from the oscilloscope while connected to the P+ and P- signals. You can clearly see that the signal is differential.

Figure 1. P+ and P- signals viewed with an oscilloscope

All the messages on the bus have eight (8) data bytes even if it wouldn't be necessary. I'm guessing this simplifies response time calculations and the software that receives and decodes the messages.

I monitored the bus with Peak Systems PCAN-View software. You can see in Figure 2 the messages sent to the bus by the Trionic by itself (not connected to anything).

Figure 2. PCAN-View showing messages sent by the Trionic ECU

Discovered message information

1A0h - Engine information

Message is sent with an interval of 10 milliseconds. The ENGSTOPPED bit in the STATUS byte indicates if the engine is running or stopped. Engine RPM is shown as a 16-bit value (RPM1 and RPM0). MAP shows the Manifold Absolute Pressure in kilopascals. THROTTLE byte is the throttle pedal position, with a value range of 0...100 percent (0...64hex). MAF is the reading from Mass Air Flow sensor.

2F0h - Vehicle speed

Message is sent with an interval of 20 milliseconds. Vehicle speed is indicated by the 16-bit value (bytes SPEED1 and SPEED0). You will need to divide the value by 10 to get the right scaling, kilometers per hour. The byte 3 seems to be 80h all the time.

280h - Pedals, reverse gear

Message is sent with an interval of 1 second and if a value changes. The most significant bit of the first byte (byte 0) is set if information has changed from the last message. The GEAR byte is 02h if the reverse gear selected, otherwise the byte is FFh. When the brake pedal is pressed lightly only bit 1 of the PEDAL byte will be set. Normal braking will set bits 1, 3 and 4. The BRAKE/CLUTCH bit will also be set if the clutch is pressed. The ACTIVE bit in the CRUISE byte is set when cruise control has been activated. The ?? byte indicates that the engine is running or something like that (needs closer inspection). Example message: Information has changed from the last message, reverse gear is not selected, brake pedal has been pressed and the engine is running (?).

338h - Trionic to SID text

A group of three messages are sent with an interval of 1 second and if a value changes. Messages are sent with about 10 milliseconds apart. The CHANGED bit in the ROW byte will be set if information changes. The two bits ORD0 and ORD1 in the ORDER byte are for sequence numbering. A new message group starts with the NEW bit set and both ORD0 and ORD1 bits. On the second message the NEW and ORD1 bits are cleared and the third message has also the ORD0 bit cleared. So the ORDER byte will be 42, 01 and 00 for the three sequential messages. The ROW byte tells to which row of the SID the text will be displayed on. The byte can have a value of 2 or 1, but in these audio text messages the row number is always 2. The TEXT4...TEXT0 bytes are plain ASCII coded characters that will be displayed on the SID.

Note that the last message will contain only one normal character in the TEXT4 byte. The TEXT3 byte should contain a integer value that will be shown as a small number to indicate the selected radio station number. The last TEXT2...TEXT0 bytes are always zeros.

Example message group: The text "U1 KISS FM " will be displayed on the SID display and the radio station number is 1.

358h - Trionic to SID text control

Message is sent with an interval of 1 second. The normal value of byte STATUS is FFh. When a 338h Trionic to SID text message group is sent, the STATUS byte is changed to 04h and immediately after that to 05h for the duration of the messages. After the 338h messages, the status byte returns to FFh. Byte UNKNOWN1 is 00h when STATUS is FFh and 01h when STATUS is 05h. UNKNOWN2 byte also changes from 08h (STATUS is FFh) to 12h (STATUS is 05h). Example message: First line: requesting SID to display text provided with message 338h. Second line: SID should not display Trionic text.

370h - Mileage

Message is sent with an interval of 100 milliseconds. The 24-bit value (comprised of MIL2, MIL1 and MIL0) shows the length that has been travelled since the engine was started. You will need to divide the value by 100 to get right scaling (the value's unit is meters). The value 000069h seems to tell that you haven't moved yet. Example message: You have travelled 1 846,56 meters.

3A0h - Vehicle speed (MIU?)

Message is sent with an interval of 55 milliseconds. Vehicle speed is indicated by the 16-bit value SPEED (bytes SPEED1 and SPEED0). You must divide the 16-bit value by 10 to get the value in kilometers per hour.

3B0h - Head lights

Message is sent with an interval of 1 second and if a value changes. The most significant bit of the first byte (byte 0) is set if information has changed from the last message. LIGHT byte indicates the park and daylight head-lights with the PARK and DAY bits. When ignition signal is off, the OFF bit is set in the LIGHT byte. The ?? byte is 20h when ignition signal is off and B8h when the signal is on. Example message: Information has not changed from the last message and the head-lights are in park mode.

3E0h - Automatic Gearbox

Message is sent with an interval of 1 second and if a value changes. The most significant bit of the first byte (byte 0) is set if information has changed from the last message. The GEAR byte indicates in what state the gearbox is. Value 05h means Forward, value 03h Neutral and value 02h Reverse. The GEAR SHIFT byte tells in what position the gear shift is. Value 01h means Park, value 02h Reverse, value 03h Neutral, value 04h Drive, value 08h "limit to 4", value 07h "limit to 3" and value 06h "low speed gear".

Example message: Example text...

530h - ACC

Message is sent with an interval of 1 second. The ACCON bit in the ACC byte tells if the ACC (Automatic Climate Control) is turned on. When the bit is set, the ACC is on and when the bit is cleared the ACC has been turned off. The ACREQ bit indicates A/C request from DICE (not sure, a guess at the moment...). ACPRESS byte shows the A/C Pressure (unit is bar). Example message: Text here.

5C0h - Coolant temperature, air pressure

Message is sent with an interval of 1 second. Temperature is reported with a 8-bit byte. In order to get the correct coolant temperature, the value must be subtracted with 40. This is done to encode negative temperatures. So a value of 58 (3Ah) is in fact +18 degrees Celsius and on the other hand a value of 29 (1Dh) would give an temperature of -11 degrees Celsius. The 16-bit value combined from PRES1 and PRES0 gives the Ambient air pressure in hehtopascals [hPA]. Example message: Coolant temperature is 66 degrees Celsius and air pressure is 1017 hPa.

631h - ??

Message is sent with an interval of 1 second.

6B1h - ??

Message is sent with an interval of 1 second.

6B2h - ??

Message is sent with an interval of 1 second.

740h 750h - Security

Messages are sent when the car key is turned to ignition on. This leads me to believe that these two messages are somehow connected to the anti-theft system. The CODE bytes seem to have random numbers in them that change after a successful "handshake".

The 750h message is sent first and after about 20 ms the 740h message is sent. The "reply" can contain zeroed CODE bytes and the STATUS byte as FFh. In that case after about 190 ms the same 750h message is repeated. The second 740h "reply" seems to be always ok, since it has something in the CODE bytes and the STATUS byte is 55h.

Example messages: In this example the first column indicates the message ID. These are real-world examples of the messages. If someone figures out how these messages work, it could mean that the anti-theft mechanism could be bypassed.

Comments, questions?

Contact information

If you have comments, questions, new decoded I-Bus/P-Bus messages or would like to share information about your own Saab I-Bus project, you're free to email me at firstname.surname@gmail.com. Note that you have to fix the email address, the one in the link is invalid (firstname = tomi and surname = liljemark). It may take me sometime to answer, but I'll try to answer everyone.

Frequently Asked Questions

References

1. Wikipedia, the free encyclopedia: Controller Area Network (HTML document)
2. Nilsson, Staffan: Controller Area Network - CAN Information (HTML document)
3. Can in Automation CiA: CAN physical layer (HTML document)
4. Kvaser AB: The CAN Protocol (HTML document)
5. Kvaser AB: CAN Physical Layers (HTML document)
6. Lawicel: CAN232 Manual (PDF document)

© Tomi Liljemark 2007. All copying, printing, distribution and changing of this document is permitted.