Project Idea: Lock/Unlock doors over CAN

This is a basic capability that I’d like to build on if I can get it working but I’d like to be able to lock/unlock the doors using CAN messages sent by the M2. I’d be working with a 2006 Mercury Milan. I think it’s possible since the doors lock automatically when the car reaches a certain speed. (I think it’s once the car goes faster than 20 mph). I think something is listening for a certain message on the CAN bus and locks the doors once it’s seen. The trick is finding the CAN message that triggers this.

Is anyone working on something similar?

My aunt has an ’02 Honda Odyssey that does not unlock nor lock the car doors at all unless pressed by a switch or remote.

This will be a nice thing to add to her car.

Think it would be easier to take the signal from the inner switch or the door switch than the speed signal.

First you need to look at the door lock schematics and see exactly how the door locks are wired, and which module drives them. Once you know which module drives the lock actuators themselves, you’ll be able to more effectively narrow down which CAN message needs to be sent in order to lock/unlock all doors.

Remember…there are many different conditions that can command a door lock/unlock (via the remote, scan tool, etc.)…so there are probably multiple ways of doing this…don’t limit yourself to just exploring one single avenue (i.e. vehicle speed).

Lots of logging, lots of trial and error…it just takes time and effort. It’s pretty much impossible to break something just via sending a “wrong” CAN message, so don’t be afraid of experimenting. Probably best to start with the car OFF (yes, there is still CAN traffic happening with the car off) until you get the hang of it. I definitely wouldn’t recommend messing with things while driving unless you have a large amount of experience.

Starting with the car off is usually easier too because with the car off, not as many CAN messages are being broadcast. For your door lock experiments, that would be easiest.

Ben

@bauwow - I have a 2007 Mercury Mariner (Ford Escape) and would be interested in working with you on this.

To start it’s a hunt for CAN messages. I’ll report back here if I find any related to door lock/unlock. I’m still working on getting up and running in SavvyCAN so it could be a few days.

Post anything you find here and I’ll do the same.

What about: Log all messages with the car off, key not in ignition. Add a field to the data, “run1” and pump it to a database. Repeat, but this time click the unlock remote button twice and change the extra field to “run2”. Use the database to subtract all messages that are in both runs. Seems like the remaining data would contain the unlock drivers door message and the unlock all message?
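The run1/run2 subtraction proposed above, as an added example that is not part of the original posts. The three-column log layout, the CAN IDs and the payloads are constructed for illustration; the function also flags IDs whose payload already changes in the baseline, since those survive a plain subtraction.

```python
import csv
import io
import sqlite3

# Constructed sample captures (not real vehicle traffic): time, CAN ID, payload hex.
RUN1 = """\
0.000,0x1F0,00
0.010,0x3A0,0011223344556677
0.020,0x4C1,01000000
0.520,0x4C1,02000000
"""  # car off, nothing pressed
RUN2 = """\
0.010,0x3A0,0011223344556677
0.020,0x4C1,03000000
0.300,0x2F5,0200
0.310,0x3A0,0011223344556601
0.900,0x2F5,0200
"""  # car off, unlock pressed twice

def load(db, run, text):
    """Insert one capture into the frames table, tagged with its run label."""
    rows = [(run, float(t), int(i, 16), d.upper())
            for t, i, d in csv.reader(io.StringIO(text))]
    db.executemany("INSERT INTO frames VALUES (?,?,?,?)", rows)

def candidates(baseline, action):
    """Return (ID, payload) pairs seen only in the action run, quiet IDs first."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE frames (run TEXT, ts REAL, can_id INTEGER, data TEXT)")
    load(db, "run1", baseline)
    load(db, "run2", action)
    # The subtraction step: pairs present in run2 but never in run1.
    new_pairs = db.execute(
        "SELECT can_id, data FROM frames WHERE run='run2' EXCEPT "
        "SELECT can_id, data FROM frames WHERE run='run1'").fetchall()
    # IDs whose payload already varies in run1 (counters) always survive; flag them.
    noisy = {r[0] for r in db.execute(
        "SELECT can_id FROM frames WHERE run='run1' "
        "GROUP BY can_id HAVING COUNT(DISTINCT data) > 1")}
    out = []
    for can_id, data in new_pairs:
        n = db.execute("SELECT COUNT(*) FROM frames WHERE run='run2' "
                       "AND can_id=? AND data=?", (can_id, data)).fetchone()[0]
        out.append({"id": can_id, "data": data, "count": n, "noisy": can_id in noisy})
    return sorted(out, key=lambda r: (r["noisy"], r["id"], r["data"]))

if __name__ == "__main__":
    for r in candidates(RUN1, RUN2):
        print(f"{r['id']:#05x} {r['data']:<16} x{r['count']} noisy={r['noisy']}")
```

A pair whose count equals the number of button presses and whose ID is not flagged noisy is the one to look at first.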

You may find that you have to connect to an internal data bus that is not accessible from the diagnostic port. So if you try this method and don’t see any data you may have to tie into the data bus elsewhere.

I haven’t tried much but any time I have tried to scan my high speed bus nothing is there when the car is off. Hopefully with M2 device hooked to SWCAN I will know for sure if that is the case there too since it is my understanding that most of the “convenience” features on my vehicle are done on that bus.

When doing projects like this getting schematic diagrams and wiring diagrams can help dramatically when trying to sort out what data bus is connected to what. I only have simple experience with my GM vehicles but I understand others may use separate types of data buses such as LIN to communicate low speed “Convenience” features. Best route to start is to research how your vehicle communicates between modules and go from there.

My little experience at least with GM vehicles has been that the BCM acts as a bridge between data buses in some cases so you can still see the activity on more than one data bus but won’t know for sure on YOUR vehicle until you start testing.

My point is be aware that you MIGHT have easy access to the data or you MIGHT have to go looking for it. Obviously it is there because hitting the unlock button in the car or on your keyfob works with the key off and these days nothing happens unless it happens over a data bus.

On GM cars/trucks, the high speed bus goes to sleep and fully shuts down ~10 seconds after the key is turned OFF.

The SWCAN bus stays awake for at least 5 minutes or more after the last door is closed and vehicle locked. If retained accessory power is active, expect the SWCAN bus to be awake (albeit not that much traffic) for 10-15 minutes before fully sleeping.

The high speed bus can NOT be woken up via bus activity. All of the modules on the high speed bus are only woken up (and put to deep sleep) via a discrete “serial data enable” +12v power circuit from the BCM.

SWCAN modules obviously all support HVWU (high voltage wakeup, via a +12v pulse and then a wake up message broadcast on ID $100). Usually it’s the RCDLR (remote control door lock receiver) that wakes the truck up (via HVWU on SWCAN) because you hit unlock on the remote keyless entry. But if the truck is already unlocked, but in deep-sleep, the DDM, PDM (drivers door module and passenger door module), and BCM can also force HVWU if a door is opened while the truck is asleep.

Some low priority SWCAN messages are event-triggered, but most messages are broadcast on set periodic intervals.

PMM (power mode master, i.e. ignition switch status) messages are broadcast by the BCM on 5 second intervals, but they are also event-trigger based (if an immediate PMM change is detected, like turning the key off).

The BCM is the gateway between high speed CAN and SWCAN. Any messages that have to get between the two busses get passed/translated via the BCM.

The BCM, VCIM (onstar module) are the only modules that are on both highspeed CAN and SWCAN. On the newest Global-A vehicles, the HMI (human machine interface) module is on both SWCAN and high speed CAN as well…

But yeah, the BCM is the gateway.

Pre-Global-A CAN-based GM vehicles (like mid 2000’s-ish to early 2010’s-ish) only used LIN in two places…for the BCM to communicate with the compass module…and on vehicles with front auto/one-touch-up windows, the PDM and DDM communicated with the window motors themselves via LIN. But otherwise, everything else interior is SWCAN.

Global-A saw much more widespread use of LIN, for HVAC controls/radio head units, all windows, etc.

I don’t know much about other makes/models of cars/trucks, but I’m happy to answer most GM questions… :)

Ben

My 2009 CTS appears to only have high speed CANBUS and low speed SWCAN based off the factory manuals. I am surprised to hear that they also used LIN at all since it sounds like LIN and SWCAN do basically the same thing.
I suspected the different buses acted in a manner you spelled out but had no way to actually test it out.

Your 09 CTS is the first-gen GMLAN architecture…(pre-global-A)

so there is LIN…just between the DDM/PDM, and their respective window motors.

And the compass module to BCM comms is LIN.

You’d have to splice into the wiring harness in the door to watch LIN traffic. It’s pointless though, because you can command the windows via GMLAN anyways. The reason the window motors themselves talk to the PDM and DDM via LIN is because there is auto-up functionality, and the window motors are “smart”…with current sensing, pinch protection, etc.

Is LIN a simpler protocol than CANBUS? It is weird otherwise that they would do that unless it was something the 3rd party manufacturer used because they used it in other makes as well to save developmental time and money.

Learn something new every day.

So is there no way to roll windows up/down on GM cars through the low/mid/high speed GMLAN?

You should be able to do anything they can do from the GM app for your vehicle. If you have a 2011 or newer I believe you can roll windows up and down via their app. Basically from what has been said you SHOULD be able to unlock/lock the doors and be able to start the vehicle from the low speed (SWCAN). You MAY be able to roll windows up and down but will depend on if your vehicle supports it but would be from low speed (SWCAN)

My '03 GM truck was apparently the first vehicle that was totally connected. The Drivers side Door Module controls the windows, locks, and mirrors from what I understand. The Passenger side Door Module as I understand is a slave to the Drivers side door module for the Windows Locks and Mirrors but also includes the radios for TPMS and Key Fobs.

Since you can unlock/lock and start the vehicle by sending commands to this module I suspect windows would also work assuming similar setup in other vehicles. Just would depend on if powering the windows would be supported since windows normally are only powered up during RAP cycle. Of course you could force RAP since it is a command sent out from BCM but might require some sort of wake up protocol. If your vehicle includes the Key Fob receiver inside one of the door modules then the module is already awake to pick up the key fob signals and unlock/lock doors so seems reasonable they could also work your windows. Will be a trial and error thing.

Note that RAP (Retained Accessory Power) is totally dependent on vehicle. My truck has it as a data command but the sunroof relay is powered directly from the BCM to provide RAP support for the sunroof so anything is possible. (Since I don’t have a sunroof I installed a relay to power up my computer and monitor instead of using an ignition lead.)

No GM scan tool communicates ever on LIN.

So any time you need info to/from a LIN-controlled device (the window motor), the module it’s connected to/slaved off of acts as the gateway between CAN and the LIN node.

So yes, of course you can control windows and stuff via CAN…you’re just addressing the door module…then the door module forwards requests to the window motors via LIN.

Ben

You can wake up the truck via databus alone on both Class 2 and SWCAN on GM vehicles.

Really, J1850 (Class 2) on early GM vehicles is pretty much “functionally” identical to low speed GMLAN (SWCAN) on the newer GM vehicles.

Both standards support wakeup via bus message (no need for a separate switched power feed)…both standards have a high-speed mode for module reprogramming (41.6k for J1850, 83.3k for SWCAN)…both standards have a maximum 8-byte message…both standards have a header format that includes priority, destination, arbitration, and source node ID…

Like I said, GM was very ahead of the times. Class 2 started to get rolled out in 1995/1996.

The only difference is on the hardware layer/transmission method…like how actual 1’s and 0’s are transmitted along the wire. Otherwise, J1850 and SWCAN are VERY similar to work with on a software and reverse-engineering level.

GM was even kind enough to keep the source ID’s the same between J1850 Class 2 and SWCAN…so on a 1997 GM car/truck (J1850)…the BCM is node ID $40…and 20 years later, the source node ID (now SWCAN obviously) for the BCM is still $40!

The radio has been $80 for the past 20 years, HVAC module has been $86 for the past 20 years, instrument cluster has always been $60, etc. Device control messages still always begin with $07 $AE, etc. Pretty cool.

So if you start working with J1850 and learn about interfacing with it/hacking it…the transition to SWCAN is very very easy (and vice versa). SWCAN header is 4 bytes, J1850 header is 3 bytes…that’s basically the only difference from a “hacking” software point of view.

Good to know. I have lots of information about the J1850 stuff such as the Module number ranges for everything that GM did and a variety of the commands used. I even have a method for pulling and pushing the binary image from an ECM so I hope to make use of them. I was NOT aware that there is a high speed mode for programming. I left you a private message with my Email account so maybe we could take some of this off line. Sounds like you have a lot more experience than I have so I certainly would appreciate chatting further.

@dmaxben, is there a current list of the IDs and other info like you have stated somewhere?

I have a list of the ranges the modules reside in. If you know the ranges then when you pick up the IDs you know where they are coming from. I will be sorting through and pulling out all of my stuff the next week or so to get ready to start getting this going.

Finals next Tuesday and Wed then hopefully they will have the information up to date and I can jump on whatever they might have done and expand it.

Probably going to go through the Canbus stuff so I understand it too.

Rodney

GM Class 2 module IDs

TCM $18
BCM $40
IPC $60
ECM $10
TCSM $1A
EBCM $29
SDM $58
RADIO $80
AMPLIFIER $81
CDX $82
XM $89
ONSTAR $97
HVAC $98
DDM $A0
PDM $A1
MSM $A6
RSA $A7
TDM $C0

I don’t know what RSE (rear seat DVD player) is…I’m pretty sure it’s $83 though. And there’s obviously more modules than this, but this is all I have.