Awesome

Reverse engineering CANbus messages of Fiesta MK5 dashboard/radio subsystem

This documentation applies to Ford Fiesta MK5 >2006 (MK5 restyling), with 2-DIN, 6000CD radio.

The radio sends messages to the LCD screen in the dashboard, like FM station names, CD track IDs, volume changes.

The idea was to tap into the text-to-LCD mechanism, but I ended up reversing some other interesting CANbus messages.

Tapping in the infotaiment CANbus is quite easy: just connect a CANbus interface over CANH and CANL lines that come into the QuadLock conector of the radio, no 120 Ohm terminal block resistor needed.

Personally, I used a SeedStudio CANbus Shield stacked onto an Arduino Uno R3.

Results

Bus speed is 125 KBPS.

The IDs of either partially or fully decoded messages are:

• 0x080
• 0x1e9
• 0x201
• 0x265
• 0x285
• 0x286
• 0x2d5
• 0x2d8
• 0x2da
• 0x2db
• 0x360
• 0x420
• 0x428
• 0x433
• 0x460
• 0x4c0
• 0x4c8
• 0x4f3

A Kayak .kcd file definition file is included (incomplete).

Text to LCD screen

The radio sends text to the dashboard LCD using either a short message format or an extended message format.

The short format can only be seen whenever the radio switches to AUX mode.

The extended format is composed by one header message containing the length of the text, and subsequent messages that provide additional text portions.

this happens to be the ISO-TP protocol (ISO 15765-2). For the sake of completeness, after the first extended frame message, an ACK message is received (as required by the ISO-TP flow control mechansim):

where:

• byte 1 (0x30) tells that the source is "clear to send" the next portions of the message;
• byte 2 (0x00) tells that frames are to be sent without flow control;
• byte 3 (0x00) tells to send as fast as the source can.

Thanks to /u/thatguy147 for the ISO-TP suggestion!

Radio station name

The radio also shares the radio station name with a specific message.

Radio OFF

When the radio is OFF this message is broadcasted.

Radio mode / seek buttons

Apparently, only mode and seek buttons near the steering column issue commands over MS-CAN, while unfortunately it seems that volume buttons are not.

buttons is a bitmask: the byte is the algebraic sum of these condition codes, whenever applicable.

Radio volume

The radio unit broadcasts a message containing the current volume level.

where the real volume level can be obtained as:

volume = volume_raw/8

CD track info

When the unit is not in CD playback mode, the following message is emitted:

Instead, during CD playback, the message contains the track id and current seek time:

where the current track time, in seconds, can be obtained like this:

track_seconds = track_time - 64

CD status

The radio unit tells informations about the CD presence.

Date & Time

The car has an onboard RTC that works independently from the radio clock (it works even if the radio is disconnected at all). The date and time are broadcasted with 1 second resolution.

AirBag status

The AirBag dashboard light is commanded either ON or OFF depending with the 5th byte of this message.

Doors status / Lock / Reverse gear

Doors status is signalled setting or clearing bits in the 1st byte of this message. Full lock of the doors is signalled by the 6th byte. Morover, this packet hold the status of the reverse gear in the 4th byte.

door_status is a bitmask: the 1st byte is the algebraic sum of these condition codes, whenever applicable.

reverse_gear can be interpreted as follows:

lock can be interpreted as follows:

Arrows status

Arrows status is signalled setting or clearing bits in the 1st byte of this message.

Status is a bitmask: the 1st byte is the algebraic sum of these condition codes, whenever applicable.

Vehicle ID

Periodically, the veihcle ID (lower part of VIN, so the serial number plus other codes signalling production date) is broadcasted.

Front beams / handbrake status

<img src="H35.png" data-canonical-src="H35.png" width="50"/> <img src="H36.png" data-canonical-src="H36.png" width="50"/> <img src="K02_0.png" data-canonical-src="K02_0.png" width="50"/>

Front beams status is signalled setting or clearing bits in the 1st byte of this message. Notice that, since this message is just for dashboard LEDs, parking lights cannot be distinguished from low beams, as they share the same LED indicator.

Status is a bitmask: the 1st byte is the algebraic sum of 0x10 and these condition codes, whenever applicable.

Gas pedal / RPM / Speed

Gas pedal position, engine RPM and speed (Km/h) are contained in the same packet.

where the position of the pedal can be translated in percentage with the following formula:

gas_percent = gas*100/50944

while speed in Km/h can be obtained with:

km_h = speed/100

Brake pedal / coolant temperature

Brake pedal status is repeated in two different messages, with different codes.

where brake can be interpreted as follows:

and coolant temperature can be obtained as follows:

coolant_degrees = coolant - 40

and

where brake can be interpreted as follows:

Key position

Key can be either in position 1, 2 or 3.

where the position can be obtained reading bits 5 and 6 of the first byte:

key_position = (key & 0x30) >> 4

Battery voltage

Battery voltage is expressed in tenths of Volt.

where battery status, in volts, can be obtained as:

battery_v = battery/10