Posted by Karlis on Nov 14, 2016; 5:49am
URL: http://bluesaab-forum.90.s1.nabble.com/Custom-CDC-to-SID-text-tp90p783.html
Ok, folks! I think we finally have a breakthrough!
TL;DR - IHU->SID text can be altered!
Long version
Up until now we thought that custom SID text control can be achieved only by suppressing IHU->SID write access (CD1 PLAY) with the help of changing priorities of messages or sending custom text to SID on behalf of some other node on the bus (commonly SPA was used for this). This is one way of doing things and it works...sort of... SPA->SID text control works great, but only if you don't have an actual SPA installed in your car.
So I did some thinking for a couple of days and remembered the "TELEPHONE" message being displayed on SID. Originally SAAB had an optional hands-free system package for mobile phones that could be installed and, when activated, would mute whatever sound was coming through the audio system and would activate the mobile phone. On US market cars there was also a GM system called "OnStar" that was installed on all cars by default. The basic idea is that you pay an annual fee and if you ever get in an accident or in trouble, press a button on the dash and Bruce Willis will come to rescue you in a helicopter gunship!

Since 2008, the "OnStar" system has gone digital, rendering all of these systems on OG SAABs in the US useless. And I haven't heard of anyone in the EU using the optional hands-free package "per design". Not talking about the hacks people do to get an Aux-In...
Anyway...
I started thinking about which node sends that "TELEPHONE" text to SID, and how? How??? And who??? And HOW (not IF) can we use that to our benefit?
Turns out...*drums rolling*...
it's our good old friend IHU!!!
Yeah! I know... I was also like:

So I started to dig deeper and sniff CAN comms. And here's what I found:
*) IHU->SID text can be altered (not quite sure yet how, but it works)
*) There's clever timing in the sequence of CAN comms that basically tells SID that IHU won't display "CD1 PLAY" (or whatever) now and from now on will display "TELEPHONE" (or whatever).
Here's an output from CAN capture I got today with some comments.
*) I separated the groups of frames with an empty line.
*) Numbers under each frame represent time in milliseconds since the last frame that we are interested in was intercepted.
*) As we know, SID expects three CAN frames from a node that writes something on display
*) 1st byte (0x42, 0x01 and 0x00) is the sequence number of the frame in the group
*) 2nd byte - 0x96 is the "address" of the SID
SAAB CAN Sniffer v1.0 - September 2016
328 Rx-> 42 96 2 46 4D 31 20 20
949
328 Rx-> 1 96 2 20 39 A6 35 30 // Group of three frames sent from IHU to SID on basetime (which should be 1000ms). Displaying “FM 96.50”
8
328 Rx-> 0 96 2 20 1 0 0 0
30
328 Rx-> 42 96 2 46 4D 31 20 20
950
328 Rx-> 1 96 2 20 39 A6 35 30 // Group of three frames sent from IHU to SID on basetime (which should be 1000ms). Displaying “FM 96.50”
8
328 Rx-> 0 96 2 20 1 0 0 0
30
328 Rx-> 42 96 82 20 20 20 20 20 // “OnStar” button/Telephone mode enabled. SID still grants IHU access to 2nd row, BUT mind the 2nd byte in the frame.
81
328 Rx-> 1 96 82 20 20 20 20 20 // 0x82 definitely means “there’s a new event we need to react to; let’s “space out” everything out on the 2nd row of the SID!”
7
328 Rx-> 0 96 82 20 20 0 0 0 // Still “spacing” out. Note that there are 12 x 0x20 bytes. 12 = length of SID row.
32
328 Rx-> 42 96 2 20 20 20 20 20
822
328 Rx-> 1 96 2 20 20 20 20 20 // “Spacing out” again, BUT now doing that on basetime (which again should be 1000ms). Notice the 2nd byte now.
8
328 Rx-> 0 96 2 20 20 0 0 0
32
328 Rx-> 42 96 82 54 45 4C 45 50
770
328 Rx-> 1 96 82 48 4F 4E 45 20 // Sending the new text to SID as an event. Hence the 2nd byte = 0x82. Displaying “TELEPHONE”
8
328 Rx-> 0 96 82 20 20 0 0 0
31
328 Rx-> 42 96 2 54 45 4C 45 50
131
328 Rx-> 1 96 2 48 4F 4E 45 20 // Group of three frames sent from IHU to SID on basetime (which should be 1000ms). Displaying “TELEPHONE”
6
328 Rx-> 0 96 2 20 20 0 0 0
31
So it looks like we could try and mimic these comms to our benefit and hope this works. I mean we could try, right?
2001 9-5 SE V6; 2006 9-5 Wagon; iOS; BlueSaab version = "latest and greatest" :)
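
Added example, not part of the original post or of the BlueSaab code: a small Python decoder that reads the sniffer log format shown above, reassembles each 0x42 / 0x01 / 0x00 group on ID 328 into the 12-character SID row, and reports the third data byte (0x02 or 0x82 in the capture) alongside the text. The 5 + 5 + 2 split of text bytes is an assumption read off the capture, and the function names are hypothetical.

```python
# SAMPLE is constructed from frames in the capture above (annotations dropped).
SAMPLE = """\
328 Rx-> 42 96 2 46 4D 31 20 20
949
328 Rx-> 1 96 2 20 39 A6 35 30
328 Rx-> 0 96 2 20 1 0 0 0
328 Rx-> 42 96 82 54 45 4C 45 50
770
328 Rx-> 1 96 82 48 4F 4E 45 20
328 Rx-> 0 96 82 20 20 0 0 0
"""

# Text bytes per frame, keyed by the frame's first byte: 5 + 5 + 2 = 12 (one SID row).
TEXT_LEN = {0x42: 5, 0x01: 5, 0x00: 2}
NEXT_SEQ = {0x42: 0x01, 0x01: 0x00}

def parse_line(line):
    """Return (can_id, [8 data bytes]) or None for timing and other lines."""
    fields = line.split("//")[0].split()
    if len(fields) != 10 or fields[1] != "Rx->":
        return None
    try:
        return int(fields[0], 16), [int(x, 16) for x in fields[2:]]
    except ValueError:
        return None

def render(b):
    return chr(b) if 0x20 <= b < 0x7F else "<%02X>" % b  # no glyph guessing

def decode_groups(log, can_id=0x328):
    """Return [(flag_byte, text)] for each complete 0x42 -> 0x01 -> 0x00 group."""
    groups, cur = [], None
    for parsed in map(parse_line, log.splitlines()):
        if parsed is None or parsed[0] != can_id:
            continue
        seq, flag = parsed[1][0], parsed[1][2]
        if seq == 0x42:
            cur = {"flag": flag, "data": [], "expect": 0x42}
        if cur is None or seq != cur["expect"] or flag != cur["flag"]:
            cur = None  # out-of-order frame or mixed flag byte: drop the group
            continue
        cur["data"] += parsed[1][3:3 + TEXT_LEN[seq]]
        cur["expect"] = NEXT_SEQ.get(seq)
        if seq == 0x00:
            groups.append((cur["flag"], "".join(map(render, cur["data"]))))
            cur = None
    return groups
```

Bytes outside printable ASCII (such as 0xA6 in the radio frequency frame) are shown as `<HH>` rather than mapped to a display glyph, since the capture does not document the SID character set.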