ZS EV Reverse Engineering CAN and OBD Spreadsheets

[mikeRES]

For anyone looking to reverse engineer the ZS EV, here is the latest knowledge we have on both CAN and OBD:

OBD is for diagnostic queries where you request data from the OBD port and the ECU will respond with the data:
MG ZS EV OBD Reverse Engineering

CAN is for internal data, which is information being continiously sent by ECUs (you need to do a brakeout lead and splice onto the internal CAN buses):
MG ZS EV CAN Reverse Engineering

Please request edit access if you have anything you want to add to these spreadsheets.

 

[JodyS21]

Thanks. I'll be studying this this later.

Previously I had my laptop connected to the OBD2, using a serial terminal, I can't seem to get any of the custom PID data back.
Do you know what I could be doing wrong, I thought it was a simple case of issuing the PIDs to get the data back. (I've never done this before btw so am on a bit of a learning curve)

I didn't realise you'd had to splice in to get all of the data, thought you'd managed to capture it all via the OBD2 port.

I'd like to help/get involved if I can.

 

[mikeRES]

What i actually have is both, I have an OVMS unit connected on the OBD port and an IntrepidCS data logger permenantly connected on the GWM logging all the CAN buses. See here fror the breakout lead connections: Gateway Module Breakout Lead

You need to use a CAN device at 500 kbps (or more) on the OBD CAN-H and L pins (14 and 6 I think) and the queries you send are detailed in the spreadsheet. I would highly reccomend the OVMS unit as a very simple way to do it (and you can even run it for OBD PID data sweeps).

 

[JodyS21]

What i actually have is both, I have an OVMS unit connected on the OBD port and an IntrepidCS data logger permenantly connected on the GWM logging all the CAN buses. See here fror the breakout lead connections: Gateway Module Breakout Lead

You need to use a CAN device at 500 kbps (or more) on the OBD CAN-H and L pins (14 and 6 I think) and the queries you send are detailed in the spreadsheet. I would highly reccomend the OVMS unit as a very simple way to do it (and you can even run it for OBD PID data sweeps).

HURRAH
I've figured out what I was doing wrong and now got my terminal session successfully getting data back from the PIDs in your spreadsheet (I wasn't changing the "header?" ECU I wanted to query [ATSH 781])

This is all completely new to me, so can I ask a few newbie questions..

The first byte that you seem to always use 0x22, is that standard for requesting manufacture specific data or did you try every value?

The second and third bytes, do you literally try every combination against every ECU to see what respond? If I do this I assume I can't do any damage.......?

If I only issue "commands" starting 0x22 is this safe - they're all requests for information? can't update anything/won't be like issues a message from a sensor etc.


FYI:
>AT Z
ELM327 v1.5

ATI

ELM327 v1.5

ATSP6

OK

0100

41 00 88 18 00 13

ATH1

OK

0100

7EB 06 41 00 88 18 00 13
10001000 00011000 00000000 00010011 01,05,0C,0D,1C,1F,MORE

0120

7EB 06 41 20 80 01 80 01
10000000 00000001 10000000 00000001 21,31,MORE

0140

7EB 06 41 40 44 04 80 40
01000100 00000100 10000000 01000000 42,46,4E,51,5A

0160

NO DATA

(Defaults to VCU ECC)

22BA00

7EB 05 62 BA 00 4E 20
20000 vehicle speed (0 mph)

220112

7EB 04 62 01 12 79
121 vcu voltage

22B71B

7EB 04 62 B7 1B 00
0 bms onboard charge plug in

22B309

7EB 04 62 B3 09 34
52 edu drive unit coolant temp

22B712

7EB 05 62 B7 12 01 50
336 high voltage battery available charger power

22B702

7EB 04 62 B7 02 01
1 bms running state (03=driving)

22B18C

7EB 04 62 B1 8C 02
2 ignition switch status

22B703

7EB 04 62 B7 03 00
0 actual hv battery main contractor status

22B402

7EB 05 62 B4 02 7F FF
32767 TM speed (7FFF=0rpm)

ATSH 7E3

OK
VCU

22BA00

7EB 05 62 BA 00 4E 20
20000 vehicle speed (0 mph)

ATSH 781

OK
BMS

22B061

789 05 62 B0 61 27 10
10000 HV battery SoH (100.00)

22B041

789 05 62 B0 41 FF FE
65534 Battery pack Bus voltage

22B042

789 05 62 B0 42 06 76
1654 Battery pack voltage (divide by 4 = 413.5v)

22B043

789 05 62 B0 43 9C 40
40000 HV battery current

22B046

789 05 62 B0 46 02 68
616 Battery charge level SoC (61.6?)

22B05C

789 04 62 B0 5C 63
99 BMS coolant temp

22B061

789 05 62 B0 61 27 10
10000 HV battery SoH

22B058

789 06 62 B0 58 0E F6 FF
980735 Maximum Cell Voltage

22B048

789 04 62 B0 48 01
1 BMS running state

22B05C

789 04 62 B0 5C 63
99 BMS Coolant Temp

ATSH 724

OK
TPMS

22B001

72C 07 62 B0 01 42 3F 41 41
66 63 65 65 Tyre Pressures (x4=kPa? 264kPa 252kPa 260kPa 260kPa)

22B003

72C 07 62 B0 03 22 22 25 22
34 34 37 34 Tyre Temperatures (if X2 for F? 68F=20C 68F=20C 74F=23.3C 68F=20C)

ATSH 760

OK
IPK

22B101

768 06 62 B1 01 00 0D 15
3349 Odometer Reading (in KM. 3349=2081Miles)

220100

768 10 13 62 01 00 FF FF FF
768 21 FF FF FF FF FF FF FF
768 22 FF FF FF FF FF FF AA

 

[mikeRES]

0x22 is the function to "request data by identifier", the subfunction is the id
e.g. 22B101 = function 0x22 with subfunction 0xB101
This is a standard UDS query, you can find some examples here: Unified Diagnostic Services

 

[stevep2k22uk]

great topic,
looking to program an arduino to grab battery voltage and charge rate information and send it out on via wifi to access via mobile phone,
is this possible?

 

[JodyS21]

great topic,
looking to program an arduino to grab battery voltage and charge rate information and send it out on via wifi to access via mobile phone,
is this possible?

Anything is possible with enough effort.
Not sure how easy it is to do the necessary comms with an arduino, will you need the standard chip (the name I can’t remember) used for most obd2/can comms still though?

 

[stevep2k22uk]

ive got an arduino already setup to read canbus, just need the correct ID's to read the relevant info and then i should be good to go,

 

[Peter WA]

looking to program an arduino to grab battery voltage and charge rate information and send it out on via wifi to access via mobile phone,

I started out doing stuff with Arduinios, but never used them with WiFi due to the stupid cost of the WiFi boards. Mostly using NODEMCU boards these days.

Much faster CPU, and inbuilt WiFi at about the same price as an Arduino Nano. If a few extra mA power usage don't matter (on the OBD2 bus you have access to the car battery), they should be the better choice.

Haven't tried it in this context though.

 

[stevep2k22uk]

Does anyone have a trace from zs ev as I am trying to see what data is sent and received. I’ve Seen the spreadsheets etc but not seen any traces

 

[spiderman]

Any suggestions on where range remaining data is?, currently on EV CAN PINS 15,16 of gateway.

 

[ABDALLA]

that's interesting
I wish if I have some knowledge about vehicle reverse engineering like OBD and can bus and how to extract information, how to edit some codes in vehicle software

 

[cockroach]

HURRAH
I've figured out what I was doing wrong and now got my terminal session successfully getting data back from the PIDs in your spreadsheet (I wasn't changing the "header?" ECU I wanted to query [ATSH 781])

This is all completely new to me, so can I ask a few newbie questions..

The first byte that you seem to always use 0x22, is that standard for requesting manufacture specific data or did you try every value?

The second and third bytes, do you literally try every combination against every ECU to see what respond? If I do this I assume I can't do any damage.......?

If I only issue "commands" starting 0x22 is this safe - they're all requests for information? can't update anything/won't be like issues a message from a sensor etc.


FYI:
>AT Z
ELM327 v1.5

ELM327 v1.5

OK

41 00 88 18 00 13

OK

7EB 06 41 00 88 18 00 13
10001000 00011000 00000000 00010011 01,05,0C,0D,1C,1F,MORE

7EB 06 41 20 80 01 80 01
10000000 00000001 10000000 00000001 21,31,MORE

7EB 06 41 40 44 04 80 40
01000100 00000100 10000000 01000000 42,46,4E,51,5A

NO DATA

(Defaults to VCU ECC)

7EB 05 62 BA 00 4E 20
20000 vehicle speed (0 mph)

7EB 04 62 01 12 79
121 vcu voltage

7EB 04 62 B7 1B 00
0 bms onboard charge plug in

7EB 04 62 B3 09 34
52 edu drive unit coolant temp

7EB 05 62 B7 12 01 50
336 high voltage battery available charger power

7EB 04 62 B7 02 01
1 bms running state (03=driving)

7EB 04 62 B1 8C 02
2 ignition switch status

7EB 04 62 B7 03 00
0 actual hv battery main contractor status

7EB 05 62 B4 02 7F FF
32767 TM speed (7FFF=0rpm)


OK
VCU

7EB 05 62 BA 00 4E 20
20000 vehicle speed (0 mph)


OK
BMS

789 05 62 B0 61 27 10
10000 HV battery SoH (100.00)

789 05 62 B0 41 FF FE
65534 Battery pack Bus voltage

789 05 62 B0 42 06 76
1654 Battery pack voltage (divide by 4 = 413.5v)

789 05 62 B0 43 9C 40
40000 HV battery current

789 05 62 B0 46 02 68
616 Battery charge level SoC (61.6?)

789 04 62 B0 5C 63
99 BMS coolant temp

789 05 62 B0 61 27 10
10000 HV battery SoH

789 06 62 B0 58 0E F6 FF
980735 Maximum Cell Voltage

789 04 62 B0 48 01
1 BMS running state

789 04 62 B0 5C 63
99 BMS Coolant Temp



OK
TPMS

72C 07 62 B0 01 42 3F 41 41
66 63 65 65 Tyre Pressures (x4=kPa? 264kPa 252kPa 260kPa 260kPa)

72C 07 62 B0 03 22 22 25 22
34 34 37 34 Tyre Temperatures (if X2 for F? 68F=20C 68F=20C 74F=23.3C 68F=20C)



OK
IPK

768 06 62 B1 01 00 0D 15
3349 Odometer Reading (in KM. 3349=2081Miles)


768 10 13 62 01 00 FF FF FF
768 21 FF FF FF FF FF FF FF
768 22 FF FF FF FF FF FF AA

FYI: I use MG ZS EV 2022 TH Model.

Last week I done hard work to connect my car and finally, I can connect OBD Bluetooth Serial Port … whatever with ELM327 programmatically success.
I had try these AT command and got response almost the same like this one.
It's happy ending thought. I very appreciate knowledge and data from here.

But the command about BCM like door status "22d112" I default got response NO DATA> every single time.
But sometimes with some condition in very few time I able to access "22d122" and get door status response properly.


I think it's may have some command, or some condition to wake BCM up.
And I don't know how.
Do you guys Have any idea ?

For more information hinting.
BCM will send response properly when open "iSMART App" or do some activity in iSMART.
It's work for a while after that go NODATA>
[see attachment]

 

[DivePeak]

Thanks for all the hard work on the spreadsheet!
I have a 2019 ZS EV (Australian)

I'm attempting to communicate through the OBD port - I'm using this device OBD-II RF DEV KIT - Longan Docs and using their Serial_CAN_Module library.

The library comes with an example PID that is meant to get the speed:
unsigned char tmp[8] = {0x02, 0x01, 0x0D, 0, 0, 0, 0, 0};
can.send(0x7DF, 0, 0, 8, tmp);

This returns values from PID 0x7EB and 0x729 (sometimes / very unpredictably).

When I try using any values from the spreadsheet (e.g. for the state of charge):
unsigned char tmp[8] = {0x03, 0x22, 0xB0, 0x46, 0, 0, 0, 0};
can.send(0x781, 0, 0, 8, tmp);

I get nothing.

I have confirmed with a second micro that for state of charge it is literally just sending the raw bytes:
x00 x00 x07 x81 x00 x00 x03 x22 xB0 x00 x00 x00 x00

I've confirmed that the devices are in radio range of each other and getting a clear signal. I've tried flipping the bits for standard/extended frames. Doors locked/unlocked. Car running/not running. Doors open/closed.

Given the note from @cockroach I also tried after opening the iSMART App. It gets data fine, but still nothing from the OBD device.

I've spent days trying to work this out and I'm at a dead end.

Is there something obvious I'm missing? Am I misunderstanding the spreadsheet?

 

[leonkernan]

If you're plugging into the OBD port the gateway module is probably filtering your data.

If you want full access you probably need to rig up a connection to the main bus at another point.

 

[Coulomb]

the gateway module is probably filtering your data.

I don't think it's filtering.

This returns values from PID 0x7EB and 0x729 (sometimes / very unpredictably).

It's a long time since I did any of this stuff, and it was only for firmware versions. I think you should get a response from a pid 8 higher than your request. So the above are possibly just junk or unrelated.

Is it possible that you are sending at the wrong CAN bus speed?

Also, you may have to fiddle the receiving filters. For example when sending to the BMS at 0x781, you might have to enable receiving at 0x789.

You might get some clues from the eZS thread, perhaps start at my post where I do all the serial commands myself (no library) :

Project OBD2 - Mobile App v1.2.1 and later

Can you give that instructions to us witch doesn't have Facebook? I can post the instructions but the are files on the Facebook group that need to be downloaded as well.

www.mgevs.com