In my now long-running effort to play with puzzles (the XK8/R CAN bus), Jon (Jon89) allowed me to record a few minutes of CAN data on a model outside my cars (his, 2006, mine 2001-2002). As expected, the 2006 is different. A major change appears to have happened in Ford's CAN spec for the 2003 MY, expected this might translate to Jaguar.

In any case, there are some similarities, most of the original 13 CAN IDs have analogues in the 2006 data (i.e. generally hex ID(2003/6) = hex ID(2001/2) +1) with the big exception that the 4 CAN tokens (the heartbeats) are gone. In 06, there are 6 CAN modules instead of the 4 with now 20 CAN IDs. Interestingly, one CAN ID appears to have remained exactly the same for some reason, 4B0, the ABS/DSSCM wheel speeds. The table below has some information on the correspondence between 01-02 and 03-06. I have randomly decoded a few of the messages like the odometer, and may continue as time permits. Edifying information below:


More CAN bus hijinks. Comparison of 01-02 to 03-06

 

Well done Dale. No idea how many folks here will be digging as deeply into the CANBUS system as you do, but with these XK8s there is never such a thing as too much information....

 

Subscribed to this thread.

Great work and like John says, you can never know too much.

 

@crbass or anyone else out there into this sort of thing - In my day job I do a lot of electrical/electronic diagnostics, quite a bit on classic (or at least old) Jags and Mercs. Got a customer with an 03 XJ8 with a failed Adaptive Cruise Control (ASCM) radar module, this integrated type were only used for a couple of years and are consequently non existent on the used market. I've pulled it apart but nothing obvious broken.
Unfortunately without it there is a nagging message and no use of the normal cruise control. - However if there was an "I'm alive" message on the CAN bus and I disable the "active" switch, all should be well. Anyone know the format of this message or hazard a guess? If the unit was alive I could power it up and find out as there is pretty much only +/- and CAN wires. I could then build a simple Arduino circuit to spoof it.

 

Again unfortunately, I suspect this may be "CAN ASC STATUS", but I don't know what message this data is included in. Unlike earlier CAN heartbeats, the 2003-on heartbeats do not appear to be separate and easily identifiable. It may be in the 2 byte message ID 120 which I identified as coming from the ASCCM, but that's rank speculation. Is any of this this true for the XJ? Don't know that either.

I had data on a later model XK for a few minutes (thanks Jon), so there a limits on what can be derived from that.

 

Thanks for the input, hoping I may be able to un-option it in SDD, but there have been varying reports on the feasibility of that.
If he does end up finding a replacement I'll try and see what CAN I can capture. His car has every option there ever was on it !

 

Dale (crbass)

I'm new to this thread, but have read some of your great work on the CAN bus. I have a 2005 XK8 and the table you referenced on 9/19/20 the right hand column is exactly correct. I did a capture today with a CANedge1 recording about 30 mins of drive. Do you have more details on the CAN messages? My objective is to replace the 6HP26 with a manual transmission from a S-type 2.7 diesel (S6-53, mechanically the same) and build a "auto trans simulator" to trick the XK8 to think the auto is still installed. In order to do this I am looking for all the messages the transmission will send out and respond to.
any help would be desired.
Glenn

 

this has already been done in a 2003 STR by user iansane

i would recommend reaching out to him.

 

Appreciate it, that's all I know for sure about the later models (and I don't know the particulars of what iansane did other than some timing spoofing or the details of the S-type vs the XK8 (2001-2002)). But I would guess that there is a very large concordance between the 01-02 and 03 on messages from the TCM at C8 (earlier)/C9 (later) and at 3E8(earlier)/3E9(later). Looking at the CAN messages listed in the electrical guide, there is a vast commonality between 02 and 03, perhaps even at the byte level. Don't know details of the other modules talking back to the TCM, but expect similar levels of commonality with perhaps a few additional bells and whistles.

Happy to help compare with earlier details if that will be helpful to decode the later messages (perhaps I'll want a later XK8 one day...).

 

Dale
How can I get a CAN capture to you?
I captures 2 trips, both are very large files.
Can you repost your latest excel, last one I have is 20200525
Glenn

 

No substantial changes to the spreadsheet during the crazytimes. Will PM with a means to send large files.

 

Hi Dale,

have you done any more research on this? I took up the decoding for my Xkr -2000 again recently and did successfully decode throttle pos, engine rpm, fuel tank level and a few more. But I'm struggling to find more.

Trying to send codes to the bus in hope to get answers, but only get "termination" code back like for sending 0x7E8 00 05 I get back 0x7EC 6 127 0 0 0 0 17 0

Did you figure out how to use an Arduino to send in requests and get back response for engine oil temp, coolant temp and so on? I'm not using the OBD-port but instead directly on the can hi/cal lo wires.

Regards,
Higgins

 

Dale changed jobs and moved from North Carolina to Michigan last summer. He is rarely on the forum these days. Send him a PM and perhaps he will see that....

 

I experimented with an Arduino (actually an ESP32) using the ELMduino library. All the standard PIDs work fine (engine temp, RPM, vehicle speed etc) but I couldn't get any of the extended PIDs to work. This is on a 2001 XKR.

 

Just checking your approaches - for extended PIDs, as per Dale's spreadsheet you need to send the unlock code before any extended OBD2 services will be enabled:
e.g. to request current MAF voltage from the ECM using service 22, if using Canbus protocol (i.e. not serial)
First you send 0x01 0x10 to address 0x7e8, and get response something like 0x06 0x7f 0x10 from address 0x7ec
- if you don't send this then the extended PID request (service 0x22) is ignored
Then you send the requested service 22 extended PID to address 0x7e8 (in this case 0x03 0x22 0x12 0x29 - for 3 bytes of message, service 0x22, PID 0x12 0x29)
- and get a response from address 0x7ec, something like 05 62 12 29 00 CF 00 00 per the spreadsheet

Let me know if you want any more info, including on the more exotic canbus services - I've reverse engineered much of the AJ27 ECM code (not AJ26 or AJ34 - although others have clearly done the latter) so I have a pretty good view on canbus services supported.