Results from hacking the KTM SuperDuke 1290 CAN bus

Seattle Dan
Minimoto racer
 
Posts: 6
Joined: Sun Jan 08, 2017 4:10 pm
Location: Seattle

Results from hacking the KTM SuperDuke 1290 CAN bus

Postby Seattle Dan » Mon Jan 23, 2017 3:36 am

This is a longish post about getting inside the CAN BUS protocol. I had searched far and wide but failed to find what I needed so I dug in and am taking the time to share what I found. No warranties expressed or implied – reading this means you agree that you may blow up your bike on your time, and on your dime.

My Goals:
I want access to race data. I have a SpeedAngle (http://www.speedangle.com) but it lacks access to key data I wanted: throttle position, gearbox position, braking forces, shifting efficiency, tyre slip, ABS/traction control intervention, and bike lean and tilt. This said, don’t get the idea that I’m a hard core racer… can’t be further from the truth. I simply wanted to learn quickly, make cool RaceRender videos, and geek out. I can’t leave good enough alone regardless of my hobby (or job).

Getting Started
    You need a cable to ‘read’ the data. Get the CANABLE cable for $25. https://www.tindie.com/products/protofusion/canable-usb-to-can-bus-adapter/
    Get your Sumitomo connectors here for $ 3.26 a set. Get a set for the data logger project too. http://www.corsa-technic.com/item.php?item_id=230
    Solder up the connectors as follows. The connector is facing you, with tab on top (per Corsa site image). Be sure NOT to connect power – the CANABLE is powered by the USB port, not the bike.
    1 (N/C) 2 (CAN-H) 3 (CAN-L)
    4 (N/C) 5 (N/C) 6 (GROUND)
    Screw this new cable to the CANABLE matching the pins. Note that the CANABLE has exposed metal pins below the circuit board – don’t short them out on your bike frame.
    Prepare your laptop with the right software. Get CANTACT-APP from https://github.com/linklayer/cantact-app. It’s based on Java so get that too. https://java.com
    Plug the cable into the bike and into the PC. Turn the key on your bike.
    Start the app. In the CONFIG WINDOW tab, pick your port (likely COM3) and then Bitrate of 500KB. Press START
    You’re now seeing CANBUS traffic. It’s intense. Congrats.
    In CANTACT-APP you can save data to disc but I found that it grinds to a halt around the 500 second mark so save smaller CSVs.

Reverse Engineering
Here's what I found via tedious sleuthing and math modelling:
    Throttle – it’s provided by ID 0x120/288, in the 3rd byte position. Turn it and see how it goes from 00 (off) to FF (fully on).
    Gearbox – it’s provided by ID 0x129/297, in the 1st byte position. The upper nibble (hex digit) is 0 for Neutral, 1-6 for gears. When you pull in the clutch the lower nibble goes from 0 to 8 and back.
    Front Brake Force – it’s provided by ID 0x290/656, in the 1st word (2 bytes) position. No pressure is 0x0000 (off) and a fistful of brake registers to about 0x3500 on my bike.
    RPM – it’s provided by ID 0x120/288, in the 1st word position, right before throttle. Start the engine and you’ll see it warm up around 2000 rpm and then settle in around 1500 rpm.
    Front Wheel Speed – it’s provided by ID 0x12B/299. Front wheel is first word. The wheel has to move at a certain minimal speed to get it to register. I’ve not totally figured out the scale but expect it to be pulses off of the 48 tooth hall effect sensor.
    Rear Wheel Speed – it’s also provided by ID 0x12B/299. Rear wheel is second word.
    Lean Angle – it’s provided by ID 0x12B/299. The last 3 bytes (6,7,8) split into two 12bit counters. The last 0x000 is for lean. I’ve tested the lean extensively. 0x000 is neutral, 0x001 starts leaning to the right. 0xFFF starts leaning to the left. I *believe* the first 0x000 are tilt but I’ve yet to validate.
    Traction Control – it’s provided by ID 0x450/1104. I’ve more testing to do here while on the road. I have figured out that bytes 1, 3, 5 express changes to ABS, MTC, and MODE settings respectively. I expect byte 2 to be ABS intervention intensity, byte 4 to be MTC intervention intensity.
    Oil temperature – I think it is provided by ID 0x540/1344, byte 7/8. Yet to fully validate.
    Water temperature – I think it is provided by ID 0x550/1360, byte 2. Yet to fully validate.
    Fuel level – I think it is provided by ID 0x551/1361, byte 1, as a percentage. Yet to fully validate.
    Date Time - I don’t know where this is yet. Can’t find it anywhere. It’s important to me for logging so if you happen to find it, please PM me!

Forward looking stuff...

Logging – baseline edition
Per above, the real reason for this work was to have a data logger. To do that, one can’t (should not) ride with a laptop taped to their race suit (unless they use 4+ wraps of tape). This being the goal, I ordered a few of these for a very reasonable $24.
https://www.tindie.com/products/akpc806a/can-bus-logger-with-sd-card
https://github.com/akpc806a/CAN_Logger/blob/master/Doc/CAN%20Logger%20(manual).pdf
I don’t have it yet but it seems like the perfect starting point for data logging. The wheel speed and brake data above comes in at 100 samples per second. The throttle data comes in at 50 samples per second so you can do the math on file size pretty quick. Right now I see the biggest problem being data sync across my CAN bus logs, my SPEEDANGLE data (GPS, speed, lean) and my GoPro video streams. I need to find the DATE TIME data in the CAN bus feed unless I can get time another way…

Logging – deluxe edition
The ultimate logger may well be this one. The design is based on a Teensy 3.2 and leverages some cool stuff FUSION (handle of the Tindie maker whose name is Paul) offers:
The amazing Teensy 3.2 unit ($20):
https://www.pjrc.com/store/teensy32.html
Killer shield for the Teensy ($95) that adds GPS for tracking (and data/time!), a GSM tracker for pushing data out to cloud service (e.g.: IoT into Azure cloud; 3D motion tracking for your spouse on long rides, etc.), a CAN bus transceiver, and a regulated power supply that can be powered from your motorcycle.
https://www.tindie.com/products/Fusion/tinytracker-gpsgsmcan-for-teensy-3132/
Another killer shield ($28) that mounts to the above shield to offer a 3-axis accelerometer, a 3-axis gyroscope, a 3-axis compass and an altimeter (height above sea level).
https://www.tindie.com/products/Fusion/10dof-mpu9250ms5637-sensor-addon-teensy-30-32/
Lastly, we need to write all this crazy cool data to storage via a shield for Micro SD ($8)
https://www.tindie.com/products/Fusion/teensy-slim-micro-sd-card-adapter
Unfortunately, this particular logger will require a lot of software to be written… and I’ve yet to start. But it sure does seem like the ultimate data logger suitable to both Super Duke’n on the track and for riding my 1200 GSA to Deadhorse, AK!

That’s it for now. I mostly wanted to share all that I had to return value to the group. Enjoy!
Last edited by Seattle Dan on Sun Jan 29, 2017 12:07 am, edited 1 time in total.

abc
Stunt rider
 
Posts: 666
Joined: Tue Dec 17, 2013 11:21 pm
Location: snowy mountains

Re: Results from hacking the KTM SuperDuke 1290 CAN bus

Postby abc » Mon Jan 23, 2017 4:30 am

Excellent - so sometime in the future we will be able to adjust the throttle ramp angles - I hope so and can't wait
Any modifications you undertake are your sole responsibility, I am not liable for any claims relating to modifications or suggestions posted on this forum. If you undertake any modifications you do so at your own risk.

jmann
moderator
 
Posts: 1741
Joined: Sun Mar 22, 2009 2:28 am
Location: Sunny Adelaide, Australia

Re: Results from hacking the KTM SuperDuke 1290 CAN bus

Postby jmann » Mon Jan 23, 2017 4:45 am

Yup excellent work comrade Dan :D All of the ID's you talk about seem to make sense to me although I have only ever been interested in remapping so have never pursued the routine ID's. One can, of course, buy off the shelf data loggers which are quite small which also obviates the need to strap a laptop to one's back :D Mine is permanently connected :wink:

EDIT: Tried to order a couple of the tindie USB/Canbus converters but the seller doesn't ship to Australia at the mo (hopefully soon).

jmann
moderator
 
Posts: 1741
Joined: Sun Mar 22, 2009 2:28 am
Location: Sunny Adelaide, Australia

Re: Results from hacking the KTM SuperDuke 1290 CAN bus

Postby jmann » Mon Jan 23, 2017 11:56 am

Hi Comrade Dan. I was just on my way to bed and remembered your question about time and date.
As you probably know the 1290 has multiple ECU's sending out canbus messages. The integrated speedo is one such ECU. I imagine that if you just change the time/date settings on the speedo you'll see some different ID's pop up and you'll be able to work out the rest from there. Happy hunting :D

Seattle Dan
Minimoto racer
 
Posts: 6
Joined: Sun Jan 08, 2017 4:10 pm
Location: Seattle

Re: Results from hacking the KTM SuperDuke 1290 CAN bus

Postby Seattle Dan » Mon Jan 23, 2017 2:22 pm

jmann wrote:Yup excellent work comrade Dan :D All of the ID's you talk about seem to make sense to me although I have only ever been interested in remapping so have never pursued the routine ID's. One can, of course, buy off the shelf data loggers which are quite small which also obviates the need to strap a laptop to one's back :D Mine is permanently connected :wink:

EDIT: Tried to order a couple of the tindie USB/Canbus converters but the seller doesn't ship to Australia at the mo (hopefully soon).


Thanks. Yes, getting various pre-made loggers is possible. The challenge for me has been associating all the data together, in sync. e.g.: Fast cornering is about proper throttle control, good braking, proper entry position, limiting lean, etc. Having a logger that has 10hz GPS collection, throttle position, braking, forces, gear changes, duration of clutch hold, lean angles, tilt angle, RPM (blipping), tyre slip, ABS interference on entry, MTC interference on exit, and so on is the goal.

Seattle Dan
Minimoto racer
 
Posts: 6
Joined: Sun Jan 08, 2017 4:10 pm
Location: Seattle

Re: Results from hacking the KTM SuperDuke 1290 CAN bus

Postby Seattle Dan » Mon Jan 23, 2017 2:42 pm

jmann wrote:Hi Comrade Dan. I was just on my way to bed and remembered your question about time and date.
As you probably know the 1290 has multiple ECU's sending out canbus messages. The integrated speedo is one such ECU. I imagine that if you just change the time/date settings on the speedo you'll see some different ID's pop up and you'll be able to work out the rest from there. Happy hunting :D


Hi J,

Yes, it turns out that the repair manual has a detailed electronic guide... 11 or so pages of "which sensors connect to which devices". From there I was able to derive all the devices and their logical IDs. From there a few PDF searches and one can learn a lot about the outputs. e.g.: The BOSCH 9M Plus spec calls out that the unit "measures the motorcycle’s longitudinal, lateral, and vertical acceleration, as well as yaw, pitch, and roll rate during the ride and uses this information to calculate its lean and tilt angle". Given this has to be done a lot to be useful, I searched all messages with updates of 100 times per second first. With engine off, tilted the bike left/right and so on. I found another counter bobbling (fuel level) but it was only being updated 20x/sec.

The challenge with (absolute) time is that it does not seem to be output to the bus. The Byte 8 values of many 100hz IDs end with a timer that monotonically increases but never says the date/time.

Other messages toggle between two states: 1344/1345 are updated at 20hz but one transmission starts with 02, the next starts with 04. The last 2 bytes of the 04 series is oil temperature. I think this is derived from the fact the EFI controller has most of its inputs in pairs but oil temp, coolant temp, oil pressure, oil levels are all singletons. Also, the message ID groupings (288,89,296,297,299 vs 1104) do not reflect controllers. Instead they seem to be used to sort the data. e.g.: I think that 299, 656 and 1104 come from the same ABS unit.

Since I have this data in an XLS, here it is. You'll note that the computed outputs are not always offered by the device called out. e.g.: Lean angle (Angle sensor) is said to come from gauges -- it does not. It comes from ABS messages (given the need for a much higher data rate).

e.g.:
EFI Control Unit (A11)
Crankshaft position sensor (RPM)
Gear Position Sensor
Throttle position sensor (A/B)
Coolant Temperature, cyl1
Side Stand Switch
Throttle stepper motor (A/B)
Quickshifter (optional)
Rollover sensor (?)
Intake Air temperature
Ambient Air Pressure Sensor
Manifold pressure sensor, cylinder 1
Manifold pressure sensor, cylinder 2
Injector Cylinder 1
Injector Cylinder 2
Lambda Sensor, Cylinder 1
Lambda Sensor, Cylinder 2
Ignition Coil 1, cylinder 1
Ignition Coil 2, cylinder 1
Ignition Coil 1, cylinder 2
Ignition Coil 2, cylinder 2
Secondary Air Valve (?)

Central Electronic Control Unit (A10)
Front Brake Light Switch
Rear brake Light Switch
Clutch Switch
Start button
Oil temperature Sensor
Oil Pressure Sensor
Oil Level Sensor
Fuel Level Sensor
Fuel Evaporation Valve (optional)
Fuel Pump
Hi beam button
Left signal button
Right signal button
Cancel signal button
Hazard button
Horn button
Low Beam output
High Beam output
Parking Light output
Daytime Running Light
Horn output
Emergency off button
Heated Grip output
Radiator Fan Motor 1
Radiator Fan Motor 2
License plate light
Brake/tail light
Front, Left turn
Front, Right turn
Rear, Left turn
Rear, Right turn

ABS Control Unit (A30)
Front wheel speed sensor
Rear wheel speed sensor

Combination Instrument (P10)
Angle Sensor
Tilt
<< Time??>>
Ambient Air temperature sensor
keypad - Up
keypad - Down
keypad - Return
keypad - Enter

Alarm System (A50)
Alarm system switch

Ignition (S11)
Key switch
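
The triage described in this post (sort IDs by update rate, see which bytes move, spot IDs whose first byte flips between two values), as an added example that is not code from the thread. The capture is constructed, timestamps are assumed to be in milliseconds, and byte positions are reported 1-based as in the posts.

```python
from collections import defaultdict

def profile(frames):
    """frames: iterable of (t_ms, can_id, data). Returns per-ID statistics."""
    seen = defaultdict(list)
    for t_ms, can_id, data in frames:
        seen[can_id].append((t_ms, data))
    report = {}
    for can_id, items in seen.items():
        span = items[-1][0] - items[0][0]
        # Update rate in Hz from the number of intervals over the observed span.
        hz = round((len(items) - 1) * 1000 / span) if span > 0 else 0
        width = min(len(d) for _, d in items)
        # 1-based positions of bytes that took more than one value.
        changing = [i + 1 for i in range(width)
                    if len({d[i] for _, d in items}) > 1]
        firsts = [d[0] for _, d in items if d]
        # An ID whose first byte strictly alternates between two values is
        # probably carrying two different payloads (like 02/04 on 1344).
        alternates = (len(set(firsts)) == 2 and
                      all(a != b for a, b in zip(firsts, firsts[1:])))
        report[can_id] = {"hz": hz, "changing_bytes": changing,
                          "d1_alternates": alternates}
    return report

def constructed_capture():
    """One second of invented traffic: a 100 Hz ID and two 20 Hz IDs."""
    frames = []
    for i, t in enumerate(range(0, 1000, 10)):       # 0x12B at 100 Hz
        n = i * 5                                    # slowly moving 12-bit value
        frames.append((t, 0x12B, bytes([0, 0, 0, 0, 0, 0, n >> 8, n & 0xFF])))
    for i, t in enumerate(range(0, 1000, 50)):       # 0x540 (1344) at 20 Hz
        if i % 2 == 0:
            data = bytes([0x02, 0, 0, 0, 0, 0, 0x00, 0x00])
        else:
            data = bytes([0x04, 0, 0, 0, 0, 0, 0x01, 0x90])
        frames.append((t, 0x540, data))
        frames.append((t, 0x551, bytes([0x40, 0, 0, 0, 0, 0, 0, 0])))
    return sorted(frames, key=lambda f: f[0])

if __name__ == "__main__":
    for can_id, stats in sorted(profile(constructed_capture()).items()):
        print(hex(can_id), stats)
```
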

jmann
moderator
 
Posts: 1741
Joined: Sun Mar 22, 2009 2:28 am
Location: Sunny Adelaide, Australia

Re: Results from hacking the KTM SuperDuke 1290 CAN bus

Postby jmann » Mon Jan 23, 2017 10:50 pm

Very nice work comrade Dan. I probably owe you an apology in-so-far as you've had to go searching for info on the ECU lines when most of us already knew about the schematics that you eventually discovered. The problem is that the basic stuff (what's in the manual) sits below the surface whilst newbies need to explicitly ask - sorry :D

I take it on face value what you say about date/time not being sent out on the canbus. Assuming it is correct I guess your ultimate strategy will have to be to interrogate the speedo by simulating a date/time change then linking that to an internal clock on your tracking device. From then on, you should be fine. Unfortunately, I'm not in a position to do these experiments for you at this point in time but perhaps later in the year...

Seattle Dan
Minimoto racer
 
Posts: 6
Joined: Sun Jan 08, 2017 4:10 pm
Location: Seattle

Re: Results from hacking the KTM SuperDuke 1290 CAN bus

Postby Seattle Dan » Wed Jan 25, 2017 3:50 am

jmann wrote:Very nice work comrade Dan. I probably owe you an apology in-so-far as you've had to go searching for info on the ECU lines when most of us already knew about the schematics that you eventually discovered. The problem is that the basic stuff (what's in the manual) sits below the surface whilst newbies need to explicitly ask - sorry :D

I take it on face value what you say about date/time not being sent out on the canbus. Assuming it is correct I guess your ultimate strategy will have to be to interrogate the speedo by simulating a date/time change then linking that to an internal clock on your tracking device. From then on, you should be fine. Unfortunately, I'm not in a position to do these experiments for you at this point in time but perhaps later in the year...


No apologies required... I read many of the other posts 10x over. I like the idea of 'hiding' a CAN BUS recorder on the bike during next service too. ;) That said, given what I've seen of the 'rolling codes' offered by ID 12xx, I doubt replay will be easy. I may short circuit this with the GPS board above (that has precise date/time via the NMEA protocol).

If you want some insight into the lean angle data, here's an Excel sheet: https://thermsguy.blob.core.windows.net ... Angle.xlsx. The graph at the top is my holding the bike steady, wobble a bit to the right, to the left, dip deep to the left and raise quickly only to bobble a bit more. 12 bits of lean angle purity! The Tilt counter is pretty choppy given the bike was at a standstill with lean left/right only (tyres pretty much fixed in a spot). I presume that if I drove it in a circle I'd get a lot better resolution data.

jmann
moderator
 
Posts: 1741
Joined: Sun Mar 22, 2009 2:28 am
Location: Sunny Adelaide, Australia

Re: Results from hacking the KTM SuperDuke 1290 CAN bus

Postby jmann » Sat Jan 28, 2017 10:17 am

Hi comrade Dan.

Well I couldn't resist the temptation to verify your information. To do so meant that I had to dig out my old programs and figure out what the fook they were doing (I'm not a programmers arse hole) :lol: Anyway, given what I'd already done it wasn't too big a deal to add some code to provide a klutzy dashboard that indicated RPM's, Gear, Throttle Etc... No fancy dials just numbers but it does the job.

I was then able to replay lots of my old recordings and verify that the numbers looked like they should. Guess what? You have been spot on with your analysis. :D :D :D

I've started to poke around for date/time but no joy so far. Like you I figure that there's no real reason for the speedo to tell anything else what the time is thus it doesn't appear on the canbus.

One small problem I did have when following your post and changing my code was that I needed to match what you were talking about with what I was seeing in the logs and in my code - everything on my side was in Hex whereas you'd refer to stuff in decimal. I suspect anybody looking at logs would find it easier if you referred to the Id's and data in hex. Would you care to edit your posts to change the ID's to hex or I can do it if you wish. Also I find it easier to refer to the data in the messages as D1..D8 etc rather than byte1, word1.

One question I have is how did you work out that the lean stuff was 12 bit? Perhaps I've read that on the Bosch site.

Here's a table that summarises what you have written up:

Image

Thanks for all of your effort and insight.

Seattle Dan
Minimoto racer
 
Posts: 6
Joined: Sun Jan 08, 2017 4:10 pm
Location: Seattle

Re: Results from hacking the KTM SuperDuke 1290 CAN bus

Postby Seattle Dan » Sat Jan 28, 2017 10:56 pm

Thanks Comrade for the validation! Much appreciate your effort considering you said you were busy. Curiosity kills the cat ;) I'll review some of the added data you have against mine and update my master XLS located here: https://thermsguy.blob.core.windows.net/slides/KTM_1290_CAN.xlsx

Agree on hex being better for sharing but I had to flip to decimal once I started reading the data into Excel. Excel converts valid CSV data to number making 00 flip to 0 and thus preventing me from using Mid() functions for byte-to-nibble operations. Your table below sums things up well.

Small change for 0x12B. The data is F,R as you have it, then 12bit for Tilt and 12bit for Lean. The lean I've figured out is in decimal. e.g.: 123 = 12.3 degree lean. I'm still working on figuring out tilt. Here's my XLS for the lean math: https://thermsguy.blob.core.windows.net/slides/KTM_1290_LeanAngle.xlsx

Finally, here are two neat images of processed data... amazing how megabytes of spew can turn into real charts:

This first one is my leaning the bike over to the right to 50 degrees and holding it. I taped an iPhone with the 'level' app to the gas tank. You can see the direct correlation to nn.n degree lean. Positive = right lean.
Image

This second one is a short ride and only looking at 299 (0x012B) data on wheel slippage... a few wheelies in blue and lots of little noise given the tyres are not perfectly the same diameter, lean/camber in turns, etc. I've yet to figure out where ABS intervention or TC intervention is shown.. a damn lot of data is logged from a very short ride. Some of the orange is also very hard braking.

Image
That's it for now. Current project is writing a parser for the https://www.tindie.com/products/akpc806 ... th-sd-card log files into more usable CSVs with the following data structure on 10hz time intervals.
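
A decoder for the byte layout worked out in this thread, resampled to rows at 10 Hz, as an added example that is not code from the posts. It assumes big-endian 16-bit words and a signed 12-bit lean value in tenths of a degree (positive = right); values with no scale given in the thread stay raw, and the "t_ms,ID,HEXDATA" log lines are a constructed format.

```python
# Added example. Assumptions not confirmed in the thread: 16-bit words are
# big-endian, values without a stated scale stay raw, and the
# "t_ms,ID,HEXDATA" lines below are a constructed format (not the logger's).

def word(data, i):
    """Big-endian 16-bit word at zero-based byte index i."""
    return (data[i] << 8) | data[i + 1]

def sign12(v):
    """12-bit two's complement: 0x001 -> +1 (right), 0xFFF -> -1 (left)."""
    return v - 0x1000 if v & 0x800 else v

def decode(can_id, data):
    """Map one frame to named signals; {} for IDs or lengths not handled."""
    if can_id == 0x120 and len(data) >= 3:
        return {"rpm_raw": word(data, 0),
                "throttle_pct": round(data[2] * 100 / 255, 1)}
    if can_id == 0x129 and len(data) >= 1:
        gear = data[0] >> 4
        return {"gear": "N" if gear == 0 else str(gear),
                "clutch_raw": data[0] & 0x0F}
    if can_id == 0x290 and len(data) >= 2:
        return {"front_brake_raw": word(data, 0)}
    if can_id == 0x12B and len(data) == 8:
        packed = (data[5] << 16) | (data[6] << 8) | data[7]  # bytes 6,7,8
        return {"front_wheel_raw": word(data, 0),
                "rear_wheel_raw": word(data, 2),
                "tilt_raw": packed >> 12,
                "lean_deg": sign12(packed & 0xFFF) / 10.0}  # 123 -> 12.3
    return {}

def resample(lines, hz=10):
    """One row per tick holding the latest value of every signal seen so far."""
    period = 1000 // hz
    rows, state, next_tick = [], {}, None
    for line in lines:
        try:
            t, ident, hexdata = line.strip().split(",")
            t, can_id, data = int(t), int(ident, 16), bytes.fromhex(hexdata)
        except ValueError:
            continue  # malformed or truncated log line
        if next_tick is None:
            next_tick = t + period
        while t >= next_tick:  # frames at or after a tick go into the next row
            rows.append({"t_ms": next_tick, **state})
            next_tick += period
        state.update(decode(can_id, data))
    return rows

# Constructed sample log (values invented for illustration).
SAMPLE = [
    "0,120,05DC000000000000",
    "10,12B,0123012000000000",
    "20,129,1000000000000000",
    "60,120,05DC800000000000",
    "100,12B,012301200000007B",
    "not,a,frame",
    "150,290,3500000000000000",
    "210,12B,0000000000123F85",
    "300,129,3800000000000000",
]

if __name__ == "__main__":
    for row in resample(SAMPLE):
        print(row)
```

Signals that update at different rates (100 vs 50 samples per second in the first post) end up on a common time base because each row holds the last value seen before its tick.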

Seattle Dan
Minimoto racer
 
Posts: 6
Joined: Sun Jan 08, 2017 4:10 pm
Location: Seattle

Re: Results from hacking the KTM SuperDuke 1290 CAN bus

Postby Seattle Dan » Sat Jan 28, 2017 11:06 pm

And for sake of readability for everyone, here's an image of what I know at this point:

Image

Dukem
Minimoto racer
 
Posts: 71
Joined: Fri Nov 22, 2013 9:19 am
Location: Melbourne, Australia

Re: Results from hacking the KTM SuperDuke 1290 CAN bus

Postby Dukem » Sun Jan 29, 2017 10:31 pm

any of you speak English???

hahah good work boys! Looking into getting my ECU flashed and this makes me understand what needs to be done. However I'm most interested in throttle maps. Apparently this makes a huge improvement to the Superduke feel

jmann
moderator
 
Posts: 1741
Joined: Sun Mar 22, 2009 2:28 am
Location: Sunny Adelaide, Australia

Re: Results from hacking the KTM SuperDuke 1290 CAN bus

Postby jmann » Sun Jan 29, 2017 11:42 pm

Dukem wrote:any of you speak English???


LOL comrade Dukem UR funie.

Actually, it's a strange contradiction that both Dan and I seem to have a reasonable command of the English language as demonstrated above. I think that, prior to retirement, the reason I rose to the top of my profession (IT) was that I had the ability to tell the folks that held the money, what needed to be done, in simple, down to earth terms. For example, "Loading an existing map is the easy part, creating a new one is the hard part because it's encrypted". :evil:

abc
Stunt rider
 
Posts: 666
Joined: Tue Dec 17, 2013 11:21 pm
Location: snowy mountains

Re: Results from hacking the KTM SuperDuke 1290 CAN bus

Postby abc » Mon Jan 30, 2017 4:21 am

so does all this mean that one day we will be able to either shorten the throttle twist or increase the ramp angles on the throttle maps. Being able to change the throttle map ramp angles is going to make a huge difference to the 1290.
I hope this will become possible once all this is decoded 8)
Any modifications you undertake are your sole responsibility, I am not liable for any claims relating to modifications or suggestions posted on this forum. If you undertake any modifications you do so at your own risk.

jmann
moderator
 
Posts: 1741
Joined: Sun Mar 22, 2009 2:28 am
Location: Sunny Adelaide, Australia

Re: Results from hacking the KTM SuperDuke 1290 CAN bus

Postby jmann » Mon Jan 30, 2017 4:56 am

abc wrote:so does all this mean that one day we will be able to either shorten the throttle twist or increase the ramp angles on the throttle maps. Being able to change the throttle map ramp angles is going to make a huge difference to the 1290.
I hope this will become possible once all this is decoded 8)


Unfortunately comrade abc the short answer is no.

Comrade Dan is simply trying to build a race data tracker and although reading data is easy, knowing what and how to change other stuff is far more complicated. Perhaps comrade Dan will have fresh eyes and be smarter than me and see stand out stuff that I haven't noticed. Sorry :cry:

OzBeast
Minimoto racer
 
Posts: 35
Joined: Thu Jun 12, 2014 5:56 am
Location: Melbourne, Australia

Re: Results from hacking the KTM SuperDuke 1290 CAN bus

Postby OzBeast » Wed Sep 13, 2017 9:06 am

Ahh yes, but it doesn't have to stop here. :wink:

Finally I find the holy grail of 1290 posts! :twisted: :mrgreen:

I'd been on my own very slow and unproductive CANBUS, OBDII and ECU mapping adventure since the posts fizzled and died out back in 2014 about accessing the ECU over the diag connector.

I thought I was the only one still trying but it appears not.

Amazing work Dan, this is exactly what I've been looking for and same to you for your work jmann.

I have a few agendas with this, are you guys interested in looking into it further?

I've the full PCV setup on my bike with autotune dual channel and ignition module. I've been logging a lot recently to the POD-300 by dynojet. I've got csv files everywhere but it's all powercommander and no internal to the bike communications and that's what I want to harness and combine.

Love your work. Cheers. 8)
625 SMC Sold
525 SMR Sold
690 SMC Sold
1290 SDR Best motorcycle on the planet :twisted:

