Expose CAN Bus(es) - MG ZS

!! STOP !! - Warning

Accessing the vehicle network is potentially dangerous: these two wires control all vehicle signals and communication. If they are damaged, short-circuited, or altered in any way, there is a risk that functions, systems, or even the whole car may fail to work as intended.

The OBD Port

Our initial plan was to access the MG via the OBD (SAE J1962) port. This is how most apps and Bluetooth dongles interface with vehicles (e.g. PHEVwatchdog, Dr Prius, Leaf Spy).

Unfortunately, SAIC has not made it that easy for us! Although there is some CAN on pins 6 and 14, this appears to be limited to diagnostics and basic OBD requirements only. The only traffic seen was an occasional CAN message in the "0x7xx" range, and the bus appears to negotiate speed, communicating at both 500 and 800 kbps. As can be seen in the image, this is all there is on the back connector.

It is not at all surprising that SAIC has done this. OBD is not a Chinese specification, it does not require access to "normal" CAN traffic, and it is not secure to allow full access to the whole vehicle CAN on such an accessible port.
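The check behind the "diagnostics only" conclusion can be run over a capture from any tap point. The following is an added example, not code from the original page: it summarises a `candump -l` style log per interface and flags a bus on which every ID falls in the 0x7xx range. The interface names (can0 for the OBD pins, can1 for a gateway tap) and all frames are constructed assumptions.

```python
import re
from collections import defaultdict

# One classic CAN frame per line in `candump -l` format: (time) iface ID#DATA
LINE_RE = re.compile(r"\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#")

# Constructed sample, not captured from a vehicle. Assumption: can0 is a tap
# on OBD pins 6/14 and can1 a tap at the gateway module; all IDs are made up.
SAMPLE_LOG = """\
(1700000000.000000) can0 7E0#0000000000000000
(1700000000.030000) can0 7E8#0000000000000000
(1700000004.000000) can0 7E0#0000000000000000
(1700000000.000000) can1 1A0#0011223344556677
(1700000000.010000) can1 1A0#0011223344556677
(1700000000.015000) can1 2B4#00FF
(1700000000.020000) can1 1A0#0011223344556677
(1700000000.030000) can1 1A0#0011223344556677
"""

def parse(log):
    """Yield (timestamp, interface, can_id) for every line that is a frame."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m.group(1)), m.group(2), int(m.group(3), 16)

def summarize(log):
    """Per interface: IDs seen, frames per second, and whether all are 0x7xx."""
    seen = defaultdict(lambda: defaultdict(list))
    for ts, iface, can_id in parse(log):
        seen[iface][can_id].append(ts)
    report = {}
    for iface, ids in seen.items():
        stamps = [t for times in ids.values() for t in times]
        span = max(stamps) - min(stamps)
        report[iface] = {
            "ids": sorted(ids),
            "frames": len(stamps),
            "rate_hz": len(stamps) / span if span > 0 else 0.0,
            "diagnostic_only": all(0x700 <= i <= 0x7FF for i in ids),
        }
    return report

if __name__ == "__main__":
    for iface, info in summarize(SAMPLE_LOG).items():
        ids = " ".join(f"0x{i:03X}" for i in info["ids"])
        print(f"{iface}: {info['frames']} frames, {info['rate_hz']:.1f}/s, "
              f"diagnostic-only={info['diagnostic_only']}, IDs: {ids}")
```

A low frame rate combined with `diagnostic_only` being true matches what the page reports on the OBD pins. A bus carrying periodic IDs below 0x700 is broadcasting normal vehicle traffic.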

Alternative Access Location

With the OBD port ruled out, we had to find another way into the vehicle CAN buses. Two viable locations were found by performing pin analysis using a Picoscope and a multimeter. These are an inline connector in the driver's footwell, and the gateway module itself, located behind the passenger glovebox.

See the Notes here, which were made on a 2019 UK-spec MG ZS EV.

The best location we found was that of the gateway module, where 5 CAN buses were found:

Two of these were of particular interest:

  • RED: This CAN bus remained active during the charging/locked state, assumed to be the Electric Powertrain CAN
  • GREEN: The traffic on this bus, and the locations the Green/Yellow wires were seen, makes this look like a primary or body CAN

To access these buses, wire pins were pushed into the back of the connector and secured with tape (a temporary fix until a proper breakout harness can be made). These were connected to a D-SUB9 with the standard CAN pin-out and NO termination resistance. The CAN buses are all operating at 500 kbps.

With these access points we started the decode process, shown here.