Controlling OEM CAN device, w/o stock ECU

I'd like to be able to control an OEM electric power steering motor. But I don't have the factory ECU, so I can't capture traffic that would be going to the power steering unit.

Is there any strategy to figure out what messages the unit needs to function? Or just googling, or maybe trying to get my hands on a stock car with the same unit is my only option?

is sniffing the can network of a factory vehicle an option at all?

usually they're looking for vehicle speed and some sort of message to state the engine is on.. (engine rpm, etc.)

For some simple devices like say for instance a temperature gauge you can sometimes do what is called "bombing" - this is where you send a fixed or variable message with a different ID every send, if you get lucky you will see the needle move when the correct ID is passed. Then when you know the ballpark ID you can hone in and send smaller ranges until you find the ID. Once you have the ID then you can do a similar technique varying different parts of the message until you find which byte or range of bits is responsible.

However doing that with a power steer system would be difficult as there is usually no visual or audio feedback from just hitting the correct ID - you may hear a wake-up relay click if you are lucky - but generally it would also want the correct sequence of bits at the same time as the correct ID.

Sniffing a stock car with the same pump is the only way (unless google finds someone else's work) and EPAS can be one of the trickier ones to reverse engineer as they are often looking for data from at least two other devices.

Yeah, makes total sense, that's basically what I figured. I might know someone with a stock ECU that I might be able to do a capture.

Another thought I just had: most of the data that the EPAS needs are part of the standard OBDII dataset. My ECU supports broadcasting OBDII data, so I can try turning that on, and maybe I'll get lucky and it will just work.

No, OBD2 is not broadcast data and the EPAS will not send and OBD2 requests - OBD2 is only used for diagnostics (or very slow displays) as the acronym suggests.

OBD2 is a request/response protocol. So for instance for RPM, the scan tool (or other obd2 reader) needs to first send a request "please tell me current engine RPM", the ecu then responds with only a single snapshot of the current RPM. If the scan tool wants continuous RPM then it has to send the request over and over again every time it gets a response. Your ECU will not just broadcast OBD2 data unless there is something requesting the data.

EPAS can be quite complex - A ford one I was researching for someone recently needed Steering angle, Steering angle rate of change, vehicle speed, an enable message and a couple of other messages to confirm other relevant sensors were initialised and working correctly.

We've got such great members on this forum! Adam and Mitch are on the money, and this is my experience too. You're going to have to sniff an OEM vehicles bus and go from there, and it's likely to be a pretty complex one. Having the power steering OBD2 data might be helpful for the reverse engineering though.

You're going to need a mechanical test rig setup I'd say, this could be the car itself. I'd get a capture of the factory can traffic, and play this back into your test rig and see what the power steering does. If it wakes up and does things, start removing messages from your playback till its operation changes, and then the last message you removed must be one the EPAS ecu listens to, so you know to investigate it more thoroughly.