Announcement

Collapse
No announcement yet.

articles on hacking your vehicle bus

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • articles on hacking your vehicle bus

    i put up a couple posts on my blog about hacking your vehicle bus... might be useful to those just starting out trying to determine how to interface with things like steering wheel buttons, door locks, windows/sunroof, stereo information, etc.

    the posts use my 2003 Jeep Grand Cherokee as an example, which uses the Chrysler PCI Data Bus (SAE J1850 VPW protocol). everything should apply to those hacking on newer CAN-Bus vehicles as well - you'd just have to look at the datasheets i reference for the correct ELM AT commands.

    i focused on how to use a laptop or tablet/phone to gather the information you need from the bus. once you have the info, you would then write an app for the laptop/tablet/phone or microcontroller code depending on your exact scenario. you could continue to use an ELM327 interface if you are working with a laptop/tablet/phone. if you are going to be using a microcontroller then you could still hack into an ELM based scan-tool (before the USB/Bluetooth interface portion of the circuits), but it would probably be simpler to just buy the correct shield or breakout board.
    Last edited by theksmith; 04-25-2013, 04:19 AM.

  • #2
    Very nice...
    Did you write all of both articles?
    The picture with the breadboard on it looks alot like a Parallax Propeller module. Did you use one of these to make your ODBII connection or what is the story?

    I am thinking of getting one of the scantool modules and link it to a parallax prop for my vehicle.
    Last edited by redheadedrod; 04-25-2013, 02:36 PM.

    Comment


    • #3
      yes i wrote the articles, all stuff i assimilated or learned while doing my tablet install.

      for my own carputer, i just used the USB scan tool connected to the tablet and wrote and android app to watch for the steering wheel buttons.

      the breadboard pic is of an Arduino Nano from another project i was working on. just using the picture in reference to the statement in the article about most people using a microcontroller for this type of thing but that i didn't go that route.

      Comment


      • #4
        Nice write up. Now we need an article on creating a android app to listen for steering wheel buttons

        Comment


        • #5
          Originally posted by that_kid View Post
          Nice write up. Now we need an article on creating a android app to listen for steering wheel buttons
          thanks!

          there's a link after the video in the second article to my github account. i made the app open source. the code is documented pretty decently so that people can use it as a base for their own version.

          Comment


          • #6
            This is great news for me.

            CAN bus is much easier to work with, but with my PCI bus Chrysler there just hasn't been as much put into hacking it. You're methods will work in identicle fasion for me. Thank you very much for sharing your work.
            Computer is in the car, but in a very "raw" install right now.

            Worklog - here

            Comment


            • #7
              Originally posted by theksmith View Post
              thanks!

              there's a link after the video in the second article to my github account. i made the app open source. the code is documented pretty decently so that people can use it as a base for their own version.


              Excellent, I'll be checking this out shortly. Thanks

              Comment


              • #8
                I just ordered my OBD port reader and a OBD Y cable as well so I can leave a service port open in the stock location. I'm just using the USB version with the computer in the car.

                I'll start working on it right away when it arrives.

                Could you possibly post a lit of the codes you've successfully deduced for your car? I'm working on a similar year Chrysler that uses a lot of the same electronics.
                Computer is in the car, but in a very "raw" install right now.

                Worklog - here

                Comment


                • #9
                  my open source Steering Wheel Interface Android app has evolved into a new more flexible app called Car Bus Interface: https://github.com/theksmith/CarBusInterface (still open source)

                  the new app uses a Bluetooth OBD2 adapter instead of USB, so should work for more people. it's also much easier to configure the startup ELM327 AT commands (including any advanced CAN BUS filtering commands needed), and to configure multiple monitors/responses for different bus messages.

                  i've had a few people contact me about the old Steering Wheel Interface app, so i know it's getting used - but know one has really sent me any info on what bus messages they monitor on different vehicles... i would like to hear about folk's experiences with snooping their vehicle bus and how they identified the messages they needed to monitor for.

                  Comment


                  • #10
                    Wow this is great. For me I've spent many cold days sitting in the car messing with buttons, knobs, inserting keys and all sorts of things just to see what changed with the live data. I even did captures of particular events like connecting the nav unit to the bus to see the setup messages. There's still lots of things I need to probe for but right now I have a bunch of the information I needed. Also I have to thank users over at the gti forums for providing information on the VW canbus which helped me tremendously.

                    Comment


                    • #11
                      So if you want to hook to the Single wire protocols I am assuming you connect the -Can to ground and +Can to the data line. Is that correct?

                      Rodney

                      Comment


                      • #12
                        Originally posted by redheadedrod View Post
                        So if you want to hook to the Single wire protocols I am assuming you connect the -Can to ground and +Can to the data line. Is that correct?

                        Rodney

                        Originally posted by redheadedrod View Post
                        So if you want to hook to the Single wire protocols I am assuming you connect the -Can to ground and +Can to the data line. Is that correct?

                        Rodney
                        which protocol exactly?

                        mine is Chrysler J1850 VPW which is a single wire so i had to hook up as follows:

                        [16] to +12v
                        [4] & [5] to ground
                        [2] to the Chrysler PCI data line



                        the above picture is the port on the vehicle, i'm actually talking about the pins on the OBD2 adapter itself, which is the mirror image of that i guess

                        Comment


                        • #13
                          I guess based on this link:

                          http://www.archivedsites.com/techcon...n_feb_09_F.pdf

                          I am using pin #2 to communicate with it. Not sure how to go from there..
                          By your display it looks like I would need to tie into 2 and 10 but they only show #2.

                          And I am not sure how you actually connect to it that way.

                          I also just found this video that goes into detail:

                          https://www.youtube.com/watch?v=98h9qULPRus

                          Rodney
                          Last edited by redheadedrod; 08-12-2014, 02:38 PM.

                          Comment


                          • #14
                            Originally posted by redheadedrod View Post
                            I guess based on this link:

                            http://www.archivedsites.com/techcon...n_feb_09_F.pdf

                            I am using pin #2 to communicate with it. Not sure how to go from there..
                            By your display it looks like I would need to tie into 2 and 10 but they only show #2.

                            And I am not sure how you actually connect to it that way.

                            I also just found this video that goes into detail:

                            https://www.youtube.com/watch?v=98h9qULPRus

                            Rodney

                            interesting, so on quick glance it looks like some GM vehicles speak a CAN protocol on pins 6/14 and that's the default OBD2 interface which can connect to engine or interior systems. however, they also still support the older J1850 VPW (one-wire) protocol on pin 2 (what GM refers to as "Class 2"). that Class 2 interface on pin 2 might be limited to interior systems depending on how exactly that BCM gateway works, not sure.

                            so theoretically, if you have a vehicle configured like the PDF shows (i'm not sure the year range on that) - then you should be able to just plug right into the diagnostic port and either:

                            - set the protocol to J1850 VPW (Class 2) using command ATSP2, and then use traditional commands like ATMA to see bus traffic. this would be very much like what i'm doing in my Jeep.
                            - OR set the protocol to the correct CAN one (or maybe AUTO will choose the right one), and then you'll need to explore more about what AT commands are needed to interact with the CAN system as it's more complex and i'm not up on CAN yet.

                            i don't see a need to splice into any wiring really.
                            Last edited by theksmith; 08-12-2014, 03:24 PM.

                            Comment


                            • #15
                              @redheadedrod - i was doing more research into this general area and realized that in my previous post i failed to comprehend even close to a full picture of how GM vehicle networks can be setup. my current understanding is:


                              - older GM vehicles (i think ~1995 to ~2004-ish) used the "Class 2" protocol for everything. it conforms to the OBDII spec ISO 9141 / SAE J1850 (the 10.4 kbps VPW single-wire variation). you should be able to use pin 2 on any standard ELM327 compatible OBD2 adapter to talk to this network (and of course pins 4&5 go to ground and pin 16 to +12v). you would issue the command ATSP2 to force to this protocol. for these models/years, i am unsure if hooking to pin 2 on the car's diagnostic port will provide an interface to only the diagnostic bus or if all buses are linked to it (or if there are even separate busses), you'd have to explore. 10.4kbps is a slow crawl and should be easy enough to decipher something out of if the bus isn't too saturated.


                              - about 2004 GM started to use CAN protocols along with the Class 2 systems. they called their CAN protocols GMLAN, and they come in 2 flavors - high speed and low speed (GMLAN HS & GMLAN LS). technically they have a mid speed version too but i haven't seen anything about what might use it.

                              -- the Class 2 bus was kept around for most interior items like doors, HVAC, some radio models, etc. - but only for a few years.

                              -- for "not that old" cars the GMLAN LS bus augmented the Class 2 bus to do "other" interior stuff including the Heads-Up Display and certain radio versions. on newer cars (not sure the year), i the Class 2 bus is completely gone and all non-essential systems talk on this GMLAN LS bus. this LS bus is also known as Single Wire CAN or SW CAN, and as the name implies it's a bastard CAN standard that uses only one wire (SAE J2411). it moves at brisk walk of 33.33 kbps. it seems to be fairly standard that pin 1 on the car's diagnostic port gives access to this bus. however, it's not a standard OBDII thing, nor even a typical CAN implementation so talking to it requires a special transceiver usually not found in 99% of ELM327-compatible OBD2 dongles. however, ScanTool's OBDLink MX Bluetooth DOES have the right stuff and it's tied to pin 1 already: http://amzn.to/1vccPpn - i believe this product is using their stn1170 IC, but i cannot find in their datasheets what AT or ST commands are required to switch to this protocol, hopefully they would be forthcoming with the info as using this adapter would be a simple way to work with this bus. otherwise, the SparkFun CAN Bus shield is rumored to work with SW CAN though not really designed for it, and then there is the relatively new Raspberry PI CarberryPi shield project. of course you could go lower level and build your own circuit around any number of commercial transceiver ICs, but that's work.

                              -- the GMLAN HS bus is used for powertrain and other important things that need near real-time interaction. it is a "normal" 2 wire CAN setup that conforms to the OBDII spec ISO 15765-4 / SAE J2284-3 (11 bit, 500 kbps warp speed). it will appear on the car's diagnostic port on the standard CAN pins 6 & 14 and most any OBD2 adapter should be able to talk to this (ATSP6 i think is the correct command). however, that might only get you diagnostic bus info... other pins may have additional GMLAN busses (check out the Chevy Volt for example...) however, note that only the latest versions of the ELM327 firmware (v2.1) include advanced CAN capabilities (and i don't know where to buy an OBD2 dongle with a genuine ELM327 IC in it). dongles based on ScanTool's stnXXXX ICs also look to have extra "ST" commands for dealing with CAN systems.


                              sorry for the long post, but didn't want my previous one to mislead anyone. mainly it sounds like it depends on your model year whether you care about Class 2 on pin 2 or SW CAN on pin 1.
                              Last edited by theksmith; 08-19-2014, 07:34 AM.

                              Comment

                              Working...
                              X