Eavesdrop on OBD2 Data Communication

Post by MartinViljoen » Tue Oct 07, 2014 8:09 pm

You get 3rd party devices that allow you to alter the way your vehicle's computer "thinks".
I upgraded my Jeep's tires from 31" to 34". When I upgraded the tires I also had to get wider rims to accommodate the new tires' width.
In the process I lost the TPMS (Tire Pressure Monitoring System). Each wheel has a sensor that detects the tire pressure and sends it wirelessly to the Jeep's computer.

So because they aren't there, the Jeep is complaining about the tire pressure and showing a flat tire icon in the Jeep's display cluster.
I bought a tool that can disable or adjust the tire threshold.

Of course I'm into OBD2 hacking and can't help wondering which messages it's sending to disable TPMS, so I figured out a way to dump all data communication between the Jeep's OBD2 port and the programmer to file.

The idea was to capture the data then play it back into the OBD2 port to see if I'm able to disable the TPMS using an Arduino.

Using my CAN-BUS sniffer, I was indeed able to connect and dump the data I wanted.
But to my surprise I found there was more communication happening than I thought; my fear was that it writes a totally new program to the Jeep via the OBD2 port.
But luckily it seems like it only changes a parameter, but it also communicates a whole lot more than I expected, which is a bummer because the more communication happens, the more hectic it gets to figure out what the messages do.

When I connected my sniffer in parallel with the programmer and OBD2 port it delivered about 60/80 messages.


How the programmer works.
While the Jeep's key is in the ON position (not started) it connects, then requests the VIN number.
After finding the VIN number it determines the year model of the Jeep. The programmer supports Jeep Wrangler models from 2007 to 2014; the engine changed in 2012 from a 3.8L V6 to a 3.6L V6, which means the ECU and many other things have changed. Hence the reason for the programmer to get the VIN and year. The programmer also copies the VIN to its memory so that you cannot use the device on another Jeep until you have restored the settings back to default; only then will it release the VIN and copy that of the next Jeep it connects to. When the programmer has finished programming the Jeep it honks the hooter twice to inform the user it's done. These 2 honks are also CAN-BUS messages, probably only 2 messages.

This exercise cost me though!
I went and reset the programmer device back to factory defaults, then connected my SeeedStudio CAN-BUS shield to try and send messages to it. I worked through most of the messages and skipped a few as I could not figure out if they came from the programmer or the Jeep. But somehow I must have supplied a fictitious VIN, not knowing afterwards what I sent as I changed the Arduino code on the go without saving in between, which basically now locked me out of the device because according to the programmer it's assigned to a non-existent Jeep. The programmer was R2500, so you can imagine I'm a bit irritated with myself.

But all is not over. I'm saving up for another one, but this time I will be trying a different brand.

I could at least try some of the messages by sending them into the Jeep.
Oh man! What a bugger up. It took a few seconds, then the next moment the Jeep's hooter went off and gave one long hoot; even after taking out the key it still carried on. The Jeep only switches off the CAN-BUS system a few seconds after you remove the keys from the ignition.

After switching it back on again with my CAN-BUS shield removed it was fine again. Scary stuff!!!

This is how I went about hooking it up to eavesdrop on the CAN-BUS.
IMPORTANT How to build a CAN-BUS Sniffer Device - viewtopic.php?f=14&t=15

[Image: photo(1).JPG]

Later on I opened the Jeep programmer and soldered a wire on the inside and made a hole in the side with a female plug so that I can attach it to the SeeedStudio CAN-BUS Shield.
Pin 14 runs to the CAN-L screw connector on the shield and Pin 6 from the programmer runs to the CAN-H screw connector on the CAN-BUS Shield.

TPMS disable
Below is some of the data I captured.
Code:
Enter setting mode success
set rate success!!
Enter Normal Mode Success!!
CAN BUS Shield init ok!
<1536,2,26,136,0,0,0,0,0,>
<1280,16,19,90,136,49,74,52,66,>
<1536,48,0,0,0,0,0,0,0,>
<1280,33,69,54,68,49,52,65,76,>
<---REMOVED this message so my VIN cannot be decoded--->
<1568,2,33,10,0,0,0,0,0,>
<1284,16,18,97,10,240,2,17,2,>
<1568,48,0,0,0,0,0,0,0,>
<1284,33,10,4,0,3,0,0,34,>
<1284,34,0,0,0,2,3,15,0,>
<1568,2,33,176,0,0,0,0,0,>
<1284,16,20,97,176,2,0,0,0,>
<1568,48,0,0,0,0,0,0,0,>
<1284,33,0,0,0,0,71,194,236,>
<1284,34,0,225,0,255,255,15,0,>
<1568,2,33,178,0,0,0,0,0,>
<1284,16,11,97,178,0,0,0,0,>
<1284,33,0,0,0,0,0,194,236,>
<1568,2,33,18,0,0,0,0,0,>
<2015,2,62,2,0,70,84,87,33,>
<1568,2,16,146,0,0,0,0,0,>
<1284,2,80,146,250,1,192,4,216,>
<1568,2,33,11,0,0,0,0,0,>
<1568,48,0,0,0,0,0,0,0,>
<1284,33,1,2,3,0,255,156,128,>
<1284,34,30,147,97,11,14,0,133,>
<2015,2,62,2,0,70,84,87,33,>
<1568,48,0,0,0,0,0,0,0,>
<1568,2,16,146,0,0,0,0,0,>
<1284,2,80,146,97,11,14,0,133,>
<1696,2,16,146,0,0,0,0,0,>
<1300,2,80,146,7,0,0,0,0,>
<1568,4,48,173,7,1,0,0,0,>
<1284,3,112,173,7,11,14,0,133,>
<1696,4,48,64,7,1,0,0,0,>
<1300,3,112,64,7,0,0,0,0,>
<1568,4,48,173,7,0,0,0,0,>
<1284,3,112,173,7,11,14,0,133,>
<1696,4,48,64,7,0,0,0,0,>
<1300,3,112,64,7,0,0,0,0,>
<1568,4,48,173,7,1,0,0,0,>
<1284,3,112,173,7,11,14,0,133,>
<1696,4,48,64,7,1,0,0,0,>
<1300,3,112,64,7,0,0,0,0,>
<1568,4,48,173,7,0,0,0,0,>
<1284,3,112,173,7,11,14,0,133,>
<1696,4,48,64,7,0,0,0,0,>
<1300,3,112,64,7,0,0,0,0,>
<1924,2,17,130,0,0,0,0,0,>
<1536,2,17,130,0,0,0,0,0,>
<1280,3,127,17,18,48,52,52,0,>
<1925,3,127,17,128,0,0,0,0,>


In general a CAN bus message consists of 8 BIT and a CAN-ID.
The above messages are all in DEC ASCII mode, so the first value, i.e. 1925, is the CAN node's ID where the message comes from; 3,127,17,128,0,0,0,0, are the bits, which can be in between 1 and 255.

Looking at the first 4 messages.
Code:
<1536,2,26,136,0,0,0,0,0,>
<1280,16,19,90,136,49,74,52,66,>
<1536,48,0,0,0,0,0,0,0,>
<1280,33,69,54,68,49,52,65,76,>
<1280,34,50,48,54,48,52,52,0,>


The very first message <1280,16,19,90,136,49,74,52,66,> means "Give me your VIN number", which must be coming from the programmer.
The second message <1280,16,19,90,136,49,74,52,66,>, when converted to ASCII using the below table, gives you the first part of my Jeep's VIN.

[Image: asciifull.gif]

The 3rd message <1536,48,0,0,0,0,0,0,0,>: I found there is always 1 or more messages coming from the Jeep after each other, so this means that the OBD2 port is telling the programmer the VIN is too long to fit in one message, AKA a "frame", and is about to send more.

The last 2 messages <1280,33,69,54,68,49,52,65,76,> and <1280,34,50,48,54,48,52,52,0,> are the rest of the Jeep's VIN number.

When viewing the codes in Excel and using a VBA macro to convert each bit to an ASCII alphanumeric readable code, it looks like this.

[Image: VINremoved.png]

So from the above you can clearly see my VIN number.

Which starts with 1J4BE6D14AL... and the rest I removed so someone from the Interweb cannot try something funny with my VIN. :twisted:

Using the below VIN decoder you are able to determine where my Jeep was made in the US.

[Image: vindecoder.png]

To come to a conclusion: if you have some time on your hands you can reverse engineer quite a few things using a CAN-BUS sniffer.
MartinViljoen
 
Posts: 110
Joined: Mon Oct 06, 2014 5:23 pm
Location: Centurion South Africa
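
Added example, not part of the original posts: a Python sketch that parses sniffer output in the `<id,b0,...,b7,>` format shown above and reassembles multi-frame messages, assuming standard ISO-TP (ISO 15765-2) framing, where the high nibble of the first data byte marks single (0), first (1), consecutive (2) and flow-control (3) frames. The capture and the VIN in it are constructed placeholders, and the function names are this example's own.

```python
import re

# Constructed capture in the thread's "<id,b0,...,b7,>" decimal format.
# The VIN in it is a made-up placeholder, not a real vehicle's.
SAMPLE = """<1536,2,26,136,0,0,0,0,0,>
<1280,16,19,90,136,49,74,52,84,>
<1536,48,0,0,0,0,0,0,0,>
<1280,33,69,83,84,48,48,48,48,>
<1280,34,49,50,51,52,53,54,0,>"""
FRAME_RE = re.compile(r"<(\d+(?:,\d+)*),?>")

def parse_capture(text):
    """Yield (can_id, data) for every well-formed 8-byte sniffer line."""
    for m in FRAME_RE.finditer(text):
        nums = [int(n) for n in m.group(1).split(",")]
        if len(nums) == 9 and all(b <= 255 for b in nums[1:]):
            yield nums[0], bytes(nums[1:])

def reassemble(frames):
    """Rebuild ISO-TP (ISO 15765-2) payloads; returns [(can_id, payload)]."""
    pending, out = {}, []          # pending: can_id -> [total, buffer, next_seq]
    for can_id, data in frames:
        kind, low = data[0] >> 4, data[0] & 0x0F
        if kind == 0:              # single frame: low nibble is the length
            out.append((can_id, data[1:1 + low]))
        elif kind == 1:            # first frame: 12-bit total length follows
            pending[can_id] = [(low << 8) | data[1], bytearray(data[2:]), 1]
        elif kind == 2 and can_id in pending:   # consecutive frame
            total, buf, seq = pending[can_id]
            if low != seq:         # lost or reordered frame: discard message
                del pending[can_id]
                continue
            buf += data[1:]
            pending[can_id][2] = (seq + 1) & 0x0F
            if len(buf) >= total:  # complete: trim the padding bytes
                out.append((can_id, bytes(buf[:total])))
                del pending[can_id]
        # kind 3 is flow control: no payload, so nothing to collect
    return out

def printable(payload):
    """ASCII view of a payload; non-printable bytes become '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload)

if __name__ == "__main__":
    for can_id, payload in reassemble(parse_capture(SAMPLE)):
        print(can_id, len(payload), printable(payload))
```

Because the decoded payload exposes the full VIN, a capture should be reassembled and checked like this before it is shared publicly.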

Re: Eavesdrop on OBD2 Data Communication

Post by RURIY » Wed Nov 19, 2014 11:11 pm

Hello dude... first of all, sorry for my bad English, I don't speak (and write) very well!! :D

This is the thing... I'm a student of telecommunications engineering, I'm doing my thesis right now and it's about a communications system between a prototype (designed by students, see BAJA SAE SERIES for more details) and a PC or laptop at 1 km of distance (with XBees).

MY QUESTION IS: I want to use an Arduino for acquisition of all the parameters that I need (speed, accel, rpm, etc.), and I want to send that information in OBD II format (to make it easier and avoid creating an interpreter program)... I was trying to make a routine from your code (viewtopic.php?f=14&t=10&p=11#p11), but when I try to compile, the program shows an error at line 66 or 67 to 70...

In conclusion... I want to send data (any) in OBD II format via serial to a PC like your simulator... can you help me??
RURIY
 
Posts: 1
Joined: Wed Nov 19, 2014 10:49 pm

Re: Eavesdrop on OBD2 Data Communication

Post by MartinViljoen » Thu Nov 20, 2014 9:21 am

RURIY wrote: Hello dude... first of all, sorry for my bad English, I don't speak (and write) very well!! :D

This is the thing... I'm a student of telecommunications engineering, I'm doing my thesis right now and it's about a communications system between a prototype (designed by students, see BAJA SAE SERIES for more details) and a PC or laptop at 1 km of distance (with XBees).

MY QUESTION IS: I want to use an Arduino for acquisition of all the parameters that I need (speed, accel, rpm, etc.), and I want to send that information in OBD II format (to make it easier and avoid creating an interpreter program)... I was trying to make a routine from your code (http://techtinker.co.za/viewtopic.php?f ... 0&p=11#p11), but when I try to compile, the program shows an error at line 66 or 67 to 70...

In conclusion... I want to send data (any) in OBD II format via serial to a PC like your simulator... can you help me??


Hey, welcome to this forum!
What you want to do sounds very doable. Regarding my ECU Simulator, it's using a CAN-BUS shield and an external CAN-BUS library for the shield. The Arduino IDE by default does not include the library, so you have to download it and then import it into the editor; only then will my code compile when you copy and paste it into the IDE.
When I look at the lines mentioned by you, 66 or 67 to 70, it's roughly where it's trying to run CAN-BUS routines which are part of the CAN-BUS library.

If you haven't imported the library

You can download the library here: https://github.com/Seeed-Studio/CAN_BUS_Shield Then simply import it CAN_BUS_Shield-master.zip to just CAN.zip the Arduino IDE doesn't like weird file names.

Point the Arduino IDE to CAN_BUS_Shield-master.zip
[Image: 1.png]

If it was imported correctly you should see the below
[Image: 2.png]

Check if it's available
[Image: 3.png]
MartinViljoen
 
Posts: 110
Joined: Mon Oct 06, 2014 5:23 pm
Location: Centurion South Africa

Re: Eavesdrop on OBD2 Data Communication

Post by MartinViljoen » Thu Nov 20, 2014 9:33 am

When I compiled it just now it didn't want to work; seems like the library I have on my PC is older than the one currently on Seeed's GitHub download page.

The below should work
Code:

// demo: CAN-BUS Shield, receive data with check mode
// if data arrives too fast, e.g. less than 10 ms apart, you can receive it this way
// loovee, 2014-6-13


#include <SPI.h>
#include "mcp_can.h"


unsigned char Flag_Recv = 0;
unsigned char len = 0;
unsigned char buf[8];
char str[20];


MCP_CAN CAN(10);                                            // Set CS to pin 10

void setup()
{
    Serial.begin(115200);

START_INIT:

    if(CAN_OK == CAN.begin(CAN_500KBPS))                   // init can bus : baudrate = 500k
    {
        Serial.println("CAN BUS Shield init ok!");
    }
    else
    {
        Serial.println("CAN BUS Shield init fail");
        Serial.println("Init CAN BUS Shield again");
        delay(100);
        goto START_INIT;
    }
}


void loop()
{
    if(CAN_MSGAVAIL == CAN.checkReceive())            // check if data coming
    {
        CAN.readMsgBuf(&len, buf);    // read data,  len: data length, buf: data buf

        for(int i = 0; i<len; i++)    // print the data
        {
            Serial.print(buf[i]);Serial.print("\t");
        }
        Serial.println();
    }
}




It's still complaining though; it says it's reaching the max amount of lines. Looks like this library is also bigger than before.

If you can wait a little longer until I'm home tonight, I can send you the CAN library I have at home that's working fine.
MartinViljoen
 
Posts: 110
Joined: Mon Oct 06, 2014 5:23 pm
Location: Centurion South Africa

Re: Eavesdrop on OBD2 Data Communication

Post by gtaion » Fri Jul 31, 2015 4:53 pm

Martin,

Have you made any more progress on sniffing what these tuners do? I happen to have a bricked procal as well and don't see much reason to buy another if a tuner can be built. I'm absolutely terrified of messing up my Jeep so any and all knowledge that you are willing to share would be helpful.

Obviously, time-wise it would be easier to buy a new tuner, but why do that when you can learn so much more doing it yourself? My only problem is I'm not familiar with accessing the CAN. I will probably mimic your work because you have done such a great job sharing all of your information, but I have also come across threads using R-Pi's, or one place was selling a CAN-USB adapter. Is the Arduino the best option?
gtaion
 
Posts: 7
Joined: Fri Jul 31, 2015 5:09 am

Re: Eavesdrop on OBD2 Data Communication

Post by MartinViljoen » Sun Aug 02, 2015 8:20 pm

gtaion wrote: Martin,

Have you made any more progress on sniffing what these tuners do? I happen to have a bricked procal as well and don't see much reason to buy another if a tuner can be built. I'm absolutely terrified of messing up my Jeep so any and all knowledge that you are willing to share would be helpful.

Obviously, time-wise it would be easier to buy a new tuner, but why do that when you can learn so much more doing it yourself? My only problem is I'm not familiar with accessing the CAN. I will probably mimic your work because you have done such a great job sharing all of your information, but I have also come across threads using R-Pi's, or one place was selling a CAN-USB adapter. Is the Arduino the best option?


Hi. No, I haven't actually. I can't do this without a new tuner, and I'm also afraid of bricking my Jeep :D My YouTube channel also got a bit screwed by a partner called Recstudios.TV or something.
I'm building a new channel and need some content, so in the future I will most definitely be playing more with CAN-BUS stuff.
MartinViljoen
 
Posts: 110
Joined: Mon Oct 06, 2014 5:23 pm
Location: Centurion South Africa

Re: Eavesdrop on OBD2 Data Communication

Post by gtaion » Mon Aug 03, 2015 9:09 pm

I ordered an Arduino and CAN-Bus shield but started thinking that I might be able to get started a little quicker. I have an OBDLink SX scan tool, and I'm wondering if I could use some jumper wires and connect the scan tool as a sniffer directly to a procal. Do you think it would be possible to use PuTTY and send the VIN data to the procal and see what is sent back?

That would completely take bricking my Jeep out of the equation and would create a cleaner lab environment for seeing what messages are sent. Would this be a trail worth traveling? In your experience with programming CAN-Bus, would this require more two-way communication between the tuner and Jeep than just the VIN handshake?

Ideally what I hope to accomplish would be to be able to use my Rubicon sway bar disconnect and activate the lockers while in 4-Hi, and maybe alter some of the fuel mapping for economy.

Being able to use a laptop to set tire size and TPMS thresholds, etc. seems like a nice starting point for learning how to make changes via the CAN-Bus. Since I have no experience with CAN-Bus, your forum here looks like a really good resource. Do you have any other suggestions of resources for learning CAN-Bus?
gtaion
 
Posts: 7
Joined: Fri Jul 31, 2015 5:09 am

