[ Car Hacking ]

[ Tools | Scripts ]

3rd_brakelight.sh - 11.2023

A simple way to tell UDS (Unified Diagnostic Services) that you want access to its 
input/output functions and you would like to use it for turning the 3rd brake light 
on and off.

While UDS is accessed via the CAN-C bus, the message structure is completely different.
With UDS, the ECU will reply back to every single message with a code of success or a 
failure for each command sent. 

Python 3 has an implementation of UDS I need to check out: udsoncan.

getVehicleTime.sh - 11.2023

JEEP vehicles broadcast the time on both CAN-C & CAN-IHS bus once per second using
message ID 350. This script reads the value from the CAN-IHS bus and returns the 
current value in a human readable form.

PRO TIP: 	If the message is one byte long, it's on the CAN-IHS bus. 
		If the message is eight bytes long, it's on CAN-C bus.
		
When you are converting the numbers you can use the bindechexascii utility, or just
use printf: printf "%d" 0x$value

Blackbox_monitor.sh - 11.2023

This script launches a black-box data recording script and a 
remote start HVAC automation script when the ignition is put into RUN mode or the 
vehicle is remotely started. When the vehicle goes back into OFF or ACCESSORY mode, 
it terminates the black box data recorder.

NOTE: The HVAC script makes its own determination of whether the vehicle was remote 
started or not. It also handles its own exit and does not need to be killed like 
the black box monitor does.

This script takes advantage of message id $122 which exists only on the CAN-IHS bus. 
Messages are sent every tenth of a second, containing the current status of the 
ignition switch. 

It is up to the programmer to catch when the virtual ignition switch changes from 
one mode to another. When the vehicle goes into sleep mode, it will produce no 
messages until the vehicle wakes back up again.

It's possible to repurpose this script to start or kill other processes or 
automatically perform actions (ex: Turn ESS off) as the vehicle goes between 
OFF/ACCESSORY and START/RUN.
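
The transition and sleep handling described above, as an added example over candump log lines (this is not Blackbox_monitor.sh or any code from this page). Only the ID $122 and the tenth-of-a-second rate come from the page; the mode byte values, the `can1` interface name and the one-second sleep threshold are assumptions.

```python
import re

# candump -L log line: "(timestamp) interface ID#HEXDATA"
LINE_RE = re.compile(
    r"^\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#((?:[0-9A-Fa-f]{2})*)$")
IGNITION_ID = 0x122  # from the page: ignition status, CAN-IHS only, every 0.1 s
SLEEP_GAP = 1.0      # assumption: ten missed frames in a row means the bus slept
# ASSUMPTION: placeholder byte values, not taken from a vehicle; capture your own.
MODES = {0x00: "OFF", 0x01: "ACCESSORY", 0x02: "RUN", 0x03: "START"}

def parse_line(line):
    """Return (timestamp, can_id, data) or None for anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m.group(1)), int(m.group(3), 16), bytes.fromhex(m.group(4))

def ignition_events(lines, state_byte=0):
    """Return (timestamp, old_mode, new_mode) for each ignition transition."""
    events, last_mode, last_ts = [], None, None
    for line in lines:
        frame = parse_line(line)
        if frame is None or frame[1] != IGNITION_ID or len(frame[2]) <= state_byte:
            continue
        ts, _, data = frame
        mode = MODES.get(data[state_byte], "UNKNOWN(0x%02X)" % data[state_byte])
        # Silence longer than SLEEP_GAP: the vehicle slept after the last frame seen.
        if last_ts is not None and ts - last_ts > SLEEP_GAP:
            events.append((last_ts, last_mode, "SLEEP"))
            last_mode = "SLEEP"
        if last_mode is not None and mode != last_mode:
            events.append((ts, last_mode, mode))
        last_mode, last_ts = mode, ts
    return events

# Constructed sample log (not a real capture); includes one truncated frame.
SAMPLE_LOG = """\
(1700000000.000000) can1 122#00
(1700000000.100000) can1 122#00
(1700000000.150000) can1 1C0#00
(1700000000.200000) can1 122#02
(1700000000.250000) can1 122#0
(1700000000.300000) can1 122#02
(1700000000.400000) can1 122#00
(1700000060.000000) can1 122#00
(1700000060.100000) can1 122#02
""".splitlines()

if __name__ == "__main__":
    for ts, old, new in ignition_events(SAMPLE_LOG):
        print("%.1f  %s -> %s" % (ts, old, new))
```
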

Remote_WiFi.sh - 11.2023

This script will disable WiFi on the Raspberry Pi when you use the keyfob to 
lock/unlock your vehicle. This takes advantage of message id $1C0 which exists 
on both CAN-C and the CAN-IHS bus. New messages are sent on this bus every 
10th of a second. 

If a new remote command is received, it will contain an ID which represents 
the command. If no additional commands are received, it will continuously 
report an ID which represents an idle state.

If the vehicle goes into sleep mode, it will not produce any messages until 
the vehicle is awake again.

To enable WiFi: Rapidly press the Unlock button on your fob two times.
NOTE: takes about 10 seconds to be accessible.

pyJeepCan.py - 11.2023

Python script for reading live data from the canbus on a JEEP. Data fields 
can be added simply by adding to monitorlist.

Current data parsed: Battery Voltage, Roll\Tilt\Yaw, RPM\MPH, IAT\Coolant 
Temps, Oil temp\Oil Pressure, Gear, Transfer, Steer Angle\Rate and 
PS Temp\PSI.

[ LABs | Tutorials ]

Python Canbus Lab Guide - 11.2023

Don't have access to a CAN device? No problem, you can simulate one using py-can 
& Can-Utils with the sample canbus log files provided below.

Download: TKCan.py | CANBus Log Files

tkcan.py UI example

Example CANbus development setup using a Raspberry Pi
1. Raspberry Pi 4b (2GB)
2. Software controlled Argon Fan Hat 
   (adjustable cpu fan)
   NOTE: Without the fan, the CPU will still automatically throttle to keep 
   operating temps within a safe operating range.
3. A horizontal GPIO connector 
   (better airflow & spacing)
4. Zero2Go Omni 
   (Better sleep and power management)
5. Waveshare 2 Channel CAN Hat 
   (Used as a dual port adapter)
6. Homebrew Logic Level Converter 
   (Controls the RGB Halos)
7. 40 Pin Stacking headers

image of CAN-C and CAN-IHS bus connections (located behind the glovebox)

DIY OBD-II Diagnostic Cable - 11.2023

I usually access the canbus of the JEEP vehicles I hack on via the unused 
ports behind the glovebox. This offers direct access to two of the vehicle's 13-way CANBus 
connectors. These ports are also granted read AND write on the CANbus. 

As a bonus there is always a free port open for use and it's out of the way of other things,
so there is plenty of room to add components for testing. The other bonus to accessing the canbus
via this location is that we can easily isolate the major components which plug in to this
location as well. The only downfall, aside from taking your dash apart, is that there is no
direct power source in the area. Most of all, it makes it super simple to not interfere with 
another device already using the OBD-II port or needing to bypass the security gateway.

If taking out your glovebox is too much effort or just not possible, you can also access 
the canbus via the OBD-II port. 

However this comes with some limitations...  

One major downfall is it being read-only access (unless you installed a secure gateway 
bypass). It's also the safest way to access the canbus for learning purposes. Writing 
things to the canbus can cause damage or undesirable results. No telling. Use at your own 
risk.

If you understand these limitations and still want to proceed via the OBD-II port, this 
guide will help you in creating your own cable.

Always double check and cross reference sources before playing with your vehicle's canbus.

This is meant to be an informational guide only and can definitely void warranties...

Secure Gateway Modules - ?.?

The Secure Gateway Module: its purpose, its relationship with the OBD-II port, and how it 
interacts with Uconnect radios on JEEPs.

Sniffing ISO-TP Messages over CAN (advanced) - ?.?

Sniffing the CANbus for traffic using candump.


SavvyCan
SavvyCAN is a cross platform QT based C++ program. It is a CAN bus reverse engineering 
and capture tool. It was originally written to utilize EVTV hardware such as the 
EVTVDue and CANDue hardware. It has since expanded to be able to use any socketCAN 
compatible device as well as the Macchina M2 and Teensy 3.x boards. 

SavvyCAN can use any CAN interface supported by QT's SerialBus system (PeakCAN, 
Vector, SocketCAN, J2534, etc). It can capture and send to multiple buses and 
CAN capture devices at once.