[ Car Hacking ]

[ Tools | Scripts ]

3rd_brakelight.sh — 11.2023
A simple way to tell UDS (Unified Diagnostic Services) that you want access to its
input/output functions and would like to use them to turn the 3rd brake light
on and off.

While UDS is accessed via the CAN-C bus, the message structure is completely different.
With UDS, the ECU replies to every single message with a success or failure code for
the command sent.

Python 3 has an implementation of UDS I need to check out: udsoncan.

getVehicleTime.sh — 11.2023
JEEP vehicles broadcast the time on both the CAN-C and CAN-IHS buses once per second
using message ID 350. This script reads the value from the CAN-IHS bus and returns the
current value in a human-readable form.

PRO TIP: If the message is one byte long, it's on the CAN-IHS bus.
         If the message is eight bytes long, it's on the CAN-C bus.

When you are converting the numbers you can use the bindechexascii utility, or just
use printf: printf "%d" 0x$value

This script launches a black-box data recording script and a
remote start HVAC automation script when the ignition is put into RUN mode or the
vehicle is remotely started. When the vehicle goes back into OFF or ACCESSORY mode,
it terminates the black box data recorder.

NOTE: The HVAC script will determine for itself whether the vehicle was remote
started or not. It also handles its own exit and does not need to be killed like
the black box monitor does.

This script takes advantage of message id $122 which exists only on the CAN-IHS bus.
Messages are sent every tenth of a second, containing the current status of the
ignition switch.

It is up to the programmer to catch when the virtual ignition switch changes from
one mode to another. When the vehicle goes into sleep mode, it will produce no
messages until the vehicle wakes back up again.

It's possible to repurpose this script to start or kill other processes or
automatically perform actions (ex: Turn ESS off) as the vehicle goes between
OFF/ACCESSORY and START/RUN.
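
Added example (not one of the site's scripts): one way to catch the mode changes
described above, in Python, from candump -L log lines for message ID $122. The state
byte values, reading the state from the first data byte, the 2-second sleep gap and
the can1 interface name are assumptions for illustration; the sample frames are
constructed.

```python
import re

IGNITION_ID = 0x122   # from the page: CAN-IHS only, one frame every 0.1 s
SLEEP_GAP = 2.0       # assumption: seconds of silence treated as bus sleep
# Assumption: placeholder state bytes, not taken from the page or a vehicle.
RUNNING = {0x04, 0x05}    # stand-ins for RUN / START
STOPPED = {0x00, 0x03}    # stand-ins for OFF / ACCESSORY

# candump -L format: "(timestamp) interface ID#DATA"
LOG_LINE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)")


def ignition_events(lines, running=RUNNING, stopped=STOPPED, sleep_gap=SLEEP_GAP):
    """Return [(timestamp, event)], event being 'run', 'stop' or 'wake'.

    The first decoded frame is reported too, so a caller that starts late
    can sync its recorder to the current mode.
    """
    events, group, last_ts = [], None, None
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or int(m.group(2), 16) != IGNITION_ID or len(m.group(3)) < 2:
            continue                      # other IDs, junk, empty payloads
        ts = float(m.group(1))
        state = int(m.group(3)[:2], 16)   # assumption: state is data byte 0
        if last_ts is not None and ts - last_ts > sleep_gap:
            events.append((ts, "wake"))   # silence means the bus was asleep
        last_ts = ts
        new = "run" if state in running else "stop" if state in stopped else None
        if new is not None and new != group:   # unknown bytes keep the old mode
            group = new
            events.append((ts, new))
    return events


# Constructed sample frames (not a capture from a vehicle).
SAMPLE = """\
(1700000000.000000) can1 122#00
(1700000000.100000) can1 122#00
(1700000000.200000) can1 350#17
(1700000000.300000) can1 122#04
(1700000000.400000) can1 122#FF
(1700000000.500000) can1 122#03
(1700000030.000000) can1 122#03
""".splitlines()

if __name__ == "__main__":
    for ts, event in ignition_events(SAMPLE):
        print(f"{ts:.1f} {event}")
```

A caller would start its recorder on 'run' and stop it on 'stop'; 'wake' only marks that the bus resumed after a silent period.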

Remote_WiFi.sh — 11.2023
This script will disable WiFi on the Raspberry Pi when you use the keyfob to
lock/unlock your vehicle. This takes advantage of message id $1C0 which exists
on both CAN-C and the CAN-IHS bus. New messages are sent on this bus every
10th of a second.

If a new remote command is received, it will contain an ID which represents
the command. If no additional commands are received, it will continuously
report an ID which represents an idle state.

If the vehicle goes into sleep mode, it will not produce any messages until
the vehicle is awake again.

To enable WiFi: Rapidly press the Unlock button on your fob two times.
NOTE: takes about 10 seconds to be accessible.

pyJeepCan.py — 11.2023
Python script for reading live data from the canbus on a JEEP. Data fields
can be added simply by adding to monitorlist.

Current data parsed: Battery Voltage, Roll\Tilt\Yaw, RPM\MPH, IAT\Coolant
Temps, Oil temp\Oil Pressure, Gear, Transfer, Steer Angle\Rate and PS Temp
\PSI.

[ LABs | Tutorials ]

Don't have access to a CAN device? No problem, you can simulate one using py-can
& Can-Utils with the sample canbus log files provided below.

Download: TKCan.py | CANBus Log Files

tkcan.py UI example
Example CANbus development setup using a Raspberry Pi
1. Raspberry Pi 4b (2GB)
2. Software controlled Argon Fan Hat
   (adjustable CPU fan)

   NOTE: Without the fan, the CPU will still automatically throttle to keep
   operating temps within a safe operating range.

3. A horizontal GPIO connector
   (better airflow & spacing)
4. Zero2Go Omni
   (Better sleep and power management)
5. Waveshare 2 Channel CAN Hat
   (Used as a dual port adapter)
6. Homebrew Logic Level Converter
   (Controls the RGB Halos)
7. 40 Pin Stacking headers

image of CAN-C and CAN-IHS bus connections (located behind the glovebox)
I usually access the canbus of the JEEP vehicles I hack on via the unused ports behind
the glovebox. This offers direct access to two of the vehicle's 13-way CANBus
connectors. These ports are also granted read AND write on the CANbus.

As a bonus, there is always a free port open for use and it's out of the way of other
things, so there is plenty of room to add components for testing. The other bonus to
accessing the canbus via this location is that we can easily isolate the major components
which plug in to this location as well. The only downside, aside from taking your dash
apart, is that there is no direct power source in the area. Most of all, it makes it super
simple to avoid interfering with another device already using the OBD-II port, or needing
to bypass the security gateway.

If taking out your glovebox is too much effort or just not possible, you can also access
the canbus via the OBD-II port.

However this comes with some limitations...

One major downside is that access is read-only (unless you have installed a secure
gateway bypass). It's also the safest way to access the canbus for learning purposes.
Writing things to the canbus can cause damage or undesirable results; there is no
telling. Use at your own risk.

If you understand these limitations and still want to proceed via the OBD-II port, this
guide will help you in creating your own cable.

Always double check and cross reference sources before playing with your vehicle's canbus.

This is meant to be an informational guide only and can definitely void warranties.

Secure Gateway Module: its purpose and relationship with the OBD-II port, and how it
interacts with Uconnect radios on JEEPs.

Sniffing the CANbus for traffic using candump.

SavvyCAN is a cross-platform, Qt-based C++ program. It is a CAN bus reverse engineering
and capture tool. It was originally written to utilize EVTV hardware such as the
EVTVDue and CANDue hardware. It has since expanded to be able to use any socketCAN
compatible device as well as the Macchina M2 and Teensy 3.x boards.

SavvyCAN can use any CAN interface supported by Qt's SerialBus system (PeakCAN,
Vector, SocketCAN, J2534, etc). It can capture and send to multiple buses and
CAN capture devices at once.

[ See Also ]