So you want to Unlock and Lock the doors using the CAN BUS? Well I've got good news for you, you can. Well sort of...
Because most modern vehicles have distributed electronic systems, unlock/lock type functionality is often done via a CAN BUS message by the OEM themselves. Typically, if the RFA module (the controller that receives commands from the key fob) is separate from the controller(s) that actuate the door locks themselves, then this command will occur over the CAN BUS.
So how do you know if this RFA is separate? You will most likely have to consult a wiring manual such as the Mitchell Guide.
So if the modules are separate, you will have to connect to the vehicle's body CAN BUS (this is often separate from the Powertrain bus or OBDII CAN BUS). Once you've found this network, you will have to monitor the network for the Unlock or Lock commands by using the factory key fob and watching for a new message that shows up or data that changes at the same instant that you press the key fob lock/unlock buttons. Do this about 3 to 4 times and you'll find the message that controls the Unlock and Lock commands. If you don't find it, try a little bit more, but remember it might not be there.
So once you have the message, you can test it. To do this, simply send a message with the same Arbitration ID and Data as the one that you discovered. Then see if the doors lock/unlock. If they do, you've found it. If not, try again; perhaps you found a message related to a door unlock/lock procedure, such as disarm or dome light status.
Again, if you need help, let me know.
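The monitoring step above can also be done offline on a recorded capture. The following is an added example, not code from this site: it assumes a log in candump -L format and a list of times at which the fob buttons were pressed, and the arbitration IDs, payload bytes, 0.25 s window and 1 s quiet period are constructed for illustration.

```python
import re
from collections import defaultdict

LINE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)")

def parse(log):
    """Yield (timestamp, arbitration_id, data_hex) from candump -L style lines."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield float(m.group(1)), int(m.group(2), 16), m.group(3).upper()

def candidates(log, presses, window=0.25, quiet=1.0):
    """IDs that show new data right after every press and at no other time."""
    last = {}                      # arb_id -> (timestamp, data) of previous frame
    hits = defaultdict(set)        # arb_id -> indexes of presses it reacted to
    payloads = defaultdict(list)   # arb_id -> data seen inside press windows
    noisy = set()                  # IDs that also change without a press
    for ts, arb_id, data in parse(log):
        prev = last.get(arb_id)
        last[arb_id] = (ts, data)
        # "New" = first sighting, changed data, or reappearing after silence.
        if prev and prev[1] == data and ts - prev[0] <= quiet:
            continue
        near = [i for i, p in enumerate(presses) if 0 <= ts - p <= window]
        if near:
            hits[arb_id].update(near)
            payloads[arb_id].append(data)
        elif prev:                 # a change with no button press: counter, sensor...
            noisy.add(arb_id)
    everyone = set(range(len(presses)))
    return {i: payloads[i] for i in hits if hits[i] == everyone and i not in noisy}

def sample_log(presses):
    """Constructed traffic (made-up IDs/bytes): a rolling counter, a constant
    status frame, and an event frame 50 ms after each alternating press."""
    rows = []
    for n in range(100):           # 10 s of 100 ms periodic traffic
        t = 100.0 + n * 0.1
        rows.append((t, f"0C9#{n % 256:02X}00"))
        rows.append((t + 0.01, "1F1#AA55"))
    for i, p in enumerate(presses):
        rows.append((p + 0.05, "3B3#01" if i % 2 == 0 else "3B3#02"))
    return "\n".join(f"({t:.6f}) can0 {f}" for t, f in sorted(rows))

PRESSES = [102.0, 104.5, 107.0, 109.2]   # constructed button-press times

if __name__ == "__main__":
    for arb_id, seen in candidates(sample_log(PRESSES), PRESSES).items():
        print(f"candidate 0x{arb_id:03X}: {seen}")
```

An ID that survives this filter is still only a candidate; as noted above, it may turn out to be a related signal such as disarm or dome light status.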
When I speak to most people about the vehicle network or CAN BUS, there is a common misconception that there are only Diagnostic Messages or OBD II Messages. So what's the difference between Diagnostic Messages (such as OBD II) and Normal Messages on a typical CAN BUS?
Simply put, Diagnostic Messages are Command/Response Messages. So if you want to get data from a controller, you have to send it a request. It will then respond to that request (hopefully). This is done using a common diagnostic protocol. There are only a handful that are used and they are typically specific to the OEM; however, there is not much difference between OEMs in how they have implemented their flavor of Diagnostic Messages. That said, all OEMs that sell vehicles in North America support the common OBD II protocol, those in Europe support EOBD, and those in China support the new China OBD (based on EOBD).
Normal Messages are the Messages that are transmitted between controllers. This data varies depending on the electronic systems and, like the OEM's Diagnostic Protocol, this data is also proprietary. This data does not need to be requested (in nearly 100% of cases). This data is typically sent at a periodic rate by a controller, as fast as it needs to be sent so that listening controllers get the most recent value. If you are doing data acquisition, this is the data you want.
The goal of this site is to help users who wish to extract both Diagnostic and Normal Messages and their data from the vehicle's network.
One common misunderstanding about the vehicle network data is that it is limitless. The truth is that the only data on the network is the data that is required to be there. Nothing more, nothing less. What is required is different from vehicle to vehicle. For example, some vehicles might have adaptive cruise control, and this system might require vehicle dynamic information that is not required on vehicles that do not possess this system.
More and more data is being added to already heavily loaded networks, so automotive OEMs are adding more networks to accommodate more data. Good news for us, now we can get more info at higher data rates.
CAN (Controller Area Network) BUS is not a new network, but unlike more popular network names, CAN BUS is geared more for Embedded Controllers such as the ones found in modern automobiles. So when I speak of CAN BUS 'Hacking', I am referring to automotive network reverse engineering.
The CAN BUS is now a required network on vehicles manufactured in the U.S. from 2008 and beyond. Its popularity among automotive OEMs is nearly universal. But unlike most open protocols such as TCP/IP and HTTP, CAN BUS is almost entirely implemented as a proprietary protocol. Thus if we want to understand it, we must 'hack' it.
I will be posting more about what exactly the CAN BUS is, but you can get more information on it from Wikipedia.
As an avid technology enthusiast, I have always attempted to understand how electronics/computers/software worked. I have taken this love of understanding and started a new website devoted to understanding how to 'hack' the CAN BUS.
I hope to impart a small bit of my knowledge onto you and hope to create an environment of information sharing.
... On with the Blog ...