Super Noob questions from a reasonably smart fellow

davepl
Posts: 2
Joined: Tue Apr 18, 2017 3:30 am

Super Noob questions from a reasonably smart fellow

Post by davepl »

About 10 years ago I hacked together a breadboard with an ELM327 and an Atmel that would watch for keyfob unlock commands, and if it saw three in a row, lower the convertible top on my E46 M3. It's so long ago now that I barely remember what tools I used!

I'd like to get back into PCM hacking, so have a couple of questions about tools. Most of this will be on a 2015 Corvette Z06.

Here's my goal, short term to long term:

Short term:
- Get connected, get logging, watch for "Window up" packets
- Be able to record and playback a simple packet like that

Longer term:
- Get access to some other module (body module, suspension controller, whatever)
- Start trying a seed/key attack on it to get at the firmware
- Get an image of the firmware and disassemble it in IDAPro
- Make changes and replace firmware

Obviously my short term goals are more realistic. But what tools should I be using? I don't want to spend $1000 on Vehicle Spy unless I turn this into some kind of commercial venture, which it absolutely is not. But the demo doesn't even seem to let me define messages and so on.

I think last time around I was using a terminal program and AT commands on the ELM327, but that's pretty basic stuff. I assume there must be a few tools out there that I should become familiar with, so that's my question: what do I need to start with?

Thanks,
Dave
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Super Noob questions from a reasonably smart fellow

Post by antus »

Elm is still the cheapest, but it gets difficult with all the clones around. Elm is a single IC, so what other chips are bundled in your typical 'elm' adaptor, what speeds it runs at and other implementation problems are real. The STN chipset based obdlink are a better option, more features, known hardware, still your elm AT command set.

Then there is the obddiag.net interface (my personal choice). Open source firmware, still elm command set. The USB interface down the bottom here is quite nice. http://www.obddiag.net/allpro.html

Your car will have multiple CAN buses, and at different speeds (AKA GMLAN). You'll need to suss out which pins have the bus you're interested in and make sure the interface supports the correct speed CAN bus.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
davepl
Posts: 2
Joined: Tue Apr 18, 2017 3:30 am

Re: Super Noob questions from a reasonably smart fellow

Post by davepl »

Thanks! And what about software? What I'm looking for is something that will help me locate packets (like "What's the Packet that does X" where X is "raise the window" or similar)?

VehicleSpy would be nice, but the Free version doesn't allow you to define messages, save the structure, or any of the handy stuff you'd want. Wish they made a $100 "Student-Hobbyist" version.

I can log packets in a terminal window, of course, but it doesn't help you sort through the traffic to find the interesting morsels, and that's my question I guess. What does?
yoda69
Posts: 1215
Joined: Sun Mar 15, 2009 10:20 am
cars: 2004 VYII Acclaim Wagon V6 Auto LPG/Petrol
2004 VYII Berlina sedan V6 Auto
2005 VZ Monaro CV8 manual
Location: Geelong, VIC

Re: Super Noob questions from a reasonably smart fellow

Post by yoda69 »

I've logged packets before and then used Excel to help sort and filter them.
What you are effectively trying to do is to reverse engineer a dbc (Vector format) file which converts the CAN data to something we can understand. As there is no real standard for information on the CAN each manufacturer uses it how best suits them and is proprietary information not published.
Below are a couple of google search links that may be useful:
https://theksmith.com/software/hack-veh ... sy-part-1/
http://hackaday.com/2013/10/22/can-hack ... e-network/
http://hackaday.com/2013/10/21/can-hack ... oductions/

I've found this document quite useful also:
https://docs.google.com/spreadsheets/d/ ... 0/htmlview#
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Super Noob questions from a reasonably smart fellow

Post by Tazzi »

Ahhh yes, Vehicle Spy. The ~$1000 kit doesn't give you the full version application with their tool. It's actually around $3000ish.

I'd recommend picking up an Arduino Uno and CAN shield. This will give you raw access to the comms line. Can then filter, monitor and send out frames.
This can then end up being left in the car without any computer requirement to do whatever it is you have programmed it to do (i.e. all windows down after unlocking three times in 5 seconds). Will also need an automotive grade power supply that will handle all the noise from the car.

When sorting through CANBus frames, your best friends will be setting filters and masks.

For R&D, I have one of my microcontrollers log the raw traffic from the bus; it identifies all the repeating frames and filters those out.
After it's done its initial scan, I can then go ahead and start pressing buttons (such as volume up, mute, window down) and my micro will display any new frames or any unexplained changes in any filtered out frames.

The above is all automated for efficiency and conducted on the micro, PC does not do any processing at all. But the same principles apply for doing it manually. Grab a raw log.. throw it into excel.. identify common generic frames that repeat.. then set the micro-controller to filter those out and repeat.


An ELM could do the above.. but.. if the end game is to have something permanently sitting in the car to add some sort of new ability.. then best moving to a microcontroller.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
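The filter-and-diff procedure Tazzi describes above (learn the repeating frames from an idle capture, then report new IDs or unexplained byte changes while a button is pressed), written out as an added example for this thread; it is not code from any poster here. It works on candump-style "(timestamp) iface ID#HEX" lines, all of the sample lines are constructed rather than captured from a real car, and the acceptance-filter helper uses the same ID/mask comparison a CAN controller applies in hardware. The noisy-position rule (ignore byte positions that already cycled through several values at idle) is an assumption added to keep rolling counters and checksums from being reported as changes; the same learn-then-compare logic is what a simple bus anomaly check would use to flag frames that should not be there.

```python
"""Differential CAN log analysis.

Learn which arbitration IDs and byte values repeat in a baseline (idle) capture,
then report anything in an "action" capture that the baseline does not explain.
Added example; log lines below are constructed, not captured from a vehicle.
"""
from collections import defaultdict
import re

# candump-style line: "(1.000000) can0 1F1#0A0B0C0D"
LINE_RE = re.compile(
    r"^\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>(?:[0-9A-Fa-f]{2})*)$"
)

# Constructed sample captures (not real vehicle traffic).
# Baseline: 0x0C1 carries a counter in byte 3, 0x1F1 toggles its last byte.
BASELINE_LOG = """
(1.000000) can0 0C1#0000000000000000
(1.010000) can0 1F1#0A0B0C0D
(1.020000) can0 0C1#0000000100000000
(1.030000) can0 1F1#0A0B0C0E
(1.040000) can0 0C1#0000000200000000
"""

# Action capture: counter keeps counting, one unseen ID appears, 0x1F1 byte 0 changes.
ACTION_LOG = """
(2.000000) can0 0C1#0000000300000000
(2.010000) can0 1F1#0A0B0C0D
(2.020000) can0 2A5#01
(2.030000) can0 1F1#FF0B0C0D
"""


def parse_log(text):
    """Return a list of (arbitration_id, data_bytes) from candump-style lines."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines or anything that is not a frame line
        frames.append((int(m.group("id"), 16), bytes.fromhex(m.group("data"))))
    return frames


def passes_filter(arb_id, accept_id, mask):
    """Hardware-style acceptance filter: only the bits set in mask are compared."""
    return (arb_id & mask) == (accept_id & mask)


def learn_baseline(frames):
    """Per ID and byte position, record every distinct value seen at idle."""
    seen = defaultdict(lambda: defaultdict(set))
    for arb_id, data in frames:
        for pos, value in enumerate(data):
            seen[arb_id][pos].add(value)
    return seen


def diff_against_baseline(baseline, frames, noisy_threshold=2):
    """Return (new_ids, changes).

    new_ids: IDs never seen at idle.
    changes: (id, byte_pos, value) where a known ID carries a value the baseline
             never showed, skipping positions that were already noisy at idle
             (more than noisy_threshold distinct values, e.g. counters).
    """
    new_ids, changes = set(), set()
    for arb_id, data in frames:
        if arb_id not in baseline:
            new_ids.add(arb_id)
            continue
        for pos, value in enumerate(data):
            known = baseline[arb_id].get(pos)
            if known is None:
                changes.add((arb_id, pos, value))  # frame got longer than at idle
            elif len(known) > noisy_threshold:
                continue  # counter/checksum position, ignore
            elif value not in known:
                changes.add((arb_id, pos, value))
    return sorted(new_ids), sorted(changes)


def analyze(baseline_text, action_text, noisy_threshold=2):
    """Convenience wrapper: parse both captures and diff them."""
    baseline = learn_baseline(parse_log(baseline_text))
    return diff_against_baseline(baseline, parse_log(action_text), noisy_threshold)


if __name__ == "__main__":
    new_ids, changes = analyze(BASELINE_LOG, ACTION_LOG)
    print("new IDs:", [hex(i) for i in new_ids])
    for arb_id, pos, value in changes:
        print(f"changed: id={arb_id:#05x} byte[{pos}]={value:#04x}")
```

On the constructed captures this reports 0x2A5 as a new ID and byte 0 of 0x1F1 changing to 0xFF, while the counter in 0x0C1 is ignored because it was already cycling at idle. Lower noisy_threshold when the idle capture is short, raise it for long captures where slow-moving values (temperatures, voltages) would otherwise be reported.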
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Super Noob questions from a reasonably smart fellow

Post by antus »

I just stumbled across this list of tools. Wow some nice stuff has come out in the last couple of years!

http://makezine.com/2016/04/08/car-hacking-tools-trade/

In particular this looks quite interesting https://github.com/zombieCraig/UDSim/
It appears to be for linux, and requires linux can devices supported by the kernel and using socketCAN. A decent starting point seems to be here: http://elinux.org/CAN_Bus

Anyone tried this tool? http://shop.8devices.com/usb2can
The price is right, it advertises full speed USB 2 (400mbps) and it seems to be compatible with Linux (or win) and would suit the above. Seems to be $102AUD delivered based on current exchange rates. Product ships from Lithuania.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Super Noob questions from a reasonably smart fellow

Post by Tazzi »

antus wrote: I just stumbled across this list of tools. Wow some nice stuff has come out in the last couple of years!

http://makezine.com/2016/04/08/car-hacking-tools-trade/
That guide is top notch! Heaps of good stuff there.