Raspberry Pi CANBUS Adventure

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
Meistro
Posts: 35
Joined: Fri Nov 03, 2023 7:42 am
cars: many

Re: Raspberry Pi CANBUS Adventure

Post by Meistro »

kur4o wrote: That box looks like custom key for unlocking, and it is unchecked so it must be not used during the read process.
Yeah I don't know what that box is for. Actually I never ever checked that box any time I read anything. Maybe it's to read a specific memory address?

The larger file is the read. However I forgot to mention that I did click the other gather info button 1st after starting the log, before I clicked read.

I hope if I have time tonight, I want to hook up my stimulator and feed it some crank & cam signals and log the bus while increasing/decreasing rpm. I'm curious to see what additional traffic appears.
Meistro
Posts: 35
Joined: Fri Nov 03, 2023 7:42 am
cars: many

Re: Raspberry Pi CANBUS Adventure

Post by Meistro »

Better yet, I'm willing to bet it is to allow a read on a tuner locked tune. Probably have to put the custom value in there if it's tuner locked. Otherwise it uses the standard GM seed key.
ironduke
Posts: 583
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: Raspberry Pi CANBUS Adventure

Post by ironduke »

Meistro wrote: Better yet, I'm willing to bet it is to allow a read on a tuner locked tune. Probably have to put the custom value in there if it's tuner locked. Otherwise it uses the standard GM seed key.
This is exactly what it does.. comes in handy for 5 byte reads too with slightly older software
Meistro
Posts: 35
Joined: Fri Nov 03, 2023 7:42 am
cars: many

Re: Raspberry Pi CANBUS Adventure

Post by Meistro »

So I'm messing around with some Python tonight in the BusPi. I found something very useful to me. A tool to beat on the security of the ECU through the bus.
https://github.com/CaringCaribou/caringcaribou/
"a zero-knowledge tool that can be dropped onto any CAN network and collect information regarding what services and vulnerabilities exist."

check it out... It starts by just listening to the bus

Code: Select all

(caringcaribou) mark@buspi:~/caringcaribou/caringcaribou $ cc.py listener                                 
-------------------
CARING CARIBOU v0.4
-------------------

Loading module 'listener'

Running listener (press Ctrl+C to exit)
Last ID: 0x00000772 (13 unique arbitration IDs found) ^C

Detected arbitration IDs:
Arb id 0x000004f1 29 hits
Arb id 0x00000772 29 hits
Arb id 0x000004c1 58 hits
Arb id 0x000004d1 58 hits
Arb id 0x000003f9 117 hits
Arb id 0x000003c1 293 hits
Arb id 0x000003d1 293 hits
Arb id 0x000003e9 293 hits
Arb id 0x000002c5 586 hits
Arb id 0x000001a1 1172 hits
Arb id 0x000001c1 1172 hits
Arb id 0x000000c9 2344 hits
Arb id 0x00000191 2344 hits
We can see it's alive. Let's do diagnostics service discovery..

Code: Select all

(caringcaribou) mark@buspi:~/caringcaribou/caringcaribou $ cc.py dcm discovery -min 0x003

-------------------
CARING CARIBOU v0.4
-------------------

Loading module 'dcm'

Starting diagnostics service discovery
Sending Diagnostic Session Control to 0x07df
Found diagnostics at arbitration ID 0x07df, reply at 0x07e8
Poll for services at the id given with reply location..

Code: Select all

(caringcaribou) mark@buspi:~/caringcaribou/caringcaribou $ cc.py dcm services 0x07df 0x07e8

-------------------
CARING CARIBOU v0.4
-------------------

Loading module 'dcm'

Starting DCM service discovery
Probing service 0xff (23 found)
Done!

Supported service 0x01: Unknown service
Supported service 0x43: Unknown service
Supported service 0xaa: GMLAN_READ_DPID
Supported service 0x47: Unknown service
Supported service 0x10: DIAGNOSTIC_SESSION_CONTROL
Supported service 0x12: GMLAN_READ_FAILURE_RECORD
Supported service 0x1a: GMLAN_READ_DIAGNOSTIC_ID
Supported service 0xaa: GMLAN_READ_DPID
Supported service 0x22: READ_DATA_BY_IDENTIFIER
Supported service 0x23: READ_MEMORY_BY_ADDRESS
Supported service 0x27: SECURITY_ACCESS
Supported service 0xaa: GMLAN_READ_DPID
Supported service 0x2c: DYNAMICALLY_DEFINE_DATA_IDENTIFIER
Supported service 0x2d: DEFINE_PID_BY_MEMORY_ADDRESS
Supported service 0x34: REQUEST_DOWNLOAD
Supported service 0x36: TRANSFER_DATA
Supported service 0x3b: GMLAN_WRITE_DID
Supported service 0xaa: GMLAN_READ_DPID
Supported service 0x00: Unknown service
Supported service 0xa5: GMLAN_ENTER_PROGRAMMING_MODE
Supported service 0xa9: GMLAN_CHECK_CODES
Supported service 0xaa: GMLAN_READ_DPID
Supported service 0xae: GMLAN_DEVICE_CONTROL
Then sub-function discovery. This shown below was after I stopped it. I'm going to run it again and let it finish.

Code: Select all

(caringcaribou) mark@buspi:~/caringcaribou/caringcaribou $ cc.py dcm subfunc 0x07df 0x07e8 0x22 2 3

-------------------
CARING CARIBOU v0.4
-------------------

Loading module 'dcm'

Starting DCM sub-function discovery
Probing sub-function 0x22 data ['09', 'db'] (found: 52)^C

Found sub-functions for service 0x22 (READ_DATA_BY_IDENTIFIER):

Sub-function 00 00
Sub-function 00 01
Sub-function 00 02
Sub-function 00 03
Sub-function 00 04
Sub-function 00 05
Sub-function 00 06
Sub-function 00 07
Sub-function 00 08
Sub-function 00 09
Sub-function 00 0a
Sub-function 00 0b
Sub-function 00 0c
Sub-function 00 0d
Sub-function 00 0e
Sub-function 00 0f
Sub-function 00 10
Sub-function 00 11
Sub-function 00 12
Sub-function 00 13
Sub-function 00 14
Sub-function 00 15
Sub-function 00 18
Sub-function 00 19
Sub-function 00 1c
Sub-function 00 1e
Sub-function 00 1f
Sub-function 00 20
Sub-function 00 21
Sub-function 00 2c
Sub-function 00 2d
Sub-function 00 2e
Sub-function 00 2f
Sub-function 00 30
Sub-function 00 31
Sub-function 00 32
Sub-function 00 33
Sub-function 00 3c
Sub-function 00 3d
Sub-function 00 40
Sub-function 00 41
Sub-function 00 42
Sub-function 00 43
Sub-function 00 44
Sub-function 00 45
Sub-function 00 46
Sub-function 00 47
Sub-function 00 49
Sub-function 00 4a
Sub-function 00 4c
Sub-function 00 51
Sub-function 00 52


Terminated by user

Currently doing XCP discovery whatever that is lol. I'll let it finish though and post here the results.
Last edited by Meistro on Sat Dec 02, 2023 12:53 pm, edited 1 time in total.
Meistro
Posts: 35
Joined: Fri Nov 03, 2023 7:42 am
cars: many

Re: Raspberry Pi CANBUS Adventure

Post by Meistro »

Zero matches. I have no idea what this function is ATM

edit: XCP is a whole other protocol. https://cdn.vector.com/cms/content/appl ... 3.0_EN.pdf Not going to need this for what I'm messing with.

Code: Select all

(caringcaribou) mark@buspi:~/caringcaribou/caringcaribou $ cc.py xcp discovery -min 0x003

-------------------
CARING CARIBOU v0.4
-------------------

Loading module 'xcp'

Starting XCP discovery
Bruteforce of range 0x3-0x7ff completed: Found 0 possible matches.

(caringcaribou) mark@buspi:~/caringcaribou/caringcaribou $
Meistro
Posts: 35
Joined: Fri Nov 03, 2023 7:42 am
cars: many

Re: Raspberry Pi CANBUS Adventure

Post by Meistro »

DCM is old and obsolete apparently. The UDS module is the current one.

After messing with all these commands, I found the uds module has an auto mode. It brute forces all functions and displays everything it can. It's been banging away on grabbing every value it can get from each address location it seems for about an hour. For example it says the value at 0x2012 is a2100800. No idea what this means but it's info.

I just may have my chance at bricking this tonight!!
Meistro
Posts: 35
Joined: Fri Nov 03, 2023 7:42 am
cars: many

Re: Raspberry Pi CANBUS Adventure

Post by Meistro »

Here's the complete result. I stopped it at the 0x8 range because it became apparent that it wasn't finding anything past 0x2857.

Code: Select all

(caringcaribou) mark@buspi:~/caringcaribou/caringcaribou $ cc.py uds auto

-------------------
CARING CARIBOU v0.4
-------------------

Loading module 'uds'

Sending Diagnostic Session Control to 0x07df
  Verifying potential response from 0x07df
    Resending 0x7df...  Success
Found diagnostics server listening at 0x07df, response at 0x07e8
Sending Diagnostic Session Control to 0x07e0
  Verifying potential response from 0x07e0
    Resending 0x7e0...  Success
Found diagnostics server listening at 0x07e0, response at 0x07e8
Sending Diagnostic Session Control to 0x07ff



Identified diagnostics:

+------------+------------+
| CLIENT ID  | SERVER ID  |
+------------+------------+
| 0x000007df | 0x000007e8 |
| 0x000007e0 | 0x000007e8 |
+------------+------------+



Target Diagnostic IDs:

+------------+------------+
| CLIENT ID  | SERVER ID  |
+------------+------------+
| 0x000007df | 0x000007e8 |
+------------+------------+

Enumerating Services:

Probing service 0xff (255/255): found 23
Done!


Identified services:

Supported service 0x01: Unknown service
Supported service 0x-32: Unknown service
Supported service 0x04: Unknown service
Supported service 0x-28: Unknown service
Supported service 0x10: DIAGNOSTIC_SESSION_CONTROL
Supported service 0x12: Unknown service
Supported service 0x1a: Unknown service
Supported service 0x20: RETURN_TO_NORMAL
Supported service 0x22: READ_DATA_BY_IDENTIFIER
Supported service 0x23: READ_MEMORY_BY_ADDRESS
Supported service 0x27: SECURITY_ACCESS
Supported service 0x28: COMMUNICATION_CONTROL
Supported service 0x2c: DYNAMICALLY_DEFINE_DATA_IDENTIFIER
Supported service 0x2d: DEFINE_PID_BY_MEMORY_ADDRESS
Supported service 0x34: REQUEST_DOWNLOAD
Supported service 0x36: TRANSFER_DATA
Supported service 0x3b: Unknown service
Supported service 0x20: RETURN_TO_NORMAL
Supported service 0xa2: Unknown service
Supported service 0xa5: Unknown service
Supported service 0xa9: Unknown service
Supported service 0xaa: Unknown service
Supported service 0xae: Unknown service


Dumping DIDs in range 0x0000-0xffff

Identified DIDs:
DID    Value (hex)
0x0000 bfbfb993
0x0001 86076565
0x0002 0122
0x0003 0000
0x0004 00
0x0005 00
0x0006 80
0x0007 80
0x0008 80
0x0009 80
0x000a 85
0x000b 00
0x000c 0000
0x000d 00
0x000e 8a
0x000f 00
0x0010 0000
0x0011 ff
0x0012 04
0x0013 33
0x0014 5a80
0x0015 5aff
0x0018 5a80
0x0019 5bff
0x001c 03
0x001e 00
0x001f 0000
0x0020 8007e019
0x0021 0000
0x002c 00
0x002d 80
0x002e 00
0x002f 00
0x0030 00
0x0031 0000
0x0032 1d1b
0x0033 5a
0x003c 0190
0x003d 0190
0x0040 fed00000
0x0041 00070065
0x0042 3932
0x0043 0000
0x0044 1fa0
0x0045 e0
0x0046 28
0x0047 ff
0x0049 00
0x004a 00
0x004c 4c
0x0051 02
0x0052 00
0x1121 28
0x1122 00
0x1123 20
0x1124 4c
0x1125 02
0x1126 00
0x1127 02
0x1128 0c
0x1129 00
0x1130 20
0x1131 00
0x1133 00
0x1134 00
0x1135 20
0x1141 92
0x1144 00
0x1145 67
0x1146 69
0x1148 67
0x1149 68
0x114b 00
0x114d 00
0x114e 00
0x1152 00
0x1154 00
0x1155 fe
0x1157 00
0x1158 00
0x115c 03
0x115d 00
0x115e 00
0x115f 00
0x116f 00
0x1171 00
0x1175 00
0x1178 00
0x1186 0000
0x1187 0000
0x1188 13
0x1189 00
0x118a 0000
0x118b 0000
0x118c 0000
0x118d 0000
0x1190 25
0x119c 00
0x11a1 0000
0x11a6 00
0x11ac 0000
0x11bb 4d
0x11bd 00
0x11c1 00
0x11c9 89
0x11e4 0000
0x11e5 0000
0x11e6 0000
0x11e8 04
0x11ea 00
0x11eb 00
0x11ec 00
0x11ed 00
0x11f2 00
0x11f3 00
0x11f4 00
0x11f5 00
0x11f6 00
0x11f7 00
0x11f8 0000
0x11f9 0000
0x11fa 0000
0x11fb 0000
0x1200 00
0x1201 0000
0x1202 0000
0x1203 0000
0x1204 0000
0x1205 00
0x1206 00
0x1207 00
0x1208 00
0x1227 0000
0x1228 0000
0x1229 0000
0x122a 00
0x1232 00
0x1233 00
0x1234 0000
0x1235 0000
0x1236 0000
0x1237 00
0x1238 00
0x1239 00
0x1296 0000
0x1297 fd06
0x1299 0000
0x12ab 00
0x12b0 00
0x12b1 0629
0x12b4 00
0x12b5 00
0x12b7 7f
0x12b8 7f
0x12b9 fe
0x12ba 00
0x12bc 00
0x12bd 00
0x12c3 0000
0x12c4 0000
0x12d9 00
0x12da 0000
0x12de 00
0x12e0 0001
0x12e7 00000000
0x12ee 01
0x12ef 00
0x12f0 00
0x12f5 ffff
0x12ff 0000
0x1300 0000
0x130e ffff
0x130f 00
0x1310 02
0x1311 01
0x1312 02
0x1315 2e
0x1316 2e
0x1317 2e
0x1318 2e
0x1319 2e
0x131a 2e
0x131b 2e
0x131c 2e
0x131d 1500
0x131e 05fb
0x131f 0000
0x132a 0000
0x1336 0000
0x1337 f6e1
0x1338 00
0x135d 00
0x135f 97
0x1360 01
0x1365 15
0x1366 15
0x1367 00
0x1369 00
0x136a 00
0x136b 10
0x136c 10
0x136d 15
0x139c 00
0x13af 00
0x13b1 1f
0x13b2 1f
0x13b5 ffff
0x13c6 00
0x13c7 08
0x13c8 00
0x13e1 15
0x13e2 15
0x13e3 15
0x13e4 15
0x13ea 00
0x13f1 0000
0x13f2 0000
0x13f3 0000
0x13f4 0000
0x1400 15
0x1401 15
0x1402 15
0x1403 15
0x1404 15
0x1405 15
0x1406 00
0x1407 00
0x1408 15
0x1409 15
0x140a 15
0x140b 15
0x140c 15
0x140d 15
0x140e 3f
0x140f 3f
0x1410 15
0x1412 01
0x1413 00
0x1414 00
0x141d 01
0x141e 01
0x1420 0000
0x1421 0000
0x146a 15
0x146b 15
0x146c 15
0x146d 15
0x1470 00
0x1478 e9
0x1479 e9
0x147b 00
0x147f 00
0x1480 00
0x1481 0000
0x1482 0000
0x1484 0000
0x1485 0000
0x1489 28
0x148c 97
0x148d 00
0x148e 00
0x1502 10
0x1503 17
0x150a ff
0x150c 80
0x150d f3
0x150e 02
0x150f 01
0x1510 05
0x1511 02
0x1517 00
0x1518 0000
0x1519 0000
0x151a 00
0x151b 00
0x151c 00
0x151d 00
0x151f 01
0x1520 05
0x1521 02
0x1522 01
0x152c ff
0x1539 00
0x153a 00
0x153b 00
0x153c 00
0x153e 00
0x1549 00
0x1550 00
0x1551 09
0x1552 0a
0x1553 00
0x1554 00
0x1555 00
0x1556 00
0x1557 00
0x1558 00
0x1559 00
0x155a 42
0x155b 00
0x155c 00
0x155d 00
0x155e 00
0x155f 00
0x1560 07
0x1561 00
0x1563 0000
0x1564 00
0x1565 00
0x1566 00
0x1567 00
0x1568 00
0x1569 0000
0x156a 0000
0x156c 00
0x156d 00
0x156e 00
0x156f 00
0x1570 80
0x1571 80
0x1572 80
0x1573 80
0x1574 80
0x1575 80
0x1576 00
0x1577 00
0x1578 00
0x1579 00
0x157a 0000
0x1582 0000
0x1626 00
0x162b 00
0x163f 00
0x1641 00
0x1643 0000
0x1644 0083
0x1652 0000
0x166a 00
0x166b 00
0x166c 00
0x166d 00
0x1676 00
0x1677 00
0x168d 00
0x168e 00
0x168f 00
0x1690 00
0x1691 00
0x1692 00
0x1693 00
0x1694 00
0x1695 00
0x1696 00
0x1697 00
0x1698 00
0x169a 00
0x169b 00
0x169c 00
0x169d 00
0x1940 28
0x1942 0000
0x195d 1000
0x1a2d ff0c
0x2000 00
0x2001 00
0x2002 0a
0x2003 00
0x2004 4f
0x2005 00
0x2006 28
0x2007 00
0x2008 15
0x2009 00
0x200a 00
0x200b 00
0x200c 15
0x200d 15
0x200e 0000
0x200f 0000
0x2010 0000
0x2011 00e00080
0x2012 a2100800
0x2013 00
0x2014 00
0x2015 00
0x2016 00
0x2017 00
0x2018 00
0x2019 00
0x201a 00
0x201b 00
0x201c ff
0x201d ff
0x201e 00
0x201f 00
0x2020 e0
0x2021 00
0x2023 00
0x2024 00
0x2025 00
0x2026 00
0x2027 00
0x2028 00
0x2029 00
0x2032 00
0x2033 fff0
0x2034 00000000
0x2035 ff
0x204a 00ae
0x204b 009e
0x204c 009e
0x2050 0000
0x2051 00
0x2052 00
0x2066 ff
0x280e 3f
0x2810 00
0x2822 00
0x2856 c8
0x2857 c8
^C811d

Terminated by user
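
Seen from the monitoring side, the service and DID sweeps in the output above have a recognizable shape on the bus: one diagnostic request ID asking for many different services or identifiers within a short time. The following is an added example, not part of the original post or of Caring Caribou, that flags this pattern in candump-style log lines; the sample traffic, the time window and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# 11-bit diagnostic request IDs: 0x7DF (functional), 0x7E0-0x7E7 (physical).
DIAG_REQUEST_IDS = {0x7DF} | set(range(0x7E0, 0x7E8))
LINE_RE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3})#([0-9A-Fa-f]*)")

def parse_candump(line):
    """Return (timestamp, arbitration_id, payload) for one log line, else None."""
    m = LINE_RE.match(line.strip())
    if not m or len(m.group(3)) % 2:
        return None
    return float(m.group(1)), int(m.group(2), 16), bytes.fromhex(m.group(3))

def single_frame_request(data):
    """Decode an ISO-TP single frame into (service_id, parameters), else None."""
    if not data or data[0] >> 4 != 0:
        return None  # first, consecutive or flow-control frame
    length = data[0] & 0x0F
    if length == 0 or length > len(data) - 1:
        return None
    return data[1], data[2:1 + length]

def detect_scans(lines, window=5.0, max_sids=8, max_dids=16):
    """Alert when one request ID asks for too many distinct services or 0x22 DIDs within `window` seconds (thresholds are illustrative assumptions)."""
    recent = defaultdict(deque)  # arbitration ID -> (timestamp, sid, did)
    alerts, raised = [], set()
    for line in lines:
        parsed = parse_candump(line)
        if not parsed or parsed[1] not in DIAG_REQUEST_IDS:
            continue  # broadcast traffic and diagnostic responses are ignored
        ts, arb_id, data = parsed
        request = single_frame_request(data)
        if request is None:
            continue
        sid, params = request
        did = int.from_bytes(params[:2], "big") if sid == 0x22 and len(params) >= 2 else None
        queue = recent[arb_id]
        queue.append((ts, sid, did))
        while ts - queue[0][0] > window:  # drop entries older than the window
            queue.popleft()
        sids = {s for _, s, _ in queue}
        dids = {d for _, _, d in queue if d is not None}
        for kind, seen, limit in (("service-enumeration", sids, max_sids),
                                  ("did-sweep", dids, max_dids)):
            if len(seen) > limit and (arb_id, kind) not in raised:
                raised.add((arb_id, kind))  # one alert per ID and kind
                alerts.append((kind, arb_id, ts))
    return alerts

def build_sample_log():
    """Constructed traffic: a broadcast ID, steady polling of one DID, then two sweeps."""
    frames = [("0C9", "0000000000000000"), ("7E0", "0322000C00000000")] * 20
    frames += [("7DF", f"01{sid:02X}000000000000") for sid in range(0x10, 0x30)]
    frames += [("7DF", f"0322{did:04X}00000000") for did in range(0x0000, 0x0040)]
    return [f"({1000 + i * 0.05:.6f}) can0 {arb}#{data}" for i, (arb, data) in enumerate(frames)]

if __name__ == "__main__":
    print(detect_scans(build_sample_log()))
```

Repeated polling of a single DID from 0x7E0 stays below both thresholds, so an ordinary tester session does not trigger an alert; only the sweeps on 0x7DF do.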
Meistro
Posts: 35
Joined: Fri Nov 03, 2023 7:42 am
cars: many

Re: Raspberry Pi CANBUS Adventure

Post by Meistro »

So I've been working on this but I'm taking too long to learn it lol. I started a new route on the raspi since the bus is so easily accessible. Once I fire it up and enable can0, I use Node-Red with Socketcan. So much easier for someone with my programming skills. I also have the GPIO controlling a couple relays to cycle the battery and ignition power to the ecu. I also have a T42 connected on the bench. When I reviewed the wiring, it shows the can +/- going from OBD port to T42 then out a separate can +/- looping through it to the ecu. I'm going to plug the BCM back in soon. When I started all this, all the idle traffic was a bit much. Now that I learned how to filter that out I can add it back.

If that ain't enough I created an AI chatbot that I've been feeding all the GMLAN documentation I have. It is learning faster than me. Its name is Rudy. He's also well versed in JavaScript. I just got him to where he can produce code for specific tasks, based on all the info I've been feeding him. Very, very interesting that's for sure. Cool thing is I had it create a lookup to parse all the messages incoming based on a canid filter. If it doesn't recognise the DID from what it already knows, it flags it to an unknowndid topic and logs it. I got a little sidetracked with that but it's building into something. I haven't tried changing anything on the ecu yet. I disassembled the E38 vin changer that I found on here and fed that into Rudy. He was able to reproduce that into JS functions that I could test individually.

In the end I won't be able to change my vin until all tuning is complete with the HPT. I'm pretty sure that HPT finding an invalid VIN from 04 and a P59 is going to make things difficult. I figure I'll still go through the process and finish this so if I brick it, then well that happens. Later on when the SD tune is all setup and dialed in I can change the vin. If I need to make any adjustments in HPT I'll need to put the old vin back to make changes, then put the plugged vin back in. That's the current thought anyways.
Meistro
Posts: 35
Joined: Fri Nov 03, 2023 7:42 am
cars: many

Re: Raspberry Pi CANBUS Adventure

Post by Meistro »

I'm still feeding Rudy info but I decided to check what he knows so far. I can't say how correct he is until I get home to try it out.

Does this make sense?

Code: Select all

User
Do you know enough to construct a can message to read vin number?
GPT
Yes, based on the information you've provided and standard practices in CAN communication and the GMLAN protocol, I can guide you on how to construct a CAN message to read the VIN number from an ECU. The Vehicle Identification Number (VIN) is typically accessed using the "Read Data By Identifier" service, which in the GMLAN (a version of the Unified Diagnostic Services (UDS) protocol) is identified by the Service Identifier (SID) 0x1A.

Here's a basic outline of how to construct the CAN message:

Service Identifier (SID): For reading data by identifier, the SID is 0x1A.

Data Identifier (DID) for VIN: The DID that represents the VIN varies depending on the vehicle's implementation. Commonly, it could be 0xF190. However, you should confirm this from the specific vehicle's documentation or standard DID listings.

Addressing: The message needs to be properly addressed to the ECU that contains the VIN information. This involves using the correct CAN ID for sending the request. The addressing could be either physical (directly to a specific ECU) or functional (to any ECU that understands the request).

Given this, a CAN message to request the VIN number would look something like this:

CAN ID: This depends on your vehicle's configuration. Let's say 0x7E0 for a physical request to the Powertrain Control Module (PCM).
Data: [0x02, 0x1A, 0xF1, 0x90]. This represents:
0x02: Length of the request (2 bytes following).
0x1A: SID for Read Data By Identifier.
0xF1, 0x90: DID for the VIN.
So, the complete CAN message to request the VIN would be:

7E0#021AF190

Remember, the actual values might vary based on the specific vehicle and ECU configuration. It's important to have the correct documentation for the vehicle you are working with. Additionally, some ECUs may require a diagnostic session to be initiated (with a StartDiagnosticSession service) before they will respond to a ReadDataByIdentifier request.
hjtrbo
Posts: 139
Joined: Tue Jul 06, 2021 6:57 pm
cars: VF2 R8 LSA
FG XR6T
HJ Ute w/RB25DET

Re: Raspberry Pi CANBUS Adventure

Post by hjtrbo »

AI reading docs then writing code... Amazing. How does one create their own AI bot?
