
CanBus Hacking


Zod


Hopefully this is the right section to ask this! :)

 

Has anyone here hacked into the 350z canbus to sniff out transmissions and send their own? A search on here reveals nothing but thought I'd ask. I've captured data through the use of an arduino, canbus shield and my laptop by attaching it to the canbus link in the obd2 connector and have started off small by capturing the transmissions used to switch on the sidelights. I'm in the middle of trying to understand the frame format and lengths eg (transmitting node: message length: data) but if someone has been down this road on here and has some information specific to the 350z that would be great! :)

 

I have found a wealth of knowledge online and found a lot of information including similar projects on the nissan leaf, E46 and Mk IV golf. My end goal is to be able to permanently attach the arduino to the canbus to control anything I want, eg: listen to longer than normal presses on the remote fob and perform an action, hack my radio controls on the steering wheel (though not 100% sure if this is on canbus)

 

I also want to stream data from OBD2 to the arduino and output what I want to an additional lcd on the dash such as throttle position, load, fuel pressure etc. This is a lot easier to do as this data should be generic. I know there are aftermarket products available but the fun for me is in doing it myself!

 

Anyone out there doing something similar?


Sounds interesting mate, not seen anything like that before on here. Is CANBUS not encrypted? If not it's certainly possible to do what you want with enough time and effort, but certainly beyond my programming skills.


No, not from what I have read and seen. I reckon there are up to 3 networks in the Z canbus, similar to the leaf. I'm accessing whatever network is linked to the obd connector but I can probably connect into the AV canbus behind the stereo somewhere at a later stage and work on that.

 

The hardware I got can be picked up for under 40 quid and you can download the source code free from the website. All that's needed is a laptop. Connecting and sniffing the data is the really easy part, deciphering is going to be a bit more difficult but I'm determined to do it! :)

 

When the canbus is idle I get the following:

 

data len = 8
0 0 0 0 0 0 0 0
data len = 8
0 0 0 0 0 0 0 0
data len = 8
0 0 0 0 0 0 0 0
data len = 8
0 0 0 0 0 0 0 0

 

When I switch on the sidelights I get:

 

data len = 8
0 80 0 0 0 0 0 0
data len = 8
20 0 0 2 0 0 96 0
data len = 8
0 128 16 64 0 0 0 0
data len = 8
0 128 16 64 0 0 0 0
data len = 8
0 128 16 64 0 0 0 0
data len = 6
50 0 255 12 0 0
data len = 6
50 0 255 12 0 0
data len = 6
255 240 255 0 255 255
data len = 6
255 240 255 0 255 255
data len = 1
64
data len = 1
64
data len = 1
64
data len = 6
255 240 255 0 255 255

 

Parts of which keep repeating, I'm guessing some of these include start/stop bits, transmitting node ID and timestamp etc. It should hopefully be a case of retransmitting this over the canbus once I can figure out the format and should turn on sidelights, when I reach that milestone things should get a bit easier! I really wanted to see if anyone had any more info on it so I didn't have to start from scratch, if anyone is interested in collaborating give me a shout. :)

 

I'm not really a programmer, done a bit of c and java earlier this year in college but have been a network engineer for quite a while. Have done other projects such as using Siri to switch on and off heating in the house via siriproxy, Arduino and Raspberry Pi.

 

Hmm, voice controlled car functions?! Starting to get a bit ahead of myself... :)

Edited by Zod

How about clap on clap off lights? :lol:

 

 

I'm interested in this but have so much other stuff on at the moment I just won't be able to give it any time I'm afraid, I may be able to do some with you in the winter but I will be starting from scratch as you are.



 

Haha, easily done!

 

I'm in the same boat as I don't really have a lot of time between work and other commitments but just finished college for the summer and have a few months before final year and it's been something I really want to do. I'll share out my work and if anyone wants to take it up at a later stage please feel free..


With regards to what buses are there, if there are 3 it is most likely MS CAN (usually body information), HS CAN which would be powertrain information, and possibly a Multimedia CAN. Reading the buses is one thing but to change any data a lot of the info tends to be write protected, it can vary for each diagnostic identifier what read/write permissions it has.

To identify which bit/s in what byte/s are for a particular function is painstaking work as a lot of the data is scaled. A lot of the engine data will be fixed periodic but the event periodic data should be easier (not easy) to spot.
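The bit/byte hunt described in the post above can be done mechanically: capture the bus while idle, capture again while the function is switched on, and compare. The following is an added example, not code from this thread or from any of the Arduino shield projects mentioned; it parses the "data len = N" / "b0 b1 ..." text format posted earlier (the sample captures are constructed from the values in the thread) and reports, per frame length, which frames never appeared while idle and which byte and bit positions toggled. The page's logger prints no arbitration IDs, so frames are grouped by length as a stand-in; with IDs available the same logic would key on the ID instead.

```python
# Added example (not code from the thread): diff a CAN text capture taken while
# a function is on against an idle baseline, to see which bytes/bits change.
from collections import Counter, defaultdict

# Constructed from the values posted in the thread (idle, then sidelights on).
IDLE_CAPTURE = """
data len = 8
0 0 0 0 0 0 0 0
data len = 8
0 0 0 0 0 0 0 0
"""

SIDELIGHT_CAPTURE = """
data len = 8
0 80 0 0 0 0 0 0
data len = 8
20 0 0 2 0 0 96 0
data len = 8
0 128 16 64 0 0 0 0
data len = 8
0 128 16 64 0 0 0 0
data len = 6
50 0 255 12 0 0
data len = 6
255 240 255 0 255 255
data len = 1
64
"""


def parse_capture(text):
    """Return a list of payload tuples. Frames whose byte count, byte values or
    declared DLC are inconsistent are rejected: a cheap sanity check on the logger."""
    frames = []
    declared = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("data len"):
            declared = int(line.split("=", 1)[1])
            if not 0 <= declared <= 8:          # classic CAN DLC is 0..8
                raise ValueError(f"impossible data length {declared}")
            continue
        payload = tuple(int(tok) for tok in line.split())
        if declared is None or len(payload) != declared:
            raise ValueError(f"payload {payload} does not match declared length {declared}")
        if any(not 0 <= b <= 255 for b in payload):
            raise ValueError(f"byte out of range in {payload}")
        frames.append(payload)
        declared = None
    return frames


def by_length(frames):
    groups = defaultdict(list)
    for frame in frames:
        groups[len(frame)].append(frame)
    return groups


def diff_against_baseline(baseline, active):
    """For each frame length seen in `active`: the frames (with counts) that never
    appeared while idle, and a per-byte mask of the bits that differ from the
    first idle frame of that length. Lengths with no idle frame have no mask."""
    idle = by_length(baseline)
    report = {}
    for length, frames in by_length(active).items():
        seen_idle = set(idle.get(length, []))
        new_frames = Counter(f for f in frames if f not in seen_idle)
        changed = {}
        if idle.get(length):
            reference = idle[length][0]
            for frame in frames:
                for pos, (a, b) in enumerate(zip(frame, reference)):
                    if a ^ b:
                        changed[pos] = changed.get(pos, 0) | (a ^ b)
        report[length] = {"new_frames": dict(new_frames), "changed_bytes": changed}
    return report


def describe(report):
    """Human-readable summary, bytes in hex so bit patterns are easier to spot."""
    lines = []
    for length in sorted(report):
        entry = report[length]
        lines.append(f"len {length}: {len(entry['new_frames'])} frame(s) not seen while idle")
        for frame, n in entry["new_frames"].items():
            lines.append(f"  {' '.join(f'{b:02X}' for b in frame)}  x{n}")
        for pos, mask in sorted(entry["changed_bytes"].items()):
            lines.append(f"  byte {pos}: bits 0x{mask:02X} toggle")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(diff_against_baseline(parse_capture(IDLE_CAPTURE),
                                         parse_capture(SIDELIGHT_CAPTURE))))
```

Run it as-is to see the summary for the constructed captures; to use it on your own logs, read the two files into `IDLE_CAPTURE` and `SIDELIGHT_CAPTURE`. Repeating a capture several times and keeping only the frames that differ every time is what separates the event-driven frames from the fixed periodic traffic the post above mentions.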



 

It is a complex task to understand the scaled data such as vehicle speed etc but as this can be also read with a generic obd 2 adapter such as ELM327 for most vehicles then I'm guessing this has been standardised. This is why I'll go down the obd route for reading scaled data and outputting to lcd. I've seen several videos and articles on how this was done and will try this at some stage.

 

The other part is the canbus data, which I am happy to limit to looking for fixed data such as sidelight, door locks etc. From the bus I'm currently connected to I seem to just read the following constantly repeating when nothing is on, it doesn't change at all.

 

data len = 8

0 0 0 0 0 0 0 0

 

On a basic level I'm hoping to just retransmit the canbus information for the sidelights (which has been the same data the 4 times I recorded it) to hopefully see a result. I won't be changing any data as such, but monitoring the bus for interesting traffic and let the arduino code perform a separate function based on matching values.

 

I don't admit to knowing much about this at all but if I only got that part working I would be happy :)
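The guess in the post above is right: the scaled engine values are standardised as OBD-II Mode 01 PIDs (SAE J1979), which is what an ELM327 reads. Below is an added example, not code from this thread or from any of the projects it mentions, showing the request and response frames and the decoding of the values the post lists (throttle position, engine load, fuel pressure, plus speed, coolant temperature and RPM). The CAN IDs 0x7DF (functional request) and 0x7E8 to 0x7EF (ECU responses) and the scaling formulas are the public OBD-II ones; the ECU replies are constructed, not captured from a 350z. The decoder checks the response ID, the ISO-TP length byte, the response mode and that the PID echoed back matches what was asked for, so a stray frame cannot be mistaken for an answer.

```python
# Added example (not code from the thread): OBD-II Mode 01 request/response
# handling for the standardised, scaled values discussed above.

MODE_CURRENT_DATA = 0x01
RESPONSE_MODE = 0x41          # 0x40 + request mode
NEGATIVE_RESPONSE = 0x7F
REQUEST_ID = 0x7DF            # functional (broadcast) request, 11-bit
RESPONSE_IDS = range(0x7E8, 0x7F0)

# pid -> (name, number of data bytes, scaling function of bytes A and B)
PIDS = {
    0x04: ("engine_load_pct", 1, lambda a, b: a * 100 / 255),
    0x05: ("coolant_temp_c", 1, lambda a, b: a - 40),
    0x0A: ("fuel_pressure_kpa", 1, lambda a, b: 3 * a),
    0x0C: ("engine_rpm", 2, lambda a, b: (256 * a + b) / 4),
    0x0D: ("vehicle_speed_kmh", 1, lambda a, b: a),
    0x11: ("throttle_pos_pct", 1, lambda a, b: a * 100 / 255),
}


def build_request(pid):
    """Single-frame ISO-TP request: [payload length, mode, PID] padded to 8 bytes."""
    if pid not in PIDS:
        raise ValueError(f"unsupported PID 0x{pid:02X}")
    payload = bytes([0x02, MODE_CURRENT_DATA, pid])
    return REQUEST_ID, payload + bytes(8 - len(payload))


def decode_response(can_id, data, expected_pid=None):
    """Validate a Mode 01 response frame and return (name, scaled value)."""
    if can_id not in RESPONSE_IDS:
        raise ValueError(f"0x{can_id:03X} is not an OBD-II response ID")
    if len(data) != 8:
        raise ValueError("classic CAN OBD frames carry 8 bytes")
    length, mode, pid = data[0], data[1], data[2]
    if mode == NEGATIVE_RESPONSE:
        # Negative response layout: [len, 0x7F, rejected mode, NRC]
        raise ValueError(f"ECU rejected mode 0x{pid:02X} with NRC 0x{data[3]:02X}")
    if mode != RESPONSE_MODE:
        raise ValueError(f"unexpected response mode 0x{mode:02X}")
    if expected_pid is not None and pid != expected_pid:
        raise ValueError(f"response PID 0x{pid:02X} does not match request 0x{expected_pid:02X}")
    if pid not in PIDS:
        raise ValueError(f"unsupported PID 0x{pid:02X}")
    name, nbytes, scale = PIDS[pid]
    if length != 2 + nbytes:
        raise ValueError(f"length byte {length} inconsistent with PID 0x{pid:02X}")
    a = data[3]
    b = data[4] if nbytes == 2 else 0
    return name, scale(a, b)


def query_all(send_and_receive):
    """Poll every supported PID through a caller-supplied transport,
    send_and_receive(can_id, data) -> (can_id, data). Returns name -> value."""
    results = {}
    for pid in PIDS:
        rx_id, rx_data = send_and_receive(*build_request(pid))
        name, value = decode_response(rx_id, rx_data, expected_pid=pid)
        results[name] = value
    return results


# Constructed ECU replies standing in for a real bus (engine ECU at 0x7E8).
FAKE_ECU = {
    0x04: bytes([0x03, 0x41, 0x04, 0x66, 0, 0, 0, 0]),   # load  = 102*100/255
    0x05: bytes([0x03, 0x41, 0x05, 0x7B, 0, 0, 0, 0]),   # temp  = 123-40
    0x0A: bytes([0x03, 0x41, 0x0A, 0x64, 0, 0, 0, 0]),   # fuel  = 3*100
    0x0C: bytes([0x04, 0x41, 0x0C, 0x1A, 0xF0, 0, 0, 0]),  # rpm = (26*256+240)/4
    0x0D: bytes([0x03, 0x41, 0x0D, 0x50, 0, 0, 0, 0]),   # speed = 80
    0x11: bytes([0x03, 0x41, 0x11, 0x33, 0, 0, 0, 0]),   # throttle = 51*100/255
}


def fake_transport(can_id, data):
    """Stand-in for the CAN shield: answers from the constructed table above."""
    assert can_id == REQUEST_ID and data[1] == MODE_CURRENT_DATA
    return 0x7E8, FAKE_ECU[data[2]]


if __name__ == "__main__":
    for name, value in query_all(fake_transport).items():
        print(f"{name:20s} {value}")
```

On real hardware, `fake_transport` is replaced by a function that writes the request frame to the shield and returns the next frame whose ID is in the 0x7E8 to 0x7EF range; the `expected_pid` check is what keeps a late reply to an earlier request from being displayed under the wrong label on the LCD.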


Update:

 

After tidying the code to query for a node id before each message I have managed to find messages originating from about 7 different nodes when I switch on the sidelights. I am going through each frame or sequence of frames and transmitting them on a loop and have somehow managed to switch on the xenons by continuously looping one frame, :D however it also turns on the foglight symbol on the dash! :dry:

 

At least I know my transmission format is being recognised now! :yahoo:

Just hope I don't fry the bcm!


I've done a bit of CAN bus reverse engineering. I used a CANdo interface, which makes it nice and easy as it'll list all the nodes and give you a table of data in real time and will also log the stream if you like. You can also send data onto the bus to make stuff happen. I was helping the guys from Syvecs get the 350Z dash board (engine temp, rev counter, CEL etc) and ABS wheel speeds etc for their 350z kit.

Edited by Jez