Hacking the Jeep Interior CAN-Bus

The Jeep’s Electronic Vehicle Information Center (EVIC) Displays a Custom Message

I have a 2012 Jeep Wrangler Unlimited and have a few projects where I wanted to integrate closely with the vehicle’s electronics. Instead of tapping into the final wiring of the car, I wanted to leverage the vehicle’s own computers to tell my accessories what to do. The end goal is a much tighter, more seamless integration and much less modification to the wiring of the vehicle.

Modern automobiles use a technology called a Controller Area Network, or CAN-Bus, to communicate between the different computers within the vehicle. The use of this technology greatly simplifies the wiring requirements within the vehicle as a large number of components can share a single twisted-pair wiring harness.

There are actually three separate CAN bus systems used in the vehicle: the CAN-Interior (also known as CAN Interior High Speed/IHS), the CAN-C and the Diagnostic CAN-C. The CAN-Interior bus is used for communication between the interior modules of the vehicle, such as the dashboard and radio and runs at 125 Kbps. The CAN-C bus is used by the power train components and runs at 500 Kbps. Finally, there is the Diagnostic CAN-C which also runs at 500 Kbps.

The Diagnostic CAN-C bus is used to talk to a gateway computer, the Totally Integrated Power Module or TIPM. This gateway implements all of the logic needed for onboard diagnostics, and communicates to the other two buses as needed. One effect of this implementation is that data from the other buses is not easily obtained via the data link connector (a.k.a. the OBD-II port) underneath the dash. While a tremendous amount of information is available via the diagnostic bus, it isn’t easy to hack or obtain without getting official documentation from the manufacturer directly.

I came across canbushack.com when I was thinking about looking at the CAN-interior bus and was happy to see much of the information I was after is on that bus. Unfortunately, I also found that the implementation has changed quite a bit from the time most of the work was done on that site versus what is in my Jeep today.

Custom Wiring Harness using the Radio C2 Connector

The easiest way to access the CAN-interior bus is the radio C2 harness. I built a pigtail wiring harness by buying a couple of aftermarket radio wiring harnesses, linking them together, and splicing in a pair of wires for the CAN-H and CAN-L connectors. By making a custom pigtail like this I avoided having to alter any of the OEM wiring, making for both easy removal and a lower risk of screwing up something.

I originally used an Arduino Uno micro-controller board and a CAN interface shield from SparkFun and SK Pang Electronics. This platform is a prototype for what I will eventually use as the final production solution for my projects, but I quickly found that analyzing and hacking the vehicle’s CAN-Interior bus was too tedious with that solution, for two primary reasons: a) I had to write code to test any hypothesis, and b) I had to be physically connected to the Arduino with my laptop, in the car, in the cold of winter.

Raspberry Pi with CAN Interface Board

To solve both issues, I configured a Raspberry Pi system with a CAN interface board made specifically for it by SK Pang Electronics and a USB WiFi dongle so I could leave the system in the vehicle and log in to it from the comfort of my living room. Since the RPi is a temporary research solution only, I only placed it in the glovebox, connected the CAN-H and CAN-L wires, and used a USB power supply directly from the vehicle’s 12v auxiliary power port.

Configuring the Raspberry Pi to communicate with the CAN Bus is unfortunately non-trivial, and I will cover that in another post.

What’s great about using Linux for CAN-bus hacking is the plethora of great tools available. The can-utils package in particular contains the command-line tools I used to analyze CAN bus messages and generate my own.

The very first thing to do is to look at the traffic on the bus using the candump utility. This utility does exactly what it sounds like – dumps all of the traffic it sees on the bus to your terminal or to a file. When I first tried candump on the CAN-Interior bus of the Jeep, I started to see data like this:

id:0x402 len:8 rtr:0 data:0xfe 0x02 0x3f 0xff 0xff 0xff 0xff 0xff
id:0x3e6 len:3 rtr:0 data:0x0b 0x11 0x1e
id:0x1e7 len:8 rtr:0 data:0x70 0x00 0x00 0x00 0x00 0x00 0x00 0x00
id:0x208 len:7 rtr:0 data:0x00 0x00 0x6d 0x5a 0x1e 0x01 0x2c
id:0x2d2 len:3 rtr:0 data:0x00 0x33 0x00
id:0x2dd len:4 rtr:0 data:0x05 0x00 0x00 0x00
id:0x2df len:8 rtr:0 data:0x10 0x04 0x03 0xe8 0x0f 0xa0 0x09 0xbf
id:0x286 len:6 rtr:0 data:0x03 0x38 0x00 0x00 0x00 0x00
id:0x348 len:8 rtr:0 data:0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
id:0x2d2 len:3 rtr:0 data:0x00 0x33 0x00
id:0x2eb len:4 rtr:0 data:0x1e 0x00 0x64 0xee
id:0x2ce len:8 rtr:0 data:0xff 0xff 0x00 0x00 0x00 0x00 0x00 0x00
id:0x2b0 len:4 rtr:0 data:0x02 0x00 0x00 0x00
id:0x211 len:8 rtr:0 data:0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff
id:0x19f len:8 rtr:0 data:0x01 0xff 0x00 0xff 0xff 0xff 0xff 0x00
id:0x370 len:8 rtr:0 data:0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
id:0x214 len:7 rtr:0 data:0x04 0x0d 0xba 0x00 0x14 0xb4 0x00
id:0x286 len:6 rtr:0 data:0x03 0x38 0xc0 0x00 0x00 0x00
id:0x2eb len:4 rtr:0 data:0x1e 0x00 0x64 0xef
id:0x2ce len:8 rtr:0 data:0xff 0xff 0x00 0x00 0x00 0x00 0x00 0x00
id:0x211 len:8 rtr:0 data:0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff

What a mess! That amount of data flashed across the screen in less than a quarter second and began to repeat in long cycles. It was very difficult to look at such a stream of data and detect when changes occurred based upon user action. Luckily, the can-utils package includes another awesome tool called cansniffer that can help with that very problem.

When you run cansniffer, it looks at the traffic for specific message ids and begins to filter out repeating messages that do not change. After a few seconds of startup time, the Jeep is left with the following changing data while in accessory mode:

214 04 12 70 00 13 11 00 ..p....
217 63 78 07 40 6b fd cx.@k.
219 01 47 35 43 4c 32 37 31 .G5CL271
3e6 00 0d 12 ...

It was clear from watching cansniffer what some of this data was.

Message Id $219 is the vehicle identification number repeated over and over. The first byte of the message is the message #, $00 through $04 with the VIN split across each.

Message Id $3e6 is a clock of the hours, minutes and seconds since the vehicle was turned on.

I was then able to operate switches in the vehicle and discover the following messages in short order:

244 81 00 39 C3 80 # Driver's door open, byte 0
244 80 00 39 C3 80 # Driver's door closed, byte 0
208 01 22 6d 5a 1e 01 2c # Left blinker on, byte 0
208 00 22 6d 6a 1e 01 2c # Left blinker off, byte 0
208 02 22 6d 5a 1e 01 2c # Right blinker on, byte 0
208 00 22 6d 6a 1e 01 2c # Right blinker off, byte 0
1e1 00 00 10 65 00 00 00 00 # Steering wheel position, bytes 3 & 4
2e0 00 01 47 21 ff ff 0c # Brake pedal depressed, byte 4
2e0 00 01 47 20 ff ff 0c # Brake pedal released, byte 4
2e7 84 1c 00 00 00 00 87 # Parking brake on, byte 0
2e7 04 1c 00 00 00 00 87 # Parking brake off, byte 0
292 00 49 33 00 00 48 28 # Throttle pressed, byte 3
2a8 00 01 00 00 00 00 # Windshield wipers, byte 3
2e5 03 # Rear wiper
2d2 01 06 00 # 4WD-HI
2d2 04 04 00 # 4WD-LO
2d2 00 03 00 # 2WD
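
Both the cansniffer filtering and the switch-by-switch discovery above come down to comparing each frame with the previous frame of the same id. The following Python sketch is an added example, not code from the original post: it parses the dump format shown earlier and reports only the byte positions that change during an action but never while idle. The IDLE frames are copied from the capture on this page; the ACTION capture is constructed from the page's two $244 door payloads.

```python
import re

# Matches the dump format shown on this page, e.g.
#   id:0x2d2 len:3 rtr:0 data:0x00 0x33 0x00
FRAME_RE = re.compile(r"id:0x([0-9a-fA-F]+)\s+len:(\d+)\s+rtr:\d\s+data:(.*)$")

# Idle traffic: frames copied from the capture earlier on this page.
IDLE = """\
id:0x2d2 len:3 rtr:0 data:0x00 0x33 0x00
id:0x286 len:6 rtr:0 data:0x03 0x38 0x00 0x00 0x00 0x00
id:0x2eb len:4 rtr:0 data:0x1e 0x00 0x64 0xee
id:0x2d2 len:3 rtr:0 data:0x00 0x33 0x00
id:0x286 len:6 rtr:0 data:0x03 0x38 0xc0 0x00 0x00 0x00
id:0x2eb len:4 rtr:0 data:0x1e 0x00 0x64 0xef
""".splitlines()

# Constructed capture: idle frames plus the page's two $244 door payloads,
# re-typed into the dump format above.
ACTION = """\
id:0x2eb len:4 rtr:0 data:0x1e 0x00 0x64 0xee
id:0x244 len:5 rtr:0 data:0x81 0x00 0x39 0xc3 0x80
id:0x2eb len:4 rtr:0 data:0x1e 0x00 0x64 0xef
id:0x244 len:5 rtr:0 data:0x80 0x00 0x39 0xc3 0x80
""".splitlines()


def parse_frame(line):
    """Return (can_id, payload) for a dump line, or None if it is not a frame."""
    m = FRAME_RE.match(line.strip())
    if m is None:
        return None
    data = bytes(int(tok, 16) for tok in m.group(3).split())
    if len(data) != int(m.group(2)) or len(data) > 8:
        raise ValueError(f"payload does not match len field: {line!r}")
    return int(m.group(1), 16), data


def changed_bytes(lines):
    """List (id, byte_index, old, new, flipped_bits) for every payload byte
    that differs from the previous frame seen with the same id."""
    last, events = {}, []
    for line in lines:
        frame = parse_frame(line)
        if frame is None:
            continue
        can_id, data = frame
        prev = last.get(can_id, data)  # first sighting compares equal
        last[can_id] = data
        events += [(can_id, i, old, new, old ^ new)
                   for i, (old, new) in enumerate(zip(prev, data)) if old != new]
    return events


def isolate(idle_lines, action_lines):
    """Changes seen during an action that never occurred while idle."""
    noisy = {(can_id, idx) for can_id, idx, *_ in changed_bytes(idle_lines)}
    return [e for e in changed_bytes(action_lines) if (e[0], e[1]) not in noisy]


if __name__ == "__main__":
    for can_id, idx, old, new, bits in isolate(IDLE, ACTION):
        print(f"${can_id:03x} byte {idx}: {old:02x} -> {new:02x} (bits {bits:08b})")
```

Byte indices are zero-based, counted from the first data byte.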

Some of the data in each message is immediately apparent, while other bytes will take more analysis to figure out what they represent. I was particularly surprised to see that the steering wheel movement generated any data at all on the CAN-Interior bus.

Some actions result in multiple messages being generated. In particular, the lights appear to generate two message ids when state is changed, one to two with id $208 and another with id $2e1. Here’s what I’ve found so far:

208 00 22 6d 5a 1e 01 2c # Lights on w/ fogs
208 58 22 6d 51 1e 01 2c
2e1 1a

208 00 22 6d 5a 1e 01 2c # Lights off w/ fogs
2e1 1b

2e1 1b # Fogs on
2e1 0b # Fogs off
2e1 0a # Lights on w/o fogs
2e1 0b # Lights off w/o fogs

The Radio generates a lot of data, too:

29e 00 03 97 20 02 ff ff ff # Change to FM 91.9

291 09 01 05 30 f0 00 07 # Change to satellite, w/ no signal
293 00 00 b8 20 02 ff ff ff

291 01 01 05 10 10 00 07 # Change to FM, 91.5
291 00 03 93 20 02 ff ff ff

291 09 01 05 30 80 00 07 # Change satellite stations
293 00 00 19 23 02 ff ff ff
295 43 65 73 52 65 77 6e 64 # ClsRewnd

29e 00 00 0f 21 02 00 00 00 # Change CD tracks, byte 3

3d9 0a 0a 0a 0a 0a ff # Change volume, byte 0
3d9 08 0a 0a 0a 0a ff # Change volume, byte 0

Message id $295 is the most fun, as any message broadcast with that id will appear on the vehicle’s EVIC message line, assuming you have disabled the ECO option from being displayed.

Stay tuned for more information about the bus, how to setup both the Arduino and Raspberry Pi to talk to a CAN bus, and details about upcoming projects.



Part 1 – Installing the custom wiring harness

Part 2 – routing the CAN-Bus extension

Part 3 – Hooking up the bus to the Raspberry Pi

Part 4 – Using Linux to Analyze CAN-Bus Data

Part 5 – Sending Custom Messages to the EVIC

Part 6 – What Happens if you Corrupt the CAN-Bus





Published by


Chad is a software developer from Houston, Texas, USA. He's been working in the software industry since the 1980s and presently works for Alert Logic, a provider of managed security-as-a-service solutions for the Cloud. He spends way too much time bicycling or playing with cars.

184 thoughts on “Hacking the Jeep Interior CAN-Bus”

  1. Guess that was my question, didn’t know if anyone had messed with the nav system or not before I wasted time finding out I can’t do it 🙂

  2. There are some folks who have hacked into the radio for some fixes and other things… if you can get in touch with them you may be able to get some more information (I haven’t approached this topic at all).

  3. Hi Chad,

    About reading the position of the steering wheel, do you know if the position of the steering wheel is broadcasted by the Raspberry Pi into the CAN bus, would it cause the wheels to steer?

  4. No, it would not (on this vehicle). There are no actuator motors or systems that would read the values and move the steering wheel at all. You are not going to find that on any vehicle that doesn’t have some sort of auto-pilot functionality (e.g. Acura MDX, Lexus LS, Tesla, etc.)

  5. Could a device be built to put into the bus like tach signal check engine speedometer and such

  6. how can you activate different modules in the network?
    software, sending a coded message etc
    on jeep to unlock rear camera video in motion etc

  7. This all sounds fantastic, and work well done.
    I have a 2005 Jeep Grand Cherokee 5.7 V8, and it is just being repaired after a security lock out and it cost heaps.
    I am in Australia and a long way from help, I will keep following and maybe give it a go myself

  8. I need to unlock my Jeep’s brain 2015 Jeep wrangler Rubicon unlimited

  9. Hi, I am trying to get a UConnect 8.4″ from a RAM 1500 -2015 to work on my bench.
    I’ve been using the Microchip CAN Bus Analyzer tool connected to IHS, and powered the head unit with 12V. I send 30B#6100 message every 100ms, which I’ve heard should wake the radio and I do get a bunch of CAN replies, but my screen stays black. Do you or maybe someone else here have an idea, where I can continue my search to get the UConnect started.

  10. That can be a tricky one to get working since the radio won’t give you any feedback until it actually works.

    You have two likely possibilities: 1) that is not the correct command for that model year radio (they do change from model year to model year). 2) You’ve not got the wiring, speed, etc. setup right.

    Chances are it’s #1 at this point.

    What I would do, if you have access to an original vehicle where it does work, is to see if you can capture enough CAN data to get an idea of what messages are coming out that frequently. There will only be a few. There are some utilities (samcanutils but I see they are no longer on github – I could upload there if you need them) that will do a statistical analysis to find what you need.

  11. Thank you for your reply! I was a bit naive when I was hoping for the wakeup command to be the same on all uconnects. I will continue my search with focus on this. I guess it’s most likely not locked to the VIN-number.

  12. There is an awesome software tool out called alfaOBD. It works on jeeps and rams as well as fiat and other vehicles. It does cost 49$ for android and around 58 for the windows version. You MUST use an OBDLink MX to enable features or change features. So far I know it works on some vehicles 2010 and up.

  13. Hi. I’m wondering if you ever found the code to turn on the factory Alpine upgrade amp?

  14. Awesome blog and posts!

    I wonder if Paul Dufresne ever got the fader on the factory amp to work via CAN? I recently replaced the factory REC unit with a Kenwood, and this is one feature for which I would bother to set up a Pi / CAN shield if I knew it would work.

    Anybody controlling the factory amp via CAN?

  15. So here’s a thought… Jeep Grand Cherokee – the vehicle has a connection to the internet via some 3G cellular modem. The traffic is always enabled even if no services are in use. This is how it records your mileage and such to Mopar site I suspect: https://www.mopar.com/jeep/en-us/my-vehicle/maintenance-records.html. This also means that UConnect features like remote start and such probably work through this modem. They probably have to pay for the cell modem service (hence a yearly subscription cost and then some). It’s likely that there’s a proxy or gateway that traffic is allowed. If the modem can be tricked into thinking the proxy address to mopar or uconnect (by like modifying host file IP address of that domain) to point to your home IP. Then you should be able to send and receive all traffic at the modem level … in your home. Then, you can duplicate the protocol (using a sniffer) to send and receive these commands on the software side. This software part I can figure out. Tricking the cell modem to resolve another domain to my house IP remains unclear. Any thoughts?

  16. Chad,
    I like the work you did on your 2012 Jeep Wrangler. I was wondering if you could by any chance help me with the problem I’m experiencing with getting the CAN codes from a 2011 Dodge Caravan. So currently, I have my software hooked up to what I believe is the Diagnostic CAN-C from the port of my TIPM in the car (500kbs per sec). Wireshark (the software I’m using) can sniff packages coming in as the car is on, however it doesn’t pick up any CAN ID’s when I activate the door-locks, wipers, washers, and other functions, but will sniff things like headlights, AC, transmission, etc. Could they be in another bus line?

  17. I would not expect to see those messages on the diagnostic bus in raw form. I believe that year Grand Caravan has a similar network arrangement to the Jeep JK. I would consider plugging into the radio like I did (the harness is the same!) and I bet you will find the messages then.

    The diagnostic port can be used to retrieve that information, but it will be only via a diagnostic software or emulation, which I unfortunately have not yet figured out a workaround for.

  18. Chad
    Thanks a lot for the reply! I’ll be sure to try plugging into the harness for those codes. I really appreciate it! There’s one more thing I’d like to ask because I’m unsure whether or not it’s true. Does the TIPM need an activation code for it to receive and terminate CAN commands? I’d like to get the TIPM to function and perform independent from the vehicle by sending respective CAN codes for each function. I just don’t know if it needs a code to actuate the TIPM before sending commands.

  19. Hello Chad
    I did send this message but I am not sure if it passed, at least is not posted.

    Thanks for the information you share, I don’t know much about this but I happened to find this thread after looking for a solution for my EVIC in my jeep liberty 2004.

    There is a lot of people having trouble with the temperature display showing dashes “_ _”, and it seems there is a communication problem as from one year to the other they change how the EVIC gets the data from the BCM and or PCM module.

    I posted this thread into a jeep forum

    And I wonder if you could drop some lines to help me solve the problem.
    Regards and thanks a lot.

  20. I’m trying to complete an axle swap and I can’t find any info on overriding the abs sensors for the rear sensors or at least allowing the jeep to drive based off just the front speed sensors. I already have ABS disabled. Do you know of any way to spoof out the computer to allow it to drive with only the front speed sensors?

  21. Chad
    Do you think you could use this to unlock your sway bar in 2WD?

    My workaround require extensive rewiring and could affect the factory waterproofing.

    Would it be possible separate the auto sway bar module from the CAN, insert the RBP in the middle to have it send acceptable unlock Parameters even though the jeep is trying to tell it otherwise?

  22. Hello, I was wondering if you could elaborate on the harness a little, I have an aftermarket harness for an iDatalink (ties into the can system to keep steering wheel controls with an aftermarket radio) which is tied into the C2 harness. What wires are you using for the canH and canL? and to get into the interior can the speed is set to 50k right?

  23. Best thing to do for any connector is head over to http://connectors.dcctools.com/ and search for the particular connector you are looking for.

    For the Radio C2 connector, for example, and for my 2014, it is pin 2 for CAN IHS- and pin 13 for CAN IHS+

    It depends upon the year… for my year JK, the CAN IHS is at 125 Kbps; diagnostic and powertrain run at 500 Kbps. If you’re thinking 50 Kbps then you likely have an older Mopar vehicle…

  24. Possibly, yes… you’d have to do some analysis to see if it is possible just with introducing a message, or if the powertrain computer is smart enough to deny you regardless of what you tell it. I suspect the latter.

  25. No ideas, other than to start from first principles. Can you do some diagnostic on your CAN bus and see the temperature data, or is it that the temperature data doesn’t make it onto the CAN bus for the EVIC to see?

  26. Question; I have a 2012 JK and took it in for service. They gave me a 2017 JK to drive. I noticed the EVIC had all kinds of things mine doesn’t. Like digital speed, had actual tire pressures and locations from TPMS. Do you think it’s possible to flash a newer (2017) firmware to the 2012 to add these features? I’m assuming the hardware is the same or compatible. Great work on this, I’m a techy and have hacked all kinds of things on my Jeep, the factory radio, etc.

  27. Maybe but probably not. There hasn’t been great success in the Jeep aftermarket world with flashing modules freely, primarily given the way the software interacts with their Dealer Network software system. I’m sure it is absolutely possible to figure that out, should someone want to do so.

    As far as your specific question, I think the answer is: it depends. Some of the features are absolutely both hardware and software (TPMS in particular), others do appear to be software only changes.

  28. Question
    I have a 2007 Jeep JK and will be swapping out the Dash and Steering Wheel. I have a after market radio with an idatalink maestro unit. Is there a way to get the Radio buttons on the Wheel to work?

  29. Isn’t that the whole point of the iDatalink Maestro ADS-MSW, to do that very thing? Sounds like a support question for them.

  30. The Steering wheel controls were not an option on the 07 and don’t think they were till 2011. Would installing a newer Body control module work? From reading your past post it does not seem to be a way to add that Feature. Thx
