Hacking the Jeep Interior CAN-Bus

Hacked!
The Jeep’s Electronic Vehicle Information Center (EVIC) Displays a Custom Message

I have a 2012 Jeep Wrangler Unlimited and have a few projects where I wanted to integrate closely with the vehicle’s electronics. Instead of tapping into the final wiring of the car, I wanted to leverage the vehicle’s own computers to tell my accessories what to do. The end goal is a much tighter, more seamless integration with much less modification to the wiring of the vehicle.

Modern automobiles use a technology called a Controller Area Network, or CAN-Bus, to communicate between the different computers within the vehicle. The use of this technology greatly simplifies the wiring requirements within the vehicle as a large number of components can share a single twisted-pair wiring harness.

There are actually three separate CAN bus systems used in the vehicle: the CAN-Interior (also known as CAN Interior High Speed/IHS), the CAN-C and the Diagnostic CAN-C. The CAN-Interior bus is used for communication between the interior modules of the vehicle, such as the dashboard and radio, and runs at 125 Kbps. The CAN-C bus is used by the power train components and runs at 500 Kbps. Finally, there is the Diagnostic CAN-C, which also runs at 500 Kbps.

The Diagnostic CAN-C bus is used to talk to a gateway computer, the Totally Integrated Power Module or TIPM. This gateway implements all of the logic needed for onboard diagnostics, and communicates with the other two buses as needed. One effect of this implementation is that data from the other buses is not easily obtained via the data link connector (a.k.a. the OBD-II port) underneath the dash. While a tremendous amount of information is available via the diagnostic bus, it isn’t easy to hack or obtain without getting official documentation from the manufacturer directly.

I came across canbushack.com when I was thinking about looking at the CAN-interior bus and was happy to see much of the information I was after is on that bus. Unfortunately, I also found that the implementation has changed quite a bit from the time most of the work was done on that site versus what is in my Jeep today.

Radio C2
Custom Wiring Harness using the Radio C2 Connector

The easiest way to access the CAN-interior bus is the radio C2 harness. I built a pigtail wiring harness by buying a couple of aftermarket radio wiring harnesses, linking them together, and splicing in a pair of wires for the CAN-H and CAN-L connectors. By making a custom pigtail like this I avoided having to alter any of the OEM wiring, which makes for both easy removal and a lower risk of screwing something up.

I originally used an Arduino Uno micro-controller board and a CAN interface shield from SparkFun and SK Pang Electronics. This platform is a prototype for what I will eventually use as the final production solution for my projects, but I quickly found that analyzing and hacking the vehicle’s CAN-Interior bus was too tedious with that solution, for two primary reasons: a) I had to write code to test any hypothesis, and b) I had to be physically connected to the Arduino with my laptop, in the car, in the cold of winter.

RPi
Raspberry Pi with CAN Interface Board

To solve both issues, I configured a Raspberry Pi system with a CAN interface board made specifically for it by SK Pang Electronics and a USB WiFi dongle so I could leave the system in the vehicle and log in to it from the comfort of my living room. Since the RPi is a temporary research solution only, I simply placed it in the glovebox, connected the CAN-H and CAN-L wires, and powered it with a USB power supply plugged directly into the vehicle’s 12v auxiliary power port.

Configuring the Raspberry Pi to communicate with the CAN Bus is unfortunately non-trivial, and I will cover that in another post.

What’s great about using Linux for CAN-bus hacking is the plethora of great tools available. The can-utils package in particular contains the command-line tools I used to analyze CAN bus messages and generate my own.

The very first thing to do is to look at the traffic on the bus using the candump utility. This utility does exactly what it sounds like – dumps all of the traffic it sees on the bus to your terminal or to a file. When I first tried candump on the CAN-Interior bus of the Jeep, I started to see data like this:

id:0x402 len:8 rtr:0 data:0xfe 0x02 0x3f 0xff 0xff 0xff 0xff 0xff
id:0x3e6 len:3 rtr:0 data:0x0b 0x11 0x1e
id:0x1e7 len:8 rtr:0 data:0x70 0x00 0x00 0x00 0x00 0x00 0x00 0x00
id:0x208 len:7 rtr:0 data:0x00 0x00 0x6d 0x5a 0x1e 0x01 0x2c
id:0x2d2 len:3 rtr:0 data:0x00 0x33 0x00
id:0x2dd len:4 rtr:0 data:0x05 0x00 0x00 0x00
id:0x2df len:8 rtr:0 data:0x10 0x04 0x03 0xe8 0x0f 0xa0 0x09 0xbf
id:0x286 len:6 rtr:0 data:0x03 0x38 0x00 0x00 0x00 0x00
id:0x348 len:8 rtr:0 data:0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
id:0x2d2 len:3 rtr:0 data:0x00 0x33 0x00
id:0x2eb len:4 rtr:0 data:0x1e 0x00 0x64 0xee
id:0x2ce len:8 rtr:0 data:0xff 0xff 0x00 0x00 0x00 0x00 0x00 0x00
id:0x2b0 len:4 rtr:0 data:0x02 0x00 0x00 0x00
id:0x211 len:8 rtr:0 data:0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff
id:0x19f len:8 rtr:0 data:0x01 0xff 0x00 0xff 0xff 0xff 0xff 0x00
id:0x370 len:8 rtr:0 data:0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
id:0x214 len:7 rtr:0 data:0x04 0x0d 0xba 0x00 0x14 0xb4 0x00
id:0x286 len:6 rtr:0 data:0x03 0x38 0xc0 0x00 0x00 0x00
id:0x2eb len:4 rtr:0 data:0x1e 0x00 0x64 0xef
id:0x2ce len:8 rtr:0 data:0xff 0xff 0x00 0x00 0x00 0x00 0x00 0x00
id:0x211 len:8 rtr:0 data:0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff

What a mess! That amount of data flashed across the screen in less than a quarter second and began to repeat in long cycles. It was very difficult to look at such a stream of data and detect when changes occurred based upon user action. Luckily, the can-utils package includes another awesome tool called cansniffer that can help with that very problem.

When you run cansniffer, it looks at the traffic for specific message ids and begins to filter out repeating messages that do not change. After a few seconds of startup time, the Jeep is left with the following changing data while in accessory mode:


214 04 12 70 00 13 11 00 ..p....
217 63 78 07 40 6b fd cx.@k.
219 01 47 35 43 4c 32 37 31 .G5CL271
3e6 00 0d 12 ...

It was clear from watching cansniffer what some of this data was.

Message Id $219 is the vehicle identification number repeated over and over. The first byte of each message is the message number, $00 through $04, with the VIN split across the messages.

Message Id $3e6 is a clock of the hours, minutes and seconds since the vehicle was turned on.

I was then able to operate switches in the vehicle and discover the following messages in short order:

244 81 00 39 C3 80 # Driver's door open, byte 0
244 80 00 39 C3 80 # Driver's door closed, byte 0
208 01 22 6d 5a 1e 01 2c # Left blinker on, byte 0
208 00 22 6d 6a 1e 01 2c # Left blinker off, byte 0
208 02 22 6d 5a 1e 01 2c # Right blinker on, byte 0
208 00 22 6d 6a 1e 01 2c # Right blinker off, byte 0
1e1 00 00 10 65 00 00 00 00 # Steering wheel position, bytes 3 & 4
2e0 00 01 47 21 ff ff 0c # Brake pedal depressed, byte 4
2e0 00 01 47 20 ff ff 0c # Brake pedal released, byte 4
2e7 84 1c 00 00 00 00 87 # Parking brake on, byte 0
2e7 04 1c 00 00 00 00 87 # Parking brake off, byte 0
292 00 49 33 00 00 48 28 # Throttle pressed, byte 3
2a8 00 01 00 00 00 00 # Windshield wipers, byte 3
2e5 03 # Rear wiper
2d2 01 06 00 # 4WD-HI
2d2 04 04 00 # 4WD-LO
2d2 00 03 00 # 2WD

Some of the data in each message is immediately apparent, while other bytes will take more analysis to figure out. I was particularly surprised to see that steering wheel movement generated any data at all on the CAN-Interior bus.
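The filtering and decoding steps described above can be reproduced offline against a saved dump. The Python below is an added example, not code from the original post: it parses the dump format shown earlier, reports only payloads that change for a given id (the idea behind cansniffer) along with which bytes changed, decodes the $3e6 clock, and joins the $219 fragments. It assumes the three $3e6 bytes are plain binary hours, minutes and seconds, and that $219 fragments are concatenated in sequence order with non-printable bytes dropped; the 0x244 and 0x219 sample lines are constructed.

```python
import re

# Dump format shown on this page: "id:0x3e6 len:3 rtr:0 data:0x0b 0x11 0x1e"
LINE_RE = re.compile(
    r"id:0x([0-9a-fA-F]+)\s+len:(\d+)\s+rtr:\d\s+data:((?:\s*0x[0-9a-fA-F]{2})*)"
)

# The first seven lines are copied from the dump on this page. The 0x244 and
# 0x219 lines are CONSTRUCTED: 0x244 re-types the door open/closed values in
# dump format (plus one truncated line), 0x219 fragments 0 and 2 are invented
# and fragment 1 is the one frame the page shows.
SAMPLE = """\
id:0x3e6 len:3 rtr:0 data:0x0b 0x11 0x1e
id:0x286 len:6 rtr:0 data:0x03 0x38 0x00 0x00 0x00 0x00
id:0x2d2 len:3 rtr:0 data:0x00 0x33 0x00
id:0x2eb len:4 rtr:0 data:0x1e 0x00 0x64 0xee
id:0x2d2 len:3 rtr:0 data:0x00 0x33 0x00
id:0x286 len:6 rtr:0 data:0x03 0x38 0xc0 0x00 0x00 0x00
id:0x2eb len:4 rtr:0 data:0x1e 0x00 0x64 0xef
id:0x244 len:5 rtr:0 data:0x80 0x00 0x39 0xc3 0x80
id:0x244 len:8 rtr:0 data:0x81
id:0x244 len:5 rtr:0 data:0x81 0x00 0x39 0xc3 0x80
id:0x219 len:8 rtr:0 data:0x00 0x56 0x49 0x4e 0x50 0x41 0x52 0x54
id:0x219 len:8 rtr:0 data:0x01 0x47 0x35 0x43 0x4c 0x32 0x37 0x31
id:0x219 len:8 rtr:0 data:0x02 0x58 0x59 0x5a 0x00 0x00 0x00 0x00
"""


def parse_line(line):
    """Return (can_id, payload) or None if the line is not a well-formed frame."""
    m = LINE_RE.search(line)
    if not m:
        return None
    data = bytes(int(tok, 16) for tok in m.group(3).split())
    # A truncated capture line must not be mistaken for a real state change:
    # the declared length has to match the payload (classic CAN: at most 8).
    if len(data) != int(m.group(2)) or len(data) > 8:
        return None
    return int(m.group(1), 16), data


def parse_dump(text):
    """Parse every line of a dump, silently dropping malformed ones."""
    return [f for f in map(parse_line, text.splitlines()) if f is not None]


def find_changes(frames):
    """Keep only payloads that differ from the previous payload seen for the
    same id, and list the indexes of the bytes that changed."""
    last, out = {}, []
    for can_id, data in frames:
        old = last.get(can_id)
        if old is not None and old != data:
            width = max(len(old), len(data))
            changed = [i for i in range(width) if old[i:i + 1] != data[i:i + 1]]
            out.append((can_id, changed))
        last[can_id] = data
    return out


def decode_clock(data):
    """Assumption: id 0x3e6 carries hours, minutes, seconds as three raw bytes."""
    if len(data) != 3:
        raise ValueError("expected a 3-byte clock payload")
    return "%02d:%02d:%02d" % tuple(data)


def assemble_vin(frames):
    """Assumption: byte 0 of each 0x219 frame is the fragment number and the
    remaining bytes are ASCII; padding and non-printable bytes are dropped."""
    parts = {d[0]: d[1:] for can_id, d in frames if can_id == 0x219 and d}
    raw = b"".join(parts[k] for k in sorted(parts))
    return "".join(chr(b) for b in raw if 0x20 < b < 0x7F)


if __name__ == "__main__":
    frames = parse_dump(SAMPLE)
    for can_id, changed in find_changes(frames):
        print("id $%03x changed in byte(s) %s" % (can_id, changed))
    print("clock:", decode_clock(frames[0][1]))
    print("VIN fragments joined:", assemble_vin(frames))
```

Ids such as $219 show up as "changing" on every frame because their first byte is a counter, which is why they stay visible in the cansniffer view even when nothing in the vehicle is being operated.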

Some actions generate multiple messages. In particular, the lights appear to generate two message ids when their state changes: one or two messages with id $208 and another with id $2e1. Here’s what I’ve found so far:

208 00 22 6d 5a 1e 01 2c # Lights on w/ fogs
208 58 22 6d 51 1e 01 2c
2e1 1a

208 00 22 6d 5a 1e 01 2c # Lights off w/ fogs
2e1 1b

2e1 1b # Fogs on
2e1 0b # Fogs off
2e1 0a # Lights on w/o fogs
2e1 0b # Lights off w/o fogs

The Radio generates a lot of data, too:

29e 00 03 97 20 02 ff ff ff # Change to FM 91.9

291 09 01 05 30 f0 00 07 # Change to satellite, w/ no signal
293 00 00 b8 20 02 ff ff ff

291 01 01 05 10 10 00 07 # Change to FM, 91.5
291 00 03 93 20 02 ff ff ff

291 09 01 05 30 80 00 07 # Change satellite stations
293 00 00 19 23 02 ff ff ff
295 43 65 73 52 65 77 6e 64 # ClsRewnd

29e 00 00 0f 21 02 00 00 00 # Change CD tracks, byte 3

3d9 0a 0a 0a 0a 0a ff # Change volume, byte 0
3d9 08 0a 0a 0a 0a ff # Change volume, byte 0

Message id $295 is the most fun, as any message broadcast with that id will appear on the vehicle’s EVIC message line, assuming you have disabled the ECO option from being displayed.

Stay tuned for more information about the bus, how to set up both the Arduino and Raspberry Pi to talk to a CAN bus, and details about upcoming projects.

Resources

Videos

Part 1 – Installing the custom wiring harness

Part 2 – routing the CAN-Bus extension

Part 3 – Hooking up the bus to the Raspberry Pi

Part 4 – Using Linux to Analyze CAN-Bus Data

Part 5 – Sending Custom Messages to the EVIC

Part 6 – What Happens if you Corrupt the CAN-Bus


Published by

chadwick

Chad is a software developer from Colorado, USA. He's been working in the software industry since the 1980s and presently works for Alert Logic, a provider of managed security-as-a-service solutions for the Cloud. He spends way too much time bicycling or playing with cars.

142 thoughts on “Hacking the Jeep Interior CAN-Bus”

  1. It depends a lot upon the specific vehicle architecture. On my Jeep JK, for example, the OBD-II port is silent without an explicit request for information. It sounds like your Audi is, too. The BMW and Acura I’ve tested with were very chatty. Another collaborator has found other Chrysler products broadcast just about everything on the OBD-II CAN bus. SO, it just depends.

  2. I can see that this post comes thanks to mine, great push.
    Two things that personally I don’t like :
    1- Changing the config.txt, instead of modules file.
    2- The “CAN test”, OK for first testing, but it doesn’t explain to people what to do next and where, just read comments after.

    Thanks for your feedback.

  3. Hi,

    Thanks for doing all these stuffs to let us know more about CAN. I have used a Python sniffer and Arduino CAN-bus shield to analyse the data. I’m trying to figure out how aircon works. I have found all the related CAN-BUS ids and datas for the aircon. When I send them back it doesn’t care my data it keeps sending its own data. I used this way to lock unlock the doors, open the windows, move the seats, lights and so on. I used the aircon id and data for same brand car but different model it worked. I wonder that it maybe LIN-BUS or something else? Here is my id and sample data for fan level and temperature:
    CAN ID: 856, data: 0, 0, 0, 0, 21, 21, 153, 17
    CAN ID: 856, data: 0, 0, 0, 0, 21, 21, 153, 34
    CAN ID: 856, data: 0, 0, 0, 0, 21, 21, 153, 51

    17,34 and 51 are for fan level and 21 is for temperature
    The car is 2015 Model.

  4. If the HVAC module is designed to broadcast its messages constantly (many modules are) then sending your own data instead doesn’t work too well, as you’ve found.

    The HVAC module is pretty easy to pull out of the car (I’m talking about the switches themselves, which is where the module is). Pull that out, hook it up to your Arduino on a bench and see what messages it broadcasts directly. It might be easier to get all of the data that way.

    If you want to completely control HVAC without the switches getting in the way, you may need to build a proxy device, which isolates the HVAC module onto its own private CAN bus, and your proxy can listen and send messages to the HVAC module when it wants to.

  5. You mean something like CAN injector? I know that the other car with same data and same id response my data if I send my desired id and data then the bus changes to my id and data then even I stop sending, it keeps sending my own data. The difference is that these two cars have two different aircons (like Mercedes Viano and Vito) but the CAN-BUS signals and ids are the same. The aircon unit has linbus and canbus cables behind, and when I cut the linbus cables then I change the fan level to the max, it changes on the screen but the fan is not working, if I put the linbus cable back and it detected the fan level on the screen by CANBUS data and it worked in max speed too. I tried HVAC to pull out of the car and see that which CAN id does it have and I found 16 can id belongs to it. If I plug it back the ids come back. I’m not really sure whether the aircon uses CAN-BUS or LIN-BUS. May I have your advice?

    Thank you.

  6. Hi,

    Awesome post! I’m planning on doing this same concept with my 14 Wrangler. One thing I have a question about though. I cannot seem to find these radio c2 connectors (male and female). I was able to find the pinout on the Mopar website along with the entire wiring harness (for $60). You said you spliced your own with an after market harness? Where did you find both of the connectors? Am I just missing something?
    Thanks!

    Lee

  7. Head over to eBay and look for an aftermarket radio harness specific to the Wrangler. There will be two different kinds: the common one will be the harness sold that plugs into the OEM connector but has open wires on the other end, so you can connect it to an aftermarket stereo. The other kind of harness is a repair harness, that is the exact opposite. Those are usually sold to let you fix a poorly done aftermarket installation 🙂

    The BEST KITS BHA6522 is an example of one of the harnesses that I’ve bought.

  8. I went ahead and ordered a Raspberry Pi 2, and also the PiCAN board. When I try to insmod all of the .ko driver files, I get errors, I believe stem from the version of Raspbian (2015-02-16-raspbian-wheezy) I am using, as it may be too new for the kernel and drivers. The kernel seems to work, and LED1 on the PiCAN board comes up once that kernel is loaded, but the .ko files error out before I can get any farther. What version of Raspbian are you using? Also, I want to use the CAN-utils program, but being new to Raspberry Pi, I am unsure how to compile it, and get it running. Any help you can offer on the setup would be wonderful.

    I also picked up some Microchip PIC 18F26K80 and other similar microcontrollers, which all have onboard CAN. I plan to migrate to them, as soon as I get the command structure working on the Raspberry Pi. Based on your experiences, I figure this is the quickest/best way to get moving. Thanks!

  9. Looked at the SK Pang site a little more closely, and found the instructions, sort of hiding in plain sight. I have not tried them, yet, but will tomorrow evening, and will report back. For ease of locating the info in the future, the link is:

    http://skpang.co.uk/blog/archives/1165

  10. Still having trouble making the Raspberry Pi w/PiCAN work properly, but went ahead and bought a cheap CAN -> USB device from amazon.com, and played with four radios tonight. All were low speed, but the thing was, despite so much documentation, I only started getting any data out of them when the speed was set to 83.3k, not 125k. I may be wrong, but thought low speed radios were 125k, and high speed were 500k, but perhaps it is low speed 83.3k, and high speed 125k?? At any rate, while I cannot declare success just yet, I am making progress.

  11. Neil,

    Depending upon your vehicle’s architecture, the low-speed bus may indeed be 83.3 Kbps. The Mopar world in particular used that for the radio and other internal CAN bus modules in the mid-2000s.

  12. Chad,
    Yes, finding that out. Just have the radios on a bench setup. Have an REN, REC, RER and REF. All respond at 83.3k. If you look at pinout data for them, it is listed at 125k, even the earlier radios! I was stuck there for a while, but eventually, got past that. I am noticing that the commands are similar to what you have posted, but some do not operate the same. That’s to be expected when dealing with different model year buses. At any rate, this is pretty neat!

  13. There’s also the switch from the old Mopar message identifiers to the Fiat based message identifiers. In the Jeep JK that happened around model year 2010, I believe. That one is a little annoying since they are pretty different messages across the board.

  14. I’m interested in doing some similar testing with my Jeep JK. Mine is a 2008, however, so I’ll have to confirm that the bus speed is the same and find the right connectors.

    I’m not only interested in reading the bus, however, I’m also interested in sending commands. For example, I’d like to use the Pi to adjust the fade control on the stock amplifier and control the radio (volume, skip, play, pause, etc). I should be able to mimic steering wheel controls to accomplish this.

    In your blog, you said you’d create another post on how to get the Pi to communicate with the canbus. Where can I find that?

  15. I now have four RECs, one REN, two RHRs, and two RERs to play with. One of the RERs was inop when I got it. It would power up briefly, display a Ferrari emblem on a red screen, and then power off. After taking it apart and fixing a few things, it would power up properly. I applied the v2.404 update to it, and it powered back up on the bench – this time it came up as a Volkswagen! I remember a similar thing years ago when I got a used RB1 satnav for my car. It came up at first as a Jeep unit, but then next time it came up as a Dodge in my SRT4. I am guessing one of the many messages out on the bus is a manufacturer’s ID. This also makes one think that despite some visual differences, these same radios are used in a whole lot more than just Chrysler vehicles. The VW info screen and the Ferrari emblem are probably just the tip of the iceberg!

  16. Since I do not have a CAN bus vehicle here, would it be possible to ask you to sniff for any of the following:

    Message and ID for the following:
    – Parking Brake on/off
    – Park/Neutral
    – Reverse
    – Drive

    Thanks!!!

  17. With this CANBUS diagnostics setup, how to change the configuration of the car?

    For example, many people have headache with Europe cars when they change the headlight from Halogen to HID or LED since CANbus pulse the PWM signal to detect the lower power draw and then shut the headlight off.

    So my current interest is to find a way to stop CANBUS to stop reporting this low power draw and keep headlight on.

    Then the further step will be even this pulsing PWM by software if possible? But this could be easily resolve by hardware changes.

    Would like to listen to your ideas.
    This could be a huge market if we could come up with some solution by just selling this software.

    Thanks,
    Tony

  18. Generally, not very easy. The whole world of car configuration is a much deeper topic than just the network protocol on how to get there.

    Your comment has some misconceptions about what is really happening even though your conclusion is right. The car’s ECU’s are ultimately the ones deciding if the voltage is unexpected or not, and they’re the ones that need to have the configuration change. Anything else is just a hack around the signal being sent to them.

    Most cars do have configuration to change this, but then you’re in the OEM diagnostic world which usually is non-trivial.

  19. Hey Chad, were you able to turn on your jeep radio outside of the vehicle on a bench? I’ve been working with an arduino uno with a can bus shield to try and do this so I can bench test chrysler radios. I have found several arduino sketches that claim to do it but none of them have worked. Currently I’m working with an RBZ MyGig radio which uses the 125Kbps speed. Any help would be greatly appreciated.
    Thank You

  20. Hi Chad – Enjoyed your blog – although a lot of it is over my head. My goal is to keep the 430N radio in my 2015 Wrangler Unlimited but reset the internal DSP for a flat response – i.e. remove the curve that the factory programmed in to compensate for the awful speakers they provide (base system 8 speakers (4 LF and 4HF)).
    I am an audio guy not a computer and/or programmer so my idea may be way too simple. I envision the solution similar to a reset “button” for the equalization and gain on the power amplifier to flat or neutral. I know they use the same radios for different cars and speaker systems and just change the EQ and gain to get the most out of the system they are selling.

    Is there a (easy) way to bypass or reset the internal DSP settings for a flat audio response from the speaker (output) amplifiers without hacking into the CAN bus?

    Thank you, Will

  21. The CAN bus won’t come into play with that at all. The external factory amplifier they use for this system only uses the CAN bus to listen for “on” messages – the rest is good ol’ audio connections that are hard-wired, so there really isn’t anything special as far as that goes.

  22. Hi Chad – thanks for getting back with me. After further research I am now focused on installing the Alpine 12 channel amplifier that comes with the 2015 Alpine upgrade (it is inexpensive and optimizes the specific speakers engineered for the speaker encloses that come with all 2015 Wranglers). The Mopar part number is 68223347AC. The Kicker part number (MFG) is 77KCK056. The reason for using that amplifier is I would like to retrofit my 2015 with the Alpine speakers. The speakers themselves are inexpensive and easy to install.

    The rub is that Mopar wants to sell me a whole new wiring harness that cost over $500 and requires re-wiring a good bit of the car. The reason for the new harness (besides the speaker wires and power – which are easy to install) is that the amplifier requires a CAN-bus connection to turn on. It also uses the CAN-bus to make pre-programmed changes to the EQ, signal delay etc. based on triggers like speed, top being removed (rear windshield wiper is then disconnected) etc.

    My questions are:

    1. By making up a harness as you described and connecting that low speed CAN-bus pigtail wires to the amplifier will it recognize the connection and work correctly? And/OR
    2. Do I need to go to a dealer to “flash” the correct code to initialize the amplifier?
    3. If so do you know what the code name would be? It is likely the dealers won’t have any specifics and I would need to tell them the code.
    4. Lastly – if I connect the amplifier as noted above do I run the risk of damaging the CAN-bus?

    Thank you Chad. Will
    will.parry44@gmail.com

  23. Chad – since my post I have received back this response from Alpine engineering. They state that you must re-flash the CAN-bus system using CAN OE Tools to have the power amplifier connect to the car’s CAN-bus system and re-program the radio from a speaker level output to a fixed level output. Looks like a dead end unless a dealer or someone is willing to do this programming. Thoughts?

    From my emails to Alpine:
    Recently you requested personal assistance from our on-line support center. Below is a summary of your request and our response. If this issue is not resolved to your satisfaction, you may reopen it within the next 7 days. Thank you for allowing us to be of service to you.
    Subject
    No Value

    Response By Email (Jim) (09/09/2015 08:06 AM)
    Hi Will,

    One last bit of info I got regarding retrofitting the jeep with the Alpine system.

    “BTW – the retrofit takes ~12 hours and requires CAN OE tools that are near impossible to acquire”
    Response By Email (Jim) (09/09/2015 07:38 AM)
    Q: Is the radio/nav in my Jeep (Mopar model number P68245849AM) compatible with the Mopar 68223347AC amplifier? To the best of my knowledge is only has speaker level outputs.

    A: Same as below, the BCM tells the radio which mode it is in based on Cabin ID, from the factory … fixed output with CAN-based volume messages … or Hi-Level fading outputs for speakers. This can be flashed via CAN Tools, but not likely by the general public.

    Q: The Mopar wiring harness part number 68234726AD. I assume this harness replaces all of the base system speaker wires with the 8 HF/MB speaker wires, the CAN-bus connection, wires feeding the subwoofer and other wires that plug directly into the radio. Is that correct?

    A: We have no involvement in this harness, so we cannot comment at all about compatibility

    Q: The sound bar and the small mid-bass enclosures look identical to the Alpine upgrade system sound bar and mid-bass enclosures. Is that correct?

    A: Identical housing, different wire harness. Alpine is discrete wiring, base audio is in parallel with the dash or soundbar 2.5″ speakers.

    Q: When the amplifier is connected to the CAN-bus will it automatically come up knowing it is in a 4 door Wrangler based on the VIN? Is any additional programming required by the dealer? If so what is the code to tell the dealer?

    A: This question was answered yesterday. The car flashes the amp via BCM, calling up a Vehicle ID for 2dr or 4dr, top on or top off. The amp is capable of storing more than 10 cars of EQ’s with all variants .. crazy capable for an OEM amp

  24. Re-flashing sounds scary! But it isn’t really a re-flash, it’s enabling an option code in the vehicle. Dealers will usually do this for you for cheap, if you know what to ask for.

    I haven’t done this personally, but I believe what they’re talking about here is enabling the feature code in the TIPM to allow power to the Alpine amplifier. Chances are high the forum has info on what option code to enable in the vehicle with the dealer software.

    The same sort of thing gets done when people add a backup camera to the OEM navigation units – the dealers have to enable an option code to make the radio do that.

    In the Chrysler world, the software is very locked down and requires expensive hardware to work with the vehicle. You CAN get access to the software via the techauthority web site, but you need the hardware to talk to the car. Unlike say, the BMW world, no one has really done the effort to make cheaper hardware.

  25. Thank you Chad for clarifying the process. That makes more sense. I have a post out to the Forum and hope to get back a response with the code to get this done.

    This is an interesting change to the stereo system as it not only enables the amplifier to power up but also changes the radio to a fixed level line output device, assigns the front volume control to control the remote amplifiers volume and enables the DSP in the radio to “read” the triggers in the car for different EQ’s. As he notes this amplifier has the DSP settings for 10 different cars. Very clever.

    When I get the code I will pass it along to you.

    Thank you again for your help!!

    Will

    PS – I already added the backup camera and you are 100% right. Once I gave the dealer the code it was done in less than 5 minutes.

  26. Not on this vehicle platform. The power-train control module (PCM) gets brake input directly from the pedal system and doesn’t allow software messages over the other buses to control that. That’s certainly not the case on all vehicles, however.

  27. Hey Chad,

    Great work here. I am wondering if you have compiled some type of database with the message id codes. That is the most difficult part of course in being able to interpret the codes, even using cansniffer, since many codes will be found in these can segments.

    Thanks!

  28. Hello Chad,
    I have been working on a project, but with my limited knowledge I am now stuck. I have a section of a real car that was set up as a driving simulator. It has the original computer which has a can bus output. I found the simulator by a dumpster, and I’m not sure how the people who built it hooked it up. It has a lot of wires coming out, besides the can bus, which I believe are for potentiometers for the gas brake and ignition. I think the steering, gauges and other accessories are hooked up through the can bus. I have ordered an Arduino Leonardo to interface the potentiometers with a computer, but I’m not sure how to gather data from the can bus, mainly for steering, to send to the computer. Could you please help me in any way?
    Thanks, James

  29. This is tricky without much info, but here’s what I’d do next.

    See if you can find out the model of the ECU you’ve got itself. Chances are it is a well-known one, as there really aren’t a lot of different companies who make them. Bosch is certainly one of the main ones, for example.

    If you can find out the make/model of the ECU, then you will almost certainly find the wiring pinouts for it, and then hooking it back up would be pretty easy.

    For the CAN bus itself, you’ll need to do something like I did with the Raspberry Pi projects I talk about on this blog or on the videos. Effectively you get a RPi setup with a CAN bus controller (or you could do it with an Arduino – but it’s a bit more work without the tooling you get from the Linux side of the RPi) and then off you go.

    If you want some more detailed info, let’s talk more via email or here.

  30. The people who have set this up before me have already labeled the high and low for the can bus, so I’m not sure if I would still need to see a pinout? Also my ECU is a Denso, and I’m not sure of the model: TN232400-0193 or P/N 25847589. I would like to try and use the Arduino board if possible. I’m not sure if this gives any more useful information, but what should I be looking for when I connect the ECU to my Arduino, and how should I go about connecting it? Would it be possible to plug bare wires into the Arduino, or will I have to get a can bus shield?

  31. You’ll need a CAN bus shield, or hook up an MCP2515 and MCP2551 directly on a breadboard (those two chips, plus supporting circuitry, is all that a CAN bus shield will do to make CAN connectivity work). An Arduino can’t talk the CAN protocol directly, so you’ll definitely need something that can.

    An Arduino will talk to an MCP2515 via SPI, so that is an easy thing to program. If you get a CAN bus shield, like the SK-PANG one, then there are some downloadable libraries that do everything you need.

  32. Great article. I’ve been looking into trying to figure out the CAN protocol and what exists in my truck (14 ram 1500) for a while now. I have a few MCP2515s and MCP2551s laying around, I might get around to making the circuit one day. Anyways, what I really want to do is be able to fully understand the protocol/commands available. I have an upgraded cluster I bought for this truck and I’m desperately trying to avoid having to pay more than the price of the cluster itself to have the mileage and engine hours re-programmed to be correct. Unfortunately, I understand that there are lots of commands to these protocols that cannot be sniffed with a logic analyzer (such as re-programming certain values). It is interesting to see you input garbage data with no ill effects, but I certainly don’t like the idea of brute-forcing my CAN bus either. I can’t imagine what that could possibly screw up. So, do you think my only option is to fork over a few hundred bucks for the ISO CAN documents? Do you think those are even what car mfrs use? I’m assuming they do use some protocol that is fully documented somewhere and not internally created by Chrysler, but I could be wrong on that too. Or maybe you think shelling out 300 to have it re-programmed is really the best option at the end of the day? Your input would be appreciated. I suppose it’s a shame though, if that’s the case. I’m completely up for a challenge, with both software and hardware. It’s also interesting you mentioned in the BMW community that cheaper hardware was produced? Was this done by an avid community of enthusiasts? Did they have access to necessary documentation to produce the software/hardware? It seems like this should totally be possible in any scenario and I hate to believe there is no way, but, maybe there is no way. Thanks.

  33. Kevin,

    Paying $300 to do that will be the cheapest, easiest way. Any of the hacking attempts will easily eat up thousands of dollars of man hours on your part (which is okay if you want to do it).

    The ISO CAN documents won’t help you at all here (and they’re available online anyway, if you search). They will cover the bare minimum of standards. The internal vendor documents would help you quite a bit, but those will be way into the proprietary realm where you could only get access if you were a certified partner with the various vendors.

    Now, you may be able to do some of what you need by getting access to a WiTech VCI POD device, which is the current Chrysler/Fiat tool for diagnostics and programming (what the dealers use). The Chinese clone market is making these now, so you can pick one up for less than $500: http://www.aliexpress.com/item/2015-new-arrival-DHL-free-shipping-for-Chrysler-Diagnostic-Tool-WITECH-VCI-POD-with-Multi-Language/1331589656.html

  34. Ey Chad! I know you don’t have a Hyundai but at least I can give it a try… Can you throw me some clues on how to get the can-bus on a Hyundai Elantra 2013? Should I go and make a harness like you? Is the C2 harness a standard or will it be different in my car? How can I tell if I’m able to connect to the interior bus from OBDII? Thank you very much!

  35. Nothing I’ve written about on the Jeep will directly apply to your Hyundai. The network topology of your vehicle will be different, even if some of the concepts will be the same.

    The best thing for you to do is to get access to the service manual for your vehicle and start with that. Figure out what modules are available and what wiring diagrams are available.

    I did find this, which (not surprisingly) tells us that there is a CAN bus available to the navigation/radio head unit. You could certainly build a connector for that and see what data is there. I’d also look at the diagnostic connector (OBD-II port) as it will have a CAN bus as well. It may or may not be the same. http://www.elantraclub.com/forum/uploads/monthly_11_2012/post-4300-1352161101.png

  36. Chad,
    Thanks for taking the time to put your information on the web to help others. I have a 2016 Jeep Wrangler. I have created the wire harness similar to yours and connected up my Sparkfun Canbus. I see all of the codes scrolling by. I captured them into files and wrote a program to compare the files so I can find the codes that I’m looking for. I’m looking to turn my panic button into a remote car starter. My thoughts were to write an Arduino program that listens for the panic code, then it would send the code to turn off the panic, send the code to lock the doors, and finally send the code to start the Jeep. My issue is that I can’t seem to even find the lock code. Even if I have the code and write it to the Canbus, will the Jeep actually lock the doors or do I need to connect to one of the other canbuses?
    Thanks for your help!

  37. Unfortunately what you are doing is one of the areas where the OEM has designed a fair bit of security in. A couple of things I’ll point out you should do next:

    1) Buy the service manual DVD so you can read about how the SKREEM module works. It’ll cover even a lot of the CAN bus communication (at a high level) between that module, the PCM, and the EVIC module.
    2) The SKREEM is on the powertrain C bus, so you’ll need to interface with that.
    3) The SKREEM and PCM use a rolling key algorithm to authenticate stuff, so you probably can’t easily play in their communication to do what you want.
    4) I don’t know if you could send the operational messages (unlock the doors, etc) without doing an authentication first – I bet you can, so in the end you may be able to do what you want.
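Point 3 in the reply above is the reason a recorded frame cannot simply be sent again. The following is an added example, not code from the original post and not the SKREEM/PCM algorithm (which the page does not describe): a generic counter-based rolling code, showing how a receiver rejects a replayed or altered frame. The key, the 8-byte frame layout, the command value and the window size are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 16  # assumed: how far ahead of the last accepted counter the receiver looks


def make_frame(key: bytes, counter: int, command: int) -> bytes:
    """Sender: 1 command byte + 4 counter bytes + 3-byte truncated HMAC (8 bytes, one CAN payload)."""
    body = struct.pack(">BI", command, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:3]
    return body + tag


class Receiver:
    """Accepts a frame only if its tag verifies and its counter moves forward."""

    def __init__(self, key: bytes, last_counter: int = 0):
        self.key = key
        self.last = last_counter

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 8:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:3]
        if not hmac.compare_digest(expected, tag):
            return False  # wrong key or modified payload
        _command, counter = struct.unpack(">BI", body)
        if not (self.last < counter <= self.last + WINDOW):
            return False  # replayed (old) counter, or too far ahead
        self.last = counter  # roll forward: this frame can never be used again
        return True


def demo() -> dict:
    key = b"constructed-demo-key"      # constructed sample value
    rx = Receiver(key)
    first = make_frame(key, 1, 0x10)   # 0x10 is a made-up command byte
    second = make_frame(key, 2, 0x10)
    altered = bytes([0x20]) + second[1:]  # command byte changed, tag left as-is
    return {
        "first": rx.accept(first),
        "replay_of_first": rx.accept(first),
        "altered": rx.accept(altered),
        "far_ahead": rx.accept(make_frame(key, 1000, 0x10)),
        "second": rx.accept(second),
    }
```

A 3-byte tag is used only so the frame fits a classic 8-byte CAN payload; a real design would weigh tag length against the bus's frame size.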

  38. Glad to see information out there on this. I’m starting the process of trying to figure out the can-bus to integrate with an LS power plant for my 07 JKU.

  39. Do you have the messaging for the dash for temperature, oil pressure etc?

  40. Per Jason’s comment… do you know if remote-start also has “a fair bit of security in it” as well?

    I’d LOVE to have Alexa start my Wrangler 🙂

    Thanks in advance!

  41. Hello Chad, I ran into your page as I was searching for an RFI (Radio Frequency Interference) problem with mobile Ham Radio gear installed in my 2015 Jeep JK. My radio amplifier is getting into the CAN BUS right in that radio area. I was thinking of installing some RFI Suppression Snap-On Ferrite Beads on the radio cable you are showing in your video. I was wondering if that would interfere with the operation of the CAN BUS?

  42. Hi Chad, I found your blog when I was searching for information about my dog in car project.
    To make it short. My dog is with me at work every day. I sometimes have him waiting in the car (Town and Country 2008). Usually I have the engine running to cool him off/heat him up.
    My project is safety related. I want to build a Raspberry Pi temperature measuring project that sends alerts to my smartphone in case the temperature inside rises or falls.
    I thought it might be possible to upgrade that with a can bus interface and remotely / automatically start the engine, open windows and so on…
    Do you think that’s possible with your solution? I thought about hooking up that whole thing to the PT-Can and things might work…
    Best regards
    Bastian

  43. Are you able to get information from the ECU from this connection? Just curious, looking to do a similar setup since I can’t read any data about speed, RPM, etc. from the OBD2 CAN pins.
