Hacking the Jeep Interior CAN-Bus

[Image: Hacked! The Jeep's Electronic Vehicle Information Center (EVIC) displays a custom message]

I have a 2012 Jeep Wrangler Unlimited and have a few projects where I wanted to integrate closely with the vehicle's electronics. Instead of tapping into the final wiring of the car, I wanted to leverage the vehicle's own computers to tell my accessories what to do. The end goal is a tighter, more seamless integration with far less modification to the vehicle's wiring.

Modern automobiles use a technology called a Controller Area Network, or CAN-Bus, to communicate between the different computers within the vehicle. The use of this technology greatly simplifies the wiring requirements within the vehicle as a large number of components can share a single twisted-pair wiring harness.

There are actually three separate CAN bus systems used in the vehicle: the CAN-Interior (also known as CAN Interior High Speed/IHS), the CAN-C and the Diagnostic CAN-C. The CAN-Interior bus is used for communication between the interior modules of the vehicle, such as the dashboard and radio and runs at 125 Kbps. The CAN-C bus is used by the power train components and runs at 500 Kbps. Finally, there is the Diagnostic CAN-C which also runs at 500 Kbps.

The Diagnostic CAN-C bus is used to talk to a gateway computer, the Totally Integrated Power Module or TIPM. This gateway implements all of the logic needed for onboard diagnostics and relays to the other two buses as needed. One effect of this design is that data from the other buses is not easily obtained via the data link connector (a.k.a. the OBD-II port) underneath the dash: the connector only reaches the gateway, so the gateway is what stands between anything plugged into that port and the interior and powertrain buses. While a tremendous amount of information is available via the diagnostic bus, it isn't easy to hack or obtain without official documentation from the manufacturer.

I came across canbushack.com when I was thinking about looking at the CAN-interior bus and was happy to see much of the information I was after is on that bus. Unfortunately, I also found that the implementation has changed quite a bit from the time most of the work was done on that site versus what is in my Jeep today.

[Image: Custom wiring harness using the radio C2 connector]

The easiest way to access the CAN-interior bus is the radio C2 harness. I built a pigtail wiring harness by buying a couple of aftermarket radio wiring harnesses, linking them together, and splicing in a pair of wires for the CAN-H and CAN-L connectors. By making a custom pigtail like this I avoided having to alter any of the OEM wiring making for both easy removal and a lower risk of screwing up something.

I originally used an Arduino Uno micro-controller board and a CAN interface shield from SparkFun and SK Pang Electronics. This platform is a prototype for what I will eventually use as the final production solution for my projects, but I quickly found that analyzing and hacking the vehicle’s CAN-Interior bus was too tedious with that solution, for two primary reasons: a) I had to write code to test any hypothesis, and b) I had to be physically connected to the Arduino with my laptop, in the car, in the cold of winter.

[Image: Raspberry Pi with CAN interface board]

To solve both issues, I configured a Raspberry Pi system with a CAN interface board made specifically for it by SK Pang Electronics and a USB WiFi dongle so I could leave the system in the vehicle and log in to it from the comfort of my living room. Since the RPi is a temporary research solution only, I simply placed it in the glovebox, connected the CAN-H and CAN-L wires, and powered it with a USB power supply plugged into the vehicle's 12v auxiliary power port.

Configuring the Raspberry Pi to communicate with the CAN Bus is unfortunately non-trivial, and I will cover that in another post.

What's great about using Linux for CAN-bus hacking is the plethora of great tools available. The can-utils package in particular contains the command-line tools I used to analyze CAN bus messages (candump, cansniffer) and to generate my own (cansend).

The very first thing to do is to look at the traffic on the bus using the candump utility. This utility does exactly what it sounds like – dumps all of the traffic it sees on the bus to your terminal or to a file. When I first tried candump on the CAN-Interior bus of the Jeep, I started to see data like this:

id:0x402 len:8 rtr:0 data:0xfe 0x02 0x3f 0xff 0xff 0xff 0xff 0xff
id:0x3e6 len:3 rtr:0 data:0x0b 0x11 0x1e
id:0x1e7 len:8 rtr:0 data:0x70 0x00 0x00 0x00 0x00 0x00 0x00 0x00
id:0x208 len:7 rtr:0 data:0x00 0x00 0x6d 0x5a 0x1e 0x01 0x2c
id:0x2d2 len:3 rtr:0 data:0x00 0x33 0x00
id:0x2dd len:4 rtr:0 data:0x05 0x00 0x00 0x00
id:0x2df len:8 rtr:0 data:0x10 0x04 0x03 0xe8 0x0f 0xa0 0x09 0xbf
id:0x286 len:6 rtr:0 data:0x03 0x38 0x00 0x00 0x00 0x00
id:0x348 len:8 rtr:0 data:0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
id:0x2d2 len:3 rtr:0 data:0x00 0x33 0x00
id:0x2eb len:4 rtr:0 data:0x1e 0x00 0x64 0xee
id:0x2ce len:8 rtr:0 data:0xff 0xff 0x00 0x00 0x00 0x00 0x00 0x00
id:0x2b0 len:4 rtr:0 data:0x02 0x00 0x00 0x00
id:0x211 len:8 rtr:0 data:0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff
id:0x19f len:8 rtr:0 data:0x01 0xff 0x00 0xff 0xff 0xff 0xff 0x00
id:0x370 len:8 rtr:0 data:0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
id:0x214 len:7 rtr:0 data:0x04 0x0d 0xba 0x00 0x14 0xb4 0x00
id:0x286 len:6 rtr:0 data:0x03 0x38 0xc0 0x00 0x00 0x00
id:0x2eb len:4 rtr:0 data:0x1e 0x00 0x64 0xef
id:0x2ce len:8 rtr:0 data:0xff 0xff 0x00 0x00 0x00 0x00 0x00 0x00
id:0x211 len:8 rtr:0 data:0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff

What a mess! That amount of data flashed across the screen in less than a quarter second and began to repeat in long cycles. It was very difficult to look at such a stream of data and detect when changes occurred based upon user action. Luckily, the can-utils package includes another awesome tool called cansniffer that can help with that very problem.

cansniffer groups the traffic by message id and, after a few seconds of warm-up, hides the ids whose payload is not changing, so only the frames with bytes that actually move stay on screen. With the Jeep in accessory mode, this is all that was left:


214 04 12 70 00 13 11 00 ..p....
217 63 78 07 40 6b fd cx.@k.
219 01 47 35 43 4c 32 37 31 .G5CL271
3e6 00 0d 12 ...

It was clear from watching cansniffer what some of this data was.

Message Id $219 is the vehicle identification number, broadcast over and over. The first byte of each frame is a sequence number, $00 through $04, and the VIN is split across the remaining bytes of those frames.

Message Id $3e6 is a clock of the hours, minutes and seconds since the vehicle was turned on.
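The two decodings above, the VIN reassembled from the sequenced $219 frames and the $3e6 clock, as an added example that is not code from the original post. It assumes only the layouts the post reports (sequence number in byte 0 of a $219 frame, ASCII in the rest; hours, minutes, seconds in a $3e6 frame). The padding rule (unused VIN bytes are 0x00 or 0xFF), the VIN check-digit validation and the sample capture with its placeholder VIN are my own constructions; the $3e6 bytes are the ones from the candump excerpt.

```python
"""Decoders for CAN-Interior ids 0x219 (VIN, multi-frame) and 0x3E6 (clock).

Added example, not code from the original post. Frame layouts follow the
post's description; the padding rule and the sample VIN are constructed.
"""

VIN_ID = 0x219
CLOCK_ID = 0x3E6
PAD_BYTES = {0x00, 0xFF}          # assumption: filler after the 17th VIN character
VIN_ALPHABET = "ABCDEFGHJKLMNPRSTUVWXYZ0123456789"   # I, O and Q never appear in a VIN

# Constructed capture: frames deliberately out of order and interleaved with
# unrelated ids, as they arrive off a live bus. Sequence numbers run $00-$04
# as the post observed; frames 3 and 4 here carry nothing but padding.
SAMPLE_FRAMES = [
    (CLOCK_ID, bytes([0x0B, 0x11, 0x1E])),            # clock bytes from the candump excerpt
    (VIN_ID, bytes([0x01]) + b"V5CL000"),
    (0x211, bytes([0xFF] * 8)),
    (VIN_ID, bytes([0x00]) + b"1C4TEST"),
    (VIN_ID, bytes([0x03]) + bytes([0x00] * 7)),
    (VIN_ID, bytes([0x02]) + b"001" + bytes([0x00] * 4)),
    (VIN_ID, bytes([0x04]) + bytes([0x00] * 7)),
    (VIN_ID, bytes([0x00]) + b"1C4TEST"),             # a repeat just overwrites its slot
]


def reassemble_vin(frames):
    """Rebuild the VIN from an iterable of (can_id, data) pairs.

    Frames are placed by their sequence byte, so capture order does not
    matter; padding bytes are dropped and the result is cut at 17 characters.
    """
    chunks = {}
    for can_id, data in frames:
        if can_id != VIN_ID or len(data) < 2:
            continue
        chunks[data[0]] = bytes(b for b in data[1:] if b not in PAD_BYTES)
    raw = b"".join(chunks[seq] for seq in sorted(chunks))
    return raw[:17].decode("ascii", errors="replace")


# Letter values and position weights of the North American VIN check digit.
_LETTER_VALUES = {
    **{c: i + 1 for i, c in enumerate("ABCDEFGH")},
    **{c: i + 1 for i, c in enumerate("JKLMN")},
    "P": 7, "R": 9,
    **{c: i + 2 for i, c in enumerate("STUVWXYZ")},
}
_WEIGHTS = [8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2]


def vin_check_digit(vin):
    """Check digit (position 9) for a 17-character VIN: weighted sum mod 11, 10 -> 'X'."""
    total = 0
    for weight, ch in zip(_WEIGHTS, vin):
        value = int(ch) if ch.isdigit() else _LETTER_VALUES[ch]
        total += weight * value
    remainder = total % 11
    return "X" if remainder == 10 else str(remainder)


def vin_is_valid(vin):
    """Length, alphabet and check digit: catches a bad reassembly or a corrupted byte."""
    return (len(vin) == 17
            and all(ch in VIN_ALPHABET for ch in vin)
            and vin[8] == vin_check_digit(vin))


def decode_clock(data):
    """0x3E6 payload -> (hours, minutes, seconds); rejects out-of-range minutes/seconds."""
    if len(data) < 3:
        raise ValueError("0x3E6 frame shorter than 3 bytes")
    hours, minutes, seconds = data[0], data[1], data[2]
    if minutes > 59 or seconds > 59:
        raise ValueError("implausible clock bytes %s" % data[:3].hex())
    return hours, minutes, seconds


if __name__ == "__main__":
    vin = reassemble_vin(SAMPLE_FRAMES)
    print("VIN", vin, "valid" if vin_is_valid(vin) else "INVALID")
    for can_id, data in SAMPLE_FRAMES:
        if can_id == CLOCK_ID:
            print("clock %02d:%02d:%02d" % decode_clock(data))
```

The check-digit test is the useful part for bus work: a VIN that reassembles to the wrong length, or with one flipped byte, fails it, which is a cheap way to tell a decoding mistake from a genuinely odd frame.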

I was then able to operate switches in the vehicle and discover the following messages in short order:

244 81 00 39 C3 80 # Driver's door open, byte 0
244 80 00 39 C3 80 # Driver's door closed, byte 0
208 01 22 6d 5a 1e 01 2c # Left blinker on, byte 0
208 00 22 6d 6a 1e 01 2c # Left blinker off, byte 0
208 02 22 6d 5a 1e 01 2c # Right blinker on, byte 0
208 00 22 6d 6a 1e 01 2c # Right blinker off, byte 0
1e1 00 00 10 65 00 00 00 00 # Steering wheel position, bytes 3 & 4
2e0 00 01 47 21 ff ff 0c # Brake pedal depressed, byte 4
2e0 00 01 47 20 ff ff 0c # Brake pedal released, byte 4
2e7 84 1c 00 00 00 00 87 # Parking brake on, byte 0
2e7 04 1c 00 00 00 00 87 # Parking brake off, byte 0
292 00 49 33 00 00 48 28 # Throttle pressed, byte 3
2a8 00 01 00 00 00 00 # Windshield wipers, byte 3
2e5 03 # Rear wiper
2d2 01 06 00 # 4WD-HI
2d2 04 04 00 # 4WD-LO
2d2 00 03 00 # 2WD

Some of the data in each message is immediately apparent and the rest will take more analysis to figure out what each byte represents. Note that the byte offsets in the comments above are not all counted the same way: the door, blinker and parking-brake notes count from byte 0, while the brake pedal pair actually differs in its fourth byte, so compare the pairs directly rather than trusting the offset. I was particularly surprised to see that steering wheel movement generated any data at all on the CAN-Interior bus.
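The change-detection step that cansniffer performs and the byte-offset labelling used in the table above, done in code, as an added example that is not part of the original post. It parses candump's default line layout (`can0  2E0   [7]  00 01 47 21 FF FF 0C`, which differs from the layout of the excerpt earlier), reports which byte offsets of each id ever change during a capture (ids whose payload never changes are dropped, which is what cansniffer hides after its warm-up), and diffs a before/after pair down to the XOR so a single-bit flag stands out. The capture is constructed from the brake pedal and door pairs listed above plus two ids that never change; offsets are zero-based throughout, and the function names are mine.

```python
"""cansniffer-style change detection over candump output, plus a byte/bit diff.

Added example, not code from the original post. The capture below is
constructed from frame pairs listed in the post; a real one would come from
`candump can0 > capture.txt`.
"""
import re
from collections import defaultdict

# candump default layout: "<iface>  <id>   [<dlc>]  <hex bytes>"
_LINE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})\s+\[(?P<dlc>\d+)\]\s*"
    r"(?P<data>(?:[0-9A-Fa-f]{2}\s*)*)$"
)

SAMPLE_CAPTURE = """\
  can0  211   [8]  FF FF FF FF FF FF FF FF
  can0  2D2   [3]  00 33 00
  can0  3E6   [3]  0B 11 1E
  can0  2E0   [7]  00 01 47 20 FF FF 0C
  can0  244   [5]  80 00 39 C3 80
  can0  211   [8]  FF FF FF FF FF FF FF FF
  can0  2E0   [7]  00 01 47 21 FF FF 0C
  can0  3E6   [3]  0B 11 1F
  can0  244   [5]  81 00 39 C3 80
  can0  2D2   [3]  00 33 00
  can0  2E0   [7]  00 01 47 20 FF FF 0C
"""


def parse_candump_line(line):
    """Return (iface, can_id, data) for one candump line, or None if it is not one."""
    m = _LINE.match(line)
    if not m:
        return None
    data = bytes.fromhex(m.group("data"))
    if len(data) != int(m.group("dlc")):
        return None          # truncated or corrupted line: do not trust it
    return m.group("iface"), int(m.group("id"), 16), data


def changing_ids(lines):
    """Map can_id -> list of booleans, one per byte offset, True where that byte
    took more than one value. Ids whose payload never changed are omitted."""
    seen = defaultdict(list)
    for line in lines:
        parsed = parse_candump_line(line)
        if parsed:
            seen[parsed[1]].append(parsed[2])
    result = {}
    for can_id, payloads in seen.items():
        width = max(len(p) for p in payloads)
        mask = [len({p[i] for p in payloads if i < len(p)}) > 1 for i in range(width)]
        if any(mask):
            result[can_id] = mask
    return result


def diff_bytes(before, after):
    """Zero-based offsets where two payloads differ, as (offset, before, after, xor).
    The XOR makes single-bit flags obvious (door open is bit 0 of byte 0 on 0x244)."""
    width = max(len(before), len(after))
    out = []
    for i in range(width):
        b = before[i] if i < len(before) else None
        a = after[i] if i < len(after) else None
        if a != b:
            xor = (a ^ b) if (a is not None and b is not None) else None
            out.append((i, b, a, xor))
    return out


if __name__ == "__main__":
    for can_id, mask in sorted(changing_ids(SAMPLE_CAPTURE.splitlines()).items()):
        offsets = [i for i, changed in enumerate(mask) if changed]
        print("%03X changes at byte offset(s) %s" % (can_id, offsets))
    released = bytes.fromhex("00014720FFFF0C")
    pressed = bytes.fromhex("00014721FFFF0C")
    print("2E0 brake pedal:", diff_bytes(released, pressed))
```

Capture a baseline with nothing touched, then a second capture while holding one control, and run `changing_ids` over the two concatenated; the ids that appear are the candidates, and `diff_bytes` on a representative pair tells you the offset and the bit.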

Some actions result in multiple messages being generated. In particular, the lights generate frames under two message ids when their state changes: one or two with id $208 and another with id $2e1. Here's what I've found so far:

208 00 22 6d 5a 1e 01 2c # Lights on w/ fogs
208 58 22 6d 51 1e 01 2c
2e1 1a

208 00 22 6d 5a 1e 01 2c # Lights off w/ fogs
2e1 1b

2e1 1b # Fogs on
2e1 0b # Fogs off
2e1 0a # Lights on w/o fogs
2e1 0b # Lights off w/o fogs

The Radio generates a lot of data, too:

29e 00 03 97 20 02 ff ff ff # Change to FM 91.9

291 09 01 05 30 f0 00 07 # Change to satellite, w/ no signal
293 00 00 b8 20 02 ff ff ff

291 01 01 05 10 10 00 07 # Change to FM, 91.5
291 00 03 93 20 02 ff ff ff

291 09 01 05 30 80 00 07 # Change satellite stations
293 00 00 19 23 02 ff ff ff
295 43 65 73 52 65 77 6e 64 # ClsRewnd

29e 00 00 0f 21 02 00 00 00 # Change CD tracks, byte 3

3d9 0a 0a 0a 0a 0a ff # Change volume, byte 0
3d9 08 0a 0a 0a 0a ff # Change volume, byte 0

Message id $295 is the most fun: any message broadcast with that id is written to the vehicle's EVIC message line (assuming you have turned off the ECO display option). Nothing on the bus checks who sent the frame, so anything that can transmit on the CAN-Interior bus can put arbitrary text in front of the driver.
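The $295 injection just described, as an added example that is not code from the original post, using the SocketCAN support in Python's standard library. Assumptions beyond what the post states: the EVIC renders the 8 data bytes of a $295 frame as ASCII (the radio's own `ClsRewnd` frame above suggests it does), longer text is sent as consecutive 8-byte frames, the last frame is space-padded, and the interface is named `can0`. The `struct can_frame` layout and the `id#hexdata` notation are Linux SocketCAN and can-utils conventions; `evic_payloads`, `pack_can_frame`, `unpack_can_frame`, `cansend_syntax` and `send_text` are my names.

```python
"""Write text to the EVIC message line by broadcasting id 0x295 over SocketCAN.

Added example, not code from the original post. The ASCII/space-padding
assumptions and the interface name are mine.
"""
import socket
import struct
import sys
import time

EVIC_ID = 0x295
FRAME_LEN = 8              # classic CAN carries at most 8 data bytes per frame
_CAN_FRAME = "=IB3x8s"     # struct can_frame: u32 can_id, u8 dlc, 3 pad bytes, 8 data bytes


def evic_payloads(text):
    """Split text into 8-byte ASCII payloads, space padding the last one.
    Non-ASCII characters become '?' since the display cannot render them."""
    raw = text.encode("ascii", errors="replace")
    chunks = [raw[i:i + FRAME_LEN] for i in range(0, len(raw), FRAME_LEN)] or [b""]
    return [c.ljust(FRAME_LEN, b" ") for c in chunks]


def pack_can_frame(can_id, data):
    """Build the 16-byte struct can_frame that a raw CAN socket sends."""
    if len(data) > FRAME_LEN:
        raise ValueError("classic CAN frame data is at most 8 bytes")
    if can_id > 0x7FF:
        raise ValueError("standard 11-bit identifier expected")
    return struct.pack(_CAN_FRAME, can_id, len(data), data)


def unpack_can_frame(frame):
    """Inverse of pack_can_frame: (can_id, data) from a 16-byte struct can_frame."""
    can_id, dlc, data = struct.unpack(_CAN_FRAME, frame)
    return can_id, data[:dlc]


def cansend_syntax(can_id, data):
    """The same frame as a can-utils `cansend` argument, e.g. 295#48656C6C6F204A65."""
    return "%03X#%s" % (can_id, data.hex().upper())


def send_text(text, interface="can0", gap_s=0.1):
    """Send each 8-byte chunk as its own 0x295 frame, with a gap between frames
    so this node does not hog arbitration and delay every id numerically above 0x295."""
    sock = socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW)
    try:
        sock.bind((interface,))
        for payload in evic_payloads(text):
            sock.send(pack_can_frame(EVIC_ID, payload))
            time.sleep(gap_s)
    finally:
        sock.close()


if __name__ == "__main__":
    # usage: python3 evic.py [can0] "Hello Jeep"; without an interface it only prints cansend lines
    args = sys.argv[1:]
    iface = args.pop(0) if args and args[0].startswith(("can", "vcan")) else None
    text = " ".join(args) or "Hello Jeep"
    for payload in evic_payloads(text):
        print("cansend", iface or "can0", cansend_syntax(EVIC_ID, payload))
    if iface:
        send_text(text, iface)
```

Without an interface argument the script only prints the equivalent can-utils commands (for "Hello Jeep": `cansend can0 295#48656C6C6F204A65` followed by the space-padded `ep`), which is a convenient way to test against a `vcan0` interface before touching the car. Keep the inter-frame gap when you do go live: CAN arbitration always favours the lowest id on the wire, so a node transmitting back-to-back frames delays everything with a higher id, and the post's own Part 6 video is about what a misbehaving node does to the rest of the bus.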

Stay tuned for more information about the bus, how to setup both the Arduino and Raspberry Pi to talk to a CAN bus, and details about upcoming projects.

Resources

Videos

Part 1 – Installing the custom wiring harness

Part 2 – routing the CAN-Bus extension

Part 3 – Hooking up the bus to the Raspberry Pi

Part 4 – Using Linux to Analyze CAN-Bus Data

Part 5 – Sending Custom Messages to the EVIC

Part 6 – What Happens if you Corrupt the CAN-Bus

Published by

chadwick

Chad is a software developer from Colorado, USA. He's been working in the software industry since the 1980s and presently works for Alert Logic, a provider of managed security-as-a-service solutions for the Cloud. He spends way too much time bicycling or playing with cars.

125 thoughts on “Hacking the Jeep Interior CAN-Bus”

  1. Not directly.

    You can communicate with the TIPM this way, which in turn can communicate with the powertrain modules. But you can do exactly the same thing via the diagnostic port as well, if you know the right protocol.

    You can also use the same technique to hook into to the powertrain bus, and then you can see the messages for the transmission and engine modules directly.

    And, even with regular OBD2, you can read speed and RPM data through the ISO standard there, so I suggest reading up on that. That data is available on just about every vehicle via the standard way, without talking to the powertrain bus.

  2. Did you do the guide to configure CAN with the Raspberry Pi? Is there anything I can follow to achieve that?

  3. Hi Chad, I was able to connect my Raspberry Pi + PiCAN 2 to the CAN bus on my car. So far I am connected to the OBD2 (faster way to test, without disassembling the radio). I am happy because, following your guides, I was able to get it working, but whenever I do something it does not show up; however, it does show data.

    My car has eco mode, so whenever I enable or disable it I can see it, and also almost everything transmission related: when it is in park, in D, in N, in manual mode; it also tells me the gear that it is currently in.

    But if I send a “bad response” or something different… let's say eco mode is enabled and I want to send the “disable” command, I just receive back the “enable” command; it never disables.

    Also, something funny: if I move rapidly in the car, there are other IDs triggered that I can see, but nothing else is shown on my screen when I do something different such as rolling down the window or turning the lights on/off…

    (Hyundai Elantra 2013 GLS)

  4. I have a 2008 Jeep Liberty; do you think there is any chance to do the same trick?
    By the way, isn't the signal also present on the OBD port, with the diagnostic bus acting as a gateway?

  5. The same technique will work on your Liberty. I believe the CAN Interior bus on that vehicle is low speed, but otherwise it's the same technology.

    The TIPMGW module should act as a gateway for the other two buses, the CAN Interior and Powertrain. On the JK, at least, there is no wiring on the diagnostic port besides talking to the gateway (some other vehicles have the other buses available on the diagnostic port directly). I didn't find any gateway messages that enabled me to spy on the other buses, but I didn't pursue it much.

  6. Do you think you can inject event such as wheel control , cruise control … to the CAN Bus?

  7. Currently I've been trying to reprogram my instrument cluster for information display changes. My current project is on a Toyota Corolla 2014. The current information display has the following options available to the user:

    Average Fuel Consumption
    Cruising Range until empty
    Trip Elapsed Time
    Average Speed
    Realtime Fuel Consumption
    Setting (for brightness etc)
    The display cluster is controlled by a single button for switching displays. My project consists of changing ( or possibly ) adding a menu. For the displays that is subject to change, I want to replace the Average Speed display to Current Speed. Also, if possible, I want to add a menu for displaying Engine Load and Voltage Meter.

    How can I reprogram the instrument cluster? Can I do it via OBD2? Also, what tools do I need? Any feedback would be greatly appreciated. Thank you.

  8. Hey, I am adding AC to a 2008 Jeep Wrangler that didn't come with AC. The TIPM will not recognize the AC without the sales code in it being changed. The dealer cannot change the code. Is there a way I can change the code using this method? Thanks

  9. I have been trying to work out how to play around with my Smart Roadster Coupe, and thanks to this article I finally know for sure which hardware I should get to reach my goals, thanks!

  10. I’m looking at purchasing the raspberry pi and pican board to start sniffing the canbus on my 2014 grand cherokee. Once I find the canbus messages of interest what is involved in implementing a lower power arduino/pican setup for permanent installation in the vehicle? Are there libraries and example code that make it simple to receive and send canbus messages?

  11. On second thought how easily will all this transfer over to the raspberry pi zero? It looks like the pican communicates with the raspberry over SPI. I don’t see a pican for the pi zero but there are SPI can controller boards available. Seems like the hardware is available but with my limited knowledge on this I may struggle to figure it out if your work is not applicable to the pi zero and other canbus controller.

    I’m interested in this as a low power permanent option to leave in my jeep. It would also be cheaper hardware and I could use the same hardware for sniffing the messages and implementing my end result.

  12. Yes, it works! I’m reading and sending can messages on my 2014 grand cherokee. Able to unlock and lock the doors which is the first order of business. Some sketchy software in the jeep makes the passive entry flaky so I’m going use this as a work around. Then, on to more fun stuff. Thanks again for the op post and everyone’s help!

    I still have to figure out how to incorporate these commands into a python script to run on the pi zero but I’m sure that is simple once you know how to set it up.

  13. I ordered the PICAN2 a couple weeks back, today I had time to play with it… But I can’t get any CAN packages… I’ve read a lot of documentation, including yours, but I still have no luck… Setting up the can0 interface seems to be fine, but when I do a candump can0, I get no output (not even an error)…

  14. That’s the general condition you get into when things aren’t working correctly.

    Things to do:

      make sure you are seeing packet counts, error counts, etc. on the can0 interface when you do stuff
      if you have a scope, look at the CAN H & L signal lines and see if you see traffic. it should be obvious.
      triple check the clock rate of the PICAN oscillator
      triple check the baud rate of the PICAN versus the bus you are listening on (one of the most common issues)
  15. Not really, no. This is about talking to the devices on the network, and programming an option code is a more specific security protocol built-in to the TIPM. Find a different dealer.

  16. Chad, do you happen to know the can id’s for icp. I’m trying to sniff a device that tricks powernet cars to allow keyboard input in the address entry when driving. I think the device is just reporting 0mph over some can device but there is just too much data I can not narrow it down. If I knew what some of the ID’s were I could possibly get somewhere.

  17. I’m pretty far in over my head on this and have a LOT to learn about networking in general. That being said, I have a 2003 Jeep WJ. I want to put a rear camera up by the info display.
    Is it possible to build a simple circuit to just passively monitor for the “reverse” code off the data link to the info display or must I use a Arduino type device?

  18. Interestingly, none of your info corresponds to what I'm seeing on my Jeep Renegade. Though over the past few months I've discovered what certain IDs contain. I've found the ABS wheel speeds, several messages with accelerator pedal position, throttle position, steering wheel position, brake pedal, clutch pedal, and battery voltage to name a few…

  19. Chad,
    It’s been a while since I messed with this, but I am back at it. From your Jeep, do you know what the message IDs and data are for transmission range select, ie, Park, Reverse, Neutral, Drive, etc? Trying to emulate that on the bench as I am sniffing out several different radios with a LockPick attached. I do not have a vehicle available to test directly. Any help you can offer would be much appreciated. Thanks!

  20. Hi Chad

    Nice write-up. Currently I have a problem: how can I read the speed and RPM? I already tapped the dashboard connector, so I assume that I do not need to request the data. Is it possible to get the speed and RPM by just sniffing?

    Some PID dump:
    300 – I think something like a distance counter.
    2de
    215
    174
    292
    181
    280
    284
    354
    1f9
    176
    285
    560
    160

  21. I don’t recall toying with the transmission by listening to the interior CAN bus. I’m sure that data is there – since the gear shift shows up in the dash – but I just didn’t try and find it.

    That said, I did find it in the OBD-II settings using PID 0x5A:

    7e9 61 5c 0d d0 00 50 8e # engine running, in park
    7e9 61 5c 0b b0 01 52 5e # engine running, in reverse
    7e9 51 5c 00 00 02 4e 88 # engine off, in neutral
    7e9 51 5c 00 00 04 44 60 # engine off, in drive

  22. If you're after that data, you are better off talking to the OBD-II port and doing it via diagnostics instead. Super easy and well documented.

  23. Thanks for posting on the transmission range. Reason I am after it, is that the LockPick will intercept that data, and it sends some command to the radio, which will turn on an option for a rear (or front) camera. This is not enabled by default, and indeed, the LockPick comes with an additional connector to plug into the VES side of the radio to give a standard video input to the radio. My goal is to get that same effect, but without the lockpick. If I can isolate the PRNDL message on the interior bus, then I think it will work. I will share my results back here. The 7E9 ID message does not seem to work on the bench. The lockpick passes it through, unmodified, and without additional commands, which indicates that it is not a message it ‘cares about’.
