Hacking the Jeep Interior CAN-Bus

Hacked!
The Jeep’s Electronic Vehicle Information Center (EVIC) Displays a Custom Message

I have a 2012 Jeep Wrangler Unlimited and have a few projects where I wanted to integrate closely with the vehicle’s electronics. Instead of tapping into the final wiring of the car, I wanted to leverage the vehicle’s own computers to tell my accessories what to do. The end goal being a much tighter and seamless integration, and much less modification to the wiring of the vehicle.

Modern automobiles use a technology called a Controller Area Network, or CAN-Bus, to communicate between the different computers within the vehicle. The use of this technology greatly simplifies the wiring requirements within the vehicle as a large number of components can share a single twisted-pair wiring harness.

There are actually three separate CAN bus systems used in the vehicle: the CAN-Interior (also known as CAN Interior High Speed/IHS), the CAN-C and the Diagnostic CAN-C. The CAN-Interior bus is used for communication between the interior modules of the vehicle, such as the dashboard and radio and runs at 125 Kbps. The CAN-C bus is used by the power train components and runs at 500 Kbps. Finally, there is the Diagnostic CAN-C which also runs at 500 Kbps.

The Diagnostic CAN-C bus is used to talk to a gateway computer, the Totally Integrated Power Module or TIPM. This gateway implements all of the logic needed for onboard diagnostics and communicates with the other two buses as needed. One effect of this design is that data from the other buses is not easily obtained via the data link connector (a.k.a. the OBD-II port) underneath the dash. While a tremendous amount of information is available via the diagnostic bus, it isn’t easy to hack or obtain without getting official documentation directly from the manufacturer.

I came across canbushack.com when I was thinking about looking at the CAN-interior bus and was happy to see much of the information I was after is on that bus. Unfortunately, I also found that the implementation has changed quite a bit from the time most of the work was done on that site versus what is in my Jeep today.

Radio C2
Custom Wiring Harness using the Radio C2 Connector

The easiest way to access the CAN-interior bus is the radio C2 harness. I built a pigtail wiring harness by buying a couple of aftermarket radio wiring harnesses, linking them together, and splicing in a pair of wires for the CAN-H and CAN-L connectors. By making a custom pigtail like this I avoided having to alter any of the OEM wiring, which makes for both easy removal and a lower risk of screwing something up.

I originally used an Arduino Uno micro-controller board and a CAN interface shield from SparkFun and SK Pang Electronics. This platform is a prototype for what I will eventually use as the final production solution for my projects, but I quickly found that analyzing and hacking the vehicle’s CAN-Interior bus was too tedious with that solution, for two primary reasons: a) I had to write code to test any hypothesis, and b) I had to be physically connected to the Arduino with my laptop, in the car, in the cold of winter.

RPi
Raspberry Pi with CAN Interface Board

To solve both issues, I configured a Raspberry Pi system with a CAN interface board made specifically for it by SK Pang Electronics and a USB WiFi dongle so I could leave the system in the vehicle and log in to it from the comfort of my living room. Since the RPi is only a temporary research setup, I simply placed it in the glovebox, connected the CAN-H and CAN-L wires, and powered it from a USB supply plugged into the vehicle’s 12V auxiliary power port.

Configuring the Raspberry Pi to communicate with the CAN Bus is unfortunately non-trivial, and I will cover that in another post.

What’s great about using Linux for CAN-bus hacking is the plethora of great tools available. The can-utils package in particular contains the command-line tools I used to analyze CAN bus messages and generate my own.

The very first thing to do is to look at the traffic on the bus using the candump utility. This utility does exactly what it sounds like – dumps all of the traffic it sees on the bus to your terminal or to a file. When I first tried candump on the CAN-Interior bus of the Jeep, I started to see data like this:

id:0x402 len:8 rtr:0 data:0xfe 0x02 0x3f 0xff 0xff 0xff 0xff 0xff
id:0x3e6 len:3 rtr:0 data:0x0b 0x11 0x1e
id:0x1e7 len:8 rtr:0 data:0x70 0x00 0x00 0x00 0x00 0x00 0x00 0x00
id:0x208 len:7 rtr:0 data:0x00 0x00 0x6d 0x5a 0x1e 0x01 0x2c
id:0x2d2 len:3 rtr:0 data:0x00 0x33 0x00
id:0x2dd len:4 rtr:0 data:0x05 0x00 0x00 0x00
id:0x2df len:8 rtr:0 data:0x10 0x04 0x03 0xe8 0x0f 0xa0 0x09 0xbf
id:0x286 len:6 rtr:0 data:0x03 0x38 0x00 0x00 0x00 0x00
id:0x348 len:8 rtr:0 data:0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
id:0x2d2 len:3 rtr:0 data:0x00 0x33 0x00
id:0x2eb len:4 rtr:0 data:0x1e 0x00 0x64 0xee
id:0x2ce len:8 rtr:0 data:0xff 0xff 0x00 0x00 0x00 0x00 0x00 0x00
id:0x2b0 len:4 rtr:0 data:0x02 0x00 0x00 0x00
id:0x211 len:8 rtr:0 data:0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff
id:0x19f len:8 rtr:0 data:0x01 0xff 0x00 0xff 0xff 0xff 0xff 0x00
id:0x370 len:8 rtr:0 data:0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
id:0x214 len:7 rtr:0 data:0x04 0x0d 0xba 0x00 0x14 0xb4 0x00
id:0x286 len:6 rtr:0 data:0x03 0x38 0xc0 0x00 0x00 0x00
id:0x2eb len:4 rtr:0 data:0x1e 0x00 0x64 0xef
id:0x2ce len:8 rtr:0 data:0xff 0xff 0x00 0x00 0x00 0x00 0x00 0x00
id:0x211 len:8 rtr:0 data:0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff

What a mess! That amount of data flashed across the screen in less than a quarter second and began to repeat in long cycles. It was very difficult to look at such a stream of data and detect when changes occurred based upon user action. Luckily, the can-utils package includes another awesome tool called cansniffer that can help with that very problem.

When you run cansniffer, it watches the traffic per message id and filters out repeating messages whose contents do not change. After a few seconds of startup time, the Jeep in accessory mode is left with only the following changing data:

214 04 12 70 00 13 11 00 ..p....
217 63 78 07 40 6b fd cx.@k.
219 01 47 35 43 4c 32 37 31 .G5CL271
3e6 00 0d 12 ...
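The cansniffer behaviour described above, as an added example rather than code from this post or from can-utils: a Python script that parses candump-style lines in the format shown earlier, remembers the last payload per message id, and reports only frames whose bytes changed, along with the byte positions that changed. The sample lines are constructed from the frames listed above.

```python
import re

# Constructed sample in the candump-style format shown above: 0x2d2 repeats
# unchanged, while 0x286 and 0x2eb each change one byte between appearances.
SAMPLE = """\
id:0x2d2 len:3 rtr:0 data:0x00 0x33 0x00
id:0x286 len:6 rtr:0 data:0x03 0x38 0x00 0x00 0x00 0x00
id:0x2eb len:4 rtr:0 data:0x1e 0x00 0x64 0xee
id:0x2d2 len:3 rtr:0 data:0x00 0x33 0x00
id:0x286 len:6 rtr:0 data:0x03 0x38 0xc0 0x00 0x00 0x00
id:0x2eb len:4 rtr:0 data:0x1e 0x00 0x64 0xef
"""

LINE_RE = re.compile(r"id:0x([0-9a-fA-F]+) len:(\d+) rtr:(\d) data:(.*)")

def parse_frame(line):
    """Return (can_id, payload_bytes) for one line, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    can_id = int(m.group(1), 16)
    data = bytes(int(tok, 16) for tok in m.group(4).split())
    if len(data) != int(m.group(2)):
        return None  # length field disagrees with the payload; drop the frame
    return can_id, data

def sniff_changes(lines):
    """cansniffer-style filter: keep the last payload seen per id and report only
    frames that differ from it, as (id, payload_hex, changed_byte_indices)."""
    last = {}
    changes = []
    for line in lines:
        parsed = parse_frame(line)
        if parsed is None:
            continue
        can_id, data = parsed
        prev = last.get(can_id)
        if prev is not None and prev != data:
            # Compare position by position; a length change shows up as extra indices.
            changed = [i for i in range(max(len(prev), len(data)))
                       if prev[i:i + 1] != data[i:i + 1]]
            changes.append((can_id, data.hex(), changed))
        last[can_id] = data
    return changes

if __name__ == "__main__":
    for can_id, payload, idx in sniff_changes(SAMPLE.splitlines()):
        print(f"{can_id:03x} {payload} changed bytes {idx}")
```

On the sample above this reports only the 0x286 frame (byte 2 went from 0x00 to 0xc0) and the 0x2eb frame (byte 3 went from 0xee to 0xef); the repeated 0x2d2 frames are suppressed.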

It was clear from watching cansniffer what some of this data was.

Message Id $219 is the vehicle identification number, repeated over and over. The first byte of each message is a sequence number, $00 through $04, and the VIN is split across the remaining bytes of those messages.

Message Id $3e6 is a clock of the hours, minutes and seconds since the vehicle was turned on.

I was then able to operate switches in the vehicle and discover the following messages in short order:

244 81 00 39 C3 80 # Driver's door open, byte 0
244 80 00 39 C3 80 # Driver's door closed, byte 0
208 01 22 6d 5a 1e 01 2c # Left blinker on, byte 0
208 00 22 6d 6a 1e 01 2c # Left blinker off, byte 0
208 02 22 6d 5a 1e 01 2c # Right blinker on, byte 0
208 00 22 6d 6a 1e 01 2c # Right blinker off, byte 0
1e1 00 00 10 65 00 00 00 00 # Steering wheel position, bytes 3 & 4
2e0 00 01 47 21 ff ff 0c # Brake pedal depressed, byte 4
2e0 00 01 47 20 ff ff 0c # Brake pedal released, byte 4
2e7 84 1c 00 00 00 00 87 # Parking brake on, byte 0
2e7 04 1c 00 00 00 00 87 # Parking brake off, byte 0
292 00 49 33 00 00 48 28 # Throttle pressed, byte 3
2a8 00 01 00 00 00 00 # Windshield wipers, byte 3
2e5 03 # Rear wiper
2d2 01 06 00 # 4WD-HI
2d2 04 04 00 # 4WD-LO
2d2 00 03 00 # 2WD
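An added example, not code from this post, that decodes the switch states listed above from the "id byte byte ..." text format used in the list. Byte indices are 0-based; treating the single differing bit as the flag (door: bit 0 of byte 0, brake: bit 0 of byte 3, parking brake: bit 7 of byte 0) and the hours/minutes/seconds byte order of $3e6 are assumptions inferred from the observed values, not confirmed layouts.

```python
# Constructed from the observations listed above, in "id b0 b1 ..." hex form.
FRAMES = [
    "244 81 00 39 C3 80",        # driver's door open
    "244 80 00 39 C3 80",        # driver's door closed
    "208 01 22 6d 5a 1e 01 2c",  # left blinker on
    "208 02 22 6d 5a 1e 01 2c",  # right blinker on
    "208 00 22 6d 6a 1e 01 2c",  # blinkers off
    "2e0 00 01 47 21 ff ff 0c",  # brake pedal depressed
    "2e7 84 1c 00 00 00 00 87",  # parking brake on
    "2d2 04 04 00",              # 4WD-LO
    "3e6 0b 11 1e",              # clock since vehicle was turned on
]

def parse_hex_line(line):
    """'244 81 00 ...' -> (0x244, b'\\x81\\x00...')."""
    can_id, *data = line.split()
    return int(can_id, 16), bytes(int(b, 16) for b in data)

BLINKER = {0x00: "off", 0x01: "left", 0x02: "right"}
DRIVE = {0x00: "2WD", 0x01: "4WD-HI", 0x04: "4WD-LO"}

def decode(can_id, data):
    """Return decoded signals for ids with a (partially) known layout.
    Only the byte positions seen to change are interpreted; the bit masks are
    an assumption based on the two observed values for each signal."""
    if can_id == 0x244:
        return {"driver_door_open": bool(data[0] & 0x01)}
    if can_id == 0x208:
        return {"blinker": BLINKER.get(data[0], f"unknown({data[0]:#04x})")}
    if can_id == 0x2e0:
        return {"brake_pressed": bool(data[3] & 0x01)}
    if can_id == 0x2e7:
        return {"parking_brake": bool(data[0] & 0x80)}
    if can_id == 0x2d2:
        return {"drive_mode": DRIVE.get(data[0], f"unknown({data[0]:#04x})")}
    if can_id == 0x3e6:
        # Assumed order: hours, minutes, seconds (one byte each).
        return {"uptime": f"{data[0]:02d}:{data[1]:02d}:{data[2]:02d}"}
    return {}  # unknown or not yet analysed id

def decode_all(lines):
    return [(can_id, decode(can_id, data)) for can_id, data in map(parse_hex_line, lines)]

if __name__ == "__main__":
    for can_id, signals in decode_all(FRAMES):
        print(f"{can_id:03x} {signals}")
```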

Some of the data in each message is immediately apparent, and the rest will take more analysis to figure out what each byte represents. I was particularly surprised to see that steering wheel movement generated any data at all on the CAN-Interior bus.

Some actions result in multiple messages being generated. In particular, the lights appear to generate messages with two ids when their state changes: one or two with id $208 and another with id $2e1. Here’s what I’ve found so far:

208 00 22 6d 5a 1e 01 2c # Lights on w/ fogs
208 58 22 6d 51 1e 01 2c
2e1 1a

208 00 22 6d 5a 1e 01 2c # Lights off w/ fogs
2e1 1b

2e1 1b # Fogs on
2e1 0b # Fogs off
2e1 0a # Lights on w/o fogs
2e1 0b # Lights off w/o fogs

The Radio generates a lot of data, too:

29e 00 03 97 20 02 ff ff ff # Change to FM 91.9

291 09 01 05 30 f0 00 07 # Change to satellite, w/ no signal
293 00 00 b8 20 02 ff ff ff

291 01 01 05 10 10 00 07 # Change to FM, 91.5
291 00 03 93 20 02 ff ff ff

291 09 01 05 30 80 00 07 # Change satellite stations
293 00 00 19 23 02 ff ff ff
295 43 65 73 52 65 77 6e 64 # ClsRewnd

29e 00 00 0f 21 02 00 00 00 # Change CD tracks, byte 3

3d9 0a 0a 0a 0a 0a ff # Change volume, byte 0
3d9 08 0a 0a 0a 0a ff # Change volume, byte 0

Message id $295 is the most fun, as any message broadcast with that id will appear on the vehicle’s EVIC message line, assuming you have disabled the ECO option from being displayed.

Stay tuned for more information about the bus, how to set up both the Arduino and Raspberry Pi to talk to a CAN bus, and details about upcoming projects.

Resources

Videos

Part 1 – Installing the custom wiring harness

Part 2 – routing the CAN-Bus extension

Part 3 – Hooking up the bus to the Raspberry Pi

Part 4 – Using Linux to Analyze CAN-Bus Data

Part 5 – Sending Custom Messages to the EVIC

Part 6 – What Happens if you Corrupt the CAN-Bus

Lightning Quick Summary of the Houston Auto Show

New BMW 5-series Gran Turismo = stunner, inside & out. Was happy to see roof-rack slots are back for the 5-series (presumably the new sedan out later this year will have them as well).

BMW 7-series = nicer than the previous generation, also quite surprised to see roof-rack slots in for this model.

All Audis = beautiful design on the exterior, meh on the inside. You can do better, Audi… make me feel like I’m giving up something if I go buy a BMW.

Cadillac CTS, CTS-V and CTS SportWagon = much nicer than I expected. Exterior is sharp, interior is nicely done and about on par with the BMW 3-series as it should be. CTS-V is slightly nicer on the inside.

New Camaro = too bad they kept the name, because eventually this car will be in every trailer park making the new ones look horrible. Extremely well done car, inside & out. Back-seat only for midgets and a large trunk with one of the smallest hatches I’ve ever seen on a car. Totally not practical, but totally awesome. Even the V6 version looks good.

New Grand Sport version of the Corvette = much, much sharper looking in person than I expected. Tempting, tempting…

New Mercedes-Benz E-Class sedan & coupe = absolutely gorgeous on the outside and a total letdown on the inside. Not even as nice as a BMW 3-series, let alone a 5-series. These were the E-350 versions, so hopefully the V8 and AMG versions will remedy some of that. Having a total display floor size of an average size guest bedroom doesn’t help showing off the cars.

All Acuras = couldn’t be more boring if they tried. Interiors remind me of cheap GM cars from the early 90s. Exteriors only a boy racer wanna-be could love. The new ZDX was interesting but had rear-doors that would make you yearn for the spaciousness of a Camaro.

A Year of Motion

The end of the year is always a good time for reflection. One of the things I always do is look at how much time and distance I’ve spent in a car or on a bicycle.

2009 was a record year for riding in cars at just over 21,000 miles, just over my previous record driving year of 2008, which was around 19,000 miles.

On the bicycles, I only managed 2,000 miles, significantly less than my 2008 peak of 2,700 miles.

iPod installation in the car

Due to recent negative events with XM Radio’s customer service, I no longer have an XM subscription in any of my vehicles. In the truck there is an auxiliary input jack, so feeding music from an iPod is a no-brainer. But in the Corvette, there was no such option. GM never really provided a great solution for it, but luckily the aftermarket came to the rescue.

One of the better options is a device called the Lockpick that intelligently interfaces with the various radio interfaces in GM vehicles. The Corvette Lockpick they provide interfaces directly with the navigation radio in all 6th generation Corvettes so I ordered it to try it out.

Installation turned out to be incredibly simple. The unit ties into the wiring harness that feeds the XM Radio brain. In the convertible model, the brain is hidden behind the waterfall, located between the seats. Removing the waterfall is straight-forward, and then you are left with a simple wire routing problem.

In the end, I decided to locate the Lockpick unit itself on the carpeted area behind the waterfall. I used sticky-tape velcro to keep the unit attached to the carpet, and then ran the wiring harness to the XM Radio unit in order to attach the Y-connector that feeds into the Lockpick itself. The wiring harness that connects to the iPod also has to be routed, and I decided in the end to locate the iPod in the glove box rather than the center console. Access to the center console would require some cutting for a clean installation look, and it tends to get rather hot inside, so I was worried about shortening the life of the iPod a bit too much if I located it there.

Luckily the glove box had a space for a switch that wasn’t installed with my option packages, so it made a perfect place to feed the wiring harness through. From there, I routed the wiring harness into the dash and then underneath the center console and fed it directly to the waterfall area. The final result is a perfectly clean and hidden installation with no permanent modifications needed to the car.

The Lockpick unit itself works great, although the control system is a bit quirky. The lower right-hand button in the XM Radio menu activates the iPod. Once activated, the Category up and down buttons control your playlist selection, and the seek forward and back buttons control the current song playing within the playlist. The info button displays the song information as you would expect. It’s quirky, but works extremely well.

Hello, my name is Chad and I have an addiction…

I am, quite simply put, addicted to shiny new cars.

It has been almost two whole years since I’ve purchased a new vehicle and the itch has returned, and when it does it’s all consuming until it has been scratched. I will now be obsessing over cars until either I buy another one, or something else takes my mind off of them.

When I drove home from Austin this Friday night, I saw a nice new shiny BMW M5 sedan that I shadowed the entire way. I really wanted one of these when the new generation came out, and in many ways I think it would be the perfect vehicle to replace the two I currently drive. The price for a new one is a bit obscene and used ones are as hard to find as gold, and the 17 MPG freeway rating is worse than my Tahoe, so I have yet to pull the trigger. And yet, I’ve come very close to doing exactly that.

I’ve also always wanted a Porsche 911. Much like the BMW, a new one is so overpriced that I’ve always found other vehicles that were “better” for a much lower price. And yet, I know I need to have one someday just to see. I see several folks locally that have theirs with a bike rack on top, so I could conceivably replace both vehicles I drive today with one. I’ve heard automotive experts say again and again that the base 911 Carrera is the best of all the 911 models, given its relative simplicity, but it would be so hard to “settle” for just that instead of an S or Turbo. I’ll ignore the GTx models for obvious reasons…

But it isn’t just the super fast expensive cars that get my attention. I’d love to buy a new Volkswagen Jetta Sportwagen TDI right now, too. This is a great little machine, and would make an excellent daily driver and bike carrier. VW’s new TDI engine is an outstanding work of engineering, resulting in some rather amazing real world fuel economy figures. Clearly, from my other choices and current vehicles, fuel economy is very important to me…

One day, I should just give in and buy a used car. I still have never done it. My very first car was used, but it was my parents’ old beater that I inherited. All of my other vehicles since then have been new – a whopping 9 since 1991, and 11 if you count the two we’ve bought for my wife in that same period. And, if I could really stop being dumb about it all, I should just stop buying vehicles altogether. I should really just now be breaking in my 2nd car…

But, oooh, they’re so shiny.