
What can be done through the OBD connector in the car

It is no secret that in modern cars every system is stuffed with electronics; even a simple window regulator has its own microcontroller and its own address on the shared in-car network. As an interested owner, I wondered what could be done with nothing more than access to the OBD connector.



Everything described in the article refers to a 2008 car (Mitsubishi Lancer), but as practice has shown, ten years later the manufacturer has changed nothing: all the same functions are still in use and still work on current models.



The structure of the car's network is shown in the picture:

image

The car has three CAN buses (a 500 kbps high-speed powertrain bus, an 83.3 kbps low-speed body bus for the cabin electronics and lighting, and a diagnostic bus) and one LIN bus. The link between them is the ETACS (Electronic Total Automobile Control System) unit, which acts as a gateway: it forwards messages from one bus to another according to certain rules and processes some of them itself. What can be done on the CAN bus? Talk to the control units, for a start, and perhaps change something. To open a dialogue with a unit you need to know its address and the functions it supports and will respond to (the post calls them PIDs; in UDS terminology the first byte of a request is the service identifier, SID, and the bytes that follow select the data or routine).



The dealer software, called MUT III, is freely available. Studying its database yields all the information we are interested in.



Addresses (request and response IDs) on the CAN network:



image



Request PIDs and a full decoding of the responses from all units, including the byte positions within the response (when several values are packed into one frame) and the multipliers with their units:



image



For example, we want to know the steering wheel angle. To do this we send the request 21 02 to the ESP control unit. The reply is 61 02 FF EA 00 00 08 FF F3 02 (a positive response echoes the service byte plus 0x40, so 21 comes back as 61).



Looking at the table, we see that we need bytes 2 and 3 (counting from zero, with 61 as byte 0).



image



The value is a signed 16-bit integer, big-endian. 0xFFEA = -22; multiplying by the coefficient 0.04375 gives a steering angle of -0.9625 degrees.
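The decoding step above, written out as a table-driven parser. This is an added example, not code from the original post or from MUT III: the only table row taken from the article is the steering angle (request 21 02, bytes 2 and 3, int16, multiplier 0.04375 degrees); the field names and the `SIGNALS` layout are my own. The parser also checks that the reply really is the positive response to the request sent, and recognises the negative response form 7F SID NRC with the standard ISO 14229 codes, which the post runs into further down.

```python
import struct

# Decoding table in the spirit of the MUT-III database the article describes.
# Only the steering-angle row is taken from the article; the layout is assumed.
# Byte offsets count from the first response byte (0x61), as in the article.
SIGNALS = {
    (0x21, 0x02): [  # (service, local identifier) -> (name, offset, fmt, scale, unit)
        ("steering_angle", 2, ">h", 0.04375, "deg"),
    ],
}

# ISO 14229 negative response codes: 0x7F <SID> <NRC>.
NRC = {
    0x11: "serviceNotSupported",
    0x12: "subFunctionNotSupported",
    0x22: "conditionsNotCorrect",
    0x31: "requestOutOfRange",
    0x33: "securityAccessDenied",
    0x35: "invalidKey",
    0x36: "exceededNumberOfAttempts",
    0x78: "requestCorrectlyReceivedResponsePending",
}


class NegativeResponse(Exception):
    def __init__(self, sid: int, nrc: int):
        self.sid, self.nrc = sid, nrc
        super().__init__(
            f"service {sid:02X} rejected: NRC {nrc:02X} ({NRC.get(nrc, 'unknown')})"
        )


def decode(request: bytes, response: bytes) -> dict:
    """Match `response` to `request` and decode its signals from the table."""
    if len(response) >= 3 and response[0] == 0x7F:
        raise NegativeResponse(response[1], response[2])
    sid, lid = request[0], request[1]
    # A positive response echoes the service id + 0x40 and the local identifier.
    if len(response) < 2 or response[0] != sid + 0x40 or response[1] != lid:
        raise ValueError(
            f"unexpected response {response.hex().upper()} to {request.hex().upper()}"
        )
    values = {}
    for name, offset, fmt, scale, unit in SIGNALS[(sid, lid)]:
        if offset + struct.calcsize(fmt) > len(response):
            raise ValueError(f"response too short for {name}")
        (raw,) = struct.unpack_from(fmt, response, offset)  # ">h" -> signed int16
        values[name] = (round(raw * scale, 4), unit)
    return values


def decode_hex(request_hex: str, response_hex: str) -> dict:
    return decode(bytes.fromhex(request_hex), bytes.fromhex(response_hex))


def classify(request_hex: str, response_hex: str) -> str:
    """'positive' or 'negative:<nrc name>' for a captured request/response pair."""
    try:
        decode_hex(request_hex, response_hex)
        return "positive"
    except NegativeResponse as e:
        return f"negative:{NRC.get(e.nrc, 'unknown')}"


if __name__ == "__main__":
    print(decode_hex("2102", "6102FFEA000008FFF302"))  # steering_angle -0.9625 deg
    print(classify("3103", "7F3133"))                  # negative:securityAccessDenied
```

Only the two steering-angle bytes are decoded here, because the meaning of the remaining bytes in that frame is not given in the post; new rows go into `SIGNALS` with their offset, struct format and multiplier.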



In this way a great deal of information can be requested from the control units, down to how many hours the radio has played and how many discs have been loaded into it, and diagnostic checks can be run on every node (you can switch on the various dashboard lights and move the gauge needles, for example).



image





So far we have only learned things. What good is that on its own? But what if something could be changed, enabled or disabled...



A simple example. The automatic transmission control unit keeps a software counter of oil ageing, and when it reaches a threshold a message appears on the trip computer display saying that the transmission needs servicing. The oil gets changed, but the message stays on the screen, because nobody has reset the counter, and only the dealer scanner MUT-III (about $1000, not something everyone can afford) and a few programs (also not free) can reset it. In the same tables you can find the command under the self-explanatory name CLEAR_CVT_oil_degradation_level_Start. You can laugh angrily in the manufacturer's direction and reset the unfortunate counter yourself. We send the command 31 03 to the CVT unit and... get 7F 31 33 in response.



A small digression. Almost all vehicles use the UDS protocol (ISO 14229) for diagnostics and maintenance.



It simplifies life for the developers of diagnostic scanners and is common to all automakers (which does not stop some of them from inventing their own extensions on top of it).



So the CVT unit's reply decodes as follows: 7F means the request was rejected (a negative response), 31 is the service we sent, and 33 is the negative response code, securityAccessDenied. In other words, we do not have the rights to change or even request this function. Who does?



Digression 2. UDS differentiates access across several levels: a default diagnostic session, an extended session, a programming session, and so on. Each session has its own access levels that decide what you can and cannot do. To reach them you request a so-called Seed from the unit, run it through a certain algorithm and send the result back to the unit as the Key. You can read more here.



Let's try to request a seed. We send the command 27 01 to the ECU and get back 67 01 6A43FD3C.

Sending back an arbitrary 4-byte value (27 02 DEADBEEF), we get 7F 27 35 in response, where 35 is the negative response code invalidKey, because the value was pulled out of thin air. Where do we find the algorithm that computes the key? In the control unit's firmware, and nowhere else. Getting it is fairly easy (though not on every unit; it depends on the microcontroller used): first we find the CAN receive handler, then the function that processes service 0x27.



image



Repeating the seed-key exchange with the algorithm taken from the firmware, we get 67 02 34 in return, where 34 means "access granted". After that the oil degradation reset command works: instead of a negative response code it returns the positive response 71 03 01, and the counter is reset.
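The whole exchange, both sides, as an added example that is not part of the original post. A toy CVT unit refuses RoutineControl 31 03 with NRC 33 until SecurityAccess (service 0x27) succeeds, and a client replays the steps above: request seed, send a guessed key and get NRC 35, request a fresh seed, send the correct key, then run the routine. The key algorithm is an assumption: the real one was recovered from the ECU firmware and is not on the page, so a rotate-and-XOR stand-in with a made-up constant is used on both sides. The seed 6A43FD3C, the trailing 34 byte and the other response bytes follow the post; the counter value is constructed.

```python
# Toy simulation of the UDS SecurityAccess (0x27) gate in front of the
# CLEAR_CVT_oil_degradation_level routine (0x31 0x03).  Assumptions, not from
# the page: the key algorithm and SECRET (the real one lives in ECU firmware)
# and the counter value.  Seed and response bytes follow the article.
SECRET = 0x5A3C9E17  # made-up constant standing in for the firmware's


def derive_key(seed: bytes) -> bytes:
    """Stand-in for the firmware's seed->key function (assumption)."""
    s = int.from_bytes(seed, "big")
    k = ((s << 7) | (s >> 25)) & 0xFFFFFFFF  # rotate left by 7
    return (k ^ SECRET).to_bytes(4, "big")


class CvtEcu:
    """Simulated CVT control unit: the reset routine needs an unlocked session."""

    def __init__(self, seed: bytes = bytes.fromhex("6A43FD3C")):
        self.seed = seed              # the article's seed; real units vary it per request
        self.pending_seed = None      # seed handed out and awaiting its key
        self.unlocked = False
        self.oil_degradation = 180    # constructed counter value

    def handle(self, req: bytes) -> bytes:
        sid = req[0]
        if sid == 0x27 and req[1] == 0x01:            # requestSeed
            self.pending_seed = self.seed
            return bytes([0x67, 0x01]) + self.pending_seed
        if sid == 0x27 and req[1] == 0x02:            # sendKey
            if self.pending_seed is None:
                return bytes([0x7F, 0x27, 0x24])      # requestSequenceError
            ok = req[2:6] == derive_key(self.pending_seed)
            self.pending_seed = None                  # one attempt per seed
            if ok:
                self.unlocked = True
                return bytes([0x67, 0x02, 0x34])      # trailing 34 as in the post
            return bytes([0x7F, 0x27, 0x35])          # invalidKey
        if sid == 0x31:
            if not self.unlocked:
                return bytes([0x7F, 0x31, 0x33])      # securityAccessDenied
            if req[1] == 0x03:                        # CLEAR_CVT_oil_degradation_level_Start
                self.oil_degradation = 0
                return bytes([0x71, 0x03, 0x01])
        return bytes([0x7F, sid, 0x11])               # serviceNotSupported


def unlock_and_reset(ecu: CvtEcu) -> list:
    """Client side: replay the article's exchange; return (request, response) hex pairs."""
    log = []

    def send(req: bytes) -> bytes:
        rsp = ecu.handle(req)
        log.append((req.hex().upper(), rsp.hex().upper()))
        return rsp

    send(bytes.fromhex("3103"))                                # locked -> 7F 31 33
    send(bytes.fromhex("2701"))                                # 67 01 <seed>
    send(bytes.fromhex("2702") + bytes.fromhex("DEADBEEF"))    # guessed key -> 7F 27 35
    rsp = send(bytes.fromhex("2701"))                          # fresh seed after the failure
    send(bytes.fromhex("2702") + derive_key(rsp[2:6]))         # correct key -> 67 02 34
    send(bytes.fromhex("3103"))                                # unlocked -> 71 03 01
    return log


if __name__ == "__main__":
    ecu = CvtEcu()
    for req, rsp in unlock_and_reset(ecu):
        print(f"{req:>14} -> {rsp}")
    print("oil degradation counter:", ecu.oil_degradation)
```

Note that after a wrong key the unit discards the seed, so the client has to request a new one before trying again; real units also count failed attempts and impose a delay (NRCs 36 and 37), which this toy leaves out.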



So through the OBD connector you can do almost anything to the car: change the VIN stored in the units, adjust the coding (configuration), disable the immobiliser in under a second, clear the fault information, and put a unit into bootloader mode, where arbitrary code can be loaded into the controller's RAM and executed. The Japanese security scheme is a little lame.



An example of a configuration change is shown in the video:





This article is for informational purposes only. Any intervention in a car's electronic control units may be the last thing they ever do. Have a nice day, everyone!

Source: https://habr.com/ru/post/448658/


