in part 1 of this series, i covered the basics for how to interface with a vehicle bus using an inexpensive USB or Bluetooth ELM327-based scan tool. in part 2 below, i’ll go over how to actually use that hardware interface to collect and analyze data with the intention of discovering how to interact with the vehicle in some specific way.
for my own first project, i wanted to know how to intercept the steering wheel radio remote-control button press events. i replaced my factory radio with a Motorola Xoom 10″ Android tablet in order to have a bigger and better GPS (and OBDII app, and better entertainment options, etc). however, touching the screen precisely while driving can be difficult (especially when bouncing around off-road). hence why i wanted the factory steering wheel buttons to still control volume, track, play/pause, etc. i’ll use this goal as an example to walk through navigating the bus data.
what you’ll need
- patience!
- a working vehicle bus hardware interface (the scan tool, see part 1)
- laptop or tablet with serial terminal application capable of logging to a file
- Microsoft Excel (or Apple Numbers, a Google Docs spreadsheet, MS Access, etc.)
task 1: get a baseline
the first task is to gather some baseline data – i.e. what msgs are flying around the bus when your are NOT doing whatever particular interaction you are looking to find the msg for. i tested and found that with the vehicle not running, i could still use the steering wheel buttons to control the radio. that made things a little simpler since i would be able to gather all my sample data with the engine off and the key in “run” (there are way less msgs on the bus when the vehicle is not running).
- issue the following commands (one at a time):
ATL1,ATH1,ATS1,ATAL - be sure your serial terminal app is set to log to a text file.
- issue
ATMAto have the scan tool start reporting all of the bus msgs it sees. - just press enter after a minute to stop the stream of data.
task 2: log data from the event/interaction in question
the next task is to log the bus msgs when the action you are looking for occurs. this could be when something like when the radio changes tracks, when you press the sunroof close button, etc. i wanted to know the msg for each steering wheel button. i did a data collection run for each of the 6 buttons separately. for each run, i would press the same button 5 times, trying to space the presses evenly about 1 second apart. i wanted to create some sort of pattern that would hopefully stand out in the data stream.
- repeat the steps from the previous task, while causing the event in question (or allowing it to happen if you have no control over it).
task 3: analyze the data
now you’re ready to analyze the data you collected in order to find just the bus msgs you care about. i used Excel, but you could go with any spreadsheet or database tool that you’re familiar with. the complete MS Excel spreadsheet for all the examples below can be downloaded here: 2003WJ-PCIBus-SWButtonData.xls
- paste the data from each of your baseline/test runs into separate sheets of the spreadsheet. all the bus msgs should be in the first column. add a column header called “msg“.
- on the sheet with the baseline data, add a second column with the header “count“. just fill this column with a “1” for every row.
- still on the baseline data sheet, create a pivot table that sums the count for each msg. this is just an easy way to give you a list of distinct msgs.
- now go to the sheet with your first sample data run. again use “msg” for the first column header and create a second column filled with 1’s called “count“.
- for the third column add the header “not in baseline“. for the value of every row, specify a function that places the msg from the first column into this column ONLY if that msg is not in the baseline list. the function might look something like this (my baseline data pivot table is in the sheet named “baseline”, on column “D”):
=IF(ISNA(MATCH(A2,baseline!D:D,0)), A2, "")
you should end up with something like this, where the third column is a bunch of blank cells with only a few having msgs in them:
- now create another pivot table similar to the previous. however, for this sample run sheet, use the “not in baseline” and “count” columns. this give you a list of distinct bus msgs that occurred during your test that were NOT duplicates of msgs from the baseline run. it also tells you how many times the msg occurred. you’ve basically removed the background noise from your data sample. if you’re after something really simple, this might be nearly the end of your journey. for my project, i needed to compare several of the buttons to really understand what was going on.
- in the previous img, notice i had several distinct bus msgs that were not in my baseline. i had pressed the “up” button on the right side of the steering wheel 5 times for this test run, yet none of the distinct “not-in-baseline” msgs happened exactly 5 times! so i went ahead and repeated these steps for the other 2 buttons on the right side. below are the pivot tables i generated from each of the test runs.
- now for some basic deductive reasoning and a little intuition. above i’ve highlighted in red all of the msgs that occurred at least 5 times – i knew that i definitely pressed the buttons distinctly and hard enough that they should have registered for each press, but perhaps they were sending multiple msgs if i held them down just a bit too long? next i crossed out any msgs duplicated between test runs (the 3 different buttons can’t be producing the exact same msg).
- this left me with one unique msg to look at in 2 of the runs, and 2 unique msgs in the other run. however with this little data left, it was easy to spot a pattern – all 3 runs had a msg that was sent to bus ID 11. i guessed that 11 must be the radio’s ID, and the 3 distinct msgs sent it must be my 3 buttons on the right side of the steering wheel.
task 4: test your hypothesis
- you might next want to do a confirmation test, monitoring only the ID that you believe is sending the msg (
ATMT#), or only the ID that the msg is destined for (ATMR#).
based on the deductions above, i thought i had the right 3 bus msgs. but why didn’t they occur exactly the number of times i pressed the buttons? i decided to perform another test, but only monitor ID 11 (the radio). hopefully my sample data would be small enough to look at directly and spot a pattern. again i tested each button separately, this time issuing the command ATMR11 to only see msgs destined for the radio. i pressed each button 5 times again, about a second apart. this time i was extremely deliberate and consistent in how i pressed each button. check out the results:
i think what is happening is a side-effect of mechanical switches known as contact bounce or chatter. i later saw that holding down a switch sends regular timed repeats of the msg, whereas a quick press can send from 1 to 3 msgs in rapid succession. this reinforces my suspicion of bounce.
- another way to test your conclusions is to send the msg into the bus and physically verify the vehicle responds as expected. this would work for actions like locking/unlocking the doors, etc. i tried to replicate the “up” button on the right side of the steering wheel. if i was sending the right msg, then i would hear the radio increase volume (and see the display indicate the new level). the “up” button msg that i had monitored was
3D 11 04 00 C3, so i used the the commandATSH 3D 11 04and then issued00(theC3checksum will be generated by the ELM327 automaticly). sure enough, it worked!
for all of the examples so far i’ve been working with the a SAE J1850 type bus. the msg structure and sample commands should work with most other protocols except CAN-Bus. you may have already inferred part of the msg structure:
3 byte header + up to 7 data bytes + checksum
the ELM327 reports the msgs in hex, so they look like this (where PP = priority, RR = receiver ID, TT = transmitter ID, DD = data, CC = checksum):
PP RR TT DD DD DD DD DD DD DD CC
the msg structure for CAN is just a bit different, and the ELM327 has an entire set of commands specifically for working that protocol. check out the datasheet for complete info on msg structures and all the possible commands.
additional resources
- walkthrough of a much more complex data gathering/analysis exercise (CAN-Bus, Mini Cooper)
http://bobodyne.com/web-docs/robots/MINI/CAN/MINI_CAN.pdf
- Chrysler/Jeep/Dodge
- Audi/VW
http://secuduino.blogspot.com/2011/04/grupo-volkswagen-can-confort.html
http://www2.dasilvas.info/home/steering-wheel-buttons
- BMW
http://web.archive.org/web/20041204074622/www.openbmw.org/bus/
http://www.reslers.de/IBUS/index.html
http://www.loopybunny.co.uk/CarPC/k_can.html
conclusions
you’ve likely surmised that vehicle bus hacking can prove non-trivial. it could be much more complex than my little example. i’ve read that some manufactures encode longer data across multiple standard msgs using custom schemes. deciphering something like that might be impractical. deciphering constantly changing data from a running vehicle is also challenging.
there are professional data collection and analysis tools/software, but you could also write your own. creating a simple application that time-stamps each msg in the log file would be a good start to help find patterns. adding the capability to graph msg frequency would be useful as well.
i came away from this project frustrated that the majority of data moving about in our vehicles is proprietary. it’s just another example of how society is moving away from a fix-it culture. if this type of information remains confidential, there is no hope of an individual or small repair shop fixing certain types of vehicle problems. we’re not far from a future where cars are as throw-away as iPads. one day i’ll have a Jeep that has to go to the Fiat/Chrysler Genius Bar. there i’ll find out that repairing whatever minor issue it has is too costly because everything is glued together, and that i’m better off buying the new model.
Hi!
Nice writeup! I’m actually doing the exact same thing, in the exact same vehicle (Well, an ’02 2.7 CRD, but that doesn’t make much of a difference). I started a few months ago, and made my own J1850 implementation for a LeafLabs Maple, communicating with a Pi. Now it’s a Galaxy Note instead of a Pi (Didn’t really have the time to make my own UI, and can’t really compete with the tablets anyway), and I’m thinking of how to wire the things together.
It’s very interesting to see how other people attack similar issues. Apart from my home-implementation of J1850, your data analysis approach was the exact same as mine. I also traced memory settings, mirror controls, speed, rpm, as well as other data. I need to implement a writing circuit for the Maple, as I think I might be able to control some of these things fairly easily (seats, mirrors, …).
When I finally get ‘er wired up properly, I’ll do my best to trace out every last drop of data from the bus. I have some ideas in mind, such as increasing volume at speed, automatic play/pause on ignition, data logging, as well as completely useless but fun info, such as current gear ratio (including converter slip – Might be interesting if you’re towing, to estimate current transmission load? I have the feature, now I need to think of a use for it. ;) ).
I completely agree with you on proprietary implementations. It’s the reason I rather prefer older vehicles with less fancy features, as it allows me to do it my way, instead of having to work around all the OEM crap (I really dislike having to bypass existing features – Either they’re going to be used, or they shouldn’t be there.)
What amp are you using, btw? And in case you have the Infineon power amp, did you just tie amp enable to the acc line? I plan on having the tablet be in control of that line through the maple, allowing me to listen to music with acc off. Also, did you figure out a good way to have it turn on automatically, or do you simply allow it to go on standby when no power is connected (having the charger hooked to acc)?
Anyway, I’ll share my findings… I’m sure I can find *something* of interest on that bus! (There’s *definitely* a lot of spam there… There HAS to be something)
Have fun, and hack away!
i am using the factory infinity amp. i had to use a small pre-amp to get my bluetooth adapter’s output up high enough to drive the high-level inputs on that amp to sound good and have any bass. i used a small Lepai amp from Amazon, but i recently got a small Kinter from there too and i think it’s better (less noise at higher volumes) – i might swap it out.
i plan to one day rip out all the factory audio stuff and put in a good aftermarket amp and speakers. then i can do away with the pre-amp. i’ll also use one of those 1/2 din EQ’s that have a single stereo input but 2 stereo outputs and a fader knob so i can get independent front/rear volume again. clarion makes an inexpensive one with good specs. i plan to mount the EQ inside the center armrest storage.
This is a great write-up. Does anyone have or know of a listing for the ID’s for the different systems? I know from this posting that the radio is “11” but I would like to know the locks, memory, etc…
Good Write Up.
I seem to be linked in the BMW section of additional resources :)
I have spent nearly a year now reverse engineering the Can ID’s of the BMW K-can bus. The BMW X1 contains 4 Canbus’s K-Can, D-Can, F-Can and PT-Can (this excludes the smaller k-bus, LIN-Bus and MOST media bus). Each bus deals with different application areas of the vehicle. The k-Can contains most of the ‘User’ controls, Air Con, Windows, steering wheel buttons, reverse sensors, dashboard display etc. The PT-Can links the engine management ECU, stability control and fuel pump etc. i.e the components you don’t really want to mess with!. However the buses are linked via gateway modules so some of the ID’s and data from the PT-can are available on the K-can.
It is worth noting that the BMW does not send all commands across the PT-Can. This is the can bus that the OBDII connector is linked to. To use an elm232 to snoop things like steering wheel buttons you will have to tap into the K-Can bus at the rear of the stereo, at the PDC module in the boot or at the alarm sensor in the roof.
From what I have seen my BMW X1 contains data packets that are very similar to E65, E90, E82, E87, BMW Mini’s etc…
thanks! great info on your site for BMW, i could tell you spent a ton of time on it.
Hi,
is any way to configure ELM327 for reading/writing to BMW K-CAN bus (without gateway over PT-CAN bus)?
Thank you.
LuCKy
I’ve been thinking recently about a vehicle automation system and was considering replacing the in-built buttons (and radio, and… etc). This has given me a new insight on the project. Thanks!
Thanks for your write-ups! I, too, put an Android tablet in my dash. My goal was always to have it tap into the CAN-bus and I’m glad I have this info to reference. (oh my tab is the HTC Evo View 4G and the car is ’08 Subaru Legacy write-up here if anyone’s interested http://csmatt.com/notes/?p=5 )
I like this job! Congratulations to you, Kristoffer. You are good.
I own a Grand Cherokee 3.0 Overland. Your articles give me some ideas, they are the following:
1. If possible, I would like to speak to the navigation system. The gps database of that system does not know my country (Senegal). I want to add an USB connector (there is not usb port on it) through which I can read my own database on an usb (external memory). I would also want to use this port for playing music and video clips in the car.
2. Is it possible to tun some values in the motor to enhance it’s efficiency (more power and less fuel consum)?
Thank you very much.
A.KOTE
sorry i don’t know specifically how to do what you ask. these articles are meant to be an introduction to the topic and hopefully can help you get started if you choose to delve deeper into your vehicle. as far as tuning, something like a SuperChips module would probably be best.
Really well written and useful blog. Really helpful. Thanks a lot.
Also, I would like to understand if I want the output of my CAN bus on USB directly by opening the car wiring what would it take. Basically, as cars generally support only one of the several protocols, can I take the output on USB port and implement that OBD2 protocols on USB itself rather than OBD port ?
Sorry mate, you wouldn’t be able just plug the can bus in to USB. you need something in between. hence the recommendation of the ELM based odb units. I remember seeing some work done direct to serial port, but there was still some circuit in place to aid in decoding.
You’ll need something in place to interpret the car network (can bus) data into something the computer can understand. I picked up a cheap bluetooth ELM clone off ebay for 10 bucks, works like a charm.
Wow man, I’ve been toying with trying to snoop the button presses from the PCI bus for the steering wheel controls for a while now. I have an old Milestone i wanted to wire in for GPS/MP3/diagnotics but leave the factory sound system in place in my 2000 wj. You just made a major winter project into a weekend project!
Great work man, great work!
Outstanding! I found my way to your write up by blindly searching half cooked ideas to try on my ’03 WJ. Well done and thank you for posting it up for the rest of us. Now if you’d kindly turn your attention to the DRB III…LOL
thanks, yeah the DRBIII… i actually just purchased a Innova 3160 from Amazon for $200 so i could check the SRS code and clear my airbag light, and also needed to pull the extended codes for the transmission issue i was having. it worked perfectly for these 2 things, and compared to $3k for a DRBIII, it’s a bargain. of course it can’t do nearly all the tests and interactive stuff the DRB can – but at least i can do SRS, ABS and some extended codes on the WJ now. FYI – the Innova 3150 does nearly everything the 3160 does for $50 less.
I was just checking out the 3160 myself. Luckily, I have access to a similar unit for a small fee (usually beer). Now if there was an over the counter option for programming key fobs…I’d be all over it, dealerships are my only option around here. The cost of programming two remotes and one spare key is going to run me more than I would have ever imagined. Once again, great write up…keep up the hackin.
Hi, i’m french informatician and i think you’ve done a very good job! i’m actually triying to extract TCM’s DTC via OBD2, C-CAN or PCI Bus, and it’s hard to progress on it…. is that the 3160 have allowed you to get the transmission faults? and reset?
thanks! yes, on my 2003 Grand Cherokee i was able to read and reset DTC’s for the transmission. the options were under the “enhanced” menu after choosing Chrysler/Jeep for the vehicle make. the manual does say “Transmission DTCs are not supported on most Chrysler/Jeep vehicles manufactured prior to 2002”, but doesn’t mention any other makes/models specifically.
Hi,
I really liked your posts about CanBus and did many stuff on my car. Now, I want to control my android mobile phone with steering wheel buttons. Is there any chance for you to rewrite your steering wheel application so that it has bluetooth capability? Thanks.
the source is up on github (https://github.com/theksmith/Steering-Wheel-Interface), but doesn’t look like anyone has taken on the task of adding bluetooth yet. that’s on my “some-day” to-do list, but that’s a pretty long list ;)
thanks for nice article
Excellent series of articles! Thank you for putting the time in to help the rest of us.
I have just today started researching canbus hacking as I am planning a Nexus 7 install. One of the frustrations with a Nexus install is the requirement for a $85 radio adapter (just to turn the stock amp on through canbus), a $100 adapter to grab the canbus message from the steering wheel buttons, and another $50 adapter to convert the output of the adapter into key presses so android can recognize them. This info will likely condense all of those down into a single $20 OBD adapter. Granted, the software side of it gets more complicated, but that’s time not money. Add to that the ability to expand beyond just steering wheel buttons.
And here I thought I was going to have to make some setup out of a beagle bone, compiled kernel, Linux canbus utilities, etc.
thanks, this is what i like to hear – someone that can directly use the info!
the software side really isn’t hard. the time consuming part is figuring out the msgs you need to send/receive on the bus without buying all that hardware you mentioned and sniffing it’s conversations.
hope to see you fork my github project. people keep asking me to do a bluetooth version but i just haven’t had the time.
Have you ever been able to control the lights such as turn signals, stop or tail? That would be great when towing a vehicle behind another vehicle.
i never looked into that. my guess is not on older vehicles like mine.
newer vehicles (usually CAN BUS based) often have “bulb out” warning systems so that tells me the control modules are at least aware of sections of lighting circuitry – but still unsure whether you could control individual bulb behavior with bus data.
I’d love to play with this but I can’t see sitting in the car with my IMac. Sure wish there was a simple program and cheep hardware where I could monitor and create messages from my iPad. Then I could just clip onto various busses and check it out.
not sure about a program for ipad, but there are wifi OBDII adapters. i haven’t tried any of the cheap ones on ebay/amazon yet myself, but i might explore this one soon: http://www.scantool.net/obdlink-mxwf.html
The only circumstance where this is workable on my vehicle is the headlights and even then only when the physical switch is set to auto. In other words the physical switch overrides all in most cases
Really great starter info here!
I’ve got a 2008 Chrysler Aspen, picked up a bluetooth ODBII adapter, and your latest build. I’d love to contribute message info (doing a nexus 7 install!) to your database, but I can’t seem to get any data. When connecting a terminal app, I can successfully send AT commands to the interface, but an ATMA command (protocol = 0) always results in a “searching..” message and absolutely no data events come across. I know the adapter works as I was able to use other Android-based ODBII data apps to pull data in from various engine diagnostics/rpm/speed/gas, etc….
Have you run into this? Nudge in the right direction?
Once I can start seeing messages, I can start filtering down…
one of 2 problems likely…
1) a lot of newer vehicles don’t return anything with ATMA because they are on a CAN bus system and have the diagnostic bus separated from the other more interesting ones. for those systems, the diagnostic bus only responds to specific queries and doesn’t just broadcast stuff all the time. in this case you have to wire directly into the bus you want to deal with – if it’s the “comfort” (interior systems) type bus, then you can splice in at the stereo harness.
2) you might also just need to set the protocol manually. the “searching” msg usually indicates you don’t yet actually have communication with the vehicle. usually adapters start out with “auto” protocol detection (ATSP0), but if that’s not working then some of the other apps manually try each one (ATSP1, ATPS2, etc.) and issue a query after each one till they find a match – so you might need to do the same thing if you aren’t sure which protocol you need.
i’m guessing you have both problems, i know 07 and above Wranglers are that way – sorry i don’t remember which protocol number you would need if you manually tap into the stereo harness, it’s one of the user-CAN protocols i think (maybe 6 or 7 or A or B depending on your ELM chip version).
anyway, it’s a lot to have to tinker with just to get started i know – good luck!
Hi
I am planing on removing all buttons from my car interior and to bond a tablet touch screen in the dash so that i can control everything via touch screen but i am not sure of what kind of components i need !!!
My goal was to be able to control front wipers,rear wiper,electric windows,hazarts,ac,ecc !! but ineed to receive signals to deliver to the screen too like speed,fuel level,engine temp,ecc
sounds like a big project. what year/make/model vehicle? most of the information such as speed, coolant temp, etc. are all standard OBDII parameters that any OBD2 adapter and a program like Torque will give you.
controlling everything depends greatly on your vehicle… on very new vehicles you might be able to control many components via the data bus, but on older vehicles you would have to wire up direct control of most circuits through some sort of electrical interface controlled by the tablet. there are bluetooth controlled 12v relay boards that might do much of this work (http://www.tinyosshop.com/index.php?route=product/product&path=141&product_id=371). however, if you have complex circuits like HVAC that need variable inputs to control them (and they can’t be accessed via the data bus), then you’ll need some sort of MCU like an Arduino to handle those.
This is one of the the best written articles i have read. It tied the hardware, the software and examples together with explanations that filled in the gaps. I am a beginner Arduino enthusiast and your article(s) answered question I had that were not even directly related to automotive control. I will definitely be looking into accessing data from info centers like temperatures, gas mileage etc.
thanks for the info, keep up the good work.
Love the knowledge.
hello sir , i would like your help in deciphering the following code
Bus speed: 500000 kbit/s H, Sampling point: 75%, SJW 2
18DAF130 X | 8 | 02 7E 00 55 55 55 55 55 | 5076
18DAF128 X | 8 | 02 7E 00 55 55 55 55 55 | 1506
18DAF110 X | 8 | 02 7E 00 55 55 55 55 55 | 1620
18DAF153 X | 8 | 02 7E 00 55 55 55 55 55 | 8639
Can you explain me what the above data corresponds to in-terms of
1: Start of frame
2: Arbitration Field
3: Control Field
4: Data Field
5: CRC Field
6: ACK Field
7: End of frame
This is just an example for the data i was able to gather from a
Honda City , Petrol Injection. CAN protocol observed in ISO15765 CAN HIGH AND ISO 15765 CAN LOW .
Your help will be much appreciated sir.
What you mention in the last paragraph is exactly what the auto-industry is built around. A big part of the Big 3’s revenue model is based on you bringing your vehicle to them for repair (or selling their repair manuals to automotive shops at a premium). The only reason we have OBD-II is because the government required it and best believe that was fought against tooth and nail.
Thanks for the information on sniffing data I’m excited to get started on my next project now.
Hello, you did a great job. Congratulations.
I have a question for you, or through your work – you could get the car to start operating from another radio than the factory?
He wants to mount to his Chrysler Pacifica – CarPad II android.
Only the installation of Infinity is controlled by the help of K-Line. Do you think that you could be after running the station CarPad send a car to the bus amplifier enable signal, and transmitting the data on the audio settings – the bass, treble, balance, fade?
Is it better to buy a set of Chto-02?
Wach of purchase, when you hit your website and knowing your project.
probably simpler to buy the premade component. determining the exact bus messaging that you need to use for your specific goal can be a very time-consuming task. however, if you have documentation on the exact bus data that needs to be sent to the amp, then my app could certainly be modified to send those messages with a little work.
Thanks for sharing your knowledge, great writing. I wonder how did you override buttons functions permanently. Is this stored “in the car” somewhere, are you using arduino and sending the new settings upon starting your car or is the android app doing this when connecting?
Do you know if it is possible to record electric seats position in order to memorize it and recall if someone changes it?
Thanks a million.
It is frustrating that each manufacturer lay their own code, data blocks and even encode/lock this. But if they were to work to a standard then innovation would be stifled and it would make progress in ECU development come to a halt. By focussing on just one maker you can built up the knowledge you need to tweak things to your liking.
Be careful setting and playing with the engine MAPS!
It is clear to me that it is possible to mess up an engine completely by tweaking the settings in the computer, thankfully many ECU’s particularly BOSCH are full of failsafes that will kick in and prevent the worst from happening. I have heard of turbos burning out due to over enthusiastic boost settings.
Awesome Guide !
I learned a lot. hope to learn more from you. working as an “Automotive Installer” for years and made my own modules(window roll up, mirror folder, roof closer ,smart blinker…and more). but not with Car Network…
Thanks for sharing.
Hi!
Thanks for this great guide. Really good job.
My problem is that I only get it working particularly. I’m able to connect to my bluetooth elm327 adapter and I can send commands to my car. For instance if I send 010c I get back the current rpm. The thing what is not working is the ATAL command. If I send ATAL I got back a “?”. If I send ATMA I got back “OK” but there is no data receiving.
What could be the problem if ATMA only returns “OK”? My car is a Audi A4 Cabrio 2004 which has the “ISO 14230-4 KWP (5 baud init, 10.4 kbaud)” protocol I think.
It will be really nice to get some help.
Thanks Thomas
see part #1 of this comment regarding your issue with ATMA, i think it applies to a lot of newer cars (even though you aren’t on a CAN Bus): https://theksmith.com/software/hack-vehicle-bus-cheap-easy-part-2/#comment-38478
if ATAL doesn’t say OK, then i would question if your ELM based adapter is a clone that doesn’t have full capabilities…
Very cool! I plan to give this a shot on my 2000 Dodge Intrepid soon, it too uses the “Chrysler PCI Bus” (SAE J1850 VPW), definitely up my alley; should be very similar to your Jeep. One question I have, is did the scanner work with the car off at all? I would think there has to be something still going across the bus at least, otherwise how would the remote lock and unlock the doors, right?
the OBDII connector is always supplied with the +12v for the adapter, as that is part of the OBD spec – so the scan tool will “work”… however i can’t remember if there was any data on the bus when my rig was completely turned off.
i do remember that the amount of traffic on the bus grew by an insane amount when the vehicle was running, so i captured all my sample data with it not started. however, i *think* that i still had to turn the key to “acc” to see the audio system msgs. but, your reasoning that there would always be some data and some systems that could respond sounds logical!
Well I finally got around to working on this project.
One thing I have discovered is that nearly all the messages on the J1850 bus are actually using 1-byte headers, not 3-byte headers (including the radio’s 0x3D). According to a whitepaper[1] I’ve found, a bit in the first byte of the header describes whether or not the frame uses a 1-byte header or a 3-byte header. It’s unfortunate that these OBD2 chips don’t seem to recognize that, otherwise I’d be able to easily replace my HVAC control head with a tablet… I can’t send the damn 4-byte button controls! “3-byte header” + CRC = 4 bytes, but it won’t send it without a data byte in-between the two, so minimum of 5 bytes :(
For more reliable output from the monitoring commands I’d suggest using ATS0, it cuts down the number of bytes output by a third. I’m generally able to run ATMA while driving with that, even over Bluetooth! :D
These pivot tables are a life-saver by the way, thank you! My knowledge of Excel is now higher than 0. XD
[1] “Implementing the J1850 Protocol”, http://download.intel.com/design/intarch/papers/j1850_wp.pdf
Hi, I too found your site and was quite happy to find that you were doing this wj. I have an 03 wj overland. I just purchased the ELM327 and am going to be connecting it to my iPhone 5S and/or my laptop running Windows 10. The reason I was looking to learn on how to hack this is I wanted to know if I could change a signal that would normally require the RBDIII. Basically I’ve been looking into a set of projector housings and running HID lights. From what I’ve read, because our WJ uses the low beam as a DRL, the HID will receive low voltage when the DRLs are on and make them flicker. My only options I see are to just always have my lights on ( full voltage) or use a DRBIII to change the country code to a country like USA to disable them.. Apparently you can go to a dealership to have this done. Unfortunately, because I live in Canada, the dealer won’t change it for me because they are required in Canada. ( it’s not illegal to have them off, but finding someone to do it is a different story). Anyways, that’s where I’m at. I’d like to be able to change the country code to USA to turn off my DRLs via my ELM327. Is this possible? Thank you for your time
this hack has to do more with sending and receiving messages that are flying around the bus real-time. you need to actually program one of the ECU’s settings and i don’t know any details regarding that myself. you might email these guys about this product and ask if there is a way you can use it with a relay harness to have the low beams OFF when the DRL low duty cycle PWM signal is applied and ON when the constant +12v is applied: https://www.theretrofitsource.com/components/harnesses/morimoto-xchange-switchback-drivers.html
Hi!
Very nice write-ups! You make it seem so easy and simple. I have a 1998 Jeep Grand Cherokee (with a v8 5.2l engine) that I use for offroad competition. Recently I bought an Obdlink MXwifi, which is supposed to be fully backward compatible with ELM327, so I’m looking forward to try what you did here (even though my car doesn’t have a radio – or even air conditioning, nor even a control panel, instrument cluster, etc (for weight reduction reasons).
I have tried to see vehicle information on my iphone (throu Obdlink app) and everything works just fine for RPM, Speed, engine temp, and many other sensors that I don’t really need to see info from. However I haven’t been able to see Fuel Level, Transmission Temperature and Oil Pressure, even though I know for sure that info is available, since I can see it when connecting Chrysler/Jeep factory OBD Scanner. I also tried to get that same info on a WJ, without any success, so my guess is that both hrand cherokees use the same PIDs. I was wondering if maybe, since you have that same car, you may know the
PIDs for those 3 piecez of info that I need?
Thanks in advance for any help you can give us.
sorry i don’t know the PIDs. i’m 99% sure that you can’t get trans temp on the the WJ 454RFE (in the V8s), i don’t think there is such a sensor.
you might search and see if the numbers on this page can be decoded into a PID somehow: http://www.scangauge.com/support/x-gauge/dodge-specific/
One word T-SQL dude.
Good job of Excel though but importing it into SQL express made things a lot easier for me.
agreed! i was trying to show how any average joe could get this done. however, dumping into MySQL, SQL Server or even Access – and writing some queries against the data is faster and more powerful if you have that skillset.
Awesome write-up!! Hoping you could answer a quick question for me, and possibly even offer some advice on the subject as well… I have a 2016 Ram with power folding mirrors (via a button on the drivers side armrest near pwr lock/windows switches). I’d like to either find a way to program my key fob so that I can fold/unfold the mirrors remotely, or as a last resort at least have them automatically fold/unfold when I lock/unlock the doors OR upon engine startup/shutdown. I have been looking for a way to do this since I bought the truck, and so far, this article is the closest that I’ve gotten. I’m assuming there’s got to be a way to make this happen, especially seeing as how my buddy’s new GMC Denali can do it remotely by holding one of the buttons on the fob. Any help would be GREATLY appreciated. Speaking of appreciated, the fact that you took the time to explain all of this step by step is even more so appreciated!
your project sounds very doable. the first step would be to identify the bus msg that is sent when you press the armrest button to fold the mirrors in. i’m about 95% sure that there would be such a bus msg and that it would be on the “interior” bus, called the IHS CAN bus. then you’ll need to send that same msg manually from your computer/tablet/MCU as a test to make sure that it can trigger the mirrors and that they don’t just pop back out again too… if the factory button is a momentary switch then it should be all good, if it’s a toggle/slide type switch then it might be constantly sending its state and therefore you couldn’t override it without some additional electronics to isolate that switch.
check out this guy’s blog entry, your RAM should be very similar to his modern Wrangler and i think his approach using a RasperryPi, CAN interface shield, and the linux can-utils pkg is perfect for initial snooping of the bus: http://chadgibbons.com/2013/12/29/hacking-the-jeep-interior-can-bus/
Thank you very much for the info, I’m swapping a obd2 jeep drive train into a 63 AMC rambler and this is the first useful post I’ve found
cool, what is your donor vehicle exactly? are you taking the cluster too? tranny & TCM?
be aware that some newer Jeep’s may also required the BCM and other items in order to keep the Sentry Key system working (i.e. everything coming from the same donor rig so that the encoded VINs all match in each module).
good luck with your project!
Hi! Recently I’m planning to buy a bluetooth OBD2 tool for car data information to be displayed on my Android phone (engine load, water temp, voltage, and etc.) After reading this article, I’ve thought of another option : To hack my car’s multi information display to include such details. Currently my car’s multi information display includes mpg, trip time, engine eco status, and average speed. Do you think this will be possible? Btw, its a toyota corolla 2014. Regards, Kurt.
it is very likely that you could do this. a linux computer with a CAN-Bus adapter (USB adapter on a laptop or a “shield” if using RaspberryPi or BeagleBone) and the can-utils software package would be the best way to determine which bus messages contain the text you want to modify or replace.
Thank you for your response. By the means of “with a CAN-Bus adapter (USB adapter on a laptop or a “shield” if using RaspberryPi or BeagleBone) “, is it an OBD2 connector or a CAN-Bus adapter is different? Also may I talk to you via email regarding my queries about this subject matter? Regards, Kurt.
some OBD2 adapters/shields support more than just the OBD required CAN protocols, which might be necessary if you want to hack into other vehicles system beyond the diagnostic bus. if you know for sure you are dealing with CAN, then you might just want a generic CAN-Bus adapter/shield, which will simply have 2 inputs for the CAN-Hi/Low wires and support any speed or CAN encoding. feel free to email me, i may be slow to respond depending on how busy work is!
Is it possible by using the tool ELM 327? It’s the only available tool at my local market.
How difficult do you think it would be to modify a vehicle’s ACC speed limit? I have an Accord and ACC will only activate if 25mph or over. What I assume is the same sensing tech. is in the civic and it activates below 25mph as well.
ACC?
ACC is active cruise control
Thanks for the guide it’s incredibly useful. I’m hoping to do the same sort of thing on my 2002 Peugeot 406 car, so far I haven’t managed to find a code reader/software that supports the KWP_SLOW protocol that my car uses, I’ve only tried various bluetooth OBD adapters paired with my cell phone though so a PC-based solution is probably more appropriate.
My car has a dashboard LCD screen that shows various statistics but I am hoping to replace this with something I create myself so I can show additional information on it from a Raspberry Pi computer which will be functioning as a multimedia system for music etc. As I will be remodelling the center console to add a large touchscreen, the existing basic LCD screen will need to be removed and the stats shown on it need to be displayed through the Raspberry Pi onto the touchscreen. I’ll grab a USB OBD adapter soon and have a play around with it
By ACC he means accessories that might require radiator cooling. He wants to modify car’s software.
Great articles! Seriously, best info I’ve been able to find. I’m very interested in figuring out the whole DRB-III protocol, mostly for diagnosis… and ideas on the best way to start? I’m already working on gathering info on other things like windows using the technique you outline and will hopefully have a library that others can use.
I have a 2001 grand cherokee 4.7 V8 with the Kenne Bell supercharger. The engine had a meltdown, so a fresh rebuilt engine was built to take advantage of the supercharger and other kenne bell electronics. They apparently reprogram one or both of the factory ecu’s, then add their own additional computer under the hood. something must have gone awry, because best I can figure it went lean and that made some broken parts. I havent figured out what the original problem was, and the ecu has been reset multiple times, so that info is lost.
My problem at this point, is since rebuilding the engine it will not start. Believe me when I tell you I have tried every possible way to get this thing to start and have not been able to hear it run. Here is a link if anyone is interested in that project:
http://www.jeepforum.com/forum/f310/fresh-rebuilt-kenne-bell-supercharged-4-7-engine-will-not-start-2285465/#post21799857
currently the entire harness has been removed and inspected for any continuity, shorting or ground issues. it all looks great.
My next step is probably the dealer to have them hook it up to their machine. what would you suggest that I try and do using this obd2 hack to make this jeep run, or is this just a stealership issue now?
i don’t think my hack would help you in any way. best of luck though – i also had to replace my 4.7 and was fortunate that everything fired up on first crank. if you clear any codes and then hook up the engine and try to turn it over – do you get any codes back?
Sounds like the immobilizer was reset and no longer recognizes the chip in your key. When the immobilizer is activated the engine wont start. Look for a jeep factory scan tool it will have the interface to reset the immobilizer.
very good !!!
Thank you for all this useful information! I’m in Africa helping at a small relief and development project. We have a 1998 Grand Cherokee (euro spec) which has an immobilizer system that is a huge pain in the neck. It automatically activates when I lock the doors, and the only way to disable it is through the remotes. I have two remotes, but one never worked since we received the vehicle. The other remote works somewhat, but the circuit board inside is corroded and I’m worried I won’t be able to do anything with the vehicle once it goes out (currently, the batteries for the remote only last about 3 weeks). I bought a elm327 Bluetooth adapter hoping I’d be able to somehow uncover that hidden menu where I can program new remotes. I’m in over my head though. Any help would be tremendously appreciated!
Great tutorial!
I try with an elm327 Bluetooth. When I send ATMA command after some data I receive BUFFER FULL and trasmission end. If I resend ATMA command have some data as other BUFFER FULL. Has anyone encountered this trouble and found a solution?
Same problem here!!
Hello, good article. My doubt is: how can I dump the car system? Any experience with uConnect 7″ HD (Live) System on new Fiat cars?
Hi, great article!
I very much enjoyed reading it, it’s very informative, well organized and explained, thank you for sharing with us :)
I’m trying to start my car via a micro controller, and I was wondering if I can do it using the OBD2 connection. Do you think it could be done? and if so I would love some guidance :)
thanks, michael
Hello, it´s a grate article thank you very much for all tat information. I have a question, where did you get that commands for the Scan Tool? Like ATL1, ATH1, ATS1, ATAL
Great stuff! How do u deal with a situation where ATMA blows the lid off your text buffer?
Hello,
do you know how can I get the absolute distance of the car ?
It seems that OBD don’t give it
Thank you
Hello, due to electrical failure in my car the manual four digit immobiliser went on. Now I need to get the code from ecu and eeprom, can I use my elm327 interface together with my laptop ana an obd1 to obd2 adapter and some software to read the code? The repair shop costs approximately 200 dollars to figure out the code, but if I can do it by myself I will. and wouldn’t be robbed for a five minutes job!
What program will I need to download to my computer, I have tunerpro rt and torque and some other software, the thing is, I don’t know which one of these programs is convenient for the job?
Can you please tell me what program I need to download or is it possible to do the trick with tunerpro rt and the devices I have? I have seen in youtube that tunerpro rt is a very good program and inexpenesive software, but it can do a lot of different operations with it.
Best Regards,
Janne Siekkinen
Nice!! You have great intuition.
I’m a BSEE and an avid DIY person.
Theksmith, I would like to know how to send the request to read oxygen sensor data and how to graph it.(Korora linux)
I would like to know if Pyobd is set up for this and what it does contain.It is not good that if I had windows I could do what I want. I presume what I am asking is simple. I do not have experience with python and do not have the time to learn right now.I wish you had more for persons like myself.If all problems are software problems, you need to be removing the random-ness.Can you isolate the node that you are talking too,/ use statistical methods??
I’m trying to activate my high idle on my 2004 duramax how do I do this with my commands
I think the biggest thing I’m getting confused on, is when the lines are less than 8 bytes long. My adapter (which also did the oddball 38400baud) would get frequent Buffer Fulls, so maybe it’s an issue on my end, but…
So in your example result of 3D 11 02 00 76, are the last two bytes just 00 00 / not sent? Mine shows the extra header information as well which threw me off trying to compare my numbers to yours.
Long and short of my project is, I’m trying to figure out how to get my Ford to display the front camera on-demand. Explorers have a button that send a signal over canbus to display the front camera and I want to find it / inject it on my car on-demand.
Great write. I don’t think there is switch bounce, I think the cluster/steerwheel module is repeatedly sending to radio until switch is released (preventing excessive switch wear by reducing total number of presses by the user).
I’d like to share what I’m doing with my 05 ford freestar.
I’m currently developing a mobile tool (Galaxy S10) for viewing transmission details (inp/out shaft rpm, fluid temp, fluid pres). The tool has been given the ability to talk with the ELM 372 (over bt) for all supported AT commands and OBDII stuff. Includes a graphical dash (tach, mph, fuel pres, eng temp, voltage w/cal feature). MPH is ‘smoothed’ by the cluster so it reads lower than dash gauge and gps at higher road speeds (> 40mph). I also included a serial interface to capture all communications on the bus in question (MA comnmand) and save to file / display unique messages with live count of each and ‘last seen’ timestamp. The line flashes when updated and a new one is added if not already in the list. Can also be viewed from a specific modules perspective (filters communications intended for or coming from a specific module that has been talking on the bus).
Also, I have a copy of fords IDS and am using it to sniff ford specific serial data (with a wire splitter, second female DLC port wired in parallel with original) when initiating things like evap test, control/read trans gear shift etc.. this way I can id the module and talk with it directly. There’s a lot you can do if the data received can be decoded and acted upon. :)
The goal is to have a single tool that will keep me informed of global vehicle health and allow me to pinpoint issues before mechanical failure.
Eventually, I’d like to make this app a service that connects to the vehicle automatically and alerts me to issues (notification bar) without actually running a user interface.
Thank you for creating a space to share/sharing and good luck to all who hax!