Posts

Showing posts from April, 2019

OBD-II and ELM327 (4), man in the middle framework

In the previous post, I realized that the ELM327 is not an ideal platform for car hacking. I need to develop a more *interesting* hacking tool to get the job done, so I turned to a Raspberry Pi to continue development.

Implementing a car with a Raspberry Pi (Pi-CAR)

The ELM327 communicates with a car, so I need to make a car... What? I used a Raspberry Pi plus a CAN-HAT to behave like a Volvo XC60. The hardware installation is not difficult, and I used python-can to write the car emulator, so it can receive queries from the ELM327 and respond to 0902 (the VIN query command).

ELM327 ---- Pi-CAR: the left rectangle is the ELM327, which queries the VIN via the 0902 command. The 500 kbps CAN bus wire, in the right-bottom corner, connects the ELM327 and the Pi-CAR. The right rectangle is the RPi, which responds to the 0902 command. He says: I'm a Volvo XC60.

The experiment shown above: the upper window is the ELM327 serial port. You can double-check the result against the earlier post; it had the same response as when I connected the ELM327 to the real car. Lower window is...

OBD-II and ELM327 (3), try to decode CAN package recorded by ELM327

The Volvo XC60 2017 doesn't offer the capability of closing the tailgate by remote control. I have to press the button on the tailgate (see below) by hand. That's probably for security reasons, but I feel so stupid. My assumption is that the button sends some message to the CAN bus. If I can sniff the signal, I can close the tailgate remotely. Challenge accepted!!

I connected the ELM327 to my XC60 and successfully read the VIN code. Then I tried the ATMA (Monitor All) command to sniff the CAN bus... Then... nothing happened!! What the fuck?! So now I can tell you when the cheap ELM327 makes you disappointed.

Incomplete AT command set: because the Torque app doesn't use the ATMA command, the cloned ELM327 doesn't offer that capability.

Poor Bluetooth connectivity: when sending the ATRV command, I sometimes got an incomplete response. I guess that's because the Bluetooth module doesn't work well. Even if the cheap ELM327 dongle offers ATMA capability, the data rate far exceeds the blue...

OBD-II and ELM327 (2), the underlying interface of ELM327

Go to Google Play and search for the keyword "ELM327 Terminal"; all of the results are similar, so you can pick any one of them. If you really have difficulty choosing, this one looks beautiful and was just updated recently.

After connecting the tool to the ELM327 and the car, type "0902" in the tool to read the VIN code. This PID (0902) is an industry standard, and all cars shall implement it. That's why a HUD (head-up display) can connect to all brands of cars through the OBD2 connector. Here are some useful PIDs:

01 0D: vehicle speed
01 0C: engine RPM

Here's the 0902 query response from my car in the app. If interested, decode it :-)

7E8 08 01 14 49 02 01 59 56 41
7E8 08 21 44 5A 41 38 42 44 48
7E8 08 22 32 30 37 36 36 38 32

A lot of people read the CAN bus with Torque, but only a few read the ELM327's capability document. Check out the ELM327 website and download their AT command list; that's all the capability it has. It had different capability...

OBD-II and ELM327 (1)

I bought a Volvo XC60 2017, and the car has an OBD-II port. I always feel the port is inviting me to do some hacking. I have a power supply, an oscilloscope, soldering equipment and a multimeter. I can read English and have some embedded system development experience, but I have never hacked a car. Maybe with some study, I can learn to do that.

My adventure starts with the ELM327; the equipment is quite cheap. I want to talk about the pros and cons of the cheap Chinese ELM327 unit, and when you will feel disappointed by it.

The ELM327 is basically a Microchip PIC18F2480 with customized firmware, which supports various OBD protocols. The picture below is from its datasheet.

Left-upper corner, MCP2551, is the CAN transceiver. It communicates with the car over the CANL/CANH signals and outputs the CAN signal to the PIC18F2480 (ELM327) (PIN1/4).

PIC18F2480 (ELM327): it accepts the output signal from the CAN transceiver, and the internal CAN controller sends/receives on the CAN bus. It has a UART interface on PIN17/18.

Option 1: FTDI UART to USB interface. Conne...