OBD-II and ELM327 (3), try to decode CAN package recorded by ELM327

The Volvo XC60 2017 doesn't offer the capability of closing the tailgate by remote control. I have to press the button in the tailgate (see below) by hand. That's probably for security reasons, but it feels so stupid. My assumption is that the button sends some message to the CAN bus. If I can sniff the signal, I can close the tailgate remotely




Challenge Accepted!!

I connected the ELM327 to my XC60 and successfully read the VIN code. Then I tried the ATMA (Monitor All) command to sniff the CAN bus... Then... nothing happened!! What the fuck?!

So now I can tell you when the cheap ELM327 makes you disappointed
  • Incomplete AT command set
    • Because the Torque app doesn't use the ATMA command, the cloned ELM327 doesn't offer it
  • Poor Bluetooth connectivity
    • When sending the ATRV command, I sometimes got an incomplete response. I guess the Bluetooth module doesn't work well
  • Even if the cheap ELM327 dongle offers ATMA, the CAN data rate far exceeds the maximum Bluetooth throughput

USB ELM327

In the 1st article, I explained the internal structure of the ELM327 dongle; there are basically two configurations
  • ELM327 + Bluetooth module
  • ELM327 + FTDI (UART-to-USB)
I guessed USB had larger bandwidth, so I bought another USB ELM327 from China. However, I forgot that the cloned ELM327 itself doesn't have the ATMA command (I'm probably stupid)... Finally, I got an ELM327 2.2 unit from Taiwan's Ruten market
  • The unit finally supports ATMA
  • I used it on the 500 kbps CAN bus, and it reported BUFFER FULL immediately
The seller also offered an ELM327 that can switch between the high- and low-speed CAN buses (I ought to have bought this at first)
  • The Volvo has two CAN buses. Volvo's POT (Power Operated Tailgate) is connected to the low-speed bus
    • Found after doing some research on the Internet and checking Volvo's EWD (Electrical Wiring Diagram)
  • High-speed bus (OBD pins 6/14), 500 kbps: BUFFER FULL with the ELM327
  • Low-speed bus (OBD pins 3/11), 125 kbps: I can run ATMA successfully

Try to decode low speed CAN

Decoding CAN bus signals is not fun at all. I found some packets that look like a timestamp
  • 2E7 8 80 00 0A 27 0D 0A 02 13
    • The format is ?? ?? SS MM HH DD MM YY
    • It decoded as 2019/2/10 13:10:39
      • 0A: SS, second = 10
      • 27: MM, minute = 39
      • 0D: HH, hour = 13 (1:00 PM)
      • 0A: DD, day = 10
      • 02: MM, month = 2
      • 13: YY, year = 19
  • 300 8 00 00 00 00 00 00 00 00
  • 301 8 00 00 00 00 00 00 00 00
    • These two packets appeared every second
  • 310 8 84 48 00 00 00 90 80 00
    • This packet appeared every 0.1 second
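As an added example (not code from the original post), here is a small Python parser for ATMA-style lines like the ones above. It decodes the 0x2E7 payload field by field as SS MM HH DD MM YY (plain binary values, so 0x27 is 39 minutes and 0x13 is year 2019), rejects truncated lines and BUFFER FULL noise, and estimates each ID's period from a host-side capture time; the log and its capture times are constructed, not recorded from the car.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the "<id> <dlc> <data>" form that ATMA prints, paired with
# a hypothetical host-side capture time in seconds (the ELM327 adds no timestamps).
SAMPLE_LOG = [
    (0.0, "2E7 8 80 00 0A 27 0D 0A 02 13"),
    (0.0, "300 8 00 00 00 00 00 00 00 00"),
    (0.0, "301 8 00 00 00 00 00 00 00 00"),
    (0.0, "310 8 84 48 00 00 00 90 80 00"),
    (0.1, "310 8 84 48 00 00 00 90 80 00"),
    (0.2, "310 8 84 48 00 00 00 90 80 00"),
    (1.0, "300 8 00 00 00 00 00 00 00 00"),
    (1.0, "301 8 00 00 00 00 00 00 00 00"),
    (1.0, "2E7 8 80 00 0B 27 0D 0A 02 13"),  # one second later: SS byte 0x0A -> 0x0B
]

FRAME_RE = re.compile(r"^([0-9A-Fa-f]{3,8})\s+(\d)\s+((?:[0-9A-Fa-f]{2}\s*)+)$")

def parse_frame(line):
    """Parse one ATMA line into (can_id, data). Returns None for non-frame output
    such as 'BUFFER FULL' and for a frame whose byte count does not match its DLC
    (a truncated line from a flaky link)."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    can_id = int(m.group(1), 16)
    dlc = int(m.group(2))
    data = bytes.fromhex(m.group(3).replace(" ", ""))
    if len(data) != dlc:
        return None
    return can_id, data

def decode_clock(data):
    """Decode the 0x2E7 payload: bytes 2..7 are SS MM HH DD MM YY as plain binary
    values (0x27 -> 39 minutes, 0x13 -> 19 -> 2019); bytes 0..1 are unknown."""
    ss, mm, hh, dd, mo, yy = data[2:8]
    return datetime(2000 + yy, mo, dd, hh, mm, ss)

def frame_periods(log):
    """Estimate each ID's transmit period in seconds from the capture times,
    which is how the 1 s and 0.1 s cadences above are spotted."""
    times = defaultdict(list)
    for t, line in log:
        parsed = parse_frame(line)
        if parsed is not None:
            times[parsed[0]].append(t)
    return {cid: round((ts[-1] - ts[0]) / (len(ts) - 1), 2)
            for cid, ts in times.items() if len(ts) > 1}
```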



Wrong Assumption

However, after doing more research, I found that pressing the tailgate button just ties a signal to ground without sending any CAN packet. Adding an external module (relay) to emulate a human pressing the button is not hard, and it is reliable and safe. So I was basically doing the experiment the wrong way; it's impossible to get the close-tailgate CAN command by sniffing

However, I asked a guy with an XC60 and VIDA-DICE. He told me that the VIDA interface does have a button to close the tailgate, in Internet Explorer!! So I still have a chance. I just need to sniff the CAN bus when VIDA-DICE is connected to the car

ELM327 Review

Let's talk about the ELM327 again. It's useful as a master to query the car, such as VIN, speed, engine RPM, and fault codes. However, it's not suitable for car hacking:
  • Its buffer is quite small and fills up easily. I can only use it to sniff the low-speed bus
  • Text interface, slow speed
  • The ELM327 is not suitable for pretending to be a CAN device
    • Upon reception of ID=258, do some processing, and send another command
    • It's not suitable to do this with the ELM327
So basically, I have almost abandoned the ELM327. I will discuss how to make my own CAN bus analysis tool next
