OBD-II and ELM327 (4), man in the middle framework

In previous post, I realized that ELM327 is not ideal platform to do car hacking. I need to develop some more *interesting* hacking tool to achieve the job. So I turned to Raspberry Pi to continue development


Implement a CAR by Raspberry Pi (Pi-CAR)

ELM327 communicates to a car, so I need to make a CAR... What?



I used a Raspberry Pi plus CAT-HAT to behave like a VOLVO XC60. The HW installation is not difficult, and I used PYTHON-CAN to write car emulator. So it can receives query from ELM327, and responds 0902 (VIN query command)

  • ELM327 ---- Pi-CAR
    • Left rectangular is ELM327, which queries VIN via 0902 command
    • 500kbps CANBUS wire, in the right-buttom corner, connects between ELM327/Pi-CAR
    • Right rectangular is RPi, it responds 0902 command. He says: I'm a Volvo XC60

The experiment shown above
  • Upper window is ELM327 serial port. You can double confirm the result with earlier post. It had the same response as I connected ELM327 to real car
  • Lower window is the RPi screenshot. It also reveals more detail of 0902 transaction
    • ELM327 sends 0902 query
    • RPi responses the 1st response
    • ELM327 sends 0x30 which queries remaining message (refer to ISO15765-2 for more detail)
    • RPi responses the 2nd/3rd packets

Now ELM327 behaves like communicating a CAR, that's the initial part of hacking...


Implement a WIRE by Raspberry Pi (Pi-WIRE)

Now use another board of Raspberry Pi, equipped two CAN transceiver, I want to implement a *wire* (Pi-WIRE). You can imagine that this board is invisible between ELM327 & Pi-CAR. They don't know the packet is bypassed by Pi-WIRE




  • ELM327 ---- Pi-WIRE ---- Pi-CAR
    • All configuration kept the same except Pi-WIRE is introduced
    • Pi-WIRE is a cable
      • Packet from ELM327 is re-directed to Pi-CAR, and it sniffered (I know what ELM327 talked)
      • Packet from Pi-CAR is re-directed to ELM327, and it sniffered (I know what Pi-CAR talked)
The experiment result now has 3 windows, the upper/lower windows is the same as previous step (both ELM327/Pi-CAR doesn't know the existence of Pi-WIRE). The middle one is MITM (man in the middle) result. It knows the packet from both side





 Many Interesting Staff of Pi-WIRE

I had a HUD connecting to OBD-II. So I can use Pi-WIRE to do reverse engineering toward OBD-II, to know how HUD works. We can verify these add-on OBD dongles' behavior. However, I don't have confidence to connect these *toys* to the real cars (I probably need some box to fasten them first)



Before I connect these staff into the car, I would talk some pitfall encountered during making these tools

Comments

Post a Comment

Popular posts from this blog

OBD-II and ELM327 (1)

Image
I bought a Volvo XC60 2017, and the car had an OBD-II port. I always feel the port is inviting me to do some hacking. I had power supply, oscilloscope, soldering equipment, multi-meter. I can read English, and had some embedded system development experience, but no hacking car ever. Maybe with some study, I can learn to do that My adventure starts with ELM327, the equipment is quite cheap. I want to talk pro/con of the cheap China ELM327 unit, and when you will feel disappointed to it ELM327 is basically a Microchip PIC18F2480 with customized FW, which supports various OBD protocol. Picture below is from its datasheet Left-upper corner, MCP2551 is the CAN transceiver It communicates to car by CANL/CANH signals It outputs CAN signal to PIC18F2480 (ELM327) (PIN1/4) PIC18F2480 (ELM327) It accepts the output signal from CAN transceiver The internal CAN controller send/receive from CAN bus It had UART interface in PIN17/18 Option1: FTDI UART to USB interface Conne
Read more

OBD-II and ELM327 (3), try to decode CAN package recorded by ELM327

Image
Volvo XC60 2017 doesn't offer the capability of closing tailgate by remote control. I have to press the button in the tailgate (see below) to hand. That's probably because of security reason, but I feel so stupid. M assumption is, the button sends some message to CAN bus. If I can sniffer the signal, I can close the tailgate remotely Challenge Accept !! I connect the ELM327 with my XC60, and successfully read VIN code . Then I tried ATMA (Monitor All) command to sniffer CAN bus... Then... nothing happened !! What the fuck ?! So now I can tell you when the cheap ELM327 makes you disappointed In complete AT command Because Torque App doesn't use ATMA command, so the cloned ELM327 don't offer such capability Poor bluetooth connectivity As sending ATRV command, sometimes I got incomplete response. I guess that's because bluetooth module doesn't work well Even the cheap ELM327 dongle offers ATMA capability, the data rate is far exceeding the blue
Read more

OBD-II and ELM327 (2), the underlying interface of ELM327

Image
Go to Google play and search keyword of "ELM327 Terminal", all of them were similar, you can just pick arbitrary of one. If you really had some difficult of selection, this one  looks beautiful and just updated recently After connecting the tool with ELM327 and car, type "0902" in the tool to read the VIN code . These PIDs (0902) were industrial standard , and all cars shall implement it. Here's some useful PIDs. That's why HUD (head up display) can connect to all brands of cars with OBD2 connector 01 0D: car speed 01 0C: engine RPM Here's the 0902 query response of my car in the APP. If interested, decode it :-) 7E8 08 01 14 49 02 01 59 56 41 7E8 08 21 44 5A 41 38 42 44 48 7E8 08 22 32 30 37 36 36 38 32 A lot of people read CAN bus by Torque, but only few people read the ELM327's capability document. Check out ELM327 website and download their AT command list , that's all the capability it had. It had different capability
Read more