Posts

Showing posts from August, 2020

VOLVO+ Development Story (2), low power design

After the 1st prototype broke, I made several more prototypes. I'm not good at soldering, so I redid the prototypes several times to get a working board.

To make VOLVO+ a real product, I have to do something difficult: a low-power mechanism.

The VOLVO XC60 uses an AGM battery, which costs ~300 USD, and many people complain that its lifetime is only roughly 2 years. That means an expense of 150 USD per year. The basic idea for keeping a lead-acid battery healthy is simple: keep the battery fully charged. I don't want VOLVO+ to kill my battery, so I shall design the low-power mechanism carefully.

With the engine on, the VOLVO car's alternator can output >100 A while VOLVO+ drains only 13 mA, which is small enough to neglect. With the engine off, VOLVO+ keeps draining the battery as long as it is plugged into OBD2. So the real challenge is: how to minimize the standby power.

I defined a useful metric to measure low-power performance: how long it takes VOLVO+'s standby power to drain 1% of the battery. The longer the time, the better the low-power

VOLVO+ Development Story (1)

The story goes back to 2017, when I bought a VOLVO XC60. The electronic tailgate can be opened with the remote, but Volvo did not allow closing the tailgate remotely. During Chinese New Year 2019, I suddenly wanted to play with it ...

The record above actually documents the development of the mechanism called MITM, and you can read it for more insight. I made some tools and tried to figure out the car's CAN bus protocol. Thanks to my friend for lending his VOLVO XC70, which let this "box" run experiments on the car without worrying about breaking the car. Thank you again: we've figured out the CAN bus packet to close the tailgate.

With an understanding of the VOLVO car's CAN bus, I could make the prototype, including FW coding and HW design. I completed the first prototype in May of 2019. The PCB looks bad: a lot of flying wires and hot melt glue everywhere. Fortunately, it worked. There are only a few components on the PCB, but I still had a hard time making it work.

The development board I used is named Blue Pill. It's cheap

OBD-II and ELM327 Series

I bought a VOLVO XC60 in 2017. I especially love the CAN bus; it has a lot of fun things in it. This series records how I hacked the bus, with an interesting demo at the end. Hope you enjoy the reading :-)

1. OBD2 and ELM327
2. The underlying interface of ELM327
3. Try to decode CAN package recorded by ELM327
4. Man in the Middle Framework
5. What happened if CAN bus had something bad
6. Reverse engineering HUD against Pi-WIRE
7. MITM timing analysis
8. MITM failure analysis 2
9. MITM failure analysis 3, the CAN bus requires at least two devices
10. Superb driving skill demo

OBD-II and ELM327 (10), superb driving skill demo

Finally, I can demo my superb driving skill in the basement: the HUD showed that I'm at 116 km/hr!! The HUD kept querying the speed from the car.

Here's the code snippet to hack the speed response in STM32

STM32, the man-in-the-middle, hacked the speed (+100). Here's the code snippet to hack

Video demo

Thanks for reading. Two years after buying the car, I learned a bit of CAN development

OBD-II and ELM327 (9), MITM Failure Analysis 3, the CAN Bus Requires At Least Two Devices

A House for the Development Kit

I have to say, keeping things neat is a profession. I sought out an expert (my wife) to improve my equipment.

The pins of the development board are inserted into foam as the base, and the base is attached to the box with hot melt glue. Expert: Hot melt glue is your friend.
The DuPont wires are fixed to the edge of the box with a strap. Expert: With a strap, I can adjust the wires if desired.
Dig a hole in the box to fix the OBD-II head (fixed with hot melt glue). Dig another hole to route the USB cables.
USB1: Powers the MCU board and programs it
USB2: Provides a 5V power source, plus a 5V-to-12V DC-to-DC converter to power devices (HUD)
USB3: Powers the Raspberry Pi

Datasheet is a good friend when playing with an MCU

The advantage of changing to STM32 is that the environment is simple. Reading the datasheet about the CAN bus helps me understand more. The text below is some notes for myself from reading the datasheet.
STM32 by default doesn't enable CAN re-transmission
As the packet from HUD forwards to CAR, it mig

OBD-II and ELM327 (8), MITM Failure Analysis 2

Introduction

In school, the textbook illustrates theorems in sequence. It seems there's some path by which we can get the answer. In reality, I can write a failure analysis with confidence, but in this article I would say it's wrong. I think that's an engineer's daily life: struggling with debugging until reaching the answer.

New Weapon

I bought an STM32 Nucleo F767ZI from Mouser, which is a high-end MCU fabricated in 90nm.
Cortex-M7 @ 216MHz, 512KB SRAM, 2MB Flash
Extremely fast processor, very large PM/DM
Stupid code still runs quite fast
3x CAN, USB 2.0 HS, Ethernet
With 3x CAN, I can do packet forwarding within the MCU
I can play with USB/Ethernet if desired

FedEx is quite efficient. I ordered on Friday, and the EVB was dispatched from the USA and arrived in Taiwan the next Tuesday. With some effort, I completed CAN forwarding within the MCU. In the scope picture below, the latency is reduced from 400us to 20us (finally...)

HUD was NOT killed by latency

In the picture below, with extremely fast packet