VOLVO+ Development Story (9), A-SS development

VOLVO made the A-SS default on. I spent hundreds of hours learning CAN bus programming from scratch to make the A-SS default off. This article illustrates the idea of hacking a car and the A-SS OFF development details.


Build the development tool

  • I typically interact with the CAN bus via a Raspberry Pi + Linux toolchain
    • Pro
      • Raspberry Pi has built-in WiFi, Bluetooth, and high performance
      • Convenient can-utils package
      • It's basically a computer, so we can write programs
    • Con
      • No commercial or GUI-based tool; higher entry barrier
      • No technical support; we develop everything on our own
      • No solid mechanical structure; I spend a lot of time debugging the toolkit before doing experiments
  • Hardware selection
    • Raspberry Pi 3B+
    • Candlelight FW based USB-to-CAN bus converter
    • Adjustable DC-to-DC converter module for 12V-to-5V
  • I made several pieces of HW; the picture below is the one I'm using
  • I also had an outdoor version, which used a Raspberry Pi ZW to reduce size
  • Debian Linux has the can-utils package, whose candump can sniff the CAN bus
    • The command can output CAN bus packets to the screen (so we can get a feel for the packets). It looks like the screenshot below
      • Linux has the convenient pipe + grep commands to filter the packets we're interested in
      • We may also redirect the screen output to files for further analysis
    • The package also has a "cansend" command, which can send arbitrary packets

Find the trigger signal

Since this is a CAN bus product, our judgement is based on CAN bus packets. Turning off A-SS after engine-on means detecting engine-on on the CAN bus and sending some packet to turn off A-SS.

With my homebrew development tool, I recorded some logs containing the transition from engine off->on. The log file contained thousands of CAN packets; how to find it? It's impossible to consult technical support from VOLVO; they will not provide CAN bus packet definitions. Well... let's do the hard work.

  • Reading the CAN packets seems stupid, but it's worth it. VOLVO selected a fixed 8-byte format whose timing is probably more predictable (but wastes bandwidth)
    • As far as I know, Japanese cars use variable-length packets
  • Analyze the log file with Excel
    • There must be duplicated packets in the log files. Excel can find the unique set of packets and calculate the count of each packet. The picture below is the result
      • The method is basic but useful. Imagine you trigger some event 3/5/7 times and some CAN packets also appear 3/5/7 times; then you're lucky enough to have found the event
    • Excel can also do quick filtering to check the desired ID, and plot diagrams for visual analysis
    • Different IDs usually mean different purposes. I once checked each ID individually to find clues. In my previous article, the VOLVO low CAN had ID=2E7 indicating a sort of timestamp
  • CAN packet visualization tool
    • I wrote a Python utility to visualize CAN packets. Below is the visualization result of 2E7. Unique packets appeared as time went by
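
The counting approach described above (unique packets with their counts, matched against how many times an event was triggered), as an added Python example that is not the author's tool. It assumes the log was saved in candump's log-file format (`candump -l` / `-L`); the sample frames, the IDs 1A0 and 3C4, and all payloads are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# One candump log-format line: "(timestamp) interface ID#DATAHEX"
LINE_RE = re.compile(r"^\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)$")

# Constructed sample: 1A0 is periodic and constant, 2E7 changes every frame
# (timestamp-like), 3C4 appears once per simulated button press (3 presses).
SAMPLE_LOG = """\
(100.000000) can0 1A0#0000000000000000
(100.010000) can0 2E7#0000000000000001
(100.020000) can0 3C4#0100000000000000
(100.100000) can0 1A0#0000000000000000
(100.110000) can0 2E7#0000000000000002
(100.200000) can0 1A0#0000000000000000
(100.210000) can0 3C4#0100000000000000
(100.300000) can0 1A0#0000000000000000
(100.310000) can0 2E7#0000000000000003
(100.320000) can0 3C4#0100000000000000
(100.400000) can0 1A0#0000000000000000
"""

def parse_candump(text):
    """Return [(timestamp, can_id, data_hex)]; lines that do not match are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, _iface, can_id, data = m.groups()
            frames.append((float(ts), can_id.upper(), data.upper()))
    return frames

def count_unique(frames):
    """Count how often each distinct (ID, payload) pair occurs (the Excel step)."""
    return Counter((cid, data) for _ts, cid, data in frames)

def candidates(frames, presses):
    """(ID, payload) pairs seen exactly as many times as the event was triggered."""
    return sorted(k for k, n in count_unique(frames).items() if n == presses)

def payloads_per_id(frames):
    """Distinct payloads per ID: 1 suggests a constant, many suggests a counter."""
    seen = defaultdict(set)
    for _ts, cid, data in frames:
        seen[cid].add(data)
    return {cid: len(s) for cid, s in seen.items()}

if __name__ == "__main__":
    frames = parse_candump(SAMPLE_LOG)
    print(candidates(frames, presses=3))
    print(payloads_per_id(frames))
```

Repeating the recording with a different number of presses (5, then 7) and intersecting the candidate sets removes frames that matched the count by coincidence.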



Find the A-SS off packet
  • I tried pressing the A-SS button under different scenarios while recording the CAN bus traffic. I tried to find the rules in these logs
  • Finding the A-SS stop behavior is a bit tricky. After locating some suspicious packets, I tried to send another packet to "overwrite" the previous state, and the A-SS light was OFF!
    • Reading the CAN bus is safe. After all, everyone on the bus can receive without risk
    • Writing to the CAN bus is another story. We don't know whether the injected packet will affect the system
  • As mentioned before, I also bought the Module 4.0 as a reference design. By sniffing the CAN bus, I also double-checked my answer against it. I'm happy that we're doing the same design
    • MITM tricks were also used to examine Module 4.0 behavior directly

FW development
STM provided STM32CUBEMX, which generated the boot code and provided a CAN library. With just some clicking, I had a skeleton of the system with FreeRTOS. Then I wrote FW to connect the engine-on message and send the A-SS off packet. The essential code is roughly 20 lines. The final production code was rewritten several times to support multiple models and cars. Prototyping with my car is easy, but supporting various car models and years is a nightmare.


The picture below indicates how VOLVO+ works. The upper yellow row is the engine start event while the lower yellow row is the A-SS off! Now I had an invisible hand to press the A-SS button at engine-on.



Special thanks
At the end of the article, I want to say thanks to all XC60 owners who helped me test VOLVO+. Without your help, the verification would be limited to a single XC60 only
  • Taipei, Mr. Yang, Mr. Huang
  • Taoyuan, Mr. Chen
  • Hsinchu, Mr. Hsu, Mr. Chang, Mr. Chen
  • Yilan, Mr. Chang
  • Kaohsiung, Mr. Yang
