As an automotive enthusiast delving into vehicle diagnostics, particularly with the CANBUS system, I became more curious about OBD2 Parameter IDs (PIDs) after recent explorations into the FCA Uconnect hack. Using an OBDLink MX, which supports AT & ST commands for OBD2, I’ve been working through the intricacies of vehicle communication protocols. To overcome limitations encountered with Bluetooth modules (specifically, buffer overflows during continuous data monitoring), I’m transitioning to a wired USB OBD2 ELM327 module. This switch aims to ensure uninterrupted data flow, which is crucial for comprehensive OBD2 traffic analysis without packet loss due to Bluetooth bandwidth constraints.
A significant breakthrough in this investigation was realizing the potential hidden within the extended PIDs revealed during full PID scans with tools like Torque. The responses indicating NULL PIDs (signaled by ‘7F’) actually pinpointed the PIDs that were skipped, and those skipped PIDs are now considered prime candidates for containing valuable, yet undocumented, data. A refined version of the full PID scan data has been prepared, with the initial rows stripped away to focus on actionable information. The objective is to parse this data in spreadsheet software and identify every PID that might hold data but was not initially included in standard scans. Essentially, PIDs within the hexadecimal range 0-F that were omitted are now under scrutiny as potential enhanced PIDs.
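The gap-finding step described above can also be scripted instead of done in a spreadsheet. This is an added example, not code from the original post: it assumes a constructed two-column log (request, response) of service 0x22 requests with 2-byte PIDs, treats any response starting with 7F as a negative response, and reports the low-nibble 0-F values missing from each 16-PID block the scan touched. The function names and sample rows are illustrative.

```python
import csv
import io

# Constructed sample rows (not captured from a vehicle): request, response.
# Assumed layout: service 0x22 + 2-byte PID; "7F 22 xx" is a negative
# response, "62 <PID> <data>" a positive one.
SAMPLE_SCAN = """\
request,response
221130,7F2231
221131,6211310A
221132,7F2231
221134,7F2231
221135,7F2231
22113F,7F2231
221140,7F2231
221142,62114200FF
"""

def parse_scan(text):
    """Return {pid: 'negative' | 'positive' | 'other'} for each logged request."""
    results = {}
    for row in csv.DictReader(io.StringIO(text)):
        req = row["request"].replace(" ", "").upper()
        resp = row["response"].replace(" ", "").upper()
        if len(req) != 6 or not req.startswith("22"):
            continue  # not a service 0x22 request with a 2-byte PID
        pid = int(req[2:], 16)
        if resp.startswith("7F"):
            results[pid] = "negative"
        elif resp.startswith("62" + req[2:]):
            results[pid] = "positive"
        else:
            results[pid] = "other"
    return results

def skipped_pids(results):
    """PIDs absent from the log within each 16-PID block (low nibble 0-F) seen."""
    blocks = {pid >> 4 for pid in results}
    return sorted(
        (block << 4) | low
        for block in blocks
        for low in range(16)
        if ((block << 4) | low) not in results
    )

if __name__ == "__main__":
    for pid in skipped_pids(parse_scan(SAMPLE_SCAN)):
        print(f"candidate PID {pid:04X}")
```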
This targeted approach promises to significantly narrow down the search for functional PIDs, allowing for a comparative analysis against known or mapped PIDs. This process is a crucial step towards reverse engineering and fully understanding the data landscape within the vehicle’s network. Once the USB ELM scanner is integrated into the setup, the next phase involves capturing CANBUS communication to ascertain whether data points for systems like the Tire Pressure Monitoring System (TPMS), specifically pressure and temperature, are transmitted from the Body Control Module (BCM) to the Engine Control Module (ECM). A practical method to potentially capture all TPMS values in a single scan session involves toggling the Driver Information Center (DIC) to the TPMS screen during data acquisition.
Parallel to this PID exploration, interest in an OBD2 window rollup/rolldown module has emerged. Understanding the unlock/lock command sequences that trigger the module to control all four windows presents another intriguing avenue of investigation. To facilitate simultaneous CANBUS sniffing while keeping the window module active, the implementation of an OBD2 splitter cable is planned. This setup will allow for real-time monitoring of communication alongside module operation. Detailed insights into the window control module, including operational demonstrations, are available in a dedicated forum thread and accompanying YouTube video linked below. Notably, this module also incorporates a safety feature, activating hazard lights upon door opening and closing, which is particularly beneficial when parked on streets.
http://www.ssforums.com/forum/electronics/13170-window-roll-down-function.html
For enthusiasts eager to delve deeper into vehicle bus hacking, several foundational resources are invaluable. These include comprehensive guides that break down the process of vehicle bus hacking into accessible parts, starting with hardware interface setup and progressing to data interpretation. Furthermore, detailed documentation on the ELM327 chipset and the comprehensive Car Hacker’s Handbook provide critical knowledge for anyone serious about understanding and manipulating vehicle communication systems.
a complete guide to hacking your vehicle bus on the cheap & easy – part 1 (hardware interface)
a complete guide to hacking your vehicle bus on the cheap & easy – part 2 (interpreting the data)
https://cdn.sparkfun.com/assets/learn_tutorials/8/3/ELM327DS.pdf
http://opengarages.org/handbook/2014_car_hackers_handbook_compressed.pdf
Regarding in-cabin device integration, inspired by community setups featuring tablets and phone mounts, considerations are being made for mounting solutions. A rearview mirror mount for an Android phone dedicated to gauge display is under consideration, alongside a separate dash mount for an iPhone. Planning also includes integrating a v1 radar detector with a BlendMount. The envisioned setup aims to position the Android Torque device to the left of the rearview mirror in landscape mode, potentially necessitating a custom bracket built with RAM Mounts components to achieve optimal placement and ergonomics.
Updates on the progress of PID identification, CANBUS data analysis, and in-vehicle setup will be provided as advancements are made. Stay tuned for further insights into unlocking the diagnostic potential of the 2007 LBZ engine and beyond.