Need Help Spoofing CAN Messages for Radio/HVAC with ELM327

General discussion about interfacing with the CAN bus
BlueKoda
How the heck did I end up here?
Posts: 1
Joined: 2016 Sep 18 22:20

Post by BlueKoda » 2016 Sep 18 22:48

Hi all!

I'm working on a pretty cool project that involves using a Raspberry Pi inside my vehicle to control different functions of the vehicle remotely (over cellular). I'm already able to Lock, Unlock, and Remote Start the vehicle using some transistors to activate some sacrificed keyfobs, so that is pretty straightforward. The method of communication is over a serial cellular board called Fona, over which I am sending SMS messages for each different command.

I would like to take this a step further, such as being able to control in-vehicle systems such as the HVAC, Windows, Radio, and maybe even Ford Sync. So inherently, with most of these systems being controlled over the CAN-bus, that was my next step.

I'm using a cheap ELM327 bluetooth reader connected to the raspberry pi, and I am able to send messages directly to the ELM327 which in turn can communicate over the CAN.

Here's the problem. While I'll need to do a little more sniffing to figure out what all of the IDs of all of the different modules are, I need to be able to 'spoof' the commands from those modules in the first place, and that's where I'm stuck. The vehicle in question is a 2012 Ford Fusion, which uses an 11-bit CAN with 125 kbaud for the MS-CAN network which all of the 'body related' modules talk on.

For example, the Radio Button Panel CAN ID is 2E0, and messages for the Volume Knob up and down look like this:

Code:

2E0 2B 88 00 00 00 00 00 00            <---- 2 CAN messages are sent for 
2E0 2B 48 00 00 00 00 00 00            <---- each 'click' for some reason 88+48
2E0 2B 88 00 00 00 00 00 00
2E0 2B 48 00 00 00 00 00 00
2E0 2B 88 00 00 00 00 00 00
2E0 2B 48 00 00 00 00 00 00            <---- 2B is Volume Up
2E0 2C 88 00 00 00 00 00 00            <---- 2C is Volume Down
2E0 2C 48 00 00 00 00 00 00
2E0 2C 88 00 00 00 00 00 00
2E0 2C 48 00 00 00 00 00 00
2E0 2C 88 00 00 00 00 00 00
2E0 2C 48 00 00 00 00 00 00

When trying to spoof messages with an ELM327, I was trying to use a guide like this: https://theksmith.com/software/hack-veh ... sy-part-2/. However, his vehicle uses a different protocol and doesn't seem to line up.

According to the ELM327 documentation, my vehicle seems to be using 'Extended Addresses' for the different button IDs, 2B & 2C.
However, after setting the ID and the extended address and sending a message, nothing seems to happen.

Code:

>ATSH 2E0
OK

>AT CEA 2B
OK

>88
NO DATA

>48
NO DATA

The volume does not change.

Is there something I'm missing? I've not worked very much with serial connections in the past, let alone ELM chips, until this project. So this is all very new to me.

If anyone has any suggestions as to how I can get this to work, I'm open to anything. I guess in the meantime, I'll keep sniffing for more of the different IDs until I can get it figured out.

If it helps anyone, the documentation for the ELM327 chip can be found here: https://www.elmelectronics.com/wp-conte ... M327DS.pdf
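As an added example, not part of the original post: a small Python decoder for the capture format shown above ("ID B0 B1 ... B7"), which pairs each 88/48 frame pair from ID 2E0 into one button click so a sniffed log can be sanity-checked before anything is transmitted. The button codes come from the post's own annotations; reading 88 as press and 48 as release is an assumption, and the sample log is constructed.

```python
from collections import Counter

# Constructed sample in the post's capture format: three Volume Up clicks,
# three Volume Down clicks, plus one stray release frame with no matching
# press (should be ignored) and an annotated line (annotation stripped).
SAMPLE_LOG = """\
2E0 2B 88 00 00 00 00 00 00            <---- press
2E0 2B 48 00 00 00 00 00 00            <---- release
2E0 2B 88 00 00 00 00 00 00
2E0 2B 48 00 00 00 00 00 00
2E0 2B 88 00 00 00 00 00 00
2E0 2B 48 00 00 00 00 00 00
2E0 2C 88 00 00 00 00 00 00
2E0 2C 48 00 00 00 00 00 00
2E0 2C 88 00 00 00 00 00 00
2E0 2C 48 00 00 00 00 00 00
2E0 2C 88 00 00 00 00 00 00
2E0 2C 48 00 00 00 00 00 00
2E0 2D 48 00 00 00 00 00 00
"""

RADIO_PANEL_ID = 0x2E0                      # from the post
BUTTONS = {0x2B: "Volume Up", 0x2C: "Volume Down"}  # from the post's notes
PRESS, RELEASE = 0x88, 0x48                 # assumed meaning of byte 1

def parse_frame(line):
    """Return (can_id, data) for one capture line, or None for a blank line."""
    text = line.split("<")[0].strip()       # drop trailing '<----' annotations
    if not text:
        return None
    fields = text.split()
    can_id = int(fields[0], 16)
    data = bytes(int(b, 16) for b in fields[1:])
    if len(data) > 8:                       # classic CAN carries at most 8 bytes
        raise ValueError(f"frame {can_id:03X} has {len(data)} data bytes")
    return can_id, data

def count_clicks(log):
    """Map button name -> clicks, counting a click only as a press followed by its release."""
    clicks = Counter()
    pending = None                          # button whose press awaits a release
    for line in log.splitlines():
        parsed = parse_frame(line)
        if parsed is None:
            continue
        can_id, data = parsed
        if can_id != RADIO_PANEL_ID or len(data) < 2:
            continue
        name = BUTTONS.get(data[0], f"unknown 0x{data[0]:02X}")
        if data[1] == PRESS:
            pending = name
        elif data[1] == RELEASE and pending == name:
            clicks[name] += 1
            pending = None
    return dict(clicks)
```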
