I'm working on a pretty cool project that involves using a Raspberry Pi inside my vehicle to control different functions of the vehicle remotely (over cellular). I'm already able to Lock, Unlock, and Remote Start the vehicle using some transistors to activate some sacrificed keyfobs, so that is pretty straightforward. The method of communication is a serial cellular board called Fona, over which I am sending SMS messages for each different command.
I would like to take this a step further, such as being able to control in-vehicle systems such as the HVAC, Windows, Radio, and maybe even Ford Sync. So inherently, with most of these systems being controlled over the CAN-bus, that was my next step.
I'm using a cheap ELM327 bluetooth reader connected to the raspberry pi, and I am able to send messages directly to the ELM327 which in turn can communicate over the CAN.
Here's the problem. While I'll need to do a little more sniffing to figure out what all of the IDs of all of the different modules are, I need to be able to 'spoof' the commands from those modules in the first place, and that's where I'm stuck. The vehicle in question is a 2012 Ford Fusion, which uses an 11-bit CAN with 125 kbaud for the MS-CAN network which all of the 'body related' modules talk on.
For example, the Radio Button Panel CAN ID is 2E0, and messages for the Volume Knob up and down look like this:

2E0 2B 88 00 00 00 00 00 00 <---- 2 CAN messages are sent for
2E0 2B 48 00 00 00 00 00 00 <---- each 'click' for some reason 88+48
2E0 2B 88 00 00 00 00 00 00
2E0 2B 48 00 00 00 00 00 00
2E0 2B 88 00 00 00 00 00 00
2E0 2B 48 00 00 00 00 00 00 <---- 2B is Volume Up
2E0 2C 88 00 00 00 00 00 00 <---- 2C is Volume Down
2E0 2C 48 00 00 00 00 00 00
2E0 2C 88 00 00 00 00 00 00
2E0 2C 48 00 00 00 00 00 00
2E0 2C 88 00 00 00 00 00 00
2E0 2C 48 00 00 00 00 00 00

When trying to spoof messages with an ELM327, I was trying to use a guide like this: https://theksmith.com/software/hack-veh ... sy-part-2/. However, his vehicle uses a different protocol and doesn't seem to line up.
According to the ELM327 documentation, my vehicle seems to be using 'Extended Addresses' for the different button IDs, 2B & 2C.
However, after setting the ID and the extended address and sending a message, nothing seems to happen.
The volume does not change.
>ATSH 2E0
OK
>AT CEA 2B
OK
>88
NO DATA
>48
NO DATA
Is there something I'm missing? I've not worked very much with serial connections in the past, let alone ELM chips, until this project. So this is all very new to me.
If anyone has any suggestions as to how I can get this to work, I'm open to anything. I guess in the meantime, I'll keep sniffing for more of the different IDs until I can get it figured out.
If it helps anyone, the documentation for the ELM327 chip can be found here: https://www.elmelectronics.com/wp-conte ... M327DS.pdf
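As an added example that is not part of the original post, here is a small Python parser for the 2E0 capture shown above: it decodes each line into an 11-bit ID plus data bytes and counts knob clicks by pairing the 0x88/0x48 frames the post describes. The frame layout and the 2B/2C button meanings come from the post's capture; the click-pairing rule and the names are my assumptions.

```python
"""Parse captured MS-CAN frames from the radio button panel (ID 0x2E0).

Assumptions (not from the post): a click is the frame pair 0x88 then 0x48
with the same button byte, and the button names below are illustrative.
"""
from dataclasses import dataclass

RADIO_PANEL_ID = 0x2E0
BUTTON_NAMES = {0x2B: "volume_up", 0x2C: "volume_down"}  # per the post's capture
CLICK_START, CLICK_END = 0x88, 0x48  # second data byte of each frame in a click

# Constructed sample: the frames from the post's capture, one per line.
SAMPLE_LOG = """\
2E0 2B 88 00 00 00 00 00 00
2E0 2B 48 00 00 00 00 00 00
2E0 2B 88 00 00 00 00 00 00
2E0 2B 48 00 00 00 00 00 00
2E0 2B 88 00 00 00 00 00 00
2E0 2B 48 00 00 00 00 00 00
2E0 2C 88 00 00 00 00 00 00
2E0 2C 48 00 00 00 00 00 00
2E0 2C 88 00 00 00 00 00 00
2E0 2C 48 00 00 00 00 00 00
2E0 2C 88 00 00 00 00 00 00
2E0 2C 48 00 00 00 00 00 00
"""


@dataclass(frozen=True)
class Frame:
    can_id: int
    data: bytes


def parse_line(line: str) -> Frame:
    """Decode '<hex id> <up to 8 hex bytes>' into a Frame; rejects bad IDs/lengths."""
    fields = line.split()
    if not 1 <= len(fields) <= 9:
        raise ValueError(f"expected an ID and 0-8 data bytes: {line!r}")
    can_id = int(fields[0], 16)
    if can_id > 0x7FF:  # MS-CAN on this vehicle uses 11-bit identifiers
        raise ValueError(f"not an 11-bit identifier: {fields[0]}")
    return Frame(can_id, bytes(int(b, 16) for b in fields[1:]))


def parse_log(text: str) -> list[Frame]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def count_clicks(frames: list[Frame]) -> dict[str, int]:
    """Count completed clicks per button, ignoring other IDs and unpaired frames."""
    counts = {name: 0 for name in BUTTON_NAMES.values()}
    pending = None  # button name whose 0x88 frame is awaiting its 0x48 partner
    for f in frames:
        if f.can_id != RADIO_PANEL_ID or len(f.data) < 2:
            continue
        name, phase = BUTTON_NAMES.get(f.data[0]), f.data[1]
        if name is None:
            continue
        if phase == CLICK_START:
            pending = name
        elif phase == CLICK_END and pending == name:
            counts[name] += 1
            pending = None
    return counts
```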