Re: 2014 Dodge Charger

Posted: 2017 Jul 03 16:22
by loneferret
Sweet! I just ordered a CANtact and that Tazer you mentioned a few days ago.
Was curious to know how via the OBD2 it was able to accomplish all that it does.
Can't wait to see your write-up, really curious to see what you've found out.

Re: 2014 Dodge Charger

Posted: 2017 Jul 05 00:06
by poop713
I just downloaded the "desktop" app from CANtact and it's pretty cool. It has some features to read from the ECU, but at the moment it looks like it's not working, or I'm doing something wrong. In one of the options I came across, it had an input for a "seed key". I just happen to have one of those that I stumbled across in some old .bin file from this "avidcode" device. I'll test it out and post the update on that. Fingers crossed.

So far on my project I've written a custom script that auto sets up my CANBUS device once plugged in, and have been tinkering on setting up my own custom GUI on my Raspberry Pi, so when it boots up I can make my own custom layout just for my car with all the buttons mapped with the IDs I've been collecting. I can already remove my radio and send my commands to control all the missing functions, so now I just need to map a few more things. For some reason I can only control the passenger window; all the other windows do not show up. I managed to get the CANBUS layout on my 14 Charger from the techauthority website. I also got 2017 and 2015 layouts as well, just to reference any changes. I'm still studying those but I'm sure that's going to tell me why I can only control the passenger window. It has a lot of useful info.

Re: 2014 Dodge Charger

Posted: 2017 Jul 05 08:42
by loneferret
Mind sharing what you have so far?
I'd be interested in having a look.

Re: 2014 Dodge Charger

Posted: 2017 Jul 06 00:42
by casadia880
I recently swapped in a cluster from a 2015 Charger into my 2012. I'm going to try to get everything on it working by transcoding the CAN commands that are different into the 2015 codes (Menu buttons, sport mode indicator, and gear indicators are the only things that I know for sure don't work). I'm going to try to use an ELM327 OBDII device's serial function to read and send commands, manually at first. Actually, one of the last updates for Avidcode has exactly the functions I'm trying to replicate in it. Would you be able to make a list of the commands and their functions that you've been able to identify? I work at an FCA dealership so hopefully I'll be able to get into a new Charger to sniff out the newer commands.

Re: 2014 Dodge Charger

Posted: 2017 Jul 06 12:20
by poop713
I have all the menu buttons, sport mode button, and shifter

Re: 2014 Dodge Charger

Posted: 2017 Jul 06 12:29
by poop713
I just got the CANBUS diagram. It's a complete layout of everything connected for my 2014 Charger from the tech authority website. I tried to download as much as possible; I got the 2017 and 2015 Chargers too for reference.

Re: 2014 Dodge Charger

Posted: 2017 Jul 06 12:53
by poop713
This comes from hours of testing, but here it is. Once I was "on the CANBUS" it was just a matter of hitting buttons off/on.
Steering wheel buttons
318#00000000100CFF00 #up arrow left side steering wheel
318#00000000040CFF00 #down arrow left side steering wheel
318#00000000010CFF00 # back button left side steering wheel
318#00000000400CFF00 #forward button left side
318#00000010000CFF00 #behind steering wheel skip track
318#00000020000CFF00 #behind steering wheel rewind
318#00000004000CFF00 #volume up right side behind steering wheel
318#00000008000CFF00 #volume down right side behind steering wheel
318#00000001000CFF00 #change input behind steering wheel right side
318#00000040000CFF00 #behind steering wheel middle button seek radio

Shifter: I have the 5-speed V6. I can always connect to the 8-speed and read the data, but it looks like it just increments the 4th number
332#18507840A9F900FF #park
332#18527940AFF900FF #reverse
332#184E7A40B1F900FF #neutral
332#184E7A40B1F900FF #drive
332#18317C40ADF900FF #manual mode 1 gear
332#18327C40AFF900FF #manual mode 2 gear
332#18337C40AFF900FF #manual mode 3 gear
332#18347C40AFF900FF #manual mode 4 gear
332#18357C40AFF900FF #manual mode 5 gear

Sport mode button (touch screen): this was from my radio, but the light came on/off with the command
2FA#0001000800000000 #off
2FA#0001004800000000 #on


If anyone has anything to contribute or wants some help setting their device up, let me know. I'm not a super programmer or very knowledgeable, but I can share what I know / what I did to get my device working on my Charger. If someone can make a button debouncing sketch that would be sick. I'm trying to learn to code in Arduino IDE; the learning curve is slowing me down lol, but basically we need to make a sketch that would wait for a certain ID to pop up then send the "ID" we want to send. The AVIDcode device had to be plugged in the whole time for this to work, which leads me to believe that's how it was set up. I'm trying to figure out how to read the avidcode device from an OBDII splitter. My plan is to sit in the car with it off so no data is showing up, then plug in the avidcode to see what exactly is being sent from the device. If anyone has any other ideas on this, please let me know. I know what type of chip it has but I'm still a bit nervous about trying stuff on the "only one" avidcode device. I need to figure out how to clone it lol, or at least make a virtual copy of it for testing.


@casadia880 if you can connect to the newer cars that would be great to confirm the results here if anything has changed.
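
An added example, not part of the original post: a small Python script that parses the `ID#DATA` notation used in the list above and works out which payload bit each steering wheel button sets. The frame strings are copied from the post; the function names are made up for this illustration.

```python
from functools import reduce

# Frames copied from the post above (notation: <hex id>#<hex data>).
STEERING_WHEEL = {
    "up arrow":     "318#00000000100CFF00",
    "down arrow":   "318#00000000040CFF00",
    "back":         "318#00000000010CFF00",
    "forward":      "318#00000000400CFF00",
    "skip track":   "318#00000010000CFF00",
    "rewind":       "318#00000020000CFF00",
    "volume up":    "318#00000004000CFF00",
    "volume down":  "318#00000008000CFF00",
    "change input": "318#00000001000CFF00",
    "seek radio":   "318#00000040000CFF00",
}

def parse_frame(text):
    """Split 'ID#DATA' into (arbitration id, payload bytes), validating both."""
    ident, sep, data = text.strip().partition("#")
    if not sep:
        raise ValueError(f"missing '#' in {text!r}")
    can_id = int(ident, 16)
    if can_id > 0x7FF:
        raise ValueError("not a standard 11-bit identifier")
    payload = bytes.fromhex(data)          # empty payload is allowed
    if len(payload) > 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    return can_id, payload

def constant_bits(payloads):
    """Bits set in every payload: the part that does not encode a button."""
    return bytes(reduce(lambda a, b: a & b, col) for col in zip(*payloads))

def changed_bits(payload, base):
    """(byte index, bit index) pairs that differ between payload and base."""
    return [(i, bit) for i, (p, b) in enumerate(zip(payload, base))
            for bit in range(8) if (p ^ b) >> bit & 1]

def button_map(frames):
    """Return (constant payload, {button: [(byte, bit), ...]}) for one CAN id."""
    parsed = {name: parse_frame(f) for name, f in frames.items()}
    if len({cid for cid, _ in parsed.values()}) != 1:
        raise ValueError("frames must share one identifier")
    base = constant_bits([p for _, p in parsed.values()])
    return base, {n: changed_bits(p, base) for n, (_, p) in parsed.items()}

if __name__ == "__main__":
    base, mapping = button_map(STEERING_WHEEL)
    print("constant part:", base.hex())
    for name, bits in mapping.items():
        print(f"{name:13s} byte/bit {bits}")
```

Run on the list above, every button maps to exactly one bit in data byte 3 or 4 (counting from 0), with the rest of the payload constant.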

Re: 2014 Dodge Charger

Posted: 2017 Jul 06 13:06
by casadia880
I'll try to get my logging setup working and get codes from a 2015+ as soon as I can. I'm thinking about trying the same thing with my tazer to figure out how it makes changes to the BCM such as enabling performance pages and such. I tried decompiling the binary, but it's encrypted so I won't be able to get a look at the source.

Re: 2014 Dodge Charger

Posted: 2017 Jul 08 10:22
by poop713
more stuff from my 2014 charger

Push button start
122#04020000 #run mode
122#03020000 #acc mode
122#00010000 #off

Vin number
3E0#

Traction control
302#02F0000000000000 #turn off and on same command

AC
342#00010A0000 #turn ac up
342#00010B0000 #turn ac down
34E#7F007F000148007F # AC on
34E#7F7F7F7F000F007F #AC off
34E#7F007F000448007F #max ac off
34E#7F007F000748007F #max ac on
342#0000020000 #turn temp down
342#0000010000 #turn temp up
342#0900000000 #mode face
342#0700000000 #feet face
342#0500000000 #feet
342#0300000000 #defrost & feet
342#0100000000 #front defrost send to turn off/on
342#0000002000 #rear defrost send to turn off/on
342#0000400000 #climate off/on
342#00000B0000 #fan speed down
342#00000A0000 #fan speed up

Defrost button
30E#A4EE1DFF07FF07FF #off
30E#94EE1DFF07FF07FF #on
30E#84EE1DFF07FF07FF

Circulation button ac
342#0000000200 # send to turn off & on

Door locks
2E2#0201 #unlock
2E2#0401 #lock
2E2#2001 #lock windows button down
2E2#0001 #lock windows button up

Radio off (still trying to figure this one out but I think this is what is being sent) (mark this one as unsure). Someone else hopefully can figure this one out. I keep sending the command but I can't get it to turn off/on. I'm thinking I'm missing an ID somewhere.
328#40410046004D0020
328#300100390037002E
328#2001003900200050
328#1001003400200020
328#0001002000000000
328#0000000000000000

windows

I can only control the passenger window, I'm still looking into why

Re: 2014 Dodge Charger

Posted: 2017 Jul 08 10:24
by poop713
casadia880 wrote:
2017 Jul 06 13:06
I'll try to get my logging setup working and get codes from a 2015+ as soon as I can. I'm thinking about trying the same thing with my tazer to figure out how it makes changes to the BCM such as enabling performance pages and such. I tried decompiling the binary, but it's encrypted so I won't be able to get a look at the source.
If you have the TAZER, I've talked to Joe @zauto and he's helped me set up the Tazer to sniff the CAN bus. You can set up filters and log everything.

Re: 2014 Dodge Charger

Posted: 2017 Jul 08 10:33
by loneferret
@casadia880 :
-You could try to open up the Tazer and dump the firmware directly from there. Firmware won't be encrypted once on the chip.
-Second option would be to intercept their Windows app when updating the firmware. Like a man-in-the-middle attack.
I'm still looking into it, but serial port is not as straightforward as TCP/IP.
-Third option would be to reverse engineer the Windows app, and figure out where the firmware is decrypted before uploading to the device. I'm not going to even try this one.

@poop713:
Have you read this: https://www.ioactive.com/pdfs/IOActive_ ... _Units.pdf
It's not for a Dodge, but good info on how CAN-BUS & ECUs interact. Might give you a few ideas on how to accomplish some of the stuff you're trying.

Re: 2014 Dodge Charger

Posted: 2017 Jul 08 10:51
by poop713
loneferret wrote:
2017 Jul 08 10:33
@casadia880 :
-You could try to open up the Tazer and dump the firmware directly from there. Firmware won't be encrypted once on the chip.
-Second option would be to intercept their Windows app when updating the firmware. Like a man-in-the-middle attack.
I'm still looking into it, but serial port is not as straightforward as TCP/IP.
-Third option would be to reverse engineer the Windows app, and figure out where the firmware is decrypted before uploading to the device. I'm not going to even try this one.

@poop713:
Have you read this: https://www.ioactive.com/pdfs/IOActive_ ... _Units.pdf
It's not for a Dodge, but good info on how CAN-BUS & ECUs interact. Might give you a few ideas on how to accomplish some of the stuff you're trying.
Appreciate it! I've seen a few of their articles, reading it now.


I have an avidcode device I would like to dump the firmware on and examine that!!!!!!! I have a firmware backup but I can't get any useful info from it. I've tried to open it in "Hopper Disassembler 4" on a Mac and I was able to get some info from there but nothing I could use. There's a ton of references to the features they can enable but none of the actual code they used.

Re: 2014 Dodge Charger

Posted: 2017 Jul 08 11:00
by poop713
The chip on the avidcode device is an "atmel atsam3x8c"

Re: 2014 Dodge Charger

Posted: 2017 Jul 08 11:02
by poop713
if I can provide pics would anyone know of a way to reverse engineer the board? I have a version of the firmware that is not vin locked and could flash that.

Re: 2014 Dodge Charger

Posted: 2017 Jul 12 22:35
by loneferret
Would have to have the device to do any reversing. Best thing I can suggest is to open it up and find the JTAG interface.
You may need extra hardware but dumping the firmware would be possible. Just not as easy as it sounds.

The Tazer is an Atmel 90CAN64-14AU so I'm not surprised it can be set up to sniff. It's a CAN interface, much like the CANtact or CAN2USB.

Anyway, I got my gear to start sniffing, just need to set up a few things. I'll try and confirm some of your findings, poop.
And I will share anything I find of course, which is kind of the point.