Hacking the CAN-Interior Bus on the Jeep JK

Post by plextor » 2013 Dec 29 13:39

I started hacking the CAN-Interior bus on my 2012 Jeep JKU and noticed all of the message ids on the bus did not match any of the ids on the canhack.org database. This is both a surprise and not a surprise, as you could expect a lot of data to change as the vehicle platforms improve.

I wrote up my findings on my blog at http://chadgibbons.com/2013/12/29/hacki ... r-can-bus/

Long story short, here are the message IDs I've found so far on this bus:

3e6 00 0d 12 ... # hours, minutes, seconds since vehicle turned on
244 81 00 39 C3 80 # Driver's door open, byte 0
244 80 00 39 C3 80 # Driver's door closed, byte 0
208 01 22 6d 5a 1e 01 2c # Left blinker on, byte 0
208 00 22 6d 6a 1e 01 2c # Left blinker off, byte 0
208 02 22 6d 5a 1e 01 2c # Right blinker on, byte 0
208 00 22 6d 6a 1e 01 2c # Right blinker off, byte 0
1e1 00 00 10 65 00 00 00 00 # Steering wheel position, bytes 3 & 4
2e0 00 01 47 21 ff ff 0c # Brake pedal depressed, byte 4
2e0 00 01 47 20 ff ff 0c # Brake pedal released, byte 4
2e7 84 1c 00 00 00 00 87 # Parking brake on, byte 0
2e7 04 1c 00 00 00 00 87 # Parking brake off, byte 0
292 00 49 33 00 00 48 28 # Throttle pressed, byte 3
2a8 00 01 00 00 00 00 # Windshield wipers, byte 3
2e5 03 # Rear wiper
2d2 01 06 00 # 4WD-HI
2d2 04 04 00 # 4WD-LO
2d2 00 03 00 # 2WD
208 00 22 6d 5a 1e 01 2c # Lights on w/ fogs
208 58 22 6d 51 1e 01 2c
2e1 1a
208 00 22 6d 5a 1e 01 2c # Lights off w/ fogs
2e1 1b
2e1 1b # Fogs on
2e1 0b # Fogs off
2e1 0a # Lights on w/o fogs
2e1 0b # Lights off w/o fogs
29e 00 03 97 20 02 ff ff ff # Change to FM 91.9
291 09 01 05 30 f0 00 07 # Change to satellite, w/ no signal
293 00 00 b8 20 02 ff ff ff
291 01 01 05 10 10 00 07 # Change to FM, 91.5
291 00 03 93 20 02 ff ff ff
291 09 01 05 30 80 00 07 # Change satellite stations
293 00 00 19 23 02 ff ff ff
295 43 65 73 52 65 77 6e 64 # ClsRewnd
29e 00 00 0f 21 02 00 00 00 # Change CD tracks, byte 3
3d9 0a 0a 0a 0a 0a ff # Change volume, byte 0
3d9 08 0a 0a 0a 0a ff # Change volume, byte 0
And of course you can do the fun stuff like change EVIC messages:
Image

One thing in particular I've found is that the current radios here do not respond to message id $000 to power on, nor do I see that message ever appearing on the bus.
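
Added example, not part of the original post: a passive Python decoder that turns candump console lines into named states using only the IDs and byte values listed above. The names `SIGNALS`, `parse_line`, `decode` and `decode_log` are hypothetical, the sample capture is constructed from the quoted payloads, and reading 0x2e0's "byte 4" as zero-based index 3 is an assumption.

```python
import re

# candump console format: "can0  244   [5]  81 00 39 C3 80"
FRAME_RE = re.compile(
    r"^\s*\S+\s+([0-9A-Fa-f]{3})\s+\[(\d)\]((?:\s+[0-9A-Fa-f]{2})*)\s*$")

# CAN ID -> (signal name, zero-based byte index, {observed value: meaning}).
# Values are copied from the post; index 3 for 0x2e0 is an assumption (the post
# says "byte 4", and the fourth byte is the one that differs in its samples).
SIGNALS = {
    0x244: ("driver_door", 0, {0x81: "open", 0x80: "closed"}),
    0x208: ("blinker", 0, {0x01: "left", 0x02: "right", 0x00: "off"}),
    0x2E0: ("brake_pedal", 3, {0x21: "depressed", 0x20: "released"}),
    0x2E7: ("parking_brake", 0, {0x84: "on", 0x04: "off"}),
    0x2D2: ("transfer_case", 0, {0x01: "4WD-HI", 0x04: "4WD-LO", 0x00: "2WD"}),
}

def parse_line(line):
    """Return (can_id, payload), or None if malformed or the DLC disagrees."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    data = bytes.fromhex("".join(m.group(3).split()))
    if len(data) != int(m.group(2)):
        return None
    return int(m.group(1), 16), data

def decode(can_id, data):
    """Return (signal, state), or None for IDs the post does not document."""
    if can_id == 0x3E6 and len(data) >= 3:  # hours, minutes, seconds since start
        return "uptime", "%02d:%02d:%02d" % tuple(data[:3])
    if can_id not in SIGNALS or len(data) <= SIGNALS[can_id][1]:
        return None
    name, idx, values = SIGNALS[can_id]
    return name, values.get(data[idx], "unlisted(0x%02x)" % data[idx])

def decode_log(lines):
    """Decode every well-formed, documented frame; silently skip the rest."""
    parsed = (parse_line(line) for line in lines)
    return [d for d in (decode(*p) for p in parsed if p) if d]

# Constructed capture built from payloads quoted in the post; the last two lines
# are an undocumented ID and a frame whose DLC does not match its payload.
SAMPLE = ["can0  244   [5]  81 00 39 C3 80", "can0  208   [7]  02 22 6D 5A 1E 01 2C",
          "can0  2E0   [7]  00 01 47 21 FF FF 0C", "can0  2D2   [3]  04 04 00",
          "can0  3E6   [3]  00 0D 12", "can0  208   [7]  58 22 6D 51 1E 01 2C",
          "can0  19F   [2]  00 00", "can0  244   [5]  81 00 39"]
```

A value the table does not list, such as byte 0 = 0x58 on ID 208, is reported as `unlisted(...)` instead of being guessed.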

Post by yosemitesammy217 » 2013 Dec 30 01:37

Chad:


1) a statistical analysis script in Python for use with SocketCAN you may find useful with candump: https://github.com/yosemitesammy217/samcanutils
2) can you provide more information on your Jeep? I am trying to determine if the ability to put information on the EVIC using the Sirius messages only works with a vehicle with Sirius enabled in FCM/TIPM register containing the vehicle config

Post by plextor » 2014 Jan 04 19:47

Cool! I'll check out that script right now. I've been doing it by hand and code so far.

My Jeep did come up with the RES radio with the Sirius XM option installed, so that's available for me to dump on the display at least.

I finally found one message I've been looking for tonight: 20b#6100 is "ON" in these cars, and 20b#0000 is off, so now I can bench test the RES radio out of the car.

Post by plextor » 2014 Jan 04 20:37

Good stuff! Here's the data from a ~30 minute drive or so:

CAN ID		Qty	avg inter-msg 	 msg rate
			interval (s)	 (msg/s)
============================================================
0x19f		40259	0.047309	21.137662
0x1c0		2013	1.001716	0.998287
0x1e1		20135	0.100697	9.930802
0x1e7		2014	1.002610	0.997397
0x208		20236	0.090771	11.016739
0x20b		20133	0.099394	10.060961
0x20e		4083	0.501059	1.995773
0x211		40259	0.044356	22.544931
0x214		20254	0.100707	9.929791
0x217		20129	0.085163	11.742205
0x219		20206	0.099866	10.013427
0x21b		2026	1.000318	0.999682
0x21d		1007	2.000473	0.499882
0x21e		1007	2.000516	0.499871
0x21f		1007	2.000481	0.499880
0x221		1007	2.000532	0.499867
0x244		4026	0.500127	1.999492
0x249		2013	1.000467	0.999533
0x25f		1007	2.000484	0.499879
0x270		2027	1.000935	0.999066
0x282		1996	1.015000	0.985222
0x283		2010	1.004580	0.995441
0x286		20219	0.099735	10.026568
0x290		2025	1.000124	0.999876
0x291		2035	1.000139	0.999861
0x292		4023	0.517808	1.931217
0x293		2033	0.990495	1.009596
0x295		5	4.320371	0.231462
0x2a8		20288	0.099268	10.073720
0x2b0		2025	1.000009	0.999991
0x2ca		2026	0.999897	1.000103
0x2ce		20132	0.099953	10.004709
0x2d0		1996	1.015010	0.985212
0x2d2		2014	1.000362	0.999638
0x2d3		1005	2.002970	0.499259
0x2d6		1003	2.000457	0.499886
0x2d9		2005	1.000079	0.999921
0x2da		499	4.002061	0.249871
0x2db		1004	2.000271	0.499932
0x2dd		1004	2.002280	0.499431
0x2de		1004	2.004968	0.498761
0x2df		502	4.002875	0.249820
0x2e1		4051	0.500155	1.999380
0x2e3		4054	0.502177	1.991330
0x2e5		1025	2.000494	0.499877
0x2e7		2028	0.999980	1.000020
0x2e9		2024	1.000117	0.999883
0x2eb		40471	0.050114	19.954537
0x308		4050	0.501329	1.994698
0x348		4026	0.500071	1.999716
0x370		2026	1.000035	0.999965
0x371		2024	1.000899	0.999102
0x392		2024	0.990101	1.009998
0x3a3		4057	0.501433	1.994285
0x3a6		1996	1.014978	0.985243
0x3b0		2025	1.000157	0.999843
0x3b3		2025	1.000118	0.999882
0x3d0		1004	2.001439	0.499640
0x3d1		1007	2.000532	0.499867
0x3d9		2068	1.000145	0.999855
0x3e6		2005	1.000045	0.999955
0x3e9		1348	1.500188	0.666583
0x402		3625	0.564981	1.769971
0x411		3626	0.580537	1.722544
0x414		3624	0.579979	1.724201
0x416		3625	0.583355	1.714222
0x43e		3627	0.581124	1.720804
0x43f		3625	0.567439	1.762304
0x73a		252	8.042569	0.124338
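
Added example, not the script linked earlier in the thread and not part of the original post: Python that computes the same three columns (quantity, average inter-message interval, message rate) from a `candump -l` style log, then goes one step further and compares each ID's rate with a baseline, since an ID missing from the baseline or a periodic ID whose rate has shifted is what a monitor on this bus would report. The function names, the 25% tolerance and the generated capture are assumptions; the three baseline rates are copied from the table above.

```python
import re
from collections import defaultdict

# candump -l log line: "(1000.500000) can0 244#800039C380"
LOG_RE = re.compile(r"^\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3,8})#[0-9A-Fa-f]*$")
# msg/s for three IDs, copied from the table in the post above.
BASELINE = {0x208: 11.016739, 0x244: 1.999492, 0x3E6: 0.999955}

def id_stats(lines):
    """Per CAN ID: (qty, average inter-message interval in s, msg/s)."""
    stamps = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            stamps[int(m.group(2), 16)].append(float(m.group(1)))
    stats = {}
    for can_id, ts in stamps.items():
        ts.sort()
        if len(ts) < 2 or ts[-1] == ts[0]:
            stats[can_id] = (len(ts), None, None)  # no interval measurable
            continue
        avg = (ts[-1] - ts[0]) / (len(ts) - 1)     # mean of consecutive gaps
        stats[can_id] = (len(ts), avg, 1.0 / avg)
    return stats

def deviations(stats, baseline=BASELINE, tolerance=0.25):
    """IDs absent from the baseline, or whose rate is off by more than tolerance."""
    found = {}
    for can_id, (_qty, _avg, rate) in stats.items():
        if can_id not in baseline:
            found[can_id] = "not in baseline"
        elif rate is None or abs(rate - baseline[can_id]) > tolerance * baseline[can_id]:
            found[can_id] = "rate deviates"
    return found

def constructed_log():
    """Constructed capture: 0x244 at 2 Hz, 0x3e6 at 1 Hz, 0x208 at 50 Hz, one 0x123."""
    frames = [(1000 + i * 0.5, "244#800039C380") for i in range(21)]
    frames += [(1000 + i * 1.0, "3E6#000D12") for i in range(11)]
    frames += [(1000 + i * 0.02, "208#00226D5A1E012C") for i in range(101)]
    frames.append((1003.25, "123#00"))
    return ["(%.6f) can0 %s" % f for f in sorted(frames)]

if __name__ == "__main__":
    stats = id_stats(constructed_log())
    for can_id, (qty, avg, rate) in sorted(stats.items()):
        print(hex(can_id), qty, avg, rate)
    print(deviations(stats))
```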

Post by plextor » 2014 Jan 09 18:39

I finished the 1st proof-of-concept for using the CAN-Bus data to control auxiliary relays. It worked great. Attached is a block diagram of what I used, and a longish video of how the testing went.

Image

If you want to skip all the bench testing, the actual in-car testing happens at the 11:15 mark of the video.
http://www.youtube.com/embed/v64EYqzys0Q

Code for the demo can be found at https://github.com/dcgibbons/jeepbot/tree/poc1

A few hours after I finished, a bluetooth-low-energy board I ordered showed up. The next step will be to throw that on there so that I can use the smartphone to configure each switch and optionally control them by hand.

Each switch will have the following different possible control states:
  • always on
  • manual only
  • on when interior lights are on
  • on when high-beams are on
Right after that, I'll start working on a prototype PCB and housing so I can start testing real versions of this system.

I'll post the design, schematics and code in progress on my blog so anyone can offer feedback as it gets built.

Post by linuxkidd » 2014 Jan 10 09:22

Great work plextor!

Thanks very much for sharing your endeavors.

LK
If you can read this, the light is still red.

Post by gapco » 2014 May 08 15:55

Hello All, I've tried the IDs for bench testing the HU. They don't work. I've had one REL and one RES HU on the bench. In both cases the car owners reported no problems when the HU were re-installed in their cars. Is there anyone else that may have the CAN ID for ignition key "ON"?

Post by mendilloE » 2014 Aug 27 15:47

Hi,

Great work.

I am also working on CAN sniffing of a KIA SPORTAGE 2013 but no luck so far. I am primarily interested in CAN IDs and data fields for Engine Speed (RPM), Vehicle Speed (kph), Seat Belt, Fuel Consumption, Headlight. I'm able to graph patterns indicative of actual RPM but there are plenty and I'm not sure which one directly controls the RPM dial. BTW, I used the technique presented here:

http://tucrrc.utulsa.edu/CANClock/Jason ... 20Wiki.pdf.

Will I be able to decode CAN IDs and their descriptions for the Kia Sportage with the tools you used? The way I see it, you hacked the Jeep codes+descriptions instantly.

If I have the CAN data logs(*.csv), will you be able to help?

Best Regards,
eduardo

Post by mendilloE » 2014 Aug 27 15:50

Below is the sample CAN log:


ASCII Trace IXXAT MiniMon V3 Version: 1.1.2.4072
Date: 12/08/2014
Start time: 3:12:26 PM
Stop time: 3:15:22 PM
Overruns: 0 Errorframes: 0
Baudrate: 500 kbit/s
Time Identifier (hex) Format Flags Data (hex)
02:28.9 A0 Std 64 85 B4 09 00 1E 02 00
02:28.9 A1 Std 83 76 00 00 26 00 00 00
02:28.9 43F Std 00 40 60 FF 6E 56 09 00
02:28.9 370 Std 00 20 00 00 00 00 00 00
02:28.9 440 Std FF 00 00 00 FF 56 09 00
02:28.9 316 Std 01 24 B4 09 24 25 00 6B
02:28.9 18F Std FE 83 00 00 00 3E 00 00
02:28.9 260 Std 19 24 24 30 04 7B 69 3F
02:28.9 2A0 Std 68 00 96 1D 43 09 22 05
02:28.9 329 Std 86 BC 7C 04 11 20 00 14
02:28.9 350 Std 38 10 13 A3 BB 00 00 23
02:28.9 545 Std D0 00 00 89 00 00 00 00
02:28.9 580 Std 00 00 00 00 00 00 00 00
02:28.9 4B1 Std 00 00 00 00 00 00 00 00
02:28.9 43F Std 00 40 60 FF 6E 51 09 00
02:28.9 370 Std 00 20 00 00 00 00 00 00
02:28.9 440 Std FF 00 00 00 FF 51 09 00
02:28.9 4F0 Std 00 00 00 00 00 9E 88 06
02:28.9 316 Std 01 24 B4 09 24 25 00 6B
02:28.9 18F Std FE 83 00 00 00 3E 00 00
02:28.9 260 Std 19 24 24 30 04 7B 6A 0B
02:28.9 2A0 Std 08 00 96 1D 43 09 22 05
02:28.9 329 Std 86 BC 7C 04 11 20 00 14

Post by gapco » 2014 Nov 30 14:19

gapco wrote: Hello All, I've tried the IDs for bench testing the HU. They don't work. I've had one REL and one RES HU on the bench. In both cases the car owners reported no problems when the HU were re-installed in their cars. Is there anyone else that may have the CAN ID for ignition key "ON"?

Does anyone have this info?