/r/CarHacking
Car Hacking - The ECU and protocols like CANbus have become the heart and brain of most modern cars, but it has also become a locked-down black box. This is a place for people interested in taking back control of the car they bought. New age hot rodders, ECOmodders, security researchers, the curious, the paranoid, and the tinkerers are all welcome. We encourage the use of open source solutions and tools like Arduino and Raspberry Pi.
Purpose:
While the engine is the heart of the car, the ECU has become the ever-evolving, all-knowing brain. However, this brain is a closed, locked-down black box. This is a place for people interested in taking back control of the car they own or keeping others out. New age hot rodders, ECO modders, security researchers, the curious, the paranoid, and the tinkerer are all welcome. Discussion is not limited to the ECU, post any hacked DIY Aero, powertrain, suspension, or other car topics the community might like.
Goals: The car hacking community is alive but fractured and decentralized; let's start by aggregating all of the many projects and hackers. We would also like to encourage the use of open source hardware and software. Our long-term goal is to become the most technical car subreddit.
Mod note: Most of my time is taken up building hardware, if a better person for the community comes along I would be willing to hand over the sub. We could also use help with our documentation/Wiki.
Not really a "hack" request here but I am trying to obtain the immobilizer PIN for my 2009 Volvo XC70 (P3 platform) as I need to lower the security for the radio system. I'm marking it as "key fob" because that uses the same PIN so it seems to be the closest flair option.
There are 2 programs I know of that can do this - P3 Tool and VDASH - neither of which is working for me. The dev for P3 Tool confirmed it will not work for my year model (awesome) and VDASH gives me a "Read Error 581" when running the decode PIN task. I've reached out to VDASH support twice so far and am still waiting on an answer.
If anyone here happens to have experience with Volvo PIN stuff, I am hoping to find alternative methods of getting this PIN or suggestions on how to avoid that read error. Volvo's own software (VIDA) can technically do it, but from what I've read it sounds like it needs additional software that only the dealer will know about, so it seems like that option isn't feasible. And dealers can only lower it until it leaves the shop, at which point they have to put it back, which defeats my purpose here.
This is the only thing I need to restore functionality to my radio, which I really miss having.
Hi guys! My first post here. I bought a Chinese CarPlay retrofit box. It works overall but I can't switch back to the OEM screen. They said it's a firmware issue and asked if I can provide them PIDs to make correct firmware for the Dart. I have a Journey firmware.
Could someone help me get these, or share them (maybe paid)?
It seems that Dart shares the same PIDs as Fiat 500 so they'll work too.
I have some but it's not enough.
The PIDs are these
Buttons front left side of steering wheel:
0814C035#00 00 00 00 00 10 0C FF
0814C035#00 00 00 00 00 04 0C FF
Thank you!
Hello, it's me again. Is there anyone who has knowledge of the ABS, ESP or other lights on the cluster and how to turn them on in some situations? I've already found that the ABS light can be found in KOMBI_01; I tried to send a message with a 1 in the byte that is used to display the ABS light, but nothing happened. Is there anyone who can help me?
Thanks in advance
Hi Guys,
Unfortunately, a few others in my local community and I have had our cars stolen in the neighbourhood via relay attack.
I'm a military veteran and know a little bit about comms and radio frequencies. It's now something that I'm keen to understand/teach myself: how this occurs, and also how to teach the local community to prevent this from happening in the future. Is it very costly or too technical for average folk to understand? If anyone knows of any good reading material, software or hardware which could help me set up something to show my community, that would be great.
Thank you!
Hi all, beginner here looking for some advice.
I'm trying to transmit onto the bus and cause the high-beams to activate / deactivate, for example. I am not up to anything mischievous, this is just a proof of concept idea.
If I've found the right Arbitration ID and correct bytes to send onto the bus to activate the high-beams, is that all that's needed to send properly onto the bus? This is also assuming I am sending from behind the gateway.
In my tests, I have not been able to get my message to trigger a change of the lights. I believe I'm sending on to the bus correctly, but I see messages coming from the ECU (Arb ID #140) that controls that function also repeatedly sending that the high-beams are off. So, I can see pairs of messages going: mine saying they are on, and the real ECU saying they are off.
I've tried playing with the timing I am sending the messages, thinking I can overwhelm the messages that are saying the high-beams are off and get the system to respect my message. This hasn't worked.
I'm wondering if I'm missing something fundamental about the CAN bus - if two sources are sending the same Arbitration ID but different data, who wins? Is there some way to make my message the dominant one?
If I'm doing everything right, then maybe I have the wrong arbitration ID or data bytes. I'm just not sure which area I am messing up (or both!)
Thanks for your advice! I feel like I'm close but missing something key to the process.
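The arbitration question in the post above has a definite answer in ISO 11898-1, and the bit-level model below, an added example that is not from the post, walks through it. Arbitration is a wired-AND contest over the identifier bits only: dominant (0) beats recessive (1), the lower ID wins and the loser backs off and retries. Once two transmitters with the same ID are past the identifier field, a node that drives recessive and reads dominant does not "lose"; it detects a bit error, sends an error flag that invalidates the frame for every receiver, and adds 8 to its transmit error counter (the other transmitter counts the error too). Above 127 a node goes error-passive, above 255 bus-off. The IDs and payloads are constructed, and the model stops at the end of the data field (no bit stuffing, CRC or ACK).

```python
"""Bit-level model of CAN arbitration on a wired-AND bus (dominant = 0).

Added example, not from the thread. The frames are constructed; the model
covers SOF, the 11-bit identifier, the RTR/IDE/r0 and DLC control bits and
the data field, which is enough to show where two transmitters with the
same identifier but different payloads collide.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    arb_id: int   # 11-bit standard identifier
    data: bytes   # 0..8 payload bytes


SOF_BITS = 1
ID_BITS = 11
CTRL_BITS = 3 + 4                 # RTR, IDE, r0, then the 4-bit DLC
ARB_END = SOF_BITS + ID_BITS      # first bit index after the arbitration field
DATA_START = ARB_END + CTRL_BITS  # first bit index of the data field


def frame_bits(frame: Frame) -> list[int]:
    """Serialise a data frame MSB-first up to the end of the data field."""
    assert 0 <= frame.arb_id < 2 ** ID_BITS and len(frame.data) <= 8
    id_bits = [(frame.arb_id >> i) & 1 for i in range(ID_BITS - 1, -1, -1)]
    dlc_bits = [(len(frame.data) >> i) & 1 for i in range(3, -1, -1)]
    data_bits = [(b >> i) & 1 for b in frame.data for i in range(7, -1, -1)]
    return [0] + id_bits + [0, 0, 0] + dlc_bits + data_bits


def contend(a: Frame, b: Frame) -> dict:
    """Two nodes start transmitting in the same bit slot; report what the bus does.

    Every transmitter compares the level it drove with the level it reads
    back.  Inside the arbitration field, driving recessive (1) and reading
    dominant (0) means you lost arbitration: stop, retry after the winner.
    After the arbitration field the same mismatch is a bit error: the node
    sends an error flag, every receiver drops the frame, and the transmit
    error counter goes up.  No payload "wins"; the frame is destroyed.
    """
    for i, (x, y) in enumerate(zip(frame_bits(a), frame_bits(b))):
        if x == y:
            continue
        loser = "a" if x == 1 else "b"          # recessive loses to dominant
        if i < ARB_END:
            winner = "b" if loser == "a" else "a"
            return {"result": "arbitration", "winner": winner, "bit": i}
        field = "data" if i >= DATA_START else "control"
        return {"result": "bit_error", "detected_by": loser, "field": field, "bit": i}
    return {"result": "identical", "bit": None}


def tec_after(transmit_errors: int) -> tuple[int, str]:
    """Transmit error counter and fault state after N consecutive errors as a
    transmitter (ISO 11898-1: +8 each, error-passive above 127, bus-off above 255)."""
    tec = 8 * transmit_errors
    if tec > 255:
        return tec, "bus_off"
    if tec > 127:
        return tec, "error_passive"
    return tec, "error_active"


if __name__ == "__main__":
    ecu = Frame(0x140, bytes([0x00]))       # constructed: periodic "high beams off"
    mine = Frame(0x140, bytes([0x01]))      # constructed: same ID, "high beams on"
    print(contend(ecu, mine))               # bit error in the data field, seen by "b"
    print(contend(Frame(0x100, b"\x00"), ecu))   # lower ID wins arbitration
    print(tec_after(16), tec_after(32))     # error-passive, then bus-off
```

Two caveats for the capture described above. First, a periodic ECU frame and an injected frame are almost never bit-synchronised, so usually no collision happens at all: both frames are delivered and the receiving module typically acts on the most recent one, which is the ECU's "off" a few milliseconds later. Transmitting faster only raises the odds of a real collision, and then the error handling above drives both transmitters toward bus-off instead of letting one payload win. Second, many body frames carry a rolling counter or checksum byte, and a frame whose counter does not progress as expected is ignored even when the ID and the "on" bit are right, so check the ECU's own frames for such a byte before concluding the ID is wrong.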
Anyone got an offline version of ners?
Hello, could someone help with downloading the following file: https://www.cartechnology.co.uk/attachment.php?aid=202759 from the topic https://www.cartechnology.co.uk/showthread.php?tid=95569 and send it to pavelppp888@abv.bg?
Thanks a lot! 🙏
Looking to set up my aftermarket underbody stand-alone LEDs so that they automatically turn on when I turn the car off and still have the ability to turn them on/off while the vehicle is running. I've left them on overnight every night for weeks at a time and never had any issues with it draining the battery. Doesn't seem like an impossible task if you ask me, but I know nothing of electronics. The vehicle is a 2017 Audi A4 Quattro.
Hello All,
I am working on a project building an F10 bench, but I lack a K-CAN2 log for the F-chassis BMW. On the internet you really can't find much, I guess, except loopybunny.co.uk, nothing else. You can only find the logs of the E chassis, and also the .dbc files.
Is there someone who is willing to lend me a log of the CAN bus from a real car? It would be great if someone offered to give their log. It could be anything, like where the car is being driven around or not. For me the log is important.
Thanks in Advance!
2015 Volkswagen GTI, 2.0L I4 turbocharged, Autobahn trim
I recently acquired the Macchina A0 and have been trying to connect it just with Bluetooth to Torque on my phone. It turns on and has a green light, but isn't visible on any device. My current guess on why is that it comes with Bluetooth turned off for some reason. To fix this I have to install the Arduino IDE and a bunch of stuff to reprogram the device to turn on Bluetooth. I follow every tutorial available and try everything, but it is not coming up in ports, and is not coming up in Device Manager on my computer. I have yet to get confirmation, other than a green light, that this device connects or has any kind of intelligence or reason other than emitting a green light.
On my other computer I get a port at least, but it still cannot connect to it for some reason. I just updated the drivers on the only visible device in Device Manager that could possibly be it. What's concerning is that the COM1 port is still there after I unplug the A0 from my computer.
TL;DR: this is for the Macchina support team; I guess this is how they do customer service help.
Anyone on here able to download a file for me off there? It would help out a lot.
I am reading the book "The Car Hacker's Handbook". Could you give me more references on that matter? Are there some go-to websites/forums/books/YouTube channels? I'd especially like to have more references on car hacking using Bluetooth.
Also, if you have some references (youtube or anything) to expand my car culture for this matter, I would be interested too.
I saw a thread a while back about unlocking android auto on VW MIB2 units.
Someone had a patch that could be used without the need for OBDeleven etc.
Just wondering if anyone has a link for this patch.
Trying to unlock my radio
MST2_EU_VW_ZR_PO359T
With nav and 2 SD cards.
I am looking for some help with my radio. It had to be replaced in my 2018 Silverado, and I am trying to unlock it using an ELM connector and Realterm. I referred to an older post and used that to type in the prompt, but I am getting back a bunch of repeating zeros that doesn't stop, and nothing else happens.
Looking to get something that works on 2024+ vehicles, anyone know where to buy a lifetime offline sub and hardware?
Is there any way to get Blue Link added to your car if it wasn't added when made? It should have come standard on my car but did not for some reason. Maybe a hack to check and see if it is on the hardware somewhere? Or is there another way that will enable me to use my remote start?
Hey, I'd like to add a couple of digital gauges. My scan tool can read the trans temp/pressure and I'd just like to throw that data up on a small screen of any kind. So either an aftermarket add-on that I can configure, or maybe an Arduino with some GitHub scan tool software?
I've found some Amazon stuff that lists basic things like fuel, speed, RPM, but none list transmission values.
Hello everyone,
I have done some research on passive-keyless entry systems (PKES) theft and I wanted to share it with you to see how accurate it is.
But before I get into my own research, I have to say that the theory I have come up with is mostly based on the following research:
https://eprint.iacr.org/2010/332.pdf
According to this research and this video on YouTube, it seems like all you have to do is capture a kHz signal from the key fob and relay it to the car to unlock and start it.
Now that seems quite simplified, and according to the research, it's a method that's well tested against many SUVs. Now there is a little confusion on my end when I compared that research paper and video with this blog by the COSIC research group.
The goal of our research was to evaluate the resistance of a modern-day PKES system to attacks other than relay attacks. We have completely reverse engineered the PKES system used in the Tesla Model S. Our research shows that this system is using the outdated proprietary DST40 cipher.
In their research, they demonstrate PKES against the Tesla Model S; I am not sure whether their methodology is specific to Tesla or works on other vehicles.
The key fob emits a signal even when nobody is using it, every few seconds; I don't know how many seconds, but some say it's 5. The signals sent by the key fob are sent at kHz frequencies; the signal range that you could listen to could be between 120-135 kHz. Although some say that for most cars in North America, the exact frequency is 125 kHz.
The RFID technology involved typically relies on LF technology (from 120 to 135 kHz). It can operate in both passive and active modes depending on the scenario.
A practical device that can actually receive kHz signals is the LimeSDR, not LimeSDR 2.0 but the LimeSDR itself.
Now, as far as I understand, we need two LimeSDR devices, one for receiving the kHz signal and one for relaying it back to the car. LimeSDR is a full-duplex radio platform, meaning that it can both transmit and receive signals. So you might be able to perform this attack with two LimeSDR devices that are first connected to a computer, and those computers could be connected with WiFi Direct to transmit received signals quickly to the relay device.
The receiver has to have a long-range amplifier so that it can intercept or capture kHz signals from a radius of 20 meters at least.
The receiver and the relay device must be connected to each other because, as soon as the receiver receives a kHz signal, it must transmit it to the secondary device, and that will relay it to the car door or engine.
Now the secondary device doesn't need to have a long range for relaying signals; at maximum it should have a 2 meter radius, and that's enough according to this text:
When the user approaches the car, the key and the car perform a secure distance bounding protocol. If the key is verified to be within 2 m distance, the car would unlock and allow the user to enter. In order to start the car, the car will verify if the key is in the car. This can be done using a verifiable multilateration protocol proposed in [11], which allows the car to securely compute the location of a trusted key.
I don't know how correct I am, I don't know if different attack methods are used for Tesla Model S in comparison to other PKES cars so I am not sure how much of my research is correct.
Who is kind enough to tell me which areas I need to improve on and which areas are correct?
.
.
.
I have reached a conclusion and I wanted to share it with everyone in here.
I had some confusions about PKES systems and after exchanging ideas with a few of you and researching further, I have clarified certain things.
Any car that uses passive keyless entry emits a low-frequency (LF) signal at 125 kHz to detect the presence of a paired key fob nearby. "Paired key fob" basically means the key fob that works for unlocking and starting the vehicle.
This signal is sent out of the car covering a range of 2 meters to detect a key. In a real-world scenario, as soon as you are close to the car with key fob, the doors open.
PKES key fobs are designed to be passive devices that automatically respond when they receive a legitimate Low Frequency (LF) signal from the car (typically at 125 kHz).
Overview:
Car Initiates Communication: The vehicle periodically emits a Low Frequency (LF) signal at approximately 125 kHz to detect the presence of a paired key fob nearby.
Key Fob Response: Upon receiving the LF signal, the key fob wakes up and responds by sending a High Frequency (HF) or Ultra High Frequency (UHF) signal, commonly at 315 MHz or 433 MHz, back to the car.
Authentication Process: The car receives the key fob's response, authenticates it, and grants access if the credentials are valid.
Hardware requirements:
Device A (near car):
Device B (in key fob range):
High-level attack process:
How do we detect the key fob?
Here is something else that I was confused about and I thought I would share it with you. We know the car emits a LF signal every few seconds but what about the key fob?
How do we detect the key fob and when do we know it's in range?
As you know, Device B broadcasts the captured LF signal from the car at 125 kHz to the surrounding area; once the key fob receives such a signal from a car it's paired with, it will respond with a HF/UHF signal.
This is a Non-Directional Broadcast meaning that the LF signal is broadcasted without targeting a specific device, similar to how sound waves spread out when someone shouts in an open space. Any key fob within the effective range that is designed to respond to that specific LF signal will receive it and respond back.
It's much like shouting in a cave: you don't choose a specific person or direction to shout at, you just do it, and if someone recognizes your voice they respond. Now there may be scenarios where you might receive more than one HF/UHF response, but the chances of that happening are pretty low.
Estimated costs:
I think that if you have any programming experience combined with an intermediate knowledge of radio systems, you might be able to perform all of this under a budget. Maybe $2,000 (USD) max but if you are looking to build something compact and specific or something that covers a longer range, you may need to spend a few thousand dollars more.
Most of the money will be spent on the right antennas and correct hardware for relaying kHz signals.
Let me know what you think about this added information; I would be happy to learn more from you.
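As an added example that is not part of the post above, the following models the exchange from its "Overview" section (car sends a challenge, fob answers, car verifies) and shows why a relay beats it even when the cryptography is sound: the relay forwards the car's LF challenge to the distant fob and the fob's UHF answer back, and the car sees a correctly authenticated response. The one thing a relay cannot forge is time, which is exactly what the distance-bounding countermeasure quoted from the paper above measures. The HMAC, key, 2 m radius, processing allowance and relay latency are constructed assumptions, not values from any real car or from the cited papers.

```python
"""PKES challenge-response with and without a round-trip-time bound.

Added example, not from the post or the papers it cites. The radio layer
is abstracted away: all that is modelled is that the car's LF challenge
and the fob's UHF reply take time to travel, and that a relay adds its own
latency on top. Key, HMAC truncation, unlock radius, processing allowance
and latency figures are constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

C = 299_792_458.0  # speed of light, m/s: a radio signal covers 2 m in about 6.7 ns


@dataclass
class Fob:
    key: bytes

    def respond(self, challenge: bytes) -> bytes:
        """A passive fob answers any challenge it can hear; it has no notion of distance."""
        return hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]


class Car:
    def __init__(self, key: bytes, unlock_radius_m: float = 2.0,
                 processing_allowance_s: float = 2e-9) -> None:
        self.key = key
        self.unlock_radius_m = unlock_radius_m            # constructed: the 2 m figure quoted above
        self.processing_allowance_s = processing_allowance_s  # constructed: slack for fob latency

    @property
    def rtt_bound_s(self) -> float:
        """Two-way flight time to the edge of the unlock radius, plus allowance."""
        return 2 * self.unlock_radius_m / C + self.processing_allowance_s

    def challenge(self) -> bytes:
        return os.urandom(8)

    def verify(self, challenge: bytes, response: bytes, rtt_s=None) -> tuple:
        """Plain PKES checks only the response; distance bounding also checks the RTT."""
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, response):
            return False, "bad_response"
        if rtt_s is not None and rtt_s > self.rtt_bound_s:
            return False, "too_slow"
        return True, "ok"


def exchange(car: Car, fob: Fob, fob_distance_m: float,
             relay_latency_s: float = 0.0, distance_bounding: bool = True) -> tuple:
    """One unlock attempt.

    fob_distance_m is where the fob physically is.  A relay lets the car's
    challenge reach a fob beyond the unlock radius; the answer that comes
    back is cryptographically perfect, so without a timing check the car
    accepts it.  The relay only adds delay (its SDR and link hops).
    """
    chal = car.challenge()
    resp = fob.respond(chal)                        # relay forwards chal and resp unchanged
    rtt = 2 * fob_distance_m / C + relay_latency_s  # flight time there and back, plus relay hops
    return car.verify(chal, resp, rtt if distance_bounding else None)


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    car, fob = Car(key), Fob(key)
    print("owner at 1.5 m:           ", exchange(car, fob, 1.5))
    print("relay, no bounding:       ", exchange(car, fob, 30.0, 2e-6, distance_bounding=False))
    print("relay, bounding enforced: ", exchange(car, fob, 30.0, 2e-6))
    print("ideal relay, fob at 30 m: ", exchange(car, fob, 30.0, 0.0))
    print("wrong key:                ", exchange(car, Fob(b"other"), 1.5))
```

Note the fourth case: even a zero-latency relay fails the bound when the fob really is 30 m away, because the round trip is set by how far the signal travels, not by the relay's electronics. Real distance bounding is harder than one RTT comparison (the challenge is exchanged bit by bit at high rate so the fob cannot answer early, and the bound must absorb the fob's own response latency), which is why the paper quoted above treats it as a protocol change rather than a firmware tweak.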
Anyone have suggestions for a good adapter that can work with Chrysler J1850 VPW? I'm working on a piece of software to program a key remote and I have the commands, but would like something more reliable than an ELM327 knock-off.
Hello, I've got a project where I'm trying to create my own OBD2 Software (Like Torque or Car Scanner). I've got a bluetooth elm327 OBD2-reader which i use to connect my laptop to my car.
My problem here is that I'm not sure how to actually get the data out of the connector into my laptop. I want to acquire both live data and fault codes, but I can't get either. Does anyone know of any methods, apps or other ways to do this? I'd like to not have to spend more money on this project, but please tell me if there are options involving other devices etc.
Please write if anymore information is needed :)
I am trying to read and send CAN codes with an Arduino and an MCP2515. It works flawlessly on a friend's Toyota and Mazda but does not work on a Honda Civic. It can read CAN IDs but the data is just gibberish and noise. The setup is identical and works on the Toyota/Mazda. Any ideas? I'm using the OBD port and the car is 10+ years old.
Does anyone have any resources or able to provide raw J1939 data straight from caterpillar equipment?
Why can't I get the seed using Caring Caribou's security seed? Am I missing a step before?
Successfully sniffed the CAN packets via OBD on a 2015 Hyundai, but struggling to figure out the Arbitration IDs for specific tasks (like turn signals, headlights, instrument cluster RPM, etc.). Can anyone help me find the correct IDs?
Hi,
I'm making an interceptor device for a set of automotive headlights (now Magneti) that have AFS. The headlight bending motors are controlled via LIN, and are unfortunately inaccessible to check what LIN driver they are using. There's a central LIN master node in the car which reads the steering angle data, car angle positions and speed, and informs the headlights based on this in which direction to point the beam.
I've managed to get a sniff of the headlight network in an attempt to reverse engineer it; however, I am struggling to find out what each message actually does. Here's a breakdown of what I know so far:
A sample message array would be:
37 30 5A 38 5A 19 04 11 00
A6 71 FF FD 00
E2 79 00 20 00
And another with the other PIDs showing up:
37 30 66 38 66 19 07 F1 FD
A3 70 0B 17 00
E7 78 0B 30 00
E2 79 00 38 00
A6 71 FF E8 00
The initial startup sequence where 0x3C appears has a message of:
3C 80 91 F0 C0 DD 4D 93 8C
This seems to align somewhat with a TMC221 doing dynamic assignment of LIN IDs; the above message is the first message on the network so it would make sense.
If anyone has any pointers it'd be much appreciated. Here's the first 5 seconds worth of messages on the network in case anything pops out:
0.034 A3
0.053 E7
0.072 E2
0.091 A6
0.101 3C 80 91 F0 C0 DD 4D 93 8C
0.12 A3 70 00 00 E0
0.129 37 10 00 1F 00 1F 00 1F 00
0.187 3C 80 91 F8 C0 DD 4D 97 9C
0.196 3C 80 82 F0 FF FF FF FF FF
0.206 7D FE FF B1 C0 B6 26 00 03
0.244 E7 78 00 00 E0
0.254 37 10 00 18 00 1F 00 1F 00
0.292 3C 80 91 F9 C0 DD 4D 92 88
0.301 3C 80 82 F8 FF FF FF FF FF
0.31 7D FE EF F1 C0 98 26 00 03
0.32 3C 80 89 F0 E0 3A 84 00 E3
0.377 E2 79 00 00 E0
0.387 37 10 00 18 00 19 00 1F 00
0.406 3C 80 91 F1 C0 DD 4D 96 98
0.415 3C 80 89 F8 E0 3A 84 00 E3
0.425 3C 80 81 F0 FF FF FF FF FF
0.434 7D F0 E0 3A 04 E0 0F F4 FF
0.453 A3 70 00 00 00
0.51 A6 71 00 00 E0
0.519 3C 80 89 F9 E2 6A 83 00 F3
0.529 3C 80 81 F8 FF FF FF FF FF
0.538 7D F8 E0 3A 04 E0 0F F4 FF
0.548 37 10 00 18 00 19 00 11 00
0.576 E7 78 00 00 00
0.624 3C 80 89 F1 E2 6A 83 00 F3
0.634 3C 80 81 F9 FF FF FF FF FF
0.643 7D F9 E2 6A 83 E0 0F F4 FF
0.7 E2 79 00 00 00
0.729 3C 80 81 F1 FF FF FF FF FF
0.738 7D F1 E2 6A 83 E0 0F F4 FF
0.814 A6 71 00 00 00
3.433 E7 78 00 00 00
3.471 A6 71 00 00 10
3.49 A3 70 00 00 10
3.509 E7 78 00 00 10
3.528 E2 79 00 00 10
3.727 37 10 00 18 00 19 00 11 00
3.746 37 10 00 18 00 19 00 11 00
3.87 7D F1 E2 6A 83 10 02 F0 FF
3.946 A6 71 00 00 00
3.956 3C 80 81 F0 FF FF FF FF FF
3.965 7D F0 E0 3A 04 10 02 F0 FF
3.984 A3 70 00 00 00
4.051 3C 80 81 F8 FF FF FF FF FF
4.06 7D F8 E0 3A 04 10 02 F0 FF
4.098 E7 78 00 00 00
4.145 3C 80 81 F9 FF FF FF FF FF
4.155 7D F9 E2 6A 83 10 02 F0 FF
4.212 E2 79 00 00 00
4.315 3C 80 88 F0 9C F4 C0 E9 80
4.325 3C 80 88 F8 9C F4 C0 E9 80
4.344 A3 70 FF AF 00
4.363 E7 78 FF 7B 00
4.42 A3 70 FE 03 00
4.439 E7 78 FD C5 00
4.496 A3 70 FC 53 00
4.515 E7 78 FC 10 00
4.572 A3 70 FA A3 00
4.591 E7 78 FA 5A 00
4.648 A3 70 F8 F3 00
4.668 E7 78 F8 A5 00
4.724 A3 70 F7 43 00
4.744 E7 78 F6 F2 00
4.801 A3 70 F5 93 00
4.82 E7 78 F5 3D 00
4.877 A3 70 F4 B9 00
4.896 E7 78 F4 97 00
4.953 A3 70 F4 18 00
4.972 E7 78 F3 F4 00
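The first byte of every line in the capture above is a LIN protected identifier, and decoding it is the first thing to pin down before guessing at the payloads. This added example (not code from the post) does that for the PIDs that appear in the log: LIN 2.x carries a 6-bit frame ID in the low bits and two parity bits on top, P0 = ID0 xor ID1 xor ID2 xor ID4 and P1 = not(ID1 xor ID3 xor ID4 xor ID5); IDs 60 and 61 (PIDs 0x3C and 0x7D) are the reserved diagnostic master-request and slave-response frames. The sample lines are copied from the post, and the checksum helper follows the LIN specification (classic covers the data bytes, enhanced also covers the PID); nothing below depends on the TMC221 guess.

```python
"""Decode the LIN protected identifiers in the capture above.

Added example, not from the post. The PID parity rule and the checksum
variants are those of the LIN specification; the sample lines are taken
from the posted log.
"""
from typing import Optional

RESERVED = {60: "diag_master_request", 61: "diag_slave_response",
            62: "reserved", 63: "reserved"}


def lin_pid(frame_id: int) -> int:
    """Protected identifier (ID plus P0 in bit 6 and P1 in bit 7) for a 6-bit frame ID."""
    if not 0 <= frame_id < 64:
        raise ValueError("LIN frame IDs are 6 bits")
    bit = lambda i: (frame_id >> i) & 1
    p0 = bit(0) ^ bit(1) ^ bit(2) ^ bit(4)
    p1 = 1 - (bit(1) ^ bit(3) ^ bit(4) ^ bit(5))
    return frame_id | (p0 << 6) | (p1 << 7)


def decode_pid(pid: int) -> dict:
    """Split a PID byte into its ID, check the parity, and name reserved IDs."""
    frame_id = pid & 0x3F
    return {"pid": pid, "id": frame_id,
            "parity_ok": lin_pid(frame_id) == pid,
            "kind": RESERVED.get(frame_id, "signal")}


def lin_checksum(data: bytes, pid: Optional[int] = None) -> int:
    """Inverted 8-bit sum with carry.  Classic (LIN 1.x and all diagnostic
    frames) covers the data only; enhanced (LIN 2.x signal frames) also
    covers the PID, so pass it to get the enhanced variant."""
    total = sum(data) + (pid or 0)
    while total > 0xFF:
        total = (total & 0xFF) + (total >> 8)
    return (~total) & 0xFF


def parse_line(line: str) -> dict:
    """'<seconds> <PID> [<byte> ...]' as logged above.  A header with no
    bytes after the PID is one the addressed slave did not answer."""
    ts, pid_hex, *rest = line.split()
    info = decode_pid(int(pid_hex, 16))
    info["t"] = float(ts)
    info["data"] = bytes(int(h, 16) for h in rest)
    return info


def schedule(capture: str) -> list:
    """Distinct frame IDs in order of first appearance: (id, pid, kind, parity_ok)."""
    seen = {}
    for line in capture.strip().splitlines():
        f = parse_line(line)
        seen.setdefault(f["id"], (f["pid"], f["kind"], f["parity_ok"]))
    return [(fid, *v) for fid, v in seen.items()]


# Lines copied from the capture in the post, one for each PID that occurs
CAPTURE = """\
0.034 A3
0.101 3C 80 91 F0 C0 DD 4D 93 8C
0.12 A3 70 00 00 E0
0.129 37 10 00 1F 00 1F 00 1F 00
0.206 7D FE FF B1 C0 B6 26 00 03
0.377 E2 79 00 00 E0
0.51 A6 71 00 00 E0
0.576 E7 78 00 00 00
"""

if __name__ == "__main__":
    for fid, pid, kind, ok in schedule(CAPTURE):
        print(f"PID 0x{pid:02X} -> ID {fid:2d} ({kind}) parity {'ok' if ok else 'BAD'}")
    # Classic checksum over the data of the first 0x3C frame, for comparison
    print(hex(lin_checksum(bytes.fromhex("8091F0C0DD4D938C"))))
```

All seven PIDs in the log verify (0xA3, 0xE7, 0xE2 and 0xA6 are IDs 0x23, 0x27, 0x22 and 0x26; 0x37 is ID 0x37; 0x3C and 0x7D are the diagnostic pair), so the 0x3C/0x7D traffic at start-up is the master talking to the slaves on the diagnostic channel, whatever the application protocol inside it turns out to be. One thing to check on the sniffer's output format: neither checksum variant reproduces the trailing byte of the 5-byte lines (for "A3 70 00 00 E0" classic gives 0x8F and enhanced 0xEB), so the tool is most likely logging PID plus data with the checksum byte stripped, and that last byte should be read as payload rather than as a check value.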
I've been trying to figure out how to change the startup logos/badges in my 2020 Buick Regal infotainment system. I know it's Android-based and does have a rooted GM tech ADB mode. But nobody I've spoken to knows how to fake the GM token and access it in read/write. And the one website I've found that talks about hacking this unit is Russia-based, and to ask questions or download apps you must be a supporter and pay something like $25 a month. I don't really trust Russian forums that offer cracked proprietary apps all that much, nor trust that I'll get legit advice and not a sales pitch.
I know my way around standard Linux operating systems on both PC and phone class environments but never really looked into car hacking and don't even know where to begin to get root access etc.
But yeah my goal is to change my infotainment splash screen and logo from Buick to Opel or Opcline. Any advice or even a starting point would be appreciated
Hi all! Once in a while it gets sunny here in Sweden, and when driving against the sunlight I noticed that I have this permanent pattern of "leopard stains" on my windshield (inside). The car is relatively new and the AC doesn't really help to solve it. Really annoying to drive like that. I tried to wipe it with a windscreen spray but it didn't really help. Do you have any suggestions on how to remove it? I noticed that it sort of goes away when I scratch it with my nail (the attempt is visible in the upper part of the windshield). What could that be? Any ideas?
Quick and simple: is there any way to get a used E78 from eBay with identical numbers, pulled from the same year, car, and engine, to work? The original ECU is toast and can't be read by any device I have (HP Tuners, Rlink J2534, code reader).
I have access to GM DPS, but have no idea how to use it. I have read mixed things on SPS being able to do it correctly.
Am I just better off getting a refurb from RockAuto and flashing it with SPS?
I have flashed the VIN and OS with HP Tuners, but as I have obviously read, Global A is a lot more than that.
Any good tutorials or places to look on how I can learn DPS, or tools to make it easier?
I've been doing HP Tuners for a while but I'm new to this kind of calibration; I bought the J2534 in hopes of learning to fix it myself, and I know it'll be of use later on when I, or a friend, inevitably fry an ECM/ECU/PCM.
I'm looking to upgrade my tablet with Launch that I bought back in 2018. Diagzone looks to be an ideal replacement and more feature-rich compared to my old version of Launch. 2 questions...
Will Diagbox stop working if you don't get the update after 12 months, or will it continue to work as normal without more updates?
Are there any Diagbox license sellers on here?
Where are the trackers normally on Nissan Altimas?