A

I have a BMW which is pre-lci, 02/2007 on k-can.

I tried sniffing CAN through OBD port, firstly on pin 7 and pin 15 with no data coming through (k lines) then i tried pin 6 and pin 14, (can_h, can_l) with also no luck.

My question is this:

Do i have to send something through obd port in order to receive data? Or do i have to hook into PT-CAN? Using arduino r3, mcp2515 with tja1050 (i also have a seeed can shield v2) & coryjfowler library.

I want to get engine data.

I have a 2024 Toyota RAV4 Prime. I'm still learning about things like ECU and CAN. I have a fair amount of experience with rooting Android devices and using Tasker, so I'd consider myself a hacking enthusiast but not an expert. Comfortable with technical instructions, let's say.

Here are some things I'd love to be able to do with my car:

• Change the layout of my instrument panel (icons, fonts, placement of information, etc)
• Get rid of the Toyota sign-in screen/ad when the car starts, without making an account
• Extend the range of my remote A/C (Primes don't have "remote start" due to their nature as PHEVs), either near my house (e.g. relay) or from miles away (e.g. replace the car SIM with my own and send a signal, maybe via Tasker or a connection with my phone; I don't want to subscribe to Toyota's awful app and telemetry)
• Get better details about energy usage (the car has MPG, but mixes that with EV use, and I'd like to separate that into HV/ICE use only, while also getting overall kWh usage across both fuel types)
• Disable the seatbelt startup chime (the official disabling method doesn't work for the startup sound)
• Set window defrost + feet vent as the default air vents, rather than just feet vent
• Explore making AndroidAuto connection stronger (I'm convinced it's due to my phone changing cell towers, but I'm still exploring and a car-side solution would be interesting)
• Change the car charging schedule to "allow during hours of" rather than "start at" or "depart by" (the standard software is such a mess)
• Disable "takeover" lane-assist steering without disabling wheel warning vibration (i.e. I want it to warn me but not micromanage)
• Change blinker sound (not volume, but the actual sound)
• Change voice command button from long-press-for-Google and short-press-for-Toyota to the other way around
• Disable charger locking (this used to be a standard software option and it was removed in recent models)

What do folks think? Are some of these ideas possible? I'd love recommendations for where to start reading. I checked the Wiki, but haven't been able to find what's possible and what's not (and lot of links are dead).

Thanks for your attention!

Hi guys, has anyone been able to unlock the security access to unlock hidden features on Ford vehicles?

Hi everyone, I'm new to the world of car hacking. I'm good with electronics and have programmed industrial CAN devices before, but never in a car. My question is: do the programmable memory hotkey buttons in my BMW trigger CAN messages which I could sniff? My idea would be to have a microcontroller permanently attached to my OBD2 port and perform certain actions once one of the hotkeys is pressed. The most obvious one would be to send the open signal to my garage via RF (unfortunately my BMW does not have the integrated garage door opener).

Hello, I have a Golf II and my girlfriend has a BmW F45 (2016).

I'm pretty noob regarding to cars but I was able to fix every problem of my Golf II just by local for YouTube tutorials (switching shock absorbers, changing rear brakes, etc). But until now I never had to fix anything on my girlfriend's car.

My girlfriend's F45 rear pad brake are old and need to be switched, by looking at YouTube tutorials I found that I need to put the electronic brake in maintenance mode. To do it I need a cable and some software.

Now that's the hardest part, what software and cable do I need taking knowing that I only have Apple devices (Macbook M1 and Macbook Intel, and iPhone).

At the end I want to be able to do some easy maintenance also on my girlfriend car.

Thanks for the help, btw im in Europe.

Wow another question within 24 hours

So I have come to this issue once before but put it on hold as it wasn't a priority yet, though I knew it would need to be handled at some point. I have been trying to read data from a 2013 VW Jetta using an arduino nano and an MCP2515 module with a TJA1050 CAN transceiver on it. In my first post here where I was first trying to wrap my head around how the systems all work in my vehicle, someone mentioned that a lot of the comfort/convenience stuff in cars around those years work off FT CAN and I confirmed by finding the voltage to be 1v and 4v instead of the usual 2.5v. I cannot just simply hook up the MCP2515 to any FT CAN lines since it will do nothing. I do, however, have a head unit main board with a TJA1055T/c FT CAN transceiver on it which I can pull off it. As far as I know, I should be able to remove the 1050 from my MCP2515 and match the pinouts for the 1055T/c and the guy who commented on my original post confirmed as much when I asked if it was possible. Also note that the 1055T/c is SOIC 14 while the original 1050 is SOIC 8 (not a problem for me, but still relevant)

My main questions are:

• Am I correct in thinking I can just swap them out as long as the pins match?
• What should I do for the remaining pins? I'm not quite sure what I should do with them as I'm fairly certain they need to be pulled high/low/provided battery voltage/etc.
• Is it more likely that these CAN lines run on 125kbaud or 100kbaud?
• Will I need to use a different arduino library/modify the source? If so, what changes will be important to make? (Not looking for spoonfed code, just wondering loosely what needs to be amended.) Note I have been using the mcp_can library by coryjfowler

I was told the following originally regarding swapping out the transceivers:

BATT and WAKE each need to get pulled high with a 10K to 12V.

STB and ENB are high for normal operation.

My goal here is to be able to tap into these fault tolerant buses and sniff the data since I can't sniff it directly from the OBD port without making a request knowing the address and DIDs. If I can sniff the FT CAN bus, I should be able to get some insight into what request data I would need to send to read/write to specific components.

Thanks

SOLVED EDIT:

The problem has been solved and I am now getting readouts from the fault tolerant CAN bus in the head unit. Attached is a schematic of the dodgy setup. Note that this circuit is absolutely NOT for anything long term and will need to be changed a lot if that's your goal. The only purpose of this is if you need to log data to work out what they each do.

Note: U1 is TJA1055

https://preview.redd.it/83b9xf2kn64e1.png?width=1468&format=png&auto=webp&s=9b5524198a4cb299594819115a376bbf7e8ebc90

Not a great schematic - first time making a proper one in kicad so I am a bit clueless. Thanks for the help :D

My logic here is that if I can read a piece of data from a module and I know what it's connected to, there must be a way for me to send a frame which can control whichever component it targets. This would apply to any CAN connected component in the vehicle such as air conditioning settings, window state (up/down/etc.). For the sake of keeping it simple, I will use the windows as an example and keep in mind I'm working with a 2013 Volkswagen Jetta here so reading/sending the data isn't as easy as it would be on a lot of cars. I can read the state of any of the four window switches on the driver side using 0x1820 and it returns 4 bytes in counter clockwise order from the driver window. If I were to use the switches, the corresponding window's byte would change. Now, I can't assume that replicating this exact frame and sending it to the module its associated with on mode 2E or 2F will do anything since it would just be a button state. However, since that button state readout exists, one can logically conclude that it is relevant in telling the controller what to do.

My question here is: Is it easier to try and work out which DID is for transmitting control data and if so, do you have any advice for working out what it is and how to use it easier/more efficiently? Or, is it easier to physically tap into each bus I am interested in and read the traffic from there.

The way I see it, tapping into the bus will remove the need to make requests on every single DID but will flood my screen with an overwhelming amount of values and will likely be just as challenging. I'm just trying to get a feel for what I should do before I throw myself into something that will inevitably fail.

TL;DR: I don't have problems with reading data, but I don't know how to find or use the DID associated with transmitting data to actually interact with a component. E.g. the windows up/down. Note this is with a 2013 VW Jetta.

Thanks

So, I have 2012 Ford Focus which was mechanically running fine until one day ECU gave up. I showed it to three different mechanics and they all came to one conclusion the ECU is the problem.

The main problem is the car wouldn't start. No crank. No start. Before you suggest, it's not fuse, it's not relay That has been diagnosed. Two locations told me the ECU thing.

They told, get the ECU, we will "try" to make it work and it would be 1500$.

Now, the software developer in me, doesn't want to give up on this car.

I was looking to get some ECU or a couple from scrapyard where they sell it for 50 bucks a pop and then find some open source or even cheap softwares to clone the old ECU into the spare ECU.

Is it possible? I am willing to spend around 500$ on this car. No more than that. Let me know if someone has done something similar or have any suggestions? TIA.

I'm planning to connect my OBD2 Port to an ESP32 to view some deeper statistics on a OLED screen about my car, as my instrument cluster is pretty basic and doesn't even show my coolant temperature. Does anybody have experience with the Freematics OBD-II UART adapter, or even better or cheaper options? How do you guys let your microcontrollers communicate with your car? I hope I'm in the right community to ask that question, thanks in advance!

Ordered myself a can bus shield v2 (seeed) and i realized that i have no k line pin for it (I made myself an obd2 to db9 plug).

My car (bmw e90 2007.02) communicates over k line but i'm stuck, i just can't get it.

Could someone help me out?

Using arduino uno r3 & seeed can bus shield v2.

Edit: Could I, in theory, hook CAN H to K-Line (both pin7&pin8 with a switch) and CAN L to K-Low & code the baudrate to 10400?

I've been trying to read data from a 2013 VW Jetta for a fair bit of time and have recently started having a bit of success. I'm currently in the stage of working out what different PIDs do in the front door module (Named "TUER-SG FT" which I assume translates to "DOOR Control Unit Front Door" or something) and I have worked out that 0x0286 has a single byte value which changes when I move the windows. Since there is no noticeable patterns when I do each window, I'm assuming it is bit encoded for the low nibble in the data byte. Here is an example of what my response frame could look like from 0x0286: "0x04 0x62 0x02 0x86 0x9E 0xAA 0xAA 0xAA." I observed that frame when lowering the passenger side window. I assumed that I could just replicate that frame and send it with mode 2E which didn't work. I then tried it with 2F just to be safe and it also didn't work. They both responded with 0x31 which is the "Request Out of Range" Error. My frame looked like this: "0x04 0x2E 0x02 0x86 0x9E 0x00 0x00 0x00"

I also tried replacing the 0x00s with 0xAAs and it made no difference. I don't quite understand what the Request Out of Range implies or what I should do to fix it. I assume there's something wrong with my frame or I've done something incorrectly.

Basically I'm looking for advice on how to successfully send frames back to control various things when I know the data. I'm just using this as a testing opportunity but I need to know how to do it with the other PIDs. Thanks

Edit: Will also add, I could solve this problem and answer this myself by just tapping into the CAN wires inside the door harness and reading the traffic, but I would rather not if this is just something dumb that I'm missing which is usually the case.

Need a new Transmission control module and was just hoping to get some info on how to go about programming it when I get the part. Is it possible to get a pre-programmed TCM?

Hello. I have a pretty old car, Fiat Bravo 198 (2009), I bought second and. I checked with a mechanic and the diagnostic didn't show any problem. The car worked fine with (minimilistic) information about trip and stuff.

Recently I bought a chinese Android Radio, with a CAN-BUS decoder for the steering weel commands.

I'm still not able to make it function (the audio is not working, and I'm not finding reference online for the special version of my car, equipped with a manufacturer HiFi system...but this is another story), but aside from that the system boot and the steering weel control works...at least the basic one.

But something strange happened. Because I cannot make it work, I left the canbus adapter and the radio harness connected to the ISO connector of the card, but disconnected fromt he radio itself. And I started experiencing strange stuff. First, the arrows weren't working properly: instead of the long-press arrowing (that return in the normal state after the turn), only the "short" one worked, even if I deeply press (the short one is the 2-second arrow signal that doesn't need the turn to return in place, to be used in highway). Also when I went out from the car, I pressed the button to close it with the allarm but it didn't work. I had to wait like 30 second, and after that it worked.

Now, I don't know if it's just my imagination, the first day of cold (around 4 degree) and its effect on a old car...but, could the connected CAN decoder messed up with the functions I have described? Teoretically it doesn't need to be connected to the radio since the +12V arrived anyway from the ISO connector.

Anyway, any help also for the audio function would be much appreciated...

Hey all! I just wanted to post a quick inquiry to see if anyone was aware of any comprehensive DBC files for Ford vehicles available? I'm aware of the ones Comma.AI has in their Git repos but most of the data seems to be ADAS focused.

I've since discovered thanks to another post and comment in this subreddit that the cantools Py library seems to allow pretty easy access to interpret these files instead of doing so manually which has been breaking my brain. lol. So I'm jumping back in on a few projects I've wanted to tackle.

But I'm trying to find some more general data than the ADAS stuff that Comma has available. One of the key areas would be pulling GPS/location related info from the Sync 3 APIM (or GPSM which my vehicle still has). Also hybrid related messages would be nice (although I have a good chunk of these as mode 22 PIDs but would like to go passive if possible).

Hey guys,

I bought a 2016 Cadillac ATS that came with a 2.0 HMI. Only for a few months in 2015 did they do this before the 2.5 was ready for primetime, and they released a TSB for updating to the 2.5 HMI/Radio.

I replaced the radio and bought a used (apparently very early) 2.5 HMI which came out of a Corvette (only knew this once I installed it). Programmed both into the car without problem but the only problem I have now is that this HMI did not receive the Android Auto update, which means it is carplay only. I have an Android phone of course.

Anway, the way to remedy this (according to a TSB for early '16 Vettes) is via USB programming/update. I first tried this with just my vin, and a few different USB sticks, but when I plug into the car nothing happens. I also tried this with a Corvette vin and same, nothing happens. I know the USB ports are working because Carplay works fine, but I don't understand why it's not reading my USB stick as valid.

Has anyone been down this road that can lend some expertise? Greatly appreciated.

Thanks a ton.

Quick post since I’m just going to continue as normal but just want to make sure I’m not screwing myself over here.

While I’m logging data, I don’t want to be draining the battery and since I would rather not buy a ludicrously expensive battery charger/tender, I’m opting for my 30v 10a bench power supply. I’ve got it set to 13.8v with a 7A limit. Originally had it at 2A to trickle charge while I had the ignition on but I feel as though I’m doing something wrong here. Just wondering if I should be using a lower amperage, or doing something different. Just looking for tips here. Thanks

So this is super specific and I'm super beginner in car hacking and anything technical like this in general but this is what I'm trying to accomplish.

I'm trying to come up with a way to completely turn off all running lights, brake lights interior lights (switches, dashboard, etc) without messing with the running and driving of the car.

I'd like to get the the point where I can just plug the system into my OBDII port and it'll kill all the lights.

Edit: It's for a 2014 Chevy Silverado 1500 LTZ

Reason: Im an instructor for private and military organizations focusing on the topic of driving with the use of night vision. I'd like to be able to kill all the interior and exterior lights in the truck I use so that they don't mess with my night vision goggles. (Even the little window switches get super annoying under NODs)

In the past I'd just tape over everything and pull fuses on the headlights but it's annoying. And the issue with pulling the fuse on my brake lights is its also connected to my brake switch so I have to press the override thingy to get my truck out of park into drive.

I only want to control all the different interior and exterior lighting. Anyone have any recommendations on where to start with this project? Is something like this even possible? I can't find anything online that I could buy that can do this which is why I wanna try building something myself.

Anyone looking for such software can dm me

Hi There,

I don't know if this is the right place to post this but I couldn't find a more relevant sub.
Here's the thing:

Someone I know is looking for Car Hacker's/ECU engineers/Reverse Engineers in the UK, with visa and relocation support.
The job pay is quite good and also have good benefits.
The profile is :
4 years of experience in SW reverse engineering/Embedded domain.

• Strong understanding of the Assembly language x86 / PPC/ Tricore
• Hands-on experience with IDA Pro or Ghidra
• Solid programming skills in C/C++ and Python
• Good understanding of CAN Bus and Diagnostics protocol
• Familiar with Automotive programming tools
• Knowledge of advances within Automotive security

Please know this position will require you to move to the UK and work from office 4days atleast and is not a full work from home or other such comfortable luxuries.
If you love cars and know how to tune them by i.e. :
- Extracting, Modifying and Re-flashing the ECU firmware using any means necessary
- Reverse engineer newer security protections and find ways to bypass them
- Expand for variations of Car and ECU brands
- Hardware Reverse engineering - good to have

Please don't drop dumb messages in my dm.
Ensure you have hands-on in this area, general cybersecurity IT, SOC, analyst, malware experience will not work.

Only dm me with your CV so that I can process them further and don't waste your and my time !

Note: This is not a post to get your personal details or is not a scam, I don't want any money or any other favors for referring you. If you fit then send your CV to me I will gladly forward them.

I recently found a project of a guy who used his Tesla's CAN BUS to read data and let light strips inside the cabin react to different stuff, like open doors, lane change, blind spot assistance and so on.

I would love to implement this into my '09 Jeep Commander.

It seems like I could use pretty much the same setup hardware wise, but would need to do some reverse engineering with the CAN pinout? and stuff.

Maybe somebody could give me some basic assistance on what to keep an eye for and what hardware I would need for this kind of task.

I am currently working in IT so this is a welcome project and field to improve and learn on. It also goes hand-in-hand with my other ideas to program a little app in order to change settings like climate e.g.

Thanks!

Hi everyone,

I’m currently working on a project that involves interacting with the Comfort CAN in vehicles. I’m looking for a comprehensive list of CAN Bus IDs related to Comfort systems (e.g., windows, climate control, seat heating, mirrors, etc.).

If you have any resources, lists, or documentation, I’d greatly appreciate it if you could share them here or provide links to where I might find them. Even partial lists or specific IDs you’ve come across would be super helpful!

I’m particularly interested in Comfort CAN but welcome any general CAN Bus info or insights you might have.

Thanks in advance for any help or direction!

— Disclaimer: I’m aware of the technical and legal considerations when working with CAN systems, and I’m ensuring this is done responsibly and safely.

Hi Guys,

Could you please help me and decide between OBDeleven and Carista please? Do they have the same features for Toyota? Does the subscription method with free trial better or the credit system? I just want to make simple modifications. Thank you!

Not sure if this is the right subreddit but I was wondering if anyone knows where to find firmware updates for Toyota?

VIN on Toyota's firmware website returns "sorry unknown vin" and when I select the right model and year it comes up with the wrong region 😕

Thanks for any pointers in the right direction 😁

Can anyone help me and guide me on the issue of changing the vin in all the car modules of the most recent models, what hardware or software do you recommend?

I got an OBDII V519 for free from Temu. Downloaded the update and print software but on Windows 10 x64 it doesn't work because Windows claims the USB device isn't recognized and shuts it down instead of allowing the app to communicate with it. Software version on it is V1.00.231120