What can be done through the OBD connector in the car

    It is no secret that modern cars are stuffed with electronics: even a simple power window has its own microcontroller and an address on the shared network. As an interested owner, I wondered what could be done with nothing more than access to the OBD connector.

    Everything described in this article refers to a 2008 car (a Mitsubishi Lancer), but as practice has shown, in the ten years since then the manufacturer has changed nothing: all of these functions are still in use and work on current cars.

    The network structure in the car is shown in the picture:

    image

    The car has three CAN buses (a high-speed powertrain bus at 500 kbps, a low-speed body/cabin bus at 83.3 kbps, and a diagnostic bus) and one LIN bus. The link between them is the ETACS (Electronic Total Automobile Control System) unit, which acts as a gateway: it forwards messages from one bus to another according to certain rules and also processes some of them itself. What can be done over the CAN bus? Talk to the control units, for instance, or perhaps change something. To start a dialogue with a unit you need to know its address and the functions (PIDs) it supports, i.e. which requests it will process and answer.

    The dealer software, MUT-III, is freely available online. Studying its database yields all the information we are interested in.

    Addresses (request and response IDs) on the CAN network:

    image

    Request PIDs and a full decoding of the responses from every unit, including the byte positions within the response (when several values are sent in one frame) and the scaling factors with their units:

    image

    For example, suppose we want to find out the steering wheel angle. We send command 2102 to the ESP control unit and receive the response 6102 FFEA000008FFF302. Looking at the table, we find that bytes 2 and 3 (FF EA) are the ones we need.

    image

    The value is a signed 16-bit integer: 0xFFEA = -22, and multiplying by the factor 0.04375 gives a steering angle of -0.9625 degrees.
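The decoding step above, written out as a small table-driven parser. This is an added example, not code from the article or from MUT-III: the request 2102, the response 6102 FFEA000008FFF302 and the steering-angle field (bytes 2 and 3, signed 16-bit, factor 0.04375 deg/bit) come from the text; `FieldSpec`, `decode_response` and `NegativeResponse` are this example's own names. It also checks the two things a practitioner should always check before trusting a reply: that the response SID is the request SID plus 0x40, and that the unit echoed the identifier that was actually asked for.

```python
# Added example (not code from the article): decoding a diagnostic response the way the
# MUT-III tables describe it. Request/response bytes and the steering-angle field layout
# are from the article; FieldSpec, decode_response and NegativeResponse are our own names.
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldSpec:
    name: str
    offset: int     # byte offset within the whole response; the response SID byte is offset 0
    fmt: str        # struct format: ">h" signed 16-bit big-endian, ">H" unsigned, "B" one byte
    factor: float   # scaling factor from the table
    unit: str


class NegativeResponse(Exception):
    """Raised for a UDS negative response 7F <SID> <NRC>."""

    def __init__(self, sid: int, nrc: int):
        super().__init__(f"7F {sid:02X} {nrc:02X}")
        self.sid, self.nrc = sid, nrc


def decode_response(request_hex: str, response_hex: str, fields):
    """Validate a response against its request and extract the listed fields.

    Returns {name: (raw_value, scaled_value, unit)}; scaled values are rounded to
    six decimals to hide binary floating-point noise.
    """
    req = bytes.fromhex(request_hex)
    resp = bytes.fromhex(response_hex)
    if len(resp) >= 3 and resp[0] == 0x7F:
        raise NegativeResponse(resp[1], resp[2])
    # A positive response SID is the request SID plus 0x40 (21 -> 61, 27 -> 67, 31 -> 71)
    if resp[0] != req[0] + 0x40:
        raise ValueError(f"unexpected response SID {resp[0]:02X} for request {req[0]:02X}")
    # The unit echoes the identifier it was asked for; make sure it is the one we sent
    if resp[1:len(req)] != req[1:]:
        raise ValueError("response echoes a different identifier than requested")
    out = {}
    for f in fields:
        if f.offset + struct.calcsize(f.fmt) > len(resp):
            raise ValueError(f"response too short for field {f.name}")
        (raw,) = struct.unpack_from(f.fmt, resp, f.offset)
        out[f.name] = (raw, round(raw * f.factor, 6), f.unit)
    return out


# Field layout for the ESP unit's reply to 21 02, as read from the table in the article
STEERING_ANGLE = FieldSpec("steering_angle", offset=2, fmt=">h", factor=0.04375, unit="deg")

if __name__ == "__main__":
    print(decode_response("2102", "6102FFEA000008FFF302", [STEERING_ANGLE]))
    # {'steering_angle': (-22, -0.9625, 'deg')}
```

Adding further rows from the table is a matter of adding more `FieldSpec` entries; the same function handles a negative reply by raising `NegativeResponse` with the SID and NRC, which is exactly the case the rest of the article runs into.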

    So you can request a great deal of information from the control units, down to how many hours the radio has played and how many discs have been loaded into it, and you can also run diagnostic tests on every node (switching on the various dashboard lamps and sweeping the gauge needles, for example).

    image


    Well, we learned what we wanted to know, but what good is it? Now, if we could change, enable or disable something...

    A simple example. The automatic transmission (CVT) control unit keeps a software counter of oil aging, and once it accumulates past a certain threshold a message appears on the on-board computer display saying the transmission needs servicing. The oil gets changed, but the message stays on the screen, because nobody can reset the counter except the MUT-III dealer scanner (around $1000, which not everyone can afford) and a few programs (also not free). In those same tables you can find a command with the self-explanatory name CLEAR_CVT_oil_degradation_level_Start. Time to laugh wickedly in the direction of the dealer and reset this notorious counter yourself. We send command 31 03 to the CVT unit and... receive 7F 31 33 in response.

    A small digression. Almost all vehicles use the UDS mechanism (Unified Diagnostic Services, ISO 14229) for diagnostics and servicing.

    It simplifies life for developers of automotive diagnostic scanners and is uniform across car manufacturers (which does not stop some of them from inventing their own extensions on top of it).

    So here is the decoded response from the CVT unit: 7F means the request was rejected, 31 is the service ID we sent, and 33 is the negative response code, namely securityAccessDenied. That is, we do not have the rights to change, or even request, this function. Who does?

    Digression 2. UDS controls access at several levels: a default diagnostic session, an extended session, a programming session, and so on. Each session has security levels that decide what you may and may not do. To unlock them you request a so-called Seed from the unit, run it through a certain algorithm and send the result back to the unit as the Key. Read more here.

    Let's try requesting a seed. We send command 2701 to the ECU and get the response 6701 6A43FD3C.
    Sending back an arbitrary 4-byte value (27 02 DEADBEEF), we get 7F 27 35, where 35 is invalidKey, since the value was plucked out of thin air. Where do we look for the key calculation algorithm? Nowhere but in the control unit's firmware. It is easy enough to obtain (though not for every unit; it all depends on the microcontroller used): first we find the CAN receive handler, then the function that processes PID 0x27 (the SecurityAccess service).

    image

    Repeating the seed/key exchange with the algorithm taken from the firmware, we get 6702 34 in response, where 34 means access granted. After that the oil-degradation reset command succeeds: instead of a negative response code it returns the positive response 7103 01, and the counter is reset.
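The whole sequence from the rejected 31 03 through the seed/key handshake to the successful reset, with both the tester and the control unit modelled, as an added example that is not code from the article. The seed 6A43FD3C, the frames 3103, 7F 31 33, 2701, 27 02 DEADBEEF, 7F 27 35 and 7103 01, and the NRC meanings follow the text and ISO 14229. `compute_key()` is a hypothetical stand-in (XOR with a constant) for the manufacturer's real seed-to-key algorithm, which the article recovers from firmware and which is not reproduced here; the toy unit also answers a correct key with the plain ISO 14229 positive response 67 02 rather than the 6702 34 the author's unit returned. It additionally models the attempt counter and delay lockout that ISO 14229 defines (NRCs 0x36 and 0x37), which the article does not mention for this unit.

```python
# Added example (not code from the article): both sides of the UDS SecurityAccess (0x27)
# and RoutineControl (0x31) exchange described above, as a toy simulation.
# compute_key() is a HYPOTHETICAL stand-in for the firmware algorithm; the seed and the
# request/response frames are the article's, the counter value and lockout are constructed.

NRC_NAMES = {
    0x11: "serviceNotSupported", 0x12: "subFunctionNotSupported",
    0x13: "incorrectMessageLengthOrInvalidFormat", 0x24: "requestSequenceError",
    0x33: "securityAccessDenied", 0x35: "invalidKey",
    0x36: "exceedNumberOfAttempts", 0x37: "requiredTimeDelayNotExpired",
}
SID_SECURITY_ACCESS, SID_ROUTINE_CONTROL = 0x27, 0x31
HYPOTHETICAL_KEY_MASK = bytes.fromhex("A5C3E17F")   # assumption: not the real algorithm


def compute_key(seed: bytes) -> bytes:
    """Hypothetical seed->key transform standing in for the real firmware routine."""
    return bytes(s ^ m for s, m in zip(seed, HYPOTHETICAL_KEY_MASK))


class ToyEcu:
    """Minimal CVT-unit model: routine 31 03 is locked until a correct key is presented."""

    def __init__(self, seed: bytes = bytes.fromhex("6A43FD3C"), max_attempts: int = 3):
        self.seed = seed                  # constructed: fixed so the transcript is reproducible
        self.pending_seed = None          # seed handed out but not yet answered
        self.unlocked = False
        self.failed = 0
        self.max_attempts = max_attempts
        self.oil_degradation_level = 200  # constructed sample counter value

    @staticmethod
    def negative(sid: int, nrc: int) -> bytes:
        return bytes([0x7F, sid, nrc])

    def handle(self, req: bytes) -> bytes:
        if req[0] == SID_SECURITY_ACCESS:
            return self._security_access(req)
        if req[0] == SID_ROUTINE_CONTROL:
            return self._routine_control(req)
        return self.negative(req[0], 0x11)

    def _security_access(self, req: bytes) -> bytes:
        sid = SID_SECURITY_ACCESS
        if len(req) < 2:
            return self.negative(sid, 0x13)
        if req[1] == 0x01:                            # requestSeed
            if self.failed >= self.max_attempts:      # locked out after too many bad keys
                return self.negative(sid, 0x37)
            self.pending_seed = self.seed
            return bytes([0x67, 0x01]) + self.pending_seed
        if req[1] == 0x02:                            # sendKey
            if self.pending_seed is None:
                return self.negative(sid, 0x24)       # key without a preceding seed
            seed, self.pending_seed = self.pending_seed, None
            if len(req) != 2 + len(seed):
                return self.negative(sid, 0x13)
            if req[2:] == compute_key(seed):
                self.unlocked, self.failed = True, 0
                return bytes([0x67, 0x02])            # plain ISO 14229 positive response
            self.failed += 1
            return self.negative(sid, 0x36 if self.failed >= self.max_attempts else 0x35)
        return self.negative(sid, 0x12)

    def _routine_control(self, req: bytes) -> bytes:
        if req[1:] != b"\x03":                        # only CLEAR_CVT_oil_degradation_level_Start
            return self.negative(SID_ROUTINE_CONTROL, 0x12)
        if not self.unlocked:
            return self.negative(SID_ROUTINE_CONTROL, 0x33)
        self.oil_degradation_level = 0
        return bytes([0x71, 0x03, 0x01])


def reset_oil_counter(ecu: ToyEcu, key_func=compute_key) -> list:
    """Tester side: try the routine, unlock on securityAccessDenied, retry. Returns transcript."""
    log = []

    def send(req: bytes) -> bytes:
        resp = ecu.handle(req)
        log.append((req.hex().upper(), resp.hex().upper()))
        return resp

    resp = send(bytes.fromhex("3103"))
    if resp[0] == 0x7F and resp[2] == 0x33:
        seed_resp = send(bytes.fromhex("2701"))
        if seed_resp[0] == 0x7F:
            return log                                # locked out; nothing more to do
        key_resp = send(bytes([0x27, 0x02]) + key_func(seed_resp[2:]))
        if key_resp[0] != 0x7F:
            resp = send(bytes.fromhex("3103"))
    return log


if __name__ == "__main__":
    ecu = ToyEcu()
    for req, resp in reset_oil_counter(ecu):
        r = bytes.fromhex(resp)
        note = f"NRC {r[2]:02X} {NRC_NAMES.get(r[2], '?')}" if r[0] == 0x7F else "positive"
        print(f"{req:>14} -> {resp:<14} {note}")
    print("counter:", ecu.oil_degradation_level)
```

Run as a script it prints the four-frame transcript (7F 31 33, then the seed, then 67 02, then 71 03 01) and a counter of 0. Passing a `key_func` that ignores the seed and returns DEADBEEF reproduces the article's 7F 27 35; doing that three times trips the toy unit's attempt counter, after which even the seed request is refused with 0x37. Whether the real CVT unit enforces any such lockout, or hands out a fresh seed each time, is something to check on the bench before hammering it with guesses.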

    So through the OBD connector you can do almost anything to the car: change the VIN stored in the units, change the coding (configuration), disable the immobilizer in under a second, clear the stored fault information, and put a unit into its bootloader state, where you can load and execute arbitrary code. The Japanese security system is a little lame.

    An example of a configuration change, on video:


    This article is for informational purposes only. Any intervention in a car's electronic control units may be the last thing they ever do. Have a nice day, everyone!
