Can Bus Settings / Speeds / Commands

[redracer]

I have been having fun exploring the JL canbus with a canbus hat and a raspberry pi zero. I didn't find much detailed information when I got started and it took some work to find the speeds for each bus, so I just want to share my information for the next geek to come along and want to hack on their Jeep...

My goal is to create a small touchscreen add-on that you could use to activate missing features after changing out my radio. For example the missing MAX A/C and Sync buttons that only live in the radio screens. ... Enjoy.

canbus blocks behind glove box:

Green bus 500k speed - Body
2b1#01 - 07 hvac fan speed status
2b1#00.00.?? Temperature status
230#?? 01 ac off 03 ac on 07 defrost 00 all off status
22d#00.00.00.??.?? 10 00 left arrow, 00 01 right arrow, 40 00 down, 00 04 up
318 ?? : 01 left blinker stalk, 02 right, 08 moment high beam, 04 hold high beam, 10 wipers moment,

-----------
white bus 125k speed - Radio / HVAC Controls
230#03 AC on 00 AC off - status only
2D3#00.00.00.00.00.00.xx.00 00 not pressed, 02 loop, 01 AC, 08 mode,
2D4#00.00.xx 10 pass seat heat, 01 driver seat heat
273#00.00.xx 09 up, 0a down

2D3#07.00.00.00.00.00.01.00 AC on / off
2D3#07.00.00.00.00.00.08.00 cycles through hvac modes
273#00.00.0A.00.00.00.00.00 fan down
273#00.00.05.00.00.00.00.00 fan up
2D3#07.00.20.00.00.00.00.00 screen off
2D3#07.00.00.00.00.02.00.00 auto AC
2D3#07.00.01.00.00.00.00.00 Mute
2D3#07.24.00.00.00.00.00.00 Auto Stop Start
342#80.00.00.00.00.00.00.00 max ac
342#00.00.00.04.00.00.00.00 sync

--vehicle settings from radio screens:
314#01.01 02 auto door locks off - on
314#02.01 02 auto unlock on exit off - on
314#07.01 02 flash lights with lock off - on
314#05.03.00 01 02 sound horn with lock off - 1st - 2nd
314#04.01 02 Remote door unlock all - driver
314#28.01 02 auto-on driver heated seat & wheel off - with start
314#95.03.00 03 14 28 Doors off engine off power delay 0sec - 45sec - 5min - 10min
314#0E.03.00 1E 3C 5A Headlight Off Delay 0sec - 30sec - 60sec - 90sec
314#10.03.00 03 14 28 Doors on engine off power delay 0sec - 45sec - 5min - 10min
314#57.03.00 01 02 03 04 05 Aux1 Latch - Moment - ignition - battery - last.state.on - last.state.off (last.state on requires ignition)
314#58.03 aux2
314#59.03 aux3
314#5A.03 aux4
30F#00.00.00.00.00.00.00 02 04 06 Speed adjust Volume off - 1 - 2 - 3
314#21.01 02 Hill start assist off - on

Sponsored

 

[jmccorm]

I have been having fun exploring the JL canbus with a canbus hat and a raspberry pi zero. I didn't find much detailed information when I got started and it took some work to find the speeds for each bus, so I just want to share my information for the next geek to come along and want to hack on their Jeep...

My goal is to create a small touchscreen add-on that you could use to activate missing features after changing out my radio. For example the missing MAX A/C and Sync buttons that only live in the radio screens. ... Enjoy.

Any progress? Would you like to work with a peer? Or do you mind giving a fellow experimenter a leg up with what you got working so far?

I'm glad to see you've selected the Raspberry Pi as your platform. Inexpensive, powerful, and room to grow! Even the Zero should have plenty of speed to pull messages off of the bus and not keep losing messages due to a slow FIFO. You've got plenty of headroom to do complex things.

I'm headed in a different direction with this. I have a few small quality-of-life gadgets that I'd like to put together. Things that I an others complain about, and things that people wish their Jeep could do if only it had a bit of something else thrown in.

I've got programming experience (albeit a bit rusty lately) and a UNIX administration and cybersecurity background which are both sure to be incredibly handy when dealing with the Raspberry Pi (zero).

Mind describing more about the hardware? Which CAN bus HAT? You're speaking CAN 2.0B, or... ? Any cool tips? Any potential value in collaboration?

 

[nsfw_andy]

Fellow geek here also, but unfamiliar with CANBUS.

So is this basically like packet sniffing? Are you able to do MITM attacks, because if so, we can possibly disable the pesky auto-park from activating!

 

[redracer]

I have not worked on this since posting. Some house work took priority over dinking with the jeep. That and I put the factory 7" radio back in for now.

I have very little programming experience and was basically learning python on the fly with the PI. I've always been more of a server / network admin Until I became an electronics / automation tech for a utility. So Linux is in my blood from compiling custom kernel days.

Yes, this just packet sniffing. CanBus is just a simple network handing out hex words with a short destination address. It's not man in the middle unless you want to. The simplest thing is to just watch for a command and then send your own command after to change the setting back. There is no authentication or security as long as you are not using the OBD2 connector.

I was using a 2 channel isolated can hat off of Amazon, connecting directly to the can hubs behind the glove box using common jumper wires.
2-Channel Isolated CAN Bus... https://www.amazon.com/dp/B08BFZMHJ4?ref=ppx_pop_mob_ap_share

 

[redracer]

Fellow geek here also, but unfamiliar with CANBUS.

So is this basically like packet sniffing? Are you able to do MITM attacks, because if so, we can possibly disable the pesky auto-park from activating!

As for auto park.... I'm not sure how we could affect a change on that. It's the engine control unit handling that logic. Unless somehow we get between the door open signal and ECU... Possibly a man in the middle between the body module (if there is one) and ECU to filter out door open status messages while in a non parked state. Sounds fun.

But I'm no use for this.... As I have a Manual Transmission.

 

[jmccorm]

I was using a 2 channel isolated can hat off of Amazon, connecting directly to the can hubs behind the glove box using common jumper wires.
2-Channel Isolated CAN Bus... https://www.amazon.com/dp/B08BFZMHJ4?ref=ppx_pop_mob_ap_share

That's exactly the model I was looking at! Thank you. ORDERED! How did you handle the 12VDC -> 5VDC power situation?

It looks like I'll be spending some time getting up-to-speed on all of this. But I imagine it won't take me long to have my first 'feature' up and running.

BTW... I wonder if anyone has actually cracked the EVIC to any real degree? I mean, I see how the Tazer JL sends text messages... but graphics? That's one of the nuts I'd like to crack!

SAY... I don't suppose anyone knows any official publication with FCA's CAN based messages? Or, at least, one thing I'd be interested to see in particular are the CAN messages which area accepted (and responded to) by the Uconnect radio. I have a few integration ideas along those lines, too.

Truth be told, there are a lot of little neat things that can be done here. So many directions, so many possibilities (and an incredible need to be careful, too). No chance of any official support, protocol documentation, etc... is there?

 

[jmccorm]

Can someone help me out here and identify the type of connectors I'm looking at here? (I'd rather wire in with a connector than try to piggyback on an existing connector.)

EDIT: I found a great resource which talks all about this, but still no lead for the actual connectors themselves! I might just have to go to the dealer and have them look one of these up for me.

Here are two useful images when it comes to wiring up the connections:

 

[redracer]

For 5v, This can hat does not have a power supply built in. So I wired in a USB power supply to an aux switch wire in the passenger footwell. This powers the PI.

 

[redracer]

This is how I was testing. The pins are the standard breadboard size so a few female to female jumpers worked great.

Now, you can find replacement pigtails sold by Mopar to get the official connector. I would probably do this for a finished install. I believe that the hub is called a can Star, so some Google image searches should find what you want.

 

[redracer]

Aha!
http://connectors.dcctools.com/details.htm?id=153287

 

[jmccorm]

Aha!
http://connectors.dcctools.com/details.htm?id=153287

Good job finding it. But wow... whatever it is they're selling exactly (no picture at the Mopar store), they're wanting $60.69? I think you've got the right names here, just I'm hoping the wrong item? I'm not complaining though, you've gotten quite far with this already.

EDIT: This was my first guess, but I just can't see the connector.

 

[redracer]

Truthfully, I'm thinking of just modeling the connector in tinkercad and 3d printing them. The nice thing is the size match of the pins and spacing to the standard 2.54mm electronics jumper wires... So tweaking an existing design should be simple. Then just buy premade jumpers and pull the pins out and slide them into the printed connector.

ELEGOO 120pcs Multicolored Dupont Wire 40pin Male to Female, 40pin Male to Male, 40pin Female to Female Breadboard Jumper Wires Ribbon Cables Kit Compatible with Arduino Projects https://www.amazon.com/dp/B01EV70C78/ref=cm_sw_r_apan_glt_fabc_R5VF568HAZTKBRH1DA7T

HJ Garden 620pcs 2.54mm Dupont Jumper Connectors Male Female Crimp Pin Terminal Kit 250V 3A 1-12Pin Dupont Cable Jumper Wire Pin Header Housing Kit https://www.amazon.com/dp/B07BDJ63CP/ref=cm_sw_r_apan_glt_fabc_W2Y2C1V9RE1HNG6BV3NM

 

[jmccorm]

Okay, so the big green CAN bus connector, here's the part:

Connector Can Buss
68230877AA
Can distributor block. Green 13 Way Connector. Can Buss 13 Way Green. Can C 13 Way Green. Star. 13 Way Green 60 OHM Key B Tyco #214186475. Star. 13 Way Neutral 60 Ohm Key B Tyco # 221386855.

And the big white CAN bus connector, I believe this is the part:

Connector Can Buss
68140647AA
Green. Star. 13 Way Neutral 60 Ohm Key E. Can B 13 Wat Tan. Tan 13 Way. Star. 13 Way White 60 Ohm Key E Tyco # 514186475.

...now I just need some sort of part number for some sort of small harness that plugs into one of these, right?? I think I've gotten as far as I can with this tonight. But what I can do is take these two part numbers to the dealer and have them find something small and cheap that plugs into it, and that'll provide me with my nice clean pigtail. [Whew!]

I'm wondering about Tyco... are they a parts supplier for electrical connectors?

EDIT: HA! Getting too excited. I know it isn't necessary to go this way, but I'd rather have a very clean connection if I'm connecting to either one of the CAN busses. I don't want to pollute the entire bus by making a bad connection of my own.

 

[jmccorm]

So is this basically like packet sniffing? Are you able to do MITM attacks, because if so, we can possibly disable the pesky auto-park from activating!

So, as redracer said, yes, we've got two busses. The Wrangler has all the human-facing systems on a relatively fast interior bus. Then it has all the critical automotive system (the vehicle body) isolated on its own separate bus that's even faster.

There are various ways that you can configure a network, but in our case, these networks are in a star configuration. That means that all the members of each bus are directly tied together to each other. When they speak, they're always talking to everyone in the group (and never in private to another member). Like a conference call.

So what he's done (and where I'm also going to start) is to add ourselves as a member of the interior bus, and then separately, add ourselves as a member of the vehicle body's bus. We get to hear everything that's happening (often uniquely) on both busses. But sometimes a component on one bus needs to know what's happening on the other bus. How does that work?

There's actually a component in the vehicle that's already connected to both busses. It's the SGW (Secure Gateway Module). When there are messages from a member of one bus that are pre-defined as suitable for members of the other bus to hear, the SGW forwards the message. Kind of like a man-in-the-middle (MITM), but with a white hat. It's purpose is to prevent any malicious messages on the ("potentially insecure") interior bus from interfering with the ("secure") vehicle body bus. Like a firewall. (Now you know why the Tazer JL replaces the SGW module. That gives it access to both busses and all the components on them.)

I'll leave it to you to figure out if we're a MITM or not when we're a member of both busses and if we start to relay messages (with the SGW module removed, and again without it removed).

But you've actually touched upon an interesting possibility. If there's a particular module that we'd want to lie to (or tell other people lies from... without the real module contradicting us) we COULD remove that module from the star configuration and add them directly to us (and we'd be connected to the star in their place). In that situation, we could relay and/or falsify any message to/from the targeted module that we like, in true MITM style. Perhaps, say... a module that handles interior audio, or the door locks, or something else?

Regarding Auto-Park, that involves the coordination of a number of systems. I forget what all we have, but there's vehicle speed, current gear selection, seatbelt status, door open/close status, a decision-making module, and possibly more. As a member of the star configured hub, if we see a check being made, we might be able to emit a (false) response quick enough to prevent Auto-Park from engaging, such as "the doors are shut!". Or we might be able to shout over other member's responses thereby preventing any action. But if we put ourselves directly between the bus and one of those modules, then we could prevent Auto-Park from engaging a whole lot easier. (These are the kinds of possibilities we can start to flesh out as we experiment.)

Take note: The problem with attaching to the vehicle body's CAN network is that it has the potential to be dangerous. Even fatal. Anything from a hacker coming in over the WiFi, to a programming error, to an energetic cosmic ray hitting the CPU could cause a serious and life-threatening condition. Examples:

Your throttle is electronically controlled. The vehicle itself can command the engine to go full-throttle and ignore ANYTHING you do with the gas pedal. The computer cannot control the steering wheel, but it can individually control each of the brakes (a function required for roll-over mitigation, stability control, etc). That means it could make the vehicle perform a wild turn (by locking a wheel) or even a vehicle roll-over! And don't forget that your air bags are computer controlled, too.

If done correctly, there is a great deal of value to be had and it goes well beyond disabling something like Auto-Park. Entirely new classes of features (beyond what we've seen so far) are possible. There's a risk/reward balance that would have to be carefully thought out and preserved. But for now, we're looking to see what's possible for our own vehicles. Later, there's the challenge of figuring out how to make it safe for others, and then actually productionizing it. EDIT: typos, clarity.

 

[gato]

Not sure if the picture below helps. I've been primarily focused on the CAN BUS C (high speed) to track down some error messages on shifter, stability control, etc, caused by loose connections and chafed wires.

Sponsored