Hacking the OnStar GPS v2

[Andy] has sent us his new guide to hacking the OnStar GPS. We previously covered a way to grab GPS data from an unused OnStar system, but in recent years GM has added much more complex systems, which make the job harder than splicing into a serial line. For the newer vehicles, [Andy] has worked out GM’s Controller Area Network (CAN) implementation, which GM calls GMLAN. He has done most of the bus sniffing and sleuthing, and has largely worked out how the OnStar module announces GPS fixes over GMLAN. He also provides sample code to convert those messages into plain latitude and longitude.
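As an added example (not Andy’s sample code, and not GM’s actual GMLAN frame layout), the following Python shows the shape of that conversion: parse `candump -L` style log lines, pick out the arbitration ID the write-up identifies as carrying the fix, and unpack the payload into degrees. The arbitration ID 0x4C1, the two big-endian signed 32-bit fields and the 1e-7 degrees-per-LSB scale are assumptions made for illustration; substitute the values from Andy’s notes. The log lines are constructed for the example.

```python
"""Decode a GPS fix from GMLAN-style CAN frames (added example).

The arbitration ID, field layout and scale factor below are HYPOTHETICAL,
chosen only to show the decoding steps; they are not GM's real values.
"""
import struct
from typing import List, Optional, Tuple

GPS_FRAME_ID = 0x4C1   # HYPOTHETICAL: ID of the frame carrying the fix
DEG_PER_LSB = 1e-7     # HYPOTHETICAL: one LSB == 1e-7 degrees


def parse_candump_line(line: str) -> Optional[Tuple[int, bytes]]:
    """Parse one 'candump -L' style line: '(timestamp) iface ID#HEXDATA'."""
    parts = line.split()
    if len(parts) != 3 or "#" not in parts[2]:
        return None
    can_id_hex, data_hex = parts[2].split("#", 1)
    try:
        return int(can_id_hex, 16), bytes.fromhex(data_hex)
    except ValueError:
        return None


def decode_gps_frame(can_id: int, data: bytes) -> Optional[Tuple[float, float]]:
    """Return (lat, lon) in degrees, or None if the frame is not a usable fix."""
    if can_id != GPS_FRAME_ID or len(data) != 8:
        return None
    raw_lat, raw_lon = struct.unpack(">ii", data)  # two big-endian int32s
    lat, lon = raw_lat * DEG_PER_LSB, raw_lon * DEG_PER_LSB
    # A wrong ID or layout guess usually shows up as impossible coordinates,
    # not as a parse error, so reject anything outside the valid range.
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return None
    return lat, lon


def encode_gps_frame(lat: float, lon: float) -> bytes:
    """Inverse of decode_gps_frame; handy for building test frames."""
    return struct.pack(">ii", round(lat / DEG_PER_LSB), round(lon / DEG_PER_LSB))


def extract_fixes(log_lines: List[str]) -> List[Tuple[float, float]]:
    """Run a whole capture through the parser and keep the valid fixes."""
    fixes = []
    for line in log_lines:
        parsed = parse_candump_line(line)
        if parsed is None:
            continue
        fix = decode_gps_frame(*parsed)
        if fix is not None:
            fixes.append(fix)
    return fixes


# Constructed sample capture: one unrelated frame, one good fix
# (37.7749, -122.4194), one frame with out-of-range values, one garbage line.
SAMPLE_LOG = [
    "(1300000000.000000) can0 0C9#0000000000000000",
    "(1300000000.010000) can0 4C1#1683FE08B7084830",
    "(1300000000.020000) can0 4C1#7FFFFFFF7FFFFFFF",
    "not a candump line at all",
]

if __name__ == "__main__":
    for lat, lon in extract_fixes(SAMPLE_LOG):
        print(f"fix: {lat:.6f}, {lon:.6f}")
```

Once the real ID and layout are known, only the two constants and the `struct` format string change; the range check and the log parsing stay the same.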

Unfortunately for the project (and very fortunately for [Andy]), he has a child on the way and new job responsibilities, so he is offering his results to the HaD community to finish, double-check, and turn into a good how-to for everyone else. If you decide to pick up this project and run with it, let us know!

Comments

  1. MS3FGX says:

    Very clever how he found the CAN messages containing lat/lon information.

    It would be nice to see this completed since it could be used without disabling the OnStar service like the previous method did. Of course, as he says on the page, dedicated GPS modules are so cheap now that there is very little incentive to hacking out the GPS data from the car’s computer. If you were building a car PC, it would be easier and probably cheaper to just plug in a USB GPS receiver and be done with it.

  2. Joe says:

    Does anyone know of a way to emulate the command/signal emissions needed to “disable” a vehicle? (or unlock the doors) – the way the droids at the OnStar control center do. I’m thinking it’s probably a cellphone link with a simple command decoder (i.e. DTMF) & a relay controller to either interrupt, say, the fuel pump relay, or energize a door unlock relay. Haven’t seen any service manuals on the subject (or maybe I’m not looking hard enough – since I imagine it should be in the GM/Helm documents).

  3. Daniel says:

    If GM is using CAN to transport GPS data, I suspect they use CAN to instruct the ECU to disable the car. OnStar also has access to tire pressures and other more detailed diag info; their connection to your car is a little more advanced than a DTMF decoder. If you could install a CAN sniffer and have them disable the car, you could likely see what command they send.

    Most switches and buttons in modern cars are CAN. In many cars it is normal to have the power window switch simply send a CAN message to your power window motor to raise or lower. Same goes for your dash lights.

    It makes me wonder what all Onstar could actually control if they wanted.

    • Galane says:

      Using a computer network to do simple tasks like opening windows and switch lights on and off is a bloody stupid overcomplicated thing to do in a car, plus it only serves to make the car cost a lot more. Hasn’t reduced the amount of wire in a car either, like was touted back in the 80’s when “multiplexed” systems for car wiring were first bandied about.

      So now, instead of simply pushing a couple of contacts together in an inexpensive switch, a light “switch” is a Rube Goldberg or Heath Robinson affair of digital electronics that costs a small fortune to replace when it quits working, vs. being able to carefully take apart a real switch and clean the contacts.

      That’s led to BS like the latest Camaro where the controls for *everything* are integrated into the radio. Remove the radio and the car won’t start, can’t even turn on the lights! Metra has reverse engineered that junk and makes a kit (sans radio) so an aftermarket radio can be installed – and the car can be driven.

      The movie version of Bumblebee being a Camaro who can’t talk and has to communicate using the radio is a bit ironic given how removing the radio will completely disable the real car. Should’ve used that in one of the Transformers movies – some thief steals Bumblebee’s radio when in car form and he’s inert until another one is installed.
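Daniel’s suggestion above, sniffing the bus while OnStar performs an action and looking for what changed, is the usual differential approach to CAN reversing. The Python below is an added example (not code from anyone in this thread) with constructed `candump`-style captures: a baseline recorded with the car idle and an event capture recorded while the remote action happens. It reports arbitration IDs that appear only during the event and, for IDs present in both captures, byte positions that take values never seen in the baseline, while ignoring positions that already varied widely in the baseline (rolling counters, sensor values). Every ID and payload here is made up for the example.

```python
"""Differential CAN capture analysis (added example, constructed data).

Compare a baseline capture with one taken during an event and report
what is new: arbitration IDs not seen before, and byte positions within
known IDs that took values the baseline never showed.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Byte positions with at least this many distinct values in the baseline are
# treated as counters or sensor readings and are not reported as changes.
NOISE_THRESHOLD = 4


def parse_candump_line(line: str) -> Optional[Tuple[int, bytes]]:
    """Parse one 'candump -L' style line: '(timestamp) iface ID#HEXDATA'."""
    parts = line.split()
    if len(parts) != 3 or "#" not in parts[2]:
        return None
    can_id_hex, data_hex = parts[2].split("#", 1)
    try:
        return int(can_id_hex, 16), bytes.fromhex(data_hex)
    except ValueError:
        return None


def frames_by_id(lines: List[str]) -> Dict[int, List[bytes]]:
    """Group payloads by arbitration ID, skipping unparseable lines."""
    grouped: Dict[int, List[bytes]] = defaultdict(list)
    for line in lines:
        parsed = parse_candump_line(line)
        if parsed is not None:
            grouped[parsed[0]].append(parsed[1])
    return grouped


def byte_values(frames: List[bytes]) -> List[Set[int]]:
    """Set of values observed at each byte position across the frames."""
    width = max(len(f) for f in frames)
    return [{f[i] for f in frames if i < len(f)} for i in range(width)]


def diff_captures(baseline_lines: List[str],
                  event_lines: List[str]) -> Tuple[List[int], Dict[int, List[int]]]:
    """Return (ids only in event, {id: byte positions with unseen values})."""
    base, event = frames_by_id(baseline_lines), frames_by_id(event_lines)
    new_ids = sorted(set(event) - set(base))
    changed: Dict[int, List[int]] = {}
    for can_id in sorted(set(event) & set(base)):
        base_vals = byte_values(base[can_id])
        positions = []
        for i, ev in enumerate(byte_values(event[can_id])):
            bv = base_vals[i] if i < len(base_vals) else set()
            if len(bv) >= NOISE_THRESHOLD:
                continue  # noisy in the baseline; new values are expected
            if ev - bv:
                positions.append(i)
        if positions:
            changed[can_id] = positions
    return new_ids, changed


# Constructed captures. 0x0C9 carries a rolling counter in byte 7 (noise),
# 0x1E1 is constant at idle, and 0x2F0 shows up only during the event.
BASELINE_LOG = [
    f"(1300000000.{i:06d}) can0 0C9#1A2B0000000000{i:02X}" for i in range(8)
] + ["(1300000000.000100) can0 1E1#0000000000000000"] * 3

EVENT_LOG = [
    f"(1300000001.{i:06d}) can0 0C9#1A2B0000000000{i:02X}" for i in range(8, 16)
] + [
    "(1300000001.000100) can0 1E1#0000010000000000",
    "(1300000001.000200) can0 2F0#0102000000000000",
]

if __name__ == "__main__":
    new_ids, changed = diff_captures(BASELINE_LOG, EVENT_LOG)
    print("IDs only during event:", [hex(i) for i in new_ids])
    print("changed byte positions:", {hex(k): v for k, v in changed.items()})
```

In practice you would record several baselines and several repetitions of the event, because a single capture makes every rarely-sent frame look like a candidate; the noise threshold above is a crude stand-in for that repetition.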

  4. tj says:

    It’s nice to see people with a lot of money reversing… don’t see it much.

  5. regulatre says:

    This is very intriguing. Not only does it mean the GPS is available, but just think of the possibilities. The OnStar module is on the CAN network, with a CDMA phone, GPS, etc. Think bigger than GPS: what else can we use or access? I would like to delve deeper into this project, but the problem I’m running into is finding a suitable GMLAN to USB/serial/Bluetooth converter. If there were a GMLAN Bluetooth converter (ELM327 would be a huge plus) I could integrate this into another project I’m already working on with the Droid phone (project name Voyager, not released yet) and controlling the vehicle via OBD-II/CAN. GMLAN is on a separate LAN in the vehicle, I think, but if GMLAN could be accessed from CAN that would be really cool, with lots of possibilities.

  6. Andy says:

    Several GMLAN protocol documents can be purchased from IHS:

    http://auto.ihs.com/news/newsletters/auto-apr05-04.htm#gmw

    I haven’t seen these documents so I don’t know how much useful information they contain.

  7. JRJ says:

    This has more appeal than you might think despite the lower cost of GPSs on the market. For one, the OnStar’s installation is optimized for reliable reception and is better than built-in patch antennae. Another is the selection & versatility of PC & handheld software compared to street or trail units. You can combine GPS and Google Earth running in cached mode to track yourself in real time with satellite imagery. Can’t do that with a hand-held. Also OnStar’s GPS doesn’t have a long delay finding satellites in a new location.
    Is there a service port we could use for a no-cut mod? I imagine plugging in a Bluetooth link that takes power from the plug. I could probably work up a PIC board with a Bluetooth module PDQ.

  8. Jeff Baitis says:

    My 2002 GMC Envoy has a very nice gas-discharge matrix element display that displays the odometer, tripmeter, and other settings. When making calls with OnStar, it would also display something like “ONSTAR ACTIVE;” when voice dialing in OnStar, it would display the number, digit by digit. I always thought it would be really fun to hack the car to display my own custom messages; this project seems like a great starting point :-)

  9. GMLAN Expert says:

    So yeah. I have done a lot of this kind of stuff. Specifically with GMLAN and other vehicles.

    Although I don’t go much into detail on my blog (canbushack.com), you can always shoot me an email if you are working on a specific project.

    I have gotten the Lat/Long from OnStar. Found the lock/unlock and other features that OnStar performs. Don’t come asking for free work if you are a business, hackers only please.

  10. beyerch says:

    I know how to retrieve data from the older systems WITHOUT hardware modifications, very similar to what he proposes for the GMLAN. While I’ve been wanting to put something together on that for a while, perhaps I’ll pick up his GMLAN example and publish the other at the same time (assuming there is interest)?

  11. regulatre says:

    Oh how far we’ve come since this thread started. There are now a few of us garage hackers that are writing apps/hardware to integrate into the GMLAN networks.

    I personally am writing Android apps and Perl scripts to analyze data and monitor the vehicle systems on the GMLAN and CAN networks. In addition, I already wrote one test app (VoyagerRC) with which I was able to control various vehicle systems, and another (VoyagerConnect) which is on the Android Market. See my website/blog.

    My upcoming app, Voyager Dash, will pull together everything I’ve learned about the GMLAN and other vehicle networks into a single Android app, and present this information and control to a phone user with a Bluetooth OBD adapter.

    If you are interested in teaming up, please follow my blog and feel free to contact me.

  12. TonyK says:

    Playing with a GMLAN mirror on a non-GMLAN car. There’s got to be an inexpensive way to simulate a low-speed GMLAN reverse signal to the mirror to activate the built-in monitor… Any ideas?
