Follow-up: Hacking OnStar

Reader [regulatre] has sent us his continued work on hacking the OnStar system in GM cars. Previously, we wrote about some initial attempts to gain access to the bus that OnStar uses to monitor and control the car, called GMLAN. [regulatre] has built an adapter between the GMLAN connector and a standard OBD2 plug, which should let a number of off-the-shelf readers retrieve data.

The write-up covers using a Bluetooth OBD2 reader and passing the data on to a Linux machine. It looks as though the author intends to integrate OnStar reading and writing into an Android app that is currently an OBD monitor.

We love seeing follow-ups like this, because they put everyone one step closer to full control of closed devices. As always, let us know if you take any of this in a new direction.

Comments

  1. blizzarddemon says:

    I can imagine what would happen if you activated it the wrong way and the cops show up thinking you're stealing your car. lol

  2. Dennis Booth says:

    The Blob, over at http://bomarc.org, has some car module schematics, including an OnStar module.
    USA 307-234-3488.

  3. regulatre says:

    Looking at Bomarc, I don’t see schematics.

    We’re not just hacking OnStar any more, we’re hacking everything on the SWC CAN Bus, which includes radio, locks, onstar, seats, heads-up-display, text display on equipped GM vehicles, etc. Check out the video for a demo of me using the interface to control the radio.

    One hurdle right now is deciphering the PGNs from the CAN bus.

  4. This is awesome! I am definitely going to make a microcontroller-based filter/NMEA formatter to send GPS Serial data over USB to my netbook.

    http://prj.perquin.com/obdii/

    Has some really good information about CAN protocol. Does anyone know if there are C/Arduino libraries for CAN?

  5. regulatre says:

    @Dantheman2865 – I’ve been kicking around some plans for an Arduino that talks OBD. The schematic you linked to looks pretty sweet. I would recommend adding an ELM327 to the mix and you can instantly communicate with any of the common OBD protocols (10+) including GMLAN.

    Also, by using an ELM327 you don’t need CAN libraries, you just need to connect to the ELM327 via RS232. The ELM chips are like $20, it's a steal!

    Please do contact us though to bounce around a few more ideas. gmail name gtosoft

  6. Gon says:

    The Toyota Prius also uses CAN Bus. There are other projects out there where people have tapped into it.

  7. regulatre says:

    CAN = two wire bus
    GMLAN = one wire bus, based on CAN.

    All modern cars in the US come with CAN. The EPA has mandated it. They use it to check emissions stuff and dealers use it to connect to your onboard systems for testing and maintenance.

    There are lots of scan tools out there that can connect to CAN but the ones that connect to GMLAN are very expensive, until now.

    This article is about the hacking of the existing scan tools (some cost as little as $50) and adding support for GMLAN.

    We take a regular bluetooth OBD adapter and rig it to communicate on the GMLAN network.

    This is a first as far as I know – making a bluetooth I/O connection to the GMLAN network and establishing 2-way communication on it.

  8. @regulatre – I understand where you are coming from with ease-of-use, but my mentality is one of frugality. ;) I am looking at this particular project from a perspective of having “Free GPS” so paying a solid $40 doesn’t appeal to me. Besides, it’s harder to break software; I’m still a student so I can’t imagine holding a $20 chip in my hand.

    I will be in touch, certainly once I actually start working on the project. Thanks!

  9. HackerK says:

    Now if only someone dared to hack their Prius ;) to see what’s causing the gas and brake issues and create a patch before Toyota did... hehe

  10. taylor says:

    Hey, looks like some solid good work here!

    Sounds like you’re on the right track, so I’ll just add what I’d want, in case you’re looking for input. I’d love to have a unit that interfaces with my OBDII that connects via bluetooth to my android phone, and can display interesting data about the car’s operation.

    My car is a 2004 Audi S4, so it has OnStar (they had a partnership for a while), but I’m not sure how much, if any, of the system uses GMLAN.

    I’d be most interested if the project was all open source, as I think it would be a better product if it were. But yeah, I just scanned your project page so far, so not sure what you’ve implemented, but this is cool!

    AT&T finally gets a nexus one, so I’m ditching my G1 ASAP!

  11. fartface says:

    Older OnStar is easy to hack. The GPS module is separate and has a standard NMEA stream. I have several ham friends that have ripped out the useless OnStar phone section and tapped in to use the GPS and OnStar buttons for other uses.

  12. regulatre says:

    @hackerK – haha good idea. Did you know big brother has a data recorder in your car? http://mfes.com/cdr.html I wonder why they don’t just look at the CDR logs in those Toyotas.

    @taylor – Already on it :) Tonight I coded VoyagerRC to sniff the data and pick it apart into its data/MAC layer fields and save it to a DB for analysis. I intend to factor out the common messages so we can analyze the interesting packets.

    Next, I’m adding a screen that displays the captured packets and analyzes their content.

    And of course I’ll have the option to select one or more packets and re-play them onto the network.

    VoyagerRC, coming soon! :)
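The sniff-and-sort step described in the comment above, as an added example that is not code from the original post or from VoyagerRC: it parses ELM327-style monitor output into CAN ID and payload, counts frames per ID, and separates the constant background IDs from the ones whose payload changes. It assumes the monitor prints one frame per line as a hex ID followed by space-separated hex data bytes; the capture below is constructed, not recorded from a car.

```python
# Added example (not code from the original post or from VoyagerRC):
# parse ELM327-style bus-monitor output into CAN ID and payload, count
# frames per ID, and separate constant "background" IDs from IDs whose
# payload changes. Assumes one frame per line as a hex ID followed by
# space-separated hex data bytes; the capture below is constructed.
from collections import defaultdict

SAMPLE_CAPTURE = """\
2A0 00 00 00 00
3C1 01 1F 00
2A0 00 00 00 00
3C1 02 1F 00
7E8 03 41 0D 32
3C1 03 1F 00
BUFFER FULL
2A0 00 00 00 00
"""

def parse_frame(line):
    """Return (can_id, data) for a frame line, or None for status text."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        can_id = int(parts[0], 16)
        data = bytes(int(b, 16) for b in parts[1:])
    except ValueError:
        return None  # e.g. "BUFFER FULL" or a partial line
    if can_id > 0x1FFFFFFF or len(data) > 8:  # 29-bit ID, 8-byte DLC max
        return None
    return can_id, data

def summarize(capture):
    """Map each CAN ID to (frame count, number of distinct payloads)."""
    counts = defaultdict(int)
    payloads = defaultdict(set)
    for line in capture.splitlines():
        frame = parse_frame(line)
        if frame is None:
            continue
        can_id, data = frame
        counts[can_id] += 1
        payloads[can_id].add(data)
    return {cid: (counts[cid], len(payloads[cid])) for cid in counts}

def changing_ids(capture):
    """IDs whose payload varies across the capture: decode these first."""
    return sorted(cid for cid, (_, n) in summarize(capture).items() if n > 1)
```

Feeding a real monitor session into `summarize` gives the per-ID table to store in the DB; `changing_ids` is the shortlist of packets worth decoding by hand.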

  13. Floz says:

    CAN is actually the new standard that is replacing OBD-II… by federal mandate here in the states.

    That said, yes, if you can decipher the communications on the bus, you can control a myriad of systems.

    Airbag, Radio, Sat-Nav, OnStar (or at least the fone in the headliner), Creature Comforts (power locks, windows), HVAC systems, ABS, possibly parking brake on some vehicles, engine feedback and control, and so on…

    Basically, the new standard is laid out in such a way that every subsystem of the car really should be on the bus. From Body-Control (HVAC/windows/lighting) to SRS (airbag), Engine, and yes, even the braking system.

  14. Floz says:

    almost forgot my point…
    throttle by wire, electromechanical steering assist… Android, CAN/GMLAN Scantool…

    How far are we from that James Bond flick, where you drive the car with your mobile phone, whilst standing across the street?

  15. batty boy says:

    great stuff

  16. Burton says:

    What is your best memory of childhood? Worst?

  17. Bryson says:

    Any suggestions on how to “easy” hack the older OnStar systems for iPhone control through anything? Suggestions? Just an idea, need some help, not my forte. All I know about stupid Chevy OS’s connecting with iPhones is the iPhone

  18. Ozzie says:

    @regulatre The link above to your Hacking the OnStar System no longer works and lands on gtosoft.webs.com/comingsoon.htm

    Can you please post a working link in a comment here so we can read about your work?
