Hijacking the Mazda LCD display

[Pieter] is in the process of adding a turbo package to his ride. He needed a status display for the boost but didn’t have a good way to mount an additional display. He came up with the idea of using the LCD screen that’s already in the dashboard, but the specs for it were not available. Wielding his hard-earned hacking skills [Pieter] used a logic analyzer to sniff out the communications to the screen. He built a controller board that overrides the data coming in from the head unit. The board is also able to query the car’s computer for data and display it in any format you want. What he ends up with is a stock look that he can customize for his needs. Nice!

74 thoughts on “Hijacking the Mazda LCD display

  1. I really admire this kind of work because IMO it’s the best way to go. It hides under the dashboard and the turbo under the hood. It looks like anyone else’s car, so it doesn’t stick out as something Joe Criminal should steal, but it still has added functionality that’s so smooth it could have (and should have; wtf is up with automakers?) been done that way from the factory.

    Kudos to you dude.

  2. It’s uncanny how hackaday picks up on obscure projects I have kicking around my head. A couple months back it was the guy who data logged his indoor bike trainer, and now this guy does it to his RX-8. I’ve always wanted to make my own iPod interface for my car, but I didn’t know the protocol at the time. I emailed some guy who apparently knew, but he wanted to charge me.

  3. @ksmith: Do you mean the protocols for whatever system you have in your car or for the iPod? I’m in the process of doing something similar (or was until work got in the way) and found the iPod protocols fairly easily, it’s just an adaptation of RS232. Let me know if you’re interested and I’ll find ‘em for you.

  4. @ksmith thats a lot better than what happens to me, I think up something and 4 years later its available or easily doable for $400 :-/

  5. Most of us are like this here, with obscure niche inventions and ideas that this year’s teenagers will eventually neglect to appreciate when they become mainstream, guys :( just like you, you can’t imagine how many times I’ve wished I had extra money for patent protection and then been like DAMN. Most recently I met a flywheel-powered push lawnmower that I wrote about in a text document on my website two years ago.

  6. I apologize for the newbie question I’m about to ask. I’ve never learned to use a logic analyzer but I understand the basic concept of the tool.

    Can someone recommend a good webpage, article, book to get a good start on learning to reverse simple communications between chips?

  7. @ terry, if its not a documented thing you just kinda poke around until you find stuff

    a data clock is pretty easy to sniff out, from there you need to find the control lines (if any) the last thing that usually shows up is the data (in a given cycle)

  8. No source code? Awesome hack, but the protocol information should be shared somewhere. I’ve seen some people work on this Mazda databus before awhile back and I’ve personally done some decoding on the RX-8 navigation controls. Maybe author could use these controls for more OEM interface/look?

    Please post the source or more info, thx!

  9. Now this is a REAL hack. I am always impressed by people willing to go to these lengths to make something like this work. I have reverse engineered the OTC Genisys line of automotive scan tools, so I am always fond of automotive hacks :)

    Out of curiosity, anyone else here own a Genisys, and have you reverse engineered it at all? I have mine authorized for most all of the applications, all I had to buy was the cables and smart inserts, and I got the scan tool itself from eBay for under $400!

    1. Jake,

      I noticed several of your posts about OTC Genisys, I have an Older genisys, Pre 2.0, Although I was able to do a bit copy of a friends CF card to get 2.0. I tried several ways to unlock things, Maybe you can help, if your willing. I know this post is old so im not sure if you will ever get this.

  10. I’d love to do something like this with my ’03 Jag X type It’s a cool car with a lot of potential. Any comments? Either way, this is inspiring!

    (The H is for Heineken, the PhD is me.)

  11. Meh, I would probably enjoy looking at this but putting the video across 10 parts instead of all in one video clip fails hard. Sort of the video equivalent of Too Long, Didn’t Read.

    If you buy a car as nice and expensive as an RX-8, you probably should know better than to fuck with its electronics.

  12. @M4CGYV3R
    “…know better than to fuck with its electronics…”

    and you call yourself a hacker? ;)
    But seriously, I wonder if the protocol is similar for other Mazdas of this vintage.
    I had a 2004 mazda6s wagon (and miss it as well) and now own a 2008 CX-7. My teenage daughters complain that I don’t have RDS display in my car.
    If I was ambitious I’d add that functionality, as well as indoor/outdoor temp readings to my display. Oh and ipod functionality would be cool too. Hmmmmm

  13. @strider
    Calling me a troll is far more immature and troll-ish than me pointing out my view of a hack, which you disagree with.

    I’m sorry, the whole world doesn’t agree with you. I hope it didn’t pop your imaginary world bubble.

    @Cromag
    Dude, if you want to void warranty on a $40,000 car, go ahead. I’d at least try it out first on a used pile or better yet a junker. One wrong connection on those boards can feed power into the CPU and fry a lot more than the display.

  14. @Lee

    Judging by my experiences with car dealerships (and being an ASE Master Auto Tech for almost 10 years myself) I would say that the dealership wouldn’t notice. They avoid getting under the dash at all costs, and with satellite radio add-ons and such, it’s pretty common to have people come in to the dealership with aftermarket electronics added under the dash. Unless they had to service/replace the LCD module itself, they would never know.

    You have to realize, todays mechanics are a different breed, most are trained to replace individual modules when they fail, and few understand how those modules actually work, and how they all talk to each other. The only ones that *do* understand are the few-and-far-between rockstar driveability techs, and geeks like me that have diverse and out of control hobbies.

    Not to mention the fact that [Pieter] is installing a turbo in his Mazda. I don’t think he is worried about the warranty ;)

  15. this sir has inspired me
    my car also has a lcd display and I
    have been looking for a good way to add a few guages to my mega squirt setup
    never even though about polling the can network
    and pumping it out on my stock lcd

  16. @M4CGYV3R

    True, it is your opinion and in America you are entitled to it, and i respect that. But when you “disagree” with 99% of the posts on this site…In a not-so-helpful way…It’s not hard for a group of hackers to put two and two together.

    If it sounds like a troll, acts like a troll, then it must be a TROLL.

    :D

  17. @wdfowty

    “and in America you are entitled to it”

    Do you live somewhere that you aren’t entitled to your own opinion!?!? D:

    /haz own opinions :D

  18. @Terry

    Man, that would be some work. I have gigabytes of communication logs, flash images, and random linux crap. They run on Lynx, a linux RTOS. I started playing around with a MAC mentor, which is the same as the original Genisys, and I later got a newer tool on eBay that has the faster processor in it (has shiny buttons instead of dull). They have since released at least 2 newer models, but I think they are all pretty much the same.

    My reverse engineering goes as far as manually flashing the tool for newer OS’es, and cracking the software to authorize all of the applications. I am kind of hesitant to say anything about how I cracked the apps since that would definitely be covered by software piracy laws…

    It wasn’t that hard. The machine has a linux console that is accessible through the RJ45 port on top, using your average terminal emulation software. I believe the settings are 9600-n-8-1 for the serial port, I’d have to double check, it’s been a while. I would be cool to get some people working on some custom software for these tools, there are a lot of them floating around out there, and they have a ton of potential.

  19. NO!!!! I had a mazda like that and wanted to use the display so bad! I would have been happy just replacing the initial “HELLO” with “MIKES” or something.

  20. Most car electronics are designed to survive shorts to ground and battery on every pin, and sometimes double or reversed battery on the at least the power/ground pins to handle various situations when the car is jumped improperly or by a semi w/ two batteries or something.

  21. Hi, I am looking to do something like this in my Mazda 3, would you be willing to share the code you used to output to the screen and the pin config?

    Cheers
    Chris

  22. I too have a Genisys. All apps unlocked i have been trying to decompile the tool, hoping to administer super user rights. Mine has system 2.0 any help or chat would be awesome

  23. got a 2.0 Genisys. After dd’ing the CF card, I’ve been trying to disassemble the bootloader, but haven’t spent too much time on it. Thanks for the RJ45 tip; I’ll play around with that.

    1. Bootloader? On the CF card? There is no bootloader on the CF card that I have seen. The operating system is contained on that card. Every time you boot, it loads the OS and various drivers, programs the on board FPGA’s, and then loads the scan tool utility.

  24. well tried to upload new updates to an aftermarket CF card on my genisys and it froze. OTC wants me to send it in to repair so any one who has claimed cracking the unit(Jake) andy help would be appreciated.

  25. Im also interested in info on the Genisys, i have one that died, and i want to transfer all my applications to my other unit. if anyone can help me with the RJ-45 thing i’d appreciate it.

    1. See my answer below – smart cards can not be used on two devices, and there is nothing on the one device that can simply be transferred to the other to make it work.

  26. I am looking for info on how to transfer applications on the genisys, one of my units has quit turning on, and i need to transfer my applications to my other tool, as i dont want to rebuy them. anyone have any info how to do it? OTC says i have to buy then all over again…

  27. I am in need of some info on the genisys as well, i have two scanners, only one that had european and asian. the one with euro and asian died, and OTC won’t help to transfer the applications to the working unit. anyone know how to do it through the serial port or something?

    1. Once the smart card is registered to one tool, it can not be used on another as the tool’s serial number is burned on the smart card. I suppose that you could find where in the device the serial number is stored, and try to remove that IC and change the data within it, but I suspect that would be one of the flash chips (there are several) and you would risk doing much more harm than good.

  28. jake if you have reflashed oses on scan tools did you do it through a MAC computer seeing how it is linux(unix) based OS? currently my scanner wont boot due to bad flash do you have the bootloader by any chance. Any help would be appreciated jake

  29. This is Jake.

    Wow, lots of interest in this subject.

    As far as the flash is concerned, are you talking about the on-board flash chips or the CompactFlash card in the unit? The CompactFlash can be fixed. If your onboard flash is corrupt, then it may be easier to just send it in, I really don’t have the time to figure out how to bootload that part of the device.

    Leave me a message on here, I’ll check back in a few days to see if anyone is still having trouble.

  30. I can’t support anyone on this. Looking in to it and any way you look at it, it’s software piracy, piracy of a company’s product that I am very loyal to. There is no way that you can twist this to call it “innocent hacking”, etc. OTC has a lot of money and a lot of lawyers, and seeing that no one but me (in the world, lol) has truly cracked this tool, I am NOT going to make myself a target. Good luck guys.

    1. I REALIZE LOOKING BACK AT ONES COMMENTS CAN SHOW TERMS FOR LITIGATION, IN ALL HONESTY NATO DID YOU SUCCESSFULLY CRACK THE TOOL? YOU DONT HAVE TO REPLY WITH A YES FOR REASON OF SELF INCRIMINATION BUT I AM JUST CURIOUS…FOR ALL OTHERS READING I HAVE THREE TOOLS 1 OF WHICH IS WORKING AND I AM VERY DETERMINED TO CRACK THE TOOL..FEEL FREE TO CHIME IN IF YOU OWN A GENISYS/DETERMINATOR/MENTOR/TECHFORCE BUT PLEASE REALIZE THAT IN ORDER TO SUCCESSFULLY UNLOCK/CRACK/BREAK/UPDATE/ROOT THE DEVICE YOU NEED TO KNOW WHAT YOUR TALKING ABOUT AND HOW THE OS BOOTLOADER FPGA MICROPROCESSOR DRAM SRAM RTOS UNIX IEEE AND SUCH OPERATE..ANYONE WITH ME ON THIS???

    2. PS NATO YOU DIDNT CRACK SH!T EVERYONE KNOWS IT…”YA I DID IT, OH YOU WANNA KNOW HOW, WELL IM NOT GUNNA TELL”…YA RIGHT BRO

      1. Marc – You sound pretty bitter and frustrated. I have completely reverse engineered this tool, and am able to activate any application with a script which I wrote back in 2005.

        Judging by your “ALL CAPS” and profanity, you are a very stupid person whom I would never share any of my work with. Good luck ;)

  31. well, I was able to gain root access via a serial console and many hours of poking around but that is as far as i got, anyone have any more info?

    1. Sounds like you’ve been putting some work in to it. If you have gained root access, then you should know the first and last characters of the root password. Post them here. If you are correct, I’ll post my email and we can discuss this somewhere else.

      1. I have been working on my Genisys for a while, It’s nice to finally find someone who know’s something. Several years ago I used a sniffer when updating my Tool, Back when it was v1.9 I believe, Did a CF bitcopy of a friends 2.0. I need to dig through all the paperwork I wrote but I will provide the Pass NATO, If interested I would like to communicate via email.

  32. actually what i did to gain root access is look up the installation manual for lynx os and found a default account user name and password that worked, then used the update routine in the tool to upload a script to reset the root account password.

    1. Interesting… Where did you find an installation manual for LynxOS? I recall looking for such information but at the time there was nothing available for free from Lynx.

    1. Back in the day when I first started to look for things I couldn’t find anything, After seeing Jake/Nato’s comments it got me reinvigorated to play again. I can’t believe how much info I can find now. Looking up US patents can be a nice resource for some :)

      1. Sharing is caring! I still can’t find anything on the Genisys except this thread. I don’t understand what you mean using patents as info. Email me: repatten at gmail

  33. Emailed you guys back finally. I’m gonna be out for the next two weeks, internet access will be sporadic. Sent y’all some information and we can chat when I get back. Thanks

    1. I just priced the interface cable at my jobber for the genisys…$109! can someone tell me the pinout on on the RJ-45? I expect a tx rx and gnd but doubt it is standard.
      Wolfman.

  34. Strange, my post didn’t take. Can someone tell me the pinout for the rj-45 on the genisys? A cable from the jobber is $109, and i’m sure it is just tx rx and gnd.
    Wolfman

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s