Hijacking the Mazda LCD display

[Pieter] is in the process of adding a turbo package to his ride. He needed a status display for the boost but didn’t have a good way to mount an additional display. He came up with the idea of using the LCD screen that’s already in the dashboard, but the specs for it were not available. Wielding his hard-earned hacking skills [Pieter] used a logic analyzer to sniff out the communications to the screen. He built a controller board that overrides the data coming in from the head unit. The board is also able to query the car’s computer for data and display it in any format you want. What he ends up with is a stock look that he can customize for his needs. Nice!

Comments

  1. Dan Fruzzetti says:

    I really admire this kind of work because IMO it’s the best way to go. It hides under the dashboard and the turbo under the hood. It looks like anyone else’s car, so it doesn’t stick out as something Joe Criminal should steal, but it still has added functionality that’s so smooth it could have (and should have; wtf is up with automakers?) been done that way from the factory.

    Kudos to you dude.

  2. regulatre says:

    Like++
    I’m working on this for GM but you are way ahead of me.

  3. ksmith says:

    It’s uncanny how hackaday picks up on obscure projects I have kicking around my head. A couple months back it was the guy who data logged his indoor bike trainer, and now this guy does it to his RX-8. I’ve always wanted to make my own iPod interface for my car, but I didn’t know the protocol at the time. I emailed some guy who apparently knew, but he wanted to charge me.

  4. James says:

    Makes me miss my Mazda 6 even more. But very cool.

  5. leftfootleashed says:

    @ksmith: Do you mean the protocols for whatever system you have in your car or for the iPod? I’m in the process of doing something similar (or was until work got in the way) and found the iPod protocols fairly easily, it’s just an adaptation of RS232. Let me know if you’re interested and I’ll find ‘em for you.

  6. Kyle says:

    @ksmith thats a lot better than what happens to me, I think up something and 4 years later its available or easily doable for $400 :-/

  7. Dan Fruzzetti says:

    Most of us are like this here, with obscure niche inventions and ideas that this year’s teenagers will eventually neglect to appreciate when they become mainstream, guys :( just like you, you can’t imagine how many times I’ve wished I had extra money for patent protection and then been like DAMN. Most recently I met a flywheel-powered push lawnmower that I wrote about in a text document on my website two years ago.

  8. Terry says:

    I apologize for the newbie question I’m about to ask. I’ve never learned to use a logic analyzer but I understand the basic concept of the tool.

    Can someone recommend a good webpage, article, book to get a good start on learning to reverse simple communications between chips?

  9. blizzarddemon says:

    Totally a hack in every sense of the word. Great Job!

  10. Paul Potter says:

    Impressive.

  11. osgeld says:

    @ terry, if its not a documented thing you just kinda poke around until you find stuff

    a data clock is pretty easy to sniff out, from there you need to find the control lines (if any) the last thing that usually shows up is the data (in a given cycle)

  12. Birdman says:

    That is awesome 0_0

  13. dext0rb says:

    No source code? Awesome hack, but the protocol information should be shared somewhere. I’ve seen some people work on this Mazda databus before awhile back and I’ve personally done some decoding on the RX-8 navigation controls. Maybe author could use these controls for more OEM interface/look?

    Please post the source or more info, thx!

  14. Jake says:

    Now this is a REAL hack. I am always impressed by people willing to go to these lengths to make something like this work. I have reverse engineered the OTC Genisys line of automotive scan tools, so I am always fond of automotive hacks :)

    Out of curiosity, anyone else here own a Genisys, and have you reverse engineered it at all? I have mine authorized for most all of the applications, all I had to buy was the cables and smart inserts, and I got the scan tool itself from eBay for under $400!

    • brit2k says:

      Jake,

      I noticed several of your posts about OTC Genisys, I have an Older genisys, Pre 2.0, Although I was able to do a bit copy of a friends CF card to get 2.0. I tried several ways to unlock things, Maybe you can help, if your willing. I know this post is old so im not sure if you will ever get this.

  15. strider_mt2k says:

    Extremely cool automotive hack!

    Very nice!

  16. blue carbuncle says:

    nice job :) great hack :)

  17. doctrh says:

    I’d love to do something like this with my ’03 Jag X type It’s a cool car with a lot of potential. Any comments? Either way, this is inspiring!

    (The H is for Heineken, the PhD is me.)

  18. M4CGYV3R says:

    Meh, I would probably enjoy looking at this but putting the video across 10 parts instead of all in one video clip fails hard. Sort of the video equivalent of Too Long, Didn’t Read.

    If you buy a car as nice and expensive as an RX-8, you probably should know better than to fuck with its electronics.

  19. Cromag says:

    @M4CGYV3R
    “…know better than to fuck with its electronics…”

    and you call yourself a hacker? ;)
    But seriously, I wonder if the protocol is similar for other Mazdas of this vintage.
    I had a 2004 mazda6s wagon (and miss it as well) and now own a 2008 CX-7. My teenage daughters complain that I don’t have RDS display in my car.
    If I was ambitious I’d add that functionality, as well as indoor/outdoor temp readings to my display. Oh and ipod functionality would be cool too. Hmmmmm

  20. strider_mt2k says:

    He’s not a hacker.

    He’s a troll.

  21. Lee says:

    If the car is still under warranty, leave it alone. If it’s out of warranty, go ahead and have some fun!

  22. M4CGYV3R says:

    @strider
    Calling me a troll is far more immature and troll-ish than me pointing out my view of a hack, which you disagree with.

    I’m sorry, the whole world doesn’t agree with you. I hope it didn’t pop your imaginary world bubble.

    @Cromag
    Dude, if you want to void warranty on a $40,000 car, go ahead. I’d at least try it out first on a used pile or better yet a junker. One wrong connection on those boards can feed power into the CPU and fry a lot more than the display.

  23. B1rdm4n says:

    Isn’t that what hacking is, messing with electronics???

    Now, if it’s still under warranty, I agree, I wouldn’t mess with it!

  24. Jake says:

    @Lee

    Judging by my experiences with car dealerships (and being an ASE Master Auto Tech for almost 10 years myself) I would say that the dealership wouldn’t notice. They avoid getting under the dash at all costs, and with satellite radio add-ons and such, it’s pretty common to have people come in to the dealership with aftermarket electronics added under the dash. Unless they had to service/replace the LCD module itself, they would never know.

    You have to realize, todays mechanics are a different breed, most are trained to replace individual modules when they fail, and few understand how those modules actually work, and how they all talk to each other. The only ones that *do* understand are the few-and-far-between rockstar driveability techs, and geeks like me that have diverse and out of control hobbies.

    Not to mention the fact that [Pieter] is installing a turbo in his Mazda. I don’t think he is worried about the warranty ;)

  25. rob says:

    this sir has inspired me
    my car also has a lcd display and I
    have been looking for a good way to add a few guages to my mega squirt setup
    never even though about polling the can network
    and pumping it out on my stock lcd

  26. wdfowty says:

    @M4CGYV3R

    True, it is your opinion and in America you are entitled to it, and i respect that. But when you “disagree” with 99% of the posts on this site…In a not-so-helpful way…It’s not hard for a group of hackers to put two and two together.

    If it sounds like a troll, acts like a troll, then it must be a TROLL.

    :D

  27. Jake says:

    @wdfowty

    “and in America you are entitled to it”

    Do you live somewhere that you aren’t entitled to your own opinion!?!? D:

    /haz own opinions :D

  28. Terry says:

    @jake – I would love to read what you have done with the Genisys scan tool. Would you write it up?

  29. Jake says:

    @Terry

    Man, that would be some work. I have gigabytes of communication logs, flash images, and random linux crap. They run on Lynx, a linux RTOS. I started playing around with a MAC mentor, which is the same as the original Genisys, and I later got a newer tool on eBay that has the faster processor in it (has shiny buttons instead of dull). They have since released at least 2 newer models, but I think they are all pretty much the same.

    My reverse engineering goes as far as manually flashing the tool for newer OS’es, and cracking the software to authorize all of the applications. I am kind of hesitant to say anything about how I cracked the apps since that would definitely be covered by software piracy laws…

    It wasn’t that hard. The machine has a linux console that is accessible through the RJ45 port on top, using your average terminal emulation software. I believe the settings are 9600-n-8-1 for the serial port, I’d have to double check, it’s been a while. I would be cool to get some people working on some custom software for these tools, there are a lot of them floating around out there, and they have a ton of potential.

  30. Mark says:

    This is some really outstanding work. Great Job!

  31. jeditalian says:

    TURBO BOOST!

  32. Steve Shockley says:

    Warranty? You should read this:

    http://en.wikipedia.org/wiki/Magnuson%E2%80%93Moss_Warranty_Act

    If you screw with your car, and something unrelated breaks, they still have to cover it.

  33. Mike says:

    NO!!!! I had a mazda like that and wanted to use the display so bad! I would have been happy just replacing the initial “HELLO” with “MIKES” or something.

  34. Splat says:

    Most car electronics are designed to survive shorts to ground and battery on every pin, and sometimes double or reversed battery on the at least the power/ground pins to handle various situations when the car is jumped improperly or by a semi w/ two batteries or something.

  35. ChrisMalyon says:

    Hi, I am looking to do something like this in my Mazda 3, would you be willing to share the code you used to output to the screen and the pin config?

    Cheers
    Chris

  36. Marc says:

    I too have a Genisys. All apps unlocked i have been trying to decompile the tool, hoping to administer super user rights. Mine has system 2.0 any help or chat would be awesome

  37.    says:

    got a 2.0 Genisys. After dd’ing the CF card, I’ve been trying to disassemble the bootloader, but haven’t spent too much time on it. Thanks for the RJ45 tip; I’ll play around with that.

    • NATO says:

      Bootloader? On the CF card? There is no bootloader on the CF card that I have seen. The operating system is contained on that card. Every time you boot, it loads the OS and various drivers, programs the on board FPGA’s, and then loads the scan tool utility.

  38. marc says:

    well tried to upload new updates to an aftermarket CF card on my genisys and it froze. OTC wants me to send it in to repair so any one who has claimed cracking the unit(Jake) andy help would be appreciated.

  39. Alex says:

    Im also interested in info on the Genisys, i have one that died, and i want to transfer all my applications to my other unit. if anyone can help me with the RJ-45 thing i’d appreciate it.

  40. Alex says:

    I am looking for info on how to transfer applications on the genisys, one of my units has quit turning on, and i need to transfer my applications to my other tool, as i dont want to rebuy them. anyone have any info how to do it? OTC says i have to buy then all over again…

  41. Alex says:

    I am in need of some info on the genisys as well, i have two scanners, only one that had european and asian. the one with euro and asian died, and OTC won’t help to transfer the applications to the working unit. anyone know how to do it through the serial port or something?

    • NATO says:

      Once the smart card is registered to one tool, it can not be used on another as the tool’s serial number is burned on the smart card. I suppose that you could find where in the device the serial number is stored, and try to remove that IC and change the data within it, but I suspect that would be one of the flash chips (there are several) and you would risk doing much more harm than good.

  42. marc says:

    jake if you have reflashed oses on scan tools did you do it through a MAC computer seeing how it is linux(unix) based OS? currently my scanner wont boot due to bad flash do you have the bootloader by any chance. Any help would be appreciated jake

  43. NATO says:

    This is Jake.

    Wow, lots of interest in this subject.

    As far as the flash is concerned, are you talking about the on-board flash chips or the CompactFlash card in the unit? The CompactFlash can be fixed. If your onboard flash is corrupt, then it may be easier to just send it in, I really don’t have the time to figure out how to bootload that part of the device.

    Leave me a message on here, I’ll check back in a few days to see if anyone is still having trouble.

  44. NATO says:

    I can’t support anyone on this. Looking in to it and any way you look at it, it’s software piracy, piracy of a company’s product that I am very loyal to. There is no way that you can twist this to call it “innocent hacking”, etc. OTC has a lot of money and a lot of lawyers, and seeing that no one but me (in the world, lol) has truly cracked this tool, I am NOT going to make myself a target. Good luck guys.

    • MARC says:

      I REALIZE LOOKING BACK AT ONES COMMENTS CAN SHOW TERMS FOR LITIGATION, IN ALL HONESTY NATO DID YOU SUCCESSFULLY CRACK THE TOOL? YOU DONT HAVE TO REPLY WITH A YES FOR REASON OF SELF INCRIMINATION BUT I AM JUST CURIOUS…FOR ALL OTHERS READING I HAVE THREE TOOLS 1 OF WHICH IS WORKING AND I AM VERY DETERMINED TO CRACK THE TOOL..FEEL FREE TO CHIME IN IF YOU OWN A GENISYS/DETERMINATOR/MENTOR/TECHFORCE BUT PLEASE REALIZE THAT IN ORDER TO SUCCESSFULLY UNLOCK/CRACK/BREAK/UPDATE/ROOT THE DEVICE YOU NEED TO KNOW WHAT YOUR TALKING ABOUT AND HOW THE OS BOOTLOADER FPGA MICROPROCESSOR DRAM SRAM RTOS UNIX IEEE AND SUCH OPERATE..ANYONE WITH ME ON THIS???

    • MARC says:

      PS NATO YOU DIDNT CRACK SH!T EVERYONE KNOWS IT…”YA I DID IT, OH YOU WANNA KNOW HOW, WELL IM NOT GUNNA TELL”…YA RIGHT BRO

      • NATO says:

        Marc – You sound pretty bitter and frustrated. I have completely reverse engineered this tool, and am able to activate any application with a script which I wrote back in 2005.

        Judging by your “ALL CAPS” and profanity, you are a very stupid person whom I would never share any of my work with. Good luck ;)

  45. Alex says:

    well, I was able to gain root access via a serial console and many hours of poking around but that is as far as i got, anyone have any more info?

  46. Alex says:

    actually what i did to gain root access is look up the installation manual for lynx os and found a default account user name and password that worked, then used the update routine in the tool to upload a script to reset the root account password.

    • NATO says:

      Interesting… Where did you find an installation manual for LynxOS? I recall looking for such information but at the time there was nothing available for free from Lynx.

  47. USMC0317 says:

    This is all quite interesting… I’ve been looking for resources on the OTC series for a while.

    • Brit2k says:

      Back in the day when I first started to look for things I couldn’t find anything, After seeing Jake/Nato’s comments it got me reinvigorated to play again. I can’t believe how much info I can find now. Looking up US patents can be a nice resource for some :)

      • USMC0317 says:

        Sharing is caring! I still can’t find anything on the Genisys except this thread. I don’t understand what you mean using patents as info. Email me: repatten at gmail

  48. Alex says:

    Hey Nato, Is your emaIl workIng? I emaIled you and never heard back…

    Alex

  49. NATO says:

    Emailed you guys back finally. I’m gonna be out for the next two weeks, internet access will be sporadic. Sent y’all some information and we can chat when I get back. Thanks

    • wolfman says:

      I just priced the interface cable at my jobber for the genisys…$109! can someone tell me the pinout on on the RJ-45? I expect a tx rx and gnd but doubt it is standard.
      Wolfman.

  50. wolfman says:

    Strange, my post didn’t take. Can someone tell me the pinout for the rj-45 on the genisys? A cable from the jobber is $109, and i’m sure it is just tx rx and gnd.
    Wolfman

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 93,441 other followers