Enhance Your Key Fob Via CAN Bus Hacking


[Igor] drives a 4th generation Volkswagen Golf, and decided he wanted to play around with the CAN bus for a bit. Knowing that the comfort bus is the most accessible and the safest to toy with, he started poking around to see what he could see (Google translation).

He pulled the trim off one of the rear doors and hooked into the comfort bus with an Arduino and a CAN interface module. He sniffed the bus’ traffic for a bit, then decided he would add some functionality to the car that it was sorely lacking. The car’s windows can all be rolled down by turning the key in any lock for more than a few seconds, however this cannot be done remotely. The functionality can be added via 3rd party modules or through manipulating the car’s programming with some prepackaged software, but [Igor] wanted to give it a go himself.

He programmed the Arduino to listen for longer than normal button presses coming from the remote. Once it detects that he is trying to roll the windows up or down, the Arduino issues the proper window control commands to the bus, and his wish is the car’s command.
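The long-press detection described above can be sketched as a small state machine; this is an added example, not [Igor]'s code. The frame ID, button bits and timings are constructed placeholders, and it assumes the remote's button state repeats in periodic frames while the button is held. It only decides when a long press has occurred and leaves any bus I/O to the caller.

```cpp
#include <cstdint>
// All IDs, bit masks and timings are constructed placeholders, not values
// captured from a Volkswagen comfort bus.
constexpr uint32_t REMOTE_ID  = 0x123; // placeholder: frame with fob button state
constexpr uint8_t  BTN_LOCK   = 0x01;  // placeholder bit in data[0]
constexpr uint8_t  BTN_UNLOCK = 0x02;  // placeholder bit in data[0]
constexpr uint32_t HOLD_MS    = 2000;  // a press at least this long is "long"
constexpr uint32_t GAP_MS     = 300;   // silence this long means the button was released

struct CanFrame { uint32_t id; uint8_t len; uint8_t data[8]; };
enum class Action { None, WindowsUp, WindowsDown };

struct LongPress {
    uint8_t  held = 0;      // button bit being timed, 0 = idle
    uint32_t start = 0;     // timestamp of the first frame of this press
    uint32_t last = 0;      // timestamp of the latest frame of this press
    bool     fired = false; // action already reported for this press

    // Feed every received frame together with its millis() timestamp.
    Action feed(const CanFrame& f, uint32_t now) {
        if (f.id != REMOTE_ID || f.len < 1) return Action::None;
        uint8_t btn = f.data[0] & (BTN_LOCK | BTN_UNLOCK);
        // Released, or both bits set (ambiguous): go idle.
        if (btn == 0 || btn == (BTN_LOCK | BTN_UNLOCK)) { held = 0; return Action::None; }
        // New press, other button, or a gap in the repeats: restart timing.
        // Unsigned subtraction stays correct when millis() wraps around.
        if (btn != held || (uint32_t)(now - last) > GAP_MS) {
            held = btn; start = now; fired = false;
        }
        last = now;
        if (!fired && (uint32_t)(now - start) >= HOLD_MS) {
            fired = true;   // one action per press, however long it is held
            return btn == BTN_LOCK ? Action::WindowsUp : Action::WindowsDown;
        }
        return Action::None;
    }
};

// Replays one button held from t0, one frame every stepMs, for durMs.
Action replay(uint8_t btn, uint32_t t0, uint32_t stepMs, uint32_t durMs) {
    LongPress lp; Action out = Action::None;
    CanFrame f{REMOTE_ID, 1, {btn}};
    for (uint32_t t = 0; t <= durMs; t += stepMs) {
        Action a = lp.feed(f, t0 + t);
        if (a != Action::None) out = a;
    }
    return out;
}
int main() { return replay(BTN_LOCK, 0, 100, 2500) == Action::WindowsUp ? 0 : 1; }
```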

It’s a pretty simple process, but then again he has just gotten started. We look forward to seeing what else [Igor] is able to pull off in the future. In the meantime, continue reading to see a quick video of his handiwork.

If you are interested in seeing what you might be able to do with your own car, check out this CAN bus sniffer we featured a while back.

[youtube=http://www.youtube.com/watch?v=_JQyTYB3ZoA&w=470]

30 thoughts on “Enhance Your Key Fob Via CAN Bus Hacking”

  1. Vdubs have a “Comfort Bus”? I’m guessing it’s some common bus for data around the car not related to the engine. How cool!

    Can the door locks be actuated via this bus? Time to do some googling.

    1. I can assure you it gets way way cooler…VWs have not only an engine control bus or a comfort bus but also an instrument cluster bus, lighting bus, transmission control bus, electric seat bus, radio bus, and much much more. It has two serial busses that connect all these things (K-lines). It’s part of what makes Volkswagen group cars so cool.

  2. Not to pick this hack to pieces but you actually can recode the car to do remote windows using vag-com and an obd-ii cable. It’s the 6th bit coded in module 46 (Central Convenience) — just go into that module, write down the existing value, add 64 to the number and recode the new value. Presto. Hold down the button on the remote and the windows do their thing.

  3. Anyone have a good reference to all the commands on the bus? From what I can gather, it also connects to the radio, and I bet cars with in-wheel buttons send commands to the radio. I don’t have in-wheel buttons to capture the commands, but now want to add them.

  4. @John,

    Having owned a 4th gen GTI, I am aware that Vag-Com can do this sort of thing, but unless Ross-Tech has changed their business model, it’s at least $200 to get your foot in the door with that software.

    I recently saw a dos-based application that purportedly does this all for free as well, but I don’t have the GTI any longer, so I have no need to investigate it.

    Besides, there’s something to be said for banging it out yourself, right?

  5. I also went the cable route. You can buy a generic Vagcom cable on ebay for $15. They aren’t as good, but they work with VCDS Lite, which is $100. Or free if the demo mode allows recoding, I forget.

    But when I did this with my Audi I just used my friend’s actual VAG COM cable that he had.

    Still, neat hack nonetheless! I’m sure he learned a lot!

  6. VDS Pro is the tool to code your car to have automated windows. This is a serial based tool, and before today, I didn’t know it was possible via VAG-COM/VCDS.

    Just a heads up.

  7. I wrote a little presentation on how I decoded the MINI Cooper CAN bus protocol.

    You can see it here:
    bobodyne dot com/web-docs/robots/MINI/CAN/Presentation/index.html

    It’s converted from a MS powerpoint, so it’s a little hideous for online viewing. Sorry about that.

  8. I did this on my vee-dub too, but I used a vag-com. I bought the vag-com to do my own diagnostics on the car, the hacks were just a small benefit. Either way, mad props for figuring it out on your own. Now, if you figure out how to re-code your ecu, I will be very interested in a write up on that, it may finally make me cough up the cash for an arduino lol

  9. Efficient way to achieve the stated goal? Hell no.

    Fun way to learn about the CAN bus and have some personal satisfaction when things in the real world obey your code? You betcha. Nice hack…

    But as it has been mentioned – I’ve got a Passat B4 and it does this window thing locally with its original key (not RF) in the lock; it did it remotely too when I had a RF alarm on it.

  10. Well, hacking it with VDS-Pro was still hacking it, when that hack was discovered – it was just changing bits in the EEPROM of the central convenience module, rather than hijacking the CAN bus.

    Also, as for VAG-COM/VCDS… sure, it’s a little expensive, but it’s a useful tool to have when working on these cars – if you want to know anything about the status of anything in the car, it’ll give it to you (which is really, really nice when troubleshooting something), it’ll let you adapt some settings (want a 24 hour clock? log into the instrument cluster and change it to UK coding – and that’s just one of many examples), and some maintenance requires it. That said, I was under the belief that the long coding for the CCM didn’t have the bits for this.

    (Of course, I’ve got a 99.5 Golf with crank windows, so this hack won’t do anything for me – and, I believe the CAN bus is far, far more limited on 99.5s, so the CCM ROM hack would be the only way that would work even if I had power windows.)

  11. All manufacturers put this in the BCM ASIC. I’ve always been interested in the computers, and also the security for a while.

    You can completely change the fob and key authentication by changing a seed number in a SPI or bit-banged ASIC interface on the BCM. I’ve demonstrated this both on a 2011 RX8 and a 98 Prelude.

  12. Hi,

    I know that you can do this with the VAG COM or similar software. This has only been an example of what you can get by hacking the CAN bus of the car.
    I mean, the objective is to connect to the Traction one and get wheel speeds, yaw, throttle, etc.
    You can add a cool LCD, SD, GPS, etc. and create your own automotive ECU with acquisition features and some extras (shift lights or beeps, gear indicator, etc.). For example => http://real2electronics.blogspot.com/2009/09/can-bus-display.html
    After decoding the messages, it’s only your imagination to create extras!!

    cheers!

  13. The generic VAGCOM/VCDS cables that work with the free version of the software don’t support the newer cars with CAN bus. Don’t let the OBDII connector fool you, OBDII is actually FOUR different hardware protocols that use the same connector and high level protocols.

  14. This method (among others) has already been thoroughly explored and documented on the ‘net and various Vdub forums. You can build your own VAG-COM equivalent if you really want to, but if you ask me, for the work involved, sometimes it’s more cost effective to just buy one. It all depends on what you think your time is worth.

  15. I’ve seen a few cool CAN bus hacks, but never one that lock/unlocks doors. Is there something special about these as far as protection or something? I’d love to make my next keypad plug’n’play.

  16. Hi Mike,

    I have decoded the message to open/close all the doors (which is sent when you open/close with the remote or the driver console door).
    Let me try again, but if I’m not wrong I was able to open/close replicating this message.

    ;)

  17. Very cool, but as others have pointed out, potentially unnecessary. This functionality can’t be coded in VAG-COM as suggested by others on the fourth generation cars. This is only available on the mkV & mk6 cars. However, some clever people on the tdiclub.com forums (I believe) figured out how to enable this on certain mk4 comfort control modules by directly manipulating bits with DOS-based VDS-Pro. For years prior to this, companies sold microcontroller-based add-on modules to provide this functionality by monitoring the door lock actuators. Thereafter, companies have come up with single-use “bit flippers” that plug into the OBD port and do the hack automatically.

  18. Awesome, and just in time for my personal/related project for a TDi Jetta. Need to extract fuel flow rate information which is very easy as a mechanical pump already reports injection quantity per stroke. Just need to dust off this PIC24 and get things going.

  19. Bill: The Mk4 cars have a K-Line to CAN gateway, and the cheap cables usually work fine on them. (There can be timing issues on certain control modules, when using a USB to serial, but they do work). So, it’s only the Mk5 and newer cars where you need a VCDS cable that supports CAN.

    Roman: There’s already a fuel consumption pulse line off of the ECU, no CAN bus needed, and I believe MPGduino can work with that. Or, I’ve got a hacked ROM that’ll allow a 1999 Passat cluster to work in a 99.5 Golf/Jetta TDI, with all the fuel consumption stuff… just haven’t gotten around to adding the wiring. (A similar hack can be done by flashing part of the contents of a 2000-2002 Jetta/Golf TDI’s ROM to a 2000-2002 Passat’s ROM, or a 2003 Jetta/Golf TDI’s ROM to a 2003 or so Passat’s ROM, or so on.)

  20. Need some nissan sentra 06 info. Also – question – can other Car Companies EVER be able to be programmed in different cars?? (I have toyota and ford fobs laying around and only my nissan left)

  21. Hello

    I have a Golf IV from 2001 without electric windows but with central lock.
    I bought 2 motors (from a Golf IV) for the front windows, but there is no central unit of the comfort module in my car.
    I want to be able to:
    - control each motor from the driver side, and control the passenger side motor from the passenger side
    - have the windows go up when the remote control lock button is long pressed

    Each motor has the CAN wire but when I tried to connect these wires the motors stopped working.
    I have an Arduino and I built the CAN bus from this site: http://www.seeedstudio.com/wiki/CAN-BUS_Shield

    Can you help me with Arduino software to read the data from the CAN bus?
    Can you send me the codes (messages) for windows up, down, passenger side windows up, down?

    Thank You!

  22. A lot of VAG cars have the ability to open/close windows and electric sunroof, they were just coded not to utilise the feature due to different country specs and/or laws, i.e. in Africa or Jamaica, not too sure which, where there are so many cars stolen while in use (hijacked) there is an auto lock feature when you exceed a certain speed. This feature is available on all VAG cars (with central locking), again it’s the coding of the unit. The windows etc. all depend on which central convenience module was installed in the factory, as some simply do not support the protocol. I use VCDS and other VAG tools, and for people who say ROMs etc., it’s actually the EEPROM, the EEPROM stores the codings etc.; with ECU and speedo the EEPROM holds the mileage, immo details etc., the engine maps work from the flash memory. Both can be edited with various levels of ease/difficulty but they are 2 different types of memory, basically flash is read only, EEPROM is read and write, only saying this for the people who don’t know.

  23. Igor missed a trick I’m trying to solve. Most VWs already have the remote windows roll up/down feature which just requires a bit set with vcds as others said. However, it doesn’t work the way I want. Closing all the windows and an open sunroof needs a 15 second hold on the keyfob which will run down the keyfob battery a lot quicker. What I want is one normal click on the key fob lock button closes any open window as I leave the car, with an override disable for pets and kids left inside the car. To do that you need to listen and discover the CAN codes for door locking then send the code for rollup windows either one data word sent or maybe it needs repeating for the 15 seconds it takes?
