Enhance your key fob via CAN bus hacking

can_bus_hacking

[Igor] drives a 4th generation Volkswagen Golf, and decided he wanted to play around with the CAN bus for a bit. Knowing that the comfort bus is the most accessible and the safest to toy with, he started poking around to see what he could see (Google translation).

He pulled the trim off one of the rear doors and hooked into the comfort bus with an Arudino and a CAN interface module. He sniffed the bus’ traffic for a bit, then decided he would add some functionality to the car that it was sorely lacking. The car’s windows can all be rolled down by turning the key in any lock for more than a few seconds, however this cannot be done remotely. The functionality can be added via 3rd party modules or through manipulating the car’s programming with some prepackaged software, but [Igor] wanted to give it a go himself.

He programmed the Arduino to listen for longer than normal button presses coming from the remote. Once it detects that he is trying to roll the windows up or down, the Arduino issues the proper window control commands to the bus, and his wish is the car’s command.

It’s a pretty simple process, but then again he has just gotten started. We look forward to seeing what else [Igor] is able to pull off in the future.  In the meantime, continue reading to see a quick video of his handiwork.

If you are interested in seeing what you might be able to do with your own car, check out this CAN  bus sniffer we featured a while back.

Comments

  1. neorazz says:

    I just did this on my bug but I just hooked up with a serial cable via dos

  2. Bill says:

    Vdubs have a “Comfort Bus”? I’m guessing it’s some common bus for data around the car not related to the engine. How cool!

    Can the door locks be actuated via this bus? Time to do some googling.

  3. John Laur says:

    Not to pick this hack to pieces but you actually can recode the car to do remote windows using vag-com and an obd-ii cable. It’s the 6th bit coded in module 46 (Central Convenience) — just go into that module, write down the existing value, add 64 to the number and recode the new value. Presto. Hold down the button on the remote and the windows do their thing.

  4. Bill says:

    Anyone have a good reference to all the commands on the bus? From what I can gather, it also connects to the radio, and I bet cars with in-wheel buttons send commands to the radio. I don’t have in-wheel buttons to capture the commands, but now want to add them.

  5. Mike Nathan says:

    @John,

    Having owned a 4th gen GTI, I am aware that Vag-Com can do this sort of thing, but unless Ross-Tech has changed their business model, it’s at least $200 to get your foot in the door with that software.

    I recently saw a dos-based application that purportedly does this all for free as well, but I don’t have the GTI any longer, so I have no need to investigate it.

    Besides, there’s something to be said for banging it out yourself, right?

  6. Taylor Alexander says:

    I also went the cable route. You can buy a generic Vagcom cable on ebay for $15. They aren’t as good, but they work with VCDS Lite, which is $100. Or free if the demo mode allows recoding, I forget.

    But when I did this with my Audi I just used my friend’s actual VAG COM cable that he had.

    Still, neat hack nonetheless! I’m sure he learned a lot!

  7. Johnny D says:

    VDS Pro is the tool to code your car to have automated windows. This is a serial based tool, and before today, I didn’t know it was possible via VAG-COM/VCDS.

    Just a heads up.

  8. AlanKilian says:

    I wrote a little presentation on how I decoded the MINI Cooper CAN bus protocol.

    You can see it here:
    bobodyne dot com/web-docs/robots/MINI/CAN/Presentation/index.html

    It’s converted from a MS powerpoint, so it’s a little hideous for online viewing. Sorry about that.

  9. Kyle says:

    I did this on my vee-dub too, but I used a vag-com. I bought the vag-com to do my own diagnostics on the car, the hacks were just a small benefit. Either way, mad props for figuring it out on your own. Now, if you figure out how to re-code your ecu, I will be very interested in a write up on that, it may finally make me cough up the cash for an arduino lol

  10. Lange says:

    I also have a golf and this option is standard long press key to open/close all windows.

  11. Max says:

    Efficient way to achieve the stated goal? Hell no.

    Fun way to learn about the CAN bus and have some personal satisfaction when things in the real world obey your code? You betcha. Nice hack…

    But as it has been mentioned – I’ve got a Passat B4 and it does this window thing locally with it’s original key (not RF) in the lock; it did it remotely too when I had a RF alarm on it.

  12. thanks for this hack, and Igor’s for his work. impressive stuff!

    it would be great if someone could point us to the VW’s CAN messaging protocol and how to decode particular messages just like Igor did with the RPM.

  13. Olivier says:

    I love comments like: “why hacking the car and having fun, while you can do the same by spending $1000+?”

    Anyway, this hack is very nice.

  14. bhtooefr says:

    Well, hacking it with VDS-Pro was still hacking it, when that hack was discovered – it was just changing bits in the EEPROM of the central convenience module, rather than hijacking the CAN bus.

    Also, as for VAG-COM/VCDS… sure, it’s a little expensive, but it’s a useful tool to have when working on these cars – if you want to know anything about the status of anything in the car, it’ll give it to you (which is really, really nice when troubleshooting something), it’ll let you adapt some settings (want a 24 hour clock? log into the instrument cluster and change it to UK coding – and that’s just one of many examples), and some maintenance requires it. That said, I was under the belief that the long coding for the CCM didn’t have the bits for this.

    (Of course, I’ve got a 99.5 Golf with crank windows, so this hack won’t do anything for me – and, I believe the CAN bus is far, far more limited on 99.5s, so the CCM ROM hack would be the only way that would work even if I had power windows.)

  15. xorpunk says:

    All manufacturers put this in the BCM ASIC. I’ve always been interested in the computers, and also the security for a while.

    You can completely change the fob and key authentication by changing a seed number in a SPI or bit-banged ASIC interface on the BCM. I’ve demonstrated this both on a 2011 RX8 and a 98 Prelude.

  16. Igor says:

    Hi,

    I know that you can do this with the VAG COM or similar softs. This has only been an example what you can get hacking the CAN bus of the car.
    I mean, the objetive is connect to the Traction one and get wheel speeds,yaw, throttle, etc.
    You can add a cool lcd, SD, GPS, etc and create your own automotive ECU with adquisition features and some extras (shift lights or beeps, gear indicator, etc). For example => http://real2electronics.blogspot.com/2009/09/can-bus-display.html
    After decode the messages, it’s only your imagination to create extras!!

    cheers!

  17. Bill says:

    The generic VAGCOM/VCDS cables that work with the free version of the software don’t support the newer cars with CAN bus. Don’t let the OBDII connector fool you, OBDII is actually FOUR different hardware protocols that use the same connector and high level protocols.

  18. Texas Toast says:

    This method (among others) has already been thoroughly explored and documented on the ‘net and various Vdub forums. You can build your own VAG-COM equivalent if you really want to, but if you ask me, for the work involved, sometimes it’s more cost effective to just buy one. It all depends on what you think your time is worth.

  19. Mike says:

    I’ve seen a few cool CAN bus hacks, but never one that lock/unlocks doors. Is there something special about these as far as protection or something? I’d love to make my next keypad plug’n’play.

  20. Igor says:

    Hi Mike,

    I have decoded the message to open/close all the doors (which is sent when you open/close with the remote or the driver console door).
    Let’s me try again, but if I’m not wrong I was able to open/close replicating this message.

    ;)

  21. willis7575 says:

    Very cool, but as others have pointed out, potentially unnecessary. This functionality can’t be coded in VAG-COM as suggested by others on the fourth generation cars. This is only available on the mkV & mk6 cars. However, some clever people on the tdiclub.com forums (I believe) figured out how to enable this on certain mk4 comfort control modules by directly manipulating bits with DOS-based VDS-Pro. For years prior to this, companies sold microcontroller-based add-on modules to provide this functionality by monitoring the door lock actuators. Thereafter, companies have come up with single-use “bit flippers” that plug into the ODB port and do the hack automatically.

  22. Awesome, and just in time for my personal/related project for a TDi Jetta. Need to extract fuel flow rate information which is very easy as a mechanical pump already reports injection quantity per stroke. Just need to dust off this PIC24 and get things going.

  23. Santos says:

    Thats cool. I picked up an alientech chip http://www.alientech.net/ a few years ago to accomplish the same thing on my 99.5 jetta.

  24. bhtooefr says:

    Bill: The Mk4 cars have a K-Line to CAN gateway, and the cheap cables usually work fine on them. (There can be timing issues on certain control modules, when using a USB to serial, but they do work). So, it’s only the Mk5 and newer cars where you need a VCDS cable that supports CAN.

    Roman: There’s already a fuel consumption pulse line off of the ECU, no CAN bus needed, and I believe MPGduino can work with that. Or, I’ve got a hacked ROM that’ll allow a 1999 Passat cluster to work in a 99.5 Golf/Jetta TDI, with all the fuel consumption stuff… just haven’t gotten around to adding the wiring. (A similar hack can be done by flashing part of the contents of a 2000-2002 Jetta/Golf TDI’s ROM to a 2000-2002 Passat’s ROM, or a 2003 Jetta/Golf TDI’s ROM to a 2003 or so Passat’s ROM, or so on.)

  25. Jon says:

    Need some nissan sentra 06 info. Also – question – can other Car Companies EVER be able to be programmed in different cars?? (I have toyota and ford fobs laying around and only my nissan left)

  26. Levi says:

    Hello

    I have a Golf IV from 2001 without electric windows but with central lock.
    I bought 2 motors (from golfIV) for the front windows, but there is no central unit of the confort module in my car.
    I want to able to:
    -controled each motor from the driver side, and controled the passenger side motor by the passenger side
    -windows go up when remote control lock button is long pressed

    Each motors has the CAN wire but when I tried to connect these wires the motors stop working.
    I have an Arduino and i build CAN bus from these site: http://www.seeedstudio.com/wiki/CAN-BUS_Shield

    Can you help me with an arduino soft to read the datas from the CAN bus?
    Can you send me the codes(message) for windows up, down, passenger side windows up,down.

    Thank You!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 92,288 other followers