Control everything in your car with the Car Kracker

If your whip is a Honda, Toyota, BMW, Chrysler, VW, or Mini made in the last decade or so, the Car Kracker is for you. This project allows you to connect directly to your car’s computer system, allowing you to display messages on your stereo, play music off an SD card, and even override factory settings like always-on daytime running lights.

The Car Kracker uses ISO 9141, an in-car communications protocol that is now mostly used in foreign (for the US) cars. The build uses a Gadget Gangster Propeller board to connect to the CD changer port and OBD-2 port in the trunk, and the diagnostic port located under the hood.

With the Car Kracker, it’s easy to connect the Aux In on your stereo to an SD card loaded with music, or even plug in an iPod for the poor souls without a 1/8″ jack. Dealer customizations such as turning the ‘door is ajar’ noise off, toggling daytime running lights, and throwing a nav warning up are also possible.

Check out the two videos after the break, and if anyone has any more info on getting this deep into a car’s computer system (a wiki, maybe?), send a link in on the tip line.


  1. MB says:

    ODB-2… OBD-2?

  2. Eirinn says:

    “pay music off an SD card”

    I assume “play”? :) Quite interesting nonetheless!

    Getting a toyota next month… interfacing.

  3. SavannahLion says:

    Next month on Hack a Day; How to Unbrick Your BMW.


  4. Chad says:

    Remember doing something like this with my cw jetta and the obd port and vagcom program
    Very cool stuff wouldn’t surprise me as BMW’s have enough wires and computers to link up to NORAD !!

  5. Alan Kilian says:

    If you’d like some more information about the MINI Cooper CAN bus traffic, I wrote up a presentation Here.

  6. Trevor says:

    Really cool, but turning off day time running lights is not a smart idea. Plus they are mandatory in Canada so disabling them could get you a ticket up here!

    • gabriel says:

      daytime lights are just silly in places like california.

      it should be configurable in foggy places, but other than that, just useless battery drain.

    • metalwolfhax says:

      If this was possible on my car I would look into it right away. Running lights a more of an annoyance if you have a job like mine. I work security and occasionally I have a job that requires me to sit in my car all night. Thankfully pulling the hand brake turns off the lights or else I would have to chose between sitting in air conditioning and giving away my position or not sticking out but having to sit in a hot car all night.

  7. nmcclana says:

    Hey HAD! This is my project;
    It’s actually pretty hard to brick your car – only the engine and transmission have re-writable firmware, and they’re on a separate data bus.

    Many complaints about my ’00 e46. But the data bus is a lot of fun to play with.

  8. Jay G. says:

    Ross tech made an interfacing cable a long time ago with free software to do this very thing. I just bought my wife a VW Jetta and managed to turn off the seat belt buzzer, door buzzer, and activate/deactivate a half-dozen other features. However, this is much neater, and notably cheaper. I will have to try this out as well.

  9. other_firmware says: … there is much more that has firmware (ABS, ESP, Airbag, …)

    • xorpunk says:

      BCM, where most crypto code and dash controls are.

      There are some cool patented algos in ECMs for fuel and emissions.

      I remember messing with this stuff late 90s, it’s too expensive for most people including me, now. Some of the things I did made world news when some university researchers published papers 5 years later on just a fraction of it. They got sewed though ^^

  10. bhtooefr says:

    Software-wise, they’re just targeting BMW stuff. Some of the stuff they’re doing won’t work the way they’re doing it on a VW, for instance, or is just impossible without hardware mods.

    Also, ISO 9141 is an outdated protocol, most companies have since moved to CAN-only systems.

    Re: the Ross-Tech cable, that’s somewhat different in that it’s a diagnostic tool that can manually access the control modules in the car to change settings or read sensors. (I highly recommend their stuff if you have a VW, though.)

    Re: OBD-I vs. OBD-II… generic OBD-II is very limited compared to the proprietary protocols, which at least in the case of VWs, stayed the same when they moved from OBD-I to OBD-II. This may actually work on an OBD-I BMW, given that it’s not going to be using the Generic OBD-II command set.

    Re: Reflashable control modules… you’d be surprised what’s reflashable. On my 99.5 Golf TDI, the engine computer is NOT reflashable (2000+ were, and there was a nasty bug in the firmware on the pre-2000 Mk4 TDI startup fueling map (essentially, a corner of the map that covered high temperature and low RPM was zeroed out, meaning you had to crank for 5+ seconds before the emergency start fueling map was used to dump fuel into the engine), that went unfixed due to the cost of fixing it). However, the instrument cluster and the central convenience (locks, doors, windows, mirrors, that sort of thing) modules are reflashable. Nowadays, everything in the car is reflashable.

    • Robot says:

      Yes, I unhappily discovered this only after purchasing the Kiwi WiFi ODBII dongle and iPhone app. What a bummer that was. I would hate to make that mistake again with this product.

  11. NewCommentor1283 says:

    ahh, one of the FEW people that dont think im off my rocker by TRYing to warn people… that newer cars can be started and driven off unattended THROUGH the INTERNET connection provided by OnStar… how? your car doesnt have a firewall nor virus scanner, and hash andor checksum can both easily be faked, as has been prouven on desktop computers time and time again.

    but how could this “virus” possibly be implanted? does your car play MP3’s? MP3’s that were burnt on a CD… on a computer that is connected to the internet and browses on websites.

    have fun with facebook,,, GIF and JPG files can BOTH hold viruses, picked a few up from facebook (someone else using) and antivirus deleted it.

    friend request? too late you already just downloaded the virus just by viewing the request list-page! hmm scary

    PS: everything i just talked about was about viruse files, im have no clue and dont want to know if they can be hacked into directly… even more scary

    PPS: if there is a webcam (backup camera, while in reverse, and reverse IS fast enough to kill a person) or GPS involved (onstart has GPS built in i think) then it becomes MUCH more dangerous of a machine!

    PPPS: toyota

    • xorpunk says:

      I’ve reversed onstar firmware, you are off your rocker. It’s most robust system at most can control ECM to the point of ignition and alarm security bypass and only after challenge/response with an operator.

      FPGA on ECM are hardware-write-locked and only some can be dumped, so super hax0rs are no significant threat even if they give generic bypass tools to thiefs..

      A bypass tool would defeat challenge/response via physical connection to FBGA bus board..

      • NewCommentor1283 says:

        but it(onstar) can shut down the engine without any hacking if the car is reported stolen(to the police)… so wouldnt one be right to say it could also start said engine?

        maybe im just stuck thinking about OLDER car networks, the ones without a hoot of thought put into them. 1st gen if you will

        im not talking about a specific car, and im not talking about all cars, im talking about “some” cars.

        and since when are cars challenge and response? maybe i was out of the loop too long but last i heard car “networks” didnt even have the “from” field in their network packet… so the left-front brake can not tell if it is the pedal telling it to brake, or the onstar, or even the stereo, yes, the stereo could concievebly tell the car to spin out.

        seperate networks, i heard there is a device that translates from one network to the other in a car, blocking certain sendto address packets. could that not be overwritten too? im assuming this device has the same amount of security in it as a home networking router, and those have been broken time and time again.

        PS: i mean (toyota) cars dont just accelerate uncontrolled and crash for no reason.

        they said it needed a metal “shim”, yeh right.
        how the hell does a “shim” keep the whole thing from going bonkers, i mean i’d understand if the pedal’s calibration was off by as much as 50% when it breaks, but 100% off???

    • markS says:

      Fear is our greatest weapon.. and Surprise !
      Fear and Surprise are our greatest weapons…

  12. tom says:

    Does any one have any more info on doing stuff like this with a 99 VW Golf?

  13. Tony says: has lots of info on reverse engineering and tuning the ME7 engine computers used in 1999-2005 VW/Audi/Skoda/Seat. On the site there is a lot of info on the ISO9141/KWP1281 and KISP14230/WP2000 protocols used for communicating with the different computers in the car.

  14. medwardl says:

    Now if it will let me alter the perimeters in the computer so i can get the engine lite out and get it to pass inspection before it’s due that would be awesome.

    • hexmonkey says:

      Clearing codes can be done with any OBD reading tool. You can probably even get it done at the local Pep Boys or Autozone.
      Altering the engine parameters is a little harder since that’s actually ECU modding, which is a whole different problem.

      • medwardl says:

        clearing codes is easy I’m taking about clearing the codes so it doesn’t look like it’s been cleared and keeping them from coming back on so it can “pass” inspection as my pos needs expensive exhaust work that I can’t afford to do.

  15. biogetica says:

    I think this is nto full demo video. I have seen more in this type in technique area.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 96,695 other followers