ODB-II Hacking Using An Android Tablet

What a strange message to read on the digital dashboard display of your car. This is proof that [Kristoffer Smith] was able to control the ODB-II bus on his Eagle Grand Cherokee.

He’s not just doing this for the heck of it. It stems from his goal of adding an Android tablet on the dashboard which has been a popular hack as of late. This left [Kristoffer] with steering wheel controls that did nothing. They originally operated the radio, so he set out to make them control the tablet.

He had seen an Arduino used to control the CAN bus, but decided to go a different route. He grabbed a USB CAN bus interface for around $25. The first order of business was to use it with his computer to sniff the data available. From there he was able to decode the traffic and figure out the commands he needed to monitor. The last piece of the puzzle was to write his own Android code to watch for and react to the steering wheel buttons. You can check out the code at his repository and see the demo after the break.

http://www.youtube.com/watch?v=iYj5OgHyrc0

[Thanks Mat]

71 thoughts on “ODB-II Hacking Using An Android Tablet

    1. Perhaps the reason odb-ii is used rather than ODB-II is because persons not need to be concerned about using the proper case when making use of tags. When ever I take the time to tag bookmarks, I use lower case for ancronyms. Besides ODB-II was used in the article where that’s probably mor important than in the tags where generally an otbi-ii tag wil reconize ODB-II & the reverse may not be true. That has been my experiance anyway, YMMV.

      1. OK I was confused, no need to point that out,only if there was a way to delete mistakes, but wait that was tried & many didn’t like any changes ar all. Yea I remember the reason it was rejected is that old old post or comments to them would have been lost.

    1. Probably because there is no such thing as “Eagle Grand Cherokee”, especially a 2003 year model. It’s a Jeep, designed and built by Chrysler, the parent company of Dodge, Jeep, and the now defunct Eagle. Eagle ceased to exist as a marque as of 1999.

  1. surely you are not trying to reset or change the odometer (milage display)?

    doing so is illegal.

    the only reason it is done is to make the car look less miles so a dishonest car dealer can sell the car for more.

    just look at the movie used cars for an example

    1. Your viewpoint is somewhat narrow minded, yes some people do this, but there’s far more people out there who just love to tinker. Take me for example, I’ve done a similar thing; http://www.youtube.com/watch?v=98h9qULPRus

      I’ve helped decode all sorts of protocol information for General Motors “GMLAN” (their implementation of a CAN) on the CarModder.com forums, information that would, say, help someone replace their head unit with built-in HVAC controls with an iPad or other tablet.

      Still sound sinister? ;)

  2. Nice job, I always wanted to do this exact thing. Unfortunately, the car I had with steering wheel controls for the radio was totalled in an accident. I’m not sure you can actually reprogram the odometer through the OBD-II/CAN interface. I know that in some cars the mileage is stored in the ECU, possibly in the TCU, as well as the cluster itself. The clusters require a special clip or jtag connection to reprogram, and yes, there are legitimate reasons to reprogram mileage, as well as fraudulent purposes.

    Working in automotive and collision repair, I can tell you that a lot of clusters get damaged, or burn out and need repairs or replacement. The old method was to replace
    the cluster (Mechanical) with a new or salvage unit, and to put a discrepancy disclaimer decal on your door pillar. Now the units can be reprogrammed to show the correct mileage, which can be used illegally, or can be used properly to revert to the stock mileage. I doubt most online ‘repair’ sites follow the rules, and will program your cluster
    to read whatever you want, but the legitimate shops program them to your actual mileage.

    I’ve repaired many clusters, I’ve just never had to reprogram one, most of the problems I’ve fixed were from bad solder joints on VFD odometer displays. or replacing burned out lamps (Sometimes soldered in place, which makes no sense for incandescent lamps).

  3. I just have a problem with the whole idea of adding a computer screen to a car (specifically one accessible to the driver) in the first place.

    If texting while driving is dangerous (which it obviously is), how much more dangerous is this? Drivers need fewer distractions, not more of them.

    1. Um, MANY new cars come with ‘screens’ and have many ‘views’ that control radio, climate control…. There is a huge difference between texting and accessing a control system. I am in the process of adding a tablet to my truck to; replace the radio; climate control system; add a secure start system….

      I understand that texting and driving is a huge distraction and dangerous, but this is really nothing like that. Further more a good driver will know when it is appropriate to ‘fiddle’ with controls and when all attention must be on the road. (Granted good drivers are a rarity)

      When you try to idiot proof something all you do is create bigger idiots. Please don’t conflate texting and driving and accessing a car control system (or even a ‘carputer’) they are not they same.

      1. I think what was left out was that while they used the OBDII connector, I think they’re working with data that isn’t defined as part of the OBDII standard. (e.g. there’s more on that CAN bus than just OBDII traffic.)

        I’m 90% certain you can’t change dash messages like in the article photo using vanilla OBDII.

  4. For general entertainment here’s an old OBD story I noticed: “PHer had their ÂŁ43K M car stolen from their driveway when thieves smashed a small area of window glass in the car without activating the alarm and used a diagnostic device to reprogramme a key fob through the OBD port.”

    Now that’s a hack :)
    Only worked with BMW’s back in the day though it seems. But still a nice hacking achievement.

    1. nope. the odometer reading is directly connected to the VIN of the car. you’d need to scrap the VIN(legally scrapping the car) in order to change the odometer reading due to a motor swap..

      the only allowable reason to change the odometer is a gauge cluster change–to change the replacement unit to the defective unit’s mileage.

      although you can also fill out legal form to allow for a change in odometer mileage if a gauge cluster needs to be changed, which makes the above change unnecessary to some regard..

        1. “Has no worth”? Are you just trying to sound sophisticated without actually being right? In the US, the federal government legislates standards for odometer accuracy under 49 USC Chapter 327. Google it. States can and do set more restrictive standards, but residents of any state are bound by the federal law.

      1. The model of motorcycle I have has a glitch where if you disconnect the battery for a while and then reconnect it with the key in the on position it will reset the odometer. I’ve come close to being a criminal a couple of times while working on it haha.

  5. I don’t know why manufacturers just add the OBD reader to the dash in the first place. They put so much under the hood these days another small electronic device wouldn’t be much extra…

    If you don’t have the OBD-II reader, you can always jump pins with wire and a light bulb and get “morse code” signals to indicate the fault, or just splurge the $50 for a cheap reader.

    I love this hack, but isn’t using an Android tablet a little over the top? Plus, if you need the OBD-II reader more than your radio, shouldn’t you focus your attention on what’s under the hood?

    Final note: way to lay off the arduino!

      1. some do… at least to a point. My car will display the OBD-II code on the odometer display if you cycle the key on-off three times without starting. You still need to google the code to see what it means, but it’s a start. I have a 2011 Dodge, but I imagine most Chrysler/Dodge/Jeep vehicles of similar vintage will do it.
        Unfortunately, my most common problem is that my cluster loses communication with the rest of the system, so it doesn’t know what code to display. And it prevents the car from starting until I pull the battery to reboot everthing.

  6. i read further to try to figure out how or why anyone would install a mid 90’s bmw gauge panel in a 2006+ grand cherokee.. come to find out, it’s just a lazy editor ;)

  7. OBD – ODB – BOD – BDO – DOB – DBO
    Who gives a rat’s sas!!?? lol
    As if nobody here has never typed something wrong? Gimme a break.
    Nobody should poke fun of someone who might be suffering from lysdexia.
    Just as one shouldn’t poke fun of somebody with a peech inspediment.
    Please, if it is all that critical, then invent something to prevent it.

    Life is sexually transmitted.
    The leading cause of death is birth.
    Some people make mistakes, while others are.
    Get pro-creative. Conceive no spoonerisms.
    Invent number 102, or bend number 69, then post it to Hackaday.
    I’m sure we’d all enjoy critiquing that!

  8. Isnt it a Jeep not an eagle? To my knowledge the grand cheorkee was marketed as a jepp. Also the steering wheel says Jeep. Eagle sold mostly rebadged mitsubishi cars and that one AMC wagon

    1. Torque is a great diagnostic app (I have and use it regularly), but DOES NOT do what is being discussed in this article. Torque does not allow you to send messages on the can bus, it allows you to retrieve OBD Diagnostic codes, clear ODB codes and monitor some (limited) amount of data on the can bus.

      You can’t, for instance lock the doors via Torque, nor can you read data for most of the secondary systems such as button pushes of the steering wheel controls (for that matter Torque doesn’t even cover all the primary systems. I am actually working on an app to monitor and control most secondary systems from my Android tablet for my truck.

      Also Bluetooth is hardly secure to the point I would want to leave a Bluetooth OBD connector on connected all the time. (http://hackaday.com/2008/08/01/essential-bluetooth-hacking-tools/) that could result in bad things happening. I would look into a chipKIT Max32 as t comes with dual Can Bus controllers which makes it a little easier to securely manage the vehicle from the can bus.

      1. I would love an app to monitor the BUSes present. In this way we could find more and more pids and protocols. Count me is for testing. I have an ELM 327 bluetooth-OBD dongle that works perfectly with torque and android.

  9. There is no such thing as an ‘Eagle Grand Cherokee’. It is a Jeep Grand Cherokee. The Jeep name is right there on the steeering wheel. Apparently no fact checking or research went into this article. Eagle only existed from 1988 – 1998 after Chrysler bought AMC. Only vehicles under that badge were Medallion, Premier, Vista, Summit Talon, Vision and the 2000GTX(Canada only, Dodge Stealth in U.S.) Even a quick check of Wikipedia reveals this. You would think someone would make a correction after the comments on this as well as the mispelling of OBD-II as ODB-II. Of course one is a mispelling and the other is factually incorrect.

    1. I’m wondering if “Eagle” is another brand of “Jeep” in another country. If you Google “Eagle Grand Cherokee” you get foreign and US parts sellers with “Eagle Grand Cherokee” under their inventory (with a wide range of parts) – also if you Google “Eagle Grand Cherokee” and “UK” or “Australia” you’ll come across hits of people selling 2006 and 2011 “Eagle Grand Cherokee” – maybe it’s some sort of branding thing outside of the states.

  10. I just opened an Actron CP9550 Pocketscan-Plus scan tool and found it has SEVERAL additional connections inside.. Behind the Enter button, is a card-edge with several connections labelled & unlabelled. Behind the Erase key, are two pads marked UART-RX & UART-TX, Has anyone gotten adventurous enough to tap into these connections?

  11. i have tuned many built sfwd Hondas and have made a hand full of custom one off devices using ur run of the mill chipped n socketed p28’s with but entirely eliminating the eprom rom chipset with a custom made to order personal design, direct memory access to access sram with usb, 2.4ghz ble radio which conviently eliminates any PC interaction. So with ii custom let’s say tuner view apk that I develeped :) I can tune all engine properties battery off sets fuel tables log flash write read etc etc wirelessly anywhere. Now the accidental stuff i was able to sniff out the rolling codes by simply by opening a frequency graph. but no worries I have all of this tech on lock. The next project is to eliminate the entire wiring harness and go wireless talk about a wire tuck

  12. Woow interesting!!! Sir, can you provide the code to activate auto speed sensing door lock for the car hyundai i20 1.2 petrol?

    I used obd2 elm327 adaptor.
    Waiting for your help. Thanks.

Leave a Reply to JohnnieTechCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.