Reverse-Engineering the Peugeot 207’s CAN bus

Here’s a classic “one thing led to another” car hack. [Alexandre Blin] wanted a reversing camera for his old Peugeot 207 and went down a rabbit hole which led him to do some extreme CAN bus reverse-engineering with Arduino and iOS. After buying an expensive bezel, a cheap HDMI display, an Arduino, a CAN bus shield, an iPod touch with a ghetto serial interface cable that didn’t work out, a HM-10 BLE module, an iPhone 4S, and the camera itself, and after about a year and a half of working on it intermittently, he finally emerged poorer by about 275€, but victorious in a job well done. A company retrofit would not only have cost him a lot more, but would have deprived him of everything that he learned along the way.

Adding the camera was the easiest part of the exercise when he found an after-market version specifically meant for his 207 model. The original non-graphical display had to make room for a new HDMI display and a fresh bezel, which cost him much more than the display. Besides displaying the camera image when reversing, the new display also needed to show all of the other entertainment system information. This couldn’t be obtained from the OBD-II port but the CAN bus looked promising, although he couldn’t find any details for his model initially. But with over 2.5 million 207s on the road, it wasn’t long before [Alexandre] hit the jackpot with a French university student project that used a 207 to study the CAN bus. The 207’s CAN bus system was subdivided into three separate buses and the “comfort” bus provided all the data he needed. To decode the CAN frames, he used an Arduino, a CAN bus shield and a Python script to visualize the data, checking to see which frames changed when he performed certain functions, such as changing the volume or putting the car in reverse.
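The "see which frames changed" step can be sketched as follows. This is an added example, not [Alexandre]'s script: the capture line format, the CAN IDs and the byte values are all constructed for illustration.

```python
"""Diff an idle CAN capture against one taken during a user action."""
from collections import defaultdict

# Constructed captures (not real Peugeot 207 traffic).
# Assumed sniffer line format: "<hex id> <dlc> <hex data bytes...>".
BASELINE = """\
100 8 8E 00 00 20 00 00 00 00
200 1 0A
300 3 00 00 00
100 8 8E 00 00 21 00 00 00 00
200 1 0A
"""
ACTION = """\
100 8 8E 00 00 22 00 00 00 00
200 1 0B
2ZZ 1 00
300 3 00 00 00
200 1 0C
100 8 8E 00 00 23 00 00 00 00
"""

def parse(capture):
    """Yield (can_id, data) per line, skipping malformed or truncated lines."""
    for line in capture.splitlines():
        parts = line.split()
        try:
            can_id, dlc = int(parts[0], 16), int(parts[1])
            data = bytes(int(b, 16) for b in parts[2:])
        except (IndexError, ValueError):
            continue
        if dlc == len(data) <= 8:          # classic CAN carries at most 8 bytes
            yield can_id, data

def byte_values(capture):
    """Map can_id -> {byte index -> set of values observed at that index}."""
    seen = defaultdict(lambda: defaultdict(set))
    for can_id, data in parse(capture):
        for i, b in enumerate(data):
            seen[can_id][i].add(b)
    return seen

def changed_bytes(baseline, action):
    """Return {can_id: {index: (idle_value, new_values)}} for bytes that were
    constant at idle but took other values during the action."""
    idle, active = byte_values(baseline), byte_values(action)
    result = {}
    for can_id, positions in active.items():
        hits = {}
        for i, values in positions.items():
            idle_vals = idle.get(can_id, {}).get(i, set())
            if len(idle_vals) > 1:         # already noisy at idle (counter, sensor)
                continue
            if values - idle_vals:
                hits[i] = (next(iter(idle_vals), None), sorted(values - idle_vals))
        if hits:
            result[can_id] = hits
    return result
```

Bytes that already vary in the idle capture, such as the rolling counter in constructed ID 0x100, are ignored, so only the byte that reacts to the action is reported.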

The Arduino could not drive the HDMI display directly, so he needed additional hardware to complete his hack. While a Raspberry Pi would have been ideal, [Alexandre] is an iOS developer so he naturally gravitated towards the Apple ecosystem. He connected an old iPod to the Arduino via a serial connection from the Dock port on the iPod. But using the Apple HDMI adapter to connect to the display broke the serial connection, so he had to put his thinking cap back on. This time, he used a HM-10 BLE module connected to the Arduino, and replaced the older iPod Touch (which didn’t support BLE) with a more modern iPhone 4S. Once he had all the bits and pieces working, it wasn’t too long before he could wrap up this long-drawn-out upgrade, and the final result looks as good as a factory original. Check out the video after the break.

It’s great to read about these kinds of hacks where the hacker digs in his feet and doesn’t give up until it’s done and dusted. And thanks to his detailed post, and all the code shared on his GitHub repository, it should be easy to replicate this the second time around, for those looking to upgrade their old 207. And if you’re looking for inspiration, check out this great Homemade Subaru Head Unit Upgrade.


Stealing Cars for 20 Bucks

[Yingtao Zeng], [Qing Yang], and [Jun Li], a.k.a. the [UnicornTeam], developed the cheapest way so far to hack a passive keyless entry system, as found on some cars: around $22 in parts, give or take a buck. But that’s not all: they managed to increase the previously known effective range of this type of attack from 100 m to around 320 m. They gave a talk at HITB Amsterdam a couple of weeks ago and showed their results.

The attack in its essence is not new, and it’s basically just creating a range extender for the keyfob. One radio stays near the car, the other near the car key, and the two radios relay the signals coming from the car to the keyfob and vice-versa. This version of the hack stands out in that the [UnicornTeam] reverse engineered and decoded the keyless entry system signals, produced by NXP, so they can send the decoded signals via any channel of their choice. The only constraint, from what we could tell, is the transmission timeout. It all has to happen within 27 ms. You could almost pull this off over the Internet instead of radio.

The actual keycode is not cracked, like in a HiTag2 attack. It’s not like hacking a rolling key keyfob either. The signals are just sniffed, decoded and relayed between the two devices.

A suggested fix from the researchers is to decrease this 27 ms timeout. If it is short enough, at least the distance for these types of attacks is reduced. Even if that could eventually mitigate or reduce the impact of an attack on new cars, old cars are still at risk.  We suggest that the passive keyless system is broken from the get-go: allowing the keyfob to open and start your car without any user interaction is asking for it. Are car drivers really so lazy that they can’t press a button to unlock their car? Anyway, if you’re stuck with one of these systems, it looks like the only sure fallback is the tinfoil hat. For the keyfob, of course.

[via Wired]

Different Differentials & The Pitfalls of the Easy Swap

I dig cars, and I do car stuff. I started fairly late in life, though, and I’m only just starting to get into the whole modification thing. Now, as far as automobiles go, you can pretty much do anything you set your mind to – engine swaps, drivetrain conversions, you name it – it’s been done. But such jobs require a high level of fabrication skill, automotive knowledge, and often a fully stocked machine shop to match. Those of us new to the scene tend to start a little bit smaller.

So where does one begin? Well, there’s a huge realm of mods that can be done that are generally referred to as “bolt-ons”. This centers around the idea that the install process of the modification is as simple as following a basic set of instructions to unbolt the old hardware and bolt in the upgraded parts. Those that have tread this ground before me will be chuckling at this point – so rarely is a bolt-on ever just a bolt-on. As follows, the journey of my Mazda’s differential upgrade will bear this out.

The car in question, currently known as the “Junkbox MX-5” until it starts running well enough to earn a real name. It somehow looks passable here, but in person I promise you, it looks awful.

It all started when I bought the car, back in December 2016. I’d just started writing for Hackaday and my humble Daihatsu had, unbeknownst to me, just breathed its last. I’d recently come to the realisation that I wasn’t getting any younger, and despite being obsessed with cars, I’d never actually owned a sports car or driven one in anger. It was time to change.

Smart Child Seat Aims to Prevent Tragedy

For most of us, a memory lapse is as harmless as forgetting to bring the garbage to the curb, or maybe as expensive as leaving a cell phone and cup of coffee on the roof of the car before driving off. But when the toddler sleeping peacefully in the car seat slips your mind in the parking lot, the results can be deadly.

We have no doubt that child detection systems will soon be standard equipment on cars, like backup cameras and trunk-escape levers are now. Not willing to wait, [ayavilevich] came up with his own car occupancy sensor for child seats (Update: We originally linked to the Instructable but [ayavilevich] wrote in and mentioned this is an actual Hackaday Prize entry and he’s looking for more people to get involved in the project).

Dubbed Fochica, for “Forgotten Child in Car Alert,” the system is clearly a proof of concept right now, but it has potential. The Arduino Uno senses Junior’s presence in the car seat with a homebrew capacitive sensor under the padding of the seat and a magnetic reed switch in the chest harness buckle. An Android app on a smartphone pairs with a BLE module to get the sensors’ status, and when the phone goes out of Bluetooth range while the seat is occupied, the app sounds an alarm. Simple, but effective.

We like how well [ayavilevich] thought this through. Systems like this are best left uncomplicated, so any improvements he makes should probably concentrate on engineering a reliable, fieldable device. Another hack we’ve presented in the kid-safety space is fast stairwell lights for a visually impaired girl, which might provide some ideas.


OBD-II Dongle Attack: Stopping a Moving Car via Bluetooth

Researchers from the Argus Research Team found a way to hack into the Bosch Drivelog OBD-II dongle and inject any kind of malicious packets into the CAN bus. This allowed them to, among other things, stop the engine of a moving vehicle by connecting to the dongle via Bluetooth.

Drivelog is Bosch’s smart device for collecting and managing your vehicle’s operating data. It allows a user to connect via Bluetooth to track fuel consumption and to be alerted when service is necessary. It was compromised in a two-stage attack. The first vulnerability, an information leak in the authentication process between the dongle and the smartphone application, allowed them to quickly brute-force the secret PIN offline and connect to the dongle via Bluetooth. After being connected, security holes in the message filter of the dongle allowed them to inject malicious messages into the CAN bus.

The Bluetooth pairing mechanism, called “Just Works”, has been fixed by Bosch by activating a two-step verification for additional users to be registered to a device. The second issue, the ability for a maliciously modified mobile application to possibly send unwanted CAN messages, will be mitigated with an update to the dongle firmware to further limit the allowed commands that the dongle is able to place on the CAN bus.

Bosch downplays the issue a bit in their statement:

It is important to note that scalability of a potential malicious attack is limited by the fact that such an attack requires physical proximity to the dongle. This means that the attacking device needs to be within Bluetooth range of the vehicle.

The problem is that physical proximity does not equal Bluetooth range. Standard Bluetooth range is about 10m, which is very arguable physical proximity, but it is pretty easy to buy or even modify a Bluetooth dongle with 10x and 100x more range. When adding a wireless connection to the CAN bus of an automobile, the manufacturer has an obligation to ensure the data system is not compromised. This near-proximity example is still technically a remote hack, and it’s an example of the worst kind of vulnerability.
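The firmware mitigation described above, limiting which commands the dongle may place on the CAN bus, amounts to a default-deny transmit filter. The sketch below is an added example, not Bosch's code: the policy (read-only OBD-II services on the standard diagnostic request IDs, single frames only) and the queued frames are assumptions chosen for illustration.

```python
"""Default-deny filter for frames a phone app asks an OBD-II dongle to send."""

# Assumed policy for illustration, not Bosch's actual rule set:
# only read-only OBD-II services, sent to the standard diagnostic request IDs.
FUNCTIONAL_ID = 0x7DF                  # 11-bit broadcast diagnostic request
PHYSICAL_IDS = range(0x7E0, 0x7E8)     # 11-bit per-ECU diagnostic requests
READ_ONLY_SERVICES = {
    0x01,  # show current data
    0x02,  # show freeze-frame data
    0x03,  # show stored trouble codes
    0x09,  # request vehicle information
}

def allow_tx(can_id, data, extended=False):
    """Return (allowed, reason). Anything not explicitly permitted is dropped."""
    if extended or (can_id != FUNCTIONAL_ID and can_id not in PHYSICAL_IDS):
        return False, "identifier is not a diagnostic request address"
    if not 2 <= len(data) <= 8:
        return False, "payload length outside 2..8 bytes"
    frame_type, length = data[0] >> 4, data[0] & 0x0F
    if frame_type != 0:
        return False, "only ISO-TP single frames are accepted"
    if not 1 <= length <= len(data) - 1:
        return False, "declared length does not fit the frame"
    if data[1] not in READ_ONLY_SERVICES:
        return False, f"service 0x{data[1]:02X} is not on the allowlist"
    return True, "ok"

def filter_queue(frames):
    """Split queued (can_id, data) frames into frames to send and a denial log."""
    to_send, denied = [], []
    for can_id, data in frames:
        ok, reason = allow_tx(can_id, data)
        if ok:
            to_send.append((can_id, data))
        else:
            denied.append((can_id, reason))
    return to_send, denied

# Constructed requests as they might arrive over the Bluetooth link.
QUEUE = [
    (0x7DF, bytes.fromhex("02010C0000000000")),  # read engine RPM: allowed
    (0x7DF, bytes.fromhex("0104000000000000")),  # clear trouble codes: denied
    (0x7E0, bytes.fromhex("1014010000000000")),  # multi-frame first frame: denied
    (0x100, bytes.fromhex("0201000000000000")),  # non-diagnostic identifier: denied
]

if __name__ == "__main__":
    sent, log = filter_queue(QUEUE)
    print(len(sent), "frame(s) sent; denied:", log)
```

The filter runs on the dongle side of the Bluetooth link, so it still holds when the phone application has been modified.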

How Many Parts In A Triumph Herald Heater?

This Herald is in much better condition than my 12/50 was. Philafrenzy [CC BY-SA 4.0]
What was your first car? Mine was a 1965 Triumph Herald 12/50 in conifer green, and to be frank, it was a bit of a dog.

The Triumph Herald is a small saloon car manufactured between about 1959 and 1971. If you are British your grandparents probably had one, though if you are not a Brit you may have never heard of it. Americans may be familiar with the Triumph Spitfire sports car, a derivative on a shortened version of the same platform. It was an odd car even by the standards of British cars of the 1950s and 1960s. Standard Triumph, the manufacturer, had a problem with their pressing plant being owned by a rival, so had to design a car that used pressings of a smaller size that they could do in-house. Thus the Herald was one of the last British mass-produced cars to have a separate chassis, at a time when all other manufacturers had produced monocoques for years.

My 12/50 was the sporty model; it had the high-lift cam from the Spitfire and a full-length Britax sunroof. It was this sunroof that was its downfall: by the time I had it, around a quarter century of rainwater had leaked in and rotted its rear bodywork. This, combined with the engine being spectacularly tired and the Solex carburetor having a penchant for flooding the engine with petrol, made it more of a pretty thing to look at than a useful piece of transport. But I loved it, tended it, and when it finally died irreparably I broke it for parts. Since then I’ve had four other Heralds of various different varieties, and the current one, a 1960 Herald 948, I’ve owned since the early 1990s. A piece of advice: never buy version 0 of a car.


Build Your Own Animated Turn Signals

Automotive lighting used to be strictly controlled, particularly in the United States — anyone remember sealed beam headlamps? These days, pretty much anything goes. You can even have an animated turn signal, because a simple flash isn’t fancy enough these days. You can get a scanning-LED turn signal on your new model Audi, among others. [Shravan] wanted this on their Mazda and set about building an animated turn signal and daytime running lights setup for their car.

It’s not a complicated build by any means; an off-the-shelf WS2812B strip provides the blinkums, an Arduino Nano the smarts. Using a modified library to drive the LEDs allowed [Shravan] to get things running with a minimum of fuss. We’d love to see a little more of the gritty reality of this build — how the Nano is getting directional signals from the car, and how it’s all wired up and bolted on. When you’re installing custom hardware onto a vehicle, the devil really is in the details. It’s supremely difficult to create something that looks tidy and functions well.

It’s amazing to think about how far we’ve come. When high-brightness LEDs first came on to the market in the 1990s, you would have been on the hook for wiring your own loom to connect the 20+ LEDs, building your own driver circuitry, and likely etching a custom PCB — all the while you programmed a PIC in assembly as it dangled off a parallel-port programmer. But then again, our cave-dwelling ancestors didn’t even have matches. Time marches on. Use today’s technology to build the very best things you can.

We love seeing car mods, particularly those that are well executed. Check out [Dave]’s interior lighting mods to the Nissan Juke — a car this writer has weighty opinions about. Video after the break.
