Follow-up: Hacking OnStar

Reader [regulatre] has sent us his further work on hacking the OnStar system in GM cars. Previously, we wrote about some initial attempts to gain access to GMLAN, the vehicle bus that OnStar uses to monitor and control the car. [regulatre] has built an adapter between the GMLAN connector and a standard OBD2 plug, which should let a number of off-the-shelf readers retrieve data from the bus.

The write-up covers using a Bluetooth OBD2 reader and passing its data on to a Linux machine. It looks as though the author intends to integrate OnStar reading and writing into his Android app, which is currently an OBD monitor.

We love seeing follow-ups like this, because it puts everyone one step closer to full control of closed devices. As always, let us know if you take any of this in a new direction.

22 thoughts on “Follow-up: Hacking OnStar”

  1. Looking at Baromac, don’t see schematics.

    We’re not just hacking OnStar any more, we’re hacking everything on the SWC CAN Bus, which includes radio, locks, onstar, seats, heads-up-display, text display on equipped GM vehicles, etc. Check out the video for a demo of me using the interface to control the radio.

    One hurdle right now is deciphering the PGNs from the CAN bus.

  2. @Dantheman2865 – I’ve been kicking around some plans for an Arduino that talks OBD. The schematic you linked to looks pretty sweet. I would recommend adding an ELM327 to the mix and you can instantly communicate with any of the common OBD protocols (10+) including GMLAN.

    Also, by using an ELM327 you don’t need CAN libraries, you just need to connect to the ELM327 via RS232. The ELM chips are like $20, its a steal!

    Please do contact us though to bounce around a few more ideas. gmail name gtosoft

  3. CAN = two wire bus
    GMLAN = one wire bus, based on CAN.

    All modern cars in the US come with CAN. The EPA has mandated it. They use it to check emissions stuff and dealers use it to connect to your onboard systems for testing and maintenance.

    There are lots of scan tools out there that can connect to CAN but the ones that connect to GMLAN are very expensive, until now.

    This article is about the hacking of the existing scan tools (some cost as little as $50) and adding support for GMLAN.

    We take a regular bluetooth OBD adapter and rig it to communicate on the GMLAN network.

    This is a first as far as I know – making a bluetooth I/O connection to the GMLAN network and establishing 2-way communication on it.

  4. @regulatre – I understand where you are coming from with ease-of-use, but my mentality is one of frugality. ;) I am looking at this particular project from a perspective of having “Free GPS” so paying a solid $40 doesn’t appeal to me. Besides, it’s harder to break software; I’m still a student so I can’t imagine holding a $20 chip in my hand.

    I will be in touch, certainly once I actually start working on the project. Thanks!

  5. Hey, looks like some solid good work here!

    Sounds like you’re on the right track, so I’ll just add what I’d want, in case you’re looking for input. I’d love to have a unit that interfaces with my OBDII that connects via bluetooth to my android phone, and can display interesting data about the car’s operation.

    My car is a 2004 Audi S4, so it has OnStar (they had a partnership for a while), but I’m not sure how much, if any, of the system uses GMLAN.

    I’d be most interested if the project was all open source, as think it would be a better product if it were. But yeah, I just scanned your project page so far, so not sure what you’ve implemented, but this is cool!

    AT&T finally gets a nexus one, so I’m ditching my G1 ASAP!

  6. Older on-star is easy to hack. The GPS module is separate and has a standard NEMA stream. I have several ham friends that have ripped out the useless onstar phone section and tapped in to use the GPS and onstar buttons for other uses.

  7. @hackerK – haha good idea. Did you know big brother has a data recorder in your car? http://mfes.com/cdr.html I wonder why they don’t just look at the CDR logs in those Toyotas.

    @taylor – Already on it :) Tonight I coded VoyagerRC to sniff the data and pick it apart into its data/MAC layer fields and save it to a DB for analysis. I intend to factor out the common messages so we can analyze the interesting packets.

    Next, I’m adding a screen that displays the captured packets and analyzes their content.

    And of course I’ll have the option to select one or more packets and re-play them onto the network.

    VoyagerRC, coming soon! :)
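The triage step the commenter describes (capture frames, split them into ID and payload fields, then factor out the periodic background traffic so the rarely seen frames stand out) is the same first pass an analyst does when baselining a CAN bus for anomaly detection. Below is an added example of that step in Python; it is not VoyagerRC or any code from the post. It assumes the capture is plain ELM327 monitor output with headers and spaces enabled (one frame per line, hex ID followed by hex data bytes), and the sample capture, its IDs and its payloads are constructed for illustration, not real GMLAN messages.

```python
"""Parse CAN frames from an ELM327 monitor capture and separate the chatty,
periodic traffic from the rarely seen frames worth a closer look.
Added example for this post; not VoyagerRC or the commenter's code."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of ELM327 "AT MA" output with headers (AT H1) and
# spaces (AT S1) enabled: one frame per line, arbitration ID first, then
# the data bytes. IDs and payloads are made up; they are not real GMLAN PGNs.
SAMPLE_CAPTURE = """\
10242040 00 00 00 00 00 00 00 00
10242040 00 00 00 00 00 00 00 00
10424040 01 3C 00 00 00 00 00 00
10242040 00 00 00 00 00 00 00 00
10424040 01 3C 00 00 00 00 00 00
10242040 00 00 00 00 00 00 00 00
100D0040 02 00 00 00 00 00 00 00
10242040 00 00 00 00 00 00 00 00
10424040 01 3D 00 00 00 00 00 00
10242040 00 00 00 00 00 00 00 00
BUFFER FULL
10242040 00 00 00 00 00 00 00 00
"""

HEX_DIGITS = set("0123456789abcdefABCDEF")


@dataclass(frozen=True)
class CanFrame:
    arb_id: int      # 11-bit or 29-bit arbitration ID
    extended: bool   # True when the ELM327 printed an 8-digit (29-bit) ID
    data: bytes      # 0..8 payload bytes


def parse_elm327_monitor(text: str) -> List[CanFrame]:
    """Turn monitor output into frames, skipping adapter status lines
    such as 'BUFFER FULL' and anything that is not a well-formed frame."""
    frames: List[CanFrame] = []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        head = parts[0]
        # A standard ID prints as 3 hex digits, an extended ID as 8.
        if len(head) not in (3, 8) or not set(head) <= HEX_DIGITS:
            continue
        try:
            data = bytes(int(b, 16) for b in parts[1:])
        except ValueError:
            continue  # garbled line; the adapter drops characters under load
        if len(data) > 8:
            continue  # classic CAN frames carry at most 8 data bytes
        frames.append(CanFrame(int(head, 16), len(head) == 8, data))
    return frames


def changing_bytes(payloads: List[bytes]) -> List[int]:
    """Indices of payload bytes that are not constant across the payloads;
    these are the fields most likely to encode a sensor value or state."""
    if not payloads:
        return []
    width = max(len(p) for p in payloads)
    changing = []
    for i in range(width):
        seen = {p[i] if i < len(p) else None for p in payloads}
        if len(seen) > 1:
            changing.append(i)
    return changing


def summarize(frames: List[CanFrame]) -> Dict[int, dict]:
    """Per-ID statistics: how often it appears and which bytes move."""
    by_id: Dict[int, List[bytes]] = defaultdict(list)
    for f in frames:
        by_id[f.arb_id].append(f.data)
    total = len(frames)
    return {
        arb_id: {
            "count": len(payloads),
            "share": len(payloads) / total,
            "distinct_payloads": len(set(payloads)),
            "changing_bytes": changing_bytes(payloads),
        }
        for arb_id, payloads in by_id.items()
    }


def triage(frames: List[CanFrame], common_share: float = 0.25) -> Tuple[List[int], List[int]]:
    """Split IDs into the periodic background (share >= common_share) and
    the rarer IDs to study first. Both lists are ordered by frequency."""
    stats = summarize(frames)
    by_count = lambda i: -stats[i]["count"]
    common = sorted((i for i, s in stats.items() if s["share"] >= common_share), key=by_count)
    rare = sorted((i for i, s in stats.items() if s["share"] < common_share), key=by_count)
    return common, rare


if __name__ == "__main__":
    captured = parse_elm327_monitor(SAMPLE_CAPTURE)
    background, candidates = triage(captured, common_share=0.5)
    for arb_id, s in summarize(captured).items():
        tag = "background" if arb_id in background else "candidate"
        print(f"{arb_id:08X} {tag:10} count={s['count']:2} changing_bytes={s['changing_bytes']}")
```

Run against a real capture, the `share` threshold is what "factoring out the common messages" comes down to: the periodic status broadcasts dominate the frame count, while the frames that follow a button press or a state change are rare and have payload bytes that actually move. Keeping the parsed frames and their per-ID baseline is also what lets you later notice traffic that does not fit the baseline, which is the basis of most CAN intrusion-detection work.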

  8. CAN is actually the new standard that is replacing OBD-II… by federal mandate here in the states.

    That said, yes, if you can decipher the communications on the bus, you can control a myriad of systems.

    Airbag, Radio, Sat-Nav, OnStar (or at least the fone in the headliner), Creature Comforts (power locks, windows), HVAC systems, ABS, possibly parking brake on some vehicles, engine feedback and control, and so on…

    Basically, the new standard is laid out in such a way that every subsystem of the car really should be on the bus. From Body-Control (HVAC/windows/lighting) to SRS (airbag), Engine, and yes, even the braking system.

  9. almost forgot my point…
    throttle by wire, electromechanical steering assist… Android, CAN/GMLAN Scantool…

    How far are we from that James Bond flick, where you drive the car with your mobile phone, whilst standing across the street?

  10. Any suggestions how to “easy” hack the older onstar systems for iphone control through anything? suggestions? just an idea need some help, not my forte. All I know about stupid chevy OS’s connecting with iphones is the iphone

  11. @regulatre The link above to your Hacking the OnStar System no longer works and lands on gtosoft.webs.com/comingsoon.htm

    Can you please post a working link in a comment here so we can read about your work?

  12. Late to this party, most of the links are dead. I have a 2003 Saab 9-3 with On-Star. It does not have remote start, but I would love to have that feature (it’s cold in the NorthEast). Can anyone point me to schematics or a device that will let me do that one thing? If it does more, that’s ok, too.
