Progress and the proliferation of computers in automotive applications have almost made the shade tree mechanic a relic of the past. Few people brave the engine compartment of any car made after 1999 or so, and fewer still dive into the space behind the dashboard. More’s the pity, because someone may be trying to turn back the odometer with one of these nefarious controller area network (CAN bus) dongles.
These dongles are sold through the usual outlets and marketed as “CAN bus filters.” [Big Clive] got a hold of one removed from a 2015 Mercedes E-Class sedan, where a mechanic had found it installed between the instrument cluster and the OEM wiring harness. When the dongle was removed, the odometer instantly added 40,000 kilometers to its total, betraying someone’s dishonesty.
[Big Clive]’s subsequent teardown of the unit showed that remarkably little is needed to spoof a CAN bus odometer. The board has little more than an STM32F microcontroller, a pair of CAN bus transceiver chips, and some support circuitry like voltage regulators. Attached to a wiring harness that passes through most of the lines from the instrument cluster unmolested while picking off the CAN bus lines, the device can trick the dashboard display into showing whatever number it wants. The really interesting bit would be the code, into which [Clive] does not delve. That’s a pity, but as he points out, it’s likely the designers set the lock bit on the microcontroller to cover their tracks. There’s no honor among thieves.
We found this plunge into the dark recesses of the automotive world fascinating, and [Big Clive]’s tutelage top-notch as always. If you need to get up to speed on CAN bus basics, check out [Eric Evenchick]’s series on automotive network hacking.
[rasz_pl] sent us a tip on this one. Thanks!
43 thoughts on “Dashboard Dongle Teardown Reveals Hardware Needed To Bust Miles”
Guess what? They’re $20.
The ebay ones only seem to be used on BMW and Mercedes-Benz, where they sit between the dashboard and the CAN-bus. This means that an unsuspecting person (and a lot of garages) might get tricked with this scam, as long as the thief makes sure that the numbers are consistent during a certain range (in the Netherlands the garage has to register the mileage). Reading the meter directly from the CAN will expose the scam though, but it’s hard to notice when done properly.
Finally get to see a hack on HaD
Maybe unpopular opinion, but I actually enjoy the biographies.
wow, really the worst comment section, thanks guys
So true. Still gross inaccuracies in the writeup though-> “Few people brave the engine compartment of any car made after 1999 or so”…. That statement is the opposite of true. There is at least one person who actually DOES things for every 10 people who sit around reading about non-hacks (like on this site), mimicking those non-hacks and later refer to themselves as “makers” or “hackers”… I re-tuned my ECM for non-stock Bosch injectors over the past week; I’m sure this site would call it a “hack” though it is not; I figured it all out myself and you won’t find me doing a “writeup” to toot my useless horn! Better things to DO.
I miss the old days when all you needed was a drill and an hour or two to turn back the odometer to zero.
On the other hand, increasing the value is now much easier than it used to be (it may get reset to zero when replacing certain components in the car). It is just a software command now…
Or disconnecting the odometer cable at the transmission to reduce the chargeable distance for a rental car during a lengthy return trip. However, Overdrive would not engage when doing this. Hmm… and bicycle speedometers were also cable based back then. Time flies!
Even better, in the old days the tach was only 5 digits, so us in metricville had a rollover to zero every few years. Made it impossible to tell the real mileage on any vehicle.
“Tach” is short for “tachometer” a thing that measures the rotation of a shaft.
I think you mean “odometer”. Tachometer is the RPM gauge.
Just out of high school, I worked for a Ford dealer, car washing, oil and tire changes, etc.
We got in trade an older Thunderbird.
While I was prepping it for resale, I noticed an oil change sticker in door jamb that indicated much higher mileage than the odometer.
Possibly the least interesting anecdote I’ve ever heard.
Interesting board for £12 – not bad for an STM32 with a pair of CAN bus transceivers and a 12 V PSU.
Yeah, I actually have a use for something that can talk CAN(-like) and be programmed. My little old Peugeot has something called VAN-bus for some of the internal systems, the instrument cluster, etc. One of the annoying things since I replaced the stock stereo is not being able to control it with the steering wheel controls which talk over VAN.
Google “Peugeot steering control adapter / stalk interface”. I get the fun in making one (I made mine for my old BMW), but they are usually £20 or so, and sometimes it’s nice to just get something that works :)
> it’s likely the designers set the lock bit on the microcontroller to cover their tracks
I’m sure there is some Chinese factory somewhere where you can send the IC and some $$ and get the code back, never mind the lockbit.
Or send it to Micah E. Scott and she will find some glitching attack to get the code out of this thing.
Available from several online sources:
Am I reading it correctly? It looks like they also want you to remove a chip from the dashboard pcb.
I have thought about using a device like this as part of an anti-theft system. Basically make it into a CAN bus jammer. If nothing can successfully use the CAN bus most cars are not going to run, start, shift the transmission, code new keys or anything. Physically jumping power to the starter, etc would be useless and it could be installed anywhere on the CAN bus making it much harder to find or bypass than most kill systems. It would also block attempts to code new keys or remotes. It would however require some other kind of remote to turn it off since the factory remote will be useless when the CAN bus is jammed.
Really cool idea, maybe instead of a key, you use an RFID dongle or card?
Then install a secret activate/deactivate reader behind a part of the dash (maybe have two separate ones with individual RFID codes, since RFID can be coded to a ring, keyring etc, really inconspicuous addition to your car keys) behind a pillar cover, under the floor carpet, in the roof lining, endless possibilities lol.
You could rig the reader to only run when the CAN is powered, which would mean on a GM car you will likely have a flat battery after a week or two of parked up lol.
But every other manufacturer’s cars will power when the car is unlocked.
This really is a good idea.
A high tech version of the old “hidden fuel pump switch” strategy, I like it.
This is a fine idea, but there might be other things to consider. I’ve seen ECUs that if they don’t see the proper data will set trouble codes and the check engine light. In extreme cases getting negotiations incorrect will lockout some functionality in the ECU for minutes at a time, and sometimes key cycles are needed to make things happy again. My point is that messing with the CAN bus temporarily, won’t necessarily mean everything will be back to working order. More work may be needed to convince the ECUs that the blips in communication they saw earlier are fine. A simple way to artificially mess with communication could be to just short the CANH and CANL wires with a relay.
That’s a terrible idea!
Unless you really know how to make such a system SAFE you’re going to end up losing power at 70mph and crashing into the back of a truck.
Why not just tie both CAN lines to 0 V with a DPDT switch or relay? The CAN bus is pretty robust; it’ll handle that abuse like a champ. What the modules won’t handle is not seeing each other when ignition is powered on, or, in the case of more modern vehicles, when some other bus comes awake but the power-train CAN does not. Expect a billion fault codes when you do start the car :)
Modern cars have gateways that isolate faulty devices. It’s probably likely that the car will go into limp mode if you set such a device on the dashboard or stereo, or an error code will be shown up or nothing will happen and the car will just not send any data to your device. If you set it up on the ECU however, that’s a different thing.
code seems like it’d be pretty obvious:
Get packet from car side can bus
If type is odometer subtract 40,000 km from odometer value and rebuild packet.
Send packet to dash side can bus.
I suppose you might also decide to drop some packets if they are check engine codes… Particularly some of the emissions codes won’t cause any noticeable issues with the operation of the car, but will normally turn on the check engine light. (like the catalytic converter not running at optimum efficiency code).
Nope won’t be that simple, someone will have had to reverse engineer quite a lot of stuff to be able to man in the middle the odometer at a system level. Even then it will be easy to spot it has been done if you have access to the right diagnostic tools, as the rest of the car will not match the cluster.
This simple way is precisely how the device Clive tore down works. There are other, more advanced ones you splice directly in front of car computer module with ability to fake not only dash but also diagnostic readers (both cheap OBD2 dongles and Manufacturer ones), those are sold with multitude of options, like auto clearing fault codes on every start, filtering faults, cheating emissions etc.
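An added example (not part of the original comments or of any tool discussed here): the mismatch described above, where the rest of the car does not match the cluster, turned into a check that also covers service records. Module names and readings are constructed, and the values are assumed to have been read out already with a diagnostic tool.

```python
from statistics import median

def audit_mileage(cluster_km, module_km, history, tolerance_km=50):
    """Cross-check the odometer shown by the cluster against other evidence.

    cluster_km: value displayed by the instrument cluster
    module_km:  {module name: km stored in that module}, read with a diagnostic tool
    history:    [(ISO date, km)] from service or registration records, any order
    Returns a list of human-readable findings; an empty list means no mismatch.
    """
    findings = []

    # 1. Modules that have counted more distance than the cluster admits to.
    ahead = {m: km - cluster_km for m, km in module_km.items()
             if km - cluster_km > tolerance_km}
    for name, delta in sorted(ahead.items()):
        findings.append(f"{name} is {delta} km ahead of the cluster")

    # 2. Several modules ahead by about the same amount point to one offset,
    #    which is what a device sitting in front of the cluster alone leaves.
    if len(ahead) >= 2 and max(ahead.values()) - min(ahead.values()) <= tolerance_km:
        findings.append(f"consistent offset of about {round(median(ahead.values()))} km")

    # 3. Paper trail: records must never decrease, and none may exceed the cluster.
    ordered = sorted(history)
    for (d0, k0), (d1, k1) in zip(ordered, ordered[1:]):
        if k1 < k0:
            findings.append(f"history drops from {k0} km ({d0}) to {k1} km ({d1})")
    for day, km in ordered:
        if km > cluster_km + tolerance_km:
            findings.append(f"record of {day} shows {km} km, above the cluster")
    return findings


# Constructed sample: cluster held back by 40,000 km as in the article's car.
# Module names and all readings are made up for this example.
SAMPLE_MODULES = {"engine_ecu": 182_460, "transmission": 182_455, "key_memory": 182_430}
SAMPLE_HISTORY = [("2016-03-01", 41_200), ("2018-05-12", 118_900), ("2019-11-20", 151_300)]

if __name__ == "__main__":
    for line in audit_mileage(142_460, SAMPLE_MODULES, SAMPLE_HISTORY):
        print(line)
```

A device spliced in front of the car's computer module that also answers diagnostic readers, as the reply above describes, would defeat checks 1 and 2; the record check does not depend on anything read from the car.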
I’m guessing someone who uses this on a car, is probably not following oil change intervals either.
$12.58 Also more details on supported vehicles etc.
Haha, doubtful! Even with the >99,999 rollover, a 1962 Chevy whatever would be close enough to the trash to be obvious to even the most drunken country garage hand.
Not sure how many of those old boats would roll over once, let alone twice! Maybe an ELF/NPR, or a dump on its third rebuild.
A few years ago I was looking at buying a specific kind of vehicle. Make, model, year, color, # of miles on it, etc.
*Every* *single* one I found had odometer fraud on it. I’d find a good one, check it out, drive it, and be almost ready to buy it when I’d run a vehicle history report. I learned a long time ago that vehicle history reports should only be used to prevent you from buying something, not to reassure you about the car you’re buying–if you’ve got an inkling that something’s wrong, just pass.
Anyway, the first four I looked at–and these are not high-end vehicles–all showed less than 100k miles….but I remember the first one had very detailed vehicle history creeping up past 350,000 miles and the second one had over 250k. One of them had actually shown 275k on it a *month* prior at a dealer oil change.
So, just do your research and you won’t get screwed.
So how is this easier than cracking open the part that actually saves the odo data in the first place? Is it not just some nvram/flash somewhere?
The mileage is saved in several places, I’ve heard that in some cars even in the headlight controllers – not the body/LCM, but the actual light controlling microchip. This is probably done for fraud purposes, as, at least in Germany, it is a fraud (jailtime) to alter the number of kilometers. That’s why you get seemingly ‘bad deals’ on cars with high mileage but as soon as the car is outside the country it ‘magically’ has the number of kilometers that people feel comfortable with (20-25k / year). Despicable.
Used car market in Germany is controlled by Turks, and they already reverse mileage before car leaves the country on its journey east.
While odometer fraud is not singled out in Polish law, knowingly keeping any data lowering the value of a car (odometer, previous crashes etc) secret has potential of 6 months to 8 year prison sentence. Guess what, not a single person went to jail under this law, ever.