Emulating OBD-II On The ESP32

It used to be that you could pop the hood and with nothing more than flat head screwdriver, some baling wire, and tongue held at the optimal angle, you could fix anything that ailed your car. But today, for better or for worse, the average automobile is a rolling computer that runs on gasoline and hope (if it even still has a gasoline engine, that is). DIY repairs and maintenance on a modern car is still possible of course, but the home mechanic’s toolbox has needed to evolve with the times. If you want to do anything more advanced than changing a tire, you’ll really want to have the gear to interface with the vehicle’s computer via the OBD-II port.

But for some, even that isn’t enough. [limiter121] recently wrote in to tell us of an interesting project which doesn’t read the OBD-II port in a vehicle, but actually emulates one. Like so many others this hack was born out of necessity, as a way to test an OBD-II project without having to sit out in the driveway all day. It allows you to create fictitious speed and engine RPM values for the OBD-II device or software under test to read, complete with a slick web interface to control the “car”.

So what makes it tick? Surprisingly little, actually. At the most basic level, an ESP32-WROOM-32 is connected up to a SN65HVD230 CAN transceiver chip. You’ll also need a 3.3V power supply, as well as a USB to serial adapter to do the initial programming on the ESP32. From there it’s just a matter of compiling and flashing the code [limiter121] has made available in the GitHub repo.

If you’re wondering if such products don’t already exist on the commercial market, they do. But like so many other niche projects, the price is a bit hard to swallow for the home hacker. Compared to the nearly $300 USD list price of commercial offerings such as the Freematics OBD-II Emulator, building one of these ESP32 based emulators should only cost you around $20.

Unless you’re developing an OBD-II reader, you probably don’t have much use for an OBD-II emulator. But this project could still be useful for anyone who wants to learn more about OBD from the comfort of their couch.

OBD-II Dongle Attack: Stopping A Moving Car Via Bluetooth

Researchers from the Argus Research Team found a way to hack into the Bosch Drivelog ODB-II dongle and inject any kind of malicious packets into the CAN bus. This allowed them to, among other things, stop the engine of a moving vehicle by connecting to the dongle via Bluetooth.

Drivelog is Bosch’s smart device for collecting and managing your vehicle’s operating data. It allows a user to connect via Bluetooth to track fuel consumption and to be alerted when service is necessary. It was compromised in a two stage attack. The first vulnerability, an information leak in the authentication process, between the dongle and the smart phone application allowed them to quickly brute-force the secret PIN offline and connect to the dongle via Bluetooth. After being connected, security holes in the message filter of the dongle allowed them to inject malicious messages into the CAN bus.

The Bluetooth pairing mechanism, called “Just Works”, has been fixed by Bosh by activating a two-step verification for additional users to be registered to a device.  The second issue, the ability for a maliciously modified mobile application to possibly send unwanted CAN messages, will be mitigated with an update to the dongle firmware to further limit the allowed commands that the dongle is able to place on the CAN bus.

Bosch downplays the issue a bit in their statement:

It is important to note that scalability of a potential malicious attack is limited by the fact that such an attack requires physical proximity to the dongle. This means that the attacking device needs to be within Bluetooth range of the vehicle.

The problem is that physical proximity does not equal Bluetooth range. Standard Bluetooth range is about 10m, which is very arguable physical proximity, but it is pretty easy to buy or even modify a Bluetooth dongle with 10x and 100x more range. When adding a wireless connection to the CAN bus of an automobile, the manufacturer has an obligation to ensure the data system is not compromised. This near-proximity example is still technically a remote hack, and it’s an example of the worst kind of vulnerability.

Open Source OBD-II Adapter

Automotive diagnostics have come a long way since the “idiot lights” of the 1980s. The current version of the on-board diagnostics (OBD) protocol provides real time data as well as fault diagnostics, thanks to the numerous sensors connected to the data network in the modern vehicle. While the hardware interface is fairly standardized now, manufacturers use one of several different standards to encode the data. [Alex Sidorenko] has built an open source OBD-II Adapter which provides a serial interface using the ELM327 command set and supports all OBD-II standards.

The hardware is built around the LPC1517 Cortex-M3 microprocessor and can accept a couple of different versions. Here’s the PDF schematic, and a set of Gerber files (ZIP archive) for the PCB layout, if you’d like to dig in to it’s internals. The MC33660 ISO K Line Serial Link Interface device is used to provide bi-directional half-duplex communication interface with the micro-controller. Also included is the TJF1051, a high-speed CAN transceiver that provides an interface between the micro controller and the physical two-wire CAN lines on the ODB-II connector. The serial output from the adapter board is connected to a computer using a serial to USB adapter.

The software is written in C++ for the LPCXpresso IDE – a GNU tool chain for ARM Cortex-M processors, but can also be compiled using a couple of other toolchains. He’s got instructions if you’d like to build the firmware from source, or if you’d like to program the adapter via Flash Magic.

We featured [Alex]’s inexpensive PIC based ODB-II interface way back in 2007, so he’s been working on this for a while and has a good grip on what he’s doing.

OBD-II TrckrX: Data Logging In A BMW E36 M3

[Bruce Land] sent in this cool final project for ECE 4760 at Cornell University. Dubbed TrckrX, it is an OBD-II tracking and data logging system built into a BMW E36 M3. The car in question is being used in some auotocross competitions. The driver wanted instant access to some data as well as a log of everything for later analysis. The unit gives a real time display of vehicle speed, coolant temp, and RPM. G-force and timestamps are stored on the SD card.

We think this is a very cool idea, and could be quite useful in some instances. The real time display of speed and RPM seem a bit peculiar as the car’s speedometer and tachometer are more appropriately placed for real time information. However, we completely understand that this was a class project and this person may not have wanted to replace their dash cluster with a new readout.

Keep Tabs On Your Car Without OBD-II

[Steve] let us know about his MultiDisplay car monitoring system. Unlike traditional systems that rely on interfacing with the OBD-II protocol and existing car computer, the MultiDisplay uses an Arduino and custom shield with a combination of sensors; including temperatures, pressures, throttle, Boost, and etc. The data collected can then be displayed on a 20×4 LCD or streamed to a PC with visualization and event recording.

It’s nice to see half a years worth of work finally be complete and presented in such a clean and professional manner, keep up the good work [Steve]

OBD-II Automotive Data Logging

obd2

[Avi Aisenberg] sent us his final project for ece 4760.  His team built and OBD-II data interface. Even though OBD-II is an industry standard, each manufacturer has implemented it differently. This is where this project shines. They have built it to be capable of talking to any of them. Not only that, but it has a nice backlit LCD screen for diagnosing issues without having to go back to your computer and downloading the data. If you really don’t need all the bells and whistles, you can make one for roughly $15. They even have an OBD-II app for the iPhone.

IPhone OBD-II App

Rev by DevToaster is an application for the iPhone and iPod Touch that allows real-time monitoring of vehicle ECU data from the OBD-II port. Rev interfaces with a WiFi OBD-II dongle.

If your check engine light is on or flashing, REV is able to check the engine code, list all of the engine codes stored in the vehicle, and reset the stored codes or check engine light.

Rev is able to monitor real-time; vehicle speed, RPM, fuel consumption, engine coolant temp, fuel pressure, calculated engine load, throttle position, intake manifold pressure, air intake temp, timing advance, mass air flow, fuel level, barometric pressure, EVAP system vapor pressure, and fuel trim.

A brief video of REV in action is after the break.

Continue reading “IPhone OBD-II App”