Train Speed Signaling Adapted For Car

September 11, 2024 by Bryan Cockfield 33 Comments

One major flaw of designing societies around cars is the sheer amount of signage that drivers are expected to recognize, read, and react to. It’s a highly complex system that requires constant vigilance to a relatively boring task with high stakes, which is not something humans are particularly well adapted for. Modern GPS equipment can solve a few of these attention problems, with some able to at least show the current speed limit and perhaps an ongoing information feed of the current driving conditions., Trains, on the other hand, solved a lot of these problems long ago. [Philo] and [Tris], two train aficionados, were recently able to get an old speed indicator from a train and get it working in a similar way in their own car.

The speed indicator itself came from a train on the Red Line of the T, Boston’s subway system run by the Massachusetts Bay Transportation Authority (MBTA). Trains have a few unique ways of making sure they go the correct speed for whatever track they’re on as well as avoid colliding with other trains, and this speed indicator is part of that system. [Philo] and [Tris] found out through some reverse engineering that most of the parts were off-the-shelf components, and were able to repair a few things as well as eventually power everything up. With the help of an Arduino, an I/O expander, and some transistors to handle the 28V requirement for the speed indicator, the pair set off in their car to do some real-world testing.

This did take a few tries to get right, as there were some issues with the power supply as well as some bugs to work out in order to interface with the vehicle’s OBD-II port. They also tried to use GPS for approximating speed as well, and after a few runs around Boston they were successful in getting this speed indicator working as a speedometer for their car. It’s an impressive bit of reverse engineering as well as interfacing newer technology with old. For some other bits of train technology reproduced in the modern world you might also want to look at this recreation of a train whistle.

Continue reading “Train Speed Signaling Adapted For Car” →

ESP32 Used As Wireless CAN Bus Reader

November 22, 2023 by Lewin Day 34 Comments

The CAN bus, accessible through the OBD-II port, is the channel that holds all the secrets of the modern automobile. If you want to display those for your own perusal, you might consider this nifty tool from [EQMOD].

Yes, it’s an OBD-II dongle that you can build using an ESP32 WROVER module. It’s designed to read a car’s CAN bus communications and display them on a self-hosted web page, accessible over WiFi. The build relies on the dual-core nature of the ESP32, with the first core handling CAN bus duties via the SN65HVD230 CAN bus transceiver chip. The second core is responsible for hosting the web page. Data received via the CAN bus is pushed to the web user interface roughly every 60 to 100 milliseconds or so for information like RPM and speed. Less time-critical data, like temperatures and voltages, are updated every second.

It’s a neat little thing, and unlike a lot of dongles you might buy online, you don’t need to install some dodgy phone app to use it. You can just look at the ESP32’s web page for the data you seek. The graphics may be a little garish, but they do the job of telling you what’s going on inside your car. Plus, you can always update them yourself.

Getting to grips with the CAN bus is key if you want to diagnose or modify modern vehicles. Meanwhile, if you’ve been cooking up your own electronic vehicular hacks, don’t hesitate to drop us a line!

Adding Upgrades To A Stock Motorcycle

September 11, 2018 by Bryan Cockfield 28 Comments

In today’s world of over-the-air firmware upgrades in everything from cars to phones to refrigerators, it’s common for manufacturers of various things to lock out features in software and force you to pay for the upgrades. Even if the hardware is the same across all the models, you can still be on the hook if you want to unlock anything extra. And, it seems as though Suzuki might be following this trend as well, as [Sebastian] found out when he opened up his 2011 Vstrom motorcycle.

The main feature that was lacking on this bike was a gear indicator. Even though all the hardware was available in the gearbox, and the ECU was able to know the current gear in use, there was no indicator on the gauge cluster. By using an Arduino paired with an OBD reading tool (even motorcycles make use of OBD these days), [Sebastian] was able to wire an LED ring into the gauge cluster to show the current gear while he’s riding.

The build is very professionally done and is so well blended into the gauge cluster that even we had a hard time spotting it at first. While this feature might require some additional lighting on the gauge cluster for Suzuki to be able to offer this feature, we have seen other “missing” features in devices that could be unlocked with a laughably small amount of effort.

Continue reading “Adding Upgrades To A Stock Motorcycle” →

Emulating OBD-II On The ESP32

April 11, 2018 by Tom Nardi 35 Comments

It used to be that you could pop the hood and with nothing more than flat head screwdriver, some baling wire, and tongue held at the optimal angle, you could fix anything that ailed your car. But today, for better or for worse, the average automobile is a rolling computer that runs on gasoline and hope (if it even still has a gasoline engine, that is). DIY repairs and maintenance on a modern car is still possible of course, but the home mechanic’s toolbox has needed to evolve with the times. If you want to do anything more advanced than changing a tire, you’ll really want to have the gear to interface with the vehicle’s computer via the OBD-II port.

But for some, even that isn’t enough. [limiter121] recently wrote in to tell us of an interesting project which doesn’t read the OBD-II port in a vehicle, but actually emulates one. Like so many others this hack was born out of necessity, as a way to test an OBD-II project without having to sit out in the driveway all day. It allows you to create fictitious speed and engine RPM values for the OBD-II device or software under test to read, complete with a slick web interface to control the “car”.

So what makes it tick? Surprisingly little, actually. At the most basic level, an ESP32-WROOM-32 is connected up to a SN65HVD230 CAN transceiver chip. You’ll also need a 3.3V power supply, as well as a USB to serial adapter to do the initial programming on the ESP32. From there it’s just a matter of compiling and flashing the code [limiter121] has made available in the GitHub repo.

If you’re wondering if such products don’t already exist on the commercial market, they do. But like so many other niche projects, the price is a bit hard to swallow for the home hacker. Compared to the nearly $300 USD list price of commercial offerings such as the Freematics OBD-II Emulator, building one of these ESP32 based emulators should only cost you around $20.

Unless you’re developing an OBD-II reader, you probably don’t have much use for an OBD-II emulator. But this project could still be useful for anyone who wants to learn more about OBD from the comfort of their couch.

OBD-Sniffing A Caddy PHEV

February 22, 2018 by Jenny List 25 Comments

The Cadillac ELR is a plug-in hybrid car with a bit of class, it has the beating heart of a Chevy Volt in a nice coupé body with some up-market styling and a nice interior. Since it wasn’t on the market for long and some consumers are still wary of cars with electric motors, it also represents something of a sweet spot: according to [Andrew Rossignol] you can pick them up for less outlay than you might imagine. He bought one, and being an inquisitive soul decided to probe its secrets through its OBD-II ports.

OBD-II sniffing is nothing especially new, but his write-up provides an interesting run-down of the methodology used to identify the different proprietary pieces of data that it makes available. His Python script attempted to parse the stream as though it were multi-byte words of different lengths, plotting its results as graphs, It was then a straightforward process of identifying the graphs by eye that contained useful data and rejecting those that were obviously garbage. He was able to pick out the figures in which he was interested, and write an interface for his little Sony VAIO UX to display them on the move.

We’ve covered OBD hacks too numerous to mention over the years, but perhaps you’d like to read our history of the standard.

OBD-II Dongle Attack: Stopping A Moving Car Via Bluetooth

April 14, 2017 by Pedro Umbelino 30 Comments

Researchers from the Argus Research Team found a way to hack into the Bosch Drivelog ODB-II dongle and inject any kind of malicious packets into the CAN bus. This allowed them to, among other things, stop the engine of a moving vehicle by connecting to the dongle via Bluetooth.

Drivelog is Bosch’s smart device for collecting and managing your vehicle’s operating data. It allows a user to connect via Bluetooth to track fuel consumption and to be alerted when service is necessary. It was compromised in a two stage attack. The first vulnerability, an information leak in the authentication process, between the dongle and the smart phone application allowed them to quickly brute-force the secret PIN offline and connect to the dongle via Bluetooth. After being connected, security holes in the message filter of the dongle allowed them to inject malicious messages into the CAN bus.

The Bluetooth pairing mechanism, called “Just Works”, has been fixed by Bosh by activating a two-step verification for additional users to be registered to a device. The second issue, the ability for a maliciously modified mobile application to possibly send unwanted CAN messages, will be mitigated with an update to the dongle firmware to further limit the allowed commands that the dongle is able to place on the CAN bus.

Bosch downplays the issue a bit in their statement:

It is important to note that scalability of a potential malicious attack is limited by the fact that such an attack requires physical proximity to the dongle. This means that the attacking device needs to be within Bluetooth range of the vehicle.

The problem is that physical proximity does not equal Bluetooth range. Standard Bluetooth range is about 10m, which is very arguable physical proximity, but it is pretty easy to buy or even modify a Bluetooth dongle with 10x and 100x more range. When adding a wireless connection to the CAN bus of an automobile, the manufacturer has an obligation to ensure the data system is not compromised. This near-proximity example is still technically a remote hack, and it’s an example of the worst kind of vulnerability.

Bil Herd Asks OBD “How Fast Am I Going?”

February 15, 2017 by Bil Herd 87 Comments

Whenever I end up with a new vehicle I ultimately end up sticking in a new GPS/Receiver combination for better sound quality and a better GPS.

I am quite at home tearing into a dashboard as I was licensed to install CB radios in my teens as well as being the local go-to guy for 8-track stereo upgrades in the 70’s. I have spent a portion of my life laying upside down in a puddle on the car floor peering up into the mess of wires and brackets trying to keep things from dropping on my face. If you remember my post on my Datsun 280ZXT, I laid in that same position while welding in a clutch pedal bracket while getting very little welding slag on my face. I did make a note that the next time I convert a car from an automatic to a manual to do so while things are still disassembled.

Swapping out a factory radio usually involves choosing whether to hack into the existing factory wiring wire-by-wire, or my preference, getting a cable harness that mates with the factory plug and making an adapter out of it by splicing it to the connector that comes with the new radio.

Usually I still have to hunt down a few signals such as reverse indicator, parking brake indicator, vehicle speed sensor and the like. In my last vehicle the Vehicle Speed Sensor (VSS) wire was supposed to be in the factory harness, but driving experience showed it must not be as the GPS would show me driving 30 feet to the right of the highway. That and the calibration screen on the GPS verified that it was not receiving speed pulses.