Nissan 370Z Forum  

Can bus Hacking

04-26-2020, 07:45 PM   #16
dts3
Track Member
Join Date: May 2018
Location: Farmington Hills, MI
Posts: 599
Drives: 08 Expedition
Rep Power: 6764

So I'm sitting here in the car right now and I'm not seeing any PID requests come in over CAN. I even did an ECU dump to make sure that I was seeing that traffic in my log and that it wasn't being filtered out. Maybe Uprev makes all its PID requests over K-line?

Data is being logged @ 50 Hz so the bus isn't being saturated at K-line speeds.
__________________
Visit my blog!
www.LeftoverPi.com
04-29-2020, 07:23 PM   #17
SonicVQ
Base Member
Join Date: Jan 2016
Location: Ontario
Posts: 230
Drives: G37 Sport
Rep Power: 6720

Quote:
Originally Posted by dts3
> So I'm sitting here in the car right now and I'm not seeing any PID requests come in over CAN. I even did an ECU dump to make sure that I was seeing that traffic in my log and that it wasn't being filtered out. Maybe Uprev makes all its PID requests over K-line?
>
> Data is being logged @ 50 Hz so the bus isn't being saturated at K-line speeds.

Wow, that is odd to me....
Are you seeing any CAN Bus activity? I would expect to see activity using service $21 or $22.

How is your CAN bus sniffer set up? Pass through or listen only?
Are you filtering out every CAN ID below 0x700? -OR- just allow 7E0 & 7E8?

Since your Z is from 2017, I would be surprised that they would use the slow K-Line.
BUT maybe they are using the K-Line with the NDSIII protocol? I don't know...

Last edited by SonicVQ; 04-29-2020 at 09:41 PM.
04-29-2020, 10:24 PM   #18
SonicVQ

Well... This is VERY interesting. For those interested in making a copy of their ECU ROM, "VQ_Crazy!" on romraider has designed/built/programmed a cheap ($15+) Arduino based, CAN bus hardware solution using the OBD port to copy the ECU ROM to an SD card in 3-4 minutes!

Details are here: https://www.romraider.com/forum/view...p?f=65&t=17089

Just to put this in perspective, this is the first step to being able to tune and update our own ECU ROMs for VERY little money.

I think this will be a good first step to "open source tuning" for the 2008+ (CAN Bus) ECUs.
What do you think?
05-01-2020, 09:05 AM   #19
SonicVQ

Quote:
Originally Posted by dts3
> Do you have any other resources for the ROM format or CAN bus PIDs? I've been posting on the romraider forums and I'm going to put the ROM in IDA. Any clues you have will help with the disassembly.

I wish I did. There is a little bit of info on RomRaider and I suspect you have already gone through it.

I have not done any disassembly in about 30 years and can only imagine how complex the 32-bit RISC ECU firmware would be.

I think the best starting point is to see if anyone has mapped an HR and use that as a starting point. As time permits, I will try the free version of WinOLS. I hope the learning curve isn't too steep.
05-01-2020, 01:53 PM   #20
dts3

Quote:
Originally Posted by SonicVQ
> Wow, that is odd to me....
> Are you seeing any CAN Bus activity? I would expect to see activity using service $21 or $22.
>
> How is your CAN bus sniffer set up? Pass through or listen only?
> Are you filtering out every CAN ID below 0x700? -OR- just allow 7E0 & 7E8?
>
> Since your Z is from 2017, I would be surprised that they would use the slow K-Line.
> BUT maybe they are using the K-Line with the NDSIII protocol? I don't know...

I see full CAN bus activity from the vehicle on all expected IDs. I do not see any CAN activity from Uprev during logging. I DO see CAN bus activity from Uprev:
  • When starting Uprev (reading VIN and other data)
  • When dumping the ECU
  • When checking and clearing code

It's not a filtering issue because I see IDs all the way from 2, to whatever tester IDs Uprev is using (I forget all of them).

As far as reading the bus, I'm using a Vector 1610 with Vector's CANalyzer software. I can fully interact with the bus and send arbitrary messages.

I'm not familiar with the NDSIII protocol. I have plans to reconfigure my snooping cable to allow me to listen on K-Line also.
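Added example, not part of any post in this thread: one way to run the check discussed in posts #17 and #20 on a saved capture, counting service $21/$22 requests and responses on the diagnostic IDs separately from broadcast traffic. The candump-style log is constructed, and the 0x7E0/0x7E8 request/response pair is an assumption taken from the IDs mentioned above; the tester IDs a given tool really uses may differ.

```python
import re
from collections import Counter

# Constructed candump-style capture for illustration (not taken from the thread).
SAMPLE_LOG = """\
(0.000) can0 002#0A0B0C0D
(0.010) can0 180#11223344AABBCCDD
(0.020) can0 7E0#0322110100000000
(0.024) can0 7E8#0562110112340000
(0.030) can0 7E0#0221010000000000
(0.034) can0 7E8#1014610100112233
(0.036) can0 7E0#3000000000000000
(0.040) can0 551#0000000000000000
"""
LINE = re.compile(r"\(([\d.]+)\)\s+\S+\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)")
SERVICES = {0x21, 0x22}  # the two read services mentioned in the thread

def parse(log):
    """Yield (timestamp, can_id, payload) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield float(m[1]), int(m[2], 16), bytes.fromhex(m[3])

def service_id(data):
    """Service byte of an ISO-TP single or first frame, else None."""
    if len(data) > 1 and data[0] >> 4 == 0:   # single frame: length nibble, then SID
        return data[1]
    if len(data) > 2 and data[0] >> 4 == 1:   # first frame: two PCI bytes, then SID
        return data[2]
    return None                               # consecutive / flow-control frame

def summarize(log, req_id=0x7E0, rsp_id=0x7E8):
    """Count read requests/responses on the diagnostic IDs vs. other traffic."""
    counts = Counter()
    for _ts, can_id, data in parse(log):
        sid = service_id(data)
        if can_id not in (req_id, rsp_id):
            counts["other"] += 1
        elif sid is None:
            counts["transport"] += 1
        elif can_id == req_id and sid in SERVICES:
            counts[f"request ${sid:02X}"] += 1
        elif can_id == rsp_id and sid - 0x40 in SERVICES:  # positive response = SID + 0x40
            counts[f"response ${sid - 0x40:02X}"] += 1
        else:
            counts["diag other"] += 1
    return dict(counts)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A capture with only "other" entries and no request or response counts matches what post #16 describes seeing during logging.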
05-01-2020, 02:06 PM   #21
dts3

Quote:
Originally Posted by SonicVQ
> Well... This is VERY interesting. For those interested in making a copy of their ECU ROM, "VQ_Crazy!" on romraider has designed/built/programmed a cheap ($15+) Arduino based, CAN bus hardware solution using the OBD port to copy the ECU ROM to an SD card in 3-4 minutes!
>
> Details are here: https://www.romraider.com/forum/view...p?f=65&t=17089
>
> Just to put this in perspective, this is the first step to being able to tune and update our own ECU ROMs for VERY little money.
>
> I think this will be a good first step to "open source tuning" for the 2008+ (CAN Bus) ECUs.
> What do you think?

I did see that post before and it's interesting for sure. I was thinking about making an add-on board to a Raspberry Pi for this, which would be a cool project (I've made a few add-on "hats" as they call it, it's not too hard). What has kept me from doing that is that I have access to some of the best CAN tools in the industry through my job, so that keeps my motivation for this low.

I post on ROMraider under the name LeftoverPi.
05-01-2020, 02:26 PM   #22
dts3

As you suggested I'm sure the 370z ROM format follows the 350 pretty closely. The 370 ROM is 1.5Mb versus 1.0 for the 350. Best case scenario is that it's the same format as the 350s with the HR engine, with an extra .5Mb of unused space. I'd imagine it's more different for the older 350s with the DE engine.

I have the tuner version of Uprev, so I think a good start is to look at the tables that you are allowed to edit, and compare that with what I see in the ROM's disassembly. I can then cross-reference this with what we know about the 350 ROM structure.

Phase 2 would be to make very obvious edits to a table in Uprev (e.g. setting all values in one table to 3, in the next table to 4, etc). I can then flash and reconstruct the ROM again to see where these known values end up. For phase 2 I'm going to eBay an ECU to do this on the bench; I don't want to do this with my own ECU. If anyone has an extra one sitting around that they can sell for cheap (or donate!) this would be a good cause!
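Added example, not part of the original post: one way to do the "phase 2" comparison, locating runs of known marker values in a re-read ROM that are absent from the stock dump and listing any other changed bytes (for instance a checksum). Both images are constructed in the code, and it assumes the marker is stored as a raw 8-bit cell value; 16-bit or scaled tables would need a different marker pattern.

```python
import random

def marker_runs(stock, modified, markers, min_len=8):
    """Runs of one marker byte in `modified` that are not already in `stock`.

    Scanning the modified image (rather than diffing byte by byte) keeps a
    table in one piece even where a stock cell already held the marker value.
    """
    hits, i = [], 0
    while i < len(modified):
        j = i
        while j < len(modified) and modified[j] == modified[i]:
            j += 1
        if modified[i] in markers and j - i >= min_len and stock[i:j] != modified[i:j]:
            hits.append((i, j - i, modified[i]))
        i = j
    return hits

def unexplained_changes(stock, modified, hits):
    """Offsets that changed but lie outside every marker run (e.g. a checksum)."""
    covered = {o for off, n, _ in hits for o in range(off, off + n)}
    return [i for i, (a, b) in enumerate(zip(stock, modified))
            if a != b and i not in covered]

def make_demo():
    """Build a constructed 4 KiB 'stock' image and a marked-up copy of it."""
    rng = random.Random(370)
    stock = bytearray(rng.randrange(16, 256) for _ in range(4096))
    stock[0x410] = 3                            # a stock cell that already equals a marker
    modified = bytearray(stock)
    modified[0x400:0x440] = bytes([3]) * 64     # hypothetical table A, all cells set to 3
    modified[0x900:0x920] = bytes([4]) * 32     # hypothetical table B, all cells set to 4
    modified[0xFFE] ^= 0xFF                     # stand-in for a checksum update
    modified[0xFFF] ^= 0xFF
    return bytes(stock), bytes(modified)

if __name__ == "__main__":
    stock, modified = make_demo()
    hits = marker_runs(stock, modified, markers={3, 4})
    for off, n, val in hits:
        print(f"0x{off:05X}: {n} bytes of {val}")
    print("other changes:", [hex(i) for i in unexplained_changes(stock, modified, hits)])
```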
05-01-2020, 04:33 PM   #23
Elmo370z
A True Z Fanatic
Join Date: Apr 2013
Location: st. petersburg
Posts: 5,707
Drives: 09 nissan 370z Sp M6
Rep Power: 295377

Off topic. If successful, could you completely disable VDC?
05-01-2020, 06:28 PM   #24
dts3

Quote:
Originally Posted by Elmo370z
> Off topic. If successful, could you completely disable VDC?

Not through Uprev or software like ROMRaider. But you put a switch on the yaw sensor box and turn it off when you want it completely disabled.
05-01-2020, 09:37 PM   #25
SonicVQ

Quote:
Originally Posted by dts3
> As you suggested I'm sure the 370z ROM format follows the 350 pretty closely. The 370 ROM is 1.5Mb versus 1.0 for the 350. Best case scenario is that it's the same format as the 350s with the HR engine, with an extra .5Mb of unused space. I'd imagine it's more different for the older 350s with the DE engine.
>
> I have the tuner version of Uprev, so I think a good start is to look at the tables that you are allowed to edit, and compare that with what I see in the ROM's disassembly. I can then cross-reference this with what we know about the 350 ROM structure.
>
> Phase 2 would be to make very obvious edits to a table in Uprev (e.g. setting all values in one table to 3, in the next table to 4, etc). I can then flash and reconstruct the ROM again to see where these known values end up. For phase 2 I'm going to eBay an ECU to do this on the bench; I don't want to do this with my own ECU. If anyone has an extra one sitting around that they can sell for cheap (or donate!) this would be a good cause!

I have only looked at a few ROMs, but Nissan seems to move the tables around much more than I would have thought. I'm not sure the 350 ROM definitions will be helpful to find the 370 tables.

Also factor in some CARB/EPA required changes that were mandated around 2012, which may require more program space / ROM.

I know EcuTek creates their own higher resolution tables in different locations than stock, and UpRev might do the same, so please keep this in mind with your testing.

I look forward to your update on the K-Line. Since it runs at 10,400 baud, I guess UpRev could use it and still get a fast sample rate.

Last edited by SonicVQ; 05-08-2020 at 09:39 AM.
07-19-2021, 10:18 PM   #26
HOODEY
Base Member
Join Date: Aug 2013
Location: Barbados
Posts: 33
Drives: Uk spec 08 350z gt
Rep Power: 11

Trying to locate DTS