Can bus Hacking

s200bym · 05-26-2019, 01:37 PM

Hi All,

I am from the UK and I am trying to hack the can bus on my 370z Nismo.

I have tried on the UK forums but not having any luck.

I am using the USB2CAN device from 8devices on Linux with the can-utils package. I connect to the device in terminal using the command:

sudo ip link set can0 up type can bitrate 500000

Then I send the command:

cansniffer can0 -c

I have also tried sending the messages:

7E0#1081 to start a diagnostic session
7E0#3E01 for keepalive

I am not getting any results back. Does anyone know anything about the USB2CAN device? I noticed that some of the guys on here are using the CANUSB device from Lawicel, what is the difference?

If anyone could help that would be great.

Thanks,
Mike.

gbrettin · 05-26-2019, 03:06 PM

Subbed.

SouthArk370Z · 05-26-2019, 03:20 PM

Have you tried using dmesg and lsusb commands? Or USB2CAN_TEST.py (manual says you can download it from web)?

s200bym · 05-28-2019, 03:09 PM

Quote:

Originally Posted by SouthArk370Z

Have you tried using dmesg and lsusb commands? Or USB2CAN_TEST.py (manual says you can download it from web)?

I will give that a go at the weekend, thanks.

dts3 · 01-24-2020, 10:49 AM

I'm not sure if others have done this; I couldn't find any tools to do so, but I was able to dump my stock ECU ROM over the OBD port.

I was hoping that UpRev would give me my stock ECU ROM, but it looks like whenever they read it, it's stored encrypted on the PC

I found a work-around for that. I put it on my blog
https://leftoverpi.com/2020/01/23/re...-370z-ecu-rom/

I would like to help get more support in ROM Raider for the newer Nissans

I'll add more information to the threads when I get home from work.

SonicVQ · 02-09-2020, 10:21 AM

Thank you for sharing the raw ECU dump! This will be VERY useful.

dts3 · 04-26-2020, 01:11 AM

I discovered something interesting today. I want to put a little more work into documenting these undocumented PIDs (especially the conversion calculations). Uprev obviously knows all of this already because they can log everything with no problem. My intention was to snoop on the CAN bus while each of these PIDs were being requested one by one. I made a special cable that would allow me to pull a man in the middle on the PID requests. The CAN lines are interrupted which allows me to monitor the bus with my laptop. This is how I was able to read out my ECU ROM.

So I started my CAN logging software on my laptop and started logging in Uprev, hoping to see the PID requests for each parameter one by one. Logging in Uprev was working and I could see correct parameters. I couldn't see it in my CAN bus logging software. I was trying to troubleshoot and noticed that I never connected the CAN lines together. So Uprev does all of their PID request logging outside of the CAN bus lines. I was thinking it's coming in over K-line, but I looked in the FSM and I didn't see K-line being brought out to an OBD pin. We have a K-line BUS but if I remember correctly the FSM says that it's for internal use only, for modules to communicate with each other. Does anyone have any info on this? If I can't see K-line traffic I'm going to have to put a scope on the vendor specific pins, and I REALLY don't want to do that inside of the car.

SonicVQ · 04-26-2020, 08:51 AM

Quote:

Originally Posted by dts3

So I started my CAN logging software on my laptop and started logging in Uprev, hoping to see the PID requests for each parameter one by one. Logging in Uprev was working and I could see correct parameters. I couldn't see it in my CAN bus logging software.

I was trying to troubleshoot and noticed that I never connected the CAN lines together. So Uprev does all of their PID request logging outside of the CAN bus lines. I was thinking it's coming in over K-line, but I looked in the FSM and I didn't see K-line being brought out to an OBD pin.

We have a K-line BUS but if I remember correctly the FSM says that it's for internal use only, for modules to communicate with each other. Does anyone have any info on this? If I can't see K-line traffic I'm going to have to put a scope on the vendor specific pins, and I REALLY don't want to do that inside of the car.

The latest documentation I have is for a 2016 370z, and I don't think Nissan would have changed anything since. Based on the ROM you posted, your 370 is from 2017 and I would expect it to be the same.

The K-Line is still on pin 7 of the OBD connector and goes directly to pin 117 of the ECU. Nissan sometimes calls it "K-Line" and sometimes calls it "Data Link Connector"

Try this test:
• With the CAN bus not connected, log data and look at the time between samples. The UpRev log shows time in milliseconds.
• Hook up the CAN bus and run the data logging program again.

Since the K-Line runs at 10,400 bits per second, and CAN bus runs at 500,000 bits per second, I would expect the time between data to be much faster with the CAN bus.

I suspect the UpRev software checked the CAN bus for communication, didn't see it and "failed over" to the K-line.
This would allow them to use the same code for older cars (before 2008) that don't have CAN bus.
I look forward to your test results

dts3 · 04-26-2020, 10:57 AM

Quote:

Originally Posted by SonicVQ

The latest documentation I have is for a 2016 370z, and I don't think Nissan would have changed anything since. Based on the ROM you posted, your 370 is from 2017 and I would expect it to be the same.

The K-Line is still on pin 7 of the OBD connector and goes directly to pin 117 of the ECU. Nissan sometimes calls it "K-Line" and sometimes calls it "Data Link Connector"

Try this test:
• With the CAN bus not connected, log data and look at the time between samples. The UpRev log shows time in milliseconds.
• Hook up the CAN bus and run the data logging program again.

Since the K-Line runs at 10,400 bits per second, and CAN bus runs at 500,000 bits per second, I would expect the time between data to be much faster with the CAN bus.

I suspect the UpRev software checked the CAN bus for communication, didn't see it and "failed over" to the K-line.
This would allow them to use the same code for older cars (before 2008) that don't have CAN bus.
I look forward to your test results

Thank you for this. I will try it later today

And my car that the ROM came from is a 2017 6MT base model

SonicVQ · 04-26-2020, 11:13 AM

Quote:

Originally Posted by dts3

Thank you for this. I will try it later today

And my car that the ROM came from is a 2017 6MT base model

Crap... I messed up when looking up the ECU ID: 6GE2C = 2017 370Z MT

dts3 · 04-26-2020, 11:57 AM

Do you have any other resources for the ROM format or CAN bus PIDs? I've been posting on the romraider forums and I'm going to put the ROM in Ida. Any clues you have will help with the disassembly

dts3 · 04-26-2020, 12:33 PM

... my end goal is to get 370z ROM support in romraider, so we don't need Uprev or ECUTek. I think they have some limited support for the 350z generation, but those ECUs used a different generation micro, and they are 1MB while ours are 1.5, so I'm sure the tables will not line up

Elmo370z · 04-26-2020, 01:23 PM

Subbed

dts3 · 04-26-2020, 01:55 PM

I keep running this through my head about how to uncover these tables. Uprev stores the ROMs heavily encrypted on the PC, but when flashing it has to be decrypted. I wrote the software to regenate the ROM from the CAN bus log, so I'm thinking of using Uprev to give all cells in each of the tables the same constant value, and using a different value for each table. This way we can flash, recover the ROM from the CAN bus log, and look at the disassembly to find the table addresses from the eyecatcher numbers we put in. I don't want to do this with my ROM though. (I haven't flashed it yet because I am still under warranty). If I buy an ECU off eBay do you think I'd be able to flash and interact with it without having the immobilizer running?

Jayhovah · 04-26-2020, 05:09 PM

subbed

05-26-2019, 01:37 PM	#1 (permalink)
s200bym Base Member Join Date: May 2019 Location: UK Posts: 6 Drives: 2019 370z Nismo Rep Power: 5	Can bus Hacking Hi All, I am from the UK and I am trying to hack the can bus on my 370z Nismo. I have tried on the UK forums but not having any luck. I am using the USB2CAN device from 8devices on Linux with the can-utils package. I connect to the device in terminal using the command: sudo ip link set can0 up type can bitrate 500000 Then I send the command: cansniffer can0 -c I have also tried sending the messages: 7E0#1081 to start a diagnostic session 7E0#3E01 for keepalive I am not getting any results back. Does anyone know anything about the USB2CAN device? I noticed that some of the guys on here are using the CANUSB device from Lawicel, what is the difference? If anyone could help that would be great. Thanks, Mike. Elmo370z likes this.

05-26-2019, 03:20 PM	#3 (permalink)
SouthArk370Z Premium Member Join Date: Nov 2010 Location: South Arkansas Posts: 8,435 Drives: 2014 Challenger Rep Power: 324197	Have you tried using dmesg and lsusb commands? Or USB2CAN_TEST.py (manual says you can download it from web)? __________________ Steering Lock Links - Search The370Z Bookmarklet - FSM @ NICOclub Mankind has progressed past the need for war but we haven't evolved that far. - NachoMahma

01-24-2020, 10:49 AM	#5 (permalink)
dts3 Track Member Join Date: May 2018 Location: Farmington Hills, MI Posts: 599 Drives: 08 Expedition Rep Power: 6764	I'm not sure if others have done this; I couldn't find any tools to do so, but I was able to dump my stock ECU ROM over the OBD port. I was hoping that UpRev would give me my stock ECU ROM, but it looks like whenever they read it, it's stored encrypted on the PC I found a work-around for that. I put it on my blog https://leftoverpi.com/2020/01/23/re...-370z-ecu-rom/ I would like to help get more support in ROM Raider for the newer Nissans I'll add more information to the threads when I get home from work. SouthArk370Z, 2011 Nismo#91 and JARblue like this. __________________ Visit my blog! www.LeftoverPi.com Last edited by dts3; 01-24-2020 at 12:24 PM.

02-09-2020, 10:21 AM	#6 (permalink)
SonicVQ Base Member Join Date: Jan 2016 Location: Ontario Posts: 230 Drives: G37 Sport Rep Power: 6720	Thank you for sharing the raw ECU dump! This will be VERY useful. dts3 likes this. Last edited by SonicVQ; 02-09-2020 at 09:06 PM.

04-26-2020, 01:11 AM	#7 (permalink)
dts3 Track Member Join Date: May 2018 Location: Farmington Hills, MI Posts: 599 Drives: 08 Expedition Rep Power: 6764	I discovered something interesting today. I want to put a little more work into documenting these undocumented PIDs (especially the conversion calculations). Uprev obviously knows all of this already because they can log everything with no problem. My intention was to snoop on the CAN bus while each of these PIDs were being requested one by one. I made a special cable that would allow me to pull a man in the middle on the PID requests. The CAN lines are interrupted which allows me to monitor the bus with my laptop. This is how I was able to read out my ECU ROM. So I started my CAN logging software on my laptop and started logging in Uprev, hoping to see the PID requests for each parameter one by one. Logging in Uprev was working and I could see correct parameters. I couldn't see it in my CAN bus logging software. I was trying to troubleshoot and noticed that I never connected the CAN lines together. So Uprev does all of their PID request logging outside of the CAN bus lines. I was thinking it's coming in over K-line, but I looked in the FSM and I didn't see K-line being brought out to an OBD pin. We have a K-line BUS but if I remember correctly the FSM says that it's for internal use only, for modules to communicate with each other. Does anyone have any info on this? If I can't see K-line traffic I'm going to have to put a scope on the vendor specific pins, and I REALLY don't want to do that inside of the car. JARblue likes this. __________________ Visit my blog! www.LeftoverPi.com

05-26-2019, 03:06 PM	#2 (permalink)
gbrettin A True Z Fanatic Join Date: Oct 2010 Location: Portage, MI Posts: 2,237 Drives: Tricycle Rep Power: 542172	Subbed.

04-26-2020, 11:57 AM	#11 (permalink)
dts3 Track Member Join Date: May 2018 Location: Farmington Hills, MI Posts: 599 Drives: 08 Expedition Rep Power: 6764	Do you have any other resources for the ROM format or CAN bus PIDs? I've been posting on the romraider forums and I'm going to put the ROM in Ida. Any clues you have will help with the disassembly __________________ Visit my blog! www.LeftoverPi.com

04-26-2020, 12:33 PM	#12 (permalink)
dts3 Track Member Join Date: May 2018 Location: Farmington Hills, MI Posts: 599 Drives: 08 Expedition Rep Power: 6764	... my end goal is to get 370z ROM support in romraider, so we don't need Uprev or ECUTek. I think they have some limited support for the 350z generation, but those ECUs used a different generation micro, and they are 1MB while ours are 1.5, so I'm sure the tables will not line up __________________ Visit my blog! www.LeftoverPi.com

04-26-2020, 01:23 PM	#13 (permalink)
Elmo370z A True Z Fanatic Join Date: Apr 2013 Location: st. petersburg Posts: 5,707 Drives: 09 nissan 370z Sp M6 Rep Power: 295377	Subbed

04-26-2020, 01:55 PM	#14 (permalink)
dts3 Track Member Join Date: May 2018 Location: Farmington Hills, MI Posts: 599 Drives: 08 Expedition Rep Power: 6764	I keep running this through my head about how to uncover these tables. Uprev stores the ROMs heavily encrypted on the PC, but when flashing it has to be decrypted. I wrote the software to regenate the ROM from the CAN bus log, so I'm thinking of using Uprev to give all cells in each of the tables the same constant value, and using a different value for each table. This way we can flash, recover the ROM from the CAN bus log, and look at the disassembly to find the table addresses from the eyecatcher numbers we put in. I don't want to do this with my ROM though. (I haven't flashed it yet because I am still under warranty). If I buy an ECU off eBay do you think I'd be able to flash and interact with it without having the immobilizer running? __________________ Visit my blog! www.LeftoverPi.com

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
People hacking cars	Rooster89	The Lounge (Off Topic)	1	07-23-2011 06:32 AM