Hacking into Zoe's CANbus


Post by jmeijer » Fri 14 Aug 2015, 08:56

This is a continuation of the OBD2 Diagnosegerät für Renault ZOE erhältlich! thread, which I derailed somewhat with information about hacking into the CANbus by other means than using the i907. The link above opens my first posting there so you can find the history of the project there. Short synopsis:

- a few people from several countries have a shared interest in getting access to the computerized information of the car (Zoe and Fluence ZE);
- we are sharing our findings regarding required hardware and the information content in a shared environment (google drive);
- by just watching and monitoring what happens if an i907 is connected, we have cracked hundreds of parameters that are either floating on the bus or can be requested;
- a spin-off is that we managed to use SOME (not all) cheap Chinese ELM327 dongles to acquire most of the data, something that was not thought possible as those are very "ICE oriented". For a display-app on a tablet or phone, this lowers the price mark substantially and does not require modification to the car or self-made electronics.

Enjoy the thread.

Oh and as my German is OK for reading but absolutely not OK for writing, feel free to post in German, but forgive me for answering and posting in English. I am from the Netherlands BTW.
Jeroen - ZOE Q210 Nov 2013 - PV powered - CanZE co-developer http://canze.fisch.lu
jmeijer
 
Posts: 200
Joined: Mon 2 Sep 2013, 15:08

Re: Hacking into Zoe's CANbus

Post by jmeijer » Fri 14 Aug 2015, 09:07

> I do think Android should be good since one can get a simple 7" tablet with Bluetooth for ~50€ which could be used as a stationary device in the car.


I agree. On top of that, Apple has made it very hard to use Bluetooth Serial (needed to get to an ELM327) from an iPhone or iPad.

> Why don't you want to leave the ELM plugged in? There isn't communication with the ECU without 'ignition', is there? At least that was the case in my old combustion car.
> The only reason is the drain from the battery. That is why I would include simple switches in the powerline.


I WANT the ELM plugged in, because next to some nice display stuff, I want to automatically monitor charging. My home charger should leave some room in the battery at night to store predicted PV surplus during the day. However, I do not want the CANbus to be exposed to anyone sitting next to my car. Indeed, the CANbus is (very) active even when the car is off and locked and most of the ECUs are online! We have not done any serious writing on the CANbus, but I would rather not take chances. Even software updates are done through the bus, and security seems to be extremely poor.

A powerswitch on a modified ELM would be fine for people wanting to have display apps only.

A possible solution is to cut the serial lines in the adapter between the Bluetooth module and the core ELM processor chip, and fit a small processor like for example an ATtiny85 between them to handle encryption. The same algorithm could be implemented optionally in the app, so the paranoid could use it and the others, well, not. I know it is a pain, but I would rather modify a EUR 10 dongle than modify the car.
Jeroen - ZOE Q210 Nov 2013 - PV powered - CanZE co-developer http://canze.fisch.lu
jmeijer
 
Posts: 200
Joined: Mon 2 Sep 2013, 15:08

Re: Hacking into Zoe's CANbus

Post by noICE » Fri 14 Aug 2015, 18:17

Alright, we should take this into account then.
I am very excited that some ELMs work with Zoe :)
noICE
 
Posts: 29
Joined: Fri 12 Jun 2015, 08:52

Re: Hacking into Zoe's CANbus

Post by jmeijer » Mon 17 Aug 2015, 09:49

I might have been wrong on that. It seems the bus powers down in a few steps after all. I need to carefully check and document that.

Right now, the project is a bit slow, partly because the girl seems to not like me pulling at her wires. Orange light is on with a meaningless message in the dashboard. Clearing all the DTCs with the i907 did not help. Pouting brat!
Jeroen - ZOE Q210 Nov 2013 - PV powered - CanZE co-developer http://canze.fisch.lu
jmeijer
 
Posts: 200
Joined: Mon 2 Sep 2013, 15:08

Re: Hacking into Zoe's CANbus

Post by egonalter » Mon 17 Aug 2015, 15:50

In the light of the recent "stagefright" vulnerability of Android (and also R-Link), wouldn't it be easier to hack the OS itself, so one can directly use the CAN processor on the mainboard and the internal display? Up to now, I haven't found any sign of hacking attempts of the R-Link system itself. There must be lots of other open doors, given that it is based on the ancient Android 2.3.
Q210 ZOE No. 865, built Nov. 2012, imported from France
eON/ABL charging box with 22 kW
egonalter

Posts: 116
Joined: Wed 26 Jun 2013, 14:13

Re: Hacking into Zoe's CANbus

Post by jmeijer » Mon 17 Aug 2015, 16:26

Well, as soon as anyone has a decent R-link tool-chain, and enough experience with it not to break the regular system, good plan! Until then, "must be" sounds not good enough. To me that is ;-)
Jeroen - ZOE Q210 Nov 2013 - PV powered - CanZE co-developer http://canze.fisch.lu
jmeijer
 
Posts: 200
Joined: Mon 2 Sep 2013, 15:08

Re: Hacking into Zoe's CANbus

Post by jmeijer » Wed 19 Aug 2015, 16:37

The two ELM devices came in today. I can confirm the KV902 works! I can also confirm another blue bootleg device didn't. To be honest, it didn't work AT ALL, no Bluetooth signal, but it proves the point the Leaf Spy developer made here: just go for the Konnwei KV902. I ordered this one. http://www.ebay.com.au/itm/301420844013

Warm regards,


Jeroen
Jeroen - ZOE Q210 Nov 2013 - PV powered - CanZE co-developer http://canze.fisch.lu
jmeijer
 
Posts: 200
Joined: Mon 2 Sep 2013, 15:08

Re: Hacking into Zoe's CANbus

Post by jmeijer » Sat 22 Aug 2015, 12:28

To get some feel for where we are.

Analysis with the Arduino Due https://www.youtube.com/watch?v=6Ei03NHvTKA

Display data with an ELM (Konnwei KW902) https://www.youtube.com/watch?v=TQRatlPNUmw

No "app" stuff. One of the team members is working on that, but at least here is some proof of concept. Things work, we can get data, we understand a lot of the many hundreds of fields already.
Jeroen - ZOE Q210 Nov 2013 - PV powered - CanZE co-developer http://canze.fisch.lu
jmeijer
 
Posts: 200
Joined: Mon 2 Sep 2013, 15:08

Re: Hacking into Zoe's CANbus

Post by e-tron-73 » Sun 23 Aug 2015, 06:27

Great work! Go on with it!
Fossil combustion again? Only on my Harley ....
e-tron-73

Posts: 126
Joined: Mon 20 Jul 2015, 12:53

Re: Hacking into Zoe's CANbus

Post by jmeijer » Sun 23 Aug 2015, 14:13

Thank you! Next stop: Scratch the surface on Android Studio. ;-)

As for the "dangers" of leaving an ELM327 plugged in. I did some testing last night. I locked myself in my car and monitored the CANbus. The car powers down in 3 steps. First, the accessories power down (after about 3 minutes). This is noticeable with a contactor click. After about 2 minutes more, more stuff is shut down, and you can hear another click. Then, after about another 10 seconds, the CANbus goes dead. So far so good.

Playing with the i907 left most ECUs unreachable. However, I was able to wake up the Instrument panel and the UDP with the i907, and emulated that later with the dongle. Both ECUs in turn wake up at least the EVC, and maybe more computers. And what was really nasty is that the wakeup unlocked the charger cable!!

So, for a "permanent on" solution, I think some more protection would be needed.
Jeroen - ZOE Q210 Nov 2013 - PV powered - CanZE co-developer http://canze.fisch.lu
jmeijer
 
Posts: 200
Joined: Mon 2 Sep 2013, 15:08
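
An added example, not part of the thread and not CanZE code: a sketch in C of the in-line gateway idea from the posts above (a small MCU between the Bluetooth module and the ELM chip, and "more protection" for a permanently plugged-in dongle). It authenticates each command with a counter and a MAC rather than only encrypting it; the choice of XTEA in CBC-MAC mode, the frame layout, the key and the names `frame_mac` and `gateway_accept` are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* XTEA block cipher (64-bit block, 128-bit key), small enough for an 8-bit MCU. */
static void xtea_encrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < 32; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
        sum += 0x9E3779B9u;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}

static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* CBC-MAC over (counter, length) followed by the zero-padded command bytes.
   The length in the first block keeps CBC-MAC sound for variable-length input. */
uint64_t frame_mac(const uint32_t key[4], uint32_t counter, const uint8_t *cmd, uint8_t len) {
    uint32_t s[2] = { counter, len };
    xtea_encrypt(s, key);
    for (unsigned off = 0; off < len; off += 8) {
        uint8_t blk[8] = {0};
        memcpy(blk, cmd + off, (len - off < 8) ? len - off : 8);
        s[0] ^= le32(blk); s[1] ^= le32(blk + 4);
        xtea_encrypt(s, key);
    }
    return ((uint64_t)s[0] << 32) | s[1];
}

typedef struct { uint32_t key[4]; uint32_t last_counter; } gateway_t;
/* Forward a command to the ELM only if its counter is fresh and its MAC verifies. */
int gateway_accept(gateway_t *gw, uint32_t counter, const uint8_t *cmd, uint8_t len, uint64_t mac) {
    uint64_t diff = frame_mac(gw->key, counter, cmd, len) ^ mac; /* whole-tag compare, no early exit */
    if (counter <= gw->last_counter || diff != 0) return 0;
    gw->last_counter = counter;  /* real firmware would persist this (e.g. in EEPROM) */
    return 1;
}

int main(void) {
    gateway_t gw = { { 0x01234567u, 0x89abcdefu, 0xfedcba98u, 0x76543210u }, 0 }; /* constructed key */
    const uint8_t cmd[] = "ATZ\r";                /* constructed sample command */
    uint64_t tag = frame_mac(gw.key, 1, cmd, 4);  /* tag the app would attach */
    int first = gateway_accept(&gw, 1, cmd, 4, tag);
    int replay = gateway_accept(&gw, 1, cmd, 4, tag);
    printf("first=%d replay=%d\n", first, replay);
    return 0;
}
```

The same `frame_mac` would run in the app; a recorded frame replayed by someone within Bluetooth range fails the counter check, and a command without the key fails the MAC check.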
