Skip to content

Latest commit

 

History

History
108 lines (93 loc) · 4.13 KB

README.md

File metadata and controls

108 lines (93 loc) · 4.13 KB

MQB-sniffer

CAN-BUS sniffing for Volkswagen Golf MK7 (and most likely other MQB platform cars). Currently this is more a work log for future reference.

Hardware used (not everything is required)

  • Car: VW Golf MK7, 2016, 2.0TDI (110kW, CRLB) + DSG (DQ250)
  • OBDeleven (GEN2) OBD2 adapter + iOS device + OBDeleven account with PRO license
  • ELM327 v1.5 (Carista)
  • MCP2515 + Arduino Nano + bunch of cables + PC/Mac/Linux
  • OBD2 cable splitter (to connect two OBD2 devices at the same time to the car)

Sniffing

Cables and adapters

  • OBD2 Splitter connected to the car
  • OBDeleven connected to one of the ports
  • Carista ELM327 connected to the other port
  • iOS device connected with OBDeleven adapter
  • Mac/PC/Linux connected with Carsita ELM327 dongle
  • serial monitor app running on Mac/PC, Carista ELM327 serial port connected at high baudrate (115200bps)

ELM327 config

Commands to send to Carista ELM327 to prepare it for data sniffing:

  • at z - reset ELM327 chip
  • at d - defaults
  • at sp 6 - set CAN-BUS to 11bit, 500kbps (Golf MK7 is using ISO 15765-4 CAN, 11 bit ID, 500 kbaud standard)
  • at cfc1 - flowcontrol
  • at d1 - show DLC
  • at al - enable long messages
  • at h1 - show headers
  • at caf0 - disable formating
  • at l0 - disable linefeeds
  • at s1 - enable whitespaces (easier to view data)

Data gathering

  • at ma - start sniffing
  • At the same time use OBDeleven to connect with car, go to list of modules, select module, select live data, select data type, view.
  • Carista ELM327 will sniff the communication between OBDeleven and car.

Injecting

ELM327 config

  • at z - reset ELM327 chip
  • at sp 6 - set CAN-BUS to 11bit, 500kbps
  • at al - enable long messages
  • at caf0 - disable formating
  • at v1 - enable frames shorter than 8 bytes (no padding)
  • at bi - bypass the initiation step

Sending frame

  • at sh 777 - set frame header to 777
  • 11 22 33 44 55 - send 0x11 0x22 0x33 0x44 0x55
    This will send this frame:
    Standard ID: 0x777 DLC: 5 Data: 0x11 0x22 0x33 0x44 0x55

Request headers and modules

Example data sniffed from OBDeleven-Car communication

Starting and maintaining communication with instrument cluster

714 8 02 10 03 55 55 55 55 55 - Accessing instrument cluster
77E 8 06 50 03 00 32 00 C8 AA - Cluster reply

714 8 03 19 02 AE 55 55 55 55
77E 8 03 59 02 19 AA AA AA AA

714 8 02 3E 00 55 55 55 55 55 - I'm here, don't sleep
77E 8 02 7E 00 AA AA AA AA AA - not sleeping!

714 8 02 3E 00 55 55 55 55 55
77E 8 02 7E 00 AA AA AA AA AA
...

RPM from instrument cluster

714 8 03 22 22 D1 55 55 55 55 - request
77E 8 05 62 22 D1 1F 98 AA AA - reply (0x1F98 = 8088 DEC; 8808 / 4 = 2022RPM)

Phototransistor instrument cluster (ambient light sensor)

714 8 03 22 22 4D 55 55 55 55 - request
77E 8 04 62 22 4D FA AA AA AA - reply (0xFA = 250 DEC; 250 out of 0-255 range; higher=brighter)

Enagaged gear from DSG

7E1 8 03 22 38 16 55 55 55 55 - request
7E9 8 04 62 38 16 00 AA AA AA - gear not engaged
7E9 8 04 62 38 16 0C AA AA AA - reverse
7E9 8 04 62 38 16 02 AA AA AA - 1st

Gearbox mode from DSG

7E1 8 03 22 38 15 55 55 55 55 - request
7E9 8 04 62 38 15 00 AA AA AA - P
7E9 8 04 62 38 15 01 AA AA AA - R
7E9 8 04 62 38 15 02 AA AA AA - N
7E9 8 04 62 38 15 03 AA AA AA - D
7E9 8 04 62 38 15 04 AA AA AA - S
7E9 8 04 62 38 15 05 AA AA AA - M

Warnings

  • Cheap ELM327 adapters will not work. Buffer will overflow with date before you can read the data from it.
  • For some reasons, when trying to use MCP2515 to sniff, experiencing communication problems between OBDeleven and the car. Tried both with and without EOL termination resistor with no luck.

Shopping list