Pages: [1] 2
Author Topic: Anyone into car mods with Linux and OpenSource?  (Read 11285 times)
00001101
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 15


« on: October 21, 2020, 07:16:15 AM »

Anyone here into linux and open source projects with cars? I've been using linux as my primary machine (I use arch btw) and I started playing around with USB2CAN and ELM327 to retrieve and write information momentary temporary information. Right now I am trying to wrap my head around how does an actually software read the full chip or just the part where is used for remapping? I've done specific chip reading before where electricity is stopped on the device, and with the use of pin clamps information is extracted in to a linux machine. This was for PC BIOS unlocking where some BIOS does not allow you to use different WIFI card. I believe the concept is similar. I have also seen people grounding some pins on the ECU to put it into boot mode where the software reads the full ECU. Both original and clone software don't give you an insight and full control of how things work. I want to fully find out how things work and help improve the open source community. There are already very good open source projects for car diagnostics and map configurations (as long as there are the map def files). But unfortunately I didn't come across anything regarding reading and writing into ECU with open source.

I would appreciate if anyone can point me to the right direction. Thanks.
Logged
_nameless
Hero Member
*****

Karma: +342/-466
Offline Offline

Posts: 2802



« Reply #1 on: October 21, 2020, 08:24:05 AM »

Anyone here into linux and open source projects with cars? I've been using linux as my primary machine (I use arch btw) and I started playing around with USB2CAN and ELM327 to retrieve and write information momentary temporary information. Right now I am trying to wrap my head around how does an actually software read the full chip or just the part where is used for remapping? I've done specific chip reading before where electricity is stopped on the device, and with the use of pin clamps information is extracted in to a linux machine. This was for PC BIOS unlocking where some BIOS does not allow you to use different WIFI card. I believe the concept is similar. I have also seen people grounding some pins on the ECU to put it into boot mode where the software reads the full ECU. Both original and clone software don't give you an insight and full control of how things work. I want to fully find out how things work and help improve the open source community. There are already very good open source projects for car diagnostics and map configurations (as long as there are the map def files). But unfortunately I didn't come across anything regarding reading and writing into ECU with open source.

I would appreciate if anyone can point me to the right direction. Thanks.
oof, defo feel like i lost some brain cells on this one
Logged

Giving your mom a tuneup
00001101
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 15


« Reply #2 on: October 21, 2020, 08:43:06 AM »

oof, defo feel like i lost some brain cells on this one


That doesn't mean anything to me.
Logged
d3irb
Full Member
***

Karma: +134/-1
Offline Offline

Posts: 195


« Reply #3 on: October 21, 2020, 08:51:30 AM »

hmm how about https://github.com/NefMoto/NefMotoOpenSource/
Logged
nyet
Administrator
Hero Member
*****

Karma: +608/-168
Offline Offline

Posts: 12271


WWW
« Reply #4 on: October 21, 2020, 09:29:21 AM »

https://github.com/nyetwurk/ecuxplot
https://github.com/nyetwurk/ME7Sum
https://github.com/nyetwurk/ME7L
https://github.com/nyetwurk/me7-tools
https://github.com/nyetwurk/mmll
https://github.com/nyetwurk/ME7Explorer

https://github.com/KalebKE/ME7Tuner
« Last Edit: October 21, 2020, 09:34:07 AM by nyet » Logged

ME7.1 tuning guide
ECUx Plot
ME7Sum checksum
Trim heatmap tool

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
00001101
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 15


« Reply #5 on: October 21, 2020, 10:46:50 AM »


Thank you. I recently saw this. As you might tell I am new to the forum. I will check it out and play around with it.
Logged
00001101
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 15


« Reply #6 on: October 21, 2020, 10:50:02 AM »


Thank you! I just gave you a follow on GitHub  Grin You got very interesting projects there. Is this what you do as a main job or side hobby? Currently for me is just a side hobby and slowly will dive into thinkering around with ECUs as I just love programing, reverse engineering and IoT.
Logged
nyet
Administrator
Hero Member
*****

Karma: +608/-168
Offline Offline

Posts: 12271


WWW
« Reply #7 on: October 21, 2020, 11:14:33 AM »

side hobby, unfortunately have less and less time to dedicate to it.

but good software devs that understand both git and cars are thin on the ground, so your help would be greatly appreciated!
Logged

ME7.1 tuning guide
ECUx Plot
ME7Sum checksum
Trim heatmap tool

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
00001101
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 15


« Reply #8 on: October 22, 2020, 08:42:01 AM »

I have been doing some research as I am new and will share what I have found out so far so that I can use it for reference for myself and to help other people out. This will only be the 1st update out of many.

My goal is to use Unix based OS and be able to read full ECU data, modify and write the modified data back.

First of all I learned how the communication happens between the device (laptop) and the ECU. The laptop uses USB to connect to the OBD2 port of the car. From there on, for retrieving data from the car's ECU the cheapest alternative that can be used is ELM327 micro-controller. According to Wikipedia, protocols supported by ELM327 are:

- SAE J1850 PWM (41.6 kbit/s)
- SAE J1850 VPW (10.4 kbit/s)
- ISO 9141-2 (5 baud init, 10.4 kbit/s)
- ISO 14230-4 KWP (5 baud init, 10.4 kbit/s)
- ISO 14230-4 KWP (fast init, 10.4 kbit/s)
- ISO 15765-4 CAN (11 bit ID, 500 kbit/s)
- ISO 15765-4 CAN (29 bit ID, 500 kbit/s)
- ISO 15765-4 CAN (11 bit ID, 250 kbit/s)
- ISO 15765-4 CAN (29 bit ID, 250 kbit/s)
- SAE J1939 (250kbit/s)
- SAE J1939 (500kbit/s)

I am not going to pretend that I know what all those mean but for now I am familiar with JXXXX and CAN. I learned that using ELM327 device and open source compatible projects like python-OBD [2] and PiOBDII [3], useful real time information can be obtained my accessing the right memory location or my monitoring the memory and reading the hex values.

After some more diving, I found out about SocketCAN [4]. It gives you a deeper understanding of how a communication happens through CAN and how you can read the values and even modify them (temporary). I followed these guides to generate fake CAN traffic and played around: Check Sources [5], [6] and [7].

After learning about that, the only thing on my mind was "how can I fully read and write to the ECU?". I came across a project called "ecutools" on github [8]. After checking out the source code, I came across a file called "j2534". I looked it up on Google and came across one article which explained it well for me to understand [9]. For some reason J2534 is known very well for diagnostic and reprogramming and is used by "professionals". Those professionals don't know how it works on a programming level, they just use the tools. While learning more about J2534, I came across a github issue which talks about very interesting points [10]. It is mentioned in the github issue that CAN can be used for reprogramming (even though I searched so many times on Google and didn't find anything that was a basic concept that explained that). Based on user Altenius "ECUs use a seed and key algorithm to secure certain services such as reprogramming, so you will not be able to reprogram it just by sniffing the session. You would need to find the algorithm which would require reverse engineering the firmware on the ECU." He suggests a book which I have came across but haven't read in detail [11].

For now that's all I know. I am just starting to dive into how I can actually read and write to the ECU. I am clear on how reading live values work and how it can be temporarily manipulated, but reprogramming is on another level.

If you have anything to add or correct, please do.

Thank you and I hope someone has found this helpful.

[1] https://en.wikipedia.org/wiki/ELM327#Protocols_supported_by_ELM327
[2] https://github.com/brendan-w/python-OBD
[3] https://github.com/BirchJD/PiOBDII
[4] https://www.kernel.org/doc/Documentation/networking/can.txt
[5] https://medium.com/@yogeshojha/car-hacking-101-practical-guide-to-exploiting-can-bus-using-instrument-cluster-simulator-part-i-cd88d3eb4a53
[6] https://medium.com/@yogeshojha/car-hacking-101-practical-guide-to-exploiting-can-bus-using-instrument-cluster-simulator-part-ee998570758
[7] https://medium.com/@yogeshojha/car-hacking-101-practical-guide-to-exploiting-can-bus-using-instrument-cluster-simulator-part-ea40c05c49cd
[8] https://github.com/jeremyhahn/ecutools
[9] http://www.drewtech.com/customers/diagaftmkt.html
[10] https://github.com/Altenius/j2534-rs/issues/1
[11] http://opengarages.org/handbook/

Logged
BlackT
Hero Member
*****

Karma: +79/-40
Offline Offline

Posts: 1425



« Reply #9 on: October 22, 2020, 11:28:52 AM »

Great links, these schould be somewere on sticky tread or some wiki
Logged
d3irb
Full Member
***

Karma: +134/-1
Offline Offline

Posts: 195


« Reply #10 on: October 22, 2020, 11:36:22 AM »

You're going down the right path. I don't mean to diminish your research. These links are all great for a beginner and keeping this in one place is wonderful.

But, you're going in a slow meandering way IMO.

Read the code to the NefMoto flasher I linked you, it's all there for you. Then read about ISO 14229 UDS, which is generally speaking based on the KWP protocol the NefMoto flasher uses but over CAN-TP as the transport instead of a serial line.

J2534 is a minor aside in all this, it's a convenient way to access CAN from Windows but nothing more. You could use the ELM327 protocol (not recommended, it sucks) or SocketCAN on Linux instead of J2534 on Windows, it's all the same at the end of the day. It sounds like you've figured this part out already Smiley

Between the NefMoto flasher and the ISO 14229 documentation, you'll have a general idea of the ECU flashing process works (very broadly speaking diagnostic session -> security access -> erasememory -> request download -> transfer data (repeat) -> exit transfer -> checksum -> reset).

Now you can read "Corporate Group Requirement Specification For Programming Control Units with Keyword Protocol 2000 Transport Protocol 2.0.pdf" which documents this procedure for VW ECUs specifically, including the SecurityAccess Seed/Key calculation which is a simple bytecode script transformation.

Next, you need to understand how the ECU software verifies its own integrity. This varies from ECU to ECU. For example, in ME7 (which the NefMoto flasher handles) this is basic sum/CRC checksums applied to various blocks. ME7Sum at https://github.com/nyetwurk/ME7Sum can calculate these for you and "fix" an ME7 file so it will pass its own integrity checks. Later in the ME7 days, an RSA integrity check was added to the application running on the ECU, but it's performed by the software itself after it's running rather than when it's written, so it can either be removed in the ECU code or self-signed (the public key replaced and the file signed with a valid, matching key). ME7Sum can self-sign RSA ME7 files as well.

For newer ECUs, there is usually a real integrity check (RSA, etc.) and sometimes the flash payload is encrypted with AES, too. For these ECUs, you need to reverse engineer the integrity checking and find the AES keys as well as an exploit in the chain of trust, just as you would with any other protected hardware. Unfortunately these exploits are usually fought over and protected as there's $$$ to be made in this industry. Learning to use Ghidra or IDA and how to map ECU files at the correct memory addresses to follow the disassembly is what will let you eventually figure this stuff out.

Also, you mention reading. On most modern ECUs, you simply can't read the ECU back when the application software is running as the ability to do so was intentionally left out of the software. You'll have to add the ability back by breaking the chain of trust somewhere and adding your own flash read-out/transfer code, or rely on decrypted factory update files (FRFs), also known as "virtual reads" to help you on your path.
Logged
00001101
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 15


« Reply #11 on: October 22, 2020, 01:14:29 PM »

You're going down the right path. I don't mean to diminish your research. These links are all great for a beginner and keeping this in one place is wonderful.

But, you're going in a slow meandering way IMO.

Read the code to the NefMoto flasher I linked you, it's all there for you. Then read about ISO 14229 UDS, which is generally speaking based on the KWP protocol the NefMoto flasher uses but over CAN-TP as the transport instead of a serial line.

J2534 is a minor aside in all this, it's a convenient way to access CAN from Windows but nothing more. You could use the ELM327 protocol (not recommended, it sucks) or SocketCAN on Linux instead of J2534 on Windows, it's all the same at the end of the day. It sounds like you've figured this part out already Smiley

Between the NefMoto flasher and the ISO 14229 documentation, you'll have a general idea of the ECU flashing process works (very broadly speaking diagnostic session -> security access -> erasememory -> request download -> transfer data (repeat) -> exit transfer -> checksum -> reset).

Now you can read "Corporate Group Requirement Specification For Programming Control Units with Keyword Protocol 2000 Transport Protocol 2.0.pdf" which documents this procedure for VW ECUs specifically, including the SecurityAccess Seed/Key calculation which is a simple bytecode script transformation.

Next, you need to understand how the ECU software verifies its own integrity. This varies from ECU to ECU. For example, in ME7 (which the NefMoto flasher handles) this is basic sum/CRC checksums applied to various blocks. ME7Sum at https://github.com/nyetwurk/ME7Sum can calculate these for you and "fix" an ME7 file so it will pass its own integrity checks. Later in the ME7 days, an RSA integrity check was added to the application running on the ECU, but it's performed by the software itself after it's running rather than when it's written, so it can either be removed in the ECU code or self-signed (the public key replaced and the file signed with a valid, matching key). ME7Sum can self-sign RSA ME7 files as well.

For newer ECUs, there is usually a real integrity check (RSA, etc.) and sometimes the flash payload is encrypted with AES, too. For these ECUs, you need to reverse engineer the integrity checking and find the AES keys as well as an exploit in the chain of trust, just as you would with any other protected hardware. Unfortunately these exploits are usually fought over and protected as there's $$$ to be made in this industry. Learning to use Ghidra or IDA and how to map ECU files at the correct memory addresses to follow the disassembly is what will let you eventually figure this stuff out.

Also, you mention reading. On most modern ECUs, you simply can't read the ECU back when the application software is running as the ability to do so was intentionally left out of the software. You'll have to add the ability back by breaking the chain of trust somewhere and adding your own flash read-out/transfer code, or rely on decrypted factory update files (FRFs), also known as "virtual reads" to help you on your path.

Thank you one more time. Will definitely do! I really appreciate the points you gave for me to adjust my route instead and move forward on specific topics, instead of "meandering" around. I will check out the code and see how NefMoto handles the reading, writing and checksum part. I think that would be a starting point. Love reading documentations so I will read ISO 14229 documentation too.
Logged
00001101
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 15


« Reply #12 on: October 22, 2020, 01:57:57 PM »

Does anyone know where I can find free PDF for ISO 14229 documentation? It's a lot of money which I am not willing to pay.
Logged
00001101
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 15


« Reply #13 on: October 22, 2020, 02:01:33 PM »

Never mind. Found the 2006 edition for now.
Logged
00001101
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 15


« Reply #14 on: October 23, 2020, 06:45:16 PM »

Okay I found something interesting and new for me.

As you guys know, geohotz is into AI and vehicles. I checked out his projects of his company comma.ai and found panda.

As I am good with python, I checked the code and I kind of understand it (especially after I checked out ISO 14229). This two links are what I am going to look and try to understand:

- https://github.com/commaai/panda/blob/9fb584b20cbbee80aa3e4c98416da726dcd4c1f2/python/dfu.py#L14

- https://github.com/commaai/panda/blob/9fb584b20cbbee80aa3e4c98416da726dcd4c1f2/python/dfu.py#L14

The crazy part is that they have a JS version which allows you do read and write from your browser. I have long way to go and just using my free time on learning for now. So I though I share for people that can make use of it, because trust me I have spent a lot of time researching and will for sure spend hundreds of hours more.

That's it for now.
Thanks.
Logged
Pages: [1] 2
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.032 seconds with 18 queries. (Pretty URLs adds 0.001s, 0q)