APC Australia

A beginner’s guide to car hacking

Modern cars are powered by computers, but new wireless hardware can let you peek inside through On-Board Diagnostics and your Android phone. Darren Yates explains.


If you drive a car exceeding a certain age (five years in NSW), you’ll be familiar with the yearly trek to your local mechanic to have the registration safety and roadworthiness check — the ‘e-safety check’ — performed. While the check invariably requires a once-over of tyres and correct operation of all exterior indicator lights, the mechanic is also required to check your vehicle’s brakes. For most cars built in the last 15 years, it’s a relatively easy affair, thanks to a socket hidden under the dashboard near the driver’s side front door. This socket allows professional hand-held instruments to read diagnostic codes and real-time data from the vehicle’s engine control unit (ECU) about almost everything that’s going on, from fuel pressure to engine RPM. Now, thanks to low-cost Bluetooth scanners, you can read much the same real-time engine data with your Android phone.

OBD-II INTERFACE

In 1996, the US mandated that all cars sold in the country’s market required an on-board diagnostics (OBD) interface to read the car’s ECU codes and data. Today, OBD-II is a worldwide compliance standard and supported on Australian vehicles going back as far as 1999 and the Holden VT Commodore. However, local OBD-II support start dates vary between manufacturer and model, so you’ll need to investigate your car independently.

Not only does OBD-II allow you to read data from the dozens of sensors floating around your vehicle’s engine bay, it also allows a mechanic to diagnose vehicle error or ‘diagnostic trouble codes’ (DTCs) that otherwise appear as a mostly meaningless engine warning light on your dashboard. The OBD-II port itself is known as a data link connector (DLC) and you’ll typically find it under the dashboard between the driver’s side door and the steering column.

HOW OBD-II WORKS

The 16-pin DLC interface electrically links to the ECU via an RS232-like serial bus and, to access data, you essentially send two eight-bit hexadecimal numbers — one for ‘mode’, the other for ‘PID’ (parameter ID). The mode determines the type of data you want returned and the PID, the specific data itself. For example, to get real-time data on the current engine RPM (revolutions per minute), you send 0x1/0xC — 0x1 for Mode 1 (current data) and 0xC, the PID for ‘engine RPM’. This command returns a two-byte data field that is converted back to RPM values up to a maximum of 16,384rpm. Want current vehicle speed? You send 0x1/0xD, where 0x1 is Mode 1 as before and 0xD is the PID for speed, returned as a single byte for a maximum reading of 255km/h.

The combined mode/PID list is extensive and too much for us to cover here — you can get an idea of its breadth over at en.wikipedia.org/wiki/OBD-II_PIDs.
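The mode/PID exchange described above, worked through as an added example in Python (this is not code from the article, from ELM Electronics or from any app the article names). It assumes the dongle behaves as an ELM327-style text serial link with command echo switched off (the ELM327 ‘ATE0’ setting): you write the mode and PID as ASCII hex followed by a carriage return, and read back the reply’s hex bytes followed by a ‘>’ prompt. The scaling formulas are the standard SAE J1979 ones listed on the OBD-II PIDs page linked above, and the example goes one PID beyond the text by also decoding intake air temperature (0x0F), which the article mentions later under chip-tuning. Every sample reply below is constructed, not captured from a real car.

```python
"""Build OBD-II Mode 01 requests and decode ELM327-style replies.

Added example; not code from the APC article, ELM Electronics or any app it names.
Assumes the dongle behaves as an ELM327 text serial link with command echo off
(the ELM327 "ATE0" setting): you write the mode and PID as ASCII hex plus a
carriage return, and read back hex bytes followed by a ">" prompt.
Scaling formulas are the standard SAE J1979 ones from the OBD-II PIDs table
the article links to. All sample replies below are constructed, not captured.
"""

MODE_CURRENT_DATA = 0x01  # Mode 1: real-time data

# PID -> (name, unit, number of data bytes, decoder over those bytes)
PIDS = {
    0x0C: ("engine RPM", "rpm", 2, lambda d: (256 * d[0] + d[1]) / 4),  # max 16383.75
    0x0D: ("vehicle speed", "km/h", 1, lambda d: d[0]),                  # max 255
    0x0F: ("intake air temperature", "degC", 1, lambda d: d[0] - 40),    # -40..215
}

# Status strings an ELM327 prints instead of data when the ECU does not answer
NO_DATA_MARKERS = ("NO DATA", "UNABLE TO CONNECT", "?")


def build_request(mode, pid):
    """Format a mode/PID pair as the ASCII hex command an ELM327 expects, e.g. '010C\\r'."""
    return f"{mode:02X}{pid:02X}\r"


def decode_response(mode, pid, raw):
    """Decode one reply for the given mode/PID.

    Returns the scaled value, or None when the ECU did not answer (ignition off,
    or a PID this car does not support). Raises ValueError on a malformed reply.
    """
    lines = [ln.strip() for ln in raw.replace(">", "").split("\r") if ln.strip()]
    if not lines or any(ln.upper().startswith(NO_DATA_MARKERS) for ln in lines):
        return None
    # On the first request the ELM327 may print "SEARCHING..." before the data
    # line; the data line is always the last one.
    text = lines[-1]
    try:
        data = bytes.fromhex(text.replace(" ", ""))
    except ValueError:
        raise ValueError(f"reply is not hex: {text!r}")
    # A positive reply echoes the mode with 0x40 added (01 -> 41), then the PID,
    # then the data bytes.
    if len(data) < 2 or data[0] != mode + 0x40 or data[1] != pid:
        raise ValueError(f"unexpected reply {text!r} for mode {mode:02X} PID {pid:02X}")
    name, _unit, nbytes, decode = PIDS[pid]
    payload = data[2:2 + nbytes]
    if len(payload) != nbytes:
        raise ValueError(f"short reply for {name}: {text!r}")
    return decode(payload)


# Constructed replies, keyed by the command that would produce them.
SAMPLE_REPLIES = {
    "010C\r": "SEARCHING...\r41 0C 1A F8 \r\r>",  # (0x1A*256 + 0xF8) / 4 = 1726.0 rpm
    "010D\r": "41 0D 3C \r\r>",                   # 0x3C = 60 km/h
    "010F\r": "41 0F 3A \r\r>",                   # 0x3A - 40 = 18 degC
}
IGNITION_OFF_REPLY = "NO DATA \r\r>"  # what you get with the ECU asleep


def read_live(pid, replies=SAMPLE_REPLIES):
    """Send a Mode 1 request for `pid` and decode the reply. A real setup would
    write `cmd` to the Bluetooth serial port and read until the '>' prompt;
    here the reply is looked up in the constructed table instead."""
    cmd = build_request(MODE_CURRENT_DATA, pid)
    return decode_response(MODE_CURRENT_DATA, pid, replies.get(cmd, IGNITION_OFF_REPLY))


if __name__ == "__main__":
    for pid, (name, unit, _n, _f) in PIDS.items():
        print(f"{name}: {read_live(pid)} {unit}")
```

The ‘NO DATA’ path matters in practice: with the ignition off the ELM327 still answers its own commands, but the ECU does not, and a decoder that does not check for the status string will either crash or report a meaningless value. Checking that the reply’s first byte is the requested mode plus 0x40 and the second byte is the requested PID also catches the cheap-clone habit of returning a stale reply to an earlier request.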


WHY OBD-II MATTERS

As more and more cars began featuring ECUs, they each came with their own interface standard, making it a nightmare for mechanics and others to keep track of who was who in the zoo, particularly when it came to signal protocols. By 1991, the first On-Board Diagnostics standard (which eventually became known as ‘OBD-I’) was mandated in vehicles to offer basic diagnostic data access. However, there were no data signal protocols or connection standards included, so it was still a messy system.

Not long after, vehicle exhaust emissions testing began to receive serious consideration in the US and that’s when a more comprehensive standard in OBD-II came into force for cars in 1996. Having a single, unified interface system that covered all of the various protocols was vital if simplified engine servicing and testing was to become a reality.

Officially, there are five signal protocols now available for use on an OBD-II interface:

SAE J1850 PWM (pulse-width modulation)
SAE J1850 VPW (variable pulse width)
ISO 9141-2 (similar to RS232)
ISO 14230-4 KWP (keyword protocol)
ISO 15765-4 CAN (controller area network)

On top of that, you also have variations in ID bit length and data transmission speeds. When it comes to official documentation, there are dozens of ISO (International Organisation for Standardisation) and SAE (Society of Automotive Engineers) standards that refer to OBD-II and the combinations of protocol, speed and additional diagnostic functions added to previous versions. Even so, vehicle manufacturers reportedly don’t have to support all PIDs and each car manufacturer also has its own additional PID sets. As a result, professional diagnostic tools, like those used by your mechanic for rego checks, have been around for much of the past two decades. But more recently, low-cost alternatives have become available to consumers and hobbyists, although the technology behind a number of these devices appears to have a murky back-story.

ELM327 MICROCONTROLLER

One of the earliest and most popular consumer-grade solutions to hit the market came courtesy of Canada’s ELM Electronics (elmelectronics.com). The company creates its own chips that read the different OBD standard codes from the different car makers. One of those chips was dubbed the ‘ELM327’, which, reports suggest, is actually an ELM-programmed Microchip PIC32 microcontroller. Unfortunately, it seems the company didn’t set the copy-protection bit of the original ‘version 1.0’ batch of chips and that allowed hackers to read the op-codes from the chip and use them to create their own clones. Since then, eBay has been awash with ELM327-branded dongle clones selling for as little as US$3 and, competition being what it is, soon version 1.5 and even version 2.1 models began appearing. The only problem is, in many cases, they’re just copies of this original v1.0 code, warts and all. As ELM Electronics still develops its source code and manufactures its own chips (it recently released version 2.2), you’ll also find genuine ELM327-powered devices on the market. So the question is: how can you tell if you’re getting a genuine ELM327 chip or a copy? Simple — if it costs you less than US$21, it’s a pretty safe bet it’s a copy, for that’s the price of a genuine ELM327 chip from ELM Electronics. The other giveaway is that the company doesn’t sell v1.5 or v2.1 versions.

But before you go around screaming ‘fake chips’, just be aware that, in the electronics industry, there are degrees of ‘fake’ and it’s a term thrown around a bit too freely. These ELM327 clones might not be genuine, but they appear to work. If you call that ‘fake’, so be it. But there are worse ‘fakes’ in the electronics industry — try ‘fake ICs’ (integrated circuits) that are nothing more than blobs of plastic some refer to as ‘slugs’. For example, popular retailer SparkFun Electronics was stung with a reel of dud ATMEGA328 microcontrollers (chips used in the popular Arduino Uno DIY boards) back in 2010 at a time when this chip was apparently in short supply. When the SparkFun team investigated, these chips had nothing inside them (sparkfun.com/news/350).

But then, on the other hand, I’ve seen people dub as ‘fake’ other chips legitimately manufactured under license by secondary manufacturers that perform exactly the same as the original. It’s hard to see these low-cost ELM327 clones falling into this category — but it still suggests you need to tread with some caution.

HOW OBD-II DONGLES WORK

We purchased two units for this story — a generic blue ‘ELM327’ Bluetooth dongle for about $5 on eBay, plus a second similar unit, a Viecar VC004-A, with the same styling but an added power button, for around the same price. The blue dongle identified itself on Bluetooth as ‘OBDII’, while the Viecar dongle simply came up as ‘viecar’.

In both cases, the dongle plugs straight into the OBD-II/DLC interface port and, even with the engine off and no keys in the ignition, both had power — the OBDII dongle powers up straight away, while the Viecar model requires you to press its power button.

ANDROID SOFTWARE

You can buy OBD-II clones that are hard-wired via USB, but the cheapest models feature Bluetooth only — still, that allows you to combine them with your Android device, thanks to the growing number of OBD-II ready apps available on Google Play.

We think the best of them is Ian Hawkins’ Torque, but we also reckon your first stop should be ELM327 Identifier (tinyurl.com/lfa7zz6). This simple app pairs your Android device with your ELM327 clone plugged into your vehicle to check the firmware version and just which of the genuine ELM OBD-II features are supported.

We used this app to test our two units — the blue ‘ELM327/OBDII’ dongle identified itself as having ‘ELM327 v2.1’ firmware, while the Viecar VC004-A had seemingly older ‘ELM327 v1.5’ code. However, what we found interesting about this is that, despite its older version code, the VC004-A actually had greater OBD-II function support, according to the ELM327 Identifier app.

Beyond that, to get real-time and logged data from your vehicle’s ECU, we think Torque is the app you want. There’s a free version called Torque Lite (tinyurl.com/cdjtljp), which is ideal to start with and loaded with plenty of features, but the $5 full version has bucketloads more. The first time you use Torque, you’ll get basic information from the ELM327 dongle, even with your vehicle’s ignition off, but the features list obviously comes alive when you fire up the ignition and the vehicle’s ECU kicks in — and that list is quite long. What’s more, Torque gives you excellent configuration options — you’ve got seven swipe screens, each of which can feature dials or graphs. You can move features around and even change their size. Torque isn’t the only option either — search Google Play for ‘OBD2’ and you’ll find plenty of apps, but we think Torque should top your list.

WHAT ABOUT HACKING?

OK, given these low-cost scanners are essentially read-only, the hacking you can do with them is more virtual — by graphing how you drive, you can learn, for example, that hard acceleration from a standing start creates serious spikes in fuel consumption and, by easing your way off the mark, you can reduce that consumption. If you drive a manual, you’d also likely be able to work out the optimum RPM point for changing gears by comparing RPM with fuel consumption. So in effect, this is about hacking you as a driver and improving your skills.

However, it’s also possible to read, as well as reset, the error codes that light up your dashboard’s engine fault light, using an ELM327-style dongle and the Torque Lite app.

GETTING SERIOUS

But that’s not to say serious vehicle hacking can’t be done. Once you get past the low-cost read-only scanners, you move into full-on modding territory or ‘chip-tuning’, where you can make serious changes to engine function, for example, fudging the air intake temperature to change the fuel flow rate and make the engine generate more power. However, just be aware that incorrect tampering with your vehicle’s ECU could cause all sorts of trouble, including extremely serious engine damage. There are numerous professional services out there that will tune or ‘remap’ your car’s ECU, but just be sure you’re fully aware of the risks involved before you proceed.

SECURITY

One thing we wouldn’t recommend with these low-cost dongles is to leave them plugged into your car — not because they might fail as a result of heat, or eventually bleed your battery dry, but because of their essentially non-existent security. Think about it — a Bluetooth-connected dongle tapping into your car’s ECU with a password of ‘0000’ or ‘1234’? It just isn’t worth the risk. Sure, these devices are meant to be ‘read-only’ and, in most cars, they’ll be out of sight under the dashboard and won’t work if your car’s ignition is switched off. But frankly, there’s no such thing as ‘100% guaranteed security’, so why leave the crooks an opening?

And yep, it might sound like we’re calling for the tin hats on this, but the reality is there are known denial of service (DoS) attacks already possible over OBD-II, and an interesting white paper from the Software Engineering Institute of Carnegie Mellon University highlights the potential security issues (tinyurl.com/yaa59tn9, PDF).

All we’re saying is that it’s better to be safe than sorry.

BUYER BEWARE

So there it is — the tools for scanning ECU codes from your set of wheels are as close as eBay and your Android phone. Are they perfectly safe for your car? The cheap ELM327 clone scanners are only supposed to read data from your ECU, not write to it beyond clearing DTCs and plenty of reviews suggest users swear by them (rather than ‘at’ them). All we can say is we’ve tried two different units on a 2005 Mazda 3 sedan and we’ve seen no ill effects so far. Beyond that, though, it’s definitely ‘buyer beware’.


IMAGE CAPTIONS

The Viecar dongle won’t start until you press the power button.
The OBD-II port is under the dash between the door and steering column.
This no-name $5 ‘OBDII’ ELM327 Bluetooth dongle came from eBay.
A Viecar VC004A OBD Bluetooth dongle purchased on eBay for about $5.
The ELM327 dongle powers up as soon as you plug it into the OBD-II socket.
The ELM327 clone reading my car’s revolutions per minute (RPM) counter.
Most OBD-II dongles have a ‘0000’ Bluetooth pairing password.
More professional scanners like this Bosch OBD 1100 sell for around $200.
Any Bluetooth-ready Android device can pair up with most OBD-II dongles.
The default Torque Lite settings aren’t bad but it is highly configurable.
The ELM327 clone’s function support via ELM327 Identifier app.
Despite an older firmware, the Viecar dongle shows better support.
