A beginner’s guide to car hacking
Modern cars are powered by computers, but new wireless hardware can let you peek inside through On-Board Diagnostics and your Android phone. Darren Yates explains.
If you drive a car exceeding a certain age (five years in NSW), you’ll be familiar with the yearly trek to your local mechanic to have the registration safety and roadworthiness check — the ‘e-safety check’ — performed. While the check invariably requires a once-over of tyres and correct operation of all exterior indicator lights, the mechanic is also required to check your vehicle’s brakes. For most cars built in the last 15 years, it’s a relatively easy affair, thanks to a socket hidden under the dashboard near the driver’s side front door. This socket allows professional hand-held instruments to read diagnostics codes and real-time data from the vehicle’s engine control unit (ECU) about almost everything that’s going on, from fuel pressure to engine RPM. Now thanks to low-cost Bluetooth scanners, you can read much the same real-time engine data with your Android phone.
OBD-II INTERFACE
In 1996, the US mandated that all cars sold in the country’s market must carry an on-board diagnostics (OBD) interface for reading the car’s ECU codes and data. Today, OBD-II is a worldwide compliance standard and is supported on Australian vehicles going back as far as 1999 and the Holden VT Commodore. However, local OBD-II support start dates vary between manufacturer and model, so you’ll need to investigate your car independently.
Not only does OBD-II allow you to read data from the dozens of sensors floating around your vehicle’s engine bay, it also allows a mechanic to diagnose vehicle errors or ‘diagnostic trouble codes’ (DTCs) that otherwise appear as a mostly-meaningless engine warning light on your dashboard. The OBD-II port itself is known as a data link connector (DLC) and you’ll typically find it under the dashboard between the driver’s side door and the steering column.
HOW OBD-II WORKS
The 16-pin DLC interface electrically links to the ECU via an RS232-like serial bus and, to access data, you essentially send two eight-bit numbers, written in hexadecimal: one for the ‘mode’, the other for the ‘PID’ (parameter ID). The mode determines the type of data you want returned and the PID selects the specific data item. For example, to get real-time data on the current engine RPM (revolutions per minute), you send 0x1/0xC: 0x1 for Mode 1 (current data) and 0xC, the PID for ‘engine RPM’. This command returns a two-byte data field that is converted back to RPM values up to a maximum of 16,384rpm. Want current vehicle speed? You send 0x1/0xD, where 0x1 is Mode 1 as before and 0xD is the PID for speed, returned as a single byte for a maximum reading of 255km/h.
The combined mode/PID list is extensive and too much for us to cover here — you can get an idea of its breadth over at en.wikipedia.org/wiki/OBD-II_PIDs.
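The mode/PID exchange described above, as an added example (not code from the article): a small decoder for the ASCII reply lines an ELM327-style dongle returns for the RPM and speed requests. It assumes the standard SAE J1979 scalings (RPM = (256·A + B)/4 for the two-byte reply, speed = A km/h for the single byte) and the ELM327 convention that a positive response echoes the mode plus 0x40 followed by the PID; the sample replies are constructed.

```python
# Decoder for OBD-II Mode 01 replies as returned by an ELM327-style dongle.
# Added example; assumes SAE J1979 scalings and ELM327 ASCII reply formatting.

MODE_CURRENT_DATA = 0x01
PID_RPM = 0x0C
PID_SPEED = 0x0D


def build_request(mode, pid):
    """Format a mode/PID pair the way it is sent to the dongle, e.g. "01 0C"."""
    return f"{mode:02X} {pid:02X}"


def decode_current_data(reply, pid):
    """Decode one Mode 01 reply line for the given PID.

    Returns the scaled value, or None when the line is not a usable reply
    (the dongle answers 'NO DATA' or '?' when the ECU does not respond).
    """
    fields = reply.strip().upper().split()
    if len(fields) < 3:
        return None
    try:
        payload = [int(f, 16) for f in fields]
    except ValueError:
        return None  # e.g. "NO DATA", "?", "SEARCHING..."
    # A positive response echoes (mode + 0x40) and then the PID requested
    if payload[0] != MODE_CURRENT_DATA + 0x40 or payload[1] != pid:
        return None
    data = payload[2:]
    if pid == PID_RPM:
        if len(data) < 2:
            return None  # truncated two-byte field
        a, b = data[0], data[1]
        return (256 * a + b) / 4  # two bytes, tops out just under 16,384 rpm
    if pid == PID_SPEED:
        return data[0]  # one byte, max 255 km/h
    return None  # PID not handled by this example


# Constructed sample replies, in the form an ELM327 prints them
SAMPLE_REPLIES = {
    PID_RPM: "41 0C 1A F8",   # -> 1726.0 rpm
    PID_SPEED: "41 0D 3C",    # -> 60 km/h
}

if __name__ == "__main__":
    for pid, line in SAMPLE_REPLIES.items():
        print(build_request(MODE_CURRENT_DATA, pid), "->", decode_current_data(line, pid))
```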
WHY OBD-II MATTERS
As more and more cars began featuring ECUs, they each came with their own interface standard, making it a nightmare for mechanics and others to keep track of who was who in the zoo, particularly when it came to signal protocols. By 1991, the first On-Board Diagnostics standard (which eventually became known as ‘OBD-I’) was mandated in vehicles to offer basic diagnostic data access. However, there were no data signal protocols or connection standards included, so it was still a messy system.
Not long after, vehicle exhaust emissions testing began to receive serious consideration in the US and that’s when a more comprehensive standard in OBD-II came into force for cars in 1996. Having a single, unified interface system that covered all of the various protocols was vital if simplified engine servicing and testing was to become a reality.
Officially, there are five signal protocols now available for use on an OBD-II interface:
SAE J1850 PWM (pulse-width modulation)
SAE J1850 VPW (variable pulse width)
ISO 9141-2 (similar to RS232)
ISO 14230-4 KWP (keyword protocol)
ISO 15765-4 CAN (controller area network)
On top of that, you also have variations in ID bit length and data transmission speeds. When it comes to official documentation, there are dozens of ISO (International Organisation for Standardisation) and SAE (Society of Automotive Engineers) standards that refer to OBD-II and the combinations of protocol, speed and additional diagnostic functions added to previous versions. Even so, vehicle manufacturers reportedly don’t have to support all PIDs, and each car manufacturer also has its own additional PID sets. As a result, professional diagnostic tools, like those used by your mechanic for rego checks, have been around for much of the past two decades. But more recently, low-cost alternatives have become available to consumers and hobbyists, although the technology behind a number of these devices appears to have a murky back-story.
ELM327 MICROCONTROLLER
One of the earliest and most popular consumer-grade solutions to hit the market came courtesy of Canada’s ELM Electronics (elmelectronics.com). The company creates its own chips that read the different OBD standard codes from the different car makers. One of those chips was dubbed the ‘ELM327’, which, reports suggest, is actually an ELM-programmed Microchip PIC32 microcontroller. Unfortunately, it seems the company didn’t set the copy-protection bit on the original ‘version 1.0’ batch of chips, and that allowed hackers to read the op-codes from the chip and use them to create their own clones. Since then, eBay has been awash with ELM327-branded dongle clones selling for as little as US$3 and, competition being what it is, ‘version 1.5’ and even ‘version 2.1’ models soon began appearing. The only problem is that, in many cases, they’re just copies of this original v1.0 code, warts and all. ELM Electronics still develops its source code and manufactures its own chips (it recently released version 2.2), so you’ll also find genuine ELM327-powered devices on the market. So the question is: how can you tell if you’re getting a genuine ELM327 chip or a copy? Simple: if it costs you less than US$21, it’s a pretty safe bet it’s a copy, for that’s the price of a genuine ELM327 chip from ELM Electronics. The other giveaway is that the company doesn’t sell v1.5 or v2.1 versions.
But before you go around screaming ‘fake chips’, just be aware that, in the electronics industry, there are degrees of ‘fake’ and it’s a term thrown around a bit too freely. These ELM327 clones might not be genuine, but they appear to work. If you call that ‘fake’, so be it. But there are worse ‘fakes’ in the electronics industry: try ‘fake ICs’ (integrated circuits) that are nothing more than blobs of plastic, which some refer to as ‘slugs’. For example, popular retailer SparkFun Electronics was stung with a reel of dud ATMEGA328 microcontrollers (the chip used in the popular Arduino Uno DIY boards) back in 2010, at a time when this chip was apparently in short supply. When the SparkFun team investigated, these chips had nothing inside them (sparkfun.com/news/350).
But then on the other hand, I’ve seen people dub as ‘fake’ other chips legitimately manufactured under license by secondary manufacturers that perform exactly the same as the original. It’s hard to see these low-cost ELM327 clones falling into this category — but it still suggests you need to tread with some caution.
HOW OBD-II DONGLES WORK
We purchased two units for this story — a generic blue ‘ELM327’ Bluetooth dongle for about $5 on eBay, plus a second similar unit, a Viecar VC004-A, with the same styling but added power button for around the same price. The blue dongle identified itself on Bluetooth as ‘OBDII’, while the Viecar dongle simply came up as ‘viecar’.
In both cases, the dongle plugs straight into the OBD-II/DLC interface port and, even with the engine off and no keys in the ignition, both had power: the OBDII dongle powers up straight away, while the Viecar model requires you to press its power button.
ANDROID SOFTWARE
You can buy OBD-II clones that are hard-wired via USB, but the cheapest models feature Bluetooth only — still, that allows you to combine them with your Android device, thanks to the growing number of OBD-II ready apps available on Google Play.
We think the best of them is Ian Hawkins’ Torque, but we also reckon your first stop should be ELM327 Identifier (tinyurl.com/lfa7zz6). This simple app pairs your Android device with your ELM327 clone plugged into your vehicle to check the firmware version and just which of the genuine ELM OBD-II features are supported.
We used this app to test our two units: the blue ‘ELM327/OBDII’ dongle identified itself as having ‘ELM327 v2.1’ firmware, while the Viecar VC004-A had seemingly older ‘ELM327 v1.5’ code. However, what we found interesting about this is that, despite its older version code, the VC004-A actually had greater OBD-II function support, according to the ELM327 Identifier app.
Beyond that, to get real-time and logged data from your vehicle’s ECU, we think Torque is the app you want. There’s a free version called Torque Lite (tinyurl.com/cdjtljp), which is ideal to start with and loaded with plenty of features, but the $5 full version has bucketloads more. The first time you use Torque, you’ll get basic information from the ELM327 dongle, even with your vehicle’s ignition off, but the features list obviously comes alive when you fire up the ignition and the vehicle’s ECU kicks in, and that list is quite long. What’s more, Torque gives you excellent configuration options: you’ve got seven swipe screens, each of which can feature dials or graphs. You can move features around and even change their size. Torque isn’t the only option either; search Google Play for ‘OBD2’ and you’ll find plenty of apps, but we think Torque should top your list.
WHAT ABOUT HACKING?
OK, given these low-cost scanners are essentially read-only, the hacking you can do with them is more virtual — by graphing how you drive, you can learn, for example, that hard acceleration from a standing-start creates serious spikes in fuel consumption and by easing your way off the mark, you can reduce that consumption. If you drive a manual, you’d also likely be able to work out the optimum RPM point for changing gears, by comparing RPM with fuel consumption. So in effect, this is about hacking you as a driver and improving your skills.
However, it’s also possible to read, as well as reset, the error codes that light up your dashboard’s engine fault light, using an ELM327-style dongle and the Torque Lite app.
GETTING SERIOUS
But that’s not to say serious vehicle hacking can’t be done. Once you get past the low-cost read-only scanners, you move into full-on modding territory or ‘chip-tuning’, where you can make serious changes to engine function, for example, fudging the air intake temperature to change the fuel flowrate and make the engine generate more power. However, just be aware that incorrect tampering with your vehicle’s ECU could cause all sorts of trouble, including extremely serious engine damage. There are numerous professional services out there that will tune or ‘remap’ your car’s ECU, but just be sure you’re fully aware of the risks involved before you proceed.
SECURITY
One thing we wouldn’t recommend with these low-cost dongles is to leave them plugged into your car — not because they might fail as a result of heat, or eventually bleed your battery dry, but because of their essentially non-existent security. Think about it — a Bluetooth-connected dongle tapping into your car’s ECU with a password of ‘0000’ or ‘1234’? It just isn’t worth the risk. Sure, these devices are meant to be ‘read-only’ and, in most cars, they’ll be out of sight under the dashboard and won’t work if your car’s ignition is switched off. But frankly, there’s no such thing as ‘100% guaranteed security’, so why leave the crooks an opening?
And yep, it might sound like we’re calling for the tin hats on this, but the reality is there are known denial of service (DoS) attacks already possible over OBD-II, and an interesting white paper from the Software Engineering Institute of Carnegie Mellon University highlights the potential security issues (tinyurl.com/yaa59tn9, PDF).
All we’re saying is that it’s better to be safe than sorry.
BUYER BEWARE
So there it is — the tools for scanning ECU codes from your set of wheels are as close as eBay and your Android phone. Are they perfectly safe for your car? The cheap ELM327 clone scanners are only supposed to read data from your ECU, not write to it beyond clearing DTCs and plenty of reviews suggest users swear by them (rather than ‘at’ them). All we can say is we’ve tried two different units on a 2005 Mazda 3 sedan and we’ve seen no ill effects so far. Beyond that, though, it’s definitely ‘buyer beware’.