CANBUS and OBD2 connector/interface
mattgreen
 


Member Since: 15 Sep 2009
Location: Worksop
Posts: 211

United Kingdom 2012 Discovery 4 3.0 SDV6 HSE Auto Santorini BlackDiscovery 4
CANBUS and OBD2 connector/interface

I have one of the cheap OBD2-USB interfaces (from eBay) - am I correct in thinking that this will be able to communicate with all devices/systems in the car provided I had the correct software?

I've read the many comments on here that generic OBD2 software only provides access to a subset of the data/diagnostics available. I've also seen devices like the FaultMate which presumably use the same connector but have much more comprehensive software that can access the other systems on the bus - is this right?

Cheers
Matt
  
Post #711965 4th Nov 2010 1:23 pm
anglefire
 


Member Since: 09 Mar 2010
Location: In the Club House
Posts: 4180

England 

No.

All you will be able to read are the generic codes - it's unlikely that there will be any software around that can get you around the other modules - there is a lot of security, which devices, such as the FaultMate, have got around.
 Mark.
2006, D3 SE Auto - gone but not forgotten.
2014 BMW 530d M Sport Tourer.
1977 Triumph Spitfire 1500

_________________________________________________
Disco Picture Website Here 
 
Post #711991 4th Nov 2010 2:27 pm
mattgreen
 


Member Since: 15 Sep 2009
Location: Worksop
Posts: 211

United Kingdom 2012 Discovery 4 3.0 SDV6 HSE Auto Santorini BlackDiscovery 4

anglefire wrote:
No.

All you will be able to read are the generic codes - it's unlikely that there will be any software around that can get you around the other modules - there is a lot of security, which devices, such as the FaultMate, have got around.


So how has the Faultmate circumvented the security features? In theory I guess I could write my own software that circumvented it too...
  
Post #712020 4th Nov 2010 3:34 pm
anglefire
 


Member Since: 09 Mar 2010
Location: In the Club House
Posts: 4180

England 

In theory you could I guess - I wouldn't know where to start - my limitations of software writing are various PLC ladder logic and other controls protocols and limited VB. All high level!
 Mark.
2006, D3 SE Auto - gone but not forgotten.
2014 BMW 530d M Sport Tourer.
1977 Triumph Spitfire 1500

_________________________________________________
Disco Picture Website Here 
 
Post #712124 4th Nov 2010 7:36 pm
mattgreen
 


Member Since: 15 Sep 2009
Location: Worksop
Posts: 211

United Kingdom 2012 Discovery 4 3.0 SDV6 HSE Auto Santorini BlackDiscovery 4

I think I'd need to start with some specification of the messages that the Land Rover specific modules on the bus use.

Writing a protocol decoder is something that isn't a massive headache (I've done one before for a RADAR protocol).

I'd also need to work out if the cheap OBD2 device I have can physically communicate onto the CAN bus(es) in the Discovery - does anyone know?

I think the biggest step would be to get hold of any message specs - I did notice some in the workshop manual...

...maybe I'll take another look in there.

Matt
  
Post #712148 4th Nov 2010 8:30 pm
BBS SPY
Site Sponsor 


Member Since: 15 Jun 2007
Location: Sunny Cyprus
Posts: 3054

Cyprus 2005 Discovery 3 TDV6 Base 7 Seat Auto Bonatti GreyDiscovery 3

Quote:
So how has the Faultmate circumvented the security features? In theory I guess I could write my own software that circumvented it too.


I guess since we have done it, it must seem quite easy to do, huh Whistle

Everyone now knows that our equipment provides such things as CCF edit capabilities, amongst many other features on our system, and the value of being able to do that is now well known and appreciated. After all we have solely been providing this for almost a year now.

Given its value, worth and desirability, you now have to really start wondering why our competitors are still not yet providing the same capability. They sure as hell have access to our equipment and can see what we are sending to and getting from the ECUs.

The answer is of course in the security features.
For the vast majority of features an ECU provides diagnostically, like reading and clearing fault codes, accessing live data values and so on, you do not need to "pass security". However for anything more involved, like CCF editing or re flashing, you do.

So just how hard can that be?

Well you start by requesting a randomly generated seed. This takes the form of a 3 hexadecimal byte number that in decimal equates to anywhere between 0 and 16777215
or in binary 0000000000000000000000 to 111111111111111111111111.
Then you apply the secret cyclic conversion algorithm to this, which can be in Boolean form or normal mathematical form. However it is important to realise that the result does not have to be reversible.
IE multiply by eBay Item No. 602654987321 and take only the last 7 digits is quite valid along with XOR with 101111010111000001110001110011.

If the software you are using somehow manages to calculate exactly the right answer and supply exactly the right 3 hexadecimal values to the specific ECU, and each one is different, then you can write new CCF contents, reflash as desired and so on, and never even guess or imagine what really went on behind the scenes to allow you to do this, then I guess you must be using one of our systems.

You are welcome to wonder as much as you wish just how we achieved this, and I am quite sure that no matter how much wondering you may apply, it would not come close to how much Ford are trying to figure out how we beat such a seemingly invincible anti access system. But nonetheless we quite obviously have.

And so many members now have just cause to thank us for that.
  
Post #712161 4th Nov 2010 8:56 pm
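
The seed/key exchange described in the post above, modelled from the ECU's side as an added example (not part of the original thread and not any vendor's code). HMAC-SHA256 truncated to 3 bytes stands in for the undisclosed algorithm; the `Ecu` class, the secret value and the three-attempt lockout are assumptions.

```python
import hashlib
import hmac
import secrets

SEED_LEN = 3       # 3-byte seed, 0..16777215, as described in the post
MAX_FAILURES = 3   # assumed lockout threshold (not from the thread)


def derive_key(ecu_secret: bytes, seed: bytes) -> bytes:
    """Stand-in one-way seed-to-key function (HMAC-SHA256 cut to 3 bytes)."""
    return hmac.new(ecu_secret, seed, hashlib.sha256).digest()[:SEED_LEN]


class Ecu:
    """Hypothetical ECU-side model of the seed/key unlock."""
    def __init__(self, ecu_secret: bytes):
        self._secret = ecu_secret      # different for each ECU
        self._pending_seed = None
        self.failures = 0
        self.unlocked = False

    def locked_out(self) -> bool:
        return self.failures >= MAX_FAILURES

    def request_seed(self) -> bytes:
        if self.locked_out():
            raise PermissionError("too many failed key attempts")
        self._pending_seed = secrets.token_bytes(SEED_LEN)
        return self._pending_seed

    def send_key(self, key: bytes) -> bool:
        if self.locked_out() or self._pending_seed is None:
            return False
        expected = derive_key(self._secret, self._pending_seed)
        self._pending_seed = None      # each seed accepts one answer only
        if hmac.compare_digest(expected, key):
            self.unlocked, self.failures = True, 0
            return True
        self.failures += 1             # a 3-byte key is guessable, so count misses
        return False


def demo() -> tuple:
    secret = b"constructed-secret"     # constructed sample value
    ecu = Ecu(secret)
    good = derive_key(secret, ecu.request_seed())
    rejected = not ecu.send_key(bytes([good[0] ^ 1]) + good[1:])  # one bit off
    accepted = ecu.send_key(derive_key(secret, ecu.request_seed()))
    return rejected, accepted, ecu.failures
```

With only 24 bits of key, the attempt counter and single-use seeds are what bound guessing; the secrecy of the algorithm alone does not.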
geoff.
 


Member Since: 24 Jan 2010
Location: West kent
Posts: 8531

England 

Thank you Colin Thumbs Up

ps having had the required lesson on how to use my MSV2 I'm just loving it (thanks wiggs)


Geoff
  
Post #712175 4th Nov 2010 9:14 pm
anglefire
 


Member Since: 09 Mar 2010
Location: In the Club House
Posts: 4180

England 

BBS SPY wrote:
Quote:
So how has the Faultmate circumvented the security features? In theory I guess I could write my own software that circumvented it too.


...Well you start by requesting a randomly generated seed. This takes the form of a 3 hexadecimal byte number that in decimal equates to anywhere between 0 and 16777215
or in binary 0000000000000000000000 to 111111111111111111111111.
Then you apply the secret cyclic conversion algorithm to this, which can be in Boolean form or normal mathematical form. However it is important to realise that the result does not have to be reversible.
IE multiply by eBay Item No. 602654987321 and take only the last 7 digits is quite valid along with XOR with 101111010111000001110001110011.

...


Well, there you go, I knew it would be simple. Rolling with laughter

To be honest, I used the services of Wiggs to do some mods for me, as I couldn't, in the end, justify the cost of a MSV - or at least I could, but SWMBO couldn't Whistle

But I'm sure 1000% that creating your own version would cost a heck of a lot more than the MSV - and what if you got it wrong? Whistle
 Mark.
2006, D3 SE Auto - gone but not forgotten.
2014 BMW 530d M Sport Tourer.
1977 Triumph Spitfire 1500

_________________________________________________
Disco Picture Website Here 
 
Post #712187 4th Nov 2010 9:23 pm
mattgreen
 


Member Since: 15 Sep 2009
Location: Worksop
Posts: 211

United Kingdom 2012 Discovery 4 3.0 SDV6 HSE Auto Santorini BlackDiscovery 4

BBS SPY wrote:

You are welcome to wonder as much as you wish just how we achieved this, and I am quite sure that no matter how much wondering you may apply, it would not come close to how much Ford are trying to figure out how we beat such a seemingly invincible anti access system. But nonetheless we quite obviously have.

And so many members now have just cause to thank us for that.


Well that sounds like a challenge.

My initial guesses are, in rough order of time and effort to achieve success:-

-1) the secret algorithm is incredibly dumb and you guessed it first time
0) you were the original designer/inventor of the algorithm
1) you have access to the design of the "secret cyclic conversion algorithm"
2) you have access to the source code implementing said algorithm
3) you have decompiled the compiled code in an ECU that implements the algorithm
4) you captured request & response messages on the CAN bus whilst performing a secured operation using existing manufacturer's equipment - then used this data as the basis for some cryptanalysis
5) you brute-force attacked it with various candidate algorithms and cycle times

Without having seen it - it sounds conceptually similar to a 'rotating cipher' (somewhat analogous to the Enigma machine but I'm no expert).

Matt
  
Post #712188 4th Nov 2010 9:27 pm
mattgreen
 


Member Since: 15 Sep 2009
Location: Worksop
Posts: 211

United Kingdom 2012 Discovery 4 3.0 SDV6 HSE Auto Santorini BlackDiscovery 4

oops, I forgot one:-

-2) You Googled for the answer
  
Post #712194 4th Nov 2010 9:41 pm
mattgreen
 


Member Since: 15 Sep 2009
Location: Worksop
Posts: 211

United Kingdom 2012 Discovery 4 3.0 SDV6 HSE Auto Santorini BlackDiscovery 4

I've done a bit of Googling around and come up with one possible approach to break the security (this is an approach used on Ford ECUs).

I can't vouch for the authenticity nor correctness of the comments made - it's the best I could find in an hour.
http://www.canbushack.com/blog/index.php/2...ess-anyone
  
Post #712224 4th Nov 2010 10:39 pm
fade2grey
 


Member Since: 06 Sep 2008
Location: Reading
Posts: 304

United Kingdom 2006 Discovery 3 TDV6 HSE Auto Unknown ColourDiscovery 3

yup, so I think the upshot is that yes it's possible to do it via the OBDII connector using a std usb type cable providing you get the crypto right & have suitable software to make the changes. (a-la vag-com etc). I'd be interested to see what you come up with, it can't be impossible - everything's reversible or crackable, just depends on how long it takes..
 56 HSE  
Post #712378 5th Nov 2010 11:20 am
mattgreen
 


Member Since: 15 Sep 2009
Location: Worksop
Posts: 211

United Kingdom 2012 Discovery 4 3.0 SDV6 HSE Auto Santorini BlackDiscovery 4

fade2grey wrote:
I'd be interested to see what you come up with, it can't be impossible - everything's reversible or crackable, just depends on how long it takes..


Yes, it certainly must be do-able given it's been done before.

I think in the first instance I'll look at the fault code reading and resetting - the crypto stuff I believe is needed for the more advanced features (like re-flashing devices). Those features are worth more so require a larger upfront investment in time/money to solve.

Of course they should have used a digital certificate (public/private key) based authentication mechanism then it would have been only the CIA or GCHQ who could re-flash my satnav Wink
  
Post #712430 5th Nov 2010 12:52 pm
ids
 


Member Since: 12 May 2009
Location: Herefordshire
Posts: 384

England 

I'm interested in what kind you got.

Do you know if it can see/decode CAN Hi and Low speed buses?

I'm looking for a module just to 'see' basic sensor data to try and mirror what the Terrain Response system sees from the diffs, wheel speed sensors, suspension heights etc on my Carputer.

Not bothered about CCF/Fault Reading/editing as I would get a FaultMate or Hawkeye to do the same when funds allow.

Someone must know...... Smile
  
Post #712570 5th Nov 2010 5:47 pm
mattgreen
 


Member Since: 15 Sep 2009
Location: Worksop
Posts: 211

United Kingdom 2012 Discovery 4 3.0 SDV6 HSE Auto Santorini BlackDiscovery 4

I bought it off eBay - it uses this chipset ==> http://www.ftdichip.com/Products/ICs/FT232B.htm

I'm about to test whether it can use the hi and lo speed CAN bus - I suspect (though will need to confirm this) that if I can read the OBD2 generic data then it can read the Land Rover specific stuff, but I will need to confirm that the generic data uses the CAN bus.

I'm also using it to talk K-bus to the Webasto FBH but that needs wiring directly into the FBH rather than the Discovery bus. I assume there is a controller (the HEVAC controller I guess) in between that translates.

Matt
  
Post #712598 5th Nov 2010 6:31 pm
DISCO3.CO.UK Copyright © 2004-2024 Futuranet Ltd & Martin Lewis