Sunday, April 30, 2023

how to update DC motor To Hacks


 how to update DC motor To Hacks

How to hack a car — a quick crash course

The goal of this article is to get you started hacking cars — fast, cheap, and easy. In order to do this, we'll spoof the RPM gauge as an example.


The following is by no means an exhaustive tutorial. It instead aims to provide just enough information to get you up and running. If you want to dig deeper you can check out the must-reads at the end.


If you decide to carry out this tutorial in real life, you'll need a Linux computer (or a virtual Linux machine), and a CAN-to-USB device (which we'll look into later).


A car is a network

A car consists of multiple computers that control the engine, transmission, windows, locks, lights, etc. These computers are called electronic control units (ECUs) and communicate with each other over a network.


For example, when you press the button on your steering wheel to increase the volume of the radio, the steering wheel ECU puts a "volume up" command onto the network; the radio ECU sees this command and acts accordingly.


There are multiple networks in a car, generally at least two:


One for critical data such as engine and powertrain messages

And one for less critical data such as radio and door locks

The critical network uses a fast and reliable protocol whereas the non-critical network uses a slower, less reliable but cheaper protocol. The number of networks as well as which ECUs are networked together depends on the car make, model and year. An ECU could also be connected to multiple networks.


Connecting to a network

Some networks can be accessed via the OBD-II port. OBD-II has been mandatory on all cars and light trucks sold in the US since model year 1996; its European counterpart, EOBD, has been required on new petrol cars since 2001 and on diesel cars since 2004.


The connector is within arm's reach of the driver's seat. You might need to remove a plastic cover, but it is always accessible without tools.

The OBD-II standard allows for five signaling protocols (SAE J1850 PWM, SAE J1850 VPW, ISO 9141-2, ISO 14230 KWP2000 and ISO 15765 CAN). It's up to the manufacturer to decide which one to use. CAN is the most popular one and is what we will discuss. It is accessible via pins 6 (CAN High) and 14 (CAN Low) of the OBD-II connector. If your car has a CAN bus, you will see metal leads on those pins, as in the connector image above.


The CAN bus is a reliable, high-speed bus used to carry critical data. The frame format itself is standardized (ISO 11898), but the meaning of the identifiers and payloads is not: apart from the small set of standardized OBD-II diagnostic requests, every manufacturer defines its own messages, so you will need to reverse them to find out what they mean. The OBD-II standard also leaves room for vendor-specific pins that carry vendor-specific protocols, which makes it easier for the dealer to diagnose problems.


On my car (GM), I have a standard CAN bus on pins 6 and 14, and a vendor specific single wire CAN bus on pin 1. The standard CAN bus is a reliable, high speed (500 kbps) protocol also referred to as high speed CAN (HS-CAN). It is used for critical data. The single wire CAN bus (SW-CAN) or GMLAN is slower (33.3 kbps) and less reliable but cheaper since it only uses one wire. This bus is used for non-critical data.


If you see a vendor specific pin and don't know which protocol is being used, Google "<make> OBD pinout". There is also low speed CAN (LS-CAN) and medium speed CAN (MS-CAN). MS-CAN is generally on pins 3 & 11, running at 125 kbps on Ford and Volvo cars.


Tools

You will need both a device that is capable of receiving and transmitting CAN frames and software to analyze the data.

Hardware

To receive and transmit CAN packets you need a device built for it. You will often come across ELM327-based devices. While they have their use, they are terrible for hacking: they are built to answer OBD-II diagnostic queries one at a time, and their serial link is far too slow to keep up with the raw traffic on a 500 kbps bus, so they drop most of the frames you want to see.


There are also high-end devices like Kvaser, Peak or EMS Wünsche. These will get the job done but are overkill and pretty expensive.


Some high-end devices also require you to purchase software along with them. The USB2CAN is a native CAN interface for Linux that offers great value for money.


You could also use CANtact or CANUSB. These aren't native CAN devices in Linux: they speak an ASCII-based serial protocol (slcan) over a virtual COM port, which makes them slightly more complicated to set up and lowers their performance, although can-utils ships slcand to attach them as a SocketCAN interface. On the other hand, they are well supported across multiple operating systems.


I use CANalyze which I've designed for my needs. It is similar to USB2CAN in that it's an affordable native CAN interface but it uses a newer micro controller, is open source and can be built using open source tools. The rest of this tutorial assumes you are using a native CAN interface.


Software

To communicate with the device you need to install the can-utils package on your Linux machine. You can do this by typing the following at the Linux prompt:


sudo apt-get install can-utils

can-utils makes it extremely easy to send, receive and analyze CAN packets. These are the commands that we will use:


cansniffer: display only the packets whose contents are changing

candump: dump all received packets (or log them to a file with -l)

cansend: send a single packet

Linux has CAN support built in to the kernel via SocketCAN. This makes it easy to write your own additional programs. You can interact with the CAN bus in the same way you would interact with any other network i.e. via sockets.


CAN bus

Before you start reversing, you should have some understanding of how the CAN bus works. It consists of two wires (CAN High and CAN Low) and uses differential signaling. Since it's a bus, multiple devices can be connected to the same two wires. There is no per-ECU addressing: when a CAN frame is sent on the bus it is received by every ECU, and each one decides from the identifier whether to process or ignore it. If several ECUs start transmitting at the same time, bitwise arbitration on the identifier lets the frame with the highest priority through undamaged while the others back off and retry once the bus is idle. A CAN frame has three parts that are relevant to us.


arbitration identifier The identifier of a message. An ECU uses it to decide to process or ignore the received frame. It also represents the message's priority. A lower number has a higher priority. So for example, if you'd be an engineer designing the network, you would give the frame for the deployment of airbags a very high priority or a low arbitration ID. On the other hand you'd give a lower priority or higher arbitration ID to data meant for the door locks.

data length code (DLC) indicates the length of the data field in bytes. A classic CAN frame carries at most 8 bytes of data (CAN FD, found on newer cars, extends this to 64 bytes but uses a different frame format).

data field contains the payload, up to 8 bytes of data.
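The three fields above map directly onto the frame layout that Linux SocketCAN hands to user space. The following is an added example, not code from the original article: it packs and unpacks a classic CAN frame in the SocketCAN struct can_frame layout (32-bit identifier with flag bits, DLC, padding, 8 data bytes), enforces the 11-bit/29-bit identifier widths and the 8-byte payload limit, and picks the arbitration winner among competing identifiers. The frame values used are made up for illustration; send_frame needs a real or virtual (vcan) interface and is not exercised here.

```python
"""Added example (not from the original article): pack and unpack a classic CAN
frame in the Linux SocketCAN ``struct can_frame`` layout and decide arbitration."""
import struct

# struct can_frame: u32 can_id, u8 len, 3 bytes padding, 8 data bytes (16 bytes total).
# The flag bits and masks below are the ones defined in <linux/can.h>.
CAN_FRAME_FMT = "=IB3x8s"
CAN_MTU = struct.calcsize(CAN_FRAME_FMT)   # 16
CAN_EFF_FLAG = 0x80000000                  # extended (29-bit) identifier
CAN_RTR_FLAG = 0x40000000                  # remote transmission request
CAN_ERR_FLAG = 0x20000000                  # error frame
CAN_SFF_MASK = 0x000007FF                  # 11-bit standard identifier
CAN_EFF_MASK = 0x1FFFFFFF                  # 29-bit extended identifier


def pack_frame(can_id: int, data: bytes, extended: bool = False) -> bytes:
    """Build the 16-byte buffer that write(2) on a CAN_RAW socket expects."""
    if len(data) > 8:
        raise ValueError("classic CAN carries at most 8 data bytes (CAN FD is a different frame format)")
    if extended:
        if can_id > CAN_EFF_MASK:
            raise ValueError("extended identifier wider than 29 bits")
        can_id |= CAN_EFF_FLAG
    elif can_id > CAN_SFF_MASK:
        raise ValueError("standard identifier wider than 11 bits; pass extended=True")
    # The DLC is the real payload length; the data field is zero-padded to 8 bytes.
    return struct.pack(CAN_FRAME_FMT, can_id, len(data), data.ljust(8, b"\x00"))


def unpack_frame(buf: bytes) -> dict:
    """Split a raw can_frame into identifier, flags, DLC and payload."""
    if len(buf) != CAN_MTU:
        raise ValueError(f"expected {CAN_MTU} bytes, got {len(buf)}")
    raw_id, dlc, data = struct.unpack(CAN_FRAME_FMT, buf)
    extended = bool(raw_id & CAN_EFF_FLAG)
    return {
        "id": raw_id & (CAN_EFF_MASK if extended else CAN_SFF_MASK),
        "extended": extended,
        "rtr": bool(raw_id & CAN_RTR_FLAG),
        "error": bool(raw_id & CAN_ERR_FLAG),
        "dlc": dlc,
        "data": data[:dlc],   # bytes beyond the DLC are padding, not payload
    }


def arbitration_winner(ids) -> int:
    """Identifier that wins arbitration among standard 11-bit IDs sent at once.
    Dominant bits (0) beat recessive bits (1) from the MSB down, so the numerically
    lowest identifier wins without corrupting anything; losers retransmit later."""
    return min(ids)


def send_frame(iface: str, frame: bytes) -> None:
    """Write one packed frame to a SocketCAN interface (Linux only, e.g. vcan0 for testing)."""
    import socket
    with socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW) as sock:
        sock.bind((iface,))
        sock.send(frame)


if __name__ == "__main__":
    # Constructed values: a 3-byte payload on a standard ID and a UDS-style extended ID.
    frame = pack_frame(0x244, bytes([0x00, 0x0C, 0x80]))
    print(frame.hex(), unpack_frame(frame))
    print(unpack_frame(pack_frame(0x18DAF110, b"\x01\x02", extended=True)))
    print(hex(arbitration_winner([0x244, 0x0C9, 0x1A1])))
```

To try it on a bus-less machine, create a virtual interface with `sudo ip link add dev vcan0 type vcan && sudo ip link set up vcan0`, run `candump vcan0` in one terminal and call send_frame("vcan0", pack_frame(...)) from another; the dumped line will show the same ID and DLC-trimmed data that unpack_frame reports.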

Reversing the CAN bus

The general approach to reversing the CAN bus is to generate the behavior you want to mimic and find the message that causes that behavior. For example, let's say the lane keeping assist system (LKAS) on your car is crap and you've made your own.


In order for it to control the steering, you need to know what messages to send. The way to figure this out is to turn on the original LKAS, monitor the CAN bus and identify the packets responsible for turning the steering wheel. Once you have identified these packets, you can have your own LKAS send these packets onto the CAN bus to control the steering wheel.


In our case, we want to spoof the tachometer, so we need to change the RPM by stepping on the gas with the engine running and the transmission in neutral (car stationary), and then try to find the packet responsible for changing the RPM. Keep in mind that, unlike the one-off volume command, the RPM frame is broadcast periodically by the engine ECU, so a single spoofed frame only flickers the gauge; to hold a fake value you have to keep sending it at least as fast as the real one.
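The procedure above (record the bus at idle, record it while revving, keep only what moved, then replay a modified frame) can be done offline on candump logs instead of eyeballing cansniffer. The following is an added example, not code from the original article: it parses `candump -l` style lines, lists the IDs and byte offsets that are static at idle but change while revving (so counters and checksums that wiggle on both captures are filtered out), rewrites the suspected RPM field of a captured frame, and formats the result in cansend's ID#DATA syntax. The log lines, the ID 0x0F1 and the 0.25 rpm/bit scale are constructed for this example and are not measurements from any car.

```python
"""Added example (not from the original article): find the frame that tracks engine
RPM by diffing two candump captures, then build the cansend string to replay it."""
import re
from collections import defaultdict

# candump -l writes one frame per line: (timestamp) interface ID#HEXDATA
LOG_LINE = re.compile(
    r"^\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_candump(text: str):
    """Yield (can_id, data) from candump -l style text; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        data = bytes.fromhex(m.group("data")) if m.group("data") else b""
        yield int(m.group("id"), 16), data


def changing_bytes(frames):
    """Map each CAN ID to the set of byte offsets whose value was not constant."""
    seen = defaultdict(lambda: defaultdict(set))   # id -> offset -> values observed
    for can_id, data in frames:
        for i, b in enumerate(data):
            seen[can_id][i].add(b)
    return {cid: {i for i, vals in offs.items() if len(vals) > 1} for cid, offs in seen.items()}


def rpm_candidates(idle_log: str, rev_log: str) -> dict:
    """IDs (with byte offsets) that are static at idle but vary while revving.
    Anything that also changes at idle (alive counters, CRCs, sensor noise) is dropped."""
    idle = changing_bytes(parse_candump(idle_log))
    rev = changing_bytes(parse_candump(rev_log))
    out = {}
    for cid, offs in rev.items():
        interesting = offs - idle.get(cid, set())
        if interesting:
            out[cid] = sorted(interesting)
    return out


def spoof_rpm_frame(template: bytes, offset: int, rpm: int, scale: float = 0.25) -> bytes:
    """Copy a captured frame and overwrite a 16-bit big-endian RPM field at `offset`.
    ASSUMPTION: the 0.25 rpm/bit scale is made up for this example; the real scale and
    byte order must be derived by comparing the raw field with the dashboard reading."""
    raw = round(rpm / scale)
    if not 0 <= raw <= 0xFFFF:
        raise ValueError("rpm does not fit a 16-bit field at this scale")
    buf = bytearray(template)
    buf[offset:offset + 2] = raw.to_bytes(2, "big")
    return bytes(buf)


def cansend_string(can_id: int, data: bytes) -> str:
    """Format a frame the way cansend wants it: 3 hex digits for 11-bit IDs, 8 for 29-bit."""
    if len(data) > 8:
        raise ValueError("classic CAN payload is at most 8 bytes")
    width = 3 if can_id <= 0x7FF else 8
    return f"{can_id:0{width}X}#{data.hex().upper()}"


# Constructed captures (not real bus traffic). ID 0x1A1 carries an alive counter in
# byte 0 in both captures; ID 0x0F1 bytes 2-3 only move while revving (800 -> 4000 rpm).
IDLE_LOG = """\
(1682800000.000101) can0 1A1#00100000
(1682800000.010102) can0 0F1#00000C80
(1682800000.020103) can0 1A1#01100000
(1682800000.030104) can0 0F1#00000C80
(1682800000.040105) can0 1A1#02100000
"""
REV_LOG = """\
(1682800010.000101) can0 1A1#03100000
(1682800010.010102) can0 0F1#00001F40
(1682800010.020103) can0 1A1#04100000
(1682800010.030104) can0 0F1#00002EE0
(1682800010.040105) can0 1A1#05100000
(1682800010.050106) can0 0F1#00003E80
"""

if __name__ == "__main__":
    cands = rpm_candidates(IDLE_LOG, REV_LOG)
    print({hex(k): v for k, v in cands.items()})
    fake = spoof_rpm_frame(bytes.fromhex("00000C80"), offset=2, rpm=3000)
    print("cansend can0", cansend_string(0x0F1, fake))
```

In practice you would pipe real logs in (`candump -l can0` writes candump-YYYY-MM-DD_HHMMSS.log) and then loop the printed cansend command, or write the frame from a SocketCAN socket in a tight loop, because the engine ECU keeps broadcasting the genuine value and the gauge follows whichever frame arrived last.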
