
CAN Bus/OBDII Hacking?

mongo

Thanks for chiming in and finding the video! I had not seen that one since the initial 'We broke your Range Rover'

We need a healthy respect for the now very advanced electronics in cars...it is way beyond 'electrical'...

Regards
Jack
Yeah, signal integrity can be a pain (electrical engineering vs electrician level (nothing against electricians)). Automotive is still mostly fixable, though sometimes it requires replacing the harness...
OP
truck

I'm a network analyst, and have some experience with Wireshark. If you have the pcap file, I'd definitely check it out!
Will send as soon as I get back home.

CAN bus is still used for local communication and you can tap into those easily enough, but I have also been wondering about how to tap into the Etherloop.

@truck , how were you able to capture traffic? (what hardware? connected where?)
All I used was my laptop, Wireshark, a TP-Link USB-C to Ethernet converter, and this OBD to RJ45 cable. Gonna try some other things to see if it'll give different data.
 

TickTock

CAN bus is pretty resilient. It supports multi-drop so is fairly tolerant of impedances and, being used in ICE automotive systems (think induction coils, spark plugs, etc.), has a fair amount of noise tolerance. The problem with the Cybertruck is the CAN buses appear to be used point-to-point (see schematic below) so you would probably only get very specific messages. I hacked the crap out of my Nissan Leaf - you could access almost everything from one CAN bus. It appears we will need to use the Etherloop if we really want that level of access in the Cybertruck.




[Attached image: schematic]
 

mongo

Yeah, no CAN-D with gateway access to powertrain and body CAN busses like the old days...
 


OP
truck

Updated with new info
 

TickTock

Good information. You are probably right that there is some scrambling going on. This is common for most high speed interfaces to make them more immune to deterministic error sources (such as reflections or package resonance). This way if a packet fails checksum, it won't just re-send the exact same pattern that it had problems with the first time. Good news is these are typically LFSR24 or similar and can usually be ferreted out with enough data. If, however, it is actual encryption (i.e. 128b or higher) then our chances drop significantly and, at that point, it becomes illegal anyway.
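An added example, not part of the post above: it shows why a scrambler built on a linear feedback shift register gives no confidentiality. With a known prefix, the Berlekamp-Massey algorithm recovers a 24-bit recurrence from 64 keystream bits, while the same measurement on SHA-256 output (standing in for a real cipher keystream) finds no short register. The taps, seed, frame layout and function names are constructed for illustration and describe no vehicle's link.

```python
import hashlib

# Constructed 24-bit recurrence (an assumption): s[n] = s[n-1]^s[n-2]^s[n-7]^s[n-24]
TAPS = (1, 2, 7, 24)

def lfsr_stream(seed, taps, n):
    """Extend seed bits to n bits with the linear recurrence given by taps."""
    s = list(seed)
    while len(s) < n:
        s.append(sum(s[-t] for t in taps) & 1)
    return s[:n]

def berlekamp_massey(bits):
    """Shortest LFSR for bits: (L, c) with s[i] = XOR of c[j] & s[i-j], j = 1..L."""
    n, L, m = len(bits), 0, -1
    c, b = [1] + [0] * n, [1] + [0] * n
    for i in range(n):
        d = bits[i] ^ (sum(c[j] & bits[i - j] for j in range(1, L + 1)) & 1)
        if d:                                  # prediction missed: correct c using b
            t, shift = c[:], i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:                     # register must grow
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]

def to_bits(data):
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]

def from_bits(bits):
    return bytes(int("".join(map(str, bits[k:k + 8])), 2) for k in range(0, len(bits), 8))

def descramble(frame, known_prefix):
    """Known prefix yields keystream; solve for the LFSR; extend it over the frame."""
    ks = [f ^ p for f, p in zip(frame, known_prefix)]
    L, c = berlekamp_massey(ks)
    taps = tuple(j for j in range(1, L + 1) if c[j])
    full = lfsr_stream(ks, taps, len(frame))
    return L, taps, from_bits([f ^ k for f, k in zip(frame, full)])

def demo():
    preamble, payload = b"\x55" * 8, b"constructed payload"   # constructed frame
    plain = to_bits(preamble + payload)
    ks = lfsr_stream(to_bits(b"\xa5\x3c\x96"), TAPS, len(plain))
    return descramble([p ^ k for p, k in zip(plain, ks)], to_bits(preamble))

def hash_keystream_complexity():
    """Linear complexity of 256 bits of SHA-256 output; expect roughly 128."""
    return berlekamp_massey(to_bits(hashlib.sha256(b"constructed").digest()))[0]
```

A linear complexity far below half the sample length points to scrambling; a value near half the length means no short LFSR explains the data.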
 
OP
truck

Has anyone got anywhere on this? I saw a Cybertruck dash screen getting info over the CAN bus!

Seems like it's definitely possible. Also very curious about the data over the lightbar databus mod wires.




Product: https://www.tesstudio.com/products/cybertruck-carplay-dashboard-screen-c9-9-in-touch-screen-tesstudio®?gad_source=1&gbraid=0AAAAAqxHfaPPuqwcM4CNLr1sMkWaH21_9&gclid=Cj0KCQiA7se8BhCAARIsAKnF3rzPj4SoXB8paFmtTJoQLGdTxOgO_kiRhcHab4R_RXy8JHkYvUabYB0aAtDZEALw_wcB
I thought this was just another generic overpriced Android box branded as “Tesla specific” but this actually taps into the CAN bus. It’s similar to the 3/Y where you have to remove the trim and install a MITM thing. The install guide is here, maybe the footwell OBD port is for toolbox only?
https://cdn.shopify.com/s/files/1/0...el_Installation_Instructions.pdf?v=1737077553
 

CyberGian

Will send as soon as I get back home.


All I used was my laptop, Wireshark, a TP-Link USB-C to Ethernet converter, and this OBD to RJ45 cable. Gonna try some other things to see if it'll give different data.
Great try! Maybe the Ethersnoop interface (RJ45) could provide more Ethernet packet info, because they said this interface is used for vehicle debugging.
 

cybercricket

I would assume the CT has an OBD automotive interface which may give you access to the CAN messages - that would be the safest way to *see* the messages.

I would NOT recommend attempting to hack into wiring, harnesses for CAN Bus. CAN Bus is a timed [critical] communication system where even the wire impedance needs to be matched - and termination is required for the timing to operate correctly. The CAN controllers [interface chips] detect that.

It can be so critical - that it can be impracticable to 'repair' a broken CAN Bus harness.

I recall the YouTube TFL guys reported that Range Rover Service SCRAPPED their entire new Range Rover after cutting the CAN harness when attempting to add the factory winch option.

They were utterly shocked you could not 'crimp' the harness back together - CAN bus speeds are in the 20 - 40MHz - this is so fast you could send live video - which is typically sent on COAX cable. CAN bus has some error correction built in - but that is limited - it is not made to work with a broken, frayed harness.

..so don't f**k with it...simply disconnecting the sub-system would be detected and could cause the system to go into limp mode, error mode, etc.

You'd likely find a 'cap' with matching resistors on expansion CAN ports like for example winch control or the light bar. [not everything/option would be using CAN bus]

I am not an EE, but work on critical systems that employ such things as CAN bus...I know enough to not mess with trying to wire one up myself.



Regards
Jack
CAN is a well-understood standard that is also widely used outside of automotive applications. Pretty much all modern industrial motor controllers (such as for forklifts), chargers, solar and battery inverters, and BMSes speak CAN, and there is a lot of knowledge available regarding the topic on discussion boards such as www.diyelectriccar.com and diysolarforum.com. It's pretty robust and is not as finicky as you're describing. 40 MHz you say? Have you heard of Cat6A? :)