11

I'm trying to figure out how to lock and unlock the doors of a 2010 Toyota RAV4 using the CAN bus via the OBD-II port. I have a microcontroller attached via a CAN controller and a CAN transceiver, and I've written some firmware to capture and replay messages.

If I unlock the doors either via the key fob or the door button, I get a flurry of messages on an otherwise silent bus (key is out). However, replaying them does nothing. I suspected that it might be some kind of authentication issue, so I tried something less sensitive -- the headlights. Interestingly, when I replay the messages from turning the headlights on, the headlight indicator in the instrument cluster lights briefly, but the actual headlights do nothing.

I guess I have several questions:

1) Should this be possible over the CAN bus exposed on the OBD-II port? I've seen sources saying that doors are controlled by a different, slower bus, but I've also seen devices advertised that will lock the doors when you reach a particular speed.

2) Are the other buses exposed in any way?

3) Is there any way I can find out the meaning of the messages I've captured without paying vast amounts of money to Toyota?

Isvara

4 Answers

6

What you are wanting to do is possible. I've had similar experience and desire for my 2010 Camry. From my experience, reading messages from the OBD-II port wasn't getting me anywhere. It was like the CAN messages were only a response to me manually manipulating the car.

I would get a message response from locking or unlocking the doors with the key FOB, but sending that same message didn't do anything.

What you should do is get an OBD-II splitter cable and a copy of Toyota Techstream with a "mini VCI cable". This will allow you to read the messages the Techstream software sends through the OBD-II port.

You should be able to:

1- Lock and Unlock driver/all doors

2- Pop trunk

3- Turn on low and high beams and flashers

4- Honk the horn

5- Roll up and down windows

6- Etc.

..or at least it all worked for me!!

YMMV and good luck! :D

(I'm not responsible for damages to self or car.)

mccoy

5

Usually the OBD CAN bus is 'bridged' onto the other CAN buses of the vehicle, in order to facilitate diagnostics of ECUs on the other buses. However, the bridge may only pass diagnostic messages onwards :( It's different on every platform.

In terms of the protocol - it's a classic reverse engineering problem. You need to capture a few traces of the CAN activity when you press the unlock button and figure out what the format of the messages is. Your headlight example may indicate that there are multiple buses and you only have access to one of them (which goes to the dashboard unit, and not to the headlamps in this case).

With the door locks - it's quite possible there is also some kind of challenge-response going on which stops your simple "replay-attack".

Martin Thompson
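The trace-comparison step this answer describes, as an added example that is not part of the original answer: capture one trace with the bus idle and one around the event, then report which arbitration IDs appear only in the event trace and which payload bytes of an already-present ID change. The input format is the `candump -l` style `(timestamp) iface ID#DATA`; the two traces and every ID and payload in them are constructed for illustration, not captured from any vehicle.

```python
"""Diff two CAN traces to find IDs and payload bytes that change around an event.

Added example (not from the original post). Lines use the candump log format
`(timestamp) iface ID#DATA`. The sample traces below are constructed; the IDs
and payloads do not correspond to any real vehicle.
"""
from collections import defaultdict

# Constructed "bus idle" trace: two periodic IDs with fixed payloads.
BASELINE = """\
(1000.000) can0 1A0#0000000000
(1000.010) can0 2C4#1234000000
(1000.020) can0 1A0#0000000000
(1000.030) can0 2C4#1234000000
"""

# Constructed "event" trace: a new ID appears and one byte of 2C4 changes.
EVENT = """\
(1005.000) can0 1A0#0000000000
(1005.010) can0 2C4#1234000000
(1005.015) can0 3B7#40
(1005.020) can0 1A0#0000000000
(1005.025) can0 3B7#00
(1005.030) can0 2C4#1235000000
"""


def parse_candump(text):
    """Return a list of (timestamp, can_id, payload_bytes) from candump-style lines."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _iface, frame = line.split()
        can_id, data = frame.split("#")
        frames.append((float(ts.strip("()")), int(can_id, 16), bytes.fromhex(data)))
    return frames


def payloads_by_id(frames):
    """Map each arbitration ID to the set of distinct payloads seen for it."""
    seen = defaultdict(set)
    for _ts, can_id, data in frames:
        seen[can_id].add(data)
    return seen


def diff_traces(baseline_text, event_text):
    """Compare an idle trace with an event trace.

    Returns (new_ids, changed) where new_ids lists IDs absent from the
    baseline and changed maps an ID present in both to the sorted payload
    byte positions that differ from the baseline payload.
    """
    base = payloads_by_id(parse_candump(baseline_text))
    evt = payloads_by_id(parse_candump(event_text))
    new_ids = sorted(set(evt) - set(base))
    changed = {}
    for can_id in sorted(set(evt) & set(base)):
        novel = evt[can_id] - base[can_id]
        if not novel:
            continue
        ref = next(iter(base[can_id]))
        positions = set()
        for payload in novel:
            for i, (a, b) in enumerate(zip(ref, payload)):
                if a != b:
                    positions.add(i)
            # A length change counts every byte beyond the shorter payload.
            positions.update(range(min(len(ref), len(payload)), max(len(ref), len(payload))))
        changed[can_id] = sorted(positions)
    return new_ids, changed


if __name__ == "__main__":
    new_ids, changed = diff_traces(BASELINE, EVENT)
    print("IDs only in event trace:", [hex(i) for i in new_ids])
    print("changed byte positions :", {hex(k): v for k, v in changed.items()})
```

Run it against real captures by swapping the two string constants for the contents of two log files; repeating the event several times and intersecting the results filters out IDs that merely drift between captures.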
4

Even if you connect to the correct bus and broadcast the correct CAN message, you still run into the issue of transmitting a CAN message that is already being transmitted by another ECU.

The way CAN works, every CAN message has an Arbitration ID, also referred to as the message ID. Under normal operation, no ECU will ever broadcast a message with the same ID on the same bus. When you do this, in theory you should be able to lock or unlock the door by flooding the bus with the desired message, but it will not be something I would use inside of a product, since your abuse of the bus will interfere with the communication of ECUs on the bus that broadcast at a lower priority.

Now again, if the CAN message for locking and unlocking the door is completely event driven, and not periodically broadcast, then what you're trying to do is completely feasible.

Also, the messages that you are sniffing, that change when you lock or unlock the door, may not be the ones of interest. Status messages are often gatewayed onto other buses; you would have to broadcast the correct message on the bus that it originates from.

Hint: Search online for the pin out for the OBD connector in your vehicle.

1) Should this be possible over the CAN bus exposed on the OBD-II port? I've seen sources saying that doors are controlled by a different, slower bus, but I've also seen devices advertised that will lock the doors when you reach a particular speed.

Yes, it may be possible, but you need to know the pinout for the OBDII in your car, which probably is not public information, but you can figure out which ones are of interest by eliminating the standard OBDII pins.

2) Are the other buses exposed in any way?

As answered above, I think there is a good chance: eliminate the standard OBD pins, and the remaining pairs will be the ones of interest. Each CAN data channel has a Data high and Data low.

3) Is there any way I can find out the meaning of the messages I've captured without paying vast amounts of money to Toyota?

You need a CAN tool to watch the data on the suspect pins. The good news is you will only catch CAN messages when connected to the correct pins; otherwise the tool will throw errors. You may need a tool that can automatically detect the baud rates, or you can guess.

It's going to require a good bit of time, and hacking.

am6sigma
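Two points from this answer, worked through in code as an added example that is not from the original answer: first, bit-wise arbitration, which is why a lower-numbered ID takes the bus from a higher-numbered one when both start transmitting at once; second, the defensive side of "no ECU will ever broadcast a message with the same ID on the same bus": because a periodic ID normally has exactly one sender with a fixed period, a second sender of the same ID shows up as frames arriving far sooner than that period, which is the basis of simple timing-based CAN intrusion detection. The trace, its ID and its period are constructed for illustration.

```python
"""CAN bit-wise arbitration and a same-ID timing check.

Added example, not from the original answer. Standard CAN sends the 11-bit
identifier MSB first; a dominant 0 overrides a recessive 1 on the wire, and a
node that sent recessive but reads dominant drops out. The timing check
learns each ID's period from an idle trace and flags frames that arrive much
earlier than that period, which is what a second sender of an existing ID
looks like. All sample data below is constructed.
"""
from collections import defaultdict
from statistics import median


def arbitration_winner(ids):
    """Return the ID that wins when all of `ids` start transmitting together.

    Walks the 11 identifier bits from MSB to LSB; at each bit the nodes
    sending a recessive 1 lose if any node sends a dominant 0.
    """
    contenders = list(ids)
    for bit in range(10, -1, -1):
        dominant = [i for i in contenders if not (i >> bit) & 1]
        if dominant and len(dominant) < len(contenders):
            contenders = dominant  # recessive senders back off and retry later
    return contenders[0]


def learn_periods(frames):
    """Map each ID to the median inter-arrival time seen in an idle trace."""
    last = {}
    gaps = defaultdict(list)
    for ts, can_id in frames:
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {i: median(g) for i, g in gaps.items() if g}


def find_early_frames(frames, periods, tolerance=0.5):
    """Return (timestamp, id) of frames arriving sooner than tolerance * period.

    Under normal operation one ECU owns an ID and sends it at a fixed rate, so
    an extra sender of that ID produces inter-arrival gaps well below the
    learned period.
    """
    last = {}
    flagged = []
    for ts, can_id in frames:
        if can_id in last and can_id in periods:
            if ts - last[can_id] < tolerance * periods[can_id]:
                flagged.append((ts, can_id))
        last[can_id] = ts
    return flagged


# Constructed idle trace: one ID sent every 100 ms by its owning ECU.
IDLE = [(0.000, 0x2C4), (0.100, 0x2C4), (0.200, 0x2C4), (0.300, 0x2C4)]

# Constructed trace with two extra frames of the same ID interleaved.
SUSPECT = [(0.000, 0x2C4), (0.100, 0x2C4), (0.200, 0x2C4), (0.230, 0x2C4),
           (0.300, 0x2C4), (0.330, 0x2C4), (0.400, 0x2C4)]


if __name__ == "__main__":
    print("winner:", hex(arbitration_winner([0x2C4, 0x1A0, 0x3B7])))
    periods = learn_periods(IDLE)
    print("learned periods:", {hex(k): v for k, v in periods.items()})
    print("early frames:", find_early_frames(SUSPECT, periods))
```

On a real bus the learning window should span many seconds and the tolerance should be set per ID, since some ECUs send a burst on state change in addition to their periodic frame; otherwise legitimate event-driven frames are flagged alongside injected ones.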
3

If I were the guy who designed the electronics, I would make it impossible to do this via CAN bus, simply because you can get Bluetooth adapters for OBD2 that someone standing outside the car could pair with and send the unlock instruction to.

It's a safety hazard, so I wouldn't support it.

Captain Kenpachi