I don’t have my M2, as I just ordered it yesterday… But I wanted to share how I was able to reverse engineer, and control different things on my car using another dongle(just like the M2). Once I get my M2, I will be able to share source code, etc with everyone.
This was on a 2003 Trailblazer. I was able to control the windows, radio, seat heaters, lights, seat motors, etc…
What’s the first step you ask? Get a device such as an M2, where you can log can traffic.
After you’ve got that, you need software to help you reverse engineer which message actually controls the window, seat, etc… For me, I am a software/application/electrical engineer… So I wrote my own software that logged all of the can messages.
The software I wrote, connected to the hardware through a serial interface. The software had a list that would be populated with the messages, once I hit the start button to start logging. So my process is, hit start logging, press the window down button on the car, hit stop logging. Now I have my message, somewhere in this list that rolls the window down. How do I narrow this down, to which one it is?
Without knowing my module IDs, I had to try the messages one by one. So I already had all the messages in a list in my software I wrote. So I had another button in my software, that would resend every single message that I just logged. So I replay every message, and when my window goes down… I know I definitely have the message somewhere in my list. My next step was to put a delay between the sending of the messages. This would allow me to watch as my software sent all of the messages. Then I could narrow it down to around 10 messages that it could be. Then from there, I could only send those 10 messages with an even longer delay. When the software sends the message, and the window rolls down… I know thats it! So from there, I would log that this message rolls my window down. Then I would try to manually send the message myself.
I would repeat this for every action I wanted to perform on my vehicle. After a month or so of getting, and organizing everything. I was able to control pretty much anything on my car.
*Something to note:
Most cars after 2008 (or maybe it’s 2012?) have gateway modules. Gateway modules prevent users like us from seeing all of the traffic going across the CAN BUS. The only time we would see traffic, is if it’s requested by a scan tool. We would see the request, and response. So, if you don’t see any traffic across your CAN BUS because you have a gateway module on your car… You will have to go a different route to do this.
That route would be to find a scan tool that controls your windows, lights, etc… Then monitor the can bus when that tool is controlling them. This has good news and bad new though…
Good news: You have the message now to control your window, seats, etc…
Bad news: You can’t use it. OEMs use security on their modules. So unless you know how to get past that, you won’t be able to use the messages you get this way.
Don’t be disappointed though! Some OEMs don’t use security for output controls, and some modules on other OEMs might not use security for output controls. But the ECM, and BCM most likely will for a lot of the OEMs.
Once I get my M2, I can write software to help all of use reverse engineer our vehicles with the M2. I will be back, when I get it. Other than that, any questions, just ask.