Infotainment CANBUS Sniffed and Hacked (Blue LCD) - Hyundai Genesis Forum
 19Likes
Reply
 
LinkBack Thread Tools
post #1 of 286 Old 11-03-2012 Thread Starter
Senior Member
 
Join Date: Apr 2012
Posts: 588
Mentioned: 3 Post(s)
Tagged: 0 Thread(s)
Quoted: 22 Post(s)
(Thread Starter)
Thumbs up Infotainment CANBUS Sniffed and Hacked (Blue LCD)

Hey Guys:

Just wanted to share a little project I am working on. Was able to sniff the communication on the infotainment BUS going from the radio to the blue LCD, and then send the LCD whatever command I wanted to from my laptop.

Once I deciphered the right codes and commands, I took the LCD out of the vehicle, wired up my test rig, and went to town.

Particularly pay attention to the time, outside temperature, and channel readouts.

Yes, more fun things to come


p.s. I have no idea how to embed video to a post, perhaps someone can help out. In any event, the link is above.

Last edited by qwaszx; 11-04-2012 at 12:34 PM.
Dreadie is offline  
Sponsored Links
Advertisement
 
post #2 of 286 Old 11-03-2012
a bOOOOst user
 
sliverworm's Avatar
 
Join Date: May 2012
Location: Austin,TX
Posts: 430
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 0 Post(s)

You should be able to embed video with the hyperlink button, or if you right click your video the html code might work.

As far as the LCD, it looks like you've made some progress what are you plans for this?
sliverworm is offline  
post #3 of 286 Old 11-03-2012
3.5L TT but wrong body
Moderator
 
CrookedH's Avatar
 
Join Date: Apr 2009
Location: ATX
Posts: 12,003
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 6 Post(s)
Garage

Good stuff man. Nice work




What is required for a new FS thread?
  • Detailed title of item
  • Detailed description of item (specify if its new, used, etc.)
  • Contact information (Phone number OR email preferred - not just Private Messaging)
  • Asking price
  • Location (State if local pickup or if you will ship)
  • Actual Photos of the item
Any of these missing means your thread will not be approved.
CrookedH is offline  
 
post #4 of 286 Old 11-03-2012
I'd rather do it myself
 
Red Raspberry's Avatar
 
Join Date: Aug 2009
Location: Flat lands of Illinois
Posts: 18,017
Mentioned: 18 Post(s)
Tagged: 1 Thread(s)
Quoted: 3 Post(s)
Garage

Are you just manipulating the existing logic or can you add new things to the display?

Can I get rid of the stupid GENESIS COUPE when the audio is off?

2010 Red 2.0L track

Quote:
If the Pharaohs had duct tape, the Sphinx would still have a nose...."
Red Raspberry is offline  
post #5 of 286 Old 11-03-2012 Thread Starter
Senior Member
 
Join Date: Apr 2012
Posts: 588
Mentioned: 3 Post(s)
Tagged: 0 Thread(s)
Quoted: 22 Post(s)
(Thread Starter)

Thanks guys... tried to get the video embedded, but still no luck. Maybe a mod can help me out.

In any event, I'm not sure what my eventual goal is going to be. This was more of a "proof of concept" that got started due to curiosity and crappy hurricane weather.

I still have some things to work on, such as determining the protocol the radio uses to send the song/artist XM readout, USB title and name, etc. I'm sure it's possible, but will take some time to figure out.

One eventual goal is either replacing the LCD with a different one, and add capability to that for engine speed, RPM, and other vehicle diagnostics. The main vehicle components reside on a different CAN network, so briding the (2) can sometimes be a difficult task.

Another idea would be to create a standalone Android APK to display the the blue LCD information, similarly to Unavi.

I am primarily going to be focused on the 2010 Coupes, 2011/2012 CANBUS commands changed slightly, and would require an OEM radio from that year, which I have no desire purchasing.
Dreadie is offline  
post #6 of 286 Old 11-03-2012 Thread Starter
Senior Member
 
Join Date: Apr 2012
Posts: 588
Mentioned: 3 Post(s)
Tagged: 0 Thread(s)
Quoted: 22 Post(s)
(Thread Starter)

Quote:
Originally Posted by Red Raspberry View Post
Are you just manipulating the existing logic or can you add new things to the display?

Can I get rid of the stupid GENESIS COUPE when the audio is off?
The only way to change the existing logic would be to change/modify the firmware in the blue LCD. That's powered by a NEC/Renesas V850ES microprocessor. I have no programming knowledge of Renesas components, and it's likely secured/encrypted so code dumping via their debugging protocol likely wouldn't work.

The LCD is listening for specific CAN commands, and then reacts accordingly.

As an example, command 0x502 06 69 00 00 00 00 00 00 tells the display to show 6:69 for the time. 0x502 is the message identifier for time. I also tested my Unavi in the same fashion, and identically, it's just listening for specific commands, and the "trip" (radio) interface reacts accordingly.

The easier route would be programming a new microprocessor (Arduino, ATcan128, etc.) to display the OEM information, with a toggle button to display additional data.
Dreadie is offline  
post #7 of 286 Old 11-03-2012
...+.....+...+..+.++
 
GcoupeS's Avatar
 
Join Date: Feb 2012
Posts: 858
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 2 Post(s)
Garage

Quote:
Originally Posted by Dreadie View Post

Another idea would be to create a standalone Android APK to display the the blue LCD information, similarly to Unavi.
do this

2013 2.0T 8-Speed Shoreline Drive Blue
GcoupeS is offline  
post #8 of 286 Old 11-03-2012 Thread Starter
Senior Member
 
Join Date: Apr 2012
Posts: 588
Mentioned: 3 Post(s)
Tagged: 0 Thread(s)
Quoted: 22 Post(s)
(Thread Starter)

Quote:
Originally Posted by GcoupeS View Post
do this
haha...maybe.. I don't have an Android tablet, nor a 2011, 2012, or 2013 radio

The 2011/2012 are different than 2010, and can almost guarantee 2013s are different too.
Dreadie is offline  
post #9 of 286 Old 11-04-2012 Thread Starter
Senior Member
 
Join Date: Apr 2012
Posts: 588
Mentioned: 3 Post(s)
Tagged: 0 Thread(s)
Quoted: 22 Post(s)
(Thread Starter)

Progress Update:

I got about 90% of all features figured out, mapped, and decoded. I now understand how the display will read out how many CDs are present, which one is currently active, and how many currently aren't loaded.

Also have the automatic AC decoded for inside temperature setting and "automatic" mode.

To do list:

1) Menu functions (AVC/Treble/Bass), etc.
2) Figure out how the song data is displayed (XM, IPOD, etc). Data is NOT on the low speed can, per say.

Here's a snippet of some of the captured CAN data for those who are curious:

9 Receive 19:36:33:390 Data frame Standard frame 00000103 8 00 00 00 00 00 00 00 00
10 Receive 19:36:33:390 Data frame Standard frame 00000104 8 00 00 00 00 00 01 00 00
11 Receive 19:36:33:406 Data frame Standard frame 00000112 8 00 00 00 00 00 00 00 00
12 Receive 19:36:33:406 Data frame Standard frame 00000171 8 00 00 00 00 00 00 00 00
13 Receive 19:36:33:406 Data frame Standard frame 00000501 8 00 59 00 00 02 ac 02 00
14 Receive 19:36:33:406 Data frame Standard frame 00000502 8 19 36 00 00 00 00 00 00
15 Receive 19:36:33:437 Data frame Standard frame 00000133 8 03 00 00 00 00 00 00 00
16 Receive 19:36:33:453 Data frame Standard frame 00000134 8 00 00 00 00 00 00 00 00
17 Receive 19:36:33:453 Data frame Standard frame 00000530 8 00 00 00 00 00 00 00 00
18 Receive 19:36:33:484 Data frame Standard frame 00000440 8 40 02 00 00 00 00 00 00
19 Receive 19:36:33:593 Data frame Standard frame 00000103 8 00 00 00 00 00 00 00 00
20 Receive 19:36:33:593 Data frame Standard frame 00000104 8 00 00 00 00 00 01 00 00
21 Receive 19:36:33:593 Data frame Standard frame 00000112 8 00 00 00 00 00 00 00 00
22 Receive 19:36:33:609 Data frame Standard frame 00000171 8 00 00 00 00 00 00 00 00
23 Receive 19:36:33:609 Data frame Standard frame 00000501 8 00 59 00 00 02 a9 02 00
24 Receive 19:36:33:609 Data frame Standard frame 00000502 8 19 36 00 00 00 00 00 00
Dreadie is offline  
post #10 of 286 Old 11-04-2012
2013 2.0T Rspec
 
dccseek's Avatar
 
Join Date: Apr 2012
Location: Austin, TX
Posts: 76
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 0 Post(s)

What HW are you using to send/receive these commands? Can you access this from the OBD2 port? Or is this bus internal to the radio?

2013 2.0T Rspec
Forge BOV
WeirTech Race 02 and DP
WeirTech CBE Single Exit
WeirTech SRI
Catch-Can JEGS
BTRcc Tuned- 280 HP 330 TQ
dccseek is offline  
post #11 of 286 Old 11-04-2012
3.5L TT but wrong body
Moderator
 
CrookedH's Avatar
 
Join Date: Apr 2009
Location: ATX
Posts: 12,003
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 6 Post(s)
Garage

Quote:
Originally Posted by Dreadie View Post
haha...maybe.. I don't have an Android tablet, nor a 2011, 2012, or 2013 radio

The 2011/2012 are different than 2010, and can almost guarantee 2013s are different too.
Ive got a motorola droid x i could send your way if it would help. Gps and wifi dont work but the rest does...




What is required for a new FS thread?
  • Detailed title of item
  • Detailed description of item (specify if its new, used, etc.)
  • Contact information (Phone number OR email preferred - not just Private Messaging)
  • Asking price
  • Location (State if local pickup or if you will ship)
  • Actual Photos of the item
Any of these missing means your thread will not be approved.
CrookedH is offline  
post #12 of 286 Old 11-04-2012 Thread Starter
Senior Member
 
Join Date: Apr 2012
Posts: 588
Mentioned: 3 Post(s)
Tagged: 0 Thread(s)
Quoted: 22 Post(s)
(Thread Starter)

Quote:
Originally Posted by dccseek View Post
What HW are you using to send/receive these commands? Can you access this from the OBD2 port? Or is this bus internal to the radio?
You can use any CAN -> USB/RS232 adapter, I am using a cheap Chinese one from fleabay, but the software is very primitive and crappy.

I'd recommend one from Peak Systems (here), or Lawicel (here). Both have application SDKs available to design your own program around them, which the chinese junk ones don't. Their software is also much more advanced and user friendly.

I plan to pick one of these up when the budget permits - will greatly help my endeavors.

Technically, you can convert one of the ELM327 clones to read a CAN network, but their buffers are tiny, and with the BUS speed you'll drop several hundred frames and it would be worthless to even bother. On average, there is about 100 data frames sent a SECOND through the network, and this is only on the HVAC bus, the high speed can is probably around a thousand a second

The GenCoupe has (2) CAN networks, a low speed CAN and a high speed CAN. The low speed can (100kbps, 2.0A - standard frame) contains the HVAC information, radio information, etc. The easiest access point is from the blue LCD connector - tap into CANL, CANH and ground.

The second CAN network (highspeed - extended frame - 2.0b) can be accessed from the OBD2 port on pins 3 (CANH), 11 (CANL) and 4 (ground). This BUS uses extended frames (2.0b) and runs at 500kbps. This is the one that contains the high priority and important vehicle communications, such as ABS, TPMS, ECU, BCM, etc.

Check out the wikipedia article for CANBUS here as it can explain CAN networks much better than I'd be able to.

Last edited by Dreadie; 11-04-2012 at 10:08 AM.
Dreadie is offline  
post #13 of 286 Old 11-04-2012 Thread Starter
Senior Member
 
Join Date: Apr 2012
Posts: 588
Mentioned: 3 Post(s)
Tagged: 0 Thread(s)
Quoted: 22 Post(s)
(Thread Starter)

Quote:
Originally Posted by CrookedH View Post
Ive got a motorola droid x i could send your way if it would help. Gps and wifi dont work but the rest does...
Appreciate the offer, I am going to hold off for now, as I don't know where this project is going to take me. When the time comes though, I'll keep that in mind

I'm considering buying a radio from ebay, because doing this in the car is becoming a pain and I'd like to tear it apart to see the circuit boards to get a better understanding of how the artist information gets transferred - that's the only hold up currently.
Dreadie is offline  
post #14 of 286 Old 11-04-2012 Thread Starter
Senior Member
 
Join Date: Apr 2012
Posts: 588
Mentioned: 3 Post(s)
Tagged: 0 Thread(s)
Quoted: 22 Post(s)
(Thread Starter)

Quote:
Originally Posted by Dreadie View Post

I'm considering buying a radio from ebay, because doing this in the car is becoming a pain and I'd like to tear it apart to see the circuit boards to get a better understanding of how the artist information gets transferred - that's the only hold up currently.
Decided to test the forums to see if anyone has one they're willing to let go cheap or donate to the cause: https://www.gencoupe.com/private-clas...ml#post1311493
Dreadie is offline  
post #15 of 286 Old 11-04-2012
Administrator
 
qwaszx's Avatar
 
Join Date: Jul 2010
Location: Washington DC
Posts: 58,741
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 1 Post(s)

Quote:
Originally Posted by Dreadie View Post
Thanks guys... tried to get the video embedded, but still no luck. Maybe a mod can help me out.
Fixed.

I got a 2010 single disc I can send your way for the cost of shipping...

Quote:
Originally Posted by Stevejohns29 View Post
Im learning JB! lol
qwaszx is offline  
post #16 of 286 Old 11-05-2012
FS section ravager
Moderator
 
dwjp90's Avatar
 
Join Date: Sep 2012
Location: West Chicago, IL
Posts: 2,183
Mentioned: 5 Post(s)
Tagged: 0 Thread(s)
Quoted: 6 Post(s)

Is it possible to read this information from the OBII plug?

If so it could be incorporated into Torque for the tablet install guys.
dwjp90 is offline  
post #17 of 286 Old 11-05-2012
13 White 2.0T R-Spec
 
ssyk's Avatar
 
Join Date: Apr 2012
Location: Roswell, GA
Posts: 182
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 0 Post(s)

interesting subbed haha
ssyk is offline  
post #18 of 286 Old 11-05-2012
Tyr
Captain Awesomesauce
 
Tyr's Avatar
 
Join Date: Dec 2010
Location: Ontario, Canada
Posts: 2,743
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 13 Post(s)

Interesting to see where this goes. Subbed.

With this data, you could take it the other way too. Decoding the system commands with your own android app to show the OEM info on a tablet or whatever.

2010 Silverstone Premium 2.0T 5-Speed AT

Done:
AEM CAI
Synapse Synchronic DV
Weirtech FMIC kit + 600hp Garrett Core
WeirTech EVOLVE Al. TBE
PA 91 Stage-1
Dynojet CMD+WB2
Enkei RPF1 18x9.5/10.5
Michelin Pilot Super Sports 265/285
StopTech SS Lines w/ RBF600
Brembo GT Caliper w/ GLoc R8/R6
WeirTech Protoype Coolant Overflow Tank
Saikou Michi DC-3 Catch Cans
OEM GT Strut Bar
Eibach Sway Bar Kit
Solar Gard 20% All Around
Tyr is offline  
post #19 of 286 Old 11-05-2012 Thread Starter
Senior Member
 
Join Date: Apr 2012
Posts: 588
Mentioned: 3 Post(s)
Tagged: 0 Thread(s)
Quoted: 22 Post(s)
(Thread Starter)

Quote:
Originally Posted by dwjp90 View Post
Is it possible to read this information from the OBII plug?

If so it could be incorporated into Torque for the tablet install guys.
Please read my previous posts. I won't reiterate myself.


In regards to the Android App idea... I did give it thought, but don't really see the point.

A) Majority of tablet owners relocate their OEM LCD, so not realy sure of the benefit of doing this, versus keeping the relocated stock LCD

B) Would take 6-8 months of development time, and would not be an pen source: project. Hardware, software, and pricing would obviously be determined if I go this route, however it would likely be north of $300.

C) With that said, $300+ when majority of tabs already relocate LCD, not
really sure it'd be worth the time or effort.

Please correct me if I'm mistaken. I also know this community, sadly "everyone" will want it, but when the time comes, no one will buy it aside from a few pioneers, ala 3.8 forced induction.

My thoughts so far.

On an unrelated note, I ordered an ATMEL proc and LCD, next task will be getting the data on that display.
Dreadie is offline  
post #20 of 286 Old 11-08-2012
Senior Member
 
Sieldan's Avatar
 
Join Date: Apr 2010
Location: Tallassee, AL
Posts: 347
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 0 Post(s)
Garage

What interests me is an ability to eliminate that blue LCD all together when going aftermarket with the head unit. I have a HAM radio installed in the pocket where the LCD gets relocated, so I cant go that route. I'd love to be able to cook up a Arduino with a LED screen to relay the AC info!

Sieldan
2010 3.8 AT Mirabeau Blue Track

Hankook Ventus V12s
SFR Flash 1.5
EBC Blue f/r
StopTech SS Brake Lines
ATE Super Blue Brake Fluid
Setrab 619 Trans Cooler
BC BR-Type Coil-Overs

To Do:
Swaybars
Exhaust
Sieldan is offline  
Sponsored Links
Advertisement
 
Reply

Related Threads
Thread Thread Starter Forum Replies Last Post
Brand new blue LCD relocation kit ipimpslpmstngs Interior 1 06-24-2012 02:05 PM
what type of blue lcd? eeharris Interior 2008-2012 7 04-28-2012 04:42 AM
WTB - 2011+ blue LCD Screen leo215 Want to Buy 0 04-08-2012 04:04 PM
2011/2012 Blue LCD in 2010 crashp Interior 2008-2012 15 04-05-2012 05:47 PM
WTB: Blue LCD Screen crashp Want to Buy 2 06-08-2010 01:32 PM


Quick Reply
Message:
Options

Register Now



In order to be able to post messages on the Hyundai Genesis Forum forums, you must first register.
Please enter your desired user name, your email address and other required details in the form below.

User Name:
Password
Please enter a password for your user account. Note that passwords are case-sensitive.

Password:


Confirm Password:
Email Address
Please enter a valid email address for yourself.

Email Address:
OR

Log-in










User Tag List

Thread Tools
Show Printable Version Show Printable Version
Email this Page Email this Page



Posting Rules  
You may post new threads
You may post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On

 
For the best viewing experience please update your browser to Google Chrome