JKowners.com : Jeep Wrangler JK Forum - View Single Post - CAN Bus Hacking Sway Bar Disconnect
post #2 of Old 05-05-2018, 04:23 AM
Join Date: Jul 2017
Posts: 38

Originally Posted by christensent
I don't think I've ever heard of anyone else pulling this off. I realize this won't be all that useful to most people as it requires fairly significant electrical and software engineering background but hey, maybe someone wants to do this! None of these CAN commands are documented anywhere on the internet and it took quite some effort to reverse engineer this so maybe I can save someone some time.

The result is the dashboard sway bar button working perfectly at all speeds and in 2Hi, and the indicator light even works perfectly and stays on if disconnected at speed and flashes normally during connect/disconnect events.

This requires active hardware unfortunately, it's not a one-time reprogramming (and we'll never have that unless a truly gifted hacker spends a very long time finding a vulnerability in the sway bar and then decompiling the software). Just cut the CAN-bus wires to the sway bar and insert a board in between that has a microcontroller and two CAN bus ports. We'll call CANj the Jeep's CAN-C bus, and CANs a new CAN-bus you're adding to the vehicle that just communicates to the sway bar.

I designed a little circuit board to do this, but you could probably use something like an Arduino with some CAN shields for a slightly less favorable form factor if you didn't want to go through making a custom board:

And now the good bits to save you a few days of sniffing the bus staring at hex values trying to figure out how this thing works:
  • For any message transmitted on CANs (from the sway bar), re-transmit untouched on CANj. This sets the state of the LED on the dash.
  • If CANj receives message ID 0x215, ignore its contents and transmit a length-7 message containing 0x8F000000000000 on CANs
  • If CANj receives message ID 0x428, ignore its contents and transmit a length-7 message containing 0x00007E00001001 on CANs
  • If CANj receives message ID 0x325, take its 6th byte and replace the blank in 0xFD__1EE1C00F0C with that byte, and transmit that on CANs
  • For all other messages received on CANj, ignore it and do nothing

And now you can sway around town whenever you want or wheel at 25MPH without having it re-connect, all from the comfort of OEM controls. Drove it around town at up to 50MPH disconnecting and reconnecting and never got any engine codes and the sway bar light worked perfect and of course the sway bar behaved as desired.

Impressive! Nice trick to pull off and thank you for sharing. Seems not many have the know-how AND bother to post up their findings.

Do you think you could figure out the ESP? Figure out a way to disable in 2Hi but still keep ABS? I know that is a more involved issue. Any thoughts?
UFDUB is offline  
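The forwarding rules in the quoted post, written as a hardware-independent C function; this is an added example, not code from either poster. It assumes the "6th byte" is counted from 1 (`data[5]`), that the first hex pair of each quoted payload is `data[0]`, and that the outgoing frame reuses the incoming message ID, none of which the post states; `struct frame` and `gateway` are hypothetical names.

```c
#include <stdint.h>
#include <string.h>

enum bus { CANJ, CANS };   /* CANj = vehicle CAN-C, CANs = sway-bar side */

struct frame { uint32_t id; uint8_t len; uint8_t data[8]; };

/* Fixed 7-byte payloads quoted in the post (assumed data[0] first). */
static const uint8_t P215[7] = {0x8F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
static const uint8_t P428[7] = {0x00, 0x00, 0x7E, 0x00, 0x00, 0x10, 0x01};
/* Template for 0x325: data[1] is the blank filled from the vehicle frame. */
static const uint8_t T325[7] = {0xFD, 0x00, 0x1E, 0xE1, 0xC0, 0x0F, 0x0C};

#define SRC_BYTE 5         /* assumption: "6th byte" is 1-based */

/* Returns 1 and fills *out_bus / *out when a frame must be sent, else 0. */
int gateway(enum bus in_bus, const struct frame *in,
            enum bus *out_bus, struct frame *out)
{
    const uint8_t *payload;

    if (in->len > 8)
        return 0;                       /* malformed length: drop */
    if (in_bus == CANS) {               /* sway bar -> vehicle, untouched */
        *out = *in;
        *out_bus = CANJ;
        return 1;
    }
    switch (in->id) {
    case 0x215: payload = P215; break;
    case 0x428: payload = P428; break;
    case 0x325:
        if (in->len <= SRC_BYTE)
            return 0;                   /* too short to carry the 6th byte */
        payload = T325;
        break;
    default:
        return 0;                       /* all other vehicle traffic is dropped */
    }
    memset(out, 0, sizeof *out);
    out->id = in->id;                   /* assumption: ID is reused */
    out->len = 7;
    memcpy(out->data, payload, 7);
    if (in->id == 0x325)
        out->data[1] = in->data[SRC_BYTE];
    *out_bus = CANS;
    return 1;
}
```
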