JKowners.com : Jeep Wrangler JK Forum

Thread: CAN Bus Hacking Sway Bar Disconnect, Modified JK Tech Dept. (https://www.jkowners.com/forum/modified-jk-tech-dept/376786-can-bus-hacking-sway-bar-disconnect.html)

christensent 05-05-2018 12:07 AM

CAN Bus Hacking Sway Bar Disconnect
 
I don't think I've ever heard of anyone else pulling this off. I realize this won't be all that useful to most people as it requires fairly significant electrical and software engineering background but hey, maybe someone wants to do this! None of these CAN commands are documented anywhere on the internet and it took quite some effort to reverse engineer this so maybe I can save someone some time.

The result is the dashboard sway bar button working perfectly at all speeds and in 2Hi, and the indicator light even works perfectly and stays on if disconnected at speed and flashes normally during connect/disconnect events.


This requires active hardware unfortunately, it's not a one-time reprogramming (and we'll never have that unless a truly gifted hacker spends a very long time finding a vulnerability in the sway bar and then decompiling the software). Just cut the CAN-bus wires to the sway bar and insert a board in between that has a microcontroller and two CAN bus ports. We'll call CANj the Jeep's CAN-C bus, and CANs a new CAN-bus you're adding to the vehicle that just communicates to the sway bar.

I designed a little circuit board to do this, but you could probably use something like an Arduino with some CAN shields for a slightly less favorable form factor if you didn't want to go through making a custom board:
https://farm1.staticflickr.com/947/2...de707bfa_z.jpg

And now the good bits to save you a few days of sniffing the bus staring at hex values trying to figure out how this thing works:
  • For any message transmitted on CANs (from the sway bar), re-transmit it untouched on CANj. This sets the state of the LED on the dash.
  • If CANj receives message ID 0x215, ignore its contents and transmit a length-7 message containing 0x8F000000000000 on CANs.
  • If CANj receives message ID 0x428, ignore its contents and transmit a length-7 message containing 0x00007E00001001 on CANs.
  • If CANj receives message ID 0x325, take its 6th byte, replace the blank in 0xFD__1EE1C00F0C with that byte, and transmit that on CANs.
  • For all other messages received on CANj, ignore them and do nothing.

And now you can sway around town whenever you want or wheel at 25MPH without having it re-connect, all from the comfort of OEM controls. Drove it around town at up to 50MPH disconnecting and reconnecting and never got any engine codes, the sway bar light worked perfectly, and of course the sway bar behaved as desired.

UFDUB 05-05-2018 04:23 AM

Quote:

Originally Posted by christensent (Post 4408994)
I don't think I've ever heard of anyone else pulling this off. I realize this won't be all that useful to most people as it requires fairly significant electrical and software engineering background but hey, maybe someone wants to do this! None of these CAN commands are documented anywhere on the internet and it took quite some effort to reverse engineer this so maybe I can save someone some time.

The result is the dashboard sway bar button working perfectly at all speeds and in 2Hi, and the indicator light even works perfectly and stays on if disconnected at speed and flashes normally during connect/disconnect events.


This requires active hardware unfortunately, it's not a one-time reprogramming (and we'll never have that unless a truly gifted hacker spends a very long time finding a vulnerability in the sway bar and then decompiling the software). Just cut the CAN-bus wires to the sway bar and insert a board in between that has a microcontroller and two CAN bus ports. We'll call CANj the Jeep's CAN-C bus, and CANs a new CAN-bus you're adding to the vehicle that just communicates to the sway bar.

I designed a little circuit board to do this, but you could probably use something like an Arduino with some CAN shields for a slightly less favorable form factor if you didn't want to go through making a custom board:
https://farm1.staticflickr.com/947/2...de707bfa_z.jpg

And now the good bits to save you a few days of sniffing the bus staring at hex values trying to figure out how this thing works:
  • For any message transmitted on CANs (from the sway bar), re-transmit it untouched on CANj. This sets the state of the LED on the dash.
  • If CANj receives message ID 0x215, ignore its contents and transmit a length-7 message containing 0x8F000000000000 on CANs.
  • If CANj receives message ID 0x428, ignore its contents and transmit a length-7 message containing 0x00007E00001001 on CANs.
  • If CANj receives message ID 0x325, take its 6th byte, replace the blank in 0xFD__1EE1C00F0C with that byte, and transmit that on CANs.
  • For all other messages received on CANj, ignore them and do nothing.

And now you can sway around town whenever you want or wheel at 25MPH without having it re-connect, all from the comfort of OEM controls. Drove it around town at up to 50MPH disconnecting and reconnecting and never got any engine codes, the sway bar light worked perfectly, and of course the sway bar behaved as desired.



Impressive! Nice trick to pull off and thank you for sharing. Seems not many have the know how AND bother to post up their findings.

Do you think you could figure out the ESP? Figure out a way to disable it in 2Hi but still keep ABS? I know that is a more involved issue. Any thoughts?

christensent 05-05-2018 10:00 AM

Quote:

Originally Posted by UFDUB (Post 4409018)
Impressive! Nice trick to pull off and thank you for sharing. Seems not many have the know how AND bother to post up their findings.

Do you think you could figure out the ESP? Figure out a way to disable it in 2Hi but still keep ABS? I know that is a more involved issue. Any thoughts?

No, that'd be extremely difficult and may actually be impossible if the firmware is secure. Sway bar is relatively easy because it is its own separate module and messages can be intercepted and adjusted. Killing ESP but keeping ABS would most likely require disassembling and modifying the code that's actually installed on the Jeep. Far beyond my skill level and the few people in the world who do that sort of thing would require strong financial motivation.

I assume you know about the purple wire hack which kills everything including ABS in any 4WD/2Hi mode? I've done that and it's really fantastic in certain off-road scenarios.

gt1guy 05-05-2018 10:36 AM

And there's your cockpit adjustable swaybar. Nice job man.

Does your device sit outside or inside the sway bar? (where the other electrical stuff is)

I'd ask how you figured it out but, I wouldn't understand the answer. :D

christensent 05-05-2018 11:32 AM

Quote:

Originally Posted by gt1guy (Post 4409090)
And there's your cockpit adjustable swaybar. Nice job man.

Does your device sit outside or inside the sway bar? (where the other electrical stuff is)

I'd ask how you figured it out but, I wouldn't understand the answer. :D

It is outside the sway bar, no need to open the sway bar at all. It's just in-line on the cable, I put it about a foot away from the sway bar and zip-tied the thing to the cable (after encapsulating it in shrink-wrap and hot glue).

I'll at some point write a blog post about how I figured it out and link it here.

White13JKUR 05-06-2018 10:42 AM

This reverse engineering project sounds very interesting. Thanks for doing it and more importantly for sharing.

Sorry but I have some completely lame questions...

How much time and money do you have into this?

Is it better than currently existing options like the eVo NoLimits manual or pneumatic options? The latter would give you OEM-like push button operation. Some folks already have onboard air.

Why does one need to disconnect the sway bar outside of crawling or running a trail?

My approach was to install the electronic portion of the sway bar into a small cardboard box located in my attic where it can remain clean, functional and reliable in solitude.


Still - your reverse engineering/hacking and sharing here is super cool.

christensent 05-06-2018 05:15 PM

Quote:

Originally Posted by White13JKUR (Post 4409361)
This reverse engineering project sounds very interesting. Thanks for doing it and more importantly for sharing.

Sorry but I have some completely lame questions...

How much time and money do you have into this?

Is it better than currently existing options like the eVo NoLimits manual or pneumatic options? The latter would give you OEM-like push button operation. Some folks already have onboard air.

Why does one need to disconnect the sway bar outside of crawling or running a trail?

My approach was to install the electronic portion of the sway bar into a small cardboard box located in my attic where it can remain clean, functional and reliable in solitude.


Still - your reverse engineering/hacking and sharing here is super cool.

About $30 and maybe 15 hours of work, of which almost all was writing code and figuring out the protocol.

The actual feature that you still have which other options don't give is feedback on whether the sway bar is actually connected or not. For example with NoLimits or pneumatic, you can disconnect it but you don't actually know whether it's disconnected yet, or vice versa when re-connecting. Not a big deal, but it is nice to know for when the mechanical section seizes up and needs to be opened and greased (which I've been through twice).

It's also great for me because my compressor is inside the vehicle and loud so I don't want pneumatic, and wanted to have control when driving.

I wheel mostly dry terrain (or at least not submerged in water and mud up to the sway bar) so the electronic section is great for me. I've had to rebuild twice, but both times it was the mechanical half that needed a grease job and cleaning which would go bad even with any of the aftermarket actuators for manual or pneumatic. Never had problems with the motor or electrical and doubt I will unless I get into mud wheeling which I never will.

I like to disconnect for a day of wheeling and not have it reconnect constantly. A pot-holed road is much more pleasant disconnected in my opinion. Also I'm running ORI's so I have a bit extra desire to have no sway bar off-road even at some speed.

snout 05-06-2018 07:47 PM

Do you plan on creating a project on a repo somewhere?

UFDUB 05-06-2018 11:54 PM

What about doing a similar mod to the electric lockers? Then we could lock in 2HI/4HI whenever we wanted if the situation called for it.

christensent 05-07-2018 08:07 AM

Quote:

Originally Posted by snout (Post 4409513)
Do you plan on creating a project on a repo somewhere?

Here is a Git repository which contains the code (with a Keil uVision project, which is small enough code to use the free version), and the PCB in Altium as well as gerbers in the project outputs folder: https://bitbucket.org/christensent1/swaybar/src/master/

Quote:

Originally Posted by UFDUB (Post 4409577)
What about doing a similar mod to the electric lockers? Then we could lock in 2HI/4HI whenever we wanted if the situation called for it.

No, that'd probably be quite hard. The lockers are powered directly from the TIPM so you'd have to fool the TIPM into thinking you're in a different transfer case gear which is just risky and not something I'd personally want to attempt. Better off just adding your own switches, cutting the wires, and putting relays on. Personally I've never in my life wanted lockers in 2HI/4HI or over whatever speed they cutoff at so I just left the lockers all OEM, but understand cases where some people might want that.

snout 05-07-2018 11:30 AM

Quote:

Originally Posted by christensent (Post 4409697)
Here is a Git repository which contains the code (with a Keil uVision project, which is small enough code to use the free version), and the PCB in Altium as well as gerbers in the project outputs folder: https://bitbucket.org/christensent1/swaybar/src/master/

Awesome, thanks!

gt1guy 05-08-2018 09:53 AM

Quote:

Quote:

Originally Posted by christensent (Post 4409697)
Here is a Git repository which contains the code (with a Keil uVision project, which is small enough code to use the free version), and the PCB in Altium as well as gerbers in the project outputs folder: https://bitbucket.org/christensent1/swaybar/src/master/

Quote:

Originally Posted by snout (Post 4409793)
Awesome, thanks!



You understood that? :thefinger:

Riptide9 05-08-2018 01:42 PM

That is awesome. We just pulled the circuit board out of the sway bar and wired the solenoid to a switch inside the cab

vdl 02-20-2019 01:59 PM

Do you know the messages/formats that come from the sway bar? My sway bar board is dead and I'm thinking about making a new one (STM32 also). But without proper responses to the CAN messages the Jeep will flash the sway bar light.

j3ff3ry_j33p 02-20-2019 03:35 PM

this is why JKO


:jeep2:

christensent 02-20-2019 05:49 PM

Quote:

Originally Posted by vdl (Post 4452578)
Do you know the messages/formats that come from the sway bar? My sway bar board is dead and I'm thinking about making a new one (STM32 also). But without proper responses to the CAN messages the Jeep will flash the sway bar light.

I'm pretty sure it was CAN ID 994 (0x3E2) that the sway bar sends to the Jeep to control the light, with a packet length of one byte. I'm not totally sure what the contents were but you could try various numbers until it works. I'm pretty sure it was 0, 1, or 2 and I don't recall which correlates to solid, blink, or off. Worst case try all 256 possibilities since it's only a 1-byte length packet. It sends this packet approximately once per second. Hopefully timing isn't critical since my system inherently runs synchronously with the Jeep whereas you will be emulating it.

I'm not 100% sure on that and don't really have a good way to figure out as I encapsulated my board in epoxy after finishing the project so can't easily revert it to being a CAN-sniffer logger and don't personally own a CAN-to-USB adapter. In my final code I just forward all messages untouched in the direction of sway bar to Jeep so don't have it in my code. The above is just based on a data log I still have in the project folder.

Also, if you or anyone else is curious here's a bit more information on the process I went through to figure this out. I don't think there's any more info that'd help you with this particular thing though. https://tcengineering.wordpress.com/...r-can-hacking/

vdl 02-21-2019 02:46 AM

Thank you. I'll try with USBtin (worked great on the WK2) before implementing it with the STM32.

Matti 02-22-2019 05:25 AM

Quote:

Originally Posted by j3ff3ry_j33p (Post 4452588)
this is why JKO


:jeep2:

Exactly

Gobi_Rubi 02-22-2019 11:43 AM

This is awesome! Is there any way this same thing could be done with the Rubi lockers for high range usage? To my knowledge, they also use their own module. Could be wrong though. I feel like someone could make some money offering a plug and play solution that utilizes the factory switches and maintains the factory light indicators' full functionality.

gt1guy 02-22-2019 10:19 PM

Quote:

Originally Posted by Gobi_Rubi (Post 4452836)
This is awesome! Is there any way this same thing could be done with the Rubi lockers for high range usage? To my knowledge, they also use their own module. Could be wrong though. I feel like someone could make some money offering a plug and play solution that utilizes the factory switches and maintains the factory light indicators' full functionality.

I'd think the stability control would go nuts with the lockers locked at any kind of speed.

Gobi_Rubi 02-23-2019 05:07 AM

Quote:

Originally Posted by gt1guy (Post 4452870)

I'd think the stability control would go nuts with the lockers locked at any kind of speed.

Why is that? I haven't heard of anyone having issues after wiring switches to bypass the lockers.

I would think the ESC would be fine. It would never detect any slippage because all tires would always be spinning at the same speed.

gt1guy 02-23-2019 09:39 AM

Quote:

Originally Posted by Gobi_Rubi (Post 4452882)
Why is that? I haven't heard of anyone having issues after wiring switches to bypass the lockers.

I would think the ESC would be fine. It would never detect any slippage because all tires would always be spinning at the same speed.

I could be wrong, but isn't ESC looking for steering wheel input and both wheels turning at the same speed? As would happen with understeer.

Like I said, I could be completely wrong. Though, there's a reason that Jeep did what they did. I'd think avoiding conflicts between systems would have been part of it.

Gobi_Rubi 02-23-2019 10:55 AM

Yes, I guess you may be right. I wasn't 100% on how the ESC works. However, like I said, if it does cause issues, I would think we would have heard about it from people who are overriding the factory limitations by other means. As to why Chrysler didn't allow it from the factory, I think it's more about preventing the average Joe from locking them when it's not necessary and causing damage or premature wear.

A related note is one feature shown on the Gladiators: the rear locker can be locked in 4 Hi.

christensent 02-24-2019 06:30 AM

Quote:

Originally Posted by Gobi_Rubi (Post 4452836)
This is awesome! Is there any way this same thing could be done with the Rubi lockers for high range usage? To my knowledge, they also use their own module. Could be wrong though. I feel like someone could make some money offering a plug and play solution that utilizes the factory switches and maintains the factory light indicators' full functionality.

No this would be really tricky. The sway bar is easy because the button talks to the sway bar, and the sway bar talks to the dash light. Since the sway bar is fully self contained it's really easy to throw a hack board inline with it.

The lockers on the other hand are controlled by the TIPM, and the actuation sensor is read by the TIPM. Once you're in that box, good luck hacking it because the TIPM does so many things it's just not going to be practical to do any simple hacks. Not going to say impossible, but the effort is not justified in even trying.

vdl 02-24-2019 11:03 AM

CAN ID 994 (0x3E2) works.
The data byte controls the dash light.

It seems that only the 3rd and 4th bits are used:

xxxx00xx (0x0 - 0x3) - off
xxxx01xx (0x4 - 0x7) - on
xxxx10xx (0x8 - 0xb) - slow blink (I think originally this is used while the sway bar is engaging/disengaging)
xxxx11xx (0xc - 0xf) - fast blink (indicates error)
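Both halves of the protocol described in this thread, as an added C example that is not code from the original posts or from christensent's repository: the CANj-to-CANs substitution rules from the first post, and the 0x3E2 dash-light byte that vdl decoded above. Assumptions not stated in the thread: the substituted frames go out on CANs with the same ID they arrived with, "6th byte" is counted from 1 (data[5]), and the frame struct is a generic stand-in for whatever the controller's CAN driver uses.

```c
#include <stdint.h>
#include <string.h>

/* Generic classic-CAN frame (assumption: 11-bit IDs, at most 8 data bytes). */
struct can_frame {
    uint32_t id;
    uint8_t  dlc;
    uint8_t  data[8];
};

/* Dash-light states encoded in bits 2-3 of the 0x3E2 data byte (from vdl's post). */
enum sway_light { LIGHT_OFF = 0, LIGHT_ON = 1, LIGHT_SLOW_BLINK = 2, LIGHT_FAST_BLINK = 3 };

#define ID_SWAYBAR_STATUS 0x3E2u  /* 994: sway bar -> Jeep, one data byte, once per second */

static void set_frame(struct can_frame *f, uint32_t id, const uint8_t *payload, uint8_t dlc)
{
    memset(f, 0, sizeof *f);
    f->id  = id;
    f->dlc = dlc;
    memcpy(f->data, payload, dlc);
}

/* CANj -> CANs direction. Returns 1 and fills *out when a frame must be sent to the
 * sway bar, 0 when the Jeep-side frame is ignored. Frames from the sway bar (CANs -> CANj)
 * are forwarded untouched and need no translation, so they are not handled here. */
int gateway_jeep_to_swaybar(const struct can_frame *in, struct can_frame *out)
{
    static const uint8_t p215[7] = {0x8F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
    static const uint8_t p428[7] = {0x00, 0x00, 0x7E, 0x00, 0x00, 0x10, 0x01};
    uint8_t p325[7] = {0xFD, 0x00, 0x1E, 0xE1, 0xC0, 0x0F, 0x0C};  /* byte 1 is the blank */

    switch (in->id) {
    case 0x215: set_frame(out, in->id, p215, 7); return 1;
    case 0x428: set_frame(out, in->id, p428, 7); return 1;
    case 0x325:
        if (in->dlc < 6) return 0;   /* too short to carry a 6th byte: drop rather than guess */
        p325[1] = in->data[5];       /* 6th byte (1-based, assumption) fills the blank */
        set_frame(out, in->id, p325, 7);
        return 1;
    default: return 0;               /* everything else on CANj is ignored */
    }
}

/* Decode the dash-light state from a 0x3E2 frame; -1 if the frame is not a usable status. */
int decode_swaybar_light(const struct can_frame *in)
{
    if (in->id != ID_SWAYBAR_STATUS || in->dlc < 1) return -1;
    return (in->data[0] >> 2) & 0x3;  /* only bits 2-3 were observed to matter */
}

/* Build the 0x3E2 frame a replacement sway bar board (vdl's use case) would send. */
void encode_swaybar_light(enum sway_light state, struct can_frame *out)
{
    uint8_t b = (uint8_t)((state & 0x3) << 2);
    set_frame(out, ID_SWAYBAR_STATUS, &b, 1);
}
```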

