CAN Bus Hacking Sway Bar Disconnect - JKowners.com : Jeep Wrangler JK Forum
post #1 of 60 Old 05-05-2018, 12:07 AM Thread Starter
Rock God
 
CAN Bus Hacking Sway Bar Disconnect

I don't think I've ever heard of anyone else pulling this off. I realize this won't be all that useful to most people as it requires fairly significant electrical and software engineering background but hey, maybe someone wants to do this! None of these CAN commands are documented anywhere on the internet and it took quite some effort to reverse engineer this so maybe I can save someone some time.

The result is the dashboard sway bar button working perfectly at all speeds and in 2Hi, and the indicator light even works perfectly and stays on if disconnected at speed and flashes normally during connect/disconnect events.


This requires active hardware unfortunately, it's not a one-time reprogramming (and we'll never have that unless a truly gifted hacker spends a very long time finding a vulnerability in the sway bar and then decompiling the software). Just cut the CAN-bus wires to the sway bar and insert a board in between that has a microcontroller and two CAN bus ports. We'll call CANj the Jeep's CAN-C bus, and CANs a new CAN-bus you're adding to the vehicle that just communicates to the sway bar.

I designed a little circuit board to do this, but you could probably use something like an Arduino with some CAN shields for a slightly less favorable form factor if you didn't want to go through making a custom board:


And now the good bits to save you a few days of sniffing the bus staring at hex values trying to figure out how this thing works:
  • For any message transmitted on CANs (from the sway bar), re-transmit untouched on CANj. This sets the state of the LED on the dash.
  • If CANj receives message ID 0x215, ignore its contents and transmit a length-7 message containing 0x8F000000000000 on CANs
  • If CANj receives message ID 0x428, ignore its contents and transmit a length-7 message containing 0x00007E00001001 on CANs
  • If CANj receives message ID 0x325, take its 6th byte and replace the blank in 0xFD__1EE1C00F0C with that byte, and transmit that on CANs
  • For all other messages received on CANj, ignore it and do nothing

And now you can sway around town whenever you want or wheel at 25MPH without having it re-connect, all from the comfort of OEM controls. Drove it around town at up to 50MPH disconnecting and reconnecting and never got any engine codes and the sway bar light worked perfectly and of course the sway bar behaved as desired.
christensent is offline  
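The translation rules in the post above, written out as an added C example. This is my own code, not christensent's firmware from the linked repository: a pure rule table that a reader could drop into their own two-port gateway, with the actual bus I/O left to whatever CAN driver the board uses. It assumes 11-bit standard identifiers, that each rewritten frame goes out on CANs under the same ID it arrived with on CANj (the post only gives the payloads), and that "6th byte" of the 0x325 frame means the sixth byte counting from one, i.e. data[5]. The frame struct and function names are mine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic CAN frame: 11-bit standard ID, up to 8 data bytes (struct is this example's own). */
typedef struct {
    uint16_t id;
    uint8_t  len;
    uint8_t  data[8];
} can_frame_t;

static can_frame_t make_frame(uint16_t id, const uint8_t *bytes, uint8_t len)
{
    can_frame_t f;
    memset(&f, 0, sizeof f);
    f.id  = id;
    f.len = len > 8 ? 8 : len;
    memcpy(f.data, bytes, f.len);
    return f;
}

/* Sway bar -> Jeep (CANs -> CANj): forward every frame untouched; this is what drives the dash LED. */
bool gateway_s_to_j(const can_frame_t *in, can_frame_t *out)
{
    *out = *in;
    return true;
}

/* Jeep -> sway bar (CANj -> CANs): the three rewritten IDs from the post; everything else is dropped.
 * Returns true when *out should be transmitted on CANs. Assumption: the rewritten frame keeps the
 * incoming ID, since the post gives only the payload. */
bool gateway_j_to_s(const can_frame_t *in, can_frame_t *out)
{
    static const uint8_t payload_215[7] = { 0x8F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
    static const uint8_t payload_428[7] = { 0x00, 0x00, 0x7E, 0x00, 0x00, 0x10, 0x01 };
    uint8_t payload_325[7]              = { 0xFD, 0x00, 0x1E, 0xE1, 0xC0, 0x0F, 0x0C };

    switch (in->id) {
    case 0x215:
        *out = make_frame(in->id, payload_215, 7);
        return true;
    case 0x428:
        *out = make_frame(in->id, payload_428, 7);
        return true;
    case 0x325:
        /* Refuse to copy a byte the Jeep never sent rather than forwarding stale RAM. */
        if (in->len < 6)
            return false;
        payload_325[1] = in->data[5];   /* sixth byte (1-based) fills the blank at byte 2 */
        *out = make_frame(in->id, payload_325, 7);
        return true;
    default:
        return false;                    /* not addressed to the sway bar: drop */
    }
}

/* Constructed sample traffic, not a capture from a vehicle: one frame of each kind on CANj. */
int main(void)
{
    const uint8_t  sample[8] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };
    const uint16_t ids[]     = { 0x215, 0x428, 0x325, 0x3E2 };
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        can_frame_t in = make_frame(ids[i], sample, 8), out;
        if (!gateway_j_to_s(&in, &out)) {
            printf("CANj 0x%03X: dropped\n", (unsigned)in.id);
            continue;
        }
        printf("CANj 0x%03X -> CANs 0x%03X len %u:", (unsigned)in.id, (unsigned)out.id, (unsigned)out.len);
        for (uint8_t b = 0; b < out.len; b++)
            printf(" %02X", (unsigned)out.data[b]);
        printf("\n");
    }
    return 0;
}
```

The length check on 0x325 is the one piece of hardening worth keeping in a real build: a gateway that blindly indexes data[5] on a short frame would forward whatever was left in the receive buffer to the actuator.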
post #2 of 60 Old 05-05-2018, 04:23 AM
Wheeler
 

Quote:
Originally Posted by christensent View Post
(post #1, quoted in full above)


Impressive! Nice trick to pull off and thank you for sharing. Seems not many have the know how AND bother to post up their findings.

Do you think you could figure out the ESP? Figure out a way to disable it in 2Hi but still keep ABS? I know that is a more involved issue. Any thoughts?
UFDUB is offline  
post #3 of 60 Old 05-05-2018, 10:00 AM Thread Starter
Rock God
 

Quote:
Originally Posted by UFDUB View Post
Impressive! Nice trick to pull off and thank you for sharing. Seems not many have the know how AND bother to post up their findings.

Do you think you could figure out the esp? Figure out a way to disable in 2hi but still keep ABS? I know that is a more involved issue. Any thoughts?
No, that'd be extremely difficult and may actually be impossible if the firmware is secure. Sway bar is relatively easy because it is its own separate module and messages can be intercepted and adjusted. Killing ESP but keeping ABS would most likely require disassembling and modifying the code that's actually installed on the Jeep. Far beyond my skill level and the few people in the world who do that sort of thing would require strong financial motivation.

I assume you know about the purple wire hack which kills everything including ABS in any 4WD/2Hi mode? I've done that and it's really fantastic in certain off-road scenarios.
christensent is offline  
post #4 of 60 Old 05-05-2018, 10:36 AM
JKO Addict!
 

And there's your cockpit adjustable swaybar. Nice job man.

Does your device sit outside, or inside the swaybar? (where the other electrical stuff is)

I'd ask how you figured it out but, I wouldn't understand the answer.

Kevin
gt1guy is offline  
post #5 of 60 Old 05-05-2018, 11:32 AM Thread Starter
Rock God
 

Quote:
Originally Posted by gt1guy View Post
And there's your cockpit adjustable swaybar. Nice job man.

Does your device sit outside, or inside the swaybar ?(where the other electrical stuff is)

I'd ask how you figured it out but, I wouldn't understand the answer.
It is outside the sway bar, no need to open the sway bar at all. It's just in-line on the cable, I put it about a foot away from the sway bar and zip-tied the thing to the cable (after encapsulating it in shrink-wrap and hot glue).

I'll at some point write a blog post about how I figured it out and link it here.
christensent is offline  
post #6 of 60 Old 05-06-2018, 10:42 AM
JKO Addict!
 

This reverse engineering project sounds very interesting. Thanks for doing it and more importantly for sharing.

Sorry but I have some completely lame questions...

How much time and money do you have into this?

Is it better than currently existing options like the eVo NoLimits manual or pneumatic options? The latter would give you OEM-like push button operation. Some folks already have onboard air.

Why does one need to disconnect the sway bar outside of crawling or running a trail?

My approach was to install the electronic portion of the sway bar into a small cardboard box located in my attic where it can remain clean, functional and reliable in solitude.


Still - your reverse engineering/hacking and sharing here is super cool.
White13JKUR is offline  
post #7 of 60 Old 05-06-2018, 05:15 PM Thread Starter
Rock God
 

Quote:
Originally Posted by White13JKUR View Post
(post #6, quoted in full above)
About $30 and maybe 15 hours of work, of which almost all was writing code and figuring out the protocol.

The actual feature that you still have which other options don't give is feedback on whether the sway bar is actually connected or not. For example with NoLimits or pneumatic, you can disconnect it but you don't actually know whether it's disconnected yet, or vice versa when re-connecting. Not a big deal, but it is nice to know for when the mechanical section seizes up and needs to be opened and greased (which I've been through twice).

It's also great for me because my compressor is inside the vehicle and loud so I don't want pneumatic, and wanted to have control when driving.

I wheel mostly dry terrain (or at least not submerged in water and mud up to the sway bar) so the electronic section is great for me. I've had to rebuild twice, but both times it was the mechanical half that needed a grease job and cleaning which would go bad even with any of the aftermarket actuators for manual or pneumatic. Never had problems with the motor or electrical and doubt I will unless I get into mud wheeling which I never will.

I like to disconnect for a day of wheeling and not have it reconnect constantly. A pot-holed road is much more pleasant disconnected in my opinion. Also I'm running ORI's so I have a bit extra desire to have no sway bar off-road even at some speed.
christensent is offline  
post #8 of 60 Old 05-06-2018, 07:47 PM
Vaporware jeep
 

Do you plan on creating a project on a repo somewhere?
snout is offline  
post #9 of 60 Old 05-06-2018, 11:54 PM
Wheeler
 

What about doing a similar mod to the electric lockers? Then we could lock in 2HI/4HI whenever we wanted if the situation called for it?
UFDUB is offline  
post #10 of 60 Old 05-07-2018, 08:07 AM Thread Starter
Rock God
 

Quote:
Originally Posted by snout View Post
Do you plan on creating a project on a repo somewhere?
Here is a Git repository which contains the code (with Keil uVision project, which is small enough code to use the free version), and PCB in Altium as well as gerbers in the project outputs folder: https://bitbucket.org/christensent1/swaybar/src/master/

Quote:
Originally Posted by UFDUB View Post
What doing a similar mod to the electric lockers? Then we could lock in 2HI/4HI whenever we wanted if the situation called for it?
No, that'd probably be quite hard. The lockers are powered directly from the TIPM so you'd have to fool the TIPM into thinking you're in a different transfer case gear which is just risky and not something I'd personally want to attempt. Better off just adding your own switches, cutting the wires, and putting relays on. Personally I've never in my life wanted lockers in 2HI/4HI or over whatever speed they cutoff at so I just left the lockers all OEM, but understand cases where some people might want that.
christensent is offline  
post #11 of 60 Old 05-07-2018, 11:30 AM
Vaporware jeep
 

Quote:
Originally Posted by christensent View Post
Here is a GIT which contains the code (with Keil uVision project which is small enough code to use the free version), and PCB in Altium as well as gerbers in the project outputs folder: https://bitbucket.org/christensent1/swaybar/src/master/
Awesome, thanks!
snout is offline  
post #12 of 60 Old 05-08-2018, 09:53 AM
JKO Addict!
 

Quote:
Quote:
Originally Posted by christensent View Post
Here is a GIT which contains the code (with Keil uVision project which is small enough code to use the free version), and PCB in Altium as well as gerbers in the project outputs folder: https://bitbucket.org/christensent1/swaybar/src/master/
Quote:
Originally Posted by snout View Post
Awesome, thanks!

You understood that?

Kevin
gt1guy is offline  
post #13 of 60 Old 05-08-2018, 01:42 PM
Wheeler
 

That is awesome. We just pulled the circuit board out of the sway bar and wired the solenoid to a switch inside the cab.

Riptide9 is offline  
post #14 of 60 Old 02-20-2019, 01:59 PM
vdl
Newbie
 

Do you know the messages/formats that come from the swaybar? My swaybar board is dead and I'm thinking about making a new one (STM32 also). But without proper responses to the CAN messages the Jeep will flash the swaybar light.
vdl is offline  
post #15 of 60 Old 02-20-2019, 03:35 PM
Super Moderator
 

this is why JKO


j3ff3ry_j33p is offline  
post #16 of 60 Old 02-20-2019, 05:49 PM Thread Starter
Rock God
 

Quote:
Originally Posted by vdl View Post
Do you know messages/formats that comes from swaybar? My swaybar board is dead and i'm thinking about making new one (stm32 also). But without proper responses to can messages jeep will flash swaybar light.
I'm pretty sure it was CAN ID 994 (0x3E2) that the sway bar sends to the Jeep to control the light, with a packet length of one byte. I'm not totally sure what the contents were but you could try various numbers until it works. I'm pretty sure it was 0, 1, or 2 and I don't recall which correlates to solid, blink, or off. Worst case try all 256 possibilities since it's only a 1-byte length packet. It sends this packet approximately once per second. Hopefully timing isn't critical since my system inherently runs synchronously with the Jeep whereas you will be emulating it.

I'm not 100% sure on that and don't really have a good way to figure out as I encapsulated my board in epoxy after finishing the project so can't easily revert it to being a CAN-sniffer logger and don't personally own a CAN-to-USB adapter. In my final code I just forward all messages untouched in the direction of sway bar to Jeep so don't have it in my code. The above is just based on a data log I still have in the project folder.

Also, if you or anyone else is curious here's a bit more information on the process I went through to figure this out. I don't think there's any more info that'd help you with this particular thing though. https://tcengineering.wordpress.com/...r-can-hacking/

christensent is offline  
post #17 of 60 Old 02-21-2019, 02:46 AM
vdl
Newbie
 

Thank you. I'll try with a USBtin (worked great on a WK2) before implementing with the STM32.
vdl is offline  
post #18 of 60 Old 02-22-2019, 05:25 AM

Quote:
Originally Posted by j3ff3ry_j33p View Post
this is why JKO


Exactly
Matti is offline  
post #19 of 60 Old 02-22-2019, 11:43 AM
Wheeler
 

This is awesome! Is there any way this same thing could be done with the Rubi lockers for high-range usage? To my knowledge, they also use their own module. Could be wrong though. I feel like someone could make some money offering a plug and play solution that utilizes the factory switches and maintains the factory light indicators' full functionality.
Gobi_Rubi is offline  
post #20 of 60 Old 02-22-2019, 10:19 PM
JKO Addict!
 

Quote:
Originally Posted by Gobi_Rubi View Post
This is awesome! Is there anyway, this same thing could be done with the Rubi lockers for High Range usage? To my knowledge, they also use their own module. Could be wrong though. I feel like someone could make some money offering a plug and play solution that utilizes the factory switches and maintains the factory light indicators full functinality.
I'd think the stability control would go nuts with the lockers locked at any kind of speed.

Kevin
gt1guy is offline  
post #21 of 60 Old 02-23-2019, 05:07 AM
Wheeler
 

Quote:
Originally Posted by gt1guy View Post

I'd think the stability control would go nuts with the lockers locked at any kind of speed.
Why is that? I haven't heard of anyone having issues after wiring switches to bypass the lockers.

I would think the ESC would be fine. It would never detect any slippage because all tires would always be spinning the same speed
Gobi_Rubi is offline  
post #22 of 60 Old 02-23-2019, 09:39 AM
JKO Addict!
 

Quote:
Originally Posted by Gobi_Rubi View Post
Why is that? I haven't heard of anyone having issues after wiring switches to bypass the lockers.

I would think the ESC would be fine. It would never detect any slippage because all tires would always be spinning the same speed
I could be wrong but, isn't ESC looking for steering wheel input and both wheels turning the same speed? As would happen with understeer.

Like I said, I could be completely wrong. Though, there's a reason that Jeep did what they did. I'd think avoiding conflicts between systems would have been part of it.

Kevin
gt1guy is offline  
post #23 of 60 Old 02-23-2019, 10:55 AM
Wheeler
 

Yes, I guess you may be right. I wasn't 100% on how the ESC works. However, like I said, if it does cause issues, I would think we would have heard about it from people who are overriding the factory limitations by other means. As to why Chrysler didn't allow it from the factory, I think it's more about preventing the average Joe from locking them when it's not necessary and causing damage or premature wear.

A related note is one feature shown on the Gladiators: the rear locker can be locked in 4 Hi.
Gobi_Rubi is offline  
post #24 of 60 Old 02-24-2019, 06:30 AM Thread Starter
Rock God
 

Quote:
Originally Posted by Gobi_Rubi View Post
This is awesome! Is there anyway, this same thing could be done with the Rubi lockers for High Range usage? To my knowledge, they also use their own module. Could be wrong though. I feel like someone could make some money offering a plug and play solution that utilizes the factory switches and maintains the factory light indicators full functinality.
No this would be really tricky. The sway bar is easy because the button talks to the sway bar, and the sway bar talks to the dash light. Since the sway bar is fully self contained it's really easy to throw a hack board inline with it.

The lockers on the other hand are controlled by the TIPM, and the actuation sensor is read by the TIPM. Once you're in that box, good luck hacking it because the TIPM does so many things it's just not going to be practical to do any simple hacks. Not going to say impossible, but the effort is not justified in even trying.
christensent is offline  
post #25 of 60 Old 02-24-2019, 11:03 AM
vdl
Newbie
 
Join Date: Feb 2019
Posts: 3
Feedback: 0 reviews

CAN ID 994 (0x3E2) works; the data byte controls the dash light.

It seems only the 3rd and 4th bits are used:

xxxx00xx (0-3) - off
xxxx01xx (4-7) - on
xxxx10xx (8-B) - slow blink (I think originally this is used while the sway bar is engaging/disengaging)
xxxx11xx (C-F) - fast blink (indicates error)
vdl is offline  
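The two findings on the sway bar's own message, christensent's ID 0x3E2 with a one-byte payload sent roughly once per second and vdl's bit decoding above, combined into an added C example. This is my own code, not either poster's, of what a replacement sway-bar board would have to emit to keep the dash light sane. It assumes a one-second cadence is good enough (the thread says timing is probably not critical, and the real module's exact interval is not confirmed), that the bits outside 3:2 can be left zero, and it uses my own names for the frame struct, enum and functions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SWAYBAR_LED_ID        0x3E2u   /* decimal 994: sway bar -> Jeep, one data byte */
#define SWAYBAR_LED_PERIOD_MS 1000u    /* assumed cadence: "approximately once per second" */

typedef enum {
    LED_OFF        = 0,  /* bits 3:2 = 00 */
    LED_ON         = 1,  /* bits 3:2 = 01, sway bar disconnected */
    LED_SLOW_BLINK = 2,  /* bits 3:2 = 10, connecting/disconnecting */
    LED_FAST_BLINK = 3   /* bits 3:2 = 11, error */
} led_state_t;

typedef struct {
    uint16_t id;
    uint8_t  len;
    uint8_t  data[8];
} sb_frame_t;

/* Decode what the dash will show: only bits 2 and 3 matter, the rest of the byte is ignored. */
led_state_t swaybar_led_decode(uint8_t b)
{
    return (led_state_t)((b >> 2) & 0x03u);
}

/* Build the byte a replacement board should send for a wanted LED state (other bits left 0). */
uint8_t swaybar_led_encode(led_state_t s)
{
    return (uint8_t)(((unsigned)s & 0x03u) << 2);
}

/* Emulated sway-bar node: call from the main loop with a millisecond tick; emits one 0x3E2
 * frame per period. Wrap-safe subtraction so a 32-bit tick rollover does not stall it. */
typedef struct {
    bool        started;
    uint32_t    last_tx_ms;
    led_state_t state;
} swaybar_emu_t;

bool swaybar_emu_tick(swaybar_emu_t *e, uint32_t now_ms, sb_frame_t *out)
{
    if (e->started && (uint32_t)(now_ms - e->last_tx_ms) < SWAYBAR_LED_PERIOD_MS)
        return false;
    e->started    = true;
    e->last_tx_ms = now_ms;
    out->id      = SWAYBAR_LED_ID;
    out->len     = 1;
    out->data[0] = swaybar_led_encode(e->state);
    return true;
}

int main(void)
{
    /* Constructed walk through the low nibble, not a capture from the bus. */
    static const char *names[] = { "off", "on", "slow blink", "fast blink" };
    for (unsigned b = 0; b < 16; b++)
        printf("0x%02X -> %s\n", b, names[swaybar_led_decode((uint8_t)b)]);

    /* Emulate a disconnect: slow blink while the actuator moves, then solid on. */
    swaybar_emu_t emu = { false, 0, LED_SLOW_BLINK };
    sb_frame_t    f;
    for (uint32_t t = 0; t <= 3000; t += 500) {
        if (t == 2000)
            emu.state = LED_ON;
        if (swaybar_emu_tick(&emu, t, &f))
            printf("t=%4lu ms: tx id 0x%03X data %02X (%s)\n", (unsigned long)t,
                   (unsigned)f.id, (unsigned)f.data[0], names[swaybar_led_decode(f.data[0])]);
    }
    return 0;
}
```

Because christensent's gateway forwards everything from CANs to CANj untouched, a replacement board built this way sits behind that gateway unchanged; only the emulator side needs to know about 0x3E2.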