JKOwners Forum banner

1 - 20 of 65 Posts

·
Registered
Joined
·
960 Posts
Discussion Starter #1
I don't think I've ever heard of anyone else pulling this off. I realize this won't be all that useful to most people as it requires fairly significant electrical and software engineering background but hey, maybe someone wants to do this! None of these CAN commands are documented anywhere on the internet and it took quite some effort to reverse engineer this so maybe I can save someone some time.

The result is the dashboard sway bar button working perfectly at all speeds and in 2Hi, and the indicator light even works perfectly and stays on if disconnected at speed and flashes normally during connect/disconnect events.


This requires active hardware unfortunately, it's not a one-time reprogramming (and we'll never have that unless a truly gifted hacker spends a very long time finding a vulnerability in the sway bar and then decompiling the software). Just cut the CAN-bus wires to the sway bar and insert a board in between that has a microcontroller and two CAN bus ports. We'll call CANj the Jeep's CAN-C bus, and CANs a new CAN-bus you're adding to the vehicle that just communicates to the sway bar.

I designed a little circuit board to do this, but you could probably use something like an Arduino with some CAN shields for a slightly less favorable form factor if you didn't want to go through making a custom board:


And now the good bits to save you a few days of sniffing the bus staring at hex values trying to figure out how this thing works:
  • For any message transmitted on CANs (from the sway bar), re-transmit untouched on CANj. This sets the state of the LED on the dash.
  • If CANj receives message ID 0x215, ignore its contents and transmit a length-7 message containing 0x8F000000000000 on CANs
  • If CANj receives message ID 0x428, ignore its contents and transmit a length-7 message containing 0x00007E00001001 on CANs
  • If CANj receives message ID 0x325, take its 6th-byte and replace the blank in 0xFD__1EE1C00F0C with that byte, and transmit that on CANs
  • For all other messages received on CANj, ignore it and do nothing
And now you can sway around town whenever you want or wheel at 25MPH without having it re-connect, all from the comfort of OEM controls. Drove it around town at up to 50MPH disconnecting and reconnecting and never got any engine codes and the sway bar light worked perfectly and of course the sway bar behaved as desired.
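As an added example (not the author's STM32 firmware, and not code from the repository linked later in the thread), here is a host-side C model of the gateway rules above, usable for checking the rewrite table before putting it in a CAN receive handler. The frame IDs and payloads are the ones the post lists; the `can_frame_t` struct, the function names, reading "6th byte" as payload index 5, and resending each rewritten frame under the same ID it arrived with (the post states only the payload, not the ID) are assumptions of this example. The sway-bar-side sample frame uses ID 0x3E2 with one data byte, which the author later in the thread says is the status frame; the byte value 0x01 in it is constructed and carries no known meaning.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the author's firmware: a host-side model of the inline
 * CAN gateway. CANj = the Jeep's CAN-C bus, CANs = the new bus to the sway bar.
 * IDs and payloads are from the post; struct, names and the same-ID resend
 * are assumptions of this example. */

typedef struct {
    uint32_t id;       /* 11-bit standard CAN identifier */
    uint8_t  dlc;      /* number of valid bytes in data[], 0..8 */
    uint8_t  data[8];
} can_frame_t;

static can_frame_t make_frame(uint32_t id, uint8_t dlc, const uint8_t *bytes)
{
    can_frame_t f;
    memset(&f, 0, sizeof f);
    f.id = id;
    f.dlc = dlc > 8 ? 8 : dlc;
    memcpy(f.data, bytes, f.dlc);
    return f;
}

/* Jeep -> sway bar. Returns true when *out must be transmitted on CANs.
 * Every ID not matched is dropped, per the post's last rule. */
bool gateway_from_jeep(const can_frame_t *in, can_frame_t *out)
{
    static const uint8_t reply_215[7] = {0x8F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
    static const uint8_t reply_428[7] = {0x00, 0x00, 0x7E, 0x00, 0x00, 0x10, 0x01};

    switch (in->id) {
    case 0x215:                      /* contents ignored, fixed reply */
        *out = make_frame(in->id, 7, reply_215);
        return true;
    case 0x428:                      /* contents ignored, fixed reply */
        *out = make_frame(in->id, 7, reply_428);
        return true;
    case 0x325: {
        /* Template 0xFD__1EE1C00F0C: the blank (index 1) takes the incoming
         * frame's 6th byte, read here as data[5] (assumed 1-based in the post). */
        uint8_t tmpl[7] = {0xFD, 0x00, 0x1E, 0xE1, 0xC0, 0x0F, 0x0C};
        if (in->dlc < 6)             /* assumption: drop frames too short to carry byte 6 */
            return false;
        tmpl[1] = in->data[5];
        *out = make_frame(in->id, 7, tmpl);
        return true;
    }
    default:
        return false;
    }
}

/* Sway bar -> Jeep: forwarded byte-for-byte (this is what drives the dash LED). */
bool gateway_from_swaybar(const can_frame_t *in, can_frame_t *out)
{
    *out = *in;
    return true;
}

/* Wrapper: returns the DLC that would go out on CANs (0 = nothing sent),
 * copying the payload into out_data. */
int gateway_rewrite(uint32_t id, uint8_t dlc, const uint8_t *data, uint8_t out_data[8])
{
    can_frame_t in = make_frame(id, dlc, data), out;
    if (!gateway_from_jeep(&in, &out))
        return 0;
    memcpy(out_data, out.data, 8);
    return out.dlc;
}

/* Runs constructed sample frames through both directions and checks results. */
bool self_check(void)
{
    const uint8_t j325[8] = {0x11, 0x22, 0x33, 0x44, 0x55, 0xA5, 0x77, 0x88}; /* constructed */
    const uint8_t jany[8] = {0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x04}; /* constructed */
    const uint8_t s3e2[1] = {0x01};                                           /* constructed */
    const uint8_t exp325[7] = {0xFD, 0xA5, 0x1E, 0xE1, 0xC0, 0x0F, 0x0C};
    uint8_t out[8];
    can_frame_t sb = make_frame(0x3E2, 1, s3e2), fwd;

    if (gateway_rewrite(0x325, 8, j325, out) != 7 || memcmp(out, exp325, 7) != 0) return false;
    if (gateway_rewrite(0x215, 8, jany, out) != 7 || out[0] != 0x8F || out[6] != 0x00) return false;
    if (gateway_rewrite(0x428, 8, jany, out) != 7 || out[2] != 0x7E || out[5] != 0x10) return false;
    if (gateway_rewrite(0x1F0, 8, jany, out) != 0) return false;   /* unrelated ID dropped */
    if (gateway_rewrite(0x325, 4, j325, out) != 0) return false;   /* too short for byte 6 */
    if (!gateway_from_swaybar(&sb, &fwd) || fwd.id != 0x3E2 || fwd.dlc != 1 || fwd.data[0] != 0x01) return false;
    return true;
}

int main(void)
{
    const uint8_t sample[8] = {0x11, 0x22, 0x33, 0x44, 0x55, 0xA5, 0x77, 0x88}; /* constructed */
    uint8_t out[8];
    int n = gateway_rewrite(0x325, 8, sample, out);
    printf("0x325 -> %d bytes on CANs:", n);
    for (int i = 0; i < n; i++) printf(" %02X", out[i]);
    printf("\nself_check: %s\n", self_check() ? "ok" : "FAILED");
    return self_check() ? 0 : 1;
}
```

Build with `cc -std=c99 gateway.c && ./a.out`. On a real board the two functions would be called from the receive paths of the two CAN controllers; the host model only exercises the rewrite table. The short-frame guard on 0x325 is this example's choice: the post gives no rule for a 0x325 frame shorter than six bytes, so dropping it is safer than sending the template with an unfilled byte.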
 

·
Registered
Joined
·
41 Posts
Impressive! Nice trick to pull off and thank you for sharing. Seems not many have the know how AND bother to post up their findings.

Do you think you could figure out the esp? Figure out a way to disable in 2hi but still keep ABS? I know that is a more involved issue. Any thoughts?
 

·
Registered
Joined
·
960 Posts
Discussion Starter #3
Impressive! Nice trick to pull off and thank you for sharing. Seems not many have the know how AND bother to post up their findings.

Do you think you could figure out the esp? Figure out a way to disable in 2hi but still keep ABS? I know that is a more involved issue. Any thoughts?
No, that'd be extremely difficult and may actually be impossible if the firmware is secure. Sway bar is relatively easy because it is its own separate module and messages can be intercepted and adjusted. Killing ESP but keeping ABS would most likely require disassembling and modifying the code that's actually installed on the Jeep. Far beyond my skill level and the few people in the world who do that sort of thing would require strong financial motivation.

I assume you know about the purple wire hack which kills everything including ABS in any 4WD/2Hi mode? I've done that and it's really fantastic in certain off-road scenarios.
 

·
Premium Member
Joined
·
4,087 Posts
And there's your cockpit adjustable swaybar. Nice job man.

Does your device sit outside, or inside the swaybar ?(where the other electrical stuff is)

I'd ask how you figured it out but, I wouldn't understand the answer. :D
 

·
Registered
Joined
·
960 Posts
Discussion Starter #5
And there's your cockpit adjustable swaybar. Nice job man.

Does your device sit outside, or inside the swaybar ?(where the other electrical stuff is)

I'd ask how you figured it out but, I wouldn't understand the answer. :D
It is outside the sway bar, no need to open the sway bar at all. It's just in-line on the cable, I put it about a foot away from the sway bar and zip-tied the thing to the cable (after encapsulating it in shrink-wrap and hot glue).

I'll at some point write a blog post about how I figured it out and link it here.
 

·
Registered
Joined
·
3,032 Posts
This reverse engineering project sounds very interesting. Thanks for doing it and more importantly for sharing.

Sorry but I have some completely lame questions...

How much time and money do you have into this?

Is it better than currently existing options like the eVo NoLimits manual or pneumatic options? The latter would give you OEM-like push button operation. Some folks already have onboard air.

Why does one need to disconnect the sway bar outside of crawling or running a trail?

My approach was to install the electronic portion of the sway bar into a small cardboard box located in my attic where it can remain clean, functional and reliable in solitude.


Still - your reverse engineering/hacking and sharing here is super cool.
 

·
Registered
Joined
·
960 Posts
Discussion Starter #7
This reverse engineering project sounds very interesting. Thanks for doing it and more importantly for sharing.

Sorry but I have some completely lame questions...

How much time and money do you have into this?

Is it better than currently existing options like the eVo NoLimits manual or pneumatic options? The latter would give you OEM-like push button operation. Some folks already have onboard air.

Why does one need to disconnect the sway bar outside of crawling or running a trail?

My approach was to install the electronic portion of the sway bar into a small cardboard box located in my attic where it can remain clean, functional and reliable in solitude.


Still - your reverse engineering/hacking and sharing here is super cool.
About $30 and maybe 15 hours of work, of which almost all was writing code and figuring out the protocol.

The actual feature that you still have which other options don't give is feedback on whether the sway bar is actually connected or not. For example with NoLimits or pneumatic, you can disconnect it but you don't actually know whether it's disconnected yet, or vice versa when re-connecting. Not a big deal, but it is nice to know for when the mechanical section seizes up and needs to be opened and greased (which I've been through twice).

It's also great for me because my compressor is inside the vehicle and loud so I don't want pneumatic, and wanted to have control when driving.

I wheel mostly dry terrain (or at least not submerged in water and mud up to the sway bar) so the electronic section is great for me. I've had to rebuild twice, but both times it was the mechanical half that needed a grease job and cleaning which would go bad even with any of the aftermarket actuators for manual or pneumatic. Never had problems with the motor or electrical and doubt I will unless I get into mud wheeling which I never will.

I like to disconnect for a day of wheeling and not have it reconnect constantly. A pot-holed road is much more pleasant disconnected in my opinion. Also I'm running ORI's so I have a bit extra desire to have no sway bar off-road even at some speed.
 

·
Registered
Joined
·
41 Posts
What about doing a similar mod to the electric lockers? Then we could lock in 2HI/4HI whenever we wanted if the situation called for it?
 

·
Registered
Joined
·
960 Posts
Discussion Starter #10
Do you plan on creating a project on a repo somewhere?
Here is a GIT which contains the code (with Keil uVision project which is small enough code to use the free version), and PCB in Altium as well as gerbers in the project outputs folder: https://bitbucket.org/christensent1/swaybar/src/master/

What about doing a similar mod to the electric lockers? Then we could lock in 2HI/4HI whenever we wanted if the situation called for it?
No, that'd probably be quite hard. The lockers are powered directly from the TIPM so you'd have to fool the TIPM into thinking you're in a different transfer case gear which is just risky and not something I'd personally want to attempt. Better off just adding your own switches, cutting the wires, and putting relays on. Personally I've never in my life wanted lockers in 2HI/4HI or over whatever speed they cutoff at so I just left the lockers all OEM, but understand cases where some people might want that.
 

·
Registered
Joined
·
94 Posts
That is awesome. We just pulled the circuit board out of the sway bar and wired the solenoid to a switch inside the cab.
 

·
Registered
Joined
·
3 Posts
Do you know the messages/formats that come from the swaybar? My swaybar board is dead and I'm thinking about making a new one (stm32 also). But without proper responses to CAN messages the Jeep will flash the swaybar light.
 

·
Registered
Joined
·
960 Posts
Discussion Starter #16 (Edited)
Do you know the messages/formats that come from the swaybar? My swaybar board is dead and I'm thinking about making a new one (stm32 also). But without proper responses to CAN messages the Jeep will flash the swaybar light.
I'm pretty sure it was CAN ID 994 (0x3E2) that the sway bar sends to the Jeep to control the light, with a packet length of one byte. I'm not totally sure what the contents were but you could try various numbers until it works. I'm pretty sure it was 0, 1, or 2 and I don't recall which correlates to solid, blink, or off. Worst case try all 256 possibilities since it's only a 1-byte length packet. It sends this packet approximately once per second. Hopefully timing isn't critical since my system inherently runs synchronously with the Jeep whereas you will be emulating it.

I'm not 100% sure on that and don't really have a good way to figure out as I encapsulated my board in epoxy after finishing the project so can't easily revert it to being a CAN-sniffer logger and don't personally own a CAN-to-USB adapter. In my final code I just forward all messages untouched in the direction of sway bar to Jeep so don't have it in my code. The above is just based on a data log I still have in the project folder.

Also, if you or anyone else is curious here's a bit more information on the process I went through to figure this out. I don't think there's any more info that'd help you with this particular thing though. https://tcengineering.wordpress.com/2018/12/10/jeep-sway-bar-can-hacking/
 

·
Registered
Joined
·
24 Posts
This is awesome! Is there any way this same thing could be done with the Rubi lockers for High Range usage? To my knowledge, they also use their own module. Could be wrong though. I feel like someone could make some money offering a plug and play solution that utilizes the factory switches and maintains the factory light indicators' full functionality.
 

·
Premium Member
Joined
·
4,087 Posts
This is awesome! Is there any way this same thing could be done with the Rubi lockers for High Range usage? To my knowledge, they also use their own module. Could be wrong though. I feel like someone could make some money offering a plug and play solution that utilizes the factory switches and maintains the factory light indicators' full functionality.
I'd think the stability control would go nuts with the lockers locked at any kind of speed.
 