Skip to content

Latest commit

 

History

History
70 lines (49 loc) · 8.67 KB

README.md

File metadata and controls

70 lines (49 loc) · 8.67 KB

Ford Mustang VI (S550) 2015+ instrument panel cluster hacking1 (STM32H503RB)

An STM32 HAL example of communicating with the IPC. Tested on three different versions of the cluster: GR3T, FR33, and JR3T.

Motivation

Engaging classrooms/labs. Hands-on training on the CAN bus communication. You can buy a decent IPC starting from 10 EUR or even less. You will see such examples in my other submissions later on (e.g. Peugeot 207, Citroen C5 or Ford Focus Mk3). Here I deal with Ford Mustang VI IPCs. I've bought mines from PinyaStore and GoTradeMCh for under 30 EUR mark each. Why IPCs in CAN bus training? We need at least two nodes to play with the bus (except the loopback-mode scenario). A node built from scratch using a Nucleo board, a CAN transceiver, a stepper motor with a driver (to have some movement, which is always more fun), and a breadboard with a power supply would cost you around 30 EUR. For the same money you can play with a piece of art such as GR3T featuring analog gauges with a controllable RGB backlight, a TFT color display, plenty of LED indicators, and a speaker. It's gonna be fun to turn all that stuff alive. Using such training aids is definitely fun for me and I hope that this fun can be contagious. And you can learn a lot interacting with production devices, e.g. that selecting CAN segments does matter.

Ford Mustang (S550) 2016 instrument panel cluster

How to

Probably the most convenient way would be to get your hands on a working car and sniff the bus. If this is not the case for you, as was not the case for me with Ford Mustang, still we have some options.

First of all, choose an IPC that has been hacked by other hobbyists. And by hacking I don't mean here any illegal activity. We are not going to gain access to any protected data stored in the cluster to change it, such as the odometer. I mean completely legal reverse engineering done by hobbyists who enjoy connecting production IPCs to e.g. computer games/simulators via SimHub.

Second, use a brute force method to find some more frames and there are always more of them. Pick devices that use 11-bit identifiers. The 29-bit IDs are impractical to be hacked using the brute force method. Let me demonstrate why. To spot a movement or a LED blink by human eye a 100 ms visual event is sufficient (at least my experiments demonstrate that). Don't confuse it with a reaction time which is an order of magnitude slower. You will miss around 10 frames between the frame that switched on the diode and the one that you actually stopped at by pressing the button. There are 2048 different 11-bit identifiers. We need then less than 4 minutes to send a selected pattern with all the possible IDs. The common choices for the pattern are 0x55 and 0xAA. Note that the message has to have a specific length to be accepted by the node (hardware filters check the ID, but on the software side we often verify also the length before we act on the message content). CAN 2.0B2 limits the length to 8 bytes. It is not uncommon for IPCs to use not only 8-byte long messages, but also shorter ones, e.g. 7-byte, 6-byte or even 5-byte long ones. 4 minutes times 2 patterns times 2 lengths (I would suggest going initially for 8-byte and 7-byte long messages) gives 16 minutes. Bearable. Doable when accompanied with sipping your favorite beverage ☕ This is not to encourage you to repeat this experiment multiple times. It wouldn't be productive in most cases. Just find a single undocumented frame and play with it to feel satisfaction from the discovery. And then move to more advanced stuff, e.g. CAN-TP3, OBD2 simulators or OBD2 scanners4 - more on that in future submissions. Oh, and for the 29-bit IDs this would take close to 2 years.

Track AppsTM

Some versions of that IPC have Track AppsTM installed, or maybe all of them but I was able to activate it only in some of them. The app visualizes e.g. acceleration/deceleration of the car. Hacking this app is my small addition to the overall set of frames published in the sources I'm aware of.

Ford Mustang (S550) 2016 instrument panel cluster

Missing files?

Don't worry 🙂 Just hit Alt-K to generate /Drivers/CMCIS/ and /Drivers/STM32H5xx_HAL_Driver/ based on the .ioc file. After a couple of seconds your project will be ready for building.

Tools

Some IPCs also sent their own frames. For example, when you navigate the menu on your IPC it may distribute your choices to other components of the system such as the center console. In our case the instrument cluster shares the information about your preferences regarding e.g. temperature and distance units. It is convenient to use a bus sniffer to catch that part of the communication. Here are some tools from my home lab that work for me:

and the one I enjoy at the university:

Wiring diagram

Ford Mustang (S550) 2015+ System Wiring Diagrams - Instrument cluster Source: cardiagn.com

If you are new to the STM32 CAN/FDCAN5 internal peripheral

Exemplary hardware for breadboarding

Sources and inspirations

Call for action

Build your own home laboratory/workshop! Get inspired by ControllersTech, DroneBot Workshop, Andreas Spiess, GreatScott!, ElectroBOOM, Phil's Lab, atomic14, That Project, Paul McWhorter, and many other professional hobbyists sharing their awesome projects and tutorials! Shout-out/kudos to all of them!

Warning

Control engineering - do try this at home ❗

190+ challenges to start from: Control Engineering for Hobbyists at the Warsaw University of Technology.

Stay tuned ❗

Footnotes

  1. Cambridge Dictionary: the activity of riding on a horse in the countryside for pleasure 🙂

  2. CAN FD is already knocking on the vehicle door. The next one is CAN XL. Both of them support much longer payloads. The brute force method will be rendered by them impractical. Enjoy CAN 2.0B while you can 😉

  3. RAND_ASH: "I hacked my old Mercedes instrument cluster to display custom text"

  4. OBD2 PID Overview

  5. The FDCAN (Flexible Data-Rate Controller Area Network) peripheral is fully backward compatible with the CAN peripheral.