Intercepting stealership diag port communications. . .

GardRail

Veteran Member
Joined
Aug 16, 2005
Location
Martinsburg, WV
TDI
2k2 Blue Golf
Hypothetically speaking, does anyone know of any home made circuits, or devices that can be purchased on the internet that can be hooked up between the car's computer and the OBDII connector? It would be interesting to see what the dealer sees when they hook up their equipment to say, determine what errors are in the computer, and umm... program keys ;-)

The interesting part is, the dealerships probably have an encrypted connection going over the internet back to VW to obtain the necessary information to program key transponders. The information being transmitted from their computer system to the car's computer is probably being transmitted via RS232 signals at various baud rates (unencrypted). If one wanted to find out the importer code, and other pertinent information to program their own keys, that would be the way to do it.

Hypothetically speaking, there are keyboard loggers out there like the one on thinkgeek that can capture (via hardware intercept) the various characters entered in on a keyboard. The following link is for referencing the technology:
http://www.thinkgeek.com/gadgets/security/5a05/

I'm not an EE, I'm just a computer security type of guy. Given that it's a serial communication that occurs in order to say perform diagnostics or program keys, I would assume it would be pretty easy to capture the raw data, then dig through the data-stream to see "interesting" things.

Does anyone have any information on the pinout of the diag port, voltages, etc?

Just thinking out loud, but this seems like an interesting project. Especially if it can be added inside the dash between the diag port and the computer...
 

GardRail

Veteran Member
Joined
Aug 16, 2005
Location
Martinsburg, WV
TDI
2k2 Blue Golf
muahahah sounds like we have an information security professional on the thread.

Yes I want to be Eve (eavesdropper). . .
 

Lightflyer1

Top Post Dawg
Joined
Sep 13, 2005
Location
Round Rock, Texas
TDI
2015 Beetle tdi dsg
rjr311 said:
He wants to do man-in-the-middle capture. Not be Alice or Bob.
Okay. I guess I haven't a clue to what he wants then! I don't know Alice or Bob or Eve. :)

I'll just sit back and read and try to learn something new.
 

oilhammer

Certified Volkswagen Nut & Vendor
Joined
Dec 11, 2001
Location
outside St Louis, MO
TDI
There are just too many to list....
I think he means to tap into the GEKO system for immobilizers. VAG-COM will not do so, and they have refused to make that function available for fear of security reasons. There are other units available that will, but they are kinda 'spensive.
 

Gilty_one

Veteran Member
Joined
Jul 2, 2007
Location
Warman, Saskatchewan, Canada
TDI
2016 Touareg Execline 3.0 V6 TDI; 2012 Jetta Highline TDI
While that is possible, where would you stash a small enough computer to intercept the data? I suppose a small enough laptop would slide under the passenger seat but, you would need to run the intercepting link to the OBD connector, good laptop batteries, and a dealership not that curious in looking underneath it all.
 

Sebastian

Vendor
Joined
Aug 6, 2004
Location
Magdeburg, Germany
There is a lot of confusion going on here...

#1 RS232 Sniffer? The dealer VASG-155x / VAS-505x do not use a RS232 port.
#2 What you want is a K-Line or CAN Sniffer, but even when you got the stuff sniffed do you really think you are able to understand the protocol on which the communication is based? :)
 

hgeittmann

Veteran Member
Joined
May 19, 2003
Location
Longmont, Colorado
TDI
05 Passat Wagon
I agree with ^^^. Now you could buy a simple CAN transceiver node from the likes of Microchip (the PIC people) and wire it in. Or a CAN hardware vendor like Kvaser (there are many) will sell a USB-CAN cable too. Having debugged CANopen communication, which is well documented, it's still a royal pain to decode.
 

GardRail

Veteran Member
Joined
Aug 16, 2005
Location
Martinsburg, WV
TDI
2k2 Blue Golf
Gilty_one said:
While that is possible, where would you stash a small enough computer to intercept the data? I suppose a small enough laptop would slide under the passenger seat but, you would need to run the intercepting link to the OBD connector, good laptop batteries, and a dealership not that curious in looking underneath it all.
Good question.... Did you know that you can run RS232 over extreme long distances? I've actually seen RS232 serial console cables (running 9600) approximately 200 feet over cat5 cable. The shorter the distance, the higher the baud rate. I would imagine you could wrap a cat5 cable a few times around your car and still be able to get at least 9600 ;-)

The trick is trying to find a piece of hardware that can detect the baud rate change from 9600 to 10.4k (or whatever it is for ISO 9141-2) and still be able to capture the serial data stream.

Once the datastream is captured, I would hope that it would just be a matter of munging through the datastream and finding the applicable information (such as importer code & what not) that would be necessary to use VAG-COM to configure the transponder on the key, or car to accept the new transponder on the newly cut blade.


Obviously it would be highly inappropriate to see if you could hook up an ethernet sniffer up to the machine that's programming the transponder... EVEN if you could sweet talk the stealership into doing such a thing, I'm willing to bet my left testicle that it's encrypted or encoded in some way (that's what I would do anyways). If not, hey I already have 4 kids, and the right one to work with ;-)


This would be quite the interesting project. If there continues to be interest in such a thing, we might need to take this offline and continue a more active development / investigation stance. I can't wait till my diag cable arrives.... *holds breath*
 

Gilty_one

Veteran Member
Joined
Jul 2, 2007
Location
Warman, Saskatchewan, Canada
TDI
2016 Touareg Execline 3.0 V6 TDI; 2012 Jetta Highline TDI
All this is well if RS232 is being used. The CAN-BUS /K-Line may just be some data protocol that the OBD talks to VAG.

The actual connection transmission protocol could be anything...

I myself haven't looked into it in any detail.
 

GardRail

Veteran Member
Joined
Aug 16, 2005
Location
Martinsburg, WV
TDI
2k2 Blue Golf
Sebastian,

I could have sworn I read somewhere yesterday that the ISO 9141-2 had similar communications properties with rs232, except the voltage reference was much higher and based off of the battery voltage.

My thoughts would be to basically build a VAG cable, something you can buy cheap off of those folks off of ebay that have a DB9 serial connection on one side, and the diag male port on the other. Once that is obtained, if we can find a way to basically do the reverse and interconnect the two db9 sides via a null modem cable, we would have effectively converted from ISO9141-2 to rs232 to ISO9141-2. The real accomplishment would be to monitor the communications on the RS232 link as that appears to be easier than via the more proprietary SAE interface. . .

The trick would be to look at the communications and see if there is a preamble associated with the baud rate change, then compensate accordingly.
 

Sebastian

Vendor
Joined
Aug 6, 2004
Location
Magdeburg, Germany
Yes, ISO9141/ISO9141-2 do specify it similar but depending on the model you want to work on this may not be related because it uses CAN. So the real first question is what year, make, model and engine type are you trying to sniff?
 

GardRail

Veteran Member
Joined
Aug 16, 2005
Location
Martinsburg, WV
TDI
2k2 Blue Golf
Ideally I'd like to use my car as a guinea pig. . .

2002 Golf TDI (ALH) engine w/ 01M transmission.

What I was thinking, is if there was a way to wire up two OBD2 connections by wiring it up directly behind the plug (kinda like a two headed pigtail) or have a cable like that wired up to test with, where one side would be a male OBD2 (like most diagnostics cables) then the other side break out to two females...

I'm thinking, at least the way how RS232 ghost ports work, so long as the TX wires are not connected to the PC, then it would essentially act as a passive participant in the communications path...

You would still need to have an OBD2 cable plugged into the car, you'd just need to have a different software package rigged to sniff the rs232 serial connection at 10.4kbps (hopefully that's the speed the magic occurs with)....
 

MOGolf

Top Post Dawg
Joined
Jun 27, 2001
Location
underneath something
TDI
2001 Golf GLS TDI Reflex silver, rough road suspension and steel skid plate, 2004 Passat Variant, Candy White, rough road suspension and geared balanced shaft module, and much, much more. 2016 LR RR HSE TD6, 2019 Jaguar I-PACE
GardRail said:
.

What I was thinking, is if there was a way to wire up two OBD2 connections by wiring it up directly behind the plug (kinda like a two headed pigtail) or have a cable like that wired up to test with, where one side would be a male OBD2 (like most diagnostics cables) then the other side break out to two females...

..
Yes you can add a second OBD2 port. http://forums.tdiclub.com/showthread.php?t=38143

Just wired them in parallel.
 

GardRail

Veteran Member
Joined
Aug 16, 2005
Location
Martinsburg, WV
TDI
2k2 Blue Golf
mmmm Parallel good. . .



Now I just need to find a Unix or Windows serial program to hit the weird baud rates VW uses via that port . . .
 

vwlogue

Veteran Member
Joined
Aug 27, 2004
Location
Alexandria VA
TDI
7th VW: 2011 SportWagen TDI & 6th: 2000 Golf TDI
then how are you going to do the sniffing? that's $90 a session unless you have an insider access.

and when/how are you going to initiate the sniffer-obd handshake?
 

BioDiesel

Veteran Member
Joined
Oct 29, 2001
Location
CT
TDI
'98 Jetta
I have a '98 AHU TDI and a home made OBD2 -to - RS232 port circuit, and use it with an older version of VAG-COM.

The OBD2 signal has the same timing characteristics as an RS-232 signal.
It's just optically isolated and voltage level translated
The voltage levels aren't +/- 10V as on RS-232.
I'd have to look at it again, but as long as the Tx and Rx signals go from 0 to >+2V, it will work with the RS-232 'sniffer' diode circuit.

I also have serial port logging sw, but I'm sure there is lots of freeware out there too. I agree with some others, the protocol would be tough for a novice to figure out.

OTOH, our state passes/fails emissions based on OBD2 error codes.
It would be nice to have a device which could be inserted to ('cough-cough)
filter them out.
 

GardRail

Veteran Member
Joined
Aug 16, 2005
Location
Martinsburg, WV
TDI
2k2 Blue Golf
vwlogue said:
then how are you going to do the sniffing? that's $90 a session unless you have an insider access.

and when/how are you going to initiate the sniffer-obd handshake?
I need to get my key programmed either way. I was hoping to use this as a little experiment to determine if any real data could be obtained. A good test would be to see if I can get together with someone with another vagcom cable and see if I can sniff their communications before I go to the stealership.
 

GardRail

Veteran Member
Joined
Aug 16, 2005
Location
Martinsburg, WV
TDI
2k2 Blue Golf
BioDiesel said:
I have a '98 AHU TDI and a home made OBD2 -to - RS232 port circuit, and use it with an older version of VAG-COM.

The OBD2 signal has the same timing characteristics as an RS-232 signal.
It's just optically isolated and voltage level translated
The voltage levels aren't +/- 10V as on RS-232.
I'd have to look at it again, but as long as the Tx and Rx signals go from 0 to >+2V, it will work with the RS-232 'sniffer' diode circuit.
That's what I've been able to determine. What I'm kinda hoping to find out is if I can get the USB interface to work under Linux, then sniff the raw data via the USB device from an operating system level. If both devices are wired in parallel and the monitoring system is just monitoring tx/rx communications it should be easy enough to do this. The key is finding software that can trigger the serial interface to run at the odd baud rates...


BioDiesel said:
I also have serial port logging sw, but I'm sure there is lots of freeware out there too. I agree with some others, the protocol would be tough for a novice to figure out.
I'd really like to find out more about your experiments. It sounds as if you were practically there! :)

BioDiesel said:
OTOH, our state passes/fails emissions based on OBD2 error codes.
It would be nice to have a device which could be inserted to ('cough-cough)
filter them out.
Ah you're talking about doing some sort of data modification in transit, kinda like emulating the car computer to tell the emissions station that everything is okay (while the car belches soot) *snicker* that would be quite amusing to see if it can be done.