www.tdiclub.com

November 12th, 2007, 07:39   #1
GardRail
Veteran Member
 
Join Date: Aug 2005
Location: Martinsburg, WV
Intercepting stealership diag port communications. . .

Hypothetically speaking, does anyone know of any home made circuits, or devices that can be purchased on the internet that can be hooked up between the car's computer and the OBDII connector? It would be interesting to see what the dealer sees when they hook up their equipment to say, determine what errors are in the computer, and umm... program keys ;-)

The interesting part is, the dealerships probably have an encrypted connection going over the internet back to VW to obtain the necessary information to program key transponders. The information being transmitted from their computer system to the car's computer is probably being transmitted via RS232 signals at various baud rates (unencrypted). If one wanted to find out the importer code, and other pertinent information to program their own keys, that would be the way to do it.

Hypothetically speaking, there are keyboard loggers out there like the one on thinkgeek that can capture (via hardware intercept) the various characters entered in on a keyboard. The following link is for referencing the technology:
http://www.thinkgeek.com/gadgets/security/5a05/

I'm not an EE, I'm just a computer security type of guy. Given that it's a serial communication that occurs in order to say perform diagnostics or program keys, I would assume it would be pretty easy to capture the raw data, then dig through the data-stream to see "interesting" things.

Does anyone have any information on the pinout of the diag port, voltages, etc?

Just thinking out loud, but this seems like an interesting project. Especially if it can be added inside the dash between the diag port and the computer...
November 12th, 2007, 08:19   #2
Lightflyer1
Veteran Member
 
Join Date: Sep 2005
Location: Round Rock, Texas

http://www.ross-tech.com/
__________________
How to post pics:http://forums.tdiclub.com/showthread...t=post+picture
November 12th, 2007, 08:21   #3
rjr311
Veteran Member
 
Join Date: Jan 2006
Location: Western Shawnee, Kansas
Fuel Economy: 45 mpg

Quote:
Originally Posted by Lightflyer1
He wants to do man-in-the-middle capture. Not be Alice or Bob.
November 12th, 2007, 08:59   #4
GardRail
Veteran Member
 
Join Date: Aug 2005
Location: Martinsburg, WV

muahahah sounds like we have an information security professional on the thread.

Yes I want to be Eve (eavesdropper). . .
November 12th, 2007, 10:27   #5
Lightflyer1
Veteran Member
 
Join Date: Sep 2005
Location: Round Rock, Texas

Quote:
Originally Posted by rjr311
He wants to do man-in-the-middle capture. Not be Alice or Bob.

Okay. I guess I haven't a clue to what he wants then! I don't know Alice or Bob or Eve.

I'll just sit back and read and try to learn something new.
__________________
How to post pics:http://forums.tdiclub.com/showthread...t=post+picture
November 12th, 2007, 10:31   #6
oilhammer
Certified Volkswagen Nut Vendor
 
Join Date: Dec 2001
Location: St Louis
Fuel Economy: fantastic

I think he means to tap into the GEKO system for immobilizers. VAG-COM will not do so, and they have refused to make that function available for fear of security reasons. There are other units available that will, but they are kinda 'spensive.
__________________
oilhammer
www.cardocautomotive.com
November 12th, 2007, 11:08   #7
TeleDawg
Veteran Member
 
Join Date: Apr 2004
Location: LosAnchoros, Alaska
Fuel Economy: 49/48/33

What you want is an RS-232 sniffer.

Here is a good place to start: http://www.lammertbies.nl/comm/cable...y-monitor.html
__________________
2004 Golf GLS TDi,FIS Cluster,Cat Filter,TDi Heater,Aero Wipers,Alum Skid Plate,Valeo eCodes w/Man Lvl,Euro Switch w/LED,Rear Fog,Homelink Visor.
November 12th, 2007, 12:32   #8
Gilty_one
Veteran Member
 
Join Date: Jul 2007
Location: Warman, Saskatchewan, Canada

While that is possible, where would you stash a small enough computer to intercept the data? I suppose a small enough laptop would slide under the passenger seat but, you would need to run the intercepting link to the OBD connector, good laptop batteries, and a dealership not that curious in looking underneath it all.
__________________
I'd get better mileage if I would just drive slower...
~~

November 12th, 2007, 13:20   #9
Sebastian
 
Join Date: Aug 2004
Location: Magdeburg, Germany

There is a lot of confusion going on here...

#1 RS232 Sniffer? The dealer VASG-155x / VAS-505x do not use an RS232 port.
#2 What you want is a K-Line or CAN Sniffer, but even when you have got the stuff sniffed, do you really think you are able to understand the protocol on which the communication is based?
__________________
Sebastian
November 12th, 2007, 13:57   #10
hgeittmann
Veteran Member
 
Join Date: May 2003
Location: Longmont, Colorado

I agree with ^^^. Now you could buy a simple CAN transceiver node from the likes of Microchip (the PIC people) and wire it in. Or a CAN hardware vendor like Kvaser (there are many) will sell a USB-CAN cable too. Having debugged CANopen communication, which is well documented, it's still a royal pain to decode.
__________________
B5 wagon
November 12th, 2007, 18:57   #11
GardRail
Veteran Member
 
Join Date: Aug 2005
Location: Martinsburg, WV

Quote:
Originally Posted by Gilty_one
While that is possible, where would you stash a small enough computer to intercept the data? I suppose a small enough laptop would slide under the passenger seat but, you would need to run the intercepting link to the OBD connector, good laptop batteries, and a dealership not that curious in looking underneath it all.

Good question.... Did you know that you can run RS232 over extremely long distances? I've actually seen RS232 serial console cables (running 9600) approximately 200 feet over cat5 cable. The shorter the distance, the higher the baud rate. I would imagine you could wrap a cat5 cable a few times around your car and still be able to get at least 9600 ;-)

The trick is trying to find a piece of hardware that can detect the baud rate change from 9600 to 10.4k (or whatever it is for ISO 9141-2) and still be able to capture the serial data stream.

Once the datastream is captured, I would hope that it would just be a matter of munging through the datastream and finding the applicable information (such as importer code & what not) that would be necessary to use VAG-COM to configure the transponder on the key, or car to accept the new transponder on the newly cut blade.


Obviously it would be highly inappropriate to see if you could hook up an Ethernet sniffer up to the machine that's programming the transponder... EVEN if you could sweet talk the stealership into doing such a thing, I'm willing to bet my left testicle that it's encrypted or encoded in some way (that's what I would do anyways). If not, hey I already have 4 kids, and the right one to work with ;-)

This would be quite the interesting project. If there continues to be interest in such a thing, we might need to take this offline and continue a more active development / investigation stance. I can't wait till my diag cable arrives.... *holds breath*
November 12th, 2007, 19:22   #12
Gilty_one
Veteran Member
 
Join Date: Jul 2007
Location: Warman, Saskatchewan, Canada

All this is well if RS232 is being used. The CAN-BUS /K-Line may just be some data protocol that the OBD talks to VAG.

The actual connection transmission protocol could be anything...

I myself haven't looked into it in any detail.
__________________
I'd get better mileage if I would just drive slower...
~~

November 12th, 2007, 20:01   #13
Sebastian
 
Join Date: Aug 2004
Location: Magdeburg, Germany

http://en.wikipedia.org/wiki/Controller_Area_Network

http://en.wikipedia.org/wiki/On-Board_Diagnostics
__________________
Sebastian
November 13th, 2007, 07:39   #14
GardRail
Veteran Member
 
Join Date: Aug 2005
Location: Martinsburg, WV

Sebastian,

I could have sworn I read somewhere yesterday that the ISO 9141-2 had similar communications properties with rs232, except the voltage reference was much higher and based off of the battery voltage.

My thoughts would be to basically build a VAG cable, something you can buy cheap off of those folks off of ebay that have a DB9 serial connection on one side, and the diag male port on the other. Once that is obtained, if we can find a way to basically do the reverse and interconnect the two db9 sides via a null modem cable, we would have effectively converted from ISO9141-2 to rs232 to ISO9141-2. The real accomplishment would be to monitor the communications on the RS232 link as that appears to be easier than via the more proprietary SAE interface. . .

The trick would be to look at the communications and see if there is a preamble associated with the baud rate change, then compensate accordingly.
November 13th, 2007, 17:19   #15
Sebastian
 
Join Date: Aug 2004
Location: Magdeburg, Germany

Yes, ISO9141/ISO9141-2 do specify it similarly, but depending on the model you want to work on, this may not be related because it uses CAN. So the real first question is what year, make, model and engine type are you trying to sniff?
__________________
Sebastian