Disclaimer: I did not list any actual codes in this blog post. I am not sure the legalities involved, so I will outline everything except the actual codes to send on the CAN Bus. Everything I talk about are just place holders. They are easy enough to find on your own.
What in the hell was I missing?! I had the adapter configured and the car still wasn’t listening. Back to the STN1100 sheet I went. I just knew at this point I was structuring it incorrectly. If I had the command 10 00 00 00 02 01 how was I supposed to put that code back on the CAN Bus and get a response. I’ll spare you the exact details, but I ended up trying a lot of different things. I eventually hit pay dirt.
AT CP 10
AT SH 00 00 00
02 01
Boom. Instant response. My car doors locked. Now to find the unlock button.
I did the exact same thing as earlier. I turned the car off, let the CAN Bus go to sleep, and pressed the unlock button five times as I was logging the data from the CAN Bus.
I dumped the data to Excel again and started to sift through it.
Hmm. I wasn’t seeing ANY commands showing up five times. I thought about it for a minute, and guess what happens when the car is locked and you hit the unlock keyfob button for the first time? Just the driver door unlocks. Well, that explains it.
I found the command that showed up FOUR times (because the first command was something else to just unlock the driver’s door remember?).
10 00 00 00 02 03
Hmm. That’s the exact same code I wrote down earlier, well almost. It was the same up until the very last digit. 01 changed to 03, that’s it. Game on.
Side note, you’ll see the importance of this soon: My car was running when I started sending codes for two reasons.
- It was freakin’ cold out!
- The CAN Bus goes to sleep when the car is turned off.
I started rifling down the list, 01, 02, 03, 04…20 until I found everything.
01 Lock
02 Unlock Driver
03 Unlock All
07 Panic
15 Trunk
Hell yes. (Hint, GM only has a few sets of codes across ALL of their vehicles since 2006. Most of these may line up to your vehicle.)
Wait a minute, something is missing from that list. START! Where in the hell is start? Ugh. So close, yet so far. And how in the hell was I going to find what worked for start with the car running and the CAN Bus busy as hell?
I actually got lucky here. I remembered the STN1100 chipset allowed filtering by header. Since I already knew the header that all of the keyfob commands were sending, and only the last two digits of the code changed thus far, maybe the start commands were structured like the rest of the commands. Yes, yes they were.
0B Start
0C Stop
Sweeeet. I’ve got my codes. But as I discovered earlier. The CAN Bus goes to sleep when there is no activity… Well, what is the hell was I supposed to do now?!
Wake the sucker up. Duh.
I had absolutely no idea how to do this. I Googled for a while, trying multiple different search terms trying to find ANYONE that could give me some insight.
That guy saved my project. I had to send an 11-bit wake-up message FIRST before sending the rest of my commands. Ok, cool. SO HOW IN THE HELL DO I DO THAT?!
Back to the STN1100 Reference Manual and OBDLink MX Protocol Commands PDF.
I’ll spare you the ridiculous trial and error I went through and jump right to how I woke the bus up.
ATR0
ATAL
STP 61 (Set the sw can mode to 11 bit)
STCSWM 2 (Set the sw can mode to “Wakeup”)
AT SH 621 (Set the header to 621)
01 FF FF FF FF 00 00 00
BUT WAIT, The CAN Bus dude said I only had 3 seconds to send commands after the CAN Bus was woken up.
I’d like to say this is where I started to investigate writing a Python script to do everything fast enough for me, nope. Imagine me sitting in my driver’s seat with my laptop on my lap and a list of commands printed next to me in the order they needed to be typed. Imagining? Good. Now, imagine me typing as quick as I can trying to beat the 3 second timer, for 20 minutes straight, growing increasingly frustrated. Now imagine me throwing my laptop on my passenger seat and running into my house pissed as shit. Ok? Done laughing? Joke’s on you, I got it to work by hand. 😛 Let’s move on to the Python script.
To Be Continued on Part 5. Check back in a day or two. Writing is hard.
First of all. This is awesome.Thank you!!!. Just in case your are wondering, what you did is perfectly legal as of Oct 2015
http://www.wired.com/2015/10/library-of-congress-says-its-ok-to-hack-your-car/
Thanks. I did hear about that, still playing it safe.
You’re welcome. I’m glad I saved your project because it’s cool!
Thanks again for all your help. You saved me a lot of frustration from that single post.
Hey – Can you reach out to me about this? I had a couple of questions about the Service Stabilitrak messages you’re getting, along with the codes you’re using. Check the email in the form 🙂
So the wakeup works even if your car has been off for a while?
I saw this in the STN1100 PDF:
Note 2: Wireless add-on modules (Bluetooth, WiFi)
are unpowered in sleep mode. Therefore, it is not
possible to wake up the device over a wireless link.
And you are using Bluetooth which makes it sound impossible, but you seem to have pulled it off.
Not sure what they are referring to. The MX Bluetooth goes to sleep and wakes just fine via bluetooth.
Theoretically, the MX Wifi should too, but that thing was more buggy than the MX Bluetooth and I never got it to work right.