rusefi
/
rusefi_documentation
mirror of https://github.com/rusefi/rusefi_documentation.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

HOWTO-Make-Your-Own-ECU-Communicate-with-TCU.md

This commit is contained in:
rusefillc 2024-02-10 19:34:34 -05:00
parent f2a0e1cc55
commit 8d461267fb
2 changed files with 26 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
HOWTO-Make-Your-Own-ECU-Communicate-with-TCU.md
View File

@ -12,7 +12,10 @@ Original ECU which I am looking to replace for no good reason is BOSCH MED9.1. C
## Toolset
I have PCAN USB dongle to record CANbus traces and a few Proteus units for Man-in-the-middle research. I've also created my own suite of CANbus trace processing utilities https://github.com/rusefi/can-log-tools/
* PCAN USB dongle to record CANbus traces
* a few Proteus units for Man-in-the-middle research
* VAG diagnostics cable to read/reset error codes
* I've also created my own suite of CANbus trace processing utilities https://github.com/rusefi/can-log-tools/
## First experiments
@ -22,7 +25,14 @@ Comparing these two files we confirm which packets are clearly originating from
## Now let's cut the wires
I am going to use the https://en.wikipedia.org/wiki/Man-in-the-middle_attack approach meaning I want to drop the CANbus wire coming into TCU, install my Proteus and by means of Lua scripting alter the flow between
vehicle and TCU. By doing that I hope to understand what TCU cares about and what it does care about while running OEM ECU in order to later apply that knowledge while making my own ECU cooperate with same TCU.
On this Passat TCU is located under the fender, I've cut and extended the wires. Proteus now sits between TCU and rest of the vehicle.
First script would just pass all messages and just print ``isShiftActive``
https://github.com/rusefi/rusefi_documentation/blob/master/OEM-Docs/VAG/2006-Passat-B6/HOWTO/script_1_mim.lua
```
2024-02-10_18_43_23_440: EngineState: LUA: TCU isShiftActive=0 tcuError=0 EGSRequirement=0
@ -30,9 +40,22 @@ Comparing these two files we confirm which packets are clearly originating from
2024-02-10_18_43_23_839: EngineState: LUA: TCU isShiftActive=1 tcuError=0 EGSRequirement=0
```
## Let's drop a packet or two
Next step: let's drop MOTOR_BRE 0x284, i.e. not let it through.
https://github.com/rusefi/rusefi_documentation/blob/master/OEM-Docs/VAG/2006-Passat-B6/HOWTO/script_2_drop_motor_bre.lua
```
2024-02-10_18_54_03_328: EngineState: LUA: TCU isShiftActive=0 tcuError=0 EGSRequirement=0
2024-02-10_18_54_03_517: EngineState: LUA: Total from vehicle 123015 from TCU 15380 dropped=3796 replaced 0
2024-02-10_18_54_03_718: EngineState: LUA: TCU isShiftActive=0 tcuError=0 EGSRequirement=0
```
```
Well, TCU did care. Let's drop something else, let's drop MOTOR_5 0x480.
https://github.com/rusefi/rusefi_documentation/blob/master/OEM-Docs/VAG/2006-Passat-B6/HOWTO/script_3_drop_motor_5.lua
Nice! TCU reports an error now! We've learned that MOTOR_5 0x480 is required.
Manually resetting codes gets old really quickly so I have a second Proteus constantly checking if there are error codes to reset https://github.com/rusefi/rusefi/blob/0bcf342976951a24c9e81a3524e0c897b29e5440/firmware/controllers/lua/examples/vw-tp-tcu.txt

2
OEM-Docs/VAG/2006-Passat-B6/HOWTO/script_2_drop_motor_5.lua → OEM-Docs/VAG/2006-Passat-B6/HOWTO/script_3_drop_motor_5.lua
View File

@ -1,4 +1,4 @@
-- scriptname script_2_drop_motor_5.lua
-- scriptname script_3_drop_motor_5.lua
-- sometimes we want to cut a CAN bus and install rusEFI into that cut
-- https://en.wikipedia.org/wiki/Man-in-the-middle_attack