diff --git a/HOWTO-Make-Your-Own-ECU-Communicate-with-TCU.md b/HOWTO-Make-Your-Own-ECU-Communicate-with-TCU.md index f228bc16..5f3192fc 100644 --- a/HOWTO-Make-Your-Own-ECU-Communicate-with-TCU.md +++ b/HOWTO-Make-Your-Own-ECU-Communicate-with-TCU.md @@ -12,7 +12,10 @@ Original ECU which I am looking to replace for no good reason is BOSCH MED9.1. C ## Toolset -I have PCAN USB dongle to record CANbus traces and a few Proteus units for Man-in-the-middle research. I've also created my own suite of CANbus trace processing utilities https://github.com/rusefi/can-log-tools/ +* PCAN USB dongle to record CANbus traces +* a few Proteus units for Man-in-the-middle research +* VAG diagnostics cable to read/reset error codes +* I've also created my own suite of CANbus trace processing utilities https://github.com/rusefi/can-log-tools/ ## First experiments @@ -22,7 +25,14 @@ Comparing these two files we confirm which packets are clearly originating from ## Now let's cut the wires +I am going to use the https://en.wikipedia.org/wiki/Man-in-the-middle_attack approach meaning I want to drop the CANbus wire coming into TCU, install my Proteus and by means of Lua scripting alter the flow between +vehicle and TCU. By doing that I hope to understand what TCU cares about and what it does care about while running OEM ECU in order to later apply that knowledge while making my own ECU cooperate with same TCU. +On this Passat TCU is located under the fender, I've cut and extended the wires. Proteus now sits between TCU and rest of the vehicle. + +First script would just pass all messages and just print ``isShiftActive`` + +https://github.com/rusefi/rusefi_documentation/blob/master/OEM-Docs/VAG/2006-Passat-B6/HOWTO/script_1_mim.lua ``` 2024-02-10_18_43_23_440: EngineState: LUA: TCU isShiftActive=0 tcuError=0 EGSRequirement=0 @@ -30,9 +40,22 @@ Comparing these two files we confirm which packets are clearly originating from 2024-02-10_18_43_23_839: EngineState: LUA: TCU isShiftActive=1 tcuError=0 EGSRequirement=0 ``` +## Let's drop a packet or two + +Next step: let's drop MOTOR_BRE 0x284, i.e. not let it through. + +https://github.com/rusefi/rusefi_documentation/blob/master/OEM-Docs/VAG/2006-Passat-B6/HOWTO/script_2_drop_motor_bre.lua ``` 2024-02-10_18_54_03_328: EngineState: LUA: TCU isShiftActive=0 tcuError=0 EGSRequirement=0 2024-02-10_18_54_03_517: EngineState: LUA: Total from vehicle 123015 from TCU 15380 dropped=3796 replaced 0 2024-02-10_18_54_03_718: EngineState: LUA: TCU isShiftActive=0 tcuError=0 EGSRequirement=0 -``` \ No newline at end of file +``` + +Well, TCU did care. Let's drop something else, let's drop MOTOR_5 0x480. + +https://github.com/rusefi/rusefi_documentation/blob/master/OEM-Docs/VAG/2006-Passat-B6/HOWTO/script_3_drop_motor_5.lua + +Nice! TCU reports an error now! We've learned that MOTOR_5 0x480 is required. + +Manually resetting codes gets old really quickly so I have a second Proteus constantly checking if there are error codes to reset https://github.com/rusefi/rusefi/blob/0bcf342976951a24c9e81a3524e0c897b29e5440/firmware/controllers/lua/examples/vw-tp-tcu.txt diff --git a/OEM-Docs/VAG/2006-Passat-B6/HOWTO/script_2_drop_motor_5.lua b/OEM-Docs/VAG/2006-Passat-B6/HOWTO/script_3_drop_motor_5.lua similarity index 97% rename from OEM-Docs/VAG/2006-Passat-B6/HOWTO/script_2_drop_motor_5.lua rename to OEM-Docs/VAG/2006-Passat-B6/HOWTO/script_3_drop_motor_5.lua index a6ec4b87..2021445d 100644 --- a/OEM-Docs/VAG/2006-Passat-B6/HOWTO/script_2_drop_motor_5.lua +++ b/OEM-Docs/VAG/2006-Passat-B6/HOWTO/script_3_drop_motor_5.lua @@ -1,4 +1,4 @@ --- scriptname script_2_drop_motor_5.lua +-- scriptname script_3_drop_motor_5.lua -- sometimes we want to cut a CAN bus and install rusEFI into that cut -- https://en.wikipedia.org/wiki/Man-in-the-middle_attack