now dropping stuff

2024-02-10 19:01:01 -05:00 · 2024-02-10 19:01:01 -05:00 · f2a0e1cc55
parent 95733725d4
commit f2a0e1cc55
5 changed files with 11019 additions and 4 deletions
--- a/HOWTO-Make-Your-Own-ECU-Communicate-with-TCU.md
+++ b/HOWTO-Make-Your-Own-ECU-Communicate-with-TCU.md
@ -2,6 +2,8 @@

 ## What is this about

+TL,DR: notes on PG35 TCU Man-in-the-middle research.
+
 As of Feb 2024 it has been _years_ since I've on and off started to work on getting an open source ECU to communicate with a transmission control unit via CANbus. So far I have not accomplished the goal which makes it a great point to write an article on the subject!

 I have a [2006 Volkswagen Passat 2.0 Turbo GDI PG35 non-DSG automatic complete running and driving test mule](https://rusefi.com/forum/viewtopic.php?f=2&t=1631) idling on rusEFI open source ECU. Attempting to engage transmission while posting only minimal dashboard CANbus messages causes something violent to happen and the engine would usually stall see https://youtu.be/rTobt4l-iEs
@ -20,8 +22,17 @@ Comparing these two files we confirm which packets are clearly originating from

 ## Now let's cut the wires

+
+
 ```
-2024-02-10_18_43_23_440: EngineState: LUA: TCU isShiftActive=0 tcuStatus=0 EGSRequirement=0
+2024-02-10_18_43_23_440: EngineState: LUA: TCU isShiftActive=0 tcuError=0 EGSRequirement=0
 2024-02-10_18_43_23_440: EngineState: LUA: Total from vehicle 125658 from TCU 15593 dropped=0 replaced 0
-2024-02-10_18_43_23_839: EngineState: LUA: TCU isShiftActive=1 tcuStatus=0 EGSRequirement=0
+2024-02-10_18_43_23_839: EngineState: LUA: TCU isShiftActive=1 tcuError=0 EGSRequirement=0
 ```
+
+
+```
+2024-02-10_18_54_03_328: EngineState: LUA: TCU isShiftActive=0 tcuError=0 EGSRequirement=0
+2024-02-10_18_54_03_517: EngineState: LUA: Total from vehicle 123015 from TCU 15380 dropped=3796 replaced 0
+2024-02-10_18_54_03_718: EngineState: LUA: TCU isShiftActive=0 tcuError=0 EGSRequirement=0
+```
--- a/OEM-Docs/VAG/2006-Passat-B6/2024.02/idling-stock-ecu.trc
+++ b/OEM-Docs/VAG/2006-Passat-B6/2024.02/idling-stock-ecu.trc
--- a/OEM-Docs/VAG/2006-Passat-B6/HOWTO/script_1_mim.lua
+++ b/OEM-Docs/VAG/2006-Passat-B6/HOWTO/script_1_mim.lua
@ -38,11 +38,11 @@ end
 counter440 = 0
 function onTcu440(bus, id, dlc, data)
 	isShiftActive = getBitRange(data, 0, 1)
-	tcuStatus = getBitRange(data, 1, 1)
+	tcuError = getBitRange(data, 1, 1)
 	EGSRequirement = getBitRange(data, 7, 1)
 	counter440 = counter440 + 1
 	if counter440 % 40 == 0 then
-		print("TCU isShiftActive=" ..isShiftActive .." tcuStatus=" ..tcuStatus .." EGSRequirement=" ..EGSRequirement)
+		print("TCU isShiftActive=" ..isShiftActive .." tcuError=" ..tcuError .." EGSRequirement=" ..EGSRequirement)
 	end
 	relayFromTcuToVehicle(bus, id, dlc, data)
 end
--- a/OEM-Docs/VAG/2006-Passat-B6/HOWTO/script_2_drop_motor_5.lua
+++ b/OEM-Docs/VAG/2006-Passat-B6/HOWTO/script_2_drop_motor_5.lua
@ -0,0 +1,68 @@
+-- scriptname script_2_drop_motor_5.lua
+
+-- sometimes we want to cut a CAN bus and install rusEFI into that cut
+-- https://en.wikipedia.org/wiki/Man-in-the-middle_attack
+
+-- include misc-util.lua
+-- endinclude
+
+-- include PG35-CANbus-ids.lua
+-- endinclude
+
+-- this controls onCanRx rate as well!
+setTickRate(100)
+
+VEHICLE_BUS = 1
+TCU_BUS = 2
+
+totalVehicleMessages = 0
+totalTcuMessages = 0
+totalDropped = 0
+totalReplaced = 0
+
+function relayFromVehicleToTcu(bus, id, dlc, data)
+    totalVehicleMessages = totalVehicleMessages + 1
+--    print('from ECU ' .. id .. " " .. arrayToString(data) .. " dropped=" .. totalDropped .. " replaced " .. totalReplaced)
+    if id < 0x7FF then
+        txCan(TCU_BUS, id, 0, data) -- relay non-TCU message to TCU
+    end
+end
+
+function relayFromTcuToVehicle(bus, id, dlc, data)
+    totalTcuMessages = totalTcuMessages + 1
+    if id < 0x7FF then
+        txCan(VEHICLE_BUS, id, 0, data) -- relay non-ECU message to ECU
+    end
+end
+
+counter440 = 0
+function onTcu440(bus, id, dlc, data)
+	isShiftActive = getBitRange(data, 0, 1)
+	tcuError = getBitRange(data, 1, 1)
+	EGSRequirement = getBitRange(data, 7, 1)
+	counter440 = counter440 + 1
+	if counter440 % 40 == 0 then
+		print("TCU isShiftActive=" ..isShiftActive .." tcuError=" ..tcuError .." EGSRequirement=" ..EGSRequirement)
+	end
+	relayFromTcuToVehicle(bus, id, dlc, data)
+end
+
+-- special handling for TCU 440
+canRxAdd(TCU_1088_440, onTcu440)
+-- drop MOTOR_BRE whatever it is
+canRxAdd(MOTOR_BRE, silentDrop)
+-- also drop MOTOR_5
+canRxAdd(MOTOR_5, silentDrop)
+
+-- last not least everything else
+canRxAddMask(VEHICLE_BUS, 0, 0, relayFromVehicleToTcu)
+canRxAddMask(TCU_BUS, 0, 0, relayFromTcuToVehicle)
+
+everySecondTimer = Timer.new()
+
+function onTick()
+    if everySecondTimer:getElapsedSeconds() > 1 then
+        everySecondTimer:reset()
+        print("Total from vehicle " .. totalVehicleMessages .. " from TCU " .. totalTcuMessages .. " dropped=" .. totalDropped .. " replaced " .. totalReplaced)
+    end
+end
--- a/OEM-Docs/VAG/2006-Passat-B6/HOWTO/script_2_drop_motor_bre.lua
+++ b/OEM-Docs/VAG/2006-Passat-B6/HOWTO/script_2_drop_motor_bre.lua
@ -0,0 +1,66 @@
+-- scriptname script_2_drop_motor_bre.lua
+
+-- sometimes we want to cut a CAN bus and install rusEFI into that cut
+-- https://en.wikipedia.org/wiki/Man-in-the-middle_attack
+
+-- include misc-util.lua
+-- endinclude
+
+-- include PG35-CANbus-ids.lua
+-- endinclude
+
+-- this controls onCanRx rate as well!
+setTickRate(100)
+
+VEHICLE_BUS = 1
+TCU_BUS = 2
+
+totalVehicleMessages = 0
+totalTcuMessages = 0
+totalDropped = 0
+totalReplaced = 0
+
+function relayFromVehicleToTcu(bus, id, dlc, data)
+    totalVehicleMessages = totalVehicleMessages + 1
+--    print('from ECU ' .. id .. " " .. arrayToString(data) .. " dropped=" .. totalDropped .. " replaced " .. totalReplaced)
+    if id < 0x7FF then
+        txCan(TCU_BUS, id, 0, data) -- relay non-TCU message to TCU
+    end
+end
+
+function relayFromTcuToVehicle(bus, id, dlc, data)
+    totalTcuMessages = totalTcuMessages + 1
+    if id < 0x7FF then
+        txCan(VEHICLE_BUS, id, 0, data) -- relay non-ECU message to ECU
+    end
+end
+
+counter440 = 0
+function onTcu440(bus, id, dlc, data)
+	isShiftActive = getBitRange(data, 0, 1)
+	tcuError = getBitRange(data, 1, 1)
+	EGSRequirement = getBitRange(data, 7, 1)
+	counter440 = counter440 + 1
+	if counter440 % 40 == 0 then
+		print("TCU isShiftActive=" ..isShiftActive .." tcuError=" ..tcuError .." EGSRequirement=" ..EGSRequirement)
+	end
+	relayFromTcuToVehicle(bus, id, dlc, data)
+end
+
+-- special handling for TCU 440
+canRxAdd(TCU_1088_440, onTcu440)
+-- drop MOTOR_BRE whatever it is
+canRxAdd(MOTOR_BRE, silentDrop)
+
+-- last not least everything else
+canRxAddMask(VEHICLE_BUS, 0, 0, relayFromVehicleToTcu)
+canRxAddMask(TCU_BUS, 0, 0, relayFromTcuToVehicle)
+
+everySecondTimer = Timer.new()
+
+function onTick()
+    if everySecondTimer:getElapsedSeconds() > 1 then
+        everySecondTimer:reset()
+        print("Total from vehicle " .. totalVehicleMessages .. " from TCU " .. totalTcuMessages .. " dropped=" .. totalDropped .. " replaced " .. totalReplaced)
+    end
+end