Hacking RF with the CANcrusher

A project log for CANcrusher Car Hack / Development Platform

CANcrusher is an Open Source CANbus development system for hackers and developers interested in a low-cost alternative to the $$$$ systems.

davidDavid 09/10/2015 at 10:220 Comments

I needed a fun way to test the LIN/KLINE channel with the CANcrusher (and an excuse to hack something) so I guessed that the RF receiver in my 2009 Pontiac Vibe would be using a LIN COM channel to talk with the BCM. (I was close.) Looking at the service manual for my car, I can see that there are only 5 pins with just 4 connections on the "Remote Control Door Lock Receiver (RCDLR)" module.

1. GND

2. Serial Data

3. Keyless Entry Program Enable Signal

4. NA

5. Battery Positive Voltage

This particular module, made by a company called TRW, uses a single wire serial connection which I was hoping was some type of LIN or K-LINE protocol. As it turns out, after connecting to my Picoscope, the data appears to be using a simple USART protocol, 8 bits, 1 start bit, no parity, 2 stop bits, 2400 baud. The nominal voltage on the line is 12V and the data appears to be only 1-direction, from RCDLR to the BCM. When you press a button on a learned keyfob, the serial data will start spitting out repeated 5-byte frames which I assume is the message for a specific button being pressed and held. When you release the button, a single, different frame is sent with some of the bytes only changing by 1 bit, indicating the release. At the beginning of the data stream, there is a 2-byte frame (0xF1, 0x10) which is some type of indicator message sent at the beginning of all data sequences.

Encrypted Data?....

At first I was expecting some type of encryption of the data but I'm not so sure anymore. The Service Manual says that this module can store up to 4 unique keys. When you press and release a button, you might get the following sequence:

F1 10 .... 54 02 00 1B 93 ... 54 02 00 1B 93 ... 54 02 00 1B 93 ...

Then when you release and press the button a second time you get:

F1 10 .... 54 02 00 03 AB ... (only 2 bytes change)

followed by:

F1 10 .... 54 02 00 0B A3 ... followed by

F1 10 .... 54 02 00 13 9B ...

After that, the sequence repeats. There are only 4 unique frames for that button being pressed and the sequence repeats in order. Hackable? Yes!

What's Next:

As you saw from the previous post, one of my prototypes died. Once I get prototype 2 up and running, I'll connect to the serial data line of this module using the LIN transceiver and mimic the data sent by this module to the BCM to control my door locks and panic button. From there, I'll be able to remotely control this feature via Bluetooth and through the SIM808 cell module from my server.

For those interested, this particular module uses an Infineon ASK 315MHz transceiver (TDA5201) and a Microchip PIC16F76 8-bit controller. If the protocol wasn't as straight forward as it was on the serial line, next steps would be to attempt to dump the binary image from the PIC. (Note: I can't imagine TRW would have left the fuse unlocked that would allow me to do that, but one should always try. ;)