Naughty CANbus odometer "interface". (Fakes mileage.)
Вставка
- Опубліковано 8 гру 2019
- I was sent this device by a mechanic who found it behind the instrument panel of a car. When removed another 40,000km appeared on the clock. The unit appears to "massage" the data between the ECU and the display.
The design of the circuitry is very functional. Basically two CAN (Controller Area Network) chips, a processor and some power supply components. The design is actually very neat.
The real work will be done by the processor, and I'm not sure whether the unit passes all other data through untouched except the odometer data or if it buffers everything.
From the type and spec of the processor I'd guess that this has been developed on an Arduino style platform, but I could be wrong. It just has that modular look to it. The Dupont style sockets and the way one has been hacked into a very robust plug is also a clue that this was a geeks personal project that escaped or evolved.
The keywords to find these online are "can filter 18 in 1". Here's an eBay search link:-
www.ebay.com/sch/i.html?_from...
Keep in mind that their function is to reduce the apparent mileage of a vehicle, and this may be a criminal offence in some countries.
If you enjoy these videos you can help support the channel with a dollar for coffee, cookies and random gadgets for disassembly at:-
www.bigclive.com/coffee.htm
This also keeps the channel independent of UA-cam's advertising algorithms allowing it to be a bit more dangerous and naughty. - Наука та технологія
is it well made? well it works but your mileage may vary
Well played sir!
instantrimshot.com/audio/rimshot.mp3
www.sadtrombone.com ;)
You win
Very punny. 😆😂🤷♂️
Your description was very close to how it works, Many cars store the mileage in more than one location, this particular module is setup for a mercedes to stop the dashboard getting an updated mileage from another ecu in the vehicle, not necessarily the engine ecu, it could be from the ABS, LCM or even SAM modules(other places store it too but these are the main ones). Many modules have access to the vehicles mileage so that when a fault occurs they can log the fault code, time, date, mileage, etc in the fault log.
The car this was removed from probably had the mileage "corrected/cheated" to a lower value before it was sold and this module was to stop the dashboard getting the updated mileage when the key was switched on, the module filters out the data containing the mileage from other ecu's but it cannot correct the data to show 40,000 km less, that had to be reprogrammed into the dashboard itself.
A genuine use for these is if you have some modules damaged by water/voltage surge/take your pick and need to replace them with 2nd hand units, if they came from a vehicle with higher mileage than the one your repairing then you would use a module like this to stop the dashboard loading the higher mileage into its memory, the dash will automatically increase the mileage value but wont lower it if you change the module back(BMW cars do this also).
Using the vehicles reg to do an online MOT check will usually show issues if the mileage has been tampered with.
We work on vehicle electrics here daily and have many problems with canbus systems, mainly due to condensation on the connectors & pcb's, it takes very little damp to bridge the can data wires to power wires and raise the canbus voltage above operating limits, but as the can network covers the whole vehicle it can take a long time to trace where the fault is, eg. landrover immobiliser & engine communications faults are regularly caused at the rear of the vehicle in the electric parking brake pcb, Mercedes canbus problems often are with damp underneath the drivers feet mat or in the boot beside the spare wheel. Its very interesting work but it causes some headaches and makes a weekly pub visit almost essential.
P.S. Removing this module most likely didn't do anything to fix the cars warning lights unless the module itself was faulty.
Was going to say something very similar, so thank you for saving me the time! Very well written!
Thanks for that, Im glad it made sense :-) its interesting that those of us with similar interests all end up watching Big Clive taking the same stuff apart
I did a search of the numbers on the back of the pcb and got this:
www.cardiag.com/product/can-filter/
Sounds like your theory may be correct.
Error codes...😂
Very interesting. I'm glad I found this comment, thank you.
I wonder if an increase mileage version exists for those who claim mileage against their tax.
That's an interesting thought but wouldn't more miles be more better for claiming tax back? 🤔
The chip can probably be reprogrammed
Mileage can be increased by a lot of bidirectional scan tools. That is far easier than trying to decrease it. Most legit tools can't
@@Robeight I recently claimed cents/km and don't recall providing postcodes
@@Firecul - But one might desire to have their cake, and eat it too, by claiming higher miles to the taxman, then when the car is sold on, lower the miles back to the true number, or even lower as this device did.
"The more they over think the plumbing, the easier it is to stop up the drain." Montgomery Scott.
Not to mention being sent to prison. They do not eff around with this stuff. You will get sent to prison for using this if you get caught.
@@tarstarkusz Depending on country. In Australia I think they'll just giggle like they understand the joke.
Aye.
The "W" numbers are the Mercedes model numbers.
and s4 is a audi
Yeah, more accurately the body model designations. There's good chance that each option fits far more car models than the ones printed on the PCB. They're all VAG after all.
@@PenZon Um, no they're not? Mercedes and BMW aren't part of VAG.
Yes they are! 222 chassis is the Flagship model S class, The 166 chassis covers the middle to full size suvs what used to be the ML-GL class now I think they are GL and GLC.
@@PenZon Ah, yes, I knew this wasn't the complete truth I told and that the numbers are somehow related to the chassis/body or something like that, but I didn't know how exactly, so I left it with my little half-truth ^^; .
Very interesting. I install remote starters in vehicles and these types of circuits that peel out a signal or useful control for the vehicle are referred to as 't-harnesses'. When I use a t-harness its typically to give me the information I need in order to control the car and running it down to a plug that interfaces with my remote start brain. This is the first Ive seen of something like this, very interesting, thanks for sharing.
Edit: also on the pcb itself,
S4 would be for an audi
W22 and w166 are mercedez bens chassis codes
If it was a mechanical odometer it may change the value for the stepper motor without affecting the speedometer if that possible. If it’s electronic, I believe the odometer display is stored in the ECM.
by Mercedes the odo is stored in the engine ecu the gearbox if it's automatic the body and tacho
@@Punky-Boy I wouldn't be surprised if all CAN bus comms inside high-end cars will be encrypted soon. Just like John Deere, it will require proprietary software to pair and authorize replacement parts.
@@misterprimeminister473 wel you have to learn new parts to the car and ecu's aren't switchable if you doesn't get an empty one
@@misterprimeminister473 I mean, bad guys will always do bad guy stuff. You could fudge the sensor on the trans, wheel speed sensors, or... ya know... put bigger diameter tires on a vehicle - garbage in; garbage out. In the US, the insurance companies track and sell this data. They typically audit the sensor collected data against GPS data.
Clive, you really need to read this chip and see what the secret sauce is!
See my comment in main thread.
In South Africa we call that giving the car a haircut
I love the fact that you also call traffic lights "robots". ;)
And I believe roundabouts are known as "turning circles" in a few Countries?
In spain we call that "To shave kms" :)
Hello all from the uk :).
Here in England we call it a puss cut.
@Eben van Ellewee this
@Andrew Hall Eben van Ellewee
Ahh, that sounds more like it. hehe
I think we need a part 2 where you see if the program can be read.
I used to have a very similar device about 12 years back, they can be used for many things, not just illegal ones.
Have you seen the feature on cars to program in two sets of seat/mirror/etc settings for two drivers?
Before that was standard, I made my own with a device like this. It intercepted dash controls to watch for a trigger.
If I had the accessory on but engine off, pulled forward on the high beam lever twice, I could then hit turn signal up or down, each being a different seat, mirror, ac/heat, etc profile to change to.
I suspect that's why the build quality is so high. Whomever programmed it for its illegal function probably just sourced the hardware elsewhere, programmed it for this task, and resold it labeled for this purpose.
Unfortunately, these are sold on Aliexpress and on other websites as "odometer correction" devices, so I doubt they're being used for a legitimate purpose.
Interesting that you bring up memory seats - Wasn't that a common option on many cars before OBD-II was even standardized? I'm pretty sure you could get Buicks, Oldsmobiles, and Cadillacs with that feature as early as 1982.
You could certainly get those features, but here (US) they were never "base package" options, they always cost more and/or were on the higher end models. Plus I am very frugal when it comes to cars.
But a cheap $20 OBD-II micro and the chance to learn how the bus works in general and I was beyond happy. Not to mention the fact I was the only cars driver and didn't even need seat profiles :P It was more about learning to hack on it for me
@@lorddissy I mean, I'm here in the US, and Buick, Oldsmobile, and Cadillac are all General Motors, which is a US brand...
Indeed, the fact that you could re-program it suggests it has legal uses as well. Just this particular one isn't so legitimate. A multi-purpose device that in this case was on the naughty side
If they're sold on AliExpress, would it come with a programmer? How would the purchaser set the number of miles to be subtracted?
I fitted one of these kinds of devices some years back for a friend with an imported Subaru Legacy B4 Blitzen. In this case it wasn’t specifically an attempt reduce the mileage but circumvent the speed limiter which came in at around 112 mph. When fitted it converted the speedo so that the km/h section of the dial then became the mph reading.
mine is chipped as well one that disables the active fuel management (gm's AFM does not even save gas it will just transfer the costs into expensive repairs so you end up saving nothing at all)
Those kind of devices worked differently in most cases. In older Toyota's at least, this was implemented by the vehicle speed sensor, which was a mechanical device that created a variable clock square wave pulse interpreted by the ECU. This was also sent to the cluster to drive the odometer by routing the same wire from the sensor back to the ECU. The odometer had no smarts, it just used to drive a small motor, where the square wave ended up being interpreted as variable voltage based on speed. The speed cut bypass was achieved by sending a square wave pulse back to the ECU at just below the frequency for the max speed. The dumb ones just cut the wire to the ECU, but that caused problems. The avast ones would look for a frequency above X and only modulate the signal down when the VSS was sending a frequency above the limited speed. This signal was usually generated by an NE 555. Similar approach but no CANBUS
That really restores my faith in buying second hand cars!
The dominant state in CAN bus is a 0, so the lower node or message ID gets higher priority, so message or node 0 has the biggest priority and will 'win' any collision if two nodes start transmitting at the same time.
Technically the dominant state could be a 1, but the the highest priority ID would depend on implemented specification (CAN 2.0A vs CAN 2.0B).
On such comments and knowing nothing, am I right in thinking there's a bus clock ?
Please Miss, what does 'CAN' stand for ?
@@millomweb Car Area Network
If you want an easier way if understanding the CANBUS this video is ideal: ua-cam.com/video/PL0TPdrhMuI/v-deo.html
@@millomweb There's no bus clock line - the bus is asynchronous, it means that every node generates it's own clock, roughly equal to bit rate, and during communication any node receiving a frame synchronizes it's own clock to the clock derived from the transitions in the frame. There's also bit stuffing mechanism to ensure transitions are separated by max. 5 same bits. More pretty good info you can read on Wiki.
The W166 refers to the 3rd generation of Mercedes M-class, W222 are the short wheel based saloons in the s-class. S-4 might be for the Audi S-4
well, the new Toyota supra and the BMW Z4 is basically the same car ;)
That explains why the E-class was throwing codes -- if this was designed for an M-class and they installed it on an E-class, it's probably hosering some of the data.
Pity there isn't an "AS" - for auto select - surely you can tell what 'car' it is by asking the ECU ? (No, number of wheels, body shape etc. irrelevant - what car in terms of electronic control !
@@eformance such that when the A/C reached its set point, the dash reported low engine oil.
A typical multi-application board.
With Clive's accent I kept hearing him say "Cannabis" and for a minute my brain kept getting confused...
Some might say that's a CAN-A-BUS effect.
Yes very confusing
It was smoking, wasn't it. Or was it what I ate.
The dominant "0" implements an ID priority system. When 2 devices write at the same time, the smaller ID will override the other one. This is sensed by each device and when it recognizes a difference between sent and read data, it stops and lets the other one continue.
i thought it was whoever wrote the 0 wins. the 0 is dominant. whoever wrote the 1 but reads the 0 will know to yield. that way the device that won the right to transmit doesnt have to restart his transmission.
This is a classic "Man-in-the-middle Attack"
I initially thought 'evil maid' type mitm. But in this case it's definitely friendly criminal maid mitm.
AKA a splice.
Really old school stuff. I’d have thought there’d be some sort of authentication layer based on SN or something in the operating software by now.
@@boonedockjourneyman7979 Yes, I was wondering why there doesn't seem to be any efford to make that kind of attack more difficult. This seems less safe than a physical lead seal.
@@TheYear-dm9op CAN allows you to send eight bytes at a time. CANopen structures this a bit, so now you have four bytes header and four bytes data. There really isn't that much space for any authentication. For authentication to be of any use, the signature would have to be added to the message itself, and I know of no crypto suite that would fit in those size constraints. And if you want the dash and the ECU to exchange magic packets, then this device can just forward those.
CAN is made for low-bandwidth real-time communication. The various sensors need their guaranteed bandwidth to send the data.
Also threat models: No hacker gets into the CAN without physical tampering, so why waste resources on security? This particular attack only changes one part of the display. It does not, for example, disable the breaks. So no safety hazard. And only a safety hazard would motivate the manufacturers to do something about it. And that would likely be a seal of some kind, since that is still cheaper than changing the software of every single sensor, ECU, dashboard and radio on the CAN bus. Oh yes, these days the stereo is on the CAN bus, to see when you use the steering wheel buttons.
Maybe a criminal hazard (fraud), if the buyer ever finds out.
This is what it says on the back - a CAN gateway. Messages received on one CAN interface will be blocked or re-transmitted on the other, and vice-versa. (Here odometer messages going in the direction of the instrument cluster will have their payload doctored to represent a lower value before being sent on.)
These sort of things are used legitimately by vehicle manufacturers, usually to filter what messages can be read from the diagnostics port and especially to filter what messages can be sent from the diagnostics port onto the vehicle bus - which could be very dangerous.
I really like this little board - whoever made it has done a neat job!
@J Jimenez You don't have to be a criminal to be interested in customizing your car's software. I read another comment of someone using a similar method to add a 'driver profile settings' functionality to their car, before it became more standard package. To quickly switch between settings of the mirrors, A/C, etc. for different drivers in the same car, basically.
I could also see some diagnostics functions for the enthusiast. If they are looking to learn a bit about this stuff.
Could prevent some trips to the mechanic's, in the right hands.
Ofc people also use this to rip you off, but that's not gonna change anytime soon, now is it? Learning about that stuff does change things however. (allows you the opportunity to check for this stuff, for instance)
@@FroggyMosh exactly! I am annoyed that the panic button on my key fob sets off the horn, but does not shut down the engine.... I remember back in the late 70s when car alarms were rare and expensive we saw someone stealing a car in a restaurant parking lot, horn was going off for 20 minutes.... 80 some people standing around watching, no one called the police... now that you hear one going off every 5 minutes or so, effectiveness of a horn alarm is zero unless you (the owner) are within hearing distance.
I want to have the horn (when oscillating in alarm mode) trip a circuit that will disable the car so it's not moving unless it's towed... also effective for car jacking...
@@rosebarnes9625 Any decent alarm system will have an immobilizer. Though with modern keys having chips in them. Cars are basically impossible to hotwire. The car will just refuse to start without the correct cryptographic key.
@@2009dudeman you missed my point.... the panic button on my key fob sounds the horn..... that's it.... If I get car jacked, I want the panic button to shut off the engine, not sound the horn while he drives away....
@@rosebarnes9625 If you get car jacked, and for some reason you kept the remote but not the key. Shutting off the car when they are 20 feet away is going to cause them to get out of the car, pissed off and come back 20 feet to beat the crap out of you. Or just crash the car into something like they do with baitcars when those get shut down while they are driving.
You're better off just putting lojack or something on it and having the police follow them to where they are parking it.
For sale: E36 BMW, runs great, cold AC, good tires, lots of extras.
LOW MILEAGE!
$10k. No lowballers, I kno wut I have!
Sold for $10k, though as you didn't specify which country, it's $10k Zimbabwean, which comes to less than 1 cent US. xD
Those prints just continue to impress me every time.
Here in the states when I was a young child, my father worked as an auto mechanic and I remember him bringing home the “analog” ancestor of such a device he found installed in-line with a cars Speedometer drive cable. About the size of a D cell with a couple on each end. It contained a set of planetary gears that would down-covert the cars speed measurement from “Miles per Hour” to Kilometers per Hour." So if you were going 60 MPH for one hour the Speedometer would only indicate a little over 35 MPH, and likewise, the Odometer would only increment 35 miles, not the 60 miles traveled! What is more by that time most American vehicles had speedometer's that indicated both MPH and kM/h so the driver could just use the kM/h scale to accurately know their true speed in MPH.
Probably from km/h to Miles/h (eg from 100km to 62miles) 🤓
Michæl Alan Baker My fathers 1976 GMC pickup had one of these devices as well, except it was marketed for use to change the indicated speed as he used larger tires than what came on the truck. It was used to correct the speedometer, not cheat it.
Conservator About how many miles is 60 km?
@@SudaNIm103 about 40
@@SudaNIm103 40
as a professional mechanic & electrical enthusiast this was very interesting. a good example of why I subscribed; all the random electronics you find and show.
I've been wondering how long it would take for a device like this to surface.
@@Jimmeh_B one time I made a circuit that disabled all the abs & wheel speed sensors so that the car could go above the factory limiter @ 115mph. it had the side effect of stopping the odometer & speedo from working. but it was on my car & I checked the odometer discrepancy thing on the title just to be safe.
the circuit was just N.C. relays at every sensor, all powered from a switch under the dash. when on they all interrupted each sensor. the car couldn't tell how fast it was going so it didn't know when to limit speed. just used a gps speedometer app and away you go.
@@jankcitycustoms I like it, simple and effective. :)
The first thing I do on any car with ABS is pull the ABS fuse. Not a fan of ABS.
@@Jimmeh_B haha that's funny, I am the same way.
my girlfriend's car has traction control you can't shut off. so I always pull the ABS fuse when I drive because it disables all of that shit by the one fuse.
edit* especially during winter. once you practice it's fun to keep the wheel truned and pulse brakes to alternate between sliding straight & turning
@ADEBISI ADEBISI lol. na, handjobs are near the bottom; I'll see ya down there later. this is the bullshitin' story time thread.
Its so nice to see they went to the effort to color code it for us
Its similar to a device that Taxi drivers use to display the journey to charge their customers.
In reverse you mean?
years ago I had a boss who had me and another co-worker install a switch into his leased car.
The switch replaced a fuse that powered the dashboard and the odometer.
What he would do is get out on the highway, engage the cruise control and then disable the dash and odometer, presumably saving money on his lease.
Great guy.
@Dave Micolichek Correct. One of the cars i have stopped counting on the dash at 299999KM, but i have the option to take it in and get it flashed to the right mileage because its still stored.
@@JackReacheround Toyota? The older Corollas and Prius have a glitch in the odometer that make them stop counting at 299,999. It doesn't matter if it is in miles or kilometers.
No odometer no cruise control.
@@nukelauncher95 Pontiac vibe, The cousin car to the Matrix
The keyword for this on aliexpress is "can filter universal odometer adjust", only 12$ or something....
Thanks, I've narrowed that down further to "can filter 18 in 1" and they seem very common. I've added a search link in the description.
@@bigclivedotcom "BMW Mileage Correction" should help too. They don't reverse mileage on BMW's but they prevent it going up
@@bigclivedotcom I've found this, which seems extremely similar. www.truckdiag.com/shop/can-gateway-can-filter/
Quite a few other interesting devices on that site :)
Think this is the oem... www.yanhuaacdp.com/
Tempted to buy a couple to try and read the MCU's firmware out. The test pads are likely to be SWD and power.
It is a naughty little part.
BTW, I really enjoy your channel and along with helping me understand some of the "useless (or useful depending on your bent), I too have had a parent with dementia and your sharing has helped me quite a bit. Keep up the good work. :O)
I remember a case where a used car dealer was brought up on charges for "rolling back" a speedometer..(that is how the law was written)..in the days when cars used mechanical speedometers. At the trial, they had him cold with all their evidence. But he threw them for a loop. He rolled the speedometer "forward" until it 99,999 miles and then it all went to 000,000 and then he went a bit further and shaved off 40k. He walked and they had to reword the law.
I have never seen a law that is that poorly written ;D
In Germany there is no specific law for it, but it is "computer fraud", which basically means manipulating data in a computer to gain financial benefits. We do not care if you go back, go forward, or in which order you do it ;D
That's fascinating that the mileage suddenly changed when it was removed. That means the ECU is accumulating the mileage and storing it locally in a non-volatile flash or eeprom to make the vehicles mileage inaccessible to most modifications. Reminds me of the "black box" functionality I found while reverse engineering some GM OBD-II ECU software. The ECU keeps a rolling buffer of vehicle telemetry data (speed, braking, engine parameters, pitch/roll/yaw data if available, etc.). In the event you crash the car, the entire buffer is dumped to the flash memory to tattle on you and investigators can then tell exactly what you were doing in the moments leading up to the crash.
Not sure if you’ll see this, but here comes a few Q’s...
1. Any clue on how a device like this would interact w/ an analog odometer *when removed* ?? Would the rollers spin away until the true ECU recorded miles were displayed?
2. Is there an available database that lists all vehicles that are outfitted w/ this big brother black box? I have a 2015 Wrangler JK - electronic amenities aren’t exactly the focus - So I feel if there ARE some more modern vehicles that do not have a BBox, it would be one like mine. On the flip side, if mine DOES have a bBox, then it’s safe to assume ALL vehs do.. which is very annoying.
3. Have you figured out any more cool tricks since this 2 Yr Old comment???
@@flojotube Depends on how the odometer is driven. If it’s cable driven then they spin away regardless. Analog gauges with a digital odometer will potentially be effected depending on how it is stored by the vehicle. Not all ECUs have the BB feature. I have a 99 PCM from a GM/Isuzu gas truck in my 88 Camaro with a PFI conversion that does not have it. But I have another from a Firebird on the shelf that does have that option to record data to the internal flash of the airbag deploys. It can be disabled, at least in the GM ECUs I was working with. I can’t vouch for the Wrangler. It may be there, and a search on the ‘net might help. Keep in mind it’s not comprehensive like one for a passenger plane. It simply records things like speed, vehicle status, if the brakes are applied or not, etc. In a standard crash it’s not much of a liability, but years ago someone did get burned by it when they were speeding in a corvette and crashed. As long as you don’t plan on speeding it’s not an issue. A bigger concern is if the vehicle has connectivity (i.e. OnStar for GMs). Those seem to be VERY intrusive. I think I have even had them do stealth reflashes in the middle of the night. Get in and the car will have different features enabled like suddenly having auto start when the key is turned. I have heard the HVAC actuators some on randomly when I had my window open while sleeping. This is indicative that the vehicles ECU/BCU are active for one reason or another. I would consider removing the cell antenna and associated electronics if you can and have such concerns. But that is not an easy task since it’s tied into the CAN bus and other controllers interface with it.
@@flojotube All 2012 and new vehicles in the US have black boxes, I know because I had a 2011 and it was 1 out of the 5 models that sold in the US that year that didn't have one.
Videos from two of my favorite creators (Great Scott is the other) making content on CANBus?! YAY!
@@Okurka. feel that way too sometimes
they're actually used after changing the mileage in the cluster via an eeprom dump, it blocks CAN signals to stop the dash synchronizing with the EZS module and putting the mileage back to what it was before (info is stored in both and it will "correct" itself to whichever number is higher)
Wow I'm not even a driver and I learned so much from this video.
I have very basic knowledge about circuits and the explanations here filled in so many little questions I had.
Thanks for that.
16:33 Maybe you can. Mercedes writes any changes on the can-bus to a log every 10 miles. I remember it because one victim of airbag/radio theft decided to drive his car to a shop and practically strip the interior before reporting it. The shop then saw that the seats, radio, dash etc etc were disconnected after the car had been driven and pieced one and eleven together: insurance fraud.
Ahh yes, it's the "Ferris Bueller" mileage fluffing unit.
nah you just gotta run it in reverse :P
@@sawspitfire422 that didn't work nearly as well on the Ferrari in the movie as it did on my dad's Honda..... 😁
So thats why im watching this then.... I just watched that and was listenting to Danke Schoen a little while ago lol
@@BitKing_Ross I recall ... Central Park in fall ... 🎵
Love the video! It reminds me that some car manufacturers “hard burn” the mileage from the canbus into other modules like anti lock break control modules. That way if the car is in an accident you can get a 30 second last condition of the car sensors. It records actual mileage. It should also prevent modules like what you have in lease cars. They check the ABS system mileage to the dash board. Thanks Clive!
Thats right. Chrysler started that with their CCD bus in 1989. I was surprised that with the right diagnostic tools you can read out mileage from the Engine control module for example. Worked on a 1990 New Yorker, quite astounding. Apparently it works on the Trans control module too of that era.
I need to learn more about can bus always hearing about it. So thanks for the canbus introduction.
"I had to do a lot of test driving to find the issue, if you don't believe me, check the odometer."
These are somewhat common in Central Europe (basically every car has had the miles clocked). Although the drawback I’ve heard from a few people is that the dash (even on a modern car with a fully digital dash) will display the speed wrong, presumably lower than reality so the dash doesn’t think you’ve travelled so far.
this should absolutely be forwarded to Ben Heck! I have no idea what he could do but you know it's going to be epic!
CANbus in vehicles (Beyond the engine and transmission) started with the power windows. Vehicle manufacturers had reached a point around 2000 in shaving weight where all the low hanging fruit was gone. They were shaving weight because of the MPG requirements of the EPA and other regulatory agencies around the world. At some point, I believe it was Chrysler... an engineer said in a meeting, what about the power window system? At the time a power window system had wires looping from door switch to door switch all over the vehicle, wired basically like 3 way switches in a house. This system had well over 200 pounds of wiring, JUST to control the windows!!! Easch door had a thick bundle of wires going into it just to control raising and lowering the windows, since all doors were connected through the main panel on the driver's door. This engineer realized he could reduce the wiring in each door to 12 volt power and ground, and two thin communication CAN wires looping around to each component of the window system within the door - a total of 4 wires passing into the door.... So instead of 12 volts in a heavy wire going from the drivers door to the passenger motor to drive it. The drivers door switch module puts commands on the CANbus to tell the passenger door to roll down. (on some vehicles the modules talk directly, on others it must go through the ECM). Thus, vehicle wide CAN control was quickly adopted throughout the vehicle, on some vehicles to include things as basic as brake lights and turn signals.... All, in the interest of losing weight in the wiring harness for fuel economy as well cost savings reasons. By doing this, they reduced the over 2 miles of wire required in a late 1990's vehicle to less than half that by 2008.
But I digress... as for this little gem... No bit banging... with proper construction of the circuit and hardware to meet CANbus communication standards... Well done !!!! except for, wow that's LOW.....
CANbus has been around since the early 80s.
@@shmehfleh3115 yep, it was used on factory floors for many years. It is nothing but RS-422. The first diagnostic connectors were introduced around 1990 and were very basic (the ALDL... a basic serial connector with hardly any data)
J1850 was introduced in 1995 1/2 on both GM amd Ford, with dodge continuing to use its old serial bus but with a J1850 style connector ... till roughly 1997-1998. (Confusin as heck huh) the J1850 was fine for engine control but only ran at 9600 baud so it's use was limited to very basic functions. Later, the J2284 with 112k baud came out by demand of the manufacturers so they could expand the bus as I described and connect more devices without bogging it down.
Memories of Danny DeVito in 'Matilda'...though he took a little different of an approach :P
Cheers for sending this, Dave. Very interesting!
Makes me wonder though, is my State the only one which requires an odemeter reading be written on the title when the vehicle changes hands? I am aware that these are actually entered into the State DMV computer, the computer kicks them back if the difference does not make sense, for example if the car went back 30 thousand miles from the last sale, the title would be frozen till the State Highway Patrol did a basic investigation. (I was a cop for 24 years,)
This generation was in need of replacement due to power drain issues.
CANbus explained in a way that thick people understand..even though your " not very organised ' as you say.
thanks buddy. Learned a lot 😀
Squiggz 👍
It makes totally sense. The jumper in the lower right say "W222" (Mercedes S-Class) and "W166" (Mercedes M-Class). It makes sense to manipulate the mileage of these models, as they are the biggest factors for resale. That moves (with us) in the area of a clear imprisonment because of "heavy fraud".
Very interesting, I may have to check this out as my car lost 40k miles when I disconnected the battery. 63 plate audi. As you said in the video, very had to prove when it was done if this was installed.
D*** you're cute
the CAN bus has 0 being active due to how the CAN bus handles Arbitration; i.e. what happens when two devices go to talk at once.
Each CAN message has a priority code which works as follows;
lets say we have three nodes that want to transmit at practically the same time, one of 3 (0011) one of 1 (0001) and one of 5 (0101)
rather than messing with baud rates lets just say call each step a Tick;
first tick;
All send the first bit, this is 0 for all of them
So they all go high, and the bus is high
They all check the bus value and all see it is high
So they all transmit the next bit, this is 0 for all but the last one for which it is 1
so the first two go high, and the last one goes low
as such the bus goes low!
they all check the bus value and the last one sees the bus is not the right level and goes into receive mode
finally the first two transmit again
the bus goes low
and the first one drops out to going into receive
the remaining node transmits it's remaining bit, sees no conflict (which as its the last bit would otherwise produce an error) and transmits its data onto the bus
What a clever system
very big thanks BigClive for the autopsy of that delinquent device 😀✔
Hi there B.C ! - This is very interesting ! - Thankyou for showing & sharing this ! - I have passed this episode? - On to my mechanic son !
All the best S.B. British Isles
If you want an interesting look into figuring out the special sauce for programming an ECU over CAN, look up Just4Trionic. Used it extensively while tuning my 1997 SAAB 900, to avoid having to take the ECU out every time I needed to program it (using Motorola's proprietary "BDM" interface; kinda like JTAG for the embedded Motorola 68K's). Unfortunately the 1994-1998 900's didn't have the CAN lines brought out to the OBD port, so I had to make a custom adapter cable for SAAB's proprietary 'debug' plug hidden behind the glove box. Neat stuff, especially given how old the SAAB Trionic 5 ECU design is.
Ha, Trionic5 fan here too. Ive got two 9000 Aero's. Do you know Jules from the UKSaabs forum ?. Possibly the best T5 tuner in the UK.
A 👍and a subscription for that "If your getting illegal electronics, you ot to make sure that they are made to a good standards" lol too funny 🤣🤣🤣
Best comment I have heard so far this year
Also to make sure you know what to look for if you looking for a new used car
"you ot to" ?? Seriously? *facepalm*
Yes, I enjoyed that sardonic comment too.
@@AureliusR ... and in the same sentence, "If your getting ..." - that's the second face-palm in one sentence.
Some vehicles will store the mileage in both the cluster and ecu, and in some cases other modules. ABS units will provide speed data and this is usually passed on to ECU, Instrument cluster and any other modules that need it via CAN.
Thanks for explaining what a can bus wiring system is for. Had to install an aftermarket stereo in a 2000 Chevy several years ago and the install kit came with a similar device and a new buzzer for when the keys are in the ignition and the doors are open. Guess the old radio had the buzzer and can bus wiring. Now I know. Thanks
Can it make me look ten years younger?
@Dave Micolichek Doesn't work without the 9v battery to the tongue.
Only if you're Johnny-5.
The Circuit is good, but not a miracle device.
No, but it might make your pecker hard if you shove up your arse and apply mains voltage.😉😯😄
That's a different mushroom. Go ask Alice. 🍄 🤶👀
Nice coincidence this comes up after me diving into the STM32 microcontroller family in the last few months.
Yes it *could* be programmed in the Arduino environment, but I suspect the makers used the ST Microsystems development tools which are free and provide fairly easy access to all the powerful features of these chips, including software libraries that make using the CAN ports easy. The STM32 chips seem to be a favorite of the Chinese advanced gadget makers, probably because of their really good cost/feature ratio. And your guess is going to be right about the read-protect feature being enabled - it's so easy to do that it would be a huge error NOT to enable it.
BTW and as I'm sure you know, the magic sauce is not in the circuit but in the code. What's happening in software on the chip is not very difficult itself, but the knowledge behind it might very well represent untold hours of reverse engineering the dashboard/ECU communications in various cars. There's a lot of value in that. The board itself could probably be sold for $15 to $20 US while still making a small profit on the hardware, but I bet it costs at least 10x more for a scumbag used car dealer to acquire. Edit: Unless they know where to buy it firsthand. I saw some of the links in here and they're going for $40. Still a tidy profit for the Chinese maker(s).
Well you certainly can't argue against their quality of work - impressive.
Excellent little device. Possible expansionism ideas as well. Monitor or even monitor and location. Professional piece of hardware. Shame the criminal wasn’t professional enough to remove it.. I may have to contact the thieves guild on this one. :). Good video, cheers Clive.
The old way of fudging miles was to disable the cluster, you would loose all output information on the IC. guys would install a external programmer into the DLC and use that as there cluster. things have changed now due to the fact that most ICs contain the vehicle security module. very smart little gadget if you ignore its intended use. I actually have a module that us used to provide feed back information for the new electronic power steering systems. if your interested in taking a look at it let me know, i can also get you all the relevant OEM wiring diagrams CHEERS!!
The old old way was to take the dash out and use a screwdriver or such to roll the numbers back, or all the way around, without scratching them up or making them horribly misaligned.
Usually the dash is part of the immobiliser System, also in most New cars, the mileage is ttansmitted from the abs Controller and stored there.
@@st_us Only in older VAG cars the IMMO is in the cluster. Nobody else does this stupid design.
or buy one from the wreckers with lower mileage and swap it over
Back in the day, ‘clocking’ was rampant amongst the back street car traders...the Arfur Daley’s. The U.K. introduced a mileage statement on each MOT. so I’m not sure if it can still be fiddled or not?
The speed/distance data for the instruments comes from the ABS unit, but is also sent to the engine ECU, and the auto gearbox if fitted.
Looks fairly well made,
The messages are sent periodically, this is intercepting the odometer message and modifying the reading, the other messages will be relayed.
The jumpers in the bottom right are to change the vehicle it's configured for
W222 and W166 are Mercedes chassis generation numbers and there is BMW support.
The CAN chips are Transceivers, the controllers are in the MCU itself. They'll have used Microchip as they are the cheapest in low volume.
A CAN gateway is a device that bridges 2 CAN bus networks, bit like a router in Ethernet.
I can't help but think, this channel is like Scott Manley's secret electrical engineer brother...
Thank you! As I'm watching I'm like someone has to have mentioned it... Because the entire time I'm watching I'm waiting to hear "Hi I'm Scott Maaaaanley"
Looks like a classic Man In The Middle ( MITM) hardware attack. Very slick.
You are a master in that info, thank you for sharing, love the site.
The bus termination resistor is also to stop the signal wave bouncing off the end of the transmission line and echoing back and forth. Like a rope tied to a fixed point and pulled a bit tight, twitch one end of the rope and watch a wave travel -- then bounce off the tie point and return. The resistor absorbs the signal instead.
Slope control allows reduction of EMI and power supply peak draw in CAN bus networks with lower data rates (slower edges = doesn't transmit as much, takes less current to slew the bus voltage) and high speed operation for e.g. 1MBPS networks.
Would really like to see you revisit this when you have the facilities or access to facilities to read the programing on the chip, hopefully they haven't locked it. Keep the great videos coming I really enjoy them all. Best wishes to you Big Clive.
It's that way around so that device zero is the highest priority..
If 1 was the active state then device 255 would have to be the highest priority..
Kind of a brilliant system
Good point!
Very interesting, love your content 👍🏽
"If you're getting illegal electronics you want to make sure they're made to good standards" 😂😂 Brilliant Clive. Interestingly, I had a BMW Motorcyle and due to their particular take on CANBUS you couldn't just plug your battery maintainer (e.g Optimate) straight into the 12v accessory output socket as it goes dead a few seconds after the ignition is turned off. So you actually need a special (expensive) version of battery maintainer. What I did instead is to unplug the wiring from the back of the pillion seat accessory socket, insulate and tie these back carefully (for easy reversal of my mod). Then I simply connected the battery (with a suitable in-line fuse) directly to the accessory socket terminals. Voilà! A simple way to use my standard Optimate device with this particular bike 👍
Wow that's f'd up, good catch to the guy who found it!
8:44 - "It's actually quite well designed." Probably so that it minimizes any technical issues it might cause. You wouldn't want this causing problems on the network thus causing a technician to find it.
Except that he did find it .... due to numerous dashboard issues.
@@HappyQuailsLC Then I guess it wasn't designed well enough. ;)
HappyQuails well I’d say given how the device works, it worked pretty well for a considerable time of it managed to shave 25,000 off the mileage.
Either it failed and caused an issue with the CAN or it was just found by chance when then mechanic was investigating the other issues.
i am thinking it is a "generic" piece of kit "repurposed" for this usage and NOT MADE FOR THIS USAGE
jason riddell considering there are pads to select 4 different vehicle programs I’d say it’s being used for exactly what it was designed for.
Doing a quick search on CAN gateway and CAN gateway module brought up some interesting results.
I believe the slope control is enabled to meet more stringent EMC levels, it softens the edge of the signal making it easier to filter it from the outside world.
Hmmmm, I think I see how it works (7:00) but Merc have got wise to the 'mileage correction' game for a while now, the mileage is stored in 3/4 different places, the ECM (engine ecu), EIS (electronic ignition/key (yes the mileage is stored in the key)) and the IC (instrument cluster). If the mileage is significantly higher in any of these 3/4 places the rest of the modules will adopt the higher mileage. This has happened to a customer of a garage I used to work for where they used one of their spare keys and the mileage jumped up by 50,000 miles
How is that even possible it would mean the Old key would have had to travel 50000 miles in a another vehicle. My brother is a locksmith and we retrieve the data off of a key to find there is no mileage being stored on the key what we did find was a counter that was counting down the amount of times you could use the key before it would deactivate itself.
@@obviouslytwo4u The mileage had been 'corrected' and the previous owner had probably not supplied the spare key when the mileage had been changed. The car wasn't in the best of condition either with lots of stone chips and corrosion here and there so the actual mileage may have been even higher than the additional 50k as the key stored the mileage it was last used at
@@obviouslytwo4u amount of times a key can be used on a car? That sounds like a pain in the ass waiting to happen. Actually that would give me anxiety and I'd try to get rid of that. Unless you're not talking about a car key.
This isn't reprogramming the mileage value with a lower value, this is reducing the amount that is added. Therefore mileage data would be consistent in all storage devices. You couldn't use this to give a car a "haircut" (as the trade call a car with the odometer wound back), you stop the hair from growing as quickly.
@@renyn21 He's talking about manufacturers programming keys to self disable after X number of starts, to force you to buy a new $300 Smart key from the manufacturer. (after the warranty expires, of course.)
The adjustable slew is used to "relax" the leading and trailing edges of the CAN signal. It cuts down on unnecessary noise. Anyone who has ever lived through DeviceNet knows what happens when the slew is set for "Flat out". :)
Do you mean it slows the rise/fall times of the signal to eliminate the high frequency overtones of the signal as it changes? Just curious
@@SteveJones172pilot Yes it does, and it certainly helps in that regard. And DeviceNet is an abuse of the CAN spec in the first place, so it needs all of the help that it can get.
FWIW, my Railstar Io CAN boards have their slew rates "hard-coded" into the board by way of resistors (RC time constant). www.dcctrain.com/shop/item.aspx?itemid=6273
At GM Holdens there was a discussion about encrypting HSCAN data for sensitive information - we pushed for ALL data to be encrypted to obfuscate all sensitive communications. GM didn't want to spend the money.
GM knew that it helps devalue older vehicles and make people lean towards something new
I actually built a very similar circuit a few weeks ago. But in my case I did it to translate the data and that I could retrofit an instrument cluster from a newer car :-D
Sounds interesting, I would totally watch a video about it
I know there are videos of people using OLD BMW clusters wired up to PC's for racing games and having REAL gauges in your "car"
could you build me one id gladly pay davidv8522@gmail.com i would like to install a different cluster in my vehecle
Love the technique of using the blow-up photos!
The STM32F1 chip was used on a lot of earlier quadcopter flight controllers like the NAZE32.
This has one of the funniest moments I ever saw! Nice one, Big Clive!
I'm guessing the circuit board was developed as a generic device that could be programmed for whatever use the owner needed and was then used by someone nefarious to defraud car purchasers.
No I think they're purpose designed for this - someone above has linked sites selling them in bulk. There are even expensive devices that reflash the ECU and dashboard with new mileages etc.
the bottom right side of the board (looking at his big photos) has solder joins labelled for different versions of the protocol, i would guess that this is purpose built for "being naughty" as clive calls it
although, you could repurpose it as something else that used 2 separate can busses and only 4 other IO (the 4 protocol choices are just gpio, could be configured as input or output) stm32 microcontrollers are really nice/easy to work with (although the can bus speeds are a bitch to get at first)
It's called a CAN filter. You can find them on DHgate and Aliexpress.
www.dhgate.com/product/yanhua-mb-can-filter-18-in-1-benz-bmw-universal/422061032.html#s1-7-1;searl|1741375639
@@ebthepcguy I don't see a mileage set in the description. I'm curious if you program it or is it set from the factory?
What printer do you use to print out your stunning PCB photos?
Epson eco tank.
Pretty much any modern printer will print photos of that high quality. The source matters more. So if you use a high quality camera to take high quality photos, you can print them out in high quality in most printers.
@@bigclivedotcom I would be interested to know which model of Epson EcoTank you went for. I am about to take the plunge myself after much debate......
@@xenonram I work in said industry - the paper stock makes a huge difference also - Clive must be using good Inkjet Coated Paper.
@@cameradoctor205 He certainly is, when he picks the photo up it barely sags, it's almost card weight and super gloss.
I’ve designed Soooooooo many PCBs with STM32 chips. That guy has a dual CAN controller so the firmware is just intercepts the traffic and sends it back out with the data overwritten. Very clever!
The 5 empty pins on the bottom of the board are for a micro USB connection. From left to right it is 5V, Data -, Data +, Mode Detect, and GND. That's how they programmed it. Likely it is programmed with Arduino but could also be Python. Judging by the CANBUS controller chips tell me it is Arduino. You can extract the code in binary and use a disassembler to convert the code.
I see many of these on ebay at the moment - one title "Yanhua MB CAN Filter 18 in 1 For Benz/BMW Odometer Adjustment Universal Filter"
Would love a in-depth, loooong video with scope, DMM, PC, datasheet orgy. =)
Please Clive!
A big Fan out here in Kenya.
It would really help if the various videos were categorized into some playlists based on the 'genre' of equipment.
The bottom contacts are certainly for the SWD to program the mcu with pogo pins. Also, some STM32F1's can be read out even when the lock bit is set.
I wouldn't mind connecting it to a debugger and see if they protected the flash on it :D
evil Bunny yes they do
As others have mentioned - it would be cool to get the hex dump of the ARM chip.
Not sure how similar the process is for the STM32 chips, but for basic Arduino family of chips it's not too hard - as long as the fuses haven't been burned to prevent it. Put the dump.on paste bin and see what we can discover as a community. Perhaps it's really simple or mega complex ..??
its programmed through the steering wheel media buttons
ua-cam.com/video/wrUP9y0P0S0/v-deo.html&feature=emb_logo
It's a node broadcast on the CAN if they adhere to standard protocols, a dominant controller will be allowed a specific number of Ms per second to broadcast it's information, some are 1Hz some are 5 or 10Hz depending on the data priority. A dominant controller can pull voltage to 12V on some systems to tell others controllers a fault has occured, some use 5V on CAN HI for this signalling. It can be 100 meters long with hundreds of nodes on the same bus. 2 120Ohm resistors, usually "active" termination are installed along the way.
In over 40 years of buying cars I cannot recall ever paying much attention to the recorded mileage. But then most of my cars come from a period when body condition was much more important and the greasy bits could be fixed relatively easily.
Having said that, I did once go as far as replacing the luminous paint on the dials of a 1954 Pathfinder. On that model the instruments were lit via UV filters which gave a rather pleasing glow to them.
Hah that QA sticker. They put it on top of the ARM chip surely as there's no doubt the ARM chip itself has passed QA ;) Can't say that's false.
I reckon that, in this context, it means "Questionable Application"
i know on Lincoln's from the mid '90s the mileage was stored locally on the dash, i had a customer who pulled the dash fuse to keep the mileage low :/ and yes it worked
I bought a used car with a bunch of parts once, including a dash cluster... when I asked why the guy told me “It’s only got 50K on it, if YOU ever sell the car swap it in and make a few extra bucks” :-S
Great video! I was aware of these devices but not a lot of data on the web.
Like others have said, the w222 is a Mercedes S class and w166 is an ML. What I didn’t see mentioned is Mercedes models share CAN architecture. Theses two models CAN architecture cover the whole range of Mercedes models. From my experience these blockers do not cause error codes and are usually found by accident. There’s other control modules that redundantly store the mileage and you’re able to check the mileage in those modules with a MB scan tool.
Not if you change them too
"Keep in mind that their function is to reduce the apparent mileage of a vehicle, and this may be a criminal offence in some countries."
It definately is in the Isle of Man, and in fact the UK :-)
It's not an offence until you sell the vehicle with an illegitimate mileage to a buyer without telling them the mileage has been lowered. It seems here that the device has been used in illegitimate circumstances
@@stevietheg2580 you are suggesting that it is just for thick people that want to cheat themselves legally?? HA HA!!
@@fredflintstone1 nice name! Kinda weird to run into you here!
Best solved with a street sweeper.
@@stevietheg2580 But it's not an offence to sell a car with 50k on it if the car had an engine replaced without the buyers knowledge. It happened to me and trading standards told me 'tough luck m8'.
Hey Clive, you just needed a USB - FTDI and connect headers to the 4 solder points shown @ 9:10 and read in Arduino's console :)
The slope control input is used to control emf noise. The higher the slew rate, the more noise the chip produces.
You should do more videos like this explaining the PSB circuits and how they work please.
For us old timers that is a Berg header plugged into a wire wrap header. I wonder if That ARM 7 is hardwired to simply subtract 40,000 km or does it compute a proportional mileage reduction, say 75% of actual mileage.
Between seeing this and the GPS tracker gizmos found on used cars glad we buy ours new and use them until the wheels fall off.
Well...you could answer that question yourself...because what if the actual mileage is less than 40k?
@@mojoblues66 True but what is the point of putting this gizmo on a low mileage car? I assume it is installed by a car dealer so they can charge more.