Forum Newbie here, Hello everyone!

  #1  
Old 03-19-2014, 10:49 AM
Destinaxe's Avatar
New Member
Thread Starter
Join Date: Mar 2014
Location: Mass
Posts: 5
Forum Newbie here, Hello everyone!

Hello All,

I am new to the Fit scene, recently bought a 2013, excited to be a part of the community!

A little background info:

I used to work for a VW/Audi tuning company where my primary job was to locate exploits in engine control modules and create methods for re-flashing and unlocking. This involved extensive work using ISO-15756, ISO-142230, ISO-14229. After developing a skillset in embedded systems security I was offered a job with a research lab at MIT. I now reside in Boston where I work in computer systems security.

I am coming to this forum to see if there would be any interest in an open source Honda Fit flashing/modification tool. I have already done a fair amount of work in designing a tool for performing this operation. My ultimate dream would be to design an open source hardware platform and software suite to allow users to modify their FITs as they see..well fit!

Anyways, I hope to use this forum to post my findings and also recruit any other software/hardware developers who might be interested in this project!
 
  #2  
Old 03-19-2014, 10:59 AM
xxryu139xx's Avatar
Super Moderator
iTrader: (1)
Join Date: Aug 2012
Location: Union, NJ
Posts: 3,355
This would be awesome since Hondata is dragging their feet for the GE8
 
  #3  
Old 03-19-2014, 11:03 AM
Destinaxe's Avatar
New Member
Thread Starter
Join Date: Mar 2014
Location: Mass
Posts: 5
I noticed that! I'm hoping to first get my hands on a used ECU and possibly a stock stereo first to get things really rolling, there may be a USB exploit in the 2013 stereos that might lead us to an easy reflashing method. I've managed to get it to spit out some interesting data, but I'm too scared to keep trying on my personal car haha
 

Last edited by Destinaxe; 03-19-2014 at 11:06 AM.
  #4  
Old 03-19-2014, 11:54 AM
jibberjabbs's Avatar
Member
5 Year Member
Join Date: Apr 2011
Location: Madison
Posts: 250
Originally Posted by Destinaxe
I noticed that! I'm hoping to first get my hands on a used ECU and possibly a stock stereo first to get things really rolling, there may be a USB exploit in the 2013 stereos that might lead us to an easy reflashing method. I've managed to get it to spit out some interesting data, but I'm too scared to keep trying on my personal car haha
Destinaxe, I would love to help you hack this ECU. I just happen to have a spare stock stereo I would be willing to donate to the cause. I purchased it used (just for the bezel) and believe it was from a 2012 or 2013 model.

Recently I have been getting to know the GE's ECU because I have been trying to find a way around using TPMS sensors. This has led me into the world of CAN bus and OBDII. I would love to help you out on this project if I can! I also have a background in electronics, mostly hardware and manufacturing though.
 
  #5  
Old 03-19-2014, 12:31 PM
Destinaxe's Avatar
New Member
Thread Starter
Join Date: Mar 2014
Location: Mass
Posts: 5
Originally Posted by jibberjabbs
Destinaxe, I would love to help you hack this ECU. I just happen to have a spare stock stereo I would be willing to donate to the cause. I purchased it used (just for the bezel) and believe it was from a 2012 or 2013 model.

Recently I have been getting to know the GE's ECU because I have been trying to find a way around using TPMS sensors. This has led me into the world of CAN bus and OBDII. I would love to help you out on this project if I can! I also have a background in electronics, mostly hardware and manufacturing though.
This is excellent news! I plan on creating a simple website this weekend to post various files/progress/documents related to the goal here. Ultimately what I would like to eventually gather is a nice open source online repo that would allow most users to learn about what is going on in their ECU. I would be more than happy to compensate you for the Stereo if you are willing to part with it! Shoot me a PM sometime!
 
  #6  
Old 05-11-2014, 06:14 PM
jamisnemo's Avatar
New Member
Join Date: May 2014
Location: Culver City, CA
Posts: 8
Originally Posted by Destinaxe
This is excellent news! I plan on creating a simple website this weekend to post various files/progress/documents related to the goal here. Ultimately what I would like to eventually gather is a nice open source online repo that would allow most users to learn about what is going on in their ECU. I would be more than happy to compensate you for the Stereo if you are willing to part with it! Shoot me a PM sometime!
Hey, any chance you might have actually done any of this?

I've got an OBDII connector here and am trying to dig in to which CAN protocol Honda uses on the Fit. I would assume it's not ISO-14229 or GMLAN... which are the only two which I have found information on as of yet.

Any information would be really sweet...
 
  #7  
Old 05-12-2014, 08:19 AM
Destinaxe's Avatar
New Member
Thread Starter
Join Date: Mar 2014
Location: Mass
Posts: 5
Originally Posted by jamisnemo
Hey, any chance you might have actually done any of this?

I've got an OBDII connector here and am trying to dig in to which CAN protocol Honda uses on the Fit. I would assume it's not ISO-14229 or GMLAN... which are the only two which I have found information on as of yet.

Any information would be really sweet...
If you could send me some CAN logs, that would be amazing. I have some experience reverse engineering proprietary protocols and am in the process of developing a framework for doing such automatically. Just running at idle for a few seconds and maybe some logs of the vehicle driving would be great.

I have done some reverse engineering work on the module that mounts USB drives and will be posting my findings soon. I have a data sheet for the processors that are used on that board and have discovered JTAG access which may allow for reprogramming and allowing iPod support in the future.
 
  #8  
Old 05-12-2014, 04:15 PM
jamisnemo's Avatar
New Member
Join Date: May 2014
Location: Culver City, CA
Posts: 8
Sweet! I'll try to get some clean, full (including all addresses) log captures tonight.

Note that I have a manual transmission with no nav so I'm not sure how much that will help in stitching up the other end of the USB/radio module... But there IS a USB port even on the non-nav version so there may be some similarities...

Also, how are you fuzzing/reversing the USB port? I've got a facedancer if you need some other USB reversing help. I've also got some preliminary designs for a more complete facedancer design built on the PIC32MX platform... if the facedancer doesn't support the needed endpoints.

Also, I've got a github account if you do... GitHub.com/JamesHagerman....

I'm glad to have found another fit hacker!

Jamis
 
  #9  
Old 05-12-2014, 06:27 PM
Destinaxe's Avatar
New Member
Thread Starter
Join Date: Mar 2014
Location: Mass
Posts: 5
That would be excellent, thank you so much!

I have some experience with USB fuzzing as well, but have never gotten my hands dirty with a face dancer! My initial plan with the USB module is to see if I can get a firmware dump via JTAG, the chip that handles the actual audio transmission is an ARM Cortex M0 (I believe, may be an M3). I am working on a write up about the board right now but between work and recently having moved I am struggling for time!

Also happy to find another security enthusiast on here as well!
 
  #10  
Old 05-13-2014, 04:48 AM
jamisnemo's Avatar
New Member
Join Date: May 2014
Location: Culver City, CA
Posts: 8
Cool! Honestly, JTAG is probably the way to go with that. I hope they didn't enable any security features on that chip whatever it ends up being!

I hit a roadblock with the CAN dumps tonight but I don't know exactly what's going on.

Either the OBD II port isn't actually hooked up to any of the other busses, or I'm telling this STN1100/ELM327 interface board to do the wrong thing when it enters monitor mode. I'm going to tweak the filter tomorrow morning before I head in to work to see if that spits back the raw CAN data.

If that doesn't work I might have to dig into the dash a bit and find one of the real bus lines... or finally call Helm's, ask where the hell their 61TK604 service manual is, order the 61TK603 and 61TK603EL service manuals, and find the real pinout for this OBD II port under the dash.

I could also throw the Logic8 at it and see if I see anything... CAN like... on any of those extra pins...

Good luck! I'll let you know when I have more! I'm also going to throw some of the documentation and notes up on my site which you can find on github.
 
  #11  
Old 05-13-2014, 07:05 AM
jibberjabbs's Avatar
Member
5 Year Member
Join Date: Apr 2011
Location: Madison
Posts: 250
I just picked up an OBDlink MX that has the STN1100 chipset, so I should be able to log CAN.

Here is some info I was looking at:
https://www.scantool.net/forum/index.php?topic=6956.0

These commands from the link above:

ATZ
STP31
STCMM1
ATH1
STMA
 
  #12  
Old 05-13-2014, 12:02 PM
jamisnemo's Avatar
New Member
Join Date: May 2014
Location: Culver City, CA
Posts: 8
Oh cool! "Undocumented" commands!

That thread links over to this link which is titled "OBDLink MX Protocol Commands":

http://www.scantool.net/downloads/11...l_commands.pdf

That's the documentation for the commands added in version v3.1.0 of the STN1100 firmware. I'll have to update today since I'm still on v2.1.3.

That said, as far as I can tell for the Honda Fit, the second command is wrong. The Honda Fit uses the ISO 15765-4 (CAN 29/500) protocol. That's High Speed, HS CAN which runs at 500kbps using 29 bit communication. Therefore, the second command should be STP 34.

Also, if you're interested in doing this yourself, you might want to run these commands to get your OBD II to be human readable:


AT Z      reset the STN1100
AT E1     echo on
AT L1     linefeeds on
AT S1     spaces on
AT AT2    respond faster
AT H1     show all detailed header info
AT AL     allow long (>7 byte) messages
AT SP 7   force protocol ISO 15765-4 (CAN 29/500)
AT DP     show current protocol


After that, if the document jibberjabbs linked to is correct and you have the newer version of the STN1100 firmware on your device, the following commands should start logging all HS CAN traffic on the bus:


STP 34    set the CAN protocol to ISO 15765-4 (CAN 29/500)
ST CMM1   enable CAN monitor mode (Undocumented at this time)
ST MA     start logging CAN messages


So, that helps! I'm not sure why ST MA is what the ScanTool people tell us to use in that thread because their documentation specifically says to use ST M along with the correct filter stack to log raw CAN messages...

But whatever. I'll upgrade the STN1100 firmware and try again!

Thanks jibberjabbs! That helps! I forgot about the firmware upgrade!

jamis
 

Last edited by jamisnemo; 05-13-2014 at 12:05 PM.
  #13  
Old 05-13-2014, 02:56 PM
jamisnemo's Avatar
New Member
Join Date: May 2014
Location: Culver City, CA
Posts: 8
Ah ha! I was able to capture a tiny amount of data from the OBD II port before the serial buffer overflowed. I need to up the baud rate to at least the 500kbps the bus itself runs at or I'm going to drop data... Or I can filter it more...

I don't think the formatting is correct but I'll work on that too. jibberjabbs' info totally helped!

Here's the log. Sorry for the mess!

OKT L1 v1.3a

>AT S1
OK

>AT AT2
OK

>AT H1
OK

>AT AL
OK

>AT SP 7
OK

>AT DP
ISO 15765-4 (CAN 29/500)

>0100
18 DA F1 10 06 41 00 BE 3F A8 13 55

>STP 34
OK

>ST CMM1
OK

>ST MA
1A4 00 00 00 00 00 00 00 36
1AA 7F FF 00 00 00 00 65 31 <DATA ERROR
1B0 00 00 00 00 00 00 39
1D0 00 00 00 00 00 00 00 0A
136 00 00 00 05 00 00 00 27
13A 00 00 00 00 00 00 00 28
13F 00 42 00 1E 00 0A 00 24
158 00 00 00 00 00 00 00 28
164 04 00 40 39 79 00 00 18
17C 00 00 03 FA 00 00 00 26
1DC 02 03 FA 3D
294 04 16 40 00 05 11 00 12
320 00 00 30
324 5D 4B 01 DC 00 00 00 31 <DATA ERROR
18E 00 00 10
095 7F C0 07 E4 00 00 00 1E <DATA ERROR
136 00 00 00 05 00 00 00 36
13A 00 00 00 00 00 00 00 37
13F 00 42 00 1E 00 00 00 3D
158 00 00 00 00 00 00 00 37
164 04 00 40 39 79 00 00 27
17C 00 00 03 FA 00 00 00 35
18E 00 00 2F
095 7F C0 07 E8 00 00 00 29 <DATA ERROR
1A4 00 00 00 00 00 00 00 09
1AA 7F FF 00 00 00 00 66 03 <DATA ERROR
1B0 00 00 00 00 00 00 0C
1D0 00 00 00 00 00 00 00 0A
136 00 00 00 05 00 00 00 09
13A 00 00 00 00 00 00 00 0A
13F 00 42 00 1E 00 14 00 0B
158 00 00 00 00 00 00 00 0A
164 04 00 40 39 79 00 00 36
17C 00 00 03 FC 00 00 00 06
1DC 02 03 FC 0E
18E 00 00 3E
095 7F C0 07 E8 00 00 00 38 <DATA ERROR
039 00 39
136 00 00 00 05 00 00 00 18
13A 00 00 00 00 00 00 00 19
13F 00 42 00 1E 00 00 00 1F
158 00 00 00 00 00 00 00 19
164 04 00 40 39 79 00 00 09
17C 00 00 03 FC 00 00 00 15
18E 00 00 01
095 7F C0 07 E8 00 00 00 0B <DATA ERROR
1A4 00 00 00 00 00 00 00 18
1AA 7F FF 00 00 00 00 66 12 <DATA ERROR
1B0 00 00 00 00 00 00 1B
1D0 00 00 00 00 00 00 00 0A
136 00 00 00 05 00 00 00 27
13A 00 00 00 00 00 00 00 28
13F 00 42 00 1E 00 00 00 2E
158 00 00 00 00 00 00 00 28
17C 00 00 03 FC 00 00 00 24
164 04 00 40 39 79 00 00 18
1DC 02 03 FC 1D
294 04 16 40 00 05 11 00 21
18E 00 00 10
095 7F C0 07 E8 00 00 00 1A <DATA ERROR
136 00 00 00 05 00 00 00 36
13A 00 00 00 00 00 00 00 37
13F 00 41 00 1D 00 3C 00 30
158 00 00 00 00 00 00 00 37
164 04 00 40 39 79 00 00 27
17C 00 00 04 02 00 00 00 3B
18E 00 00 2F
095 7F C0 07 E8 00 00 00 29 <DATA ERROR
305 80 08 <DATA ERROR
1A4 00 00 00 00 00 00 00 27
1AA 7F FF 00 00 00 00 65 22 <DATA ERROR
1B0 00 00 00 00 00 00 2A
1D0 00 00 00 00 00 00 00 0A
136 00 00 00 05 00 00 00 09
BUFFER FULL

>
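
A capture like the one in the post above can be analysed offline once it is saved as text. This is an added example, not code from anyone in the thread: it parses STN1100/ELM327 monitor output in the format shown, keeps the adapter's `<DATA ERROR` and `BUFFER FULL` markers, and reports which byte offsets vary per CAN ID. The function names and the restriction to 3-hex-digit (11-bit) IDs are assumptions of this example, taken from the layout of the posted log.

```python
from collections import defaultdict

# Excerpt copied from the ST MA capture posted above (not the full log).
SAMPLE = """\
>ST MA
1AA 7F FF 00 00 00 00 65 31 <DATA ERROR
136 00 00 00 05 00 00 00 27
13F 00 42 00 1E 00 0A 00 24
136 00 00 00 05 00 00 00 36
13F 00 42 00 1E 00 00 00 3D
1AA 7F FF 00 00 00 00 66 03 <DATA ERROR
136 00 00 00 05 00 00 00 09
BUFFER FULL
"""

def parse_monitor_log(text):
    """Return (frames, overflowed); a frame is (can_id, data, flagged)."""
    frames, overflowed = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "BUFFER FULL":       # adapter buffer overran: capture is incomplete
            overflowed = True
            continue
        flagged = line.endswith("<DATA ERROR")   # adapter-flagged, bytes still printed
        fields = line.replace("<DATA ERROR", "").split()
        # Assumption: frames start with a 3-hex-digit (11-bit) ID, as in this capture.
        if len(fields) < 2 or len(fields[0]) != 3:
            continue                    # prompt, "OK", or a differently formatted line
        try:
            can_id = int(fields[0], 16)
            data = bytes(int(f, 16) for f in fields[1:])
        except ValueError:
            continue                    # echoed command or banner text, not a frame
        frames.append((can_id, data, flagged))
    return frames, overflowed

def summarize(frames):
    """Per ID: frame count, flagged count, payload lengths, byte offsets that vary."""
    by_id = defaultdict(list)
    for can_id, data, flagged in frames:
        by_id[can_id].append((data, flagged))
    report = {}
    for can_id, items in sorted(by_id.items()):
        payloads = [d for d, _ in items]
        common = min(len(p) for p in payloads)
        varying = [i for i in range(common) if len({p[i] for p in payloads}) > 1]
        report[can_id] = {"count": len(items), "flagged": sum(f for _, f in items),
                          "lengths": sorted({len(p) for p in payloads}), "varying": varying}
    return report
```

Run over the full capture, the report shows the last byte of ID 136 changing from frame to frame while the rest of its payload stays constant.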
 
  #14  
Old 05-13-2014, 03:02 PM
jamisnemo's Avatar
New Member
Join Date: May 2014
Location: Culver City, CA
Posts: 8
Once I get the data a bit cleaner, I'll write some simple data visualization software to make the data a little more visual. Hopefully that'll let us see more about what exactly is going on.

I like the idea of having a full data visualizer running in the car all the time...
 
  #15  
Old 05-13-2014, 03:16 PM
jibberjabbs's Avatar
Member
5 Year Member
Join Date: Apr 2011
Location: Madison
Posts: 250
I noticed my MX has firmware v3.4.1. Wonder why they don't have that on their site?

Also found this company Intrepid Control Systems that have some interesting CAN development products. A couple good video tutorials too. Vehicle Spy 3 Training Videos
 
  #16  
Old 05-18-2014, 06:12 PM
foobarrito's Avatar
New Member
Join Date: May 2014
Location: CA
Posts: 1
This is slightly OT, but I'm wondering about the USB stock radio data interface Destinaxe mentioned. Does anyone have any details about the USB interface box? Do the Helm manuals (e.g. 61TK603) have detailed pinouts for the factory radio wiring harnesses? I'm interested in the harness that goes between the radio receiver (stock non-navi) and the electronics box that provides the ipod/flash drive USB interface. I'm trying to build some electronics that can display messages on the factory radio screen.

This is the harness I'd like to know about:
[Image: IMG_20140518_133536_sm_zpseed4876d.png]

The USB interface box is the smaller box under the main radio electronics enclosure. This is what's inside:

[Image: IMG_20140518_134146_sm_zpse0c128b6.png]

I assume this board implements the logic that can access iPod/flash drive devices and control the radio display and audio. Any info or pointers appreciated.
 