3 posts / 0 new
Last post
Jaime
Door unlock can message spoofing not working?

Hi, I am currently working to reverse engineer the can bus of the Maxus Euniq6.

I have managed to read all of the data I want, but have not been able to make changes by sending messages. 

When looking at SavvyCan logs I noticed the message 02 00 00 02 00 00 12 50  on pid 0x1F1 is send to open the doors and 02 00 00 01 00 00 42 60 is send to close. Dont worry about the las two bytes, it is a counter which adds 1010 on every step. 

I have tried spamming the can bus with:

can can1 tx standard 0x1F1 02 00 00 02 00 00 12 50

but nothing happens.

Any ideas on how to figure out what is happening?

Thanks.

Jaime

JMK2020
Is this the only ID?

Sometimes ther are mirrored IDs with the same info need to be send or also is you car awake?

Typical issue, the ecus need to be wake up before they could react on the command

Jaime
Hi JMK

Hi JMK

Yep the ecu is awake. I later found that six messages with a certain combination of the last two bytes were send. I replicated the formula but the same result. afaik it is the only message sent to open/close the door.

Reading a lot of threads and videos, it apears there are IDs for the diferent ECUs, all of which should respond to "can can1 tx standard 0x7df 02 3e 00 00 00 00 00 00". After sending that message i get a response for 780, 782, 7A6, 7AA, 7BB, 7C1, 7A0, 7B3, 7C2, 7C8, 7EB, 790, 769, 7CA, 786, 7B0, 7A2, 7C5, 7A1, 7A9, 7B6, 7B5, 7C9. The problem is that during normal usage (driving, charging, starting, opening the doors, etc) those pids are not anywhere to bee seen. Any ideas on how this works? I have not been able to completely understand how are they related to the messages normaly sent. The normal pids are in the range 000 to 6FF.

Thanks, Jaime

 

Log in or register to post comments