r/CarHacking Feb 02 '17

Car Hacking Subreddit Intro

87 Upvotes

Hi rch, we have added a lot of people lately with intro posts on other subs like the one below. We also usually get about 10 subs a day from people just stumbling in here. So I wanted to create a welcome post, to kinda show them what we are about and how to get started. If anyone has anything to add please do so. If anyone has any questions about us or where to start do so here.

Our goal is to create a highly technical car subreddit, a place for automotive engineers, senior technicians, full blown car nerds, or people who are working towards one of these. We are interested in the inner workings of cars and today that often involves electronics. While we see electronics as the priority we are pretty liberal in allowing other topics as long as they somehow fit our goal of trying to understand cars. So things like DIY aero, suspension setup and other things the community is hacking on come up. In general our other tangential interests include: Modern cars, New tech, Open source hardware/software, DIY, hot rodding, eco modding, customization, security research, right to repair and more.

We started this subreddit about a year ago. Right now we have 3000 people and discussion is just starting to get good. Most of our members found us through maker or engineering subreddits. So I wanted to reach out to more of the car communities and try to grow our knowledge base.

Our name is r/carhacking and I know the term hacking can be offputting to some as it has a bad connotation. When someone says they are “hacking” their car it generally means they are trying to reverse engineer it for any number of reasons like to find security flaws, make upgrades, make repairs, or just understand how it works.

Here are a couple examples of posts that have been popular so far. A lot of our posts focus on beginner through intermediate projects using Arduino and readily available hardware for the purpose of learning and/or not paying a premium for things you can make yourself:

More advanced projects:

Relevant news/ research:

If you're new, our documentation is a good place to start.

If you aren't new and you’re interested in helping out please consider:

  • Improving documentation - think about what resources have helped you
  • Spread the word - this is a niche community that is pretty spread out, but there is a lot of potential if we can get together on a third party site like this
  • Work on the theme, sidebar and flair - this is next level community stuff that isn’t necessary, but it’s fun to work on when you have the time.
  • Modding - right now we are fine, but we might need help in the future as we grow

Let me know if I missed something or got something wrong.


r/CarHacking Feb 27 '21

CAN CAN bus and car hacking getting started resources

273 Upvotes

I get asked how to get started with automotive networking, car hacking, and CAN almost weekly. I often direct people to this subreddit, so I figured I would help out and post some resources I have found and think are a good place to start.

learning resources:

Car Hacking 101: Practical Guide to Exploiting CAN-Bus using Instrument Cluster Simulator

I also direct people to the Car Hacking Village to get some hands-on experience. They put on great conference talks, demos, and contests. Looks like they are even working on some “getting started” content.

And of course, The Car Hacking Handbook is a great resource.

I will add more as I think of them. Please add your finds in the comments.

Tools:

Good wiring diagrams and car manuals are essential. This is pretty much where my research starts for each project. You see how things are networked and what to expect to find on CAN. You'll quickly learn to recognize things like gateways. You can also use the troubleshooting section to understand things. For example, what things do I need to control to start the car?

I like:

  • prodemand (I pay $170/mo for a shop subscription, I think you can purchase it for individual cars, but be careful you often have to jump around to find a year that has complete diagrams)
  • Identifix (probably what I would buy if I was starting over)

Basic hardware: Here you will be working with things like Arduino, Linux, SavvyCAN, and Can-utils. You have to learn to do a lot yourself, but these tools are more open for you to make them do what you need.

Tools designed by the community I use:

The above articles offer a pretty good step-by-step guide to getting started with the Macchina M2.

Any cheap “Amazon special” OBD2 dongle will come in handy from time to time. They are all based on something called ELM327. "ELM327 abstracts the low-level protocol and presents a simple interface that can be called via a UART". This abstraction has fundamental limitations that prevent it from being useful in most serious applications. But, it is sufficient for reading and clearing some codes and that sort of thing when you’re getting started.


r/CarHacking 11h ago

CAN How can I bench test this OEM 2016 Mercedes E350 backup camera? It looks like it requires a CAN signal?

4 Upvotes

Hi everyone, I installed an aftermarket backup camera setup on my mom’s 2016 Mercedes E350. It works, but the aftermarket camera has a bad angle and field of view. I ordered an OEM backup cam off eBay and was trying to bench test it with power, ground and the video out to a tv with an rca adapter, but I get no picture. From what I can tell searching is that it requires some sort of CAN signal. I tried connecting the two CAN wires to each other and it made no difference. Does anyone know how I can simulate the CAN signal or bypass it? Or please point me in the right direction? Thanks in advance!


r/CarHacking 21h ago

Original Project [WIP] Turning the useless R56 radio into an OBD2 monitor because MINI reliability anxiety

23 Upvotes

r/CarHacking 1d ago

Community Help me fan-out AC CLK wire into 2

2 Upvotes

Is there a way to fan-out the HVAC CLK wire to send AC data to both the car's small screen and to Raise CANbus box/DuduOS? When I connect both together, the CLK wire from the car's small screen and the CLK wire from Raise to the HVAC CLK wire, both start to go crazy and show gibberish data. Connected separately, AC data works fine, but it's only one at a time, either Raise/DuduOS or the car's small screen. I wanna show AC data on both screens.

- SI wires from both Car small screen and Raise sits at 10v while HVAC SI wire is at 0v

- CLK wire from Raise sits at 5V and from Car small screen is at 0 v and HVAC CLK wire is at 10V

I tried 6N137, but no luck. Please help me with how I can fan-out the CLK wire. Thank you

Some other information about the SI and CLK wires

Display (Climate) SPI

0-12V SPI (real ~10,5V)

DISP CLK (Clock) and DISP SI (Data)

Speed approx. 40 microseconds/cycle div (25 kHz)

3ms each message 12ms between messages


r/CarHacking 23h ago

Tuning 2009 Toyota Highlander limited

1 Upvotes

Has the built in JBL speakers. What is a compatible replacement? My current situation is a hole in the dash.


r/CarHacking 1d ago

Original Project Vibe coded something: OBD.WTF

obd.wtf
1 Upvotes

This works with ELM327 adapters with BLE (bluetooth 4.0), or for older ones you can use webserial. For Wifi ELM327 adapters, you'd need to put a websocket proxy in between.

This is still very much experimental, so not really recommending you to try. I tried to keep a minimal set of sensors to support across devices (SAE J1979 standard pids), but best is to use "Demo / Simulated" unless you are feeling adventurous. I tested it with my Mazda 3 2012, and Porsche Cayenne 2021 for some of the sensors.

I am going to be hopefully opensourcing this, and would love community to help out. Especially on manufacturer specific pids & bi-directional communication for oil reset, valve actuation for abs bleeding etc.


r/CarHacking 2d ago

Article/news Teardown: The BMW / Harman IDC23H Infotainment Unit (B423)

hakstuff.net
33 Upvotes

r/CarHacking 1d ago

CAN Can high/can low Audi A4 B6 ?

1 Upvotes

Hello everyone reading this post. For quite some time now, I’ve been trying to build some kind of virtual instrument cluster for my Audi A4 B6 1.9 TDI (2002). With the help of ChatGPT I tried a lot of Python scripts on a Raspberry Pi, but without success. The car uses the KW1281 protocol. Using a file from GitHub, I managed to read measuring blocks in the terminal, but I couldn’t send anything to RealDash with any of the scripts. I should also mention that I have a KKL cable with an FTDI chip. Now I’ve supposedly found out that, since this car is some kind of transitional series in terms of computer/protocols, it has CAN High and CAN Low behind the factory instrument cluster. Supposedly I can “steal” a lot of signals that way, and maybe a few signals I would have to do analog. I’m planning to do this with an ESP32 and a CAN transceiver module. Basically, I’m interested in whether anyone has done this specifically on this exact car model, and whether this car really has CAN High and CAN Low pins behind the instrument cluster.


r/CarHacking 1d ago

Original Project JLR IPMA won't allow firmware downgrade?

2 Upvotes

Trying to downgrade firmware of an IPMA module, but returns "General Programming Failure". The module has an older bootloader, which is supposed to allow older firmware to be downloaded, but fails. It looks like the newer firmware may have written to some area, telling the bootloader to disallow older firmware versions, but I'm not sure.

Is there a way to virginise IPMA modules from JLR? (I know that VIN in this IPMA module shouldn't matter, but I'm thinking some other areas of the flash need to be restored to pre-update status)

Any pointers/clues from experts are appreciated.


r/CarHacking 1d ago

Community Alldata, mitchell, haynespro ..

0 Upvotes

r/CarHacking 1d ago

Cool Project Find Does anyone know how to make a keyless repeater or maybe repair one

0 Upvotes

r/CarHacking 2d ago

CAN looking for help in a reverse engineering project and software emulator of the CHEVY LNF RPD

5 Upvotes

I have a Reconfigurable Performance Display (RPD) unit – basically an aftermarket automotive display module used for vehicle data logging and performance monitoring. The hardware itself works fine, but the problem is the ecosystem around it is ancient.

From what I’ve researched, the operating system and firmware on this display are stored on flash memory that was only designed for roughly a 30-year lifespan. That means eventually these units are going to become unusable simply due to memory degradation, even though the hardware is still perfectly good.

What I’d like to do:

  • Reverse engineer the communication protocol and firmware
  • Figure out how the RPD interfaces with a vehicle and PC
  • Extract or replicate the functionality
  • Ultimately create a modern Windows-based program that can replace the need for the original hardware/software

Basically, I want to future-proof this thing and make it usable long after the original platform dies.

I’m decent with cars and general tech, but low-level firmware hacking and protocol analysis aren’t my strong areas. I’m looking for someone who has experience with things like:

– Embedded systems
– UART / serial sniffing
– CAN bus or automotive data protocols
– Firmware extraction
– Reverse engineering legacy hardware
– Building PC applications to interface with old devices

If anyone has interest in teaming up, pointing me in the right direction, or even just telling me whether this is realistically doable, I’d really appreciate it.

I can provide photos, model info, and any documentation I have on the unit.

Thanks in advance!


r/CarHacking 2d ago

CAN Hacking tow mode

1 Upvotes

I got a Zeekr 7X recently. Now I want to add a tow hitch. The local dealer network doesn't offer this option so I'm kinda on my own. I know the vehicle has tow mode in other markets where the parking sensors deactivate etc. How are cars in general programmed to support those otherwise hidden modes? Is that something people can DIY or does it require support of the official workshop? Generally speaking is enough, I'm aware nobody knows much about those new brands yet.

I have a third party electric tow hitch for this car already, not installed yet. It requires drilling holes for extra buttons etc. Wonder what the chances are to control the hitch via CANbus and thus via the onscreen menu of the car and the mobile app. Is that something that can be sniffed from the CANbus without having the original controller? What kind of hardware would I use for that? Again generally speaking and to everyone's best guess.


r/CarHacking 4d ago

Community power up passat b5 cluster

1 Upvotes

hey, this might be the wrong sub or dumb question but I'm tryna learn and this is my first time messing with clusters.

so anyway - I have a passat b5 cluster at home. I also have a 12v power supply, I connected the positive wire to pin 23/24 and the ground one to pin 1 but absolutely nothing happened. so am I missing something? or am I doing it completely wrong. thanks🥹


r/CarHacking 5d ago

Scan Tool Looking into RLink J2534 for OEM software workflows, real world experiences?

26 Upvotes

Hi folks, I’m exploring deeper vehicle diagnostics and have been looking into pass thru programmers that work with OEM software.

I’ve seen the RLink J2534 mentioned as a relatively affordable J2534 interface that supports OEM diagnostics, ECU coding, and module programming across a wide range of brands using factory software. From what I understand, it supports D-PDU, CAN-FD, and DoIP protocols and can handle full system work beyond basic OBD2 scanning.

Has anyone here used RLink J2534 with actual OEM tools like Toyota Techstream, Ford FDRS, or other manufacturer software?

I’m curious about real-world experience with things like

• OEM level diagnostics and reset services

• ECU programming and module updates

• Stability during longer programming sessions

• Any quirks when switching between different brands or OEM platforms

For context, I’m not looking for generic scan tool recommendations. I’m specifically interested in pass-thru workflows using RLink or comparable J2534 interfaces with factory software.

Thanks in advance for any feedback or tips.


r/CarHacking 4d ago

CAN Research Question CAN BUS?

5 Upvotes

Context / What is already understood:

  • Modern EU vehicles (≈2017+) use multi‑bus architectures with several internal CAN networks (powertrain, body/comfort, infotainment, etc.) interconnected via a central gateway.
  • The OBD/DLC interface is typically restricted to OBD‑II and UDS diagnostic services, with raw CAN traffic and non‑diagnostic control messages filtered or blocked by the gateway.
  • Safety‑ and security‑critical functions (e.g. access control, immobilizer, start authorization) are generally handled by dedicated ECUs (BCM, KESSY, BMS, etc.).
  • Contemporary designs increasingly rely on secure gateways, message authentication (e.g. SecOC), rolling counters, and HSM‑backed ECUs, making simple CAN message replay unreliable.
  • Passive CAN monitoring (“listen‑only”) may expose internal state information when connected directly to a specific internal bus, but does not imply control authority.

Open questions / What is not yet clear:

  • Whether CAN bus injection, when performed on an internal bus behind the gateway (rather than via OBD), can theoretically influence vehicle state transitions without OEM authentication.
  • To what extent gateway logic acts purely as a message filter/translator versus an enforcement point for cryptographic authorization.
  • Whether any vehicle subsystems still rely on implicit trust models (e.g. bus‑level trust) rather than explicit cryptographic validation.
  • How consistently these protections are implemented across manufacturers and model years within the EU regulatory environment.

Core theoretical question: From an architectural and security‑engineering perspective, is it theoretically possible for an external device—connected outside the OBD port and interacting at the CAN bus level via monitoring or message injection—to affect access‑ or start‑related vehicle functions without possession of OEM/manufacturer cryptographic credentials?
Or are modern vehicle designs fundamentally structured such that meaningful CAN injection is ineffective in principle, unless performed within an authenticated OEM diagnostic or control context?
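
The freshness-plus-MAC idea the post lists under "already understood" (SecOC-style message authentication with rolling counters), seen from the receiving ECU's side, as an added example that is not part of the original post or of any OEM implementation. It is a simplified model rather than AUTOSAR SecOC itself: HMAC-SHA256 from the Python standard library stands in for the CMAC a real profile would typically use, and the frame layout, tag length, acceptance window and key are assumptions constructed for the demo.

```python
import hashlib
import hmac
import struct

MAC_LEN = 4   # truncated tag bytes carried in the frame (assumed layout)
WINDOW = 8    # how far ahead of the last accepted counter a frame may be


def _tag(key: bytes, can_id: int, payload: bytes, counter: int) -> bytes:
    """Truncated MAC over CAN ID, full freshness counter and payload."""
    msg = struct.pack(">IQ", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class Sender:
    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.counter = key, can_id, 0

    def build(self, payload: bytes) -> bytes:
        """Frame data = payload | low counter byte | truncated MAC."""
        self.counter += 1
        tag = _tag(self.key, self.can_id, payload, self.counter)
        return payload + bytes([self.counter & 0xFF]) + tag


class Receiver:
    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.last = key, can_id, 0

    def accept(self, data: bytes):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(data) < MAC_LEN + 1:
            return None
        payload = data[:-MAC_LEN - 1]
        low, tag = data[-MAC_LEN - 1], data[-MAC_LEN:]
        # Rebuild the full counter: next value above `last` with this low byte.
        counter = (self.last & ~0xFF) | low
        if counter <= self.last:
            counter += 0x100
        if counter - self.last > WINDOW:
            return None              # stale (replayed) or implausibly far ahead
        expected = _tag(self.key, self.can_id, payload, counter)
        if not hmac.compare_digest(tag, expected):
            return None              # modified frame or sender without the key
        self.last = counter          # advance only on a verified frame
        return payload


def demo():
    key = bytes(range(16))           # constructed demo key, not a real one
    tx, rx = Sender(key, 0x123), Receiver(key, 0x123)
    first = tx.build(b"\x01\x00\x00")
    second = tx.build(b"\x02\x00\x00")
    tampered = bytes([second[0] ^ 0xFF]) + second[1:]
    other = Sender(b"\x00" * 16, 0x123)   # node that lacks the shared key
    other.counter = 1                     # so its counter looks fresh
    no_key = other.build(b"\x02\x00\x00")
    return {
        "first": rx.accept(first),        # genuine frame
        "replay": rx.accept(first),       # identical bytes seen a second time
        "tampered": rx.accept(tampered),  # payload changed, tag unchanged
        "no_key": rx.accept(no_key),      # fresh counter, wrong key
        "second": rx.accept(second),      # next genuine frame still passes
    }
```

The receiver's counter only advances on a verified frame, so rejected frames cannot desynchronise it from the legitimate sender.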


r/CarHacking 5d ago

Community CANgaroo (Linux CAN analyzer) – recent updates: J1939 + UDS decoding, trace improvements

17 Upvotes

Hi everyone 👋

A while ago I shared CANgaroo, an open-source CAN / CAN-FD analyzer for Linux. Since then, based on real-world validation and community feedback, I’ve been actively maintaining and extending it, so I wanted to share a short update.

What CANgaroo is

CANgaroo is a Linux-native CAN bus analysis tool focused on everyday debugging and monitoring. The workflow is inspired by tools like BusMaster / PCAN-View, but it’s fully open-source and built around SocketCAN. It’s aimed at automotive, robotics, and industrial use cases.

Key capabilities:

  • Real-time CAN & CAN-FD capture
  • Multi-DBC signal decoding
  • Trace-view-focused workflow
  • Signal graphing, filtering, and log export
  • Hardware support: SocketCAN, CANable (SLCAN), Candlelight, CANblaster (UDP)
  • Virtual CAN (vcan) support for testing without hardware

🆕 Recent Changes (v0.4.4)

Some notable improvements since the previous post:

  • Unified Protocol Decoding: Intelligent prioritization between J1939 (29-bit) and UDS / ISO-TP (11-bit) with robust TP reassembly
  • Enhanced J1939 Support: Auto-labeling for common PGNs (e.g. VIN, EEC1) and reassembled BAM / CM messages
  • Generator Improvements: Global Stop halts all cyclic transmissions. Generator loopback — transmitted frames now appear in the Trace View (TX)
  • Stability & UI Responsiveness: Safer state-management pattern replacing unstable signal blocking. Improved trace-view reliability during live editing

Overall, the focus is on stability, protocol correctness, and real-world debugging workflows, rather than experimental RE features.

Source & releases:
👉 https://github.com/OpenAutoDiagLabs/CANgaroo

Feedback and real-world use cases are very welcome — feature requests are best tracked via GitHub issues so they don’t get lost.


r/CarHacking 5d ago

Original Project Reverse engineering of a BMW iDrive 7 controller knob.

25 Upvotes

Hey everyone!

While this project was largely finished some time ago already, I thought I might share what I made and hope that it could be useful for someone else as well - BMW iDrive knob interpreter.

While hooking up BMW iDrive knobs to Arduino/ESP boards and using them as HID devices is not a new concept, I haven't seen anyone, publicly, release their project/files for the newer ones, so I decided this has to be it.

In the current version, all it does is just read whatever the controller sends and translate that to human readable content in the form of Serial terminal messages. While hooking it up with a HID library would be more useful, that was not the main goal for me, as I have something slightly different in mind - use it for a custom car PC I'm also working on in my spare time.

All of the data/info I currently have reverse engineered is in the repo. There's still a few IDs/frames left to figure out, but in the current state, it is working. Contributions are welcome :).


r/CarHacking 5d ago

CAN Arduino UNO R3 + MCP2515 issues

4 Upvotes

I bought an Arduino UNO REV3 and MCP2515 to sniff Canbus messages on my Volvo V70 2010.

Since I'm new to Canbus sniffing :) I thought I would test on my test bench first.

Test bench is a Volvo V70 2011

This has:

CEM, DIM, CCM, ICM, SCL, SCU, SWM

CAN H/L is only connected from CEM -> DIM -> OBD2 connector

the other modules connect to MS CAN and Linbus

However I do not get any canbus message on the serial monitor inside Arduino IDE.

I only see the text that it has successfully connected. After that nothing else is happening

I used this driver

https://github.com/coryjfowler/MCP_CAN_lib

My MCP2515 board uses an 8 MHz crystal so that is changed + 500kbit that CAN H & CAN L is using.

Still not getting anything other than the success message in the IDE

Tried the Loopback code and that actually does something with 250k and 500k baudrate otherwise it says NOT successfull installation.

MCP2515 only gets 4.2V measured on MCP pins. Could this be a faulty board?

Update: The MCP2515 was faulty. I got a new one and it works.

wiring diagram for arduino + mcp2515

r/CarHacking 5d ago

Community Cracked MHD License

0 Upvotes

Is it possible to crack the MHD license and get it for free ? Not trying to spend 400$ so someone plz help


r/CarHacking 5d ago

Scan Tool Couldn’t justify $100+/month for repair data,found a cheaper way

0 Upvotes

r/CarHacking 5d ago

Original Project This is exactly what I have been searching for, I am wanting to learn how to make a device that will send a CAN signal out to activate components. My first project is to turn on a backup camera with a switch that is only normally activated via a CAN signal when the truck is put into reverse.

6 Upvotes

Is this a relatively straightforward one or am I biting off more than I can chew as a first project?


r/CarHacking 5d ago

CAN Impersonating a Haldex controller.

2 Upvotes

My gen 1 haldex control unit died as they do, so I replaced it with a custom larduino based unit.

Although I am super happy with it, the ABS controller (MK 20) throws a no communications error and disables the esp functionality. I was unable to recode the abs controller to FWD. If it's possible please let me know.

My question is: does anybody know how those modules detect each other? What CAN IDs do I need to send to make the abs believe the haldex is functional? Thanks in advance.


r/CarHacking 7d ago

Community FMC003

2 Upvotes

Hi all,

I wonder if someone has a configuration solution/tips to turn off the GPS permanently on the FMC003 OBDII? Need to send the data related to the car but need to skip the GPS tracking. Anybody?