├── .gimp_images
    ├── 203_ic_wires.xcf
    └── xsmonitor_frame.xcf
├── Chapter 1 Vehicle Bus Protocols and Diagnostics.md
├── Chapter 2 Tools and Equipment.md
├── Chapter 3 Connecting to the Vehicle.md
├── Chapter 4 Understanding Controller Area Networks (CAN) Messages.md
├── Chapter 5 Understanding Mercedes-Benz Signal Acquisition Modules (SAM).md
├── Chapter 6 Exploring the Engine Control Unit (ECU).md
├── Chapter 7 In Car Entertainment.md
├── Chapter 8 Performance Tuning.md
├── Chapter 9 Debugging and Fault Finding.md
├── README.md
└── images
    ├── 203_ic_wires.png
    ├── CANframes.jpeg
    ├── OBDIIport.jpg
    ├── canbuslocation1.jpg
    ├── canbuslocation2.jpg
    ├── canbuslocation3.jpg
    ├── candump.jpeg
    ├── cantactpro.jpg
    ├── macchinabreakout.jpg
    ├── macchinam2.jpg
    ├── macchinam2board.png
    ├── obdii-port-diagnostics.jpg
    ├── obdii_y_splitter.jpg
    ├── selectdevice.png
    └── xsmonitor_frame.png


/.gimp_images/203_ic_wires.xcf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xplatforms/mercedes-hacking-docs/a1558badd80020c79a561c25223f31b5745131de/.gimp_images/203_ic_wires.xcf


--------------------------------------------------------------------------------
/.gimp_images/xsmonitor_frame.xcf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xplatforms/mercedes-hacking-docs/a1558badd80020c79a561c25223f31b5745131de/.gimp_images/xsmonitor_frame.xcf


--------------------------------------------------------------------------------
/Chapter 1 Vehicle Bus Protocols and Diagnostics.md:
--------------------------------------------------------------------------------
 1 | # Chapter 1: Vehicle Bus Protocols and Diagnostics
 2 | 
 3 | ## Methodology
 4 | 
 5 | First you need to work out what you actually have in your car. What type of CAN (there are many). Google is your friend, or by looking at the OBD-II port under the dash
 6 | 
 7 | ![](images/OBDIIport.jpg)
 8 | 
 9 | The OBD Standard allows for (five)[https://en.wikipedia.org/wiki/On-board_diagnostics#OBD-II_signal_protocols] signalling protocols. To check which one your car has, look to see which pins are active (you might need a flashlight)
10 | 
11 | ![](images/obdii-port-diagnostics.jpg)
12 | 
13 | 
14 | 
15 | ### CAN Frames
16 | 
17 | Before you sniff traffic, you need to know what you are looking at. Most likely, it will be like so:
18 | 
19 | ![](images/candump.jpeg)
20 | 
21 | Seems hectic right? Well actually not that hectic, if you understand how the frames are created.
22 | 
23 | ![](images/CANframes.jpeg)
24 | 
25 | ### Unified Diagnostic Services
26 | 
27 | Unified Diagnostic Service (**UDS**) according to the ISO 14229 standard is a protocol used by diagnostic systems to communicate with ECUs in vehicles. The protocol is used to diagnose errors and reprogram ECUs. For example, it is possible to read and delete the fault memory of an ECU or to flash a new firmware on the ECU.
28 | 
29 | It's important to note that Mercedes-Benz do not use standard UDS Arbitration IDs 0x7DF - 0x7E7. In order to use UDS, you should set the IDs lower, such as 0x300.
30 | 
31 | ### Mercedes-Benz Specifics
32 | 
33 | The OBD-II port on all models are filtered (Either via the EIZ or SAM Module), they will allow reading of all can messages from all CAN networks within the car, however they **WILL ONLY** write diagnostic CAN ID's to write to the car's canbus networks, attempting to write a standard CAN ID to the cars network via the ODB-II Port will be rejected. They also require a wake-up code, which will be discussed in detail in Chapter 3. Unlike other models where you can simply plug into the CAN network and see a flurry of messages, this doesn't work like that with Mercedes-Benzs. 
34 | 


--------------------------------------------------------------------------------
/Chapter 2 Tools and Equipment.md:
--------------------------------------------------------------------------------
 1 | # Chapter 2: Tools and Equipment
 2 | 
 3 | This chapter talks about a subject that is often the source of confusion for many who are getting involved in hacking their cars: what tools do I need? 
 4 | 
 5 | Whilst we could write an entire book on the subject, we will aim to reference tools that are easily accessible from a cost and usability perspective and offer the best bang for buck. We want as many people as possible to participate in tinkering with their cars so have excluded some good tools that are expensive, such as the official Mercedes-Benz *XENTRY* vehicle diagnosis systems. 
 6 | 
 7 | As with all things hacking, you use the tools that work with the targets in question, namely the protocols in use as shown in Chapter 1: Vehicle Bus Protocols and Diagnostics. The tools listed below work with Mercedes-Benz models and whilst not all models use the same protocols, we will show at the start of each recommendation which model this particular tool works best with. 
 8 | 
 9 | ## Hardware
10 | 
11 | There has been an immense amount of research and development gone into low-cost tools for us car hackers in recent years. Companies like https://www.macchina.cc/ and http://www.linklayer.com/ have produced two of the best tools, namely the [Macchina M2](https://www.macchina.cc/catalog) and [CANtact Pro](https://www.crowdsupply.com/linklayer-labs/cantact-pro). 
12 | 
13 | ### Macchina M2
14 | 
15 | ![](images/macchinam2.jpg)
16 | 
17 | The Macchina M2 is based on the Arduino Due and makes use of a SAM3X ARM Cortex-M3 processor processor, which gives it support for the following protocols:
18 | 
19 | - 2 CAN
20 | - 1 SWCAN
21 | - J1850
22 | - LIN
23 | - IOS9141
24 | 
25 | The choice of an ARM-Cortex-M3 also gives amazing options to add additional mods to the board, like Wireless/BLE and GSM
26 | 
27 | ![](images/macchinam2board.png)
28 | 
29 | 
30 | 
31 | ### CANtact Pro
32 | 
33 | Eric Evenchick of Linklayer Labs has been a car hacker for a long time and as such, is uniquely positioned to design and develop tools for budding car hackers. The CANtact Pro is a new addition to the tool lineup and incredibly powerful. 
34 | 
35 | ![](images/cantactpro.jpg)
36 | 
37 | It supports CAN and CAN-FD (Flexible Data) and is found on more modern vehicles. It has software support for Windows, macOS, and Linux 
38 | 
39 | ## Software
40 | 


--------------------------------------------------------------------------------
/Chapter 3 Connecting to the Vehicle.md:
--------------------------------------------------------------------------------
  1 | # Chapter 3: Connecting to the Vehicle
  2 | 
  3 | This chapter is possibly the most important of all chapters. You need to be in the car and communicating with the car in order to play around. As introduced in Chapter 1, finding the OBD-II port is the first step along with plugging in the cable and software to interface with the various CAN bus networks.
  4 | 
  5 | ## Hardware Needed
  6 | 
  7 | In order to connect to the car in question, you'll need a number of parts, namely:
  8 | 
  9 | - 6Pin OBD2 Splitter Extension Cable Male to Dual Female Y Cable
 10 | - An interface to communicate with the car (via OBD-II or directly to the CANbus).
 11 | 
 12 | ![](images/obdii_y_splitter.jpg)
 13 | 
 14 | If possible, try and get the longest cable you can find, this makes it a lot easier to have loads of cables in the footwell of the car and not get all tangled up.
 15 | 
 16 | ## Software Needed
 17 | 
 18 | @ash to add what he uses, VS code, flashing the macchina etc.
 19 | 
 20 | ## Wake Up Command
 21 | 
 22 | Many modules require constant power in order to keep configurations stored and accessible, but for the best part, most modules will go into a sleep mode when the car is turned off. In order to query these components, a unique wake-up packet is required. For Mercedes-Benz, this wake-up sequence is unique to the model, and although some do share the same, it does vary from model to model.
 23 | 
 24 | Depending on your model, you should have already performed reconnaisance on what networks are present. For example:
 25 | 
 26 | - powertrain/chassis M-CAN (ISO CAN C high speed)
 27 | - interior (body) I-CAN (ISO CAN B low speed)
 28 | - diagnosis D-CAN (high speed proprietary MB protocol)
 29 | - Digital Media Bus for radio/navigation system (MOST).
 30 | 
 31 | The reconnaisance stage is really important as this sets the scene for everything else you do. Thankfully there exists a huge amount of documentation for Mercedes-Benz that shows exactly where the components are, what the wiring is and what networks are present.
 32 | 
 33 | ![](images/canbuslocation1.jpg)
 34 | 
 35 | ![](images/canbuslocation2.jpg)
 36 | 
 37 | ![](images/canbuslocation3.jpg)
 38 | 
 39 | Some newer vehicles do a better job of isolating the diagnostic port. It works for diagnostics but since it doesn’t have a steady stream of data, due to it only responding with data as requested, it makes it much harder to "sniff" the bus.
 40 | 
 41 | ### K-line ISO 9141
 42 | 
 43 | This protocol, also known as Keyword Protocol 2000 or KWP. One underlying physical layer used for KWP2000 is identical to [ISO 9141](https://en.wikipedia.org/wiki/ISO_9141), with bidirectional [serial communication](https://en.wikipedia.org/wiki/Serial_communication) on a single line called the K-line. In addition, there is an optional L-line for wakeup. The data rate is between 1.2 and 10.4 [kilobaud](https://en.wikipedia.org/wiki/Baud), and a message may contain up to 255 bytes in the data field.
 44 | 
 45 | When implemented on a K-line physical layer KWP2000 requires special *wakeup* sequences: *5-baud wakeup* and *fast-initialisation*. Both of these wakeup methods require timing critical manipulation of the K-line signal. (thanks Wikipedia!)
 46 | 
 47 | The initialization consists of either a 25ms low followed by a 25ms high and 10.4kbps communication OR the 5 baud init which begins with a 200ms low, a 400ms high, a 400ms low, a 400ms high, a 400ms low and ends with a 200ms high.
 48 | 
 49 | ### Mercedes-Benz model codes
 50 | 
 51 | As mentioned above, each model makes use of a unique wake-up code. There is no central repository that houses these codes, so we hope that we can crowdsource this table to all in the hope that we can create a single repository of all known codes.
 52 | 
 53 | Wake up packets below are all listed in **HEX**
 54 | 
 55 | | Mercedes-Benz model codes |Wake-up Packet ID| DLC | Wake-Up Packet Content|
 56 | | ------------------------- |:-:              | :-: |:-:                    |
 57 | | W164 (M class)            | 04E4            | 8   |02 10 92 00 00 00 00 00|
 58 | | W169 (A class)            | 001C            | 8   |02 10 92 00 00 00 00 00|
 59 | | W203 (C class)            | 001C            | 8   |02 10 92 00 00 00 00 00|
 60 | | W209 (CLK class)          | 001C            | 8   |02 10 92 00 00 00 00 00|
 61 | | W211 (E class)            | 001C            | 8   |02 10 92 00 00 00 00 00|
 62 | | W215 (CL class)           | 001C            | 8   |02 10 92 00 00 00 00 00|
 63 | | W216 (CL class)           | 0692            | 8   |02 10 92 00 00 00 00 00|
 64 | | W221 (S class)            | 0692            | 8   |02 10 92 00 00 00 00 00|
 65 | | W240 (Maybach S class)    | 04E4            | 8   |02 10 92 00 00 00 00 00|
 66 | | W245 (B class)            | 001C            | 8   |02 10 92 00 00 00 00 00|
 67 | | W251 (R class)            | 04E4            | 8   |02 10 92 00 00 00 00 00|
 68 | 
 69 | 
 70 | #### Manual Code Discovery
 71 | 
 72 | If you do not have the unique code needed to wake the bus up, you can sniff for the sequence by plugging in a common diagnostics tool, such as any handheld reader or using the official Mercedes-Benz DAS Xentry software. This can be achieved by following these steps:
 73 | 
 74 | ##### Requirments
 75 | * DAS/Xentry *Important: Must be passthru edition*
 76 | * [Macchina M2 Under-the-dash](https://www.macchina.cc/catalog/m2-boards/m2-under-dash)
 77 | * [M2UTD Passthru J2534 DLL](https://github.com/rnd-ash/m2-utd-passthru)
 78 | * Visual studio (Driver must be compiled at this time)
 79 | * Windows WSL recommended for monitoring packet log files
 80 | 
 81 | ##### Configuring DAS/Xentry to use Custom DLL
 82 | 1. Clone the M2UTD repository
 83 | 2. Compile Driver DLL
 84 | 3. Upload the Arduino code to your M2 UTD Unit using the Arduino IDE
 85 | 4. From the driver repository, run `installer\install.bat`, this will install the necessary registry entries
 86 | 5. Copy the driver DLL to `C:\Program Files (x86)\macchina\passthru\driver.dll`
 87 | 6. When launching Xentry passthru, choose the M2 UTD Passthru:
 88 | ![](images/selectdevice.png)
 89 | 
 90 | ##### Capturing the wakeup packet
 91 | 1. Connect your M2 Under the dash to the ODB2 Port, and launch Xentry
 92 | 2. Once DAS has launched and has connected to your vehicle, analyze the log file at `C:\Program Files (x86)\macchina\passthru\activity.log`
 93 | 3. Your wakeup packet will be the FIRST Can frame Xentry writes
 94 | 
 95 | Below is an output of the Activity log after connecting to my W203
 96 | ```
 97 | [15:35:59.563] [INFO ] commserver::CreateCommThread - Creating events for thread
 98 | [15:35:59.564] [INFO ] commserver::CreateCommThread - Creating threads
 99 | [15:35:59.564] [INFO ] commserver::CreateCommThread - Threads created!
100 | [15:35:59.565] [INFO ] commserver::Wait - Waiting for Macchina
101 | [15:35:59.568] [INFO ] commserver::Wait - Macchina ready!
102 | [15:35:59.569] [INFO ] DllExport - PassThruOpen called
103 | [15:35:59.569] [INFO ] commserver::startPingComm - started!
104 | [15:35:59.569] [INFO ] commserver::startComm - started!
105 | [15:35:59.569] [INFO ] DllExport - passThruReadVersion called
106 | [15:35:59.571] [INFO ] DllExport - passThruReadVersion called
107 | [15:35:59.574] [INFO ] M_READ - Macchina message: 'Voltage: 8.02, Active channels: 0'
108 | [15:35:59.800] [INFO ] DllExport - PassThruIOCTL called
109 | [15:36:00. 44] [INFO ] DllExport - PassThruConnect called
110 | [15:36:00. 45] [DEBUG] ISO15765 - Handler created
111 | [15:36:00. 50] [INFO ] M_READ - Macchina message: 'Setting up ISO15765 Handler'
112 | [15:36:00. 50] [INFO ] M_READ - Macchina message: 'Locking CAN Interface'
113 | [15:36:00. 51] [INFO ] M_READ - Macchina message: 'CAN Enabled and baud set to 500000l bps'
114 | [15:36:00. 53] [DEBUG] CHAN_GROUP - Created channel OK. Id is 1
115 | [15:36:00. 53] [INFO ] DllExport - PassThruStartMsgFilter called
116 | [15:36:00. 61] [DEBUG] CAN_FILT - Adding filter with ID 1
117 | [15:36:00. 62] [INFO ] DllExport - PassThruIOCTL called
118 | [15:36:00. 65] [INFO ] M_READ - Macchina message: 'Setting filter. Type: 03, Mask: FFFFFFFF, Filter: 05FF, Resp: 04E0'
119 | [15:36:00. 66] [INFO ] M_READ - Macchina message: 'Setting Rx Filters - MASK: 0xFFFFFFFF, Filter: 0x05FF'
120 | [15:36:00. 70] [INFO ] DllExport - PassThruIOCTL called
121 | [15:36:00. 70] [INFO ] DllExport - PassThruWriteMsgs called
122 | [15:36:00. 71] [INFO ] CHAN_SEND - Sending 1 messages to channel 1
123 | [15:36:00. 72] [DEBUG] LB - 6 bytes
124 | [15:36:00. 72] [DEBUG] HANDLER - WRITE --> Contents: 00 00 00 1C 10 92
125 | [15:36:00. 78] [INFO ] M_READ - Macchina message: 'SEND FRMAE: 001C (8) 02 10 92 00 00 00 00 00 '
126 | ```
127 | 
128 | The important line here is:
129 | ```
130 | Macchina message: 'SEND FRAME: 001C (8) 02 10 92 00 00 00 00 00 '
131 | ```
132 | 
133 | This is your wakeup packet!
134 | 
135 | 
136 | #### Sending the Code
137 | 
138 | In order to use the above code, you will need to send it to the ECU/SAMs in order to wake them up and receive messages back.
139 | 
140 | ### Receiving your first CAN frame
141 | 
142 | If you followed the above methodology, have the wake-up code, here is what you need to do.
143 | 


--------------------------------------------------------------------------------
/Chapter 4 Understanding Controller Area Networks (CAN) Messages.md:
--------------------------------------------------------------------------------
 1 | Chapter 4: Understanding Controller Area Networks (CAN) Messages
 2 | 
 3 | Within Most Mercedes vehicles, there are 2 forms of CAN Messages
 4 | 1. Regular CAN Messages (Up to 8 byte payloads)
 5 | 2. ISO15765 messages (These are multi-frame payloads that can represent up to a 4096 byte payload).
 6 | 
 7 | 
 8 | # Regular CAN Message
 9 | TBA
10 | 
11 | # ISO15765 CAN Message
12 | 
13 | ## Observed uses in Mercedes
14 | 1. Diagnostic messages between DAS/Xentry and ECUs
15 | 2. Communication between Radio and Cluster
16 | 3. Communication between GPS and Radio
17 | 4. Communication between Telematics module and other ECUs in the car
18 | 
19 | 
20 | ## How it works
21 | 
22 | A ISO15765 message can have 2 forms. A single payload, or a multi-frame payload.
23 | 
24 | **AN ISO15765 CAN FRAME IS ALWAYS 8 BYTES LONG! - REGARDLESS OF THE ACTUAL PAYLOAD SIZE
25 | 
26 | ### Single frame payload
27 | Below is an example of a single frame payload
28 | ```
29 | ID: 0x01A4 DLC: 8 DATA: [0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0A, 0x0A]
30 | ```
31 | In this style of packet, the first byte (shows the number of bytes that are in the payload itself, so for this packet, the actual data would be:
32 | ```
33 | [0x00, 0x01]
34 | ```
35 | 
36 | ### Multi-frame payload
37 | Below is an example of a trace of a multi-frame payload
38 | ```
39 | ID: 0x01A4, DLC: 8, DATA: [0x10, 0x17, 0x03, 0x24, 0x02, 0x60, 0x01, 0x01]
40 | ID: 0x01D0, DLC: 8, DATA: [0x30, 0x08, 0x28, 0x00, 0x00, 0x00, 0x00, 0x00]
41 | ID: 0x01A4, DLC: 8, DATA: [0x21, 0x00, 0x00, 0x00, 0x13, 0x00, 0x01, 0x00]
42 | ID: 0x01A4, DLC: 8, DATA: [0x22, 0x02, 0x00, 0x04, 0x00, 0x20, 0x20, 0x20]
43 | ID: 0x01A4, DLC: 8, DATA: [0x23, 0x20, 0x00, 0xF3, 0x00, 0x00, 0x12, 0xC0]
44 | ```
45 | Notice the `0x01D0` ID Can frame? That is whats called a Flow control frame. More about that below
46 | 
47 | ISO15765 dictates that to start sending a multi-frame payload, the sender must send a packet starting with `0x1`, followed by the total number of bytes that the payload contains, in this case its `0x017` (0 is carried from the first byte).
48 | 
49 | When the receiver has sent the first frame, the receiver MUST send a Flow control frame. Broken down, the flow control frame can be interpreted like so:
50 | ```
51 | 0x30 - Flow control frame (0x3) - Clear to send (0)
52 | 0x08 - Block size is 8 frames
53 | 0x28 - Send delay between frames is 40 milliseconds
54 | ```
55 | 
56 | Once the sender receives the flow control frame, and is allowed to send, it begins sending the rest of the payload 7 bytes at a time (the first byte of each frame is an ID that starts at `0x21` and sequentially increases until it hits `0x29`, at which point it rolls back to `0x21`. After every frame is sent, the sender waits for the specified delay time set by the receiving ECU.
57 | 
58 | If the sender hits the specified block size, it must wait for another flow control frame from the receiver before continuing sending the payload.
59 | 
60 | In the above example, the full payload sent by `0x01A0` would be
61 | ```
62 | [0x17, 0x03, 0x24, 0x02, 0x60, 0x01, 0x01, 0x00, 0x00, 0x00, 0x13, 0x00, 0x01, 0x00, 0x02, 0x00, 0x04, 0x00, 0x20, 0x20, 0x20, 0x20, 0x00, 0xF3]
63 | ```
64 | 


--------------------------------------------------------------------------------
/Chapter 5 Understanding Mercedes-Benz Signal Acquisition Modules (SAM).md:
--------------------------------------------------------------------------------
1 | Chapter 5: Understanding Mercedes-Benz Signal Acquisition Modules (SAM)


--------------------------------------------------------------------------------
/Chapter 6 Exploring the Engine Control Unit (ECU).md:
--------------------------------------------------------------------------------
1 | Chapter 6: Exploring the Engine Control Unit (ECU)


--------------------------------------------------------------------------------
/Chapter 7 In Car Entertainment.md:
--------------------------------------------------------------------------------
  1 | # Chapter 7: In Car Entertainment
  2 | This chapter talks about creating a custom car infotainment system for a Merc, using a W203 as an example. The code base here is compatible with the following Merc models:
  3 | 
  4 | * W203 (C class 2001-2007)
  5 | * W211 (E class 2003-2009)
  6 | * W215 (CL class 1998-2006)
  7 | * W220 (S class 1998-2005)
  8 | * W230 (SL class 2001-2007)
  9 | 
 10 | ## Videos (How to and showcases)
 11 | [Ashcon has a playlist here showing his android based system in his W203](https://www.youtube.com/playlist?list=PLxrw-4Vt7xtstJgl7B1ayPXBFBRulu41J)
 12 | 
 13 | ## Hardware required
 14 | The cars stated above have very simple CAN networks, where there is an Interior CAN network (CAN B 83.3Kbps) for the interior ECU's, and an Engine CAN Network (CAN C 500Kbps) used for the drivetrain ECU's.
 15 | 
 16 | It is therefore possible to very simple to connect an Arduino to both busses at the same time:
 17 | 
 18 | ### Connection points
 19 | The connection points listed below are places where 2 wires can be easily connected for Both CAN H/L, in order to tap into canbus directly without any firewall blocking traffic
 20 | 
 21 | #### CAN B
 22 | * Instrument cluster connector (Pins 17L, 18H)
 23 | 
 24 | #### CAN C
 25 | * Instrument cluster connector (Pins 12L, 13H)
 26 | 
 27 | 
 28 | #### Connection diagrams
 29 | ##### Instrument cluster
 30 | ![](images/203_ic_wires.png)
 31 | 
 32 | ## Hardware list (Ashcon's setup)
 33 | * Arduino Uno
 34 | * 2x 16Mhz Canbus shields (16Mhz since 8Mhz oscilators do not play well with the 83.3kbps bus speed of interior CAN)
 35 | * Android headunit (Pre-rooted with Malysk ROM)
 36 | * USB Cable for connecting headunit to arduino
 37 | 
 38 | ### Code base
 39 | * [Arduino code](https://github.com/rnd-ash/MBUX-Port/tree/master/UNO_CODE)
 40 | * [Android app code](https://github.com/rnd-ash/MBUX-Port/tree/master/app)
 41 | 
 42 | 
 43 | ## Code generation for CANBUS interfacing
 44 | I (Ashcon) have built a system to convert DAT Files from XSMonitor to actual JVM Class files. XSMonitor was a tool shipped with older versions of DAS that was built for verifying SDConnect via CANBUS emulation. It contains a ton of canbus descriptor files in binary form, that contain the CAN ID of each Frame on the cars canbus network, as well as what each bit does within each frame. To convert the raw data into something that can be interfaced with in code, I built a couple scripts to do the converting.
 45 | 1. Convert the RAW Dat file to an English translated descriptor file [Source code](https://github.com/rnd-ash/MBUX-Port/blob/master/parse_dat_v3.py)
 46 | 2. Convert the descriptor file into Kotlin (JVM) source files [Source code](https://github.com/rnd-ash/MBUX-Port/blob/master/db_converter.py)
 47 | 
 48 | 
 49 | ### Example of XSMonitor conversion
 50 | Raw XS Monitor frame content:
 51 | ![](images/xsmonitor_frame.png)
 52 | 
 53 | Processed Data from parse_dat script (+Translated):
 54 | ```
 55 | FRAME MRM_A3 (0x0296)
 56 | 		B: LSVH_OB, OFFSET 5 LEN 1 - Steering column adjustment lever turned up
 57 | 		B: LSVH_UN, OFFSET 4 LEN 1 - Steering column adjustment lever turned down
 58 | 		B: LS_AUF_MRM, OFFSET 3 LEN 1 - steering column up
 59 | 		B: LS_AB_MRM, OFFSET 2 LEN 1 - steering column down
 60 | 		B: LS_VOR_MRM, OFFSET 1 LEN 1 - steering column forward
 61 | 		B: LS_ZUR_MRM, OFFSET 0 LEN 1 - steering column to the rear (towards the driver)
 62 | ```
 63 | 
 64 | Kotlin class generated by db_converter.py:
 65 | ```kotlin
 66 | @file:Suppress("unused", "FunctionName", "ClassName")
 67 | package com.rndash.mbheadunit.nativeCan.canB
 68 | import com.rndash.mbheadunit.CanFrame // AUTO GEN
 69 | import com.rndash.mbheadunit.nativeCan.CanBusNative // AUTO GEN
 70 | 
 71 | /**
 72 |  *   Generated by db_converter.py
 73 |  *   Object for MRM_A3 (ID 0x0296)
 74 | **/
 75 | 
 76 | object MRM_A3 {
 77 | 
 78 |     /**
 79 |      *  Returns the most recent Can Frame representing the state
 80 |      *  of MRM_A3
 81 |     **/
 82 |     fun get_frame() : CanFrame? = CanBusNative.getBFrame(CanBAddrs.MRM_A3)
 83 | 
 84 | 	/** Gets Steering column adjustment lever turned up **/
 85 | 	fun get_lsvh_ob() : Boolean = CanBusNative.getECUParameterB(CanBAddrs.MRM_A3, 5, 1) != 0
 86 | 
 87 | 	/** Sets Steering column adjustment lever turned up **/
 88 | 	fun set_lsvh_ob(f: CanFrame, p: Boolean) {
 89 | 		checkFrame(f)
 90 | 		CanBusNative.setFrameParameter(f, 5, 1, if(p) 1 else 0)
 91 | 	}
 92 | 
 93 | 	/** Gets Steering column adjustment lever turned down **/
 94 | 	fun get_lsvh_un() : Boolean = CanBusNative.getECUParameterB(CanBAddrs.MRM_A3, 4, 1) != 0
 95 | 
 96 | 	/** Sets Steering column adjustment lever turned down **/
 97 | 	fun set_lsvh_un(f: CanFrame, p: Boolean) {
 98 | 		checkFrame(f)
 99 | 		CanBusNative.setFrameParameter(f, 4, 1, if(p) 1 else 0)
100 | 	}
101 | 
102 | 	/** Gets steering column up **/
103 | 	fun get_ls_auf_mrm() : Boolean = CanBusNative.getECUParameterB(CanBAddrs.MRM_A3, 3, 1) != 0
104 | 
105 | 	/** Sets steering column up **/
106 | 	fun set_ls_auf_mrm(f: CanFrame, p: Boolean) {
107 | 		checkFrame(f)
108 | 		CanBusNative.setFrameParameter(f, 3, 1, if(p) 1 else 0)
109 | 	}
110 | 
111 | 	/** Gets steering column down **/
112 | 	fun get_ls_ab_mrm() : Boolean = CanBusNative.getECUParameterB(CanBAddrs.MRM_A3, 2, 1) != 0
113 | 
114 | 	/** Sets steering column down **/
115 | 	fun set_ls_ab_mrm(f: CanFrame, p: Boolean) {
116 | 		checkFrame(f)
117 | 		CanBusNative.setFrameParameter(f, 2, 1, if(p) 1 else 0)
118 | 	}
119 | 
120 | 	/** Gets steering column forward **/
121 | 	fun get_ls_vor_mrm() : Boolean = CanBusNative.getECUParameterB(CanBAddrs.MRM_A3, 1, 1) != 0
122 | 
123 | 	/** Sets steering column forward **/
124 | 	fun set_ls_vor_mrm(f: CanFrame, p: Boolean) {
125 | 		checkFrame(f)
126 | 		CanBusNative.setFrameParameter(f, 1, 1, if(p) 1 else 0)
127 | 	}
128 | 
129 | 	/** Gets steering column to the rear (towards the driver) **/
130 | 	fun get_ls_zur_mrm() : Boolean = CanBusNative.getECUParameterB(CanBAddrs.MRM_A3, 0, 1) != 0
131 | 
132 | 	/** Sets steering column to the rear (towards the driver) **/
133 | 	fun set_ls_zur_mrm(f: CanFrame, p: Boolean) {
134 | 		checkFrame(f)
135 | 		CanBusNative.setFrameParameter(f, 0, 1, if(p) 1 else 0)
136 | 	}
137 | 
138 | 	/**
139 |      * Auto generated function
140 |      * Throws exception if user tries to set a value in a frame
141 |      * Not designated from the correct ECU
142 |     **/
143 |     private fun checkFrame(f: CanFrame) {
144 |         if (f.canID != CanBAddrs.MRM_A3.addr) {
145 |             throw IllegalArgumentException("CAN ID does not match object!")
146 |         }
147 |     }
148 | 
149 | 	override fun toString() = """
150 | 		|Frame MRM_A3 (0x0296):
151 | 		|	Steering column adjustment lever turned up: ${get_lsvh_ob()}
152 | 		|	Steering column adjustment lever turned down: ${get_lsvh_un()}
153 | 		|	steering column up: ${get_ls_auf_mrm()}
154 | 		|	steering column down: ${get_ls_ab_mrm()}
155 | 		|	steering column forward: ${get_ls_vor_mrm()}
156 | 		|	steering column to the rear (towards the driver): ${get_ls_zur_mrm()}
157 | 	""".trimMargin("|")
158 | }
159 | ```
160 | 


--------------------------------------------------------------------------------
/Chapter 8 Performance Tuning.md:
--------------------------------------------------------------------------------
1 | # Chapter 8: Performance Tuning


--------------------------------------------------------------------------------
/Chapter 9 Debugging and Fault Finding.md:
--------------------------------------------------------------------------------
1 | # Chapter 9: Debugging and Fault Finding


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # A Guide to Hacking and Exploring Your Mercedes-Benz
 2 | This repository is a journey on how one would go about hacking and reverse engineering Mercedes vehicles. When we use the term hacking, we pay homage to the original hackers of the day, the [MIT’s Tech Model Railroad Club](http://catb.org/esr/writings/hacker-history/hacker-history-3.html) who way back in 1961 hacked their high-tech train sets in order to modify their functions. It is not criminal in any way but is about exploring our cars and understanding how they work and more importantly, how we can modify functions to our liking. 
 3 | 
 4 | It will be a living document that is continually edited and updated. This is a new area of car research that takes into account both the mechanical and engineering from yesteryear but also embedded electronics, networking and protocols. 
 5 | 
 6 | Chapter 1: Vehicle Bus Protocols and Diagnostics
 7 | 
 8 | Chapter 2: Tools and Equipment
 9 | 
10 | Chapter 3: Connecting to the Vehicle
11 | 
12 | Chapter 4: Understanding Controller Area Networks (CAN) Messages
13 | 
14 | Chapter 5: Understanding Mercedes-Benz Signal Acquisition Modules (SAM)
15 | 
16 | Chapter 6: Exploring the Engine Control Unit (ECU)
17 | 
18 | Chapter 7: In Car Entertainment
19 | 
20 | Chapter 8: Performance Tuning
21 | 
22 | Chapter 9: Debugging and Fault Finding
23 | 
24 | 
25 | 
26 | 


--------------------------------------------------------------------------------
/images/203_ic_wires.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xplatforms/mercedes-hacking-docs/a1558badd80020c79a561c25223f31b5745131de/images/203_ic_wires.png


--------------------------------------------------------------------------------
/images/CANframes.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xplatforms/mercedes-hacking-docs/a1558badd80020c79a561c25223f31b5745131de/images/CANframes.jpeg


--------------------------------------------------------------------------------
/images/OBDIIport.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xplatforms/mercedes-hacking-docs/a1558badd80020c79a561c25223f31b5745131de/images/OBDIIport.jpg


--------------------------------------------------------------------------------
/images/canbuslocation1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xplatforms/mercedes-hacking-docs/a1558badd80020c79a561c25223f31b5745131de/images/canbuslocation1.jpg


--------------------------------------------------------------------------------
/images/canbuslocation2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xplatforms/mercedes-hacking-docs/a1558badd80020c79a561c25223f31b5745131de/images/canbuslocation2.jpg


--------------------------------------------------------------------------------
/images/canbuslocation3.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xplatforms/mercedes-hacking-docs/a1558badd80020c79a561c25223f31b5745131de/images/canbuslocation3.jpg


--------------------------------------------------------------------------------
/images/candump.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xplatforms/mercedes-hacking-docs/a1558badd80020c79a561c25223f31b5745131de/images/candump.jpeg


--------------------------------------------------------------------------------
/images/cantactpro.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xplatforms/mercedes-hacking-docs/a1558badd80020c79a561c25223f31b5745131de/images/cantactpro.jpg


--------------------------------------------------------------------------------
/images/macchinabreakout.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xplatforms/mercedes-hacking-docs/a1558badd80020c79a561c25223f31b5745131de/images/macchinabreakout.jpg


--------------------------------------------------------------------------------
/images/macchinam2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xplatforms/mercedes-hacking-docs/a1558badd80020c79a561c25223f31b5745131de/images/macchinam2.jpg


--------------------------------------------------------------------------------
/images/macchinam2board.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xplatforms/mercedes-hacking-docs/a1558badd80020c79a561c25223f31b5745131de/images/macchinam2board.png


--------------------------------------------------------------------------------
/images/obdii-port-diagnostics.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xplatforms/mercedes-hacking-docs/a1558badd80020c79a561c25223f31b5745131de/images/obdii-port-diagnostics.jpg


--------------------------------------------------------------------------------
/images/obdii_y_splitter.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xplatforms/mercedes-hacking-docs/a1558badd80020c79a561c25223f31b5745131de/images/obdii_y_splitter.jpg


--------------------------------------------------------------------------------
/images/selectdevice.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xplatforms/mercedes-hacking-docs/a1558badd80020c79a561c25223f31b5745131de/images/selectdevice.png


--------------------------------------------------------------------------------
/images/xsmonitor_frame.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xplatforms/mercedes-hacking-docs/a1558badd80020c79a561c25223f31b5745131de/images/xsmonitor_frame.png


--------------------------------------------------------------------------------