
Hacking this computer on wheels

111K views 176 replies 54 participants last post by  BigIronRam 
#1 · (Edited)
Just thought I would start a thread to discuss hacking the software in our cars - what we wish we could hack, technical information, tools, etc.

Here are some things I'd love to hack on my 2011:

- Disable in-motion lockout (I know it can be done with the lock pick, but a direct firmware modification would be better)
- Turn on rear camera any time. An additional button in the "More" tab is a great place for it!
- Add performance pages from SRT8.
- Tweak ACC parameters, such as minimum speed, reaction time, etc. It'd be so cool to set min speed to zero, so the car will come to a complete stop and take off for you in traffic or at a red light.
- Add a close all feature. I would love to be able to push 1 button to have the car roll up all the windows and close the sunroof. Surely the body control module or whatever can already talk to all the power window and sunroof modules to do this. Actually, we already have the ability to roll down the front windows from the key fob (press and release unlock, and then immediately press it again but hold it).

Anyone have anything else to add?

If I could somehow dump the firmware used in the Uconnect unit then I could take a stab at removing the in-motion lockout... Anyone have any insight on this?

-Andrew
 
#2 · (Edited)
Well, the rear camera being enabled at any time can also be achieved with a lock pick. :)

On a more technical note, I know this nav uses .KWI files similar to our 2008 Tahoe and 2010 Escalade. I wanted to hack those as well and discovered that those types of navs, and maybe these UConnects, base their settings and config on these .KWI files and you'd have to have a way of reading and editing the .KWI files to manipulate the system, which others have found out was nearly impossible to do because there isn't any software readily available to do so.

It's been a while since I researched it but that is what I came up with. :)
 
#3 ·
The iPod update they released for the 8.4 is a file with a KWI extension (CTPMY11.KWI), leading me to believe it was in KIWI format. When I tried to read the file according to the KIWI specification, it is clearly not in the standard KIWI format. Chrysler must be using a variation or compressing/obfuscating the file... if I could figure out the format it'd bring me one step closer...
 
#4 ·
Good find, I guess they are using a combo because I think the GM navs ran only on KIWI format files. A wild guess here but maybe an OBD II tool can help with the nav, they're expensive but I know they programmed my Tahoe's nav with one over at Chevrolet.
 
#5 · (Edited)
I know it's against the rules to resurrect an old thread, but as the OP I decided it was time to share the amazing progress I've achieved on Powernet (even CUSW) vehicles.

I have managed to successfully reverse engineer the Powernet and CUSW vehicle message matrix (VMM). I know the format of EVERY message that is going through the CAN-C, CAN-IHS, and CAN-AT buses on Powernet and CUSW architectures (except for CAN-AT on CUSW as it doesn't exist). I did this using a combination of isolating each module (disconnecting each one, and bridging communication to the rest of the car), reverse engineering, and getting much more advanced, such as dumping the modules' memory and reading the disassembly to determine the VMM.

So using this on my Chrysler 300S 2012 with Powernet, I have been able to completely replace my ACC module with my *own* implementation (using code I wrote which talks to a CAN transceiver on a Raspberry Pi) to enable features such as Stop-And-Go (really AWESOME in bumper to bumper traffic) and even remote control gas and brake via Xbox controller (which is not practical and for fun only). I am working on using GPS data combined with computer vision to stop at stop signs, stop lights, etc.

I have made some videos and will post them on YouTube soon and will provide a link.

But basically I have successfully "hacked" my computer on wheels. I can do anything from change the climate control, to controlling exterior and interior lights (every single one, something as mundane as the license plate light). I can even detonate the AIRBAGS (which I've of course never tried but from the information I have no reason to believe it will not work). It has taken me years in my spare time to pull this off but I have succeeded.

I have also enabled SRT pages on my non-SRT vehicle in both the UConnect and the EVIC. It is really neat to have those screens. This was accomplished by determining which UDS (unified diagnostic services) data identifier is used to write to the CBC (Common Body Controller), which changes the "Performance Pages Present" to 1 (enables in Uconnect) and "Is Vehicle SRT" to 1 (enables in EVIC). I can even change "Vehicle Model" to think it's a Jeep, so when the Uconnect and EVIC boot, it shows the Jeep logo. That's just scratching the surface. I can modify the entire vehicle configuration. Add ParkAssist to your car? No problem, I know the data identifier to set that Present = 1. In addition I have changed the Vehicle Max Speed to remove the speed limiter.

I pretty much have the car's CAN bus and modules at my fingertips. Have been using my stop-and-go ACC for about a year now and it has been flawless. I've also added a few gimmick features such as auto blinker when approaching a turn (as long as your route is in GPS), to enabling "Police Car Mode", so when you put the light knob all the way down to the last detent, ALL interior lights go off, and much more.

Quick background, I am a software and hardware engineer for a company in downtown Austin. In my spare time this is what I did, day and night - a kind of obsession if you will.

Another thing to mention, my younger brother has a 2014 Jeep (CUSW architecture). As those are equipped with EPS (electric power steering, full), I was actually able to plug into his diagnostic port and activate the steering torque overlay interface, and was able to turn his steering wheel left or right straight from my code. It was AWESOME! The possibilities of self controlling one's own steering wheel via TWO CAN bus wires is amazing. I already have computer vision algorithms ready to go to enable "full lane keep assist" (albeit illegal if you have your hands off the wheel, but the coolness factor is outstanding).

So if anyone else is interested in my breakthrough, just reply in this thread - especially with any ideas you may have. I should have YouTube videos up soon.

Take care everyone,
-Andrew
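
The configuration changes described in the post above travel as UDS WriteDataByIdentifier requests (ISO 14229 service 0x2E), so an owner or shop can spot them in a CAN capture. The sketch below is an added example, not code from the original poster: it reassembles ISO-TP messages and lists every write along with whether the module acknowledged it. The candump-style log format, the arbitration IDs 0x740/0x748, the data identifiers and the log lines are all constructed placeholders.

```python
import re

# Constructed candump-style capture; IDs, DIDs and payloads are placeholders,
# not values taken from any real vehicle.
SAMPLE_LOG = """\
(100.000000) can0 2A0#0011223344556677
(100.010000) can0 740#021003AAAAAAAAAA
(100.020000) can0 748#065003003201F4AA
(100.500000) can0 740#042E012301AAAAAA
(100.510000) can0 748#036E0123AAAAAAAA
(101.000000) can0 740#100A2E0124010203
(101.001000) can0 748#300000AAAAAAAAAA
(101.002000) can0 740#2104050607AAAAAA
"""
DIAG_IDS = {0x740, 0x748}  # assumed diagnostic request/response pair

LINE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)")
WRITE_DID, WRITE_DID_OK = 0x2E, 0x6E  # request SID and its positive response

def reassemble(log, diag_ids):
    """Yield (timestamp, can_id, payload) for each complete ISO-TP message."""
    pending = {}  # can_id -> [start_time, total_length, buffer]
    for m in LINE.finditer(log):
        ts, can_id, data = float(m[1]), int(m[2], 16), bytes.fromhex(m[3])
        if can_id not in diag_ids or not data:
            continue
        pci = data[0] >> 4
        if pci == 0:                           # single frame
            n = data[0] & 0x0F
            if 0 < n <= len(data) - 1:
                yield ts, can_id, data[1:1 + n]
        elif pci == 1 and len(data) >= 2:      # first frame, 12-bit length
            total = ((data[0] & 0x0F) << 8) | data[1]
            pending[can_id] = [ts, total, bytearray(data[2:])]
        elif pci == 2 and can_id in pending:   # consecutive frame (3 = flow control)
            start, total, buf = pending[can_id]
            buf += data[1:]
            if len(buf) >= total:
                del pending[can_id]
                yield start, can_id, bytes(buf[:total])

def find_config_writes(log, diag_ids):
    """Return one record per WriteDataByIdentifier request seen in the log."""
    writes = []
    for ts, can_id, msg in reassemble(log, diag_ids):
        did = int.from_bytes(msg[1:3], "big")
        if len(msg) >= 3 and msg[0] == WRITE_DID:
            writes.append({"time": ts, "can_id": can_id, "did": did,
                           "data": msg[3:].hex(), "accepted": False})
        elif len(msg) >= 3 and msg[0] == WRITE_DID_OK:
            w = next((w for w in reversed(writes)
                      if w["did"] == did and not w["accepted"]), None)
            if w:
                w["accepted"] = True
    return writes
```

Calling `find_config_writes(SAMPLE_LOG, DIAG_IDS)` on the constructed capture returns two writes, the second reassembled from a multi-frame message and left unacknowledged.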
 
#16 · (Edited)
I don't think I have the sensors in my base model 300 for ACC. :( Do I even have an ACC module?

I've also added a few gimmick features such as auto blinker when approaching a turn (as long as your route is in GPS)...
Oooh now here's a thought. Can you turn my 8.4 into an 8.4N? I believe the antenna is there and integrated with the satellite radio antenna. Maybe our radios have an additional nav module inside that would prevent me from doing this.
 
#7 ·
That's the first thing I thought of when I read that. You took the words right out of my mind.
Considering we already know what the solution is but just can't implement it.
 
#22 · (Edited)
Well, the ACC module responds to steering wheel button presses, drives the EVIC screen, and sends torque and brake requests to the ECM (all measurements are in newton-meters) to control speed/brake.

I enabled Stop-and-Go ACC in mine utilizing a Raspberry Pi (if you don't know what that is, it's an ARM-based computer the size of a credit card). I used a dual-channel USB to CAN adapter connected to the Pi. One channel I connected to the car's CAN-C bus (the primary 500k bus), and the other channel is connected directly to the DASM (Driving Assistance Module, aka ACC module). Now, the only dirty work involved was disconnecting the DASM module from the rest of the network by removing it from the STAR connector located behind the glove box. Pretty easy actually, just a few screws to pull the glove box back to reveal the STAR connector. I found the one which is connected to the DASM, disconnected it, and used the CAT5 twisted pair cabling to run it to where I have my CAN bus transceiver connected.

The DASM module itself is only good for sending across the bus the number of meters away the "object of interest" is in front. That information is crucial in determining how much to slow down or speed up, to determine the amount of braking and engine torque to send to the ECM. So with a lot of math, extensive use of PID (proportional, integral, and derivative) controllers, I tuned it pretty well.

Again it's a little involved but as long as you know the messages the car expects it all comes together...

-Andrew
 
#18 ·
Sure, if you have a Powernet vehicle with the 8.4 screen. I can even do CUSW architectures but it may take longer due to the way CUSW syncs vehicle configuration on each module by using PROXI.

Anyway, the process is highly technical and I would have to develop some software which interfaces with your specific CAN transceiver connected to your car. I've been debating whether or not to develop a software solution to sell - but I feel like Chrysler could get mad at me :/

If you lived in the Austin, TX area I could hook you up.

-Andrew
 
#11 ·
So are these things that us normal folks will be able to do now that you have figured it out, or things that are "possible" but not really practical for the rest of us? Stop and go ACC would be nice, SRT pages would be interesting, if they don't disable the rear sunshade.
Removing top speed limit would be of interest, only because I think it's crazy that Chrysler thought it was a good idea to put a 118 limit on a 360HP car!
 
#12 ·
I have a Gen 1, but this is very cool that you were able to hack this computer. Always impressed when people figure this stuff out, especially when they do it in their free time just for fun.
 
#27 ·
It's really great that you were able to figure this out.

I think the stop and go feature as well as the additional performance pages would be worthwhile, but the simplest of things to make me happy would be to separate album art display from that stupid music cleanup setting. Album art should be read from the mp3 file.
Doing that would make me most happy.
 
#28 · (Edited)
...but the simplest of things to make me happy would be to separate album art display from that stupid music cleanup setting.
Same here but... I do not think Andrew can hack the firmware in our radios, which is what I think it would take to fix this infuriating bug. He did mention above that he had the (2011 iPod playlist?) update, but couldn't decompile it into anything useful. Maybe tanbam would like to take a swing at that update. :D It would be sweet if one of them could figure the darn thing out. I'd happily pay significant $'s if they could.
 
#31 ·
Great work on this stuff, just some advice....
I wouldn't speak too loudly that you're building something that interfaces with the car like this. It was done on another forum and was greeted with a letter and some other things from Chrysler.
Second, the vehicle configuration can be changed via AutoEnginuity software or the software from Chrysler and a wiTECH.

I think this is all very cool and would love to keep up and mess around with my car as well. Just a friendly word to keep it quiet.
 
#36 · (Edited)
Ekaz couldn't be more correct as I have seen it on another forum as well. The guy that posted instructions on how to update the Garmin maps in the 8.4 without purchasing a disc from Chrysler will probably get a letter too. I did the update and couldn't be happier with his instructions, however, I'm sure Chrysler isn't going to feel the same way. The problem with Chrysler trolling forums is they avoid pressing technical issues and never seem to really help, IMO.
 
#32 · (Edited)
What are they going to say? Don't mess with our proprietary property that we don't care to support anyway?

Seems as if we are in the you break it you bought it territory where you can void your warranty and stuff like that.

Shouldn't be an issue until there is an actual product for sale (or stop and go). I'm sure they'd have a problem with stop and go. But if we turned on a screen in the car or changed album art, not sure why they'd care about that.
 
#34 ·
What are they going to say? Don't mess with our proprietary property that we don't care to support anyway?
I know someone who's been through a similar situation. ekaz is exactly correct, messing with proprietary software is taken VERY seriously.

My car will be out of warranty in short order (6,000 miles) so I don't have any concerns in that regard.
 
#37 ·
This is amazing. Just name your price already! :p I would LOVE the Stop and Go feature alone, but definitely would not mind the SRT8 pages as well. I also changed my Beats amp to the factory Harman/Kardon so I'd also like to change the boot logo from Beats to the Chrysler wing.
 
#40 ·
I have a 2013 SRT8 and can get into the EVIC in limited way. One thing I can bring up is a screen that has a DAB radio touch screen button that is not active. Does that mean that somewhere in there we have DAB? Does the car have a DAB antenna? Can the DAB be activated? I guess I should mention the car is an Australian version.
 
#41 ·
Interesting...I wonder if the OP could activate said button now that he knows how.
 
#42 · (Edited)
Regarding Chrysler having issues with this stuff, why is it any different than the Predator tuners, or LockPick? Both of those offer ways to defeat factory safety mechanisms (top speed limiter, DVD while driving, etc) and of course the Predator gives you the ability to change a wide variety of performance characteristics that could affect the way things run.

Other than the Stop and Go ACC nothing the OP has mentioned would have any impact on the vehicle's safety systems, and I actually think having stop and go ACC would be safer than having it let go at 20mph (unless there is some significant hardware issue with the radar sensor working in that way).

Here's another question. You brought up being able to change the start up logo... Is it feasible to be able to actually change it to a custom boot image? I know you mentioned you do it by way of tricking the car into thinking it's a Jeep or whatever, but what if you could access the source file for the Chrysler logo and replace it? Or is that getting way too technical?
 
#44 ·
I could see some issues with some features, but not others. Changing some of the performance details like tuning may not be such a big deal, nor would the DVD-in-motion, but some features like SRT Performance Pages may be more than they would tolerate. I asked Coastaletech about the SRT pages, and they were adamant that it was not something that they would consider adding due to licensing issues. I don't think that there could be any real issues with doing it to your own car, but actually selling it might be a problem. On the other hand, maybe Chrysler doesn't really care, since there are other commercially available means to add the SRT pages.

The start up logos and themes are all preprogrammed into the radio. The radio displays the theme that the car tells it to use. I'm pretty sure that you could not add a new one without being able to modify the firmware, which I still don't think is possible yet without the source code. If you can modify the car to identify itself to the radio as a different make, it will display whatever is appropriate, Chrysler, Jeep, Dodge, Maserati, or whatever else may be living in there.
 
#46 ·
If only Garmin/Chrysler would allow manual input of destinations while moving. Seems they didn't consider a passenger using the system. Perhaps this would be something to look at.
 
#48 ·
Actually the Chrysler system is much more user friendly in this than other OEM nav systems I've used. For instance in my mom's 2007 Jaguar if you're moving you can ONLY "go home", no POI, no recently found, just home.

Also, you can still do a manual address search using voice control.

I think that Lockpick also enables this feature.

From an OEM standpoint I'd think since they have a switch in the passenger seat for the airbag you could use that signal to also "unlock" the extra nav screen functions...
 
#47 ·
There is a new software-based Lockpick available for the newer, 2nd generation 8.4A/8.4N radios that can enable the SRT pages, but not for US region cars. I don't know if the restriction is because of a licensing issue or a compatibility issue.

There are also places where you can send your BCM to get programmed and add the feature, too.

Chrysler has pretty well covered their butts regarding the safety issue. It's difficult enough to bypass those features that they can claim that they've done their job well enough, I would imagine.
 
#53 ·
Hey guys, sorry for not getting back to some of you. I'm out of town right now and don't have much time to follow up.

I did manage to get this video up showing the stop and go ACC: https://www.youtube.com/watch?v=Njwm6veT7Qw. I took it a few weeks ago. Sorry the video isn't the greatest was trying to pay attention to the road and record at the same time :) But the system was controlling 100% during the whole video.

Get this - yesterday I walk out to my baby and someone backed hard into the front passenger side! Light assembly is busted, HID bulb/igniter destroyed, bumper is all cracked and bent in, worst of all my beloved ACC module was busted off and on the ground :'( Totally freaking sucks! People these days...

-Andrew
 
#54 ·
Shit...that sucks. Was it anywhere public that might have cameras?

BTW, I wouldn't mind buying a pre-made stop-and-go ACC module from you to help you recoup the cost of repairing your car. :) How hard is it to wire in? I live 7 hours or so away from Austin but if I *have* to go down there to get the hookup I just might. I use the ACC every single day so this would be a lifesaver, please let me know!
 