Hacking the GM Low Speed LAN

Ross

Goblin Guru
I want to hack into the GM Low Speed LAN for a few reasons.
- to find & fix my intermittent instrument cluster gauges issue
- add an oil pressure sender to my HP Tuners logs, and a new dash gauge.
- be able to add future functionality similar to what BradR has done.


Today I had some success.
My oscilloscope is showing data on the GM Low Speed LAN when my instrument cluster (IC) goes dead.
So I'm guessing that some data is missing that the IC needs.

I went and bought a CAN BUS module for an Arduino, did a little circuit board soldering, then plugged them into my PC.
I was able to modify Mike McGuire's code, to read the GM Low Speed LAN.



Now I am hacking, by logging events at specific times, then looking for the event in the data.

Playing. Having fun. Hacking.
 

Ross

Goblin Guru
The GMLANs (both high speed and low speed) both go to the OBD port, so they are the same. Same speed. Edit: Same ping time, but the high speed LAN is used for engine millisecond response times... the low speed is for human interfaces.
The high speed LAN bounces thru each computer, so there would be a little delay from one end of the network to the other,
but the low speed LAN is direct to each device.
 

Ross

Goblin Guru
Same.
The low speed GMLAN is the 33.3Kb/second green wire that goes to the BCM, OBD, gauge cluster, etc.
The high speed GMLAN is the 500Kb/sec brown and tan wires that go to the BCM, OBD, power steering, PCM.

I haven't hacked the high speed LAN yet, but the hardware I have can do that too.
In 2006, my donor was pre-CANBUS, but the GMLANs were the pre-cursors to it. I think 2007 followed the CANBUS protocol.
The hardware I bought is made for CANBUS protocol, but can be modified to talk the slower speeds of my 2006 GMLAN.
 

jamesm

Goblin Guru
Year model difference. Got it. At first I thought that seemed like a lot of work to get data that should be trivial to access.
 

Anks329

Well-Known Member
Did you have any success with this project? I just purchased a Can Bus board for a Raspberry Pi that should enable me to pull data from the GMLAN as well. I'm mainly interested in grabbing the odometer information from these data wires.
 

Ross

Goblin Guru
Glad to have another hacker!

I succeeded at reading the low speed GMLAN, and can log files on my PC. I haven't found a source "GM Bible" that explains what the data is yet.
I moved on to adding a second MCP2515 to the arduino project, so I can start transmitting the collected data. I have a spare instrument cluster that I can use for hacking, and hope to be able to transmit to it. That should allow me to isolate what the data does, by delivering data one piece at a time, and then seeing what it does to the instrument cluster.

Here is a small snippet of data, lasting 1 second, when the engine is running. The Extended ID is the header, all the data seems to be of the Extended type on my engine. DLC is the number of data bytes, and then the data is shown.
17:12:41.144 -> Extended ID: 0x00000108 DLC: 7 Data: 0x30 0x00 0x00 0x00 0x00 0x00 0x00
17:12:41.222 -> Extended ID: 0x00000126 DLC: 3 Data: 0x01 0x57 0x30
17:12:41.255 -> Extended ID: 0x00000126 DLC: 3 Data: 0x01 0x57 0x30
17:12:41.343 -> Extended ID: 0x00000126 DLC: 3 Data: 0x01 0x57 0x30
17:12:41.385 -> Extended ID: 0x00000126 DLC: 3 Data: 0x01 0x57 0x30
17:12:41.431 -> Extended ID: 0x00000108 DLC: 7 Data: 0x30 0x00 0x00 0x00 0x00 0x00 0x00
17:12:41.508 -> Extended ID: 0x00000126 DLC: 3 Data: 0x01 0x57 0x30
17:12:41.578 -> Extended ID: 0x00000126 DLC: 3 Data: 0x01 0x57 0x30
17:12:41.612 -> Extended ID: 0x00000344 DLC: 3 Data: 0x00 0x7E 0x7E
17:12:41.703 -> Extended ID: 0x00000126 DLC: 3 Data: 0x01 0x57 0x30
17:12:41.737 -> Extended ID: 0x00000268 DLC: 8 Data: 0x00 0x0F 0x00 0x00 0x09 0x90 0x11 0x09
17:12:41.814 -> Extended ID: 0x00000126 DLC: 3 Data: 0x01 0x57 0x30
17:12:41.893 -> Extended ID: 0x00000126 DLC: 3 Data: 0x01 0x57 0x30
17:12:41.961 -> Extended ID: 0x00000108 DLC: 7 Data: 0x30 0x00 0x00 0x00 0x00 0x00 0x00

I tried to hack into the GM high speed LAN (500Khz), but haven't succeeded yet in capturing the data with the Arduino, but I can see it on the oscilloscope. It barely gets up to voltage before the next data bit arrives. Not the nice square wave of the 33.3Khz data, just sweeping lines that go up and start over from 0v on the next bit.
 

Yustas

Active Member
If you just listen to GMLAN (hi or low), there is no odometer information going there (AFAIK), except the one shot by the BCM to the instrument cluster (16 bytes message screen) addressed to 142# (first 8 chars) and 148# (last 8 chars) by GMLAN LO. You can listen for them or even send a custom message to the IC.
If you wanna get the actual ODO reading you need to talk to BCM services.

I found https://github.com/YustasSwamp/caringcaribou tool useful for GMLAN hacking.
I improved it a little to pull the full ECM e37 image. Didn't work with the BCM yet. But the list of GMLAN services is very well documented.
 

Anks329

Well-Known Member
Awesome, thanks for the information @Ross and @Yustas. I'm building this device to pull the odometer information occasionally. So the details around the one-time send to the IC are very helpful!
 

Ross

Goblin Guru
Nice Yustas! I found those 16 bytes in my data log:

17:12:15.587 -> Extended ID: 0x00000148 DLC: 8 Data: 0x20 0x20 0x20 0x20 0x36 0x36 0xB0 0x46
17:13:01.179 -> Extended ID: 0x00000142 DLC: 8 Data: 0x43 0x4F 0x4F 0x4C 0x41 0x4E 0x54 0x20

Do you know of a source of documentation of the GMLAN services? Or is this not public information, but paid for only?
My odometer is 163,000 ish, just running from memory. Should be hidden in these 16 bytes.
 

Yustas

Active Member
Ross, GMW3110-2010.pdf is good to start with. Should be easy to find.

One more GMLAN LO finding.
If you want to emulate SRS Airbag Module presence, you can send these packets:
Address: 098# + 4 bytes data
73737300 - I’m ok - normal mode (send every 2 seconds)
7373b300 - blink airbag warning lamp
7373b320 - blink airbag warning lamp and display message “SERVICE AIR BAG”
7373f300 - airbag warning lamp on (what you usually see when SRS module is not present)
7373f320 - airbag warning lamp on and display message “SERVICE AIR BAG”

By sending 098#73737300 every 2 seconds, it will light off the airbag lamp on IC.
Hacky way to eliminate airbag. Proper way is to code BCM.
 

Ross

Goblin Guru
I was able to find and download GMW3110-2010.pdf
I guess I am looking more for the GMLAN device specifications for my BCM, P12 PCM, IC, and Power steering box.
How did you know address 142# and 148# have 16 bytes from the BCM to the IC?
Can we find what these 16 bytes represent from a document, or is hacking my best method?

The Car Hackers Handbook had some interesting chapters:
Chapter 4: Diagnostics and Logging
Chapter 5: Reverse Engineering the CAN Bus
But nothing specific for my car, just methods to hack the system.
 

Yustas

Active Member
Ross said: "How did you know address 142# and 148# have 16 bytes from the BCM to the IC?"
Just reverse engineering. I didn't find any documentation about messages on GMLAN. But I believe it might be GMW3107-2010.pdf

GMLAN generic device specification is GMW3110-2010.pdf. All GMLAN units follow it.
Every unit provides list of services where you can get status, error codes, properties from any unit.
Some of these services are not GM specific and are common to all car manufacturers. That's how tools such as "Torque Pro" work. Standards are: ISO-14229-1 and ISO-15765-2 (easy to find)

I didn't hear about per unit GM documentation publicly available. It would be _really_ nice to have.
 

Anks329

Well-Known Member
These two IDs definitely have the info that is sent to the IC. I had been trying to figure out what the math was to translate the hex information here into the actual odometer reading and had been driving myself crazy coming up with an Excel formula to translate this into something close to the 160k miles mentioned and I wasn't getting anywhere with it. Rereading what Yustas wrote, that this is a 16 byte message screen, I wondered if it was something simpler, and it is. These two lines are just hex encoded ASCII text. What we have here is 66* F COOLANT. I'm guessing this is the ambient temp and then the start of the coolant temp here.

@Ross, would it be possible to share some more of your data dump? I think if I can go through the data file, I might be able to find the odometer info that I'm searching for.
 

Ross

Goblin Guru
"COOLANT 66°F" if you put the lines in the correct order. Wow, I didn't expect it to be that easy.

Once I can transmit CAN data, it will be easier to hack this. My dash is intermittent, and I will check my wiring harness for rub spots this winter, when I pull the engine... but an accurate odometer reading would help a lot too.

The file I created with an engine start is here.
Also created a file where I turned the key on, but didn't start the engine.
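
The decoding worked out in the posts above, as an added example (not code from any poster or from caringcaribou): it parses the serial-monitor log format quoted in this thread, joins the 0x142 and 0x148 payloads into the 16-character cluster message, and goes one step further by listing which IDs carry only printable text. The function names and the Latin-1 reading of byte 0xB0 are assumptions.

```python
import re

# Constructed sample: frames copied from the logs quoted in this thread.
SAMPLE_LOG = """\
17:12:15.587 -> Extended ID: 0x00000148 DLC: 8 Data: 0x20 0x20 0x20 0x20 0x36 0x36 0xB0 0x46
17:12:41.144 -> Extended ID: 0x00000108 DLC: 7 Data: 0x30 0x00 0x00 0x00 0x00 0x00 0x00
17:12:41.222 -> Extended ID: 0x00000126 DLC: 3 Data: 0x01 0x57 0x30
17:12:41.612 -> Extended ID: 0x00000344 DLC: 3 Data: 0x00 0x7E 0x7E
17:13:01.179 -> Extended ID: 0x00000142 DLC: 8 Data: 0x43 0x4F 0x4F 0x4C 0x41 0x4E 0x54 0x20
"""

LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{3}) -> Extended ID: 0x([0-9A-Fa-f]+) "
    r"DLC: (\d) Data:((?: 0x[0-9A-Fa-f]{2})*)\s*$")

def parse_log(text):
    """Yield (ms_since_midnight, can_id, payload) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # serial-monitor noise or a truncated line
        h, mi, s, ms = (int(g) for g in m.group(1, 2, 3, 4))
        payload = bytes(int(b, 16) for b in m.group(7).split())
        if len(payload) != int(m.group(6)):
            continue  # DLC disagrees with byte count: characters were dropped
        yield ((h * 60 + mi) * 60 + s) * 1000 + ms, int(m.group(5), 16), payload

def display_text(frames, first_id=0x142, last_id=0x148):
    """Join the latest 8-byte halves into the 16-character cluster message."""
    latest = {}
    for _, can_id, payload in frames:
        if can_id in (first_id, last_id) and len(payload) == 8:
            latest[can_id] = payload
    if first_id not in latest or last_id not in latest:
        return None  # only one half captured so far
    # Assumption: Latin-1, which maps 0xB0 to the degree sign seen on the dash.
    return (latest[first_id] + latest[last_id]).decode("latin-1")

def text_ids(frames):
    """IDs whose every payload is printable text: candidate display strings."""
    seen = {}
    for _, can_id, payload in frames:
        ok = bool(payload) and all(0x20 <= b <= 0x7E or b == 0xB0 for b in payload)
        seen[can_id] = seen.get(can_id, True) and ok
    return sorted(i for i, ok in seen.items() if ok)

if __name__ == "__main__":
    frames = list(parse_log(SAMPLE_LOG))
    print([hex(i) for i in text_ids(frames)], repr(display_text(frames)))
```

Pass `parse_log` output as a list, since both helpers iterate over the frames and a generator would be exhausted after the first call.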
 