pacific-tpms's Introduction

pacific-tpms

Experimental decoder and encoder for the Pacific PMV-107J TPMS (315MHz) sensors used by Toyota

I was inspired by the excellent TPMS work by Jared Boone (https://github.com/jboone/gr-tpms and https://github.com/jboone/tpms) that did have a packet_type listed that looked a lot like what I got out of my sensors, but no crc/checksum function was listed. Trying to make sense of the stated 64 bits got me some partial matches trying to bruteforce the CRC as described in the tpms project (using https://github.com/sitsec/bruteforce-crc), but it wasn't until I realized that the packets were actually 66 bits in length that it fit perfectly.

This is what I came up with after decoding a lot of messages from the real sensors (9 different ones) and sending custom messages to the TPMS unit in the car while watching the diagnostic tool:

FSK modulation at 314.98MHz, deviation around +/- 35kHz.

Raw bitrate around 9910bps.

Preamble 0001111110 (the last two bits are probably a first, ignored, manchester encoded bit) as the remaining message assumes a diffman decode starting at 1.

Packet bit format after differential manchester decoding (MSB first)

| Offset | Length | Description | Notes |
|---|---|---|---|
| 0 | 28 | Sensor ID | 7 hex digits |
| 28 | 1 | Battery status | 1 if low, 0 if ok or 'over' in Toyota speak |
| 29 | 2 | Counter | Counts 1,2,3 for every message out of the sensor. Car seems to ignore this and happily accepts the same counter over and over without ever changing |
| 31 | 1 | Unknown | Must be zero for the packet to be recognized by the car (haven't seen a real sensor ever set this bit) |
| 32 | 1 | Rapid pressure drop? | Seems to be ignored by the car, I've seen some sensors setting this bit to 1 when pressure is changing fast. This also triggers multiple transmissions in rapid succession |
| 33 | 1 | Self-test failed? | My sensors set this to 0 but when I send a message with this bit set to 1 to the car the TPMS light starts flashing and the values in the message are ignored |
| 34 | 8 | Tire pressure | PSI/0.363 + 40 or kPa/2.48 + 40, diagnostics reports this in PSI |
| 42 | 8 | Inverted tire pressure | xor 0xff of above |
| 50 | 8 | Tire temperature | Celsius + 40 resulting in a range from -40 to +215C, diagnostics insists on reporting this in Fahrenheit though |
| 58 | 8 | CRC over bits 0 - 57 | Truncated polynomial 19, init value 0 |

A trick I used in order to be able to use the Python crcmod to calculate this CRC was to prepend 6 dummy zero bits in front to make the message fit into complete bytes (won't affect CRC8 as long as padding is done in front)
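The table and the front-padding trick above, as an added example that is not code from this repository: a decoder that slices the 66 bits by offset and reports the CRC, the inverted-pressure field and the must-be-zero bit as separate checks. It assumes "truncated polynomial 19" means decimal 19 (0x13); `make_sample` and the field names are hypothetical, and the sample packet is constructed, not a capture.

```python
# Added example. Assumption: "truncated polynomial 19" is decimal 19 = 0x13.
POLY = 0x13

FIELDS = [  # (name, bit offset, bit length), MSB first, from the table above
    ("sensor_id", 0, 28), ("battery_low", 28, 1), ("counter", 29, 2),
    ("unknown", 31, 1), ("rapid_drop", 32, 1), ("self_test_failed", 33, 1),
    ("pressure_raw", 34, 8), ("pressure_inv", 42, 8), ("temp_raw", 50, 8),
    ("crc", 58, 8),
]

def crc8_bits(bits, poly=POLY):
    """Bit-serial CRC-8 (init 0, MSB first) over a '0'/'1' string of any length."""
    crc = 0
    for b in bits:
        feedback = ((crc >> 7) & 1) ^ int(b)
        crc = (crc << 1) & 0xFF
        if feedback:
            crc ^= poly
    return crc

def crc8_bytes(data, poly=POLY):
    """Byte-wise CRC-8 with the same parameters, as a CRC library computes it."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

def decode(bits):
    """Parse a 66-bit decoded packet and report each integrity check separately."""
    if len(bits) != 66 or set(bits) - {"0", "1"}:
        raise ValueError("expected 66 bits of '0'/'1'")
    f = {name: int(bits[off:off + n], 2) for name, off, n in FIELDS}
    padded = int("000000" + bits[:58], 2).to_bytes(8, "big")  # 6 zero bits in front
    f["crc_ok"] = crc8_bytes(padded) == f["crc"]
    f["pressure_inv_ok"] = (f["pressure_raw"] ^ 0xFF) == f["pressure_inv"]
    f["unknown_ok"] = f["unknown"] == 0
    f["sensor_id"] = format(f["sensor_id"], "07x")
    f["pressure_psi"] = round((f["pressure_raw"] - 40) * 0.363, 2)
    f["temp_c"] = f["temp_raw"] - 40
    return f

def make_sample(sensor_id=0x1234567, pressure_raw=128, temp_raw=65):
    """Constructed packet (not a capture) with consistent check fields."""
    body = (format(sensor_id, "028b") + "0" + "01" + "0" + "0" + "0"
            + format(pressure_raw, "08b") + format(pressure_raw ^ 0xFF, "08b")
            + format(temp_raw, "08b"))
    return body + format(crc8_bits(body), "08b")
```

With an init value of 0, leading zero bits leave the CRC register at zero, which is why the bit-serial result over 58 bits and the byte-wise result over the padded 64 bits agree.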

The code will utilize the super handy HackRF One through GNURadio to either sniff existing sensors decoding the data above, or encode and transmit custom messages. This is a major Python hack, and Python is definitely not my primary choice of programming languages. The code here is built upon code that was generated by the GNU Radio Companion and I only added a custom source and sink respectively.

No warranties that this won't cause issues with your car, but it works for me. Transmit responsibly.

pacific-tpms's Issues

8 character id

Thanks for your code, I'm doing thesis research on wireless vulnerabilities in vehicles and it's been helpful. I'm attempting to spoof my 2020 Toyota Tacoma's TPMS messages, but as you can see in the picture below the id field is either 8 hex digits long, or maybe just has "d" as a prefix. (I'm using two HackRFs, one listening with RTL_433, and the other transmitting your code.) When I attempt to add the additional character to your code, I do not receive anything on RTL_433, which I'm assuming is because the payload is very length-dependent as far as the CRC. Is there any way to change this prefix from "0" to "d", or just add the additional character into the id field? Thanks so much for your help!

[Image: Tacoma_TPMS] TPMS Messages received from 2020 Toyota Tacoma

[Image: Spoofed_TPMS] TPMS Messages generated by the tpmsxmit.py code

Transmitting question

bitstream = '00000000000000001111110' + differential_manchester_encode('1'+payload+crc_bits+'1') + '000000'

I'm curious, how come you have the preamble not encoded?

Wrong frequency

Official information about this FCC ID PAXPMV107J says that the frequency range is 314.98 MHz, not 315.98MHz as you mentioned in README.md. Using a radio receiver I can confirm that every 90 seconds on this frequency I can see a short signal.

https://fccid.io/PAXPMV107J

Invalid sample rate: 96000 Hz?

Thanks for your efforts. I am playing with your code and getting the following error. Any thoughts?

```
./tpmsrecv.py
linux; GNU C++ version 7.2.1 20171224; Boost_106600; UHD_003.010.002.000-0-unknown

gr-osmosdr 0.1.4 (0.1.4) gnuradio 3.7.11
built-in source types: file fcd rtl rtl_tcp uhd hackrf bladerf rfspace airspy
Using device #0 Realtek RTL2838UHIDIR SN: 00000001
Found Rafael Micro R820T tuner
Invalid sample rate: 96000 Hz
Traceback (most recent call last):
  File "./tpmsrecv.py", line 213, in <module>
    main()
  File "./tpmsrecv.py", line 208, in main
    tb = top_block_cls()
  File "./tpmsrecv.py", line 160, in __init__
    self.freq_xlating_fir_filter_xxx_0 = filter.freq_xlating_fir_filter_ccc(self.decim, (firdes.low_pass(1, throttle_rate, 180000, 20000, firdes.WIN_HAMMING, 6.76)), self.freqadj, throttle_rate)
  File "/usr/lib/python2.7/site-packages/gnuradio/filter/filter_swig.py", line 139, in low_pass
    return _filter_swig.firdes_low_pass(*args, **kwargs)
RuntimeError: firdes check failed: 0 < fa <= sampling_freq / 2
```

Is there a way to let PMV-107J send signal out of tire?

Hi,

This is not an issue. I am just trying to find a way to send an LF signal to activate the TPMS sensor out of the tire. I have four Pacific PMV-107J sensors out of the tire. But they don't send a signal if they're not in the tire. I know some TPMS scanners have a way to scan a TPMS sensor. Could we send the signal as TPMS scanners do?
