Skip to content

prototux/PSA-RE

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 

Repository files navigation

CANBus

What is this repo about

This project is about reverse engineering the AEE2004 ("full can") architecture of PSA (Peugeot/Citroen/DS) cars. It's the continuation of my previous work @ https://github.com/prototux/PSA-CANbus-reverse-engineering

What if i have a car using VAN?

See the great work of Peter Pinter

What if i have a car using AEE2010?

Some parts here seems valid for AEE2010, some aren't, not having a car using AEE2010, i don't know how much AEE2010 is similar to AEE2004

Howto use this repo

General documentation is in the wiki
Informations about specific frames are in issues
The discord where we talk about this is here
The repo itself contains mostly documentation and some PoC code

Status

See the issue board
Basically, the I/S bus is mostly done (for ECUs we know at least), the CONF bus have a lot of documentation as well, the CAR bus is lacking

Todo

  • Start to work on the diagnostics protocol (UDS + custom bits by PSA)
    • Determine how to switch on the mux for the DiagOnCan pins of OBDII connector
    • Reverse engineer UDS services and parameters for known ECUs
    • Reverse engineer the UDS auth algorithm (derivative of the immobilizer one)
    • Try to dump firmwares using UDS after successful auth
  • List cars using AEE2004 and their possible ECUs
  • Start to work on plip protocol
    • Read frames sent by the plip
    • Dump a key for a plip and decrypt the frame
    • Implement HITAG2 and try to send valid frames
  • Clarify glossary (especially can ID vs device ID, and the buses vs LS and HS)
  • Analyze the can LS buses to map the bases IDs
  • Start to rewrite the infos in issues in .dbc files when the frames are done
  • Clarify the list of ECUs for VAN, AEE2004 and AEE2010

Beware/Warning

This project is (of course!) non-official, an thus, informations here may be incorrect (even if we try to avoid this)
Any modification you may do to your car, even based on the documentation from here, is your sole responsibility!
Similarely, we didn't got any reaction from PSA (nor know their position about FOSS projects), we cannot say if they may or not DMCA takedown your project
This project uses a mix of english and french, be prepared to use a translation tool if you don't speak both languages (and the jargon in both!)
The reason for this is that we tend to work in english, but are native french, and PSA works using french internally, so we adapt to their jargon

Contribute

The easiest way to contribute is probably to join the discord and go to the psa-can-re chan, alternatively, you can send me an email at jason [at] prototux.net

Ideas/Associated projects

  • Do a ultra-low-power module for power management using PSA's COMMANDES_BSI frame
  • Create a C "libpsa" and python bindings to easily integrate PSA's canbus into projects
  • Create a RADIO and EMF replacement with more modern options
  • Isolate the servo controllers from the front panel of CLIM to be able to move AC controls elsewhere
  • Reverse engineering the BSI as it's the main component of both AEE2004 and AEE2010
  • Create well-integrated optional modules such as ACC and DSG

Thanks

  • Wouter Bokslag for his awesome work on the reverse engineering of the immobilizer
  • Alexandre Blin for his tools, work on his 207 and for being a huge inspiration for this
  • Peter Pinter for his huge work on his own FullCAN to VAN bridge
  • Karaelyn and Kailokyra for their advices, especially on embedded dev
  • All the people who leaked parts of PSA's designs all over the internet :)