search

xnk / pacific-tpms

Experimental decoder and encoder for the Pacific PMV-107J TPMS (315MHz) sensors used by Toyota
GNU General Public License v3.0
26 stars 5 forks source link

8 character id #5

Open zacdepp opened 1 year ago

zacdepp commented 1 year ago

Thanks for your code, I'm doing thesis research on wireless vulnerabilities in vehicles and it's been helpful. I'm attempting to spoof my 2020 Toyota Tacoma's tpms messages, but as you can see in the picture below the id field is either 8 hex digits long, or maybe just has "d" as a prefix. (I'm using two HackRFs, one listening with RTL_433, and the other transmitting your code) When I attempt to add the additional character to your code, I do not receive anything on RTL_433, which I'm assuming is because the payload is very length-dependent as far as the CRC. Is there anyway to change this prefix from "0" to "d", or just add the additional character into the id field? Thanks so much for your help!

Tacoma_TPMS TPMS Messages received from 2020 Toyota Tacoma

Spoofed_TPMS TPMS Messages generated by the tpmsxmit.py code

xnk commented 1 year ago

It certainly looks like the newer Tacoma is using a different message (type “Toyota” instead of “PMV-107J”). I haven’t looked at the rtl_433 code, but it seems to handle both formats just fine, so by looking at the difference in decoding those two formats it should be relatively easy to determine what you need to transmit. The Pacific format is very much hard coded to only deal with a specific number of bits, so it’s something at least slightly different./wjOn 6 Dec 2022, at 20:36, zacdepp @.***> wrote: Thanks for your code, I'm doing thesis research on wireless vulnerabilities in vehicles and it's been helpful. I'm attempting to spoof my 2020 Toyota Tacoma's tpms messages, but as you can see in the picture below the id field is either 8 hex digits long, or maybe just has "d" as a prefix. (I'm using two HackRFs, one listening with RTL_433, and the other transmitting your code) When I attempt to add the additional character to your code, I do not receive anything on RTL_433, which I'm assuming is because the payload is very length-dependent as far as the CRC. Is there anyway to change this prefix from "0" to "d", or just add the additional character into the id field? Thanks so much for your help!

TPMS Messages received from 2020 Toyota Tacoma

TPMS Messages generated by the tpmsxmit.py code

—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you are subscribed to this thread.Message ID: @.***>