Any docs for remote start?

[Zagreus9723]

Hey! I would love to add a custom mod that turns on my car and sets the temp at a specific time, but I haven't been able to find any documentation about the calls with remote start. Any ideas on how to move forward with this?

[librick]

I'd try looking into the HondaLink app. I've been meaning to reverse engineer it to see how it works. Maybe look at the bluetooth traffic between your phone and the car with a tool like Wireshark.

[Zagreus9723]

Unfortunately I only have the remote start from my keys. Any way to capture that traffic? Get Outlook for iOS<https://aka.ms/o0ukef>

…

________________________________ From: Eric ***@***.***> Sent: Saturday, November 2, 2024 8:51:26 AM To: librick/ic1101 ***@***.***> Cc: Zagreus ***@***.***>; Author ***@***.***> Subject: Re: [librick/ic1101] Any docs for remote start? (Issue #7) I'd try looking into the HondaLink app. I've been meaning to reverse engineer it to see how it works. Maybe look at the bluetooth traffic between your phone and the car with a tool like Wireshark. — Reply to this email directly, view it on GitHub<#7 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AOS54J2L2WGPJJVT6WMQWETZ6TKF5AVCNFSM6AAAAABRAPSCUOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINJSHE4TMNZQGU>. You are receiving this because you authored the thread.Message ID: ***@***.***>

[librick]

I haven't had the best luck trying to decode the keyfob traffic directly. If you wanted to try, you'd need a software defined radio (SDR) that can listen on the keyfob frequency (~433.912MHz). I've looked into this a bit; at some point I might update the repo with what I've found so far but the TLDR is it's complicated

I just looked into HondaLink more. I may have been wrong before; I assumed it can do remote start over WiFi or Bluetooth but it might require the car to have a cellular data connection. In which case it probably works by software on the headunit talking to Honda's servers via cell data, the mobile app talking to Honda's servers, and Honda's servers acting as the middleman. In which case it might be useful to look at reverse engineer any HondaLink-related libraries on the headunit to try and find what actually triggers remote start in software.

If you did want to try and decode the keyfob, here's what I've found so far:
I've observed the following when hitting the lock or unlock button on the keyfob:

• The keyfob sends 8 "bursts" of RF, centered around 433MHz
• The bursts are in pairs of two bursts each; the first burst contains an FSK clock signal, the second contains what looks like FSK-encoded data
• Each pair of bursts is centered on one of two frequencies: f0 and f1. This shouldn't be confused with the two frequencies that are used in FSK. Rather, the fob seems to jump between these two center frequencies in case there's interference on one but not the other. The first and second burst are centered on frequency f0, the third and fourth are centered on frequency f1 (where f1 > f0), the fifth and sixth are centered on f0, and the seventh and eighth are centered on f1.

I'd share some screenshots of waterfall plots I generated but I don't want to accidentally publish private keyfob data haha

In general this is probably fairly complicated unfortunately

[Zagreus9723]

Wow yep that's pretty complicated. I think that honestly approaching it from the head unit would be easier than the keys.