by londons_explore 1457 days ago
Hooking it up to a real car and sniffing the message bus where it connects would be by far the easiest approach to this...

Then you don't even need to understand all the messages - just replay what the car sends and figure out which byte in the response is the current gear.

You probably wouldn't even need to figure out the checksums!


The messages include an incrementing counter ID, which has to be accounted for when calculating the checksum. The purpose of this is specifically to prevent "replay attacks". If the counter doesn't increment on subsequent messages, it raises an error. If you increment the counter but do not recalculate the checksum, it raises an error.
The counter is only one byte though - record 256 messages and you have the whole set.

No need to understand the protocol or anything - just record a few minutes of data, find when a message repeats (indicating whatever counter mechanism is in use has rolled over), and replay that loop repeatedly.

The only time this technique doesn't work is when a challenge-response algorithm is in use, but car stuff doesn't tend to do that except for some lock/security/firmware update type functionality.
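The thread contrasts a one-byte counter plus checksum with mechanisms that actually provide freshness. The following added example (not code from any commenter; the frame layouts, the sum-mod-256 checksum, the shared key and the sample payload are all assumptions) builds a receiver that enforces exactly the counter-and-checksum rule described, then a receiver that binds a 32-bit counter to the payload with a keyed, truncated HMAC, and feeds one recorded counter cycle back to each to show why only the second one rejects stale frames.

```python
import hmac
import hashlib

def checksum(counter: int, data: bytes) -> int:
    """Assumed checksum: byte-wise sum of counter and data, mod 256 (the thread does not name the real one)."""
    return (counter + sum(data)) & 0xFF

def make_frame(counter: int, data: bytes) -> bytes:
    """Constructed layout: [1-byte counter][data][1-byte checksum]."""
    counter &= 0xFF
    return bytes([counter]) + data + bytes([checksum(counter, data)])

class CounterChecksumReceiver:
    """Enforces the rule from the thread: counter must increment by one, checksum must match."""
    def __init__(self):
        self.expected = None            # unknown until the first frame is seen
    def accept(self, frame: bytes) -> bool:
        counter, data, cs = frame[0], frame[1:-1], frame[-1]
        if cs != checksum(counter, data):
            return False                # counter bumped without recomputing checksum
        if self.expected is not None and counter != self.expected:
            return False                # counter did not increment
        self.expected = (counter + 1) & 0xFF
        return True

KEY = b"constructed-demo-key"          # assumption: secret shared by sender and receiver

def mac_tag(counter_bytes: bytes, data: bytes) -> bytes:
    return hmac.new(KEY, counter_bytes + data, hashlib.sha256).digest()[:8]

def make_secure_frame(counter: int, data: bytes) -> bytes:
    """Constructed layout: [4-byte counter][data][8-byte truncated HMAC over counter+data]."""
    c = counter.to_bytes(4, "big")
    return c + data + mac_tag(c, data)

class MacReceiver:
    """Accepts a frame only if the tag verifies and the counter is strictly newer than the last accepted one."""
    def __init__(self):
        self.last = -1
    def accept(self, frame: bytes) -> bool:
        c, data, tag = frame[:4], frame[4:-8], frame[-8:]
        if not hmac.compare_digest(tag, mac_tag(c, data)):
            return False                # forged or corrupted frame
        counter = int.from_bytes(c, "big")
        if counter <= self.last:
            return False                # stale frame: counter already seen
        self.last = counter
        return True

def replay_results(data: bytes = b"\x03\x00\x00\x00\x00\x00\x00"):
    """Feed one full recorded counter cycle back into each receiver; returns (naive accepts, MAC accepts)."""
    naive, mac = CounterChecksumReceiver(), MacReceiver()
    live_naive = [make_frame(i, data) for i in range(256)]          # constructed live traffic
    live_mac = [make_secure_frame(i, data) for i in range(256)]
    assert all(naive.accept(f) for f in live_naive) and all(mac.accept(f) for f in live_mac)
    return sum(naive.accept(f) for f in live_naive), sum(mac.accept(f) for f in live_mac)
```

With the one-byte counter the wrapped recording is indistinguishable from live traffic and all 256 frames pass, while the MAC receiver rejects every one because its counter never legitimately wraps within a recording.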