
Talk: CAN Hacking, the In-vehicle network

The Bus

On the hardware side, there are two types of CAN: differential (or high-speed) and single wire. Differential uses two wires and can operate at up to 1 Mbps. Single wire runs on one wire at lower speeds, but is cheaper to implement. Differential is used in more critical applications, such as engine control, and single wire is used for less important things, such as HVAC and window control.

Many controllers can connect to the same bus in a multi-master configuration. All messages are broadcast to every controller on the bus.

An oversimplified in-vehicle network



The structure of a CAN message

From a software perspective, a CAN message consists of three parts: an identifier, a data length code, and up to eight bytes of data.

The identifier (ID) is used to specify what the message means, and who’s sending it. Typically standard IDs are 11 bits, but there are also 29-bit extended IDs. The ID also defines the priority: the lower the ID, the higher the message’s priority.

The data length code (DLC) is 4 bits, and specifies how many bytes of data will be in the message. In some applications, a DLC of 8 is always used, and unused data bytes are padded with zeros.

Finally, the 8 bytes of data contain the actual information. The meaning of the information is inferred from the message ID, and the length is specified by the DLC.

Decoding & Databases

To make sense of the 8 data bytes, the controller will decode the data into signals such as engine RPM, fuel level, or brake pedal position. Each signal has a start bit and end bit, which are used to select the correct bits out of the 8 bytes. No signal information is transmitted over the bus. Instead, all controllers must agree on the layout of messages and signals beforehand. Below is the table of signals, and the graphical layout of a sample message.


A table of CAN signals that make up a message


A sample CAN message layout


To help program controllers that agree on messages and signals, a CAN database is used. This database contains definitions of all messages and signals. The most popular format is DBC, which is a proprietary (but ASCII-based) format by Vector. The DBC editing tool, CANDB++, is free (as in beer). The databases are used to auto-generate code that can interpret the messages.
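The decoding step described above, as an added example that is not part of the original article: a frame is split into ID, DLC and data, then each signal's bits are selected by start and end bit from an agreed layout. The message ID `0x0C9`, the signal table, the scale factors, the `ID#HEXDATA` text form and the bit numbering (bit 0 is the least significant bit of data byte 0) are all assumptions constructed for illustration, not taken from any real vehicle database.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signal:
    name: str
    start_bit: int        # first bit of the signal (bit 0 = LSB of data byte 0)
    end_bit: int          # last bit of the signal, inclusive
    scale: float = 1.0    # physical value = raw * scale + offset
    offset: float = 0.0

# Constructed stand-in for a CAN database: message ID -> signal layout.
DATABASE = {
    0x0C9: [Signal("engine_rpm", 0, 15, scale=0.25),
            Signal("brake_pedal", 16, 16),
            Signal("fuel_level", 24, 31, scale=0.5)],
}

def parse_frame(line: str):
    """Parse an 'ID#HEXDATA' text frame into (can_id, dlc, data)."""
    id_text, _, data_text = line.strip().partition("#")
    can_id = int(id_text, 16)
    # Assumption: 3 hex digits = 11-bit standard ID, longer = 29-bit extended ID.
    limit = 0x1FFFFFFF if len(id_text) > 3 else 0x7FF
    if can_id > limit:
        raise ValueError("identifier out of range")
    data = bytes.fromhex(data_text)
    if len(data) > 8:
        raise ValueError("a CAN message carries at most 8 data bytes")
    return can_id, len(data), data    # DLC is the number of data bytes

def decode(can_id: int, data: bytes) -> dict:
    """Select each signal's bits out of the data bytes using the database."""
    raw = int.from_bytes(data, "little")
    decoded = {}
    for sig in DATABASE.get(can_id, []):   # unknown IDs decode to nothing
        if sig.end_bit >= len(data) * 8:
            raise ValueError(f"{sig.name} extends past DLC={len(data)}")
        width = sig.end_bit - sig.start_bit + 1
        value = (raw >> sig.start_bit) & ((1 << width) - 1)
        decoded[sig.name] = value * sig.scale + sig.offset
    return decoded

def by_priority(frames):
    """Order frames as arbitration would: the lowest ID has the highest priority."""
    return sorted(frames, key=lambda frame: frame[0])

SAMPLE = "0C9#401F018000000000"   # constructed frame, not captured traffic
```

Without the layout table, the same eight bytes are just an opaque payload, which is why the signal definitions have to be agreed on beforehand.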

With a database file in hand, you can easily sniff the CAN bus and interpret all kinds of data. One example is a hack we featured that sniffed the bus for steering wheel button presses. You can also pretend to be controllers by sending spoofed data onto the bus. For example, you could send a fake engine RPM to the instrument cluster.


No, this car wasn’t actually doing 8000 RPM.

The majority of the communications during normal operation work by decoding a database. However, for diagnostic applications, there are special protocols that are used. Next time, we’ll look at how these protocols work, and what fun can be had with them.


SOURCE (and keep reading, too!)
