What is the can bus:
Normal Mode Message?
Vehicle CAN Buses are networks that connect controllers. These controllers are repsonsible for gathering and sharing information about sensors, vehicle states, information, and calibration. Each vehicle’s network is expressly designed by the vehicle’s manufacturer. The data that goes across the networks is local to the vehicle. It is not meant to be routed or shared beyond the vehicle and its controllers (for the most part). So the data does not need to follow any protocol other than that of the physical layer itself. That’s why when you connect to a vehicles CAN Bus you’ll see a lot of data, but they’ll be little to no indication on what the data means; what the content is in the data bytes. This data is typically proprietary. It is there so controllers can share timely information with each other. This data is normally there (meaning you don’t have to request it, it just shows up). That is why it is called Normal Mode Messages. If the vehicle’s controllers are awake, they will transfer information between themselves. Many vehicles will have multiple CAN Buses and each network will have its own messages and information that needs to be shared between controllers. Some times the information will overlap with other networks, but often it does not.
Receiving Messages:
To receive information we can use open-source tools such as candump or cansniffer.
Let’s take a look at the output of the command candump can0
(can0 is our CAN network interface)
We can see the first column tells us what interface we are on. The second column tells us what Arbitraion ID (ArbID). This ID is to note the format of the data bytes. Lastly we see the data bytes. CAN Frames cannot exceed 8 bytes of data. (Press CNTL+C to escape)
You will start to see that some ArbID’s are the same with the data sometimes changing other times you could have the same ID and different data. Normal Mode messages are the data exchanged normally between controllers. Each network can have as many as 40 controllers. These messages are proprietary, so we don’t know what they mean… yet! By reverse engineering the data we can understand what the bits and bytes mean.
If you want a more in-depth knowledge of the Can bus take a look at this:
https://en.wikipedia.org/wiki/CAN_bus
Part of the problem you will see with candump is that the messages run very fast, so fast that you don’t have time to see what is going on. The candump command shows messages in a sequence order. Filtering is a simple way to allow you to see only certain frame ArbIDs. To filter with candump try the following:
candump can0,123:7FF
- or -
candump can0,1A5:700
The first command will show only the frame with ArbID == 0x123. That is because we specified a very strict filter mask of 0x7FF (in binary: 0b 111:1111:1111). The combination of the two parameters (0x123 & 0x7FF) resulted in a mask of (0b001:0010:0011 && 0b111:1111:1111 = 0b001:0010:0011 [or 0x123]). While the second command would result in any frame that starts with a 0x1XX to pass the filter mask. For example: 0b001:1010:0101 && 0b111:0000:0000 = 0b001:0000:0000). For more information about filter masks (not the kind you wear) please visit This Wikipedia Article.
With candump, the newest messages show up at the bottom and move data up as time progresses. Another tool is cansniffer. In stead of displaying data in a sequence, it arranges data by ArbID. Each time a new message arrives, cansniffer overwrites the old message and data with the latest values.
cansniffer can0 -c -t 0
The sniffer command lets us see the change in the data if we use -c then we can have the program display changing data bytes in COLOR! The -t 0 will stop messages from disappearing this can be helpful if messages are messages are showing up slowly or if we want to ran a scan since we will send one message once and look for one message coming back.
What we are seeing in the first column is the time stamp the next is the ArbID then it’s the data the last column is ascii. The most common ascii message you will see is the ascii encoded data such as the VIN.
One of the problems you will see is that cansniffer doesn’t handle a lot of messages very well. You end up getting those messages scrolling by which means you can’t really focus on a message or group of them. Similar to candump, cansniffer allows for filtering. You can see a list of how to filter just by typing in cansniffer. Also you can watch this https://www.youtube.com/watch?v=Ig2Dnh3jF-w
When send your message faster then the normally displayed message you can make something happen for example sending a frame with an ArbID of 0x300 and Data of FF:FF:FF:FF:FF:FF:FF:FF. With this you might see the lights turn on you know that ID and some of the data in that message corresponds to the lights being on. You can send on that same ID 300 FFFFFFFFFFFFFF00 if the lights no longer turn on then you know its in the last byte is that message to turn on or off the lights.
Send messages
To send a message you will be using cansend.
cansend can0 300#FFFFFFFFFFFFFFFF
We are sending using the can0 interface and sending ID 300 and the data is all F’s
We are working in the terminal we need to have two terminal sessions running. One for sending and the other for receiving. This way when we send a message, we can see that it sent on our receive terminal.
Filtering:
Why Filtering is needed.
There are two tools for viewing the data candump (sequencial view) and cansniffer (static view). Lots of data will flow, so you’ll need some way to view only what you’re interested in.
Candump:
candump uses a bitmask to filter. To learn about bitmasks check out this wikipedia.
To view all messages whose Arbitration ID is 0x100:
candump can0,100:700 -or- candump can0,1FF:700 (These are functionally equivalent because of the the bitmask 0x700)
To view two messages 0x680 and 0x690. First we think what is the binary difference between these two messages?
0x680 xor 0x690 = 0x010. Then we need to xor 0x010 with 0x7FF = 0x7EF. This is our bitmask.
candump can0,680:7EF
Cansniffer:
Cansniffer uses a different method for filtering. Rather than setting the filter at run-time. You do it while you are viewing the data. Check out this video (https://youtu.be/Ig2Dnh3jF-w?t=120) to get the effect. In short, you need to set your filter using the same type of method (ArbID and Filter Mask) but you remove and add messages by hitting the “-” and “+” keys.
To remove ALL IDs type “-000000”
To add IDs type “+6807EF” to show both 0x680 and 0x690 (similar to the candump example above).
Unified Diagnostic Services:
Now let’s get more in depth with Unified Diagnostic Services (UDS). This is what a scan tool is doing when you plug it into a car. If you aren’t familiar with UDS that’s okay, you CAN learn. This require knowledge of ISO 14229 UDS Diagnostics. Check out this Wikipedia page, or this PDF (SUPER USEFUL!) for more information.
We are going to be looking for the Command ID and Response. Each Controller has a Command ID (you will send this in the Arbitration ID of the CAN Frame) and a Response ID (the controller will return this ID in the Arbitration ID of the CAN Frame).
This is an easy example to get you started!
cansniffer vcan0 -c -t 0
cansend vcan0 620#013E010000000000
When we look at the sniffer output, we will see we got a response of
520#037f3E1100000000
or 520#017E000000000000
520#037f3E1100000000
This is a negative response you can learn about that more in the Additional info section.
520#017E000000000000
This is a positive response 40 more then 3E it shows that it is supported. Showing us what you sent and this response will get you 10 points!.
You might not get a response at all! This is okay to transmit that message on another ID. Even if you are getting negative responses you are still getting a response probe around for other subfunctions (the 3E we sent is a sub function). Showing us all scanned nodes and what ID they responded with will get you
Tip
If you aren’t seeing this response it might be the network, you are on or it could be you aren’t filtering correctly or you might not see it because you are not filtering at all! Also make sure you send a few times in a row we have found that it doesn’t always see the first message that comes back.
Diagnostics:
Unified Diagnostic Services
Additional info:
ISO 14229:
ISO 14229 Messages (Arb ID#Data): (000#023E010000000000) ... (7FF#023E010000000000) <-- Increment through all IDs to PIN the Controllers.
Each Controller has a Command ID (you will send this in the Arbitration ID of the CAN Frame).
Each Controller has a Response ID (the controller will return this ID in the Arbitration ID of the CAN Frame).
With the Command and Response IDs you can command the controllers using ISO14229 services.
ISO 14229 Uses ISO 15765-2 Transport Protocol. For more information on this protocol please read this.
You will receive a lot of Negative Responses (03 7F XX YY) where XX is the Service that failed and YY is Negative Response Code. Please view the NRC List here.
http://opengarages.org/handbook/ebook/
CAN-Utils:
CAN-utils has a lot of parts to it. The basic tools are
candump: display, filter and log CAN data to files
canplayer: replay CAN log files
cansend: send a single frame
cangen: generate (random) CAN traffic
cansniffer: display CAN data content differences (just 11bit CAN IDs)
https://github.com/linux-can/can-utils
Sending and Receiving with ISO-TP:
Remember that ISO-TP CAN Transport Protocols offer support for segmented Point-to-Point communication between CAN nodes via two defined CAN Identifiers. This protocol driver implements data transfers according ISO 15765-2.
isotpsend
One tool that makes UDS a lot easier is isotpsend
Just type isotpsend to get help with it but its usage is like cansend just more advanced. This is going to be sending out our message to a node.
Usage: isotpsend [options] <CAN interface>
Example :
echo “11 22 33 44 55 66 DE AD BE EF” | isotpsend -s 620 -d 520 -p 00 vcan0
Options:
-s <can_id> (source can_id. Use 8 digits for extended IDs)
-d <can_id> (destination can_id. Use 8 digits for extended IDs)
-x <addr> (extended addressing mode. Use 'any' for all addresses)
-p <byte> (set and enable padding byte) -P <mode> (check padding in FC. (l)ength (c)ontent (a)ll)
-t <time ns> (transmit time in nanosecs) CAN IDs and addresses are given and expected in hexadecimal values. The pdu data is expected on STDIN in space separated ASCII hex values.
We need to receive the message back for that we can use candump and can sniffer but again there are more advanced tools within the iso-tp frame work.
isotprecv [options] <CAN interface>
isotpdump [options] <CAN interface>
isotpsniffer [options] <CAN interface>
Check out https://github.com/hartkopp/can-isotp for more information.
Scripting
There will be time when we need to loop our sending of messages. You might want to override a message you might need to make a loop and send the message multiple times in a row. This will also become critical when you need to send messages for a scan or you need to send a message after receiving a message. You can use Bash to build a script or you can use python if you want some nice python examples check these out!
Our Setup for virtual cons:
Three raspberry Pis and can adapters. These CAN bus run on 500kbps.
Raspberry Pi 3 with the ValueCAN3 by Intrepid Control Systems this is connected to the vehicle’s network.
We tapped the CAN lines on the car and broke out the wires out to db9 connector just made the plugging into the wires easier.