Food Living Outside Play Technology Workshop

CAN Bus Sniffing and Broadcasting with Arduino

by stvmac11 on July 8, 2014

Table of Contents

CAN Bus Sniffing and Broadcasting with Arduino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Intro: CAN Bus Sniffing and Broadcasting with Arduino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Step 1: Components and Assembly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Step 2: Familiarizing yourself with the CAN Bus Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Step 3: Connect and Read / Write . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

File Downloads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Step 4: What Next?? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Related Instructables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Advertisements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Comments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

http://www.instructables.com/id/CAN-Bus-Sniffing-and-Broadcasting-with-Arduino/
Intro: CAN Bus Sniffing and Broadcasting with Arduino
From Wikipedia, the Controller Area Network (CAN) bus is a "vehicle bus standard designed to allow microcontrollers and devices to communicate with each other within
a vehicle without a host computer." These devices can also be referred to as electronic control units (ECUs). Essentially the CAN bus is a bunch of linked ECUs within
the vehicle that communicate with each based on a broadcast. Every ECU intercepts every broadcast, but individually decide whether or not to react to it.

Here's an example:

Let's imagine there's one ECU that controls the brake lights, one ECU that controls the car horn, and one ECU that controls the braking system. Whenever you blow the
horn, the horn ECU sends a broadcast message out on the CAN bus network to every ECU it is connected to, including the brake light ECU and the braking system
ECU. The brake light ECU intercepts that broadcast message, but chooses to ignore it because it has no relevance. The brake light ECU is really only waiting on the
message from the brake system ECU. Also, the horn ECU doesn't react to the braking system ECU.

This broadcast system is broken down into different components; the two most important are message ID and message data.

For now, think of the message ID as an ECU address. The message data is the content. It is typically larger than the ID at around 8 bytes long.

Here's an example:
message ID: 620
data: 10 80 FF FF 80 20 00 80

The ECUs communicate with each other over a twisted wire pair holding CAN-high (CAN+) and CAN-low (CAN-). CAN-high and CAN-low are accessible through the
OBD-II port under the steering wheel. This is how we'll get in!

Pro-tip: Use a wire tracer/tone generator to backtrace to other CAN Bus access points within your car.

Volkswagon has a good guide to how the CAN Bus network works: http://www.volkspage.net/technik/ssp/ssp/SSP_238.pdf

Image Notes
1. Sparkfun CAN Bus shield
2. Arduino UNO R3

Step 1: Components and Assembly

Components:

1- Arduino UNO R3

2- Sparkfun (or other) CAN Bus Shield: https://www.sparkfun.com/products/10039

Note: Also available at SK Pang: http://skpang.co.uk/catalog/arduino-canbus-shield-with-usd-card-holder-p-706.html (SK Pang also supplies the needed CAN Bus
library).

Note2: At the time of this writing, there were only 6 in stock at Sparkfun.

Note3: Sparkfun's CAN Bus shield also has a joystick (up, down, left, right, center), a micro SD slot, and support for GPS and LCD modules.

Note4: If you're feeling up to it, you can order the parts from Digikey and make your own using Sparkfun's provided EAGLE CAD drawing.

3- Wire pair or Sparkfun's OBD-II to DB9 cable: https://www.sparkfun.com/products/10087

Note: I found some old speaker wire that worked great.

4- breakable header pins - the CAN Bus shield doesn't include them: https://www.sparkfun.com/products/116

Assembly:

1- Break headers into 2x8 pin, 2x6 pin, and (optional - 1x4 pin sections)

2- Solder the headers to the CAN Bus shield.

http://www.instructables.com/id/CAN-Bus-Sniffing-and-Broadcasting-with-Arduino/
Step 2: Familiarizing yourself with the CAN Bus Library
Once assembled, be sure to download the CAN Bus Library for use with your Arduino IDE.

Library: http://skpang.googlecode.com/files/Canbus_v4.zip

Other files and Arduino demos are located on the SK Pang site under Documents: http://skpang.co.uk/catalog/arduino-canbus-shield-with-usd-card-holder-p-706.html.

CAN Bus Shield Initialization:

#include <Canbus.h> // don't forget to include these
#include <defaults.h>
#include <global.h>
#include <mcp2515.h>
#include <mcp2515_defs.h>

void setup()
{
Serial.begin(9600);
//Initialise MCP2515 CAN controller at the specified speed
if(Canbus.init(CANSPEED_500))
Serial.println("CAN Init ok");
else
Serial.println("Can't Init CAN");

delay(1000);
}

Shield initialization will be required for all tasks. Here, we define our CAN bitrate and import our library. Every vehicle might use different bitrate speeds. For our example,
we use 500 kbps.

Available options are:

CANSPEED_125 //CAN speed at 125 kbps

CANSPEED_250 //CAN speed at 250 kbps

CANSPEED_500 //CAN speed at 500 kbps

If you're unsure of your vehicle's CAN bitrate, do some Googling...

Read CAN Bus Messages:

We are reading every message here. It can be a bit overwhelming as you see the traffic flow through.

ALL Messages

void loop()
{
tCAN message;

if (mcp2515_check_message())
{
if (mcp2515_get_message(&message))
{
Serial.print("ID: ");
Serial.print(message.id,HEX);
Serial.print(", ");
Serial.print("Data: ");
for(int i=0;i<message.header.length;i++)
{
Serial.print(message.data[i],HEX);
Serial.print(" ");
}
Serial.println("");
}}
}

Filtering will cut out a huge chunk of noise. (You'll see what I mean when you begin to sniff unfiltered.)
Filter Messages

void loop()
{
tCAN message;

if (mcp2515_check_message())
{
if (mcp2515_get_message(&message))
{
if(message.id == 0x631) //filtering based on CAN bus message ID.
{
Serial.print("ID: ");
Serial.print(message.id,HEX);
Serial.print(", ");
Serial.print("Data: ");
for(int i=0;i<message.header.length;i++)
{
Serial.print(message.data[i],HEX);
Serial.print(" ");
}
http://www.instructables.com/id/CAN-Bus-Sniffing-and-Broadcasting-with-Arduino/
 Serial.println("");
}}}

message.header.length is the size of the CAN message.

The above was filtered by message ID. We can also filter based on message data.
if(message.id==0x631 and message.data[3]==0x04 and message.data[4]==0x0F)

Notes:

1- Messages can be longer than 3 digits.

2- We are formatting incoming message IDs and message data as HEX.

Write CAN Bus Messages:

In order to write a CAN Bus message, we need to first assemble the message components: message ID, message size, and message data. The message is broken
down by message.id, message.header.rtr, message.header.length, and message.data[].
void loop()
{
tCAN message;

message.id = 0x631; //formatted in HEX

message.header.rtr = 0;
message.header.length = 8; //formatted in DEC
message.data[0] = 0x40;
message.data[1] = 0x05;
message.data[2] = 0x30;
message.data[3] = 0xFF; //formatted in HEX
message.data[4] = 0x00;
message.data[5] = 0x40;
message.data[6] = 0x00;
message.data[7] = 0x00;

mcp2515_bit_modify(CANCTRL, (1<<REQOP2)|(1<<REQOP1)|(1<<REQOP0), 0);

mcp2515_send_message(&essage);

delay(1000);
}

The message ID and data are written in HEX (0xFF, for example), which is the same format we read with.

mcp2515_send_message(&essage); sends the message.

Step 3: Connect and Read / Write

The attached file, CAN_read_sample, is for simply reading all messages. I commented out filtering, so you should be able to modify it easily to include filtering of
message ID and data.

I also attached a file, CAN_write_sample, for writing a message.

You have two options for connecting the Arduino to vehicle's CAN-high and CAN-low lines:

1- Hack up some speaker wire (or any wire pair) and connect the CAN-H and CAN-L through-holes on the shield to the OBD-II port.

CAN-H (shield) <-----> CAN-high (OBD-II)

CAN-L (shield) <-----> CAN-low (OBD-II)

2- Buy Sparkfun's OBD-II to DB9 Cable: https://www.sparkfun.com/products/10087. This also powers the Arduino through the car's 12v line. I haven't used it, but let me
know how it works out... YMMV

Connect the Arduino to your car and computer, load the code, open the serial monitor, and watch the magic.

http://www.instructables.com/id/CAN-Bus-Sniffing-and-Broadcasting-with-Arduino/
File Downloads

CAN_read_sample.ino (1 KB)
[NOTE: When saving, if you see .tmp as the file ext, rename it to 'CAN_read_sample.ino']

CAN_write_sample.ino (1 KB)
[NOTE: When saving, if you see .tmp as the file ext, rename it to 'CAN_write_sample.ino']
Step 4: What Next??
As you begin to read CAN bus messages, start manipulating your car.
Unlock and lock the vehicle
Pop the trunk
Roll up and down windows
Sounding the alarm
Blow your horn
Turn on and off your flashers
Turn on and off your signal lights
Turn of and off your lights and high beams
Etc.

Remember that filtering is your friend!

See if you can find messages related to the above. Once you do, write the same messages back out through your Arduino using Step 2. See if you can unlock or lock
your vehicle, pop the trunk, or blow your horn!

I hope to share my findings in the future!

Thanks for reading!

Related Instructables

Internet
An easy way to Graphical
control your How to Change
Interface for a Starter on a
XMAS Internet Arduino from
Hack your Arduino by Briggs &
vehicle CAN- Sequencer by Internet :) by Strattton Engine
Internet nearbus
BUS with nearbus nearbus Presence (video) by
Arduino and Simulator (for manlybydesign
Seeed CAN-BUS Home) by
Shield by nearbus
mviljoen2

http://www.instructables.com/id/CAN-Bus-Sniffing-and-Broadcasting-with-Arduino/
Advertisements

Comments

http://www.instructables.com/id/CAN-Bus-Sniffing-and-Broadcasting-with-Arduino/