
An Introduction to the CAN Bus: How to Programmatically Control a Car - olivercameron
https://news.voyage.auto/an-introduction-to-the-can-bus-how-to-programmatically-control-a-car-f1b18be4f377
======
spotman
CAN Bus is great. I highly recommend reading the CAN Open Spec if you're going
to be implementing new systems using CAN Bus.

[https://en.wikipedia.org/wiki/CANopen](https://en.wikipedia.org/wiki/CANopen)

Many more things besides autos use CAN. One of my current projects involves
exercise equipment that internally speaks CAN Bus. There is great support in
Arduino for interfacing with stuff like this.

~~~
weberc2
Isn't CAN very limited in terms of bandwidth? Seems like this wouldn't be
appropriate for most applications of interest? When I worked at an equipment
manufacturer, everyone was very concerned about accidentally saturating the
bus, and we even had a very compact data representation.

~~~
spotman
Some systems do up to 1 Mbps. MIDI for example is nowhere near this. It's not
the right protocol for media or bandwidth intensive applications but for
control systems or reading sensors it's often enough.

~~~
AceJohnny2
> _but for control systems or reading sensors it's often enough._

But not for the self-driving car generation, where the sensors are higher-
bandwidth.

As I recall, Mobileye worked around this by just putting the detection
intelligence with the camera and sending back synthetic data.

------
throw555555
CAN frames are not standardized. You cannot have a single command to do
operations on any car. Each manufacturer has different bit patterns and also
it varies between car models. At least with Chryslers I know it's true. There
should be a lookup based on the car's model with a unified API which I think
will happen soon based on the pace of car tech progress. Also note that once
the frame is on the bus, it gets executed and an ACK will be sent. There is no
authentication mechanism in place. So once you put a frame into the CAN bus,
there is no way to stop it. This will be the top pain points for car techs to
fix.

------
DiJu519
Ya know Ford supports all this in the open, right?

[http://openxcplatform.com/](http://openxcplatform.com/)

~~~
scalio
Does that work only on US cars or internationally?

~~~
djKianoosh
[http://openxcplatform.com/hardware/vehicles.html](http://openxcplatform.com/hardware/vehicles.html)
says: "All Vehicles Sold in the U.S. Since 2008 (OBD-II on CAN)"

~~~
brogrammer_1
Ford runs a "World car" strategy so I'd expect the same thing to work
internationally. OBD-II is a worldwide standard AFAIK too.

[https://en.wikipedia.org/wiki/World_car](https://en.wikipedia.org/wiki/World_car)

------
luckydude
So this is not that thrilling but my BMW r1200gs has this bus. I dropped the bike
recently and killed one of the turn signals. Canbus lit up saying you have a
light out. I fixed the turn signal and it still lit up. I thought I needed to
reset it or something.

Turns out I killed the headlight in the drop as well. Without the canbus it
would have been months before I would have caught that. I thought it was a BMW
over-the-top thing but it actually helped me, it was the daylight running
headlight that went out. Good to have that one.

Like I said, not thrilling, not programming, but an upvote for the Canbus.

~~~
mabcat
My riding school was big on checklisting the bike before every ride:
indicators front and back, low beam, high beam, brake light by the lever and
the footbrake, horn. Not thrilling either but it's how I found out about my
busted horn and busted brake light switch promptly instead of the hard way. In
most places riding in traffic is risky enough that it's worth knowing all the
bits are working every time.

------
itodd
Good talk from PyCon 2017 on hacking the CAN:

[https://www.youtube.com/watch?v=3bZNhMcv4Y8](https://www.youtube.com/watch?v=3bZNhMcv4Y8)

------
eloff
Can you imagine the havoc when terrorists figure out they can program cars to
hunt and kill pedestrians in crowded spaces? Currently the terrorist needs to
drive the vehicle, which makes it a suicide mission. How much more deadly
would it be if it was reduced to just the cost of the car and a low chance of
getting caught? How can we defend against this?

~~~
kayoone
I'd argue that a lot of terrorists don't care. They want to do it themselves,
die in the process and be glorified by their own. Otherwise they would
probably just hide bombs somewhere to detonate them instead of strapping them
onto themselves.

~~~
ocdtrekkie
Well, humans are capable of improvising better than something automated or
pre-positioned. That's the biggest reason. Second, for the terrorist
organization itself, people are probably close to free assets (you just
brainwash a few more), whereas spending a lot of R&D on developing an
automated explosive delivery system and then continuing to patch
vulnerabilities in it that governments would use to neutralize it would cost
exponentially more.

tl;dr: If you don't care about the sanctity of life, humans are cheap.

------
muro
Love CAN, beautifully simple. Of course the "arbitration id" needs to be
unique to an ECU, but each can send multiple different ones - the purpose of
the ID is to always send the one with the lowest number. When designing the
system, this ID defines the priority of each message - e.g. brake lights are
more important than radio volume up :)
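
An added illustration, not part of the comment above: a simulation of the bitwise arbitration that makes the lowest identifier win when several nodes start transmitting at once. The node names and IDs are constructed for the example.

```python
DOMINANT, RECESSIVE = 0, 1
ID_BITS = 11  # standard (CAN 2.0A) identifier length


def id_bits(can_id):
    """Return the identifier as a list of bits, most significant first."""
    if not 0 <= can_id < (1 << ID_BITS):
        raise ValueError(f"not an 11-bit identifier: {can_id:#x}")
    return [(can_id >> shift) & 1 for shift in range(ID_BITS - 1, -1, -1)]


def arbitrate(contenders):
    """Simulate one arbitration round.

    contenders: dict mapping node name -> identifier it wants to send.
    Returns (winning node, list of (bit position, nodes that backed off)).
    """
    if not contenders:
        raise ValueError("no contenders")
    if len(set(contenders.values())) != len(contenders):
        raise ValueError("two nodes sending the same ID cannot be arbitrated")
    active = {name: id_bits(cid) for name, cid in contenders.items()}
    dropouts = []
    for pos in range(ID_BITS):
        # The bus behaves as a wired-AND: a single dominant (0) bit
        # overrides every recessive (1) bit sent at the same time.
        bus = min(bits[pos] for bits in active.values())
        # A node that sent recessive but reads dominant has lost.
        losers = sorted(n for n, bits in active.items() if bits[pos] != bus)
        if losers:
            dropouts.append((pos, losers))
            for name in losers:
                del active[name]  # stops transmitting, retries after this frame
    (winner,) = active  # unique IDs leave exactly one node
    return winner, dropouts


if __name__ == "__main__":
    # Constructed IDs: lower number = higher priority.
    demo = {"brake_lights": 0x120, "door_status": 0x125, "radio_volume": 0x3A0}
    print(arbitrate(demo))
```
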

------
wyager
Hmm, I hope they're not planning on using ROS for the final product... using a
non-hard-realtime OS to fully control a car is a spectacularly bad idea.

~~~
ansgri
A bit of a nitpick, but ROS is not an OS, it is a middleware. Who knows, maybe
somebody makes a ROS adaptation for a hard-realtime POSIX OS, would be totally
possible.

Though I agree, ROS is nowhere near the stability level needed by industrial
and automotive products. It's great for prototyping, but one has to keep in
mind the inevitable refactoring of the communication layer, and keep the core
functionality ROS-independent.

------
exabrial
One of the reasons I pulled my OnStar module from my GM Vehicle... Lack of
authentication in the GMLAN CAN network. Not a big deal for an isolated system
(well, almost isolated, there's still the FM radio) but "isolated enough" to
mitigate casual attacks.

------
pj_mukh
"we flipped the problem (and the OBD-II port) inside out and found naked
access to HS1, HS2, HS3 and MS. The solution was on the back of the OBD-II
port where all those buses arrive to a device called the Gateway Module."

This seems like a critical hack. Is this normal of all (non-Ford) cars as
well?

I'm gonna guess Car mfg's are going to start encrypting the CAN bus [1].

[1]:
[http://www.eetimes.com/document.asp?doc_id=1328081](http://www.eetimes.com/document.asp?doc_id=1328081)

~~~
Matthias247
Unfortunately it's pretty much industry standard that once you have physical
access to the relevant CAN bus you can read (and write) everything. The normal
protection which is mostly deployed is that the end-user only has access to
the CAN bus on the OBD2 interface, which is behind a gateway and should not
expose safety critical things. Some car manufacturers however might also only
use a single CAN bus for everything, just to save the cost for the gateway.

I'm pretty sure we will see encryption in the future. But currently I'm only
aware of efforts for authenticating CAN (and other signal based)
communication. If anybody is interested, look for Autosar SecOC module. I'm
not too deeply into it, but if it prevents tampering around with the system
(like shown in the linked article) it's already a way forward.
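
An added sketch, not part of the comment above and not AUTOSAR code: the general idea behind authenticating CAN frames, a truncated MAC plus a freshness counter carried inside the 8-byte payload, so a receiver can reject forged, modified and replayed frames. The payload layout, the 3-byte tag length, the demo key and the use of HMAC-SHA256 as the MAC are assumptions made for this example.

```python
import hashlib
import hmac
import struct

MAC_LEN = 3  # truncated tag length in bytes (assumption for this sketch)
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key


def _tag(key, can_id, data, counter):
    # Bind the tag to the frame ID and the full freshness counter.
    msg = struct.pack(">HQ", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def protect(key, can_id, data, counter):
    """Sender side: payload = data || low counter byte || truncated tag.

    Counters start at 1 and increase by one per frame for each ID.
    """
    if len(data) > 8 - 1 - MAC_LEN:
        raise ValueError("data does not fit a classic 8-byte CAN payload")
    return data + bytes([counter & 0xFF]) + _tag(key, can_id, data, counter)


class Receiver:
    def __init__(self, key):
        self.key = key
        self.last = {}  # can_id -> last accepted full counter

    def verify(self, can_id, payload):
        """Return the data if the frame is authentic and fresh, else None."""
        if not 1 + MAC_LEN <= len(payload) <= 8:
            return None
        data = payload[:-(1 + MAC_LEN)]
        low = payload[-(1 + MAC_LEN)]
        tag = payload[-MAC_LEN:]
        last = self.last.get(can_id, 0)
        # Rebuild the full counter: next value above `last` with this low byte.
        counter = (last & ~0xFF) | low
        if counter <= last:
            counter += 0x100
        if not hmac.compare_digest(tag, _tag(self.key, can_id, data, counter)):
            return None  # forged, modified, or replayed frame
        self.last[can_id] = counter
        return data
```

Only the low byte of the counter travels in the frame; the receiver reconstructs the rest, which is why a replayed payload fails the tag check even though its bytes were once valid.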

~~~
kelnos
"Unfortunately"? I get what you're saying, but encryption will just mean that
hobbyists will be completely locked out of everything. It's not like the
manufacturers will go through the trouble of making it possible for a car
owner to decrypt the bus traffic in their own car.

------
neftaly
CANbus is also on boats and in industrial automation! The physical connectors
follow the DeviceNet spec.

Marine applications use a subset of CANbus (with mainly DeviceNet micro
connectors) named NMEA 2000. The best repo to get started is probably
[https://github.com/ttlappalainen/NMEA2000](https://github.com/ttlappalainen/NMEA2000)

------
camtarn
Interesting - never realized there would be multiple CAN buses in a car. That
probably makes it a lot easier to not screw things up - if you know that the
medium speed bus is only connected to non-safety-critical systems, then it's
easier to trust that when you send out your hand-crafted CAN packets, you're
not going to cause anything too drastic to happen.

~~~
mrpippy
Indeed. Especially important when you remember that most of the (many!)
devices in a car sitting on CAN buses come from outside suppliers, and black-
box testing of these modules can only go so far to verify the CAN
implementation and stability.

AFAIK, Ford actually mandates that their suppliers use a standard CAN stack
provided/licensed by Ford (FNOS, the Ford Network Operating System) to try and
ensure a level of quality in implementations. It's a good idea, one I haven't
heard of other automakers doing (although I'm not in the industry any more)

~~~
duncan_bayne
My inner five year old hopes that FNOS was developed by the Ford Network
Operating Research Division.

------
marsRoverDev
CANBus is also used on spacecraft to communicate between payloads and the on-
board computer. Sometimes it is used in concert with MilBus 1553 as the
payloads and sensors are acquired from various sources. I believe that work is
being done to standardise to one solution, but in the meantime we end up
programming for both!

------
p1ne
Reversing this stuff is a big pain in the back. I'm doing Ford (Mercury) dash
display controller as my free time pet project and it's only by reverse
engineering the protocol. I'm mimicking stock headunit and collect data from
MS CAN. But need to admit, that there's lots of logic in the protocol, so can
be reverse engineered with brains.

Some pics and text (sorry, Russian only for now)

[https://www.drive2.ru/l/474473078441641818/](https://www.drive2.ru/l/474473078441641818/)

[https://www.drive2.ru/l/473379614127816994/](https://www.drive2.ru/l/473379614127816994/)

~~~
p1ne
This controller operates when stock headunit is removed and can print out on
the stock dash display (FDIM) the following info:

- clock (can be taken from 2010+ GPSM module or from external RTC clock -
  DS3231 based)
- tire pressure (from broadcasts 2010+ or from Ford TPMS protocol 2008+)
- tire temp (from TPMS protocol)
- RPM
- engine temp
- current speed

units are configurable (12/24h clock, psi/kpa pressure, C/F temperature)

Probably will share code and PCBs on github soon, now this thingy is under
heavy test in my car and other cars of some enthusiastic guys

There are plans to extend the device with CAN proxy to allow it to work
together with stock headunit and also sit on both HS and MS CAN buses to get
more data to display

------
kensai
In the last picture in the blog post, does he really run a script for Celsius?
Because at 67 degrees you are certainly dead! :D

~~~
throwaway899
Why would you be dead at 67 Celsius..? I go in to a room near 100 Celsius
every weekend (also known as sauna)

~~~
taneq
Huh, this made me curious about saunas and how they're survivable if they're
that hot, since I've never been in one myself. Apparently the air inside
saunas is very dry (making sweating very effective), even though they're
traditionally pictured as being steamy? Would I be right in saying there's
very little air movement in one, as well? I'm guessing there's a lot of
boundary layer type effects going on.

Edit: The Wikipedia entry's description makes no sense. The hottest saunas
have low humidity levels produced by pouring water on hot stones? And the
people in the sauna are below the dew point and so have condensation forming
on them rather than evaporating? How then do they shed the heat?

------
tvorog
Are there more books or sites about car hacking except "The Car Hacker’s
Handbook"? This is a very interesting topic.

~~~
gens
Sure.

[https://www.youtube.com/watch?v=MEYCU62yeYk](https://www.youtube.com/watch?v=MEYCU62yeYk)
and the mentioned paper I assume is
[https://ioactive.com/pdfs/IOActive_Remote_Car_Hacking.pdf](https://ioactive.com/pdfs/IOActive_Remote_Car_Hacking.pdf)

------
softwarelimits
Q: What is a good simulator for car hacking?

I expected to find some vehicle simulator that allows me to load several car
specs, similar to a flight simulator. Plus integration of some advanced racing
/ driving software - I could not find any of these, but I am not an expert in
this field.

Where to find these? THANKS!

~~~
altr0n
There are some great tools here to get you started:

[https://github.com/zombieCraig](https://github.com/zombieCraig)

------
tylero
Craig Smith also released a book-length treatment of the subject online for
free, the Car Hacker's Handbook, available here:

[http://opengarages.org/handbook/](http://opengarages.org/handbook/)

~~~
Braxton_Hicks
Yep, the post author calls it his favorite book and links to it in the
article, specifically discussing the topic of Chapter 2 on Bus protocols.

------
solidr53
Ok, just to clarify... the CAN bus protocol can not be used to control
throttle, brakes or steering. Critical stuff like that must be feedback
driven.

Most manufacturers have their own communication protocol (some on top of the
CAN bus). Probably the most researched and hacked bus out there is BMW's I-BUS
(Used in MINI, BMW and Range Rover) [1].

You can however flash the ECU through most CAN buses (not in the protocol, but
info about it can be found for most cars). And from there, one can interfere
with the throttle.

[1]
[https://groups.yahoo.com/neo/groups/HackTheIBus](https://groups.yahoo.com/neo/groups/HackTheIBus)

~~~
commaai
Wrong, on certain cars it can be used to control all three.

[https://github.com/commaai/openpilot](https://github.com/commaai/openpilot)

~~~
solidr53
Okay, cool! Do you know of any more than Honda and Tesla?

------
donjoe
I wonder - did you try to ask Ford for a .dbc-file containing the desired IDs
to query? It's worth a shot plus those files save a ton of time.

~~~
exabrial
IIRC, US Law mandates a bunch of CAN IDs for general engine diagnostics like
fuel flow, o2 sensors, etc.

The rest of the CAN IDs are unique to every manufacturer. GM (for instance)
Tech Scan tool knows these CAN IDs. Independent 3rd parties can develop a
similar tool and license the CAN IDs from GM for a hefty fee. I imagine Ford
has the same service available.

~~~
amenod
Would it be possible to feed CAN IDs to Tech Scan tool sequentially and thus
decode their meaning? Would it be legal?

~~~
emidln
Easier to bribe some intern or entry-level engineer who has the Excel file
mapping all the signals from every module on the bus. These used to be passed
around pretty openly at the suppliers I worked for, and interns started out
making something like $11.50/hr with no benefits.

------
maxxxxx
Does anybody know where the trend is going? Do electric cars have standard
buses or are they moving to proprietary (and not published) buses?

~~~
_pmf_
CAN will stay for quite a while, as will LIN. However, higher speed buses
(esp. FlexRay and MOST) are very, very slowly being replaced by Automotive
Ethernet (which uses a proprietary physical layer, called BroadR-Reach). Where
CAN used checksums (additional, application layer checksum in addition to the
protocol layer) to prevent tampering (modifying live data), the Ethernet based
protocols will use what AUTOSAR calls Secure On-Board communication, which
features ECU-to-ECU end to end protection.

~~~
Matthias247
That's all true. Just a few things to add:

While CAN and LIN are used everywhere Flexray and MOST are used in different
domains: Flexray for driving/safety related functions and MOST for
infotainment.

CAN will have a speed improved version CAN FD, which might see a lot of use in
the more driving related ECUs - some say it might replace FlexRay uses there.

Afaik SecOC can and will be used for all kinds of PDU based communication
(Ethernet and CAN). The amount of PDUs which will be transmitted over Ethernet
vs. classical bus systems will vary heavily from OEM to OEM. Some are more
invested in Ethernet, others not.

------
afeezaziz
I am wondering whether there is a truck that has drive by wire? That would be
interesting. Monster Self Driving Truck.

~~~
bluGill
All the big John Deere tractors are drive by wire. The steering wheel has no
mechanical connection to the wheels. We (I'm an employee of Deere, though of
course I don't speak for them) do some things I cannot talk about to verify
that only authorized devices can steer the tractors. How to do this has been
given to at least one university interested in self driving tractors - after
verifying they will take care of that knowledge (exactly what this means I
don't know)

