CAN Hacking - Protocols

8/31/2014 CAN Hacking: Protocols
http://hackaday.com/2013/10/29/can-hacking-protocols/ 1/25
Hackaday
Fresh hacks every day
Home
Hackaday Projects
Our Videos
Submit a Tip
Forums
About
August 31, 2014
See the Semifinalists || Learn about The Hackaday Prize
CAN Hacking: Protocols
October 29, 2013 By Eric Evenchick 39 Comments
Weve gone over the basics of CAN and looked into how CAN databases work. Now we will look at a few protocols that are commonly used over
CAN.
In the last article we looked at CAN databases, where each bit of a message is mapped to a specific meaning. For example, bit 1 of a CAN message
with ID 0x400 might represent whether the engine is currently running or not.
However, for more complex communications we need to use protocols. These can map many meanings to a single CAN ID by agreeing on a structure
for sending and receiving data.
OBD-II
The standard OBD-II connector
Next time youre in the drivers seat, look around your left knee. Youll find a connector like the one above. This is the OBD-II connector.
The OBD-II protocol is not CAN specific, and can be implemented over UART and PWM channels as well as CAN. OBD-II became present in
cars when the California Air Resources Board demanded a diagnostic protocol for all vehicles sold in California in 1991. Since its always done over
CAN in newer vehicles, this connector gives you access to at least one vehicle CAN bus.
OBD-II is used for reading vehicle parameters and reading fault codes. By using the various OBD-II modes, you can read parameter IDs (PIDs)
containing information about the state of the vehicle. Wikipedia has a great article on the OBD-II modes and PIDs.
Theres a wealth of information out there about OBD-II, and you can buy a tool for under 20 bucks to read fault codes and clear the pesky check
engine light in your car. Instead of going into detail about OBD-II, lets talk about its big brother.
Unified Diagnostic Services
While many car enthusiasts are familiar with OBD-II, many havent heard of Unified Diagnostic Services (UDS). This is unfortunate, since OBD-II is
just a subset of UDS. While OBD-II only allows a limited set of services, UDS is the diagnostic protocol that manufacturers and technicians use. It
provides all the services needed for diagnostics, calibration, and flashing firmware.
UDS has various services, such as ReadDataByIdentifier and TransferData, which are identified with a one byte Service ID (SID). The first 0x0F
SIDs are reserved for OBD-II. The rest are defined either by standards, or by the manufacturer. Heres a list of the standard UDS services, and their
hex identifiers.
DiagnosticSessionControl 10 hex
ECUReset 11 hex
SecurityAccess 27 hex
CommunicationControl 28 hex
TesterPresent 3E hex
AccessTimingParameter 83 hex
SecuredDataTransmission 84 hex
ControlDTCSetting 85 hex
ResponseOnEvent 86 hex
LinkControl 87 hex
ReadDataByIdentifier 22 hex
ReadMemoryByAddress 23 hex
ReadScalingDataByIdentifier 24 hex
ReadDataByPeriodicIdentifier 2A hex
DynamicallyDefineDataIdentifier 2C hex
WriteDataByIdentifier 2E hex
WriteMemoryByAddress 3D hex
ClearDiagnosticInformation 14 hex
ReadDTCInformation 19 hex
InputOutputControlByIdentifier 2F hex
RoutineControl 31 hex
RequestDownload 34 hex
Follow
Follow Hackaday
Get every new post delivered
to your Inbox.
Join 92,220 other followers
Enter your email address
Sign me up
Powered by WordPress.com
RequestUpload 35 hex
TransferData 36 hex
RequestTransferExit 37 hex
UDS uses a frame structure to send data to controllers. Single Frames (SF) are for short messages, where all the data can fit into six bytes. If the data
is longer, a FirstFrame (FF) is sent to start the transaction, then Consecutive Frames (CF) are sent with data. Heres a layout of how the frames are
structured.
The structure of SF, FF, and CF messages
OBD-II only uses the first frame structure, but the others are useful for longer data such as a firmware download.
To get into how all the services work, youll need a copy of ISO 14229. Unfortunately, itll cost you about $250 USD just for the PDF. Tools that
can talk UDS are very expensive. However, with this basic knowledge you can get a grasp of whats happening on the bus.
OpenXC
While UDS is a closed protocol, researchers at Ford have been working on creating an open platform for interfacing with vehicles. The result is the
OpenXC Platform. OpenXC provides a protocol to read data from Ford vehicles over CAN.
To use it, youll need a vehicle interface. A chipKIT can be used with Fords open source firmware. Alternatively, you can buy a prebuilt solution from
CrossChasm. Once the vehicle interface is up and running, you can access data from the Android and Python APIs. Weve featured a few OpenXC
hacks on Hackaday in the past.
Its great to see an automotive manufacturer embracing open source, and hopefully Ford continues to work on the platform. That being said, the
OpenXC protocol is read only, and limited to a fairly small set of messages.
Now that weve heard all about protocols, its time to get into building CAN hardware. Next week well look at what hardware you need to start
using CAN in your own projects.
CAN Hacking
Introductions
The In-vehicle Network
CAN Protocols
Building CAN Hardware
CAN Hacking: The In-vehicle NetworkSmart Brake lights and more with OpenXCCAN Hacking: IntroductionsCAN Hacking: The Hardware
Apple And Raspberry Pis
Filed Under: Featured, Network Hacks Tagged With: automotive, CAN, CAN Hacking, ford, obd-ii, OpenXC, unified diagnostic
services
Comments
1. icanhazadd says:
October 29, 2013 at 10:23 am
You forgot the break.
Reply Report comment
Steveo says:
October 29, 2013 at 11:01 am
Give him a break
icanhazadd says:
October 29, 2013 at 3:57 pm
You toucha my comment I breaka your face!
Anybodysguess says:
Ya, somebody needs to talk to this guy about using breaks.
I dont read every HaD article that is written, so I like the breaks, I only read what interests me.
2. Q says:
October 29, 2013 at 10:30 am
Howdy. Great articles, some friends and I have been working on CAN hardware for a while now, located here:
http://goodfet.sourceforge.net/hardware/goodthopter12/ get ahold of me @theqlabs if you would like some free boards. Cheers.
matt says:
October 30, 2013 at 12:51 am
Wow, free boards to students, the unemployed, and the funemployed. As someone who has been unemployed for a while kudos to
you.
asdf says:
November 1, 2013 at 1:39 pm
I swear, these goodfet guys are the only reason the msp430 is still around. Either way, kudos! Btw you sent me boards and I sent you a
hand drawn postcard.
3. draeath says:
October 29, 2013 at 10:40 am
Theres just something about ISO charging money for standards documents that ignites, well, all of my hatred.
Rick says:
October 29, 2013 at 11:32 am
Charging money for data is so 20th century
ka1axy says:
October 29, 2013 at 12:02 pm
Apparently, others feel the same way. Google is their friend, as well as yours
treymd says:
By that you mean google is ISOs friend I am sure. Lots of DMCA takedowns are the result of a search for 14229.
flndr says:
filetype:pdf is your Google friend.
Its certainly more useful than my employers internal document library.
4. Tyler Cox says:
October 29, 2013 at 10:47 am
I really cannot wait to find out more about this. I would love to create mods for my camaro.
5. mike says:
October 29, 2013 at 11:15 am
i love this. please keep them coming!!!
6. Schwarz_Oa says:
October 29, 2013 at 11:26 am
Hello Eric Evenchick, that is a nice research.
I would like to help you a little bit, actually I work with those CAN buses.
Shawn N says:
Schwarz_Oa,
What systems do you work with?
As far as the Medium-Speed CAN bus goes, Ford is only releasing binary firmware which only includes a subset of translations, and
they dont actually release what the message IDs are.
I will post up a spread sheet of what I have so far as well as my OpenXC implementation of the JSON signals file.
I am planning on replacing my center console with an Android tablet, the next thing I need to do is sniff the Heat/AC controls so I can
write that into my andoid app as well.
7. Shawn N says:
October 29, 2013 at 12:03 pm
Ah somebody always beats me to Hackaday, but here what Ive been up to:
Eric Evenchick says:
Awesome, shoot us a tip on that if you have some code or docs to share. Thanks!
8. ee says:
It should be noted that while OBD-II was not mandatory until 1996. Some 1995 and earlier model year vehicles have it, but not many. Prior to
OBD-II, OBD (the original specification) did not require a generic connector, forcing shops to get expensive vehicle-specific diagnostic tools.
Much like the requirements for manufactures to not void vehicle warranties when after-market parts were used, OBD-II was partially ratified to
allow independent shops to more easily diagnose emission-related problems, without paying exorbitant amounts for tools
John says:
On the other hand, some OBD-I implementations didnt require a scanner at all and were able to signal faults using a led to flash out
code numbers.
J Merton says:
October 30, 2013 at 3:43 am
Snap On scanners come with a set of plug adaptors for the older cars. Check eBay & Amazon for a used one
9. Cain W Benjamin (@Krazeecain) says:
Ford just earned some serious respect from me. The expense of some of these OBD-II tools completely blew my mind, largely contributing to
my hatred of computers in cars (despite my love of computers in general!) Im very glad somebody is working to change this a bit, and hope
other car makers follow suit.
10. David Anders says:
eric,
any chance of you copying all this content over the elinux.org wiki pages? this info would be a fantastic addition to the pages! (elinux.org is
sponsored by the Linux Foundation btw)
Eric Evenchick says:
David,
Id certainly like to add it to eLinux. The info there has saved me many times. Let me check with our not-so-evil overlords about this
though.
David Anders says:
Dandy!
11. drwho8 (@drwho8) says:
Oddly enough, take a look at the specifications behind MIL-STD-1553. Its in much the same shape as the OBD families of methods of access
to vehicles (ground). Typically that one is found in military aircraft, although the Space Shuttle used it..
12. Phillip Birmingham (Killbilly) says:
October 30, 2013 at 8:35 am
OBD-II only uses the first frame structure
Does this mean the structure labeled First Frame' or does it mean the first in the list of three frame structures I just described?
flndr says:
Im not an expert on what subset of the standards ODB-II supports, but if it used the first frame (FF), it would also the consecutive
frame (CF) (because if the data could fit in a single frame, it would use the single frame format).
What the article doesnt show is the 4th kind of frame, the flow control frame (FC). After the FF is sent, the receiver sends the FC frame
to let the sender know if and how it should send the remaining consecutive frames.
You can find more info on this on Wikipedia under ISO-15765 if you dont have access to the actual standards.
13. pcf11 says:
October 30, 2013 at 12:50 pm
I looked under the dash of my 1966 Volvo P1800S and I didnt find one of these. Life is good!
14. Yo says:
Did anybody try this CAN logging software?
http://rbei-etas.github.io/busmaster/
J Merton says:
Poke around the pages. It requires special hardware.
https://github.com/rbei-etas/busmaster
J Merton says:
Note this is not the same link as above.
15. charliex says:
October 31, 2013 at 11:26 am
Heres some of my CAN hacks from 2005+ onwards.
Real time tracing and changing of internal ecu tables while tuning
watching various internal ECU parameters ( showing a steady idle in this case)
Id been developing a new gui back then, never finished it ( uses canned data for the test, but it normally reads it all off the CAN bus)
I wote the app to tie into multiple ecu types just via a DLL.
bouncy videos.
charliex says:
October 31, 2013 at 11:29 am
(the video doesnt come over the can bus, thats a sample video from the smartycam/aim which it tied into.
linked the wrong one, put google earth into it too.
16. Blufires says:
My cars VAN bus makes me sad every time I read one of these. The standards are so similar but I cant find a single project about interfacing
with it.
17. EcoCAR2 says:
November 3, 2013 at 10:47 am
Whats up EcoCAR2 Waterloo?
18. Eric Fossum says:
Has anyone had luck with BMW interfacing? I have a 95 E34 and a 12 R1200R Id love to talk to.
SamH says:
I also would like to know if anyone has done this on a pre ODBII. i have a 95 E36 I want to put a carputer in.
19. Johnd558 says:
August 3, 2014 at 9:39 pm
if making snowfall leaps Hermes purses And totes operating 3ounce throwaway duplicate Hermes cups of coffee or even a conforms icle, pour
the juices a mixture on the road to these kind of people until it is they have been perfect possessions wall plug ecommerce better than nearly full.
ecckabbkefkc
Leave a Reply
Enter your comment here...
Never Miss a Hack

Search
Search this website Search
Categories
Select Category
In case you missed it
The Inaugural Hackaday.io Meetup
5 Comments
DEFCON: Blackphone
35 Comments
[Bil's] Quest for a Lost Finger: Episode I
86 Comments
50 Semifinalists Selected for Next Stage of The Hackaday Prize
151 Comments
Fear and Loathing at DEFCON 22
11 Comments
More Posts from this Category
Our Columns
Hacklet #13 Chopper Royalty
6 Comments
Droning On: Maiden Flights
4 Comments
Retrotechtacular: Turn On the Magic of Colored Light
12 Comments
Ask Hackaday: Can Paper USB Business Cards Exist?
70 Comments
Hacklet #12 Last Minute Hackaday Prize Submissions
10 Comments
More Posts from this Category
Recent comments
metai on Purely Mechanical Display Uses 804 Balls To Create a Kinetic Display
Eirinn on Homemade Triple Monitor Mount Looks Professionally Made
DainBramage1991 on Green Light Your Commute with Americas Unsecured Traffic Lights
Mike Schaale on Jeep Wrangler gets pressurized water right out of the bumper
ANON on Custom Racing Chair with a Kinect and Haptic Feedback
Michael on Green Light Your Commute with Americas Unsecured Traffic Lights
Paul on Green Light Your Commute with Americas Unsecured Traffic Lights
gregkennedy on Rapid Fire Mod For A Wireless Mouse
Tony on Proximity Sensing LEDs Can Add a New Dynamic To Your Projects
Tony on Proximity Sensing LEDs Can Add a New Dynamic To Your Projects
Find Hacks by Date
October 2013
S M T W T F S
Sep Nov
1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 31
Return to top of page
Copyright 2014 Genesis Framework WordPress Log in
Hackaday, Hack A Day, and the Skull and Wrenches Logo are Trademarks of Hackaday.com
Our Policies
Powered by WordPress.com VIP

CAN Hacking - Protocols

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

CAN Hacking - Protocols

Diunggah oleh

Hak Cipta:

Format Tersedia

8/31/2014 CAN Hacking: Protocols

Powered by WordPress.com VIP

Anda mungkin juga menyukai