In contrast to most guides, we'll make this practical and replicable with outset in the CLX CAN bus sniffer and our free Wireshark plugin. Below we take outset in the case of streaming from a car.
CAN Bus and OBD II Explained For Dummies, with Examples of how CAN Bus and OBD II Work!
The most common purpose of reverse engineering is to enable the decoding of proprietary CAN IDs to be able to analyze data from e.
Often, you may have a partially complete existing CAN database DBC of conversion rules - here, reverse engineering can help fill in the blanks. In many use cases, being able to reverse engineer just parameters can be make-or-break - e. A key benefit from reverse engineering raw CAN data as opposed to e.
OBD2 is to enable 'control' of e. Assume you need to log data from your windscreen wipers. Two methods exist:.
Log data to an SD card : For some parameters e. EV state of chargemonitoring live data is not practical. Instead, you can e.
This lets you manually create a timeseries of "true values" from the camera that you can compare vs. A signal can e. The next step is to identify which of the 64 CAN data bits relate to this specific signal. If this is unfamiliar, check our intro to CAN bus. In short, the equation is as below:. Also, if your parameter has an OBD2 equivalent e. RPM, Speed, This makes it easier to use the decoded signal as part of data processing in most CAN tools.
In the following, we illustrate how you can do the reverse engineering steps 1 and 2 using the CLX in Wireshark. Wireshark provides multiple tools for analyzing this view filters, column configuration, plots - but none of them are ideal for the initial reverse engineering efforts.
Instead, we recommend to use the CAN Live Wireshark plugin feature - which lets you show a 'trace' of your data. When a CAN bus data byte changes, it is colored blue - and the color fades as the byte stays constant.
This provides immediate visual feedback when comparing raw CAN bus data patterns versus physical events e. Still, the default CAN Live view has quite a lot of data. Simply click the 'Hide' check-mark to the left and the ID will disappear until you reopen the window. This lets you reduce complexity and get a clean slate for physical event testing.
For example, you can hide all the IDs that appear when your car is standing still with the ignition turned on. Once you start driving, you'll see the 'delta' event IDs only - making it easier to link IDs to correlated physical events. Another useful feature is auto trimming on by defaultwhich removes all IDs that do not have changing data bytes for a specified amount of time, to ensure focus.
How to Decode Vehicle's CAN Bus Data
New use cases unlocked In many use cases, being able to reverse engineer just parameters can be make-or-break - e. Asset control via commands A key benefit from reverse engineering raw CAN data as opposed to e. Unsure if your use case would benefit from reverse engineering? Reach out for free sparring!With four true differential channels, the PicoScope enables high-resolution measurements of differential voltage waveforms. This oscilloscope eradicates the problem of making accurate voltage waveform measurements on circuit elements that are not ground-referenced, without the risk of short circuits that could damage the device under test or the measuring instrument.
Find out more. Today it is also widely used in industrial process control and aerospace applications. It allows microcontrollers and electronic devices to communicate with each other without using a host computer and provides fast and reliable data transfer in electrically noisy environments at low cost and with minimal wiring.
This specification allows for increased data lengths as well as optionally switching to a faster bit rate after the arbitration is decided. Each device is called a node. During a recessive logic 1 transmission the bus is not actively driven and rests at around 2. CAN data is sent in Frames starting with a dominant 0 followed by an Identifier, which forms the basis of arbitration Priority where two or more nodes attempt to transmit at the same time.
Each node is assigned an Identifier which can be 11 bits CAN 2. The table shows three nodes attempting to transmit at the same time, each starting with dominant 0s. When a node transmits a recessive 1 but sees that the bus remains at dominant 0, it realizes there is a contention and ceases to transmit and waits for the next opportunity to transmit.
In this way the node with the lowest value ID wins arbitration and is given priority to transmit the rest of the frame. The RTR bit Remote transmission request determines between data frames 0 and remote frames 1.
Ack slot bit — All nodes that receive a frame without finding any errors transmit a dominant 0, which overrides a recessive 1 sent by the transmitter. If the transmitter detects a recessive 1, it knows that the frame was not received correctly. To ensure enough transitions to maintain synchronization, a bit of opposite polarity is inserted after five consecutive bits of the same polarity.
In the fields where bit-stuffing is used, six consecutive bits of the same type or are considered an error and an active error flag consisting of six consecutive dominant bits can be transmitted by a node when an error has been detected. CAN FD meets the growing need to transfer more data, more quickly, in automotive and other systems of increasing complexity.
If BRS is sent dominant, the bit rate remains the same across the whole frame. The ESI bit Error State Indicator is a dominant transmission for error active, and recessive transmission for error passive.
Errors can occur due to inductors, coils and power devices which can cause large voltage spikes, noise and ringing. An increasing number of embedded computers and devices are being added to automobile CAN buses and as more nodes are added the available bus time becomes more occupied.In this instructable we will record a CAN bus data of car or truck and convert the recorded CAN bus log data to readable values.
For decoding we will use can2sky. We can record the log by CAN-USB adapters but pay attention to the log format - it should be compatible with decoder service. CAN bus log 29bit example truck, buses, tractors, other commercial machinery. Download example. How to set up Pi for CAN-bus operation you can read there.
First string - header with names of rows. SA row is necessary but can be filled by "1". Download example Download example. Once your CAN bus log has been recorded you can upload it to the can2sky. You have to register to enter the service. Email requires confirmation, which will be sent by service. Then we can choose a parser DBC-file to decode the log. Service will check all possible parsers and show a number of matching parameters from parser and log.
Choose most suitable parser to decode your log.
Take into account that same manufacturer parser will provide you better results. For 29bit CAN bus of truck, buses and other commercial vehicles we will use one of J parsers because of this industry standard.
That means that although we can use Ford parser for decoding Mercedes data - but we will receive useless results even with great number of matching IDs.
Because different car vendors can use same IDs for different parameters. Main dashboard window appears where you can see all your logs and parsers both default and your private parsers. After some time status of your log will be changed from "progress" to "completed". Left part of screen — a list of CAN identifiers which are active in this log. Some of them are reckognized by DBC-parser, some — not marked with red background. Value column shows minimum and maximum parameter value during log.
You can change a period for analysis using Time Filter range settings. Table of values will appear and parameter plot. You may zoom plot with left mouse button and selecting a part of plot. You can built several plots at once, also you can combine plots from different log-files. To choose another source of parameters you can click on listbox of loaded logs. Filter section allows to filter out CAN bus parameters which doesn't look interesting for us. Parameters marked green appears in the list.
Electrical Engineering Stack Exchange is a question and answer site for electronics and electrical engineering professionals, students, and enthusiasts. It only takes a minute to sign up. So let's try and decode the last message from above. That would be " can0 8 40 6C 60 00 00 00 00 00 ". You haven't explained what exactly your listing shows, but it might be the message ID, followed by the number of data bytes in brackets, followed by the actual data bytes.
Nothing seems to be explicitly stating whether the IDs are 11 or 29 bit.
What each line is therefore it seems showing you is one CAN message. There is nothing more to decode to understand the CAN message.
It is shown to you explicitly. For example, the last line says that a message was seen with ID h decimalthat this message had 8 data bytes, and that the data bytes were in HEX 40, 6C, 60, 0, 0, 0, 0, and 0. The first three would be 64,and 96 in decimal. As for what the meaning of that message is to whatever device originated it or is intended to act on it, that's something you have to look up in the documentation of the specific devices. That's a layer above CAN. If your devices use the concept of a node ID, then this is something particular to a protocol layer above CAN.
The CAN standard can't help you with that. You have to consult the specific device documentation, which might refer to the higher level protocol it uses above CAN, possibly in a separate document. For the first pair, a dead giveaway is the 0x4B in the first byte of the response. This indicates that the returned data is of size two bytes for one byte and four bytes, it is 0x4F and 0x43, respectively. The 0x40 in the first byte of the request indicates it is a read request the standard uses a different term, "Upload", with the opposite meaning as on the Internet download - it is from the perspective of addressed device.
So for the first pair, 40 78 60 00, the requestor says: "Device at node ID 0x65give me your stored value at sub0". In this case the information is flowing from the addressed device to whoever made the request the requestor can not be seen from the CAN bus log, but it is usually a central controller in the system or a service tool running on a PC usually a USB-to-CAN adapter.
Thus, for the shown traffic, read requests are made for the response for the last one is not included in the posted CAN bus log :. Furthermore, even though SDOs are usually only for configuration information, the CANopen index range 0x to 0x6FFF is usually used for non-configuration information, like measured quantities or status. The direction of information flow for PDOs despite, in this case, "transmit" is a matter of definition depends on the application.
In the position control function, notation of the control effort is mode-dependent and therefore not specified.
The motor device with node ID 0x65 sends out the control effort likely at regular time intervals using a PDO. The device uses a CANopen protocol.
It comprises higher-layer protocols and profile specifications. It is used in Automation. There are several protocol analyzers to figure out the whole communication. It looks like TPDOs and their content depends on communication and mapping objects. You should to study following terms from CANopen to understand the protocol.
Sign up to join this community. The best answers are voted up and rise to the top. Home Questions Tags Users Unanswered.
Asked 2 years, 11 months ago. Active 2 years, 3 months ago. Viewed 4k times. Here is a sample of the data that I'm seeing on the CAN bus.Information sensed by one part can be shared with another.
A modern car may have up to 70 ECUs - and each of them may have information that needs to be shared with other parts of the network. Specifically, an ECU can prepare and broadcast information e. The CAN bus standard is used in practically all vehicles and many machines due to below key benefits:. ECUs communicate via a single CAN system instead of via direct complex analogue signal lines - reducing errors, weight, wiring and costs. The CAN bus provides 'one point-of-entry' to communicate with all network ECUs - enabling central diagnostics, data logging and configuration.
The system is robust towards electric disturbances and electromagnetic interference - ideal for safety critical applications e. CAN frames are prioritized by ID so that top priority data gets immediate bus access, without causing interruption of other frames.
Today, CAN is standard in automotives cars, trucks, buses, tractors, Looking ahead, the CAN bus protocol will stay relevant - though it will be impacted by major trends :.
In particular, the rise in connected vehicles and cloud will lead to a rapid growth in vehicle telematics and IoT CAN loggers. In turn, bringing the CAN bus 'online' also exposes vehicles to security risks - and may require a shift to new CAN protocols.
As vehicle functionality expands, so does the load on the CAN bus. In short, CAN FD boosts speed and efficiency - and it is therefore being rolled out in newer vehicles. The extended bit identifier frame CAN 2. It is e. OBD2 data from cars can e.
J data from trucks, buses, tractors etc. Vehicles and machinery can be monitored via IoT CAN loggers in the cloud to predict and avoid breakdowns. A CAN logger can serve as a 'blackbox' for vehicles or equipment, providing data for e.
You can e. Simply connect it to e. To extract a CAN signal, you 'carve out' the relevant bits, take the decimal value and perform a linear scaling:. Most often, these "conversion rules" are proprietary and not easily available. So, if you e.
However, in some cases standardized decoding databases exist as for e. OBD2 or J data.No problem! Open Simcenter Testlab Signature. A: Select the Can Device used for the acquisition.
Check on this option. The raw CAN stream will be acquired. However, Vector boxes will not support the recording of raw CAN streams.
Figure 4: Replace the entire run in the Input Basket. C: Select the. F: New channels are created for all decoded CAN signals. The data will be stored in the project and can be viewed in the Navigator workbook. Figure 6: Create new channels for all decoded CAN signals.
The decoded CAN Bus data is saved into the throughput file of a new folder in the Navigator workbook. Figure 7: The data is saved into the Throughput folder.
They must be actively requested during acquisition. They are not broadcast on the CAN Bus by default. Email scott. In your article, Version 16A and later it is possible to do. Lab Version 15A. Login to comment on this post. Siemens Digital Industries Software. Search the Community.
Sign in to ask the community. Close search. Information Article Body. To record the raw CAN stream: 1. Decode the raw CAN offline: 1.
Enjoy the convenience of being able to save and decode the raw CAN stream! View Channel Setup from Desktop Navigator! Filter Feed Refresh this feed. Skip Feed View This Post. August 29, at PM. View This Post.
Record Raw CAN Bus Data and Decode Offline!
July 3, at AM.Or in other words, at what voltage does the CAN node decide the signal is either high or low? You can read more about this in the following Scope School Bonus Class piece. In a perfect world, we hope to obtain a square waveform on our bus, without noise, slope or delay, whereby the CAN node could plot the rising and falling edges of each bit. Using 0 — 2 V as an example, the CAN node would choose the centre point 1 V as the threshold voltage or crossing point in order to determine the change of bus state from recessive to dominant.
However, given that we do not live in a perfect world, the CAN nodes utilise a form of adaption to the environment with a number of tolerances built into the operation of the CAN controller. Think about the environment of a typical automotive CAN bus, which is subjected to noise, connectivity challenges, harness routing limitations, wiring lengths and varying environmental operating conditions. My thoughts here turn to Agricultural vehicles.
Could we ever achieve the perfect square wave at 0 — 2 V with a centre crossing point of 1 V? While this explanation applies to setting a trigger in PicoScope, the CAN controller is performing a similar exercise around the calculated midpoint of our switched bus voltage — the transition from recessive to dominant voltage levels.
Again this is one of the true beauties of fault-tolerant CAN, given its ability to adapt within reason to the harsh environment in which it performs. Take a look at how this message decodes perfectly fine, even with a fluctuating CAN frame crossing point.
You can find the capture from above and relevant information in the following forum topic. How could we ever guarantee delivery of the perfect, noise-free, square wave with a fixed crossing for the CAN controller to decode? I think the answer is never, but Bosch has thought of this already. Or put it differently, can it be that acceptable voltage ranges in nodes maybe differ than acceptable ranges set in the Pico software? PicoScope will decode CAN data based on the threshold voltages selected during the decode set up which may not be present on the entire CAN bus.CAN BUS serial decoding - Identifying data on the Bus
We assume that all CAN controllers are receiving identical voltage levels from the CAN bus on their respective terminals, but this is actually not the case. With regards to voltage ranges in nodes, the point above will help explain how each CAN node is able to deal with varying voltage thresholds on their respective CAN bus terminals. In such a scenario where one CAN node has failed to decode due to extreme CAN bus voltage variation, we have a number of possible scenarios.
Decoding CAN data based on voltage levels captured at a single measurement point on the CAN bus physical layer is potentially floored giving that the voltage levels may not be the same throughout the CAN bus. The following forum topic looks a little deeper into unique voltage signatures associated with CAN nodes. Decoding at the silicone layer via a dedicated CAN logger allows you to capture exactly what each node can see, as each node will display its interpretation of data from the voltages present on their respective CAN terminals.
Here we bypass the physical layer measurement to obtain feedback from each CAN controller within each node on the bus. With that said, should the silicone layer display errors via your CAN loggerwe would need to check the physical layer with PicoScope, either at one erroneous node for single node decode errors or the complete bus if multiple nodes are reporting decode errors.
This was a feature I was not aware of until the question was raised during the live stream. After some considerable reading, it makes perfect sense why Active CAN bus termination would be utilized with automotive networks. Without termination, signals are reflected back into the wiring like an echo where they collide with existing CAN messages traffic.
These collisions have the adverse effect of corrupting CAN messages by altering their respective voltage levels and, of course, bit timing. Should we encounter voltage or circuit errors that change the characteristics of the BUS resistance, the passive terminating resisters will respond accordingly, resulting in fluctuations in BUS impedance and risking data corruption.