How to 'Sniff' the CANBUS?

[mdrobnak]

153 - ABS
1F0 - Wheel Speeds
1F8 - 4WD stuff
316 - RPM is in here
329 - Throttle position Driver relative (0-99.6%) torque request is byte 5.
545 - Main items to send to the dash
613 / 615 - Items from the dash like ambient temperature, fuel level, AC request.

[Alibro]

153 - ABS
1F0 - Wheel Speeds
1F8 - 4WD stuff
316 - RPM is in here
329 - Throttle position is byte 5.
545 - Main items to send to the dash
613 / 615 - Items from the dash like ambient temperature, fuel level, AC request.

WOW! Thanks mate. That's a great start.
The engine is an M47 BMW so it's the same engine found in lots of BMW's of the same era.

[Alibro]

153 - ABS
1F0 - Wheel Speeds
1F8 - 4WD stuff
316 - RPM is in here
329 - Throttle position Driver relative (0-99.6%) torque request is byte 5.
545 - Main items to send to the dash
613 / 615 - Items from the dash like ambient temperature, fuel level, AC request.

I managed to confirm three of these this evening, Wheel speed, RPM and TPS. At first I was a bit confused about byte 5, then I figured you're counting from 0. I've posted a video here showing what I found.

[mdrobnak]

I love your circuit description.

ID is from sending device, yes.

You likely only have one bus. You probably have K-Line for diagnostics. Probably some LIN variant for alternator control. That's .. about it.

Byte 0 is 0x329 is a set of multiplexed data, so you are seeing the multiplexer, and the value.

[Alibro]

Thanks again mdrobnak, I have a thread going on Landyzone about this project here if anyone is interested in following it. https://www.landyzone.co.uk/land-rover/ ... ev.360880/

I'll also start a new project thread here as I'm gonna need all the help I can get.

[m.art.y]

Hi. Anybody has an arduino code to send multiple messages to the can bus? Also any idea where to start for a novice on the savyycan? Thanks

[Alibro]

Hi. Anybody has an arduino code to send multiple messages to the can bus? Also any idea where to start for a novice on the savyycan? Thanks

I'd be interested in this too.
Also I forgot to post here when I put this up on Youtube.

[m.art.y]

I tried the same with my dash but I got absolutely no response although my ECU is missing at the moment. I was able to find a CAN message for my hazard lights but when I sent it directly to my dash screen I got no response whatsoever. It is a whole lcd dash screen. And I think it is directly connected to ECU as I was able to find 2 can bus lines that give different CAN messages (one is the screen). I am wondering if ECU processes all can messages and sends it's own CAN messages to the screen? Or it needs some sort of wake up code or something? Any ideas? Thanks

[Alibro]

Are you able to read CAN from the car at all?

[m.art.y]

Are you able to read CAN from the car at all?

Yes I was able to read CAN messages from the car same way like you did. But I was not able to light any lights on my digital lcd instrument cluster screen even though I found couple codes - one for gear shifter and another for hazard lights. Interestingly I was not able to find any CAN messages for indicators or lights - neither works nor lights any lights on the screen where they are supposed to be. I wonder how to control this screen.

[Alibro]

Are you able to read CAN from the car at all?

Yes I was able to read CAN messages from the car same way like you did. But I was not able to light any lights on my digital lcd instrument cluster screen even though I found couple codes - one for gear shifter and another for hazard lights. Interestingly I was not able to find any CAN messages for indicators or lights - neither works nor lights any lights on the screen where they are supposed to be. I wonder how to control this screen.

Maybe one of the experts here will be able to help. I'm barely a novice.

[m.art.y]

Are you able to read CAN from the car at all?

After excruciating 3 day effort trying 4 laptops etc I was able to get SavvyCAN software to run on exact same setup like yours - arduino nano and MCP2515 can bus shield. And it was actually very simple when you know what to do. It only works on a computer with Linux though through socketCAN. Canhacker was just not enough for my needs. I can only hope now that nano and MCP2515 will be fast enough for my car and won't be dropping frames. And need to learn to use SavvyCAN

[Alibro]

Are you able to read CAN from the car at all?

After excruciating 3 day effort trying 4 laptops etc I was able to get SavvyCAN software to run on exact same setup like yours - arduino nano and MCP2515 can bus shield. And it was actually very simple when you know what to do. It only works on a computer with Linux though through socketCAN. Canhacker was just not enough for my needs. I can only hope now that nano and MCP2515 will be fast enough for my car and won't be dropping frames. And need to learn to use SavvyCAN

That's brilliant, well done. A quick few lines of a 'How To' would be amazing. I might need it when I get to the stage of controlling my dash.
I found the Arduino IDE was more stable on Linux too.
I also found an UNO was more stable than a Nano but that may have been the quality of my Nano.

[mdrobnak]

You'll have no problem with regards to dropped packets in SavvyCAN - it handles the "Party" bus on the Tesla Model 3 fine (with EVTVs CAN capture device, mind you), which is pretty much everything except the HV bus. That said, you do miss out on certain pieces of information, like CAN bus resets or other oddities that more expensive solutions provide. But for most needs it works really quite well. There are some data analysis features that aren't in my commercial software (Vehicle Spy Basic)!

-Matt

[m.art.y]

https://github.com/latonita/arduino-canbus-monitor

Above is the arduino sketch and libraries that turn arduino and mcp2515 into a socketCAN useable device (using can232/Lawicel protocol). Same wiring of nano and mcp2515 as for canhacker software. It is necessary to set the correct can bus speed in the above sketch before uploading, otherwise it will not work. Then install can utils package in Linux using this command:

sudo apt-get install can-utils

Then plug the arduino+mcp2515 into the laptop and enter these commands one after the other:

sudo slcand -o -s6 -t hw -S 15200 ttyUSB0
sudo ip link set up slcan0

It is important to set the correct speeds: -s6 represents 500 kbit/s can bus speed, and -S 15200 is serial baudrate which has to be same as in the arduino sketch. If speeds are not set correctly it will not work! Now can bus traffic can be brought up with a command: candump slcan0, or cansniffer slcan0. Also if you download SavvyCan appimage for Linux and make it executable you will need to connect to: socketcan and port should be given automatically: slcan0.

After using SavvyCAN with this setup I had SavvyCan crash a couple times. However the slcan0 connection itself was crashing so often as I tried sending more than 2 can bus messages at the same time and also receiving messages (wasn't sure if it will still send when capturing was suspended). I don't know if I was doing something stupid, or the serial connection of nano+mcp2515 is just not fast enough. Capturing is no problem - it pretty much runs ok. And even frame fuzzing was pretty much ok I guess.
Can somebody tell me if using Teensy is better in regards of crashing? Would buy it if it better? I would buy EVTV device but they are not in stock, anybody got some second hand?

Regarding can bus hacking I still have not got much idea of what I am doing. My lcd dash screen is not responding to anything I send it. I found couple bytes that change when the hazard lights switch is pressed, however when I try to send these codes to the screen it does not illuminate turn signals on the screen. ECU is missing at the moment. I wonder if ECU has to process these codes from hazard lights switch and send a totally different code to the screen to render those turn signals blinking? Or simply there has to be some sort of handshaking between ecu and lcd dash for it to accept can bus messages? How would I look for that? My idea of this project was just to get some codes from a working car and inject those codes to get the dash to not show any red lights, but is it not going to be that simple? Do I need to look into checksums and message authentication etc? Where do I start? I would appreciate any advice. Thanks