We’ve gone over the basics of CAN and looked into how CAN databases work. Now we will look at a few protocols that are commonly used over CAN.
In the last article we looked at CAN databases, where each bit of a message is mapped to a specific meaning. For example, bit 1 of a CAN message with ID 0x400 might represent whether the engine is currently running or not.
However, for more complex communications we need to use protocols. These can map many meanings to a single CAN ID by agreeing on a structure for sending and receiving data.
Last time, we discussed how in-vehicle networks work over CAN. Now we’ll look into the protocol and how it’s used in the automotive industry.
On the hardware side, there’s two types of CAN: differential (or high-speed) and single wire. Differential uses two wires and can operate up to 1 Mbps. Single wire runs on a single wire, and at lower speeds, but is cheaper to implement. Differential is used in more critical applications, such as engine control, and single wire is used for less important things, such as HVAC and window control.
Many controllers can connect to the same bus in a multi-master configuration. All messages are broadcast to every controller on the bus.
We’re introducing a new series on CAN and automotive hacking. First, we’ll introduce CAN and discuss how in-vehicle networks work.
In 1986, Bosch introduced the Controller Area Network protocol. It was designed specifically for in-vehicle networks between automotive controllers. CAN became a popular option for networking controllers in automotive, industrial, and robotics applications. Starting in 2008, all vehicles sold in the US must use CAN.
Modern vehicles are distributed control systems, with controllers designed to handle specific tasks. For example, a door control module would take care of locks and windows. CAN allows these controllers to communicate. It also allows for external systems to perform diagnostic tasks by connecting to the in-vehicle network.
Some examples of CAN communication in a vehicle include:
The engine control module sending the current engine speed to the instrument cluster, where it is displayed on a tachometer.
The driver’s door controller sending a message to another door controller to actuate the window.
A firmware upgrade for a controller, sent from a diagnostics tool.
CAN is usually used with little or no security, except for the obscurity of the communications. We can use CAN to USB interfaces to listen to the traffic, and then decode it. We can also use these tools to send forged messages, or to perform diagnostic actions. Unfortunately, most of the tools for dealing with CAN are proprietary, and very expensive. The diagnostics protocols are standards, but not open ones. They must be purchased from the International Organization for Standardization.
Next time, we’ll get into the structure of CAN frames, and how traffic is encoded on the bus.
We’ve actually been on the look-out for a Network Attached Storage solution for home use. We want an embedded option just for power saving, but have you seen what a commercially available embedded RAID systems costs? It might be better to find an energy friendly PSU and use it in a PC case RAID conversion like this one that [Samimy] pulled off. He started with an old computer case and modded it to house more hard drives.
The image above shows his mounting scheme. Most of us have defunct optical drives in the junk bin. Many times they end up as a way to play with CNC, but in this case [Samimy] got rid of the guts and used a couple of angle brackets to mount a hard disk inside of the enclosure. Now that he can bolt more drives to the case he needed to power them, as the PSU didn’t have enough SATA power connectors. He clipped off a daisy-chain of connectors from a broken supply and spliced it into this one. Finally he cut a hole in the top of the case to add a bit more cooling to the system.
He’s using Windows 7 to power a RAID0 and RAID1 array using four drives. To help increase performance of the system he also used USB thumb drives as cache. This is something we’re not familiar with and we’re glad he provided a link to ReadyBoost, the software which makes it possible.
Here’s one true hack (Google cache link) for our dear Hackaday readers. On a Saturday night, as [Craig] didn’t have anything else to do, he decided to download the firmware of an old D-Link DIR-100 router (because who wouldn’t?). His goal was to see what interesting things he could find in it. He fired up binwalk to extract the SquashFS file system, then opened the router webserver on the multi-processor disassembler/debugger IDA. [Craig] discovered that the webserver is actually a modified version of thttpd, providing the administrative interface for the router. As you can see in the picture above, it seems Alphanetworks (a spin-off of D-Link) performed the modifications.
Luckily for [Craig], the guys at Alphanetworks were kind enough to prepend many of their custom function names with the string “alpha”. Looking at the disassembly of the http identification functions revealed that a backdoor is implemented on the firmware. If one malicious user has the string “xmlset_roodkcableoj28840ybtide” as his browser user agent, no authentication is required to gain access to the router. One of the comments on the reddit thread points out that reading that string backwords results in: “edit by (04882) joel backdoor”.
[Michael Fitzmayer] is a resident hacker at shackspace; der hackerspace in Stuttgart. He’s come up with this clever little ethernet adapter network-bridge that can share local controller-inputs over the internet. The entire project is open-source, and readily available on github. It’s still in the early stage of development, but it is already fully functional. The firmware is small and will fit on an ATmega8, and by the looks of the component list it’s a fairly easy build.
He’s even integrated a switch mode (hold B and Y during boot), which avoids trying to figure out which controller will be player one! After all, don’t you remember untangling the controller cords, trying to figure out which one is which?
We know you had a favorite controller and would give the other “crappy” one to your guest.
For the last few years, [Lt_Lemming] was the president of Brisbane’s hackerspace. Until several months ago, access to the local was done using 125KHz RFID tags and an Arduino board with a prototyping shield. As the hackerspace gained members and moved to bigger facilities, [Lt_Lemming] decided to build himself a more compact and advanced platform.
His Simple NetworkAble RFID Controller (SNARC) is a platform which can be connected to an Ethernet network and different RFID readers in order to implement smart access control functionalities. Through hole components were selected so even solder apprentices may assemble it. The PCB was designed using Fritzing, and development can even be done inside the Arduino IDE as ISP and serial headers are available on the board. Finally, an N-channel mosfet controls the door locking mechanism.
The project is open hardware and software, and all the sources can be downloaded from [Lt_Lemming]’s github repo.