This edition of Fail of the Week is nothing short of remarkable, and your help could really get the failed project back on track. [Snipor Bob] wanted to replace all of the dashboard readouts on his Mustang and got the idea of making the hacked hardware into a Heads-Up Display. What you see above is simply the early hardware proof of concept for tapping into the vehicle’s data system. But there’s also an interesting test rig for getting the windshield glass working as a reflector for the readout.
Unfortunately, there’s no set standard for CAN connections. The most common connector for high-speed CAN is a DE-9, with CAN high on pin 7 and CAN low on pin 2. However cables will differ, and many are incompatible.
CAN needs to be terminated, preferably by a 120 ohm resistance on either end of the bus. In practice, you can stick a single 120 ohm resistor across the bus to deal with termination.
A good CAN tool will let you transmit and receive CAN messages, interpret live data using CAN databases, and talk CAN protocols. The tools with this feature set are proprietary and expensive, but some hacker friendly options exist.
Based on [Travis Goodspeed’s] GoodFET, the GoodThopter by [Q] uses the Microchip MCP2515 CAN to SPI controller to access the bus. The open hardware tool lets you send and receive messages using Python scripts.
CAN Bus Triple
The CAN Bus Triple device provides an interface to three CAN buses, and can be programmed in an environment similar to Arduino. The open source code provided lets you muck with the second generation Mazda 3. Unfortunately, the hardware does not appear to be open source.
It’s not open source, but the Saleae Logic is a very handy and cheap tool for looking at CAN buses. It can capture, decode, and display CAN traffic. This is most useful when you’re building your own CAN hardware.
If you want to design your own hardware for CAN, you’ll need two things: a CAN controller, and a CAN transceiver.
The CAN controller generates and interprets CAN messages. There’s many microcontrollers on the market with built-in CAN controllers, such as the Atmel ATmega32M1, Freescale S08D, and the TI Tiva C Series. When using a built-in CAN controller, you’ll have to use an external oscillator, internal oscillators are not sufficiently accurate for high-speed CAN. If you want to add CAN to an existing microcontroller, the MCP2515 is an option. It’s a standalone CAN controller that communicates over SPI.
The transceiver translates signals from the controller to the bus, and from the bus to the transceiver. Different transceivers are needed for high-speed and low-speed CAN networks. The NXP TJA1050 works with high-speed buses, and the ON Semi NCV7356 works with low-speed, single wire buses.
There’s a ton of development boards out there featuring microcontrollers with a CAN controller. The Arduino Due‘s SAM3 processor has a controller, but there’s no transceiver on the board. You can pick up a CAN bus shield, and the Due CAN Library to get started.
The ChipKIT Max32 is similar to the Due. It has two CAN controllers, but you’ll need to provide external transceivers to actually get on a bus. Fortunately there’s a shield for that. The ChipKIT is officially supported by Ford’s OpenXC Platform, so you can grab their firmware.
That concludes our discussion of CAN Hacking. Hopefully you’re now ready to go out and experiment with the protocol. If you have questions, send them along to our tip line with “CAN Hacking” in the subject, and we’ll compile some answers. If you liked this series and want to suggest a topic for the next set of posts we’d love to hear that as well!
We’ve gone over the basics of CAN and looked into how CAN databases work. Now we will look at a few protocols that are commonly used over CAN.
In the last article we looked at CAN databases, where each bit of a message is mapped to a specific meaning. For example, bit 1 of a CAN message with ID 0x400 might represent whether the engine is currently running or not.
However, for more complex communications we need to use protocols. These can map many meanings to a single CAN ID by agreeing on a structure for sending and receiving data.
Last time, we discussed how in-vehicle networks work over CAN. Now we’ll look into the protocol and how it’s used in the automotive industry.
On the hardware side, there’s two types of CAN: differential (or high-speed) and single wire. Differential uses two wires and can operate up to 1 Mbps. Single wire runs on a single wire, and at lower speeds, but is cheaper to implement. Differential is used in more critical applications, such as engine control, and single wire is used for less important things, such as HVAC and window control.
Many controllers can connect to the same bus in a multi-master configuration. All messages are broadcast to every controller on the bus.
We’re introducing a new series on CAN and automotive hacking. First, we’ll introduce CAN and discuss how in-vehicle networks work.
In 1986, Bosch introduced the Controller Area Network protocol. It was designed specifically for in-vehicle networks between automotive controllers. CAN became a popular option for networking controllers in automotive, industrial, and robotics applications. Starting in 2008, all vehicles sold in the US must use CAN.
Modern vehicles are distributed control systems, with controllers designed to handle specific tasks. For example, a door control module would take care of locks and windows. CAN allows these controllers to communicate. It also allows for external systems to perform diagnostic tasks by connecting to the in-vehicle network.
Some examples of CAN communication in a vehicle include:
- The engine control module sending the current engine speed to the instrument cluster, where it is displayed on a tachometer.
- The driver’s door controller sending a message to another door controller to actuate the window.
- A firmware upgrade for a controller, sent from a diagnostics tool.
CAN is usually used with little or no security, except for the obscurity of the communications. We can use CAN to USB interfaces to listen to the traffic, and then decode it. We can also use these tools to send forged messages, or to perform diagnostic actions. Unfortunately, most of the tools for dealing with CAN are proprietary, and very expensive. The diagnostics protocols are standards, but not open ones. They must be purchased from the International Organization for Standardization.
Next time, we’ll get into the structure of CAN frames, and how traffic is encoded on the bus.
[Image via Wikipedia]
This setup is used to control a model railroad. Well, not entirely this setup. [Gerhard Bertelsmann] already has a proper railroad controller, and it just happens to offer CAN bus communications. He’s using OpenWRT and a cheap router to connect the bus to the network.
Originally he wanted to use a Raspberry Pi board for the project, but the incredible backorder situation with that hardware led him to grab an old router. After loading OpenWRT he started working out how to connect a couple of ICs (MCP2515 and MCP2551) that will take care of the CAN bus communications. The hardware connections end up being pretty simple, with five data lines (and their pull-up resistors) connecting to the router’s serial header. From there it was a matter of mapping the device in software so that the hardware can be controlled over the network.
We like this example since CAN is used is a lot of other applications.
Next time you’re making yourself a tunafish sandwich, try to figure out how to build a Stirling engine from the leftovers (translated). If you can pull it off as well as [Killerlot] did we’d say you’ve earned your hacker badge.
The can used in this project was actually sardines in tomato sauce, but the former contents are moot. The can serves as a steam chamber for the sterling engine. A cam rod, piston, and valve are all fashioned from paperclips, along with the support structure that holds them in place. Inside the can is a
damp sponge. When an alcohol lamp is placed beneath the can it heats the water air inside, which creates pressure on the piston, pushing it up until the cam opens the valve, relieving pressure just in time for the cycle to start over again. Momentum is a necessary part of the mechanism and that’s where the CD fly-wheel comes in. See it chugging along in the clip after the break.
Update: Corrected spelling thanks to [Chris Muncy] and removed references to water/steam thanks to this comment from [Khordas].