Reverse Engineering The Smart ForTwo CAN Bus

The CAN bus has become a defacto standard in modern cars. Just about everything electronic in a car these days talks over this bus, which makes it fertile ground for aspiring hackers. [Daniel Velazquez] is striking out in this area, attempting to decode the messages on the CAN bus of his Smart ForTwo.

[Daniel] has had some pitfalls – first attempts with a Beaglebone Black were somewhat successful in reading messages, but led to strange activity of the car and indicators. This is par for the course in any hack that wires into an existing system – there’s a high chance of disrupting what’s going on leading to unintended consequences.

Further work using an Arduino with the MCP_CAN library netted [Daniel] better results, but  it would be great to understand precisely why the BeagleBone was causing a disturbance to the bus. Safety is highly important when you’re hacking on a speeding one-ton metal death cart, so it pays to double and triple check everything you’re doing.

Thus far, [Daniel] is part way through documenting the messages on the bus, finding registers that cover the ignition and turn signals, among others. Share your CAN hacking tips in the comments. For those interested in more on the CAN bus, check out [Eric]’s great primer on CAN hacking – and keep those car hacking projects flowing to the tip line!

33 thoughts on “Reverse Engineering The Smart ForTwo CAN Bus

  1. I’m not sure why you might have had trouble with the BBB. We used those to tap into the CAN bus on combine harvesters for monitoring weight, humidity, vehicle speed, position, etc, and never experienced a problem with it disrupting anything. We were purely passive, as I imagine you were trying to be. All this data was uploaded to a server via GSM, where the “big data” computations would do an early yield forecast.

  2. I’m surprised anything worked at all with the state of the soldering. And also, the length of the wires to the beaglebone are probably causing some reflections. I would be trying to keep those wires less than 6″, and some twisted pair cabling wouldn’t hurt either.

    1. Additional nodes can be have legs as long as 3 feet or so. The baud in this case is 500k, which is still rather forgiving of wild connections, and poor solder joints. 250k is super robust. 1M is less forgiving.

    2. If you have proper twisted wire the length is not that critical. Of course it depends on the number of nodes on the bus, the speed and how many wire stubs there are already in the vehicle, but a couple of meters should be no problem in general. But errors in the termination, e.g. additional termination resistors, strongly reduce your signal levels.

  3. Why is he connecting at the instrument cluster? As far as I know In the United States the high-speed CAN has connections at the OBD2 connector. I believe it’d be easy to passively capture data from the network, but how does someone inject data with causing CAN bus errors?

    1. Depends on the vehicle. Some manufacturers firewall the OBD2 connector such that only OBD2 traffic runs on that CAN bus, but many just wire out the highspeed bus to that connector.

      Some vehicles have multiple buses and there’s SOME traffic on the OBD2 bus beyond OBD2, but the good stuff is elsewhere. (Tesla vehicles for example).

      Also there are some pieces of information only available on the low-speed body CAN bus.

  4. I think that Hackaday employs powers that are best left alone. Too often an article appears that has already peaked my interest. Only a week ago I ordered some CANBUS SPI boards and await their arrival from China in order to explore my ForTwo.

    It is just plain scary how you do that sometimes.

      1. Hmm – I’ve had no issues with an MCP2515 board capturing around 50% bus load on a 500k bus. (2009 Subaru Outback).

        If I filter on a given message type in a capture, I see consistent inter-packet intervals for every message type indicating nothing is getting lost.

        I can even transmit on the bus (Subaru SSM-over-CAN) with no ill effects.

  5. Hello Daniel, can you help me? I need to read gearbox status and information about which gear now, but can’t find correct address in CAN bus. I own Smart Fortwo 451 MHD, use Arduino. Thank you for help!

  6. Hi Lewin, thanks for your post and sharing. I’d like to take the opportunity to share ‘s new product, bringing HW and SW platform to SW developers interested in hacking vehicles over e.g. CAN, OBD, K- , L- buses.

  7. I have a 2012 Audi A5, I bought a USB2CAN device and connected to my car using an ODBII cable…nothing read, before this I had a USB CanSniffer again, nothing. What I want to do is intercept signals on the CAN bus for indicators, reverse, hazards, brakes and lights and read these signals into a microcontroller. Can anyone help me on what hardware I should use to achieve this?

  8. Smart 451 2010 Gas… I’m working with an OBDII dongle to reverse engineer my car using so far I’m accessing codes. I am setting my car up to install a radar, cruise control, and a camera system to watch the road. Level 2 autopilot is what I plan to achieve. Anyone else taking a stab at it?

  9. Hi, Lawin Day!
    Could you help me please?
    I have a smart fortwo 450 (2004 year). And i tried to connect a CAN-bus for listen messages. My goal – is to open doors.
    I can to connect from dashboard or SAM directly via transceiver. But messages was read only ignition was turn on.
    Is it a correctly work? Can i to open doors use CAN?

  10. Does anyone have experience of using MegaSquart 3 ECU on a Smart 451. I am looking at a project to replace the existing ECU with the MegaSquart. To do this I need to aquaria an understanding of the Smart CAN Bus. MegaSquart has a CAN Bus that can broadcast the Engine Stats to the other systems on the CAN Bus.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.