The CAN bus has become a defacto standard in modern cars. Just about everything electronic in a car these days talks over this bus, which makes it fertile ground for aspiring hackers. [Daniel Velazquez] is striking out in this area, attempting to decode the messages on the CAN bus of his Smart ForTwo.
[Daniel] has had some pitfalls – first attempts with a Beaglebone Black were somewhat successful in reading messages, but led to strange activity of the car and indicators. This is par for the course in any hack that wires into an existing system – there’s a high chance of disrupting what’s going on leading to unintended consequences.
Further work using an Arduino with the MCP_CAN library netted [Daniel] better results, but it would be great to understand precisely why the BeagleBone was causing a disturbance to the bus. Safety is highly important when you’re hacking on a speeding one-ton metal death cart, so it pays to double and triple check everything you’re doing.
Thus far, [Daniel] is part way through documenting the messages on the bus, finding registers that cover the ignition and turn signals, among others. Share your CAN hacking tips in the comments. For those interested in more on the CAN bus, check out [Eric]’s great primer on CAN hacking – and keep those car hacking projects flowing to the tip line!
I’m not sure why you might have had trouble with the BBB. We used those to tap into the CAN bus on combine harvesters for monitoring weight, humidity, vehicle speed, position, etc, and never experienced a problem with it disrupting anything. We were purely passive, as I imagine you were trying to be. All this data was uploaded to a server via GSM, where the “big data” computations would do an early yield forecast.
Yeah I had termination resistors on the BBB I/F and I shouldn’t, just removed them and it worked without interrupting the bus anymore.
Yeah, safe to assume than an already-running CAN bus will have the termination done already. Bad to change impedance, even when adding nodes.
I’m surprised anything worked at all with the state of the soldering. And also, the length of the wires to the beaglebone are probably causing some reflections. I would be trying to keep those wires less than 6″, and some twisted pair cabling wouldn’t hurt either.
I was quiet surprised too when I saw the soldering…
Additional nodes can be have legs as long as 3 feet or so. The baud in this case is 500k, which is still rather forgiving of wild connections, and poor solder joints. 250k is super robust. 1M is less forgiving.
If you have proper twisted wire the length is not that critical. Of course it depends on the number of nodes on the bus, the speed and how many wire stubs there are already in the vehicle, but a couple of meters should be no problem in general. But errors in the termination, e.g. additional termination resistors, strongly reduce your signal levels.
Why is he connecting at the instrument cluster? As far as I know In the United States the high-speed CAN has connections at the OBD2 connector. I believe it’d be easy to passively capture data from the network, but how does someone inject data with causing CAN bus errors?
There is no one canbus in the car, in my 2003 A4 I have 3 different busses and kombi instrument is routing information between them newer cars have dedicated gateway
Depends on the vehicle. Some manufacturers firewall the OBD2 connector such that only OBD2 traffic runs on that CAN bus, but many just wire out the highspeed bus to that connector.
Some vehicles have multiple buses and there’s SOME traffic on the OBD2 bus beyond OBD2, but the good stuff is elsewhere. (Tesla vehicles for example).
Also there are some pieces of information only available on the low-speed body CAN bus.
Uhh. Wouldn’t it have been easier to just plug into the OBD-II diagnostics socket that is in the car? The connections to the CAN bus are on there as well.
Often that goes directly to either the ECU (older OBDII cars) or CAN gateway.
Sometimes you gotta hit the specific canbus directly in order to get raw data.
Not all vehicles have an unfirewalled connection between the main CAN bus and the OBD2 connector.
I think that Hackaday employs powers that are best left alone. Too often an article appears that has already peaked my interest. Only a week ago I ordered some CANBUS SPI boards and await their arrival from China in order to explore my ForTwo.
It is just plain scary how you do that sometimes.
Just a warning: The SPI interface of the mcp251x is too slow to capture all packets
Well hmmph, that is not looking like a good start then. :)
Interesting, I was just about to do something similar with an MCP2515 and my BMW E83 X3. What bus load and speed did you start noticing issues?
Hmm – I’ve had no issues with an MCP2515 board capturing around 50% bus load on a 500k bus. (2009 Subaru Outback).
If I filter on a given message type in a capture, I see consistent inter-packet intervals for every message type indicating nothing is getting lost.
I can even transmit on the bus (Subaru SSM-over-CAN) with no ill effects.
Use an STM32. They typically have two controllers, and are mighty fast. Let me know if you need driver code. I have it running quickly on STM32F446 Nucleo.
Hi Tyler, could you please provide can driver, I have a bit diffuculty getting my nucleo to wotk with can
I did a talk on reverse-engineering the packets of a 2002 MINI Cooper a while ago.
Without the talking part it’s less interesting, but you can see it here: http://bobodyne.com/web-docs/robots/MINI/CAN/Presentation/index.html
I do talk about how I figured out which wheel sensor was which by driving around an S curve and over some sticks.
Haha I like your presentation, is pretty much the same process I am doing to find out what ID has what data and what it means…
https://cdn.hackaday.io/files/19931852727904/Smart%20ForTwo%20CAN%20RAW%20Data%20and%20Notes.ods
Cool…
Very similar hacking on VW and Skoda dashboards that I did recently:
https://trandi.wordpress.com/2016/11/30/automotive-can-bus-hacking/
Something useful to know about is this:
http://www.jv-technoton.com/contactless_reader/cancrocodile
It is an inductive CAN reader. The circuit outputs standard CAN signals that you can wire up to any CAN transceiver, but you don’t have to worry about bus termination or a misconfigured software borking your CAN bus.
Reverse engineering has contributed lot in the field of Car engineering. This is best way to manufactures quality automobile. I have studied this concept in my engineering college.
Hello Daniel, can you help me? I need to read gearbox status and information about which gear now, but can’t find correct address in CAN bus. I own Smart Fortwo 451 MHD, use Arduino. Thank you for help!
is ID 0x418, divide by 17 and you get the gear. Except R that is a higher number
Hi Lewin, thanks for your post and sharing. I’d like to take the opportunity to share Autopi.io ‘s new product, bringing HW and SW platform to SW developers interested in hacking vehicles over e.g. CAN, OBD, K- , L- buses.
I have a 2012 Audi A5, I bought a USB2CAN device and connected to my car using an ODBII cable…nothing read, before this I had a USB CanSniffer again, nothing. What I want to do is intercept signals on the CAN bus for indicators, reverse, hazards, brakes and lights and read these signals into a microcontroller. Can anyone help me on what hardware I should use to achieve this?
Smart 451 2010 Gas… I’m working with an comma.ai OBDII dongle to reverse engineer my car using Cabana.ai.. so far I’m accessing codes. I am setting my car up to install a radar, cruise control, and a camera system to watch the road. Level 2 autopilot is what I plan to achieve. Anyone else taking a stab at it?
Hello Bryan, have you made some code for the camera?
I have some simple and not good things here: https://github.com/dvelazquez/SelfDrivingCar
Hi, Lawin Day!
Could you help me please?
I have a smart fortwo 450 (2004 year). And i tried to connect a CAN-bus for listen messages. My goal – is to open doors.
I can to connect from dashboard or SAM directly via transceiver. But messages was read only ignition was turn on.
Is it a correctly work? Can i to open doors use CAN?
Does anyone have experience of using MegaSquart 3 ECU on a Smart 451. I am looking at a project to replace the existing ECU with the MegaSquart. To do this I need to aquaria an understanding of the Smart CAN Bus. MegaSquart has a CAN Bus that can broadcast the Engine Stats to the other systems on the CAN Bus.