It used to be that there wasn’t a problem on the average car that couldn’t be solved with a nice set of wrenches, a case of beer, and a long weekend. But the modern automobile has more in common with a spaceship than those vintage rides of yesteryear. Bristling with sensors and electronics, we’re at the point that some high-end cars need to go back to the dealer for even minor repairs. It’s a dark time for the neighborhood grease monkey.
But for those of us who are more likely to spend their free time working with a compiler than a carburetor, a modern car can be an absolute wonderland. That’s what [TJ Bruno] found when he recently started experimenting with the CAN bus on his 2017 Chevy Cruze. Not only was he able to decode how the different switches and buttons on the dashboard communicated with the vehicle’s onboard systems, he was able to hack in a forward-looking camera that’s so well integrated you’d swear it was a factory option.
The idea started simple enough: using some relays, [TJ] planned on physically switching the video feed going to the Chevy’s dashboard between the stock rear camera and his aftermarket front camera. That’s all well and good, but the car would still only bring up the video feed when the gear selector was put in reverse; not exactly helpful when he’s trying to inch his way into a tight spot. He needed to find a way to bring up the video display when the car was moving forward.
With a PCAN-USB adapter connected to the car’s OBD-II port, he shifted into and out of reverse a few times and noted which messages got transmitted on the network. It wasn’t long before he isolated the proper message, and when he injected it with his laptop, the dashboard display switched over to the backup camera regardless of what gear the car was in. Building on this success, he eventually figured out how to read the status of all the buttons on the car’s dashboard, and programmed an Arduino to listen for the appropriate signals.
The final piece of the puzzle was combing bringing both of these capabilities, so that went the appropriate button was pressed on the dashboard the Arduino would not only send the signal to turn on the video display, but kick the relays over to switch the camera source. Now [TJ] has a front-facing camera that can be called up without having to kludge together some button or switch that would never match the modern styling of the vehicle’s interior.
A couple years back we saw a similar project to add a backup camera to a Peugeot 207 that was too old to have one from the factory, and more recently we saw how CAN hacking can allow you to fight back when your car’s touch screen interface robs you of simple pleasures like pushing buttons and turning knobs.
Absolutely love it. Great write up as well, illustrating every step of the process from a complete novice to the CAN concept.
As an FYI, while the PCAN-USB is probably one of the cheapest commercial USB-CAN adapters I’ve seen, the canable is cheaper, nicer, and fully open source. Even the fully optoisolated Canable Pro is only $60
Whoops, forgot to include the link I was planning on including: https://canable.io/
+1 recommendation. This is what we use in our Shell Eco Marathon cars for CAN to USB communication.
Really the only negative thing I’ve found about the canable is this:
The candlelight firmware emulates a gs_usb device
The gs_usb device handles host endianness in an unusual way – the host sends a endianness-detection message and it’s up to the device, NOT the host driver, to handle byteswapping
The candlelight firmware will break horribly with a non-x86 host for this reason
I have a patch that fixes this device-side but it’s pretty ugly – I’m going to try and submit it this weekend though. It allows the canable to operate as a native socketcan device (as opposed to an slcan device) even with non-x86 hosts such as Atheros’ MIPS-based router SoCs.
Who says it is ugly, if it works!
“She great woman! Strong like bull!”
– Uncle Tanous
Hey Andy,
I’ve run CANables extensively on x86 and 32-bit ARM, but not much else in the embedded world. I haven’t dug deep enough into the candlelight firmware or the gs_usb kernel driver to have much exposure to the endianness negotiation. Definitely would appreciate a patch! I’ll plan on adding a note to the documentation regarding supported architectures.
Sorry for not getting back to you earlier on this, but:
What host OS/toolchain are you using to build candleLight firmware? I have successfully built/run on an old Ubuntu 16.04 box I have lying around, but anything built on an 18.04 laptop is 500-1500 bytes larger (I don’t remember exactly) and also fails to boot. Haven’t tried my personal 19.04 laptop yet. (Hoping to get to that later this week, once I can buid/boot on that laptop I’ll send you a pull request)
Glad to hear that you guys are still making good use of the CANable! Fun fact–I was a CpE student at Cedarville, and also worked on the CU eco-marathon cars on the electrical team ~2012. Back then we didn’t run any CAN on the car, but it was still a fun time!
Cool! I just graduated as a EE from Cedarville. We are using the CANable to read all of the sensor data from the car onto the tablets. We had to recompile the Linux kernel for Android to get CAN drivers, so I think the team will move to a RPi next year. I am still trying to convince Dr. Z that the team should use CAN to run the rest of the systems in the cars so that we can control the whole system from the server (I don’t think it will happen).
Thanks! I have a Chevy Volt that I’d really like to poke at via CAN, but when I saw the price of the PCAN-USB, it kind of put the breaks on that idea. Now I’m excited again. Going to order one of these right now!
https://github.com/autowp/arduino-canhacker
Super cheap way to get started.
You can also get CAN boards based on the ESP32 (which has a built-in CAN transceiver) for $50, which gives you wireless communication.
The 8devices USB2CAN was also nice and cheap, but it got replaced by a closed hardware/closed firmware device.
https://github.com/hardbyte/python-can/issues/465#issuecomment-462385775
suggests that the real successor to the USB2CAN is the TouCAN (open schematics, closed firmware AFAICS).
How important are the isolators? Is it a Bad Idea to use the non-Pro version?
I did something similar years ago with a MINI Cooper.
http://bobodyne.com/web-docs/robots/MINI/CAN/Presentation/
HEY!! Mr Kilian I used your investigation for my CAN bus hacking of a Smart Fortwo:
https://hackaday.io/project/19931-smart-fortwo-can-bus-reverse-engineering
(gave you credit of course)
Now I am reading the steering wheel from CAN to replicate a Self Driving Course from Udemy, but have not written about it yet:
https://github.com/dvelazquez/SmartLogs
(basically training Nvidia’s CNN paper running on Google’s Collab then the compiled model on a laptop model.predict(current_street_photo) )
I have some of the CAN IDs of the Smart ForTwo and a Mazda CX3, am using a Beaglebone Black with Python or C.
Cheers
Daniel Velazquez
“But the modern automobile has more in common with a spaceship than those vintage rides of yesteryear. Bristling with sensors and electronics, we’re at the point that some high-end cars need to go back to the dealer for even minor repairs. It’s a dark time for the neighborhood grease monkey.”
Just wait till someone invents the autonomous car. ;-)
Like “Christine”?
B^)
Pretty cool, but probably a good idea to be somewhat wary about telling the car you’re in reverse when you’re not. Might have unintended consequences if that flag controls any computer states related to safety features or other such important subsystems that are operational during normal forward-driving.
I wonder if he has one of the insurance policies that has you install a CAN sniffer. “Sir, we’re revoking your policy as we see you’ve been driving in reverse at 60 MPH.”
An insurance company which wants to install eavesdropping hardware in my car?
I think I would first “put” the heel of my boot on this peace of crap and then the tip to the backside of the insurance guy (forcefully).
Such a thing is an absolute No-Go.
Progressive Insurance
https://www.progressive.com/auto/discounts/snapshot/
I thought about this to, but I’m assuming part of the process that TJ glossed over was isolating the signal that pertains to the video screen somehow. They’re would certainly be some obvious side-effects if the whole car believed it suddenly was in reverse.
“They’re would certainly be some obvious side-effects if the whole car believed it suddenly was in reverse.”
Such as rolling back the odometer?
B^)
The bus he’s sniffing is the non-safety-critical bus. I imagine the command that says “hey I’m in reverse” is on the safety critical bus. The command he’s staying might just be a “trigger display” command. But I suppose there’s no way to know for sure.
Yeah, there’s certainly a decent chance this is fine, but coming from years of embedded development, nothing would surprise me as far as the software is concerned.
As an example, say you’re right and there are 2 different flags set when the car is put into reverse: “inReverse” and “enableReverseDisplay”. I would bet money that someone, somewhere used “enableReverseDisplay” to determine if the car was in reverse rather than “inReverse.” Granted, that might not mean the car will end up in a fiery crash, but there’s certainly a possibility some other car function will not operate as expected, because the software in that area of code thinks the car is in reverse. It’s hard to say without having full access to the software on board.
Read the article – he’s not using reverse select to trigger anything. He’s using a double-tap of the cancel cruise control button on the steering wheel.
But then he’s having the Arduino send a “we’re in reverse!” message onto the CANbus. So basically the same thing.
Hey, Great job! Now can you do this for VAN… bloody frickin’ Peugeot custom network? :)
Please share the code
I hole he’ll make a decent pcb instead of those jumper wires. Shorting the can bus would result in an unusable bus and failing to get any message accross.
Is there any docu on assurance companies coping with user installed can stuff? I would think if a company sells something that will connect to a can bus it should meet certain certifications.
Here are some links I found useful Prius owner here 2008 Prius w 330k miles
https://fabiobaltieri.com/2013/07/23/hacking-into-a-vehicle-can-bus-toyothack-and-socketcan/
https://attachments.priuschat.com/attachment-files/2017/04/122809_Communication_with_a_Toyota_Prius.pdf
https://community.carloop.io/t/list-of-can-id-descriptions-from-opengarages-org/104
https://medium.freecodecamp.org/hacking-cars-a-guide-tutorial-on-how-to-hack-a-car-5eafcfbbb7ec
Mattster
I’m thinking this will be an interesting method (methods based on comments too) to complete the rear view camera and reverse by-pass switch without adding an additional switch for my 2013 Prius.
Here is the link I dug up with wiring info and a system to integrate, though I picked up another brand on evil bay:
https://axxessinterfaces.com/products?Year=2013&Make=Toyota&Model=Prius&TrimOption%5B%5D=Standard%20Audio
I’ll have to read into more in regards to the grill shutters I want to implement also that can be manually or temperature controlled. That project is being fired up again with a new (used OEM) bumper guard that was a great price I paid for and need to go pick up. I’ll use the old one as either a scaffold for the new design or a mold buck since lower drag will be a priority also with ideally a tail section that swings open to the side to have a tail gate area to make more room in the back.
I also was thinking about lowering the drag over the years using a few methods that started with the 2001 Dodge Ram like I noted above with grill shutter, low drag tail for storage too and also using rear view mirrors changed to a bullet lower drag design with a camera and dedicated display for each camera on the dash behind the steering wheel. This CAN method might not be a bad idea also for that design in the Prius say if wanting to toggle through the cameras with the center console when in the car and the windows are covered.
The about feasible of my plans for the Prius only would be hacking into what controls the optimal setting(s) for fuel efficiency at say a newly adopted 75 mph speed limit versus the 2013 70 mph typical. Also, an all EV button method hacked in somehow would be cool to do too. I’d need a better graphical visual understanding of the whole system and processes involved before getting into that. The all EV button might be something more stock and easier to do since is disclosed in the older models last I knew.
Yeah… here’s a quick link on the EV button: http://www.evnut.com/prius_ev_mode.htm
Neat, keep us posted and hook us up with some code. Flowcharts would be something I’d make also for the fuel efficiency changes since something like a drive train hack could turn out scary I’m thinking.
Anyone know of a GUI that can be used to transmit data? I’ve got a Pi with a CAN hat, and I’d like a simple way to test continuously sending different values to a instrument cluster from a 2007 BMW e92!
Hoookay… So I got my CANable Pro and OBD2 cable, looked at some web sites for pinouts, metered out the wires coming from the connector, installed drivers and software on my laptop, and took the whole mess out to my Chevy Volt in the garage and plugged it in. Turned the car on and… all hell broke loose. The engine started immediately. “Check Engine! Check traction control! Check airbags! Check charging system! Navigation unavailable! Reduced traction power available! Shutting down unnecessary loads! OMG OMG!”. So I shut everything off, disconnected the cables, cleaned the driver’s seat, and turned the car back on. Some of the warnings were still there, but some had gone away. I ended up connecting and disconnecting the charger a few times and turning the car on and off a few times, but it eventually all went back to normal but the check engine light. On the Volt forums, I read that the check engine will go away after three or four drives if there’s not really an issue, and someone who had been messing with his fuses and had the car freak out confirmed it. So… because I’m stubborn, I decided to try again with the terminator jumper in the ON position. I took it off because I figured the bus should already be terminated at whatever the “ends” are in the car. Everything came up normally with the CANable connected this time. Fired up “cantact-app” on the laptop, but there was no data being displayed. Poked around and found the port setting options and the “Start” button. Pushed start and everything went crazy and caught on fire again. Dammit – I just *cleaned* that seat, too! So… got everything calmed down and then realized the CANbus speed was set wrong vs. the car. Corrected that, cleaned the seat *AGAIN*, and tried it. Got nice rows of red and black numbers scrolling up the cantact display. No idea what any of them mean, but nothing caught on fire this time, so… win, right? O.O
Sounds like a blast
I am working on a replacement instrument cluster for my 2008 Pontiac Solstice. The new instrument panel is going to bring the vehicle up to current technology offered in vehicles. Here are some of the abilities it will add to the vehicle.
more telemetry will be available, some examples are air fuel ratio, oil pressure and transmission temperature.
built in OBDII diagnostic that will list possible causes and not just DTC codes
early warning of a potential problem
parking assistance cameras
parking assist sensors
birds eye view of the vehicle
object detection with visual marking.
dynamic backup guides that curve as the steering wheel is turned
lane assistance
blind spot viewing
navigation
hands free calling
transparent OLED HUD
curve & horizon active headlamps
Inertia controlled brake lights
streaming music services integration like Pandora or Spotify
integration with the factory audio system
fuel economy calculations
automatic tire size adjustment
integration with the factory steering wheel controls
What I am making is not going to require any modification to the dashboard other then taking out the old instrument cluster and putting the new one in place. It will work with the stock bezel. It will look and function like an OE component in the vehicle.
I have the GUI and OBDII coded, I am working on reverse engineering the CAN bus data. I wrote a piece of software that will hopefully aide in identifying the CAN messages needed to display icons for various things like turn signals, door open and trunk open. All of the typical lights seen on a dashboard.