Sniffing CAN To Add New Features To A Modern Car

It used to be that there wasn’t a problem on the average car that couldn’t be solved with a nice set of wrenches, a case of beer, and a long weekend. But the modern automobile has more in common with a spaceship than those vintage rides of yesteryear. Bristling with sensors and electronics, we’re at the point that some high-end cars need to go back to the dealer for even minor repairs. It’s a dark time for the neighborhood grease monkey.

But for those of us who are more likely to spend their free time working with a compiler than a carburetor, a modern car can be an absolute wonderland. That’s what [TJ Bruno] found when he recently started experimenting with the CAN bus on his 2017 Chevy Cruze. Not only was he able to decode how the different switches and buttons on the dashboard communicated with the vehicle’s onboard systems, he was able to hack in a forward-looking camera that’s so well integrated you’d swear it was a factory option.

The idea started simple enough: using some relays, [TJ] planned on physically switching the video feed going to the Chevy’s dashboard between the stock rear camera and his aftermarket front camera. That’s all well and good, but the car would still only bring up the video feed when the gear selector was put in reverse; not exactly helpful when he’s trying to inch his way into a tight spot. He needed to find a way to bring up the video display when the car was moving forward.

With a PCAN-USB adapter connected to the car’s OBD-II port, he shifted into and out of reverse a few times and noted which messages got transmitted on the network. It wasn’t long before he isolated the proper message, and when he injected it with his laptop, the dashboard display switched over to the backup camera regardless of what gear the car was in. Building on this success, he eventually figured out how to read the status of all the buttons on the car’s dashboard, and programmed an Arduino to listen for the appropriate signals.

The final piece of the puzzle was combing bringing both of these capabilities, so that went the appropriate button was pressed on the dashboard the Arduino would not only send the signal to turn on the video display, but kick the relays over to switch the camera source. Now [TJ] has a front-facing camera that can be called up without having to kludge together some button or switch that would never match the modern styling of the vehicle’s interior.

A couple years back we saw a similar project to add a backup camera to a Peugeot 207 that was too old to have one from the factory, and more recently we saw how CAN hacking can allow you to fight back when your car’s touch screen interface robs you of simple pleasures like pushing buttons and turning knobs.

39 thoughts on “Sniffing CAN To Add New Features To A Modern Car

  1. As an FYI, while the PCAN-USB is probably one of the cheapest commercial USB-CAN adapters I’ve seen, the canable is cheaper, nicer, and fully open source. Even the fully optoisolated Canable Pro is only $60

      1. Really the only negative thing I’ve found about the canable is this:
        The candlelight firmware emulates a gs_usb device
        The gs_usb device handles host endianness in an unusual way – the host sends a endianness-detection message and it’s up to the device, NOT the host driver, to handle byteswapping
        The candlelight firmware will break horribly with a non-x86 host for this reason

        I have a patch that fixes this device-side but it’s pretty ugly – I’m going to try and submit it this weekend though. It allows the canable to operate as a native socketcan device (as opposed to an slcan device) even with non-x86 hosts such as Atheros’ MIPS-based router SoCs.

        1. Hey Andy,

          I’ve run CANables extensively on x86 and 32-bit ARM, but not much else in the embedded world. I haven’t dug deep enough into the candlelight firmware or the gs_usb kernel driver to have much exposure to the endianness negotiation. Definitely would appreciate a patch! I’ll plan on adding a note to the documentation regarding supported architectures.

          1. Sorry for not getting back to you earlier on this, but:

            What host OS/toolchain are you using to build candleLight firmware? I have successfully built/run on an old Ubuntu 16.04 box I have lying around, but anything built on an 18.04 laptop is 500-1500 bytes larger (I don’t remember exactly) and also fails to boot. Haven’t tried my personal 19.04 laptop yet. (Hoping to get to that later this week, once I can buid/boot on that laptop I’ll send you a pull request)

      2. Glad to hear that you guys are still making good use of the CANable! Fun fact–I was a CpE student at Cedarville, and also worked on the CU eco-marathon cars on the electrical team ~2012. Back then we didn’t run any CAN on the car, but it was still a fun time!

        1. Cool! I just graduated as a EE from Cedarville. We are using the CANable to read all of the sensor data from the car onto the tablets. We had to recompile the Linux kernel for Android to get CAN drivers, so I think the team will move to a RPi next year. I am still trying to convince Dr. Z that the team should use CAN to run the rest of the systems in the cars so that we can control the whole system from the server (I don’t think it will happen).

    1. Thanks! I have a Chevy Volt that I’d really like to poke at via CAN, but when I saw the price of the PCAN-USB, it kind of put the breaks on that idea. Now I’m excited again. Going to order one of these right now!

    1. HEY!! Mr Kilian I used your investigation for my CAN bus hacking of a Smart Fortwo:
      https://hackaday.io/project/19931-smart-fortwo-can-bus-reverse-engineering
      (gave you credit of course)

      Now I am reading the steering wheel from CAN to replicate a Self Driving Course from Udemy, but have not written about it yet:
      https://github.com/dvelazquez/SmartLogs
      (basically training Nvidia’s CNN paper running on Google’s Collab then the compiled model on a laptop model.predict(current_street_photo) )

      I have some of the CAN IDs of the Smart ForTwo and a Mazda CX3, am using a Beaglebone Black with Python or C.

      Cheers
      Daniel Velazquez

  2. “But the modern automobile has more in common with a spaceship than those vintage rides of yesteryear. Bristling with sensors and electronics, we’re at the point that some high-end cars need to go back to the dealer for even minor repairs. It’s a dark time for the neighborhood grease monkey.”

    Just wait till someone invents the autonomous car. ;-)

  3. Pretty cool, but probably a good idea to be somewhat wary about telling the car you’re in reverse when you’re not. Might have unintended consequences if that flag controls any computer states related to safety features or other such important subsystems that are operational during normal forward-driving.

    1. I wonder if he has one of the insurance policies that has you install a CAN sniffer. “Sir, we’re revoking your policy as we see you’ve been driving in reverse at 60 MPH.”

      1. An insurance company which wants to install eavesdropping hardware in my car?
        I think I would first “put” the heel of my boot on this peace of crap and then the tip to the backside of the insurance guy (forcefully).
        Such a thing is an absolute No-Go.

    2. I thought about this to, but I’m assuming part of the process that TJ glossed over was isolating the signal that pertains to the video screen somehow. They’re would certainly be some obvious side-effects if the whole car believed it suddenly was in reverse.

    3. The bus he’s sniffing is the non-safety-critical bus. I imagine the command that says “hey I’m in reverse” is on the safety critical bus. The command he’s staying might just be a “trigger display” command. But I suppose there’s no way to know for sure.

      1. Yeah, there’s certainly a decent chance this is fine, but coming from years of embedded development, nothing would surprise me as far as the software is concerned.

        As an example, say you’re right and there are 2 different flags set when the car is put into reverse: “inReverse” and “enableReverseDisplay”. I would bet money that someone, somewhere used “enableReverseDisplay” to determine if the car was in reverse rather than “inReverse.” Granted, that might not mean the car will end up in a fiery crash, but there’s certainly a possibility some other car function will not operate as expected, because the software in that area of code thinks the car is in reverse. It’s hard to say without having full access to the software on board.

    4. Read the article – he’s not using reverse select to trigger anything. He’s using a double-tap of the cancel cruise control button on the steering wheel.

  4. I hole he’ll make a decent pcb instead of those jumper wires. Shorting the can bus would result in an unusable bus and failing to get any message accross.

    Is there any docu on assurance companies coping with user installed can stuff? I would think if a company sells something that will connect to a can bus it should meet certain certifications.

  5. I’m thinking this will be an interesting method (methods based on comments too) to complete the rear view camera and reverse by-pass switch without adding an additional switch for my 2013 Prius.

    Here is the link I dug up with wiring info and a system to integrate, though I picked up another brand on evil bay:
    https://axxessinterfaces.com/products?Year=2013&Make=Toyota&Model=Prius&TrimOption%5B%5D=Standard%20Audio

    I’ll have to read into more in regards to the grill shutters I want to implement also that can be manually or temperature controlled. That project is being fired up again with a new (used OEM) bumper guard that was a great price I paid for and need to go pick up. I’ll use the old one as either a scaffold for the new design or a mold buck since lower drag will be a priority also with ideally a tail section that swings open to the side to have a tail gate area to make more room in the back.

    I also was thinking about lowering the drag over the years using a few methods that started with the 2001 Dodge Ram like I noted above with grill shutter, low drag tail for storage too and also using rear view mirrors changed to a bullet lower drag design with a camera and dedicated display for each camera on the dash behind the steering wheel. This CAN method might not be a bad idea also for that design in the Prius say if wanting to toggle through the cameras with the center console when in the car and the windows are covered.

    The about feasible of my plans for the Prius only would be hacking into what controls the optimal setting(s) for fuel efficiency at say a newly adopted 75 mph speed limit versus the 2013 70 mph typical. Also, an all EV button method hacked in somehow would be cool to do too. I’d need a better graphical visual understanding of the whole system and processes involved before getting into that. The all EV button might be something more stock and easier to do since is disclosed in the older models last I knew.

    Yeah… here’s a quick link on the EV button: http://www.evnut.com/prius_ev_mode.htm

    Neat, keep us posted and hook us up with some code. Flowcharts would be something I’d make also for the fuel efficiency changes since something like a drive train hack could turn out scary I’m thinking.

  6. Anyone know of a GUI that can be used to transmit data? I’ve got a Pi with a CAN hat, and I’d like a simple way to test continuously sending different values to a instrument cluster from a 2007 BMW e92!

  7. Hoookay… So I got my CANable Pro and OBD2 cable, looked at some web sites for pinouts, metered out the wires coming from the connector, installed drivers and software on my laptop, and took the whole mess out to my Chevy Volt in the garage and plugged it in. Turned the car on and… all hell broke loose. The engine started immediately. “Check Engine! Check traction control! Check airbags! Check charging system! Navigation unavailable! Reduced traction power available! Shutting down unnecessary loads! OMG OMG!”. So I shut everything off, disconnected the cables, cleaned the driver’s seat, and turned the car back on. Some of the warnings were still there, but some had gone away. I ended up connecting and disconnecting the charger a few times and turning the car on and off a few times, but it eventually all went back to normal but the check engine light. On the Volt forums, I read that the check engine will go away after three or four drives if there’s not really an issue, and someone who had been messing with his fuses and had the car freak out confirmed it. So… because I’m stubborn, I decided to try again with the terminator jumper in the ON position. I took it off because I figured the bus should already be terminated at whatever the “ends” are in the car. Everything came up normally with the CANable connected this time. Fired up “cantact-app” on the laptop, but there was no data being displayed. Poked around and found the port setting options and the “Start” button. Pushed start and everything went crazy and caught on fire again. Dammit – I just *cleaned* that seat, too! So… got everything calmed down and then realized the CANbus speed was set wrong vs. the car. Corrected that, cleaned the seat *AGAIN*, and tried it. Got nice rows of red and black numbers scrolling up the cantact display. No idea what any of them mean, but nothing caught on fire this time, so… win, right? O.O

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.