CAN Hacking: Protocols

We’ve gone over the basics of CAN and looked into how CAN databases work. Now we will look at a few protocols that are commonly used over CAN.

In the last article we looked at CAN databases, where each bit of a message is mapped to a specific meaning. For example, bit 1 of a CAN message with ID 0x400 might represent whether the engine is currently running or not.

However, for more complex communications we need to use protocols. These can map many meanings to a single CAN ID by agreeing on a structure for sending and receiving data.


A Twitter Connected Mechanical Calculator

The TwitALU

Two students at the University of Bristol wanted to create a computer to demonstrate how ALUs work. The result is the TwitALU, a Twitter connected mechanical calculator.

The device uses a custom 7400 series ALU based on the famous MOS 6502 processor. Instead of doing the calculations on a silicon die, the ALU drives mechanical relays. This produces a nice clicky-clacky sound as the calculation is computed.

To start a calculation, you tweet @twittithmetic with your input. A Raspberry Pi is used to load the instructions into the ALU. Once the computation is done, it’s tweeted back to you and displayed on the Nixie tube display. It’s not efficient, or fast, but it does the job of demonstrating the inner workings of the device while doing simple math.

The device’s schematics are all available on the website, and are helpful for understanding how a simple ALU works. After the break, check out a quick clip of the TwitALU in action.


CAN Hacking: The In-vehicle Network

Last time, we discussed how in-vehicle networks work over CAN. Now we’ll look into the protocol and how it’s used in the automotive industry.

The Bus

On the hardware side, there are two types of CAN: differential (or high-speed) and single wire. Differential uses two wires and can operate up to 1 Mbps. Single wire runs on a single wire, and at lower speeds, but is cheaper to implement. Differential is used in more critical applications, such as engine control, and single wire is used for less important things, such as HVAC and window control.

Many controllers can connect to the same bus in a multi-master configuration. All messages are broadcast to every controller on the bus.

An oversimplified in-vehicle network


CAN Hacking: Introductions

We’re introducing a new series on CAN and automotive hacking. First, we’ll introduce CAN and discuss how in-vehicle networks work.

In 1986, Bosch introduced the Controller Area Network protocol. It was designed specifically for in-vehicle networks between automotive controllers. CAN became a popular option for networking controllers in automotive, industrial, and robotics applications. Starting in 2008, all vehicles sold in the US must use CAN.

Modern vehicles are distributed control systems, with controllers designed to handle specific tasks. For example, a door control module would take care of locks and windows. CAN allows these controllers to communicate. It also allows for external systems to perform diagnostic tasks by connecting to the in-vehicle network.

Some examples of CAN communication in a vehicle include:

  • The engine control module sending the current engine speed to the instrument cluster, where it is displayed on a tachometer.
  • The driver’s door controller sending a message to another door controller to actuate the window.
  • A firmware upgrade for a controller, sent from a diagnostics tool.

CAN is usually used with little or no security, except for the obscurity of the communications. We can use CAN-to-USB interfaces to listen to the traffic, and then decode it. We can also use these tools to send forged messages, or to perform diagnostic actions. Unfortunately, most of the tools for dealing with CAN are proprietary, and very expensive. The diagnostics protocols are standards, but not open ones. They must be purchased from the International Organization for Standardization.

Next time, we’ll get into the structure of CAN frames, and how traffic is encoded on the bus.

 [Image via Wikipedia]


Tips And Tricks For The C Pre-processor

C Pre-processor

The C pre-processor can help you write more concise, easy to follow code. It can also let you create a tangled ball of macros and #defines. [s1axter] wrote up a guide on how to use the pre-processor and keep your sanity.

We’ve seen some neat hacks with the C pre-processor, such as a full adder implementation, but this focuses on more practical usages. First, [s1axter] explains what the pre-processor does with your code by writing simple macros. Next up is arguments, and use of the ‘##’ operator for metaprogramming. Finally, we get a good explanation of why you need to worry about scope when using macros, and how to keep code safe by using ‘do {} while()’ statements.

If you’re into embedded programming, this guide will help you understand some of the more complex pre-processor techniques out there. It’s helpful for making your code clearer, and abstracting away hardware dependencies in a few lines of code.

The Bitbox Console: An Open Source Gaming Rig

Bitbox Console

A simple resistive DAC is all you need to drive a VGA display. Combining that with an on-chip DAC for audio, the STM32F405RGT6 looks like a good choice for a DIY game console. [Makapuf]’s Bitbox console is a single chip gaming machine based on the STM32 ARM processor.

We’ve seen some DIY consoles in the past. The Uzebox is a popular 8 bit open source game system, and [makapuf] was inspired by its design. His console’s use of a more powerful 32 bit processor will allow for more complex games. It will also provide more colors and higher quality audio.

One of the keys of the Uzebox’s success is the development tools around it. There’s a full emulator which allows for debugging with GDB. [Makapuf] has already built an SDL based emulator, and can debug the target remotely using GDB. This will certainly speed up game development.

After the break, check out a demo of the first game for the Bitbox: JUMP. Also be sure to read through [makapuf]’s blog for detailed information on the build.


An Open Source Hardware Modchip

OSHW XenoGC Clone

Many Hackaday readers might remember the days of buying modchips from somewhat questionable sources. These little devices connect to a gaming system to circumvent security measures, allowing you to run homebrew games (and pirated games, but let’s not focus on that). [Guillermo] built an open source hardware Gamecube modchip based on the XenoGC.

The XenoGC was a popular modchip back in the Gamecube days, and its source was released in a forum post. A Wiki page explains how to build a clone of the device based on an ATtiny2313. Most modchips were closed source, but this project lets you look at how they work. You can browse the XenoGC source on Google Code to learn more about the exploit itself. You’ll find the AVR code, which manipulates the DVD drive over a serial interface, in the XenoAT folder.

[Guillermo]’s hardware is available from OSHPark, so you can easily order boards. He’s also hosted the design files on Github. With one in hand, you can start building homebrew for the Gamecube, which can probably be picked up for around $25 nowadays.