As cars have become more sophisticated electronically, understanding the CAN bus that forms the backbone of automotive digital systems has become more and more important for hacking cars. Inexpensive microcontroller CAN interfaces have made obtaining the raw CAN bus traffic trivial, but interpreting that traffic can be pretty challenging. In order to more easily visualize CAN traffic, [TJ Bruno] has developed CanoPy, a Python tool for visualizing CAN messages in real time.
A basic PC CAN interface simply dumps the bus’s message traffic into the terminal, while more sophisticated tools organize messages by the address of their intended recipients. Both of these approaches digitally lift the hood and let you examine what your car is thinking, but the wall-of-numbers approach makes finding the patterns that hold the keys to reverse engineering difficult. Automatically plotting the data with CanoPy makes finding correlations much easier, after which the text-based tools can be used to focus in on a few specific addresses.
Continue reading “Using CanoPy To Visualize The CAN Bus”
[Florian] and his engineering team at Munich-based bmc::labs has developed a clever set of prototyping boards for vehicle hacking and rapid product development, collectively called the bmc::board or bmc::mini. These stackable development boards were initially designed for in-house use. The team took a general purpose approach to the design so the boards could be used across a wide range of projects, and they should be useful to anyone in the field. [Florian] decided to release the boards to the community as open-source and certified by OSHWA (Open Source Hardware Association).
There are four boards currently defined, with several more in the works:
- mini::base — Main microcontroller board, STM32F103-based
- mini::out — I/O board with CAN bus, JTAG, etc.
- mini:: grid — RF board providing GPS and GSM capability
- mini::pit — local wireless connectivity, WiFi and Bluetooth, and 2nd CAN bus
At 54 x 42.5 mm, these boards are pretty small; a form-factor they describe as “exactly half a credit card”. We like the Wurth WR-MM family of stacking connectors they are using, and the symmetrical pinout means you can rotate the cards as needed. But at first glance, these thru-hole connectors seem to limit the stack to just two boards, although maybe they plan move to an SMT flavor of the connector in future designs permitting taller stacks.
If you’re into vehicle electronics and/or vehicle hacking, definitely take a look at these. You can check out [Florian]’s bmc::board Hackaday.io project page and the team’s GitHub repository for more details. Here’s another project by team member [Sebastian] using one of the future bmc::bike modules to eavesdrop on ECU communications, where he sensibly advises the reader “First, pull over and get off the bike. Never hack a two-wheeled vehicle while riding it!”.
No discussion of vehicle CAN bus tools should omit the work of Craig Smith, who literally wrote the book on hacking your car, and whose talk along with Hackaday’s own Eric Evenchick of CANtact fame we covered back in 2016. [Florian] has started a CrowdSupply campaign where you can see some more details of this project and a short promotional video.
Analog gauges gave way to all manner of fancy electroluminescent and LED gauges in the ’80s, but the trend didn’t last long. It’s only in the last decade or so that LCD digital gauges have really started to take off in premium cars. [Josh] is putting a modern engine and drivetrain into his classic Triumph GT6, and realised that he’d have to scrap the classic mechanical gauge setup. After not falling in love with anything off the shelf, he decided to whip up his own solution from scratch.
The heart of the build is a Raspberry Pi 4, which interfaces with the car’s modern aftermarket ECU via CANBUS thanks to the PiCAN3 add-on board. Analog sensors, such as those for oil pressure and coolant temperature, are interfaced with a Teensy 4.0 microcontroller which has the analog to digital converters necessary to do the job. Display is via a 12.3″ super-wide LCD sourced off Aliexpress, with the graphics generated by custom PixiJS code running in Chromium under X.
The result is comparable with digital displays in many other modern automobiles, speaking to [Josh]’s abilities not just as a programmer but a graphic designer, too. As a bonus, if he gets sick of the design, it’s trivial to change the graphics without having to dig into the car’s actual hardware.
Gauge upgrades are common on restomod projects; another route taken is to convert classical mechanical gauges to electronic drive. If you’re cooking up your own sweet set of gauges in the garage, be sure to drop us a line! Video after the break.
Continue reading “Classic Triumph Gets A Modern Digital Dash”
The Nissan Leaf is the best-selling electric car of all time so far, thanks largely to it being one of the first mass produced all-electric EVs. While getting into the market early was great for Nissan, they haven’t made a lot of upgrades that other EV manufacturers have made and are starting to lose customers as a result. One of those upgrades is charge limiting, which allows different charging rates to be set from within the car. With some CAN bus tinkering, though, this feature can be added to the Leaf.
Limiting the charging rate is useful when charging at unfamiliar or old power outlets which might not handle the default charge rate. In Europe, which has a 240V electrical distribution system, Leafs will draw around 3 kW from a wall outlet which is quite a bit of power. If the outlet looks like it won’t support that much power flow, it’s handy (and more safe) to be able to reduce that charge rate even if it might take longer to fully charge the vehicle. [Daniel Öster]’s modification requires the user to set the charge rate by manipulating the climate control, since the Leaf doesn’t have a comprehensive user interface.
The core of this project is performed over the CAN bus, which is a common communications scheme that is often used in vehicles and is well-documented and easy to take advantage of. Luckily, [Daniel] has made the code available on his GitHub page, so if you’re thinking about trading in a Leaf for something else because of its lack of features it may be time to reconsider.
Continue reading “Adding Luxury Charging Features To An Entry-Level EV”
Whilst swapping out the stereo in his car for a more modern Android based solution, [Aaron] noticed that it only utilised a single CAN differential pair to communicate with the car as opposed to a whole bundle of wires employing analogue signalling. This is no surprise, as modern cars invariably use the CAN bus to establish communication between various peripherals and sensors.
In a series of videos, [Aaron] details how he used this opportunity to explore some of the nitty-gritty of CAN communication. In Part 1 he designs a cheap, custom CAN bus sniffer using an Arduino, a MCP2515 CAN controller and a CAN bus driver IC, demonstrating how this relatively simple hardware arrangement could be used along with open source software to decode some real CAN bus traffic. Part 2 of his series revolves around duping his Android stereo into various operational modes by sending the correct CAN packets.
These videos are a great way to learn some of the basic considerations associated with the various abstraction layers typically attributed to CAN. Once you’ve covered these, you can do some pretty interesting stuff, such as these dubious devices pulling a man-in-the-middle attack on your odometer! In the meantime, we would love to see a Part 3 on CAN hardware message filtering and masks [Aaron]!
Continue reading “Custom Packet Sniffer Is A Great Way To Learn CAN”
In the days of carburetors and leaf spring suspensions, odometer fraud was pretty simple to do just by disconnecting the cable or even winding the odometer backwards. With the OBD standard and the prevalence of electronics in cars, promises were made by marketing teams that this risk had all but been eliminated. In reality, however, the manipulation of CAN bus makes odometer fraud just as easy, and [Andras] is here to show us exactly how easy with a teardown of a few cheap CAN bus adapters.
We featured another project that was a hardware teardown of one of these devices, but [Andras] takes this a step further by probing into the code running on the microcontroller. One would imagine that basic measures would have been taken by the attackers to obscure code or at least disable debugging modes, but on this one no such effort was made. [Andras] was able to dump the firmware from both of his test devices and start analyzing them.
Analyzing the codes showed identical firmware running on both devices, which made his job half as hard. It looked like the code was executing a type of man-in-the-middle attack on the CAN bus which allowed it to insert the bogus mileage reading. There’s a lot of interesting information in [Andras]’s writeup though, so if you’re interested in CAN bus or attacks like this, it’s definitely worth a read.
Progress and the proliferation of computers in automotive applications have almost made the shade tree mechanic a relic of the past. Few people brave the engine compartment of any car made after 1999 or so, and fewer still dive into the space behind the dashboard. More’s the pity, because someone may be trying to turn back the odometer with one of these nefarious controller area network (CAN bus) dongles.
Sold through the usual outlets and marketed as “CAN bus filters,” [Big Clive] got a hold of one removed from a 2015 Mercedes E-Class sedan, where a mechanic had found it installed between the instrument cluster and the OEM wiring harness. When the dongle was removed, the odometer instantly added 40,000 kilometers to its total, betraying someone’s dishonesty.
[Big Clive]’s subsequent teardown of the unit showed that remarkably little is needed to spoof a CAN bus odometer. The board has little more than an STM32F microcontroller, a pair of CAN bus transceiver chips, and some support circuitry like voltage regulators. Attached to a wiring harness that passes through most of the lines from the instrument cluster unmolested while picking off the CAN bus lines, the device can trick the dashboard display into showing whatever number it wants. The really interesting bit would be the code, into which [Clive] does not delve. That’s a pity, but as he points out, it’s likely the designers set the lock bit on the microcontroller to cover their tracks. There’s no honor among thieves.
We found this plunge into the dark recesses of the automotive world fascinating, and [Big Clive]’s tutelage top-notch as always. If you need to get up to speed on CAN bus basics, check out [Eric Evenchick]’s series on automotive network hacking.
Continue reading “Dashboard Dongle Teardown Reveals Hardware Needed To Bust Miles”