Sunday, June 8, 2014

Software to monitor the CAN BUS (CAN-BUS Super Sniffer)

Previously I developed a tool to scan new messages by dumping data from PuTTY into a file.
But I didn't spend much time making it user friendly. After a while I wanted to get into scanning the BUS again, only to find I had forgotten how the utility I wrote actually works. I then realized that the utility would be pretty much useless to anyone trying to use it.

So I revamped it completely, and it actually works a lot better; you are able to find messages much quicker!

I also realized, after reading this blog, that all the information I'm sharing is now a bit scattered all over the place.

Hopefully this blog post will clear things up a bit.


Meet "The CAN-BUS Super Sniffer", your new best friend.


CanBus SuperSniffer Forum Thread where the Software can be downloaded

(The download now includes the SuperSniffer, SuperSniffer Source Code, Arduino Sketch & the SeeedStudio MCP Library which you need to import)
 
This software requires the Microsoft Com control.
It's included in the Microsoft VB6 Run-time Libraries, downloadable here.

Microsoft Visual Basic 6 Runtime Libraries

Or you can download it from an untrusted source, but that's not recommended.




NOTE!
You have to get the Arduino + CAN-BUS shield to return data in the following format.
<1,2,3,4,5,6,7,8,9>
"<" marks the start of the message and ">" marks the end. If the data returned from the Arduino over the serial port is not in this format, the tool will ignore the incoming data.


I have uploaded the Arduino sketch code I'm using to GitHub. If you are using the same hardware as me, Arduino UNO + Seeed Studio Shield, you should be able to just copy and paste without making any changes to the .ino sketch.
https://github.com/mailmartinviljoen/CAN-BUS-Sniffer

Also remember the sketch in the above link uses the Seeed Studio CAN library, so you need to import it into the Arduino IDE.
https://github.com/Seeed-Studio/CAN_BUS_Shield


CAN-BUS Super Sniffer Tool Information
The CAN-BUS Super Sniffer tool is designed to help you reverse engineer
a vehicle's CAN-BUS Messaging system in order for you to figure out the meaning of the
messages detected on the CAN-BUS.

***All information in this help file is based on research done on a Jeep JK 2010 2-door Rubicon.
If you happen to see incorrect facts, please bear in mind it's how the information was perceived when
researching and reverse engineering the CAN-BUS. Please use this information "AS IS".
When using this information you use it on your own and cannot hold anyone liable if something bad happens.***


Basic CAN-BUS Information to get you started.
In order to get the data readable by the CAN-BUS Super Sniffer, you need an Arduino UNO connected to a Seeed Studio shield or similar device.
The Seeed Studio and similar Arduino shields make use of the MCP2551 and MCP2515 CAN chips; one is an interpreter and the other is a transceiver.
All research has been done on the Interior BUS, which controls all of the internal buttons in the vehicle and runs at 125 kbps.
The baud rate is important: if you connect at a lower/higher rate the bus will not be able to communicate and the system will give an error in the vehicle. On the Jeep it will beep, various instrument lights will come on, and the wipers will move up and down.
Also note! – The Arduino connected to the Seeed Studio CAN-BUS shield has 2 serial ports, and they should not be confused with one another.
The wires connecting to the CAN-BUS of the vehicle should run at 125 kbps, and the connection to the computer running the Super Sniffer tool runs at a 38400 baud rate. When you see corrupted characters, the PC is probably not connecting at the correct rate, although the software is set to connect at 38400 on each connection.
More Information
The Interior CAN-BUS messaging system consists of 9 "Bits" (each one is a numeric field of the message, not a single binary bit).
Bit0 = the CAN Message ID - Each Message ID can broadcast various messages.
Bit1, Bit2, Bit3, Bit4, Bit5, Bit6, Bit7, Bit8
The Arduino sketch is programmed to deliver the messages it finds on the CAN-BUS in the following format.
<CAN_ID,BIT1,BIT2,BIT3,BIT4,BIT5,BIT6,BIT7,BIT8>
An example message will look like this: <680,1,16,255,23,0,0,0,0>
IMPORTANT TO KNOW.
When the Arduino shield finds messages on the bus, it sends the CAN_ID in normal number format.
But when you send the ID back into the CAN bus to mimic pressing a button in the vehicle, you need to send it in
HEX format. That is why the CAN-BUS Super Sniffer shows a hex number in the first column
and the full message, including the ID bit, in number format, so you know which ID you need to send the detected message to.
More Information & examples (The examples are NOT based on real data and cannot be used)
ID 286 - Controls around the steering wheel. Left Blinker, Right Blinker, Lights, High Beams, Wipers etc.
ID 680 - Controls on the 4x4 switch pod. Swaybar Disconnect, Lockers front/Back On/Off, ESP electronic stability program mode.

<680,1,16,0,0,0,0,0,0> = Swaybar disconnect button pressed.
<680,1,17,0,0,0,0,0,0> = ESP Button Pressed
<680,1,18,0,0,0,0,0,0> = Lockers front/Back On/Off button pressed
Note the above is from the same node on the same switch panel in the vehicle, this means that
the node and all its buttons send messages under Message ID 680.
<286,15,20,4> - Left Blinker on (It broadcasts the state at a very regular interval)
<286,15,16,3> - Right Blinker on (It broadcasts the state at a very regular interval)
<286,20,16,2> - Lights On (It broadcasts the state at a very regular interval)
<286,30,16,1> - High Beams On (It broadcasts the state at a very regular interval)
Although this was done on a Jeep's Interior BUS, theoretically this should work on any CAN-BUS driven vehicle and on any BUS, such as the drivetrain.
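The framing and ID conversion described above, as an added example that is not part of the Super Sniffer source or the author's sketch: a PC-side reader that rebuilds `<CAN_ID,...>` frames from serial chunks, drops corrupted or out-of-range input, and converts the decimal ID to hex. The names `parse_frame`, `FrameReader` and `hex_id` are hypothetical; accepting fewer than 8 data fields and IDs up to 29 bits are assumptions.

```python
import re

# One ID field plus at most 8 data fields, ASCII digits only.
BODY = re.compile(r"\s*\d{1,10}(?:\s*,\s*\d{1,3}){0,8}\s*", re.ASCII)
MAX_ID = 0x1FFFFFFF  # assumption: accept up to 29-bit (extended) CAN IDs

def parse_frame(body):
    """Turn the text between '<' and '>' into (can_id, data) or None."""
    if not BODY.fullmatch(body):
        return None                     # corrupted characters, empty or extra fields
    can_id, *data = (int(p) for p in body.split(","))
    if can_id > MAX_ID or any(b > 255 for b in data):
        return None
    return can_id, tuple(data)

class FrameReader:
    """Rebuilds frames from serial chunks that may split or corrupt a message."""
    def __init__(self, max_pending=64):
        self.buf = ""
        self.max_pending = max_pending  # longest unfinished frame kept in memory

    def feed(self, chunk):
        self.buf += chunk
        frames = []
        while ">" in self.buf:
            end = self.buf.index(">")
            start = self.buf.rfind("<", 0, end)   # resync on the latest '<'
            if start >= 0:
                frame = parse_frame(self.buf[start + 1:end])
                if frame is not None:
                    frames.append(frame)
            self.buf = self.buf[end + 1:]
        start = self.buf.rfind("<")               # keep only an unfinished frame
        self.buf = self.buf[start:] if start >= 0 else ""
        if len(self.buf) > self.max_pending:
            self.buf = ""
        return frames

def hex_id(can_id):
    """Decimal ID as printed by the sketch -> hex string used when sending."""
    return format(can_id, "X")

def demo():
    # Constructed input: banner, split frame, noise, truncated frame, bad value.
    chunks = ["CAN BUS Shield init ok!\r\n<680,1,16,25", "5,23,0,0,0,0>\r\n\xff\xfe<286,15,",
              "<680,1,17,0,0,0,0,0,0>\r\n<1024,0,0,0,0,0,0,0,300>\r\n<1024,1,2,3,4,5,6,7,8>"]
    reader = FrameReader()
    return [(hex_id(i), d) for c in chunks for i, d in reader.feed(c)]
```

Rejecting anything outside the frame grammar means a baud-rate mismatch on the PC link shows up as dropped frames rather than as bogus IDs in the list.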

Connecting the Arduino + CAN-BUS shield to the vehicle’s CAN-BUS.
Since the Radio can be controlled by the CAN-BUS you can TAP into the network via the cable that goes into the Radio.


From the Arduino, connect a USB cable and ensure all Arduino drivers are installed.
Also ensure, when connecting with the Sniffer Tool, that you are using the correct COM port.



From the Tools Menu.
Com settings – Allows you to select the COM port to connect to; this is the same port the Arduino IDE uses to program the Arduino UNO.
Connect To COM – Connects the software. Once connected, all data will start to come in from the CAN BUS into the Sniffer tool, which will then automatically start to process the data by grouping it by message ID in the Grid List.

Clear ID Ignore List – Will clear the list created to ignore messages by ID.
Clear Message Ignore list – Will clear the list created to Ignore messages.
Clear All data in the list – Will clear the Grid List, but data will immediately start to fill it again.


From the list you are able to double-click a message, and the utility on the left will pop up.

Always Ignore this message – Will ignore this specific message from the BUS, i.e. if <680, 0,0,0,0,0,0,0,0> was selected to be ignored then <680, 23,0,0,0,0,0,0,0> will not be ignored.

Ignore This ID – Will ignore ALL messages coming from Message ID 680

Save – Will save the data to a sequential file in the same directory where the application is running.
Into a file called canmsgname.txt
(It will save it with the ID in the heading of the popup utility screen)

The black text box log will stream all changed messages to the log box, and it will not duplicate messages. You are able to clear the box manually by selecting all text and pressing delete or backspace.
When a message then comes in which is not in the log, it will appear again.
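The ignore lists and the de-duplicated log described above, as an added example that is not the Super Sniffer's own code. `SnifferFilter` and `new_after_baseline` are hypothetical names, and `new_after_baseline` goes beyond the tool as described by ignoring a whole idle-bus capture at once, so that only messages that appear when a control is operated remain.

```python
class SnifferFilter:
    """Ignore lists and de-duplicated log, modelled on the tool description."""

    def __init__(self):
        self.ignored_ids = set()    # "Ignore This ID"
        self.ignored_msgs = set()   # "Always Ignore this message" (exact match)
        self.logged = set()         # messages already shown in the log box
        self.grid = {}              # CAN ID -> distinct payloads seen, in order

    def offer(self, can_id, data):
        """Return True when the message should be appended to the log."""
        msg = (can_id, tuple(data))
        if can_id in self.ignored_ids or msg in self.ignored_msgs:
            return False
        seen = self.grid.setdefault(can_id, [])
        if msg[1] not in seen:
            seen.append(msg[1])
        if msg in self.logged:      # the log never repeats a message
            return False
        self.logged.add(msg)
        return True

    def clear_log(self):
        """Emptying the log box lets known messages appear again."""
        self.logged.clear()

def new_after_baseline(baseline, capture):
    """Ignore every message seen on the idle bus, then list what a capture adds."""
    f = SnifferFilter()
    f.ignored_msgs.update((i, tuple(d)) for i, d in baseline)
    return [(i, tuple(d)) for i, d in capture if f.offer(i, d)]

def demo():
    # Constructed traffic reusing the post's illustrative (not real) messages.
    idle = [(286, (20, 16, 2)), (680, (0,) * 8), (286, (20, 16, 2))]
    pressed = [(286, (20, 16, 2)), (680, (1, 16, 0, 0, 0, 0, 0, 0)),
               (680, (0,) * 8), (680, (1, 16, 0, 0, 0, 0, 0, 0)), (286, (15, 20, 4))]
    return new_after_baseline(idle, pressed)
```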






Emulating CAN-BUS Data (For when you just want to understand how the Super Sniffer Tool Works)

Turn Emulation ON – Will generate CAN-BUS Messages

Send Sample Message – Will send a random message into the system (not to the CAN bus, even if it's connected)













14 comments:

  1. I installed the Microsoft Visual Basic 6 runtime libraries. I can not select the serial port. It constantly defaults to port 6. Opening port 6 does nothing as well. I think there is a bug? Tried this on winxp, 7, and 8.

    Also I notice the speed is 9600. Can this be upped to 115200? 9600 really is too slow for my bus speed of 500KBPS. Any chance you would release the source code for this? I would love to add to this project.

    Replies
    1. Hi, sure, when I have time I will send you the source code, then you can just change it to suit your needs. Yes, you definitely can up the baud rate! (But you need to change it in the code of the software as it's hard coded to 9600.)

      Just make sure you also update the arduino sketch to connect at the same rate. Send me your Email address then i will forward it to you in a zip file

  2. Hi Martin, I also tried using your super sniffer but couldn't get any data displayed. I'd love to use your program to speed up my android integration project, but I'm afraid I couldn't add much to yours, since I'm totally clueless about coding. I did manage to painstakingly decode some buttons on my radio with the arduino serial monitor/putty, yay. Any pointers would be appreciated. Thanks and keep up the good work! Pit

  3. Hey Pit.

    As far as the Arduino goes you have to get it to return data from the CAN BUS in the following format.
    <1,2,3,4,5,6,7,8,9>
    It will use 1 as the CAN-ID and the rest as the Message to the CAN ID.
    If it's not in the mentioned format it won't return any data because it's looking for a "<" character in the beginning; that's how it knows where the message starts, as well as ">" where the message ends.

    Also, unfortunately you have to install the mscomctl; if you don't, it won't work, but as mentioned in the write-up you can download the VB6 Runtime.

    Then another question: if you are running the Sniffer application, does the "Emulator" work when turned on? That's another way to check if the application actually works. I will post the code of my Arduino sketch tonight; hopefully you are able to see how it works.

    Please list all the devices you use; in my case it's the Arduino UNO and Seeed Studio CAN-BUS Shield


  4. Hi Pit

    I updated the Blog post with "
    NOTE!
    You have to get the Arduino+CAN-BUS shield to return data in the following format.
    <1,2,3,4,5,6,7,8,9>
    "<" is used to determine the start of the Message and ">" to determine the end, if the data returned from the arduino over the serial port is not in the mentioned format it will ignore the data coming in.

    I have uploaded the Arduino sketch code I'm using to GitHub. If you are using the same hardware as me, Arduino UNO + Seeed Studio Shield, you should be able to just copy and paste without making any changes to the .ino sketch.
    https://github.com/mailmartinviljoen/CAN-BUS-Sniffer
    Also remember the sketch in the above link is using the Seeed Studio CAN Library so you need to import it into the Arduino IDE
    https://github.com/Seeed-Studio/CAN_BUS_Shield
    "

    Hopefully you are able to get going with it, Kindly please report back if you came right, I would like everyone else to also be able to use the software without any issues.

    Cheers
    Martin

  5. Thanks for the lightning fast reply, Martin!
    I actually pretty much duplicated your setup - Arduino Uno and Seeed Can Bus Shield, Seeed Can Bus libraries, VB6 runtime, your CAN-BUS_RECEIVE_WITH_CAN-ID sketch (baud rate changed to 9600 IIRC, but 115200 works too). I do seem to be getting messages without the "<"/">" (in Arduino serial monitor/putty), I'll look at the sketches again to see where I would add that.
    The emulator feature does work, showing a list of made up messages.
    Thanks also for pointing out to send IDs in hex, I moved through some menus on my OEM stereo from my computer, yay, proud noob. ;)

  6. Hi no probs,

    Damn! you are right i uploaded the wrong sketch! Really Sorry! :-)
    I corrected it now, it now includes the "<" ">"

    Please re-download "CAN-BUS_RECEIVE_WITH_CAN-ID "

    Or copy and paste the below


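    // This Arduino UNO sketch requires the Seeed CAN-BUS Shield libraries
    // https://github.com/yexiaobo-seeedstudio/CAN_BUS_Shield
    #include <SPI.h>
    #include "mcp_can.h"

    MCP_CAN CAN(10);                  // Set CS to pin 10

    INT32U canId = 0x000;

    unsigned char len = 0;            // number of data bytes in the received frame
    unsigned char buf[8];             // data bytes of the received frame
    char str[20];


    void setup()
    {
        Serial.begin(38400);          // PC side: must match the Super Sniffer COM rate

    START_INIT:

        if(CAN_OK == CAN.begin(CAN_125KBPS))   // vehicle side: interior bus at 125 kbps
        {
            Serial.println("CAN BUS Shield init ok!");
        }
        else
        {
            Serial.println("CAN BUS Shield init fail");
            Serial.println("Init CAN BUS Shield again");
            delay(100);
            goto START_INIT;
        }
    }


    void loop()
    {
        if(CAN_MSGAVAIL == CAN.checkReceive())
        {
            CAN.readMsgBuf(&len, buf);
            canId = CAN.getCanId();
            // Emit one frame as <CAN_ID,b1,...,bN>.
            // The posted copy lost the text between "<" and ">" in the loop below;
            // it is rebuilt here to produce the format described in the post.
            Serial.print("<");Serial.print(canId);Serial.print(",");
            for(int i = 0; i < len; i++)
            {
                Serial.print(buf[i]);
                if(i < len - 1) Serial.print(",");   // separator between values only
            }
            Serial.print(">");
            Serial.println();
        }
    }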

  7. One more thing I also recently found a bug in the SuperSniffer related to the ID, If the ID is longer than 3 Chars it gives the wrong HEX ID, I fixed it now, please use the same link in the Blog post to download it.

    The title should say V1.02,

    Also important: I changed the baud rate to be a bit faster, the Arduino will run at 38400, the comm control in the SuperSniffer is also set to 38400.
    I'm using COM6, for "Duplication" purposes please use COM 6

  8. #thumbsup ..good stuff, I had a feeling that's what was missing. I'll try it out later today.
    As a side note, your github sketch shows the Serial.print(">"); but your above post doesn't, just in case folks try to copy and paste directly from here.
    Thanks for the updates, I'll let you know how it works out.

  9. Ok thanks,

    That's quite odd because I actually copied and pasted from the same source.

    Anyway thanks for pointing it out, Google Blogger won't allow me to edit my own posts,

    Good Luck & Thanks for the help.


    Martin

  10. Works great now, Martin! "Decoded" pretty much all my stereo buttons in what felt like 10 minutes. BUT, my first attempt at compiling your updated github .ino gave me an error, seems it is missing this: "MCP_CAN CAN(10); // Set CS to pin 10", your earlier version does have it though.
    Happy camper I am, thanks a bunch!

  11. Awesome! I will sort out the missing info/code!
    Glad you came right.

  12. Hi Martin
    Thank you for all the helpful information. I received a radio from a 2010 JK that I would like to use in my TJ but it will not switch on. I assume that it needs an "ignition on" message from the canbus. I unfortunately do not have a JK to check what the canbus message is. Would you be able to give me the "ignition on", "ignition off", "radio on" and "radio off" canbus messages?

    regards
    Len
