Topic: CAN Bus overriding message

druckis3000

Mar 16, 2020, 02:57 pm Last Edit: Mar 16, 2020, 07:16 pm by druckis3000
Hello. I wrote a simple program for my Arduino to read messages from my car's CAN bus, print them to the serial, and read from serial and send them to the CAN bus. I created a simple Android application, so now it's easier to reverse engineer the CAN bus with a graphical interface.

I've already found interesting CAN bus IDs, but the problem is it's not that simple to mess around with my car and I want to know if it's even possible. For example this message:
Quote
0x81C030A2 [8] C0 5B 40 1 89 3 14 0
is from the window switches controller. The third byte tells what to do with the front right window: 40 - nothing, 41 - roll up, 44 - roll down.

It's being sent continuously (even though nothing is touched), with the first byte changing in every message, in this order: 0x00, 0x40, 0x80, 0xC0

Now if I send that message with the third byte set to 41 or 44 at a 50ms interval, the window just rapidly rolls and stops, but does not roll continuously. If I send that message faster, let's say at a 1ms interval, the window keeps rolling for a longer period of time, but still, it stops for a few milliseconds and then continues rolling again.

So if I understand correctly, there are two messages on the bus with the same ID, and the window rolling mechanism interprets one message from my Arduino to roll the window, and then comes a message from the window switch controller telling it to do nothing with that window, since the switch is physically not touched, and this situation is probably causing such behavior, am I right?

As I understand, there's no way to catch that broadcast message from the switches controller and prevent it from reaching the window rolling mechanism, so is there any way to override the window switch controller message? Or is there anything else I can do? How does diagnostics software roll windows and activate all other devices? Does it use some special diagnostics messages?

Klaus_K

Quote
but the problem is it's not that simple to mess around with my car and I want to know if it's even possible.
It's not supposed to be easy. Engineers who build these components think about guys like you. They will be blamed if something does not work :)

Quote
It's being sent continuously (even though nothing is touched), first byte always changing in every message, it's order: 0x00, 0x40, 0x80, 0xC0
It's likely to ensure the window is always responsive and stops when needed. Car windows are dangerous for small humans called children. So, they are part of safety considerations in cars.

Quote
So if I understand correctly, there are two messages on the bus, with same ID and window rolling mechanism interprets one message from my arduino to roll the window, and then comes message from window switch controller telling to do nothing with that window, since switch is physically not touched and this situation is probably causing such behavior, am I right?
Sounds plausible.

Quote
As I understand, there's no way to catch that broadcasted message from switches controller and prevent it from reaching window rolling mechanism, so is there any way to override window switch controller message?
That is correct. Every CAN node will ensure the CAN message will be sent and acknowledged by at least one other CAN node. If the message gets manipulated on the fly, the sending node will detect that and repeat the message. The node assumes a physical issue, e.g. a voltage spike, or that another node with a higher priority message has overwritten the CAN message. This is all done in hardware. It will happen even if the CAN software was not written with additional application layer safety features.

Quote
Or is there anything else I can do? How do diagnostics software roll windows and activate all other devices? Do they use some special diagnostics messages?
There are many ways this could be done by diagnostic equipment. One would be to have an additional ID for the same function. You could try the following. Some windows can be controlled by two door switches, e.g. the back window can be controlled by the passenger and the driver. See how this is handled. If both switches send messages continuously, there must be a way for the door to know what to do.

druckis3000

Quote
There are many ways this could be done by diagnostic equipment. One would be to have an additional ID for the same function. You could try the following. Some windows can be controlled by two door switches. e.g. the back window can be controlled by the passenger and the driver. See how this is handled. If both switches send messages continuously there must be a way for the door to know what to do.
That was my thought! I was thinking yesterday, if the driver door's window switch controller sends a message continuously, telling that all windows should not move, how do they roll when you press the switch in the passenger door? I suppose there's a different ID for every door switch, or maybe I'm wrong. This will be my next TODO in my free time.

druckis3000

The situation is a little bit different than I was expecting. When I press the switch in the passenger door, it doesn't broadcast any message; it's probably directly wired to that specific door window control module. The same applies to the driver's door: if I roll the driver's door window, it doesn't send any message. Window rolling messages are being broadcast only when I roll the passenger door's windows from the driver door's window switches.

I tried to send the roll window command by changing the last number of the message ID, and it still works in the same way, and if I change more numbers, then it's not working anymore.

I found some info in another forum. It's a Volvo car, so I found that info in Volvo forums. Here's a quote from one member:
Quote
Posting to the bus is tricky for several reasons:

- Most (if not all) message-types are repeatedly transmitted by the car (up to 35 times/second). This means that a frame posted by you is almost immediately overruled by an ordinary frame. Preventing this is a challenge.
- You are writing frames with the same identifier as normal car frames. To prevent collisions (possibly resulting in bus-offs), special actions must be taken.
His words are confirming my thoughts, but he didn't explain what actions must be taken. So after reading his messages I can be sure that it's possible to tell my car to do something. Any thoughts? I will keep trying, but if you have any ideas to share, I would be grateful.
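
Seen from the bus-monitoring side, the pattern discussed in the posts above (a periodic frame whose first byte cycles 0x00, 0x40, 0x80, 0xC0, with extra frames appearing on the same ID) can be detected. The following is an added example, not code from anyone in this thread: it flags frames whose counter breaks the cycle or that arrive too soon after the previous one. The 2-bit counter interpretation, the 50 ms period in the trace and the 25 ms minimum gap are assumptions; the trace is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { ALERT_COUNTER = 1, ALERT_TIMING = 2 };

struct rx_frame { uint32_t t_ms, id; uint8_t data[8]; };
struct id_monitor { uint32_t id, min_gap_ms, last_t_ms; uint8_t last_ctr; int seen; };

/* Returns a bitmask of alerts for one received frame (0 = consistent). */
int monitor_check(struct id_monitor *m, const struct rx_frame *f)
{
    int alerts = 0;
    if (f->id != m->id) return 0;
    /* Assumption: the cycling 0x00,0x40,0x80,0xC0 value from the post is a
       2-bit rolling counter held in the top bits of byte 0. */
    uint8_t ctr = f->data[0] >> 6;
    if (m->seen) {
        if (ctr != ((m->last_ctr + 1) & 3)) alerts |= ALERT_COUNTER;
        if (f->t_ms - m->last_t_ms < m->min_gap_ms) alerts |= ALERT_TIMING;
    }
    /* Always resynchronise, so one lost frame does not alert forever. */
    m->seen = 1; m->last_t_ms = f->t_ms; m->last_ctr = ctr;
    return alerts;
}

/* Constructed trace: ID and payload as printed in the post, assumed 50 ms
   period, plus one extra frame at t=110 ms carrying 0x41 in the third byte. */
static const struct rx_frame TRACE[] = {
    {  0, 0x81C030A2, {0x00,0x5B,0x40,0x01,0x89,0x03,0x14,0x00}},
    { 50, 0x81C030A2, {0x40,0x5B,0x40,0x01,0x89,0x03,0x14,0x00}},
    {100, 0x81C030A2, {0x80,0x5B,0x40,0x01,0x89,0x03,0x14,0x00}},
    {110, 0x81C030A2, {0x80,0x5B,0x41,0x01,0x89,0x03,0x14,0x00}},
    {150, 0x81C030A2, {0xC0,0x5B,0x40,0x01,0x89,0x03,0x14,0x00}},
    {200, 0x81C030A2, {0x00,0x5B,0x40,0x01,0x89,0x03,0x14,0x00}},
};
#define TRACE_LEN (sizeof TRACE / sizeof TRACE[0])

/* Runs the monitor over a trace; returns how many frames raised an alert. */
size_t count_flagged(const struct rx_frame *tr, size_t n, uint32_t min_gap_ms)
{
    struct id_monitor m = { 0x81C030A2, min_gap_ms, 0, 0, 0 };
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++)
        if (monitor_check(&m, &tr[i])) flagged++;
    return flagged;
}

int main(void)
{
    printf("flagged frames: %zu\n", count_flagged(TRACE, TRACE_LEN, 25));
    return 0;
}
```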

Klaus_K

I think you should question your goals and whether they are worth the effort that might be required to achieve them.

If you are doing this for some kind of research or serious professional development there are some additional options open to you, because you can take additional risks that can be controlled in a test environment.

If you want to interfere with your personal car, you risk something going wrong while you are driving down the highway. In this case you are trying to fight the system that was designed to prevent single CAN messages from changing things in your car.

The fairly safe thing you can do is read CAN messages from your car's bus and use that information for your own electronics (which should not interfere with the car, but could display some information or create some special sound and light effects ...). When you start sending messages into your car's CAN bus you could create a dangerous situation. This should only be done in a safe test environment, e.g. a test track ...

druckis3000

Cars, electronics and programming are my hobbies, so it's just a hobby project. I do it only for my car, and I'm always testing everything in a safe place. In current situation I'm only accessing low speed can bus, there's nothing about engine, airbags, brakes on the bus, it's just lights, windows and etc.

I've been reading a lot about my car's can bus, and if I understood correctly, the only way I can inject can bus messages, is to tell specific module to enter into diagnostic mode, then it will listen to my can messages, and exit diagnostic mode after I'm done sending messages. Will try it sooner or later.

Klaus_K

If you cannot find documentation about the messages used by your car's modules, you could try to find a friendly car dealer who would be willing to run a diagnostic sequence while you use your hardware to store a CAN message trace.

This would limit the number of potential CAN IDs and give you the IDs actually used. You could then analyse the messages further for the parameter values by trial and error.

druckis3000

Thank you for helping. I've already made my own app for easier analysis of can bus traffic, and already found a lot of interesting stuff. Actually I even made my car do things, I can control windows, show messages in the instrument cluster and etc.

The way I did it is very similar to what you said, except I have my own diagnostics tools and software, so I was just reading the messages that the diagnostics software was sending to the car and made the Arduino send the same messages.