CAN Sniffer: 5 steps to CAN bus hacking

Updated at 21 Sep, 2017

Find out how to discover hidden functions in your car using CAN bus sniffing, and see how a CAN bus sniffer works for reverse engineering vehicle data.

All modern vehicles are controlled by multiple Electronic Control Units (ECUs), which you can think of as small computers controlling the electrical components in your car.

Using the OBD-II port and an AutoPi device, it is possible to communicate with the ECUs; the device essentially works as CAN bus sniffer software.

One of the ECUs is called the Engine Control Module (ECM). It is responsible for communicating with a lot of subsystems, like the transmission, power steering, windows and doors.

These subsystems communicate on a network bus called the Controller Area Network (CAN) by broadcasting messages on the bus. A message could look like this:

Screenshot of CAN bus output

The ‘024’ is the ID of the message (identifying the sender), and the rest is the data payload, e.g. the instruction to unlock the car.

With access to the CAN bus through the AutoPi device, it is possible to send commands to your vehicle, i.e. inject messages on the CAN bus. The only problem is that finding the individual commands that control specific parts of your vehicle is not easily achieved.

A common method to identify a command is to listen to and record the data flow on the bus while manually performing the action you want to decode in your car (e.g. unlocking it), and then identify the command in the recorded data stream.

This is commonly known as CAN bus sniffing, or by some as CAN bus hacking, and is normally a very advanced way to discover hidden metrics in your car. However, with the AutoPi device this has been reduced to a few steps that you run from the AutoPi Cloud, so everyone can start CAN bus hacking their car.

You just need to follow these 5 easy steps:

  • Step 1: Use the CAN sniffer tool to find the active CAN buses.

  • Step 2: Register the medium speed CAN bus in the vehicle's profile (so it can be used in the next steps).

  • Step 3: Record all CAN messages from the medium speed CAN bus while pressing the unlock button on the key fob. (The result is stored in a file locally on the AutoPi device.)

  • Step 4: Play all CAN messages from the recording back onto the CAN bus to verify that unlocking works.

  • Step 5: Use the divide and conquer method to find the single CAN message that performs the unlock.

It couldn’t be easier. In this blog post we go over the details and explain what you can do with your new metrics.

If you experience difficulties, you can check out our complete guide below.

What is CAN Bus Sniffer Software?

CAN bus sniffer software reads and injects data on the CAN bus through a device plugged into the vehicle, typically a telematics unit connected via the OBD-II port that turns raw CAN bus messages into a readable form. It is an advanced function, and with it you can usually discover plenty of hidden functions in your vehicle.

CAN bus sniffer software is very helpful: it can reveal several hidden functionalities and help prolong your vehicle's lifespan. Typically it requires advanced technical expertise, but not in our case; we have made it simple and usable by anyone interested in the functionality.

CAN bus sniffing tool explained

Monitoring the CAN bus is complicated due to the massive amount of data flowing in modern cars, so identifying individual messages in the stream is difficult.

A common way of identifying a specific message is called “divide and conquer”. The idea comes from the classic computer algorithm of the same name, used in many areas (like sorting). Put simply, finding the message you are looking for can be compared to finding a needle in a haystack.

With divide and conquer, you split the haystack into two equal parts and look through one half for the needle.

If you don’t find the needle, you split the remaining half into two new stacks and look in one of these. You continue this process until you find the needle.

You can apply this to finding CAN messages as well. Let's say you want to discover the command for controlling the power windows; the steps involved are:

  • Record the messages flowing while pressing the window switch in the car.

  • Divide the recorded messages into two halves.

  • Replay/send all data from one half to the car’s CAN bus. If the action happens (the window moves, or in the unlock example the doors unlock), you have the right half.

  • Keep repeating this procedure until you have identified the exact message you are looking for.
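The five steps above and the divide and conquer list, as an added example that is not code from the post or from AutoPi: a constructed 5 second "recording" with a hypothetical unlock frame hidden in it, a simulated vehicle that reacts only to that frame, and the halving search of Steps 4 and 5. The ID `024` and payload are placeholders; it also handles the case where no single frame triggers the action.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    can_id: int   # message ID, e.g. 0x024 in the post's example
    data: bytes   # payload, up to 8 bytes

def parse_frame(line: str) -> Frame:
    """Parse one dump line of the form 'ID BB BB ...' (hex) into a Frame."""
    parts = line.split()
    return Frame(int(parts[0], 16), bytes(int(b, 16) for b in parts[1:]))

# Hypothetical unlock frame (constructed); the real ID and payload differ per vehicle.
UNLOCK = parse_frame("024 00 00 40 00 00 00 00 00")

def make_recording(seed: int = 1) -> list[Frame]:
    """Constructed stand-in for Step 3: 200 random background frames with
    the unlock frame hidden among them (at index 137)."""
    rng = random.Random(seed)
    rec = [Frame(rng.choice([0x1A0, 0x2C4, 0x3E8]),
                 bytes(rng.randrange(256) for _ in range(8))) for _ in range(200)]
    rec.insert(137, UNLOCK)
    return rec

def car_unlocks(replayed: list[Frame]) -> bool:
    """Simulated vehicle: the doors unlock only if the unlock frame is replayed."""
    return UNLOCK in replayed

def bisect_command(frames, observe):
    """Steps 4-5: replay the whole recording first, then halve it until one
    frame remains. Returns (frame, replays_used); frame is None if the full
    recording never works, or if the effect needs frames from both halves
    (a multi-frame command that a single-frame search cannot isolate)."""
    replays = 1
    if not observe(frames):          # Step 4 failed: nothing to bisect
        return None, replays
    while len(frames) > 1:
        mid = len(frames) // 2
        first, second = frames[:mid], frames[mid:]
        replays += 1
        if observe(first):
            frames = first
            continue
        replays += 1
        if observe(second):
            frames = second
        else:
            return None, replays     # neither half alone triggers the action
    return frames[0], replays
```

For a 1797 line recording like the one below, this needs at most 2 × 11 + 1 replays instead of 1797 single-frame tries.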

The following CAN data dump shows 34 lines out of the 1797 lines in a 5 second recording:

34 lines of CAN data with the use of AutoPi TMU device

Once you have identified the specific command, you need to replay/send it to make sure you have the right one.

All of this sounds very complicated (and it can be), but with the AutoPi device it has been automated in a simple tool you can access from the AutoPi Cloud. The AutoPi Telematics Unit can be considered a CAN bus sniffer tool due to the wide variety of functionalities it offers.

Benefits of CAN bus reverse engineering

CAN bus reverse engineering has lots of benefits; here are the most common ones.

  • Decoding data - also known as CAN bus hacking, this is the ability to decode proprietary CAN IDs and then analyze data from cars, trucks, machinery and so on.

  • Give commands - you are able to control your vehicle via commands such as toggling locks, lights and so on.

  • Applications - you are able to log state-of-charge (SoC) from electric vehicles (EVs).

  • DBC database extension - a CAN bus decoder tool can help you reverse engineer missing CAN messages and signals.

CAN bus reverse engineering brings you lots of useful hacks, which is one of the reasons it's called CAN bus hacking. Read more about it below and find out how AutoPi can help you with the CAN bus in your car.

Intuitive user interface of AutoPi Cloud to discover new CAN commands

Using the AutoPi device to discover new commands in my car

With the AutoPi Management Cloud platform, the tedious process of finding CAN commands for your vehicle has been automated in a simple user interface.

The image above shows the user interface used to discover new CAN commands. The steps are very simple, but you need to be physically in your car to do the discovery:

  • Open the CAN explorer. It will tell you if there is a connection to the car.

  • Press the record button.

  • Now perform the function you want to record 5 times, like pressing the “doors unlock” switch.

  • Press the stop record button.

The system then analyzes the received data and outputs the possible commands found. Because of the large amount of data, the system will sometimes output several possible commands. You then have the possibility to narrow it down by replaying the found commands one by one.

When you have found the command you were looking for, you simply press the save button. Your newly found command is stored for future use by you and by all other users with a similar car.

Decoding raw CAN messages might be a bit complicated and confusing, especially if you are new to it. We have prepared a guide on how to log raw CAN messages to make the whole process easier for you.

Using discovered CAN commands to build something cool

So, what can you do with your new CAN command? Why not use it to tie a cool speech command to your car? The AutoPi Cloud comes with a built-in If-This-Then-That trigger system. Using it you can add your own triggers and fire the newly found CAN command.

If-This-Then-That trigger system, enabling you to add your own triggers and trigger the newly found CAN command

The image above shows the interface for adding new triggers to the system. Adding a new trigger is very simple.

  • Select your input source. This is the beacon. As an example, select the “googleAssistantSpeech” source.

  • Add a criterion; this is the text spoken. We will add “Doors unlocked”.

  • Now add your output source; this is the reactor. We select “carIntegrator” and, from the dropdown menu, find our new command “doors unlocked” and select it.

  • Press save.

The system will automatically upload the new functionality to your AutoPi device. Now all that is left for you is to test it by actually speaking to your car: “Hey AutoPi, unlock door”.

Check out our community, where you can get inspired and get lots of insightful answers from our community members.

If you want to be able to do all of that, then check out AutoPi Telematics Unit that makes all the possibilities real.

Article by

Nikola Velichkov

Software Developer
