All modern vehicles today are controlled by multiple Electronic Control Units (ECUs), which you can think of as small computers controlling all electrical components in your car.
Using your car's OBD-II port and an AutoPi TMU device, it is possible to communicate with the ECUs, which essentially works like a CAN bus sniffer software.
ECUs are responsible for communication with subsystems, like transmission, power steering, windows, and doors.
These subsystems communicate on a network bus called Controller Area Network (CAN), by broadcasting messages on the bus. A message could look like this:
The ‘024’ is the sender ID of the message, and the rest is the data containing the actual data. E.g., a message containing instructions to unlock the car.
Access to the CAN bus makes it possible to send commands to your vehicle, and thereby inject commands into the CAN bus. The problem is that individual commands to control specific parts of your vehicle are not easily achieved.
A common method to identify commands is to listen/record the data flow on the bus, and manually perform the action in your car you want to decode (e.g., unlocking the car) and then identify the command on the recorded data stream.
Unlock the Power of Fleet Management with AutoPi Cloud
Discover the advantages of a comprehensive solution for remote vehicle monitoring, control, and optimization. Streamline your operations and enhance your bottom line by using real-time data tracking and automated software updates.
Start your journey to a smarter, more efficient fleet now!
How to build a CAN bus sniffer to remotely unlock doors
This is commonly known as CAN bus sniffing, or CAN bus hacking, and is normally a very advanced way to discover hidden metrics in your car. However, with the AutoPi device, this has been reduced to only a few steps that you need to run on the AutoPi Cloud, and everyone can start CAN bus hacking their car.
Build a can bus sniffer to remotely unlock doors by following these 5 steps:
Step: Use the CAN sniffer tool to find the active CAN buses.
Step: Register the medium-speed CAN bus in the vehicle's profile. (That way we can use it in the next steps).
Step: Record all CAN message from the medium-speed CAN bus while pressing the unlock button on the key fob. (The results are stored in a file locally on the AutoPi Device).
Step: Play all CAN messages from the recording back to the CAN bus to verify that unlocking works.
Step: Use the divide and conquer methodology to find the single CAN message which performs unlock.
It couldn’t be easier, and in this blog post, we will go over the details and explain what you can do with your new metrics.
You can check out our complete guide below.
What is CAN Bus Sniffer Software?
A CAN bus sniffer is a device or tool that monitors and analyzes data sent over a Controller Area Network (CAN) bus. A CAN bus is a communication network used in cars and industrial control systems, and a CAN bus sniffer allows technicians and engineers to analyze real-time information issued and received on the network.
This can be beneficial for troubleshooting, identifying issues, and verifying the network is operational. The CAN bus sniffer is often made up of hardware such as an interface and a cable, as well as software that displays the data in a readable format such as ASflowr hexadecimal.
CAN bus sniffing tool explained
Monitoring the CAN bus is complicated, due to the massive amounts of data flows in modern cars. So identifying individual messages from the stream of data is difficult.
A common way of identifying a specific message is called “divide and conquer”. The idea came from a classic computer algorithm, of the same name, used in many aspects (like sorting). Easily explained, you know that the message you are looking for can be compared to finding a needle in a haystack.
With the divide and conquer algorithm, you divide the haystack into two equal parts and look through half the haystack for the needle.
If you don’t find the needle, you break up the remaining half into two new stacks and look in one of these. You continue this process until you find the needle.
You can apply this to finding CAN messages as well. Let's say you want to discover the command for controlling the power windows, then the steps involved are:
Record messages flowing while pressing the window switch in the car.
Divide the recorded messages into two halves.
Replay/send all data from one part to the car’s CAN bus. If the doors unlock, you have the right part.
Keep doing this procedure until you have identified the exact message you are looking for.
The following CAN data dump is 34 lines out of 1797 lines, for a 5-second recording:
Once you identified the specific command, you need to replay/send it to make sure you have the right one.
All of this sounds very complicated (which it can be), but with the AutoPi device, all of this has been automated in a simple tool you can access from the AutoPi Cloud. The AutoPi Telematics Unit can be considered a CAN bus sniffer tool due to the wide variety of functionalities it offers.
Benefits of CAN bus reverse engineering
Reverse engineering a Controller Area Network (CAN) bus has various advantages:
Understanding system behavior: By examining CAN bus messages, engineers can acquire a better understanding of the system's behavior and detect any possible concerns.
Debugging and troubleshooting: CAN bus sniffer enables real-time network monitoring and debugging, which can aid in the identification and resolution of problems.
Improving system performance: By reverse engineering the CAN bus, bottlenecks or other issues that may be slowing down system performance can be identified. This data may be utilized to make changes and improve system performance.
Improving security: Security specialists can detect possible security flaws and devise solutions to reduce these risks by studying communications on the CAN bus.
Aftermarket product support: The knowledge collected through reverse engineering may be utilized to design and support aftermarket goods such as performance tuners that enhance or change the functionality of the original system.
Supporting legacy systems: CAN bus reverse engineering can be very valuable for outdated systems with inadequate or no documentation. It enables engineers to better understand and maintain the system in the lack of thorough documentation.
CAN bus reverse engineering brings you lots of useful hacks, also one of the reasons why it's called CAN bus hacking. Read more about it below and find out how can AutoPi help you with the CAN bus in your car.
Using AutoPi device to discover new commands in my car
With the AutoPi Management Cloud platform, the tedious process of finding the CAN command for your vehicle has been automated in a simple user interface.
The above image shows the user interface used to discover new CAN commands. The steps are very simple. You need to physically be in your car to do the discovery:
Open the CAN explorer. It will tell you if there is a connection to the car
Press the record button
Now perform the function you want to record 5 times. Like pressing the “doors unlock” switch
Press the stop record button
The system will then analyze the data received and output the possible commands found. Because of the large data amount, the system will sometimes output a few possible commands. You now have to possibility to narrow it down by replaying the found commands one by one.
When you found the command you were looking for, you simply press the save button. Your newly found command is stored for future use by you and all other users with a similar car.
Decoding raw CAN messages might be a bit complicated and confusing, especially if you are new to that. We have prepared a guide on how to log raw CAN messages, to make the whole process easier for you.
The system will automatically upload the new functionality to your AutoPi TMU device. Now, all there is left for you is to test it in real life.
If you want to be able to do all of the above, then don't hesitate to contact us, and we can help you makes all the possibilities real.