Hack Your Vehicle CAN-BUS With Arduino and Seeed CAN-BUS Shield

By in CircuitsArduino

545,908

279

75

Introduction: Hack Your Vehicle CAN-BUS With Arduino and Seeed CAN-BUS Shield

By

Modern Vehicles all come equipped with a CAN-BUS Controller Area Network, Instead of having a million wires running back and forth from various devices in your car to the battery, its making use of a more clever system.

All electronic functions are connected to the TIPM, (Totally integrated Power Module), such as solenoids/relays to lock the doors or mini motors to wind the windows ect ect.

From each node (IE Switch pod that controls your windows or electric door locks) it broadcasts a message across the CAN. When the TIPM detects a valid message it will react accordingly like, lock the doors , switch on lights and so on.

WHY?
Because you can :-)

What you need.
Arduino UNO + Seeed CAN-BUS Shields
You can get the CAN-BUS Shield from SeeedStudio.com

Step 1: Setting Up an Interface for Connecting Your Laptop.

The Seeed CAN-BUS Shield has a header dedicated for the CAN-High (+) and CAN-Low (-)

Obviously all vehicles aren’t the same so the location to tap into the CAN-BUS will differ from vehicle to vehicle.
In this instructable I’m using a Jeep Wrangler (AKA Jeep JK) 2010, Rubicon 2DR , with a manual shifter.

The easiest way into the bus is to connect into the radio, at the back of the radio it has a White/Orange (- CAN-L) and White Grey ( + CAN-H ) wire. From there I routed the cable through to the glove box of the Jeep.

Step 2: Programming the Arduino to Accept Messages From the CAN-BUS

First of all you need the Seeed CAN-BUS Shield’s Library downloadable at GIT-HUB

After downloading the CAN-BUS Library you need to import it into your Arduino Libraries folder.
In the Arduino Editor Select Sketch --> Import Library --> Add Library and then point it to the Zip file you downloaded, (No need to unzip the contents it can be imported as is.

Tip: You might have to rename the zip as the Arduino IDE does not like unusual characters , so maybe try canbus.zip instead of can-bus.zip

Something important to note:

The CAN-BUS Shield library comes with a working example, it does not include getting the CAN-ID which is quite important to know when analysing the data, So i modified it slightly to include the ID also to seperate all values with a comma so that you can use it as a csv file.

Copy and paste the below code into your Arduino Sketch Editor.

#include "mcp_can.h"<br>
INT32U canId = 0x000;
unsigned char len = 0;
unsigned char buf[8];
char str[20];

void setup()
{    
Serial.negin(115200);
START_INIT:
if(CAN_OK == CAN.begin(CAN_125KBPS))
    {
        Serial.println("CAN BUS Shield init ok!");
    }
    else
    {
        Serial.println("CAN BUS Shield init fail");
        Serial.println("Init CAN BUS Shield again");
        delay(100);
        goto START_INIT;
    }
}
void loop()<br>{
    if(CAN_MSGAVAIL == CAN.checkReceive())
    {
        CAN.readMsgBuf(&len, buf);
        canId = CAN.getCanId();
        
        Serial.print(canId);Serial.print(",");
        for(int i = 0; i<len; i++)
	{
		Serial.print(buff[i]);Serial.print(",");
	}
	Serial.println();
   }
}

Hit the upload button to upload the sketch.

Step 3: Connecting to the Arduino + CAN-BUS Shield to Get CAN Data

Now you need to make sure the CAN-BUS Shield has been connected to the vehicle's CAN-BUS, via the CAN-H & CAN-L Connector.

If you are sure everything has been connected then use putty to connect to the shield via Serial.

Putty is actually a SSH Client but can also handle serial data and it works great for this purpose.

Look at the Image attached to this step for the Serial port configuration.

Once you connect, Your vehicle's CAN-BUS will bombard putty with CAN-BUS Data.

Step 4: Analyze the Data

From here you need to figure out how to detect the messages, such as turning on lightts, open windows ect ect.

When connecting with putty you can log all incomming data to file as explained in the screenshot from the previous step.

Connect and log to a file called file1.csv and let it run with all windows closed, vehicle's key in on position but not started, and let it run for about 5 minutes, Kill the putty session, then restart the Arduino (The Sketch does not clear the buffer), And this time log all data to file2.csv , once putty starts duming data, quickly press a buton (Only one at a time cus you will not know which message goes to which button), once you pressed a button a few times quickly disconnectputty from the can bus.

So theoretically all messages in File2.csv thats also in File1.csv should be ignored/filtered the messages thats left over in File2.scv should be the message button presses.

If you have some programming skills you might find a better way to manage this.
I cretated a basic application in VB6 , you can look for more information about the tool on my Blog
Unfortunatly the application is a bit incomplete, eventhough it has the capability to connect directly to the Arduino Via Serial it doesnt work propperly, so please ignore the Serial Connection part.

It will basically take the fisrt file run which you were dumping data for ~5 Minutes (ignoredatabase.can) and incomming.can as the log file which includes button presses.

I encourage you to find a better way to analyse the data as this can be very stime consuming.

Step 5: Sending a Message Into the CAN-BUS

To send a message into the CAN-BUS is pretty straight forward.

The below will send the "Sway-Bar" disconnect on a Jeep Wrangler.

Note the CAN-ID needs to be converted into HEX format, an easy way to convert it is to use the Windows Calculator, Using "Programmer Mode" for Windows 7 Calculator

From the below code you can see its sending it to CAN-ID 2B0 = 688

#include <mcp_can.h><br>#include <spi.h></spi.h></mcp_can.h>
void setup()
{
    Serial.begin(115200);
  
START_INIT:
    if(CAN_OK == CAN.begin(CAN_125KBPS))                   // init can bus : baudrate = 500k
    {
        Serial.println("CAN BUS Shield init ok!");
    }
    else
    {
        Serial.println("CAN BUS Shield init fail");
        Serial.println("Init CAN BUS Shield again");
        delay(100);
        goto START_INIT;
    }
}
void loop()
{
    unsigned char stmp3[4] = {3, 0, 3, 0};
    CAN.sendMsgBuf(0x2B0, 0, 4, stmp3);  
    delay(10000); 
     
}

Step 6: A Prototype Built Using the Information From This Instructable

Not going into much detail, this is just to show you whats possible.

This Arduino + Seeed CAN-BUS Shield has an added feature, I built a Button & 4 LED Display.
When pressing the red button it will cycle through all posible LED states and each state represents a feature.

Pressing the yellow button will send the message to the bus.

Be the First to Share

    Recommendations

    Rubik's Cube Solver
    Rubik's Cube Solver by aaedmusa in Gadgets
    138 21K
    Rock Paper Scissors Using Tinkercad Circuits and Arduino
    Rock Paper Scissors Using Tinkercad Circuits and Arduino by CrazyScience in Arduino
    1 78 10K
    Basics of Arduino (TINKERCAD)
    Basics of Arduino (TINKERCAD) by Mukesh_Sankhla in Grades 6-8
    232 15K
    Laser-Cut Infinity Dodecahedron (Fusion 360)
    Laser-Cut Infinity Dodecahedron (Fusion 360) by thomasj152 in LEDs
    182 16K

    • For the Home Contest

      For the Home Contest

    • Make It Bridge

      Make It Bridge

    • Big and Small Contest

      Big and Small Contest

    75 Comments

    0
    edvellbr
    edvellbr

    2 years ago

    Hi people,

    I bought one radio of a JEEP Journey 2009. My car not is journey, my car is Stratus 😝
    It's radio working when a turn on the battery. However, it's only on stand by.

    My questin is how to operation the radio on the bench?
    I saw that he has two can-buses. I tried for the Arduino, simulation can-bus communication for the MCP2515. But it didn´t work!

    Someone with an idea?



    0
    AroAro
    AroAro

    Reply 6 months ago

    You have 2 problems.
    1. You must communicate with the CAN bus. For this you absolutely need a circuit board with an MCP2515 and a driver. No Arduino can simulate that. Then try to read meaningful data at different speeds.
    2. If you can communicate, you must send data to the radio. The radio expects the correct ID and at the same time meaningful data. Where do you want to get this information from?
    It's never in the radio manual.
    If you have radio switches on the steering wheel, you could use them and intercept the data. Then you know what needs to be sent for which function. If that's not possible, then forget it.

    0
    Al514
    Al514

    Reply 10 months ago

    Old post I know, but it depends on what BUS the radio is potentially on. Most likely since its not something of high priority, its not on a High Speed Can Bus. Its probably on some medium speed network in the vehicle. Also because its not for that model, it may be some security measure.

    0
    Al514
    Al514

    10 months ago

    To all, CAN Bus Networks have different speeds in vehicles depending on the priority of the Module communicating, ie Engine computer, Body Control Module etc. Data packets/Messages will be read by the module they are intended for by their message ID and importance. Many of the lower priority components you may want to control (windows, radio, mirrors, etc) are going to be on a medium speed bus. Vehicles now also have multiple CAN bus networks as well as LIN Bus, GMLAN, Newer types of High Speed CAN buses such as CAN FD(Flexible Data Rate CAN), FlexRay. Just to name a few, so getting into the correct network can be difficult without a wiring diagram. Also you dont want to just try to start sending random Data Packets across the networks. Vehicles now with Electronic Power Steering and Electronic Brake Assist is not something you want to lose or mess around with. You can tap into the networks right at the Data Link Connector, but if you dont know exactly what you are doing. Dont. Your safety is more important than making a cool little box that can roll your window down. Just a word of caution.

    3
    Toheed abbasi
    Toheed abbasi

    3 years ago

    Hello. Could somone post or send me a sample code to show how to sniff for a specific CAN ID i.e. speed, RPM, Throttle Body?

    0
    snevarez31
    snevarez31

    Reply 1 year ago

    I know its 2 years old but if you haven't figured it out in IDE under the file tab and under examples go to your seeed Arduino CAN library and you'll see ODBll_PIDS. run that and you should be able to see what you're looking for. If its not decoded for what means what. the wiki page on OBDll PID's will be decoded and you should find what parameters you're after.

    0
    menzi1973
    menzi1973

    1 year ago

    Hello, great info! Just ordered some hardware and installed the library. But it cannot find mcp_can.h and tried to install it, but there are several available. None of them seems to work for the example sketch. Which one is good?

    0
    cabana soares
    cabana soares

    Question 1 year ago on Step 2

    Olá pessoal

    queria ler dados de uma ECM EDC7 da Bosch em um equipamento via can e preciso alterar o rpm por exemplo passar de 2200 RPM para 1500 RPM.
    e possivel?

    alguem poderia me ajudar?$

    0
    elenzing
    elenzing

    2 years ago

    Has anyone actually made the above code work? My canbus passes init ok but never detects a message available. It is connected properly and have tried alternative ways of connecting (db9 and terminal block) .

    Any help is much appreciated.

    0
    ThangT24
    ThangT24

    Question 4 years ago on Introduction

    Sir, can this particular CAN bus shield be used to activate auto speed sensing door lock in Hyundai i20?

    Or, is it limited to hacking specific features?

    Would be pleased to know more of about it in details. Thanks.

    0
    Bort Plate
    Bort Plate

    7 years ago

    There are too many errors in the code above. First, there is HTML, "<br>" is found in at least two places.

    Also, I get an error:

    "exit status 1

    'CAN' was not declared in this scope"

    for this line:

    "if(CAN_MSGAVAIL == CAN.checkReceive())"

    I think I fixed it by adding code from the original example files, just before setup(), such as:

    "const int SPI_CS_PIN = 9;

    MCP_CAN CAN(SPI_CS_PIN); // Set CS pin"

    But there is also an error with "buff" being undeclared!

    I imagine there are other errors that the compiler didn't catch. Not very usable.

    0
    jokinpaha
    jokinpaha

    Reply 7 years ago

    this complies OK at least on my IDE

    #include <SPI.h>
    #include <mcp_can.h>
    INT32U canId = 0x000;

    unsigned char len = 0;
    unsigned char buff[8];
    char str[20];

    const int SPI_CS_PIN = 10; // select your can shield cs pin

    MCP_CAN CAN(SPI_CS_PIN); // Set CS pin
    void setup()
    {
    Serial.begin(115200);
    START_INIT:
    if(CAN_OK == CAN.begin(CAN_125KBPS))
    {
    Serial.println("CAN BUS Shield init ok!");
    }
    else
    {
    Serial.println("CAN BUS Shield init fail");
    Serial.println("Init CAN BUS Shield again");
    delay(100);
    goto START_INIT;
    }
    }

    void loop(){
    if(CAN_MSGAVAIL == CAN.checkReceive())
    {
    CAN.readMsgBuf(&len, buff);
    canId = CAN.getCanId();

    Serial.print(canId);Serial.print(",");
    for(int i = 0; i<len; i++)
    {
    Serial.print(buff[i]);Serial.print(",");
    }
    Serial.println();
    }
    }

    0
    BerenniceM
    BerenniceM

    Reply 5 years ago

    I take it that, but appears that errors, someone can help me?

    receive_check:33: error: 'canId' was not declared in this scope

    canId = CAN.getCanId();

    ^

    exit status 1

    'INT32U' does not name a type

    2
    SimonP47
    SimonP47

    Question 5 years ago on Step 1

    I have a CANBUS shield and Arduino Uno, I also have an Audi A5 (2012). I want to sniff data on the CANBus network, I've tried connecting via the ODBII socket under the dash, but I see nothing, where can I find information on how to find and connect via CAN-H and CAN-L ?

    Thank you,
    Simon

    0
    mcnumgun0059
    mcnumgun0059

    5 years ago

    How can i get the data if I use this board?

    6988_1_9572.jpg
    0
    PlayersZ28
    PlayersZ28

    Reply 5 years ago

    I have that board connected to a Dieciemila and downloading CANBus data. Haven't tried sending yet. Still analyzing what the data ID's are that I see (2017 Chev Silverado). Used MCP_CAN library.

    0
    HaranS
    HaranS

    5 years ago

    Nice article. Please note that autopi.io has introduced a HW and SW platform to make it easier for everyone interested in hacking vehicles to develop SW for their cars, trucks and other vehicles with e.g. CAN-, K- or L-bus.....

    0
    DaveK97
    DaveK97

    5 years ago

    Can you start the Air Con and Window demister through the Can Bus without the car key?

    0
    mviljoen2
    mviljoen2

    Reply 5 years ago

    Hi Dave. You wont be-able to. The can bus does not run all the time it shuts down after about 3 or so minutes when turning off the ignition. Also it would be draining the battery if it were to run all the time whilst the car is off. Would also be a massive security risk.

    0
    MiguelC211
    MiguelC211

    5 years ago

    Can I use the ODB2 to DB9 cable or it just only works with CANL/CANR?