Revving Up Connectivity: Revolutionizing Vehicle Networks
Chris Quigley, David Charles, and Richard McLaughlin from Warwick Control Technologies discuss using CAN bus message electrical signatures for reverse engineering in the automotive field.
There are many situations where you might need to reverse engineer the CAN bus, like competing vehicle analysis, fleet management telematics, and applications for disabled drivers. Typically, the process involves moving a sensor and observing changes in the CAN bus messages. For instance, you could lower a car window and see if that changes the CAN message data.
Many CAN buses carry numerous messages from various ECUs, making it hard to monitor everything simultaneously. It would be simpler if you could track fewer CAN messages by isolating the ECUs transmitting those messages. By identifying the electrical signatures of CAN messages, you can match known messages with unknown ones to determine which ECU is sending them.
To identify which identifiers come from which ECU, you first gather electrical signature plots of known diagnostic response messages and then compare them with real-time control messages.
An electrical signature in a CAN message is mostly unique to the sending ECU. Thus, all messages from an ECU should have similar electrical characteristics. For instance, the CAN High and CAN Low (CAN_H and CAN_L) voltages that make up a CAN message will show traits unique to each ECU due to factors like node position and bus distance.
The arbitration field (CAN ID) should be ignored when assessing the electrical signature since multiple ECUs might transmit within this field, affecting the signal. Once arbitration is complete, only one ECU produces the data field, where you can see a unique electrical signature. To get this unique signature, measurements should be taken during the part of the CAN frame generated solely by one ECU.
For illustration, Figs. 2 and 3 show the CAN_H and CAN_L voltage differences for two distinct ECUs, labeled ECU A and ECU B, in a modern passenger car. These variations in voltage levels indicate different ECUs.
To generate an electrical signature for each CAN message and identify the sending ECU, you need to consider the values of the CAN_H and CAN_L voltages. The steps are:
– Log examples of CAN message oscilloscope traces
– Focus on the data field only
– Separate data field bits into dominant (logic 0) and recessive (logic 1)
– Calculate the average values of CAN_H and CAN_L voltages for the dominant bits
With these data, you can create cluster plots.
For example, Fig. 4 shows oscilloscope displays: CAN frames are logged at the top, and the physical signaling of a highlighted CAN frame is shown below. From this, you can gather voltage levels of the dominant bits in the data field (CAN_H, CAN_L). These waveforms can be exported to an Excel file to analyze CAN frame readings at specific sample points.
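The signature steps listed above, applied to exported sample points, as an added example that is not the authors' own code. It assumes high-speed CAN (ISO 11898-2) receiver thresholds to pick out dominant samples; the voltage values, the `_frame` helper and the `max_dist_v` matching distance are constructed for illustration.

```python
from math import dist
from statistics import mean

# Assumption: high-speed CAN (ISO 11898-2) receiver thresholds. A sample is
# dominant when CAN_H - CAN_L >= 0.9 V and recessive when <= 0.5 V; samples in
# between are bit edges and are left out of the averages.
DOMINANT_MIN_V = 0.9

def signature(data_field_samples):
    """Mean (CAN_H, CAN_L) over the dominant samples of one frame's data field."""
    dom = [(h, l) for h, l in data_field_samples if h - l >= DOMINANT_MIN_V]
    if not dom:
        raise ValueError("data field contains no dominant samples")
    return (mean(h for h, _ in dom), mean(l for _, l in dom))

def centroids(known_frames):
    """Cluster centre per ECU from {ecu: [frame_samples, ...]} of known frames,
    for example diagnostic responses whose sender is already identified."""
    out = {}
    for ecu, frames in known_frames.items():
        sigs = [signature(f) for f in frames]
        out[ecu] = (mean(s[0] for s in sigs), mean(s[1] for s in sigs))
    return out

def match(frame_samples, known, max_dist_v=0.05):
    """Nearest known ECU, or None if the frame lies farther than max_dist_v volts."""
    sig = signature(frame_samples)
    ecu = min(known, key=lambda name: dist(sig, known[name]))
    return ecu if dist(sig, known[ecu]) <= max_dist_v else None

def _frame(h, l, jitter=0.0):
    """Constructed data field: two dominant samples, two recessive, one edge."""
    return [(h + jitter, l - jitter), (2.5, 2.5), (3.0, 2.4),
            (h - jitter, l + jitter), (2.5, 2.5)]

# Constructed voltages (not measurements) for the page's ECU A and ECU B.
KNOWN = centroids({
    "ECU A": [_frame(3.50, 1.50, 0.01), _frame(3.52, 1.48)],
    "ECU B": [_frame(3.40, 1.62, 0.01), _frame(3.38, 1.60)],
})

if __name__ == "__main__":
    print(KNOWN)
    print(match(_frame(3.41, 1.60), KNOWN))  # control frame of unknown origin
    print(match(_frame(3.70, 1.30), KNOWN))  # outside every known cluster
```

A frame that matches no cluster returns `None` rather than the nearest ECU, so an unlisted transmitter is not silently attributed to a known one.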