Posted on

CANbus Hacking – Part 1 – Getting on the CANbus

In this article we will discuss CANbus Hacking, or CAN Hacking. Specifically, the first step into CAN hacking, to actually get on the CANbus; to plug into the network and start to see the data.

You probably already have your reason as to ‘why’ you want to get on the CANbus and hopefully this article can help you achieve your goals.

This article won’t get too bogged down with what CANbus is and why it works the way it does, there is enough information on wikipedia already for those of you who are interested in that, it’s not very relevant to our goals here. All you really need to know is, CANbus is a 2 wire communications bus, you can add more devices to the CANbus by connecting CAN high and CAN low wires to the CANbus. Pretty much anywhere on the CANbus is fine too, there are many best practices to follow to design a reliable CANbus network, but that’s not what we’re doing here today. We’re just getting on it and reading the messages.

So to start with, we’re going to find some equipment that will allow us to connect to a CANbus and view the data being broadcasted on the network, and also transmit some messages too. Once we’ve selected our equipment, we’ll set it up appropriately for connecting it temporarily to a CANbus. Then when the equipment is ready, we will inspect our target vehicle, identify the correct wire\connectors to interface with and hopefully from there we can find our CANbus information and messages.

Equipment Selection

Equipment you will need:

  1. Laptop computer.
  2. USB to CAN Device
  3. 20ga Wires
  4. 4 Position DTM Deutsch Connectors and spare pins.

So, you’ve probably still got a few questions, let’s dig in a bit deeper about the equipment we can use.

  1. Laptop Computer.

The hardware requirements aren’t going to be too high on this one, any computers that’s running windows 10 that performs well will be appropriate. I’m using windows for this demo but if you want to use Mac or Linux, they’re both workable options too.

You can use a desktop computer if you choose, it just limits your location slightly.

  1. USB to CAN device. 

There are a few USB to CAN devices out there on the market, all ranging in price and functionality. I’ve had a great amount of success with the Canable Pro from the canable.io project, but they’re no longer available unfortunately, but there are still chinese copies available from the usual suspects, they’re marketed as a “Cando Pro USB to Can Module” Untested by myself, buyer beware.

There are also a good variety of Arduino and Raspberry Pi projects you can do to make modules that will send and receive CAN data. I’ve done a few projects now and they in themselves are a bit of fun but require a significant amount of effort to get operational, so if your goal is to learn a little more about CANbus, this could be a good option.

If your goal is to get on the CANbus and see CAN messages in order to get some components, that should work together, to actually work together. Then you’ll want to skip straight to the “ECU Master USB to CAN”. This device isn’t a budget option but when you consider the software that is included and the ease with which it will be set up, it’s a no brainer.

A PT Motorsport CAN hub connects a 4 Button CAN Keypad to a ECU Master USB to CAN
  1. 20ga Wires.

We’re using the Spec 44 (M81044/12-20) wiring for our projects, it’s what we’ve got in stock but it also has the advantage of being quite stiff and the sheathing is robust. So when you’re pinning and repinning and pushing the wire into connectors, it’ll comply with your request. Colour choices are also free but at PT Motorsport, we use White for CAN high and Blue for CAN Low, unless we’re integrating with an existing harness, then we’ll match those colours.

  1. DTM Connectors and Spare Pins.

At PT Motorsport, we follow the Automotive aftermarket trend of using 4 Position Deutsch Connectors for our CAN projects. With the pinout being as follows.

Pin1. +12v (red)

Pin2. Battery Ground (Black)

Pin3. CAN Hi

Pin4. CAN Lo

Be aware, while this is the standard many popular aftermarket ECU manufacturers follow, it is not the same for all of them. Please bear that in mind and check your pinouts if you’re integrating into an existing harness or device.

Spare pins are for connecting to the hookup leads in order to probe your connectors and get a good connection. DTM Pins are a nice small size, they can be connected into many different style connectors without damaging the connector. You can also back probe connectors with them too and because the pins are nicely rounded on the tips, you lower the risk of damaging a connector or a wires sheathing in the process.

Now that we have our components and equipment selected, we can continue on our quest for CANbus information.

Arduino, Raspberry Pi, CANable.io and an ECU Master USB to CAN

USB to CAN setup

Let’s start by getting our computer and chosen USB to CAN device connected and operational.

I’m using the ECU Master USB to CAN for this article so the setup is rather straightforward.

Start by downloading and installing the latest version of “ECU Master Light Client” from the ECU Master website. You might need to download the USBtoCAN driver too, I didn’t need to, windows installed it automatically for me.

Connect the USB to CAN to the USB port of your computer and open the light client, choose any CANbus bitrate except auto or offline and just make sure the software opens without any errors to verify your computer is connecting to the USB to CAN device.

Once you’ve got the USB to CAN talking to Light Client on your computer, we’re ready for the next step!

CAN Wiring preparation

Now we’ve got the USB side of the equation organised, we will now focus on the CAN side.

At PT Motorsport, we prepare all of our CANbus test equipment with a DTM06-4S connector for easier integration with our CAN hubs and other CAN devices we are testing. You can forgo this step if you choose, but it does make it quicker and easier for other projects you might do in the future.

Using the supplied DB9 Connector, carefully solder a 20ga Blue wire into pin 2 and a 20ga White wire into pin 7. After soldering, make sure there are no stray conductors or solder that could join any other pins together, this will cause many errors and much frustration.

Leave the other pins unconnected.

Terminating the DB9 Connector for the ECU Master USB to CAN

Now you can crimp on your DTM Sockets on these wires, in order to install your DTM06-4S connector. With the White wire going into position 3 and blue wire going into position 4.

Now prepare 2 more lengths of wire, one white and one blue, I’ve opted to go for 1m in length each. Crimping DTM Pins on either end. One end we will connect to a DTM04-4P Connector. The white wire going into Pin3 and the Blue wire going into Pin 4.

Now we’re left with a DB9 to DTM06-4S connection, to rapidly connect into other projects in the future and a DTM04-4P connector to flying leads, which we’ve crimped DTM pins into, for probing around our project.

Now all the hardware is ready. We can finally get connected!

ECU Master USB to CAN – Wired up to a DTM06-4S and a CAN test lead

CANbus Connection

Now we’ve got all our software and hardware ready to make a connection. Let’s find a CANbus and get on it!

Two considerations left though, first of which is the switch on the USB to CAN device, toggling this switch will connect a 120 ohm resistor between CAN high and CAN low, this is used to terminate the CANbus wiring. This can be very useful if your USB to CAN and the device you’re testing with are directly connected to each other and not part of a network, you will need to enable this switch to make the CANbus function correctly. But in the case you’re connecting to an already established and correctly designed CANbus network, you’ll want to leave the Terminating resistor Off.

DTM pins on a test lead, back probing the CAN Wires on an AC Control unit.

Choosing the bitrate is a very easy task with the ECU Master USB to CAN. Once you’ve connected the wiring to the CANbus, open the Light client software and choose “Auto” and assuming you’ve connected your wires correctly and the CANbus is active, you’ll be greeted by all the CAN messages you were looking for. Also the bitrate displayed in the bottom left of the window.

Next, you’ll want to find out where to poke your pins into. There are a few different methods to finding the right connections and the first and most obvious one is to find any documentation for the devices you’re testing (or the devices around it) and hopefully you’ll find the pinout of the devices and connect successfully to the CANbus.

The next thing you can try is to visually inspect the device’s connectors and look for twisted pairs of wires that are not shielded, these are 9\10 the wires you’re looking for. You can test with a multimeter too.

To test with a multimeter, set your meter to DC volts and connect the common lead to ground and then probe one of the suspected CAN wires. It should be around 2.5v and if it is higher than 2.5v, maybe even approaching 3.1 volts, it’s the CAN Hi connection. If the voltage is under 2.5v, even as low as 1.9v it is the CAN Lo connection.

For a CANbus that is idle or has very low load, the voltages will be very close to 2.5v. As the data load of the bus increases, the voltages will diverge away from 2.5v. With CAN Lo getting lower and CAN Hi getting higher.

If you’ve got a Haltech ECU, you could very well connect your DTM06-4S into the CANbus port that comes with the Haltech wiring harness and be well on your way to receiving all the data the Haltech can provide.

CAN frames, streaming through into ECU Master Light Client, from a Haltech Elite 2500

If you’re connecting to an OEM harness with the standard ECU, the OBD2 connector is a really good place to start. Using your CAN test leads, put the white wire into pin 6 and the Blue wire into Pin 14. Open up your light client and you should see the CANbus messages streaming through.

CAN Frames from a Lexus’ OBD2 port

In more modern cars though, there will be multiple CANbuses and the information you’re looking for, might be on a different bus which isn’t present at the OBD2 port, so you’ll have to extend your CANbus quest to be a little closer to the device with the information you’re looking for, eg. Steering wheel controls might be on the entertainment CANbus. Engine speed information might be found at the ECU or the Dash. 

DTM Pins on a test lead connecting to an OBD2 port

Once you’re connected and you have the Light client open, you should hopefully be able to see the CAN frames coming through in the right side of the Light Client Window under “All Frames”

If nothing is coming through, observe the lights on the USB to CAN module, they should be Green flashing and yellow on\flashing if you’re connected correctly. If the Error light is on, you might have your CAN Hi and CAN Lo around the wrong way, you could also have your bit speed set incorrectly or Termination resistors set up incorrectly. If you’re adding more devices to an existing CANbus, make sure all the devices bitrate (Speed) are set up the same, else you will have problems with your CANbus (will crash most likely and no devices will communicate) add devices in one by one if you’re having problems.

One last thing I’ll add, is with the IDs of the CAN frames.

In the light client, they’re in Hexadecimal (Base16). But some documentation and software packages will have the IDs in decimal (Base10). I’m not going to explain why here, I’ll save that for the next article, you just need to be aware of these differences in expressing the same information. 

To convert from Hex to Decimal, you can use the calculator built into windows 10 and put it into programmer mode.

In light client, all the IDs have ‘h’ after the ID number, this is to illustrate to the user that the number is in Hex and the ‘h’ isn’t actually part of the ID either. You will find documentation that refers to hex numbers with an ‘0x’ in front of the number. Keep these hex and decimal numbers in mind when working with CANbus IDs and messages.

We’ll get more into hex, decimal and binary numbers in another article.

This concludes this part of the CAN Hacking journey, getting connected to the CANbus can seem like a simple step but some of the challenges are often overlooked. Hopefully this article can help you with your project!