Thursday, May 26, 2011

CAN Controller Area Network

CAN (Controller Area Network) BUS is not a new network, but unlike more popular networks, CAN BUS is geared toward embedded controllers such as the ones found in modern automobiles. So when I speak of CAN BUS 'Hacking', I am referring to automotive network reverse engineering.

The CAN BUS is now a required network on vehicles manufactured in the U.S. from 2008 and beyond. Its popularity among automotive OEMs is nearly universal. But unlike most open protocols such as TCP/IP and HTTP, CAN BUS is almost entirely implemented as a proprietary protocol. Thus if we want to understand it, we must 'hack' it.

I will be posting more about what exactly the CAN BUS is, but you can get more information on it from Wikipedia.


One common misunderstanding about the vehicle network data is that it is limitless. The truth is that the only data on the network is the data that is required to be there. Nothing more, nothing less. What is required is different from vehicle to vehicle. For example, some vehicles might have adaptive cruise control, and this system might require vehicle dynamic information that is not required on vehicles that do not possess this system.

More and more data is being added to already heavily loaded networks, so automotive OEMs are adding more networks to accommodate more data. Good news for us: now we can get more info at higher data rates.


Diagnostics Messages vs. Normal Message

When I speak to most people about the vehicle network or CAN BUS, there is a common misconception that there are only Diagnostic Messages or OBD II Messages. So what's the difference between Diagnostic Messages (such as OBD II) and Normal Messages on a typical CAN BUS?

Simply put, Diagnostic Messages are Command/Response Messages. So if you want to get data from a controller, you have to send it a request. It will then respond to that request (hopefully). This is done using a common diagnostic protocol. There are only a handful that are used and they are typically specific to the OEM; however, there is not much difference between OEMs in how they have implemented their flavor of Diagnostic Messages. That said, all OEMs that sell vehicles in North America support the common OBD II protocol, those in Europe support EOBD, and those in China support the new China OBD (based on EOBD).

Normal Messages are the Messages that are transmitted between controllers. This data varies depending on the electronic systems and, like the OEM's Diagnostic Protocol, this data is also proprietary. This data does not need to be requested (in nearly 100% of cases). This data is typically sent at a periodic rate by a controller, as fast as it needs to be sent so that listening controllers get the most recent value. If you are doing data acquisition, this is the data you want.
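
To make the distinction concrete, here is an added example (not code from the original post) that splits a passive capture into command/response diagnostic frames and periodic normal messages, and estimates each normal message's transmit period. It assumes candump-style log lines and the standard 11-bit OBD II identifiers (0x7DF/0x7E0-0x7E7 for requests, 0x7E8-0x7EF for responses), neither of which is taken from the post; the capture and the IDs 0x100 and 0x200 are constructed.

```python
import re
from collections import defaultdict

# Constructed capture in candump log format: (seconds) interface ID#DATA.
# IDs 0x100 and 0x200 are made-up normal messages, not from a real vehicle.
SAMPLE_LOG = """\
(0.000) can0 100#0011223344556677
(0.000) can0 200#AA00000000000000
(0.010) can0 100#0011223344556678
(0.015) can0 7DF#02010C0000000000
(0.020) can0 100#0011223344556679
(0.022) can0 7E8#04410C1AF8000000
(0.100) can0 200#AB00000000000000
"""
LINE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3})#([0-9A-Fa-f]*)")
# 11-bit OBD II identifiers on CAN (assumption: standard values, not from the post).
OBD_REQUESTS = range(0x7DF, 0x7E8)   # 0x7DF functional, 0x7E0-0x7E7 physical
OBD_RESPONSES = range(0x7E8, 0x7F0)

def parse(log):
    """Return (timestamp, can_id, data) tuples for every well-formed line."""
    frames = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m and len(m[3]) % 2 == 0:
            frames.append((float(m[1]), int(m[2], 16), bytes.fromhex(m[3])))
    return frames

def split_traffic(frames):
    """Separate command/response diagnostics from periodic normal messages."""
    diagnostics, seen = [], defaultdict(list)
    for ts, can_id, data in frames:
        if can_id in OBD_REQUESTS:
            diagnostics.append(("request", can_id, data))
        elif can_id in OBD_RESPONSES:
            diagnostics.append(("response", can_id, data))
        else:
            seen[can_id].append(ts)
    periods_ms = {}
    for can_id, stamps in seen.items():
        if len(stamps) >= 2:  # one sighting cannot establish a period
            span = stamps[-1] - stamps[0]
            periods_ms[can_id] = round(1000 * span / (len(stamps) - 1), 1)
    return diagnostics, periods_ms

def engine_rpm(request, response):
    """Decode a mode 01 PID 0x0C exchange; None if the response does not match."""
    if request[1:3] != b"\x01\x0c" or response[1:3] != b"\x41\x0c":
        return None  # a positive response echoes service + 0x40 and the PID
    return (response[3] * 256 + response[4]) / 4
```

On the sample capture the diagnostic pair decodes with the public OBD II formula, while the normal messages yield only an ID and a period; their payload layout is proprietary and has to be worked out per vehicle.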
