REVERSE ENGINEERING THE CAN

BUS USING VEHICLE SPY 3

Matthew Snyder
Field Applications Engineer
Intrepid Control Systems
[email protected]
1
OBJECTIVES
• QUICK CAN OVERVIEW
• Disclaimer!!
• Physical layer
• OBD?
• Gateway?
• Tools
• VEHICLE SPY REVERSE ENGINEERING FEATURES
• Reverse Engineering Button/ Messages View
• Messages Editor

2
DISCLAIMERS!!!
Modifying a vehicle that you intend to drive is
DANGEROUS.

Potential “issues:”
• Car no longer drives
• Car now requires expensive repairs
• Risk of car accident
• Risk of electric shock
• Voiding warranties

3
CAN PHYSICAL LAYER
LOOK FOR THE TWISTED PAIR!
• Termination!
• 120 Ω for classical CAN
• Voltage
• CAN Hi: 2.5V up to 3.5V
• CAN Low: 2.5V down to 1.5V
• CAN-FD is more sensitive. Use shorter runs of cables
and ensure proper termination!
• Still not seeing any traffic? Is the vehicle or module asleep?

4
OBD – REVISITING SIMPLER
TIMES
OBD or On-board Diagnostics
• Provides easy physical access into the CAN bus
• Most modern vehicles have critical information
hidden from these connectors now, often by the
use of a gateway.
• Ports can still have useful information and can still often
respond to a variety of J1979 requests
• Try following the wires to either the gateway module itself or
other important ECUs!
• Standardized connector, you can look up most of the pinout!

5
TOOLS
• Network analysis tool/data logger
• NeoVI/ValueCAN/RAD-Series
• Vehicle Spy 3 Enterprise
• Piercing/Contactless wire taps
• Oscilloscope
• Multimeter
• Cable tools
• OBD Y-Splitter, wire strippers etc

6
MESSAGES VIEW
LOOK AT THESE GREAT FEATURES!
• Column sets
• Speed filters
• Header filters
• Buffer controls
• Scroll button
• Data-byte formats
• Message statistics
• Raw vs Decoded data
• Reverse Engineering features

7
COLUMN SETS AND FILTERS
• COLUMN SETS allow you to customize
messages view for specific protocols.
• For example.. CAN and Ethernet are very
different
• SPEED FILTERS are filters that can be
quickly toggled on or off
• You can build custom include/exclude
filters
• You can use our pre-defined filters like
network, changing etc
• HEADER FILTERS let you type in a filter as
you need it
• Can filter by data-bytes this way
8
BUFFER CONTROLS
PAUSE will pause the buffer
• Vehicle Spy 3 will continue to collect data, overwriting
the oldest data first when the buffer fills
SAVE is a quick way to save the current buffer
• .vsb is the native VS3 binary format
• Also available: .asc, .blf, .pcap etc
ERASE will clear the current buffer

Tip: Increase your buffer size

by clicking the setup button
near the column sets
9
SCROLL BUTTON
• SCROLL MODE shows every individual message as a unique line

• COLLAPSED MODE (scroll button off) collapses messages with

the same arbitration IDs into a single line

10
DATA-BYTE FORMATS
• You can change the default data-byte format in messages view
to something other than hexadecimal, though hex is likely the
most useful!

11
MESSAGE STATISTICS
• You can view message statistics like standard deviation,
min/maxes etc with a click near the bottom

12
RAW vs DECODED DATA
• The red squiggly line implies there is no matching Rx or
database entry matching to decode the message

13
MESSAGES EDITOR

14
LIVE EDIT
• Live edit is one of the most important features for reverse engineering raw data!
• Allows you to edit the decoding while seeing the results live, helping you to
hone in on the correct interpretation!
• Examples.. Changing the scaling, changing the bits you are focused on,
changing units, changing signal types etc

15
REVERSE ENGINEERING FEATURES
• Located along the top of messages view

Note: These features can be used on

live data or simulated data.

16
SUPPRESS HIGHLIGHTING

• Continually reduces the activity

highlighting in data-bytes.
• Extremely useful if you are seeing a lot
of data-byte highlighting that you
don’t care about currently
• Even more helpful if you are about to
do something new like turn on the AC
for the first time!
• Erase the buffer to clear this effect

17
HIGHLIGHT CHANGING
• A toggle
• Grays out messages that do not have
changing data. When message data
starts changing, the message switches
to its normal color. The purpose of this
feature is to help make messages that
are changing stand out from the
others.

18
HIGHLIGHT CHANGING

• A toggle
• Grays out messages that do not have
changing data. When message data
starts changing, the message switches
to its normal color. The purpose of this
feature is to help make messages that
are changing stand out from the
others.

19
HIGHLIGHT RECENT
• A toggle
• Any message older than 5 seconds is
de-emphasized
• Only works in static/non-scrolling mode
• See “Highlighting Style” to change the
“Recent Time” used

Note: Both “Highlight Changing”

and “Highlight Recent” can be
toggled ON at the same time.
Changing overrides Recent.

20
AUTO ADD TO RX MESSAGES
TABLE
• A toggle
• Automatically adds an entry for each
arbitration ID in the Receive section of
the messages editor
• Erases the buffer!
• Make sure to save if there is important
data in that buffer!

Note: If you added a DBC later, make

sure you understand that decoding
from Rx overrides decoding from
databases if they both match!
21
AUTO ADD TO RX MESSAGES
TABLE CONTINUED
• You can quickly export the Rx table as a .dbc!!

22
ENABLE TEMPLATE MODE
• Template mode gives the option of
quickly changing a message from
one ID to another. When this
feature is enabled and a message is
added to the Receive table by right
clicking on it, a dialog appears to
add that ID over another message.
This is very helpful when the
message decoding is known, but its
ID is not.
• I have used this when I needed to
reverse engineer signals from a
vehicle similar to one I had already
done. Think different models from
23
the same OEM/platform
SHOW ALL MESSAGES EVEN WITH
ZERO LENGTH
• Shows all messages from the
Receive table in the messages view.
If a message has not been received
yet, the message's count will remain
at 0 until it is received. (within 5
seconds)

• I have never used this with CAN but

have with LIN

• I can elaborate if you submit a

question about this
24
HIGHLIGHTING STYLE
• “MASTER CONTROL” for
highlighting considerations
• Change the “Recent Time”
used for highlighting
• Change Magnitude and
Gradient Change have options
for how much of a change is
needed before highlighting is
enabled. This option helps
give a feel of how fast the
data is changing which can
help determine what a
message is. 25
DETAILS PANE

26
QUESTIONS?
• Please submit questions via the webinar link

Contact:
MATTHEW SNYDER
P: 586.731.7950. ex: 1019
E: [email protected]

27