Our VIP Package gets you every single course at 80% off the individual price. For a limited time, save an additional $100 with coupon code 100VIP. Learn more

CAN Bus Communications Decoded: Tapping into an existing CANBus

Watch This Course

$199.00 USD $129.00 USD

-OR-
Or 8 weekly payments of only $16.13 Instant access. Easy checkout. No fees. Learn more
Course Access for Life
60 day money back guarantee

Tapping into an existing CANBus

11.08

00:00 - When we need to read the CAN bus data from an existing network, we have to make a physical connection between the bus wires and our interface tool.
00:09 In most circumstances, it is easiest to do this with a device in the vehicle that is connected to the bus by back probing its connector.
00:16 In this module, we're going to take a look at some of the key considerations that we need to keep in mind when we're tackling this job.
00:22 First we need to actually find the bus wires.
00:25 If you have access to some reliable wiring documentation for the vehicle, this is usually pretty easy because it'll tell you the CAN high and CAN low pins at particular modules within the vehicle.
00:37 You do need to be aware though that many vehicles have multiple CAN networks and it's possible the data you're looking for might not be on the first bus that you connect to.
00:45 This is a little bit of a chicken and egg scenario.
00:48 If you have reliable documentation telling you where the data that you want is, then it's likely you don't actually need to do any reverse engineering to find that data.
00:56 For this reason it usually comes down to a trial and error process, connecting to each CAN network in the vehicle in turn and looking for the data there.
01:05 If you don't have access to any reliable data then we need to do some investigation work with an oscilloscope to locate the bus.
01:12 It's relatively easy to narrow down our search though by thinking about the data that we're looking for.
01:17 If we're trying to find the engine speed parameter for example, then either the engine ECU or the instrument cluster would be 2 great places to look for a CAN bus that is going to have this data on it as we know that only the engine ECU will transmit this data and the instrument cluster is a device that is going to require that data.
01:35 To show the process we go through when connecting to an unknown OEM CAN bus for the first time, we'll have a look at locating and connecting our SysTools CAN analyser tool to an unknown CAN bus in a 2011 Audi Q7.
01:48 So the first thing we need to do when making a physical connection to our Audi here, is we're going to have to find those bus wires.
01:55 Now luckily for a vehicle like this, we're actually pretty lucky in that there's a lot of forum support and good documentation around this.
02:02 So Volkswagen/Audi group vehicles of this era all have a CAN bus point where all the CAN bus wires come together and they're connected by one single connector and that actually joins the network together between all the modules in the car.
02:18 So that's going to be a pretty good spot for us to get access to our bus wires.
02:22 Now at that point, on the majority of These vehicles and on this one is actually on the edges of the dash here behind a trim piece.
02:29 There's a connector which I've modified to get access to the pins.
02:35 So what I've done is simply bared back a little bit of the housing of our connector here, got access to the back side of the pins and have soldered on some wires.
02:45 Now the reason I've put a DTM4 pin connector on the back of this is it's just a little bit of a standard we have here at HPA.
02:52 When we're dealing with new electronic devices coming into the building and we want to power them up and see what they work like, we pop a DTM4 pin connector on them with power ground, CAN high and CAN low.
03:04 We've then got another tool that allows us to plug all of those devices in together.
03:09 It bridges all the CAN wiring, creating the network and it gives us a really easy point to power them up with 12 volts and ground as well.
03:16 So I'm going to pop this back into the vehicle, then I'm going to hook up to these wires, my oscilloscope here and we're going to determine which of those lines is actually the CAN high pin and which is the CAN low pin.
03:28 So on my oscilloscope here, I've got our time scale set to 250 ms per division and voltage scale set to 1 volt per division.
03:37 If you haven't used an oscilloscope before, I recommend checking out our wiring fundamentals course as we go through that operation there.
03:45 Now to make a connection to this, I've simply got a single DTM pin and I'm just going to insert that into our connector into either one of these lines 'cause at the moment I'm not sure which is CAN high and which is CAN low, that's what we're going to find out on our oscilloscope here.
04:02 Going to be able to make a connection to that wire and the other side of the oscilloscope probe I'm going to connect to ground.
04:10 And when we see the voltage signals on the oscilloscope, I will explain why that is.
04:16 So we're just going to connect to a good vehicle ground here.
04:19 Luckily there's good exposed metal on the side of the dash frame.
04:23 Now with that hooked up, I'm actually just going to have to start up our vehicle and we're going to see, well hopefully we're going to see some CAN traffic pop up on our scope and we'll have a look at the voltage levels.
04:34 This is going to be a really good way of showing you exactly what you'll be expecting to see when you're hunting for a CAN bus in your own project.
04:41 So I just started up the vehicle and ran it for a little bit there while we had our scope hooked up to 1 of those 2 bus wires.
04:48 I then just took a snapshot of the traffic, just so I can stand here and talk about it without the vehicle running in the background.
04:55 So if we have a look at our voltage levels here, we can see we've kind of got a baseline voltage level here, the difference from our zero point here is 2.5 volts which is exactly what we're expecting to see because that's that CAN recessive level.
05:10 Then we're jumping up to, 2.5, 3, 2, around about 3.8 volts at the top of this signal here.
05:20 So that's telling me that the signal on the wire that I'm connected to here is varying between 2.5 and 3.8 volts.
05:29 So that's going to be our CAN high line.
05:32 Just to confirm that, what I'm going to do is I'm actually going to swap to the other pin, just in our plug here, just going to start up our oscilloscope again.
05:45 Going to run the vehicle again, take another snapshot of the traffic and just see what we see on that other bus wire.
05:51 So you can see from the scope traffic on our other wire there, we've got our same baseline level of 2.5 volts but now the signal is dropping down to around about 1.2 volts which is exactly what we expect to see so that's going to be our CAN low line.
06:06 With those 2 found and identified which is which, we're going to be able to hook up our analyser tool and know that we've got it right the first time.
06:16 We're going to go 1 step further though and we're going to determine the bus speed as well.
06:23 So to do that, I'm just going to start up my scope again and I'm just going to adjust our time scale down to something a wee bit faster because this time I'm going to want to see on the CAN traffic individual bits of information, not just a general picture of some CAN traffic.
06:41 So we're going to bring this down to about 500 microseconds per division, I'm just going to start up the scope again and we'll have a look at what that looks like.
06:51 You will have to adjust the time scale on your scope, depending on the board rate or the speed of the CAN bus so I might have to adjust that once I start the vehicle up again.
07:02 So I've got a good capture of some CAN bus traffic on our scope here.
07:05 Once again I've paused it so I can turn the vehicle off, we can observe this without the vehicle running.
07:12 What I've done is on my scope here I've just used a couple of cursors just to measure the width of one bit of information here.
07:19 Now because of the way the CAN bus protocol works and an element of it called bit stuffing, you can be sure that when you're looking at scope traffic, when you're looking at CAN bus traffic on your scope, the smallest element that you see will be a single bit.
07:35 So looking at this here, there's a time period for the single bit of 2 microseconds.
07:42 So that's going to tell us our CAN bus speed.
07:45 I can take 1 and divide that by 2 microseconds and that's going to give us a result of 500,000 which is going to give us our CAN bus speed of 500 Kb per second.
07:57 So knowing all that, we're going to be able to hook up our SysTools CAN bus analyser and get that traffic displayed on our laptop.
08:05 So now we've determined our CAN high and our CAN low wires and we've got that speed of 500 Kb as well, I have plugged in our SysWorks CAN analyser.
08:14 And I can open up that software and pop those settings in.
08:19 So we've got our speed set here to 500 Kb per second.
08:26 Don't want to have any filtering of any CAN messages, we want to display the entire data stream, just as it comes in.
08:34 So we've got this screen here which will be showing us all our received traffic but currently it's empty because the car's not actually running so we'll just turn that on and see if we get any data coming through that CAN bus.
08:50 So you can see here that even before starting the engine, as soon as I've turned the ignition to the on state, all of our modules have lit up and we've got a pretty comprehensive data stream coming through here that is actually quite a lot of data to be seeing on an OEM vehicle.
09:06 A good trick to keep up our sleeve when we're doing this is the OBD2 diagnostics standard.
09:12 This standard defines that there is a diagnostic connector within the cabin and that pin 6 of this connector is CAN high and pin 14 is CAN low.
09:22 A major caveat here though is that this is the diagnostic CAN bus within the vehicle.
09:27 While many vehicles transmit data on this bus for other purposes as well, it's possible that the data you're looking for might not be on this bus so do keep that in mind.
09:37 If the bus connected to the OBD2 connector doesn't have the data we're looking for and it's impractical to back probe a connector at a device to find the bus, we're going to need to start looking inside the actual wiring harnesses within the vehicle.
09:50 While this procedure is going to be different for every vehicle, the basic operations are the same.
09:56 You want to find the spot where the main wiring harness passes through the vehicle, which you can get good access to.
10:01 Often this will be behind gloveboxes, under seats or carpet and door sill trims.
10:07 Most OEM wiring harnesses within an interior of a vehicle are not completely covered, making it possible to see the individual wires within the bundle.
10:16 Look for a twisted pair of wires here and use your probe to pierce the insulation and have a look at the signals on those wires with an oscilloscope.
10:24 Be aware though that CAN is not the only network used within modern automobiles and it's completely possible you'll find another protocol being used.
10:34 Remember to look for the specific CAN high and CAN low voltage levels and that will signify that you have found some CAN bus wiring.
10:42 If you're not willing to pierce the insulation of the wires, there are inductive style probes available that read CAN traffic from the wires without making physical contact to the copper inside the insulation.
10:53 These devices are read only though and they can't transmit onto the bus so that might be limiting depending on your application.