An upcoming project has me looking at car hacking at the moment. I watched a great video ( https://www.youtube.com/watch?v=nvxN5G21aBQ ) which caught me up to speed on the fundamentals. There are a few other videos out there on introductory car hacking, but they all seem to revolve around the virtual CAN interface provided by vcan. I decided I didn't want to test virtually because then I wouldn't know how to work with the actual connection hardware. At the same time, being a beginner, I DID NOT want to plug into my personal vehicle's OBD2 port.
I was looking for something between vcan and a real car. A little googling led me to the ScanTool ECUsim 2000:
This board simulates a car. It has an OBD2 port for interfacing just like one would with a real car, and a serial console for configuring the board.
The first thing I will note is that at the $200 price-point, you do not get much in terms of software features. There are a lot of additional features that you can upgrade to by buying firmware packages, but they tend to add up in cost fairly quickly. If you have the money, I would recommend the ECUSIM 5100; it has all the bells and whistles and is fully configurable and comes with a nice chassis. However, at about $1500, it isn’t cheap.
For my purposes, the $200 entry-level board was enough to get started with the hardware process of connecting to a car and transmitting and receiving data from it.
I also purchased the ScanTool OBDLink SX USB ( https://www.amazon.com/ScanTool-OBDLink-USB-Professional-Diagnostics/dp/B005ZWM0R4 ). This is a dongle made by the same company as the board, and it works well with the slcand driver.
I used a Raspberry Pi 4 (2GB RAM) as the main CPU for this project. To get the Pi ready for CAN Bus hacking, I had to do some setup:
$ sudo usermod -aG dialout $USER
# apt install can-utils picocom
The first command adds the current user to the dialout group, which then allows you to interact with serial devices without running everything as root. After you run this command, you must log out and log back in before the group change takes effect.
The second command installs the can-utils package, which contains slcand amongst other utility programs we will need, along with picocom, the serial terminal program used below.
The reason I decided to use a Pi for the main hardware host is that I anticipate eventually wanting to "go mobile" with my setup, meaning I might want to plug the OBD2 dongle into my car at some point strictly to record driving sessions.
Once the Pi was set up, I plugged in the power and then attached the USB cable from the board to the Raspberry Pi. The Pi recognized the USB connection as a serial device, assigning it to /dev/ttyUSB1. The baud rate is 115200, so I tried using screen /dev/ttyUSB1 115200 to connect to the device. When I did so, I received output like this:
>AN Baud Rate 500.0 kbps EA 3
Only the last line of the previously run command's output was showing up, and it was the top line in screen. It turns out that the serial console on the board only outputs carriage returns, not carriage return/line feed combinations. Screen has no way of handling this situation, unfortunately, so I ended up using picocom with the following command line arguments:
$ picocom -b 115200 --imap crcrlf /dev/ttyUSB1
--imap crcrlf maps every incoming carriage return to a carriage return/line feed pair. After interacting with the serial console this way, I can see sane input and output:
>SPI
OBD Protocol ISO 15765-4 CAN
ID Type 29 bit
CAN Baud Rate 500.0 kbps
>
The next command I ran was:
>SOMM on
OK
>
This enables CAN Bus traffic monitoring on the board. We will now be able to observe the CAN traffic coming and going from the board.
The aforementioned dongle doesn't work as a raw CAN interface, so we must use the slcand driver. The dongle actually appears as a serial interface similar to the board's serial interface, only the dongle's serial interface doesn't respond to commands. The dongle runs at a baud rate of 115200, so we create the can0 interface by running the following command:
# slcand -o -s6 -S 115200 /dev/ttyUSB2 can0
/dev/ttyUSB2 is the device node for the serial connection that the dongle exposes.
Next, we need to bring the CAN interface up:
# ip link set up can0
At this point I received some errors when trying to generate packets with cangen:
# cangen -I i -D 0000 -g S can0
write: No buffer space available
The solution, found here, is to increase the interface's transmit queue length:
# ifconfig can0 txqueuelen 1000
At this point we can run the cangen command again and we should see traffic coming through on the board serial connection:
# cangen -I i -D 0000 -g S can0
And we would see something like this via the board serial console:
[...]
Rx: 18DB33F1 61 A1 00 @ 4108210 ms
Rx: 18DB33F1 10 @ 4108221 ms
Rx: 18DB33F1 00 @ 4108223 ms
Rx: 18DB33F1 62 62 00 00 @ 4108226 ms
Rx: 18DB33F1 30 00 00 @ 4108233 ms
Rx: 18DB33F1 62 C3 00 00 00 @ 4108236 ms
Rx: 18DB33F1 62 E4 00 00 00 00 @ 4108239 ms
Rx: 18DB33F1 00 00 00 00 00 @ 4108242 ms
Rx: 18DB33F1 50 00 00 00 00 @ 4108250 ms
Rx: 18DB33F1 00 00 00 00 00 00 00 @ 4108253 ms
Rx: 18DB33F1 00 00 00 00 00 @ 4108256 ms
Rx: 18DB33F1 00 00 @ 4108259 ms
Rx: 18DB33F1 63 E0 @ 4108261 ms
Rx: 18DB33F1 00 00 00 @ 4108264 ms
Rx: 18DB33F1 31 00 @ 4108266 ms
Rx: 18DB33F1 64 55 00 00 00 00 00 @ 4108269 ms
Rx: 18DB33F1 64 74 00 00 00 00 @ 4108273 ms
Rx: 18DB33F1 40 00 00 00 @ 4108284 ms
Rx: 18DB33F1 51 60 00 00 00 00 00 @ 4108287 ms
Rx: 18DB33F1 00 00 00 00 @ 4108290 ms
Rx: 18DB33F1 65 54 00 00 00 00 @ 4108293 ms
Rx: 18DB33F1 20 00 @ 4108309 ms
Rx: 18DB33F1 66 10 @ 4108312 ms
Rx: 18DB33F1 00 00 00 @ 4108314 ms
Rx: 18DB33F1 00 00 @ 4108317 ms
Rx: 18DB33F1 30 00 00 @ 4108321 ms
Rx: 18DB33F1 A2 00 00 @ 4108324 ms
Rx: 18DB33F1 01 00 @ 4112772 ms
Tx: 18DAF110 06 41 00 BE 1B 30 13 @ 4112773 ms
Tx: 18DAF118 06 41 00 88 18 00 10 @ 4112774 ms
Tx: 18DAF128 06 41 00 80 08 00 10 @ 4112776 ms
Rx: 18DB33F1 A2 00 00 @ 4112926 ms
[...]
The ECUsim 2000 Command reference can be found here. However, keep in mind that at the $200 version, most of the commands in that document will not work!
The ECUSim 2000 User Manual can be found here. It has some useful information in it for first time configuration.
ScanTool also makes a Linux utility called scantool that provides a GUI for interfacing with OBD2 connections, and just like with a real car, it will work with the board. You can install this free tool by running:
# apt install scantool
Technical information surrounding the limitations of the $200 model can be found in this Amazon review.