This project uses the famous CANABLE (the cheapest can bus device on the market) in order to:
- sniff on the can bus (useful for debug and exploit purposes)
- decode and store some parameters sniffed on the bus (like motor rpm, accelerator pedal position and gear selection)
- control a WS281x leds strip by means of the decoded can bus data, then lighting the leds strip according to accelerator pedal position and gear selection.
- automatically disable start&stop car functionality
- act as Immobilizer, by injecting can bus messages when required.
- show SHIFT warning indicator on dashboard when configurable motor rpm speed is overcomed
BACCABLE overview (click on the following image to see the video)
Link to youtube videos playlist: https://www.youtube.com/playlist?list=PLBaS0780TbwKpBBER44QJkiz-0hAlga8X
I started the development from the famous SLCAN firmware (https://github.com/normaldotcom/canable-fw), by porting it inside stm32Cube environment (I updated usb interface), then I added:
- message decoding (watch the following video)
- leds Controlling function (watch the following video) NOTE: video was not updated after firmware optimization. Now you have to uncomment the define LED_STRIP_CONTROLLER_ENABLED in order to use the led controlling functionality
- start&stop car function disabler (more detailes in the dedicated subparagraph),
- immobilizer (more details in the dedicated subparagraph)
- Subfolder firmware contains the firmware
- Subfolder hardware/canable contains canable board layout and pcb wiring diagram. It comes from https://github.com/makerbase-mks/CANable-MKS. There are different designs of canable, but theay are all similar.
- Subfolder hardware/box contains the 3d model of the case to accomodate required components.
- Subfolder hardware/system interconnection contains interconnection diagram to connect required components
- Subfolder tools contains the famous savvyCan sniffer tool for windows (portable) and excel sheet used to calculate pwm and clocks settings.
The functionality "car start&stop disabler" is implemented by simply shorting a gpio to ground trough a resistor, in order to simulate Start&Stop button press on the car panel, with a delay after the device was switched on. The used resistor is suitable for my car. This projet was tested on alfaromeo Giulia. Each one of you, if dealing with other car, different than Alfaromeo Giulia/Stelvio, should:
- perform some checks on the panel with a multimeter, in order to find the proper resistor value for the start&stop button.
The functionality IMMOBILIZER performs the following:
- Detects if the thief is trying to connect to to RFHUB (they do it to add a key to the car)
- Starts the Panic Alarm after one second
- Continuously Resets the RFHUB in order to reset the thief connection, with this message for 10 seconds
- after 10 seconds stops to send messages and stops alarm, and return listening for thief messages
Note1: Panic alarm will start only if you previusly enabled panic alarm in your ECU, with the MES proxy alignment procedure shown in this video: Note2: The Immobilizer functionality will not detect the thief if you power the BACCAble with a voltage available only when the panel is switched on. Therefore, if you use immobilizer function, you shall remove the voltage regulator that I use to convert the 12V to 5V and directly plug the canable to the 5V usb voltage taken from the connector of the USB interface in the central area, close to cigarette lighter socket. In fact, usb voltage is switched on as soon as the thief wakes up the rfhub.
Note3: Once we start to send the rfhub reset message, neither the injition button will work. the car will appear as dead..
The leds strip is lighted accordingly to the movement of the accelerator pedal and the gear selection.
This projet was tested on alfaromeo Giulia. Each one of you, if dealing with other car, should:
- identify proprietary can bus messages, by sniffing data with savvycan.
The SHIFT warning indicator function allows you to show on dashboard the SHIFT warning label when configurable motor rpm speed is overcomed (3 levels of warning). The following video explains the behavious and the code description:
You should perform some preliminary settings inside firmware:
- If you want to use the device as usb can bus sniffer you shall uncomment #define ACT_AS_CANABLE in main.h
- If you want to use the device as leds strip controller you shall comment the line " #define ACT_AS_CANABLE " and uncomment the line " #define LED_STRIP_CONTROLLER_ENABLED " in main.h
- If you don't want to use the piece of code that disables the car start&stop at the power on, you shall comment #define DISABLE_START_STOP in main.h
- If you want to disable IMMOBILIZER functionality, you shall comment #define IMMOBILIZER_ENABLED in main.h
- In vumeter.c you shall set the number of leds in your leds strip, by modifing the following line: #define MAX_LED 46
- If you want to use SHIFT WARNING INDICATOR functionality, you shall uncomment #define SHIFT_INDICATOR_ENABLED in main.h and set the define SHIFT_THRESHOLD to the rpm speed at which the indicator will start to be shown (5000rpm by default)
Software to use:
- use stm32CubeIde to compile on windows
- use stm32CubeProgrammer to flash the firmware elf file contained in subfolder firmware\ledsStripController\Release
Note: i downloaded previous version of the programmer (v.2.15.0) since last available revision had some bug that won't allow me to flash canable.
Flash procedure:
- press reset button on the canable, then connect usb to pc (the canable will be detected as serial device named "stm32 bootloader"
- use stm32CubeProgrammer to flash the device
click on the following image to see the full hardware and interconnections video:
Used hardware:
Canable: https://a.aliexpress.com/_Ev1yBz1 Leds Strip ws2811 ip65: https://www.ebay.it/itm/325563557492?mkcid=16&mkevt=1&mkrid=711-127632-2357-0&ssspo=wTLp3UyoQGK&sssrc=4429486&ssuid=zXyeQJ2cSnu&var=514593107226&widget_ver=artemis&media=COPY Amazon alternatives: Canable: https://amzn.to/3zzeNMq Leds strip: https://amzn.to/3W3TifJ
Note: use recommended canable links cause some of them uses different st chip and I'm not sure if other chips are supported.
Note: if you use immobilizer function, you shall remove the voltage regulator that I use to convert the 12V to 5V and directly plug the CANABLE to the 5V usb voltage, taken from the connector of the USB interface in the central area, close to cigarette lighter socket.
watch the following video to see installation procedure. note: the video doesn't show the connection from usb +5V required to use immobilizer function.
The following video will show the structure of the firmware. Note: the video was made before to update the method to send rfhub reset message for 10 seconds, and before of the code optimization in the main loop.
when configured as canable the firmware acts as the classic SLCAN firmware. it means that you can use it with a pc equipped with savvycan tool, in order to sniff packets in the canbus. With such configuration the device is seen by the pc as a virtual serial port implementing the following serial commands:
- O - Open channel
- C - Close channel
- S0 - Set bitrate to 10k
- S1 - Set bitrate to 20k
- S2 - Set bitrate to 50k
- S3 - Set bitrate to 100k
- S4 - Set bitrate to 125k
- S5 - Set bitrate to 250k
- S6 - Set bitrate to 500k
- S7 - Set bitrate to 750k
- S8 - Set bitrate to 1M
- M0 - Set mode to normal mode (default)
- M1 - Set mode to silent mode
- A0 - Disable automatic retransmission
- A1 - Enable automatic retransmission (default)
- TIIIIIIIILDD... - Transmit data frame (Extended ID) [ID, length, data]
- tIIILDD... - Transmit data frame (Standard ID) [ID, length, data]
- RIIIIIIIIL - Transmit remote frame (Extended ID) [ID, length]
- rIIIL - Transmit remote frame (Standard ID) [ID, length]
- V - Returns firmware version and remote path as a string Note: Channel configuration commands must be sent before opening the channel. The channel must be opened before transmitting frames.
This firmware currently does not provide any ACK/NACK feedback for serial commands.
The approach used to control WS281x leds strip controller was derived from this: https://github.com/MaJerle/stm32-ws2811-ws2812-ws2812b-ws281x-tim-pwm-dma-timer where it is used a timer to start a pwm, then DMA allows a fast change of the duty cycle of the pwm.
Summarizing, the ws281x uses a control signal where each bit is transmitted as 1 or 0 with a pwm signal (with 2 different duty cycle for 0 and for 1 logic levels). The ws281x protocol expects a 24 bits sequence (3x8) for each led, where each 8 bits defines a color (red, green and blue). First led will get the first 24 bits, then it sends the rest to the next led. each led does the same. A pause in the transmission determines the end of the frame, then a new frame can be sent. The protocol and the timings are described in the ws281x datasheet
WS2811 and WS2812 protocol is specific one and has defined values:
- Transfer rate is
800 kHz
, or1.25us
pulse length for each bit - Transfer length is
24
pulses for each led, that's30us
for one LED - Each logical bit (
1
or0
) consists of high and low part, with different length - Reset pulse is needed prior updating led strip, to synchronize sequence
Minimum reset pulse length depends on WS281x device. Check datasheet for your particular unit. WS2812B says
> 50us
, while WS2811 says> 280us
.
DMA controllers in STM32s support various operations, one of them being super handy for our WS LED driver, called circular operation mode. Circular mode will continuously transmit data from memory to peripheral (or, in general, can also go opposite direction) and periodically send transfer-complete or half-transfer-complete interrupts to the application.
We will use HT and TC events extensively, as they will be use to prepare data for next operations to transfer all bits for all leds.
Note (added on 29/12/2024): apart what i wrote in this paragraph, more message decoding was detailed inside main.c file, as comments for now, in order to be able to decode more messages in the near future. I don't have time to update this section now.
These are information that I found and that I can share. Use everything this at your own risk.
-
These messages changes when you move accelerator pedal:
- message id 0ff, second and third byte, changes from 1D33 to 39f3
- message id 1f0, first 3 nibble changes from 000 to 1f2
- message id 412 , fourth byte, changes from 33 to E6. I use this one!!
- message id 736, second and third byte, changes from 3319 to E772
-
The following message identifies gear selection (I use this too):
- Message id 2ef, first byte (first nibble) contains current gear selection: 0x7X=Reverse , 0x0X=Neutral, 0xfX=Undefined (in example pressed clutch), 0x1X=first gear, 0x2X=second gear ...and so on up to sixt gear
- Message id 2ef, first byte (second nibble)contains suggested gear: 0xX7=Reverse , 0xX0=Neutral, 0xXf=Undefined, 0xX1=first gear, 0xX2=second gear ...and so on up to sixt gear
-
Thanks to SniZ (a famous guru - https://alfatuning.app ), we know that message id 0x0fc contains motor rpm speed in first and second byte (the least significant 2 bits of the second byte are not related to rpm speed, and should not be used)
-
Thanks to SniZ ( https://alfatuning.app ) , we know that message id 0x0ed contains the shift warning lamp directed to dashboard. The information is contained in byte6 of the message data (zero based), first 2 bits. Value 0= no indicator, 1=urgency level1, 2=urgency level2, 3=urgency level3 (the one with shift label)
-
Thanks to SniZ ( https://alfatuning.app ) , and to alfaobd developer, this is RFHUB Reset message. To make it work, this message shall be periodically sent (each 200msec should be ok, but i decided to send it each 10msec):
- T18DAC7F180211010000000000
-
The following message sequence starts (and stops) car Alarm, but it works only if the bus is not flooden with other messages:
- T1E340041488201500 //this message it is like a wake up sequence
- T1E340041488201500
- T1E340041488201500
- T1E340041488201500
- T1E340041488201500
- T1E340041488201500
- T1E340041488201500
- T1E340041488201500
- T1E340041488201500
- T1E340041488201500
- T1E340041488201500
- T1E340041488201500
- T1E340041488201500
- T1E340041488201500
- T1E340041488201500
- t1EF84202E20000000156 At this point of the sequence, on my car, the main panel temporary resets, if it is on, and starts the panic alarm. If the alarm was on, it goes off.
-
msg id 0x384 (periodically sent on the bus when ecu is on):
- byte 1 indicates current DNA mode selection: 0x01=Natural, 0x09=Dynamic, 0x11=AllWeather, 0x31=Race
- byte 3, bit 6 indicates lane alarm enabling button, available on left stalk (1 when pressed)
- example of this message with dna selection dynamic: t38480809DA080004XXYY (XX= counter from 00 to 0F , YY=checksum)
-
You can Send these messages to emulate the following key Press (or you can detect when they have been pressed, by filtering received messages):
- t2FA390XXYY (XX= counter from 00 to 0F , YY=checksum) Steering wheel button - RES
- t2FA312XXYY (XX= counter from 00 to 0F , YY=checksum) Steering wheel button - Cruise control on/off
- t2FA308XXYY (XX= counter from 00 to 0F , YY=checksum) Steering wheel button - Cruise control speed gently up
- t2FA300XXYY (XX= counter from 00 to 0F , YY=checksum) Steering wheel button - Cruise control speed strong up
- t2FA318XXYY (XX= counter from 00 to 0F , YY=checksum) Steering wheel button - Cruise control speed gently down
- t2FA320XXYY (XX= counter from 00 to 0F , YY=checksum) Steering wheel button - Cruise control speed strong down
-
Experiments:
- t2EE47FE00000 This on my car, if the panel is on, temporary resets main panel ad you can ear relays switch sound
- t0FA8A0200000200400F1 this on my car, if the panel is on, generates animation on the panel like switch off and on
-
message 0x1fc (generated by CDCM) (should be on can bus C2) byte0, bit 6 is 0 with car engine off and 1 with car engine on byte0, bit 5 and 4 indicates suspension mode (0x0=mid, 0x1=soft, 0x2=firm (only on QV)