CAN Bus Message Electrical Signatures for Automotive Reverse Engineering, Bench Marking and Rogue ECU Detection
To be published on April 2, 2019 by SAE International in United States
Annotation of this paper is available
There are many applications in which you may need to reverse engineer the Controller Area Network (CAN), e.g.:
- Automotive competitor analysis
- Telematics applications such fleet management
- Disabled driver applications
The typical reverse engineering process is concerned with moving a sensor and watching the CAN bus for message changes. For example, wind down a door window and see if this kicks off changes in CAN message data.
Many CAN buses have many messages originating from many Electronic Control Units (ECUs). This means it is difficult to watch all of them at the same time. It would be far easier if you could simply watch a smaller number of CAN messages to observe changes by isolating the ECUs the messages originate from.
This paper describes a process that allows the user to identify which CAN messages are transmitted by a particular ECU. This is achieved by getting the electrical signature of each CAN message and matching known CAN messages with unknown ones. Therefore, the transmitting ECU of the unknown CAN messages can be determined.
The method for determining which Identifiers come from a particular ECU is to first get electrical signature plots of known diagnostic response messages and compare with electrical signature plots of the real time control messages. It is shown how to achieve this using Warwick Control’s tool X-Analyser coupled with a PicoScope PC oscilloscope and the a Kvaser CAN USB interface.
This paper requires prior basic knowledge of the workings of the CAN bus technology.