OBD2 data pack download for reverse engineering
OBD2 data pack download for reverse engineering
Posted inCardiagtech

CAN Bus Sniffer OBD2: A Comprehensive Guide to Reverse Engineering Vehicle Data

No Comments

Need to delve into your vehicle’s CAN data for deeper insights?

This guide provides a practical approach to reverse engineering Controller Area Network (CAN) data from your car or truck. We’ll explain how to decode proprietary data, converting raw CAN signals into understandable physical values. Unlike many generic tutorials, we focus on a replicable method using the CLX000 CAN bus sniffer and readily available, free software tools, specifically tailored for OBD2 applications.

Tip: Enhance your understanding by exploring our SavvyCAN introduction and discover the advanced capabilities of our CANmod.router for professional-grade CAN-USB streaming.

Understanding CAN Bus Reverse Engineering for OBD2

The CLX000 CAN analyzer empowers you to stream CAN bus data from any CAN-based system, including vehicles (cars, trucks, motorcycles), marine vessels, industrial machinery, and more. Here, we concentrate on automotive applications, specifically leveraging the OBD2 port.

Streaming raw CAN data via OBD2 involves these straightforward steps:

  1. Configure your CLX000: Set up the device to request specific OBD2 PIDs (Parameter IDs) or capture all CAN traffic for comprehensive analysis. Refer to our OBD2 PID table for a list of common parameters.
  2. Connect to your vehicle’s OBD2 port: Utilize an OBD2 adapter cable to establish a secure connection between the CLX000 and your car’s OBD2 port.
  3. Establish PC Connection: Connect the CLX000 to your computer using a USB cable.
  4. Initiate Data Streaming: Launch the free software (SavvyCAN or Wireshark) to start real-time CAN data streaming and capture.

For detailed instructions, consult the CLX000 Introduction.

Top Advantages of Using a CAN Bus Sniffer for OBD2 Reverse Engineering

Employing the CLX000 and SavvyCAN as your CAN bus sniffer and analysis tools for OBD2 reverse engineering offers several key advantages:

Decoding Proprietary Vehicle Data Beyond OBD2 Standards

The primary goal of CAN bus hacking, especially in the context of OBD2, is to decode proprietary CAN IDs. This allows you to access and analyze data parameters beyond the standardized OBD2 PIDs, unlocking deeper insights into vehicle operation, performance, and diagnostics for cars, trucks, and machinery.

Expanding and Enhancing DBC Databases for Comprehensive Vehicle Analysis

Often, existing CAN database files (DBC files) are incomplete. A Can Bus Sniffer Obd2 tool facilitates the reverse engineering of missing CAN messages and signals, allowing you to extend and refine these databases. This results in a more comprehensive understanding of the vehicle’s CAN network and data structure.

Unlocking New Applications and Use Cases through Deeper Data Access

In many applications, reverse engineering even a few key parameters can be transformative. For instance, accessing State of Charge (SoC) data from electric vehicles, which is often not available via standard OBD2, can be crucial for various EV-related projects and analyses. A CAN bus sniffer OBD2 makes such data accessible.

Enabling Advanced Vehicle Control and Command Capabilities

Going beyond basic OBD2 data retrieval, reverse engineering raw CAN data with a CAN bus sniffer OBD2 allows for potential vehicle control via command signals. This opens possibilities for functionalities like toggling lights, locks, or other vehicle systems through custom CAN commands, offering a deeper level of interaction with the vehicle’s electronic architecture.

Uncertain about the benefits of reverse engineering for your specific application? Contact us for a free consultation!

Step-by-Step Guide to CAN Bus Reverse Engineering via OBD2

Let’s outline a step-by-step process for conducting vehicle reverse engineering using a CAN bus sniffer connected through the OBD2 port.

Assume your objective is to monitor data from your vehicle’s windscreen wipers. The first step is to identify the specific CAN ID that carries this data. There are two primary methodologies:

Real-time Data Streaming: Utilize a CAN interface and your CAN bus sniffer OBD2 to stream raw CAN data in real-time. Employ CAN bus analysis software like SavvyCAN or Wireshark to filter out irrelevant CAN IDs. By systematically activating and deactivating the wipers while observing the data stream, you can isolate the CAN ID associated with wiper operation through a process of elimination.

Data Logging to SD Card: For parameters where live monitoring is less practical (e.g., EV State of Charge), logging data to an SD card is more effective. Set up a camera to record your vehicle’s dashboard while simultaneously logging raw CAN data using your CAN bus sniffer OBD2. This allows you to create a synchronized time-series of “true values” (from the dashboard recording) that you can compare against your logged CAN data. This comparison helps identify CAN IDs and data byte patterns that correlate with the parameter you are investigating.

Once you’ve pinpointed the CAN ID containing your wiper data, the next step is to decode the signals within the CAN frame.

A single CAN frame typically contains 1 to 8 CAN signals within its data bytes. A signal represents a specific parameter, like the wiper ‘state’ (on/off). The goal now is to determine which of the 64 CAN data bits correspond to this wiper signal.

We recommend the following approach:

  1. Byte Identification: Observe which of the 8 data bytes change when you alter the wiper state (e.g., turn wipers on/off).
  2. Bit Isolation: Within the identified byte(s), determine which specific bits are changing in relation to the wiper state transitions. Excel or similar spreadsheet software can be helpful for bit-level analysis.

Having determined the bit position and length of your wiper signal, the next phase involves scaling the raw data to obtain meaningful physical values. This is typically achieved through a linear equation involving an offset and a scale factor. If you’re unfamiliar with this concept, our CAN bus introduction provides a helpful overview. The general formula is:

physical_value = offset + scale * raw_value_decimal

In the wiper example, the signal might be a simple boolean (on/off). In such cases, setting the offset to 0 and the scale to 1 might suffice.

For continuous variables like speed, SoC, or RPM, follow these steps:

  1. Simultaneous Logging: Log CAN data while driving and record the “true parameter value” from your vehicle’s dashboard using a camera.
  2. Data Plotting: Create a plot (e.g., in Excel) of the unscaled decimal value of your CAN signal against the timestamped true values from your dashboard recording.
  3. Scale Adjustment: With a zero offset initially, overlay the two plots and adjust the scale factor until the CAN signal plot roughly aligns with the true value plot.
  4. Offset Calibration: Fine-tune the offset to achieve a precise overlap between the two graphs.

This process is simplified when you can log smooth transitions across the parameter’s MIN to MAX range. If an OBD2 equivalent exists for your parameter (e.g., RPM, Speed), comparing your reverse-engineered signal against logged OBD2 data can expedite analysis.

Once you’ve determined the bit position, length, scale, offset, and optionally min/max values for your signal, you can incorporate this reverse-engineered CAN signal into a CAN database (DBC file), effectively creating a vehicle-specific CAN bus database. This integration simplifies the utilization of the decoded signal in various CAN analysis tools. See our DBC file introduction for more information.

Below are valuable resources for vehicle reverse engineering:

Download the OBD2 Data Pack

Ready to work with real OBD2 data?

Download our comprehensive ‘data pack’, which includes:

  • Our OBD2 DBC file
  • 25+ car DBC files (reverse engineered)
  • 100+ MB of real-world data from 10+ vehicles

Download Now

The CLX000: Your Ideal CAN Bus Sniffer OBD2 Tool

In this section, we highlight the CLX000 as a powerful and user-friendly CAN bus sniffer, perfectly suited for OBD2 reverse engineering.

The CLX000 is a cost-effective CAN bus data logger and interface that excels in real-time CAN streaming with software like SavvyCAN:

PLUG & PLAY: Configuration takes just minutes. Power is conveniently supplied via the CAN connector, and bit-rate auto-detection simplifies setup.

STANDALONE OPERATION: Log CAN data directly to an 8-32GB SD card for extended periods without needing a PC connection.

FREE SOFTWARE: Configure your CLX000, stream real-time data, and convert log files using our complimentary software tools.

LIVE STREAMING: Seamlessly stream and transmit CAN data in real-time using SavvyCAN and Wireshark.

COMPACT DESIGN: Fits comfortably in the palm of your hand (6.6 x 4.3 x 2.4 CM) and is highly portable.

LOW COST: The CLX000 offers unbeatable value and cost-effectiveness in the CAN bus sniffer market. Learn more about its value.

Explore the CLX000 CAN Bus Sniffer

While some online resources suggest using Arduino modules or Raspberry Pi with CAN bus shields for DIY CAN bus sniffers, and even ELM327 modules for basic CAN sniffing, these are often compromises. These general-purpose modules lack the dedicated design and user-friendliness of tools like the CLX000 when specifically applied to CAN bus and OBD2 analysis.

The CLX000 provides significant advantages:

  • Plug & Play Convenience: The CLX000 offers true plug-and-play functionality with fully free software, letting you focus immediately on CAN sniffing and OBD2 data analysis.
  • Configurable Filtering: Easily configure CAN ID filters to focus on specific messages relevant to your OBD2 reverse engineering tasks.
  • User-Friendly Software: SavvyCAN and Wireshark provide intuitive GUIs for raw CAN data analysis and DBC decoding, making OBD2 data interpretation straightforward.
  • DBC Integration: Create DBC files based on your findings and use SavvyCAN to decode CLX000 log files directly, streamlining your OBD2 data workflow.
  • Versatile CAN Tool: The CLX000 functions as both a CAN logger and a CAN-to-USB interface, making it a flexible tool for OBD2 CAN hacking and analysis.
  • Free Expert Support: We offer free and prompt technical support for any questions regarding the CLX000 or its software, assisting you in your OBD2 reverse engineering projects.
  • Cost-Effective Solution: Considering the time saved in setup and ease of use, the CLX000 often proves more cost-effective than Arduino/Raspberry Pi based solutions for serious OBD2 CAN analysis.

If you’re unsure which solution best fits your needs, please contact us for expert guidance.

Beyond data acquisition, the CLX000 also allows for CAN data transmission, enabling you to test and validate your reverse engineering findings. You can transmit specific CAN frames to assess if they trigger certain vehicle behaviors. For example, you could attempt to control door locks, lights, or manipulate dashboard displays.

The CLX000 supports custom transmit lists for periodic messaging and real-time data transmission control via SavvyCAN. This capability allows for sending custom CAN frames, replaying log files onto the CAN bus, or even conducting advanced fuzzing tests (use with caution and only if you have expertise in this area). It’s crucial to understand the risks involved in transmitting CAN data and to proceed with caution, especially when attempting to control vehicle functions.

A safer application of the CLX000’s transmission feature is requesting OBD2 data. OBD2 PIDs provide easily accessible continuous parameters (speed, RPM, temperatures) which can be invaluable for side-by-side comparisons when reverse engineering proprietary CAN data.

Case Study: Motorcycle CAN Bus Sniffer OBD2 Application

Discover how Thomas Cobb successfully employed the CL2000 (a predecessor to CLX000) to reverse engineer CAN bus data from his Ducati Diavel 2015, utilizing both USB streaming and data logging. Thomas relied heavily on SavvyCAN throughout his project.

“The CL2000 is compact, feature-rich, highly configurable – and it just works great! – Thomas Cobb

Read the Full Case Study | Explore 30+ Case Studies

Example: OBD2 Reverse Engineering Workflow with SavvyCAN

SavvyCAN is our recommended software tool for CAN bus reverse engineering using the CLX000, especially for OBD2 applications.

Below is an outline of how SavvyCAN supports the key steps in the reverse engineering process.

Tip: Watch Dan Dulac’s excellent tutorial demonstrating the practical use of the CL1000 (another CAN bus sniffer) and SavvyCAN for a hands-on demonstration.

Initiate Raw CAN Data Streaming from OBD2

Begin by connecting your CLX000 CAN bus sniffer OBD2 to your vehicle’s OBD2 port and establish a connection in SavvyCAN to start streaming raw CAN data. This provides a real-time view of CAN frames and a general overview of the data traffic.

Utilize SavvyCAN’s auto-scroll or overwrite modes to examine the raw CAN frames. Employ CAN ID filters to narrow down the displayed data to specific areas of interest within the OBD2 data stream.

Correlate Discrete Events with OBD2 CAN Frames

Leverage SavvyCAN’s ‘sniffer’ view to obtain a concise trace of unique CAN frames. This view intelligently highlights changing data bytes and bits, simplifying the process of linking physical events (e.g., door locking/unlocking, window operation) to corresponding CAN data within the OBD2 stream.

Refine your analysis by using CAN ID filters to progressively isolate the relevant CAN IDs and data bytes associated with the OBD2 parameters or vehicle functions you are investigating.

Analyzing Continuous OBD2 Data Parameters

For reverse engineering continuous signals such as vehicle speed, RPM, coolant temperature, or battery State of Charge (SoC), utilizing the CLX000’s SD card logging functionality is often more efficient. For example, you can record a 10-minute driving session while simultaneously noting dashboard RPM values with timestamps. Create a basic plot in Excel using this data to serve as a benchmark for comparison.

Load your CLX000 log file into SavvyCAN and use the ‘range state view’. Define hypotheses regarding which CAN IDs might contain the RPM signal and how this signal might be encoded within the data bytes. SavvyCAN will then generate plots of all potential combinations, allowing you to compare them against your benchmark plot from Excel and identify the correct scaling and offset for accurate RPM decoding from the OBD2 CAN data.

Learning to Control Vehicle Functions via OBD2 CAN

If your goal is to identify CAN frames that control specific vehicle functions via the OBD2 port, utilize the CLX000’s ‘live-transmit’ feature in SavvyCAN. This allows you to send custom CAN frames into your vehicle’s CAN bus and observe the real-time response. This is particularly useful for quickly testing hypotheses about potential control functionalities before investing time in more complex implementations. Refer to our SavvyCAN introduction for examples of valuable live-transmit tools within SavvyCAN.

Develop and Refine Your OBD2 DBC File

Based on your analysis within SavvyCAN, you will gradually identify relevant CAN frames and byte/bit positions associated with OBD2 and proprietary vehicle data. Use SavvyCAN’s built-in DBC editor (or our online DBC editor) to begin documenting this information, initially using scale factors of 1 and offsets of 0.

With this preliminary DBC file, create plots of your OBD2 data (in real-time or from log files) within SavvyCAN. By comparing these plots to your physical observations or benchmark data, you can iteratively adjust the scale and offset factors in your DBC file to accurately reflect the physical values of the OBD2 parameters you are reverse engineering. For instance, if a test drive reached a maximum speed of 55 km/h, but your initial data plot shows a value of 110 (with a scale factor of 1), adjust the scale factor to 0.5 and refine the offset as needed to achieve accurate speed readings.

While the CLX000 originally integrated with Wireshark, offering CAN reverse engineering features, we now recommend SavvyCAN as the superior tool for most OBD2 CAN bus reverse engineering applications. However, if you are already proficient with Wireshark, it remains a viable option. The following sections illustrate how to perform similar reverse engineering steps using the CLX000 and Wireshark.

Streaming Raw CAN Data with Wireshark

When you initially stream raw CAN data using the CLX000 and Wireshark, you will encounter a high volume of CAN packets displayed on screen.

Wireshark offers analysis tools like filters, column configuration, and plots. However, these are not ideally suited for initial OBD2 reverse engineering efforts due to the sheer volume and complexity of raw CAN data.

Utilizing the ‘CAN Live’ Feature in Wireshark for OBD2 Analysis

Instead of raw packet views, we recommend leveraging the ‘CAN Live’ Wireshark plugin feature, which provides a streamlined ‘trace’ view of your OBD2 data.

To access this view, click Statistics/CAN Live IDs while streaming CAN data in Wireshark. This opens the trace window, displaying one row per CAN ID, offering a highly organized overview for OBD2 CAN hacking and reverse engineering.

When a CAN bus data byte changes, it is highlighted in blue, with the color gradually fading as the byte value remains constant. This visual cue provides immediate feedback when comparing raw OBD2 CAN data patterns to physical events (e.g., activating vehicle systems). This ‘CAN Live’ feature transforms Wireshark into a powerful CAN bus decoder software tool optimized for OBD2 reverse engineering.

Ready to start reverse engineering your OBD2 CAN data?

Get your CLX000 CAN bus sniffer OBD2 today!

Buy Now | Contact Us

Recommended Resources for Further Learning

SAVVYCAN: Analyze Streamed / Logged CAN Bus Data

CAN BUS INTERFACE: Streaming OBD2 Data with Wireshark

OBD2 DATA LOGGER: Easily Log & Convert OBD2 Data

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *