Anyone here into CANBus hacking?
Discussion
Firstly, I'm not sure if this is the correct sub-forum to be posting this, but you gotta start somewhere...
Basically, I'm looking for someone(s) who would like to collaborate with me on an ambitious project that I'm embarking on. In essence, I've bought a crashed Maserati QP GTS (actually, I've bought two, but don't tell the wife...), from which I'm going to transplant the engine into a derelict classic car (I'm not going into any details about that on here because I'm fed up with all the crap from the haters). The GTS is the model that has the Ferrari F154 twin-turbo engine (it's more or less the same as the 488, but with a different crank and a wet sump).
The main problem I face is dealing with all the CAN devices - I can either spend £££ and buy a Cosworth (or similar) standalone ECU, or I can keep the factory unit and bypass the unwanted modules using CAN emulation. There are only two or three aftermarket ECUs that could do the job due to the engine being Direct Injection, and all of them are big money,so I'd like to try the other option first. Or to put it another way, it's the only way I can afford right now...
Although I've spent much of my career dealing with motor racing data acquisition systems and the like, I'm not a board-level electronics engineer, so could do with some help getting the CANBus controller hacking hardware sorted out. I would therefore be keen to hear from anyone with a) the relevant skills, and b) the willingness to help out!
Basically, I'm looking for someone(s) who would like to collaborate with me on an ambitious project that I'm embarking on. In essence, I've bought a crashed Maserati QP GTS (actually, I've bought two, but don't tell the wife...), from which I'm going to transplant the engine into a derelict classic car (I'm not going into any details about that on here because I'm fed up with all the crap from the haters). The GTS is the model that has the Ferrari F154 twin-turbo engine (it's more or less the same as the 488, but with a different crank and a wet sump).
The main problem I face is dealing with all the CAN devices - I can either spend £££ and buy a Cosworth (or similar) standalone ECU, or I can keep the factory unit and bypass the unwanted modules using CAN emulation. There are only two or three aftermarket ECUs that could do the job due to the engine being Direct Injection, and all of them are big money,so I'd like to try the other option first. Or to put it another way, it's the only way I can afford right now...
Although I've spent much of my career dealing with motor racing data acquisition systems and the like, I'm not a board-level electronics engineer, so could do with some help getting the CANBus controller hacking hardware sorted out. I would therefore be keen to hear from anyone with a) the relevant skills, and b) the willingness to help out!
I do CAN Hacking on Honda IMA systems.
What you are intending/hoping to do is incredibly complicated and tricky.
What if any work has already been done on reverse engineering this particular CAN system?
You will need to capture all the relevant ECM CAN data from a working car and then decide what data/packets relates to what.
What is being sent out by the ECM and what is being received by it from other modules. ABS, SRS, TCM, Dash cluster etc etc etc
Then work out what information is actually in the packets and how it is constructed.
Then you have to work out how to provide emulated fake data to keep the OEM engine ECU happy.
You might also be dealing with security rolling checksums and other weird stuff in packets that will all have to be reverse engineered and reproduced.
There are various CAN capture hardware tools and software available from cheap to ££££..
I've used CanDo (Cheap) and PCAN Explorer (Expensive) to do my work.
What you are intending/hoping to do is incredibly complicated and tricky.
What if any work has already been done on reverse engineering this particular CAN system?
You will need to capture all the relevant ECM CAN data from a working car and then decide what data/packets relates to what.
What is being sent out by the ECM and what is being received by it from other modules. ABS, SRS, TCM, Dash cluster etc etc etc
Then work out what information is actually in the packets and how it is constructed.
Then you have to work out how to provide emulated fake data to keep the OEM engine ECU happy.
You might also be dealing with security rolling checksums and other weird stuff in packets that will all have to be reverse engineered and reproduced.
There are various CAN capture hardware tools and software available from cheap to ££££..
I've used CanDo (Cheap) and PCAN Explorer (Expensive) to do my work.
Edited by peterperkins on Friday 10th May 15:41
Thank you for your reply! As far as I've been able to determine, no-one has done any work on this system - at least, I've not been able to find anything after hours and hours of Googling.
I have a running car here to take the measurements from, and the plan is to also set up one of the engines from the wrecked cars on a standalone test bed so that I can easily access all the relevant parts, switch them around, etc. The other engine will then be used to dry-build the car.
I have a running car here to take the measurements from, and the plan is to also set up one of the engines from the wrecked cars on a standalone test bed so that I can easily access all the relevant parts, switch them around, etc. The other engine will then be used to dry-build the car.
How many CAN busses does the car have?..
The Honda IMA cars have two for instance... FCAN and IMACAN.
Have you got a full very detailed workshop manual and wiring diagram?
If the donor is a non hybrid it might only have one bus?
Once you are sniffing the bus you can unplug modules one at a time and see what CAN id's/packets disappear.
The Honda IMA cars have two for instance... FCAN and IMACAN.
Have you got a full very detailed workshop manual and wiring diagram?
If the donor is a non hybrid it might only have one bus?
Once you are sniffing the bus you can unplug modules one at a time and see what CAN id's/packets disappear.
Gentlemen - thank you for your helpful comments, they're much appreciated!
As for how many buses the car has, at this stage I have no idea - some background:
I initially bought a GTS from a salvage auction, but once I'd sorted out the various hiccups, I realised that it was far too nice to take a disc cutter to. I therefore decided to keep it until I've got everything I need in terms of running CAN info, whereupon I might put it up for sale. Or not - it's simply so nice to drive that I may have to keep it.
Since I couldn't find a crashed one in this country, I went looking (online) in the States, where I found two. Having bought the first one nice and cheap, I thus declined the second, but when it was offered to me at a price I couldn't refuse, I gave in. In my defence, I was left unsupervised at my computer...
The first of the two is due to arrive in the country in about two weeks, so until it gets here, I can't go pulling things apart to find out. The manual (5,552 pages long) has lots of detail regarding the harnesses and what they connect to, but frustratingly doesn't tell you anything at all about how all the modules relate to one another.
My plan is - as suggested, to try and determine which modules can be identified on the network by operating/unplugging them and then emulating them so they can be deleted to reduce the system to the bare minimum.
As for how many buses the car has, at this stage I have no idea - some background:
I initially bought a GTS from a salvage auction, but once I'd sorted out the various hiccups, I realised that it was far too nice to take a disc cutter to. I therefore decided to keep it until I've got everything I need in terms of running CAN info, whereupon I might put it up for sale. Or not - it's simply so nice to drive that I may have to keep it.
Since I couldn't find a crashed one in this country, I went looking (online) in the States, where I found two. Having bought the first one nice and cheap, I thus declined the second, but when it was offered to me at a price I couldn't refuse, I gave in. In my defence, I was left unsupervised at my computer...
The first of the two is due to arrive in the country in about two weeks, so until it gets here, I can't go pulling things apart to find out. The manual (5,552 pages long) has lots of detail regarding the harnesses and what they connect to, but frustratingly doesn't tell you anything at all about how all the modules relate to one another.
My plan is - as suggested, to try and determine which modules can be identified on the network by operating/unplugging them and then emulating them so they can be deleted to reduce the system to the bare minimum.
It's increasingly difficult to do, especially if the gearbox is an automatic.
Every manufacturer is different.
The engine will expect the gearbox to be there, with correct data. Without it, the engine will go into reduced torque
The engine will expect the ABS module to provide vehicle speed, which must match with the engine speed and what gear the gearbox says it is in - else it will go into reduced torque mode
One solution for competitor analysis engine dyno work which was to put the engine and transmission in the dyno cell, extending the wiring loom to the vehicle parked outside. The ABS sensors were then unplugged and "fake" signals applied to the ABS module based upon the output shaft speed of the transmission.
You are planning to take the right route though, unplug and then see when it stops working.
Every manufacturer is different.
The engine will expect the gearbox to be there, with correct data. Without it, the engine will go into reduced torque
The engine will expect the ABS module to provide vehicle speed, which must match with the engine speed and what gear the gearbox says it is in - else it will go into reduced torque mode
One solution for competitor analysis engine dyno work which was to put the engine and transmission in the dyno cell, extending the wiring loom to the vehicle parked outside. The ABS sensors were then unplugged and "fake" signals applied to the ABS module based upon the output shaft speed of the transmission.
You are planning to take the right route though, unplug and then see when it stops working.
peew - yes, this is certainly one of the issues I've been thinking about. The auto 'box will be replaced with a manual transaxle, so finding out how to maintain max torque is going to be a major aim. I may be able to use the ABS module though, as I intend to fit as much of the original suspension as possible, including the hubs, discs, calipers, and so on.
The plan is to take one of the front subframes and see if I can use it as an engine cradle (it normally carries the two main engine mountings). If this looks sensible, I'll then plumb in all the necessary services so that it can be run successfully. After that, I'll strip all the electrical parts off the car, and reconnect them to the 'test bed'. This should give me a chance to determine which modules I can live with, and which ones need to be deleted. It's going to be a steep learning curve, but if it wasn't going to push me, I wouldn't be interested!
eliot - while I'd love to simply fit a standalone aftermarket ECU, unfortunately, there are very few out there that can cope with direct injection and variable valve timing. Life would be so much easier if I were prepared to convert it to port injection, but at this stage, I'm not!
The plan is to take one of the front subframes and see if I can use it as an engine cradle (it normally carries the two main engine mountings). If this looks sensible, I'll then plumb in all the necessary services so that it can be run successfully. After that, I'll strip all the electrical parts off the car, and reconnect them to the 'test bed'. This should give me a chance to determine which modules I can live with, and which ones need to be deleted. It's going to be a steep learning curve, but if it wasn't going to push me, I wouldn't be interested!
eliot - while I'd love to simply fit a standalone aftermarket ECU, unfortunately, there are very few out there that can cope with direct injection and variable valve timing. Life would be so much easier if I were prepared to convert it to port injection, but at this stage, I'm not!
Morning Paddy, responding here from your message. My advice is to go standalone. The level of integration between modules is high: the systems themselves are very tightly coupled.
In my 430 for example, the TCU will supply gear change information to the engine ECU, which in turn supplies the suspension ECU so that the rear damping rates are increased temporarily to minimise weight transfer during a gear change.
The requirement won't only be up against spoofing data, but in some cases creating an alternative, genuine source of data to replace what was lost from a module you remove - sensor data is often shared between modules. The ABS system for example is most likely the source of VSS and the software is coupled closely with the engine ECU.
Spoofing data will be the relatively easy part. I'd be more worried about the control strategy of the systems when missing chunks of genuine source data.
Not impossible, but very complicated and time consuming, and I think the result may well be suboptimal without modification to the engine management model itself.
In my 430 for example, the TCU will supply gear change information to the engine ECU, which in turn supplies the suspension ECU so that the rear damping rates are increased temporarily to minimise weight transfer during a gear change.
The requirement won't only be up against spoofing data, but in some cases creating an alternative, genuine source of data to replace what was lost from a module you remove - sensor data is often shared between modules. The ABS system for example is most likely the source of VSS and the software is coupled closely with the engine ECU.
Spoofing data will be the relatively easy part. I'd be more worried about the control strategy of the systems when missing chunks of genuine source data.
Not impossible, but very complicated and time consuming, and I think the result may well be suboptimal without modification to the engine management model itself.
Paddy_SP said:
eliot - while I'd love to simply fit a standalone aftermarket ECU, unfortunately, there are very few out there that can cope with direct injection and variable valve timing. Life would be so much easier if I were prepared to convert it to port injection, but at this stage, I'm not!
Life/Syvecs does support DI as far as I understand it. Autobionics is doing the v6 raptor engine into a sierra cosworth and that’s both PI and DI and im sure he’s using syvecs for it.Paddy_SP said:
The auto 'box will be replaced with a manual transaxle
I fear that's digging a hole to fall into. These days if you roll out to buy a crate engine you have to specify whether it's for a manual installation or with a matching auto transmission.It sounds a big challenge building a simulator to tell an "auto" engine what it wants to hear. I'm not convinced there's an easy "maximum all the time" answer, but I hope it all works out.
As Mwstewart says, just go standalone. I work with Canbus systems, what you are proposing is nigh on impossible without a comprehensive knowledge of what all the messages are doing. Even then if you manage to replicate the missing ones by emulation they will all need to be exact to match any checksums and timestamps required by the system to detect errors.
I'd return the equipment you've bought and put that towards the standalone, if you do go ahead then I wish you the best of luck.
I'd return the equipment you've bought and put that towards the standalone, if you do go ahead then I wish you the best of luck.
Thank you all for your wise words - I do, of course, realise that every word of caution you've raised is 100% valid, so will now revisit Plan A, which was to throw all the factory stuff to one side and fit a standalone device. As part of this, I will have a good look at the Syvecs offerings and see whether they'd be suitable!
Having thought about this at some length since my earlier post, I think the smartest way ahead would be for me to try and get the engine running on its 'test bed' using the stock factory wiring/modules, etc., and then once I've proved that it all goes, switch to a standalone such as the Syvecs.
I guess the real purpose of my asking the initial question was to satisfy myself that I had considered all the available options. The first of the two wrecked cars isn't due to arrive for two weeks, so I'm trying to make the most of the time between now and then to sanity-test my plans.
While using the stock set-up may appear to be cheaper, I now think the amount of grief the process would give me would far outweigh the extra price of a standalone system, especially if you were to factor in the number of hours it'd take and relate them to £ per hour! I just need to find something to sell...
I suspect that the final decision as to which ECU I buy will be down to how much support I feel I'm likely to get from the manufacturer.
I guess the real purpose of my asking the initial question was to satisfy myself that I had considered all the available options. The first of the two wrecked cars isn't due to arrive for two weeks, so I'm trying to make the most of the time between now and then to sanity-test my plans.
While using the stock set-up may appear to be cheaper, I now think the amount of grief the process would give me would far outweigh the extra price of a standalone system, especially if you were to factor in the number of hours it'd take and relate them to £ per hour! I just need to find something to sell...
I suspect that the final decision as to which ECU I buy will be down to how much support I feel I'm likely to get from the manufacturer.
Gassing Station | In-Car Electronics | Top of Page | What's New | My Stuff