CAN Bus Analysis on Linux

  • Get an SLCAN adapter (like the Zubax Babel or the CVRA USB dongle)
  • Follow this guide to set up your adapter as a local network interface: https://elinux.org/Bringing_CAN_interface_up
    • sudo slcand -o -s8 -t hw -S 3000000 /dev/ttyACM3 -F # -s8 selects the 1Mbps CAN bit rate (works for Maxon Bikedrive)
    • sudo ip link set up slcan0
  • Install Wireshark and add your local user to the wireshark group
  • Open Wireshark and select the slcan0 interface
  • If your adapter is on the bus, packets should start showing
  • If you know that your CAN bus devices are using CANopen (like the Maxon Bikedrive), you can make Wireshark decode the frames: go to “Analyze > Decode as”, select "CAN next level dissector" from the drop-down and, in the protocol list, select CANopen. You should see something like this:

This analysis is completely non-invasive and no messages were transmitted to the CAN bus. The adapter is in silent mode.

System Overview:

According to ref, the 11-bit identifier consists of a 7-bit node ID and a 4-bit function code.
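
The identifier split described above, as an added example that is not part of the original page: a small Python decoder that separates function code and node ID using the CANopen predefined connection set and labels NMT error control states. The candump lines are constructed sample input and the function names are hypothetical; devices that remap their COB-IDs away from the defaults will be mislabelled.

```python
# Added example, not from the original page: decode CANopen COB-IDs with the
# predefined connection set. Function names here are hypothetical.

# Function code -> object for node-specific identifiers (node ID 1..127)
NODE_OBJECTS = {
    0x1: "EMCY", 0x3: "PDO1 (tx)", 0x4: "PDO1 (rx)", 0x5: "PDO2 (tx)",
    0x6: "PDO2 (rx)", 0x7: "PDO3 (tx)", 0x8: "PDO3 (rx)", 0x9: "PDO4 (tx)",
    0xA: "PDO4 (rx)", 0xB: "Default-SDO (tx)", 0xC: "Default-SDO (rx)",
    0xE: "NMT Error Control",
}
# Function code -> object for broadcast identifiers (node ID 0)
BROADCAST_OBJECTS = {0x0: "NMT", 0x1: "SYNC", 0x2: "TIME"}
NMT_STATES = {0x00: "Boot-up", 0x04: "Stopped", 0x05: "Operational",
              0x7F: "Pre-operational"}

def split_cob_id(cob_id):
    """Return (function_code, node_id) for an 11-bit COB-ID."""
    if not 0 <= cob_id <= 0x7FF:
        raise ValueError("not an 11-bit identifier (extended frame?)")
    return cob_id >> 7, cob_id & 0x7F

def describe(cob_id, data=b""):
    """Return (node_id, object name); adds the state for 1-byte NMT frames."""
    fc, node = split_cob_id(cob_id)
    name = (NODE_OBJECTS if node else BROADCAST_OBJECTS).get(fc, "unknown")
    if name == "NMT Error Control" and len(data) == 1:
        # Bit 7 is the node-guarding toggle bit, so mask it off.
        name += ": " + NMT_STATES.get(data[0] & 0x7F, "unknown state")
    return node, name

def parse_candump_line(line):
    """Parse candump's default output: '<iface> <id> [<dlc>] <bytes...>'."""
    fields = line.split()
    return int(fields[1], 16), bytes(int(b, 16) for b in fields[3:])

# Constructed sample input in candump's default format (not a real capture).
SAMPLE = """\
  slcan0  77F   [1]  05
  slcan0  701   [1]  7F
  slcan0  281   [8]  00 00 00 00 00 00 00 00
  slcan0  080   [0]
"""

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        cob_id, data = parse_candump_line(line)
        node, name = describe(cob_id, data)
        print(f"0x{cob_id:03x}  node 0x{node:02x}  {name}")
```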

  • canopen.cob_id == 0x281
    • PDO2 (tx)
    • Data field changes only when motor is powered and remains at last state when stopped. Changing torque settings makes no difference.
  • canopen.cob_id == 0x181
    • PDO1 (tx)
    • Appears to be some sort of counter. Example of the data: 37:03:00:00:4a:4c:9d:40. The portion in bold remained static and the underlined was incrementing by 1 approximately every 20s. The rest was constantly changing.
  • canopen.cob_id == 0x182
    • PDO1 (tx)
    • Doesn't change when the motor is on
  • canopen.cob_id == 0x77f (first node)
    • NMT Error Control [0x7f is node id, 0xe is function code]
    • States: Boot-up (0x00), Operational (0x05)
  • canopen.cob_id == 0x701 (second node)
    • NMT Error Control [0x01 is node id]
    • States: Boot-up (0x00), Pre-operational (0x7f), Operational (0x05)
  • canopen.cob_id == 0x702 (third node)
    • NMT Error Control [0x02 is node id]
    • States: Boot-up (0x00), Pre-operational (0x7f), Operational (0x05)
  • canopen.node_id == 0x7f
    • only sends NMT error control messages except at startup:
    • The message stream stops if the remote is unplugged! Is this the remote?
  • canopen.node_id == 0x0
    • on boot: NMT: start remote node 0x1 and 0x2
    • otherwise, while not riding: SYNC
  • canopen.node_id == 0x02
    • sends tx_PDO1, tx_PDO2, tx_PDO4 and NMT
    • no rx PDOs, so this is not an actuator? is this the battery?
    • unplugging the remote control doesn't stop this message stream
  • canopen.node_id == 0x01
    • sends PDO1 (rx, tx), PDO2 (tx), PDO3, NMT and Default-SDO (rx,tx): initiate upload request and response
    • When the remote controller is unplugged, an EMCY (emergency) message is seen and two last PDO1 messages are seen. After that, only PDO3 and NMT operational are seen, until PDO3 also disappears. Node_id 0x01 is not the remote control?
    • As soon as remote is plugged back in this happens:
  • Last modified: 3 years ago
  • by sam