can_analysis

This is an old revision of the document!


CAN Bus Analysis on Linux

  • Get an SLCAN adapter (like the Zubax Babel or the CVRA USB dongle)
  • Follow this guide to setup your adapter as a local network interface: https://elinux.org/Bringing_CAN_interface_up
    • sudo slcand -o -s8 -t hw -S 3000000 /dev/ttyACM3 -F #8 is 1Mbps can rate (works for Maxon Bikedrive)
    • sudo ip link set up slcan0
  • Install wireshark and add your local user to the wireshark group
  • Open wireshark and select the slcan0 interface
  • If your adapter is on the bus, packets should start showing
  • If you know that your CAN bus devices are using CANopen (like the Maxon Bikedrive), you can make wireshark decode the frames: Go to “Analyze > Decode as”. Then select CAN next level dissector from the drop down and in the protocol list, select CANopen. You should see something like this:

This analysis is completely non-invasive and no messages were transmitted to the CAN bus. The adapter is in silent mode.

System Overview:

  • Adapter: generic SLCAN
  • CAN bitrate: 1Mbps

According to ref, the 11 bit identifier consist of a 7bit node id and a 4bit function code.

  • canopen.cob_id == 0x281
    • PDO2 (tx)
    • Data field changes only when motor is powered and remains at last state when stopped. Changing torque settings makes no difference.
  • canopen.cob_id == 0x181
    • PDO1 (tx)
    • Appears to be some sort of counter. Example of the data: 37:03:00:00:4a:4c:9d:40. The portion in bold remained static and the underlined was incrementing by 1 approximately every 20s. The rest was constantly changing.
  • canopen.cob_id == 0x182
    • PDO1 (tx)
    • Doesn't change when motor on
  • canopen.cob_id == 0x77f (first node)
    • NMT Error Control [0x7f is node id, 0xe is function code]
    • States: Boot-up (0x00), Operational (0x05)
  • canopen.cob_id == 0x701 (second node)
    • NMT Error Control [0x01 is node id]
    • States: Boot-up (0x00), Pre-operational (0x7f), Operational (0x05)
  • canopen.cob_id == 0x702 (third node)
    • NMT Error Control [0x02 is node id]
    • States: Boot-up (0x00), Pre-operational(0x7f), Operational (0x05)
  • canopen.node_id == 0x7f
    • only sends NMT error control messages except at startup:
    • the message stream stops if the remote is unplugged! is this the remote?
  • canopen.node_id == 0x0
    • on boot: NMT: start remote node 0x1 and 0x2
    • otherwise, while not riding: SYNC
  • canopen.node_id == 0x02
    • sends tx_PDO1, tx_PDO2, tx_PDO4 and NMT
    • no rx PDOs, so this is not an actuator? is this the battery?
    • unplugging the remote control doesn't stop this message stream
  • canopen.node_id == 0x01
    • sends PDO1 (rx, tx), PDO2 (tx), PDO3, NMT and Default-SDO (rx,tx): initiate upload request and response
    • When the remote controller is unplugged, EMCY (emergency) is seen and 2 last PDO1 are seen. After that only PDO3 and NMT operational until PDO3 also disappears. Node_id 0x01 is not the remote control? I suspect this node is the motor, see below!
    • As soon as remote is plugged back in this happens:
  • canopen.node_id == 0x01 and canopen.function_code == 0x7
    • (PDO3 tx)
    • Data field: c4:07:00:00:01:00:00:00 / the bold part goes up if the motor is turning and the underlined increments when the pedals are used. If the wheel is spinning freely, both are zero. If the wheel is driven backwards, the bold part decrements down from FFFFFFFF.
  • can_analysis.1549469785.txt.gz
  • Last modified: 3 years ago
  • by sam