CAN Bus Analysis on Linux

  • Get an SLCAN adapter (like the Zubax Babel or the CVRA USB dongle)
  • Follow this guide to set up your adapter as a local network interface: https://elinux.org/Bringing_CAN_interface_up
    • sudo slcand -o -s8 -t hw -S 3000000 /dev/ttyACM3 -F # -s8 selects a 1 Mbps CAN bitrate (works for the Maxon Bikedrive)
    • sudo ip link set up slcan0
  • Install Wireshark and add your local user to the wireshark group
  • Open Wireshark and select the slcan0 interface
  • If your adapter is on the bus, packets should start showing
  • If you know that your CAN bus devices are using CANopen (like the Maxon Bikedrive), you can make Wireshark decode the frames: go to “Analyze > Decode as”, select “CAN next level dissector” from the drop-down, and select CANopen in the protocol list. You should see something like this:

This analysis is completely non-invasive and no messages were transmitted to the CAN bus. The adapter is in silent mode.

System Overview:

  • Adapter: generic SLCAN
  • CAN bitrate: 1Mbps

According to ref, the 11-bit identifier consists of a 7-bit node ID and a 4-bit function code.

  • canopen.cob_id == 0x281
    • PDO2 (tx)
    • Data field changes only when motor is powered and remains at last state when stopped. Changing torque settings makes no difference.
  • canopen.cob_id == 0x181
    • PDO1 (tx)
    • Appears to be some sort of counter. Example of the data: 37:03:00:00:4a:4c:9d:40. The portion in bold remained static and the underlined was incrementing by 1 approximately every 20s. The rest was constantly changing.
  • canopen.cob_id == 0x182
    • PDO1 (tx)
    • Doesn't change when motor on
  • canopen.cob_id == 0x77f (first node)
    • NMT Error Control [0x7f is node id, 0xe is function code]
    • States: Boot-up (0x00), Operational (0x05)
  • canopen.cob_id == 0x701 (second node)
    • NMT Error Control [0x01 is node id]
    • States: Boot-up (0x00), Pre-operational (0x7f), Operational (0x05)
  • canopen.cob_id == 0x702 (third node)
    • NMT Error Control [0x02 is node id]
    • States: Boot-up (0x00), Pre-operational (0x7f), Operational (0x05)
  • canopen.node_id == 0x7f [REMOTE]
    • only sends NMT error control messages except at startup:
    • the message stream stops if the remote is unplugged! is this the remote?
  • canopen.node_id == 0x0
    • on boot: NMT: start remote node 0x1 and 0x2
    • otherwise, while not riding: SYNC
  • canopen.node_id == 0x02 [BATTERY]
    • sends tx_PDO1 (fc=3), tx_PDO2 (fc=5), tx_PDO4 (fc=9) and NMT
    • no rx PDOs, so this is not an actuator? is this the battery?
    • unplugging the remote control doesn't stop this message stream
  • canopen.node_id == 0x01 [MOTOR]
    • sends PDO1 (rx, tx), PDO2 (tx), PDO3, NMT and Default-SDO (rx,tx): initiate upload request and response
    • When the remote controller is unplugged, EMCY (emergency) is seen and 2 last PDO1 are seen. After that only PDO3 and NMT operational until PDO3 also disappears. Node_id 0x01 is not the remote control? I suspect this node is the motor, see below!
    • As soon as remote is plugged back in this happens:
  • canopen.node_id == 0x01 and canopen.function_code == 0x7
    • (PDO3 tx)
    • Data field: c4:07:00:00:01:00:00:00 / the bold part goes up if the motor is turning and the underlined increments when the pedals are used. If the wheel is spinning freely, both are zero. If the wheel is driven backwards, the bold part decrements down from FFFFFFFF.
    • canopen.node_id == 0x01 and canopen.function_code == 0x5 changes similarly but doesn't return to zero. Has some offset.
  • canopen.node_id == 0x01 and canopen.function_code == 0x4
    • pdo1 rx
    • starts at 0
    • when power is given to the motor, it increases and goes back to zero as soon as no power is fed to the motor
    • I know it must be power to the motor, because it increases even if the wheel isn't turning
  • canopen.node_id == 0x01 and canopen.function_code == 0x3
    • pdo1 tx: independent of power or wheel spin
    • 37:03:00:00:68:c3:aa:05 - bold part doesn't change after reboot, the underlined seems to be some kind of timer. the rest changes seemingly randomly. (external odometer at time of writing: 3161km)
  • canopen.node_id == 0x02 and canopen.function_code == 0x5
    • PDO2 tx: looks like battery voltage or charge. Decrements when powered and increments when charger connected.
  • canopen.node_id == 0x02 and canopen.function_code == 0x9
    • PDO4 tx: increases when charging, decreases when resting. Could this contain a temperature? Not sent as often as the other messages (1 per 2 sec)
  • canopen.node_id == 0x02 and canopen.function_code == 0x3
    • PDO1 tx: again something that increases when charging and decreases while standby and even more when powered. could this be battery voltage?
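
The COB-ID split used throughout the list above (4-bit function code, 7-bit node ID) can be applied offline to a saved capture. The following is an added example, not part of the original notes: it assumes the traffic was logged with `candump -L` from can-utils (a tool the notes do not mention), the function and variable names are hypothetical, and the sample log is constructed from payloads quoted above.

```python
import re

# CANopen predefined connection set: function code -> object (tx/rx as seen by the node).
FUNCTION_CODES = {
    0x0: "NMT", 0x1: "SYNC/EMCY", 0x2: "TIME",
    0x3: "PDO1 tx", 0x4: "PDO1 rx", 0x5: "PDO2 tx", 0x6: "PDO2 rx",
    0x7: "PDO3 tx", 0x8: "PDO3 rx", 0x9: "PDO4 tx", 0xA: "PDO4 rx",
    0xB: "SDO tx", 0xC: "SDO rx", 0xE: "NMT Error Control",
}
# State byte carried in NMT Error Control (boot-up / heartbeat) frames.
NMT_STATES = {0x00: "Boot-up", 0x04: "Stopped",
              0x05: "Operational", 0x7F: "Pre-operational"}
# One "candump -L" line: "(timestamp) interface ID#HEXDATA", 11-bit IDs only.
LINE_RE = re.compile(
    r"\((\d+\.\d+)\)\s+(\S+)\s+([0-7][0-9A-Fa-f]{2})#((?:[0-9A-Fa-f]{2}){0,8})$")

def split_cob_id(cob_id):
    """Return (function_code, node_id) for an 11-bit COB-ID."""
    if not 0 <= cob_id <= 0x7FF:
        raise ValueError("not an 11-bit identifier")
    return cob_id >> 7, cob_id & 0x7F

def decode_line(line):
    """Decode one log line; return None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    cob_id, data = int(m.group(3), 16), bytes.fromhex(m.group(4))
    fc, node = split_cob_id(cob_id)
    name = FUNCTION_CODES.get(fc, "other")
    if fc == 0x1:  # 0x080 is SYNC, 0x080 + node ID is EMCY
        name = "SYNC" if node == 0 else "EMCY"
    info = {"cob_id": cob_id, "fc": fc, "node": node, "object": name, "data": data}
    if fc == 0xE and len(data) == 1:
        # Low 7 bits hold the state; bit 7 is the node-guarding toggle bit.
        info["state"] = NMT_STATES.get(data[0] & 0x7F, "unknown")
    return info

def decode_log(text):
    return [d for d in map(decode_line, text.splitlines()) if d is not None]

# Constructed sample capture; payloads reuse values quoted in the notes above.
SAMPLE_LOG = """\
(1700000000.000000) slcan0 702#00
(1700000000.100000) slcan0 701#7F
(1700000000.200000) slcan0 77F#05
(1700000000.300000) slcan0 080#
(1700000000.400000) slcan0 381#C407000001000000
(1700000000.500000) slcan0 181#370300004A4C9D40
"""
```

Calling `decode_log(SAMPLE_LOG)` returns one dict per frame, so frames can be grouped by `node` and `object` to rebuild the per-node inventory above from a capture file.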