Working with the CAN bus analyzer in the CARBUS Analyzer
Selecting and connecting to the interface
In the top menu of CARBUS Analyzer, select Settings – > Device settings
In the window that opens, select the type of your interface in the pop-up Device list. In the drop-down Device mode list, select the CAN mode.
For two-channel CAN interfaces two modes are available – with and without CAN gateway function. These modes are implemented in different firmware. If a firmware with support for CAN gateway mode is loaded into the interface, the speed of the interface with the computer is reduced by half. This is due to the fact that the interface processor must allow time to process frames cores between CAN channels. This is described in detail in the documentation for the specific interface.
The CAN speeds are configured on the Chanel 1: CAN and Chanel 2 tabs.
Both predefined baudrates and custom customization are available.
The selection of predefined baudrates is made by a simple selection of the required speeds from the drop down list of Channel baudrate.
Custom Baudrate position in the Channel baudrate drop-down list
In the Custom baudrate input field, you must enter the required CAN speed. Once the speed is entered, an attempt will be made to calculate the CAN controller clock factor. If the clock separator is an integer, then the input value will be displayed on a white background and after pressing the OK button, the CAN channel will run at the specified speed.
If the entered baudrate doesn’t allow the integer divisor to be calculated, the value entered will be highlighted in red.
In this case it is necessary to set the Low accuracy flag and CARBUS Analyzer will set the CAN channel speed as close as possible to the entered value.To know the estimated approximate value, press the button “?”
After you configure the CAN baudrates, press the OK button, the settings will be transferred to the interface and the Settings menu will close.
After configuring the CAN adapter and CAN channels in the top menu, press Connect
CAN Frames receiving
If CAN-Hacker is connected to one or two CAN buses and the speed of CAN is determined correctly, the physical connection to the CAN bus is correct and there is activity on the bus, then you will see the frames passed across the bus in the receiving window because in the image below.
For the convenience of analyzing data transmitted through different channels, click the Splitter button in the top menu (the arrow on the photo above) and the data of each channel will be displayed in its own window.
CAN Frames transmitting
To transfer frames in the Transmit window, click the Add button and form the required frame. You can select a channel, type ID 11 or type 29 bits, and the batch time when you press the Run button. For a single send, press Shot. In addition, right-click on the Transmit window – You can perform group operations – Run All and Stop All, as well as save and load the transferred frames into a file.
The Shot button sends the selected frame once.
Triggers for automatic frames transmit.
You can set the trigger for each message for automatic transmission. In this case the transfer will start only if the frame specified in the trigger settings is accepted. In the screenshot above, the trigger is configured as follows: If CAN channel #2 accepts a frame with ID=0x123, DLC=8 and data set:
12 34 56 78 12 34 56 78, then the frame with ID=0x321, DLC=8
and data sets: 87 65 43 21 87 65 43 21. In this example, channels 1 and 2 were combined physically for illustration, so the automatically sent frame via channel #2 we see accepted in channel #1. The trigger is activated by pressing the RUN button on the selected frame.
Frames can be presented as a bit field, which is convenient, for example, when searching for binary signals such as: open closed doors, lights turned off, etc. etc.
To present a frame as a bit field, right-click on the frame and click on Message bit-map in the context menu
After which the window with the bit field of the selected frame appears
Frame IDs filters
The CARBUS Analyzer software allows working with both hardware filters of CAN frames and with a software filter on a given ID range.
Hardware filters differ in that they work directly in the CAN interface controller and do not affect program and firmware speed.
The program filter works in the CARBUS Analyzer program itself, so in this case the program receives from the interface the entire flow of data from the CAN bus and if this flow is dense, it can affect the speed. However, it is much easier to configure the software filter. You only need to set the ID range that you want to accept.
Hardware CAN filters have priority over the software filter!
Hardware filters are on the Hardware Filter Table tab. The Program Filter over the ID range is on the Range tab.
Hardware ID filters
Use the tab on the right side of CARBUS Analyzer to work with CAN filters. If you are using a small screen monitor, click the funnel icon at the top of the program menu to call the filter configuration window.
For two-channel CAN interfaces, the filters 0 through 12 belong to CAN channel 1. Filters 13 through 28 belong to CAN channel 2.
For single-channel interfaces (e.g., CH-OBD.M02), all 28 CAN filters belong to the same CAN channel.
The matching of filters and CAN channels is shown in the CH column of the filter table.
Each filter and mask can be either 11 bits or 29 bits. Select the right type based on which type of ID you want to add to the table.
To configure the filter, double-click it, which will open the configuration window of the selected filter.
If you want to use 29 bit – set flag 29 bit filter
After setting the mask and filter code, set the Enable Filter flag and press Set. In the filter table, the active filter will be selected by the flag in front of it.
The filter can be switched off quickly by manually removing the flag from the filter.
You can also enter the desired ID in the filter table from the Receive Monitor window or the Stream window.
To do this, right click on the ID and click on Add message ID to filter in the context menu
Hardware filter value setting principle
The principle of CAN filters is that the mask bits indicate which bits of the inbound filter ID must be accounted for, and the value of the filter code (Filter field) indicates that these masked bits must be equal.
ID = 7E0 HEX 111 1110 0000 BIN
Mask = 7FF HEX 111 1111 1111 BIN
In this example, we tell the CAN controller that it is necessary to account for all 11 bits of the accepted ID, and these bits must be equal to = 111 1110 0000 BIN or 7E0.
Thus the filter will be configured to receive only frames with ID=7E0.
If in this example, in the mask value, replace the last four bits with zeros, the mask takes the form Mask = 7F0 HEX 111 1111 0000 BIN , we tell the CAN controller that we are not interested in the last four bits (half bytes) adopted ID and will accept all ID frames from 7E0 to 7EF.
If you set the mask and filter to 0000000000, all frames will be accepted. If at least one CAN filter of the channel is configured in this way, the other filters of this channel will have no effect.
Other examples are as follows:
Skip only frames with ID =0x7E8
ID = 7E8 HEX 111 1110 1000 BIN
Mask = 7FF HEX 111 1111 1111 BIN
Skip all ID frames with a ninth bit=1
(1xx, 3xx,5xx, 7xx, where xx-any number from 0 to FF)
ID = 100 HEX
Mask = 100 HEX
For 29-bit ID, the logic is the same, with filter and mask lengths becoming 29-bit.
Skip only frames with 29-bit ID = 0x0000000333:
ID = 0x0000000333
Mask = 1FFFFFFF
It is important to understand that the type of filter (11 or 29 bits) depends not on the value of the filter or mask, but on the special flag set by the CAN controller, the poet ID can be:
0x000333 – 29 bits
0x333 – 11 bits
IMPORTANT: If all filters are disabled, the first filters of each CAN channel are configured to pass all incoming frames.
Working with ID-range software filter
To configure the program filter to the ID range, you must enter the Range tab of the filter table.
Double-clicking the right mouse button on the selected channel filter opens the configuration window.
The range of identifiers to be ACCEPTED is set in the fields From – the initial ID of the range and To – the end point of the range. All frames with an ID from a given range will be accepted.
The Exclude field specifies the ID that SHOULD NOT be received in the range above.
On the screenshot above, the range of ID from 0x100 to 0x200 is set. However, frames with ID equal to 0x101,0x102,0x103 will not be accepted.
After the filter is configured, press the SET button and the filter will be activated.
In the example below, the CAN-1 channel accepts frames transmitted by the CAN-2 channel according to the configured software filter.
IMPORTANT: The program range filter does not distinguish between 11 bit and 29 bit Ids. Therefore, if you set the range 0x222…. 0x333, then frames with ID in the range 0x00000222,,, 0x00000333 will also be accepted.
Working with Traces
To record a stream (Trace), click the top Stream menu
In the window that opens, you will be able to record the flow of CAN frames sequentially. You need to press the red circle button to start writing. To stop the button, the blue square is used. (the red circle takes the form of a blue square after the beginning of the recording and vice versa)
To save and download trails, the buttons in the top menu are extremely right, marked with a red rectangle in the photo above. To switch to CAN monitor mode, press the Monitor button in the top menu.
To play saved Trace, click Tracer at the top of the menu
In the opened window, download the saved stream file (trace) and select the channel from the Only for Channel list that will be used in the work. This is necessary in case the flow was recorded from two channels at the same time.
Select which channel you want to transfer frames from the saved thread as in the figure above. If you select the To Monitor option, frames from the trail will be broadcast through the monitor window and will not be physically transmitted to the CAN bus.
With the Play Stop, Step and Repeat buttons, which have the corresponding graphics in the top menu, you can control the stream playback.
In the right hand side of the track window, you can mark the ID of the frames you want to play.
Right clicking on this window allows you to perform group operations with the ID table.
To control the playback rate of the Trace, press the timer icon as in the image below and select the required delay between the frames.
CAN Gateway mode
The CAN gateway (CAN Gateway) mode is available for two-channel CAN interfaces, and the interface must be loaded with the appropriate firmware (see interface manual). The Settings menu must select a mode that supports CAN Gateway.
The CAN gateway settings are on the CAN filter configuration tab.
The Transmit CAN1=>CAN2 flag involves transferring frames from channel 1 to channel 2.
The Transmit CAN2=>CAN1 flag involves transferring frames from channel 2 to channel 1.
With the help of the Lock Unlock buttons and the corresponding ID fields, it is possible to block the passage of frames with a specific ID.
CAN Bomber is a built-in tool for brute forcing on the CAN-bus. To enter Bomber mode, click Bomber in the top CARBUS Analyzer menu
После чего в нижней части формы откроется сам Bomber
In the ID from and To fields, the ID search range is set. To run 29 bit Ids, you need to set the 29 bit flag just below the Channel drop-down list.
Bomber mode is set in the drop down list Mode. The following modes are available:
– ID Counter – increment ID over 1
– ID List – by ID table
– Data counter – Fixed ID, brute force data bytes
– Data counter with shift – brute force data bytes with shift.
The easiest mode is ID Counter. In this mode, the fixed data frame and the ID overhaul are transmitted in the specified range with increment +1.
The more complex mode is the ID List. In this mode, the fixed data frame transfer is done with the ID of the Unique ID List, which is the list of Ids to be searched. You can add an ID to a table manually, from a file, or copy all the ID from the Receive Monitor window. The Unique ID List is the right-click on the Unique ID List
To manually add an ID, press Add ID. To remove – Delete ID
To add ALL ID from the received frames window in the drop-down menu, select From Receive monitor
The BruteForce starts when the Run button is pressed. The BruteForce occurs with the period specified in the Period field. With each ID, the number of frames specified in the Msg per step field is transferred.
Data counter or Data counter with shift is selected to parse the data.
In Data counter mode, a fixed ID frame and an increment of flagged bytes of data are sent. Increment is performed by the value specified in the string Increment=>, individually for each data byte.
In Data counter with shift mode, the increment to the specified value of the noted bytes of data is performed. If the more right-marked byte passes through the FF, then increment to +1 observed byte to the left. So you can go through all the possible combinations of bytes of data in the frame.
In Bomber mode, you can calculate the checksum of the frame – CRC. The checksum is applied on many cars and if it is not correct, the frames transferred are ignored. Different manufacturers may have different CRC calculation algorithms. Bomber has two calculation algorithms available: Toyota (universal) and ISO J1850. The CRC mode is set in the menu to the left of the Unique ID list.
In Toyota CRC mode, all the noted elements of the frame are added to module 2. The resulting value is inserted into the data byte selected in the drop-down list Insert CRC to.
In ISO J1850 mode, the calculation is carried out automatically and the value is transmitted to the eighth byte of data of the transferred frame.