1

I'm building a HIL/SIL test with Simulink, which tests the Vehicle Control Unit(VCU) from a vehicle. This VCU talks with a Power Distribution Module(PDM) over a J1939 CAN network. The PDM handles the in- and outputs from switches and to actuators and puts the information on the CAN bus. The VCU then knows what the PDM is seeing from connected sensors. In turn, the VCU puts info on the CAN bus on how the PDM should control the connected actuators.

My laptop is hooked to the same CAN bus with a Vector adapter and Simulink.

To test the VCU, I need to mimic the PDM and send messages to the VCU as if I were the PDM. The VCU then has to take the correct actions and control the real PDM accordingly.

Obviously, if I just mimic the PDM, my messages will interfere with those sent from the real PDM. So basically, I need the PDM to shut up and only listen. I do the talking for the PDM. However, the PDM is not configurable in a listen-only mode, so I have to intercept all messages it sends so they never arrive at the VCU.

My idea was that i'd detect(by observing the arbitration field of all messages) when the PDM starts sending, and pull a bit down in the arbitration field. It'd recognise the priority of my 'message' over its own, and it'd stop transmitting. It'd be as if the CAN bus is always to busy to give room to the PDM. This would shut up the PDM without it throwing errors. But other suggestions are welcome.

So (how) is it possible to intercept J1939 CAN messages in MATLAB/Simulink, or with a separate CAN controller?

Bart
  • 261
  • 3
  • 14

1 Answers1

2

Here is an idea, how to realize what you are looking for. You need some extra hardware, however.

This is the rough outline:

  • Setup a CAN-gateway device, which has two independent CAN-interfaces can0 and can1.
  • Disconnect the PDM from the CAN-bus and connect it to one of the interfaces of your CAN-gateway, e.g. can0
  • Connect the second interface of the CAN-gateway, can1, to the original CAN-bus, which also includes your laptop and the VCU
  • Program your CAN-gateway to forward all incoming CAN-frames on can1 to the can0 interface
  • As you want to ignore all messages from the PDM, simply ignore the CAN-frames coming in on interface can0 and not forward them to can1

Example, how to realize such a CAN-gateway:

  • Hardware: Use a Raspberry Pi and a CAN extension board with two can-interfaces, such as the PiCAN2 duo board.
  • Software: Write a small program to forward traffic between the interfaces can0 and can1, using socketcan, which is already included in the Linux kernel.
  • In case your devices are communicating via the higher layer J1939 transport protocol, you might also need to get the J1939 transport protocol running on the Raspberry Pi. If you are simply using 29-bit indentifiers with a maximum payload of 8 byte of data, this should also not be necessary.
  • Alternatively, you could also use a more expensive commercial solution, this CAN-Router for example.

Your original idea:

I think what you are envisioning is technically feasible, but might have some other drawbacks.

  • As the drivers of can controllers typically don't expose interfaces to interactively manipulate CAN-frames while their transmission is still ongoing, you could directly address a can-transceiver from a microcontroller
  • A few researchers realized a CAN Denial of service attack by turning the first recessive bit in a CAN-frame after the arbitration ID into a dominant bit for certain selected CAN-IDs. They used an Arduino Uno and a Microchip MCP2551 E/P CAN transceiver. The code used is also available online. As this interactive manipulation of CAN-frames during transmission is related to what you are looking for, this could be a good starting point for you.
  • Still I see some drawbacks, when you silence the PDM this way:
    • You will not only silence the PDM this way, but also (at least) delay the transmission of other nodes on the CAN-bus with arbitration IDs that have lower priority than the messages from the PDM
    • It is very likely that the PDM will go into some error state, when it is not able to successfully send its CAN-frames to the bus after a certain number of retries

Yet another idea:

In case you are able to adapt the software of the VCU, change it in a way that it does not consume the CAN-frames from the PDM, but CAN-frames from your laptop by using different CAN-IDs for the same messages. You will have to change the dbc-file for that purpose.

oh.dae.su
  • 607
  • 6
  • 12
  • While this is a perfect solution, it's unfortunately not an option for me. I have considered it before, but it means physically breaking into a vehicle that belongs to state defense, since it concerns military vehicles. I'm told it was not an option. Thats why i was aiming at intercepting messages rather than filtering them while relaying the PDM CAN bus to the VCU,which you propose. So i'm affraid I have to remain at detecting messages before the arbitration field is finished. I guess that's the only way to intercept messages. But i'm not sure if that's possible. Still, thanks for your input. – Bart Nov 02 '18 at 11:19
  • 1
    Too bad that this is not an option. I have added a part to my answer addressing your original idea. I hope it is helpful for your purpose. – oh.dae.su Nov 03 '18 at 20:14
  • Thanks again, good input. Luckily there are no other nodes that will be prevented from sending when I block messages fromt the PDM if I only pull down the last recessive bit. I'm not sure if the PDM will trigger errors when prevented from sending, but I don't think so. Otherwise, it won't matter as long as it keeps functioning as normal. While also a good idea, the VCU's software can't be altered, for the same reason I couldn't put in a physical break to relay the CAN bus. So that's not an option.. But i'll certainly look into the article you posted! I feel a solution hiding in there. – Bart Nov 05 '18 at 08:17
  • Sure. Best of luck for your project. – oh.dae.su Nov 06 '18 at 13:20