www.cert.ucr.edu 1 www.cert.ucr.edu

Unpacking The Engine Control Unit Using Controller Area Network

PEMS Conference 2012

March 29-30

Presented By:

Kent Johnson and Joseph Menke

University of California, Riverside

Bourns College of Engineering Center for Environmental Research and Technology

www.cert.ucr.edu 2

Controller Area Networks (CAN)

A Controller Area Network, or CAN for short, is a bus

standard designed to allow multiple microcontrollers to

communicate with each other without the need for a host

computer. It was originally designed for automotive

applications to allow the different engine components to

communicate but it has been expanded to be used in a

variety of applications. CAN is a message based protocol

that incorporates data transfer, addressing, error correction

and overload protection.

www.cert.ucr.edu 3

The Tools:

Dearborn- Is a simple device used by several PEMS

mfg.s This device requires loading max 12

messages and communicating via RS-232 using a l

limited number of commands

Kvaser- Has a variety of different tools, going from

single channel connectors that require a laptop to

standalone data loggers with a PC-104 bus that can

monitor multiple channels at once. Multiple API’s allow

for quick development of interfacing programs.

Unican- Offers a robust self contained package

that incorporates multiple CAN Channels, data

logging, GPS, wireless data transmission, and

On/Off CAN triggers (ie start with RPM > 500) to

reduce power consumption.

www.cert.ucr.edu 4

Example Code of UCR’s Dearborn III Plus

Interface: Initialize Serial Port

www.cert.ucr.edu 5

Sending, Reading and Displaying

Messages

www.cert.ucr.edu 6

Messages Sent to Dearborn III Plus

www.cert.ucr.edu 7

Converting bigEdian to Hex Then to Decimal

www.cert.ucr.edu 8

Go On Bus to see the

message stream, Go Off

Bus to change settings

Total number of messages

sent/received. Receiving error

messages usually means incorrect

baud rate.

Change baud rate: 250000 is common

for J1939. 500000 is common for OBD/

light duty vehicles

Allows user to only display messages with

11-bit (common for light duty) or 29-bit bit

CAN IDs (common for J1939)

Allows user to filter for

specific CAN ID’s

Using Kvaser Can King

www.cert.ucr.edu 9

CAN King Message Interpreters

www.cert.ucr.edu 10

J1939 Message Breakdown

www.cert.ucr.edu 11

PGN and SPN

PGN – stands for Parameter Group Number, designates a group of

related information that is broadcast by the same source in a single packet.

PGN’s are used in the CAN ID of j1939 messages to designate what

information is being broadcast in the message. Searching for a PGN in the

j1939-71 document will give information on transmission rate of the message,

location of SPN’s, total amount of data transmitted, priority, and the format of

the message.

SPN- stands for Suspect Parameter Number, used to identify a

specific piece of information. Each PGN contains a number of SPN’s which

can be searched for individually in the j1939-71 document where you can a

description of the parameter, data ranges, resolution, and data length.

www.cert.ucr.edu 12

Linking the Message to the J1939-71 PGN Index

The J1939-71 document

contains a list of PGNs that

describes what data is in each

message.

(For normal messages)

www.cert.ucr.edu 13

Converting Data and the J1939-71 SPN Index

The J1939-71

document also has a

list that provides the

conversion and data

range for each SPN

The J1939-71

document also has a

list that provides the

conversion and data

range for each SPN

www.cert.ucr.edu 14

Special Messages: Broadcast Announce Message (BAM)

A BAM message is a

specific Connection

Management (PGN

EC00) message. It

announces that a

multipacket message

is about to be

broadcast.

Subsequent messages

will be Data Transfer

(PGN EB00)

Messages.

Information on these

messages located in

J1939 - 21

www.cert.ucr.edu 15

PGN for Transport Protocol

Message HEX(20) = DEC(32), indicates that this is a BAM Message

PGN of packeted message:

Remember that the least significant bit is

always broadcast first so this PGN is

00FEE3

It is possible for multiple BAM messages to

be broadcasting at the same time so pay

attention to the source address to link the

messages together.

Each Data Transfer message contains 7

bytes of data. If not all 7 bytes are needed

the remaining bytes will have the value FF.

Number of message in sequence. FEE3 has 5 data messages in total.

PGN for Data Transfer Message

BAM Message Example: Engine Ref. Torque

www.cert.ucr.edu 16

The Complete Engine Configuration Data Set and

Obtaining Reference Torque

www.cert.ucr.edu 17

The Request Message is used to request a PGN to be broadcast. It only has 3

bytes of data which are the 3 bytes of the PGN value. This can be used to obtain a

PGN at a time where it would not normally be broadcast such as messages that

only broadcast when a system changes or messages that simply broadcast

infrequently. In many cases the response the this message will have a different

priority then the normal messages making a response easy to identify.

Special Messages: The Request Message