1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
|
.. SPDX-License-Identifier: (GPL-2.0-only OR BSD-3-Clause)
can327: ELM327 driver for Linux SocketCAN
==========================================
Authors
--------
Max Staudt <max@enpas.org>
Motivation
-----------
This driver aims to lower the initial cost for hackers interested in
working with CAN buses.
CAN adapters are expensive, few, and far between.
ELM327 interfaces are cheap and plentiful.
Let's use ELM327s as CAN adapters.
Introduction
-------------
This driver is an effort to turn abundant ELM327 based OBD interfaces
into full fledged (as far as possible) CAN interfaces.
Since the ELM327 was never meant to be a stand alone CAN controller,
the driver has to switch between its modes as quickly as possible in
order to fake full-duplex operation.
As such, can327 is a best effort driver. However, this is more than
enough to implement simple request-response protocols (such as OBD II),
and to monitor broadcast messages on a bus (such as in a vehicle).
Most ELM327s come as nondescript serial devices, attached via USB or
Bluetooth. The driver cannot recognize them by itself, and as such it
is up to the user to attach it in form of a TTY line discipline
(similar to PPP, SLIP, slcan, ...).
This driver is meant for ELM327 versions 1.4b and up, see below for
known limitations in older controllers and clones.
Data sheet
-----------
The official data sheets can be found at ELM electronics' home page:
https://www.elmelectronics.com/
How to attach the line discipline
----------------------------------
Every ELM327 chip is factory programmed to operate at a serial setting
of 38400 baud/s, 8 data bits, no parity, 1 stopbit.
If you have kept this default configuration, the line discipline can
be attached on a command prompt as follows::
sudo ldattach \
--debug \
--speed 38400 \
--eightbits \
--noparity \
--onestopbit \
--iflag -ICRNL,INLCR,-IXOFF \
30 \
/dev/ttyUSB0
To change the ELM327's serial settings, please refer to its data
sheet. This needs to be done before attaching the line discipline.
Once the ldisc is attached, the CAN interface starts out unconfigured.
Set the speed before starting it::
# The interface needs to be down to change parameters
sudo ip link set can0 down
sudo ip link set can0 type can bitrate 500000
sudo ip link set can0 up
500000 bit/s is a common rate for OBD-II diagnostics.
If you're connecting straight to a car's OBD port, this is the speed
that most cars (but not all!) expect.
After this, you can set out as usual with candump, cansniffer, etc.
How to check the controller version
------------------------------------
Use a terminal program to attach to the controller.
After issuing the "``AT WS``" command, the controller will respond with
its version::
>AT WS
ELM327 v1.4b
>
Note that clones may claim to be any version they like.
It is not indicative of their actual feature set.
Communication example
----------------------
This is a short and incomplete introduction on how to talk to an ELM327.
It is here to guide understanding of the controller's and the driver's
limitation (listed below) as well as manual testing.
The ELM327 has two modes:
- Command mode
- Reception mode
In command mode, it expects one command per line, terminated by CR.
By default, the prompt is a "``>``", after which a command can be
entered::
>ATE1
OK
>
The init script in the driver switches off several configuration options
that are only meaningful in the original OBD scenario the chip is meant
for, and are actually a hindrance for can327.
When a command is not recognized, such as by an older version of the
ELM327, a question mark is printed as a response instead of OK::
>ATUNKNOWN
?
>
At present, can327 does not evaluate this response. See the section
below on known limitations for details.
When a CAN frame is to be sent, the target address is configured, after
which the frame is sent as a command that consists of the data's hex
dump::
>ATSH123
OK
>DEADBEEF12345678
OK
>
The above interaction sends the SFF frame "``DE AD BE EF 12 34 56 78``"
with (11 bit) CAN ID ``0x123``.
For this to function, the controller must be configured for SFF sending
mode (using "``AT PB``", see code or datasheet).
Once a frame has been sent and wait-for-reply mode is on (``ATR1``,
configured on ``listen-only=off``), or when the reply timeout expires
and the driver sets the controller into monitoring mode (``ATMA``),
the ELM327 will send one line for each received CAN frame, consisting
of CAN ID, DLC, and data::
123 8 DEADBEEF12345678
For EFF (29 bit) CAN frames, the address format is slightly different,
which can327 uses to tell the two apart::
12 34 56 78 8 DEADBEEF12345678
The ELM327 will receive both SFF and EFF frames - the current CAN
config (``ATPB``) does not matter.
If the ELM327's internal UART sending buffer runs full, it will abort
the monitoring mode, print "BUFFER FULL" and drop back into command
mode. Note that in this case, unlike with other error messages, the
error message may appear on the same line as the last (usually
incomplete) data frame::
12 34 56 78 8 DEADBEEF123 BUFFER FULL
Known limitations of the controller
------------------------------------
- Clone devices ("v1.5" and others)
Sending RTR frames is not supported and will be dropped silently.
Receiving RTR with DLC 8 will appear to be a regular frame with
the last received frame's DLC and payload.
"``AT CSM``" (CAN Silent Monitoring, i.e. don't send CAN ACKs) is
not supported, and is hard coded to ON. Thus, frames are not ACKed
while listening: "``AT MA``" (Monitor All) will always be "silent".
However, immediately after sending a frame, the ELM327 will be in
"receive reply" mode, in which it *does* ACK any received frames.
Once the bus goes silent, or an error occurs (such as BUFFER FULL),
or the receive reply timeout runs out, the ELM327 will end reply
reception mode on its own and can327 will fall back to "``AT MA``"
in order to keep monitoring the bus.
Other limitations may apply, depending on the clone and the quality
of its firmware.
- All versions
No full duplex operation is supported. The driver will switch
between input/output mode as quickly as possible.
The length of outgoing RTR frames cannot be set. In fact, some
clones (tested with one identifying as "``v1.5``") are unable to
send RTR frames at all.
We don't have a way to get real-time notifications on CAN errors.
While there is a command (``AT CS``) to retrieve some basic stats,
we don't poll it as it would force us to interrupt reception mode.
- Versions prior to 1.4b
These versions do not send CAN ACKs when in monitoring mode (AT MA).
However, they do send ACKs while waiting for a reply immediately
after sending a frame. The driver maximizes this time to make the
controller as useful as possible.
Starting with version 1.4b, the ELM327 supports the "``AT CSM``"
command, and the "listen-only" CAN option will take effect.
- Versions prior to 1.4
These chips do not support the "``AT PB``" command, and thus cannot
change bitrate or SFF/EFF mode on-the-fly. This will have to be
programmed by the user before attaching the line discipline. See the
data sheet for details.
- Versions prior to 1.3
These chips cannot be used at all with can327. They do not support
the "``AT D1``" command, which is necessary to avoid parsing conflicts
on incoming data, as well as distinction of RTR frame lengths.
Specifically, this allows for easy distinction of SFF and EFF
frames, and to check whether frames are complete. While it is possible
to deduce the type and length from the length of the line the ELM327
sends us, this method fails when the ELM327's UART output buffer
overruns. It may abort sending in the middle of the line, which will
then be mistaken for something else.
Known limitations of the driver
--------------------------------
- No 8/7 timing.
ELM327 can only set CAN bitrates that are of the form 500000/n, where
n is an integer divisor.
However there is an exception: With a separate flag, it may set the
speed to be 8/7 of the speed indicated by the divisor.
This mode is not currently implemented.
- No evaluation of command responses.
The ELM327 will reply with OK when a command is understood, and with ?
when it is not. The driver does not currently check this, and simply
assumes that the chip understands every command.
The driver is built such that functionality degrades gracefully
nevertheless. See the section on known limitations of the controller.
- No use of hardware CAN ID filtering
An ELM327's UART sending buffer will easily overflow on heavy CAN bus
load, resulting in the "``BUFFER FULL``" message. Using the hardware
filters available through "``AT CF xxx``" and "``AT CM xxx``" would be
helpful here, however SocketCAN does not currently provide a facility
to make use of such hardware features.
Rationale behind the chosen configuration
------------------------------------------
``AT E1``
Echo on
We need this to be able to get a prompt reliably.
``AT S1``
Spaces on
We need this to distinguish 11/29 bit CAN addresses received.
Note:
We can usually do this using the line length (odd/even),
but this fails if the line is not transmitted fully to
the host (BUFFER FULL).
``AT D1``
DLC on
We need this to tell the "length" of RTR frames.
A note on CAN bus termination
------------------------------
Your adapter may have resistors soldered in which are meant to terminate
the bus. This is correct when it is plugged into a OBD-II socket, but
not helpful when trying to tap into the middle of an existing CAN bus.
If communications don't work with the adapter connected, check for the
termination resistors on its PCB and try removing them.
|