Get started exploring your vehicle’s electronics network safely and responsibly. With a Raspberry Pi 3, Nerves, Elixir, and a few open source tools, diving into your vehicle’s interior CAN-bus network is easier than you may think. This talk will demystify the process by going over how I used these tools to tap into the brain of my Jeep adventure rig, Jolene, in order to add a few new features. I gave this talk at the 2018 Lonestar ElixirConf in Austin, TX

1. Customize Your Car
An Adventure in Using Elixir and Nerves to Hack Your
Vehicle's Electronics Network
Brien Wankel
@brienwankel@handsomeanchor

2. Bootleg
Simple deployment and server
automation for Elixir.
https://labzero.github.io/bootleg/

4. IT’S NOT MY FAULT

6. CAN bus

7. Controller Area Network (CAN) bus
01 Message-based multiplex protocol first release in 1986
02 Standard on most US cars manufactured since 1996,
CAN was made mandatory in 2008.
03 One of five protocols used in the OBD-II standard.
04 Messages about speed, brakes, gear, stereo, windows,
locks, horn, gps, lights, button states, etc…

8. CAN bus

9. Quick overview of the hardware side
01 Vehicle w/ CAN bus
03 CAN bus interface
04 Wiring
02 Raspberry Pi 3

10. Find a victim test subject

11. Find an interface (RPI3 w/ PICAN2)

12. Find your OBD-II port

13. Find your OBD-II port

14. Or find an alternative CAN wire location

15. Or find an alternative CAN wire location

16. Wire it all up

17. Wire it all up

18. Wire it all up

19. Quick overview of the software side
01 RPI3 with a CAN bus serial peripheral interface (SPI)
03 CAN communication library
04 Wifi w/ remote console and remote firmware push
02 nerves_system_rpi3_pican2

20. WARNING

21. Nerves Device Tree Overlays

22. Nerves Device Tree Overlays
# config/config.exs
config :nerves, :firmware,
fwup_conf: "config/fwup.conf"
# fwup.conf
file-resource mcp2515-can0.dtbo {
host-path =
"${NERVES_SYSTEM}/images/rpi-firmware/overlays
/mcp2515-can0.dtbo"
}

23. Nerves Device Tree Overlays
# fwup.conf
task complete{
# ... look for where `on-resource` directives are
already defined and add:
on-resource mcp2515-can0.dtbo {
fat_write(${BOOT_A_PART_OFFSET},
"overlays/mcp2515-can0.dtbo")
}
}
task upgrade.a{
# ...
on-resource mcp2515-can0.dtbo {
fat_write(${BOOT_A_PART_OFFSET},
"overlays/mcp2515-can0.dtbo")
}
}
# ... follow same pattern for upgrade.b

24. Loading the device driver
# fwup.conf
file-resource config.txt {
host-path = "${NERVES_APP}/config/config.txt"
}
# config.txt
dtoverlay=mcp2515-can0,oscillator=16000000,interrupt=25

25. Reboot and check the logs
Interactive Elixir (1.5.3) - press Ctrl+C to exit (type h()
ENTER for help)
iex(1)> Nerves.Runtime.Shell.start
$ dmesg | grep mcp
[ 5.887757] mcp251x spi0.0 can0: MCP2515 successfully
initialized.

26. Bring up the can0 interface
System.cmd("ip",
~w{link set can0 up type can bitrate 125000}
iex(jolene@192.168.0.9)1> Nerves.Runtime.Shell.start
#PID<0.5075.0>
...
/srv/erlang[1]> cat /proc/net/dev
Inter-| Receive
face | bytes packets
wlan0: 22205600 121430
lo: 10409219 60935
eth0: 0 0
can0: 107198 16679

27. ng_can library
01 Requires socketcan, so it’s Linux only
02 Simple read and write capability

28. Connect to the bus
def open(pid, can_device, opts []) do
GenServer.call(pid, {:open, can_device, opts})
end
def handle_call({:open, can_device, opts},
_from_, state) do
{:ok, socket} = Ng.Can.start_link
:ok = Ng.Can.open(socket, can_device, opts)
{:reply, {:ok, device: can_device},
%{state | socket: socket}}
end

29. Listen to messages
def handle_call({:listen}, _from_, %{socket: socket} =
state) do
:ok = Ng.Can.await_read(socket)
{:reply, :ok, %{state | socket: socket}}
end
def handle_info({:can_frames, _, frames}, state) do
IO.puts "GOT: #{inspect frames}"
{:noreply, state}
end

30. Write messages
<<id::size(32)>> = <<1,2,3,4>>
frame = {id, <<1,2,3,4,5,6,7,8>>}
Ng.Can.write(can_port, frame)

31. Elixir CANd library
01 Manages socketcand socket
03 Forwards messages from the CAN bus
02 Wraps the socketcand protocol
04 Helpers for sending messages back to the CAN bus

32. Connect to the bus
alias Cand.Protocol
{:ok, pid} = Protocol.connect(pid,
{192, 168, 0, 12},
28600)
{:ok, ‘can0’} = Protocol.open(pid, ‘can0’)

33. Connect to the bus
defmodule Cand.Socket do
...
def handle_call({:connect, host, port, opts},_from_,state) do
listener = Keyword.get(opts, :listener, Listener.Stdout)
{:ok, socket} = :gen_tcp.connect(host, port, opts)
{:reply, {:ok, host: host, port: port, opts: opts},
%{state | socket: socket, listener: listener}}
end

34. Listen to messages
defmodule MyCandApp.MyListener do
@behaviour Cand.Listener
use GenServer
def listen({:error, msg}) do
IO.puts "ERROR: #{msg}"
end
def listen("2EB " <> rest = msg) do
# handle this specific id
end
def listen(data), do: IO.puts(data)
# ...
end

35. Listen to messages
{:ok, lstnr} = MyCanApp.MyListener.start_link
Cand.Protocol.set_listener(lstnr)
# or send it as option to connect
{:ok, pid} = Cand.Protocol.connect(pid,
{192,168,0,12},
28600,
listener: lstnr)

36. Listen to messages
defmodule Cand.Socket do
...
def handle_info({:tcp, _, message},
%{listener: listener} = state) do
message
|> List.to_string
|> parse_messages
|> Enum.map(fn(message) ->
listener.listen message
end)
{:noreply, state}
end

38. Write messages
Protocol.send(pid, “295”, 8, “646E7470616E6963")
Protocol.send_integer(pid, “295”, 42)
Protocol.send_string(pid, “295”, “dntpanic”)

40. Tools / Resources
01 can-utils
03 Car Hacker’s Handbook
02 Kayak
03 https://github.com/brienw/cand

41. Brien Wankel
brien@labzero.com
@brienwankel@handsomeanchor