KR20190063212A - Device and method for analysising can message using obd-ⅱ query - Google Patents

Abstract

Disclosed is a CAN message analyzing device. The CAN message analyzing device comprises: a query transmitting part which broadcasts a predetermined query message to controller area networks (CAN) through an on-board diagnostics-II (OBD-II) terminal; a message receiving part for receiving a plurality of CAN messages from the CAN; and a comparing part for analyzing the plurality of CAN messages and extracting a CAN ID corresponding to the query message. Therefore, an objective of the present invention is to provide the device and method for transmitting an OBD-II query to a vehicle and comparing the response result to the OBD-II query with a real-time CAN message to analyze the data indicated by a specific ID or field of the CAN.

Description

TECHNICAL FIELD [0001] The present invention relates to an apparatus and method for analyzing a CAN message using an OBD-II query,

The present invention relates to a method for analyzing data indicated by a specific ID or a field of a CAN by comparing an PID response result with a CAN data after sending an OBD-II PID query to the vehicle.

CAN (Controller Area Network) is a standard communication standard designed for communication between microcontrollers or devices without a host computer in the vehicle. CAN is used for stable and efficient communication between ECUs (Electronic Control Units), such as the vehicle's engine management system, transmission control, and instrument cluster.

In CAN, data (message) is not exchanged by the address of the node but CAN ID is assigned according to the priority of the message and the message is discriminated by using the assigned CAN ID. When an ECU mounts a message on the CAN bus to send data, the message is broadcast on the CAN bus and all other nodes receive all messages simultaneously. Each ECU checks the CAN ID field of the broadcasted message and, if it is a CAN ID to be processed (ie, the CAN ID of the message is its assigned CAN ID), the ECU receives the message and processes the data. The vehicle is then operated according to the value recorded in the data field.

The role of the CAN ID and data field in the vehicle depends on the make and model of the vehicle, and may even vary depending on the model in the same model. The CAN bus contains a large number of data needed to drive a vehicle, and the data includes various sensors, temperature, and status data, as well as RPM, speed, and visibility to the analyst. If you need to conduct a study on a vehicle or develop a vehicle-related product, you should directly identify how the vehicle data is transmitted and interpreted via the CAN ID.

Here is an example of dumping the CAN message generated from the LF Sonata produced by Hyundai Motors and extracting the current RPM from it. First, a CAN message with a CAN ID of 0x316 is collected as shown in FIG. Next, using Equation (1), the RPM of 1755 {= (0x1b * 0n256 + 0x6c / 0n4} can be extracted from the top data "45 4D 6C 1B 5D 1F 24 76" in the table of FIG.

However, in order to derive such a formula for each vehicle, the analyst must have sufficient understanding of the CAN analysis knowl- edge and vehicle, and considerable time is also required for analysis.

OBD-II (On-Board Diagnostics II) is a standard and protocol for vehicle diagnostics. It is used to inquire about the fault code of the vehicle or current vehicle condition. OBD-II classifies usable functions into a mode, and a list of usable modes is shown in FIG. Mode 1 can be used to query the current status of the vehicle. For OBD-II queries in commercial vehicles, a message with CAN ID = 0x7DF can be sent to the vehicle, and then the data received with CAN ID = 0x7E8 can be filtered to interpret the response. Because it is a standard protocol, it can be applied to all currently marketed vehicles regardless of vendor.

The role that the CAN ID and DATA fields play in the vehicle is only known to the vehicle manufacturer, and it is very difficult and time-consuming for third parties to grasp it directly. However, for automobile security research, third-party device development, etc., reverse engineering is required to obtain such information.

In the present invention, a method of easily identifying which CAN ID and DATA field data related to a query is stored by combining vehicle information obtainable with an OBD-II query with CAN traffic is presented.

United States Patent No. 9,703,955 Korean Patent Publication No. 2016-0071980 Korean Patent No. 1789734

SUMMARY OF THE INVENTION It is an object of the present invention to provide an apparatus and method for analyzing data indicated by a specific ID or field of a CAN by transmitting an OBD-II query to a vehicle and comparing the response result with a real-time CAN message.

A CAN message analyzing apparatus according to an embodiment of the present invention includes a query transmitter for broadcasting a predetermined query message to Controller Area Networks (CAN) through an on-board diagnostics-II (OBD-II) terminal, And a comparing unit for analyzing the plurality of CAN messages and extracting a CAN ID corresponding to the query message.

The CAN message analyzing method according to the embodiment of the present invention is performed in the CAN message analyzing apparatus, and the query transmitting unit included in the CAN message analyzing apparatus transmits a predetermined query message to an on-board diagnostics-II (OBD-II) To a CAN (Controller Area Networks) through a CAN message analyzer, a message receiver included in the CAN message analyzer receiving a plurality of CAN messages from the CAN, and a comparator included in the CAN message analyzer, Analyzing the CAN messages and extracting a CAN ID corresponding to the query message.

According to the apparatus and method for analyzing CAN message according to the embodiment of the present invention, it is possible to reverse engineer the CAN data very quickly irrespective of the vehicle type and the model year of the vehicle.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS In order to more fully understand the drawings recited in the detailed description of the present invention, a detailed description of each drawing is provided.
1 is a table showing a part of actual data of a CAN message having the same CAN ID.
Figure 2 shows a table of ten modes available in OBD-II.
3 is a functional block diagram of an analysis apparatus according to an embodiment of the present invention.
4 shows an example of a query available in Mode 1 (current vehicle status inquiry) of OBD-II.
5 is a diagram for explaining the operation of the comparison unit shown in FIG.
FIG. 6 is a flowchart illustrating a method of analyzing a CAN message performed by the analysis apparatus shown in FIG.

It is to be understood that the specific structural or functional description of embodiments of the present invention disclosed herein is for illustrative purposes only and is not intended to limit the scope of the inventive concept But may be embodied in many different forms and is not limited to the embodiments set forth herein.

The embodiments according to the concept of the present invention can make various changes and can take various forms, so that the embodiments are illustrated in the drawings and described in detail herein. It should be understood, however, that it is not intended to limit the embodiments according to the concepts of the present invention to the particular forms disclosed, but includes all modifications, equivalents, or alternatives falling within the spirit and scope of the invention.

The terms first, second, etc. may be used to describe various elements, but the elements should not be limited by the terms. The terms may be named for the purpose of distinguishing one element from another, for example, without departing from the scope of the right according to the concept of the present invention, the first element may be referred to as a second element, The component may also be referred to as a first component.

It is to be understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, . On the other hand, when an element is referred to as being "directly connected" or "directly connected" to another element, it should be understood that there are no other elements in between. Other expressions that describe the relationship between components, such as "between" and "between" or "neighboring to" and "directly adjacent to" should be interpreted as well.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In this specification, the terms "comprises" or "having" and the like are used to specify that there are features, numbers, steps, operations, elements, parts or combinations thereof described herein, But do not preclude the presence or addition of one or more other features, integers, steps, operations, components, parts, or combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with the meaning of the context in the relevant art and, unless explicitly defined herein, are to be interpreted as ideal or overly formal Do not.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings attached hereto.

3 is a functional block diagram of an analysis apparatus according to an embodiment of the present invention.

Referring to FIG. 3, the analysis apparatus 100, which may also be referred to as a CAN message analyzer, includes a query transmitter 110, a message receiver 130, and a comparator 150. The analysis apparatus 100 may further include at least one of the output unit 170 and the storage unit 190 according to the embodiment.

The query transmission unit 110 may transmit (or broadcast) at least one of a plurality of predetermined queries (queries) through the CAN bus of the vehicle through the OBD-II terminal of the vehicle. Specifically, the query transmitting unit 110 can inquire the status information of the vehicle using Mode 1 among modes available in the OBD-II (see FIG. 2). At this time, the query transmitting unit 110 can perform a query on the current state of the vehicle by broadcasting a CAN message having the " 0x7DF "as the CAN ID.

The message reception unit 130 can receive a plurality of CAN messages broadcasted in the CAN of the vehicle through the OBD-II terminal of the vehicle. The messages received by the message receiving unit 130 may be stored in the storage unit 190.

The comparison unit 150 compares the CAN ID corresponding to the query transmitted by the query transmission unit 110 using a plurality of messages received by the message receiving unit 130 or a plurality of messages stored in the storage unit 190, And / or extract data. The correspondence (or matching relationship) between the extracted query and the CAN ID and / or the correspondence (or matching relationship) between the extracted query and the CAN data can be stored in the storage unit 190.

The plurality of CAN messages received by the message receiving unit 130 may include a response to the query of the query transmitting unit 110. [ At this time, it is easy to detect a response among the plurality of CAN messages since the CAN message having the CAN ID of 0x7E8 is a response to the query (response message).

The comparison unit 150 may compare the CAN messages except for the response (the response message) of the query and the response among the plurality of CAN messages to extract the CAN ID and / or data corresponding to the query.

Also, the comparison unit 150 can display the query and the corresponding CAN ID and / or data through the output unit 170. [

The output unit 170 may include a display capable of outputting a comparison result of the comparison unit 150 and may output the comparison result of the comparison unit 150 under the control of the comparison unit 150. [

The predetermined number of the queries may be stored in the storage unit 190, and a plurality of messages received from the vehicle may be stored. Also, the correspondence relationship between the query extracted by the comparison unit 150 and the CAN ID can be stored in the storage unit 190 as well.

Each of the configurations of the analysis apparatus 100 shown in FIG. 1 indicates that it is functionally and logically separable, and does not necessarily mean that each configuration is divided into separate physical devices or written in separate codes The average expert in the field of the invention will readily be able to deduce.

Also, in this specification, "part" may mean a functional and structural combination of hardware for carrying out the technical idea of the present invention and software for driving the hardware. For example, the above-mentioned "part" may mean a logical unit of a predetermined code and a hardware resource for executing the predetermined code, and it does not necessarily mean a physically connected code or a kind of hardware .

Fig. 4 shows an example of a query usable in Mode 1 (current vehicle status inquiry) of OBD-II.

The response to the OBD-II query is transmitted via CAN, and the CAN ID meaning the response is "0x7e8" (according to the OBD-II standard). Data [3], DATA [4], and DATA [5] of messages with actual CAN ID = 0x7e8 are collected to collect actual vehicle information from OBD-II response values. ] And DATA [6] fields, respectively. An example of a data interpretation method is described in detail in FIG.

The representation of the data used in the OBD-II and the representation of the data in the actual CAN message are almost identical, so that the role of some CAN messages can be easily confirmed by comparing the CAN message with the OBD-II response. There are at least 135 vehicle information available with OBD-II, and the number of information may vary from vehicle to vehicle. Nevertheless, it is possible to extract very large amounts of data from most vehicles and reverse engineer CAN data very quickly by applying this method.

5 is a diagram for explaining the operation of the comparison unit shown in FIG. A method for extracting or determining the CAN ID and data associated with the RPM through the query and the response message related to the RPM by the comparison unit 150 will be described with reference to FIG.

In FIG. 5, a plurality of CAN messages broadcasted via CAN are sequentially described during a specific period (for example, during a predetermined period before and after a query is sent). The plurality of CAN messages may be received by the message receiving unit 130 and stored in the storage unit 190.

In this example, the query transmitted by the query transmission unit 110 may be a CAN message having "0x7DF" as the CAN ID and "0x0c" as the PID. That is, the query may be a CAN message requesting data related to the RPM.

The comparison unit 150 can identify a response (i.e., a response message) to the query among the plurality of CAN messages through the CAN ID. That is, the comparing unit 150 determines the CAN message having the CAN ID of "0x7e8 " as the response message, and compares the response message with the plurality of CAN messages to compare the CAN ID and / Data can be extracted.

Specifically, the comparison unit 150 can compare the response message with the received CAN messages for a predetermined interval. The predetermined section may differ depending on the embodiment. That is, messages received during a predetermined period on the basis of a time point at which the query is transmitted, messages received during a predetermined period from the time of transmitting the query, messages before or after a predetermined number of times, A certain number of messages can be a comparison target message.

Also, the comparing unit 150 can determine the CAN ID of the message including the same data as at least a part of the data included in the response message, as the CAN ID corresponding to the query. Since the format of the response message can be predetermined, the data necessary for calculating the engine RPM (the fifth data "5c" of the response message and the fourth data "10") are "0x315" And the third data 5c and the fourth data 10 of the message. In this way, the comparison unit 150 can extract the CAN ID and / or data corresponding to the qualifications.

In the example of FIG. 5, the data of the message having the CAN ID of "0x7e8" and the data of the message of the message having the CAN ID of "0x316" are matched, and it can be confirmed that the order of the bytes is reversed. This is because data is recorded in Big Endian format in 0x7e8 format and Little Endian format in 0x316 format. Therefore, at the data crosstalk analysis, the data sequence must be inverted in the reverse direction to perform the comparison.

FIG. 6 is a flowchart illustrating a method of analyzing a CAN message performed by the analysis apparatus shown in FIG. Hereinafter, a detailed description of the overlapping description will be omitted. 6 shows a process of transmitting a single query and extracting a corresponding CAN ID and / or data. However, the scope of the present invention is not limited thereto, and a plurality of queries May be performed.

First, the query transmission unit 110 of the analysis apparatus 100 can broadcast a query through the OBD-II terminal (S100).

The message receiving unit 130 of the analyzing apparatus 100 receives the CAN messages broadcasted via the CAN, and the received messages may be stored in the storing unit 190 (S200). The receiving operation by the message receiving unit 130 may be performed for a predetermined time period. It is to be understood that step S200 is a step subsequent to step S100, but according to the embodiment, step S200 may be performed for a predetermined interval, and in some cases, may be performed before execution of step S100.

Thereafter, the comparing unit 150 of the analyzing apparatus 100 extracts a response message from among the plurality of received CAN messages (S300), and compares the extracted response message with the CAN messages (S400).

Finally, the comparison unit 150 extracts the comparison result, that is, the data corresponding to the query corresponding to the query and / or the data (specifically, the order of corresponding data among the data fields of the CAN message) (S500) And output the result through the output unit 170 of the analysis apparatus 100. [

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is evident that many alternatives, modifications and variations will be apparent to those skilled in the art. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.

100: Analyzer
110: Query sender
130: message receiver
150:
170:
190:

Claims (10)

A query transmitter for broadcasting a predetermined query message to Controller Area Networks (CAN) via an on-board diagnostics-II (OBD-II) terminal;
A message receiver for receiving a plurality of CAN messages from the CAN; And
And a comparator for analyzing the plurality of CAN messages and extracting a CAN ID corresponding to the query message.
The method according to claim 1,
Wherein the comparison unit extracts a response message that is a response to the query message among the plurality of CAN messages and extracts the CAN ID by comparing the response message and each of the plurality of CAN messages,
CAN message analyzer.
3. The method of claim 2,
Wherein the query message has "0x7DF" as the CAN ID, and the response message has the "0x7E8 &
CAN message analyzer.
3. The method of claim 2,
Wherein the comparison unit extracts, from the plurality of CAN messages, a CAN message having a predetermined value as a CAN ID in the response message,
CAN message analyzer.
5. The method of claim 4,
Wherein the comparison unit extracts a CAN ID of a CAN message having data identical to at least a part of the data included in the response message among the plurality of CAN messages to a CAN ID corresponding to the query message,
CAN message analyzer.
A method of analyzing a CAN message performed in a CAN message analyzer,
The query transmitter included in the CAN message analyzing apparatus broadcasts a predetermined query message to Controller Area Networks (CAN) through an on-board diagnostics-II (OBD-II) terminal;
Receiving a plurality of CAN messages from the CAN by a message receiver included in the CAN message analyzer; And
Wherein the comparing unit included in the CAN message analyzing apparatus analyzes the plurality of CAN messages and extracts a CAN ID corresponding to the query message.
The method according to claim 6,
Wherein the extracting of the CAN ID comprises extracting a response message which is a response to the query message among the plurality of CAN messages and extracting the CAN ID by comparing the response message and each of the plurality of CAN messages,
CAN message analysis method.
8. The method of claim 7,
Wherein the query message has "0x7DF" as the CAN ID, and the response message has the "0x7E8 &
CAN message analysis method.
8. The method of claim 7,
Wherein the step of extracting the CAN ID comprises: extracting, from the plurality of CAN messages, a CAN message having a predetermined value as a CAN ID,
CAN message analysis method.
10. The method of claim 9,
Wherein the extracting of the CAN ID comprises extracting a CAN ID of a CAN message having the same data as at least a part of the data included in the response message among the plurality of CAN messages into a CAN ID corresponding to the query message,
CAN message analysis method.

Images