Determining CAN inputs vs outputs via Scope?

Mike Mobile Technician Mount Pleasant, South Carolina Posted   Latest   Edited  

I am working on a small project concerning CAN communication. What I would like to be able to do is to be able to identify inputs vs. outputs of CAN signals.

I figure it is a long shot but I wonder if I can somehow scope amperage of can signals to be able to see which module is sending the signal by whether the current is flowing + or -?

I am wondering if there is even any measurable amperage of communication signals and if so would a low amp clamp be able to use it. I could also see putting opposing diodes inline to help create a better pattern.

Are there any other tools anyone knows about that might help me accomplish this goal? Maybe some way to use diodes maybe even LEDs, and possibly resistors with a slightly higher resistance than the LED in such a way that they could be put run parallel to each other inline to the CAN circuit to identify signal direction? I know that can communication can light LEDs in DLC bob boxes but what I would like to do is show it on a scope. If I could show the CAN waveform on one channel and use another channel to only show the waveform when it is coming from one direction. I've attached a drawing I slapped together to help me visualize this but I could use some advise from some of the bright minds on here on whether or not this may work, what type of Leds or diodes to use, and if there is a better way to do this.

+3
Brin Diagnostician
Melbourne, Florida
Brin Default
   

I've been wondering the same thing. I would imagine that a micro amp clamp would work nicely but I'm not sure if they can handle the bandwidth well enough to produce a usable signal. I planned on trying but I haven't picked up a clamp yet. I thought that I heard that Eric Ziegler mentioned this in one of his network classes but I could be mistaken. I haven't attended that class yet.

+1
Default Ð Bounty Awarded
Mike Mobile Technician
Mount Pleasant, South Carolina
Mike Default
 

Thanks. Do you know who makes the micro amp clamp? I did a little Google research but didn't see much.

0
Default Ð Bounty Awarded
Dean Owner
Albany, New York
Dean Default
 

Try Hantek. I think maybe the cc-65. As I recall, it goes down to 10 or 20 ma.

+1
Default Ð Bounty Awarded
Mike Mobile Technician
Mount Pleasant, South Carolina
Mike Default
 

Thank you looks like it's only around $50! I have an esi 695 and I don't see any specs but I also have access to a pico low amp clamp which says it goes to 10mA. I guess I'm just assuming that still might not be enough. I'm going to play around with it next week.

0
Default Ð Bounty Awarded
Brin Diagnostician
Melbourne, Florida
Brin Default
 

AEMC K100 & K110 seem like the most popular. Hans posted something of a comparison on here a while back. I think the K100 is more affordable and based off the feedback I've received, it should work fine for most of what we'd use it for in automotive testing. I would look close at bandwidth though. I think that's going to be very important with what you're trying to accomplish.

+1
Default Ð Bounty Awarded
Dean Owner
Albany, New York
Dean Default
 

This would be helpful in so many cases. I thought I saw a mirco amp clamp somewhere.

+1
Default Ð Bounty Awarded
Michael Owner/Technician
Cartersville, Georgia
Michael Default
 

I'm not sure you're going to be able do what you want to do by strictly checking voltages. Canbus packets are broadcasted to every module on the network. As the packet passes through a module it checks to see if the packet is meant for them. If it meant for them then it analyzes it takes any action if needed. If it's not meant for them then it's just passes it on to the network. You would need

+1
Default Ð Bounty Awarded
Mike Mobile Technician
Mount Pleasant, South Carolina
Mike Default
 

Specifically what I'm looking to do is learn a little more about scan tool commands but I would like to explore using this in diagnostic practices. A while back I worked on a vehicle that had had the can wires to the cluster swapped and with a scope on the bus it was easy to see when the cluster was outputting a signal vs. signals from other modules on the bus. I would love to be able to

0
Default Ð Bounty Awarded
Michael Owner/Technician
Cartersville, Georgia
Michael Default
 

Mike, When you hook you scanner it becomes a node (module) on the network. When you are trying to get into a specific module the scanner sends out a packet to the gateway module requesting information. The gateway module will determine which network to send that request to. It gets broadcast to that network and whatever module it is intended for will receive it and send back its own packet back

0
Default Ð Bounty Awarded
Mike Mobile Technician
Mount Pleasant, South Carolina
Mike Default
 

I understand most of that. I'm really just interested to see how much of the talking is done by the scan tool. A few weeks ago we prepped for a scope course and I wanted to demo CAN waveforms and we were trying to figure out which vehicles to demo each signals so we hooked an aftermarket scanner to my buddies 2019 RAM and got nothing on the scope. He mentioned that he had just learned about the

+1
Default Ð Bounty Awarded
Dr. Engineer
Port Angeles, Washington
Dr. Default
 

Hi Mike: Are you trying to determine when ANY message is transmitted as an input or output? If I'm reading your posting correctly (and please feel free to correct me), you want to use a scope to monitor CAN traffic and use an amp clamp, diodes, etc. to indicate when there is an incoming message and an outgoing message to/from a controller? Or, are you trying to determine if a controller has

0
Default Ð Bounty Awarded
Mike Mobile Technician
Mount Pleasant, South Carolina
Mike Default
 

Yes I really would like to if and when a module is sending a message or in my case the scan tool. I'm not a software guy and I'm not really interested in decoding or interpretingbthe messages but more so verifying that they are present. As an example I worked on a Chrysler a few weeks ago that was sending a false alarm command from the cluster to the TIPM. There was no information in the

0
Default Ð Bounty Awarded
Dr. Engineer
Port Angeles, Washington
Dr. Default
 

Mike: Based on your response, if you want to see which modules are sending and receiving CAN for specific messages, you'll need to reverse engineer the CAN messages or purchase the EOBD databases for each manufacturer (very expensive). But, the EOBD databases will provide all of the CAN info that you would need to perform diagnostics. Reverse engineering the CAN bus is inexpensive method but…

0
Default Ð Bounty Awarded
Maynard Technician
Elmira, Ontario
Maynard Default
 

hmmm, wireshark..! that provides alot of info on an ethernet line, wouldv' never thought to try tapping into a CAN line with it

0
Default Ð Bounty Awarded
Dr. Engineer
Port Angeles, Washington
Dr. Default
 

Yep......it has a lot of tools to permit filtering by controller or message so, it makes it easier to target the result of what you’re trying see. Even if you don’t have the EOBD database CAN messages (the database that gives you the CAN message ID and it’s associated human readable meaning), with something like Wireshark (or similar tools), it makes easier to get the result you desire. It is

0
Default Ð Bounty Awarded
Maynard Technician
Elmira, Ontario
Maynard Default
 

So if one were to try one of these programs on the CAN line (like wireshark) what ineterface would be used? or can some hardwire adapter be made up to fit an Ethernet cable port on a pc?

0
Default Ð Bounty Awarded
Dr. Engineer
Port Angeles, Washington
Dr. Default
 

Maynard: A device like Wireshark has an small interface box that comes with 2 harnesses: One harness has a 16 pin DLC connector (for vehicle connection) the other harness will permit connection of the interface box to a laptop. The laptop will have Wireshark software loaded. That's it. This will get you started. The stuff with the microamp clamp, etc. and monitoring currents won't work…

0
Default Ð Bounty Awarded
Maynard Technician
Elmira, Ontario
Maynard Default
 

Mr Mark, I keep coming back to this, I have not loaded wireshark onto any of my PC's in quite awhile, so I did it once again yesterday. There is a list of interfaces that show up in the "interface list" but they are all wifi or ethernet or usb labeled. I googled interface for wireshark and have not turned anything up. Would you be able to provide a link to and interface unit that would connect

0
Default Ð Bounty Awarded
Dr. Engineer
Port Angeles, Washington
Dr. Default
 

Maynard: Here is a link to the Wireshark program that I identified previously: csselectronics​.​com/screen/page/re… Mark

0
Default Ð Bounty Awarded
Michael Owner/Technician
Cartersville, Georgia
Michael Default
 

Mike, The cluster would be broadcasting many packets. As you can imagine there is a lot of information that would be shared between the tipm and the bcm. That is a high traffic network. I don't know how you would be able to decipher what packet contains the information you want to know without CAN sniffing and then knowing what the desired packet looks like. If you are on a slower low traffic

0
Default Ð Bounty Awarded
Mike Mobile Technician
Mount Pleasant, South Carolina
Mike Default
 

I would assume it would be difficult to identify but in the case of that cluster with swapped CAN wires it was actually hard to find the signals from the cluster vs. the other traffic. In fact, I almost missed it because there was so little messages being output from the cluster vs. What was input. I know that this strategy would not be ideal in most instances but picture it this way using the

0
Default Ð Bounty Awarded
Michael Owner/Technician
Cartersville, Georgia
Michael Default
 

Hi Mike, Using your example above what would the signal look like coming from the BCM to Tipm if there was request for headlights? Mike

0
Default Ð Bounty Awarded
Mike Mobile Technician
Mount Pleasant, South Carolina
Mike Default
 

Who knows. What I would be looking for is that there is a signal. We could assume that the headlight command signal would look the same everytime right? So if I was able to see a signal that looked the same, was an output from the BCM, and was sent from the BCM at the same time my headlight switch was switched on I could assume that it is the headlight command signal correct? I do understand

0
Default Ð Bounty Awarded
Michael Owner/Technician
Cartersville, Georgia
Michael Default
 

Hi Mike, You said you you found the signal. What did it look like? The signal should be a software packet. A standard CAN packet contains 11 fields (newer ones have more fields). If you were to scope it with no traffic you should ~2.5 volts steady on both CAN high and CAN low. When a packet comes to the network it will be 11 fields. To generate a zero (software guys use a series of ones and

0
Default Ð Bounty Awarded
Mike Mobile Technician
Mount Pleasant, South Carolina
Mike Default
 

Yes I understand that. Are you saying that the software packet for the "turn headlights on" command will not be the same every time?

0
Default Ð Bounty Awarded
Michael Owner/Technician
Cartersville, Georgia
Michael Default
 

It will be the same but on a high traffic network I doubt you'd be able to see it through a scope pattern. Way too much traffic and it's really fast. Read up on the link that Bob sent you. You can see the scope patterns but there are so many and they buzz by fast. If you have that device it will have the capability to decipher the can packets into individual fields for each packet. If you

+1
Default Ð Bounty Awarded
Mike Mobile Technician
Mount Pleasant, South Carolina
Mike Default
 

I don't really see a value in trying to interpret every message on the CAN bus for what I would like to do. If it is not practical for diagnostic purposes I am really not interested in pursuing it. I like the idea of using the unique identifier portion of the packet to determine where the module is headed but that is not the information I am after. Let's step away from the high traffic BCM for a

0
Default Ð Bounty Awarded
Michael Owner/Technician
Cartersville, Georgia
Michael Default
 

I wasn't really advocating this as a good diagnostic tool. I like you would like to know if I press the window switch did the message actually get to where it was supposed to go. If it did was the appropriate action taken by that module to make the window go up or down. I assume that is what you would like to see/know also. Is that correct?

0
Default Ð Bounty Awarded
Mike Mobile Technician
Mount Pleasant, South Carolina
Mike Default
 

Also what is "CAN sniffing"? Is that just a term for trying to identify the packets or is there software or a process for that?

0
Default Ð Bounty Awarded
Bob Owner/Technician
East Longmeadow, Massachusetts
Bob Default
   

Pico does a good job of buss decoding. picotech​.​com/library/oscill…

+1
Default Ð Bounty Awarded
Mike Mobile Technician
Mount Pleasant, South Carolina
Mike Default
 

That is really awesome thank you!

0
Default Ð Bounty Awarded
Robert Owner
Kennett Square, Pennsylvania
Robert Default
   

. . . . and Pico offers a video that is specific to CAN decoding and identifies the unique identifier; however, it does not indicate what module/node the identifier is applicable to. Here is the YouTube address for that video: youtube​.​com/watch?v=bNzKc… HTH - Regards, Bob

+1
Default Ð Bounty Awarded
Michael Owner/Technician
Cartersville, Georgia
Michael Default
 

If you read my post above you know that each software packet contains a bunch of ones and zeros (software code). The order in which they are organized means something different. A CAN sniffer takes those signals and converts it into a software developers language. That is where you'll be able to see changes when you push your window switch. Every time you press the window switch you'll see a

0
Default Ð Bounty Awarded
Mike Mobile Technician
Mount Pleasant, South Carolina
Mike Default
 

I dont think you are understanding what I am saying. I am not concerned with trying to read the signal. I am trying to identify duplicate signals in order to tie them to a command. If I turn the headlights on we could reasonably expect that command to happen within let's say 100mS but probably much less wouldn't you agree? Now imagine we have a way to identify incoming from outgoing

+1
Default Ð Bounty Awarded
Steve Technical Support Specialist
Gainesville, Florida
Steve Default
 

Mike, the CAN image you posted is way too low a resolutio. The large groups at .6 .7 and .9 time are really clumps of signals. In order to interpret who what or why you would need to see each pulse. I asked a gener question about what scope I would need to see the signals at that resolution. About 15 years ago I got a reply from Randy Bernklau. He was stating that to do what I wanted I would

-1
Default Ð Bounty Awarded
Mike Mobile Technician
Mount Pleasant, South Carolina
Mike Default
 

I used that waveform to show the transition between an incoming and outgoing message on the bus. In that instance CAN wires to one module had been swapped. When that module was sending a message the CAN signals essentially switched colors on the screen. This created a visual indication of incoming and outgoing messages to the cluster. That is interesting about the Xentry tool. That is the last

0
Default Ð Bounty Awarded
Dean Owner
Albany, New York
Dean Default
 

I recommend a book. The car hacker's handbook. Also, without going into much detail, research a program called Kayak. It records, plays back and defines CAN definitions. It works on any platform. It is a super powerful program.

+1
Default Ð Bounty Awarded
Mike Mobile Technician
Mount Pleasant, South Carolina
Mike Default
 

I'll look into that thanks.

0
Default Ð Bounty Awarded
Steve Technical Support Specialist
Gainesville, Florida
Steve Default
 

I have a 5m pdf file that I was going to load here, but it seems that only images are accepted. If you would like to see it send me your email address to …

+1
Default Ð Bounty Awarded
Scott Manager
Claremont, California
Scott Default
 

Hi Steve, Email me the PDF and I’ll get it embedded. … Thanks FYI, we‘re testing the new file upload system now and it soon will be ready for production. Sorry for the trouble.

0
Default Ð Bounty Awarded
Rudy Technician
Montebello, California
Rudy Default
 

Seems to me what youre saying is that you want to see the "on" or "off" command sent via a CAN bus to a specific item,yes? It also seems to me that the people responding are saying there is never just 1 command on a CAN wire and even if you see the same signal over and over,you have no way of knowing if the specific command you are looking for is in the messages being sent out by just using a

0
Default Ð Bounty Awarded
Michael Owner/Technician
Cartersville, Georgia
Michael Default
 

Hi Mark, Each module has a transceiver that analyses information packets that are broadcasted on the network. There is a unique identifier in each packet that tells the packet is meant for them. If it recognizes it is a packet for his module it passes it into the module for interpretation. If it is not meant for his module it just passes it on so it can go to the right module. There are

0
Default Ð Bounty Awarded
Robert Owner
Ypsilanti, Michigan
Robert Default
 

I would suggest constructing a gateway and placing it between the target node and rest of the network. That way you can see which part of the network each packet came from.

0
Default Ð Bounty Awarded
Michael Owner/Technician
Cartersville, Georgia
Michael Default
 

Hi Robert. I think you would still have to sniff packets because packets from every module on the network are sending messages one right after each other. A CAN sniffer is another node in the network. As the packet comes through the transceiver it is recorded and sent on.

0
Default Ð Bounty Awarded
Robert Owner
Ypsilanti, Michigan
Robert Default
 

Unfortunately without very advanced techniques like oscillator fingerprinting, or knowledge of which IDs are transmitted by which controllers, you need to physically separate the nodes to figure it out.

0
Default Ð Bounty Awarded
Keith Diagnostician
Collinsville, Oklahoma
Keith Default
 

Hoping Brandon Stecklar will chime in as we discussed this recently, he has done some testing and has determined that a micro amp clamp will show current, and he does have some theories and I believe some data that he collected while trying to make a useful analysis with this technique.

+2
Default Ð Bounty Awarded
Robby Mobile Technician
New Market, Alabama
Robby Default
 

Hi Mike, I'm a little late to this thread, so I haven't read all of the responses. I'll be reading up that later. I've played around with the K110 on CAN in the past. Take a look at this CAN waveform: That's from a 2015 Chevrolet Malibu where the HVAC module would not communicate. Periodically, I would get 12v spikes on the LS CAN. If I unplugged the HVAC module, the spikes would go away…

+3
Default Ð Bounty Awarded
Mike Mobile Technician
Mount Pleasant, South Carolina
Mike Default
 

Robby, That is interesting. I guess I wouldn't be surprised that it is a little slower. I think I am missing something on this whole idea though. In my head if we were using a simple CAN system with two modules, the current you are measuring would be coming from whatever module is sending the signal and that current is flowing from the origin outward on the can wires which is how we are able to

+1
Default Ð Bounty Awarded
Robby Mobile Technician
New Market, Alabama
Robby Default
 

If you only had two modules, then you may be able to tell whether the module is receiving or transmitting. As others have alluded, figuring out the details of the message is a totally different story. Now you're getting into CAN hacking. It is possible without the manufacturer database, but it's waaaay above my level. To get an idea, spend a little time watching

+1
Default Ð Bounty Awarded
Dr. Engineer
Port Angeles, Washington
Dr. Default
 

Robby: in my opinion, the value of technicians can be significantly enhanced when they can successfully manipulate electronic and software systems. Understanding electronic devices more thoroughly and writing & coding small software scripts would go a long way in reducing diagnostic time and the dependence upon pattern failure diagnostics. As systems continue to advance and iterate, pattern

+3
Default Ð Bounty Awarded
Dean Owner
Albany, New York
Dean Default
 

Wow! Well said sir.

+1
Default Ð Bounty Awarded
Mike Mobile Technician
Mount Pleasant, South Carolina
Mike Default
 

Thanks for sharing. I had read a little about that Jeep story a while back but I've never seen that video. While it would be nice to be able to interpret the messages I would assume that even for someone who is very familiar with CAN hacking the time involved in that process would not make it usefull in diagnostics. Especially because most of our diagnostics situations do not include a known

+1
Default Ð Bounty Awarded
Dr. Engineer
Port Angeles, Washington
Dr. Default
 

Hi Mike (and others who are following this thread): While I appreciate your (Mike's) comments, I have to respectfully and professionally disagree. In your original post, you were asking about the possibility of using amp clamps, LEDs, etc. to discern CAN message traffic for the purpose of identifying inputs and outputs (summarizing here). I suspect that you've learned that this likely cannot

+3
Default Ð Bounty Awarded
Mike Mobile Technician
Mount Pleasant, South Carolina
Mike Default
 

Mark, I appreciate your passion for the subject but I cannot envision a scenario where even someone highly experienced in CAN hacking could use that skillset to effectively diagnose a vehicle in the field. Correct me if I am incorrect but if a technician got to a point in their diagnostics where CAN hacking could be useful it would likely be to verify if a signal was being sent or received…

0
Default Ð Bounty Awarded
Dr. Engineer
Port Angeles, Washington
Dr. Default
 

Hi Mike: Thanks for the response and comments. It appears that your mind is already convinced. Best of luck. Mark

0
Default Ð Bounty Awarded
Mike Mobile Technician
Mount Pleasant, South Carolina
Mike Default
 

Mark, Without intentions of being antagonistic I am truly interested in learning if CAN hacking has a place in the diagnostics space? I listed the reasons why I don't see it being practical above but maybe I am misinformed? Again, I would love for you to convince me otherwise. If determining signal direction cannot be accomplished by measuring the amperage of a CAN signal than I would like to

0
Default Ð Bounty Awarded
Bob Owner/Technician
East Longmeadow, Massachusetts
Bob Default
 

This boot camp sounds like a great opportunity, I'm going to try and make one of those dates next year.

0
Default Ð Bounty Awarded
Dr. Engineer
Port Angeles, Washington
Dr. Default
 

Hi Bob: The Boot Camp Class scheduled for March 2019 in Las Vegas will be running for sure. We’re unsure if the other 2019 dates will be running as of today. If you can make the March 2019 class, this would be the optimum time. Best Regards, Mark

0
Default Ð Bounty Awarded
Bob Engineer
Auburn Hills, Michigan
Bob Default
   

Sorry, late to the game, but I agree with Mark. The OP should (needs to?) take some form of CAN Communication course, either the boot camp or maybe the SAE CAN Comms class. Many have shown great patience trying to piecemeal different parts of the CAN lesson together here, it is impossible to give all the information in this forum. I'll try a few more basic points. A CAN signal is a differential

0
Default Ð Bounty Awarded
Michael Owner/Technician
Cartersville, Georgia
Michael Default
 

Hi Bob, Thanks for chiming in. I'm not sure if this is your area of expertise or not. The biggest challenge I have is with intermittent communication codes where the voltages and the resistances are correct and the waveform of the packets are seemingly good but I still get a U codes. I have a couple of questions of how information is shared amongst the different nodes. If a node is

0
Default Ð Bounty Awarded
Bob Engineer
Auburn Hills, Michigan
Bob Default
 

Hi Mike, The operative word you used here is "seemingly." Unless you know that all the bits in the waveform are correct, you are shooting in the dark. One bit failure in a message, by a malfunctioning module can cause a U-code and/or MIL. Unfortunately, the answers to your questions are all "it depends" on the implementation of each OEM's approach to these scenarios. There is no one specific way

0
Default Ð Bounty Awarded