0001 .. SPDX-License-Identifier: (GPL-2.0-only OR BSD-3-Clause)
0002
0003 can327: ELM327 driver for Linux SocketCAN
0004 ==========================================
0005
0006 Authors
0007 --------
0008
0009 Max Staudt <max@enpas.org>
0010
0011
0012
0013 Motivation
0014 -----------
0015
0016 This driver aims to lower the initial cost for hackers interested in
0017 working with CAN buses.
0018
0019 CAN adapters are expensive, few, and far between.
0020 ELM327 interfaces are cheap and plentiful.
0021 Let's use ELM327s as CAN adapters.
0022
0023
0024
0025 Introduction
0026 -------------
0027
0028 This driver is an effort to turn abundant ELM327 based OBD interfaces
0029 into full fledged (as far as possible) CAN interfaces.
0030
0031 Since the ELM327 was never meant to be a stand alone CAN controller,
0032 the driver has to switch between its modes as quickly as possible in
0033 order to fake full-duplex operation.
0034
0035 As such, can327 is a best effort driver. However, this is more than
0036 enough to implement simple request-response protocols (such as OBD II),
0037 and to monitor broadcast messages on a bus (such as in a vehicle).
0038
0039 Most ELM327s come as nondescript serial devices, attached via USB or
0040 Bluetooth. The driver cannot recognize them by itself, and as such it
0041 is up to the user to attach it in form of a TTY line discipline
0042 (similar to PPP, SLIP, slcan, ...).
0043
0044 This driver is meant for ELM327 versions 1.4b and up, see below for
0045 known limitations in older controllers and clones.
0046
0047
0048
0049 Data sheet
0050 -----------
0051
0052 The official data sheets can be found at ELM electronics' home page:
0053
0054 https://www.elmelectronics.com/
0055
0056
0057
0058 How to attach the line discipline
0059 ----------------------------------
0060
0061 Every ELM327 chip is factory programmed to operate at a serial setting
0062 of 38400 baud/s, 8 data bits, no parity, 1 stopbit.
0063
0064 If you have kept this default configuration, the line discipline can
0065 be attached on a command prompt as follows::
0066
0067 sudo ldattach \
0068 --debug \
0069 --speed 38400 \
0070 --eightbits \
0071 --noparity \
0072 --onestopbit \
0073 --iflag -ICRNL,INLCR,-IXOFF \
0074 30 \
0075 /dev/ttyUSB0
0076
0077 To change the ELM327's serial settings, please refer to its data
0078 sheet. This needs to be done before attaching the line discipline.
0079
0080 Once the ldisc is attached, the CAN interface starts out unconfigured.
0081 Set the speed before starting it::
0082
0083 # The interface needs to be down to change parameters
0084 sudo ip link set can0 down
0085 sudo ip link set can0 type can bitrate 500000
0086 sudo ip link set can0 up
0087
0088 500000 bit/s is a common rate for OBD-II diagnostics.
0089 If you're connecting straight to a car's OBD port, this is the speed
0090 that most cars (but not all!) expect.
0091
0092 After this, you can set out as usual with candump, cansniffer, etc.
0093
0094
0095
0096 How to check the controller version
0097 ------------------------------------
0098
0099 Use a terminal program to attach to the controller.
0100
0101 After issuing the "``AT WS``" command, the controller will respond with
0102 its version::
0103
0104 >AT WS
0105
0106
0107 ELM327 v1.4b
0108
0109 >
0110
0111 Note that clones may claim to be any version they like.
0112 It is not indicative of their actual feature set.
0113
0114
0115
0116
0117 Communication example
0118 ----------------------
0119
0120 This is a short and incomplete introduction on how to talk to an ELM327.
0121 It is here to guide understanding of the controller's and the driver's
0122 limitation (listed below) as well as manual testing.
0123
0124
0125 The ELM327 has two modes:
0126
0127 - Command mode
0128 - Reception mode
0129
0130 In command mode, it expects one command per line, terminated by CR.
0131 By default, the prompt is a "``>``", after which a command can be
0132 entered::
0133
0134 >ATE1
0135 OK
0136 >
0137
0138 The init script in the driver switches off several configuration options
0139 that are only meaningful in the original OBD scenario the chip is meant
0140 for, and are actually a hindrance for can327.
0141
0142
0143 When a command is not recognized, such as by an older version of the
0144 ELM327, a question mark is printed as a response instead of OK::
0145
0146 >ATUNKNOWN
0147 ?
0148 >
0149
0150 At present, can327 does not evaluate this response. See the section
0151 below on known limitations for details.
0152
0153
0154 When a CAN frame is to be sent, the target address is configured, after
0155 which the frame is sent as a command that consists of the data's hex
0156 dump::
0157
0158 >ATSH123
0159 OK
0160 >DEADBEEF12345678
0161 OK
0162 >
0163
0164 The above interaction sends the SFF frame "``DE AD BE EF 12 34 56 78``"
0165 with (11 bit) CAN ID ``0x123``.
0166 For this to function, the controller must be configured for SFF sending
0167 mode (using "``AT PB``", see code or datasheet).
0168
0169
0170 Once a frame has been sent and wait-for-reply mode is on (``ATR1``,
0171 configured on ``listen-only=off``), or when the reply timeout expires
0172 and the driver sets the controller into monitoring mode (``ATMA``),
0173 the ELM327 will send one line for each received CAN frame, consisting
0174 of CAN ID, DLC, and data::
0175
0176 123 8 DEADBEEF12345678
0177
0178 For EFF (29 bit) CAN frames, the address format is slightly different,
0179 which can327 uses to tell the two apart::
0180
0181 12 34 56 78 8 DEADBEEF12345678
0182
0183 The ELM327 will receive both SFF and EFF frames - the current CAN
0184 config (``ATPB``) does not matter.
0185
0186
0187 If the ELM327's internal UART sending buffer runs full, it will abort
0188 the monitoring mode, print "BUFFER FULL" and drop back into command
0189 mode. Note that in this case, unlike with other error messages, the
0190 error message may appear on the same line as the last (usually
0191 incomplete) data frame::
0192
0193 12 34 56 78 8 DEADBEEF123 BUFFER FULL
0194
0195
0196
0197 Known limitations of the controller
0198 ------------------------------------
0199
0200 - Clone devices ("v1.5" and others)
0201
0202 Sending RTR frames is not supported and will be dropped silently.
0203
0204 Receiving RTR with DLC 8 will appear to be a regular frame with
0205 the last received frame's DLC and payload.
0206
0207 "``AT CSM``" (CAN Silent Monitoring, i.e. don't send CAN ACKs) is
0208 not supported, and is hard coded to ON. Thus, frames are not ACKed
0209 while listening: "``AT MA``" (Monitor All) will always be "silent".
0210 However, immediately after sending a frame, the ELM327 will be in
0211 "receive reply" mode, in which it *does* ACK any received frames.
0212 Once the bus goes silent, or an error occurs (such as BUFFER FULL),
0213 or the receive reply timeout runs out, the ELM327 will end reply
0214 reception mode on its own and can327 will fall back to "``AT MA``"
0215 in order to keep monitoring the bus.
0216
0217 Other limitations may apply, depending on the clone and the quality
0218 of its firmware.
0219
0220
0221 - All versions
0222
0223 No full duplex operation is supported. The driver will switch
0224 between input/output mode as quickly as possible.
0225
0226 The length of outgoing RTR frames cannot be set. In fact, some
0227 clones (tested with one identifying as "``v1.5``") are unable to
0228 send RTR frames at all.
0229
0230 We don't have a way to get real-time notifications on CAN errors.
0231 While there is a command (``AT CS``) to retrieve some basic stats,
0232 we don't poll it as it would force us to interrupt reception mode.
0233
0234
0235 - Versions prior to 1.4b
0236
0237 These versions do not send CAN ACKs when in monitoring mode (AT MA).
0238 However, they do send ACKs while waiting for a reply immediately
0239 after sending a frame. The driver maximizes this time to make the
0240 controller as useful as possible.
0241
0242 Starting with version 1.4b, the ELM327 supports the "``AT CSM``"
0243 command, and the "listen-only" CAN option will take effect.
0244
0245
0246 - Versions prior to 1.4
0247
0248 These chips do not support the "``AT PB``" command, and thus cannot
0249 change bitrate or SFF/EFF mode on-the-fly. This will have to be
0250 programmed by the user before attaching the line discipline. See the
0251 data sheet for details.
0252
0253
0254 - Versions prior to 1.3
0255
0256 These chips cannot be used at all with can327. They do not support
0257 the "``AT D1``" command, which is necessary to avoid parsing conflicts
0258 on incoming data, as well as distinction of RTR frame lengths.
0259
0260 Specifically, this allows for easy distinction of SFF and EFF
0261 frames, and to check whether frames are complete. While it is possible
0262 to deduce the type and length from the length of the line the ELM327
0263 sends us, this method fails when the ELM327's UART output buffer
0264 overruns. It may abort sending in the middle of the line, which will
0265 then be mistaken for something else.
0266
0267
0268
0269 Known limitations of the driver
0270 --------------------------------
0271
0272 - No 8/7 timing.
0273
0274 ELM327 can only set CAN bitrates that are of the form 500000/n, where
0275 n is an integer divisor.
0276 However there is an exception: With a separate flag, it may set the
0277 speed to be 8/7 of the speed indicated by the divisor.
0278 This mode is not currently implemented.
0279
0280 - No evaluation of command responses.
0281
0282 The ELM327 will reply with OK when a command is understood, and with ?
0283 when it is not. The driver does not currently check this, and simply
0284 assumes that the chip understands every command.
0285 The driver is built such that functionality degrades gracefully
0286 nevertheless. See the section on known limitations of the controller.
0287
0288 - No use of hardware CAN ID filtering
0289
0290 An ELM327's UART sending buffer will easily overflow on heavy CAN bus
0291 load, resulting in the "``BUFFER FULL``" message. Using the hardware
0292 filters available through "``AT CF xxx``" and "``AT CM xxx``" would be
0293 helpful here, however SocketCAN does not currently provide a facility
0294 to make use of such hardware features.
0295
0296
0297
0298 Rationale behind the chosen configuration
0299 ------------------------------------------
0300
0301 ``AT E1``
0302 Echo on
0303
0304 We need this to be able to get a prompt reliably.
0305
0306 ``AT S1``
0307 Spaces on
0308
0309 We need this to distinguish 11/29 bit CAN addresses received.
0310
0311 Note:
0312 We can usually do this using the line length (odd/even),
0313 but this fails if the line is not transmitted fully to
0314 the host (BUFFER FULL).
0315
0316 ``AT D1``
0317 DLC on
0318
0319 We need this to tell the "length" of RTR frames.
0320
0321
0322
0323 A note on CAN bus termination
0324 ------------------------------
0325
0326 Your adapter may have resistors soldered in which are meant to terminate
0327 the bus. This is correct when it is plugged into a OBD-II socket, but
0328 not helpful when trying to tap into the middle of an existing CAN bus.
0329
0330 If communications don't work with the adapter connected, check for the
0331 termination resistors on its PCB and try removing them.
