前言
2021年在360搭了一套ID.4台架环境,本来快要出成果了(拿到了ODIS内网权限,还有ICAS3的root),被安排出差去搭建展示车,后续工作计划被打乱。这期间不管是工作还是生活都遇到了许多糟心事,便停止了研究。
算是一个怨念项目吧,今年5月我在机缘巧合下又研究了ID.4的ICAS1的车控逻辑,还有一个怨念项目是CAN-Pick NG,写了一半又搁置了,不知道2025可不可以完成。
ID.4 是大众MEB平台,EE架构总共有两个域控制器,ICAS1, ICAS3。其中ICAS1(J533)与车身控制有关。 下图是J533的位置,位于序号13。将线控模块装载到此处,可以实现车身监测和控制。
车内ECU拓扑
Classic CAN: 500k
CAN-FD:仲裁域500k, 数据域2M。若要分析CAN-FD,ZLG设备最合适。
通过分析 ELSA电路图 和 大众内部培训资料,发现总线命名混乱,必须重新整理才能得到正确的CAN拓扑图。
J533总共有9路CAN,4路LIN(暂不需要),关键ECU如下。
- Running-Gear CAN (CAN-FD)
- J104 - ABS
- J500 - EPS,转向助力控制单元
- NX6 - 制动控制器 (Brake Booster)
- Powertrain CAN (CAN-FD)
- J623 - 电机控制模块 Engine/Motor Control Module
- J841/J944 - 电驱单元
- J234 - 气囊 (不能在这里Fuzzing,危险)
- Driver Assistance CAN,CAN-FAS (CAN-FD)
- J428 - 车距调节控制单元
- J446 - 泊车雷达控制单元
- J769/J770 - 行驶换道辅助系统控制单元
- J928 - 全景摄像头控制单元
- Convenience CAN (Classic)
- J527 - 电控换档模块 (Steering Column Electronics Control Module)
- J605 - 行李箱盖控制单元
- J764 - 转向柱锁
- …其他车身控制
- CAN-EV (CAN-FD)
- J979 - 加热与空调控制模块 (Heater and Air Conditioning Control Module)
J533连接器T40a定义
T40a 连接器和表格对应如下。
总线安全策略
网关隔离
多功能方向盘控制信号,由Convenience CAN接收,但是底盘CAN的ECU也能收到。底盘CAN发出的多功能方向盘控制信号,不会被J533转发到目标ECU。
CRC 校验
分析CAN总线变化,可以看到大部份报文的变化规律,第一字节随机,第二字节有规律递增。第一字节是CRC,第二字节是计数器。
CRC 初始值
参考OpenDBC github
/opendbc/can/common.cc volkswagen_mqb_checksum
可以获取VM MQB平台的 Checksum 初始值,但是ID.4有很多新的CRC初始值,我通过逆向分析并记录在下面了。
大部份控制信号有CRC和计数器,ECU不会校验某些不重要功能的CRC,比如天窗,车窗,鸣笛。但是会校验转向助力,行李箱盖开启,雨刮等影响驾驶的功能。
| Signal | CAN ID | CRC Seed |
|---|---|---|
| AAA_01 | 0x12DD5502 | 0x62,0x14,0x7c,0xa1,0x49,0x95,0x43,0x04,0x78,0x46,0x74,0x19,0x39,0x17,0x9f,0x1c |
| ACC_18 | 0x14D | 0x1a,0x65,0x81,0x96,0xc0,0xdf,0x11,0x92,0xd3,0x61,0xc6,0x95,0x8c,0x29,0x21,0xb5 |
| Airbag_01 | 0x040 | 0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40 |
| Airbag_02 | 0x520 | 0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44 |
| APS_Master | 0x380 | 0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13 |
| AWV_03 | 0x0DB | 0x09,0xfa,0xca,0x8e,0x62,0xd5,0xd1,0xf0,0x31,0xa0,0xaf,0xda,0x4d,0x1a,0x0a,0x97 |
| BEM_06 | 0x48B | 0x54,0xaf,0x8a,0xfb,0x0d,0x87,0x6a,0x0f,0x47,0x78,0x31,0x4f,0x35,0x28,0x82,0x6d |
| Blinkmodi_02 | 0x366 | 0xa9,0xbd,0xfb,0x3c,0x95,0x0f,0x75,0x3a,0x4f,0x19,0x59,0x6d,0xb2,0xe9,0xd1,0x97 |
| EA_01 | 0x1A4 | 0x69,0xbb,0x54,0xe6,0x4e,0x46,0x8d,0x7b,0xea,0x87,0xe9,0xb3,0x63,0xce,0xf8,0xbf |
| EA_02 | 0x1F0 | 0x2f,0x3c,0x22,0x60,0x18,0xeb,0x63,0x76,0xc5,0x91,0x0f,0x27,0x34,0x04,0x7f,0x02 |
| ELV_01 | 0x656 | 0xab,0x2f,0xd3,0x39,0x6f,0x37,0xfa,0x59,0xa4,0x70,0xce,0x11,0x54,0x82,0x62,0x56 |
| EM1_01 | 0x0C0 | 0x2f,0x44,0x72,0xd3,0x07,0xf2,0x39,0x09,0x8d,0x6f,0x57,0x20,0x37,0xf9,0x9b,0xfa |
| EML_02 | 0x1A555541 | 0x3e,0xb4,0x25,0xc1,0x31,0x1f,0xf1,0xd7,0xb1,0xbe,0xcc,0xe0,0x0f,0x46,0x51,0xb2 |
| EML_06 | 0x20A | 0x9d,0xe8,0x36,0xa1,0xca,0x3b,0x1d,0x33,0xe0,0xd5,0xbb,0x5f,0xae,0x3c,0x31,0x9f |
| ESC_50 | 0x102 | 0xd7,0x12,0x85,0x7e,0x0b,0x34,0xfa,0x16,0x7a,0x25,0x2d,0x8f,0x04,0x8e,0x5d,0x35 |
| ESC_51 | 0x0FC | 0x77,0x5c,0xa0,0x89,0x4b,0x7c,0xbb,0xd6,0x1f,0x6c,0x4f,0xf6,0x20,0x2b,0x43,0xdd |
| ESP_10 | 0x116 | 0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac |
| ESP_20 | 0x65D | 0xac,0xb3,0xab,0xeb,0x7a,0xe1,0x3b,0xf7,0x73,0xba,0x7c,0x9e,0x06,0x5f,0x02,0xd9 |
| ESP_21 | 0x0FD | 0xb4,0xef,0xf8,0x49,0x1e,0xe5,0xc2,0xc0,0x97,0x19,0x3c,0xc9,0xf1,0x98,0xd6,0x61 |
| ESP_24 | 0x31B | 0x67,0x8a,0xae,0x22,0x4d,0xd0,0x51,0x80,0x5c,0xb9,0xce,0x1e,0xdf,0x02,0x2d,0xd4 |
| Getriebe_11 | 0x0AD | 0x3f,0x69,0x39,0xdc,0x94,0xf9,0x14,0x64,0xd8,0x6a,0x34,0xce,0xa2,0x55,0xb5,0x2c |
| GRA_ACC_01 | 0x12B | 0x6a,0x38,0xb4,0x27,0x22,0xef,0xe1,0xbb,0xf8,0x80,0x84,0x49,0xc7,0x9e,0x1e,0x2b |
| HCA_01 | 0x126 | 0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda |
| HVL_01 | 0x12DD553D | 0x1d,0x82,0x7b,0x79,0xa5,0xee,0x3a,0xb9,0xb7,0xf9,0xe4,0x67,0x7f,0x97,0x11,0xad |
| IPA_01 | 0x138 | 0x77,0x4e,0x14,0x87,0xf2,0xf8,0xb2,0x61,0xf6,0xa4,0x52,0x94,0xd4,0x81,0x2a,0xb1 |
| IPA_02 | 0x16A9545F | 0xc6,0x7f,0x85,0xb6,0xe6,0xae,0xf8,0x26,0xb0,0x8c,0x19,0x10,0x5b,0x33,0x64,0x6c |
| Klemmen_Status_01 | 0x3C0 | 0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3 |
| LH_EPS_02 | 0x11D | 0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c |
| LH_EPS_03 | 0x09F | 0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5 |
| Licht_Anf_01 | 0x3D5 | 0xc5,0x39,0xc7,0xf9,0x92,0xd8,0x24,0xce,0xf1,0xb5,0x7a,0xc4,0xbc,0x60,0xe3,0xd1 |
| LWI_01 | 0x086 | 0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86 |
| Motor_14 | 0x3BE | 0x1f,0x28,0xc6,0x85,0xe6,0xf8,0xb0,0x19,0x5b,0x64,0x35,0x21,0xe4,0xf7,0x9c,0x24 |
| Motor_51 | 0x10B | 0x77,0x5c,0xa0,0x89,0x4b,0x7c,0xbb,0xd6,0x1f,0x6c,0x4f,0xf6,0x20,0x2b,0x43,0xdd |
| Motor_54 | 0x14C | 0x16,0x35,0x59,0x15,0x9a,0x2a,0x97,0xb8,0x0e,0x4e,0x30,0xcc,0xb3,0x07,0x01,0xad |
| Motor_Code_01 | 0x641 | 0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47 |
| Parken_01 | 0x206 | 0x09,0xfa,0xca,0x8e,0x62,0xd5,0xd1,0xf0,0x31,0xa0,0xaf,0xda,0x4d,0x1a,0x0a,0x97 |
| PLA_04 | 0x407 | 0xef,0x60,0x04,0xa8,0x0c,0x1c,0xda,0x07,0x36,0xd7,0x28,0x92,0xa9,0x88,0x2c,0x4a |
| QFK_01 | 0x13D | 0x20,0xca,0x68,0xd5,0x1b,0x31,0xe2,0xda,0x08,0x0a,0xd4,0xde,0x9c,0xe4,0x35,0x5b |
| RCTA_01 | 0x2B7 | 0x5e,0xc7,0x04,0x11,0x4d,0x27,0x0d,0x31,0x91,0xb8,0x62,0x76,0x64,0x09,0xeb,0xec |
| SAL_01 | 0x12DD54C9 | 0xde,0xa9,0x83,0x0b,0x0c,0x64,0x79,0x44,0x0f,0xf6,0xc6,0xc7,0x05,0x45,0xb7,0x59 |
| SAM_01 | 0x205 | 0x19,0x36,0xd4,0x1e,0x80,0x22,0xf4,0xb8,0xad,0x41,0x0b,0x3f,0x87,0x42,0x25,0x40 |
| SMLS_01 | 0x3D4 | 0xc3,0x79,0xbf,0xdb,0xe9,0x11,0x46,0x86,0x69,0xb6,0x9b,0x29,0x15,0x9c,0x45,0x0d |
| TA_01 | 0x26B | 0xce,0xcc,0xbd,0x69,0xa1,0x3c,0x18,0x76,0x0f,0x04,0xf2,0x3a,0x93,0x24,0x19,0x51 |
| TSG_FT_02 | 0x3E5 | 0xc4,0x6a,0x69,0x30,0xcf,0x61,0x58,0x51,0x1b,0x86,0x99,0xd3,0xf6,0x1d,0x9a,0x37 |
| VMM_01 | 0x105 | 0xde,0x0e,0xa7,0x1d,0xc3,0x83,0xbd,0x82,0x8c,0xa2,0x0c,0x7b,0x4d,0x3c,0x58,0x79 |
| VMM_02 | 0x139 | 0xed,0x03,0x1c,0x13,0xc6,0x23,0x78,0x7a,0x8b,0x40,0x14,0x51,0xbf,0x68,0x32,0xba |
CRC 算法
MEB_Kennungsfolge = {
# LWI_01 Steering Angle
0x86: [0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86],
# LH_EPS_03 Electric Power Steering
0x9F: [0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5],
# HCA_01 Heading Control Assist
0x126: [0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA],
# GRA_ACC_01 Steering wheel controls for ACC
0x12B: [0x6A, 0x38, 0xB4, 0x27, 0x22, 0xEF, 0xE1, 0xBB, 0xF8, 0x80, 0x84, 0x49, 0xC7, 0x9E, 0x1E, 0x2B]
}
def gen_crc_lookup_table_8(poly):
crc_lut = [0] * 256
for i in range(256):
crc = i
for j in range(8):
if crc & 0x80:
crc = (crc << 1) ^ poly
else:
crc <<= 1
crc_lut[i] = crc & 0xFF
return crc_lut
def volkswagen_mqb_checksum(address, data):
global crc8_lut_8h2f
crc = 0xFF # CRC8 8H2F/AUTOSAR
for i in range(1, len(data)):
crc = crc ^ data[i]
# print(hex(crc), hex(i))
crc = crc8_lut_8h2f[crc]
counter = data[1] & 0x0F
if address in MEB_Kennungsfolge:
crc ^= MEB_Kennungsfolge[address][counter]
else:
# 无需校验
crc ^= [0x00] * 16 # 默认情况下,返回全 0
crc = crc8_lut_8h2f[crc] # 标准 CRC8 8H2F/AUTOSAR 最后一个 XOR
return crc ^ 0xFF
can_id = 0x126
data = bytearray(bytes(8))
crc8_lut_8h2f = gen_crc_lookup_table_8(0x2f)
crc = volkswagen_mqb_checksum(can_id, data)
data[0] = crc
CAN 信号
- Convenience CAN有以下信号通信,可用于状态读取,车身功能基本上可以通过此路CAN进行控制。包括空调,前后大灯,鸣笛,雨刮,车窗,车锁,车辆状态等信息。
0x12B GRA_ACC_01 自适应巡航,GRA系统,ACC,
0x1F0 EA_02 应急辅助
0x205 SAM_01 开关和执行模块
0x2B7 RCTA_01 Rear Cross Traffic Alert,后方交通警示
0x31B ESP_24
0x366 Blinkmodi_02 闪烁模式
0x397 LDW_02 车道偏离警示系统
0x3BE Motor_14 电机控制
0x3C0 Klemmen_Status_01 端子状态
0x3CE TSG_HFS_01 后座门窗功能系统
0x3CF TSG_HBFS_01 后门窗户功能系统
0x3D0 TSG_FT_01 前门功能系统
0x3D4 SMLS_01 转向柱开关模块
0x3D5 Licht_Anf_01 灯光要求
0x3D6 Licht_hinten_01 后部灯光状态
0x3DC Gateway_73 这些信息涉及车辆的各种信号和状态,包括系统提示、安全提示、故障诊断、信号更新和旧信号的替换
0x48B BEM_06 低电压能源管理
0x520 Airbag_02 气囊2
0x551 WFS_01 车钥匙防盗
0x582 HDSG_01 后备箱管理状态
0x583 ZV_02 中央门锁系统
0x585 Systeminfo_01 诊断和生产模式设置
0x592 Kessy_04 智能钥匙系统(Kessy)以及远程停车功能的状态和控制
0x5A0 RLS_01 光传感器和雨量传感器
0x5A7 TM_01 Telematics
0x5F0 Dimmung_01 调光
0x5F4 Innenlicht_11 车内灯光
0x641 Motor_Code_01 电机设码
0x643 Einheiten_01 单位设置
0x656 ELV_01 电子转向柱锁
0x658 Licht_vorne_01 前灯状态
0x65D ESP_20
0x668 Klima_12 空调系统
0x670 Motor_18
0x6AE Spiegel_01 后视镜
0x6AF Rear_View_01 后视摄像头
0x6B2 Diagnose_01
0x6B4 VIN_01
0x12DD54C9 SAL_01 照明模块
其他信号
DBC已经分析出来了,暂时不公开。
0x184
1. 锁车
1. 第二字节 后视镜开 0x20 开
2. 第三字节 后视镜关 0x40 关
2. 车窗
1. 第六字节 车窗 04 左前下,02 左前上,40 左后下,08右前上,10右前下
2. 第七字节,01右后下
0x185
1. 车窗控制,10 20 up 40 80 down
1. 第一字节 前排
2. 第二字节 后排
0x598
1. 天窗控制
1. 第三字节 0x20 无 0x21 tap 0x22 滑动 0x25 长按
2. 第七字节:04 关一下,08 一直关,0C 开一下,10 一直开, 14,1c其他
控制转向
要求档位在D/B或者R档。以下五个信号可以用于控制方向盘。
- LWI_01 Lenkwinkelsensor
- LH_EPS_03 Lenkhilfe Electric Power Steering
- HCA_01 Heading Control Assist
- GRA_ACC_01 Geschwindigkeitsregelanlage & Adaptive Cruise Control
- PLA_05 Park Lane Assist
提示
- 组合使用0x86, 0x9f, 0x126, 0x12b, 0x302信号,在CAN-FAS发送,可以实现泊车方向盘转向功能。
- 组合使用0x86, 0x9f, 0x302信号,在Gear-Running CAN发送,可以实现方向盘转向。
- 其中0x9f(LH_EPS_03)和0x302(PLA_05)两个信号都可以直接控制方向盘。
- 0x302没有CRC校验,因此控制方向盘比0x9f容易
DEMO
def create_pla_control(sendestatus, positive, degree):
data = bytearray(bytes(24))
data[1] = 0x40
# PLA_QFK_Spuerb
data[2] = 0xFA
# PLA_QFK_KruemmSoll
data = set_value(data, degree, 32, 15)
# PLA_QFK_KruemmSoll_VZ
if positive:
data = set_value(data, 1, 47, 1)
else:
data = set_value(data, 0, 47, 1)
# PLA_05_Sendestatus
if sendestatus:
data = set_value(data, 1, 74, 1)
else:
data = set_value(data, 0, 74, 1)
return data
hca_01_counter = 0
degree = 0
for i in range(20):
# data = create_steering_control(10 * i, 1)
# meb_can_send(0x126, 0.1, data)
degree += 0x10
data = create_pla_control(1, 1, degree)
can_send(0x302, 0.1, data)
RPi CAN HAT
控制方向盘Demo,仅让方向盘动起来,真正要实现远控,需要有力学的知识,还要设计控制算法。
import os
import can
import time
can0 = can.interface.Bus(channel = 'can0', bustype = 'socketcan', fd=True, bitrate=500000)
# msg = can.Message(is_extended_id=False, arbitration_id=0x123, data=[0, 1, 2, 3, 4, 5, 6, 7])
# can0.send(msg)
MEB_Kennungsfolge = {
# LWI_01 Steering Angle
0x86: [0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86],
# LH_EPS_03 Electric Power Steering
0x9F: [0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5],
# HCA_01 Heading Control Assist
0x126: [0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA],
# GRA_ACC_01 Steering wheel controls for ACC
0x12B: [0x6A, 0x38, 0xB4, 0x27, 0x22, 0xEF, 0xE1, 0xBB, 0xF8, 0x80, 0x84, 0x49, 0xC7, 0x9E, 0x1E, 0x2B]
}
def volkswagen_mqb_checksum(address, data):
global crc8_lut_8h2f
crc = 0xFF # CRC8 8H2F/AUTOSAR
for i in range(1, len(data)):
crc = crc ^ data[i]
# print(hex(crc), hex(i))
crc = crc8_lut_8h2f[crc]
counter = data[1] & 0x0F
if address in MEB_Kennungsfolge:
crc ^= MEB_Kennungsfolge[address][counter]
else:
print("Attempt to CRC check undefined Volkswagen message 0x%02X" % address)
crc ^= [0x00] * 16 # 默认情况下,返回全 0
crc = crc8_lut_8h2f[crc] # 标准 CRC8 8H2F/AUTOSAR 最后一个 XOR
return crc ^ 0xFF
def gen_crc_lookup_table_8(poly):
crc_lut = [0] * 256
for i in range(256):
crc = i
for j in range(8):
if crc & 0x80:
crc = (crc << 1) ^ poly
else:
crc <<= 1
crc_lut[i] = crc & 0xFF
return crc_lut
def meb_can_send(can_id, interval, data):
global hca_01_counter
data[1] = data[1] | hca_01_counter
crc = volkswagen_mqb_checksum(can_id, data)
data[0] = crc
hca_01_counter += 1
for j in data:
print(hex(j), end=", ")
time.sleep(interval)
msg = can.Message(is_extended_id=False, arbitration_id=can_id, data=data, is_fd=True)
can0.send(msg)
def can_send(can_id, interval, data):
time.sleep(interval)
msg = can.Message(is_extended_id=False, arbitration_id=can_id, data=data, is_fd=True)
can0.send(msg)
crc8_lut_8h2f = gen_crc_lookup_table_8(0x2f)
def set_value(data, value, start_pos, value_length):
end_pos = start_pos + value_length
for bit_index in range(start_pos, end_pos):
byte_index = bit_index // 8
bit_offset = bit_index % 8
bit_value = (value >> (bit_index - start_pos)) & 1
# print("\n")
# print("index", bit_index, start_pos, end_pos, "byte_index:", byte_index, "bit_offset:", bit_offset, "v:", bit_value)
if bit_value:
data[byte_index] |= 1 << bit_offset
else:
data[byte_index] &= ~(1 << bit_offset)
# for i in data:
# print(bin(i), end=",")
return data
def set_bit(b, bit, bit_index):
if bit_index < 0 or bit_index > 7:
raise ValueError("bit_index must be between 0 and 7")
mask = 1 << bit_index
flipped_byte = b ^ mask
return flipped_byte
def create_steering_control(apply_steer, lkas_enabled):
data = bytearray(bytes(8))
if lkas_enabled:
# HCA_01_Sendestatus
data = set_value(data, 5, 30, 1)
# HCA_01_Status_HCA
data = set_value(data, 1, 32, 4)
else:
# HCA_01_Sendestatus
data = set_value(data, 3, 30, 1)
# HCA_01_Status_HCA
data = set_value(data, 0, 32, 4)
# HCA_01_LM_Offset
print("create_steering_control", apply_steer)
data = set_value(data, abs(apply_steer), 16, 9)
# HCA_01_LM_OffSign
v = 1 if apply_steer < 0 else 0
data = set_value(data, v, 31, 1)
# HCA_01_Vib_Freq
data = set_value(data, 3, 12, 4)
# HCA_01_Vib_Amp
data = set_value(data, 10, 36, 4)
return data
def create_pla_control(sendestatus, positive, degree):
data = bytearray(bytes(24))
data[1] = 0x40
# PLA_QFK_Spuerb
data[2] = 0xFA
# PLA_QFK_KruemmSoll
data = set_value(data, degree, 32, 15)
# PLA_QFK_KruemmSoll_VZ
if positive:
data = set_value(data, 1, 47, 1)
else:
data = set_value(data, 0, 47, 1)
# PLA_05_Sendestatus
if sendestatus:
data = set_value(data, 1, 74, 1)
else:
data = set_value(data, 0, 74, 1)
return data
hca_01_counter = 0
degree = 0
for i in range(20):
# data = create_steering_control(10 * i, 1)
# meb_can_send(0x126, 0.1, data)
degree += 0x10
data = create_pla_control(1, 1, degree)
can_send(0x302, 0.1, data)
注意事项
- 离开车辆之前,确保CAN总线处于接通状态,否则会大量耗电。
- 不要对Powertrain 和Running Gear CAN 进行 Fuzzing,可能直接会导致人身伤害,另外,也可能导致ECU异常,产生潜在隐患。比如转向灯失效,后视镜无法打开。