TSLA
来自Jack's Lab
(版本间的差异)
(→Tesla EDR) |
(→CAN Frame) |
||
| (未显示1个用户的74个中间版本) | |||
| 第1行: | 第1行: | ||
== Overview == | == Overview == | ||
| − | * https:// | + | [[文件:Tesla-hw-overview.png]] |
| − | * | + | |
| + | * CID (Central Information Display) – the large console at the centre of the dash | ||
| + | * IC (Instrument Cluster) | ||
| + | * Conventional CAN connected ECUs | ||
| + | |||
| + | |||
| + | CAN Buses: | ||
| + | |||
| + | * 1 – dedicated connection to diagnostic OBD-II port | ||
| + | * 2 – body – door, lights, mirrors | ||
| + | * 3 – powertrain – drive inverters, battery management system, charger, thermal controller(动力总成 – 驱动逆变器、电池管理系统、充电器、热控制器) | ||
| + | * 4 – body – climate control, seats | ||
| + | * There is no ‘5’ – although the hardware is present on the CID it is not used. | ||
| + | * 6 – chassis – suspension, instrument cluster, stability controller, power steering (底盘 – 悬架、仪表盘、稳定控制器、动力转向) | ||
| + | |||
| + | |||
| + | 例如 Model S 的诊断口 (20pin): | ||
| + | |||
| + | [[文件:Connector TeslaModelS X437A.jpg]] | ||
| + | |||
| + | |||
| + | '''Model 3 & Y 诊断口:''' | ||
| + | |||
| + | [[文件:Diagnostic connector-3Y.jpg]] | ||
| + | |||
| + | 26pin,右上 P1,左上 P14,右下 P15,P18(CanH), P19(CanL) | ||
| + | |||
| + | |||
| + | |||
| + | [[文件:Obd2-pinout.png | 600px]] | ||
| + | |||
| + | <br> | ||
| + | |||
| + | == CAN Frame == | ||
| + | |||
| + | [[文件:CAN-frame-msg.png]] | ||
| + | |||
| + | * '''SOF:''' The Start of Frame is a 'dominant 0' to tell the other nodes that a CAN node intends to talk | ||
| + | * '''ID:''' The ID is the frame identifier - lower values have higher priority | ||
| + | * '''RTR:''' The Remote Transmission Request indicates whether a node sends data or requests dedicated data from another node | ||
| + | * Control: The Control contains the Identifier Extension Bit (IDE) which is a 'dominant 0' for 11-bit. It also contains the 4 bit Data Length Code (DLC) that specifies the length of the data bytes to be transmitted (0 to 8 bytes) | ||
| + | * Data: The Data contains the data bytes aka payload, which includes CAN signals that can be extracted and decoded for information | ||
| + | * CRC: The Cyclic Redundancy Check is used to ensure data integrity | ||
| + | * ACK: The ACK slot indicates if the node has acknowledged and received the data correctly | ||
| + | * EOF: The EOF marks the end of the CAN frame | ||
| + | |||
| + | |||
| + | 命令行 Send 时,常需指定的就两个: ID 和 Data,12Bit 和 8 Bytes | ||
| + | |||
| + | <br> | ||
| + | |||
| + | == Model 3 CAN MSG == | ||
| + | |||
| + | [https://www.csselectronics.com/pages/can-bus-simple-intro-tutorial CAN Bus Quick Tutorial] | ||
| + | |||
| + | * [https://www.teslaownersonline.com/threads/diagnostic-port-and-data-access.7502/ Diagnostic Port & Data access] | ||
| + | * https://github.com/joshwardell/model3dbc | ||
| + | * https://github.com/commaai/opendbc | ||
| + | |||
| + | <source lang=bash> | ||
| + | $ git clone https://github.com/linux-can/can-utils.git | ||
| + | $ cd can-utils/ && make && make install | ||
| + | |||
| + | $ ip link set can0 type can bitrate 500000 listen-only on | ||
| + | $ ifconfig can0 up | ||
| + | |||
| + | # output all of the CAN messages (including errors) to your terminal: | ||
| + | $ candump -cae can0,0:0,#FFFFFFFF | ||
| + | (1423606588.555165) can0 00E#1E563FFF08FFA066 | ||
| + | (1423606588.555434) can0 102#CA98F8FFEEFF | ||
| + | (1423606588.555881) can0 202#845E6B9D00007102 | ||
| + | (1423606588.556169) can0 6F2#1634B40D1D43C3D0 | ||
| + | (1423606588.556193) can0 212#5800227400 | ||
| + | (1423606588.556455) can0 23A#000B001200050000 | ||
| + | (1423606588.556678) can0 21A#FE0000FE000000B7 | ||
| + | (1423606588.556902) can0 222#0000DA98F01070 | ||
| + | (1423606588.557139) can0 29A#0000FE0000000000 | ||
| + | (1423606588.557481) can0 27A#292903DC092600 | ||
| + | |||
| + | # log out all the data to a file in your current working directory (name like: candump-2023-02-10_221628.log | ||
| + | $ candump -l any,0:0,#FFFFFFFF | ||
| + | </source> | ||
| + | |||
| + | |||
| + | |||
| + | <br> | ||
| + | |||
| + | == DBC (CAN Databases) == | ||
| + | |||
| + | [[文件:CAN-DBC-File-Format-01.png]] | ||
| + | |||
| + | '''DBC Message Format:''' | ||
| + | * A message starts with BO_ and the ID must be unique and in decimal (not hexadecimal) | ||
| + | * The DBC ID adds 3 extra bits for 29 bit CAN IDs to serve as an 'extended ID' flag | ||
| + | * The name must be unique, 1-32 characters and may contain [A-z], digits and underscores | ||
| + | * The length (DLC) must be an integer between 0 and 1785 | ||
| + | * The sender is the name of the transmitting node, or Vector__XXX if no name is available | ||
| + | |||
| + | |||
| + | '''DBC Signal Format:''' | ||
| + | * Each message contains 1+ signals that start with SG_ | ||
| + | * The name must be unique, 1-32 characters and may contain [A-z], digits and underscores | ||
| + | * The bit start counts from 0 and marks the start of the signal in the data payload | ||
| + | * The bit length is the signal length | ||
| + | * The @1 specifies that the byte order is little-endian/Intel (vs @0 for big-endian/Motorola) | ||
| + | * The + informs that the value type is unsigned (vs - for signed signals) | ||
| + | * The (scale,offset) values are used in the physical value linear equation (more below) | ||
| + | * The [min|max] and unit are optional meta information (they can e.g. be set to [0|0] and "") | ||
| + | * The receiver is the name of the receiving node (again, Vector__XXX is used as default) | ||
| + | |||
| + | |||
| + | * [https://www.csselectronics.com/screen/page/can-dbc-file-database-intro/ CAN DBC File - QuickStart] | ||
| + | * [https://www.csselectronics.com/pages/dbc-editor-can-bus-database Online DBC Editor] | ||
| + | * https://github.com/joshwardell/model3dbc/blob/master/README.md | ||
| + | * https://github.com/commaai/opendbc | ||
<br> | <br> | ||
| 第8行: | 第122行: | ||
== Tesla EDR == | == Tesla EDR == | ||
| − | EDR: Event Data | + | EDR: Event Data Recorder,汽车事件数据记录系统,用于记录车辆碰撞前、碰撞时、碰撞后三个阶段的汽车运行关键数据,包括速度、方向盘的转向角度、气囊状态、制动状态、加速踏板状态、ABS 状态等数据,能有效还原事故发生前后的真实状态,可视为 Tesla 的 “黑匣子”。 |
| + | |||
| + | 当系统检测到碰撞或类似碰撞的情況(例如撞到道路障碍物)时,EDR 会记录与车辆动力学和安全系统有关的数据。该数据存储在车辆的约束控制模块 (RCM) 中。Tesla Model S/X/3/Y 都有 RCM (Restraint Control Module),在 Model 3 & Y 上,其位于中央扶手箱的底部。 | ||
| + | |||
| + | 记录的数据可以帮助调查人员更准确地还原事故原因。在正常行驶条件下,EDR不会记录数据;仅当车辆检测到异常事件时,才会记录事件数据。 | ||
| + | |||
| + | |||
| + | |||
| + | 官方读取工具软件: Tesla EDR https://edr.tesla.com | ||
| + | |||
| + | 官方推荐 CAN 硬件:[https://www.peak-system.com/PCAN-USB.199.0.html PCAN USB] (不带隔离 IPEH-002021 € 188, 带隔离 IPEH-002022 € 228)[https://www.peak-system.com/fileadmin/media/linux/index.htm Linux and PEAK-System's CAN Interfaces] | ||
| + | |||
| + | 官方连接线:Tesla Model 3 Direct-To Module EDR Retrieval Cable (Tesla part number 1492139) 约 $200 | ||
| + | |||
| + | 官方读取指南:https://edr.tesla.com/guides/CD-20-20-003_Model_3_EDR_Data_Retrieval_Guide.pdf | ||
| + | |||
| + | Hacking: https://www.teslaownersonline.com/threads/tesla-event-data-recorder-access-by-can.6175/page-2 | ||
| + | |||
| + | |||
| + | 标准:[http://c.gb688.cn/bzgk/gb/showGb?type=online&hcno=CC68F6BFD3E104560914271598AFE8C8 强制国标 GB 39732-2020 汽车事件数据记录系统], 美标 [https://www.ecfr.gov/current/title-49/subtitle-B/chapter-V/part-563 CFR-49-563] | ||
| + | |||
| + | [《机动车运行安全技术条件》(GB7258-2017)] | ||
| + | |||
| + | <br> | ||
| + | |||
| + | == Model 3 Display & MCU == | ||
| + | |||
| + | * [https://teslamotorsclub.com/tmc/threads/model-3-mcu-on-the-bench.268621/ Model 3 MCU on the bench] | ||
| + | |||
| + | <br> | ||
| + | |||
| + | == CAN Chip == | ||
| + | |||
| + | * [https://www.nxp.com/docs/en/data-sheet/TJA1042.pdf TJA1042] | ||
| + | * [https://www.ti.com/lit/ds/symlink/sn65hvd231.pdf SN65HVD231] | ||
| + | |||
| + | |||
| + | CAN (Controller Area Network),即控制器局域网总线,是一种有效支持分布式控制或实时控制的串行通信网络。 | ||
| + | |||
| + | 广泛应用于工业现场控制、智能楼宇、医疗器械、交通工具以及传感器等领域。 | ||
| + | |||
| + | CAN 总线规范为 ISO11898。 | ||
| + | |||
| + | CAN 总线就两条连线,CAN_H 和 CAN_L,通常电压值为: CAN_H = 3.5V,CAN_L= 1.5V | ||
| + | |||
| + | |||
| + | '''MCP2515:''' | ||
| + | * 工作电压 2.7V ~ 5.5V | ||
| + | * 5mA 典型工作电流 | ||
| + | * CAN V2.0B @ 1 Mb/s, 0 ~ 8 byte length in the data field | ||
| + | |||
| + | <br> | ||
| + | |||
| + | == CAN Tools == | ||
| + | |||
| + | canutils 包含canconfig、canecho、cansend、candump、cansequence 五个命令,用于检测和监控 Socket CAN接口。 | ||
| + | |||
| + | 编译 canutils 依赖 libsocketcan, 可用 canutils-4.0.6 和 libsocketcan-0.0.12 版本。 | ||
| + | |||
| + | * canutils:https://github.com/linux-can/can-utils Old: https://public.pengutronix.de/software/socket-can/canutils/ | ||
| + | * libsocketcan:https://git.pengutronix.de/cgit/tools/libsocketcan https://public.pengutronix.de/software/libsocketcan/ | ||
| + | |||
| + | |||
| + | 如出现如下错误: | ||
| + | |||
| + | <source lang=bash> | ||
| + | $ ifconfig can0 up | ||
| + | ifconfig: SIOCSIFFLAGS: Invalid argument | ||
| + | mcp251x spi1.0: bit-timing not yet defined | ||
| + | mcp251x spi1.0: unable to set initial baudrate! | ||
| + | |||
| + | $ ip link set can0 type can bitrate 125000 triple-sampling on | ||
| + | </source> | ||
| + | |||
| + | 需要使用 iproute2 中的 ip 工具: | ||
| + | |||
| + | <source lang=bash> | ||
| + | /buildroot-2020.11.2$ scp output/build/iproute2-5.7.0/ip/ip | ||
| + | |||
| + | $ ip link set can0 type can bitrate 500000 listen-only on | ||
| + | $ ifconfig can0 up | ||
| + | $ candump -cae can0,0:0,#FFFFFFFF | ||
| + | $ candump -l any,0:0,#FFFFFFFF | ||
| + | |||
| + | $ candump -cae -tA can0,0:0,#FFFFFFFF | ||
| + | (2023-07-14 17:30:09.311837) can0 07EC38C0 [7] remote request | ||
| + | (2023-07-14 17:30:09.312132) can0 01E77C60 [2] 12 91 '..' | ||
| + | </source> | ||
| + | |||
| + | <source lang=bash> | ||
| + | $ cansend can0 -i 8 -e 0x11 0x22 0x33 0x44 0x55 0x66 0x77 0x88 | ||
| + | </source> | ||
| + | |||
| + | |||
| + | Loopback 测试模式可用于硬件自检,无需连接外部 CAN 总线: | ||
| + | |||
| + | <source lang=bash> | ||
| + | $ ip link set can0 up type can bitrate 1000000 loopback on | ||
| + | $ ip -details link show can0 | ||
| + | 2: can0: <NOARP,UP,LOWER_UP,ECHO> mtu 16 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 10 | ||
| + | link/can promiscuity 0 | ||
| + | can <LOOPBACK,LISTEN-ONLY> state ERROR-ACTIVE restart-ms 0 | ||
| + | bitrate 1000000 sample-point 0.750 | ||
| + | tq 83 prop-seg 4 phase-seg1 4 phase-seg2 3 sjw 1 | ||
| + | mcp251x: tseg1 3..16 tseg2 2..8 sjw 1..4 brp 1..64 brp-inc 1 | ||
| + | clock 12000000 numtxqueues 1 gso_max_size 65536 gso_max_segs 65535 | ||
| + | |||
| + | $ candump can0 -L & | ||
| + | |||
| + | $ cansend can0 300#AC.AB.AD.AE.75.49.AD.D0 | ||
| + | (0000000887.394367) can0 300#ACABADAE7549ADD0 | ||
| + | (0000000887.394465) can0 300#ACABADAE7549ADD0 | ||
| + | </source> | ||
| + | <br> | ||
| + | |||
| + | == Reference == | ||
| + | |||
| + | * [https://www.pentestpartners.com/security-blog/reverse-engineering-tesla-hardware/ Reverse Engineering Tesla Hardware] | ||
| + | * [https://www.pentestpartners.com/security-blog/reverse-engineering-the-tesla-firmware-update-process/ Reverse Engineering the Tesla Firmware Update Process] | ||
| + | * https://github.com/lewurm/blog/issues | ||
| + | * https://www.teslaownersonline.com/threads/diagnostic-port-and-data-access.7502/ | ||
| + | |||
| + | * CANServer (ODBLink MX+) | ||
| + | * https://github.com/amund7/CANBUS-Analyzer | ||
| + | * [https://teslatap.com/modifications/extracting-internal-vehicle-data/ Extracting internal vehicle data] | ||
| + | |||
| + | * [http://www.inovatek.cn/index.php?case=archive&act=show&aid=332 TeslaOBD] | ||
| + | * Scan MY Tesla, TesLAX ... | ||
| + | * https://carprotool.com/forum/pinouts | ||
| + | |||
| + | |||
| + | * [https://fn.lc/post/tesla-model-3/ Hacking my Tesla Model 3 - Security Overview] | ||
| + | * [https://fn.lc/post/tesla-model-3-services/ Hacking my Tesla Model 3 - Internal API] | ||
| + | |||
| + | * [https://www.instructables.com/Exploring-the-Tesla-Model-S-CAN-Bus/ Exploring the Tesla Model S CAN Bus] | ||
| + | * [https://www.instructables.com/DIY-Beaglebone-CAN-Bus-Cape/ DIY Beaglebone CAN Bus Cape] | ||
| − | |||
| − | + | * [https://iopscience.iop.org/article/10.1149/1945-7111/ab7900#jesab7900s4 Capacity Recovery Effect in Commercial LiFePO4 / Graphite Cells] | |
<br> | <br> | ||
2023年7月27日 (四) 16:03的最后版本
目录 |
[编辑] 1 Overview
- CID (Central Information Display) – the large console at the centre of the dash
- IC (Instrument Cluster)
- Conventional CAN connected ECUs
CAN Buses:
- 1 – dedicated connection to diagnostic OBD-II port
- 2 – body – door, lights, mirrors
- 3 – powertrain – drive inverters, battery management system, charger, thermal controller(动力总成 – 驱动逆变器、电池管理系统、充电器、热控制器)
- 4 – body – climate control, seats
- There is no ‘5’ – although the hardware is present on the CID it is not used.
- 6 – chassis – suspension, instrument cluster, stability controller, power steering (底盘 – 悬架、仪表盘、稳定控制器、动力转向)
例如 Model S 的诊断口 (20pin):
Model 3 & Y 诊断口:
26pin,右上 P1,左上 P14,右下 P15,P18(CanH), P19(CanL)
[编辑] 2 CAN Frame
- SOF: The Start of Frame is a 'dominant 0' to tell the other nodes that a CAN node intends to talk
- ID: The ID is the frame identifier - lower values have higher priority
- RTR: The Remote Transmission Request indicates whether a node sends data or requests dedicated data from another node
- Control: The Control contains the Identifier Extension Bit (IDE) which is a 'dominant 0' for 11-bit. It also contains the 4 bit Data Length Code (DLC) that specifies the length of the data bytes to be transmitted (0 to 8 bytes)
- Data: The Data contains the data bytes aka payload, which includes CAN signals that can be extracted and decoded for information
- CRC: The Cyclic Redundancy Check is used to ensure data integrity
- ACK: The ACK slot indicates if the node has acknowledged and received the data correctly
- EOF: The EOF marks the end of the CAN frame
命令行 Send 时,常需指定的就两个: ID 和 Data,12Bit 和 8 Bytes
[编辑] 3 Model 3 CAN MSG
- Diagnostic Port & Data access
- https://github.com/joshwardell/model3dbc
- https://github.com/commaai/opendbc
$ git clone https://github.com/linux-can/can-utils.git $ cd can-utils/ && make && make install $ ip link set can0 type can bitrate 500000 listen-only on $ ifconfig can0 up # output all of the CAN messages (including errors) to your terminal: $ candump -cae can0,0:0,#FFFFFFFF (1423606588.555165) can0 00E#1E563FFF08FFA066 (1423606588.555434) can0 102#CA98F8FFEEFF (1423606588.555881) can0 202#845E6B9D00007102 (1423606588.556169) can0 6F2#1634B40D1D43C3D0 (1423606588.556193) can0 212#5800227400 (1423606588.556455) can0 23A#000B001200050000 (1423606588.556678) can0 21A#FE0000FE000000B7 (1423606588.556902) can0 222#0000DA98F01070 (1423606588.557139) can0 29A#0000FE0000000000 (1423606588.557481) can0 27A#292903DC092600 # log out all the data to a file in your current working directory (name like: candump-2023-02-10_221628.log $ candump -l any,0:0,#FFFFFFFF
[编辑] 4 DBC (CAN Databases)
DBC Message Format:
- A message starts with BO_ and the ID must be unique and in decimal (not hexadecimal)
- The DBC ID adds 3 extra bits for 29 bit CAN IDs to serve as an 'extended ID' flag
- The name must be unique, 1-32 characters and may contain [A-z], digits and underscores
- The length (DLC) must be an integer between 0 and 1785
- The sender is the name of the transmitting node, or Vector__XXX if no name is available
DBC Signal Format:
- Each message contains 1+ signals that start with SG_
- The name must be unique, 1-32 characters and may contain [A-z], digits and underscores
- The bit start counts from 0 and marks the start of the signal in the data payload
- The bit length is the signal length
- The @1 specifies that the byte order is little-endian/Intel (vs @0 for big-endian/Motorola)
- The + informs that the value type is unsigned (vs - for signed signals)
- The (scale,offset) values are used in the physical value linear equation (more below)
- The [min|max] and unit are optional meta information (they can e.g. be set to [0|0] and "")
- The receiver is the name of the receiving node (again, Vector__XXX is used as default)
- CAN DBC File - QuickStart
- Online DBC Editor
- https://github.com/joshwardell/model3dbc/blob/master/README.md
- https://github.com/commaai/opendbc
[编辑] 5 Tesla EDR
EDR: Event Data Recorder,汽车事件数据记录系统,用于记录车辆碰撞前、碰撞时、碰撞后三个阶段的汽车运行关键数据,包括速度、方向盘的转向角度、气囊状态、制动状态、加速踏板状态、ABS 状态等数据,能有效还原事故发生前后的真实状态,可视为 Tesla 的 “黑匣子”。
当系统检测到碰撞或类似碰撞的情況(例如撞到道路障碍物)时,EDR 会记录与车辆动力学和安全系统有关的数据。该数据存储在车辆的约束控制模块 (RCM) 中。Tesla Model S/X/3/Y 都有 RCM (Restraint Control Module),在 Model 3 & Y 上,其位于中央扶手箱的底部。
记录的数据可以帮助调查人员更准确地还原事故原因。在正常行驶条件下,EDR不会记录数据;仅当车辆检测到异常事件时,才会记录事件数据。
官方读取工具软件: Tesla EDR https://edr.tesla.com
官方推荐 CAN 硬件:PCAN USB (不带隔离 IPEH-002021 € 188, 带隔离 IPEH-002022 € 228)Linux and PEAK-System's CAN Interfaces
官方连接线:Tesla Model 3 Direct-To Module EDR Retrieval Cable (Tesla part number 1492139) 约 $200
官方读取指南:https://edr.tesla.com/guides/CD-20-20-003_Model_3_EDR_Data_Retrieval_Guide.pdf
Hacking: https://www.teslaownersonline.com/threads/tesla-event-data-recorder-access-by-can.6175/page-2
标准:强制国标 GB 39732-2020 汽车事件数据记录系统, 美标 CFR-49-563
[《机动车运行安全技术条件》(GB7258-2017)]
[编辑] 6 Model 3 Display & MCU
[编辑] 7 CAN Chip
CAN (Controller Area Network),即控制器局域网总线,是一种有效支持分布式控制或实时控制的串行通信网络。
广泛应用于工业现场控制、智能楼宇、医疗器械、交通工具以及传感器等领域。
CAN 总线规范为 ISO11898。
CAN 总线就两条连线,CAN_H 和 CAN_L,通常电压值为: CAN_H = 3.5V,CAN_L= 1.5V
MCP2515:
- 工作电压 2.7V ~ 5.5V
- 5mA 典型工作电流
- CAN V2.0B @ 1 Mb/s, 0 ~ 8 byte length in the data field
[编辑] 8 CAN Tools
canutils 包含canconfig、canecho、cansend、candump、cansequence 五个命令,用于检测和监控 Socket CAN接口。
编译 canutils 依赖 libsocketcan, 可用 canutils-4.0.6 和 libsocketcan-0.0.12 版本。
- canutils:https://github.com/linux-can/can-utils Old: https://public.pengutronix.de/software/socket-can/canutils/
- libsocketcan:https://git.pengutronix.de/cgit/tools/libsocketcan https://public.pengutronix.de/software/libsocketcan/
如出现如下错误:
$ ifconfig can0 up ifconfig: SIOCSIFFLAGS: Invalid argument mcp251x spi1.0: bit-timing not yet defined mcp251x spi1.0: unable to set initial baudrate! $ ip link set can0 type can bitrate 125000 triple-sampling on
需要使用 iproute2 中的 ip 工具:
/buildroot-2020.11.2$ scp output/build/iproute2-5.7.0/ip/ip $ ip link set can0 type can bitrate 500000 listen-only on $ ifconfig can0 up $ candump -cae can0,0:0,#FFFFFFFF $ candump -l any,0:0,#FFFFFFFF $ candump -cae -tA can0,0:0,#FFFFFFFF (2023-07-14 17:30:09.311837) can0 07EC38C0 [7] remote request (2023-07-14 17:30:09.312132) can0 01E77C60 [2] 12 91 '..'
$ cansend can0 -i 8 -e 0x11 0x22 0x33 0x44 0x55 0x66 0x77 0x88
Loopback 测试模式可用于硬件自检,无需连接外部 CAN 总线:
$ ip link set can0 up type can bitrate 1000000 loopback on
$ ip -details link show can0
2: can0: <NOARP,UP,LOWER_UP,ECHO> mtu 16 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 10
link/can promiscuity 0
can <LOOPBACK,LISTEN-ONLY> state ERROR-ACTIVE restart-ms 0
bitrate 1000000 sample-point 0.750
tq 83 prop-seg 4 phase-seg1 4 phase-seg2 3 sjw 1
mcp251x: tseg1 3..16 tseg2 2..8 sjw 1..4 brp 1..64 brp-inc 1
clock 12000000 numtxqueues 1 gso_max_size 65536 gso_max_segs 65535
$ candump can0 -L &
$ cansend can0 300#AC.AB.AD.AE.75.49.AD.D0
(0000000887.394367) can0 300#ACABADAE7549ADD0
(0000000887.394465) can0 300#ACABADAE7549ADD0
[编辑] 9 Reference
- Reverse Engineering Tesla Hardware
- Reverse Engineering the Tesla Firmware Update Process
- https://github.com/lewurm/blog/issues
- https://www.teslaownersonline.com/threads/diagnostic-port-and-data-access.7502/
- CANServer (ODBLink MX+)
- https://github.com/amund7/CANBUS-Analyzer
- Extracting internal vehicle data
- TeslaOBD
- Scan MY Tesla, TesLAX ...
- https://carprotool.com/forum/pinouts
