Civic CAN Hack - related code & packages
This repository contains packages, code and documentation on Civic 2016 Touring / Honda with LKAS ACC System
Screenshots
[
]
Features
- Uses an XBox controller as an input device
- Controls the steering in a torque and rate limited way when rolling above 20kph (EPS firmware limitation)
- Full braking authority at any speed
Stuff Left To Do
- Achieve full steering capability at any speed. Could be done by hacking the steering torque sensors.
- Achieve full throttle control at any speed. Could be done by using the newly released comma pedal.
Try it yourself
Hardware requirements
- Panda + USB cable
- Either a Girafe or a good old soldering iron/crimper + an OBD-II connector.
- Honda Civic Touring 2016 (should work also with other Honda with LKAS functionnality)
- Decent laptop + Xbox Controller
- Bosch ScanTool to reset those errors.
Software Dependencies
- Python 2.7
- ROS Kinetic
- Ubuntu 16.04
- cantools library :
pip install cantools- pandacan library :
pip install pandacan - can_msgs :
sudo apt-get install ros-kinetic-can-msgs
- pandacan library :
"Panda in the middle attack"
In order to fake the messages comming from the camera, you need to use the panda as a gateway. To do so, you need to cut the can wires comming from the ADAS camera to insert the Panda in the middle.
In our case, can 1 (see Panda's Hardware Guide) was plugged to the camera and can 0 was wired to the rest of the car.
If you do this without a Giraffe, don't forget to insert CAN termination resistors between CANH and CANL on the newly created CAN subnet (120Ohms near the camera and 120Ohms near the Panda).
Now you need to flash the Panda with the right software branch (see below). In order to do this hack the Panda will block the relevant incomming messages from the camera.
The tricky part is that the relevant scripts need to be running and boradcasting messages before the car is booted up. Indeed, the checksum and the counters contained in those messages need to always be consistent. If the car/EPS detects an error, it may deactivate its steer/brake by wire functionnality. You may need to use an OBD-II ScanTool to reset those errors.
Flashing the panda
Use the forward-can-1-to-0 branch to flash the panda to do the full bus forwarding.
Use the steer-brake-gas branch to flash the panda in order to do the "Panda in the middle attack".
Unbricking the panda
If ever you modifiy the panda's firmware and by doing so you brick your panda, you can either use the panda paw sold here. Or open the panda's case and short the 5V from USB plug to the boot0 pin to enter DFU mode while powering up the panda.
Credits
Thanks to comma.ai for its incredible software, databases and hardware. Without it, the hacking process would have been a lot more tedious.
License
MIT