
Bypassing the security pins of an Industrial Charger using the CAN Protocol and a python script.

NorwegianLamb/CYBERSECURITY-CAN_BYPASS_TCCharger

CyberSecurity Project: BYPASS CAN Protocol in a TC Charger

In the image we can see a Smart TC Charger, which follows the Standard CAN Protocol.

If your Battery Management System (BMS) is having trouble communicating with the charger, the charger will not start and therefore will not charge the battery.

The solution is to force that communication with an external device. This project is meant to unset the safety protocols of the charger and give the battery a static charge of 100 volts and 60 amperes; both values can be changed to your own preferences.

Code explanation

These are the instructions that our TC Charger uses to get inputs from the BMS.

We can take the BMS ID 0x1806E5F4 and use it to fake the communication.

There is a Linux package called can-utils that provides the cansend command for sending CAN packets. On the Raspberry Pi (or whatever you're using to communicate with the TC Charger), you could write:

cansend can0 1806E5F4#03E8025800010000

We can do the same in a Python environment using the python-can module, which simplifies the voltage/amperage conversion and lets us emulate the smart charging process.

Setting up the VCAN and the CAN pins:

Before testing our code, we have to manually connect the CAN pins to our Raspberry Pi; in the following photo we can see the instructions given to choose the right pins.

In this case CAN High and CAN Low are the pins that will be connected to our Raspberry Pi to enable the communication (see the first photo of the TC Charger for reference). On the Raspberry Pi (or any other Linux environment), you can set up a VCAN (virtual CAN interface) by typing the following commands:

sudo modprobe vcan
sudo ip link add dev can0 type vcan
sudo ip link set up can0

You should be able to see the newly created VCAN by typing "ifconfig" in the terminal. To delete it, use:

sudo ip link set down can0
sudo ip link delete can0

Examples

To check that everything works properly, you can run the script with the default values for voltage, amperage and time (100 V, 60 A and 5 minutes of charging):

python3 can-bypass.py -V 100 -A 60 -m h -t 300

Here I was testing the code and checking the CAN bus and the CAN dump to understand what was going on. You can do so by running:

candump can0

And this is the final result :)

testing.MP4
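
Seen from the monitoring side, as an added example that is not part of this repository: the script below reads a capture in `candump -L` log format and flags frames on the BMS ID whose setpoint exceeds the pack's limits or that arrive sooner than the genuine BMS would send them. The big-endian 0.1 V / 0.1 A scaling is inferred from the cansend frame and the 100 V / 60 A values above; the pack limits, the one-second BMS period and the sample capture are assumptions constructed for the example.

```python
import re
import struct

BMS_ID = 0x1806E5F4    # BMS arbitration ID named on this page
MAX_VOLTS = 84.0       # assumption: this pack's charge voltage limit
MAX_AMPS = 30.0        # assumption: this pack's charge current limit
MIN_PERIOD_S = 0.5     # assumption: the genuine BMS sends about once a second

# One line of `candump -L` output: (timestamp) interface ID#DATA
LOG_LINE = re.compile(r"\((\d+\.\d+)\) (\S+) ([0-9A-Fa-f]+)#((?:[0-9A-Fa-f]{2})*)$")

def decode_setpoint(data):
    """Bytes 0-3 as two big-endian 16-bit values in 0.1 V and 0.1 A steps."""
    raw_volts, raw_amps = struct.unpack_from(">HH", data)
    return raw_volts / 10.0, raw_amps / 10.0

def audit(lines):
    """Return [(timestamp, [reasons])] for suspicious frames on BMS_ID."""
    alerts, last_ts = [], None
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or int(m.group(3), 16) != BMS_ID:
            continue                      # other traffic is out of scope here
        ts, data = float(m.group(1)), bytes.fromhex(m.group(4))
        reasons = []
        if len(data) < 4:
            reasons.append("truncated setpoint")
        else:
            volts, amps = decode_setpoint(data)
            if volts > MAX_VOLTS or amps > MAX_AMPS:
                reasons.append(f"setpoint {volts:.1f} V / {amps:.1f} A over pack limits")
        if last_ts is not None and ts - last_ts < MIN_PERIOD_S:
            reasons.append("frame arrived early: possible second sender")
        last_ts = ts
        if reasons:
            alerts.append((ts, reasons))
    return alerts

# Constructed capture: a BMS asking for 82.0 V / 20.0 A once a second, then the
# frame from the cansend example above arriving from a second node.
SAMPLE = """\
(100.000000) can0 1806E5F4#033400C800000000
(100.500000) can0 123#DEADBEEF
(101.000000) can0 1806E5F4#033400C800000000
(101.400000) can0 1806E5F4#03E8025800010000
""".splitlines()

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Bytes 4-7 of the frame are not interpreted here, and the timing check only means something once `MIN_PERIOD_S` is set from the transmit period measured on the real BMS.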
