For communication between sensors and control devices in vehicles, in particular automobiles, the CAN bus system may be used for example. In the case of the CAN bus system, messages are transmitted by means of the CAN and/or CAN FD protocol, as described in the current Committee Draft of ISO11898-1 or the specification “CAN with Flexible Data-Rate, Specification Version 1.0 (released Apr. 17, 2012)” as the CAN Protocol Specification with CAN FD.
After an initial Start of Frame bit (SOF bit) with a dominant level, which signals the beginning of the frame, CAN FD messages or frames have a bit 28 to bit 18, and possibly also a bit 17 to bit 0, for an identifier of the CAN FD frame. Therefore, the bit 28 to bit 0 is also referred to as ID28, ID27, etc.
A weakness has been found in methods for carrying out a CRC (CRC=Cyclic Redundancy Check) of the CAN FD frames. The weakness only concerns FD frames with an identifier that begins with four dominant bits. These four dominant bits, together with the dominant Start of Frame bit, generate a stuff condition, on the basis of which a recessive stuff bit is inserted between the fourth and fifth identifier bits. This predetermined rule for inserting the stuff bits prevents bit sequences with more than five identical bits from being mistakenly interpreted as signaling an End of Frame, for example, and prevents the absence of signal edges or changes of level between the bits from causing the bus subscribers to lose synchronization. This is so because, in the case of CAN and CAN FD, signal edges or changes of level are used for synchronizing the bus subscribers.
If in the aforementioned case of the four dominant bits the leading dominant Start of Frame bit is overwritten with a recessive bit (locally in a receiver), this receiver interprets the first dominant identifier bit as the Start of Frame bit. There is no stuff condition in the receiver if it receives the recessive stuff bit, and so the receiver will accept the recessive stuff bit as the fourth identifier bit. The following bit is accepted as the fifth identifier bit and the receiver will be in phase again with the transmitter.
The weakness is that in this case the CRC test will not include the changed fourth identifier bit; a sent identifier of, for example, 0x001 is received as 0x081. This occurs if the identifier begins with four dominant ‘0’ bits and the dominant Start of Frame bit is overwritten. The consequence is that the fourth identifier bit is received as ‘1’ instead of ‘0’. Affected by this are both 11-bit identifiers, such as in the case of CAN FD frames in the base format, and 29-bit identifiers, such as in the case of CAN FD frames in the extended format, and both CAN FD frames with the 17-bit CRC or CRC-17 and CAN FD frames with the 21-bit CRC or CRC-21.
Frames in the classical CAN format are not affected by the problem, since with them the stuff bits are excluded from the CRC calculation.
The weakness of the CRC method is caused by the initialization vector of ‘00000000000000000’ for the CRC generator. The first leading ‘0’ bit will not change the CRC generator register, and so is not sensed by the CRC test if there is one bit fewer before the first recessive bit in the arbitration field (the sent stuff bit, which is regarded by the receiver with the bit error as the fourth identifier bit).
Furthermore, the absent bit at the beginning of the frame is not sensed as a format error, since the stuff bit is accepted as the missing identifier bit.
To sum up, this means:
In the case of classical CAN, stuff bits are not taken into consideration for the CRC generation. Only pairs of bit-error generation/elimination stuff conditions can reduce the Hamming distance (HD) to 2.
In the case of CAN FD with the longer CRC checksums (CRC-17 and CRC-21), stuff bits are included in the CRC generation. A problem may arise if the Start of Frame bit is falsified by the receiver.
In the following two cases, it may happen that the CRC of the CAN FD frame does not sense a falsified identifier. This means that the receiver accepts the falsified frame as a valid frame.
Case 1a: Transmitter Sends ID28−ID25=“0000”
If the receiver senses a shortened Start of Frame bit, identifiers that begin with ID28−ID25=“0000” may be falsified as ID28−ID25=“0001”. The reason for this is that the receiver does not detect the Start of Frame, or detects it too late, and therefore interprets ID28 as the Start of Frame. Consequently, on account of the stuff bit inserted by the transmitter after ID25, the first four identifier bits are falsified as ID28−ID25=“0001”; all the subsequent identifier bits are received correctly. The transmitter does not detect any error when reading back the Start of Frame from the bus.
The required shortening depends on the CAN clock frequency relationship between the transmitter and the receiver. Cf. the examples for details.
The falsified bus signal may contain dominant disturbance pulses, as long as they are not sensed by the receiving CAN node.
If, for example, the CAN clock in the subscriber stations or nodes is fRX_node==fTX_node, then a shortening/falsification of the Start of Frame bit of “phase_seg2+ε” is enough to cause the problem. With 1 Mbit/s and a sample point (SP) of 80%, a shortening by 250 ns is enough to create the problem. This is explained still more precisely later on the basis of FIG. 7.
Case 1b: Transmitter Sends ID28−ID25=“0001”
If, on the other hand, for example due to a dominant disturbance pulse, the receiver senses a dominant bit in the bit time before the sent Start of Frame bit arrives, identifiers that begin with ID28−ID25=“0001” may be falsified as ID28−ID25=“0000”. The reason for this is that the receiver detects the Start of Frame bit sent by the transmitter as ID28. As a result, the receiver misinterprets the “1” as a stuff bit and removes it. Consequently, the first four identifier bits are falsified as ID28−ID25=“0000”. All of the subsequent identifier bits are received correctly.
To sum up, Table 1 shows how the two critical values of the identifier bits ID28 to ID25 of “0000” and “0001” must be falsified on the way to the receiver in order that the error is not detected by the CRC of the receiver.
TABLE 1

Sent                          Received
ID28  ID27  ID26  ID25        ID28  ID27  ID26  ID25
0     0     0     0      →    0     0     0     1
0     0     0     1      →    0     0     0     0
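The two falsifications in Table 1 can be reproduced with a small bit-level model; this is an added example, not part of the original text. It assumes a simplified frame (SOF, 11-bit identifier, a constructed tail), the CRC-17 polynomial 0x3685B of the CAN FD specification, and a non-zero initialization value of 1 << 16 chosen here only for contrast with the all-zero vector.

```python
CRC17_POLY = 0x1685B              # CRC-17 polynomial 0x3685B without the x^17 term
TAIL = [1, 0, 1, 1, 0, 0, 1, 0]   # constructed stand-in for the rest of the frame

def crc17(bits, init=0):          # bit-serial CRC over wire bits, stuff bits included
    reg = init
    for b in bits:
        feedback = b ^ (reg >> 16)
        reg = (reg << 1) & 0x1FFFF
        if feedback:
            reg ^= CRC17_POLY
    return reg

def stuff(bits):                  # insert a complementary bit after five equal bits
    out, run = [], 0
    for b in bits:
        run = run + 1 if out and out[-1] == b else 1
        out.append(b)
        if run == 5:
            out.append(b ^ 1)
            run = 1
    return out

def destuff(wire):                # drop the bit that follows five equal bits
    out, run, prev = [], 0, None
    for b in wire:
        if run == 5:
            run, prev = 1, b
            continue
        run = run + 1 if b == prev else 1
        prev = b
        out.append(b)
    return out

def run_case(sent_id, rx_view, init=0):
    """Return (received identifier, True if receiver CRC equals transmitter CRC)."""
    frame = [0] + [(sent_id >> i) & 1 for i in range(10, -1, -1)] + TAIL
    wire = stuff(frame)                       # what the transmitter puts on the bus
    seen = rx_view(wire)                      # what the disturbed receiver samples
    rx_id = int("".join(map(str, destuff(seen)[1:12])), 2)
    return rx_id, crc17(seen, init) == crc17(wire, init)

def case_1a(init=0):   # SOF not sensed: receiver misses the first wire bit
    return run_case(0x001, lambda w: w[1:], init)
def case_1b(init=0):   # dominant pulse one bit time before SOF: one extra leading 0
    return run_case(0x081, lambda w: [0] + w, init)

if __name__ == "__main__":
    for init in (0, 1 << 16):
        print(hex(init), case_1a(init), case_1b(init))
```

With the all-zero initialization the receiver's CRC matches in both cases although the identifier has changed; with the non-zero value the mismatch is detected.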
A comparable situation may also arise within a CAN FD frame if a recessive bit after a series of four sent dominant bits is misinterpreted by the receiver as a stuff bit because of a shortening of a bit or a shift in the synchronization of the subscribers and at the same time the interim CRC register value is coincidentally equal to “0 . . . 0”. The interim CRC register value is the value of the CRC checksum that is respectively present in the CRC register provided for it. With each bit sent or received before the CRC field in the transmitter or receiver, the content of the CRC register is newly calculated in accordance with the specification of the respectively used CRC polynomial. The content of the register present at the last bit of the data field is then sent in the CRC field of the message from the transmitter to the receiver for testing.