For example, the CAN bus system can be used for the communication between sensors and control units in vehicles, in particular automobiles. In the CAN bus system, frames are transmitted by means of the CAN protocol and/or CAN FD protocol, as described in the current Committee Draft of ISO 11898-1 or the Specification “CAN with Flexible Data-Rate, Specification Version 1.0 (released Apr. 17, 2012)” as the CAN Protocol Specification with CAN FD.
CAN FD frames or messages have, after an initial start-of-frame bit (SOF-bit) with a dominant level which signals the start of the frame, a bit 28 to bit 18 and, if appropriate, also a bit 17 to bit 0 for an identifier or identifiers of the CAN FD frame. Therefore, the bit 28 to bit 0 are also referred to as ID28, ID27 etc.
A weakness has been detected in CRC (Cyclic Redundancy Check) methods of the CAN FD messages or frames. The weakness relates only to CAN FD frames with an identifier which starts with four dominant bits. These four dominant bits together with the dominant start-of-frame bit generate a stuff condition on the basis of which a recessive stuff bit is inserted between the fourth and the fifth identifier bits. This predetermined rule for the insertion of the stuff bits makes it possible to prevent bit sequences with more than five identical bits from being erroneously interpreted as, for example, signaling of an end frame, or prevent the bus users from losing synchronization as a result of the absence of signal edges or level changes between the bits. This is because in the case of CAN and CAN FD, signal edges or level changes are used for the synchronization of the bus users.
If, in the above-mentioned case of the four dominant bits, the preceding dominant start-of-frame bit is overwritten (locally in a receiver) with a recessive bit, this receiver interprets the first dominant identifier bit as a start-of-frame bit. There is no stuff condition in the receiver when it receives the recessive stuff bit, with the result that the receiver will accept the recessive stuff bit as the fourth identifier bit. The following bit is accepted as the fifth identifier bit, and the receiver will be in phase again with the transmitter.
The weakness is that in this case the CRC check will not detect the modified fourth identifier bit; a transmitted identifier of, for example, 0x001 is received as 0x081. This occurs if the identifier starts with four dominant “0” bits and the dominant start-of-frame bit is overwritten. The consequence of this will be that the fourth identifier bit is received as “1” instead of as “0”. This affects 11-bit identifiers, such as in the base format in the case of CAN FD frames, 29-bit identifiers, such as in the extended format in the case of CAN FD frames, and both CAN FD frames with the 17-bit CRC as well as CAN FD frames with the 21-bit CRC.
The weakness of the CRC method is caused by the initialization vector of “00000000000000000” for the CRC generator. The first leading “0” bit will not modify the CRC generator register, with the result that it is not detected by the CRC check if one bit fewer is present before the first recessive bit in the arbitration field (the transmitted stuff bit which is considered to be the fourth identifier bit by the receiver with the bit error). Furthermore, the absent bit is not detected as a format error at the start of the frame because the stuff bit is accepted as the absent identifier bit.
In summary this means that:
In the case of classic CAN, stuff bits are not taken into account for the CRC generation. Only pairs of bit errors which generate or eliminate stuff conditions can reduce the Hamming distance (HD) to 2.
In the case of CAN FD with relatively long CRC checksums (CRC-17 and CRC-21), stuff bits are included in the CRC generation. A problem can arise if the receiver falsifies the start-of-frame bit.
In the following two cases, the CRC of the CAN FD frame may not detect a falsified identifier. This means that the receiver accepts the falsified frame as a valid frame.
Case 1a: Transmitter Transmits ID28-ID25=“0000”
If the receiver detects a shortened start-of-frame bit, identifiers which start with ID28-ID25=“0000” can be falsified as ID28-ID25=“0001”. The reason for this is that the receiver does not detect the start-of-frame or detects it too late and therefore interprets ID28 as a start-of-frame. Therefore, the first four identifier bits are falsified to ID28-ID25=“0001” owing to the stuff bit which is inserted after ID25 by the transmitter, and all the subsequent identifier bits are received correctly. The transmitter does not detect an error when the start-of-frame is read back by the bus.
The necessary shortening depends on the CAN clock frequency relationship between the transmitter and the receiver. Refer to the examples for details.
The falsified bus signal can contain dominant interference pulses as long as they are not detected by the receiving CAN nodes. The falsified bus signal can contain recessive interference pulses as long as the bit before the start-of-frame bit which was transmitted by the transmitter is sampled in a dominant fashion by the receiving CAN node. This is explained in more detail below with reference to FIG. 7 and FIG. 8.
If, for example, the CAN clock in the user stations or nodes is fRX_node==fTX_node, shortening/falsification of the start-of-frame bit of “phase_seg2+ε” is sufficient to cause the problem. With 1 Mbit/s and a sample point (SP) of 80%, shortening by 205 ns is sufficient to generate the problem. This will be explained in more detail below with reference to FIG. 7 and FIG. 8.
Case 1b: Transmitter Transmits ID28-ID25=“0001”
If, on the other hand, the receiver detects, e.g. by means of a dominant interference pulse, a dominant bit in the bit time before the transmitted start-of-frame bit arrives, identifiers which start with ID28-ID25=“0001” can be falsified to ID28-ID25=“0000”. The reason for this is that the receiver recognizes the start-of-frame bit transmitted by the transmitter as ID28. As a result, the receiver misinterprets the “1” as a stuff bit and removes it. Therefore, the first four identifier bits are falsified to ID28-ID25=“0000”. All the subsequent identifier bits are received correctly.
In summary, table 1 shows how the critical values of the identifier bits ID28 to ID25 have to be falsified from “0000” and “0001” on the way to the receiver so that the error is not recognized by the CRC of the receiver.
TABLE 1
Transmitted                  Received
ID28 ID27 ID26 ID25          ID28 ID27 ID26 ID25
0    0    0    0       →     0    0    0    1
0    0    0    1       →     0    0    0    0
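The two rows of Table 1 can be replayed in a short Python model, added here as an illustration and not part of the original text. It applies the stuffing rule, shifts the receiver's view by one bit (Case 1a and Case 1b) and compares the CRC register values of transmitter and receiver. Assumptions: the CRC-17 and CRC-21 generator polynomials are taken from the Bosch CAN FD specification, the bits after the identifier (TAIL) are constructed sample data, all function names are hypothetical, and the non-zero start value is an arbitrary contrast value.

```python
# Added illustration (not from the original text). Polynomials: CAN FD CRC-17 and
# CRC-21 generators per the Bosch CAN FD specification; TAIL is constructed.
CRC17, CRC21 = (17, 0x3685B), (21, 0x302899)
TAIL = [1, 0, 1, 1, 0, 0, 1, 0]  # placeholder bits for the rest of the frame

def crc(bits, width, poly, init=0):
    """Bit-serial CRC register: shift left, XOR polynomial when feedback is 1."""
    mask, reg = (1 << width) - 1, init
    for bit in bits:
        feedback = ((reg >> (width - 1)) & 1) ^ bit
        reg = (reg << 1) & mask
        if feedback:
            reg ^= poly & mask
    return reg

def stuff(bits):
    """Transmitter: insert an inverse bit after five identical bits."""
    out, run = [], 0
    for bit in bits:
        run = run + 1 if out and out[-1] == bit else 1
        out.append(bit)
        if run == 5:
            out.append(bit ^ 1)
            run = 1
    return out

def destuff(bits):
    """Receiver: drop the bit that follows five identical bits."""
    out, run, prev, skip = [], 0, None, False
    for bit in bits:
        if skip:  # stuff bit: removed, but it starts the next run
            skip, run, prev = False, 1, bit
            continue
        run = run + 1 if bit == prev else 1
        prev = bit
        out.append(bit)
        skip = run == 5
    return out

def receive(ident, lost_sof):
    """Return (transmitted wire bits, bits the receiver sees, received 11-bit ID)."""
    id_bits = [(ident >> i) & 1 for i in range(10, -1, -1)]
    wire = stuff([0] + id_bits + TAIL)            # SOF + ID28..ID18 + rest
    seen = wire[1:] if lost_sof else [0] + wire   # Case 1a / Case 1b
    rx = destuff(seen)
    return wire, seen, int("".join(map(str, rx[1:12])), 2)

def undetected(ident, lost_sof, width, poly, init=0):
    """True if transmitter and receiver compute the same CRC register value."""
    wire, seen, _ = receive(ident, lost_sof)
    return crc(wire, width, poly, init) == crc(seen, width, poly, init)
```

With the all-zero start value the two registers agree for both cases, because the extra or missing leading dominant bit leaves a zero register unchanged; with any non-zero start value they differ.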
The same problem can also occur within a CAN FD frame if a sequence of four or five dominant bits starts at a position within the frame at which all the bits of the CRC generator register are at zero. In other words, a comparable problem can also arise within a CAN FD frame if a recessive bit, after a sequence of four transmitted dominant bits, is misinterpreted as a stuff bit by the receiver owing to shortening of a bit or shifting in the synchronization among the users, and at the same time the intermediate-CRC register value happens to be equal to “0 . . . 0”. The intermediate-CRC register value is the value of the CRC checksum which is present in each case in the CRC register provided for that purpose. The content of the CRC register is newly calculated in accordance with the rule of the respectively used CRC polynomial with each bit in the transmitter or receiver which is transmitted or received before the CRC field. The content of the register which is present at the last bit of the data field is then sent by the transmitter to the receiver in the CRC field of the frame for checking.
Classic CAN frames are not affected since the stuff bits are excluded from the CRC calculation there.
Patent Application DE102011080476A1 discloses a method in which the transmitter inserts fixed stuff bit sequences composed of one or more bits into the frame, at least in parts of the frame. The first inserted bit of the fixed stuff bit sequence (or the individual inserted fixed stuff bit) preferably has a value which is inverse with respect to the preceding bit. The fixed stuff bit sequences (or fixed stuff bits) occur at predefined positions of the frame. In contrast to this, in the classic CAN, the stuff bits are inserted as a function of the values of a plurality of preceding bits and therefore have no fixed positions.