A weakness has been found in CRC generation (CRC=Cyclic Redundancy Check) of the CAN FD frames or messages according to the current Committee Draft of ISO11898-1 or the specification “CAN with Flexible Data-Rate, Specification Version 1.0 (released Apr. 17, 2012)”, which can be downloaded from the website http://www.semiconductors.bosch.com.
The weakness relates to the CAN bit-stuffing mechanism, which is described in the cited document: after five consecutive bits of the same level, a “stuff bit” of the opposite level is inserted. This fixed rule for inserting stuff bits prevents bit sequences with more than five identical bits from being mistakenly interpreted, for example as signaling an End of Frame, and prevents the bus subscribers from losing synchronization for lack of signal edges (changes of level) between the bits. The latter matters because, in CAN and CAN FD, signal edges are what the bus subscribers use to synchronize.
After an initial Start of Frame bit (SOF bit) with a dominant level, which signals the beginning of the frame, CAN FD messages or frames carry the identifier of the frame in bit 28 to bit 18 and possibly also in bit 17 to bit 0. Bits 28 to 0 are therefore also referred to as ID28, ID27, etc.
According to the known rule for inserting the stuff bits, a stuff bit is inserted into the CAN FD frame at the earliest after the bit ID25, that is to say when ID28-ID25=“0000”. If CAN FD frames beginning with ID28-ID25=“0000” or ID28-ID25=“0001” are sent, a Start of Frame bit erroneously detected by the receiver of the frame may have the effect that the identifier of the frame is falsified, but the CRC test does not detect this error. Since in the case of CAN FD stuff bits are included in the CRC generation, this error does not lead to a format error and is not detected. The frame is therefore accepted by the receiver as valid. Affected by this are 11-bit and 29-bit identifiers in the case of frames in the FD format (17-bit and 21-bit CRC).
The CRC weakness is caused by the initialization vector of the CRC generator. This is currently a zero vector “0 . . . 0”. This weakness can be eliminated by changing the initialization vector to for example “10 . . . 0” (final value only after further investigations). The problem here is however that two CAN FD implementations that use the same CRC generator, but with different initialization vectors, cannot communicate with one another. They would continually detect CRC errors and reject the frames received.
Frames in the classical CAN format are not affected by the problem, since with them the stuff bits are excluded from the CRC calculation.
The weakness of the CAN FD CRC only manifests itself in the following two cases:
Case 1) Transmitter Sends ID28-ID25=“0000”
The receiver does not detect the Start of Frame and therefore interprets ID28 as the Start of Frame. Consequently, on account of the stuff bit inserted by the transmitter after ID25, the first four identifier bits are falsified as ID28-ID25=“0001”; all the subsequent identifier bits are received correctly. The transmitter does not detect any error when reading back the Start of Frame from the bus.
Case 2) Transmitter Sends ID28-ID25=“0001”
The receiver sees a dominant bit in the bit time before the sent Start of Frame and interprets this disturbance as a Start of Frame. The receiver detects the Start of Frame sent by the transmitter as ID28. Consequently, the first four identifier bits are falsified as ID28-ID25=“0000”. The sent ID25=“1” is interpreted by the receiver as a stuff bit. All the subsequent identifier bits are received correctly. The transmitter does not detect a dominant bit in the bit time directly before its Start of Frame.
To sum up, Table 1 shows how, as a result of the effect described, the leading four identifier bits can be falsified on the way to the receiver, without the error being detected by the CRC test of the receiver.
TABLE 1

  Sent (ID28 ID27 ID26 ID25)      Received (ID28 ID27 ID26 ID25)
  0    0    0    0           →    0    0    0    1
  0    0    0    1           →    0    0    0    0
In all other cases, a falsified identifier is detected by the CRC with a Hamming distance of 6.
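The two cases above, worked through in code. This is an added illustration, not code from the cited specification or from the original text: it models CAN-style bit stuffing, a bit-serial CRC whose input includes the stuff bits (as in CAN FD), and a receiver whose frame start is off by one bit. The CRC-17 generator value is assumed from ISO 11898-1 and is not on the page; the effect shown depends only on the initialization vector, not on the polynomial.

```python
CRC17_POLY = 0x1685B   # assumed CAN FD CRC-17 generator without its x^17 term
CRC_WIDTH = 17         # (not from the page; any polynomial shows the same effect)

def stuff(bits):
    """Transmitter: insert a complementary stuff bit after five equal bits."""
    out, run, last = [], 0, None
    for b in bits:
        out.append(b)
        run = run + 1 if b == last else 1
        last = b
        if run == 5:
            out.append(1 - b)
            last, run = 1 - b, 1            # the stuff bit starts the next run
    return out

def destuff(bits):
    """Receiver: drop stuff bits; report a stuff error on six equal bits."""
    out, run, last, expect_stuff = [], 0, None, False
    for b in bits:
        if expect_stuff:
            if b == last:
                return out, "stuff error"
            last, run, expect_stuff = b, 1, False
            continue
        out.append(b)
        run = run + 1 if b == last else 1
        last = b
        expect_stuff = (run == 5)
    return out, None

def crc(bits, init, poly=CRC17_POLY, width=CRC_WIDTH):
    """Bit-serial CRC as in CAN: feedback = input bit XOR register MSB."""
    reg, mask = init, (1 << width) - 1
    for b in bits:
        feedback = b ^ (reg >> (width - 1))
        reg = (reg << 1) & mask
        if feedback:
            reg ^= poly
    return reg

def transfer(id_bits, tail, init, shift):
    """Send SOF + 11-bit identifier + tail (constructed stand-in for the remaining
    fields). shift=-1: receiver misses the SOF (Case 1); shift=+1: receiver takes a
    dominant bit before the SOF as SOF (Case 2). Returns (received identifier,
    stuff error or None, CRC accepted by the receiver?)."""
    on_bus = stuff([0] + id_bits + tail)    # SOF is dominant (0)
    tx_crc = crc(on_bus, init)              # CAN FD: stuff bits are part of the CRC input
    seen = on_bus[1:] if shift == -1 else [0] + on_bus
    payload, err = destuff(seen)
    return payload[1:12], err, crc(seen, init) == tx_crc

if __name__ == "__main__":
    tail = [1, 0, 1, 1, 0, 0, 1, 0]
    for init in (0, 1 << (CRC_WIDTH - 1)):   # zero vector versus proposed "10...0"
        for ident, shift in (([0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1], -1),
                             ([0, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1], +1)):
            rx_id, err, ok = transfer(ident, tail, init, shift)
            print(f"init={init:#x} sent {ident[:4]} got {rx_id[:4]} err={err} CRC ok={ok}")
```

With the zero initialization vector a leading dominant bit leaves the CRC register unchanged, so the shifted frame passes the CRC test with ID28-ID25 falsified; with the register initialized to “10…0” the same shift changes the CRC and the frame is rejected.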