Embedded Systems Academy

Darmstadt and Hannover, June 12th, 2019. PEAK-System Technik GmbH (www.peak-system.com) and Embedded Systems Academy GmbH (www.esacademy.de) have deepened their partnership to provide common CANopen, CANopen FD, and J1939 solutions. For more than 15 years, Embedded Systems Academy GmbH (EmSA) has offered numerous CANopen software products including monitors, analyzers, simulators, configurators, and protocol stacks for the CAN (Controller Area Network) hardware of PEAK-System Technik GmbH (PEAK). Building on that partnership, PEAK has now become a shareholder and partner of EmSA.

“By formally joining the PEAK Group of companies, we can now more easily share resources and are better positioned to streamline development processes that involve both CAN hardware and software,” says Olaf Pfeiffer, General Manager of Embedded Systems Academy GmbH.
Current projects of PEAK and EmSA include CANopen (FD) generic input and output devices, CANopen (FD) protocol libraries, security options for CAN and diagnostics and test systems for CANopen (FD) and J1939.

“The deepened partnership with EmSA will provide our hardware customers with a variety of easy-to-use software products for CANopen, CANopen FD, and J1939 applications,” says Uwe Wilhelm, General Manager of PEAK-System Technik GmbH. “We’ll announce our new joint CANopen and CANopen FD solutions on our websites and blogs over the coming months.”

The CANgineBerry (www.cangineberry.com) is a smart coprocessor module for the Raspberry Pi®, other popular embedded microprocessor systems or a PC. It allows offloading CANopen tasks from the main system while communicating with it though a regular serial port which greatly simplifies application development. Firmware for different purposes can be programmed through the same interface. New releases for the CANopen Device and Manager application firmware are now further enhancing the functionality of the CANgineBerry.

The CANopenIA-BEDS (V1.5) firmware for CANopen devices now also supports the tunneling of plain-CAN messages for special cases where CANopen is not used or the network needs custom messages. It also adds CANcrypt to support secure and authenticated CANopen communication between up to 15 participants. Lastly, it now supports an advanced manual triggering for Transmit Process Data Objects (TPDOs) where the host application can decide when exactly to trigger the transmission of a TPDO in addition to the standard fully-automatic mode, .

The CANopenIA-MGR (V1.7) firmware implements a self-configuring CANopen controller/manager. It contiuously monitors the network for new CANopen nodes and scans their configuration in order to set up automatic PDO handling. Also here, the new version implements advanced manual triggering options for TPDOs. For example, when the application wants to write data to a remote CANopen node’s Object Dictionary (OD) entry, the default behavior is that the controller automatically decides which transport — PDO or Service Data Object (SDO) — to use, depending on whether that OD entry is part of a PDO or not. In some cases, more control is desirable, though, so now the application can disable the automatic handling and manually select SDO vs. PDO as well as manually trigger TPDO transmissions.

The latest CANgineBerry software and firmware is available here: [CANgineBerry.com]

The CANgineBerry is available here: [US] [UK] [EU] [DE]

With every start of a new year, those preparing for the Embedded World and its conference in Nuremburg get busy – so do we. This year our tutors and partners present several papers, mostly around CAN (FD), CANopen (FD) and security issues. Over the last year it became clear that in embedded communication there are a variety of attack vectors as illustrated in the figure right. For protection, security is required on multiple levels, preferably at every network layer.

Find some recommended classes below. The full program is available here.

Tuesday 26th, from Communication – CAN

09:30 – 10:00 / Troubleshooting in Embedded Networks Based on CANopen FD
Reiner Zitzmann, CAN in Automation

10:00 – 10:30 / Automated Node ID Assignment in CAN and CAN(FD) Networks
Christian Keydel & Olaf Pfeiffer, Embedded Systems Academy

10:30 – 11:00 / Signal Improvement Concept for CAN FD Networks
Yao Yao, CAN in Automation

Tuesday 26th, from HW-based Security

12:00 – 12:30 / Extend MCU Security Capabilities Beyond Trusted Execution with Hardware Crypto Acceleration and Asset Protection
Saurin Choksi, NXP Semiconductors

15:00 – 15:30 / Methods for Provisioning Security Features in a Cortex-M33 based MCU Using A Physically Unclonable Function
Rob Cosaro, NXP Semiconductors

Wednesday 27th, from Architectures & Hacking

16:30 – 17:00 / Securing all Network Layers of CAN (FD) Communication
Olaf Pfeiffer, Embedded Systems Academy
Andreas Walz, Offenburg Univeristy

Meet us at Embedded World

During the show, you will find our tutors either at the CiA booth (hall 1, booth 630) with the CANopen FD Demonstrator or at the NXP booth (hall 4A, booth 220) featuring a Multi-Layer CANopen FD Security Demonstrator.

Over the past year, our authors Christian Keydel and Olaf Pfeiffer have published several security- related CAN articles in the CAN newsletter. It’s now time for an up-to-date summary, review and outlook.

How do we address security?

To analyze the application-specific attack scenarios, we can group systems with CAN-connected devices as follows:

• Private and locked:
  Only trusted persons have physical access to CAN wires and devices. There are no gateways to other networks.
• Remotely accessible:
  The CAN bus is connected to one or multiple gateways to other networks.
• Time-limited physical access:
  An untrusted party can be expected to have physical access to the CAN bus and devices for a limited time.
• Unlimited physical access:
  An untrusted party can be expected to continuously have physical access to the system.

What measures should be taken?

The recommended security measures for the mentioned groups range from none for group 1 to state-of-the-art for group 4 which presents the toughest challenge. With virtually unlimited physical access, an untrusted party can go as far as using flash/code extraction services for MCUs to obtain code and private keys. To thwart such attempts, you will have to use a secure microcontroller with built-in encrypted key and code storage like the NXP LPC54Sxx series for example. Here, the encryption is based on a private PUF (Physical Unclonable Function) which uses physical properties that vary for each chip and can never be extracted, like contents of uninitialized SRAM.

Securing CAN communications is a viable option especially for group 2 and in combination with physical protection also group 3 applications. As we’ve shown, it needs only minimal resources to implement injection monitoring in combination with a secure heartbeat (see article “Scalable CAN security”). However, due to the limited data size in CAN messages, individual message authentication often requires sending a second message with the authentication data.

With CAN FD, adding security becomes easier, as the payload and security record can often be combined in a single CAN FD data frame, avoiding the overhead of managing a second authentication message.

What can we expect in the future?

In the new CiA CAN Cyber Security group it has become clear that where security is required, it should be added to all communication layers.  To add message monitoring and flood protection to the CAN bus, there are hardware solutions like NXPs TJA115x secure CAN/CAN FD transceiver family. Similar protection can be added in software to the lowest driver layers. Just above the data link layer, CANcrypt (FD) provides a secure grouping mechanism. For the CANopen/CANopen FD and J1939 protocol layers, different security features can be implemented, including authenticated access for diagnostics or remote-control features.

Reaching highest security levels will only be possible if the hardware supports securing the software and communications, using built-in features for the protection of stored code and keys.

The new CANgineBerry is an active CAN interface with a Cortex-M0 microcontroller and various firmware options. At launch, two options are available: One for a CANopen Controller / Manager and one for a configurable CANopen slave device.

The CANopen Controller scans the network for connected slave devices within less than 50 ms after power-up, sets up process data handling, starts the network and continues monitoring it. Once the host that CANgineBerry is connected to is up and running as well, it can immediately start using the CANopen network and access any device.

The second firmware option is implementing a CANopen slave device which is fully configurable with node ID and with an Object Dictionary that the user creates with the provided CANopen Architect software (evaluation version is sufficient for this use).

The CANgineBerry’s host can be a Raspberry Pi®, another embedded computing systems or even a PC. The communication to the host system uses a regular serial channel (TTL-UART), so no special driver is required as UART support is typically part of all operating systems. The communication between host and CANgineBerry and the API is designed to serve the application. For example, heartbeats are automatically monitored but the host is only informed about changes in the heartbeat status (like “activated” or “lost”) but not about every individual heartbeat message.

This architecture of CANgineBerry addresses the shortcomings of many “CAN shields” that are passive, have no own intelligence and require the host computer to handle all CAN communication message by message. In worst case, a CAN system can have more than ten thousand individual messages per second. Sometimes the real-time requirements are below 10 ms for some responses which is not realistically achievable with a Linux or Windows® based host and a passive approach.

Summary of firmware options currently available or under development:

• CANopen self-configuring Controller / Manager
• CANopen slave device (configurable via EDS, Electronic Data Sheet)
• Lawicel CAN-RS232 protocol
• CANcrypt (secure CAN communication) for the above versions
• CiA 447 – automotive add-on electronics
• J1939 gateway

For more information about the CANgineBerry, current firmware options and availability, visit www.CANgineBerry.com

Some people try to push easily-available “Internet-proven security mechanisms” also into embedded networks like CAN and CANopen. However, in embedded systems security is never about a single network, one needs to look at the entire picture.

We have started a series of articles about embedded security issues with a focus on CAN and CANopen networks in the CAN newsletter. In the current article we are having a closer look at taxi fare calculation as one example for an attractive hacking target. How can you be sure that you are not overcharged? What would be required to make taxi fare manipulations really difficult?

Tampering with the underlying CAN/CANopen communication is just one of several attack vectors available here. Besides manipulating the wheel with the sensor – knowing that a 3% change in diameter can result in a 10% variance in the fare calculation – there is also the sealed meter. But these days, technology like 3D printers and sophisticated electronics are also easily being used by the “bad guys”. From the article:

“Think about the manipulations already performed today to banking machines. Additional keyboards and card readers can be tacked-on to banking machines in a way that users don’t recognize the difference. In the same way a meter-like display could be designed to clip onto or fully around an existing meter. The original meter “vanishes” inside a fake meter that can display whatever the taxi driver would like it to display.”

Browse the current CAN Newsletter: March 2018

Read the full article here: Security expectations vs.limitations (pdf)

Today, EmSA released a software update for both the freely downloadable and the commercial version of CANcrypt. The update implements multiple recommendations from a security assessment.

As part of the NXP secure bootloader project, the experts at MathEmbedded did a security assessment of CANcrypt. The 43-page report examined possible attack vectors and potential weaknesses. Even to the original release the report stated: “We have not identified a straightforward attack that would allow an unauthorized attacker to easily accomplish all the steps [above].” But the latest update now fixes the discovered weaknesses or adds security notes and comments for application-specific configurations that need less security.

Just in time for the Embedded World 2018 in Nuremberg we can now show a first CANcrypt adaptation to CANopen FD. As CANopen FD already provides a direct, flexible communication method with USDO (Universal Service Data Object) supporting both broadcast and point-to-point communication, the easiest way to port the CANcrypt control messages to CANopen FD is to turn them into CANopen FD objects in the Object Dictionary. The CANcrypt control messages thus are “tunneled” through CANopen using dedicated Objects and USDO services. This allows implementing the CANcrypt grouping mechanism (similar to pairing, but for multiple devices). Authenticated messages are then exchanged based on a dynamically changing key. Each data transfer includes a random value that is used to continuously update the dynamic key.

Visit the CiA (CAN in Automation) at the Embedded World 2018 (hall 1, booth 1-630) to see the CANopen FD demonstrator and to learn more about CANcrypt. To download the free evaluation software or learn more about CANcrypt, visit our web pages for download and CANcrypt.net.

It was a lengthy process. Along with other experts we from Embedded Systems Academy participated in the CANopen FD definition group for more than 2 years now. Initially some only wanted a few changes. However as CAN FD is not backward compatible to CAN (classic CAN controllers produce error frames when they see a CAN FD message) the majority saw the chance to “dump complete backward compatibility” and add new and advanced features. The previous SDO communication (request-response scheme between one master and multiple devices) was replaced with the USDO communication – the Universal Service Data Object.

A first version of the definition of CANopen FD (CiA 1301) was released by the CiA in October this year. It is available from the CiA on request (www.can-cia.org/services/publications/). Some of the new features include:

• TPDOs can now have up to 64 bytes of data (previous 8)
• Full USDO mesh definition – every node can send client requests to every other node
• USDO communication may be a broadcast to all nodes

The USDO service allows any device to send service requests to any other device, without the need for a master or manager to be involved. This greatly improves plug-and-play support and self-configuring systems, as now each device independently can analyse its surroundings: which devices are on this network and what kind of communication objects do they have available.

We at Embedded Systems Academy are now adding CANopen FD support to all our CANopen products. The first line of products supporting CANopen FD is our CANopen Magic software for the analysis and test of networks. As of the latest release (V9.0) all CANopen Magic products support both CANopen and CANopen FD. For CANopen FD an appropriate CAN FD interface must be connected. All of our current tests have been made with the PCAN-USB FD and PCAN-USB Pro FD interfaces from PEAK System.

We are currently in the process of contacting all current CANopen Magic users to inform them about their upgrade options. If you are using CANopen Magic and have not yet received an email from us about your upgrade options, please contact us.

Visit us in Nuremberg for the 28th international exhibition for Electric Automation, Systems and Components, the “sps ipc drives 2017”. The show is open from November 28th to 30th, 2017. Our software and solutions are shown on two displays at the NXP booth and the CiA (CAN in Automation) booth.

Our display at the NXP booth (Hall 10.1, Booth 325) focuses on CAN FD and security. The new features of CAN FD (bigger message frames, higher bit rate) are used to implement a more efficient and secure bootloader based on CANcrypt and AES based authentication and encryption. Join us for an informal lunch & learn session about CAN FD on Tuesday or Wednesday starting at noon (for about 45min) in the NXP on-site meeting room. Seats are limited, please register here to join.

Our display at the CiA booth (Hall 2, Booth 300) focuses on CANopen FD. A multi vendor demo setup shows one of the many new features available with CANopen FD: segmented broadcast. This transfer mode supports sharing data blocks (for example tables with data of drive acceleration ramps) instantly among multiple participants. In the demo, the data exchange is visualized using graphics, which are shared among multiple nodes.

Contact us, if you still need tickets for the event or if you would like to set an appointment to discuss your CAN FD / CANopen FD / CAN security requirements.

The CiA (CAN in Automation) user’s group released the presentation videos of the iCC 2017. Besides the keynote by Holger Zeltwanger there are three more presentations that we would like to highlight here in our blog:

Andrew Ayre and Olaf Pfeiffer (both ESAcademy): Automated trace analysis for testing of CANopen devices

This paper presents a summary of the debug information extractable from CANopen trace recordings. The functionality described in this paper are implemented in our Logxaminer software.

Olaf Pfeiffer (ESAcademy): Scalable security for CAN, CANopen, and other CAN protocols

This paper describes the main functionality of the CANcrypt security framework described in our book “Implementing Scalable CAN Security with CANcrypt”.

Bernhard Floeth (Opel) and Olaf Pfeiffer (ESAcademy): Using an enhanced condensed device configuration file format for CANopen boot-loading and/or device testing

This paper presents the enhanced CDCF player integrated in our free CANopen File Player and CANopen Diag projects. It supports spreadsheet based (.csv) Object Dictionary access with active flow control.

For a complete list of all available videos, go to: www.can-cia.org/services/conferences/icc