Teensy 4.0 With NMEA 2000 Connector And 240 x 240 IPS LCD for Marine Applications

This board carries an Arduino-compatible Teensy 4.0 microprocessor system, a 240x240 pixels IPS LCD, and a Micro C NMEA 2000 connector. The board receives power through the 12 VDC NEMA 2000 connector that feeds an onboard 5 VDC regulator. There is also a 4-way 1mm (Qwiic) IC2 connector for external sensors. The example sketch reads data from an NMEA 2000 wind sensor and a temperature sensor and displays the reading on the LCD.

Actisense 0183 to N2K Gateway w/PC Interface, ISO http://dlvr.it/TFzCY1

Oceanis 381 Clipper

Oceanis 381 Clipper, Année 2000 Bel Oceanis 381 Clipper, bien entretenu, équipé pour la grande croisière (transat en novembre 2022), nouvelle électronique NMEA2000, nouvelle installation solaire, nouveau gréement dormant, ... Pont en teck, barre à roue pliable et Propulseur d'étrave. Disponible en Martinique ou Guadeloupe en avril 2023 3 cabines doubles 2 salles de bain Carré transformable Électronique NMEA2000 (2022) Pilote automatique B&G Nac-3 (2022) Vérin du pilote révisé en usine (2022) Triducer - sondeur + speedo (2022) Girouette-anémomètre B&G (2022) Antenne VHF neuve (2022) AIS réception-émission + splitter (2022) VHF Navicom RT750 (2021) Traceur Garmin GPSmap 7407xsv VHF portable Orange Marine (2022) 3 panneaux solaires Victron de 105W => 315W (2022) Régulateur MPPT Victron (2022) 2 batteries de servitude GEL Victron de 165Ah => 330Ah (2022) Chargeur de quai Mastervolt 35A Onduleur 600W - 12V => 220V (2022) Contrôleur de batteries Victron (2021) Prises USB (2022) Éclairage LED Combi feu de hune / feu de pont LED (2022) Nombreuses prises 220V Système radio Hi-fi avec enceintes dans la carré, la cabine avant et le cockpit Chauffe-eau - eau chauffée par le moteur ou via la prise de quai Propulseur d'étrave Barre à roue pliable Guindeau électrique Ancre Delta 16kg + 60m de chaîne diamètre 10 2 ancres Britany de 16kg Radeau de survie 6 personnes Read the full article

Rebuilding CAN bus traffic from NMEA2000 logs

Summary

In this post I will cover how I identified and extracted CAN bus traffic from a NMEA2000 data log of a mixed technology network. This is an important step for untangling and reverse engineering CAN bus data, which I’ll go over in future posts.

The Challenge

HackTheMachine is a maritime cyber contest hosted by the United States Navy to raise awareness in the computer security industry about challenges and threats facing maritime networks. During the 2020 and 2021 HackTheMachine competitions, teams were given the output from a NMEA2000 logger of a network that included both NMEA2000 and CAN bus devices, and had to determine various aspects of the CAN bus devices.

Though NMEA2000 is compatible with CAN bus, these protocols have different addressing schemes and their frames need to be interpreted differently.

Separating Traffic

To rebuild CAN bus traffic from the NMEA2000 log we will need to understand the details of CAN bus and NMEA2000 frames and how they relate to each other in order to identify anomalous traffic and reconstruct them into CAN bus frames.

CAN Bus Frame Reconstruction

NMEA2000 is not directly related to CAN bus but instead is based on the SAE J1939 protocol used in commercial vehicles such as trucking and construction. The SAE J1939 protocol is based on the CAN bus protocol used in consumer vehicles most people drive. As they share the same physical standards, all three protocols can operate on the same network. What makes them different is the addressing mechanism of their MAC (media access control) layer. As the addressing mechanism is located in the first 32 bits of the CAN bus frame, we can focus on that and ignore the rest of the frame for this post.

CAN bus Identifiers

CAN bus has a single address field called an identifier. This field both identifies the sender, message format, and the message priority with the lower ID having higher priority. The CAN bus ID field can be either 11 bits (CAN bus 2.0a) or 29 bits (CAN bus 2.0b). SAE J1939 and NMEA2000 only use the CAN bus 2.0b frames. While CAN bus 2.0a frames can operate on a network with CAN bus 2.0b frames, it is unlikely that the NMEA2000 data logger would record any CAN bus 2.0a frames.

SAE J1939 PGN and Addresses

SAE J1939 splits up the CAN bus 2.0b’s 29 bit identifier field into the Message Priority, Parameter Group Number (PGN), Destination Address, and Source Address fields. The PGN number provides context on how to interpret the data field (typically 8 bytes) similar in how ICMP Data is based on the ICMP Type and Code. The PGN is formed by the Data Page, Extended Data Page, PDU Format, and PDU Specific fields.

While some messages need to be sent to a specific device, most do not require a destination address. A PDU Format value less than 240 (0xF0) indicates the message is intended for a specific device. When this occurs the PDU Specific field will contain the ID of that device, and the PGN is calculated with a PDU Specific value of 0 (0x00). PDU format values of 240 (0xF0) or more indicate a broadcast message, and the PGN is calculated with the PDU Specific value of the PDU Specific Field.

Note, a message can be sent to a specific identifier of 255 (0xFF) which is effectively a broadcast message, but the PGN would still be calculated with a PDU Specific value of 0 (0x00).

NMEA2000 PGN and Addresses

NMEA2000 inherits the PGN and address features of SAE J1939 except for the Data Page and Extended Data Page fields. Instead it enlarges the PGN field by extending into the Data Page field, and marks the Extended Data Page field as a reserved field. Besides this slight change in PGN format, what makes NMEA2000 different is mainly due to redefining the PGN values.

We can reconstitute the CAN bus identifier using the NMEA2000 Priority, PGN, Source Address, and optional Destination Address. However, as bit 4 is reserved in the NMEA2000 frame, the log doesn’t provide us its value and so our CAN bus ID will always be incomplete. In general this isn’t a great loss of information, but it is something to keep in mind.

For those interested, NMEA2000 device address assignment works similar to Automatic Private Internet Protocol Addressing (otherwise known as that annoying 169.154.0.0/16 address when your computer can’t reach the DHCP server). The NMEA2000 device selects an address value and asks the network if that address is already in use. If an address is already using that address, it’ll report “address claimed”. If the device doesn’t receive an “address claimed” message within a window of time, it will begin operating with that address. This form of self address procurement was also inherited from the SAE J1939 specification.

CAN bus Traffic Identification

Depending on how much log data is collected, you can also determine CAN Bus devices based on traffic analysis. PGN values such as 59392, 59904, 60928, and 126208 are often seen in messages between NMEA2000 devices as they pertain to network address and control function (as explained above). If a device doesn’t participate in this traffic, then it (and its associated PGN value) is likely a misinterpreted CAN bus identifier.

Additionally by determining what NMEA2000 devices exist on the network, through a visual recon, and checking for the PGN values they transmit can help you determine which PGN values you shouldn’t see and are likely misinterpreted CAN bus identifiers. For interoperability, the PGN values any NMEA2000 device transmits or accepts are well documented and can be found either in the product brochure, technical specifications, or user manual. This is true even for proprietary PGNs, the data format will of course be an industry secret, but the PGN will be documented.

Results

Examining the PGNs in the NMEA2000 log, I was able to identify three values (61184,65280,65281) via network analysis and confirmed by researching known device transmit PGN values. It appeared that there were seven devices based on the NMEA2000 source addresses. However, 14 CAN bus identifiers were revealed when these addresses and PGN values (along with the priority and destination fields) were converted.

Conclusion

Once the CAN bus frames are separated and reconstructed we are able to correctly organize the CAN bus data by the CAN bus identifier. This will help us while reverse engineering the data formats, which I will go over in a future post.

Source logs and code associated to this post can be found at https://github.com/VirusFriendly/HackTheMachine-Notes

Special thanks to Fathom5, Booz Allen Hamilton, and the United States Navy for providing the opportunity to gain hands-on experience with maritime networks, and to Ploppowaffles for review and feedback on this post.

NMEA advanced certification completed. #nmea #nmea2000 #abyc #boatlife #marineelectronics #boatelectronics #pittsburgh #diycustoms (at Team Nutz) https://www.instagram.com/p/CMOAD7EheQS/?igshid=j4hisxqstyw4

We have plenty of stock of this amazing device shipping now #nmea #nmea2000 #actisense #navico #raymarine #garminmarine #marineelectronics https://www.instagram.com/p/Bx4Iy_gAcEu/?igshid=1qefe6s19swn9

Convertidor de NMEA2000 a NMEA0183

Convertidor de NMEA2000 a NMEA0183

iKonvert, convertidor de NMEA2000 a NMEA0183 iKonvert es un convertidor bidireccional de NMEA2000 a NMEA0183 diseñado para facilitar la conexión de dispositivos nuevos y antiguos en el sistema electrónico de su embarcación.

  Está disponible en dos versiones: una versión ISO (con cables NMEA0183) y una versión USB para permitir la transmisión de datos NMEA2000 en PC, Mac o incluso en el software…

View On WordPress

Programming a nmea2000 dash @boostpowermarine #nmea #nmea2000 #nmea2000backbone #programming #technology #canbus #boostpower #boostpowermarine #alexiz

NMEA 2000 Simulator for testing NMEA 2000 devices on the bench

The NMEA 2000 simulator uses the Teensy 4.0 module (included in the scope of delivery). It is useful for testing NMEA 2000 devices on the bench. Six PGNs are adjustable via potentiometers and two per onboard switches. We also provide open-source firmware, which allows adding and modifying NMEA 2000 PGNs.

Airmar DST810 Plastic Smart Sensor 235kHz - NMEA 2000 - Bluetooth http://dlvr.it/TFgKCc

Identifying CAN bus Devices using Traffic Analysis

Summary

In this post I will cover how I use traffic analysis to determine the various functions of an unknown CAN bus protocol. I’ll use this analysis to map CAN bus addresses to physical devices, and ultimately allow me generate predictable effects by spoofing the protocol.

The Challenge

HACKtheMACHINE is a maritime cyber contest hosted by the United States Navy to raise awareness in the computer security industry about challenges and threats facing maritime networks. During the 2020 and 2021 HackTheMachine competitions, teams were given the output from a NMEA2000 logger of a network of devices using a proprietary CAN bus protocol and had to determine various aspects of the CAN bus devices.

Previous posts covered how I extracted CAN bus frames from a NMEA2000 log of a mixed network, and how I broke the CAN bus data field into smaller data types known in SAE J1939 as signals. This post is the payoff those posts were leading up to, where I analyze the protocols to determine their function and correlate them with the physical devices seen below.

The photo above is a frame of the video demonstrating the target system used in this competition. I’ve highlighted the devices of interest. The two green devices are control stations. The red box is a control unit. The yellow box to its right is a shift unit. The blue unit mounted to the wall is a mechanical actuator.

The mechanical actuator’s output is expressed through the propeller spinning, so I do not expect to see it transmitting to the network. In the previous posts, I determined there were 14 CAN bus devices using 9 different protocol formats. Now I need to figure out how they’re related to these three devices.

Traffic Analysis

In a previous post, I broke down the CAN bus data bytes into smaller fields that I’ll be referring to as signals, using SAE J1939 nomenclature. I’ve enumerated each signal, except for signals that are always constant (denoted as ZZ for constant zero, XX for constant 0xFF, and YY for any other constant value). In this post I’ll reference each signal using the CAN bus identifier hyphenated with a signal (ex: 216989712-1, 216989712-2).

The CAN bus device 216989761 only transmitted a constant value, and so I will not be able to determine any meaning from it. However, there is a neighboring device 216989760 that has a similar data format that may help determine the function of both.

I created a script to plot each signal over time to allow me to correlate each signal’s behavior with other signals to determine a relationship. Of course correlation does not imply causation normally, but as we have control stations feeding input into the control unit which then sends commands to the shift unit and actuator, I’m willing to assume causation here.

Time Span

While reviewing multiple signals, I didn’t notice any changes in values except for between the timestamps of 480000 and 560000. Limiting my analysis to this timespan will help me to narrow my analysis and magnify smaller changes in values, as seen below.

Throttle System

The following are three signals from different devices that have a strong correlation.

I believe that the first two (419365168-3, 419365169-3) are separate control stations and their input is accepted by the control unit which determines which control station is active, and sends their input (via 419365152-3) to the manual actuator.

Shift Control

Another signal (419365168-2) from the same control station (419365168), shows us that the second push in throttle was actually in reverse.

But this reversal isn’t reflected in any of the signals from the control unit (419365152), which makes sense as it is just telling the actuator how fast to go (a function of magnitude), while it is the purpose of the shift unit to communicate the direction.

The signal from 216989712-1 matches well with the vector data from the control stations (419365168-2, 419365169-2).

Control Enabling

This throttle system has two control stations that can provide throttle commands, but only one control station can be enabled at a time.

These signals change values during a pause in throttle data. Prior to these signal changes, one control station was sending throttle data, then after the signal changes the other control station began sending throttle data. These behaviors lead me to assume that these signal changes communicated the station selection.

The first two signals come from different device addresses (419364912 and 419364913) and the last two signals come from the same address (216989744). I assume the first two signals are the control stations stating their desire to be enabled, with the last two signals coming from the control unit declaring what the enable status for each station is.

Clock Signals

Notice how both control stations appear to send a clock signal when neither station is enabled. These control stations also transmit a complete clock signal in their data as follows.

Results

Now there are 24 non-constant signals, but I’ve only gone over 10 of them, as the others appear to have redundant functionality. The following is the CAN bus signal breakdown with the associated device.

Conclusion

Over three posts, I’ve shown how I identified the CAN bus traffic, dissected its data into signals, and then analyzed the signals to determine their function. Now I would be able to introduce fake signals into the system to cause the “boat” to run at full speed forward or reverse. Also, due a property of CAN bus communications which makes it easy to zero out data, I force the throttle to idle and leave the “boat” helpless in the water

This research was generated from a single log file with no interaction with the target systems. Given more time and hands-on interactions, I could refine my assumptions about each signal.

Source logs and code associated to this post can be found at https://github.com/VirusFriendly/HackTheMachine-Notes

Special thanks to Fathom5, Booz Allen Hamilton, and the United States Navy for providing the opportunity to gain hands-on experience with maritime networks, and to CaptainHaggis for review and feedback on this post.

• User selectable 2, 3 or 4 engines • Sunlight readable 1000 cd/m2 dimmable display using our BlackGlass™ technology • Direct J1939 and NMEA2000® interfaces • Remote panel with brightness up, brightness down and alarm mute buttons. • Supports inboard engine manufacturers including Caterpillar, Cummins, FPT, John Deere, MAN, MTU, Seatek, Volvo and Yanmar • Supports outboard engine manufacturers including Evinrude, Honda, Mercury, Suzuki, and Yamaha. • Switch settable imperial or metric displays units • Displays manufacturer standard engine warnings • Displays 1 to 4 fuel tank levels • Rugged IP66 front display seal • Internal and external alarm sounder @caterpillarinc @cummins @johndeereeurope @mantruckandbus @electronics_mtudiesel_service @sea.tek @volvopenta @yanmarmarine @evinrudebrp @evinrudeoutboards @hondamarineturkiye @honda_marine_croatia @hondamarine @mercurymarine @suzuki_italia_marine @suzukiturkiye @yamahaboating (at Plymouth) https://www.instagram.com/p/BtpEvd9BhNJ/?utm_source=ig_tumblr_share&igshid=1qmw7m7q2mqcs

As you evolve in your fishing abilities, you expect more and more features from your fish finder. But as they run up to thousands of dollars, where do you stop? The Lowrance Elite 7 TI fish finder with TotalScan transducer kit might be your answer. CHIRP, StructureScan with both Side and Down Imaging, touchscreen operation, Navionics capability, Wi-Fi and Bluetooth combine together in a reasonably priced package here. What gives? Let’s find out best fish finder 2018.

The Lowrance Elite 7 TI fish finder is best served by their TotalScan transducer. This single transducer can handle all frequencies from regular Echo to StructureScan. With all these SONAR technologies, you have a near-photographic view of the underwater landscape. This is supported by basic networking features like the NMEA2000 and advanced sharing features like Wi-Fi and Bluetooth which helps if you fish as a team over a large vessel.

The closest competition with similar feature set is the Garmin 7sv but it doesn’t have a touchscreen or Pre-loaded maps and costs almost half of Elite 7 TI .  The HumminBird Helix 7 is as exhaustive in its features as the Elite 7 but it does not have the touchscreen.

The Elite 7 TI fish finder is better suited for professional anglers but it can fit into the budget of expert recreational anglers too.

Source: https://fishfinderbrand.com/lowrance-elite-7-ti-reviews/

NMEA2000 BOOSTPOWER BIG INCH ENGINE AT IDLE out streaming to a GARMIN dash! @boostpowermarine #nmea2000 #canbus #cangatewayupgrade #cangateway #dynoproven

espBerry - ESP32 Development Board with NMEA 2000 & NMEA 0183 HAT for Marine Applications

The espBerry DevBoard combines the ESP32-DevKitC development board with any Raspberry Pi HAT by connecting to the onboard RPi-compatible 40-pin GPIO header. The PICAN-M (M = Marine) is a Raspberry Pi HAT with NMEA 0183 and NMEA 2000 connection. The NMEA 0183 (RS422) port is accessible via a 5-way screw terminal. The NMEA 2000 port is accessible via a Micro-C connector.

Choosing A Service To Install Or Replace Quality Mercury Marine Parts In Miami

The first step in choosing a company that supplies and installs Mercury Marine Parts in Miami is to check their acceptability and reputation in the market. If there are reputable people and firms recommending the products, you can count on them. The user feedback is always helpful in this regard. Depending on the scope and scale of your operations, you can also consult NEMA or the National Marine Electronics Association for information and leads. Operating out of Miami and other leading metros of the country, the US-based, premier marine electronics corporation has published a range of standards pertaining to the correct use and maintenance of marine electronics.

About the services

The premier companies also offer great training courses for aspiring installers of Mercury Marine Parts in Miami. They have a throng of accredited and registered marine electronics installers. You can find the names on the company website. If you’ve just purchased a boat, the showroom may also refer to you proper professionals. You need to ensure that you look at the details. It includes pricing and imminent service signs. Another way is to reach out to the people and friends in the boating community and your circle. They can always refer you to prominent shops that install common and rare equipment.

Running background checks

It’s always prudent to buy marine audio equipment, marine GPS, or any marine electronics with proper reference. In addition to safety, you also have two common reasons to install electronic Mercury Marine Parts in Miami for enhances entertainment or advanced fishing. For anglers, you can install the marine technology as part of the boat’s construction latter phases. You can talk to your boat builder and designer regarding this thing. Experts recommend you check the previous crafts and tools of the installing firm. If they have a store or showroom of the goods, you can check them out.

The brands they offer

You need to search the company’s name and read their reviews online. Do remember that a company with decades of experience and expertise is a definite sign of great management. A company selling and supplying Mercury Marine Parts in Miami for more than 20 years means they have professional and consistent customer service. A happy customer means a reliable and premier company. If you’re living in Miami and need to service your waterway vehicle, you can count on the companies that have more than 25-30 years of experience in the industry. They can work with virtually every size and type of watercraft.

In a nutshell

There are some service providers that provide great options to choose amongst brands. Notwithstanding the analysis paralysis that you might face at the initial stages and delay the installation, it’s a very important process. Choosing between marine parts brands also necessitate considerable background searches or digging, whatever you want to call. If you don’t mind going for the replacement of components and parts every two to three years, you’re free to choose a company without extensive research. Experts recommend you choose a brand that’s compliant and compatible with the current NMEA2000 standards. Visit Here: Powerhouse Marina