Squashed 'panda/' changes from 293fa33..9ee6285

9ee6285 optimize board build for size to avoid going over the limit. (#150)
20e8fa9 Start introducing Bounties
a2046e9 make it smaller
1dfcf2b update panda price
37ee289 chrysler safety: fixed comments
c2dfbad tesla safety: return -1 to block forward (#149)
74c0c1b update README
be0061d Chrysler: safety now based on motor torque
039d183 Chrysler: fixed regression test
9193eeb Chrysler: safety limits updated
04f1d44 Chrysler safety: 3 sa max rate down for now
cf3ecd6 Chrysler safety: re-using hyundai framework
49ed9bc Update CLICKS for longer bootup time of EONS and avoid unwanted fast charge mode

git-subtree-dir: panda
git-subtree-split: 9ee6285

README.md

@@ -3,7 +3,7 @@ Welcome to panda
 
 [panda](http://github.com/commaai/panda) is the nicest universal car interface ever.
 
-<a href="https://www.amazon.com/chffr-panda-OBD-II-Interface/dp/B07D6Y3GN2/"><img src="https://github.com/commaai/panda/blob/master/panda.png">
+<a href="https://comma.ai/shop/products/panda-obd-ii-dongle"><img src="https://github.com/commaai/panda/blob/master/panda.png">
 
 <img src="https://github.com/commaai/panda/blob/master/buy.png"></a>
 

VERSION

@@ -1 +1 @@
-v1.1.7
+v1.1.8

board/bootstub.c

@@ -51,6 +51,9 @@ void fail() {
 // know where to sig check
 extern void *_app_start[];
 
+// FIXME: sometimes your panda will fail flashing and will quickly blink a single Green LED
+// BOUNTY: $200 coupon on shop.comma.ai or $100 check.
+
 int main() {
   __disable_irq();
   clock_init();

board/build.mk

@@ -1,4 +1,4 @@
-CFLAGS += -I inc -I ../ -nostdlib -fno-builtin -std=gnu11 -O2
+CFLAGS += -I inc -I ../ -nostdlib -fno-builtin -std=gnu11 -Os
 
 CFLAGS += -Tstm32_flash.ld
 
@@ -51,6 +51,8 @@ obj/$(PROJ_NAME).bin: obj/$(STARTUP_FILE).o obj/main.$(PROJ_NAME).o
 	$(CC) -Wl,--section-start,.isr_vector=0x8004000 $(CFLAGS) -o obj/$(PROJ_NAME).elf $^
 	$(OBJCOPY) -v -O binary obj/$(PROJ_NAME).elf obj/code.bin
 	SETLEN=1 ../crypto/sign.py obj/code.bin $@ $(CERT)
+	@BINSIZE=$$(du -b "obj/$(PROJ_NAME).bin" | cut -f 1) ; if [ $$BINSIZE -ge 32768 ]; then echo "ERROR obj/$(PROJ_NAME).bin is too big!"; exit 1; fi;
+
 
 obj/bootstub.$(PROJ_NAME).bin: obj/$(STARTUP_FILE).o obj/bootstub.$(PROJ_NAME).o obj/sha.$(PROJ_NAME).o obj/rsa.$(PROJ_NAME).o
 	$(CC) $(CFLAGS) -o obj/bootstub.$(PROJ_NAME).elf $^

board/main.c

@@ -589,6 +589,8 @@ int main() {
     uint64_t marker = 0;
     #define CURRENT_THRESHOLD 0xF00
     #define CLICKS 8
+    // Enough clicks to ensure that enumeration happened. Should be longer than bootup time of the device connected to EON
+    #define CLICKS_BOOTUP 30
   #endif
 
   for (cnt=0;;cnt++) {
@@ -615,8 +617,8 @@ int main() {
           }
           break;
         case USB_POWER_CDP:
-          // been CLICKS clicks since we switched to CDP
-          if ((cnt-marker) >= CLICKS) {
+          // been CLICKS_BOOTUP clicks since we switched to CDP
+          if ((cnt-marker) >= CLICKS_BOOTUP ) {
             // measure current draw, if positive and no enumeration, switch to DCP
             if (!is_enumerated && current < CURRENT_THRESHOLD) {
               puts("USBP: no enumeration with current draw, switching to DCP mode\n");

board/safety/safety_chrysler.h

@@ -1,20 +1,19 @@
-// board enforces
-//   in-state
-//      ACC is active (green)
-//   out-state
-//      brake pressed
-//      stock LKAS ECU is online
-//      ACC is not active (white or disabled)
-
-// chrysler_: namespacing
-int chrysler_speed = 0;
-
-// silence everything if stock ECUs are still online
-int chrysler_lkas_detected = 0;
+const int CHRYSLER_MAX_STEER = 261;
+const int CHRYSLER_MAX_RT_DELTA = 112;        // max delta torque allowed for real time checks
+const int32_t CHRYSLER_RT_INTERVAL = 250000;  // 250ms between real time checks
+const int CHRYSLER_MAX_RATE_UP = 3;
+const int CHRYSLER_MAX_RATE_DOWN = 3;
+const int CHRYSLER_MAX_TORQUE_ERROR = 80;    // max torque cmd in excess of torque motor
+
+int chrysler_camera_detected = 0;
+int chrysler_rt_torque_last = 0;
 int chrysler_desired_torque_last = 0;
+int chrysler_cruise_engaged_last = 0;
+uint32_t chrysler_ts_last = 0;
+struct sample_t chrysler_torque_meas;         // last few torques measured
 
 static void chrysler_rx_hook(CAN_FIFOMailBox_TypeDef *to_push) {
-  int bus_number = (to_push->RDTR >> 4) & 0xFF;
+  int bus = (to_push->RDTR >> 4) & 0xFF;
   uint32_t addr;
   if (to_push->RIR & 4) {
     // Extended
@@ -26,40 +25,37 @@ static void chrysler_rx_hook(CAN_FIFOMailBox_TypeDef *to_push) {
     addr = to_push->RIR >> 21;
   }
 
-  if (addr == 0x144 && bus_number == 0) {
-    chrysler_speed = ((to_push->RDLR & 0xFF000000) >> 16) | (to_push->RDHR & 0xFF);
-  }
+  // Measured eps torque
+  if (addr == 544) {
+    int rdhr = to_push->RDHR;
+    int torque_meas_new = ((rdhr & 0x7) << 8) + ((rdhr & 0xFF00) >> 8) - 1024;
 
-  // check if stock LKAS ECU is still online
-  if (addr == 0x292 && bus_number == 0) {
-    chrysler_lkas_detected = 1;
-    controls_allowed = 0;
+    // update array of samples
+    update_sample(&chrysler_torque_meas, torque_meas_new);
   }
 
-  // ["ACC_2"]['ACC_STATUS_2'] == 7 for active (green) Adaptive Cruise Control
-  if (addr == 0x1f4 && bus_number == 0) {
-    if (((to_push->RDLR & 0x380000) >> 19) == 7) {
+  // enter controls on rising edge of ACC, exit controls on ACC off
+  if (addr == 0x1f4) {
+    int cruise_engaged = ((to_push->RDLR & 0x380000) >> 19) == 7;
+    if (cruise_engaged && !chrysler_cruise_engaged_last) {
       controls_allowed = 1;
-    } else {
+    } else if (!cruise_engaged) {
       controls_allowed = 0;
     }
+    chrysler_cruise_engaged_last = cruise_engaged;
   }
 
-  // exit controls on brake press by human
-  if (addr == 0x140) {
-    if (to_push->RDLR & 0x4) {
-      controls_allowed = 0;
-    }
+  // check if stock camera ECU is still online
+  if (bus == 0 && addr == 0x292) {
+    chrysler_camera_detected = 1;
+    controls_allowed = 0;
   }
 }
 
-// if controls_allowed
-//     allow steering up to limit
-// else
-//     block all commands that produce actuation
 static int chrysler_tx_hook(CAN_FIFOMailBox_TypeDef *to_send) {
-  // There can be only one! (LKAS)
-  if (chrysler_lkas_detected) {
+
+  // There can be only one! (camera)
+  if (chrysler_camera_detected) {
     return 0;
   }
 
@@ -72,65 +68,69 @@ static int chrysler_tx_hook(CAN_FIFOMailBox_TypeDef *to_send) {
     addr = to_send->RIR >> 21;
   }
 
-  // LKA STEER: Too large of values cause the steering actuator ECU to silently
-  // fault and no longer actuate the wheel until the car is rebooted.
+
+  // LKA STEER
   if (addr == 0x292) {
     int rdlr = to_send->RDLR;
-    int straight = 1024;
-    int steer = ((rdlr & 0x7) << 8) + ((rdlr & 0xFF00) >> 8) - straight;
-    int max_steer = 230;
-    int max_rate = 50; // ECU is fine with 100, but 3 is typical.
-    if (steer > max_steer) {
-      return false;
-    }
-    if (steer < -max_steer) {
-      return false;
-    }
-    if (!controls_allowed && steer != 0) {
-      // If controls not allowed, only allow steering to move closer to 0.
-      if (chrysler_desired_torque_last == 0) {
-	return false;
-      }
-      if ((chrysler_desired_torque_last > 0) && (steer >= chrysler_desired_torque_last)) {
-	return false;
-      }
-      if ((chrysler_desired_torque_last < 0) && (steer <= chrysler_desired_torque_last)) {
-	return false;
+    int desired_torque = ((rdlr & 0x7) << 8) + ((rdlr & 0xFF00) >> 8) - 1024;
+    uint32_t ts = TIM2->CNT;
+    int violation = 0;
+
+    if (controls_allowed) {
+
+      // *** global torque limit check ***
+      violation |= max_limit_check(desired_torque, CHRYSLER_MAX_STEER, -CHRYSLER_MAX_STEER);
+
+      // *** torque rate limit check ***
+      violation |= dist_to_meas_check(desired_torque, chrysler_desired_torque_last,
+        &chrysler_torque_meas, CHRYSLER_MAX_RATE_UP, CHRYSLER_MAX_RATE_DOWN, CHRYSLER_MAX_TORQUE_ERROR);
+
+      // used next time
+      chrysler_desired_torque_last = desired_torque;
+
+      // *** torque real time rate limit check ***
+      violation |= rt_rate_limit_check(desired_torque, chrysler_rt_torque_last, CHRYSLER_MAX_RT_DELTA);
+
+      // every RT_INTERVAL set the new limits
+      uint32_t ts_elapsed = get_ts_elapsed(ts, chrysler_ts_last);
+      if (ts_elapsed > CHRYSLER_RT_INTERVAL) {
+        chrysler_rt_torque_last = desired_torque;
+        chrysler_ts_last = ts;
       }
     }
-    if (steer < (chrysler_desired_torque_last - max_rate)) {
-      return false;
+
+    // no torque if controls is not allowed
+    if (!controls_allowed && (desired_torque != 0)) {
+      violation = 1;
+    }
+
+    // reset to 0 if either controls is not allowed or there's a violation
+    if (violation || !controls_allowed) {
+      chrysler_desired_torque_last = 0;
+      chrysler_rt_torque_last = 0;
+      chrysler_ts_last = ts;
     }
-    if (steer > (chrysler_desired_torque_last + max_rate)) {
+
+    if (violation) {
       return false;
     }
-
-    chrysler_desired_torque_last = steer;
   }
 
+  // FORCE CANCEL: safety check only relevant when spamming the cancel button.
+  // ensuring that only the cancel button press is sent when controls are off.
+  // This avoids unintended engagements while still allowing resume spam
+  // TODO: fix bug preventing the button msg to be fwd'd on bus 2
+
   // 1 allows the message through
   return true;
 }
 
-static int chrysler_tx_lin_hook(int lin_num, uint8_t *data, int len) {
-  // LIN is not used.
-  return false;
-}
-
-static void chrysler_init(int16_t param) {
-  controls_allowed = 0;
-}
-
-static int chrysler_fwd_hook(int bus_num, CAN_FIFOMailBox_TypeDef *to_fwd) {
-  return -1;
-}
 
 const safety_hooks chrysler_hooks = {
-  .init = chrysler_init,
+  .init = nooutput_init,
   .rx = chrysler_rx_hook,
   .tx = chrysler_tx_hook,
-  .tx_lin = chrysler_tx_lin_hook,
+  .tx_lin = nooutput_tx_lin_hook,
   .ignition = default_ign_hook,
-  .fwd = chrysler_fwd_hook,
+  .fwd = nooutput_fwd_hook,
 };
-

board/safety/safety_tesla.h

@@ -258,7 +258,7 @@ static int tesla_fwd_hook(int bus_num, CAN_FIFOMailBox_TypeDef *to_fwd)
     // remove EPB_epasControl
     if (addr == 0x214)
     {
-      return false;
+      return -1;
     }
 
     return 2; // Custom EPAS bus
@@ -269,12 +269,12 @@ static int tesla_fwd_hook(int bus_num, CAN_FIFOMailBox_TypeDef *to_fwd)
     // remove GTW_epasControl in forwards
     if (addr == 0x101)
     {
-      return false;
+      return -1;
     }
 
     return 0; // Chassis CAN
   }
-  return false;
+  return -1;
 }
 
 const safety_hooks tesla_hooks = {

tests/safety/libpandasafety_py.py

@@ -42,10 +42,13 @@
 void set_cadillac_torque_driver(int min, int max);
 void set_gm_torque_driver(int min, int max);
 void set_hyundai_torque_driver(int min, int max);
+void set_chrysler_torque_meas(int min, int max);
 void set_toyota_rt_torque_last(int t);
 void set_toyota_desired_torque_last(int t);
 int get_toyota_torque_meas_min(void);
 int get_toyota_torque_meas_max(void);
+int get_chrysler_torque_meas_min(void);
+int get_chrysler_torque_meas_max(void);
 
 void init_tests_honda(void);
 int get_ego_speed(void);
@@ -84,8 +87,9 @@
 void init_tests_chrysler(void);
 void chrysler_rx_hook(CAN_FIFOMailBox_TypeDef *to_push);
 int chrysler_tx_hook(CAN_FIFOMailBox_TypeDef *to_send);
-void chrysler_init(int16_t param);
 void set_chrysler_desired_torque_last(int t);
+void set_chrysler_rt_torque_last(int t);
+
 
 """)
 

tests/safety/test.c

@@ -26,6 +26,7 @@ struct sample_t toyota_torque_meas;
 struct sample_t cadillac_torque_driver;
 struct sample_t gm_torque_driver;
 struct sample_t hyundai_torque_driver;
+struct sample_t chrysler_torque_driver;
 
 TIM_TypeDef timer;
 TIM_TypeDef *TIM2 = &timer;
@@ -81,6 +82,19 @@ void set_hyundai_torque_driver(int min, int max){
   hyundai_torque_driver.max = max;
 }
 
+void set_chrysler_torque_meas(int min, int max){
+  chrysler_torque_meas.min = min;
+  chrysler_torque_meas.max = max;
+}
+
+int get_chrysler_torque_meas_min(void){
+  return chrysler_torque_meas.min;
+}
+
+int get_chrysler_torque_meas_max(void){
+  return chrysler_torque_meas.max;
+}
+
 int get_toyota_torque_meas_min(void){
   return toyota_torque_meas.min;
 }
@@ -105,6 +119,10 @@ void set_hyundai_rt_torque_last(int t){
   hyundai_rt_torque_last = t;
 }
 
+void set_chrysler_rt_torque_last(int t){
+  chrysler_rt_torque_last = t;
+}
+
 void set_toyota_desired_torque_last(int t){
   toyota_desired_torque_last = t;
 }
@@ -181,18 +199,22 @@ void init_tests_hyundai(void){
   set_timer(0);
 }
 
+void init_tests_chrysler(void){
+  chrysler_torque_driver.min = 0;
+  chrysler_torque_driver.max = 0;
+  chrysler_desired_torque_last = 0;
+  chrysler_rt_torque_last = 0;
+  chrysler_ts_last = 0;
+  set_timer(0);
+}
+
 void init_tests_honda(void){
   ego_speed = 0;
   gas_interceptor_detected = 0;
   brake_prev = 0;
   gas_prev = 0;
 }
 
-void init_tests_chrysler(void){
-  chrysler_desired_torque_last = 0;
-  set_timer(0);
-}
-
 void set_gmlan_digital_output(int to_set){
 }