Skip to main content

CLI-first CAN security research toolkit

Project description

README.md

CANarchy

CANarchy is a stream-first CAN analysis and manipulation runtime designed for automation, security research, and agent-driven workflows.

The project is implemented in Python and uses uv for environment, dependency, and packaging workflows.

Machine-readable output uses canonical JSON envelopes and JSONL event streams where commands produce typed events. The CLI is the interface. J1939 is a first-class citizen, not an afterthought.

Today the repository delivers:

  • a stable CLI surface for analysts, scripts, and coding agents
  • J1939-first heavy vehicle workflows: PGN decoding, SPN extraction, TP session reassembly, DM1 fault parsing
  • structured output (--json, --jsonl, --text) on every command
  • live CAN transport via python-can with support for socketcan, virtual bus, and UDP multicast
  • UDS scan and trace, DBC decode/encode, capture/filter/replay, and an interactive shell

Try it in 60 seconds

Once a CANarchy release has been published to PyPI:

pipx install canarchy
canarchy --version
canarchy doctor --text

# Stream two pre-recorded frame events from the deterministic scaffold
# backend — no hardware, no fixture files, no network. Shows the
# canonical JSONL envelope.
CANARCHY_TRANSPORT_BACKEND=scaffold canarchy capture can0 --jsonl

canarchy doctor runs eight offline health checks; everything green means the install is good. The scaffold capture demonstrates the structured-output contract that every command emits. Replace it with canarchy capture can0 --candump once you have a real interface, or clone the repo to run against the in-tree J1939 fixtures.

For development or for installs from a checkout, see Installation below.

Why CANarchy?

Most CAN tools force the wrong tradeoff: interactive but hard to automate, scriptable but too raw, protocol-aware but inconsistent across interfaces. CANarchy is built around the opposite constraint: every output is a stream of typed events you can parse, pipe, or forward to an agent.

The event schema is the stable contract. The CLI wraps it. J1939 heavy vehicle analysis is the initial focus for protocol-aware workflows, with a security-research lens throughout.

Current State

Fully implemented and tested:

  • capture, send, filter, stats — transport workflows with live python-can and deterministic scaffold backends
  • generate — cangen-style frame generation (fixed, random, incrementing modes)
  • gateway — bridge frames between two interfaces (unidirectional and bidirectional)
  • replay — deterministic replay planning from candump files
  • decode, encode — DBC-backed signal decode and encode
  • j1939 monitor, decode, pgn, spn, tp, dm1, faults, summary, inventory, compare — J1939 operator workflows across live, file-backed, and decoded views
  • uds scan, trace, services — UDS diagnostic workflows and service catalog, including initial transport-backed scan/trace heuristics
  • re signals — file-backed signal-candidate ranking across 4-bit, 8-bit, and 16-bit fields
  • re counters — file-backed counter-candidate detection for reverse-engineering workflows
  • re entropy — file-backed entropy ranking across arbitration IDs and byte positions
  • re correlate — file-backed correlation of candidate fields against timestamped reference series
  • re match-dbc, re shortlist-dbc — provider-backed DBC candidate ranking against captures
  • skills provider list, skills search, skills fetch, skills cache list, skills cache refresh — repository-backed CANarchy skill discovery, caching, and provenance workflows
  • session save, load, show — session management
  • export — structured artifact export
  • shell — interactive REPL and --command scripting mode
  • tui — terminal UI front end
  • doctor — local environment health checks (Python, python-can, caches, MCP, config)
  • completion {bash,zsh,fish} — emit a shell completion script
  • --log-level and --quiet — global stderr logging controls (place before the subcommand)
  • fuzz payload, fuzz replay, fuzz arbitration-id — active-transmit fuzzing gated by the active-transmit safety design; --dry-run is the safe planning path

Recently reintroduced under the active-transmit safety model; deeper controls (configurable rate-cap ceiling, TOML target allowlist, KILL_SWITCH_TRIGGERED alert on SIGINT, MCP ack_active=true enforcement) are tracked as Horizon 2 follow-ups (#312 and the fuzzing-extensions cluster #346–#350).

Default transport backend is python-can; set CANARCHY_TRANSPORT_BACKEND=scaffold for deterministic offline behavior.

Documentation

Community

Installation

CANarchy currently targets Python 3.12 or newer.

From PyPI (recommended for users)

pipx install canarchy        # isolated, on PATH everywhere
# or
pip install --user canarchy  # if pipx is not available

After install, confirm the environment is healthy:

canarchy --version
canarchy doctor --text

Shell completions for bash, zsh, and fish are produced by canarchy completion <shell>; see Getting Started for the install snippet for each shell.

From source (development)

CANarchy uses uv for environment, dependency, and packaging workflows.

  1. Install Python 3.12 or newer.
  2. Install uv.
  3. Clone the repository.
  4. Sync the project environment and dependencies:
uv sync
  1. Run the CLI:
uv run canarchy --help
  1. Optionally install canarchy on your PATH so you don't need uv run every time:
uv tool install --editable .
canarchy --help

If you want to verify the local environment end to end, run:

uv run python -m unittest discover -s tests -v

Notes:

  • uv sync creates the local virtual environment and installs the package from the current checkout.
  • The checked-in uv.lock file should be used for reproducible dependency resolution.
  • uv tool install --editable . puts canarchy on your PATH permanently; edits take effect without reinstalling.
  • Live transport support currently uses python-can; persist backend settings in ~/.canarchy/config.toml (see Getting Started).

Development

uv sync
uv tool install --editable .
canarchy --help

Versioning Policy

CANarchy uses Semantic Versioning.

Rules:

  • MAJOR for intentional breaking changes to the CLI contract, structured output contract, or other documented public behavior
  • MINOR for backward-compatible new commands, new output fields, or new capabilities
  • PATCH for backward-compatible fixes, documentation corrections, and implementation improvements that do not intentionally break the public contract

Prereleases:

  • prereleases should use standard SemVer prerelease identifiers such as 0.2.0a1, 0.2.0b1, or 0.2.0rc1
  • prereleases are appropriate when command behavior, output contracts, or packaging flows need release-candidate validation before a stable tag

Release tags:

  • Git tags should match the package version exactly, prefixed with v, for example v0.1.0
  • canarchy --version, package metadata, and release tags should always agree

Current implementation:

  • src/canarchy/__init__.py is the authoritative version source
  • package metadata is derived from that version during build
  • CLI and MCP server version reporting reuse the same version value

Example Usage

# Capture and decode
canarchy capture can0 --candump
canarchy capture can0 --jsonl
canarchy decode --file trace.candump --dbc vehicle.dbc --jsonl

# J1939 heavy vehicle analysis
canarchy j1939 decode --file trace.candump --text
canarchy j1939 spn 110 --file trace.candump --text   # Engine Coolant Temp
canarchy j1939 dm1 --file trace.candump --text        # Active fault codes

# Pipe events into downstream tools
canarchy j1939 spn 110 --file trace.candump --jsonl \
  | jq '[.payload.value, .payload.units, .payload.timestamp]'

# Active workflows
canarchy generate can0 --count 10 --gap 50 --id 7DF --jsonl
canarchy gateway can0 239.0.0.1 --count 100
canarchy replay --file trace.candump --rate 2.0 --json

Use --candump for a human-oriented live view. Use --jsonl when feeding output to scripts or agents — every line is a typed event from the canonical schema.

Live transport uses python-can by default. Set CANARCHY_PYTHON_CAN_INTERFACE to choose an interface type, or set CANARCHY_TRANSPORT_BACKEND=scaffold for deterministic offline behavior.

Current file support:

  • file-backed workflows such as filter, stats, decode, j1939 decode, and replay read standard timestamped candump log files
  • j1939 pgn inspects recorded traffic with --file <capture.candump>
  • the supported log form today is (timestamp) interface frame#data
  • additional supported candump forms include classic RTR id#R, CAN FD id##<flags><data>, and error frames using a CAN error-flagged identifier such as 20000080#0000000000000000
  • supported capture-file suffixes today are .candump and .log; capture-info --file -, stats --file -, and filter --file - can read candump text from stdin
  • filter --stdin, decode --stdin, and j1939 decode --stdin read JSONL FrameEvents from stdin
  • malformed candump log lines are skipped during capture parsing rather than falling back to sample data; commands that require capture metadata or explicitly validate stdin emptiness return structured errors when no valid frames are available

Structured Output

Successful commands return a stable JSON envelope:

{
  "ok": true,
  "command": "capture",
  "data": {},
  "warnings": [],
  "errors": []
}

Failures return structured errors with actionable hints:

{
  "ok": false,
  "command": "decode",
  "data": {},
  "warnings": [],
  "errors": [
    {
      "code": "DBC_LOAD_FAILED",
      "message": "Failed to parse DBC file.",
      "hint": "Validate the DBC syntax and line endings."
    }
  ]
}

Philosophy

  • CLI is the contract
  • Protocol semantics over raw frames
  • Structured outputs over formatted text
  • Reproducible workflows over ad-hoc interaction

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

canarchy-0.8.0.tar.gz (881.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

canarchy-0.8.0-py3-none-any.whl (363.8 kB view details)

Uploaded Python 3

File details

Details for the file canarchy-0.8.0.tar.gz.

File metadata

  • Download URL: canarchy-0.8.0.tar.gz
  • Upload date:
  • Size: 881.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for canarchy-0.8.0.tar.gz
Algorithm Hash digest
SHA256 44be8ad96bd6b9192e084192ec9098d4ae3602525b0da4fe0404925ad6f394d4
MD5 df7e62cb663eeb50164a773606ed63eb
BLAKE2b-256 9d3796864a1c9c0cf11aa915d59165cb4ea3614468ddb474e915699b09bbd916

See more details on using hashes here.

Provenance

The following attestation bundles were made for canarchy-0.8.0.tar.gz:

Publisher: publish.yml on hexsecs/canarchy

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file canarchy-0.8.0-py3-none-any.whl.

File metadata

  • Download URL: canarchy-0.8.0-py3-none-any.whl
  • Upload date:
  • Size: 363.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for canarchy-0.8.0-py3-none-any.whl
Algorithm Hash digest
SHA256 e2f4ebeed01d7a1af8e2f0c8792f0724c7eb0392aaf9fa614d5d550bb8a91b66
MD5 c2012895dd3d54e71c3d8a339516af22
BLAKE2b-256 c3a5a7283be2aec72ddaaca4b0fe17b746674ba3f3b527cfae6a7c4d81dddfbf

See more details on using hashes here.

Provenance

The following attestation bundles were made for canarchy-0.8.0-py3-none-any.whl:

Publisher: publish.yml on hexsecs/canarchy

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page