80782bcbe4
* simple lta safety
* fix compilation error
* allow current angle when disabled
* toyota angle rate limits
* use GET_BIT
* update limits, temp fix blocked msgs (not critical safety)
* try these limits
* debug
* add setme check, double rate limit for half rate
* update safety limits to openpilot (2 bp)
* had duplicate checks here
* rm line
* better comment
* silly bug
* draft
* Revert "draft"
This reverts commit 756ef70135.
* toyota: add safety for tester present
* block ACC_HUD
* check stock ECU
* add test
* and now pass test
* safety replay: support toyota lta
* remove radar stuff
* max torque safety
max torque safety
* driver torque
* one line
* match openpilot limits
* rename to max_angle and check quality flag
* measure current angle
* clean up
* oh we can combine
* no driver torque limiting for now
* todo: decide the tolerance if any
* add max angle and prepare for to enable inactive safety
* enable inactive safety
* fix replay when inactive
fix replay when inactive
* fix qf check
* ohh this was a bug
* measure vehicle speed
* because safety is in m/s
* rm MeasurementSafetyTest
* stash very draft changes
* fix
* uncomment
* clean up
* rm
* already added
* clean up
* temp fix
* test angle measurements
* add constant
* ltl cleanup
* include this test in test_angle_measurements
* better
* order makes more sense
* fix
* clean up ford cmts
* move to base
* todo
* misra
* already do this below
* angle tests: take in max angle as argument
useful for safety modes that are limited (ford/toyota)
* fix ramp test: round measurement since toyota's scale isn't round
* clean that up
* no subtest
* back
* is tested now!
* flat is more clear
* add check for mismatching bits
* LTA is fully tested now
* clean up
* test_angle_cmd_when_enabled
* whops
* flip
* fix broken test
* need this if we type angle meas func
* should set prev torque
* no subtest
* remove default valid qf
spce
* one line
* cmt
* fixes
* vehicle speed macro
* vehicle speed macro v2
* Update board/safety_declarations.h
* easier to follow
* one line
* rightttt
* rename to toyota_lka_rx_checks, not default
Welcome to panda
panda is the nicest universal car interface ever.
panda speaks CAN, CAN FD, LIN, and GMLAN. panda supports STM32F205, STM32F413, and STM32H725.
Usage
Setup dependencies:
# Ubuntu
sudo apt-get install dfu-util gcc-arm-none-eabi python3-pip libffi-dev git
# macOS
brew install --cask gcc-arm-embedded
brew install python3 dfu-util gcc@13
Clone panda repository:
git clone https://github.com/commaai/panda.git
cd panda
Install requirements:
pip install -r requirements.txt
Install library:
python setup.py install
See the Panda class for how to interact with the panda.
For example, to receive CAN messages:
>>> from panda import Panda
>>> panda = Panda()
>>> panda.can_recv()
And to send one on bus 0:
>>> panda.can_send(0x1aa, "message", 0)
Note that you may have to setup udev rules for Linux, such as
sudo tee /etc/udev/rules.d/11-panda.rules <<EOF
SUBSYSTEM=="usb", ATTRS{idVendor}=="bbaa", ATTRS{idProduct}=="ddcc", MODE="0666"
SUBSYSTEM=="usb", ATTRS{idVendor}=="bbaa", ATTRS{idProduct}=="ddee", MODE="0666"
EOF
sudo udevadm control --reload-rules && sudo udevadm trigger
The panda jungle uses different udev rules. See the repo for instructions.
Software interface support
As a universal car interface, it should support every reasonable software interface.
Directory structure
.
├── board # Code that runs on the STM32
├── drivers # Drivers (not needed for use with python)
├── python # Python userspace library for interfacing with the panda
├── tests # Tests and helper programs for panda
Programming
See board/README.md
Debugging
To print out the serial console from the STM32, run tests/debug_console.py
Safety Model
When a panda powers up, by default it's in SAFETY_SILENT mode. While in SAFETY_SILENT mode, the buses are also forced to be silent. In order to send messages, you have to select a safety mode. Currently, setting safety modes is only supported over USB. Some of safety modes (for example SAFETY_ALLOUTPUT) are disabled in release firmwares. In order to use them, compile and flash your own build.
Safety modes optionally supports controls_allowed, which allows or blocks a subset of messages based on a customizable state in the board.
Code Rigor
The panda firmware is written for its use in conjuction with openpilot. The panda firmware, through its safety model, provides and enforces the
openpilot safety. Due to its critical function, it's important that the application code rigor within the board folder is held to high standards.
These are the CI regression tests we have in place:
- A generic static code analysis is performed by cppcheck.
- In addition, cppcheck has a specific addon to check for MISRA C:2012 violations. See current coverage.
- Compiler options are relatively strict: the flags
-Wall -Wextra -Wstrict-prototypes -Werrorare enforced. - The safety logic is tested and verified by unit tests for each supported car variant.
- A recorded drive for each supported car variant is replayed through the safety logic to ensure that the behavior remains unchanged.
- An internal Hardware-in-the-loop test, which currently only runs on pull requests opened by comma.ai's organization members, verifies the following functionalities:
- compiling the code and flashing it through USB.
- receiving, sending, and forwarding CAN messages on all buses, over USB.
In addition, we run the ruff linter on all python files within the panda repo.
Hardware
Check out the hardware guide
Licensing
panda software is released under the MIT license unless otherwise specified.