c9c3cb38f6
* set ford vehicle speed * parse yaw rate signals * misra * misra * misra * misra * draft * update module * already checked * and set it properly * some stuff * draft * clean up (will fail tests because we don't send yaw rate yet) * could do something like this * this is better and less prone to bugs * match simple op limiting, debugging * set checksum for messages in tests * clean up * fix that * one m/s fudge * fix sign of yaw rate * interpolate detects size * forgot OP flips the curvature sign. it matches yaw on can * all my debugging crap * make replay work for ford * fix panda blocking messages (array is fixed size so size-1 is 0 rate at high speed) * uncomment safety test limits * revert * round for zero blocked msgs * fix limits * meas safety checks that down rate is >=, not < * test pass * lots of comments and draft what one meas torque check would look like * fix that * add curvature meas * add debugging stuff * Revert "add debugging stuff" This reverts commit 449783fc625954868a1cfca48a655cac7b074cc1. * messy but at least one test passes now * draft * add max_steer * some safety clean up * and that * start with a test that works * another test that works (sort of, we need more strict panda safety without false positives) * no max curvature check (not safety related), allow any rate limits * add new function * also need to consider max val here, since OP will send up to that * and now use the function * lower to 10 * compilation fixes * clean up (no rate limiting) * remove that too * curvature diff test * more clean up * debug * ? * better names * more official * use _curvature_meas_msg_array here * bit faster * no i don't * revert that * why not just use angle_meas? * bb ll * bb deb * clean up debug vals * more * revert replay drive debugging changes * Update board/safety.h * rm line * only need to round the final thing * not needed, under 10 ms * make a class variable * fix a misra? * another misra? better * ? * 12.1 * need to explicitly convert * add one to not false trigger the violation (float rounding) * not really needed * rm line * cmt * use clamp * rename * in struct * comment * use max_limit_check * draft clean up * Revert "draft clean up" This reverts commit d1a0e8acd1d0eb2bd7b75618c7df14e15c16e134. * make a global make a global * this is fine
Welcome to panda
panda is the nicest universal car interface ever.
It supports 3x CAN, 2x LIN, and 1x GMLAN. It also charges a phone. On the computer side, it has USB.
It uses an STM32F413.
Usage
Setup dependencies:
# Ubuntu
sudo apt-get install dfu-util gcc-arm-none-eabi python3-pip libffi-dev git
# macOS
brew tap ArmMbed/homebrew-formulae
brew install python dfu-util arm-none-eabi-gcc gcc@12
Clone panda repository:
git clone https://github.com/commaai/panda.git
cd panda
Install requirements:
pip install -r requirements.txt
Install library:
python setup.py install
See the Panda class for how to interact with the panda.
For example, to receive CAN messages:
>>> from panda import Panda
>>> panda = Panda()
>>> panda.can_recv()
And to send one on bus 0:
>>> panda.can_send(0x1aa, "message", 0)
Note that you may have to setup udev rules for Linux, such as
sudo tee /etc/udev/rules.d/11-panda.rules <<EOF
SUBSYSTEM=="usb", ATTRS{idVendor}=="bbaa", ATTRS{idProduct}=="ddcc", MODE="0666"
SUBSYSTEM=="usb", ATTRS{idVendor}=="bbaa", ATTRS{idProduct}=="ddee", MODE="0666"
EOF
sudo udevadm control --reload-rules && sudo udevadm trigger
The panda jungle uses different udev rules. See the repo for instructions.
Software interface support
As a universal car interface, it should support every reasonable software interface.
Directory structure
.
├── board # Code that runs on the STM32
├── drivers # Drivers (not needed for use with python)
├── python # Python userspace library for interfacing with the panda
├── tests # Tests and helper programs for panda
Programming
See board/README.md
Debugging
To print out the serial console from the STM32, run tests/debug_console.py
Safety Model
When a panda powers up, by default it's in SAFETY_SILENT mode. While in SAFETY_SILENT mode, the buses are also forced to be silent. In order to send messages, you have to select a safety mode. Currently, setting safety modes is only supported over USB. Some of safety modes (for example SAFETY_ALLOUTPUT) are disabled in release firmwares. In order to use them, compile and flash your own build.
Safety modes optionally supports controls_allowed, which allows or blocks a subset of messages based on a customizable state in the board.
Code Rigor
The panda firmware is written for its use in conjuction with openpilot. The panda firmware, through its safety model, provides and enforces the
openpilot safety. Due to its critical function, it's important that the application code rigor within the board folder is held to high standards.
These are the CI regression tests we have in place:
- A generic static code analysis is performed by cppcheck.
- In addition, cppcheck has a specific addon to check for MISRA C:2012 violations. See current coverage.
- Compiler options are relatively strict: the flags
-Wall -Wextra -Wstrict-prototypes -Werrorare enforced. - The safety logic is tested and verified by unit tests for each supported car variant.
- A recorded drive for each supported car variant is replayed through the safety logic to ensure that the behavior remains unchanged.
- An internal Hardware-in-the-loop test, which currently only runs on pull requests opened by comma.ai's organization members, verifies the following functionalities:
- compiling the code and flashing it through USB.
- receiving, sending, and forwarding CAN messages on all buses, over USB.
In addition, we run the pylint and flake8 linters on all python files within the panda repo.
Hardware
Check out the hardware guide
Licensing
panda software is released under the MIT license unless otherwise specified.