Hyundai: added safety check for button spam

Author: rbiasini

board/safety/safety_hyundai.h

@@ -6,9 +6,6 @@ const int HYUNDAI_MAX_RATE_DOWN = 7;
 const int HYUNDAI_DRIVER_TORQUE_ALLOWANCE = 50;
 const int HYUNDAI_DRIVER_TORQUE_FACTOR = 2;
 
-int hyundai_brake_prev = 0;
-int hyundai_gas_prev = 0;
-int hyundai_speed = 0;
 int hyundai_camera_detected = 0;
 int hyundai_giraffe_switch_2 = 0;          // is giraffe switch 2 high?
 int hyundai_rt_torque_last = 0;
@@ -67,11 +64,6 @@ static int hyundai_tx_hook(CAN_FIFOMailBox_TypeDef *to_send) {
     return 0;
   }
 
-  // disallow actuator commands if gas or brake (with vehicle moving) are pressed
-  // and the the latching controls_allowed flag is True
-  int pedal_pressed = hyundai_gas_prev || (hyundai_brake_prev && hyundai_speed);
-  int current_controls_allowed = controls_allowed && !pedal_pressed;
-
   uint32_t addr;
   if (to_send->RIR & 4) {
     // Extended
@@ -87,7 +79,7 @@ static int hyundai_tx_hook(CAN_FIFOMailBox_TypeDef *to_send) {
     uint32_t ts = TIM2->CNT;
     int violation = 0;
 
-    if (current_controls_allowed) {
+    if (controls_allowed) {
 
       // *** global torque limit check ***
       violation |= max_limit_check(desired_torque, HYUNDAI_MAX_STEER, -HYUNDAI_MAX_STEER);
@@ -112,12 +104,12 @@ static int hyundai_tx_hook(CAN_FIFOMailBox_TypeDef *to_send) {
     }
 
     // no torque if controls is not allowed
-    if (!current_controls_allowed && (desired_torque != 0)) {
+    if (!controls_allowed && (desired_torque != 0)) {
       violation = 1;
     }
 
     // reset to 0 if either controls is not allowed or there's a violation
-    if (violation || !current_controls_allowed) {
+    if (violation || !controls_allowed) {
       hyundai_desired_torque_last = 0;
       hyundai_rt_torque_last = 0;
       hyundai_ts_last = ts;
@@ -128,6 +120,13 @@ static int hyundai_tx_hook(CAN_FIFOMailBox_TypeDef *to_send) {
     }
   }
 
+  // FORCE CANCEL: safety check only relevant when spamming the cancel button.
+  // ensuring that only the cancel button press is sent (VAL 4) when controls are off.
+  // This avoids unintended engagements while still allowing resume spam
+  if (((to_send->RIR>>21) == 1265) && !controls_allowed && ((to_send->RDTR >> 4) & 0xFF) == 0) {
+    if ((to_send->RDLR & 0x7) != 4) return 0;
+  }
+
   // 1 allows the message through
   return true;
 }

tests/safety/test_honda.py

@@ -108,7 +108,7 @@ def test_alt_disengage_on_brake(self):
     self.safety.set_controls_allowed(1)
     self.safety.honda_rx_hook(self._alt_brake_msg(1))
     self.assertFalse(self.safety.get_controls_allowed())
-    
+
     self.safety.set_honda_alt_brake_msg(0)
     self.safety.set_controls_allowed(1)
     self.safety.honda_rx_hook(self._alt_brake_msg(1))

tests/safety/test_hyundai.py

@@ -32,6 +32,12 @@ def setUp(cls):
     cls.safety.nooutput_init(0)
     cls.safety.init_tests_hyundai()
 
+  def _button_msg(self, buttons):
+    to_send = libpandasafety_py.ffi.new('CAN_FIFOMailBox_TypeDef *')
+    to_send[0].RIR = 1265 << 21
+    to_send[0].RDLR = buttons
+    return to_send
+
   def _set_prev_torque(self, t):
     self.safety.set_hyundai_desired_torque_last(t)
     self.safety.set_hyundai_rt_torque_last(t)
@@ -162,5 +168,19 @@ def test_realtime_limits(self):
       self.assertTrue(self.safety.hyundai_tx_hook(self._torque_msg(sign * (MAX_RT_DELTA + 1))))
 
 
+  def test_spam_cancel_safety_check(self):
+    RESUME_BTN = 1
+    SET_BTN = 2
+    CANCEL_BTN = 4
+    BUTTON_MSG = 1265
+    self.safety.set_controls_allowed(0)
+    self.assertTrue(self.safety.hyundai_tx_hook(self._button_msg(CANCEL_BTN)))
+    self.assertFalse(self.safety.hyundai_tx_hook(self._button_msg(RESUME_BTN)))
+    self.assertFalse(self.safety.hyundai_tx_hook(self._button_msg(SET_BTN)))
+    # do not block resume if we are engaged already
+    self.safety.set_controls_allowed(1)
+    self.assertTrue(self.safety.hyundai_tx_hook(self._button_msg(RESUME_BTN)))
+
+
 if __name__ == "__main__":
   unittest.main()