Basics of Car Hacking
For the HITB Virtual Labs, kindly download the following before proceeding
1) Install the script located in our github OR
2) Install both can-utils and ICSim
2a) can-utils: https://github.com/linux-can/can-utils
2b) ICSim: https://github.com/zombieCraig/ICSim
Main communication protocol within vehicles
(a) Vehicle CAN Bus
Known as the Controller Area Network (CAN), it serves as one of the main communication protocols within the vehicle by continuously transmitting data between devices such as the Electronic Control Units (ECUs).
Traffic on the CAN bus is carried in CAN frames, which are made up of several fields.
In a normal CAN frame, the focus of interest will be on the Arbitration field, Data Length and Data Field.
The Arbitration field contains 11 bits and is what forms the identifier (ID) and priority of the message.
- Arbitration ID is proprietary to each make and model of the vehicle.
Data length contains 4 bits and determines how many bytes of data are being transmitted.
Data field contains 8 bytes and is the payload transmitted.
List of open source tools
Below is a list of open source tools that you can use; however, in this article, we will be talking about can-utils.
Octane CAN Bus Sniffer
so on and so forth..
The distribution for can-utils can be found here: https://github.com/linux-can/can-utils
Can-utils is built on SocketCAN and has the ability to display, record, generate and replay CAN traffic. It works on both virtual CAN interfaces and physical CAN interfaces. However, to use can-utils on a physical interface, we will need a device to translate between USB and CAN messages (i.e. CANable, Teensy, PiCAN etc.)
There are also other functionalities of can-utils (i.e. Ability to work on ISO-TP Protocol, measurement, log file converters etc.)
For more information, check out the github repository.
Basic CAN commands on can-utils include:
cansend command: To send a single CAN frame
cansend <interface> <CAN_ID>#<data> (up to 8 data bytes)
E.g. cansend slcan0 12F#FF.FF.FF.FF.FF.FF.FF.FF
candump command: To display, filter and log CAN data to files
To create a candump log file, run candump with the -l option (enable logging to a log file):
E.g. candump -l slcan0
The candump log file will be in the format:
Canplayer command: Provides the ability to replay CAN log files
To replay the CAN bus traffic captured earlier, type the following command:
canplayer -I candump-YYYY-MM-DD-time.log
E.g. canplayer -I candump-2019-10-09_131940.log
(canplayer reads the log file with -I; its -l option is the loop count, not the input file.)
Cangen command: Allows the generation of random CAN traffic which can perform fuzzing
E.g. cangen slcan0 -v
cansniffer command: Allows the sniffing of CAN traffic and display CAN data content differences (i.e. -c to show color)
cansniffer -c slcan0
Essentially, candump and cansniffer are pretty similar; however, candump dumps all traffic for analysing later, whereas cansniffer displays the differences in CAN data content on a fixed page.
There are many ways to practice the above can commands on multiple platforms (i.e. physical benches, actual vehicles, virtual platforms)
We will be utilizing ICSim (https://github.com/zombieCraig/ICSim) to practice the above can commands.
Install can-utils first, followed by the library distribution:
sudo apt-get install libsdl2-dev libsdl2-image-dev can-utils
Setup virtual can interface:
sudo modprobe can
sudo modprobe vcan
sudo ip link add dev vcan0 type vcan
sudo ip link set up vcan0
Or you can utilise our script on github - https://gist.github.com/CSQDiv0/3b06fa443ab67b304ebacf6243ec78fd
Ensure that your lib.o is linking well, if not you can utilise the compiled lib.o from can-utils.
Once can-utils and ICSim installation are completed, open up 3 windows:
1) Cansniffer window
Command to launch cansniffer:
cansniffer -c vcan0
2) ICSim window
Command to launch ICSim:
3) Controls window
Command to launch controls:
When all three windows are open, you should see the following:
When many CAN IDs are being transmitted at once, to reverse engineer which CAN ID on vcan0 belongs to a given control, look for a byte in the data field that changes to RED (cansniffer highlights bytes that differ from the previous frame). Some practice is required to notice it.
The byte values are shown in hex, so each digit ranges from 0 to F.
For example, locate the acceleration CAN ID by pressing the up arrow key and looking for the value that changes to red.
To display only one CAN ID, first click the cansniffer window and type -000000 and press enter to remove all CAN IDs in the window.
Press + and type in the desired [CAN ID], and enter.
For example, if you enter the acceleration CAN ID found above and press the UP-arrow key again, the window should display only the +[CAN ID] line.
To include all CAN IDs back in the cansniffer window, press +000000
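The same changing-byte analysis that cansniffer does on screen can be done offline over a candump log, which is useful for checking a capture after the fact. The script below is an added example (not part of can-utils or ICSim): it assumes the candump -l line format "(timestamp) interface ID#HEXDATA", validates the 11-bit arbitration ID and 8-byte data limit described above, and reports which byte positions change per ID over a constructed sample capture.

```python
import re
from collections import defaultdict

# candump -l writes one frame per line as "(timestamp) interface ID#HEXDATA".
# This format is an assumption of the example; the page shows the command only.
LOG_LINE = re.compile(
    r"^\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$"
)

def parse_line(line):
    """Return (timestamp, can_id, data bytes) or raise ValueError.
    Rejects IDs that do not fit the 11-bit arbitration field and data
    fields longer than the 8 bytes a classic CAN frame can carry."""
    m = LOG_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a candump log line: {line!r}")
    can_id = int(m["id"], 16)
    if can_id > 0x7FF:
        raise ValueError(f"ID {can_id:X} does not fit in 11 bits")
    data = bytes.fromhex(m["data"])
    if len(data) > 8:
        raise ValueError(f"data field is {len(data)} bytes, max 8")
    return float(m["ts"]), can_id, data

def changing_bytes(lines):
    """Like cansniffer's red highlighting: for each ID, collect the byte
    positions that ever differ from the previous frame with that ID.
    Returns {can_id: sorted list of positions} (empty list = constant)."""
    last = {}
    changed = defaultdict(set)
    for line in lines:
        _, can_id, data = parse_line(line)
        if can_id in last:
            for i, (a, b) in enumerate(zip(last[can_id], data)):
                if a != b:
                    changed[can_id].add(i)
        last[can_id] = data
        changed.setdefault(can_id, set())
    return {cid: sorted(pos) for cid, pos in changed.items()}

# Constructed sample capture (not a real ICSim log): ID 244 has byte 4
# climbing while a key is held, ID 19B is constant, ID 188 toggles byte 0.
SAMPLE_LOG = """\
(1570599580.000000) vcan0 244#0000000001000000
(1570599580.010000) vcan0 19B#000000000000
(1570599580.020000) vcan0 244#0000000005000000
(1570599580.030000) vcan0 188#00000000
(1570599580.040000) vcan0 244#000000000A000000
(1570599580.050000) vcan0 188#01000000
(1570599580.060000) vcan0 19B#000000000000
""".splitlines()

if __name__ == "__main__":
    for cid, pos in sorted(changing_bytes(SAMPLE_LOG).items()):
        print(f"{cid:03X}: changing byte positions {pos or 'none'}")
```

Feed it the lines of a real candump-*.log to get the same ID shortlist you would otherwise pick out by eye in the cansniffer window.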