Basics of Car Hacking


For the HITB Virtual Labs, kindly download the following before proceeding

1) Install the setup script from our GitHub gist, OR

https://gist.github.com/CSQDiv0/3b06fa443ab67b304ebacf6243ec78fd


2) Install both can-utils and ICSim

2a) can-utils: https://github.com/linux-can/can-utils

2b) ICSim: https://github.com/zombieCraig/ICSim



Main communication protocol within vehicles

(a) Vehicle CAN Bus

The Controller Area Network (CAN) bus is one of the main communication protocols within a vehicle: it continuously carries data between devices such as the Electronic Control Units (ECUs).


The CAN bus carries CAN frames, which are made up of several fields.

In a normal CAN frame, the fields of interest are the arbitration field, the data length and the data field.

  • The arbitration field contains 11 bits and forms the identifier (ID) and priority of the message.

- The arbitration ID is proprietary to each make and model of vehicle.

  • The data length contains 4 bits and determines how many bytes of data are being transmitted.

  • The data field contains 8 bytes and is the payload being transmitted.

List of open source tools

Below is a list of open source tools that you can use; however, in this article we will be talking about can-utils.

  • Can-utils

  • BUSmaster

  • SavvyCAN

  • Octane CAN Bus Sniffer

and so on.


Can-utils

The can-utils source can be found here: https://github.com/linux-can/can-utils


can-utils is built on SocketCAN and has the ability to display, record, generate and replay CAN traffic. It works on both virtual CAN interfaces and physical CAN interfaces. For a physical interface, however, you will need a device that translates between USB and CAN (e.g. CANable, Teensy, PiCAN).


can-utils also offers other functionality (e.g. support for the ISO-TP protocol, bus measurement, log file converters).

For more information, check out the GitHub repository.


Basic CAN commands on can-utils include:


cansend interface

  • cansend command: sends a single CAN frame

cansend interface CAN_ID#data (up to 8 data bytes in hex, optionally separated by dots)
E.g. cansend slcan0 12F#FF.FF.FF.FF.FF.FF.FF.FF

(Screenshot: cansniffer output)


candump interface

  • candump command: displays, filters and logs CAN data to files

To create a candump log file, use the -l option, which enables logging to a logfile:

E.g. candump -l slcan0

The candump log file will be in the format:

candump-YYYY-MM-DD_time.log

canplayer interface

  • canplayer command: provides the ability to replay CAN log files

To replay the CAN bus traffic captured earlier, pass the log file with the -I option (canplayer's -l option is the loop count, not the input file):

canplayer -I candump-YYYY-MM-DD_time.log
E.g. canplayer -I candump-2019-10-09_131940.log

cangen interface

  • cangen command: generates random CAN traffic, which can be used for fuzzing

E.g. cangen -v slcan0

cansniffer interface

  • cansniffer command: sniffs CAN traffic and displays the differences in CAN data content (the -c option colours the bytes that changed)

cansniffer -c slcan0

Essentially, candump and cansniffer are pretty similar; however, candump dumps all traffic to be analysed later, whereas cansniffer displays the differences in CAN data content on a fixed page, one line per CAN ID.



ICSim


There are many ways to practise the above CAN commands on multiple platforms (e.g. physical benches, actual vehicles, virtual platforms).


We will be using ICSim (https://github.com/zombieCraig/ICSim) to practise the above CAN commands.


Install can-utils together with the SDL2 libraries that ICSim depends on:

sudo apt-get install libsdl2-dev libsdl2-image-dev can-utils  

Set up the virtual CAN interface:

  sudo modprobe can
  sudo modprobe vcan
  sudo ip link add dev vcan0 type vcan
  sudo ip link set up vcan0

Or you can use our script on GitHub: https://gist.github.com/CSQDiv0/3b06fa443ab67b304ebacf6243ec78fd


Ensure that your lib.o links correctly; if it does not, you can use the lib.o compiled from can-utils.


Once the can-utils and ICSim installations are complete, open up 3 windows:

1) cansniffer window

Command to launch cansniffer:

cansniffer -c vcan0

2) ICSim window

Command to launch ICSim:

./icsim vcan0

3) Controls window

Command to launch controls:

./controls vcan0

When all three windows are open, you should see the following:


In an environment where many CAN IDs are being generated, to reverse engineer the correct CAN ID on vcan0 you will have to look for a byte in the data field that changes to RED (some practice is required to notice it).
The byte value counts up in hex, from 0 to F.

For example, to locate the acceleration CAN ID, press the up arrow key and look for the value that changes to red.
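The same "which bytes are changing" check can be done offline on a candump -l log file. This is an added example, not code from the blog or from can-utils: it parses the candump log line format (timestamp, interface, ID#hexdata) described in the CAN frame and candump sections above, and reports for each arbitration ID which byte positions changed between consecutive frames, which is what cansniffer highlights in red. The sample log and its IDs are constructed, not a real ICSim capture.

```python
import re
from collections import defaultdict

# candump -l writes one frame per line as: (timestamp) interface ID#HEXDATA
LOG_LINE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)

def parse_frame(line):
    """Split one candump log line into (timestamp, interface, arbitration id, data bytes).
    Returns None for lines that are not classic CAN data frames (e.g. RTR or CAN FD)."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    data = bytes.fromhex(m["data"])
    if len(data) > 8:  # a classic CAN data field holds at most 8 bytes
        raise ValueError("data field longer than 8 bytes: %s" % line)
    return float(m["ts"]), m["iface"], int(m["id"], 16), data

def changed_bytes(log_lines):
    """Return {arbitration id: set of byte positions that changed between frames}.
    IDs whose payload never changes are left out, mirroring cansniffer's red marking."""
    last = {}
    changes = defaultdict(set)
    for line in log_lines:
        frame = parse_frame(line)
        if frame is None:
            continue
        _, _, can_id, data = frame
        prev = last.get(can_id)
        if prev is not None:
            for pos, (old, new) in enumerate(zip(prev, data)):
                if old != new:
                    changes[can_id].add(pos)
        last[can_id] = data
    return dict(changes)

# Constructed sample log (not a real capture): ID 0x244 counts up in byte 5 while the
# driver presses the up arrow, ID 0x19B stays static, ID 0x188 is unrelated noise in byte 0.
SAMPLE_LOG = """\
(1570597180.000001) vcan0 19B#000000000000
(1570597180.000002) vcan0 244#0000000000100000
(1570597180.010000) vcan0 188#01000000
(1570597180.020000) vcan0 244#0000000000200000
(1570597180.030000) vcan0 19B#000000000000
(1570597180.040000) vcan0 244#0000000000300000
(1570597180.050000) vcan0 188#02000000
"""

if __name__ == "__main__":
    for can_id, positions in sorted(changed_bytes(SAMPLE_LOG.splitlines()).items()):
        print("ID %03X changes at byte(s) %s" % (can_id, sorted(positions)))
```

Run it against a real log with `changed_bytes(open("candump-YYYY-MM-DD_time.log"))` while pressing one control in ICSim, and the ID whose byte keeps changing is the candidate; static IDs never appear in the result.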


TIPS

  • To display only one CAN ID, first click the cansniffer window, type -000000 and press enter to remove all CAN IDs from the window.

  • Press + and type in the desired [CAN ID], then press enter.

  • For example, if you enter the acceleration CAN ID found above and press the UP arrow key again, only the +[CAN ID] line should be displayed.

  • To include all CAN IDs back in the cansniffer window, type +000000 and press enter.



©2020 by Car Security Quarter (CSQ) Blog.