Scribd
Upload
31 views27 pages

CarHacking 101 Rev2

Uploaded by

pcmac wall12
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
31 views27 pages

CarHacking 101 Rev2

Uploaded by

pcmac wall12
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 27

THE INFAMOUS CAR HACKING TALK

AKA INTRO TO CAR HACKING


SPONSORED BY MACCHINA
WHOAMI
• Zach Zaffis, Most of you know me, if not, hi I’m Zach
• President of SecIC
• Works for ProCircular doing security things
• Has a friend named Will (@WillCaruana) who’s an “alcohol fueled high voltage wizard”
• Who has spurred my cybering hardcore and should be an inspiration to us all
• I am by no means a car hacking expert, despite anything you have heard. Seriously,
Depaepe and I sat down at a table at GrrCon last year and bashed or heads against
this shit writing shell scripts and what not till we won second place. If we can do it you can
do it! And here’s how!

@ZuluAlphaFoxTwo
WHAT IS CAR HACKING?
ITS KINDA LIKE OTHER HACKING, BUT WITH CARS….
SO WHERE TO START
THERE ARE MULTIPLE PROTOCOLS GOING ON IN THE CAR AT ANY GIVEN TIME
A GOOD PLACE TO START IS THE CANBUS
THE CAN BUS
SO WHAT IS CAN?

CAN is a simple protocol used in manufacturing and in the automobile industry.


Modern vehicles are full of little embedded systems and electronic control units (ECUs)
that can communicate using the CAN protocol.
HOW IT WORKS
Notes:
CAN runs on two wires: CAN high (CANH) and CAN low (CANL). CAN uses differential signaling
which means that when a signal comes in, CAN raises the voltage on one line and drops the other line an equal amount
CAN PACKET LAYOUT

Notes:
Arb Id’s run from 000-7FF
Data is sent in hex code so a single data bit length is 00 while two bit length is 00 00
with a maximim of 8 bits for standard frames you will have 16 digits. 00 00 00 00 00 00 00 00 00 00 00
TYPES OF CAN FRAMES

Notes:
• Extended Packets All of these protocols run on the can bus,
We wont be digging into any of these till later sessions,
• The ISO-TP Protocol But just note, that the canbus is just a carrier for multiple protocols.

• The CANopen Protocol There are also much more than this list.

• The GMLAN Bus


• The SAE J1850 Protocol
• The PWM Protocol
• The VPW Protocol
RIGHT SO LETS CONNECT!

• I advise moving in the digital realm first.


OPEN THE VM!

• If you are following along, here’s the vm specifics.


• (adjust the cores down to one. Sorry I did ram but missed CPU before packing it)
• U: carhacking
• P: hackingcar
• Open a terminal
WHAT ARE WE USING?

• SocketCan (CanUtils)
• Set of open source CAN drivers and a networking stack contributed by Volkswagen
Research to the Linux kernel. Formerly known as Low Level CAN Framework (LLCF).

• ICSim
• Instrument Cluster Simulator: A virtual cluster simulator by OpenGarages Craig, form
about 4 years ago or so.
LETS GET INTO IT

• Cd into the ICS folder on the desktop


• Run the Setup vcan script in the folder (sudo yo!)
• This script sets up the virtual can interface
• If config
• You should see a vcan interface
• Good to start the sim
LET’S BUILD A CLUSTER

• Run the icsim program (./icsim [options] [interface])


• -r randomizes, -s seed value, -d debug
• No random for this round, Let’s learn together
./icsim –s 0 vcan0

• Now lets openup terminator


• Single pane multi terminal
YOU NOW HAVE A VIRTUAL CAR!

• So now lets hack!


• From here its basically a mix of RE and traffic sniffing.
WHAT YOU’LL USE

• candump
• Dumps can bus to a file
• cangen
• Generate can frames based on inputs
• canplayer
• Replays candump files
CANDUMP

• candump –l to dump to file (that’s an lowercase ‘L’)


• candump –c –c vcan0 in another window to watch active can traffic
• There is none till we start sending because we are cheating.
CANGEN [OPTIONS] [INTERFACE]
• The basics of RE for this is to fuzz from bottom to top.
• -I
• I for ID/arb ID
• -r for random (good for fuzzing or making the cluster dance and sing)
• -i for increment, starts at 000 all the way up to 7FF
• -g delay in ms
• -D
• Data to send -r for random, or define manually
• -L
• Length of the packet sent
• Without it it will pad out
SO LETS LOOK AT A BASIC START

• cangen –I i –D FFFF –L 2 –g 20 vcan0


• This will send a can packet to the bus starting at 000xFFFF all the way to 7FFxFFFF
• Now watch for a change
• When we see a change stop down can dump and then the fun begins.
GOT SOMETHING!

• Once you have a change on the icsim virtual cluster, stop the dump, and stop
the can gen
• Run cangen –I i –d 0000 –L 2 –g 5 vcan0
• This will ‘clear the board’ and potentially reset the changes. Alternate is you can stop icsim
and restart it with the same seed number

• Gedit (if you have a mouse) the can dump file and we use the rule of 50% to
start the RE
RULE OF 50%

• Rule of 50% is take any problem and find a logical middle point, then cut in
in half from there.
• Is the issue external or internal? Cut there and test. Is the issue system or user level? Cut
there and test. So on and so forth.
• General engineering technique to problem solve.
• So in this instance we will look at line count and cut (yes cut) about half off.
• Pick about half, ctrl+X then Ctrl+S
CAN PLAYER TO THE RECUE!

• So now pwe play the file back with can player.


• Canplayer –i <candump.xxxxx> vcan0=vcan0
• Hit go and watch the icsim board, if the change happens then the arb Id lives in the
packets in the file.
• If it doesn’t change then pop back into the file and select all, paste the clipboard contents
save and run canplayer again.

• This is the process you will now follow until you whittle down the arb id to the
single known value.
ARB ID OBTAINED!

• So with that arb ID we can now try and manipulate further.


• Use cansend now to manipulate the packet as you please to see if there are other combinations of
data that will work
• cansend vcan0 arbid#Data
• Try something like, just a single set of FF’s
• Now try 01
• Now 11
• Now 02
• Now a0
• Go nuts
SO THERE YOU GO THE UTMOST BASICS!

• Lets add a little realism to it now.


• The can is NEVER this quiet
• ICS comes with a canbus emulator as well! Its an awesome tool!
CONTROLS ABOUND

Controls [options] [can interface]


./controls –s 0 –l 0 vcan0
THIS IS MORE LIKE IT!

• So the controller it brings up gives you the ability to play parts of the car
• Capture RE and replay, all the same idea just much more convoluted.
SO THAT’S WHERE I’LL LEAVE YOU

• There will be more car hacking talks to come! (lots)


• The 201 is all about how to connect on up to an actual car!
RESOURCES

• Macchina.cc
• Great forums with plenty of help
• Carhackingvillage.com
• Has the car hackers handbook available and good resources (also on the OVF to
accompany slides)

• https://github.com/zombieCraig/ICSim
• Icsim github page

You might also like