THE CAR HACKER’S HANDBOOK. Copyright © 2016 by Craig Smith. All rights reserved.
No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher. About the Author Craig Smith () runs Theia Labs, a security research firm that focuses on security auditing and building hardware and software prototypes. He is also one of the founders of the Hive13 Hackerspace and Open Garages (@OpenGarages). He has worked for several auto manufacturers, where he provided public research on vehicle security and tools.
His specialties are reverse engineering and penetration testing. This book is largely a product of Open Garages and Craig’s desire to get people up to speed on auditing their vehicles. FOREWORD The world needs more hackers, and the world definitely needs more car hackers. Vehicle technology is trending toward more complexity and more connectivity. Combined, these trends will require a greater focus on automotive security and more talented individuals to provide this focus. But what is a hacker?
The term is widely corrupted by the mainstream media, but correct use of the term hacker refers to someone who creates, who explores, who tinkers—someone who discovers by the art of experimentation and by disassembling systems to understand how they work. In my experience, the best security professionals (and hobbyists) are those who are naturally curious about how things work. These people explore, tinker, experiment, and disassemble, sometimes just for the joy of discovery. These people hack. A car can be a daunting hacking target.
Solutions and systems for soldering, rework and repair of electronics www.paceworldwide.com. Hand Soldering Manual for Rework / Repair & Assembly. In the three basic processes of Non-destructive Component Removal, Surface Mount Land. For example many ceramic chip capacitor.
Most cars don’t come with a keyboard and login prompt, but they do come with a possibly unfamiliar array of protocols, CPUs, connectors, and operating systems. This book will demystify the common components in cars and introduce you to readily available tools and information to help get you started. By the time you’ve finished reading the book, you’ll understand that a car is a collection of connected computers—there just happen to be wheels attached. Armed with appropriate tooling and information, you’ll have the confidence to get hacking. This book also contains many themes about openness.
We’re all safer when the systems we depend upon are inspectable, auditable, and documented—and this definitely includes cars. So I’d encourage you to use the knowledge gained from this book to inspect, audit, and document. I look forward to reading about some of your discoveries! Chris Evans () January 2016. ACKNOWLEDGMENTS Thanks to the Open Garages community for contributing time, examples, and information that helped make this book possible.
Thanks to the Electronic Frontier Foundation (EFF) for supporting the Right to Tinker and just generally being awesome. Thanks to Dave Blundell for contributing several chapters of this book, and to Colin O’Flynn for making the ChipWhisperer and letting me use his examples and illustrations. Finally, thanks to Eric Evenchick for single-handedly reviewing all of the chapters of this book, and special thanks to No Starch Press for greatly improving the quality of my original ramblings.
In 2014, Open Garages—a group of people interested in sharing and collaborating on vehicle security—released the first Car Hacker’s Manual as course material for car hacking classes. The original book was designed to fit in a vehicle’s glove box and to cover the basics of car hacking in a one- or two-day class on auto security. Little did we know how much interest there would be in that that first book: we had over 300,000 downloads in the first week. In fact, the book’s popularity shut down our Internet service provider (twice!) and made them a bit unhappy with us. (It’s okay, they forgave us, which is good because I love my small ISP.
Hi SpeedSpan.net!) The feedback from readers was mostly fantastic; most of the criticism had to do with the fact that the manual was too short and didn’t go into enough detail. This book aims to address those complaints. The Car Hacker’s Handbook goes into a lot more detail about car hacking and even covers some things that aren’t directly related to security, like performance tuning and useful tools for understanding and working with vehicles. Why Car Hacking Is Good for All of Us If you’re holding this book, you may already know why you’d want to hack cars. But just in case, here’s a handy list detailing the benefits of car hacking: Understanding How Your Vehicle Works The automotive industry has churned out some amazing vehicles, with complicated electronics and computer systems, but it has released little information about what makes those systems work.
Once you understand how a vehicle’s network works and how it communicates within its own system and outside of it, you’ll be better able to diagnose and troubleshoot problems. Working on Your Vehicle’s Electrical Systems As vehicles have evolved, they’ve become less mechanical and more electronic. Unfortunately, automotive electronics systems are typically closed off to all but the dealership mechanics. While dealerships have access to more information than you as an individual can typically get, the auto manufacturers themselves outsource parts and require proprietary tools to diagnose problems. Learning how your vehicle’s electronics work can help you bypass this barrier.
Modifying Your Vehicle Understanding how vehicles communicate can lead to better modifications, like improved fuel consumption and use of third-party replacement parts. Once you understand the communication system, you can seamlessly integrate other systems into your vehicle, like an additional display to show performance or a third-party component that integrates just as well as the factory default. Discovering Undocumented Features Sometimes vehicles are equipped with features that are undocumented or simply disabled. Discovering undocumented or disabled features and utilizing them lets you use your vehicle to its fullest potential. For example, the vehicle may have an undocumented “valet mode” that allows you to put your car in a restricted mode before handing over the keys to a valet.
Validating the Security of Your Vehicle As of this writing, vehicle safety guidelines don’t address malicious electronic threats. While vehicles are susceptible to the same malware as your desktop, automakers aren’t required to audit the security of a vehicle’s electronics. This situation is simply unacceptable: we drive our families and friends around in these vehicles, and every one of us needs to know that our vehicles are as safe as can be. If you learn how to hack your car, you’ll know where your vehicle is vulnerable so that you can take precautions and be a better advocate for higher safety standards. Helping the Auto Industry The auto industry can benefit from the knowledge contained in this book as well. This book presents guidelines for identifying threats as well as modern techniques to circumvent current protections. In addition to helping you design your security practice, this book offers guidance to researchers in how to communicate their findings.
Today’s vehicles are more electronic than ever. In a report in IEEE Spectrum titled “This Car Runs on Code,” author Robert N. Charette notes that as of 2009 vehicles have typically been built with over 100 microprocessors, 50 electronic control units, 5 miles of wiring, and 100 million lines of code ( ). Engineers at Toyota joke that the only reason they put wheels on a vehicle is to keep the computer from scraping the ground.
As computer systems become more integral to vehicles, performing security reviews becomes more important and complex. WARNING Car hacking should not be taken casually. Playing with your vehicle’s network, wireless connections, onboard computers, or other electronics can damage or disable it. Be very careful when experimenting with any of the techniques in this book and keep safety as an overriding concern. As you might imagine, neither the author nor the publisher of this book will be held accountable for any damage to your vehicle. What’s in This Book The Car Hacker’s Handbook walks you through what it takes to hack a vehicle. We begin with an overview of the policies surrounding vehicle security and then delve in to how to check whether your vehicle is secure and how to find vulnerabilities in more sophisticated hardware systems.
Here’s a breakdown of what you’ll find in each chapter: • teaches you how to assess a vehicle. You’ll learn how to identify areas with the highest risk components. If you work for the auto industry, this will serve as a useful guide for building your own threat model systems.
• details the various bus networks you may run into when auditing a vehicle and explores the wiring, voltages, and protocols that each bus uses. • shows how to use the SocketCAN interface on Linux to integrate numerous CAN hardware tools so that you can write or use one tool regardless of your equipment. • covers how to read engine codes, the Unified Diagnostic Services, and the ISO-TP protocol. You’ll learn how different module services work, what their common weaknesses are, and what information is logged about you and where that information is stored. • details how to analyze the CAN network, including how to set up virtual testing environments and how to use CAN security–related tools and fuzzers. • focuses on the firmware that runs on the ECU. You’ll discover how to access the firmware, how to modify it, and how to analyze the firmware’s binary data.
• explains how to remove parts from a vehicle to set up a safe testing environment. It also discusses how to read wiring diagrams and simulate components of the engine to the ECU, such as temperature sensors and the crank shaft. • covers integrated circuit debugging pins and methodologies.
We also look at side channel analysis attacks, such as differential power analysis and clock glitching, with step-by-step examples. • details how infotainment systems work. Because the in-vehicle infotainment system probably has the largest attack surface, we’ll focus on different ways to get to its firmware and execute on the system. This chapter also discusses some open source in-vehicle infotainment systems that can be used for testing.
• explains how the proposed vehicle-to-vehicle network is designed to work. This chapter covers cryptography as well as the different protocol proposals from multiple countries. We’ll also discuss some potential weaknesses with vehicle-to-vehicle systems. • details how to turn your research into a working exploit.
You’ll learn how to convert proof-of-concept code to assembly code, and ultimately shellcode, and you’ll examine ways of exploiting only the targeted vehicle, including ways to probe a vehicle undetected. • covers how to use software-defined radio to analyze wireless communications, such as TPMS, key fobs, and immobilizer systems.
We review the encryption schemes you may run into when dealing with immobilizers as well as any known weaknesses. • discusses techniques used to enhance and modify a vehicle’s performance. We’ll cover chip tuning as well as common tools and techniques used to tweak an engine so it works the way you want it to. • provides a list of software and hardware tools that will be useful when building your automotive security lab. • lists some common modes and handy PIDS.
• explains how to get involved in the car hacking community and start your own Open Garage. By the end of the book, you should have a much deeper understanding of how your vehicle’s computer systems work, where they’re most vulnerable, and how those vulnerabilities might be exploited.
If you come from the software penetrationtesting world, you’re probably already familiar with attack surfaces. For the rest of us, attack surface refers to all the possible ways to attack a target, from vulnerabilities in individual components to those that affect the entire vehicle. When discussing the attack surface, we’re not considering how to exploit a target; we’re concerned only with the entry points into it. You might think of the attack surface like the surface area versus the volume of an object.
Two objects can have the same volume but radically different surface areas. The greater the surface area, the higher the exposure to risk. If you consider an object’s volume its value, our goal in hardening security is to create a low ratio of risk to value. Finding Attack Surfaces When evaluating a vehicle’s attack surface, think of yourself as an evil spy who’s trying to do bad things to a vehicle.
To find weaknesses in the vehicle’s security, evaluate the vehicle’s perimeter, and document the vehicle’s environment. Be sure to consider all the ways that data can get into a vehicle, which are all the ways that a vehicle communicates with the outside world.
As you examine the exterior of the vehicle, ask yourself these questions: • What signals are received? Distance sensors? • Is there physical keypad access?
• Are there touch or motion sensors? • If the vehicle is electric, how does it charge? As you examine the interior, consider the following: • What are the audio input options: CD?
• Are there diagnostic ports? • What are the capabilities of the dashboard? Is there a GPS?
As you can see, there are many ways data can enter the vehicle. If any of this data is malformed or intentionally malicious, what happens? This is where threat modeling comes in. Threat Modeling Entire books have been written about threat modeling, but I’m going to give you just a quick tour so you can build your own threat models. (If you have further questions or if this section excites you, by all means, grab another book on the subject!) When threat modeling a car, you collect information about the architecture of your target and create a diagram to illustrate how parts of the car communicate.
You then use these maps to identify higher-risk inputs and to keep a checklist of things to audit; this will help you prioritize entry points that could yield the most return. Threat models are typically made during the product development and design process.
If the company producing a particular product has a good development life cycle, it creates the threat model when product development begins and continuously updates the model as the product moves through the development life cycle. Threat models are living documents that change as the target changes and as you learn more about a target, so you should update your threat model often. Your threat model can consist of different levels; if a process in your model is complicated, you should consider breaking it down further by adding more levels to your diagrams. In the beginning, however, Level 2 is about as far as you’ll be able to go. We’ll discuss the various levels in the following sections, beginning with Threat Level 0.
Level 0: Bird’s-Eye View At this level, we use the checklist we built when considering attack surfaces. Think about how data can enter the vehicle. Draw the vehicle in the center, and then label the external and internal spaces. Illustrates a possible Level 0 diagram.
The rectangular boxes are the inputs, and the circle in the center represents the entire vehicle. On their way to the vehicle, the inputs cross two dotted lines, which represent external and internal threats. The vehicle circle doesn’t represent an input but rather a complex process—that is, a series of tasks that could be broken down further.
Processes are numbered, and as you can see, this one is number 1.0. If you had more than one complex piece in your threat model, you would number those in succession. For instance, you would label a second process 2.0; a third, 3.0; and so on. As you learn about your vehicle’s features, you update the diagram. It’s okay if you don’t recognize all of the acronyms in the diagram yet; you will soon. Figure 1-1: Level 0 inputs Level 1: Receivers To move on to the Level 1 diagram, pick a process to explore.
Because we have only the one process in our diagram, let’s dig in to the vehicle process and focus on what each input talks to. The Level 1 map shown in is almost identical to that in Level 0. The only difference is that here we specify the vehicle connections that receive the Level 0 input. We won’t look at the receivers in depth just yet; we’re looking only at the basic device or area that the input talks to. Figure 1-2: Level 1 map of inputs and vehicle connections Notice in that we number each receiver. The first digit represents the process label from the Level 0 diagram in, and the second digit is the number of the receiver. Because the infotainment unit is both a complex process and an input, we’ve given it a process circle.
We now have three other processes: immobilizer, ECU, and TPMS Receiver. The dotted lines in the Level 1 map represent divisions between trust boundaries. The inputs at the top of the diagram are the least trusted, and the ones at the bottom are the most trusted. The more trust boundaries that a communication channel crosses, the more risky that channel becomes.
Level 2: Receiver Breakdown At Level 2, we examine the communication taking place inside the vehicle. Our sample diagram () focuses on a Linux-based infotainment console, receiver 1.1. This is one of the more complicated receivers, and it’s often directly connected to the vehicle’s internal network. In, we group the communications channels into boxes with dashed lines to once again represent trust boundaries.
Now there’s a new trust boundary inside the infotainment console called kernel space. Systems that talk directly to the kernel hold higher risk than ones that talk to system applications because they may bypass any access control mechanisms on the infotainment unit. Therefore, the cellular channel is higher risk than the Wi-Fi channel because it crosses a trust boundary into kernel space; the Wi-Fi channel, on the other hand, communicates with the WPA supplicant process in user space. Figure 1-3: Level 2 map of the infotainment console This system is a Linux-based in-vehicle infotainment (IVI) system, and it uses parts common to a Linux environment. In the kernel space, you see references to the kernel modules udev, HSI, and Kvaser, which receive input from our threat model. The udev module loads USB devices, HSI is a serial driver that handles cellular communication, and Kvaser is the vehicle’s network driver.
The numbering pattern for Level 2 is now X. X, and the identification system is the same as before.
At Level 0, we took the vehicle process that was 1.0 and dove deeper into it. We then marked all processes within Level 1 as 1.1, 1.2, and so on. Next, we selected the infotainment process marked 1.1 and broke it down further for the Level 2 diagram. At Level 2, therefore, we labeled all complex processes as 1.1.1, 1.1.2, and so on. (You can continue the same numbering scheme as you dive even deeper into the processes. The numbering scheme is for documentation purposes; it allows you to reference the exact process at the appropriate level.). NOTE Ideally at this stage, you’d map out which processes handle which inputs, but we’ll have to guess for now.
In the real world, you’d need to reverse engineer the infotainment system to find this information. When building or designing an automotive system, you should continue to drill down into as many complex processes as possible. Bring in the development team, and start discussing the methods and libraries used by each application so you can incorporate them into their own threat diagrams.
You’ll likely find that the trust boundaries at the application level will usually be between the application and the kernel, between the application and the libraries, between the application and other applications, and even between functions. When exploring these connections, mark methods that have higher privileges or that handle more sensitive information. Threat Identification Now that we’ve gone two levels deep into our threat modeling maps, we can begin to identify potential threats. Threat identification is often more fun to do with a group of people and a whiteboard, but you can do it on your own as a thought exercise. Let’s try this exercise together. Start at Level 0—the bird’s-eye view—and consider potential high-level problems with inputs, receivers, and threat boundaries. Now let’s list all potential threats with our threat models.
Level 0: Bird’s-Eye View When determining potential threats at Level 0, try to stay high level. Some of these threats may seem unrealistic because you’re aware of additional hurdles or protections, but it’s important to include all possible threats in this list, even if some have already been addressed. The point here is to brainstorm all the risks of each process and input. The high-level threats at Level 0 are that an attacker could: • Remotely take over a vehicle • Shut down a vehicle • Spy on vehicle occupants • Unlock a vehicle • Steal a vehicle • Track a vehicle • Thwart safety systems • Install malware on the vehicle At first, it may be difficult to come up with a bunch of attack scenarios.
It’s often good to have people who are not engineers also participate at this stage because as a developer or an engineer, you tend to be so involved in the inner workings that it’s natural to discredit ideas without even meaning to. Be creative; try to come up with the most James Bond–villain attack you can think of. Maybe think of other attack scenarios and whether they could also apply to vehicles.
For example, consider ransomware, a malicious software that can encrypt or lock you out of your computer or phone until you pay money to someone controlling the software remotely. Could this be used on vehicles? The answer is yes. Write ransomware down. Level 1: Receivers Threat identification at Level 1 focuses more on the connections of each piece rather than connections that might be made directly to an input. The vulnerabilities that we posit at this level relate to vulnerabilities that affect what connects to the devices in a vehicle. We’ll break these down into threat groupings that relate to cellular, Wi-Fi, key fob (KES), tire pressure monitor sensor (TPMS), infotainment console, USB, Bluetooth, and controller area network (CAN) bus connections.
As you can see in the following lists, there are many potential ways into a vehicle. NOTE While we could use ISO 26262 ASIL or MIL-STD-882E when rating threats, we want more detail than just Risk = Probability × Severity. If you have to pick between these two systems for a security review, go with MIL-STD-882E from the Department of Defense (DoD). The Automotive Safety Integrity Level (ASIL) system will too often have a risk fall into the QM ranking, which basically translates to “meh.” The DoD’s system tends to result in a higher ranking, which equates to a higher value for the cost of a life. Also, MIL-STD-882E is designed to be applied throughout the life cycle of a system, including disposal, which is a nice fit with a secure development life cycle.
Working with Threat Model Results At this point, we have a layout of many of the potential threats to our vehicle, and we have them ranked by risk. Well, that depends on what team you’re on. To use military jargon, the attacker side is the “red team,” and the defender side is the “blue team.” If you’re on the red team, your next step is to start attacking the highest risk areas that are likely to have the best chance of success.
If you’re on the blue team, go back to your risk chart and modify each threat with a countermeasure. For example, if we were to take the two risks in “” on, we could add a countermeasure section to each. Includes the countermeasure for the HSI code execution risk, and includes the countermeasure for the risk of HSI interception. Table 1-5: HSI Code Execution Risk Threat Executes code in the kernel space Risk High Attack technique Exploit vulnerability in older versions of HSI Countermeasures Kernel and kernel modules should be updated with the latest kernel releases Table 1-6: Intercepting HSI Commands Threat Intercepts and injects commands from the cellular network Risk High Attack technique Intercept serial communications over HSI Countermeasures All commands sent over cellular are cryptographically signed Now you have a documented list of high-risk vulnerabilities with solutions.
You can prioritize any solutions not currently implemented based on the risk of not implementing that solution. Summary In this chapter you learned the importance of using threat models to identify and document your security posture, and of getting both technical and nontechnical people to brainstorm possible scenarios. We then drilled down into these scenarios to identify all potential risks. Using a scoring system, we ranked and categorized each potential risk. After assessing threats in this way, we ended up with a document that defined our current product security posture, any countermeasure currently in place, and a task list of high-priority items that still need to be addressed. In this chapter, we’ll discuss the different bus protocols common in vehicle communications.
Your vehicle may have only one of these, or if it was built earlier than 2000, it may have none. Bus protocols govern the transfer of packets through the network of your vehicle. Several networks and hundreds of sensors communicate on these bus systems, sending messages that control how the vehicle behaves and what information the network knows at any given time. Each manufacturer decides which bus and which protocols make the most sense for its vehicle. One protocol, the CAN bus, exists in a standard location on all vehicles: on the OBD-II connector. That said, the packets themselves that travel over a vehicle’s CAN bus aren’t standardized. Vehicle-critical communication, such as RPM management and braking, happens on high-speed bus lines, while noncritical communication, such as door lock and A/C control, happens on mid- to low-speed bus lines.
We’ll detail the different buses and protocols you may run across on your vehicle. To determine the bus lines for your specific vehicle, check its OBD-II pinout online. The CAN Bus CAN is a simple protocol used in manufacturing and in the automobile industry. Modern vehicles are full of little embedded systems and electronic control units (ECUs) that can communicate using the CAN protocol. CAN has been a standard on US cars and light trucks since 1996, but it wasn’t made mandatory until 2008 (2001 for European vehicles). If your car is older than 1996, it still may have CAN, but you’ll need to check.
CAN runs on two wires: CAN high (CANH) and CAN low (CANL). CAN uses differential signaling (with the exception of low-speed CAN, discussed in “” on ), which means that when a signal comes in, CAN raises the voltage on one line and drops the other line an equal amount (see ). Differential signaling is used in environments that must be fault tolerant to noise, such as in automotive systems and manufacturing.
Figure 2-1: CAN differential signaling shows a signal captured using a PicoScope, which listens to both CANH (darker lines at the top of the graph) and CANL (lighter lines at the bottom of the graph). Notice that when a bit is transmitted on the CAN bus, the signal will simultaneously broadcast both 1V higher and lower. The sensors and ECUs have a transceiver that checks to ensure both signals are triggered; if they are not, the transceiver rejects the packet as noise. The two twisted-pair wires make up the bus and require the bus to be terminated on each end. There’s a 120-ohm resistor across both wires on the termination ends. If the module isn’t on the end of the bus, it doesn’t have to worry about termination.
As someone who may tap into the lines, the only time you’ll need to worry about termination is if you remove a terminating device in order to sniff the wires. The OBD-II Connector Many vehicles come equipped with an OBD-II connector, also known as the diagnostic link connector (DLC), which communicates with the vehicle’s internal network. You’ll usually find this connector under the steering column or hidden elsewhere on the dash in a relatively accessible place. You may have to hunt around for it, but its outline looks similar to that in. Figure 2-2: Possible locations of the OBD-II connector In some vehicles, you’ll find these connectors behind small access panels. They’ll typically be either black or white.
Some are easy to access, and others are tucked up under the plastic. Search and you shall find! Finding CAN Connections CAN is easy to find when hunting through cables because its resting voltage is 2.5V. When a signal comes in, it’ll add or subtract 1V (3.5V or 1.5V).
CAN wires run through the vehicle and connect between the ECUs and other sensors, and they’re always in dual-wire pairs. If you hook up a multimeter and check the voltage of wires in your vehicle, you’ll find that they’ll be at rest at 2.5V or fluctuating by 1V. If you find a wire transmitting at 2.5V, it’s almost certainly CAN. You should find the CANH and CANL connections on pins 6 and 14 of your OBD-II connector, as shown in. Figure 2-3: CAN pins cable view on the OBD-II connector In the figure, pins 6 and 14 are for standard high-speed CAN lines (HS-CAN).
Mid-speed and low-speed communications happen on other pins. Some cars use CAN for the mid-speed (MS-CAN) and low-speed (LS-CAN), but many vehicles use different protocols for these communications. You’ll find that not all buses are exposed via the OBD-II connector.
You can use wiring diagrams to help locate additional “internal” bus lines. CAN Bus Packet Layout There are two types of CAN packets: standard and extended. Extended packets are like standard ones but with a larger space to hold IDs.
Standard Packets Each CAN bus packet contains four key elements: Arbitration ID The arbitration ID is a broadcast message that identifies the ID of the device trying to communicate, though any one device can send multiple arbitration IDs. If two CAN packets are sent along the bus at the same time, the one with the lower arbitration ID wins. Identifier extension (IDE) This bit is always 0 for standard CAN.
Data length code (DLC) This is the size of the data, which ranges from 0 to 8 bytes. Data This is the data itself. The maximum size of the data carried by a standard CAN bus packet can be up to 8 bytes, but some systems force 8 bytes by padding out the packet. Shows the format of standard CAN packets.
Figure 2-4: Format of standard CAN packets Because CAN bus packets are broadcast, all controllers on the same network see every packet, kind of like UDP on Ethernet networks. The packets don’t carry information about which controller (or attacker) sent what. Because any device can see and transmit packets, it’s trivial for any device on the bus to simulate any other device.
Extended Packets Extended packets are like standard ones, except that they can be chained together to create longer IDs. Extended packets are designed to fit inside standard CAN formatting in order to maintain backward compatibility. So if a sensor doesn’t have support for extended packets, it won’t break if another packet transmits extended CAN packets on the same network. Standard packets also differ from extended ones in their use of flags. When looking at extended packets in a network dump, you’ll see that unlike standard packets, extended packets use substitute remote request (SRR) in place of the remote transmission request (RTR) with SSR set to 1. They’ll also have the IDE set to 1, and their packets will have an 18-bit identifier, which is the second part of the standard 11-bit identifier. There are additional CAN-style protocols that are specific to some manufacturers, and they’re also backward compatible with standard CAN in much the same way as extended CAN.
The ISO-TP Protocol ISO 15765-2, also known as ISO-TP, is a standard for sending packets over the CAN bus that extends the 8-byte CAN limit to support up to 4095 bytes by chaining CAN packets together. The most common use of ISO-TP is for diagnostics (see “” on ) and KWP messages (an alternative protocol to CAN), but it can also be used any time large amounts of data need to be transferred over CAN. The can-utils program includes isotptun, a proof-of-concept tunneling tool for SocketCAN that allows two devices to tunnel IP over CAN. (For a detailed explanation of how to install and use can-utils, see “” on.) In order to encapsulate ISO-TP into CAN, the first byte is used for extended addressing, leaving only 7 bytes for data per packet.
Sending lots of information over ISO-TP can easily flood the bus, so be careful when using this standard for large transfers on an active bus. The CANopen Protocol Another example of extending the CAN protocol is the CANopen protocol.
CANopen breaks down the 11-bit identifier to a 4-bit function code and 7-bit node ID—a combination known as a communication object identifier (COB-ID). A broadcast message on this system has 0x for both the function code and the node ID. CANopen is seen more in industrial settings than it is in automotive ones. If you see a bunch of arbitration IDs of 0x0, you’ve found a good indicator that the system is using CANopen for communications. CANopen is very similar to normal CAN but has a defined structure around the arbitration IDs.
For example, heartbeat messages are in the format of 0x700 + node ID. CANopen networks are slightly easier to reverse and document than standard CAN bus. The GMLAN Bus GMLAN is a CAN bus implementation by General Motors. It’s based on ISO 15765-2 ISO-TP, just like UDS (see “” on ). The GMLAN bus consists of a single-wire low-speed and a dual-wire high-speed bus. The low-speed bus, a single-wire CAN bus that operates at 33.33Kbps with a maximum of 32 nodes, was adopted in an attempt to lower the cost of communication and wiring. It’s used to transport noncritical information for things like the infotainment center, HVAC controls, door locks, immobilizers, and so on.
In contrast, the high-speed bus runs at 500Kbps with a maximum of 16 nodes. Nodes in a GMLAN network relate to the sensors on that bus. The SAE J1850 Protocol The SAE J1850 protocol was originally adopted in 1994 and can still be found in some of today’s vehicles, for example some General Motors and Chrysler vehicles. These bus systems are older and slower than CAN but cheaper to implement. There are two types of J1850 protocols: pulse width modulation (PWM) and variable pulse width (VPW).
Shows where to find PWM pins on the OBD-II connector. VPW uses only pin 2.
Figure 2-5: PWM pins cable view The speed is grouped into three classes: A, B, and C. The 10.4Kbps speeds of PWM and VPW are considered class A, which means they’re devices marketed exclusively for use in business, industrial, and commercial environments. (The 10.4Kbps J1850 VPW bus meets the automotive industry’s requirements for low-radiating emissions.) Class B devices are marketed for use anywhere, including residential environments and have a second SAE standard implementation that can communicate at 100Kbps, but it’s slightly more expensive.
The final implementation can operate at up to 1Mbps, and it’s used in class C devices. As you might expect, this third implementation is the most expensive, and it’s used primarily in real-time critical systems and media networks. The PWM Protocol PWM uses differential signaling on pins 2 and 10 and is mainly used by Ford.
It operates with a high voltage of 5V and at 41.6Kbps, and it uses dual-wire differential signaling, like CAN. PMW has a fixed-bit signal, so a 1 is always a high signal and a 0 is always a low signal. Other than that, the communication protocol is identical to that of VPW. The differences are the speed, voltage, and number of wires used to make up the bus.
The VPW Protocol VPW, a single-wire bus system, uses only pin 2 and is typically used by General Motors and Chrysler. VPW has a high voltage of 7V and a speed of 10.4Kbps. When compared with CAN, there are some key differences in the way VPW interprets data. For one, because VPW uses time-dependent signaling, receiving 1 bit isn’t determined by just a high potential on the bus. The bit must remain either high or low for a set amount of time in order to be considered a single 1 bit or a 0 bit. Pulling the bus to a high position will put it at around 7V, while sending a low signal will put it to ground or near-ground levels. This bus also is at a resting, or nontransmission, stage at a near-ground level (up to 3V).
VPW packets use the format in. Figure 2-6: VPW Format The data section is a set size—always 11 bits followed by a 1-bit CRC validity check. Shows the meaning of the header bits. Table 2-1: Meaning of Header Bits Header bits Meaning Notes PPP Message priority 000 = Highest, 111 = Lowest H Header size 0 = 3 bytes, 1 = single byte K In-frame response 0 = Required, 1 = Not allowed Y Addressing mode 0 = Functional, 1 = Physical ZZ Message type Will vary based on how K and Y are set In-frame response (IFR) data may follow immediately after this message. Normally, an end-of-data (EOD) signal consisting of 200μs-long low-potential signal would occur just after the CRC, and if IFR data is included, it’ll start immediately after the EOD. If IFR isn’t being used, the EOD will extend to 280μs, causing an end-of-frame (EOF) signal.
The Keyword Protocol and ISO 9141-2 The Keyword Protocol 2000 (ISO 14230), also known as KWP2000, uses pin 7 and is common in US vehicles made after 2003. Messages sent using KWP2000 may contain up to 255 bytes. The KWP2000 protocol has two variations that differ mainly in baud initialization. The variations are: • ISO 14230-4 KWP (5-baud init, 10.4 Kbaud) • ISO 14230-4 KWP (fast init, 10.4 Kbaud) ISO 9141-2, or K-Line, is a variation of KWP2000 seen most often in European vehicles.
K-Line uses pin 7 and, optionally, pin 15, as shown in. K-Line is a UART protocol similar to serial.
UARTs use start bits and may include a parity bit and a stop bit. (If you’ve ever set up a modem, you should recognize this terminology.). Figure 2-8: KWP K-Line packet layout The Local Interconnect Network Protocol The Local Interconnect Network (LIN) is the cheapest of the vehicle protocols. It was designed to complement CAN.
It has no arbitration or priority code; instead, a single master node does all the transmission. LIN can support up to 16 slave nodes that primarily just listen to the master node. They do need to respond on occasion, but that’s not their main function.
Often the LIN master node is connected to a CAN bus. The maximum speed of LIN is 20Kbps.
LIN is a single-wire bus that operates at 12V. You won’t see LIN broken out to the OBD connector, but it’s often used instead of direct CAN packets to handle controls to simple devices, so be aware of its existence. A LIN message frame includes a header, which is always sent by the master, and a response section, which may be sent by master or slave (see ).
Figure 2-9: LIN format The SYNC field is used for clock synchroniziation. The ID represents the message contents—that is, the type of data being transmitted. The ID can contain up to 64 possibilities.
ID 60 and 61 are used to carry diagnostic information. When reading diagnostic information, the master sends with ID 60 and the slave responds with ID 61. All 8 bytes are used in diagnostics. The first byte is called the node address for diagnostics (NAD). The first half of the byte range (that is, 1–127) is defined for ISO-compliant diagnostics, while 128–255 can be specific to that device. The MOST Protocol The Media Oriented Systems Transport (MOST) protocol is designed for multimedia devices.
Typically, MOST is laid out in a ring topology, or virtual star, that supports a maximum of 64 MOST devices. One MOST device acts as the timing master, which continuously feeds frames into the ring. MOST runs at approximately 23 Mbaud and supports up to 15 uncompressed CD quality audio or MPEG1 audio/video channels. A separate control channel runs at 768 Kbaud and sends configuration messages to the MOST devices. MOST comes in three speeds: MOST25, MOST50, and MOST150. Standard MOST, or MOST25, runs on plastic optical fiber (POF). Transmission is done through the red light wavelength at 650 nm using an LED.
A similar protocol, MOST50, doubles the bandwidth and increases the frame length to 1025 bits. MOST50 traffic is usually transported on unshielded twisted-pair (UTP) cables instead of optical fiber. Finally, MOST150 implements Ethernet and increases the frame rate to 3072 bits or 150Mbps—approximately six times the bandwidth of MOST25. Each MOST frame has three channels: Synchronous Streamed data (audio/video) Asynchronous Packet distributed data (TCP/IP) Control Control and low-speed data (HMI) In addition to a timing master, a MOST network master automatically assigns addresses to devices, which allows for a kind of plug-and-play structure. Another unique feature of MOST is that, unlike other buses, it routes packets through separate inport and outport ports. MOST Network Layers Unless your goal is to hack a car’s video or audio stream, the MOST protocol may not be all that interesting to you. That said, MOST does allow access to the in-vehicle microphone or cell system, as well as traffic information that’s likely to be of interest to malware authors.
Shows how MOST is divided up amongst the seven layers of the Open Systems Interconnection (OSI) model that standardizes communication over networks. If you’re familiar with other media-based networking protocols, then MOST may look familiar. Figure 2-12: Assembled control block layout The data area contains the FblockID, InstID, FktID, OP Type, Tel ID, Tel Len, and 12 bytes of data. FblockIDs are the core component IDs, or function blocks. For example, an FblockID of 0x52 might be the navigation system. InstID is the instance of the function block.
There can be more than one core function, such as having two CD changes. InstID differentiates which core to talk to.
FktID is used to query higher-level function blocks. For instance, a FktID of 0x0 queries a list of function IDs supported by the function block. OP Type is the type of operation to perform, get, set, increment, decrement, and so forth. The Tel ID and Len are the type of telegram and length, respectively. Telegram types represent a single transfer or a multipacket transfer and the length of the telegram itself. MOST50 has a similar layout to MOST25 but with a larger data section. MOST150 provides two additional channels: Ethernet and Isochronous.
Ethernet works like normal TCP/IP and Appletalk setups. Isochronous has three mechanisms: burst mode, constant rate, and packet streaming.
Hacking MOST MOST can be hacked from a device that already supports it, such as through a vehicle’s infotainment unit or via an onboard MOST controller. The Linux-based project most4linux provides a kernel driver for MOST PCI devices and, as of this writing, supports Siemens CT SE 2 and OASIS Silicon Systems or SMSC PCI cards. The most4linux driver allows for user-space communication over the MOST network and links to the Advanced Linux Sound Architecture (ALSA) framework to read and write audio data. At the moment, most4linux should be considered alpha quality, but it includes some example utilities that you may be able to build upon, namely: most_aplay Plays a.wav file ctrl_tx Sends a broadcast control message and checks status sync_tx Constantly transmits sync_rx Constantly receives The current most4linux driver was written for 2.6 Linux kernels, so you may have your work cut out for you if you want to make a generic sniffer. MOST is rather expensive to implement, so a generic sniffer won’t be cheap.
The FlexRay Bus FlexRay is a high-speed bus that can communicate at speeds of up to 10Mbps. It’s geared for time-sensitive communication, such as drive-by-wire, steer-by-wire, brake-by-wire, and so on. FlexRay is more expensive to implement than CAN, so most implementations use FlexRay for high-end systems, CAN for midrange, and LIN for low-cost devices. Hardware FlexRay uses twisted-pair wiring but can also support a dual-channel setup, which can increase fault tolerance and bandwidth. However, most FlexRay implementations use only a single pair of wiring similar to CAN bus implementations. Network Topology FlexRay supports a standard bus topology, like CAN bus, where many ECUs run off a twisted-pair bus. It also supports star topology, like Ethernet, that can run longer segments.
When implemented in the star topology, a FlexRay hub is a central, active FlexRay device that talks to the other nodes. In a bus layout, FlexRay requires proper resistor termination, as in a standard CAN bus. The bus and star topologies can be combined to create a hybrid layout if desired. Implementation When creating a FlexRay network, the manufacturer must tell the devices about the network setup. Recall that in a CAN network each device just needs to know the baud rate and which IDs it cares about (if any).
In a bus layout, only one device can talk on the bus at a time. In the case of the CAN bus, the order of who talks first on a collision is determined by the arbitration ID. In contrast, when FlexRay is configured to talk on a bus, it uses something called a time division multiple access (TDMA) scheme to guarantee determinism: the rate is always the same (deterministic), and the system relies on the transmitters to fill in the data as the packets pass down the wire, similar to the way cellular networks like GSM operate. FlexRay devices don’t automatically detect the network or addresses on the network, so they must have that information programed in at manufacturing time. While this static addressing approach cuts down on cost during manufacturing, it can be tricky for a testing device to participate on the bus without knowing how the network is configured, as a device added to your FlexRay network won’t know what data is designed to go into which slots. To address this problem, specific data exchange formats, such as the Field Bus Exchange Format (FIBEX), were designed during the development of FlexRay. FIBEX is an XML format used to describe FlexRay, as well as CAN, LIN, and MOST network setups.
FIBEX topology maps record the ECUs and how they are connected via channels, and they can implement gateways to determine the routing behavior between buses. These maps can also include all the signals and how they’re meant to be interpreted. FIBEX data is used during firmware compile time and allows developers to reference the known network signals in their code; the compiler handles all the placement and configuration.
To view a FIBEX, download FIBEX Explorer from. FlexRay Cycles A FlexRay cycle can be viewed as a packet. The length of each cycle is determined at design time and should consist of four parts, as shown in. Figure 2-13: Four parts of a FlexRay cycle The static segment contains reserved slots for data that always represent the same meaning.
The dynamic segment slots contain data that can have different representations. The symbol window is used by the network for signaling, and the idle segment (quiet time) is used for synchronization. The smallest unit of time on FlexRay is called a macrotick, which is typically one millisecond. All nodes are time synced, and they trigger their macrotick data at the same time. The static section of a FlexRay cycle contains a set amount of slots to store data, kind of like empty train cars. When an ECU needs to update a static data unit, it fills in its defined slot or car; every ECU knows which car is defined for it. This system works because all of the participants on a FlexRay bus are time synchronized.
The dynamic section is split up into minislots, typically one macrotick long. The dynamic section is usually used for less important, intermittent data, such as internal air temperature. As a minislot passes, an ECU may choose to fill the minislots with data. If all the minislots are full, the ECU must wait for the next cycle. In, the FlexRay cycles are represented as train cars.
Transmitters responsible for filling in information for static slots do so when the cycle passes, but dynamic slots are filled in on a first-come, first-served basis. All train cars are the same size and represent the time deterministic properties of FlexRay.
Figure 2-14: FlexRay train representing cycles The symbol window isn’t normally used directly by most FlexRay devices, which means that when thinking like a hacker, you should definitely mess with this section. FlexRay clusters work in states that are controlled by the FlexRay state manager. According to AUTOSAR 4.2.1 Standard, these states are as follows: ready, wake-up, start-up, halt-req, online, online-passive, keyslot-only, and low-number-of-coldstarters. While most states are obvious, some need further explanation. Specifically, online is the normal communication state, while online-passive should only occur when there are synchronization errors. In online-passive mode, no data is sent or received. Keyslot-only means that data can be transmitted only in the key slots.
Low-number-of-coldstarters means that the bus is still operating in full communication mode but is relying on the sync frames only. There are additional operational states, too, such as config, sleep, receive only, and standby. Packet Layout The actual packet that FlexRay uses contains several fields and fits into the cycle in the static or dynamic slot (see ). Figure 2-15: FlexRay packet layout The status bits are: • Reserved bit • Payload preamble indicator • NULL frame indicator • Sync frame indicator • Startup frame indicator The frame ID is the slot the packet should be transmitted in when used for static slots. When the packet is destined for a dynamic slot (1–2047), the frame ID represents the priority of this packet. If two packets have the same signal, then the one with the highest priority wins. Payload length is the number in words (2 bytes), and it can be up to 127 words in length, which means that a FlexRay packet can carry 254 bytes of data—more than 30 times that of a CAN packet.
Header CRC should be obvious, and the cycle count is used as a communication counter that increments each time a communication cycle starts. Soal Toeic Dan Pembahasan Pdf Download. One really neat thing about static slots is that an ECU can read earlier static slots and output a value based on those inputs in the same cycle. For instance, say you have a component that needs to know the position of each wheel before it can output any needed adjustments.
If the first four slots in a static cycle contain each wheel position, the calibration ECU can read them and still have time to fill in a later slot with any adjustments. Sniffing a FlexRay Network As of this writing, Linux doesn’t have official support for FlexRay, but there are some patches from various manufacturers that add support to certain kernels and architectures. (Linux has FlexCAN support, but FlexCAN is a CAN bus network inspired by FlexRay.) At this time, there are no standard open source tools for sniffing a FlexRay network.
If you need a generic tool to sniff FlexRay traffic, you currently have to go with a proprietary product that’ll cost a lot. If you want to monitor a FlexRay network without a FIBEX file, you’ll at least need to know the baud rate of the bus. Ideally, you’ll also know the cycle length (in milliseconds) and, if possible, the size of the cluster partitioning (static-to-dynamic ratio). Technically, a FlexRay cluster can have up to 1048 configurations with 74 parameters. You’ll find the approach to identifying these parameters detailed in the paper “Automatic Parameter Identification in FlexRay based Automotive Communication Networks” (IEEE, 2006) by Eric Armengaud, Andreas Steininger, and Martin Horauer.
When spoofing packets on a FlexRay network with two channels, you need to simultaneously spoof both. Also, you’ll encounter FlexRay implementations called Bus Guardian that are designed to prevent flooding or monopolization of the bus by any one device. Bus Guardian works at the hardware level via a pin on the FlexRay chip typically called Bus Guardian Enable (BGE). This pin is often marked as optional, but the Bus Guardian can drive this pin too high to disable a misbehaving device. Automotive Ethernet Because MOST and FlexRay are expensive and losing support (the FlexRay consortium appears to have disbanded), most newer vehicles are moving to Ethernet. Ethernet implementations vary, but they’re basically the same as what you’d find in a standard computer network.
Often, CAN packets are encapsulated as UDP, and audio is transported as voice over IP (VoIP). Ethernet can transmit data at speeds up to 10Gbps, using nonproprietary protocols and any chosen topology. While there’s no common standard for CAN traffic, manufacturers are starting to use the IEEE 802.1AS Audio Video Bridging (AVB) standard.
This standard supports quality of service (QoS) and traffic shaping, and it uses time-synchronized UDP packets. In order to achieve this synchronization, the nodes follow a best master clock algorithm to determine which node is to be the timing master. The master node will normally sync with an outside timing source, such as GPS or (worst case) an on-board oscillator. The master syncs with the other nodes by sending timed packets (10 milliseconds), the slave responds with a delay request, and the time offset is calculated from that exchange.
From a researcher’s perspective, the only challenge with vehicle Ethernet lies in figuring out how to talk to the Ethernet. You may need to make or buy a custom cable to communicate with vehicle Ethernet cables because they won’t look like the standard twisted-pair cables that you’d find in a networking closet. Typically, a connector will just be wires like the ones you find connected to an ECU. Don’t expect the connectors to have their own plug, but if they do, it won’t look like an RJ-45 connector. Some exposed connectors are actually round, as shown in. Figure 2-19: US-style DB9 connector, plug view The US version has more features and gives you more access to other OBD connectors besides just CAN.
Luckily, power is pin 9 on both style connectors, so you shouldn’t fry your sniffer if you happen to grab the wrong cable. Some sniffers, such as CANtact, have jumpers that you can set depending on which style cable you’re using. The OBD-III Standard OBD-III is a rather controversial evolution of the OBD-II standard.
OBD-II was originally designed to be compliant with emissions testing (at least from the regulators’ perspective), but now that the powertrain control module (PCM) knows whether a vehicle is within guidelines, we’re still left with the inconvenience of the vehicle owner having to go for testing every other year. The OBD-III standard allows the PCM to communicate its status remotely without the owner’s interaction. This communication is typically accomplished through a roadside transponder, but cell phones and satellite communications work as well. The California Air Resources Board (CARB) began testing roadside readers for OBD-III in 1994 and is capable of reading vehicle data from eight lanes of traffic traveling at 100 miles per hour.
If a fault is detected in the system, it’ll transmit the diagnostic trouble codes (DTC) and vehicle identification numbers (VIN) to a nearby transponder (see “” on ). The idea is to have the system report that pollutants are entering the atmosphere without having to wait up to two years for an emissions check.
Most implementations of OBD-III are manufacturer specific. The vehicle phones home to the manufacturer with faults and then contacts the owner to inform them of the need for repairs. As you might imagine, this system has some obvious legal questions that still need to be answered, including the risk of mass surveillance of private property. Certainly, there’s lots of room for abuses by law enforcement, including speed traps, tracking, immobilization, and so on.
Some submitted request for proposals to integrate OBD-III into vehicles claim to use transponders to store the following information: • Date and time of current query • Date and time of last query • VIN • Status, such as “OK,” “Trouble,” or “No response” • Stored codes (DTCs) • Receiver station number It’s important to note that even if OBD-III sends only DTC and VIN, it’s trivial to add additional metadata, such as location, time, and history of the vehicle passing the transponder. For the most part, OBD-III is the bogeyman under the bed. As of this writing, it has yet to be deployed with a transponder approach, although phone-home systems such as OnStar are being deployed to notify the car dealer of various security or safety issues.
Summary When working on your target vehicle, you may run into a number of different buses and protocols. When you do, examine the pins that your OBD-II connector uses for your particular vehicle to help you determine what tools you’ll need and what to expect when reversing your vehicle’s network. I’ve focused in this chapter on easily accessible buses via the OBD-II connector, but you should also look at your vehicle wiring diagrams to determine where to find other bus lines between sensors.
Not all bus lines are exposed via the OBD-II connector, and when looking for a certain packet, it may be easier to locate the module and bus lines leaving a specific module in order to reverse a particular packet. (See for details on how to read wiring diagrams.). When you begin using a CAN for vehicle communications, you may well find it to be a hodgepodge of different drivers and software utilities. The ideal would be to unify the CAN tools and their different interfaces into a common interface so we could easily share information between tools. Luckily, there’s a set of tools with a common interface, and it’s free! If you have Linux or install Linux on a virtual machine (VM), you already have this interface. The interface, called SocketCAN, was created on the Open Source development site BerliOS in 2006.
Today, the term SocketCAN is used to refer to the implementation of CAN drivers as network devices, like Ethernet cards, and to describe application access to the CAN bus via the network socket–programming interface. In this chapter we’ll set up SocketCAN so that we’re more easily able to communicate with the vehicle. Volkswagen Group Research contributed the original SocketCAN implementation, which supports built-in CAN chips and card drivers, external USB and serial CAN devices, and virtual CAN devices.
The can-utils package provides several applications and tools to interact with the CAN network devices, CAN-specific protocols, and the ability to set up a virtual CAN environment. In order to test many of the examples in this book, install a recent version in a Linux VM on your system.
The newest versions of Ubuntu have can-utils in their standard repositories. SocketCAN ties into the Linux networking stack, which makes it very easy to create tools to support CAN. SocketCAN applications can use standard C socket calls with a custom network protocol family, PF_CAN.
This functionality allows the kernel to handle CAN device drivers and to interface with existing networking hardware to provide a common interface and user-space utilities. Compares the implementation of traditional CAN software with that of a unified SocketCAN. Figure 3-1: SocketCAN layout (left) and traditional CAN software (right) With traditional CAN software, the application has its own protocol that typically talks to a character device, like a serial driver, and then the actual hardware driver. On the left of the figure, SocketCAN is implemented in the Linux kernel.
By creating its own CAN protocol family, SocketCAN can integrate with the existing network device drivers, thus enabling applications to treat a CAN bus interface as if it’s a generic network interface. Setting Up can-utils to Connect to CAN Devices In order to install can-utils, you must be running a Linux distribution from 2008 or later or one running the 2.6.25 Linux kernel or higher.
First we’ll install can-utils, then cover how to configure it for your particular setup. Installing can-utils You should be able to use your package manager to install can-utils. Here’s a Debian/Ubuntu example: $ sudo apt-get install can-utils If you don’t have can-utils in your package manager, install it from source with the git command: $ git clone As of this writing, can-utils has configure, make, and make install files, but in older versions, you’d just enter make to install from source. Configuring Built-In Chipsets The next step depends on your hardware. If you’re looking for a CAN sniffer, you should check the list of supported Linux drivers to ensure your device is compatible.
As of this writing, the Linux built-in CAN drivers support the following chipsets: • Atmel AT91SAM SoCs • Bosch CC770 • ESD CAN-PCI/331 cards • Freescale FlexCAN • Freescale MPC52xx SoCs (MSCAN) • Intel AN82527 • Microchip MCP251x • NXP (Philips) SJA1000 • TI’s SoCs CAN controllers, like the SJA1000, are usually built into ISA, PCI, and PCMCIA cards or other embedded hardware. For example, the EMS PCMCIA card driver implements access to its SJA1000 chip. When you insert the EMS PCMCIA card into a laptop, the ems_pcmcia module loads into the kernel, which then requires the sja1000 module and the can_dev module to be loaded.
The can_dev module provides standard configuration interfaces—for example, for setting bit rates for the CAN controllers. The Linux kernel’s modular concept also applies to CAN hardware drivers that attach CAN controllers via bus hardware, such as the kvaser_pci, peak_pci, and so on. When you plug in a supported device, these modules should automatically load, and you should see them when you enter the lsmod command. USB drivers, like usb8dev, usually implement a proprietary USB communication protocol and, therefore, do not load a CAN controller driver. For example, when you plug in a PEAK-System PCAN-USB adapter, the can_dev module loads and the peak_usb module finalizes its initialization.
NOTE If you’re using an Arduino or building your own sniffer, you must implement the LAWICEL protocol—also known as the SLCAN protocol—in your firmware in order for your device to work. For details, see and.
In order to use one of the USB-to-serial adapters, you must first initialize both the serial hardware and the baud rate on the CAN bus: $ slcand -o -s6 -t hw -S 3000000 /dev/ttyUSB0 $ ip link set up slcan0 The slcand daemon provides the interface needed to translate serial communication to the network driver, slcan0. The following options can be passed to slcand: -o Opens the device -s6 Sets the CAN bus baud rate and speed (see ) -t hw Specifies the serial flow control, either HW (hardware) or SW (software) -S 3000000 Sets the serial baud, or bit rate, speed /dev/ttyUSB0 Your USB FTDI device lists the numbers passed to -s and the corresponding baud rates. Table 3-1: Numbers and Corresponding Baud Rates Number Baud 0 10Kbps 1 20Kbps 2 50Kbps 3 100Kbps 4 125Kbps 5 250Kbps 6 500Kbps 7 800Kbps 8 1Mbps As you can see, entering -s6 prepares the device to communicate with a 500Kbps CAN bus network. With these options set, you should now have an slcan0 device. To confirm, enter the following: $ ifconfig slcan0 slcan0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 NOARP MTU:16 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) Most of the information returned by ifconfig is set to generic default values, which may be all 0s.
This is normal. We’re simply making sure that we can see the device with ifconfig. If we see an slcan0 device, we know that we should be able to use our tools to communicate over serial with the CAN controller. NOTE At this point, it may be good to see whether your physical sniffer device has additional lights. Often a CAN sniffer will have green and red lights to signify that it can communicate correctly with the CAN bus.
Your CAN device must be plugged in to your computer and the vehicle in order for these lights to function properly. Not all devices have these lights. (Check your device’s manual.) Setting Up a Virtual CAN Network If you don’t have CAN hardware to play with, fear not.
You can set up a virtual CAN network for testing. To do so, simply load the vcan module. $ modprobe vcan If you check dmesg, you shouldn’t see much more than a message like this: $ dmesg  vcan: Virtual CAN interface driver Now you just set up the interface as discussed in “” on but without specifying a baud rate for the virtual interface. $ ip link add dev vcan0 type vcan $ ip link set up vcan0 To verify your setup, enter the following: $ ifconfig vcan0 vcan0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 UP RUNNING NOARP MTU:16 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) As long as you see a vcan0 in the output, you’re ready to go. The CAN Utilities Suite With our CAN device up and running, let’s take a high-level look at the can-utils.
They’re listed and described briefly here; we’ll use them throughout the book, and we’ll explore them in greater detail as we use them. Asc2log This tool parses ASCII CAN dumps in the following form into a standard SocketCAN logfile format: 0.002367 1 390x Rx d 8 17 00 14 00 C0 00 08 00 bcmserver Jan-Niklas Meier’s proof-of-concept (PoC) broadcast manager server takes commands like the following: vcan1 A 1 0 123 8 11 22 33 44 55 66 77 88 By default, it listens on port 28600. It can be used to handle some busy work when dealing with repetitive CAN messages. Canbusload This tool determines which ID is most responsible for putting the most traffic on the bus and takes the following arguments: interface@ bitrate You can specify as many interfaces as you like and have canbusload display a bar graph of the worst bandwidth offenders. Can-calc-bit-timing This command calculates the bit rate and the appropriate register values for each CAN chipset supported by the kernel.
Candump This utility dumps CAN packets. It can also take filters and log packets. Canfdtest This tool performs send and receive tests over two CAN buses. Cangen This command generates CAN packets and can transmit them at set intervals. It can also generate random packets.
Cangw This tool manages gateways between different CAN buses and can also filter and modify packets before forwarding them on to the next bus. Canlogserver This utility listens on port 28700 (by default) for CAN packets and logs them in standard format to stdout. Canplayer This command replays packets saved in the standard SocketCAN “compact” format.
Cansend This tool sends a single CAN frame to the network. Cansniffer This interactive sniffer groups packets by ID and highlights changed bytes. Isotpdump This tool dumps ISO-TP CAN packets, which are explained in “” on. Isotprecv This utility receives ISO-TP CAN packets and outputs to stdout.
Isotpsend This command sends ISO-TP CAN packets that are piped in from stdin. Isotpserver This tool implements TCP/IP bridging to ISO-TP and accepts data packets in the format 667788. Isotpsniffer This interactive sniffer is like cansniffer but designed for ISO-TP packets. Isotptun This utility creates a network tunnel over the CAN network. Log2asc This tool converts from standard compact format to the following ASCII format: 0.002367 1 390x Rx d 8 17 00 14 00 C0 00 08 00 log2long This command converts from standard compact format to a user readable format.
Slcan_attach This is a command line tool for serial-line CAN devices. Slcand This daemon handles serial-line CAN devices. Slcanpty This tool creates a Linux psuedoterminal interface (PTY) to communicate with a serial-based CAN interface.
Installing Additional Kernel Modules Some of the more advanced and experimental commands, such as the ISO-TP–based ones, require you to install additional kernel modules, such as can-isotp, before they can be used. As of this writing, these additional modules haven’t been included with the standard Linux kernels, and you’ll likely have to compile them separately. You can grab the additional CAN kernel modules like this: $ git clone $ cd can-modules/net/can $ sudo./make_isotp.sh Once make finishes, it should create a can-isotp.ko file. If you run make in the root folder of the repository, it’ll try to compile some out-of-sync modules, so it’s best to compile only the module that you need in the current directory.
To load the newly compiled can-isotp.ko module, run insmod: # sudo insmod./can-isotp.ko dmesg should show that it loaded properly: $ dmesg  can: isotp protocol (rev 20141116 alpha). Figure 3-6: Open RAW view and press the play button to see packets from the CAN bus.
• Choose Colorize from the toolbar to make it easier to see and read the changing packets. Kayak can easily record and play back packet capture sessions, and it supports CAN definitions (stored in an open KDC format).
As of this writing, the GUI doesn’t support creating definitions, but I’ll show how to create definitions later. Kayak is a great open source tool that can work on any platform. In addition, it has a friendly GUI with advanced features that allow you to define the CAN packets you see and view them graphically. Summary In this chapter, you learned how to use SocketCAN as a unified interface for CAN devices and how to set up your device and apply the appropriate bit rate for your CAN bus. I reviewed all of the default CAN utilities in the can-utils package that come with SocketCAN support, and I showed you how to write low-level C code to directly interface with the CAN sockets. Finally, you learned how to use socketcand to allow remote interaction with your CAN devices and set up Kayak to work with socketcand. Now that you’ve set up communication with your vehicle, you’re just about ready to try out some attacks.
The OBD-II connector is primarily used by mechanics to quickly analyze and troubleshoot problems with a vehicle. (See “” on for help locating the OBD connector.) When a vehicle experiences a fault, it saves information related to that fault and triggers the engine warning light, also known as the malfunction indicator lamp (MIL).
These routine diagnostic checks are handled by the vehicle’s primary ECU, the powertrain control module (PCM), which can be made up of several ECUs (but to keep the discussion simple, we’ll refer to it only as the PCM). If you trigger faults while experimenting with the bus on a vehicle, you’ll need to able to read and write to the PCM in order to clear them. In this chapter, we’ll learn how to fetch and clear diagnostic codes as well as query the diagnostic services of the ECU.
We’ll also learn how to access a vehicle’s crash data recordings and how to brute-force hidden diagnostic codes. Diagnostic Trouble Codes The PCM stores fault codes as diagnostic trouble codes (DTCs). DTCs are stored in different places. For instance, memory-based DTCs are stored in the PCM’s RAM, which means they’re erased when power from the battery is lost (as is true for all DTCs stored in RAM). More serious DTCs are stored in areas that will survive a power failure.
Faults are usually classified as either hard or soft. Soft faults map to intermittent issues, whereas hard faults are ones that won’t go away without some sort of intervention. Often to determine whether a fault is hard or soft, a mechanic clears the DTCs and drives the vehicle to see whether the fault reappears. If it reappears, the fault is a hard fault.
A soft fault could be due to a problem such as a loose gas cap. Not all faults trigger the MIL light right away. Specifically, class A faults, which signal a gross emissions failure, light the MIL right away, while class B faults, which don’t affect the vehicle’s emissions system, are stored the first time they’re triggered as a pending fault.
The PCM waits to record several of the same faults before triggering the MIL. Class C faults often won’t turn on the MIL light but instead trigger a “service engine soon” type of message. Class D faults don’t trigger the MIL light at all. When storing the DTCs, the PCM snapshots all the relevant engine components in what is known as freeze frame data, which typically includes information such as the following: • DTC involved • Engine load • Engine revolutions per minute (RPM) • Engine temperature • Fuel trim • Manifold air pressure/mass air flow (MAP/MAF) values • Operating mode (open/close loop) • Throttle position • Vehicle speed Some systems store only one freeze frame, usually for the first DTC triggered or the highest-priority DTC, while others record multiple ones. In an ideal world, these snapshots would happen as soon the DTC occurs, but the freeze frames are typically recorded about five seconds after a DTC is triggered.
DTC Format A DTC is a five-character alphanumeric code. For example, you’ll see codes like P0477 (exhaust pressure control valve low) and U0151 (lost communication with restraint control module). The code in the first byte position represents the basic function of the component that set the code, as shown in. Table 4-1: Diagnostic Code Layouts Byte position Description 1 P (0x0) = powertrain, B (0x1) = body, C (0x2) = chassis, U (0x3) = network 2 0,2,3 (SAE standard) 1,3 (manufacturer specific) 3 Subgroup of position 1 4 Specific fault area 5 Specific fault area. NOTE When set to 3, byte 2 is both an SAE-defined standard and a manufacturer-specific code.
Originally, 3 was used exclusively for manufacturers, but pressure is mounting to standardize 3 to mean a standard code instead. In modern cars, if you see a 3 in the second position, it’s probably an SAE standard code. The five characters in a DTC are represented by just two raw bytes on the network. Shows how to break down the 2 DTC bytes into a full DTC code.
Table 4-2: Diagnostic Code Binary Breakdown. Except for the first two, the characters have a one-to-one relationship. Refer to to see how the first two bits are assigned. You should be able to look up the meaning of any codes that follow the SAE standard online. Here are some example ranges for common powertrain DTCs: • P0001–P0099: Fuel and air metering, auxiliary emissions controls • P0100–P0199: Fuel and air metering • P0200–P0299: Fuel and air metering (injector circuit) • P0300–P0399: Ignition system or misfire • P0400–P0499: Auxiliary emissions controls • P0500–P0599: Vehicle speed controls, and idle control systems • P0600–P0699: Computer output circuit • P0700–P0799: Transmission To learn the meaning of a particular code, pick up a repair book in the Chilton series at your local auto shop.
There, you’ll find a list of all OBD-II diagnostic codes for your vehicle. Reading DTCs with Scan Tools Mechanics check fault codes with scan tools. Scan tools are nice to have but not necessary for vehicle hacking.
You should be able to pick one up at any vehicle supply store or on the Internet for anywhere between $100 and $3,000. For the cheapest possible solution, you can get an ELM327 device on eBay for around $10. These are typically dongles that need additional software, such as a mobile app, in order for them to function fully as scan tools. The software is usually free or under $5. A basic scan tool should be able to probe the vehicle’s fault system and report on the common, nonmanufacturer-specific DTC codes.
Higher-end ones should have manufacturer-specific databases that allow you to perform much more detailed testing. Erasing DTCs DTCs usually erase themselves once the fault no longer appears during conditions similar to when the fault was first found. For this purpose, similar is defined as the following: • Engine speed within 375 RPM of the flagged condition • Engine load within 10 percent of the flagged condition • Engine temp is similar Under normal conditions, once the PCM no longer sees a fault after three checks, the MIL light turns off and the DTCs get erased.
There are other ways to clear these codes: you can clear soft DTCs with a scan tool (discussed in the previous section) or by disconnecting the vehicle’s battery. Permanent or hard DTCs, however, are stored in NVRAM and are cleared only when the PCM no longer sees the fault condition. The reason for this is simple enough: to prevent mechanics from manually turning off the MIL and clearing the DTCs when the problem still exists.
Permanent DTCs give mechanics a history of faults so that they’re in a better position to repair them. Unified Diagnostic Services The Unified Diagnostic Services (UDS) is designed to provide a uniform way to show mechanics what’s going on with a vehicle without their having to pay huge license fees for the auto manufacturer’s proprietary CAN bus packet layouts. Unfortunately, although UDS was designed to make vehicle information accessible to even the mom-and-pop mechanic, the reality is a bit different: CAN packets are sent the same way but the contents vary for each make, model, and even year. Auto manufacturers sell dealers licenses to the details of the packet contents. In practice, UDS just works as a gateway to make some but not all of this vehicle information available. The UDS system does not affect how a vehicle operates; it’s basically just a read-only view into what’s going on.
However, it’s possible to use UDS to perform more advanced operations, such as diagnostic tests or firmware modifications (tests that are only a feature of higher-end scan tools). Diagnostic tests like these send the system a request to perform an action, and that request generates signals, such as other CAN packets, that are used to perform the work. For instance, a diagnostic tool may make a request to unlock the car doors, which results in the component sending a separate CAN signal that actually does the work of unlocking the doors.
Sending Data with ISO-TP and CAN Because CAN frames are limited to 8 bytes of data, UDS uses the ISO-TP protocol to send larger outputs over the CAN bus. You can still use regular CAN to read or send data, but the response won’t be complete because ISO-TP allows chaining of multiple CAN packets. To test ISO-TP, connect to a CAN network that has diagnostic-capable modules such as an ECU. Then send a packet designed for ISO-TP over normal CAN using SocketCAN’s cansend application: $ cansend can0 7df#02010d Replies similar to 7e8 03 41 0d 00 In this listing, 7df is the OBD diagnostic code, 02 is the size of the packet, 01 is the mode (show current data; see for a list of common modes and PIDs), and 0d is the service (a vehicle speed of 0 because the vehicle was stationary). The response adds 0x8 to the ID ( 7e8); the next byte is the size of the response.
Responses then add 0x40 to the type of request, which is 0x41 in this case. Then, the service is repeated and followed by the data for the service. ISO-TP dictates how to respond to a CAN packet. Normal CAN packets use a “fire-and-forget” structure, meaning they simply send data and don’t wait for a return packet. ISO-TP specifies a method to receive response data. Because this response data can’t be sent back using the same arbitration ID, the receiver returns the response by adding 0x8 to the ID and noting that the response is a positive one by adding 0x40 to the request.
(If the response fails, you should see a 0x7F instead of the positive + 0x40 response.) lists the most common error responses. NOTE If you have difficulty running the ISO-TP tools, make sure you have the proper kernel module compiled and installed (see “” on ). Understanding Modes and PIDs The first byte of the data section in a diagnostic code is the mode. In automotive manuals, modes start with a $, as in $1.
The $ is used to state that the number is in hex. The mode $1 is the same as 0x01, $0A is the same as 0x0A, and so on. I’ve listed a few examples here, and there are more in for reference. 0x01: Shows current data Shows data streams of a given PID. Sending a PID of 0x00 returns 4 bytes of bit-encoded available PIDs (0x01 through 0x20). 0x02: Shows freeze frame data Has the same PID values as 0x01, except that the data returned is from the freeze frame state. 0x03: Shows stored “confirmed” diagnostic trouble codes Matches the DTCs mentioned in “” on.
0x04: Erases DTCs and clears diagnostic history Clears the DTC and freeze frame data. 0x07: Shows “pending” diagnostic codes Displays codes that have shown up once but that haven’t been confirmed; status pending. 0x08: Controls operations of onboard component/system Allows a technician to activate and deactivate the system actuators manually. System actuators allow drive-by-wire operations and physically control different devices. These codes aren’t standard, so a common scan tool won’t be able to do much with this mode. Dealership scan tools have a lot more access to vehicle internals and are an interesting target for hackers to reverse engineer.
0x09: Requests vehicle information Several pieces of data can be pulled with mode 0x09. 0x0a: Permanent diagnostic codes This mode pulls DTCs that have been erased via mode 0x04. These DTCs are cleared only once the PCM has verified the fault condition is no longer present (see “” on ). Brute-Forcing Diagnostic Modes Each manufacturer has its own proprietary modes and PIDs, which you can usually get by digging through “acquired” dealer software or by using tools or brute force. The easiest way to do brute force is to use an open source tool called the CaringCaribou (CC), available.
CaringCaribou consists of a collection of Python modules designed to work with SocketCAN. One such module is a DCM module that deals specifically with discovering diagnostic services. To get started with CaringCaribou, create an RC file in your home directory, ~/.canrc.
[default] interface = socketcan_ctypes channel = can0 Set your channel to that of your SocketCAN device. Now, to discover what diagnostics your vehicle supports, run the following: $./cc.py dcm discovery This will send the tester-present code to every arbitration ID. Once the tool sees a valid response (0x40+service) or an error (0x7f), it’ll print the arbitration ID and the reply ID. Here is an example discovery session using CaringCaribou: ------------------- CARING CARIBOU v0.1 ------------------- Loaded module 'dcm' Starting diagnostics service discovery Sending diagnostics Tester Present to 0x0244 Found diagnostics at arbitration ID 0x0244, reply at 0x0644 We see that there’s a diagnostic service responding to 0x0244. Next, we probe the different services on 0x0244: $./cc.py dcm services 0x0244 0x0644 ------------------- CARING CARIBOU v0.1 ------------------- Loaded module 'dcm' Starting DCM service discovery Probing service 0xff (16 found) Done! NOTE As of this writing, CaringCaribou is in its early stages of development, and your results may vary.
The current version available doesn’t account for older modes and parses the response incorrectly, which is why you see several services with ID 0x00. For now, just ignore those services; they’re false positives.
CaringCaribou’s discovery option stops at the first arbitration ID that responds to a diagnostic session control (DSC) request. Restart the scan from where it left off using the -min option, as follows: $./cc.py dcm discovery -min 0x245 In our example, the scan will also stop scanning a bit later at this more common diagnostic ID: Found diagnostics at arbitration ID 0x07df, reply at 0x07e8 Keeping a Vehicle in a Diagnostic State When doing certain types of diagnostic operations, it’s important to keep the vehicle in a diagnostic state because it’ll be less likely to be interrupted, thereby allowing you to perform actions that can take several minutes.
In order to keep the vehicle in this state, you need to continuously send a packet to let the vehicle know that a diagnostic technician is present. These simple scripts will keep the car in a diagnostic state that’ll prove useful for flashing ROMs or brute-forcing. The tester present packet keeps the car in a diagnostic state. It works as a heartbeat, so you’ll need to transmit it every one to two seconds, as shown here: #!/bin/sh while: do cansend can0 7df#013e sleep 1 done You can do the same things with cangen: $ cangen -g 1000 -I 7DF -D 013E -L 2 can0. NOTE As of this writing, cangen doesn’t always work on serial-line CAN devices. One possible workaround is to tell slcand to use canX style names instead of slcanX.
Use the ReadDataByID command to read data by ID and to query devices for information. 0x01 is the standard query. The enhanced version, 0x22, can return information not available with standard OBD tools. Use the SecurityAccess command (0x27) to access protected information. This can be a rolling key, meaning that the password or key changes each time, but the important thing is that the controller responds if successful. For example, if you send the key 0x1, and it’s the correct access code, then you should receive an 0x2 in return.
Some actions, such as flashing ROMs, will require you to send a SecurityAccess request. If you don’t have the algorithm to generate the necessary challenge response, then you’ll need to brute-force the key. Event Data Recorder Logging You likely know that airplanes have black boxes that record information about flights as well as conversations in the cockpit and over radio transmissions. All 2015 and newer vehicles are also required to have a type of black box, known as an event data recorder (EDR), but EDRs record only a portion of the information that a black box on an airplane would. The information stored on the EDR includes the following (you’ll find a more complete list in SAE J1698-2): • Airbag deployment • Brake status • Delta-v (longitudinal change in velocity) • Ignition cycles • Seat belt status • Steering angles • Throttle position • Vehicle speed While this data is very similar to freeze frame data, its purpose is to collect and store information during a crash. The EDR constantly stores information, typically only about 20 seconds worth at any one time. This information was originally stored in a vehicle’s airbag control module (ACM), but today’s vehicles distribute this data among the vehicle’s ECUs.
These boxes collect data from other ECUs and sensors and store them for recovery after a crash. Shows a typical EDR. Figure 4-1: A typical event data recorder Reading Data from the EDR The official way to read data from an EDR is with a crash data retrieval (CDR) tool kit. A basic CDR tool will connect to the OBD connector and pull data (or image the vehicle) from the main ECU. CDR tools can also access data in other modules, such as the ACM or the rollover sensor (ROS) module, but they’ll normally need to be plugged in directly to those devices instead of using the OBD port. (You’ll find a comprehensive list of which vehicles have black box data that can be retrieved here:.) CDR kits include both proprietary hardware and software. The hardware usually costs about $2,000, and the cost of the software will vary depending on how many vehicle types you want to support.
The format of vehicle crash data is often considered proprietary as well, and many manufacturers license the communication protocol to tool providers that make CDRs. Obviously, this is not in the best interest of the consumer. The National Highway Traffic Safety Administration (NHTSA) has proposed the adoption of a standard OBD communication method to access this data. The SAE J1698 Standard The SAE J1698 standard lists recommended practices for event data collection and defines event records by sample rate: high, low, and static. High samples are data recorded at the crash event, low samples are pre-crash data, and static samples are data that doesn’t change. Many vehicles are influenced by the SAE J1698 but don’t necessarily conform to its rules for all data retrieved from a vehicle.
Some recorded elements are: • Cruise control status • Driver controls: parking brake, headlight, front wiper, gear selection, passenger airbag disabled switch • Foremost seat track position • Hours in operation • Indicator status lights: VEDI, SRS, PAD, TPMS, ENG, DOOR, IOD • Latitude and longitude • Seating position • SRS deployment status/time • Temperature air/cabin • Vehicle mileage • VIN While the SAE J1698 states latitude and longitude recordings, many manufacturers claim not to record this information for privacy reasons. Your research may vary.
Other Data Retrieval Practices Not all manufacturers conform the to SAE J1698 standard. For example, since the 1990s, General Motors has collected a small amount of EDR data in the sensing and diagnostic module (SDM) of its vehicles. The SDM stores the vehicle’s Delta-v, which is the longitudinal change in the vehicle’s velocity. The SDM does not record any post-crash information.
Another example is Ford’s EDR, known as the restraint control module (RCM). Ford stores a vehicle’s longitudinal and lateral acceleration data rather than Delta-v. If the vehicle has electronic throttle control, the PCM stores additional EDR data, including whether the passenger was an adult or not, the percent the accelerator/brake pedal was depressed, and whether a diagnostic code was active when the crash occurred.
Automated Crash Notification Systems Automated crash notification (ACN) systems are the phone-home systems that contact a vehicle’s manufacturer or a third party with event information. These coincide with other crash recovery systems and extend the functionality by contacting the manufacturer or third party.
One major difference is that there aren’t rules or standards that determine what data is collected and sent to an ACN. ACNs are specific to each manufacturer, and each system will send different information. For example, the Veridian automated collision notification system (released in 2001) reports this information: • Crash type (frontal, side, rear) • Date and time • Delta-v • Longitude and latitude • Make, model, and year of vehicle • Principal direction of force • Probable number of occupants • Rollover (yes or no) • Seat belt use • Vehicle’s final resting position (normal, left side, right side, roof) Malicious Intent Attackers may target a vehicle’s DTCs and freeze frame data to hide malicious activity.
For example, if an exploit needs to take advantage of only a brief, temporary condition in order to succeed, a vehicle’s freeze frame data will most likely miss the event due to delays in recording. Captured freeze frame snapshots rarely contain information that would help determine whether the DTC was triggered by malicious intent. (Because black box EDR systems typically trigger only during a crash, it’s unlikely that an attacker would target them because they’re not likely to contain useful data.) An attacker fuzzing a vehicle’s system might check for fired DTCs and use the information contained in a DTC to determine which component was affected. This type of attack would most likely occur during the research phase of an attack (when an attacker is trying to determine what components the randomly generated packets were affecting), not during an active exploit.
Accessing and fuzzing manufacturer-specific PIDs—by flashing firmware or using mode 0x08—can lead to interesting results. Because each manufacturer interface is kept secret, it’s difficult to assess the actual risk of the network. Unfortunately, security professionals will need to reverse or fuzz these proprietary interfaces to determine what is exposed before work can be done to determine whether there are vulnerabilities. Malicious actors will need to do the same thing, although they won’t be motivated to share their findings. If they can keep undocumented entry points and weaknesses a secret, then their exploit will last longer without being detected. Having secret interfaces into the vehicle doesn’t increase security; the vulnerabilities are there regardless of whether people are allowed to discuss them. Because there’s money in selling these codes (sometimes upward of $50,000), the industry has little incentive to embrace the community.
Summary In this chapter, you have gone beyond traditional CAN packets to understand more complex protocols such as ISO-TP. You have learned how CAN packets can be linked together to write larger messages or to create two-directional communications over CAN. You also learned how to read and clear any DTCs. You looked at how to find undocumented diagnostic services and saw what types of data are recorded about you and your driving habits. You also explored some ways in which diagnostic services can be used by malicious parties. In order to reverse engineer the CAN bus, we first have to be able to read the CAN packets and identify which packets control what. That said, we don’t need to be able to access the official diagnostic CAN packets because they’re primarily a read-only window.
Instead, we’re interested in accessing all the other packets that flood the CAN bus. The rest of the nondiagnostic packets are the ones that the car actually uses to perform actions. It can take a long time to grasp the information contained in these packets, but that knowledge can be critical to understanding the car’s behavior. Locating the CAN Bus Of course, before we can reverse the CAN bus, we need to locate the CAN. If you have access to the OBD-II connector, your vehicle’s connector pinout map should show you where the CAN is. (See for common locations of the OBD connectors and their pinouts.) If you don’t have access to the OBD-II connector or you’re looking for hidden CAN signals, try one of these methods: • Look for paired and twisted wires. CAN wires are typically two wires twisted together.
• Use a multimeter to check for a 2.5V baseline voltage. (This can be difficult to identify because the bus is often noisy.) • Use a multimeter to check for ohm resistance. The CAN bus uses a 120-ohm terminator on each end of the bus, so there should be 60 ohms between the two twisted-pair wires you suspect are CAN.
• Use a two-channel oscilloscope and subtract the difference between the two suspected CAN wires. You should get a constant signal because the differential signals should cancel each other out. (Differential signaling is discussed in “” on.). NOTE If the car is turned off, the CAN bus is usually silent, but something as simple as inserting the car key or pulling up on the door handle will usually wake the vehicle and generate signals. Once you’ve identified a CAN network, the next step is to start monitoring the traffic.
Reversing CAN Bus Communications with can-utils and Wireshark First, you need to determine the type of communication running on the bus. You’ll often want to identify a certain signal or the way a certain component talks—for example, how the car unlocks or how the drivetrain works. In order to do so, locate the bus those target components use, and then reverse engineer the packets traveling on that bus to identify their purpose. To monitor the activity on your CAN, you need a device that can monitor and generate CAN packets, such as the ones discussed in. There are a ton of these devices on the market. The cheap OBD-II devices that sell for under $20 technically work, but their sniffers are slow and will miss a lot of packets. It’s always best to have a device that’s as open as possible because it’ll work with the majority of software tools—open source hardware and software is ideal.
However, a proprietary device specifically designed to sniff CAN should still work. We’ll look at using candump, from the can-utils suite, and Wireshark to capture and filter the packets.
Generic packet analysis won’t work for CAN because CAN packets are unique to each vehicle’s make and model. Also, because there’s so much noise on CAN, it’s too cumbersome to sort through every packet as it flows by in sequence. Using Wireshark Wireshark ( ) is a common network monitoring tool. If your background is in networking, your first instinct may be to use Wireshark to look at CAN packets. This technically works, but we will soon see why Wireshark is not the best tool for the job.
If you want to use Wireshark to capture CAN packets, you can do so together with SocketCAN. Wireshark can listen on both canX and vcanX devices, but not on slcanX because serial-link devices are not true netlink devices and they need a translation daemon in order for them to work. If you need to use a slcanX device with Wireshark, try changing the name from slcanX to canX.
(I discuss CAN interfaces in detail.) If renaming the interface doesn’t work or you simply need to move CAN packets from an interface that Wireshark can’t read to one it can, you can bridge the two interfaces. You’ll need to use candump from the can-utils package in bridge mode to send packets from slcan0 to vcan0.
$ candump -b vcan0 slcan0 Notice in that the data section isn’t decoded and is just showing raw hex bytes. This is because Wireshark’s decoder handles only the basic CAN header and doesn’t know how to deal with ISO-TP or UDS packets. The highlighted packet is a UDS request for VIN. (I’ve sorted the packets in the screen by identifier, rather than by time, to make it easier to read.).
Figure 5-1: Wireshark on the CAN bus Using candump As with Wireshark, candump doesn’t decode the data for you; that job is left up to you, as the reverse engineer. Uses slcan0 as the sniffer device.
Figure 5-2: cansniffer example output You can add the -c flag to colorize any changing bytes. $ cansniffer -c slcan0 The cansniffer tool can also remove repeating CAN traffic that isn’t changing, thereby reducing the number of packets you need to watch. Filtering the Packets Display One advantage of cansniffer is that you can send it keyboard input to filter results as they’re displayed in the terminal. (Note that you won’t see the commands you enter while cansniffer is outputting results.) For example, to see only IDs 301 and 308 as cansniffer collects packets, enter this: -000000 +301 +308 Entering -000000 turns off all packets, and entering + 301 and + 308 filters out all except IDs 301 and 308. The -000000 command uses a bitmask, which does a bit-level comparison against the arbitration ID. Any binary value of 1 used in a mask is a bit that has to be true, while a binary value of 0 is a wildcard that can match anything.
A bitmask of all 0s tells cansniffer to match any arbitration ID. The minus sign (-) in front of the bitmask removes all matching bits, which is every packet. You can also use a filter and a bitmask with cansniffer to grab a range of IDs.
For example, the following command adds the IDs from 500 through 5FF to the display, where 500 is the ID applied to the bitmask of 700 to define the range we’re interested in. +500700 To display all IDs of 5 XX, you’d use the following binary representation: ID Binary Representation 500 101 0000 0000 700 111 0000 0000 ------------------ 101 XXXX XXXX 5 X X You could specify F00 instead of 700, but because the arbitration ID is made up of only 3 bits, a 7 is all that’s required. Using 7FF as a mask is the same as not specifying a bitmask for an ID. For example +3017FF is the same as +301 This mask uses binary math and performs an AND operation on the two numbers, 0x301 and 0x7FF: ID Binary Representation 301 011 0000 0001 7FF 111 1111 1111 ______________________________ 011 0000 0001 3 0 1 For those not familiar with AND operations, each binary bit is compared, and if both are a 1 then the output is a 1. For instance, 1 AND 1 = 1, while 1 AND 0 = 0.
If you prefer to have a GUI interface, Kayak, which we discussed in “” on, is a CAN bus–monitoring application that also uses socketcand and will colorize its display of capture packets. Kayak won’t remove repeating packets the way cansniffer does, but it offers a few unique capabilities that you can’t easily get on the command line, such as documenting the identified packets in XML (.kcd files), which can be used by Kayak to display virtual instrument clusters and map data (see ). Figure 5-3: Kayak GUI interface Using Record and Playback Once you’ve used cansniffer or a similar tool to identify certain packets to focus on, the next step is to record and play back packets so you can analyze them. We’ll look at two different tools to do this: can-utils and Kayak. They have similar functionality, and your choice of tool will depend on what you’re working on and your interface preferences. The can-utils suite records CAN packets using a simple ASCII format, which you can view with a simple text editor, and most of its tools support this format for both recording and playback.
For example, you can record with candump, redirect standard output or use the command line options to record to a file, and then use canplayer to play back recordings. Shows a view of the layout of Kayak’s equivalent to cansniffer. Figure 5-4: Kayak recording to a logfile To record CAN packets with Kayak, first click the Play button in the Log files tab ➊. Then drag one or more buses from the Projects pane to the Busses field of the LogOutput Window tab ➋. Press the Record and Stop buttons at the bottom of the LogOutput window ➌ to start or stop recording.
Once your packet capture is complete, the logging should show in the Log Directory drop-down menu (see ). If you open a Kayak logfile, you’ll see something like the code snippet in.
The values in this example won’t directly correlate to those in because the GUI groups by ID, as in cansniffer, but the log is sequential, as in candump. PLATFORM NO_PLATFORM DESCRIPTION 'No description' DEVICE_ALIAS OBD Port slcan0 (1094.141850) ➊ slcan0 ➋ 128#a20001 ➌ (1094.141863) slcan0 30e0007e0e (1094.141865) slcan0 388#0110 (1094.144851) slcan0 1000000000 (1094.144857) slcan0 120#f00320 Listing 5-2: Contents of Kayak’s logfile. Figure 5-5: Right pane of Log files tab settings Other than some metadata ( PLATFORM, DESCRIPTION, and DEVICE_ALIAS), the log is pretty much the same as the one captured by the can-utils package: ➊ is the timestamp, ➋ is your bus, and ➌ is your arbitration ID and data separated by a # symbol.
To play back the capture, right-click the Log Description in the right panel, and open the recording (see ). Shows the logfile created by candump using the -l command line option: (.027238) slcan0 166#D0320018 (.028348) slcan0 1000000019 (.028370) slcan0 100108001C (.028377) slcan0 191#000B Listing 5-3: candump logfile Notice in that the candump logfiles are almost identical to those displayed by Kayak in. (For more details on different can-utils programs, see “” on.) Creative Packet Analysis Now that we’ve captured packets, it’s time to determine what each packet does so we can use it to unlock things or exploit the CAN bus. Let’s start with a simple action that’ll most likely toggle only a single bit—the code to unlock the doors—and see whether we can find the packet that controls that behavior. Using Kayak to Find the Door-Unlock Control There’s a ton of noise on the CAN bus, so finding a single-bit change can be very difficult, even with a good sniffer.
But here’s a universal way to identify the function of a single CAN packet: • Press Record. • Perform the physical action, such as unlocking a door. • Stop Record. • Press Playback. • See whether the action was repeated. For example, did the door unlock? If pressing Playback didn’t unlock the door, a couple of things may have gone wrong.
First, you may have missed the action in the recording, so try recording and performing the action again. If you still can’t seem to record and replay the action, the message is probably hardwired to the physical lock button, as is often the case with the driver’s-side door lock. Try unlocking the passenger door instead while recording. If that still doesn’t work, the message for the unlock action is either on a CAN bus other than the one you’re monitoring—you’ll need to find the correct one—or the playback may have caused a collision, resulting in the packet being stomped on. Try to replay the recording a few times to make sure the playback is working. Once you have a recording that performs the desired action, use the method shown in to filter out the noise and locate the exact packet and bits that are used to unlock the door via the CAN bus. Now, keep halving the size of the packet capture until you’re down to only one packet, at which point you should be able figure out which bit or bits are used to unlock the door.
The quickest way to do this is to open your sniffer and filter on the arbitration ID you singled out. Unlock the door, and the bit or byte that changed should highlight. Now, try to unlock the car’s back doors, and see how the bytes change.
You should be able to tell exactly which bit must be changed in order to unlock each door. Figure 5-6: Sample unlock reversing flow Using can-utils to Find the Door-Unlock Control To identify packets via can-utils, you’d use candump to record and canplayer to play back the logfile, as noted earlier. Then, you’d use a text editor to whittle down the file before playback.
Once you’re down to one packet, you can then determine which byte or bits control the targeted operation with the help of cansend. For instance, by removing different halves of a logfile, you can identify the one ID that triggers the door to unlock: slcan0 300  00 00 84 00 00 0F 00 00 Now, you could edit each byte and play back the line, or you could use cansniffer with a filter of +300 to single out just the 300 arbitration ID and monitor which byte changes when you unlock the door. For example, if the byte that controls the door unlock is the sixth byte—0x0F in the preceding example—we know that when the sixth byte is 0x00, the doors unlock, and when it’s 0x0F, the doors lock. NOTE This is a hypothetical example that assumes we’ve performed all the steps listed earlier in this chapter to identify this particular byte. The specifics will vary for each vehicle. We can verify our findings with cansend: $ cansend slcan0 30000F0000 If, after sending this, all the doors lock, we’ve successfully identified which packets control the door unlock.
Now, what happens when you change the 0x0F? To find out, unlock the car and this time send a 0x01: $ cansend slcan0 3000010000 Observe that only the driver’s-side door locks and the rest stay open. If you repeat this process with a 0x02, only the front passenger’s-side door locks. When you repeat again with a 0x03, both the driver’s-side door and the front passenger’s-side door lock. But why did 0x03 control two doors and not a different third door? The answer may make more sense when you look at the binary representation: 0x00 = 00000000 0x01 = 00000001 0x02 = 00000010 0x03 = 00000011 The first bit represents the driver’s-side door, and the second represents the front passenger’s-side door. When the bit is a 1, the door locks, and when it’s a 0, it unlocks.
When you send an 0x0F, you’re setting all bits that could affect the door lock to a binary 1, thereby locking all doors: 0x0F = 00001111 What about the remaining four bits? The best way to find out what they do is to simply set them to 1 and monitor the vehicle for changes. We already know that at least some of the 0x300 signal relates to doors, so it’s fairly safe to assume the other four bits will, too. If not, they might control different door-like behavior, such as unlatching the trunk. NOTE If you don’t get a response when you toggle a bit, it may not be used at all and may simply be reserved.
Getting the Tachometer Reading Obtaining information on the tachometer (the vehicle’s speed) can be achieved in the same way as unlocking the doors. The diagnostic codes report the speed of a vehicle, but they can’t be used to set how the speed displays (and what fun is that?), so we need to find out what the vehicle is using to control the readings on the instrument cluster (IC). To save space, the RPM values won’t display as a hex equivalent of the reading; instead, the value is shifted such that 1000 RPM may look like 0xFA0. This value is often referred to as “shifted” because in the code, the developers use bit shifting to perform the equivalent of multiplying or dividing. For the UDS protocol, this value is actually as follows. To make matters worse, you can’t monitor CAN traffic and query the diagnostic RPM to look for changing values at the same time.
This is because vehicles often compress the RPM value using a proprietary method. Although the diagnostic values are set, they aren’t the actual packets and values that the vehicle is using, so we need to find the real value by reversing the raw CAN packets. (Be sure to put the car in park before you do this, and even lift the vehicle off the ground or put it on rollers first to avoid it starting suddenly and crushing you.) Follow the same steps that you used to find the door unlock control: • Press Record. • Press the gas pedal. • Stop Record.
• Press Playback. • See whether the tachometer gauge has moved. You’ll probably find that a lot of engine lights flash and go crazy during this test because this packet is doing a lot more than just unlocking the car door. Ignore all the blinking warning lights, and follow the flowchart shown in to find the arbitration ID that causes the tachometer to change. You’ll have a much higher chance of collisions this time than when trying to find the bit to unlock the doors because there’s a lot more going on.
Consequently, you may have to play and record more traffic than before. (Remember the value conversions mentioned earlier, and keep in mind that more than one byte in this arbitration ID will probably control the reported speed.) Putting Kayak to Work To make things a bit easier, we’ll use Kayak’s GUI instead of can-utils to find the arbitration IDs that control the tachometer. Again, make sure that the car is immobilized in an open area, with the emergency brake on, and maybe even up on blocks or rollers. Start recording and give the engine a good rev. Then, stop recording and play back the data. The RPM gauge should move; if it doesn’t, you may be on the wrong bus and will need to locate the correct bus, as described earlier in this chapter.
Once you have the reaction you expect from the vehicle, repeat the halving process used to find the door unlock, with some additional Kayak options. Kayak’s playback interface lets you set the playback to loop infinitely and, more importantly, set the “in” and “out” packets (see ).
The slider represents the number of packets captured. Use the slider to pick which packet you start and stop with during playback. You can quickly jump to the middle or other sections of the recording using the slider, which makes playing back half of a section very easy. Figure 5-7: Kayak playback interface As for testing, you won’t be able to send only a single packet as you did when you tried to unlock the car because the vehicle is constantly reporting its current speed. To override this noise, you need to talk even faster than the normal communication to avoid colliding all the time. For instance, if you play your packets right after the real packet plays, then the last seen update will be the modified one.
Reducing noise on the bus results in fewer collisions and cleaner demos. If you can send your fake packet immediately after the real packet, you often get better results than you would by simply flooding the bus. To send packets continuously with can-utils, you can use a while loop with cansend or cangen. (When using Kayak’s Send Frame dialog to transmit packets, make sure to check the Interval box.) Creating Background Noise with the Instrument Cluster Simulator The instrument cluster simulator (ICSim) is one of the most useful tools to come out of Open Garages, a group that fosters open collaboration between mechanics, performance tuners, and security researchers (see ). ICSim is a software utility designed to produce a few key CAN signals in order to provide a lot of seemingly “normal” background CAN noise—essentially, it’s designed to let you practice CAN bus reversing without having to tinker around with your car. (ICSim is Linux only because it relies on the virtual CAN devices.) The methods you’ll learn playing with ICSim will directly translate to your target vehicles. ICSim was designed as a safe way to familiarize yourself with CAN reversing so that the transition to an actual vehicle is as seamless as possible.
Setting Up the ICSim Grab the source code for the ICSim from and follow the README file supplied with the download to compile the software. Before you run ICSim, you should find a sample script in the README called setup_vcan.sh that you can run to set up a vcan0 interface for the ICSim to use. ICSim comes with two components, icsim and controls, which talk to each other over a CAN bus.
To use ICSim, first load the instrument cluster to the vcan device like this: $./icsim vcan0 In response, you should see the ICSim instrument cluster with turn signals, a speedometer, and a picture of a car, which will be used to show the car doors locking and unlocking (see ). NOTE Once the control panel is loaded, you should see the speedometer idle just above 0 mph. If the needle is jiggling a bit, you know it’s working. The control application writes only to the CAN bus and has no other way to communicate with the icsim. The only way to control the virtual car is through the CAN. The main controls on the CANBus Control Panel are as follows: Accelerate (up arrow) Press this to make the speedometer go faster. The longer you hold the key down, the faster the virtual vehicle goes.
Turn (left/right arrows) Hold down a turn direction to blink the turn signals. Lock (left SHIFT), Unlock (right SHIFT) This one requires you to press two buttons at once. Hold down the left SHIFT and press a button (A, B, X, or Y) to lock a corresponding door. Hold down the right SHIFT and press one of the buttons to unlock a door. If you hold down left SHIFT and then press right SHIFT, it will unlock all the doors.
If you hold down right SHIFT and press left SHIFT, you’ll lock all the doors. Make sure you can fit both the ICSim and the CANBus Control Panel on the same screen so that you can see how they influence each other.
Then, select the control panel so that it’s ready to receive input. Play around with the controls to make sure that the ICSim is responding properly. If you don’t see a response to your controls, ensure that the ICSim control window is selected and active. Reading CAN Bus Traffic on the ICSim When you’re sure everything is working, fire up your sniffer of choice and take a look at the CAN bus traffic, as shown in. Try to identify which packets control the vehicle, and create scripts to control ICSim without using the control panel.
Most of the changing data you see in is caused by a replay file of a real CAN bus. You’ll have to sort through the messages to determine the proper packets. All methods of replay and packet sending will work with ICSim, so you can validate your findings. Figure 5-10: Screen layout for using ICSim Changing the Difficulty of ICSim One of the great things about ICSim is that you can challenge yourself by making it harder to find the target CAN traffic. ICSim supports four difficulty levels—0 through 3, with level 1 as the default. Level 0 is a super simple CAN packet that does the intended operation without any background noise, while level 3 randomizes all the bytes in the packet as well. To have the simulator choose different IDs and target byte positions, use ICSim’s randomize option: $./icsim -r vcan0 Using CAN interface vcan0 Seed: This option prints a randomized seed value to the console screen.
Pass this value into the CANBus Control Panel along with your choice of difficulty level: $./controls -s -l 3 vcan0 You can replay or share a specific seed value as well. If you find one you like or if you want to race your friends to see who can decipher the packets first, launch ICSim with a set seed value like this: $./icsim -s vcan0 Next, launch the CANBus Control Panel using the same seed value to sync up the randomized control panel to the ICSim. If the seed values aren’t the same, they won’t be able to communicate. It may take you a while to locate the proper packets the first time using ICSim, but after a few passes, you should be able to quickly identify which packets are your targets.
Try to complete the following challenges in ICSim: • Create “hazard lights.” Make both turn signals blink at the same time. • Create a command that locks only the back two doors. • Set the speedometer as close as possible to 220 mph. Reversing the CAN Bus with OpenXC Depending on your vehicle, one solution to reverse engineering the CAN bus is OpenXC, an open hardware and software standard that translates proprietary CAN protocols into an easy-to-read format. The OpenXC initiative was spearheaded by the Ford Motor Company—and as I write this, OpenXC is supported only by Ford—but it could work with any auto manufacturer that supports it.
(Visit for information on how to acquire a pre-made dongle.) Ideally, open standards for CAN data such as OpenXC will remove the need for many applications to reverse engineer CAN traffic. If the rest of the automotive industry were to agree on a standard that defines how their vehicles work, it would greatly improve a car owner’s ability to tinker and build on new innovative tools. Translating CAN Bus Messages If a vehicle supports OpenXC, you can plug a vehicle interface (VI) in to the CAN bus, and the VI should translate the proprietary CAN messages and send them to your PC so you can read the supported packets without having to reverse them. In theory, OpenXC should allow access to any CAN packet via a standard API.
This access could be read-only or allow you to transmit packets. If more auto manufacturers eventually support OpenXC, it could provide third-party tools with more raw access to a vehicle than they would have with standard UDS diagnostic commands. A vehicle typically has as many as a dozen or more electronic controllers, many of which are networked to communicate with each other. These computerized devices go by many different names, including electronic control unit or engine control unit (ECU), transmission control unit (TCU), or transmission control module (TCM). While these terms may have specific meanings in a formal setting, similar terms are often used interchangeably in practice. What may be a TCU to one manufacturer is a TCM to another, yet both electronic controllers perform the same or extremely similar functions. Most automotive control modules have measures in place to prevent you from altering their code and operation; these range from very strong to laughably weak.
You won’t know what you’re dealing with until you investigate a particular system. In this chapter, we’ll take a closer look at particular security mechanisms, but first we’ll examine strategies for gaining access to these systems. Then in we’ll look at some more specific ECU hacks, like glitch attacks and debugging. The attack vectors for ECUs fall into three different classes: Front door attacks Commandeering the access mechanism of the original equipment manufacturer (OEM) Backdoor attacks Applying more traditional hardware-hacking approaches Exploits Discovering unintentional access mechanisms We’ll look at an overview of these attack classes, and then analyze the data you find. It’s worth remembering that while the goal for ECU and other control module hacking is often the same—to gain access in order to reprogram and change behavior—it’s unlikely there’ll be a “master key” for all controllers. However, OEMs are generally not very creative and seldom change their ways, so insight into one controller likely applies to similar models from the same manufacturer.
Also, few of today’s auto manufacturers develop their own automotive computers from scratch, instead licensing prefabricated solutions from third parties like Denso, Bosch, Continental, and others. Because of this design methodology, it’s relatively common to see vehicles from different auto manufacturers using very similar computer systems sourced from the same vendors. Front Door Attacks The OBD-II standard mandates that you be able to reprogram vehicles through the OBD-II connector, and reverse engineering the original method for programming is a guaranteed attack vector. We’ll examine J2534 and KWP2000 as examples of common protocols for programming.
J2534: The Standardized Vehicle Communication API The SAE J2534-1 standard, or simply J2534, was developed to promote interoperability among digital tool vendors through the use of the J2534 API, which outlines the recommended way for Microsoft Windows to communicate with a vehicle. (You can purchase the J2534 API from the SAE at.) Prior to the adoption of the J2534 standard, each software vendor created its own proprietary hardware and drivers for communicating with a vehicle in order to perform computerized repairs. Because these proprietary tools weren’t always available to smaller shops, the EPA mandated the adoption of the J2534 standard in 2004 to allow independent shops access to the same specialized computer tools used by dealerships. J2534 introduced a series of DLLs that map standard API calls to instructions necessary to communicate with a vehicle, thereby allowing multiple manufacturers to release software designed to work with J2534-compatible hardware. Using J2534 Tools J2534 tools provide a convenient way to observe OEM tools interacting with vehicle computers. Manufacturers often leverage J2534 to update computer firmware and sometimes to provide powerful diagnostic software.
By observing and capturing information exchanged with a vehicle using J2534, you can see how OEMs perform certain tasks, which may provide you with information that you need to unlock the “front door.” When using J2534 tools to attack vehicle systems, the basic idea is to observe, record, analyze, and extend functionality. Of course, the first step is to obtain and configure a J2534 application and its corresponding interface hardware in order to perform a task you want to observe. Once you have your setup, the next step is to observe and record communications with the target while using the J2534 tools to perform an action on the target, like updating a configuration parameter.
There are two primary ways to observe J2534 transactions: by watching J2534 API calls on a PC using J2534 shim DLLs or by watching actual bus traffic using a separate sniffer tool to capture data. J2534 tools are key to eavesdropping on the protocols built into the factory embedded vehicle systems, and they’re one of the primary ways to attack the front door. Successful analysis of this communication will give you the knowledge you need to access vehicle systems the way the OEMs do. It’ll also allow you to write applications with full access to read and reprogram systems, which will in turn enable you to communicate directly with a vehicle without having to use the J2534 interface or the OEM’s J2534 software. J2534 Shim DLLs The J2534 shim is a software J2534 interface that connects to a physical J2534 interface and then passes along and logs all commands that it receives.
This dummy interface is a kind of man-in-the-middle attack that allows you to record all API calls between the J2534 application and the target. You can then examine the log of commands to determine the actual data exchanged between the J2534 interface and the device. To find an open source J2534 shim, search for J2534-logger. You should also be able to find precompiled binaries.
J2534 with a Sniffer You can also use J2534 to generate interesting traffic that you can then observe and record with a third party sniffer. There’s no magic here: this is just an excellent example of how to generate juicy packets that might otherwise be difficult to capture. (See for more information on monitoring network traffic.) KWP2000 and Other Earlier Protocols Before J2534, there were many flash-programmable ECUs and other control units, such as the Keyword Protocol 2000 (KWP2000 or ISO14230). From an OSI networking perspective, it’s primarily an application protocol. It can be used on top of CAN or ISO9141 as the physical layer. You’ll find a huge number of KWP2000 flasher tools that interface with a PC using a serial/ USB-serial interface and that support diagnostics and flashing using this protocol just by searching online.
(For more on the Keyword Protocol 2000, see.) Capitalizing on Front Door Approaches: Seed-Key Algorithms Now that we’ve discussed how legitimate tools use the front door, it’s time to capitalize on this attack vector by learning how to operate the figurative “lock on the gate.” To do this, we must understand the algorithm that the embedded controller uses to authenticate valid users; this is almost always a seed-key algorithm. Seed-key algorithms usually generate a pseudorandom seed and expect a particular response, or key, for each seed before allowing access. A typical valid exchange could look something like this: ECU seed: 01 C3 45 22 84 Tool key: 02 3C 54 22 48 or this: ECU seed: 04 57 Tool key: 05 58 Unfortunately, there’s no standard seed-key algorithm. You might have a 16-bit seed and 16-bit key, a 32-bit seed and 16-bit key, or a 32-bit seed and 32-bit key. The algorithm that generates a key from a given seed also varies from platform to platform.
Most algorithms are a combination of simple arithmetic operations and one or more values used as part of the computation. There are several techniques for figuring out these algorithms in order to give you access to the ECU: • Obtain the firmware for the device in question through other means.
Disassemble it and analyze the embedded code to find the code responsible for generating seed-key pairs. • Obtain a legitimate software tool—for example, J2534 reflash software—that’s capable of generating legitimate seed-key pairs, and analyze the PC application code with a disassembler to determine the algorithm used.
• Observe a legitimate tool exchanging keys, and analyze the pairs for patterns. • Create a device to spoof a legitimate tool into providing responses repeatedly. The main advantage of this method over purely passive observation is that it allows you to pick seeds for which you can reproduce the keys. You can find more information about reverse engineering the seed-key algorithms used by General Motors at, and those used by VAG MED9.1. Backdoor Attacks Sometimes front door attacks are too tricky; you may not have the right tools or the lock might be too hard to figure out. Don’t despair—remember that automotive control modules are embedded systems, so you can use all the usual hardware-hacking approaches. In fact, using more direct-to-hardware backdoor approaches often makes more sense than trying to reverse engineer the front door lock placed by the factory, especially when trying to reprogram engine modules.
If you can obtain a dump of the module, you can often disassemble and analyze it to figure out how the keys to the front door work. The first step in a hardware backdoor attack is analyzing the circuit board. When reversing a circuit board of any system, you should start with the largest chips first. These larger processor and memory chips are likely to be the most complex. It’s a good idea to make a list of part numbers to feed to Google,, or something similar, to obtain a copy of the data sheet. You’ll sometimes encounter custom application-specific integrated circuits (ASICs) and one-off chips, especially with older ECUs, which will prove more difficult than off-the-shelf parts. In many cases, you’ll have to infer the function of these parts based on how they’re connected to identifiable parts.
It’s critical to look out for memory chips—SRAM, EEPROM, FlashROM, one-time-programmable ROM, serial EEPROM, serial flash, NVSRAM, and so on. The type of memory used varies immensely from one platform to another; every single variety listed here has been found in the wild.
Newer designs are less likely to have parallel memories and more likely to have serial chips. Newer microcontrollers are less likely to have any external memories at all, as their internal flash capacities have dramatically increased. Any nonvolatile memory chip present can be removed from the circuit board, read, and then replaced. Goes into much more detail on reverse engineering the circuit board. Exploits Although arguably just another example of a backdoor approach, exploits deserve special attention.
Rather than taking apart a computer, exploits involve feeding a system carefully crafted inputs to make it do things outside normal operation. Typically, exploits build on a bug or problem.
This bug might cause a system to crash, reboot, or perform some undesirable behavior from the perspective of the vehicle user. Some of these bugs present the opportunity for buffer overflow attacks, which open the door for commandeering the vulnerable device merely by feeding it unexpected inputs. A cleverly crafted set of inputs triggers the bug, which then makes the device execute arbitrary code provided by the attacker instead of triggering the usual fault condition. Not all bugs can be turned into exploits, however—some bugs only cause problems or shut down core systems. And while bugs are usually discovered by accident, most exploits require careful craft. It is unlikely that you’d be able to turn a known bug into an exploit without also having prior knowledge of the system, usually gained from firmware analysis.
At a bare minimum, you’d need basic knowledge of the architecture in order to write the necessary code. Most of the time, this knowledge needs to be gathered through research prior to writing an exploit.
It’s hard to find bugs that make suitable attack vectors and it’s often just as difficult to write exploits for them, so exploits that build on bugs are fairly uncommon. While it is foolish to discount the relevance of exploits, the other methods presented here and in are much more practical paths to understanding and reprogramming automotive systems in most cases. Reversing Automotive Firmware Hacking into an automotive control module far enough to retrieve its current firmware and configuration is really just the beginning of the adventure. At this point, you probably have anywhere from 4KB to 4MB of raw machine-ready code, with a mixture of various parameters and actual code that forms the program the processor will run.
Let’s say you have a binary blob in the firmware from one of the hacks in this chapter or the chapters later in this book. Next you need to disassemble the binary. First, you must know which chip this binary is for. There are several free decompilers for different chips out on the Internet. Otherwise you can drop some cash and buy IDA Pro, which supports a large variety of chips. These tools will convert the hex values in the binary into assembler instructions. The next stage is to figure out what exactly you are looking.
When you’re starting to analyze raw data, a high-level understanding of the function of the devices you’re reverse engineering will be key to knowing what to look for. You can follow a number of breadcrumbs, or clues, for starters; these breadcrumbs are almost guaranteed to lead you to interesting and useful material. Next, we’ll look at a few specific examples of how to use common automotive controller functions to gain insight into their operation, which will hopefully allow us to change their behavior. Self-Diagnostic System Every engine controller has some type of self-diagnostic system that typically monitors most critical engine functions, and analyzing this is an excellent route to understanding firmware. A good first step in investigative disassembly is to identify the location of these procedures. This will provide you with insight into the memory locations involved in all of the sensors and functions that are checked for errors.
Any modern vehicle should support OBD-II packets, which standardize the diagnostic data reported. Even controllers created prior to OBD-II standards have a way to report faults. Some have a system where an analog input is shorted to ground and either an internal LED or the “check engine” light flashes out the code. For example, knowing that code 10 refers to a failed intake air temperature sensor means you can find the piece of code that sets error code 10 to help you identify the internal variables associated with the air temperature sensor.
For more detailed information on using diagnostics, see. Library Procedures Being able to change the behavior of a control unit is often one of the primary goals of reverse engineering ECU firmware, and identifying data used by a controller is an important step in the process. Most ECUs have a set of library functions used for routine tasks throughout the code. Library functions used for table lookups are worth identifying early on in the reverse engineering process, as these can lead straight to the parameters you’re interested in. Each time a table is used, a function is called to fetch a result.
Calls to this type of function are among the most frequent, making them easy to spot. Usually each type of data stored within the ECU—one-dimensional array of bytes; two-dimensional array of words; three-dimensional array of unsigned, signed, and float shorts; and so on—has a unique reference function.
When called, each table lookup routine needs to be passed, at a minimum, the table index (or start address) and the axis variables. Often, table lookup routines can be reused to pass information about the structure of the table, such as how many rows and columns are present. Calibration data is usually stored in program memory, along with the routines accessing them. Microcontrollers typically have special instructions to access program memory, which provide a unique signature to search for and make table lookup routines particularly easy to spot. A secondary characteristic of these lookup routines is that they tend to have lots of interpolation math. In addition, table lookup routines are often grouped closely together in program memory, making it even easier to find others after you’ve found one. After identifying reference routines, searching for all calls to them can provide a key to identifying the vast majority of data used by the controller to make decisions.
The arguments passed to these functions typically include the start address of a table, its structure or shape, and which variables index elements of the table. Armed with this information, you’re much closer to being able to change the behavior of the controller. Finding Known Tables One way to identify tables is to leverage the specific physical and electrical characteristics of vehicle sensors, which will display identifiable characteristics within ECU firmware.
For example, an ECU with a MAF sensor will have a table that translates raw readings of voltage or frequency from the MAF into airflow into the engine, providing an internal representation. Fortunately for us, the signal output from an MAF is determined by physics—that is, King’s Law—so the curve will always have a characteristic shape, though it’ll be slightly different for each sensor. This will result in the tables having a characteristic set of values that can be observed in the ROM. Armed with the knowledge that there will be universal data to identify, let’s take a closer look at how calibration data is displayed in different programs.
And show similarly shaped Ford and Nissan sensor curves; the similarity they illustrate extends to multiple manufacturers. Figure 6-3: VQ table in HxD hex editor: 128 bytes or 64- to 16-bit words and show the VQ table in analyze.exe available from. A simple visualization tool, analyze.exe colors cells based on their numeric value. You can select the precision of the data—for example, 1 = 8-bit byte, 2 = 16-bit word, and 4 = 32-bit long—and how many rows and columns you want present. This simple visual arrangement often makes it easier to identify what is code and what is data than it is when you’re using a hex editor, as in. Figure 6-8: This random code doesn’t have the neat, orderly patterns that are present in most tables.
More to Learn from the MCU Hopefully, these examples help connect knowledge of the table data you expect to find with their representation within a binary blob. Learning the capabilities of the microcontroller unit (MCU) used in a target system can shed light on the types of data to expect when looking over the binary data.
Generally, data representation formats are dictated by the hardware present. Knowing the size of registers on the MCU running the show can be a big help for identifying parameters. Most parameters tend to be the same size as or smaller than the registers of a given MCU. An 8-bit MCU, like a 68HC11, is likely to have lots of 8-bit data. It’s unusual to see mostly 4-byte, or 32-bit, unsigned long integers on an 8-bit MCU. While 16-bit data becomes more common on MCUs like the 68332, 32-bit data becomes the norm with MPC5xx Power Architecture MCUs and so on. It’s unusual to find floating-point data on an MCU that lacks a floating-point processor.
Comparing Bytes to Identify Parameters It’s often possible to get multiple bins that’ll run on the same physical ECU. The more the better! Doing a simple compare in a hex editor will show which bytes differ between the files. It’s common—but not guaranteed—for code to remain unchanged while parameters change. If less than 5 percent of the files differ, it’s generally safe to assume that the differences are parameters.
If you know what’s been changed functionally between the two bins and you know which bytes have changed, you have further clues to help correlate changes in the ROM with changes in parameters. And compare a 1996 V8 Mustang and a 1997 V6 Thunderbird, showing 6,667 differences out of 114,688 bytes. This is an extreme example of having the same code with different parameters, but there’s still only about a 5.8 percent difference compared to overall file size. Most processors use an interrupt vector table defined by the processor being used. Referencing the processor’s data sheet will define the structure of interrupt routines, allowing you to quickly identify the interrupt handlers.
Tracing interrupt pins on the processor to circuitry within the ECU to pins you can reference in a vehicle wiring diagram can help you identify code blocks used to service such hardware functions as fuel and spark control, crank and cam signal processing, and idle functions. Figure 6-10: File compare function of the HxD hex editor Identifying ROM Data with WinOLS WinOLS is a popular commercial program for modifying bins. It combines a series of tools for calculating and updating checksums within a ROM with a set of tools for identifying tables. And illustrate WinOLS in use. If the ROM type is known, it has many templates that automatically identify configuration parameters.
Most of the known built-in ROM types are geared toward Bosch Motronic ECUs. Templates and configurations can be saved, shared, and sold to enable users to make modifications to specific files with greater ease. WinOLS is arguably the most common software used for identifying interesting data within a ROM that doesn’t involve code analysis.
It’s designed to facilitate rapid tuning changes to a controller. Figure 6-12: WinOLS being used on a 2006 Volkswagen 2.0Tsi ECU Code Analysis Code analysis can be a long, complicated task. If you’re starting from scratch, with no experience, it will likely take hundreds of hours to analyze a complex piece of code. Modern control units often have upward of a megabyte or two of code, which is a huge amount of code when you’re looking at it in assembly. An ECU from 1995 with 32 kilobytes (not megabytes) of code will have upward of 10,000 assembly instructions to sort out. Bottom line: do not underestimate how much work this approach will take.
I’ll briefly introduce a few tools, but I don’t have the space to address the topic in sufficient depth for someone unfamiliar with the process. (After all, entire books have been written solely on code analysis.) Here, I’ll just talk through specific tools and methods particularly applicable to automotive embedded systems. Ethernet Controller Driver Windows Xp Professional Sp3 Free Download. When analyzing a new target, first identify the architecture you’re working with.
Knowing what processor executed the blob of binary will help you choose an appropriate software tool to further assist. If you can’t identify a processor based on the markings on the chip itself, search online for data sheets to identify it.
To analyze code, you might need to find a disassembler. A quick Google search reveals that there are lots of them out there. Some target a single architecture—for example, Dis51—and some are custom-written for automotive reverse engineering—for example, Dis66k. Others, like CATS dasm, IDA Pro, Hopper, dasmx, and objdump from the GNU Binary Utilities (binutils), target multiple processors.
IDA Pro supports more embedded targets than just about any other program, but it’s also one of the most expensive disassemblers. GNU binutils also supports a pretty wide range of architectures, but the version included on most systems will be built only for the “native” architecture. Rebuilding binutils with all architectures enabled will open a few doors. Your budget and supported processors will determine which disassemblers are an option. Bust out the disassembly tools and start trying to make sense of the mess, but as I warned earlier, this might take hundreds of hours. A divide-and-conquer mentality works best—focus on the smaller tasks rather than the project as a whole.
If you obtained the binary by backdoor methods, you probably already took the ECU apart to identify the processor. If you cracked the J2534 programming routines, you might not have a clue what processor is running the show. In this case, you’re going to need to keep running it through a disassembler over and over using different settings until you get something that makes sense. You’re looking for assembly code that disassembles cleanly, meaning that it looks like it makes logical sense. If you disassemble a binary for the wrong architecture or using the wrong settings, you’ll still see assembly instructions, but the assembler actions won’t make sense.
Disassembly is a bit of an art, and it may take a little practice at seeing a “clean” assembler to get the hang of identifying when a dissassembler is providing the correct response, especially when nonexecutable tables and data are scattered among the code. Here are some hints for making sense of disassembled code: • OEMs love to patent stuff. If you can find the patents relevant to your system, you may end up with a guided tour of the code being disassembled. This is probably the most consistently available high-level procedural guide to help you understand the logic in an automotive computer. Patents usually lead production by at least one to two years, if not more. • Look at any available software for manipulating the ECU at hand for insight into the structure and purpose of code segments. You can often infer a model of behavior from tables available to be modified in aftermarket software.
• Otherwise, start with a wiring diagram for the vehicle, and trace connections back through ECU circuitry to particular pins on the MCU. This should tell you which piece of MCU hardware handles which function. Cross reference the interrupt tables, or look for calls to service particular pieces of hardware in order to identify which piece(s) of code service that hardware function.
A plain, or old-style, disassembler will output very verbose text. Each individual instruction is parsed. Some disassemblers will attempt to mark areas referenced as data and void disassembling them. Other disassemblers need to be specifically told which areas are code and which areas are data. A Plain Disassembler at Work To see disassembly in action, we’ll look at a plain disassembly of a 1990 Nissan 300ZX Twin Turbo ROM. This ECU has a 28-pin external 27C256 EPROM, so it’s relatively easy to obtain its contents. This particular platform uses a HD6303 MCU, a derivative of the Motorola 6800 8-bit MCU that appears to be supported by the free disassembler DASMx (see ).
DASMx comes with minimal instructions: to disassemble foo.bin, create a file, foo.sym, that describes which platform is in use, and then create an entry point in memory to place the image, symbols you know about, and so on. Time for a crash course in the architecture! A critical point about the memory structure is that the MCU can address 65535 bytes (64KB). This information tells you what to expect when looking at the addresses in your binary blob. Further reading suggests that the interrupt vector table lies at the end of addressable memory, with the reset vector—where every processor starts after a reset—at 0xFFFE/0xFFFF.
Assuming that the 32KB (0x7FFF hex) binary blob we have from reading the EPROM contains the interrupt vector table, we can figure out that the binary image needs to start at memory address 0x8000 for it to end at 0xFFFF (0xFFFF – 0x7FFF = 0x8000). It also helps to search online to see whether others are trying to do something similar. For example, the post at is for a smaller 16KB binary based on settings for a 0xC000 entry point. The more legwork and research you do prior to actually invoking a disassembler, the more likely you are to get reasonable results. Shows the symbol table for the 300ZX binary. Next to each symbol is the memory address used by the firmware.
These memory addresses can hold values such as incoming data from different physical pins on the chip or internal information, like timing. Figure 6-16: Reset vector disassembly We’ve taken this example as far as obtaining a disassembled binary image and looking for basic sanity. Now, for the hard part: following the code, breaking it into routines, and trying to figure out how it works. Interactive Disassemblers As of this writing, IDA Pro is the most popular interactive disassembler available. It performs the same tasks as the simple disassembler just discussed, and more. Specifically, IDA Pro names registers and variables; once IDA Pro identifies and names a variable, or memory address—for instance, $FC50–RPM—it gives all references to that variable within the code a descriptive name rather than a less-recognizable plain hex address. IDA Pro also graphs code to visualize program flow.
One of the advantages of IDA Pro is that it’s programmable to allow additional opcodes for customizing automotive processors and plugins for further processing disassembled code (for example, decompiling assembly into higher language code); it also lets you use structs, unions, classes, and other user-defined data types. Lastly, IDA Pro supports more embedded platforms out of the box than just about any other disassembler currently available. You don’t necessarily need these functions to successfully analyze code, but they make things substantially easier. And are screenshots from real code analysis with IDA Pro.
Thanks to Matt Wallace for graciously posting these examples in a public forum. The user in obtained Acura NSX ECU firmware through a combination of hardware-hacking approaches, took the code apart, analyzed it using IDA Pro, and rewrote it. Next, the user determined the necessary functions to log data from the ECU and alter its operation. The result allowed the user to use forced induction—that is, turbochargers and superchargers—with a factory computer; this would have been impossible without ECU modification. Figure 6-18: IDA diagram of code for checking fuel injectors on NSX ECU Summary Because hacking on the ECU often involves processors that are smaller than those used in more powerful modern devices, such as cell phones, the tools used for reversing the firmware differ for each target. By using a combination of techniques, such as data visualization to locate tables, and by reversing the firmware directly, you can identify the areas you’re interested in modifying. The methods discussed in this chapter are techniques commonly used by performance tuners to adjust how a vehicle handles fuel efficiency.
All can be used to unlock features hidden in the code of your vehicle. We’ll look at performance tuning in more detail in. An ECU test bench, like the one shown in, consists of an ECU, a power supply, an optional power switch, and an OBD-II connector. You can also add an IC or other CAN-related systems for testing, but just building a basic ECU test bench is a great way to learn the CAN bus and how to create custom tools. In this chapter, we’ll walk step by step through the process of building a test bench for development and testing.
The Basic ECU Test Bench The most basic test bench is the device that you want to target and a power supply. When you give an ECU the proper amount of power, you can start performing tests on its inputs and communications. For example, shows a basic test bench containing a PC power supply and an ECU. Figure 7-1: A simple ECU test bench However, you’ll often want to at least add some components or ports to make the test bench easier to use and operate. To make it easier to turn the device on and off, you can add a switch to the power supply.
An OBD port allows for specialized mechanics tools to communicate with the vehicle’s network. In order for that OBD port to fully function, we need to expose the vehicle’s network wires from the ECU to the OBD port. Finding an ECU One place to find an ECU is, of course, at the junkyard. You’ll typically find the ECU behind a car’s radio in the center console or behind the glove box. If you’re having trouble finding it, try using the massive wiring harness to trace back to the ECU.
When pulling one out yourself (it should cost only about $150), be sure to pull it from a vehicle that supports CAN. You can use a reference website such as to help you identify a target vehicle.
Also, make sure you leave at least a pigtail’s worth of wiring when you remove the ECU; this will make it easier to wire up later. If you’re not comfortable pulling devices out of junked cars, you can order an ECU online at a site like. The cost will be a bit higher because you’re paying for someone else to get the part and ship it to you.
Be sure that the ECU you buy includes the wire bundles. NOTE One downside to buying an ECU online is that it may be difficult to acquire parts from the same car if you need multiple parts. For instance, you may need both the body control module (BCM) and the ECU because you want to include keys and the immobilizer is in the BCM.
In this case, if you mix and match from two different vehicles, the vehicle won’t “start” properly. Instead of harvesting or buying a used ECU, you could also use a prebuilt simulator, like the ECUsim 2000 by ScanTool (see ). A simulator like ECUsim will cost around $200 per protocol and will support only OBD/UDS communications. Simulators can generate faults and MIL lights, and they include fault knobs for changing common vehicle parameters, such as speed. Unless you’re building an application that uses only UDS packets, however, a simulator probably isn’t the way to go.
Figure 7-2: ECUsim OBD simulator Dissecting the ECU Wiring Once you have all of the parts, you’ll need to find the ECU’s wiring diagram to determine which wires you need to connect in order to get it to work. Visit a website such as ALLDATA ( ) or Mitchell 1 ( ) to get a complete wiring diagram.
You’ll find that off-the-shelf service manuals will sometimes have wiring diagrams, but they’re often incomplete and contain only common repair areas. Wiring diagrams aren’t always easy to read, mainly because some combine numerous small components (see ). Try to mentally break down each component to get a better idea of which wires to focus on.
Figure 7-3: Example of an ECU wiring diagram Pinouts You can get pinouts for the ECUs on several different vehicles from and from commercial resources like ALLDATA and Mitchell 1. Books like the Chilton auto repair manuals include block diagrams, but you’ll find that they typically cover only the most common repair components, not the entire ECU. Block Diagrams Block diagrams are often easier to read than wiring diagrams that show all components on the same sheet. Block diagrams usually show the wiring for only one component and offer a higher-level overview of the main components, whereas schematics show all the circuitry details. Some block diagrams also include a legend showing which connector block the diagram refers to and the connectors on that module; you’ll typically find these in the corner of the block diagram (see ). Table 7-1: Example Connector Legend CONN ID Pin count Color C1 68 WH C2 68 L-GY C3 68 M-GY C4 12 BK The legend should give the connector number, its number pin count, and the color.
For instance, the line C1 = 68 WH in means that the C1 connector has 68 pins and is white. L-GY probably means light gray, and so on. A connector number like C2-55 refers to connector 2, pin 55. The connectors usually have a number on the first and last pin in the row. Wiring Things Up Once you have information on the connector’s wiring, it’s time to wire it up. Wire the CAN to the proper ports on the connector, as discussed in “” on.
When you provide power—a power supply from an old PC should suffice—and add a CAN sniffer, you should see packets. You can use just a simple OBD-II scan tool that you can pick up at any automotive store. If you have everything wired correctly, the scan tool should be able to identify the vehicle, assuming that your test bench includes the main ECU.
NOTE A lot of components communicate with the ECU in a simple manner, either via set digital signals or through analog signals. Analog signals are easy to simulate with a potentiometer and you can often tie a 1 kilohm potentiometer to the engine temp and fuel lines to control them. Building a More Advanced Test Bench If you’re ready to take your car hacking research further, consider building a more advanced ECU test bench, like the one shown in.
This unit combines an ECU with a BCM because it also has the original keys to start the vehicle. Notice that the optional IC has two 1 kilohm potentiometers, or variable resistors, on the lower left side, both of which are tied to the engine temperature and fuel lines. We use these potentiometers to generate sensor signals, as discussed in the following section. This particular test bench also includes a small MCU that allows you to simulate sending crankshaft and camshaft signals to the ECU. Figure 7-4: More complex test bench A more complex unit like the one in makes it trivial to determine CAN traffic: just load a sniffer, adjust the knob, and watch for the packets to change. If you know which wires you’re targeting and the type of input they take, you can easily fake signals from most components. Simulating Sensor Signals As I mentioned, you can use the potentiometers in this setup to simulate various vehicle sensors, including the following: • Coolant temperature sensor • Fuel sensor • Oxygen sensors, which detect post-combustion oxygen in the exhaust • Throttle position, which is probably already a potentiometer in the actual vehicle • Pressure sensors If your goal is to generate more complex or digital signals, use a small microcontroller, such as an Arduino, or a Raspberry Pi.
For our test bench, we also want to control the RPMs and/or speedometer needle. In order to do this, we need a little background on how the ECU measures speed.
Hall Effect Sensors Hall effect sensors are often used to sense engine speed and crankshaft position (CKP) and to generate digital signals. In, the Hall effect sensor uses a shutter wheel, or a wheel with gaps in it, to measure the rotation speed. The gallium arsenate crystal changes its conductivity when exposed to a magnetic field. As the shutter wheel spins, the crystal detects the magnet and sends a pulse when not blocked by the wheel.
By measuring the frequency of pulses, you can derive the vehicle speed. Figure 7-6: Camshaft timing sprocket Using a scope on the signal wire shows that the Hall effect sensor produces a square wave.
Typically, there are three wires on the camshaft sensor: power, ground, and sensor. Power is usually 12V, but the signal wire typically operates at 5V back to the ECM. Camshaft sensors also come as optical sensors, which work in a similar fashion except an LED is on one side and a photocell is on the other. You can gauge full rotation timing with a missing tooth called a trigger wheel or with a timing mark. It’s important to know when the camshaft has made a full rotation.
An inductive camshaft sensor produces a sine wave and will often have a missing tooth to detect full rotation. Shows the camshaft sensor repeating approximately every 2 milliseconds. The jump or a gap you see in the wave at around the 40-millisecond mark occurs when the missing tooth is reached.
The location of that gap marks the point at which the camshaft has completed a full rotation. In order to fake these camshaft signals into the ECU test bench, you’d need to write a small sketch for your microcontroller. When writing microcontroller code to mimic these sensors, it’s important to know what type of sensor your vehicle uses so that you’ll know whether to use a digital or analog output when faking the teeth.
Figure 7-7: Camshaft sensor signals under a scope Simulating Vehicle Speed Now, we’ll build a test bench to simulate vehicle speed. We’ll use this test bench together with the IC shown in to pull a vehicle’s VIN via the OBD-II connector. This will give us the exact year, make, model, and engine type of the vehicle. (We looked at how to do this manually in “” on.) shows the results. Table 7-2: Vehicle Information VIN Model Year Make Body Engine 1G1ZT49 Malibu 2006 Chevrolet Sedan 4Door 3.5L V6 OHV 12V Once we know a vehicle’s year of manufacture and engine type, we can fetch the wiring diagram to determine which of the ECU wires control the engine speed (see ). Then, we can send simulated speed data to the ECU in order to measure effects.
Using wiring diagrams to simulate real engine behavior can make it easy to identify target signals on the CAN bus. You can simplify this method to taking 0xB89, which is 2953 in decimal form. When you divide this by 4, you get 738.25 RPMs. When this screenshot was taken, the needle was idling a bit below the 1 on the RPM gauge, so that’s probably the same algorithm. (Sometimes you’ll find that the values in the true CAN packets don’t always match the algorithms used by off-the-shelf diagnostic tools using the UDS service, but it’s nice when they do.) To verify that arbitration ID 0x110 with bytes 2 and 3 controls the RPM, we’ll send our own custom packet. By flooding the bus with a loop that sends the following, we’ll peg the needle at max RPMs. $ cansend slcan0 110#00ffff While this method works and, once connected, takes only a few seconds to identify the CAN packet responsible for RPMs, there are still some visible issues.
Every so often a CAN signal shows up that resets the values to 00 00 and stops the speedometer from moving. So while the ECM is fairly certain the crankshaft is spinning, it’s detecting a problem and attempting to reset. You can use the ISO-TP tools discussed in to pull data. In two different terminals, we can check whether there was a diagnostic code. (You can also use a scan tool.) In one terminal, enter the following: $ isotpsniffer -s 7df -d 7e8 slcan0 And in another terminal, send this command: $ echo '03' isotpsend -s 7DF -d 7E8 slcan0 You should see this output in the first terminal: slcan0 7DF  03 - '.' Slcan0 7E8  43 02 00 68 C1 07 - 'C.h.'
Looks like we have a DTC set. Querying PID 0x03 returned a 4-byte DTC (0x0068C107). The first two bytes make up the standard DTC (0x00 0x68). This converts to P0068, which the Chilton manual refers to as “throttle body airflow performance.” A quick Google search will let you know that this is just a generic error code that results from a discrepancy between what the PCM thinks is going on and what data it’s getting from the intake manifold. If we wanted to spoof that data as well, we’d need to spoof three additional sensors: the MAF sensor, the throttle position, and the manifold air pressure (MAP). Fixing these may not actually fix our problem, though.
The PCM may continue to think the vehicle is running smoothly, but unless you really care about fudging all the data, you may be able to find other ways to trick the signals you want out of the PCM without having to be immune to triggering DTC faults. If you don’t want to use an Arduino to send signals, you can also buy a signal generator. A professional one will cost at least $150, but you can also get one from SparkFun for around $50 ( ). Another great alternative is the JimStim for Megasquirt. This can be purchased as a kit or fully assembled for $90 from DIYAutoTune ( ).
Summary In this chapter you learned how to build an ECU test bench as an affordable solution to safe vehicle security testing. We went over where you can get parts for building a test bench and how to read wiring diagrams so you know how to hook those parts up. You also learned how to build a more advanced test bench that can simulate engine signals, in order to trick components into thinking the vehicle is present. Building a test bench can be a time-consuming process during your initial research, but it will pay off in the end. Not only is it safer to do your testing on a test bench, but these units are also great for training and can be transported to where you need them.
The ECU is a common target of reverse engineering, sometimes referred to as chip tuning. As mentioned in, the most popular ECU hack is modifying the fuel map to alter the balance of fuel efficiency and performance in order to give you a higher-performance vehicle. There’s a large community involved with these types of modifications, and we’ll go into more detail on firmware modifications like this in. This chapter will focus on generic embedded-system methods of attack as well as side-channel attacks.
These methodologies can be applied to any embedded system, not just to the ECU, and they may even be used to modify a vehicle with the help of aftermarket tools. Here, we’ll focus on debugging interfaces for hardware as well as performing side-channel analysis attacks and glitching attacks. NOTE To get the most out of this chapter, you should have a good understanding of basic electronics, but I’ve done my best to explain things within reason. Analyzing Circuit Boards The first step in attacking the ECU or any embedded system in a vehicle is to analyze the target circuit board. I touched upon circuit board analysis in, but in this chapter, I’ll go into more detail about how electronics and chips work. I’ll introduce you to techniques that can be applied to any embedded system in the vehicle.
Identifying Model Numbers When reversing a circuit board, first look at the model numbers of the microcontroller chips on the board. These model numbers can help you track down valuable information that can be key to your analysis. Most of the chips you’ll find on vehicle circuit boards are generic—companies rarely make custom ones—so an Internet search of a chip’s model number can provide you with the complete data sheet for that chip.
As mentioned in, you’ll sometimes run into custom ASIC processors with custom opcodes, especially in older systems, which will be harder to reprogram. When you encounter older chips like these, remove them from the board and plug them in to an EPROM programmer in order to read their firmware. You should be able to reprogram modern systems directly via debugging software, like JTAG. Once you locate a data sheet, try to identify the microcontrollers and memory locations on each chip to determine how things are wired together and where to find diagnostic pins—a potential way in. Dissecting and Identifying a Chip If you can’t find a model number, sometimes all you’ll have to go on is the chip’s logo (after a while, you’ll find that you start to recognize chip logos) and a few of its product codes.
The logo shown in is for STMicroelectronics. At the top of the chip is the model number—in this case, STM32F407—which may be hard to read because it’s engraved. Often, a light-up magnifier or a cheap USB microscope can prove very handy in reading these markings. Go to to find the data sheet for the STM32F series chips, specifically the 407 variety.
Much like VIN numbers, model numbers are often broken down into sections representing model number and different variations. There’s no standard for how to break down these numbers, however, and every manufacturer will represent their data differently. Figure 8-1: STM32 chipset identification Below the chip’s model number is the code—in this case, VGT6—which tells you the specific features, such as USB support, available on the chip.
If you look up the model number in conjunction with the ST code, you’ll learn that the STM32F407Vx series is an ARM Cortext M4 chip with support for Ethernet, USB, two CANs, and LIN as well as JTAG and Serial Wire Debug. To determine the function of the various pins, scan the data sheet to find the package pinout diagrams, and look for the package that matches yours for pin count. For example, as you can see in, each side of the chip has 25 pins for a total of 100, which matches the LQFP100 pinout in the data sheet shown in. Each chip will usually have a dot or dimple at pin 1 (see ), and once you identify pin 1, you can follow the pinout to determine each pin’s function.
Sometimes you’ll find two dimples, but one should be slightly more pronounced. Sometimes pin 1 on a chip is indicated by a cut-off corner.
If you find nothing on a chip that allows you to identify pin 1, look for things you can identify. For example, if another chip on the board is a common CAN transceiver, you could use a multitool to trace the lines to figure out which pins it connects to. You could then reference the data sheet to see which side of the chip contains these CAN pins. To do this, put your multimeter in continuity mode. Once in continuity mode, it will beep if you touch both pins to the same trace, indicating that they’re connected. Once you’re able to identify just one pin, you can use that information together with the pinout to deduce the pin layout.
Figure 8-2: STM32F4 data sheet pinout Debugging Hardware with JTAG and Serial Wire Debug You can use a variety of debugging protocols to debug chips just as you do software. To determine which protocol your target chip supports, you’ll need to use the chip’s data sheet. You should be able to use a chip’s debugging port to intercept its processing and download and upload modifications to the chip’s firmware. JTAG JTAG is a protocol that allows for chip-level debugging and downloading and uploading firmware to a chip. You can locate the JTAG connections on a chip using its data sheet.
JTAGulator You’ll often find pads on a chip’s circuit board that are broken out from the chip itself and that may give you access to the JTAG pins. To test the exposed pads for JTAG connections, use a tool like JTAGulator, shown in. Plug all of the chip’s exposed pins in to the JTAGulator, and set the voltage to match the chip. JTAGulator should then find any JTAG pins and even walk the JTAG chain—a method of linking chips over JTAG—to see whether any other chips are attached.
Figure 8-3: JTAGulator with a Bus Pirate cable JTAGulator supports either screw terminals or the use of a Bus Pirate cable (as in ) for probing. Both the JTAGulator and the Bus Pirate cable use a serial interface to configure and interact with a chip. Debugging with JTAG You can debug a chip with JTAG using just two wires, but it’s more common to use four or five pin connections. Of course, finding the JTAG connection is only the first step; usually, you’ll need to overcome additional protections that prevent you from just downloading the chip’s firmware in order to do anything interesting. Developers will disable JTAG firmware via either software or hardware. When disabling JTAG in software, the programmer sets the JTD bit, which is usually enabled twice via software during runtime. If the bit it isn’t called twice within a short time, it’s not set.
It’s possible to defeat a software protection like this by using a clock or power-glitching attack to skip at least one of these instructions. (We’ll discuss glitching attacks later in “” on.) The other way to disable JTAG on a chip is to attempt to permanently disable programming by setting the JTAG fuse—OCDEN and JTAGEN—and thereby disabling both registers. This is harder to bypass with glitch attacks, though voltage glitching or the more invasive optical glitches may succeed. (Optical glitches entail decapping the chip and using a microscope and a laser, so they’re very costly. We won’t be covering them in this book.) Serial Wire Debug Although JTAG is the most commonly used hardware debugging protocol, some microcontrollers—such as the STM32F4 series, which is commonly used in automotive applications because it has onboard CAN support—primarily use Serial Wire Debug (SWD).
While the ST32F4 series of ICs can support JTAG, they’re often wired to support only SWD because SWD requires only two pins instead of the five used for JTAG. SWD also allows overlapping of the JTAG pins, so these chips may support both JTAG and SWD by using the pins labeled TCK and TMS. (These pins are labeled SWCLK and SWIO in the data sheet.) When debugging ST chips, you can use a tool like ST-Link to connect, debug, and reflash the processor.
ST-Link is cheap (about $20) compared to some of its JTAG counterparts. You can also use a STM32 Discovery board.
The STM32F4DISCOVERY Kit The STM32F4DISCOVERY kit (sold by STM) is another tool you can use to debug and program these chips. These are actually developer boards with their own programmer. They cost about $15 and should be in your car hacking tool set.
The benefit of using the Discovery kit is that it’s both a cheap programmer and a development board that you can use to to test modifications to the chip’s firmware. In order to use the Discovery kit as a generic programmer, remove the jumpers from the pins labeled ST-Link, and then connect the six pins on the opposite side labeled SWD (see ). Pin 1 starts next to the white dot on the SWD connector.
Shows the pinout. Table 8-1: Pinout for the STM32F4DISCOVERY kit STM32 chip STM32F4DISCOVERY kit VDD_TARGET Pin 1 SWLCK Pin 2 GND Pin 3 SWDIO Pin 4 nRESET Pin 5 SWO Pin 6. Figure 8-4: Programming a STM32 chip via the STM32F4DISCOVERY kit You’ll most likely need to provide power to the target device, but instead of using pin 1 on the SWD connector, use the 3V pin from the Discovery portion of the board, as shown in. (Notice in the pinout that the Discovery kit doesn’t use all six pins for SWD; pins nRESET and SWO are optional.) Once you’re connected, you’ll most likely want to read and write to the firmware. If you’re running Linux, you can get the ST-Link from GitHub. Once you have those utilities installed, you’ll not only be able to read and write to the chip’s flash memory, but you can also start a gdbserver to work as a real-time debugger. The Advanced User Debugger Renesas is a popular automotive chipset used in ECUs (see ).
It has its own implementation over JTAG called the Advanced User Debugger (AUD). AUD provides the same functionality as JTAG but with its own proprietary interface. As with SWD, AUD requires an interface specific to it in order to communicate with Renesas chipsets. Figure 8-5: 2005 Acura TL ECU with Renesas SH MCU and AUD port Nexus Nexus from Freescale/Power Architecture (now NXP) is another proprietary JTAG interface. Like AUD and SWD, this in-circuit debugger requires its own device in order to interface with it. When dealing with Freescale chips, such as the MCP5xxx series, keep in mind that the debugger may be Nexus.
The Nexus interface uses a dedicated set of pins that should be defined in the chipset’s data sheet. Look for the EVTI/O pins in the auxiliary port section of the data sheet.
Side-Channel Analysis with the ChipWhisperer Side-channel analysis is another hardware attack used to bypass ECU and other microcontroller protections and to crack built-in cryptography. This type of attack takes advantage of various characteristics of embedded electronic systems instead of directly targeting specific hardware or software. Side-channel attacks take many forms, and some can cost anywhere from $30,000 to $100,000 to perform because they require specialized equipment like electron microscopes.
Expensive side-channel attacks like these are often invasive, meaning they’ll permanently alter the target. We’ll focus on simpler and cheaper side-channel attacks with the help of the ChipWhisperer, a noninvasive tool from NewAE Technologies ( ). The ChipWhisperer is an open source side-channel analysis tool and framework that costs just over $1,000—considerably less than its non–open source counterparts, which typically start around $30,000. NOTE It’s possible to accomplish the attacks I’ll discuss at less of a cost by building a specialized device, but the ChipWhisperer is the cheapest tool that covers all the main bases. Also, ChipWhisperer tutorials target open source designs, which makes them ideal for this book, since we can’t use examples from specific manufacturers due to copyright. I’ll integrate the NewAE tutorials throughout this chapter when demonstrating each attack.
The ChipWhisperer has an optional package that includes a target development board called the MultiTarget Victim Board (see ). This board is mainly used for demonstration and training, and we’ll use it as the target of our demos as well. Figure 8-8: Wiring up the MultiTarget Victim Board Finally, attach the SMA cable from the VOUT on the target board to the LNA connector in CH-A on the front of the ChipWhisperer.
Shows the pinout. We’ll use this setup for our demos unless otherwise specified. Table 8-2: Pinout for the MultiTarget Victim Board Victim Board ChipWhisperer Component 20-pin connector Back of the ChipWhisperer 20-pin ribbon cable VOUT LNA on CH-A SMA cable Computer Side of the ChipWhisperer Mini USB cable Brute-Forcing Secure Boot Loaders in Power-Analysis Attacks Now you have your Victim Board set up, we’ll look at using a power-analysis attack to brute-force a password. Power-analysis attacks involve looking at the power consumption of different chipsets to identify unique power signatures. By monitoring the power consumption for each instruction, it’s possible to determine the type of instruction being executed. For instance, a no-operation (NOP) instruction will use less power than a multiply (MUL) instruction. These differences can reveal how a system is configured or even whether a password is correct because a correct password character may use more power than an incorrect one.
In the following example, we’ll explore TinySafeBoot ( ), a small, open source bootloader designed for AVR systems. The bootloader requires a password in order to make modifications. We’ll use the ChipWhisperer to exploit a vulnerability in its password-checking method and derive the password from the chip.
This vulnerability has been fixed in newer versions of TinySafeBoot, but for practice, the old version is included in the victims folder of the ChipWhisperer framework. This tutorial is based on NewAE’s “Timing Analysis with Power for Attacking TSB” ( ). Prepping Your Test with AVRDUDESS To begin, open AVRDUDESS and select AVR ISP mkII from the Programmer drop-down menu. Make sure you have ATmega328P selected in the MCU field, and then click Detect to verify that you’re connected to the ATmega328p (see ). Select the flash file hardware/victims/firmware/ tinysafeboot-20140331 in the Flash field.
Figure 8-9: Programming TinySafeBoot in AVRDUDESS Click Program! And AVRDUDESS should write the TinySafeBoot program to the ATmega. Setting Up the ChipWhisperer for Serial Communications Now we’re ready for testing!
We’ll use the ChipWhisperer to set and monitor the power usage when the bootloader checks for the password. Then, we’ll use this information to build a tool to crack the password much faster than a traditional brute-force method would.
To begin, set up the ChipWhisperer to communicate with the bootloader over the bootloader’s serial interface, like this: $ cd software/chipwhisperer/capture $ python ChipWhispererCapture.py The ChipWhisperer has lots of options, so we’ll go step by step through each setting you’ll need to change. • In ChipWhispererCapture, go to the General Settings tab and set the Scope Module to ChipWhisperer/OpenADC and the Target Module to Simple Serial, as shown in. Figure 8-11: Setting Connection and Baud • Switch to the Target Settings tab (at the bottom of the window), and change the Connection setting to ChipWhisperer. Then under Serial Port Settings, set both TX Baud and RX Baud to 9600, as shown in. • At the top of the screen, click the red circle next to Scope with DIS in it. The circle should become green and display CON.
• The ChipWhisperer comes with a simple serial terminal interface. Choose Tools ▸ Open Terminal to open it. You should see a terminal like the one shown in. Figure 8-12: ChipWhisperer serial terminal • Set TX on Enter at the bottom of the terminal to None, and check the box that says RX: Show non-ASCII as hex (see ). Now click Connect to enable your text areas. • Enter @@@ (TinySafeBoot’s start-up password) in the text field to the left of the Send button, and click Send.
The bootloader should start with TSB and mainly contain information about the firmware version and AVR settings. TSB is just an identifier used by TinySafeBoot, most likely its initials. The output should match that in. Setting a Custom Password Now we need to set a custom password so that we can monitor the power levels when a password is entered. First, close the serial terminal. Then enter the following lines in the Python console window, which is at the bottom center of the ChipWhisperer main window.
>>>self.target.driver.ser.write('@@@') >>>self.target.driver.ser.read(255) We use the serial command self.target.driver.ser.write('@@@') to send the current password for the bootloader. Next, we enter the serial command self.target.driver.ser.read(255) to read up to the next 255 bytes from the bootloader to see its response to our sending the password (see ). Figure 8-13: Sending @@@ via ChipWhisperer’s Python console For convenience, first assign the read and write commands to their own variables so you don’t have to enter such a long command (the following examples assume you’ve completed this step): >>>read = self.target.driver.ser.read >>>write = self.target.driver.ser.write The password is stored in the last page of the device’s flash memory. We’ll grab that page, remove the confirmation! Character from the response, and write a new password— og—to the firmware. NOTE You’ll find a more detailed explanation of this procedure in the NewAE tutorials () or Python manuals. Return to the Python console, and enter.
>>>write('c') >>>lastpage = read(255) >>>lastpage = lastpage[:-1] >>>lastpage = bytearray(lastpage, 'latin-1') >>>lastpage = ord('o') >>>lastpage = ord('g') >>>lastpage = 255 >>>write('C') >>>write('!' ) >>>write(lastpage.decode('latin-1')) Listing 8-1: Modifying the last page of memory to set the password to og If the login times out, resend @@@ like so: >>>write('@@@') Once you’ve written the new characters to memory, verify that og is the new password with write('og'), followed by a read(255) in the Python console. Notice in that we first try sending @@@ but that we don’t get a TinySafeBoot response until we send the og password.