Car Hacking: The ultimate guide! - Part II

This is the second part of the series "Car Hacking: The Ultimate Guide!". In part I, we discussed what the CAN bus is, enough background to get started with CAN traffic, and how to build a virtual system for car hacking using ICSim.


In this part, we will dive deeper by sniffing the car's data on the CAN bus.

What does a CAN message look like?


This is exactly what CAN messages look like when they are recorded. Breaking the line into columns: the first is the interface, the second is the arbitration ID, the third is the size of the CAN message, which cannot be larger than 8 bytes (if you look at the CAN frame layout, you will understand why it cannot exceed 8), and the fourth is the CAN data itself.

The meaning of the CAN message


In this example, we will look at an 8-byte frame. The message is sent with ID 0x111. Once the instrument cluster sees this message, it first checks whether the message is intended for the instrument cluster at all. If so, it reads the value in the message, 0x0BB8, which is 3000 in decimal. The instrument cluster then moves the tachometer needle to 3000.
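As an added example (not code from the original post), here is a small parser for the candump console format described above, interface, arbitration ID, DLC in brackets and up to 8 data bytes, that rejects frames with an invalid DLC and decodes the first two bytes big-endian, giving 3000 for the 0B B8 tachometer payload. The sample line is constructed.

```python
# Added example, not from the original post: parse one line of candump
# console output and decode the value the instrument cluster would read.
from dataclasses import dataclass

MAX_DLC = 8  # classic CAN carries at most 8 data bytes per frame


@dataclass
class CanFrame:
    interface: str
    arb_id: int    # arbitration ID (11-bit standard ID in this post)
    data: bytes    # payload, len(data) == DLC


def parse_candump_line(line: str) -> CanFrame:
    """Parse 'vcan0  111   [8]  0B B8 00 ...' into a CanFrame.

    Raises ValueError when the line is malformed, the DLC exceeds 8, or
    the DLC does not match the number of data bytes actually present.
    """
    parts = line.split()
    if len(parts) < 3 or not (parts[2].startswith("[") and parts[2].endswith("]")):
        raise ValueError(f"not a candump line: {line!r}")
    interface = parts[0]
    arb_id = int(parts[1], 16)
    dlc = int(parts[2][1:-1])
    if dlc > MAX_DLC:
        raise ValueError(f"DLC {dlc} exceeds {MAX_DLC}")
    data = bytes(int(b, 16) for b in parts[3:])
    if len(data) != dlc:
        raise ValueError(f"DLC {dlc} but {len(data)} data bytes present")
    return CanFrame(interface, arb_id, data)


def decode_u16_be(frame: CanFrame, offset: int = 0) -> int:
    """Read a 16-bit big-endian value from the payload (0B B8 -> 3000)."""
    return int.from_bytes(frame.data[offset:offset + 2], "big")


# Constructed sample line, in the layout candump prints on a terminal.
SAMPLE = "vcan0  111   [8]  0B B8 00 00 00 00 00 00"

if __name__ == "__main__":
    f = parse_candump_line(SAMPLE)
    print(f"ID 0x{f.arb_id:03X} on {f.interface} -> {decode_u16_be(f)}")
```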


Once we understand the CAN message, we can go further and inject modified frames into the CAN bus via OBD-II to tamper with the speedometer or anything else we want.

Before we get to ICSim, let's see how the other utilities work. To do this, we first need to set up the virtual interface.

Setting up the virtual CAN interface

sudo modprobe can

This loads the kernel module for CAN. We also need to load the kernel module for the virtual CAN interface.

sudo modprobe vcan

If you want to verify that the required kernel modules are loaded, you can use the following command.

lsmod | grep can

This shows whether the can and vcan modules are loaded or not.


Let us now configure the virtual interface.

sudo ip link add dev vcan0 type vcan
sudo ip link set up vcan0

You can verify if the virtual CAN interface is configured with the following command

ifconfig vcan0


Once the virtual CAN interface is configured, you are ready to send and receive CAN frames on it. Let's now use one of the helpers provided by can-utils, cangen, to generate virtual CAN frames.

cangen


cangen generates random CAN frames for testing purposes. To use cangen, you must specify the interface on which the CAN frames will be generated.

cangen vcan0

vcan0 is the virtual CAN interface we created earlier.

Now that CAN frames are being generated, you need a way to see them. There are many utilities for this, one of which is Wireshark. Start Wireshark while cangen is running.


Wireshark lists all the interfaces on your system; vcan0 is the one where your CAN frames are being generated.
Once you click on the interface you want to watch, this is what the CAN frames look like.


You can also see more detailed information about each CAN frame.


There are also other utilities in can-utils, such as cansniffer and candump, that do pretty much the same things Wireshark does. Use whichever tool you feel most comfortable with.

candump


To dump or record frames using candump, you can use the command

candump vcan0

Below we see what it shows us.


In the terminal at the bottom, CAN frames are being generated, while the terminal at the top runs candump. Parsing the columns again: the first thing you see is the CAN interface, the second is the ID, the third is the size of the CAN message and the fourth is the message itself.

candump can also record the frames for you. If you want to perform a replay attack, you can first record the frames and then use a utility like canplayer to replay them. Recording of CAN frames is enabled with the -l flag.

candump -l vcan0


When you capture CAN frames this way, a log file is created with the prefix candump- followed by the date and time it was created.

If you want to see the contents of the file, you can always use the cat command on Linux.


The data we recorded using candump can be replayed using a utility such as canplayer.

canplayer


As the name implies, canplayer replays CAN frames. This is useful when you need to perform a replay attack: first you record the CAN frames with candump, then you replay them with canplayer.

Imagine a scenario where you want to spoof the tachometer but have no idea which ID the tachometer reading uses or what is in the CAN message. Ideally, you should first dump and capture the frames using candump with the -l flag and then use canplayer to replay the captured frames.

canplayer requires the -I option for the input file.

canplayer -I canfile.log

canplayer has several other really useful options; you can learn about them with man canplayer.

cansniffer


Use cansniffer to watch how CAN traffic changes. This is very useful for spotting a change in a specific byte. cansniffer has a -c option that highlights byte changes in color: it compares the previous value of each byte with the current one, and if they differ, the byte's color changes. This is very useful when you want to know whether something changed on the bus after you performed some action on the car.

cansniffer -c vcan0


I find the cansniffer very useful because it also allows ID filtering. So if you want to see the frames only from a specific ID, say 0x011, you can do that.

To do this, as soon as you start sniffing, press - and then 000000 followed by Enter. This clears all the IDs first. Now you can add IDs by pressing + followed by the ID you want to display and then Enter. This way you can filter the frames of individual IDs.
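As an added example (not code from the post or from can-utils), the following reproduces the two behaviours just described: like cansniffer -c, it keeps the last payload seen per arbitration ID and reports which byte offsets changed, and an optional ID filter plays the role of the "-000000" then "+<id>" workflow. The traffic is constructed; the IDs 0x111 and 0x40C are the ones used in this post.

```python
# Added example, not from the original post: a minimal cansniffer -c style
# change detector with per-ID filtering, run over constructed traffic.
from typing import Dict, Iterable, List, Optional, Set, Tuple

Frame = Tuple[int, bytes]  # (arbitration ID, payload)


def changed_bytes(prev: bytes, cur: bytes) -> List[int]:
    """Byte offsets where cur differs from prev (a length change counts)."""
    n = max(len(prev), len(cur))
    p = prev.ljust(n, b"\x00")
    c = cur.ljust(n, b"\x00")
    return [i for i in range(n) if p[i] != c[i]]


def sniff_changes(frames: Iterable[Frame],
                  id_filter: Optional[Set[int]] = None) -> List[Tuple[int, List[int]]]:
    """Return (ID, changed offsets) for each frame whose payload changed.

    The first frame seen for an ID reports every offset, like the first
    line cansniffer prints for that ID. When id_filter is given, frames
    with other IDs are dropped, mirroring the +<id> filter.
    """
    last: Dict[int, bytes] = {}
    report: List[Tuple[int, List[int]]] = []
    for arb_id, data in frames:
        if id_filter is not None and arb_id not in id_filter:
            continue
        if arb_id not in last:
            report.append((arb_id, list(range(len(data)))))
        else:
            diff = changed_bytes(last[arb_id], data)
            if diff:
                report.append((arb_id, diff))
        last[arb_id] = data
    return report


# Constructed traffic: ID 0x40C carries a changing value in bytes 0..1 and
# later flips byte 7, while ID 0x111 repeats the same payload (no change).
SAMPLE_FRAMES: List[Frame] = [
    (0x111, bytes.fromhex("0bb8000000000000")),
    (0x40C, bytes.fromhex("0bb8000000000000")),
    (0x111, bytes.fromhex("0bb8000000000000")),
    (0x40C, bytes.fromhex("0c1c000000000000")),
    (0x40C, bytes.fromhex("0c1c000000000001")),
]

if __name__ == "__main__":
    for arb_id, offsets in sniff_changes(SAMPLE_FRAMES, id_filter={0x40C}):
        print(f"{arb_id:03X} changed bytes {offsets}")
```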

cansend


Cansend is used to send CAN frames to a specific CAN interface.

cansend interface frame

We will use all these utilities with ICSim.

Start ICSim

Follow the first article in this series to learn how to install ICSim.
Let's start ICSim and sniff the CAN frames.

./icsim vcan0
./controls vcan0


If you have followed each of the steps discussed in the previous post, you should see both ICSim windows. You may also notice that the speedometer needle moves back and forth, which is expected because of the noise ICSim generates.

Sniffing the CAN frames generated by ICSim

We will use cansniffer, a utility provided by can-utils, to capture the frames. Open a new terminal and start cansniffer with the following command

cansniffer -c vcan0

The -c option is used to highlight changes in the frame bytes.


You can see the CAN frames changing very fast; it is difficult to keep up with the pace at which communication takes place. In a real car, this communication would be just as quick. To keep up, you can use ID filtering. If you want to see only the frames from ID 40C, press - and then 000000 followed by the Enter key. This removes all IDs from cansniffer; you can then press + followed by the ID you want to filter on and press the Enter key.


Here I have filtered on ID 40C using the steps above. Try pressing the up arrow key to increase the throttle and observe how fast the CAN frames change. The change is again indicated by the coloring. Play with it and see how things work under the hood.

Replay Attack

Understanding this huge volume of frames is quite difficult. Finding the ID you need to inject frames into is practically impossible from this much data.

So you need to capture the frames while performing some actions, such as turning on the turn signals or pressing the accelerator, then split the capture, replay each part and see whether the action is reproduced.

To run a replay attack against ICSim, you must have ICSim running and be able to see the frames with cansniffer. We now use candump with the -l option

candump -l vcan0

Now we stop candump and see that a candump-XXXXX.log file has been created.

Replaying the CAN frames

To replay these frames we use canplayer. Since we are feeding canplayer a file as input, we need the -I option.

canplayer -I candump-2019XXXXXX.log

You can see that the replay attack has worked: the turn signals and the speedometer behave just as they did when we operated them earlier.

Packet analysis

In a real car, the CAN bus can be much more complex and the CAN frames can arrive much faster, so identifying the ID could be quite difficult. To identify the ID more easily, you can follow the steps below.


Splitting the CAN frames and running the replay attack

If you want to split the CAN frames in half and run the replay attack on each half, the best way is to capture the CAN frames with candump, use the wc utility to count the number of CAN frames, and then use split to divide the file into two equal parts.


Now you can use canplayer to replay each half independently.

This brings us to the end of this guide. We have shown that, once we have access to a vehicle's CAN bus, we can carry out exploitation and perform actions such as increasing the throttle, turning on the turn signals and opening the doors. So with some software and low-cost components, we were able to get full access to a vehicle.

Happy (car) hacking!!!

iGuRu.gr The Best Technology Site in Greece


Written by Anastasis Vasileiadis
