In the previous two parts we saw how to install the car simulation on our machine and the necessary programs that we should use along with the necessary equipment that we will need. In today's article we will present the exploitation process in detail.
We will now look at what SavvyCAN is and use it with ICSIM. After that, we will look at how to perform fuzzing and scripting with SavvyCAN.
SavvyCAN
There are various softwares that will help you to monitor and filter the CAN communication.
There are expensive and proprietary tools as well as free open source tools.
The purpose of this article is to help you get started with car hacking at no cost. So expensive tools are not on our list.
I have already written in detail about the cheap and free alternative to these expensive CAN communication tools. Tools like can-utils, Wireshark work just fine.
But SavvyCAN provides much more. For beginners, it offers a nice GUI, which helps you easily navigate, filter packages, IDs, etc. For those who are already into car hacking, SavvyCAN offers truly great features. My personal favorite features include the ability to run scripts in CAN framework,
Let's look at the definition of SavvyCAN from their website.
"SavvyCAN is a C ++ program based on multiple QT platforms. It is a tool for reverse engineering and CAN channel capture. It was originally written to use EVTV material such as EVTVDue and CANDue. It has since been expanded to use any socketCAN compatible device as well as Macchina M2 and Teensy 3.x boards. It can capture and send to multiple bus and CAN cameras simultaneously. ”
You can find more information here: https://www.savvycan.com/
I find it very easy to use SavvyCAN despite can-utils . Again, let's not start the debate between which tool is best and which is not, as long as it serves your purpose.
SavvyCAN installation
Installing SavvyCAN is a really easy and simple process. You can download prefabricated binaries for Linux, Mac and Windows from address https://www.savvycan.com
Install and run on Ubuntu
wget https://github.com/collin80/SavvyCAN/releases/download/V199.1/SavvyCAN-305dafd-x86_64.AppImage
No installation required as you download the appimage, make it executable and run it!
chmod 744 SavvyCAN-305dafd-x86_64.AppImage
# and
./SavvyCAN-305dafd-x86_64.AppImage
You can run SavvyCAN
You can play with the SavvyCAN interface for a while. If you want to use SavvyCAN with Macchina M2 or any other compatible hardware, you do not need any additional installation.
We plan to use SavvyCAN with ICSim, so we need to install it qtserialbus .
Once you open the SavvyCAN window, navigate to Connection -> Open Connection Window -> Add New Connection, and you will see that qtserialbus is off.
Let's start with its installation qtserialbus so we can use it with ICSim.
Installing qt5
$ wget https://download.qt.io/official_releases/qt/5.14/5.14.4/qt-opensource-linux-x64-5.14.2.run
After downloading qt5, you need to install / run it
$ chmod a + x ./qt-opensource-linux-x64-5.14.2.run
$ sudo ./qt-opensource-linux-x64-5.14.2.run
Make a note of the route name, you will need it later.
Once qt5 is installed, you need to install qtserialbus, as it is not included in the official Ubuntu repository. So we have to do it ourselves.
Install qtserialbus
$ sudo apt install qtdeclarative5-dev qttools5-dev g ++
$ git clone https://github.com/qt/qtserialbus
$ cd qtserialbus
$ /home/y0g3sh/Qt5.14.2/5.14.2/gcc_64/bin/qmake .
$ make
$ sudo make install
Build SavvyCAN
For the use of qtserialbus, its SavvyCAN App Image, the file you downloaded earlier will not work. SavvyCAN must be built with qmake.
$ git clone https://github.com/collin80/SavvyCAN $ cd SavvyCAN $ /home/y0g3sh/Qt5.14.2/5.14.2/gcc_64/bin/qmake CONFIG + = debug $ make
It will take some time to install.
Once everything is installed, start the ICSim simulator, start everything except the can-utils. Instead of using can-utils to record CAN communication, we will use SocketCAN.
Start SavvyCAN
Start the SavvyCAN we just created and not the appimage we downloaded earlier.
Remember, if you want to run it on a real car and not use it with qtserialbus, you can continue to use the appimage and not have to go through all the hassle of building SavvyCAN.
$ cd SavvyCAN $ ./SavvyCAN
You can now open the login window and you will notice that QT SerialBus is enabled.
Add vcan0 to SocketCAN
To make a new connection to SavvyCAN,
- Open SavvyCAN
- Transition on menu LOG IN -> Open a login window -> Add a new device connection
- Select the connection with the following setting
Connection type as QT SerialBus Devices
SerialBus Device type as socketcan
Port as vcan0
Then create a new connection.
Once the connection is complete, you can see the CAN frameworks appear in the SavvyCAN window, which is a good sign that everything is working fine and well.
To better understand SavvyCAN, let's do the same things we did earlier using can-utils, but this time with SavvyCAN.
SavvyCAN provides a nice, intuitive interface to filter ID frames. You can remove the selection of IDs you do not need from the right pane. This way you can quickly identify the associated ID.
Another very nice feature is the "Replacement Mode". If this option is enabled, the frames will be replaced in the same order.
Replay Attack
Performing a Replay Attack using SavvyCAN is much easier. You can open the playback options in the Send Frames menu. You can either upload data from a file or upload it directly from the recorded data. You can also choose which ID to repeat from the ID filter menu.
Determination of arbitration ID
Many ask me this question, about how to identify which ID does what in a car. Finding arbitration IDs can sometimes be very difficult.
SavvyCAN provides many RE tools. One of the ones I use most often is "Sniffer". This allows me to "fade" inactive bytes and quickly identify IDs.
For example, let's look at the tachometer ID. To identify the tachometer ID, I will open Sniffer and deactivate the inactive bytes.
The way I identify them is, let's say there are 20 IDs available. I turn off at least a third of them - I run the power in the car / ICSim - I notice the change in frames. I do this until I am left with a single ID.
Let's look at Sniffer, one of SavvyCAN RE tools in action.
Here I did not find any changes in the bytes that correspond to my action. So I will move on to other IDs.
It seems that 0x244 is what we are looking for. You can notice the pattern in the change bytes when the accelerator is pressed. As the speed increases, the tachometer shows the change in the 3rd and 4th bytes (counting from Zeroth Byte)
You can do this for all actions available in ICSim.
Send custom frames
SavvyCAN also has another feature that you can modify packages on the go when sending custom frames. To do this, you must open the Frame Sender from the Send Frames menu.
Let's "fool" the tachometer. From the example above, when we cleaned the packages, we noticed how the tachometer works.
The 3rd and 4th Bytes increase with increasing throttle. So what we will do is send the custom frame, modify the bytes on the go to observe the change in the tachometer.
The data column will consist of hexadecimal values, the ID must be 0x123, the trigger must be the value in ms, the delay between each frame and the modification must consist of a modification in bytes.
Example what I would like to do is, I want to send to Bus 0, ID 0x244 (tachometer), data as 0x00 0x00 0x00 0x00 0x00 and increase the 3rd byte by 2 each time, so in the modification, you can write d3 = d3 +2. When done, make sure that the Enable check box is selected.
Somewhere here ended the series of Car Hacking guides.
I hope you liked it and found it interesting. I am waiting for your comments and remarks, as well as to suggest your own similar programs and methods that you use.