This is the second part of the series "Car Hacking: The Ultimate Guide!". In Part I, we discussed what a CAN Bus is, some information to get you started with CAN Traffic, and how to set up a virtual Car Hacking system using ICSim.
In this part, we will dive deeper by sniffing the car's data on the CAN bus.
What does a CAN message look like?
This is what CAN messages look like when they are dumped. Breaking the output into columns: the first is the interface, the second is the arbitration ID, the third is the length of the CAN message, which cannot be larger than 8 bytes (if you look at the CAN frame format you will understand why it cannot exceed 8), and the fourth is the CAN data itself.
The meaning of the CAN message
In this example, we will look at an 8-byte frame. The message is sent with ID 0x111. When the instrument cluster sees this message, it first checks whether the message was intended for it. If so, it reads the message, 0x0BB8, which translates to 3000 in decimal. The instrument cluster then moves the tachometer needle to 3000.
Once we understand the CAN message, we can go further and inject modified packets into the CAN bus via OBD-II to tamper with the speedometer or whatever else we want.
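To make the column breakdown and the 0x111 / 0x0BB8 example concrete, here is a small Python parser for the ID#DATA notation that candump prints (and cansend accepts). It is an added example, not code from the original post or from can-utils; the byte offset at which the RPM value sits (TACHO_OFFSET) and the sample line are assumptions constructed for the demonstration. It also enforces the 8-byte limit mentioned above.

```python
# Added example, not from the original post: parse a candump-style line and
# decode the tachometer frame described above (ID 0x111 carrying 0x0BB8).
from dataclasses import dataclass
from typing import Optional


@dataclass
class CanFrame:
    interface: str
    arbitration_id: int
    data: bytes

    @property
    def dlc(self) -> int:
        """Data length code: number of payload bytes, at most 8 for classic CAN."""
        return len(self.data)


def parse_candump_line(line: str) -> CanFrame:
    """Parse '(timestamp) iface ID#HEXDATA' (candump -l format) or 'iface ID#HEXDATA'.

    Rejects anything that is not an ID#DATA frame and any payload longer than the
    8-byte maximum of a classic CAN frame.
    """
    fields = line.split()
    if fields and fields[0].startswith("("):
        fields = fields[1:]                     # drop the timestamp column
    if len(fields) != 2 or "#" not in fields[1]:
        raise ValueError(f"not a candump line: {line!r}")
    interface, frame = fields
    id_hex, data_hex = frame.split("#", 1)
    data = bytes.fromhex(data_hex)
    if len(data) > 8:
        raise ValueError(f"DLC {len(data)} exceeds 8 bytes: {line!r}")
    return CanFrame(interface, int(id_hex, 16), data)


def is_valid_candump_line(line: str) -> bool:
    """True if the line parses as a CAN frame with a legal length."""
    try:
        parse_candump_line(line)
        return True
    except ValueError:
        return False


TACHO_ID = 0x111      # arbitration ID from the article
TACHO_OFFSET = 3      # assumption: the 16-bit RPM value sits in bytes 3-4, big-endian


def decode_tacho(frame: CanFrame) -> Optional[int]:
    """RPM carried by a tachometer frame, or None if this is not one."""
    if frame.arbitration_id != TACHO_ID or frame.dlc < TACHO_OFFSET + 2:
        return None
    return int.from_bytes(frame.data[TACHO_OFFSET:TACHO_OFFSET + 2], "big")


def to_cansend_notation(frame: CanFrame) -> str:
    """Render a frame in the ID#HEXDATA notation that candump prints and cansend accepts."""
    return f"{frame.arbitration_id:03X}#{frame.data.hex().upper()}"


# Constructed sample line (not a real capture): 8-byte frame on vcan0 with 0x0BB8 at the assumed offset.
SAMPLE_LINE = "(1553488227.436111) vcan0 111#0000000BB8000000"

if __name__ == "__main__":
    frame = parse_candump_line(SAMPLE_LINE)
    print(f"ID 0x{frame.arbitration_id:03X}  DLC {frame.dlc}  data {frame.data.hex().upper()}")
    print("tachometer:", decode_tacho(frame), "RPM")
    print("as cansend frame:", to_cansend_notation(frame))
```

Running the block prints the parsed columns, decodes 0x0BB8 to 3000 RPM and renders the frame back into the notation a cansend command would take. Feeding it a line from a real candump log only works once you have found the right ID and byte offset for your car, which is exactly what the sniffing and replay steps later in this part are for.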
Before we start with ICSim, let's look at how the other utilities work. To do this, let's first set up the virtual interface.
Setting up the virtual CAN interface
sudo modprobe can
This loads the kernel module for CAN. We also need to load the kernel module for the virtual CAN interface.
sudo modprobe vcan
If you want to verify that the required kernel modules are loaded, you can use the following command.
lsmod | grep can
This shows whether the can and vcan modules are loaded.
Let's now set up the virtual interface.
sudo ip link add dev vcan0 type vcan
sudo ip link set up vcan0
You can verify that the virtual CAN interface is configured with the following command.
Once the virtual CAN interface is configured, you are ready to send and receive CAN packets on this interface. Now let's use one of the can-utils utilities, cangen, to generate virtual CAN packets.
cangen generates random CAN frames for testing purposes. To use cangen, you must specify the interface on which the CAN frames will be generated.
vcan0 is the virtual CAN interface we created earlier.
Now that CAN frames are being generated, there must be a way to see them! Many utilities are available, one of which is Wireshark. Start Wireshark after you have started generating the CAN frames.
You will see a number of interfaces, depending on how many are present; vcan0 is the interface on which your CAN frames are being generated.
Once you click on the interface whose packets you want to see, this is what the CAN frames will look like.
You can also see more detailed information about each CAN frame.
There are also other utilities for vcan0, such as cansniffer and candump, which do pretty much the same thing Wireshark does. Use whichever tool or utility you feel most comfortable with.
To dump or log frames using candump, you can use the command
Below we see the output it shows us.
In the terminal at the bottom, the CAN packets are being generated, while the terminal at the top runs candump. Parsing the columns: the first thing you see is the CAN interface, the second is the ID, the third is the size of the CAN message and the fourth is the message itself.
candump can also log the frames for you. If you want to perform a replay attack, you can first log the frames and then use a small utility like canplayer to replay them. Logging of CAN frames is enabled with the -l flag.
candump -l vcan0
When you log the CAN frames, a file is created with the prefix candump followed by the date on which it was created.
If you want to see the contents of the file, you can always use the cat command on Linux.
The data we logged using candump can be played back using a utility such as canplayer.
As the name implies, canplayer plays back CAN frames. This is ideal when you need to do a replay attack: first you record the CAN frames and then you play them back with canplayer.
Imagine a scenario where you want to tamper with the tachometer but have no idea which ID carries the tachometer reading or what is in the CAN message. Ideally, you first dump and log the frames using candump with the -l flag and then use canplayer to replay the recorded frames.
canplayer requires the -I option for the input file.
canplayer -I canfile.log
canplayer has several other really useful options; you can learn about them with man canplayer.
Use cansniffer to watch for changes in the CAN traffic. This is very useful for spotting a change in a specific byte. cansniffer has a very useful -c option that shows byte changes in color: it compares the previous byte with the current byte and, if they differ, indicates this by changing the color of the byte. This is very useful when you want to know whether something changed when you performed some operation in the car.
cansniffer -c vcan0
I find cansniffer very useful because it also allows ID filtering. So if you want to see frames only from a specific ID, say 0x011, you can do that.
To do this, as soon as you start sniffing, press - and then 000000. This first clears all the frames. Now you can start adding IDs by pressing + followed by the ID you want to display, then Enter. This way you can filter the frames of individual IDs.
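The byte comparison that cansniffer -c does on screen, together with the ID filter just described, can be reproduced offline over a candump -l log. The following Python is an added example, not part of the original post or of can-utils; the log it runs over is constructed for the demonstration (ID 0x011 has one byte ramping up while ID 0x123 never changes), and no meaning is attached to those IDs.

```python
# Added example, not part of the original post: an offline equivalent of
# "cansniffer -c" with ID filtering, run over a constructed candump -l log.
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple


def parse_frame(line: str) -> Tuple[int, bytes]:
    """Return (arbitration_id, data) from a candump -l line: '(ts) iface ID#HEXDATA'."""
    _timestamp, _iface, frame = line.split()
    id_hex, data_hex = frame.split("#", 1)
    return int(id_hex, 16), bytes.fromhex(data_hex)


def changed_bytes(previous: bytes, current: bytes) -> List[int]:
    """Indices of bytes that differ between two payloads (the bytes -c would color)."""
    width = max(len(previous), len(current))
    prev = previous.ljust(width, b"\x00")
    cur = current.ljust(width, b"\x00")
    return [i for i in range(width) if prev[i] != cur[i]]


def sniff(lines: Iterable[str], id_filter: Optional[Set[int]] = None) -> List[Tuple[int, List[int]]]:
    """Walk the log keeping the last payload seen per ID and report every frame
    whose bytes differ from that ID's previous payload.

    id_filter plays the role of the '+ID' filter: when given, frames from any
    other ID are skipped, just as they would no longer be shown on screen.
    """
    last_seen: Dict[int, bytes] = {}
    events: List[Tuple[int, List[int]]] = []
    for line in lines:
        can_id, data = parse_frame(line)
        if id_filter is not None and can_id not in id_filter:
            continue
        if can_id in last_seen:
            diff = changed_bytes(last_seen[can_id], data)
            if diff:
                events.append((can_id, diff))
        last_seen[can_id] = data
    return events


def summarize(events: Iterable[Tuple[int, List[int]]]) -> Dict[int, Dict[int, int]]:
    """Count, per ID, how often each byte position changed. After performing one
    action in the car, the ID/byte pair with the highest count is the first candidate."""
    counts: Dict[int, Counter] = defaultdict(Counter)
    for can_id, positions in events:
        counts[can_id].update(positions)
    return {can_id: dict(c) for can_id, c in counts.items()}


# Constructed log (not a real capture): ID 0x011 has byte 3 ramping up, ID 0x123 is static.
SAMPLE_LOG = """\
(1553488227.000000) vcan0 123#1122334455667788
(1553488227.010000) vcan0 011#0000000000000000
(1553488227.020000) vcan0 123#1122334455667788
(1553488227.030000) vcan0 011#0000000500000000
(1553488227.040000) vcan0 011#0000000A00000000
(1553488227.050000) vcan0 123#1122334455667788
(1553488227.060000) vcan0 011#0000001000000000
""".splitlines()

if __name__ == "__main__":
    for can_id, positions in sniff(SAMPLE_LOG):
        print(f"ID {can_id:03X}: bytes {positions} changed")
    print("all IDs:", summarize(sniff(SAMPLE_LOG)))
    print("filtered to 0x123:", summarize(sniff(SAMPLE_LOG, id_filter={0x123})))
```

On the constructed log, summarize() reports that only byte 3 of ID 0x011 ever changes, which is the same conclusion you would draw from watching the colored byte in cansniffer, but it can be run over a long recording after the fact instead of trying to follow the screen in real time.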
cansend is used to send CAN frames on a specific CAN interface.
cansend interface frame
We will use all of these utilities with ICSim.
Follow our first article to learn how to install ICSim.
Let's start ICSim and sniff the CAN frames.
./icsim vcan0
./controls vcan0
If you have followed each of the steps discussed in the previous post, you should be able to see them. You may also notice that the speedometer needle moves back and forth, which is expected due to the noise.
Sniffing the CAN frames generated by ICSim
We will use cansniffer, a utility provided by can-utils, to capture the packets. Open a new terminal and start cansniffer with the following command
cansniffer -c vcan0
The -c option is used to highlight changes in the frame bytes.
You can see the CAN frames changing very fast; it is difficult to keep up with the pace at which the communication takes place. In a real car, this communication would happen just as quickly. To keep up, you can use ID filtering. If you want to see only the frames from ID 40C, you can press - and then 000000 followed by the Enter key. This deletes all the IDs from cansniffer; you can then press + followed by the ID you want to filter on and press the Enter key.
Here I have filtered the 40C ID using the same steps mentioned above. Try pressing the up arrow key to increase the throttle and observe how fast the CAN frames change. The change is again indicated by the coloring. You can always play with it and see how things work under the hood.
Making sense of this huge amount of data will be quite difficult. Also, finding the ID into which you need to inject frames is nearly impossible in this large amount of data.
So you need to capture the packets while performing some actions, such as turning on the turn signals or pressing the accelerator once it is connected, then split the captured packets, perform a replay attack with each part and see whether it works.
Now, to run a replay attack with ICSim, you must already have ICSim running and be able to see the frames with cansniffer. We will use candump with the -l option to record and save the frames; in the meantime we will increase the throttle with the arrow keys and press <left> and <right> to activate the turn indicators.
candump -l vcan0
Now we stop candump and see that a candump-XXXXX.log file has been created.
Replaying the CAN frames
To replay these packets we will use canplayer. Since we are going to use a file as input for canplayer, we need the -I option.
canplayer -I candump-2019XXXXXX.log
You can see that the replay attack has taken place: the turn signals and the speedometer should behave as they did earlier.
In a real car, the CAN bus can be much more complicated and the CAN frames can arrive much faster, so locating the ID can be quite difficult. To identify the ID more easily, you can follow the steps below.
Splitting the CAN frames and running the replay attack
If you want to split the CAN frames in half and run the replay attack on each half, the best way is to capture the CAN frames using candump, use the wc utility to count the number of CAN frames, and then use split to divide them into two equal parts.
Now you can use canplayer to replay each half of the CAN frames independently.
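The wc / split / canplayer procedure above is one round of a binary search: if only one half reproduces the effect, that half can be split again, and so on until a single frame (or a small chunk) is left. The Python below is an added example, not part of the original post or of can-utils, and goes beyond the single split the text describes by repeating it. The log is constructed for the demonstration; the reproduces() callback is a stand-in for replaying a chunk with canplayer and watching the dashboard, and make_dashboard_stub() is a simulation of that observation, not something ICSim provides.

```python
# Added example, not part of the original post: the "count with wc, cut in two
# with split, replay each half" procedure, generalized to a binary search over the log.
from typing import Callable, List, Tuple


def load_log(text: str) -> List[str]:
    """Non-empty lines of a candump -l log, i.e. the frames 'wc -l' would count."""
    return [line for line in text.splitlines() if line.strip()]


def split_in_half(frames: List[str]) -> Tuple[List[str], List[str]]:
    """Two parts, like 'split' after 'wc -l'; the first takes the extra frame if n is odd."""
    mid = (len(frames) + 1) // 2
    return frames[:mid], frames[mid:]


def frame_id(line: str) -> int:
    """Arbitration ID of a candump -l line '(ts) iface ID#HEXDATA'."""
    return int(line.split()[2].split("#", 1)[0], 16)


def bisect_frames(frames: List[str], reproduces: Callable[[List[str]], bool]) -> List[str]:
    """Shrink the log to the smallest contiguous chunk that still reproduces the effect.

    reproduces() stands in for 'canplayer -I chunk.log, then look at the dashboard'.
    Each round replays at most two chunks, so n frames need about 2*log2(n)
    replays instead of n. If neither half reproduces the effect on its own, the
    effect needs frames from both halves and the current chunk is returned.
    """
    if not reproduces(frames):
        raise ValueError("the full log does not reproduce the effect")
    while len(frames) > 1:
        first, second = split_in_half(frames)
        if reproduces(first):
            frames = first
        elif reproduces(second):
            frames = second
        else:
            break
    return frames


def make_dashboard_stub(target_id: int) -> Callable[[List[str]], bool]:
    """Simulation only: pretend the dashboard reacts whenever a chunk contains target_id.
    In practice this is you watching ICSim after replaying the chunk."""
    return lambda chunk: any(frame_id(line) == target_id for line in chunk)


# Constructed log (not a real capture); the frame that matters is the tenth one (index 9).
SAMPLE_LOG = load_log("""
(1553488227.000000) vcan0 123#1122334455667788
(1553488227.010000) vcan0 123#1122334455667788
(1553488227.020000) vcan0 321#00000000
(1553488227.030000) vcan0 123#1122334455667788
(1553488227.040000) vcan0 123#1122334455667788
(1553488227.050000) vcan0 321#00000000
(1553488227.060000) vcan0 123#1122334455667788
(1553488227.070000) vcan0 123#1122334455667788
(1553488227.080000) vcan0 123#1122334455667788
(1553488227.090000) vcan0 40C#0000001000000000
(1553488227.100000) vcan0 123#1122334455667788
(1553488227.110000) vcan0 321#00000000
""")

if __name__ == "__main__":
    print(f"{len(SAMPLE_LOG)} frames in the log (what wc -l reports)")
    first, second = split_in_half(SAMPLE_LOG)
    print(f"first half: {len(first)} frames, second half: {len(second)} frames")
    culprit = bisect_frames(SAMPLE_LOG, make_dashboard_stub(0x40C))
    print("smallest chunk that still reproduces the effect:")
    for line in culprit:
        print("  ", line)
```

With a real recording you would write each chunk to a file and replay it with canplayer -I, answering "did the dashboard react?" by hand at each round; the 12-frame constructed log narrows down to one frame in four rounds, and a few thousand frames would take only a dozen or so replays.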
This brings us to the end of this guide as well. We have shown that once we have access to a vehicle we can carry out exploitation and perform actions such as increasing the throttle, turning on the turn signals and opening the doors. So with some software and low-cost components, we were able to get full access to a vehicle.
Happy (car) hacking !!!
Next: PART III
Previously: PART I
Originally posted here: https://en.iguru.gr/car-hacking-apolytos-odigos-part-2/
About the Author
PC Technician, Penetration Tester, Ethical Hacker, Cyber Security Expert, Malware Analyst, Information Security Researcher, Reverse engineering.
I have followed your training and it is absolutely fascinating. Can we connect on LinkedIn?
I would like to learn more about car hacking and the hardware involved for a physically connected car.