Alberto Garcia Illera Javier Vazquez Vidal

Similar documents
How to Hack Your Mini Cooper: Reverse Engineering CAN Messages on Passenger Automobiles

K-line Communication Description

Welcome to the Introduction to Controller Area Network web seminar My name is William Stuart, and I am a Applications Engineer for the Automotive

VEHICLE DIAGNOSTICS THE AUTOCOM WAY

CAN-Bus Shield Hookup Guide

User Manual. AS-Interface Programmer

PEMS Conference. Acquiring Data from In-Vehicle Networks. Rick Walter, P.E. HEM Data Corporation

ABRITES. Commander for TOYOTA LEXUS SCION. User Manual

Bluetooth in Automotive Applications Lars-Berno Fredriksson, KVASER AB

IDD-213T User Manual. (Rev. 1.0) China Aerospace Telecommunications Limited

Understanding SAE J1939. by Simma Software, Inc.

This guide will show you how to configure a Windows Mobile 6 PDA for Bluetooth connection to the KBM Systems OBDKey Bluetooth device.

Surveillance System Using Wireless Sensor Networks

Local Interconnect Network Training. Local Interconnect Network Training. Overview

USB-Link 2 Installation and Setup Manual

Event Data Recorder - Reference Document

New OBD Smart PC Tool User Manual

RA Automotive. Silver Scan-Tool for the testing of OBD functionality. Peter Stoß Senior Manager RA Automotive. Mai 2008

VeHiCle diagnostics the autocom way

WIFI OBD GPS Tracker T356 User Manual

In-Vehicle Networking

Secure My-d TM and Mifare TM RFID reader system by using a security access module Erich Englbrecht (info@eonline.de) V0.1draft

TMA Management Suite. For EAD and TDM products. ABOUT OneAccess. Value-Adding Software Licenses TMA

SupverVAG K+CAN User Manual

Super Vag K+Can User Manual

Waspmote. Quickstart Guide

ENABLING WIRELESS DATA COMMUNICATION IN CONSTRUCTION MANAGEMENT SYSTEM

TOTAL AND SINGLE DIAGNOSIS - READ / ERASE ALL FAULT CODES ECU INFO REPAIR INFO PRINT REPORT INTEGRATED DATABASE

AVL DISCAN Handheld-Scantool for multifunctional fields of application Faultcode-reader with integrated Informationsystem and Oscilloscope

Link 2 Vehicle Maintenance System

The BSN Hardware and Software Platform: Enabling Easy Development of Body Sensor Network Applications

MeshBee Open Source ZigBee RF Module CookBook

DAKTON µ BOX MANUAL µbox User Manual 1

PC-Based Vehicle OBD Tester

Service Manual Trucks

What is our purpose?

LIN (Local Interconnect Network):

BLUETOOTH SERIAL PORT PROFILE. iwrap APPLICATION NOTE

LOCAL INTERCONNECT NETWORK (LIN)

ConnectKey 2.0 WorkCentre 6655i 6655

Software Development for Multiple OEMs Using Tool Configured Middleware for CAN Communication

S7 for Windows S7-300/400

Road Vehicles - Diagnostic Systems

BIT COMMANDER. Serial RS232 / RS485 to Ethernet Converter

Highly Available Mobile Services Infrastructure Using Oracle Berkeley DB

Distributed Real-Time Systems (TI-DRTS) Track 2. CAN-BUS Introduction. Version Ref. VECTOR application note & Motorola note

ERIKA Enterprise pre-built Virtual Machine

Mastertech Diagnostic Software Frequently Asked Questions

ENTTEC Pixie Driver API Specification

Contents 1. Overview Structure Connection and Installation How to use...9

RS-485 Protocol Manual

Gemalto Mifare 1K Datasheet

Programming Flash Microcontrollers through the Controller Area Network (CAN) Interface

A+ Guide to Managing and Maintaining Your PC, 7e. Chapter 1 Introducing Hardware

Bluetooth for device discovery. Networking Guide

DeviceNet Bus Software Help for Programming an Allen Bradley Control System

Smart Thermostat page 1

COS 318: Operating Systems. I/O Device and Drivers. Input and Output. Definitions and General Method. Revisit Hardware

Fondamenti su strumenti di sviluppo per microcontrollori PIC

An Example of Mobile Forensics

Automated Data Acquisition & Analysis. Revolutionize Validation Testing & Launch With Confidence

Table 1 below is a complete list of MPTH commands with descriptions. Table 1 : MPTH Commands. Command Name Code Setting Value Description

Vehicle Monitoring Quick Reference Guide

VitalJacket SDK v Technical Specifications

BLUETOOTH SMART CABLE REPLACEMENT

Quick Start Guide. MRB-KW01 Development Platform Radio Utility Application Demo MODULAR REFERENCE BOARD

User s manual. Digital input RS232. CAN-LOG connection and operation

VitalJacket SDK v Technical Specifications

ACU-1000 Manual Addendum Replacement of CPM-2 with CPM-4

1 DVR 670 Series firmware version (date )

WIZnet S2E (Serial-to-Ethernet) Device s Configuration Tool Programming Guide

4511 MODBUS RTU. Configuration Manual. HART transparent driver. No. 9107MCM100(1328)

ESE 498 Electrical Engineering Senior Design Final Project Report. Plug and Play Engine Sound Replicator

Work with Arduino Hardware

GIVE WINGS TO YOUR IDEAS TUTORIAL

The I2C Bus. NXP Semiconductors: UM10204 I2C-bus specification and user manual HAW - Arduino 1

How To Fix An Lmx9838 Bluetooth Serial Port Module With Bluetooth (Bluetooth 2) From A Bluetooth Bluetooth 4.2 Device With A Bluembee 2.2 Module

Wireless LAN g USB Adapter

Operation and Maintenance Terminal (OMT 1.2) User s Manual for use with MPW

Improving the Customer Support Experience with NetApp Remote Support Agent

Getting Started Guide with WIZ550web

WUA Mbps Wireless USB Network Adapter

VisorALARM-Manager Application Quick Guide. (Ver. 1.3) Dm 380-I. V:3.0

2.0 System Description

MCB3101 (Class I) WiRobot Serial Bluetooth Wireless Module User Manual

DiCE INSTALLATION INSTRUCTION

Quick Reference Guide VT55 & OBDII. Customer Service TPMS Version: QSG /12

Modbus and ION Technology

Secure software updates for ITS communications devices

USB-Link 2 Wi-Fi Edition Installation and Setup Manual

An Introduction To Simple Scheduling (Primarily targeted at Arduino Platform)

EARTH PEOPLE TECHNOLOGY SERIAL GRAPH TOOL FOR THE ARDUINO UNO USER MANUAL

Introduction to. LIN (Local Interconnect Network)

Modbus and ION Technology

OSI Seven Layers Model Explained with Examples

I/O Device and Drivers

PROLOGIX GPIB-USB CONTROLLER USER MANUAL VERSION May 14, 2013 PROLOGIX.BIZ

V16 Pro - What s New?

Product Information CANalyzer.J1939

Diagnostic of off-highway machinery for agriculture

Transcription:

Alberto Garcia Illera (@algillera) Javier Vazquez Vidal (@fjvva)

Javier Vázquez Vidal Hardware Security specialist Loves breaking toys security From Cádiz (Spain)

Alberto García Illera

Index Kline vs CANBus ELM327 CHT Hardware Statistical Analysis CAN ID takeover attack Car forensics

Vehicle Electronic Control Units

Vehicle Electronic Control Units Each ECU uses and accepts a set of unique IDs (addresses) in the network. They have authentication/encryption protection against non authorised (dealer) access. Data is usually stored in them for diagnose/ foresinc purposes, aswell as for car behaviour (configuration).

Vehicle communication protocols CAN Bus (ISO 11898) features K-Line (ISO 9141-2) features

ECU Tool K-LINE library V2 It was released with the idea of allowing everyone to use the ECU tool for developing their own applications with the same hardware in a flexible way. Has the following features: Holds the most common commands, and provides an easy way to use them. Includes LVL1, LVL3 and LVL41 security access algos. It is used for development of the ECU tool main FW, so it will be updated frequently with new functions and bug fixes.

Some facts about CAN data In most cases, each different model, even from the same manufacturer, uses different data (commands/format) than the others, which makes it impossible to find an universal command to perform an action. It is usually wrongly stated that the CAN data is plain. It is formatted according to the manufacturer specifications, and most of the times cannot be parsed in the same way from two different vehicles. CAN is an OSI level 1 and 2 protocol, so data security cannot exist within it, and should be implemented by the user (manufacturer).

Some facts about CAN data There are three types of commands which can trigger an action: User, Diagnostics, and System commands. Diagnostics commands cannot be captured by simply listening to the bus, as they are sent by diagnosis equipment (unless you capture them while the equipment is plugged and sending them). They usually allow triggering certain actions in order to test elements. They can be sent over the OBD2 port. System commands are generated by events such as the ABS, and most of the times cannot be sent over OBD2 since they will get filtered by the gateway. User commands are broadcasted when the user triggers an action, such as opening doors, turning lights on, opening windows, etc Most of the times, they cannot be sent over OBD2, as they will be filtered by the gateway.

ELM327 The ELM327 is the most wide-spread interface for OBD2 Generic and Enhanced diagnostics. It is handled by AT commands, and works with several protocols: SAE-J1850 PWM (41.6 kbaud) SAE-J1850 VPW (10.4 kbaud) ISO 9141-2 (5 baud init, 10.4 kbaud) ISO 14230-4 KWP (5 baud init, 10.4 kbaud) ISO 14230-4 KWP (fast init, 10.4 kbaud) ISO 15765-4 CAN (11 bit ID, 500 kbaud) ISO 15765-4 CAN (29 bit ID, 500 kbaud) ISO 15765-4 CAN (11 bit ID, 250 kbaud) ISO 15765-4 CAN (29 bit ID, 250 kbaud)

ELM327 Enhanced diagnostics allow the use of OEM specific commands (when known), and therefor, having some fun! Since it works on AT commands, only a serial interface is required to handle it. But, what happens when: The speed of the CAN bus you want to work with is 125kbaud or 800kbaud? We need to use non standard stuff?

CHT, the Can Hack Tool What is it? It is a piece of hardware based on the Arduino Mini Pro, that acts as an interface between the system (CAN bus target) and the user. Its hardware is still under development, but an alpha POC version is already being used for firmware development.

CHT, the Can Hack Tool What does it do? Capture and inject CAN data (no one would have guess that, right?) with a success rate of 92% of the frames for a SD log file on a fully used bus (no interframe space). Inject errors and manipulate the frames on realtime Perform basic analysis of the data being transmitted on the bus Store data logs for exhaustive analysis by sending them to a Back End. Firmware can be updated in the field to add/change functions (requires a second Arduino Mini Pro).

CHT, the Can Hack Tool Hardware overview 1x Arduino Mini Pro - $2,8USD 1x Wireless module (Bluetooth, Wifi or GSM) - $6,5USD for BT 1x MCP2515 DIP-18 CAN controller -$4,5USD 1x MCP2551 CAN driver - $2,8USD 1x SD Breakout board+sd card (class 4 or higher) - $5USD (2GB) 1x 12VDC to 5VDC regulator(78l05)+components - $4USD Total: $25.6USD (Sorry, things got a little bit expensive L )

But If in each car the commands have different Ids and/or payload, how I am going to know what is the ID for opening the doors in my car?

CAN Statistical Analysis What is it about? Checking for the type of data (commands, performance feedback, component status...) Determining packet structure (counters, in-frame checksums, different status byte possibilities..) Determining frame frequency (5ms, 10ms ) Determining if it is a command (sent once) or a broadcast (timed)

CAN Statistical Analysis This kind of analysis vastly improves the comprehension of the data being transmitted on the bus The data that is transmitted might be different on each vehicle, but the methodology is almost similar By doing an statistical analysis to a CAN capture, we can determine what ID correspond with a specific command in any car with a high rate of success.

CAN Statistical Analysis Why does it work? Users have common habits. Probably, one of the first frames sent will be the door unlock/alarm disable command, and it will only be sent once. Some values will only differ from zero once the engine starts or the car starts moving, which allows identification of, at least, what kind of parameter it might be (engine, chassis ). We can always wake up the bus and check for packets that exist without commands, which will ease the filtering when the bus is awaken by the user actions.

CAN Statistical Analysis What can we learn from it? Basic commands that will grant us access to several control functions in no time. Feedback of the driver habits (does he like to drive fast?).

CHT Webservice Due to the limitations of the hardware used (8bit processor, 30kB Flash, 2kB RAM), we created a website for our tests, and it will be made public so anyone can upload their captures to perform an analysis. The system is still under development, and will be improved over time. The current analysis has four different sections: List with one time IDs present in the capture (possible commands) Periodicity of active IDs. Packets sent over a timeline Possible match with some commands (still under development)

DEMO

Attacks on the CAN bus When are they useful? Some status messages are being broadcasted on a time schedule (every X milliseconds), so if you simply inject a different payload, it will be overridden by the original frame, making the injection useless. Some devices require a condition (status) to be met in order to accept a commands, so forcing this status can allow to manipulate items under circumstances that normally you would not be able to.

Attacks: ID takeover How does it work? We select a target ID we want to take over We get attached to the CAN bus with a level shifter, and no protocol handler (just a mcp2551 f.ex), being able to directly read the bits that are transmitted real-time Once we see that the target ID is transmitting, and we check the payload length, we can manipulate the frame to invalidate it in many different ways After the original frame is invalidated, we inject our own frame using the same ID with a protocol handler (MCP2515) We invalidate all future error and/or data frames from the target ID, and keep on injecting our own frames. If the attack is error generation oriented, the target module will give up transmitting after a while, which will allow to completely take over the ID without any effort.

Attacks: ID takeover Why does it work? Due to the arbitration system requirements, the bus can be driven low anytime (dominant), but not high (recessive).

Attacks: ID takeover Why does it work? The CAN frame structure allows to determine the ID (Identifier) and payload size (Data length) before the transmission is finished, so it gives you time to alter the data while it is still being transmitted

Attacks: ID takeover Why does it work? The error detection system implemented in the CAN does not contemplate this kind of errors (non standarised), so with proper actions, none will be perceived by any module.

Attacks: ID takeover Why does it work? The module sending the frame is responsible for error detection/ correction, so if it does not make it (or the error frame is not successfully broadcasted), no errors are registered by any other module.

Attacks: ID takeover Why does it work? The MCP2515 has the possibility to signal the detection of a SOF (Start of frame), making it easier for the MCU to perform the realtime analysis.

DEMO

What was the reason? Forensics

Related information Most of the cars, since 1994, have a Crash Data Retrieval (CDR) function that stores several data related to the crash. It s similar to the Black Box used in airplanes It stores information before and after the crash This info is related with speed, RPM, brake use, ABS activity, accelerator pedal position (%)

Where is the data? Almost all the cars store the crash data in the airbag ECU Usually this info is stored in a EEPROM (non volatile) memory There is costly hardware and software that must be used to retrieve and interpretate this information

The official hardware There is a official and expensive hardware/software from BOSCH to extract and parse the infomation There are three ways to connect the hardware with the Airbag ECU to retrieve the information: Connecting to the ODB port (Authentication required) Connecting with the airbag module (Authentication required) Read directly the EEPROM memory (No authentication required)

How to extract the data of a ECU? The software/hardware to use in the BOSCH ECU is called CDR The CDR Premium Tool Hardware Kit costs $8999

What about poor guys? The software can be downloaded totally free So the code about parsing the data it s just in front of us

Supported Vehicles

Once upon a time A client contacted us to do a forensic job into a car that was not supported by the CDR tool (Mercedes) Our face was something like:

What we did We did it the straight way: reading directly from the EEPROM memory

What s next? We retreived all the information stored in the EEPROM memory but we didn t have a way (with his wife) to parse it because the CDR program did not support Mercedes at that time So, we used a tool to reset the crash file data and doing after that a bindiff Doing this we knew what parts of the binary had changed and so we knew these parts of the full binary contained info about the crash

The next step to do with the already filtered data was looking for the speed of the car at the moment of the crash To do this we used WinOLS to view the graphs and be able to distinguish between the crescent and descrescent graphs The sorting was made because the speed in a car crash is always descrecent (Captain Obvious strikes again!)

We had a match!! After doing this we found a interval with values that could match with the speed in a car crash

But that s not all! You should probably look forward to the release of the ECU tool V3 HW/FW, as the following features will be added: CAN interface EDC16 support via CAN Crash data retrieval (Still on the works, but getting closer!) CHT emulation (with basic functionality) Optional OTA FW update via BT. Cost of the upgrade, including OTA, will be $10. Keep a close look at our GitHub repo: github.com/fjvva

Thank you All of you for being here today To our family and friends. They are always there when we need them All those who want to understand how and why things work Alberto Garcia Illera (@algillera) agarciaillera@gmail.com Javier Vazquez Vidal (@fjvva) javier.vazquez.vidal@gmail.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information