CAN related knowledge
Introduction to CAN Bus
CAN is the abbreviation of Controller Area Network. It is the central nervous system that realizes the communication between all or some parts of the car. It was developed by the German BOSCH company, which is known for its research and development and production of automotive electronic products, and eventually became an international standard (ISO 11898), is one of the most widely used fieldbuses in the world. Before using CAN as an in-vehicle communication system, car manufacturers used point-to-point wiring systems. When there are more and more internal electronic units in the car, this wiring system will be particularly large and the maintenance cost will be too high. Later, it was replaced by CAN. solve this problem.
To put it simply, CAN allows various electronic units on the car to communicate with each other and share data. The main reason for proposing CAN is that it allows multiple ECUs (Electronic Control Units) to share a wire for communication. There are as many as 70 ECUs in a modern car, such as engine control units, airbags, transmissions, gear units, anti-lock braking systems (ABS), infotainment systems, climate control systems, windows, and doors In order to allow these units to communicate with each other, point-to-point wiring will be extremely large. Imagine that each component is connected to all other components, which is quite bad for later fault diagnosis and troubleshooting, but with CAN, it can be replaced by a single wire, and the communication between each component is much simpler.
The CAN bus can be regarded as a noisy, crowded, slow version of the Ethernet LAN, but the traffic is UDP instead of TCP. It is worth noting that not all car control systems use CAN, and CAN is not only a communication protocol used in car systems, but also other protocols, such as Bluetooth, GSM/LTE cellular network, satellite radio, LIN (Local Interconnect Network) etc. In actual scenarios, CAN is not the only attack surface, there may be many other attack surfaces.
A car can have multiple nodes that can send or receive messages. This message basically consists of an ID. Its priority can also include CAN messages, which can be 8 bytes or less at a time. If two or more nodes start to send messages at the same time, the messages sent with the dominant ID will overwrite the messages sent by the dominant ID in turn. This is the so-called priority-based bus arbitration. The smaller the ID value, the higher the priority of the message, which is the basis for the node to determine the sequence of message transmission. The message from the brake has a higher priority than the message from the audio player.
The CAN bus is composed of two different wires. Since it is a bus, these wires can be connected to multiple devices. A CAN frame has 3 main parts:
1. Arbitration identifier
2. Data length code
3. Data field
Let’s take a look at the structure of CAN data frame:
How to access the CAN bus on a real car
In order to access the CAN bus of the car, it is necessary to first access the on-board self-diagnostic port, which is OBD. Although there may be hundreds of other diagnostic standards or ports, OBD-Ⅱ, which is basically used by all cars nowadays, is also the way for car repairers to identify car failures. OBD is the most direct access to CAN. The way to find OBD-II is very simple. It is usually located near the passenger seat or driver’s seat and can be accessed without using a screwdriver.
This is what OBD looks like:
If you want to know the pins of OBD, here are the pins of OBD port:
Hardware and software required to access CAN via OBD
Because the computer cannot be directly connected with CAN, in order to interact with the CAN bus, a tool similar to USB to CAN is needed, which is connected to the OBD-II port via USB, so that CAN data packets can be sent or received. At the same time, some tools that can read or write CAN data packets and encode or decode CAN data packets are required on the software. With a little hardware and software, you can definitely connect to CAN.
The hardware required to connect to OBD-II can be easily found on the market, and there are expensive and cheap hardware devices. High-end devices include Kvaser and EMS. These devices are expensive and overkill. The most cost-effective combination is USB2CAN and a native Linux system.
In addition, many times you will encounter ELM327, which is a Bluetooth-based device, but it is very bad for hackers, because its data rate is relatively slow, and a lot of data packets will be lost in the end.
Macchina M2 is an open source automotive interface that can communicate with CAN bus via OBD-II. The biggest advantage of Macchina M2 is that it is modular, which means that WiFi, GSM, LTE, and BLE modules can be added to Macchina M2. Macchina M2 has 2 CAN channels. Macchina M2 also has LIN, you can visit the link:
Get more information about Macchina M2.
Another low-cost option is CSS Electronics’ CLX000, which can record and stream CAN data. The data can be visualized in the free open source software Wireshark. A plug-in can realize the reverse function. CLX000 is for visualization and telematics. Ideal choice.
You can access the link:
For more information about CLX000, there are also some articles about CAN in the blog.
In terms of software, SocketCAN, can-utils, and vcan are built into the Linux kernel. Their function is to send and receive CAN packets, encode or decode data, and analyze CAN packets through Wireshark.
If you want to learn more about CAN operation, but don’t want to damage your car, ICsim will be the tool of choice:
ICSim installation and setup
Install SDL library
SDL is a cross-platform development library for computer graphics and audio. Since ISCim uses SDL to draw the animation of the virtual car dashboard, it must be installed. This can be installed via apt-get:
sudo apt-get install libsdl2-dev libsdl2-image-dev -y
Install CAN Utils
can-utils is a set of Linux-specific utility tools, which allows Linux to communicate with the CAN network on the vehicle. In order to send, receive and analyze CAN data packets, you need to install CAN utils. canutils mainly includes 5 frequently used tools:
1. Cansniffer is used to sniff data packets
2. cansend sends a piece of data
3. Candump dumps all received packets
4. Canplayer replays CAN packets
5. Cangen randomly generates CAN packets
This can be installed via apt-get:
sudo apt-get install can-utils -y
git clone https://github.com/zombieCraig/ICSim
Prepare virtual CAN network
Enter the ICSim directory, there is a shell script named setup_vcan.sh:
The modprobe command is used to load kernel modules, such as the can and vcan modules. The last two lines will create a vcan0 interface to simulate the car network. You can run the following command to set a virtual can interface:
To verify the vcan0 interface, if vcan0 is configured, it will display:
At least two components are required to run ICSim, a dashboard and a controller to simulate acceleration, braking, door control, turn signals, etc., and at least 3 terminal windows or tabs to run the dashboard, controller and can-utils.
Run the dashboard
In order to run the dashboard, you need to run a file named icsim with the parameter vcan0, which is the interface created earlier.
Run the controller
At this time, the instrument panel is still not working properly, including the speedometer, turn signals, brakes and doors. This is because there is no traffic on interface vcn0. In order to simulate the traffic on interface vcan0, the controller needs to be started here.
Controller operation dashboard
vcan0 is a virtual CAN interface through which ICsim will send and receive CAN frames. When the control panel is started, some fluctuations in the speedometer can be observed. This is because the control panel simulates noise. After starting the control panel, you can Use the keyboard to simulate traffic.
|Turn left and right||←/→|
|Unlock the front left and right doors||Right-Shift + A/B|
|Unlock the behind left and right doors||Right-Shift + X/Y|
|Lock all doors||Right-Shift + Left-Shift|
|Unlock all doors||Left-Shift + Right-Shift|
CAN bus operation
This is the specific appearance of CAN messages collected through can-utils. If these columns are subdivided, the first column is the interface, the second column is the arbitration ID, and the third column is the size of the CAN message. This cannot exceed 8 bytes. If you look at the CAN frame, you will understand why this cannot exceed 8 bytes. The fourth column is the CAN data itself.
Understand CAN messages
In this example, this is an 8-byte frame. The message is sent by an arbitration ID 0x111. After seeing this message, the dashboard will first determine whether the message is for the dashboard. If it is Then it will read this message. The data of this message is 0x0BB8, which is 3000 in decimal. Now the instrument panel will move the pointer of the tachometer to 3000.
After understanding the meaning of the CAN message, you can further inject fake or modified data packets on the CAN bus through ODB-II to deceive the tachometer or other things.
Before entering the ICsim demo, you need to see how the other tools provided by can-utils work. To do this, you first need to set up the virtual can interface. The following content mainly explains the commands in the setup_vcan.sh file. What is the meaning? In actual operation, you can directly run the setup_vcan.sh file.
Set up virtual CAN interface
Load the CAN kernel module and the virtual CAN kernel module:
sudo modprobe can
sudo modprobe vcan
Verify that the required kernel modules are loaded:
lsmod | grep can
This will show whether the kernel modules of can and vcan are loaded:
Next, set up the virtual interface:
sudo ip link add dev vcan0 type vcan
sudo ip link set up vcan0
The following methods can be used to verify whether the virtual CAN interface is set successfully:
After the virtual CAN interface is set successfully, you can send or receive CAN data packets on this interface, and then use a tool called cangen in can-utils to generate virtual CAN data packets.
Cangen can generate CAN frames for testing. To use cangen, you need to specify the interface to generate CAN frames. Here vcan0 is the created virtual CAN interface:
After the CAN frame is generated, there are many tools to view the content of the CAN frame. Here, Wireshark is used as an example.
You may see many interfaces available here, but you only need to pay attention to the interface vcan0 generated by the CAN frame. Click on the vcan0 interface to see the content of the CAN frame:
You can also see more detailed information about CAN frames:
In addition, you can choose to use the tools provided by can-utils, such as cansniffer and candump, whose functions are similar to Wireshark.
You can use candump to dump or record CAN frames:
candump will display the CAN frame output:
The lower terminal is running cangen to generate CAN frames, and the upper terminal is running candump to record CAN frames. The recorded CAN frames can be divided into four columns. The first column is the CAN interface, the second column is the arbitration ID, and the third column is CAN The size of the data, the fourth column is the data itself.
Candump can also dump CAN frames. If you want to perform a replay attack, you need to dump the CAN frames first, and then use canplayer to replay the dumped CAN frames. The dump of CAN frames can be started with the -l parameter:
candump -l vcan0
When using candump to dump CAN frames, a file with candump as the prefix and date command will be created. If you want to view the contents of the dumped file, you can use the cat command in Linux to view:
As the name suggests, canplayer is a tool for replaying CAN frames. Ideally, when a replay attack must be performed, the CAN frame needs to be dumped or recorded first, and then the CAN frame is replayed using canplayer.
Imagine a scenario where you want to cheat the tachometer, but you don’t know which arbitration ID the tachometer reading is working on. In this case, you need to dump the CAN frame number with the -l parameter of candump, and then use canplayer to replay the dump. When using canplayer to replay the CAN frame, you need to pass the -I parameter to accept the input file:
canplayer -I canfile.log
There are some other very useful parameters for canplayer, which can be obtained through man canplayer.
cansniffer is a tool for sniffing CAN packets. The -c parameter of cansniffer can highlight the changed bytes by color highlighting. It is used when it is necessary to determine whether certain operations will cause CAN data changes.
cansniffer -c vcan0
cansniffer can be filtered by the arbitration ID. When you need to display only the frames with a specific arbitration ID, just press the minus sign (-) and enter 000000 during the sniffing process, and then press Enter to clear all frames, and press Plus sign (+) and then enter the arbitration ID, and then press Enter to display only the frames with a specific arbitration ID.
cansend is a tool used to send CAN frames to a specific CAN interface:
cansend interface frame
The above are the tools that will be used in ICSim.
I have already introduced how to install and set up ICSim. Here, start the dashboard and controller directly:
If you follow the previous process, there should be no problem here, you can see that the speedometer pointer is moving back and forth, which is expected behavior caused by noise.
Sniff ICSim’s CAN frame
The cansniffer tool provided by can-utils will be used to sniff data packets. You can open a new terminal and start cansniffer, and display the byte changes in the CAN frame through the -c parameter:
cansniffer -c vcan0
It can be seen that the CAN frame changes very quickly, and it is difficult to keep up with the speed of communication. In a real car, this kind of communication will happen faster. In order to keep up with its speed, arbitration ID filtering can be used. If you only want to view the frames with the arbitration ID of 40C, you can press the minus sign (-) and then enter 000000, then press the Enter key to clear all frames, press the plus sign (+) then enter 40C, and then press the Enter key to display only the arbitration ID The frame is 40C.
Before performing a replay attack, you need to open ICsim. At this time, you will see the changes of CAN frames in the cansnifer tool. Use candump -l vcan0 to dump the CAN frames while operating the dashboard on the controller, such as acceleration, steering , And then stop dumping, you will see that a file named candump-XXXXX.log is created, and then use canplayer -I candump-XXXXX.log to replay the dumped CAN frames, which will be viewed in the dashboard The operation to be performed at the time of the dump.
Dump CAN frame analysis
In a real car, the noise of the CAN bus may be much larger, and the CAN frame will appear much faster, so how to identify the key arbitration ID is a difficult problem. Here are two methods: dichotomy and statistical method. The statistical method is recommended.
Divide the dumped CAN frame file into two, and then replay them to observe which file contains the key arbitration ID, and then perform operations on the corresponding file, and loop in turn.
Based on the arbitration ID or arbitration ID and CAN data, count the number of occurrences of each arbitration ID or arbitration ID and CAN data in the CAN frame file, and judge according to where it appears.
There are many softwares that can monitor and filter CAN communication, including fee-based professional tools and free open source tools. The main purpose of this article is to learn car hacking for free, so we will not introduce fee-based professional tools. The two free tools, can-utils and Wireshark, have been introduced above, and another graphical interface tool will be introduced below. SavvyCAN provides more additional functions. In addition to lightly browsing, filtering data packets and arbitrating ID, You can also execute scripts, Fuzzing, and several reverse engineering tools on CAN frames.
“SavvyCAN” is a cross-platform C++ program based on QT. It is a CAN bus reverse and capture tool. It was originally written to take advantage of EVTV hardware such as EVTVDue and CANDue hardware. It has been extended to be able to use any socketCAN compatible device as well as Macchina M2 and Teensy 3.x boards. It can collect and send to multiple buses and CAN acquisition devices at the same time. ”
SavvyCAN official website introduces this tool like this, you can follow the link:
To get more information about SavvyCAN, I personally feel that SavvyCAN is easier to use than can-utils. This is just a personal point of view, no argument, you can choose the tool you are used to to complete the corresponding operation.
The installation of SavvyCAN is very simple, you can directly access the link:
Download binary files under windows, Linux, mac os. Here is only a demonstration under Linux:
The download here is a binary file directly, which can be run without installation:
chmod 744 SavvyCAN-305dafd-x86_64.AppImage
When SavvyCAN is used with Macchina M2 or any other compatible hardware, there is no need to install other additional things, but when used with ICsim, because it needs to connect to QT SerialBus Devices, run the directly downloaded SavvyCAN binary file in Connection-> In Open Connection Window->Add New Device Connection, you can observe that QT SerialBus Devices is disabled, you need to manually compile SavvyCAN:
chmod +x ./qt-opensource-linux-x64-5.12.4.run
If you are prompted to log in to your account during the installation process, you can reinstall after disconnecting the network.
In the foreign language blog, qtserialbus was also compiled and installed. An error occurred during the compilation of qtserialbus, which may be caused by the version. Later, I found that SavvyCAN can be used normally without installing qtserialbus.
git clone https://github.com/collin80/SavvyCAN
After the compilation is completed, you can start the ICSim simulator, and then no longer use can-utils, but use SocketCAN to capture CAN communication.
Here is the newly compiled Savvycan binary file, not the previously downloaded Savvycan binary file. If it is used on a real car, then there is no need to manually compile it, just run the downloaded Savvycan binary file.
Select QT SerialBus Devices in Connection->Open Connection Window->Add New Device Connection, select SerialBus Devices as socketcan, and Port as virtual port vcan0:
After creating a new connection, you can see in the SavvyCAN window that the CAN frame has been captured:
In order to better understand the functions of SavvyCAN, SavvyCAN will be used to complete the operations previously completed with can-utils. On the right side of the SavvyCAN window, the arbitration ID may be filtered by selection:
Due to some problems, the functions of SavvyCAN are not fully used. Only a few functions are introduced below. More functions and usage still need to be explored later.
It is much easier to perform replay attacks with SavvyCAN. Select Playback in Send Frames to load data from files or directly from captured data. You can also select the ID to replay from the ID filter menu.
Identify the arbitration ID
SavvyCAN provides many reverse tools, among which Sniffer is often used, which can pop up inactive bytes, and filter the arbitration ID by dichotomy to quickly identify the key arbitration ID:
In the arbitration ID selected above, no byte changes corresponding to the operation were found. Next, select the arbitration ID that is not checked above to observe:
Send custom frame
SavvyCAN also has a very useful function, select Custom in Send Frames, it can send customized frames and modify them in real time:
SavvyCAN also has a very cool function, select Fuzzing in Send Frames, it can fuzzing CAN frames very easily.
Recognize the arbitration ID of accelerator, door and steering signals, and complete the acceleration, opening and closing doors, and steering operations through CAN.