4. CAN utilities…
Defcon Russia (DCG #7812) 4
• http://illmatics.com/content.zip - utilites by @0xcharlie and @nudehaberdasher
- A lot of cases and examples, very good and helpful
• https://github.com/ericevenchick/CANard - abstract CAN lib
- Abstract CAN lib, useful for creating own CAN tools (hardware independent)
• https://github.com/zombieCraig/UDSim - and not only .. other tools by Craig Smith
- Fuzzing, reversing and etc
• Moarrrr: http://opengarages.org/index.php/Tools
But why I need “Yet Another CAN Hacking Tool”?
A lot of tools and console scripts, for different tasks…, but I want to have one interface
If I want to use “combo” of those tools/tricks/tests (with minimum code-writing)?
If I want to do a MITM?
Not only for “hacking”, but testing framework (maybe useful for OEM/Vendors like validation scanner and etc)
Something module/scenario based – if I want to share readable test cases/scenarios with others
I need something like BurpSuite/Metasploit for CAN Network/ECU analyses. With different modules and one interface. I
want easily extend it with modules, run same modules in different “combos” and etc. So this tool I did for myself first…
but if it can be useful for others – why not, finally we can help each other with contribution
5. CANToolz (concept)
Defcon Russia (DCG #7812) 5
CANToolz
Module 1
CANToolz
Module 2 CANToolz
Module 3
CANToolz framework (MITM example)
You can configure modules in any order to create own “test scenario”.
Hardware “independent” scenarios (just need to have IO module for your hardware)
Easy to share, easy to use (for me at least, one standard interface – console, WEB API)
https://github.com/eik00d/CANToolz
PIPE 1
PIPE 2
Supported:
• ISO-TP
• UDS
6. CANToolz (concept)
Defcon Russia (DCG #7812) 6
CANToolz
Module 1
CANToolz
Module 2 CANToolz
Module 3
CANToolz framework (MITM example)
Each module have IN and OUT and can handle CAN frame. These modules can be
connected via any number of PIPES and perform different actions on any stage/step
in the scenario. This gives flexibility and power ;)
https://github.com/eik00d/CANToolz
PIPE 1
PIPE 2
7. CANToolz (hardware independent*)
Defcon Russia (DCG #7812) 7
https://github.com/eik00d/CANToolz
USBtin - http://www.fischl.de/usbtin/
Fast CAN to USB device, support extended format
CANBusTriple - https://www.canb.us/
Arduino based CAN to USB device.
Support up to 3 CAN buses!
These devices currently supported by the framework, but list will be extended in the future and
anyone can add support for any other hardware module!
Other (logical) modules are independent from
hardware!
20. Example 2: CAN Gateway scan
Defcon Russia (DCG #7812) 20
• Which frames will be blocked
• Which frames can be passed?
21. Example 2: CAN Gateway scan
Defcon Russia (DCG #7812) 21
# Load needed modules
load_modules = {
# IO hardware module connected to first BUS (IVI)
'hw_USBtin': {'port':'auto', 'debug':1, 'speed':500},
# IO hardware module (connected to OBD2)
'hw_USBtin~2': {'port':'auto', 'debug':1, 'speed':500, 'bus': 62 },
'gen_ping' : {}, # Generator/Ping
'mod_firewall': {}, # We need firewall to block all other packets
'mod_stat': {} # Mod stat to see results
}
actions = [
{'hw_USBtin': {'action': 'read','pipe': 1}}, # Read to PIPE 1 from IVI
{'hw_USBtin~2': {'action': 'read','pipe': 2}}, # Read to PIPE 2 from OBD2 port
# Block all other CAN frames, but let frames with
# data "x01x02x03x04x05x06x07x08" pass
{'mod_firewall': {'white_body':[[1,2,3,4,5,6,7,8]],'pipe': 1}},
{'mod_firewall': {'white_body':[[1,2,3,4,5,6,7,8]], 'pipe': 2}},
{'mod_stat': {'pipe': 1}}, {'mod_stat': {'pipe': 2}}, # read from both pipes after filtration
{'gen_ping': {'range': [1,2000],'mode':'CAN','body':'0102030405060708','pipe':3}},
# Generate CAN frames to PIPE 3
{'hw_USBtin': {'pipe': 3, 'action': 'write'}},# Write generated packets to both buses
{'hw_USBtin~2': {'pipe': 3, 'action': 'write'}}
]
22. Example 2: CAN Gateway scan
Defcon Russia (DCG #7812) 22
23. Example 2: CAN Gateway scan
Defcon Russia (DCG #7812) 23
Generated packets will be sent to both BUSes,
then if some of them pass CAN Gateway….
24. Example 2: CAN Gateway scan
Defcon Russia (DCG #7812) 24
Generated packets will be sent to both BUSes,
then if some of them pass CAN Gateway, we will receive it on other HW
Interface (mod_firewall will block all other messages except generated)
… we will receive passed frames on other HW
interface (mod_firewall will block all other
messages except generated)
25. Example 2: CAN Gateway scan
Defcon Russia (DCG #7812) 25
Generated packets will be sent to both BUSes,
then if some of them pass CAN Gateway, we will receive it on other HW
Interface (mod_firewall will block all other messages except generated)
There we can see 2 frames passes from First
bus to Second and 1 frame that can pass from
Second bus to first. (so now we have tested
filtration based on frame ID)
26. Example 3: Replay…
Defcon Russia (DCG #7812) 26
1. Collect traffic
2. Replay half
3. Another half
4. … (bin search)
How to find which frames and are
responsible for action
You commercial
could be here!
Door
control
27. Example 3: Replay…
Defcon Russia (DCG #7812) 27
load_modules = {
'hw_USBtin': {'port':'auto', 'debug':1, 'speed':500}, # IO hardware module
'gen_replay': {'debug': 1}, # Module for sniff and replay
'mod_stat': {} # Stats
}
# Now let's describe the logic of this test
actions = [
{'hw_USBtin': {'action': 'read','pipe': 1}}, # Read to PIPE 1
# We will sniff first from PIPE 1, then replay to PIPE 2
{'gen_replay': {'pipe': 1}},
{'hw_USBtin': {'action':'write','pipe': 2}} # Write generated packets (pings)
]
31. Example 3: Replay…
Defcon Russia (DCG #7812) 31
Switch gen_replay to PIPE 2.
(now we want to write sniffed
frames back to the BUS)
32. Example 3: Replay…
Defcon Russia (DCG #7812) 32
Replay first half of frames and
see if doors will be unlocked…
If not, then replay other half
and continue same way
(binary search)
33. Example 3: Replay…
Defcon Russia (DCG #7812) 33
Replay first half of frames and
see if doors will be unlocked…
If not, then replay other half
and continue same way
(binary search)
34. Example 3: Replay…
Defcon Russia (DCG #7812) 34
Than you can save found frames
to file for future work
35. UDS
Defcon Russia (DCG #7812) 35
ISO 14229-1
Most critical result - ECU firmware update
• Session HIJACKING
• Auth. brute force
• Known seeds/keys
• Weak algorithms
How an attacker can get “unauthorized access”
• RE firmware
• Debug ports (direct memory access)
• TESTER RE
37. Example 4: UDS traffic “detection”
Defcon Russia (DCG #7812) 37
(if u have TESTER or ISOTP traffic)
38. Example 4: UDS traffic “detection”
Defcon Russia (DCG #7812) 38
(if u have TESTER or ISOTP traffic)
39. Example 4.5: UDS “Scan/Ping”
Defcon Russia (DCG #7812) 39
{'gen_ping' : {
'pipe':2,
'range': [1790, 1794],
'services':[
{'service':0x01, 'sub':0x0d},
{'service':0x09, 'sub':0x02},
{'service':0x2F, 'sub':0x03,
'data':[7,3,0,0]}],
'mode':'UDS'}
Then listen “replay” with mod_stat and do anlysis of overall traffic
40. # Load modules
load_modules = {
'gen_fuzz': {},
'hw_USBtin' : {'port':'auto', 'debug':1, 'speed':500},
'mod_stat': {}
}
# Scenario
actions = [
# Fizz frames with ID: 222 and 555-999. Fuzz only first byte (index 0)
{'gen_fuzz' : {'index':[0],'id': [222,[555,999]], 'data': [0,0,0,0,0,0,0,0]
'delay': 0}},
# Write generated packets
{'hw_USBtin' : {'action':'write'}},
# Read response
{'hw_USBtin' : {'action':'read', 'pipe': 2}},
{'mod_stat': {'pipe': 2}}
]
Example 5: Fuzzer (discovery, UDS, etc)
Defcon Russia (DCG #7812) 40
Run fuzzer and see results:
• Brightness level of something
have been changed something
• Blinking of something
• Got new ID in response
41. Contribution needed!!
Defcon Russia (DCG #7812) 41
• More tests and checks (new modules)
• New hardware support (new modules)
• Net tests cases and scenarios (new configs)
- sploits, scans, validation test
- more ppl, have access to more hardware (cars)
• Bugs fixing
• Python3 support ( currently old Python only)
- btw, Python3 supports SocketCAN
• Refactoring
42. Structure
Defcon Russia (DCG #7812) 42
CANToolz modules, handling single CANFrame in PIPEs.
Main “business logic” elements are here.
Main structures, to works with CAN, ISO-TP, UDS…
and main CANToolz Engine with PIPES logic…
Examples of scenarios – describes how to connect CANToolz modules
43. Init parameters and commands
Defcon Russia (DCG #7812) 43
def do_init(self, params):
if 'save_to' in params:
…
self._cmdList['p'] = ["Print count of loaded packets", 0, "", self.cnt_print]
self._cmdList['r'] = ["Replay range from loaded, from number X to number Y",
1, " <X>-<Y> ", self.replay_mode]
This method will be called when module loaded into the project
list of commands that can be triggered any time
Number of parameters of command
Command’s parameters format (just help)
Actual method that will be called by triggering the command
44. Pre/post actions
Defcon Russia (DCG #7812) 44
def do_start(self, params):
self._i = 0
self.do_something1(self.something)
def do_stop(self, params):
self._i = 0
self.do_something2(self.something)
This methods will be called just before main loop started, and when it will stooped
45. # handle message in the pipe
def do_effect(self, can_msg, args):
if can_msg.CANData:
if 'black_list' in args and can_msg.CANFrame.frame_id in args.get('black_list', []):
can_msg.CANData = False
return can_msg
Main action (CAN frame handling)
Defcon Russia (DCG #7812) 45
Main method
Message OUT
Arguments for current step
Flag, if message contains CAN frame
CAN Frame
Message IN
46. Example of module
Defcon Russia (DCG #7812) 46
Let’s say that on Example 5 (fuzzing) we have found Frames (ID and data format) that are
responsible for Dashboard panel brightness level and status. Let’s create a simple module to
control it via CANToolz.
ID DATA
111 01fa000000000000 - Brightness level, form 0-255 (second byte)
111 0201000000000000 - Idle mode (second byte, 00 – idle mode)
47. Example of module(code)
Defcon Russia (DCG #7812) 47
from libs.module import *
from libs.can import *
import copy
class mod_panel_control(CANModule):
name = "Panel control module"
help = """
This module change dahsboard panel things.
Init parameters: None
Module parameters:
'pipe' - integer, 1 or 2 - from which pipe to print, default 1
"""
def do_init(self, params):
self._active = True
self._cmdList['1'] = ["Idle mode on", 0, "", self.turn_off]
self._cmdList['0'] = ["Idle mode off", 0, "", self.turn_on]
self._cmdList['b'] = ["Change brightness level (0 - 255)", 1, "<level>",
self.change_level]
self._frame = None
48. Example of module(code)
Defcon Russia (DCG #7812) 48
# Effect (could be fuzz operation, sniff, filter or whatever)
def do_effect(self, can_msg, args):
if self._frame:
can_msg.CANFrame = copy.deepcopy(self._frame)
can_msg.CANData = True
self._frame = None
return can_msg
def turn_off(self):
self._frame = CANMessage(111,8,[2,0,0,0,0,0,0,0], False, CANMessage.DataFrame)
def turn_on(self):
self._frame = CANMessage(111,8,[2,1,0,0,0,0,0,0], False, CANMessage.DataFrame)
def change_level(self, level):
b_level = int(level)
if 0 < b_level < 256:
self._frame = CANMessage(111,8,[1,b_level,0,0,0,0,0,0], False,
CANMessage.DataFrame)
49. Example of module(cfg)
Defcon Russia (DCG #7812) 49
# Load modules
load_modules = {
'mod_panel_control': {},
'hw_USBtin' : {'port':'auto', 'debug':1, 'speed':500},
}
# Scenario
actions = [
# Fizz frames with ID: 222 and 555-999. Fuzz only first byte (index 0)
{'mod_panel_control' : {}},
# Write generated packets
{'hw_USBtin' : {'action':'write'}}
]
51. Thx for contribution and help!
Defcon Russia (DCG #7812) 51
Sergey Kononenko
@kononencheg
Boris Ryutin
@dukebarman
Also to @isox_xx and all JBFC
Contributors are WELCOME!