Monday, May 30, 2016

PHDays: CAR4ALL challenge (part 1)

CAN reversing with CANToolz

PHDays took place on May 17-18 in Moscow. It was a really great event and I believe PHDays is one of the best IT security events in Russia (but of course Zeronights is the best of the best). During the event there was a small CAR/CAN quest prepared by my friends, with a little support from me (as the CANToolz developer). Here I want to do a short write-up about it.

On the first day of the conference we had an "offline" task with real CAN dumps. Those who solved this task got access to the second level on the second day of the conference, and that second task was based on a real vehicle parked inside the main venue. But let's go into more detail.

_Saplt, _j0hnni3 and @Z0ha4

Thanks to HardwareVillage and the team: Michael Elizarov (@_Saplt), @Z0ha4, Anton Sysoev and @_j0hnni3.


Wednesday, May 4, 2016

CANToolz: ISO-TP and DIFF updates

Hello all,

I want to summarize all the updates and features in CANToolz that help us understand the CAN network of a vehicle.

First of all, I have ported CANToolz to Python 3.x and added SocketCAN support: the new module hw_CANSocket talks to a CAN device over a Linux SocketCAN interface. Simple and cool.

Another thing that was improved: the UDS service detection and ISO-TP detection methods in mod_stat. Anton Sysoev reported that this module made some mistakes in ISO-TP detection, because on his VW all ISO-TP messages are padded to 8 bytes! So I improved mod_stat: it can now detect padding in ISO-TP messages. A padding option was also added to gen_ping, so it is possible to generate messages with a chosen padding byte. As an example of how it works, you can see how Anton sniffs the traffic between the VAG diagnostic tool and his car's OBD-II port to understand which UDS services are used (and how):

This is a dump of the traffic between the VAG tool and the VW. Here we can see that two devices are talking to each other, and the padding is 0x55 in requests and 0xAA in responses. You can also see that the ID of a UDS response is equal to the request's ID + 0x6A (not +0x8 as we use by default, which is the offset of the common 0x7E0/0x7E8 tester/ECU pair). We need to change this parameter in 'UDS shift value', and then we can try to analyze the traffic:

Wow! It works. Thanks Andrey for testing this on your car and for the feedback and advice. So here we can see that CANToolz can re-assemble ISO-TP messages and find UDS services! Yes, you can see an ERROR in 'security access', but this is because VW uses unknown (non-default?) sub-functions which CANToolz does not understand by default. But anyway, we were able to get the CHALLENGE and RESPONSE (the seed and key of UDS service 0x27, SecurityAccess), and it looks like there is another problem there, but that is outside our topic and maybe Andrey will disclose what he found later. So I am happy just because, in general, my UDS detection works very well. We could go further and find out how to enable and disable this feature in the ECU, and then do the same action from CANToolz, without the VAG tool at all. But that is another story...
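To make the ISO-TP/UDS part concrete, here is an added example (my own illustration, not CANToolz code) that does the three things described above on a constructed VW-style exchange: it detects the padding byte per CAN ID, re-assembles ISO-TP single and multi-frame messages, and pairs UDS requests with responses. It goes one step beyond the post by voting on the 'UDS shift value' from the traffic itself instead of typing it in. The frames, the IDs 0x714/0x77E, the seed, key and VIN are all made up.

```python
"""ISO-TP reassembly, padding detection and UDS request/response pairing.
Added example, not CANToolz code.  SAMPLE_FRAMES is constructed to mimic the
VW-style traffic described in the post (requests padded with 0x55, responses
with 0xAA, response ID = request ID + 0x6A); the IDs 0x714/0x77E and the
session, seed, key and VIN values are made up."""
from collections import Counter

# Subset of ISO 14229 services; a positive response is SID + 0x40, a negative
# response is 0x7F, <requested SID>, <NRC>.
UDS_SERVICES = {0x10: "DiagnosticSessionControl", 0x22: "ReadDataByIdentifier",
                0x27: "SecurityAccess", 0x3E: "TesterPresent"}
NRC_SID = 0x7F

VIN = b"WVWZZZAUZ00000000"                      # constructed dummy VIN, 17 bytes
VIN_RESP = bytes([0x62, 0xF1, 0x90]) + VIN      # 20-byte ReadDataByIdentifier reply

SAMPLE_FRAMES = [  # (can_id, 8 data bytes) in capture order
    (0x714, bytes([0x02, 0x10, 0x03, 0x55, 0x55, 0x55, 0x55, 0x55])),  # SF: session 0x03
    (0x77E, bytes([0x06, 0x50, 0x03, 0x00, 0x32, 0x01, 0xF4, 0xAA])),  # SF: positive reply
    (0x714, bytes([0x02, 0x27, 0x03, 0x55, 0x55, 0x55, 0x55, 0x55])),  # SF: requestSeed, level 3
    (0x77E, bytes([0x06, 0x67, 0x03, 0xDE, 0xAD, 0xBE, 0xEF, 0xAA])),  # SF: seed (challenge)
    (0x714, bytes([0x06, 0x27, 0x04, 0x01, 0x02, 0x03, 0x04, 0x55])),  # SF: sendKey (response)
    (0x77E, bytes([0x03, 0x7F, 0x27, 0x35, 0xAA, 0xAA, 0xAA, 0xAA])),  # SF: NRC 0x35 invalidKey
    (0x714, bytes([0x03, 0x22, 0xF1, 0x90, 0x55, 0x55, 0x55, 0x55])),  # SF: read DID F190 (VIN)
    (0x77E, bytes([0x10, 0x14]) + VIN_RESP[0:6]),                      # FF: total length 20
    (0x714, bytes([0x30, 0x00, 0x00, 0x55, 0x55, 0x55, 0x55, 0x55])),  # FC: clear to send
    (0x77E, bytes([0x21]) + VIN_RESP[6:13]),                           # CF, sequence 1
    (0x77E, bytes([0x22]) + VIN_RESP[13:20]),                          # CF, sequence 2
]


def detect_padding(frames):
    """Per CAN ID, the byte used to pad frames to 8 bytes.  Single frames carry
    their length in the low PCI nibble and flow-control frames are 3 bytes, so
    trailing bytes of such 8-byte frames are padding; a consistent value wins."""
    votes = {}
    for can_id, data in frames:
        pci, n = data[0] >> 4, data[0] & 0x0F
        used = {0: 1 + n, 3: 3}.get(pci)   # FF/CF are full by construction
        if len(data) != 8 or used is None:
            continue
        tail = data[used:]
        if tail and len(set(tail)) == 1:
            votes.setdefault(can_id, Counter())[tail[0]] += 1
    return {cid: c.most_common(1)[0][0] for cid, c in votes.items()}


def reassemble_isotp(frames):
    """Reassemble ISO-TP messages per CAN ID -> [(can_id, payload)].  SF/FF/CF
    are handled; FC frames carry no payload.  Padding is skipped naturally
    because the declared length decides how many bytes are taken."""
    messages, pending = [], {}             # pending: can_id -> [total, buf, next_sn]
    for can_id, data in frames:
        pci, n = data[0] >> 4, data[0] & 0x0F
        if pci == 0 and n:
            messages.append((can_id, bytes(data[1:1 + n])))
        elif pci == 1:
            pending[can_id] = [(n << 8) | data[1], bytearray(data[2:8]), 1]
        elif pci == 2 and can_id in pending:
            total, buf, sn = pending[can_id]
            if n != (sn & 0x0F):           # lost frame: abort this message
                del pending[can_id]
                continue
            buf += data[1:8]
            pending[can_id][2] = sn + 1
            if len(buf) >= total:
                messages.append((can_id, bytes(buf[:total])))
                del pending[can_id]
    return messages


def is_reply(sid, payload):
    """Positive (SID + 0x40) or negative (0x7F, SID, NRC) response to sid."""
    return payload[0] == sid + 0x40 or (payload[0] == NRC_SID and payload[1:2] == bytes([sid]))


def infer_shift(messages):
    """Vote on (response ID - request ID) instead of setting 'UDS shift value'
    by hand: for each known request take the first later reply, whatever its ID."""
    votes = Counter()
    for i, (can_id, req) in enumerate(messages):
        if req[0] in UDS_SERVICES:
            for resp_id, resp in messages[i + 1:]:
                if is_reply(req[0], resp):
                    votes[resp_id - can_id] += 1
                    break
    return votes.most_common(1)[0][0] if votes else None


def pair_uds(messages, shift=0x08):
    """Pair each request with the next message on ID + shift and classify it."""
    pairs = []
    for i, (can_id, req) in enumerate(messages):
        if req[0] not in UDS_SERVICES:
            continue
        resp = next((p for c, p in messages[i + 1:] if c == can_id + shift), None)
        if resp is None:
            status = "no response"
        elif resp[0] == req[0] + 0x40:
            status = "positive"
        elif resp[0] == NRC_SID and len(resp) >= 3 and resp[1] == req[0]:
            status = "negative NRC 0x%02X" % resp[2]
        else:
            status = "unexpected"
        pairs.append({"id": can_id, "service": UDS_SERVICES[req[0]], "sub": req[1:2],
                      "request": req, "response": resp, "status": status})
    return pairs
```

With the default shift of 0x08 every request is reported as "no response", which is why the parameter has to match the vehicle; with 0x6A (or the value infer_shift votes for) the SecurityAccess seed/key exchange becomes visible, including the NRC 0x35 (invalidKey) that the ECU returns for the wrong key. The requestSeed sub-function 0x03 in the sample stands in for the kind of non-default sub-function the post mentions; a tool that only knows 0x01/0x02 would flag it as an error while the seed is still right there in the reply.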

One more important update is related to DIFF mode. Now it is more functional and useful! Again, let's look at this feature on a real example provided by @Z0ha4. He has a BMW, which he is also preparing for Hardware Village Russia, and he is going to use the DIFF feature of CANToolz to find useful control messages on the CAN bus. He will tell more about this at PHDays, but I want to tell you about the CANToolz DIFF mode, which has changed a little. It now supports multiple buffers: you can name them and dump traffic into them separately, and later diff any two buffers and dump them, or dump just the diff. For that, use the command "Switch sniffing to a new buffer" and give the buffer a name.

In general you need a "white-noise" capture as the baseline set: traffic recorded while you do nothing, against which you diff every other set to find the frames caused by an action. Just start the car and dump CAN traffic for one minute. Then stop mod_stat and use "Switch sniffing to a new buffer" to create a new buffer; name it if you want, for example "Windows Down/Up action". Then activate mod_stat and perform that action in the car. Right after that, stop mod_stat and think about the next action. Then repeat: create a buffer, activate mod_stat, do an action, disable mod_stat (or stop sniffing, because we do not want noise frames in those buffers). In the end you will have one buffer per action:

You can diff any two buffers by index (by default the last two buffers are compared). Here we are trying to find the CAN frames of the window action:

We use "Print Diff between two buffers (new ID only)" to find only frames whose ID was never seen in the "white-noise" buffer. The frames with ID 0xFA look exactly like what we are looking for. Of course we could dump this diff and replay it, or do something else, but let me show you another simple thing that helps validate our guess: searching by ID. Yes, a simple search. Let's search for this ID (0xFA) in all buffers:

As a result we can see that this ID (0xFA) is found only in the dump related to the window action. The low ID value (on CAN a lower ID wins arbitration, so this is a high-priority frame) also suggests it is what we want. Later we can find out which frames relate to the up and down actions and what each bit means, but that is later work and we will cover it later.
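Here is how the buffer workflow above can be modelled in a few lines of Python, as an added example (my own illustration, not CANToolz's DIFF code): named buffers, a "new ID only" diff, a full frame diff that also catches a known ID whose payload changes during an action, a search by ID across all buffers, and the diff rendered in can-utils cansend syntax for a replay. The captures, their IDs (0xFA included) and payloads are constructed.

```python
"""Named capture buffers with "new ID only" diff, full diff and ID search.
Added example, not the CANToolz DIFF implementation.  All captures below are
constructed: a 'white-noise' baseline, a window action and a lights action,
with made-up IDs and payloads (0xFA stands in for the window frames)."""


class CaptureBuffers:
    def __init__(self):
        self.buffers = {}                  # name -> [(can_id, data)], insertion ordered
        self.current = None

    def switch(self, name=None):
        """'Switch sniffing to a new buffer'; unnamed buffers get an index name."""
        name = name or "buffer%d" % len(self.buffers)
        self.buffers[name] = []
        self.current = name
        return name

    def sniff(self, frames):
        """Append frames captured while mod_stat is active to the current buffer."""
        self.buffers[self.current].extend(frames)

    def frames(self, ref):
        """Look a buffer up by name or by index (negative indexes count from the end)."""
        if isinstance(ref, int):
            ref = list(self.buffers)[ref]
        return self.buffers[ref]

    def diff_new_ids(self, base=-2, other=-1):
        """IDs that appear in `other` but never in `base` (default: last two buffers)."""
        base_ids = {cid for cid, _ in self.frames(base)}
        return sorted({cid for cid, _ in self.frames(other)} - base_ids)

    def diff_frames(self, base=-2, other=-1):
        """Frames of `other` whose (id, data) pair never occurs in `base`.  Unlike
        the new-ID diff this also catches a known ID whose payload changes
        during the action."""
        seen, out = set(self.frames(base)), []
        for frame in self.frames(other):
            if frame not in seen and frame not in out:
                out.append(frame)
        return out

    def search_id(self, can_id):
        """{buffer name: frame count} for every buffer containing can_id."""
        hits = {name: sum(1 for cid, _ in frames if cid == can_id)
                for name, frames in self.buffers.items()}
        return {name: n for name, n in hits.items() if n}


def as_cansend(frames):
    """Render frames in can-utils cansend syntax (ID#DATA) for a quick replay."""
    return ["%03X#%s" % (cid, data.hex().upper()) for cid, data in frames]


def build_sample():
    """Constructed session: baseline, then one buffer per action."""
    caps = CaptureBuffers()
    caps.switch("white-noise")
    caps.sniff([(0x1A0, b"\x00\x10"), (0x2B4, b"\x7F\x00\x00"),
                (0x1A0, b"\x00\x10"), (0x0AA, b"\x00\x00\x00\x80")])
    caps.switch("Windows Down/Up action")
    caps.sniff([(0x1A0, b"\x00\x10"), (0x0FA, b"\xF1\x04"), (0x0FA, b"\xF1\x08"),
                (0x2B4, b"\x7F\x00\x00"), (0x0AA, b"\x00\x00\x00\x80")])
    caps.switch("Lights action")
    caps.sniff([(0x1A0, b"\x00\x10"), (0x0AA, b"\x00\x00\x01\x80"), (0x2B4, b"\x7F\x00\x00")])
    return caps


if __name__ == "__main__":
    caps = build_sample()
    print("new IDs vs white-noise:", [hex(i) for i in caps.diff_new_ids("white-noise", 1)])
    print("0xFA seen in:", caps.search_id(0xFA))
    print("replay:", as_cansend(caps.diff_frames("white-noise", "Windows Down/Up action")))
```

Two things the constructed data is meant to show: the default "last two buffers" diff compares the lights capture against the window capture, not against the baseline, so always say which buffer is the baseline; and the lights action adds no new ID at all, only a changed payload on the already-known 0xAA, which the "new ID only" diff misses and the full frame diff catches.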

Once again I want to thank the whole Hardware Village community for the feedback about CANToolz and for the good advice. All these examples were done by them just for fun, because they are enthusiasts! So I can improve CANToolz thanks to the community's help, and that is great. Anyway, over the last 3 months (this tool is very young, as you can see) we have had >200 commits, and new awesome features will be added soon! Yes, maybe the front-end/GUI part is not so awesome and we lack documentation, but I still find this project very useful not only for fun and car hacking, but also for OEM/vendor internal tests and (security) test automation, and we will talk about this later, for sure.