Hopping on the CAN Bus
by Eric Evenchick
Controller Area Network (CAN) is found in a number of systems, and is the main form of networking used in the automotive industry. Every new car has multiple CAN buses that let controllers communicate. This bus controls everything from the camshaft on your engine to your power seats.
In this talk, we will present and release CANard, an open-source toolkit which allows easy scripting of CAN bus tasks. This toolkit allows us to easily work with CAN, to talk to automotive controllers, perform diagnostic actions, and fuzz the protocols.
We will start with a brief introduction to CAN, look at the required hardware, and then start sending and receiving messages. We will explore CANard's features, and see several demos of real world vulnerabilities using our tool. We'll demonstrate how to read and clear fault codes, crack diagnostics security, and fuzz controllers to take over vehicle operation.
The talk will focus on practical applications. By the end of the talk, attendees will not only gain an understanding of automotive systems, but will also have the tools to attack them.
Пікірлер: 48
Excellent presentation! It does help to understand what CAN is in the Nutshell! Thank you! Great job!
Fantastic video, I learned a lot thank you. Only fact that I know of is in a production car, CAN was first implemented in the W140 S-Class, early 90's.
Great presentation.
Ahhh... Now it's all starting to make sense to me. Good info.
@lachie2002
7 жыл бұрын
that wasn't the point of the lecture tho, the point was to explain what it is and the security risks of it.
good job, thanks.
I laughed when he was talking about the tool being so expensive, you have to call for pricing. 😂 I've seen that for a few items I was interested in. I'm a poor hacker😂
@tmdrake
5 жыл бұрын
same here... Poor, only a wealth of knowlegde.
@ivotenotocensorship5247
4 жыл бұрын
I shall help fora trade...I help by showing you how you can make your own tool with MORE capabilities than the expensive ones. I can also help with interfacing and programming eeprom data and flash data for all Motorola hc11 hc12 68h microntrollers in addition to to the easy atmel soic8 EPROMs. What do you have to offer in return?
Awesome
It'd be really awesome to have that DoS attack set up to send out wirelessly to other cars, via a button on your dash, while on the road. Especially for somebody who's tailgating you. And if it was accompanied by a little LED "Goodbye!" message in the rear window it would be even better.
@iam1smiley1
2 жыл бұрын
I have a feeling the police are already capable of turning off or otherwise controlling newer internet using vehicles, otherwise it seems you'd need a dongle to communicate with any other OBD2 vehicle.
@everybot-it
8 ай бұрын
I have a feeling the police is already looking at a bunch of "JoeBob"s now lol oh, have been for 2 years I mean
Rolling seeds exist... check out Audi and VW. I have a late golf V with it, very frustrating, they imply it’s answered by the factory severs and sent remotely to the UDS dealer tool but I assume for the ecu to know the correct answer it must have the relevant clues inside. Getting ripped off 100s for a 10 buck new car key and five mins of tapping a touch screen tool for example ain’t my bag. Someone must have something!? I know the older fixed seed modules have been beaten and I’ve found some info on rolling seed cracking for Bosch ecus in Audi but they all seem to be worked/learned by sniffing while a factory type tool does the talking. Cmon, you know you wanna ;) is 14+year old tech now. Thank you for the video!
@abc123evoturbobonker
3 жыл бұрын
Ok, shoulda watched to the end, you did mention all that about immo.... stil tho, old tech not solved yet!?!?!?
I have this feeling you will be wealthy and happy in your life~ Wish you all the best young man, thanks for sharing!
engine not available. that means the engine ecu could not be found on the can
I want a car without electronics now :D
I sent HEX value to my Honda via 3 pin DLC connector and it response 0x05 ,0x00 to everything i sent!
Is there a suite of tools that is easy to use and identifies IDs to items in a vehicle as well as identifies the protocol that said vehicle uses when car is in canbus scan mode?
@alejandroperez5368
3 жыл бұрын
Can sniffer, watch "how to hack your car"
in my car, engine, ABS, Steering are on Low speed can 😂
@410kane
7 жыл бұрын
nosapi5 that's weird. my mercedes engine bus aka CAN C is a high speed bus at 500kbps
@johnmck9530
3 жыл бұрын
If it don't need the speed it don't need the speed slower is more reliable
What is SCADA
Yay XFCE
Hmmm, I just wonder if you CAN access into power steering motors and gas and breaks and then... ITS TIME TO INSTALL USB JOYSTICK!
@Mr_Smith_369
6 жыл бұрын
usb ? you will need a CAN joystick
@txdare1830
4 жыл бұрын
done with arduino
33:24
@QBelly
5 жыл бұрын
Hehee! I'm watching it again!
I have tried monitoring CAN bus and have been quite successful in pulling out CAN IDs for AC fan speed, AC temperature, Power windows, parking brakes, gear in which the car is etc., but monitoring CAN bus never gave me DTCs of ABS, BCM, Airbags etc. So, reverse engineering a scan tool feels like a plausible solution. Can anyone help me (give some personal advice or online resources) as to how to build a setup to display what commands a scan tool sends when I say click 'Show DTCs for BCM'
@Mr_Smith_369
6 жыл бұрын
what tools do you use to monitor the bus ?
Ugh, LowSpeed CAN is not single-ended. It is differential as well. I can fallback to single-ended what makes it fault-tolerant. Two minutes in and I wonder why KZread referred this video to me.
@Jack-qn4vt
6 жыл бұрын
Now I'm no engineer of this side of things but what would you call GMLAN for example? That's a single wire CAN based protocol wired bus isn't it?
Just send zero lmfao! d..
xDDDDDDD
Who says "Kay Bee Pee Ess" is kilobits per second really that hard to say?
Speaking CAN is child play... all you need is a $2, made in China, Arduino shield, hell you can even bitbang it with only 2 GPIO on a fast enough microcontroller (wouldn't suggest it for real world use). Its the PID/PGN database which are expensive, for example GM charge $50K for their PID DB, and just for the freaking SAE specs you will be down a few 10 of thousands dollars. "Vehicle manufacturer didn't expect people to plug in the port." ... Right so they put a diagnostic port, but just so you look at it and don't use it. You are basically bitching that a diagnostic port is supplying diagnostic data... No shit Sherlock. "There is usually a check to see if the VIN match" That is 100% false... I have never ever seen such a check. It is not uncommon to find vehicle in the wild where the engine has been replaced and the reported engine and chassis VIN no longer match. "Is there risk to fusing the bus" Well... lets just say that I once bricked a brand new International truck just by doing an high level scan.
@av6966
7 жыл бұрын
That's not 100% percent false, CAN controllers are coded and if you try changing mileage these days you got all sorts of error messages! Vehicles in the wild - I haven't seen that is it with Richard Attenborough
@jonharson
7 жыл бұрын
It's 200% fucking false, we have thousands of vehicle of all possible brands in our fleets, many of which have had their engine swapped, any manufacturer who would go down this road would get their head removed and anally reinserted. And since most mechanic will change an engine and never botter at all about the computer sitting under the dashboard it is common that I see vehicle reporting 3 different VIN altogether, one for the frame, one for the engine and the ECU which might or not be totally unrelated to the previous 2. The transmission and suspension system also carry their own VIN tag quite often which have absolutely no valid reason to be "matched" with anything. I am also seeing a trend that I do not fully understand (anybody with more information feel free to pitch in) where customers in Central and South America buy empty American frames, without any ECU or engine in them and then buy the engines from Europe or Australia. It result in a situation that I can best describe as a "clusterfuck" from a data collection point of view... We also have governmental client who makes a point to REQUIRE this "feature" to be on contract when buying vehicle so as to allow them to do propane/electric conversion at any point in time they might wish, in some case those engines are even build in house and they don't care one bit about playing nice with the rest of the shit on the can-bus... Changing the odometer is a special case as it is *illegal* to do so, but there is not a single "mileage" either, the frame odo is usually stored within the cluster and the engine odo within a chip in the engine itself (note, not in the ECU), and sometimes in the transmission or even the suspension system can have their own, the ECU most of the time does it's own thing and the data you get from it on this level is usually meaningless as it also include "test" data from test done on the production lines.
@brianborell4469
6 жыл бұрын
jonharson there is no mileage chip "in" the engine itself although many diesels do have a block mounted ecu which may record operating hours.
@410kane
5 жыл бұрын
jonharson I've used the arduino uno + seeed studio can bus shield for my Mercedes cluster and I knew little to nothing about electronics or can bus. I eventually upgraded to Catalyst sniffer from Amazon. Works great
@gokusaiyan1128
Жыл бұрын
Hey jonharson, is there a way to contact you ? I have few questions bro