Reverse Engineering Vehicles Burpsuite Style

This document summarizes a presentation given by Javier Vazquez Vidal and Henrik Ferdinand Nölscher about reverse engineering vehicles using the CANBadger tool. The CANBadger is a low-cost hardware device that supports protocols like UDS and TP2.0 to interact with vehicle systems. It allows analyzing communication, manipulating data, and intercepting security authentication. The presentation demonstrates capabilities like hijacking diagnostic sessions, uploading/downloading firmware, and emulating vehicle sensors. It encourages attendees to modify and expand the open source CANBadger software and hardware designs.


Reverse Engineering vehicles Burpsuite Style
Hardwear.io 2016
Javier Vazquez Vidal & Henrik Ferdinand Nölscher
@fjvva @s1ckcc @codewhitesec
Who are we?

 Javier is a Hardware Security Specialist
 Works at Code White as a Product Security Engineer
 He is from Cadiz (Spain)
 Enjoys reversing products that are interesting, or could potentially be more fun
 Likes cake (when it’s not a lie) and BBQs
Who are we?

 Ferdi works as Hardware Security Researcher at Code White in Ulm
 Among many things, he likes attacking hardware and software systems, lasers
 Prefers BBQs over cake

Current Car Hacking status

 Focus is on the CAN bus
 Replay attacks and/or packet injection
 Some researchers also found remote exploits to take control of certain vehicles
 There are some tools to help understand the UDS protocol
So, where are the goodies?

 UDS is not the only protocol
 TP2.0 (Tunneling Protocol) is the CAN version of KWP2000
 Both offer a series of services which are very interesting, but often not taken into consideration
 With use of these services, a lot of information can be gathered and modified
What is UDS?

 UDS stands for Unified Diagnostics Service
 It is present in all modern cars
 Provides access to the Services offered by ECUs
 It takes place on the top of the CAN protocol (Layer 4)
 Allows to perform transmissions of up to 256 bytes
 It is just a Transport Protocol
What types of transmissions exist in UDS?

 Single frame transmissions (7 bytes or less payload length)
 Multiple frame transmissions (more than 7 bytes payload length)

What kind of frames exist in UDS?

 No ACK request, part of multiframe transmission (0x20)
 ACK request, part of multiframe transmission (0x10)
 No ACK request, single frame (0x00)
 ACK (0x30)
 NACK/Repeat transmission
What is TP2.0?

 TP stands for Tunneling protocol
 It is present in some ECUs and used for internal communications
 It is a port of the K-LINE protocol (KWP2000)
 It takes place on the top of the CAN protocol (Layer 4)
 Allows to perform transmissions of up to 256 bytes
 It is just a Transport Protocol

What types of transmissions exist in TP 2.0?

 Single frame transmissions (5 bytes or less payload length)
 Multiple frame transmissions (more than 5 bytes payload length)

What kind of frames exist in TP 2.0 transmissions?

 No ACK request, with following frames (0x20)
 ACK request, with following frames (0x00)
 No ACK request, last frame (0x30)
 ACK request, last frame (0x10)
 ACK (0xB0)
 NACK/Repeat transmission (0x90)



Some of the differences between UDS and TP SIDs

The most interesting Services

 SecurityAccess (0x27): Allows access to restricted Services
 ReadMemoryByAddress (0x23): Allows to read certain memory addresses
 Read/WriteDataByID (0x22/0x2E): Allows to read/write certain parameters
 RequestUpload (0x35): Service used to retrieve firmware from the ECU
 RoutineControl (0x31): Allows to start “routines”, which have different effects
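The UDS frame types listed two slides back and the service identifiers named just above, as an added example that is not part of the slides or of the CANBadger project: a Python 3 reassembler for the UDS transport layer (ISO-TP, ISO 15765-2) that rebuilds single-frame and multi-frame messages from a constructed capture, then labels each message by SID and flags the services the slides single out. The tester/ECU CAN IDs 0x7E0/0x7E8, the frame bytes and the SENSITIVE_SIDS set are constructed assumptions for the demonstration; the first-frame length field is 12 bits wide, so the parser also accepts messages longer than 256 bytes.

```python
# Added example, not CANBadger code: ISO-TP reassembly plus UDS SID labelling
# over a constructed CAN capture. Python 3.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# UDS service identifiers named on the slides (plus the transfer services);
# a positive response carries SID + 0x40, a negative response starts with 0x7F.
SID_NAMES = {
    0x10: "DiagnosticSessionControl",
    0x22: "ReadDataByIdentifier",
    0x23: "ReadMemoryByAddress",
    0x27: "SecurityAccess",
    0x2E: "WriteDataByIdentifier",
    0x31: "RoutineControl",
    0x34: "RequestDownload",
    0x35: "RequestUpload",
    0x36: "TransferData",
}
# Constructed choice: services a reviewer of a captured log would want highlighted.
SENSITIVE_SIDS = {0x23, 0x27, 0x2E, 0x31, 0x34, 0x35}


@dataclass
class Message:
    can_id: int
    payload: bytes


@dataclass
class _Partial:
    expected: int      # total length announced by the first frame
    data: bytearray
    next_sn: int       # sequence number the next consecutive frame must carry


class IsoTpReassembler:
    """Reassembles ISO-TP frames, tracked per CAN ID, into complete UDS messages."""

    def __init__(self) -> None:
        self._partial: Dict[int, _Partial] = {}

    def feed(self, can_id: int, data: bytes) -> Optional[Message]:
        pci = data[0] >> 4                      # protocol control information type
        if pci == 0x0:                          # single frame: low nibble is the length (<= 7)
            length = data[0] & 0x0F
            return Message(can_id, bytes(data[1:1 + length]))
        if pci == 0x1:                          # first frame: 12-bit length, then 6 payload bytes
            length = ((data[0] & 0x0F) << 8) | data[1]
            self._partial[can_id] = _Partial(length, bytearray(data[2:8]), 1)
            return None
        if pci == 0x2:                          # consecutive frame: low nibble is the sequence number mod 16
            part = self._partial.get(can_id)
            if part is None:
                raise ValueError(f"consecutive frame without first frame on 0x{can_id:X}")
            sn = data[0] & 0x0F
            if sn != part.next_sn:
                raise ValueError(f"sequence error on 0x{can_id:X}: got {sn}, expected {part.next_sn}")
            part.data.extend(data[1:8])
            part.next_sn = (part.next_sn + 1) % 16
            if len(part.data) >= part.expected:
                del self._partial[can_id]
                return Message(can_id, bytes(part.data[:part.expected]))
            return None
        if pci == 0x3:                          # flow control: sent by the receiver, carries no payload
            return None
        raise ValueError(f"unknown PCI type {pci}")


def describe(msg: Message) -> Tuple[str, bool]:
    """Return (human readable label, sensitive flag) for one UDS message."""
    sid = msg.payload[0]
    if sid == 0x7F:                             # negative response: 7F <requested SID> <NRC>
        req = msg.payload[1]
        label = f"NegativeResponse to {SID_NAMES.get(req, hex(req))} NRC=0x{msg.payload[2]:02X}"
        return label, req in SENSITIVE_SIDS
    if sid >= 0x40 and (sid - 0x40) in SID_NAMES:
        return f"{SID_NAMES[sid - 0x40]} (positive response)", (sid - 0x40) in SENSITIVE_SIDS
    return SID_NAMES.get(sid, f"SID 0x{sid:02X}"), sid in SENSITIVE_SIDS


# Constructed sample capture (CAN ID, 8 data bytes); tester 0x7E0, ECU 0x7E8.
SAMPLE_FRAMES = [
    (0x7E0, bytes.fromhex("02 10 03 00 00 00 00 00")),  # SF: DiagnosticSessionControl, extended session
    (0x7E8, bytes.fromhex("06 50 03 00 32 01 F4 00")),  # SF: positive response
    (0x7E0, bytes.fromhex("02 27 01 00 00 00 00 00")),  # SF: SecurityAccess requestSeed
    (0x7E8, bytes.fromhex("06 67 01 AA BB CC DD 00")),  # SF: seed
    (0x7E0, bytes.fromhex("10 0A 27 02 11 22 33 44")),  # FF: sendKey, 10 bytes in total
    (0x7E8, bytes.fromhex("30 00 00 00 00 00 00 00")),  # FC: clear to send
    (0x7E0, bytes.fromhex("21 55 66 77 88 00 00 00")),  # CF: remaining 4 bytes
    (0x7E8, bytes.fromhex("03 7F 27 35 00 00 00 00")),  # SF: negative response, invalidKey
]


def analyse(frames) -> List[Tuple[int, str, bool]]:
    """Reassemble a frame list and label every complete message."""
    rx = IsoTpReassembler()
    out = []
    for can_id, data in frames:
        msg = rx.feed(can_id, data)
        if msg is not None:
            label, flag = describe(msg)
            out.append((can_id, label, flag))
    return out


if __name__ == "__main__":
    for can_id, label, flag in analyse(SAMPLE_FRAMES):
        print(f"0x{can_id:03X} {'!' if flag else ' '} {label}")
```

A consecutive frame that arrives out of order or without a first frame raises instead of being silently glued onto the wrong message; in a real log that usually means two testers were talking on the same ID or frames were dropped by the logger, which is worth knowing before trusting the reassembled payload.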


Say hello to the CANBadger!
CANBadger Hardware Overview
 Powered by mBed LPC1768 or LPCXPresso LPC1769
 128KB XRAM
 2x DB9 CAN Interfaces + 2x Debug headers
 SD card
 ECU Power control by software
 UART
 4 GPIOs
 Standalone mode, USB mode (CDC Device), or Network mode
 Can be powered by PSU, External battery, or OBD2
 Has a blinky dual color LED
 Complete board assembly under $25
CANBadger POC Firmware Features

 All actions are handled by the CANBadger firmware
 Supports UDS, TP2.0 and RAW CAN
 Diagnostics Sessions are interactive (realtime)
 MITM with rules stored in SD
 Hijack SecurityAccess
 Emulate SIDs/PIDs from log
 Dump Data Transfers to SD
 Log UDS and TP2.0 traffic with very detailed verbosity in standard or bridge mode
 Log RAW CAN traffic in standard or bridge mode
 Detect CAN speed
 Ethernet for use with GUI
Protocol Analysis

 Many SIDs already included in firmware
 Extremely fast to add support for new SIDs
 High verbosity
 Logging and parsing is done by the CANBadger firmware
 Logs are stored in the SD card and can be viewed and retrieved without removing it
 Works with UDS and TP2.0

TP 2.0 and UDS Interactive Session

 No scripting required
 Allows to perform actions on the go
 Built-in scanners for SID parameters


CANBadger Server

Purpose:
 Make using the CanBadger even easier
 Use multiple CanBadgers in parallel
 Programmable access to automate CanBadgers
   Fuzzing
   Automated testing
Ethernet Protocol
States:
MITM
 Handled by the CANBadger Firmware (real-time!)
 Rules are set for specific IDs
 Manipulate individual bytes:
   Swap for fixed value
   Add, subtract, multiply, divide...
   Increase or decrease percent
 Conditions can be set to:
   Whole payload matches
   Specific bytes match
   Specific bytes are greater or smaller than X value
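The rule model described above, as an added example that is not the CANBadger firmware: a small Python 3 rule engine with the same three ingredients (a CAN ID, byte conditions, byte actions) that is run against constructed frames on the host, so a rule set written for a bench test can be checked for what it actually changes before it is loaded onto hardware. The CAN IDs 0x123/0x456, the byte offsets and the thresholds are constructed; the single-byte clamp to 0..255 is an assumption of this example.

```python
# Added example, not CANBadger code: host-side simulation of ID/condition/action
# MITM rules over constructed CAN frames. Python 3.
from dataclasses import dataclass
from typing import List, Tuple

Frame = Tuple[int, bytes]   # (CAN ID, data bytes)


@dataclass
class Condition:
    kind: str               # "payload_equals", "bytes_equal", "byte_gt", "byte_lt"
    offset: int = 0
    value: bytes = b""
    threshold: int = 0

    def holds(self, data: bytes) -> bool:
        if self.kind == "payload_equals":            # whole payload matches
            return data == self.value
        if self.kind == "bytes_equal":               # specific bytes match
            return data[self.offset:self.offset + len(self.value)] == self.value
        if self.kind == "byte_gt":                   # specific byte greater than X
            return self.offset < len(data) and data[self.offset] > self.threshold
        if self.kind == "byte_lt":                   # specific byte smaller than X
            return self.offset < len(data) and data[self.offset] < self.threshold
        raise ValueError(f"unknown condition {self.kind}")


@dataclass
class Action:
    kind: str               # "set", "add", "sub", "mul", "div", "pct"
    offset: int
    operand: int = 0

    def apply(self, data: bytearray) -> None:
        if self.offset >= len(data):
            return                                   # frame too short for this rule; leave it alone
        v = data[self.offset]
        if self.kind == "set":
            v = self.operand                         # swap for fixed value
        elif self.kind == "add":
            v = v + self.operand
        elif self.kind == "sub":
            v = v - self.operand
        elif self.kind == "mul":
            v = v * self.operand
        elif self.kind == "div":
            v = v // self.operand if self.operand else v
        elif self.kind == "pct":                     # increase (+) or decrease (-) by percent
            v = v + (v * self.operand) // 100
        else:
            raise ValueError(f"unknown action {self.kind}")
        data[self.offset] = max(0, min(255, v))      # assumption: one-byte signal, clamp on overflow


@dataclass
class Rule:
    can_id: int
    conditions: List[Condition]
    actions: List[Action]

    def matches(self, can_id: int, data: bytes) -> bool:
        return can_id == self.can_id and all(c.holds(data) for c in self.conditions)


def apply_rules(rules: List[Rule], frame: Frame) -> Frame:
    """Return the frame as it would leave the bridge after every matching rule ran in order."""
    can_id, data = frame
    buf = bytearray(data)
    for rule in rules:
        if rule.matches(can_id, bytes(buf)):         # conditions see the frame as modified so far
            for action in rule.actions:
                action.apply(buf)
    return can_id, bytes(buf)


# Constructed rule set for the demonstration.
RULES = [
    # if byte 1 of ID 0x123 exceeds 100, lower it by 20 percent
    Rule(0x123, [Condition("byte_gt", offset=1, threshold=100)], [Action("pct", 1, -20)]),
    # if byte 0 of ID 0x123 equals 0x01, force byte 2 to 0xFF
    Rule(0x123, [Condition("bytes_equal", offset=0, value=b"\x01")], [Action("set", 2, 0xFF)]),
]

# Constructed frames: one that triggers both rules, one that triggers none, one on another ID.
SAMPLE_FRAMES = [
    (0x123, bytes.fromhex("01 78 00 00")),
    (0x123, bytes.fromhex("02 32 00 00")),
    (0x456, bytes.fromhex("01 78 00 00")),
]


def run_sample() -> List[Frame]:
    return [apply_rules(RULES, f) for f in SAMPLE_FRAMES]


if __name__ == "__main__":
    for (cid, before), (_, after) in zip(SAMPLE_FRAMES, run_sample()):
        print(f"0x{cid:03X} {before.hex()} -> {after.hex()}")
```

Rules are evaluated in order and each one sees the frame as already rewritten by the rules before it, which is the usual source of surprises when two rules touch the same ID; running the set over a recorded log this way shows those interactions before an ECU does.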
Canbadger Server
SecurityAccess Hijack. Why?

 OEM tools and some third-party tools authenticate themselves to ECUs in order to gain access to restricted features. Who doesn’t like restricted stuff?
 These tools have fixed functions, so you have no control over the process other than pressing buttons.
 Because you CAN!



SecurityAccess Hijack. How?

 Wait for a SecurityAccess request in transparent bridge mode
 Switch to the desired type of Diagnostics Session
 SecurityAccess auth is forwarded
 Success? Cut off the external tool and take control over the Session!

Upload and Download Capture

 Firmware updates can be distributed over UDS and TP
 To grab the data, the CanBadger does the following:
   Log CAN traffic to SD
   Parse CAN traffic and look for transfers
   Write binary file to the SD
So, we survived the demos (hopefully!)

 What else can the CANBadger do?
   Dump TP and UDS transfers, which are used for firmware updates
   Spoof OBD2 data thru MITM and Emulator
   Use GPIO pins for bootloading (Tricore f.ex)
   Manipulate other signals via UART pins

Hacking instructions

 Main IDE we used for firmware is LPCXpresso
   Has code limit in free version
 For python, you just need python 2.7 and pip
 For quick modifications you can also use the mbed online compiler
   Export to Keil/IAR/CooCox is possible
Hacking instructions

 Code and schematics are GPL
 Everything has been published on Github: gutenshit.github.io/CANBadger
 You are encouraged to create issues for:
   Feature Requests
   Bugs
   Enhancements

Thanks!

 To all of you for being here today!
 To Code White for their support and trust in the project
 To our family and friends for supporting us even when we run out of coffee

Javier Vazquez, @fjvva, javier.vazquez.vidal@code-white.com
Ferdinand Nölscher, @s1ckcc, ferdinand.noelscher@code-white.com
