canhacking socketcan USBtinhttps://github.com/linux-can/can-utils

canhackinf.md

LINUX CAN Carhack USBtin cansocket

Links

• https://fabiobaltieri.com/2013/07/23/hacking-into-a-vehicle-can-bus-toyothack-and-socketcan/ --- Zusammenfassung canhacking siehe unten
• https://www.kernel.org/doc/Documentation/networking/can.txt socket can
• https://elinux.org/CAN_Bus
• https://elinux.org/Bringing_CAN_interface_up
• https://sgframework.readthedocs.io/en/latest/cantutorial.html --- linux-can-command-line-tools
• https://sgframework.readthedocs.io/en/latest/canadapterusage.html
• https://wiki.muc.ccc.de/_media/asm:16:workshops:kfz_diagnoseprotokolle.pdf
• http://www.emotive.de/documents/WebcastsProtected/Transport-Diagnoseprotokolle.pdf
• https://www.obd-2.de/programmierer-tips.html
• http://read.pudn.com/downloads168/doc/comm/774987/kp2000_2.pdf --- Keyword Protocol 2000
• http://www.internetsomething.com/kwp/KWP2000%20ISO%2014230-3.pdf
• http://read.pudn.com/downloads506/doc/2103567/ISO_15765-3.pdf --- ISO15765-3 UDS on CAN
• https://www.sti-innsbruck.at/sites/default/files/courses/fileadmin/documents/vn-ws0809/03-vn-CAN-HLP.pdf --- CAN-based Higher Layer Protocols
• https://hackaday.com/2013/10/29/can-hacking-protocols/ -- short UDS overview
• http://linklayer.github.io/cantact/ --- The Open Source Car Tool +Viewer siehe GITHUB
• https://medium.freecodecamp.org/hacking-cars-a-guide-tutorial-on-how-to-hack-a-car-5eafcfbbb7ec --- how-to-hack-a-car
• https://automotive.softing.com/fileadmin/sof-files/pdf/de/ae/poster/uds_info_poster_v2.pdf --- UDS INFO Poster
• https://automotive.softing.com/fileadmin/sof-files/pdf/de/ae/poster/UDS_Faltposter_softing2016.pdf
• http://illmatics.com/can%20message%20injection.pdf
• https://automotiveembeddedsite.wordpress.com/uds/
• https://www.politesi.polimi.it/bitstream/10589/141804/1/2018_07_Calin.pdf --UDS Explorative Techniques and Vulnerability Assessment on Automotive Networks Liviu Calin
• https://github.com/igkov/bcomp11hw/wiki/OBD2-pinout
• https://github.com/daedalus/carhacking -car hacking tools http://illmatics.com/carhacking.html

github links

• https://github.com/julietkilo/kcd - An open format to describe communication relationships in CAN
• https://github.com/caran/SecureGateway - Secure Gateway Framework
• https://github.com/CaringCaribou/caringcaribou - A friendly car security exploration tool for the CAN bus
• https://github.com/aster94/Keyword-Protocol-2000/blob/master/protocol.md - ISO 14230 - KWP2000
• https://github.com/hardbyte/python-can - Linux-CAN / SocketCAN user space applications
• https://elinux.org/Bringing_CAN_interface_up - Simulating Instrument Cluster
• https://github.com/topics/can-bus - Sammlung CAN spez. Software
• https://github.com/dschanoeh/Kayak
• https://github.com/dexterbg/Twizy-Virtual-BMS
• https://github.com/linklayer/pyvit - UDS support
• https://github.com/linklayer/cantact-app --Java CAN Viewer
• https://github.com/CANToolz/CANToolz - CANToolz - Black-box CAN network analysis framework
• https://github.com/pylessard/python-can-isotp
• https://github.com/hardbyte/python-can
• https://github.com/eerimoq/cantools - CAN BUS tools in Python 3
• https://github.com/caran/can4python - Useful for showing the contents of KCD files (also those converted from DBC files)
• https://github.com/pylessard/python-udsoncan --- Python implementation of UDS (ISO-14229) standard
• https://github.com/CaringCaribou/caringcaribou/blob/master/documentation/uds.md -can uds discovery
• https://github.com/collin80/SavvyCAN - QT logger Filter
• https://github.com/pylessard/python-udsoncan - UDS support benötigt python-can-iostp
• https://github.com/pylessard/python-can-isotp - transport layer unterstützung für can-isotp Loadable Kernel Module py>=3.7
• https://github.com/schutzwerk/CANalyzat0r - Security analysis toolkit for proprietary car protocols
• https://github.com/linklayer/reversegear - Offline Reverse Engineering Tools for Automotive Networks -> using pyvit

Linux Can Init

https://elinux.org/Bringing_CAN_interface_up

• Virtual Interfaces

  modprobe vcan sudo ip link add dev vcan0 type vcan sudo ip link set up vcan0

• Native Interfaces

  sudo ip link set can0 type can bitrate 125000 sudo ip link set up can0

• SLCAN based Interfaces (SerialCAN)

  SLCAN need a special daemon (slcand from can-utils), to link serial with a virtual CAN device
  sudo slcand -o -s8 -t hw -S 3000000 /dev/ttyUSB0 (example for a USB-to-CAN with Baudrate 3000000 and 1Mbit)
  sudo ip link set up slcan0

  no way to set bitrate for SLCAN based devices via ip tool only with-sx Param

ASCII Command	CAN Bitrate
s0	10 Kbit/s
s1	20 Kbit/s
s2	50 Kbit/s
s3	100 Kbit/s
s4	125 Kbit/s
s5	250 Kbit/s
s6	500 Kbit/s
s7	800 Kbit/s
s8	1000 Kbit/s

USBtin

https://www.fischl.de/usbtin/ https://github.com/fishpepper/pyUSBtin USBtin python api

Linux SocketCan

• Load kernel modules

  sudo modprobe can
  sudo modprobe can-raw
  sudo modprobe slcan
  

• install can-utils

  git clone https://github.com/linux-can/can-utils.git
  cd can-utils
  make
  

• Attach and startup interface

  sudo killall slcand  (ggf. alte slcand beenden & Freigabe /dev/ttyACM)
  'connect USBtin'
  sudo slcand -f -s6 -o /dev/ttyACM0 can0  # alles in einem rutsch      
  sudo ip link set can0 up
  ----oder
  sudo slcan_attach -f -s6 -o /dev/ttyACM0   (s6=500K CANBAUD)  
  sudo slcand ttyACM0 slcan0     
  sudo ifconfig slcan0 up
  

• Start playing with socketcan

  candump slcan0
  cat test.log 
  canplayer -l 20 -I test.log -v -g500
  

• udev autoconnect

  /etc/udev/rules.d/90-slcan.rules
       KERNEL=="ttyACM?", ATTRS{idVendor}=="04d8", ATTRS{idProduct}=="000a", ACTION=="add",SYMLINK+="USBtin", RUN+="/usr/bin/logger [udev] USBtin CANUSB detected!", RUN+="/bin/systemctl start slcan@ttyACM%E{MINOR}.service"
       
  # CAN disconnect
       KERNEL=="ttyACM?", ACTION=="remove", ATTRS{idVendor}=="04d8" , RUN+="/bin/systemctl stop slcan@ttyACM%E{MINOR}.service"
       
  /etc/systemd/system/slcan@.service
       [Unit]
       Description=Starts slcan device
  
       [Service]
       User=root
       Restart=always
       Type=forking
       ExecStartPre=/bin/sleep 1
       ExecStart=/usr/local/bin/slcan_add.sh %I
       ExecStop=/usr/local/bin/slcan_remove.sh %I
       [Install]
       WantedBy=multi-user.target
  
  /usr/local/bin/slcan_add.sh   
        !/bin/sh
        # Bind the USBCAN device
        echo "config slcan0"
        #slcand  -f -s6 -o /dev/$1 can0
        #sleep 2
        #ip link set can0 up
  
        if [ -z ${DEVNAME+x} ]; then
                if [ -z ${1+x} ]; then
                        echo "No device $DEVNAME"
                        exit 1
                fi
                DEVNAME=${1}
        fi
        # Read device name and extract the tty/usb# (id)
        ID=$(echo ${DEVNAME} | grep -o -E '[0-9]+')
        # create new slcan network device
        slcand -f -s6 -o  $DEVNAME can${ID} &> /dev/null
        sleep 1 
        ip link set up can${ID}
   
  /usr/local/bin/slcan_remove.sh    
        #!/bin/sh
        # Remove the USBCAN device
        #pkill slcand
        ID=$(echo ${DEVNAME} | grep -o -E '[0-9]+')
        PROCESS=$(echo ps ax | pgrep -f slcan[$ID])
        kill $PROCESS
        echo ${DEVNAME}
        echo "slcand killed!!!!!!"#!/bin/sh
       
  udevadm monitor --property
  udevadm monitor --environment --udev
  
  sudo udevadm control --reload-rules && udevadm trigger
  

https://www.htw-mechlab.de/index.php/automatisches-einbinden-von-usb-can-adaptern-unter-linux/

Auto enable vcan0 on boot

/etc/modules
vcan
/etc/network/interfaces
auto vcan0
   iface vcan0 inet manual
   pre-up /sbin/ip link add dev $IFACE type vcan
   up /sbin/ifconfig $IFACE up

Zusammenfassung Toyothack

https://fabiobaltieri.com/2013/07/23/hacking-into-a-vehicle-can-bus-toyothack-and-socketcan

Socketcan ip link Device Configuration and Dumping the Stream

ip link show dev can0
ip link set can0 type can help
ip link set can0 type can bitrate 500000 listen-only on
ip link set can0 type can bitrate 500000
ip link set can0 up
ip -details link show can0

candump -cae can0,0:0,#FFFFFFFF
candump -cae any,0:0,#FFFFFFFF

Disabled standard output while logging & Enabling Logfile 'candump-2013-05-06_190603.log'
candump -l can0,0:0,#FFFFFFFF  
head -n5 candump-2013-05-06_190603.log

Stream Playback on Virtual Device

modprobe vcan
ip link add vcan0 type vcan
ip link set vcan0 up

canplayer vcan0=can0 < candump-2013-05-06_190603.log

can and videosync

canplayer  < candump-2013-05-06_190603.log & mplayer SMOV0087.AVI -ss 1:17

dump all frames with a specific ID, this is an example for 0x2c4:

candump -cae vcan0,2c4:7ff

Example

ID|Bytes|Data| CRC
| --- | --- |  --- | --- |
8DAF130 X | 8 | 02 7E 00 55 55 55 55 55 | 5076
18DAF128 X | 8 | 02 7E 00 55 55 55 55 55 | 1506
18DAF110 X | 8 | 02 7E 00 55 55 55 55 55 | 1620
18DAF153 X | 8 | 02 7E 00 55 55 55 55 55 | 8639
18DAF160 X | 8 | 02 7E 00 55 55 55 55 55 | 797
18DA30F1 X | 8 | 03 22 48 00 00 00 00 00 | 417576
18DAF130 X | 8 | 10 3B 62 48 00 00 00 F8 | 4435
18DA30F1 X | 8 | 30 00 00 00 00 00 00 00 | 484
18DAF130 X | 8 | 21 C0 00 00 00 00 52 14 | 1483
18DAF130 X | 8 | 22 11 21 01 00 00 00 08 | 1466

Cansniffer

cansniffer -c can0
cansend can0 0C9#8021C0071B101000
<arb_id>#{data}
while true; do cansend can0 0C9#8021C0071B101000; sleep 0.002; done
candump can0 | grep " 0C9 " | while read line; do cansend can0 0C9#8021C0071B101000; done

cansend candump canplayer

cansend can0 7e5#22080655555555
candump -l can0,0:0,#FFFFFFFF
canplayer -v -I candump-2019-06-03_124842.log_steuergeräteabbild_8C  vcan0=can0   #replay dump on vcan0 and show
candump  vcan0,1BFC8226~1fff0000  -ta -l  #filter out extended frames
candump  vcan0,7e5:7ff,7ed:7ff  #show only 7e5 and 7ed ids
candump  vcan0,7ed:7ff -a # filter results with ascii  
cansniffer can0 -c -l 100 -h 200 -t 10