Erin sprout42

CAN Bus Reverse Engineering Challenge #1: Send the “Brake Fluid Low” Message

Prove it! Send the “brake fluid low” message to cause a spurious driver alert.

Background:

Automated embedded software is integrated from multiple sources, using a variety of code languages and practices - even in a single ECU. This creates major security risks where content comes together.

Setup:

These setup steps are only necessary if you are doing this on your own computer

Install

Based on https://github.com/qilingframework/qiling/blob/master/docs/SETUP.md with customizations to make things install nicely in my environment.

Build and install keystone. I use pyenv to manage my python versions so use pyenv local to set keystone to build with python2.7

git clone https://github.com/keystone-engine/keystone
cd keystone
pyenv local 2.7.x
mkdir build
cd build

Description

I finally figured out how to get the LimeSDR Mini working, and I'm writing it down here so I don't forget how, but also so I can get upset later when I try this again and it doesn't work mysteriously.

This was done on a Dell laptop running Ubuntu 19.10, ymmv on other versions/distros.

As far as I can tell the magic string is using the uhd-soapy driver to interact with the LimeSDR: "driver=lime,soapy=0,nchan=1".

Initially I tried installing the SDR drivers and packages through the recommended PPA that MyriadRF lists on their wiki (https://wiki.myriadrf.org/Installing_Lime_Suite_on_Linux) but that didn't work. I removed the ppa, then I was able to install the necessary packages to get the uhd-soapy interface working properly. I have a few packages now showing up as installed,local and not yet sure if I want to uninstall those. I don't think they should be necessary but it's hard to tell.

	import os
	import sys
	import struct
	import tempfile
	import subprocess
	from argparse import ArgumentParser


	def decode_binary(input_file):
	next_addr = 0

	#!/usr/bin/env python
	#
	# Adapted from
	# https://github.com/rogerclarkmelbourne/Arduino_STM32/blob/2363e7bf8821067b78571ed16fbe397a541968a0/tools/macosx/src/upload-reset/upload-reset.c#L132

	import time
	import argparse
	import serial

	-- GreatFET USB protocol decoder

	-- Run this to dump the classes and verbs in your greatfet firmare:
	--
	-- print('greatfet_classes = {')
	-- gf_classes = sorted(gf.apis.core.get_available_classes())
	-- for c in gf_classes:
	-- print(' [%#06x] = {' % (c))
	-- class_name = gf.apis.core.get_class_name(c)
	-- print(' ["name"] = "%s", ' % (class_name))

	from nmigen import *
	from nmigen_boards.icebreaker import *

	class FSMBlinker(Elaboratable):
	def __init__(self, maxperiod):
	self.maxperiod = maxperiod

	def elaborate(self, platform):
	clk12 = platform.request("clk12")
	leds = [

	#!/bin/bash -ex
	# Downloads and builds the dependencies of https://github.com/whitequark/unfork.
	# For some reason I keep getting an ENOMEM error from the kernel (Ubuntu 19.10:
	# 5.3.0-19-generic) when unfork tries to mmap the vsyscall segment of a target
	# process. For now this script works around that with a patch until I figure out why.

	# Make sure a 32bit compiler is installed
	sudo apt install -y gcc-multilib-i686-linux-gnu g++-multilib-i686-linux-gnu

	if [ ! -d unfork ]; then

	brew install tcl-tk
	brew install pyenv
	<setup .bash_profile for pyenv>

	# Make sure not to use a virtualenv! py2app doesn't work
	# we have to use a pyenv-alias instead to make a clean pythong env
	git clone https://github.com/s1341/pyenv-alias.git $(pyenv root)/plugins/pyenv-alias

	VERSION_ALIAS="2.7.16_instagiffer" \
	LDFLAGS="-L$(brew --prefix zlib)/lib -L$(brew --prefix sqlite)/lib -L$(brew --prefix tcl-tk)/lib -ltcl8.6 -ltk8.6" \