Hello. Hi. Good afternoon. Okay. So, my name is Eric and today I'm going to be talking about hopping on the CAN bus. We're going to talk about some car hacking stuff, because, you know, cars are fun. Let's break them. So, a little tiny bit about me, because you have to have this slide apparently. I'm a sort of independent embedded systems developer. I do a lot of firmware and hardware stuff for a variety of things that I'm not going to talk about, but I've worked with Tesla in the past, which was kind of fun. Worked at a little company in Waterloo called CrossChasm doing automotive stuff. I also write for this blog called Hackaday, which I'm kind of representing because I have to. But, shameless plug, go read hackaday.com. I worked on cars a whole bunch when I was in university through this thing called EcoCAR. Awesome program where GM goes, "Hey, here's a car. Make it more fuel efficient and stuff." We got to throw a hydrogen fuel cell into a Saturn Vue, which was terrifying and awesome at the same time. And also we did an ethanol electric vehicle out of a Malibu. For some reason GM didn't shell out for good cars. But oh well.

So what are we talking about today? CAN, controller area network. This is a way of networking some really low-cost microcontrollers together in a fairly reliable way, and it's really popular in some applications. So the whole idea is a low-cost network, way cheaper than Ethernet, while still having some of the features of some more advanced protocols. And there's a number of types of CAN you'll see out there. High speed is what you'll see in most applications, like between an engine and a transmission. It's not only rather high speed, up to 1 megabit a second. It also uses a differential signaling protocol, which means it's got two wires, not one, and differential signaling gives you noise immunity, kind of like the twisted pairs inside of Ethernet. Don't want to get into the physics of that too much. But you'll also see low speed. This is for things that you don't care about as much. Things like your door controllers. Yes, your car has controllers, sometimes in every single door, to make the windows go up and down, to make the locks lock and unlock. These are on the CAN bus as well and they control all those functions. There's fault-tolerant CAN. This is actually a really cool one. You'll see it in airbag modules mostly. And the way this works is it's differential CAN, but if you cut one wire, it becomes a single-wire CAN. Hey. And then there's this CAN flexible data thing. It's new and nobody uses it yet, but it's going to address some of the issues.

Now, what does a CAN bus look like? It's a network of controllers. Here's a really kind of contrived, but pretty close to real, example. You can't quite read it because this projector is kind of weird, but basically I'll have a bunch of controllers on this high-speed bus. In this case, I have an engine controller, a body control module (think lights, power windows, that's usually done by a body control module), a transmission control module for your automatic transmission, an anti-lock brake module doing your brake pulsing. But then there's a gateway on that body control module that goes to a single-wire CAN, a low-speed bus for some of those convenience features, as they're called in the automotive world, those things that aren't as safety critical, you know, power seats, power locks, that kind of thing. So that's what a bus looks like typically, though most cars have somewhere between like 50 and 100 controllers instead of that many. Some cars have a controller in every single door handle.

Why do you maybe care? Well, it's used in a lot of things. It's actually used in industrial control as well. It's used in SCADA systems, but pretty much every car; in fact, after 2008, you can almost be guaranteed that whatever car you're working with has CAN. And it will also have a connector that looks a lot like that, typically by the driver's left knee on GM vehicles, sometimes the right knee on Toyota vehicles and, sorry, Hondas are on the right. You'll find it if you look around the wheel well there. And on cars after 2008, you can get on CAN from that connector that's in every vehicle. It's always the same pins. I never remember what they are, but you can look it up on Google and find them and you're on CAN. It's a trusted network. The automotive companies never really thought to secure this, because if you're on the CAN bus, you're supposed to be there, right? That makes sense. And that really is the problem. A lot of these exploits were coming out from some folks at DEF CON last year. They were saying, "Yeah, we got on the CAN bus. We could do all these cool things." Everyone in the automotive industry went, "Well, of course they were on the CAN bus." Like, how hard is it once you're on the CAN bus? It's like having root. You have root.

One thing that you can do though is if you plug into here, you'll be able to save some money. The reason being you can read your own fault codes. You can figure out what's wrong with your car without paying somebody to do it for you, which is kind of handy. Some really, really simple examples. You can actually disable a vehicle with this amazing proof of concept: a while(1) loop that just keeps sending a message with ID zero. That will actually disable a car. We'll talk about it later. You can get useful information, things like, hey, how fast am I going, how many RPM am I doing, what are my GPS coordinates on some vehicles. All kinds of data is available on this bus. You do diagnostic actions: read fault codes, but also set calibration values, potentially flash firmware. Yeah. And you can really confuse a car by injecting stuff, and what I mean by that is things like this: this car is sitting on a lift, this car has no engine in it, but this car is a... oh, the arrow didn't work. This car is apparently doing 8,000 RPM. Not quite sure why. What we did is we were injecting a message that made it think it was doing 8,000 RPM and the instrument panel responds.

So, what is CAN actually? How does it work? The electrical side of it looks like that. And I'm not going to get into it because it'll take a long time and this projector will not let it happen. But all you need to know from a software perspective is there's three things. There's an identifier. What is the message? What does it mean? There's a data length code. How long is the message? And then there's a payload of data. The identifier is either 11 bits or 29 bits. Almost always 11. This extended mode 29-bit thing isn't really used too much. There's a data length code. That's a 4-bit thing. Number from 0 to 8. And then there are 0 to 8 bytes of data. That is it. It's very simple. Compared to like Ethernet, this is just trivial. So identifier, data length, data, done. And once you have that, you'll end up with a bunch of stuff like this. You'll say, "Okay, I have a time stamp. I have the identifier. I have a data length. And I have a bunch of... well, what does it mean?" You can jump on your car's bus and you will get a big log, but what the heck does it mean?

That's where we get into CAN databases. These are ways of encoding that data into real world values. So, the way that you build a database: a database is a bunch of messages. And a message is just saying, "Okay, look at this particular identifier." Let's say in this big list I'll pick one, you know, 0x6 is the identifier I want to look at. Cool. Now that message, whenever I get it, I know that it has some meaning. I will now decode it into its signals, and this just says what each bit in that message means. It'll pack them together into data types like floats or signed and unsigned integers, and it'll just, you know, decode it. And there is software that exists to do this. It's kind of expensive and proprietary, but once you have the database, you can do things like just look at a message and say, "Oh, here's the engine RPM, because I have to multiply it by five and divide by two and, I don't know, add an offset of 500." But then that gets me from some bytes into actual revolutions per minute. So that's the idea of a CAN database. How do I go from bits and bytes to actual real world engineering units? You end up with messages that are laid out like this. Going down you have the bytes. So in the rows, there we go, you have bytes. So two bytes, engine RPM; then this byte has both the battery voltage and gear in it. And then you've got some more bytes, GPS latitude, ABS, longitude. And then going across in the columns you have the bits. So it kind of becomes a map of, okay, this is how I get from just bits and bytes to real world values. You'll see there's some unused bits. They try to pack it in really tight to make maximum usage of these messages. And yeah, that's a CAN message.

So once you can do this, well, you can send any message. There's no security. Nothing stops you from sending a message with a particular identifier. And you can get on the bus pretty easily because we have that OBD port, and, well, you can send any message. So how hard is it to do things like this? Well, I just looked at the CAN database and went, okay, here's where the engine RPM is. Let's send that message. And it worked. Now, this example isn't that much fun, because all I'm doing is controlling a tachometer. But if you, for example, convince the car that it's been in a crash, it will tighten up the seat belts or activate different braking modes and things like that, which could actually be pretty scary to do while someone's driving a car.

The diagnostic end of CAN is also rather interesting. It's used to do things like read fault codes, reset fault codes, set calibration values, flash firmware. Some of these things, when I say calibration values, that could be like your lookup table for your mass air flow sensor, which could let you do some tuner stuff that people who are really into cars might know what I'm talking about. I don't know if I've lost everybody, but you know, the tuner guys, they're really focused on performance. They want to, you know, get more power. But you can also do things like, hey, I'm going to write to where my VIN number is stored on this controller. That sounds scary. I'm going to write to where my odometer value is stored on this controller. Also scary. They do stop you from doing these things with some security, but it's really poorly implemented. And when I say it's really poorly implemented: it's a challenge response. It's a fixed seed. So you request the seed, it always sends you back the same value. And then whenever you do your response, well, both the seed and the key are a whole two bytes long. So I mean, not the best security out there.

So on the diagnostic end of things, OBD2, if you just want to play with a car and you don't want to ruin it, this is a good place to start. OBD2, it's this standard. Thank you to the California Air Resources Board for deciding that we needed this. They wanted to be able to do smog tests on cars and they wanted to be able to get information out to do those tests. So, they mandated that every car sold in California had to have first OBD, which became OBD2 later. And this lets you read some generic fault codes. It lets you clear the fault codes to turn off that stupid check engine light. Who's driven around with that thing on for a very long time? Yeah. And it's annoying. It's bright. The one thing is OBD2 isn't just CAN. It can be CAN. That's a confusing sentence. It also uses other protocols for different older vehicles. If you buy one of these devices, which are super cheap, it'll do all of them. So no matter what car you have, if it's after 1991, I believe it'll support it. And yeah, they're cheap, like 11 bucks for one of these things, and it talks Bluetooth to your phone and you can read fault codes. Like, that sounds cool. I played around with a lot of them. They're all okay. They're based on this same chip, the ELM327, which is actually made by a Canadian company from somewhere around here that basically just took a Microchip PIC and put their own code on it. And I'm pretty sure China has ripped it off over and over and over again. But it was a Canadian product.

Beyond this OBD or OBD2, it's very basic, minimal. You can read stuff, you can't do much. Unified Diagnostic Services is how you do things. This is what the manufacturers use for their own diagnostics, and it's actually an ISO standard. Unfortunately, "standard" used loosely: the standard defines how the communications work, but then there are manufacturer-specific codes for everything, so you kind of have to know how to navigate those codes. And I mean, this lets you do some really crazy things, like run arbitrary routines on controllers in your car, or read and write memory to the controllers in your car totally arbitrarily, which sounds terrifying, and it is. It's sort of out of scope for this presentation because it's a very long standard, but one thing I am working on, spoiler alert, is an open source implementation of this so that anyone can do it, because right now the tools are very expensive and really only the automotive companies can afford them or do buy them.

Talking about tools. How do I do this? How do I get on the CAN bus? We've talked about sort of how it works. To actually get on it, you're going to need something that can talk CAN and USB or something, right? And there's a number of different tools out there. Vector is sort of like the, you know, Rolls-Royce of CAN tools. But it's very expensive and the software is really expensive and it's kind of kludgy sometimes. So you probably won't be buying a Vector unless your name is General Motors. But for a little bit cheaper, anywhere between, this PEAK tool, which is, it's actually kind of funny. Says PEAK on the back, right? And then this company Grid Connect just puts their own sticker on the front. I don't know, but those are about 250 bucks, somewhere between $250 and $300. Kvaser is another popular one. That's this guy. Two CAN buses on this and, you know, USB, CAN, SD card. This is like 1,200 bucks and actually belongs to the University of Waterloo, who I hope don't watch the YouTube video of this. Yeah, some people have done some open source ones, which is great. The only problem being you can't buy them, and some of them don't work that great, but they were trying. And the thing is, they're just not around. You can't actually buy one. If you wanted one, you'd have to build it, or like download the Gerber files and get a board spun yourself and then buy the parts, and most people just aren't willing to do that. So the GoodThopter, which is based on the GoodFET design, if you know Travis Goodspeed's stuff, and the OBDuino are two of these, obviously Arduino based, the OBDuino. And then there's those cheap ELM327 knockoffs, OBD2. Again, if you just want to play with this, buy one off your favorite sketchy Chinese vendor, DealExtreme, I don't know, buy some lasers while you're at it, because we can still do that in Canada. And yeah, have fun.

On the software side, this is where things get tough. It's nice to be able to send and receive arbitrary messages, but unless you know what they mean, or at least have some way of decoding them and encoding them, it's not very helpful. So, a few tools we'll talk about. First off, SocketCAN. This is a really cool thing that Volkswagen put into the Linux kernel. It's actually in the mainline kernel now. So, if you're running like Ubuntu 14.04, newer, I think even older ones, you can literally modprobe can and you'll get CAN. Unfortunately your laptop probably does not have a CAN port on it. So this, you know, takes CAN devices, makes them into standard Unix network devices. You can literally do ifconfig can0 up. It also comes with this nice can-utils package that provides some basic functionality, things like send a message, dump all the messages to the console, generate some traffic. Really handy, a really good starting point for, hey, I want to, you know, build some tools. This lets me work almost like sockets.

This canard thing, or canard, or whatever you want to call it. It's French for a duck. So I put a little rubber ducky there. Essentially, Vector, the company that, you know, is very expensive, they have all the good CAN puns. Their software is called like CANoe, CANalyzer, CANdela, and I was running out, so I chose a French word. This is a Python toolkit I'm working on, and the whole idea is to just abstract away hardware and say let's just treat CAN frames as totally generic, like, you know, like I said, identifier, data length, data. We don't care what the hardware is; if we can just encapsulate that, we should be able to send and receive it on any CAN hardware. So that's the main idea, to do that and then allow us to build on top of that to do these protocols, but then have it be hardware agnostic, and also let people actually share information. Like, if you suddenly discover that bits 13 to 19 on CAN identifier 0x137 on your 1998, I don't know, it wouldn't have CAN, 2008 GM whatever car is this message, you should be able to tell people that in a way where they can then take that information and do something with it.

So how do we do all those things? Well, we write some code. So, I figured that I'd kind of demonstrate what you can do with this library. Just some really simple examples. The first is that whole "let's kill the CAN bus" idea, by sending this message with ID zero. So this is actually, this will work in real life. You import the library and also a driver for this device here, called peak, because that's who actually makes it. You start up that to get on the bus, dev.start, and we're going to make a frame. We're going to make a frame with ID zero here. We set the data length code to eight. The reason is we want to be super spammy. So we just like put eight bytes of zeros in there, because why not? And while true, send that frame. I have done this by accident actually on a car. So I know what happens. The car was a Chevrolet Volt. It belonged to my boss, who was the CEO of a company I was working at. And I did this on his car, and what happened is all the fault codes went up, like every single fault code you could imagine. And the Chevrolet Volt, I don't know if you're familiar with it, it's a hybrid, so it's got some interesting fault codes. My favorite one though, it comes up "Service StabiliTrak", "Service ABS". And one of them comes up, "Engine Not Available, Service Soon". So like GM's telling you, like in the next 15 km, you're really going to want to get your car to a service station. But it will really screw that up and confuse the car and latch all these faults. That indicator lamp, the little check engine, will stay on.

So, how about we clear the indicator lamp? That's a good idea. Again, another code example. We create the device. Same thing. We start up that device. Literally, you can find this specification on Wikipedia. It's very well documented there. It'll tell you exactly what messages you need to send for OBD2. The ID for the frame is 0x7DF. And then this is sort of, it's a bit of a weird protocol. The first byte just says how many bytes follow in the message that are valid. And then the second byte is the mode. Mode 04 is clear fault codes. You send that message, it clears the fault codes and they all go away. So that's like a really simple example.

Depending on how I am on time, I think I have a little bit of time. So we can take a look actually at doing this in Linux. My VM may or may... oh, it's gonna look terrible. We'll sort of try it. You probably can't read any of this, but anyway, on the right hand side, I'm going to do candump of vcan0. The reason I'm doing vcan is because I didn't feel like plugging these things into each other. The vcan module basically just makes a software CAN device that you can pipe messages in and out of, almost like, it's like a loopback device pretty much. And I'm going to run my "kill the bus" example, and it's not going to be very exciting other than it's going to spam messages. But of course, if I were to hook that up to actually this PEAK device instead, it would be sending real CAN data. And then the other simple example that I've written, it's the code that I showed you there, is this clear the MIL. And again, you might not be able to actually read it on the right, but what did I call that? reset MIL. Bam. So, it's just sending the one message on the right. It's really super pixelated, but that's the candump utility, which is kind of neat. You get onto the CAN bus, you run candump on your computer, and you'll actually see all the data in a loggable format. So, get back to play. There we go.

So, I get to questions here, but I just kind of wanted to show one last thing. A lot of people have asked me about like, what device should I buy to play with this? I want to play with this. I just want to play with my car. And unfortunately, the answer is maybe the PEAK device, but it's expensive, and you know the open source ones you can't buy. So, I'm working on a few of them. This one I did as a sort of challenge to myself to do an all through-hole CAN device. If you've ever assembled electronics, through-hole is really easy to solder. It's really hard to find parts that are through-hole nowadays. You end up with a Microchip microprocessor because it's the only through-hole USB microcontroller on the market. So this one's, it's all right. It's through-hole. It works. It's not great, but it works. And it actually has jumper-selectable pins, so you can go straight into that OBD cable and go right onto your car, which is nice. Version two of this is probably going to be surface mount and will, you know, be based on a much better ARM-based microcontroller rather than this piece of crap Microchip thing. I hope no one from Microchip watches this video. But yeah, so that's one thing I'm working on, both the software side, but also a cheap hardware tool, open source hardware that people can play around with. And now I will actually take questions until I run out of time. Thanks.
Is there a way of...

The short answer is absolutely. Like, it would be incredibly trivial. You'd probably... so there's a few ways to do it. There's a few ways to break the law. But hypothetically speaking. By the way, the question is, some of these insurance companies now have dongles that go onto your OBD port and they want to know data about your driving so that they can charge you based on how you drive. I think that's how they work. I don't know how they determine how good of a driver you are, but they claim to. So you could just sit in the middle with a device that has two CAN buses and just gateway messages, but you could just choose to modify the data on some of them. There's pretty much no way that they could know you were doing this. Like, it's your car, and unless they physically look at it and find the device, you'll be able to do that. This has been an interesting, this comes up every so often, because even the emissions tests, in theory that is possible, but you'd have to know what to fake, though if you look at the OBD standard you'll know what to fake, and it's a published standard. So there's a number of questions. I guess I'll start up here and work my way back a bit.

Not wireless. So just, in all modern cars the throttle is almost always by wire. There's no cables anymore. It's actually just, it's actually two analog voltages that, depending on the range, validate each other. Brakes though are still always mechanical in some way. That's actually like a legal requirement still, I believe. But one thing you can't do is act in, in anything that's not a hybrid or electric vehicle, you can't really control the engine, because it's always a signal directly from the pedal. It's an electric signal, but it's just a voltage from the pedal. Anything else back? Go back there. Okay. Is that the, from a Bluetooth OBD? Okay. And that gives you like your fault codes
and your... Yeah.

So they'd be limited by what that... So odds are if you have a Bluetooth OBD device, it's probably an ELM327. Almost all of them are. And it's going to limit you. The way that it works, if you remember the good old days of like playing with modems, you had the AT command sets. That's literally how this thing works. It's a serial AT command you send to it and it gives you back data. That's how they've implemented it. So, you can't do too much with those. But, I will say it gets very scary when insurance companies and people start putting these devices on. I know at least one of them is a Linux-based device that's connected to like GSM now on your CAN bus. So, if you get on one of those, you can control someone's car in a lot of ways. But odds are that through that ELM327, they'd be limited in what they could do. Jeremy?

I don't know much about their autopilot, and I'm not going to talk much about Tesla because there's a camera pointed at my face. So yeah, Tesla actually does have a security team and they're probably, I was talking to some people there, they're doing a lot more than most of the OEMs. So what you have to understand is most of these guys don't write much of their own software. They just like integrate software from a bunch of different people. So like Delphi makes the controller and they have like some of the code that they integrate, and then they go get like a stack for diagnostics from Vector, and then they write some of their own algorithms, but some outsourcer in India actually brings it into C. So that's where things get really scary, because it's all glued together and like suddenly you can access memory that's, you know, critical. Tesla, they do a lot of their firmware development in-house, and they have a security team now that's actually auditing it. They're actually ahead of the curve in a lot of ways, but they also have a pretty big attack surface because their cars have really serious connectivity, right? So they're dealing with it pretty well. I'd say better than most OEMs. Yep. Last question. A lot of cars.

Okay. So, the governor on most vehicles would be built into the engine control module. The thing is, it depends. So, it depends on the car in a lot of cases. It's an interesting question. If it is a speed limiter and the engine control module does not have the ability to know the speed of the car, and that's actually what I've seen in a lot of vehicles, because the engine controller doesn't know the speed. There's no way that the engine can directly know the speed of the wheels. Typically the ABS module is actually responsible for vehicle speed, because it has wheel speed sensors, or the traction control module, one of the two. So in a case like that, yes, you could spoof that message and get different top speeds. There are probably other limiters built in though. I'm willing to bet that the engine control module will probably also have, it'll have a rev limiter built in. That would be harder to get around unless you actually started modifying calibration and firmware. And that gets scary because you can brick your car. And on that lovely note, I think I'm done. So, thank you very much for having me and for listening.
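The frame layout (identifier, DLC, 0 to 8 data bytes), the CAN-database style of decoding bits into engineering units, the candump log format and the OBD2 mode 04 "clear fault codes" request that the talk walks through, as a worked example added after the transcript. This is not the speaker's canard toolkit or any code shown in the talk; the signal database, the log lines and the flood threshold are constructed for illustration and do not describe any real vehicle.

```python
"""Decode candump-style CAN log lines against a small signal database, build the
OBD-II mode 04 request, and flag one identifier hogging the bus.
Added example with a constructed database and constructed log lines."""
from collections import Counter
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Frame:
    """The three things a classic CAN frame carries: identifier, DLC, payload."""
    can_id: int
    data: bytes

    def __post_init__(self):
        if not 0 <= self.can_id <= 0x7FF:       # 11-bit (standard) identifiers only
            raise ValueError("identifier does not fit in 11 bits")
        if len(self.data) > 8:                  # classic CAN: DLC is 0..8
            raise ValueError("classic CAN carries at most 8 data bytes")

    @property
    def dlc(self) -> int:
        return len(self.data)


# candump prints "  <iface>  <id hex>   [<dlc>]  <bytes>"
CANDUMP_RE = re.compile(
    r"^\s*(\S+)\s+([0-9A-Fa-f]{3,8})\s+\[(\d)\]\s*((?:[0-9A-Fa-f]{2}\s*)*)$")


def parse_candump_line(line: str) -> Frame:
    m = CANDUMP_RE.match(line)
    if not m:
        raise ValueError(f"not a candump line: {line!r}")
    _iface, ident, dlc, payload = m.groups()
    data = bytes.fromhex(payload.replace(" ", ""))
    if len(data) != int(dlc):
        raise ValueError("DLC disagrees with the number of payload bytes")
    return Frame(int(ident, 16), data)


@dataclass(frozen=True)
class Signal:
    """One field of a message: bit position and scaling, as a CAN database describes it."""
    name: str
    start_bit: int      # LSB position; bit 0 is the LSB of byte 0 (Intel/little-endian layout)
    length: int
    factor: float = 1.0
    offset: float = 0.0
    signed: bool = False
    unit: str = ""

    def decode(self, data: bytes) -> float:
        raw = (int.from_bytes(data, "little") >> self.start_bit) & ((1 << self.length) - 1)
        if self.signed and raw & (1 << (self.length - 1)):
            raw -= 1 << self.length             # two's complement sign extension
        return raw * self.factor + self.offset


# Constructed database in the layout the talk sketches: RPM in two bytes, gear and
# battery voltage sharing one byte, then a latitude. Not any real vehicle's map.
DATABASE = {
    0x006: ("EngineStatus", [
        Signal("EngineRPM", 0, 16, factor=0.25, unit="rpm"),
        Signal("Gear", 16, 3),
        Signal("BatteryVoltage", 19, 5, factor=0.5, offset=8.0, unit="V"),
        Signal("Latitude", 24, 16, factor=0.01, signed=True, unit="deg"),
    ]),
}


def decode_frame(frame: Frame, database=DATABASE):
    """Return {signal name: physical value}, or None when the identifier is not in the database."""
    entry = database.get(frame.can_id)
    if entry is None:
        return None
    _name, signals = entry
    return {s.name: s.decode(frame.data) for s in signals}


OBD_REQUEST_ID = 0x7DF      # functional (broadcast) OBD-II request identifier


def obd2_request(mode: int, pid=None) -> Frame:
    """Byte 0 = count of valid bytes that follow, then the mode (and PID, if any), padded to 8."""
    body = bytes([mode]) + (bytes([pid]) if pid is not None else b"")
    return Frame(OBD_REQUEST_ID, bytes([len(body)]) + body + bytes(7 - len(body)))


def clear_dtcs_request() -> Frame:
    return obd2_request(0x04)   # mode 04: clear stored fault codes and turn off the MIL


def dominant_identifier(frames, share=0.9):
    """Lower identifiers win arbitration, so a steady stream of one low ID (ID 0 above all)
    starves every other node. Return the ID if one makes up >= `share` of traffic, else None."""
    if not frames:
        return None
    can_id, n = Counter(f.can_id for f in frames).most_common(1)[0]
    return can_id if n / len(frames) >= share else None


# Constructed candump-style lines: one status message, the clear-DTC request,
# and an ECU's positive response (response mode = request mode + 0x40).
SAMPLE_LOG = """\
  vcan0  006   [5]  A0 0F 5B 05 EF
  vcan0  7DF   [8]  01 04 00 00 00 00 00 00
  vcan0  7E8   [8]  01 44 00 00 00 00 00 00
"""


def decode_log(text: str):
    return [(f.can_id, decode_frame(f)) for f in map(parse_candump_line, text.splitlines())]


if __name__ == "__main__":
    for can_id, values in decode_log(SAMPLE_LOG):
        print(f"0x{can_id:03X}: {values}")
    print("clear DTCs:", clear_dtcs_request())
    burst = [parse_candump_line(l) for l in SAMPLE_LOG.splitlines()] + [Frame(0, bytes(8))] * 50
    print("flooding identifier:", dominant_identifier(burst))
```

Run it as a script to see the decoded status message, the 0x7DF frame with data 01 04 padded to eight bytes, and the flood check reporting identifier 0 once a burst of ID-0 frames is appended to the sample log. The `dominant_identifier` check is the kind of thing a bus monitor can run on a candump capture to notice the "message with ID zero in a loop" failure the talk describes, since that pattern shows up as one identifier crowding out all normal traffic.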