CAN bus, батяня. Батяня, CAN bus
Defcon Russia (DCG #7812) 2
https://en.wikipedia.org/wiki/CAN_bus
120 Ohm 120 Ohm

CAN network
CAN gateway/switch*
* Different topology possible

CAN utilities…
• http://illmatics.com/content.zip - utilites by @0xcharlie and @nudehaberdasher
- A lot of cases and examples, very good and helpful
• https://github.com/ericevenchick/CANard - abstract CAN lib
- Abstract CAN lib, useful for creating own CAN tools (hardware independent)
• https://github.com/zombieCraig/UDSim - and not only .. other tools by Craig Smith
- Fuzzing, reversing and etc
• Moarrrr: http://opengarages.org/index.php/Tools
But why I need “Yet Another CAN Hacking Tool”?
 A lot of tools and console scripts, for different tasks…, but I want to have one interface
 If I want to use “combo” of those tools/tricks/tests (with minimum code-writing)?
 If I want to do a MITM?
 Not only for “hacking”, but testing framework (maybe useful for OEM/Vendors like validation scanner and etc)
 Something module/scenario based – if I want to share readable test cases/scenarios with others
I need something like BurpSuite/Metasploit for CAN Network/ECU analyses. With different modules and one interface. I
want easily extend it with modules, run same modules in different “combos” and etc. So this tool I did for myself first…
but if it can be useful for others – why not, finally we can help each other with contribution

CANToolz (concept)
CANToolz
Module 1
CANToolz
Module 2 CANToolz
Module 3
CANToolz framework (MITM example)
You can configure modules in any order to create own “test scenario”.
Hardware “independent” scenarios (just need to have IO module for your hardware)
Easy to share, easy to use (for me at least, one standard interface – console, WEB API)
https://github.com/eik00d/CANToolz
PIPE 1
PIPE 2
Supported:
• ISO-TP
• UDS

CANToolz (concept)
CANToolz
Module 1
CANToolz
Module 2 CANToolz
Module 3
Each module have IN and OUT and can handle CAN frame. These modules can be
connected via any number of PIPES and perform different actions on any stage/step
in the scenario. This gives flexibility and power ;)
PIPE 1
PIPE 2

CANToolz (hardware independent*)
USBtin - http://www.fischl.de/usbtin/
Fast CAN to USB device, support extended format
CANBusTriple - https://www.canb.us/
Arduino based CAN to USB device.
Support up to 3 CAN buses!
These devices currently supported by the framework, but list will be extended in the future and
anyone can add support for any other hardware module!
Other (logical) modules are independent from
hardware!

CANBusTriple 120 ohm

USBtin 120 Ohm

CANToolz (Arch)
hw_USBtin
PIPE 1 PIPE 2
hw_CANBusTriple
Step 1
mod_firewall
Loop
hw_USBtin
read
hw_USBtin
write
hw_CANBusTriple
read
hw_CANBusTriple
write
Step 2
Step 3
Step 4
Step 5
Step 6
mod_firewall
Block CAN frames
A,B,C
mod_firewall
Block CAN frames
X,Y,Z
• You can use same module on any step
- shared memory, same sate

Config file example:
# Load modules
load_modules = {
'hw_USBtin' :
‘hw_CANBusTriple' : {'port':'auto', 'debug':1, 'speed':500},
'mod_firewall' : {},
}
# Scenario with steps
actions = [
{'hw_USBtin' : {'pipe': 1, 'action': 'read'}},
{'hw_CANBusTriple': {'pipe': 2, 'action': 'read'}},
{'mod_firewall' : {'pipe': 1, 'black_list': [1337, 31337]}},
{'mod_firewall' : {'pipe': 2, 'black_list': [0x1122, 0x2211]}},
{'hw_CANBusTriple': {'pipe': 1, 'action': 'write'}},
{'hw_USBtin' : {'pipe': 2, 'action': ‘write'}}
]
{'port':'auto', 'debug':1, 'speed':500},

CANToolz (Arch)
hw_USBtin
PIPE 1 PIPE 2
hw_USBtin~2
Step 1
mod_firewall
Loop
hw_USBtin
read
hw_USBtin
write
hw_USBtin~2
hw_USBtin~2
Step 2
Step 3
Step 4
Step 5
Step 6
mod_firewall
Block CAN frames
A,B,C
mod_firewall
Block CAN frames
X,Y,Z
• You can use module as different instances
- not shared memory and state

# Load modules
load_modules = {
'hw_USBtin' :,
‘hw_USBtin~2' : ,
}
actions = [
{'hw_USBtin' : {'pipe': 1, 'action': 'read'}},
{'hw_USBtin~2': {'pipe': 2, 'action': 'read'}},
{'mod_firewall' : {'pipe': 1, 'black_list': [1337, 31337]}},
{'mod_firewall' : {'pipe': 2, 'black_list': [0x1122, 0x2211]}},
{'hw_USBtin~2': {'pipe': 1, 'action': 'write'}},
{'hw_USBtin' : {'pipe': 2, 'action': ‘write'}}
]
{'port':'auto', 'debug':1, 'speed':500},
{'port':'auto', 'debug':1, 'speed':500, ‘bus':62},

CANToolz (Arch)
hw_CANBUS
Triple
PIPE 1
Step 1mod_firewall
Loop
hw_CANBUSTriple
hw_CANBUSTriple
Step 2
Step 3
mod_firewall
Block CAN frames
A,B,C,X,Y,Zl
• CANBusTriple device support up to 3 buses!

# Load modules
load_modules = {
'hw_CANBUSTriple': {'bus_1': 1, 'bus_2': 2}, # Init parameters
}
actions = [
{'hw_CANBUSTriple' : {'pipe': 1, 'action': 'read'}},
{'mod_firewall' : {'pipe': 1, 'black_list': [1337, 31337, 0x1122, 0x2211]}},
{'hw_CANBUSTriple' : {'pipe': 1, 'action': ‘write'}}
]

Example 1: MITM/Firewall
Which CAN frames responsible
for action?
Unlock doors…
CAN bus
term.
120 Ohm!
or

# Load modules
load_modules = {
'mod_stat' : {},
'hw_USBtin' : {'port':'auto', 'debug':1, 'speed':500},
'hw_USBtin~2' : {'port':'auto', 'debug':1, 'speed':500,'bus':62}
}
# Scenario
actions = [
{'hw_USBtin' : {'action':'read'}},
{'mod_firewall' : {‘white_list':[1337]}},
{'hw_USBtin~2' : {'action':'read', 'pipe':2}},
{'mod_stat': {'pipe': 1}}, {'mod_stat': {'pipe': 2}},
{'hw_USBtin' : {'action':'write','pipe':2}},
{'hw_USBtin~2' : {'action':'write'}}
]

black_body [[0,0x11,0x22,0x33]]

Example 2: CAN Gateway scan
• Which frames will be blocked
• Which frames can be passed?

# Load needed modules
load_modules = {
# IO hardware module connected to first BUS (IVI)
'hw_USBtin': {'port':'auto', 'debug':1, 'speed':500},
# IO hardware module (connected to OBD2)
'hw_USBtin~2': {'port':'auto', 'debug':1, 'speed':500, 'bus': 62 },
'gen_ping' : {}, # Generator/Ping
'mod_firewall': {}, # We need firewall to block all other packets
'mod_stat': {} # Mod stat to see results
}
actions = [
{'hw_USBtin': {'action': 'read','pipe': 1}}, # Read to PIPE 1 from IVI
{'hw_USBtin~2': {'action': 'read','pipe': 2}}, # Read to PIPE 2 from OBD2 port
# Block all other CAN frames, but let frames with
# data "x01x02x03x04x05x06x07x08" pass
{'mod_firewall': {'white_body':[[1,2,3,4,5,6,7,8]],'pipe': 1}},
{'mod_firewall': {'white_body':[[1,2,3,4,5,6,7,8]], 'pipe': 2}},
{'mod_stat': {'pipe': 1}}, {'mod_stat': {'pipe': 2}}, # read from both pipes after filtration
{'gen_ping': {'range': [1,2000],'mode':'CAN','body':'0102030405060708','pipe':3}},
# Generate CAN frames to PIPE 3
{'hw_USBtin': {'pipe': 3, 'action': 'write'}},# Write generated packets to both buses
{'hw_USBtin~2': {'pipe': 3, 'action': 'write'}}
]

Generated packets will be sent to both BUSes,
then if some of them pass CAN Gateway….

then if some of them pass CAN Gateway, we will receive it on other HW
Interface (mod_firewall will block all other messages except generated)
… we will receive passed frames on other HW
interface (mod_firewall will block all other
messages except generated)

then if some of them pass CAN Gateway, we will receive it on other HW
Interface (mod_firewall will block all other messages except generated)
There we can see 2 frames passes from First
bus to Second and 1 frame that can pass from
Second bus to first. (so now we have tested
filtration based on frame ID)

Example 3: Replay…
1. Collect traffic
2. Replay half
3. Another half
4. … (bin search)
How to find which frames and are
responsible for action
You commercial
could be here!
Door
control

load_modules = {
'hw_USBtin': {'port':'auto', 'debug':1, 'speed':500}, # IO hardware module
'gen_replay': {'debug': 1}, # Module for sniff and replay
'mod_stat': {} # Stats
}
# Now let's describe the logic of this test
actions = [
{'hw_USBtin': {'action': 'read','pipe': 1}}, # Read to PIPE 1
# We will sniff first from PIPE 1, then replay to PIPE 2
{'gen_replay': {'pipe': 1}},
{'hw_USBtin': {'action':'write','pipe': 2}} # Write generated packets (pings)
]

Enable sniff mode

Unlock door now and then
disable sniff mode and lock
door again…

Switch gen_replay to PIPE 2.
(now we want to write sniffed
frames back to the BUS)

Replay first half of frames and
see if doors will be unlocked…
If not, then replay other half
and continue same way
(binary search)

Than you can save found frames
to file for future work

UDS
ISO 14229-1
Most critical result - ECU firmware update
• Session HIJACKING
• Auth. brute force
• Known seeds/keys
• Weak algorithms
How an attacker can get “unauthorized access”
• RE firmware
• Debug ports (direct memory access)
• TESTER RE

GTA
ISO 14229-1

Example 4: UDS traffic “detection”
(if u have TESTER or ISOTP traffic)

Example 4.5: UDS “Scan/Ping”
{'gen_ping' : {
'pipe':2,
'range': [1790, 1794],
'services':[
{'service':0x01, 'sub':0x0d},
{'service':0x09, 'sub':0x02},
{'service':0x2F, 'sub':0x03,
'data':[7,3,0,0]}],
'mode':'UDS'}
Then listen “replay” with mod_stat and do anlysis of overall traffic

# Load modules
load_modules = {
'gen_fuzz': {},
'mod_stat': {}
}
# Scenario
actions = [
# Fizz frames with ID: 222 and 555-999. Fuzz only first byte (index 0)
{'gen_fuzz' : {'index':[0],'id': [222,[555,999]], 'data': [0,0,0,0,0,0,0,0]
'delay': 0}},
# Write generated packets
{'hw_USBtin' : {'action':'write'}},
# Read response
{'hw_USBtin' : {'action':'read', 'pipe': 2}},
{'mod_stat': {'pipe': 2}}
]
Example 5: Fuzzer (discovery, UDS, etc)
Run fuzzer and see results:
• Brightness level of something
have been changed something
• Blinking of something
• Got new ID in response

Contribution needed!!
• More tests and checks (new modules)
• New hardware support (new modules)
• Net tests cases and scenarios (new configs)
- sploits, scans, validation test
- more ppl, have access to more hardware (cars)
• Bugs fixing
• Python3 support ( currently old Python only)
- btw, Python3 supports SocketCAN
• Refactoring

Structure
CANToolz modules, handling single CANFrame in PIPEs.
Main “business logic” elements are here.
Main structures, to works with CAN, ISO-TP, UDS…
and main CANToolz Engine with PIPES logic…
Examples of scenarios – describes how to connect CANToolz modules

Init parameters and commands
def do_init(self, params):
if 'save_to' in params:
…
self._cmdList['p'] = ["Print count of loaded packets", 0, "", self.cnt_print]
self._cmdList['r'] = ["Replay range from loaded, from number X to number Y",
1, " <X>-<Y> ", self.replay_mode]
This method will be called when module loaded into the project
list of commands that can be triggered any time
Number of parameters of command
Command’s parameters format (just help)
Actual method that will be called by triggering the command

Pre/post actions
def do_start(self, params):
self._i = 0
self.do_something1(self.something)
def do_stop(self, params):
self._i = 0
self.do_something2(self.something)
This methods will be called just before main loop started, and when it will stooped

# handle message in the pipe
def do_effect(self, can_msg, args):
if can_msg.CANData:
if 'black_list' in args and can_msg.CANFrame.frame_id in args.get('black_list', []):
can_msg.CANData = False
return can_msg
Main action (CAN frame handling)
Main method
Message OUT
Arguments for current step
Flag, if message contains CAN frame
CAN Frame
Message IN

Example of module
Let’s say that on Example 5 (fuzzing) we have found Frames (ID and data format) that are
responsible for Dashboard panel brightness level and status. Let’s create a simple module to
control it via CANToolz.
ID DATA
111 01fa000000000000 - Brightness level, form 0-255 (second byte)
111 0201000000000000 - Idle mode (second byte, 00 – idle mode)

Example of module(code)
from libs.module import *
from libs.can import *
import copy
class mod_panel_control(CANModule):
name = "Panel control module"
help = """
This module change dahsboard panel things.
Init parameters: None
Module parameters:
'pipe' - integer, 1 or 2 - from which pipe to print, default 1
"""
def do_init(self, params):
self._active = True
self._cmdList['1'] = ["Idle mode on", 0, "", self.turn_off]
self._cmdList['0'] = ["Idle mode off", 0, "", self.turn_on]
self._cmdList['b'] = ["Change brightness level (0 - 255)", 1, "<level>",
self.change_level]
self._frame = None

Example of module(code)
# Effect (could be fuzz operation, sniff, filter or whatever)
def do_effect(self, can_msg, args):
if self._frame:
can_msg.CANFrame = copy.deepcopy(self._frame)
can_msg.CANData = True
self._frame = None
return can_msg
def turn_off(self):
self._frame = CANMessage(111,8,[2,0,0,0,0,0,0,0], False, CANMessage.DataFrame)
def turn_on(self):
self._frame = CANMessage(111,8,[2,1,0,0,0,0,0,0], False, CANMessage.DataFrame)
def change_level(self, level):
b_level = int(level)
if 0 < b_level < 256:
self._frame = CANMessage(111,8,[1,b_level,0,0,0,0,0,0], False,
CANMessage.DataFrame)

Example of module(cfg)
# Load modules
load_modules = {
'mod_panel_control': {},
}
# Scenario
actions = [
# Fizz frames with ID: 222 and 555-999. Fuzz only first byte (index 0)
{'mod_panel_control' : {}},
# Write generated packets
{'hw_USBtin' : {'action':'write'}}
]

Example of module(control)

Thx for contribution and help!
Sergey Kononenko
@kononencheg
Boris Ryutin
@dukebarman
Also to @isox_xx and all JBFC
Contributors are WELCOME!

Testing CAN network with help of CANToolz