hacking cars with python
play

Hacking Cars with Python Eric Evenchick PyCon 2017 Hi Disclaimer - PowerPoint PPT Presentation

Sep 13, 2022 •231 likes •677 views

Hacking Cars with Python Eric Evenchick PyCon 2017 Hi Disclaimer You can brick a car via diagnostics You can modify a safety critical system via diagnostics Some diagnostic actions may be illegal in certain jurisdictions

  1. Hacking Cars with Python Eric Evenchick PyCon 2017

  2. Hi

  3. Disclaimer • You can brick a car via diagnostics • You can modify a safety critical system via diagnostics • Some diagnostic actions may be illegal in certain jurisdictions • Proceed at your own risk

  4. Cars are Computers

  5. Cars are Computers • Safety • Advanced Features • Emissions

  6. Cars are Networks

  7. Automotive Networks • Up to 100 Electronic Control Units (ECUs) • Typically Controller Area Network (CAN bus)

  8. CAN Bus • Controller Area Network • Low cost, integrated controllers • Types: • High speed (differential) • Low speed (single ended) • Fault Tolerant • CAN FD

  9. CAN • Controller : Network Node • Bus : Collection of Controllers • Frame : PDU containing: • ID • Type • Data Length Code • Data

  10. Communication Types Diagnostics Operational • Used at specific times, not • Used during normal normal operations operation • Allows special interactions • Relays data between ECUs with ECUs • Periodic, statically defined • Client / Server protocol frames

  11. Operational • Broadcast periodically by ECUs • Makes everything work during normal operation • Proprietary Encoding using CAN Database

  12. Operational • Lets us: • Get vehicle state • Log data • Control automotive components

  13. How CAN Works Message Structure

  14. How CAN Works Message Structure

  16. Automotive Diagnostics

  17. Diagnostics • Used during: • Manufacturing • Service • End-of-life • Forensics • Allows a wide range of features • Requires specialized tools

  18. ISOTP • How do we encode a 17 character VIN? Send firmware? • Combines frames into longer data • Up to 4095 bytes • Flow Control • Also called CANTP

  19. Diagnostic Standards • J1979 (OBD-II) • SAE J1850 • ISO 9141: K-Line / KWP2000 • ISO 14229: Unified Diagnostic Services (UDS) • and many more…

  20. OBD-II • Read Parameters (PIDs) • Clear Fault Codes • Full list of PIDs: wikipedia.org/wiki/OBD-II_PIDs

  21. OBD Session Request: [Mode, PID] Response: [Mode + 0x40, PID, Data…] Scan Tool (Client) ECU (Server)

  22. Unified Diagnostic Services • Client / Server protocol for diagnostics • Client = Scan Tool • Server = ECU • Defines 4 Functional Units containing 25 Services • Available from ISO as a PDF • 198CHF :(

  23. UDS Session Request: [service ID, req params…] Response: [service ID + 0x40, resp params…] Scan Tool (Client) ECU (Server)

  24. UDS - Diagnostic and Communication Management Functional Unit • AccessTimingParameter • DiagnosticSessionControl • SecuredDataTransmission • ECUReset • ControlDTCSetting • SecurityAccess • ResponseOnEvent • CommunicationControl • LinkControl • TesterPresent

  25. UDS - Data Transmission Functional Unit • ReadDataByIdentifier • DynamicallyDefineDataIdentifier • ReadMemoryByAddress • WriteDataByIdentifier • ReadScalingDataByIdentifier • WriteMemoryByAddress • ReadDataByPeriodicIdentifier

  26. UDS: Stored Data Transmission Functional Unit • ClearDiagnosticInformation • ReadDTCInformation

  27. UDS: InputOutput Control Functional Unit • InputOutputControlByIdentifier

  28. UDS: Remote Activation of Routine Functional Unit • RoutineControl

  29. UDS: Upload Download Functional Unit • RequestDownload • RequestUpload • TransferData • RequestTransferExit

  30. Tools

  31. Tool Types • Scan Tools • Official: expensive • Cheap options: usually OBD only • USB to CAN adapters: • Still need ISOTP and UDS…

  32. pyvit • Python Vehicle Interface Toolkit • CAN, ISOTP, and UDS support

  33. IPython Request ECU Serial Number In [57]: udsif.request( ReadDataByIdentifier.Request(0xF18C)) {'dataIdentifier': 61836, 'dataRecord': [248, 18, 131, 68]}

  34. IPython ECU Hard Reset In [62]: udsif.request(ECUReset.Request( ECUReset.ResetType.hardReset)) {'resetType': 1}

  35. UDS Decoding (37.167999) can0 6E0#0210030000000000 (37.178001) can0 51C#065003002800C800 (43.181999) can0 6E0#0210030000000000 (43.194000) can0 51C#065003002800C800 (43.222000) can0 6E0#0322F10000000000 (43.234001) can0 51C#0762F10000050103 (43.263000) can0 6E0#0322F13200000000 (43.293999) can0 51C#037F227800050103 (43.324001) can0 51C#100D62F132363832 (43.342999) can0 6E0#3000000000000000 (43.363998) can0 51C#2133333533354143 (43.402000) can0 6E0#0322F15000000000 (43.433998) can0 51C#037F227833354143 (43.464001) can0 51C#0662F15013080043

  36. UDS Decoding (37.167999) can0 6E0#0210030000000000 (37.178001) can0 51C#065003002800C800 (43.181999) can0 6E0#0210030000000000 (43.194000) can0 51C#065003002800C800 (43.222000) can0 6E0#0322F10000000000 (43.234001) can0 51C#0762F10000050103 (43.263000) can0 6E0#0322F13200000000 (43.293999) can0 51C#037F227800050103 (43.324001) can0 51C#100D62F132363832 (43.342999) can0 6E0#3000000000000000 (43.363998) can0 51C#2133333533354143 (43.402000) can0 6E0#0322F15000000000 (43.433998) can0 51C#037F227833354143 (43.464001) can0 51C#0662F15013080043 Timestamp CAN ID Data

  37. UDS Decoding 6E0#0210030000000000 51C#065003002800C800 6E0#0210030000000000 51C#065003002800C800 ISOTP Bytes 6E0#0322F10000000000 51C#0762F10000050103 Service ID 6E0#0322F13200000000 Data 51C#037F227800050103 51C#100D62F132363832 Negative Response 6E0#3000000000000000 Codes 51C#2133333533354143 6E0#0322F15000000000 Invalid Bytes 51C#037F227833354143 51C#0662F15013080043

  38. UDS Decoding 6E0#0210030000000000 51C#065003002800C800 6E0#0210030000000000 51C#065003002800C800 It looks like ISOTP Bytes 6E0#0322F10000000000 you’re trying to 51C#0762F10000050103 Service ID decode UDS… 6E0#0322F13200000000 Negative Response 51C#037F227800050103 Codes 51C#100D62F132363832 6E0#3000000000000000 Invalid Bytes 51C#2133333533354143 6E0#0322F15000000000 51C#037F227833354143 51C#0662F15013080043

  39. [->] Request [DiagnosticSessionControl / 0x10] diagnosticSessionType: 3 [<-] Response [DiagnosticSessionControl / 0x10] sessionParameterRecord: [0, 40, 0, 200] diagnosticSessionType: 3 [->] Request [DiagnosticSessionControl / 0x10] diagnosticSessionType: 3 [<-] Response [DiagnosticSessionControl / 0x10] sessionParameterRecord: [0, 40, 0, 200] diagnosticSessionType: 3 [->] Request [ReadDataByIdentifier / 0x22] dataIdentifier: 61696 [<-] Response [ReadDataByIdentifier / 0x22] dataRecord: [0, 5, 1, 3] dataIdentifier: 61696 [->] Request [ReadDataByIdentifier / 0x22] dataIdentifier: 61746 [<-] Response [ReadDataByIdentifier / 0x22] dataRecord: [54, 56, 50, 51, 51, 53, 51, 53, 65, 67] dataIdentifier: 61746 “68233535AC” [->] Request [ReadDataByIdentifier / 0x22] dataIdentifier: 61776 [<-] Response [ReadDataByIdentifier / 0x22] dataRecord: [19, 8, 0] dataIdentifier: 61776

  41. Conclusions

  42. Practical Stuff • Get an OBD-II device • Fault codes, clear MIL • Right to Repair • OpenGarages, DEF CON Car Hacking Village

  43. The Future • Ethernet Based Diagnostics: DoIP • CAN FD • Vehicle APIs • Tesla • Ford OpenXC • More tools based on pyvit :)

  44. Thanks! Questions? https://github.com/linklayer/pyvit eric@evenchick.com @ericevenchick https://linklayer.com https://atredis.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
Mesh Networks | Hacking The T3lc0 Model http://arig.org.il What's a Mesh Anyway ? Mesh =

Mesh Networks | Hacking The T3lc0 Model http://arig.org.il What's a Mesh Anyway ? Mesh =

Mesh Networks | Hacking The T3lc0 Model http://arig.org.il What's a Mesh Anyway ? Mesh = topology. anything not a star / bus / ring / tree Nodes = routers, smart phones, cars anything wi-fi enabled Links = wireless connections

516 views • 25 slides
Python tools JOSE MANUEL ORTEGA @JMORTEGAC https://speakerdeck.com/jmortega INDEX

Python tools JOSE MANUEL ORTEGA @JMORTEGAC https://speakerdeck.com/jmortega INDEX

Ethical hacking with Python tools JOSE MANUEL ORTEGA @JMORTEGAC https://speakerdeck.com/jmortega INDEX Introduction Python pentesting Modules(Sockets,Requests,BeautifulSoup,Shodan) Analysis metadata Port scanning &amp; Checking

871 views • 66 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation &amp; privilege escalation 4. Maintaining access &amp; covering tracks

960 views • 62 slides
Python Tidbits Python created by that guy ---&gt; Python is named after Monty Pythons

Python Tidbits Python created by that guy ---&gt; Python is named after Monty Pythons

Python Tidbits Python created by that guy ---&gt; Python is named after Monty Pythons Flying Circus 1991 Python 0.9.0 Released 2008 Python 2.6 / 3.0rc2 Current Python 2.7.1 / 3.2 *7 th most popular language

753 views • 37 slides
Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1 Disclaimer Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees implied or

692 views • 47 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits &amp; Demos Q&amp;A Why? Wrights Law

485 views • 27 slides
Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by benign purposes Hacktivism Counterhacking Case Studies Site defacement Network exploration / Port scanning / SQL injection / . . .

522 views • 18 slides
1 Parallelism in Python The Problem with Shared State Python provides two mechanisms for

1 Parallelism in Python The Problem with Shared State Python provides two mechanisms for

Python Example of a MapReduce Application The mapper and reducer are both self contained Python programs Read from standard input and write to standard output ! Mapper Tell Unix: this is Python #!/usr/bin/env python3 The emit function

464 views • 3 slides
Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

ECF gratefully acknowledges financial support from the European Commission. Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in) the city of Copenhagen using bicycles. Bicycle-as-a-Sensor 1.

278 views • 11 slides
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers Objectives After reading this chapter and completing the exercises, you will be able to: Describe Web applications Explain Web application

530 views • 9 slides
Ray tracing for Ray tracing for Cars challenges Cars challenges the movie Cars the movie

Ray tracing for Ray tracing for Cars challenges Cars challenges the movie Cars the movie

Per ChristensenPer Christensen Ray tracing for Ray tracing for Cars challenges Cars challenges the movie Cars the movie Cars Animation: cars that move, talk, think Animation: cars that move, talk, think

307 views • 6 slides
Getting Started with Python The Python Interpreter A piece of software that executes

Getting Started with Python The Python Interpreter A piece of software that executes

Object-Oriented Programming in Python Goldwasser and Letscher Chapter 2 Getting Started with Python The Python Interpreter A piece of software that executes commands for the Python language Start the interpreter by typing python at a

862 views • 27 slides
KMS ENTERPRISE AG, SWITZERLAND brand name of cars conversion projects ARMORTECH

KMS ENTERPRISE AG, SWITZERLAND brand name of cars conversion projects ARMORTECH

KMS ENTERPRISE AG, SWITZERLAND brand name of cars conversion projects ARMORTECH STRETCHED CARS ARMOURED CARS STRETCHED AND ARMOURED CARS TUNING OF CARS VIP LIMOUSINE SERVICE a little bit more than the best limousine

537 views • 30 slides
HO HOW MANY W MANY SMAR SMART CARS T CARS DOES IT TAKE T DOES IT T AKE TO MAKE O MAKE A

HO HOW MANY W MANY SMAR SMART CARS T CARS DOES IT TAKE T DOES IT T AKE TO MAKE O MAKE A

HO HOW MANY W MANY SMAR SMART CARS T CARS DOES IT TAKE T DOES IT T AKE TO MAKE O MAKE A SMART TRAFFIC A SMAR T TRAFFIC NETWORK? NETW ORK? C. G . G. Cassand . Cassandras as Division of Systems Engineering Dept. of Electrical and

559 views • 23 slides
An introduction to Python Andreas Bjerre-Nielsen Agenda 1. Python: what it is; why and how we

An introduction to Python Andreas Bjerre-Nielsen Agenda 1. Python: what it is; why and how we

An introduction to Python Andreas Bjerre-Nielsen Agenda 1. Python: what it is; why and how we learn it 2. Python scripts and Jupyter 3. Fundamental data types 4. Basic Python procedures: operators, functions, methods etc. 5. Conditional

978 views • 66 slides
WELCOME 2018 NJSLA-S District Test Coordinator &amp; District Technology Coordinator Training

WELCOME 2018 NJSLA-S District Test Coordinator &amp; District Technology Coordinator Training

New Jersey DEPARTMENT OF EDUCATION WELCOME 2018 NJSLA-S District Test Coordinator &amp; District Technology Coordinator Training John Boczany, Gilbert Gonzalez, Veronica Orsi, Timothy Steele-Dadzie, and Orlando Vadel Office of Assessments

563 views • 25 slides
Presentation Title AGLF Lawyers Panel Juliet H. Huang Presenters Partner Chapman and Cutler

Presentation Title AGLF Lawyers Panel Juliet H. Huang Presenters Partner Chapman and Cutler

Presentation Title AGLF Lawyers Panel Juliet H. Huang Presenters Partner Chapman and Cutler LLP Anne L. Barragar Partner Davis Wright Tremaine Maryann Santos Internal Counsel and Business Operations Manager Capital One Public Funding, LLC

559 views • 36 slides
On Ability to Autonomously Execute Agent Programs with Sensing Sebastian Sardi na Giuseppe De

On Ability to Autonomously Execute Agent Programs with Sensing Sebastian Sardi na Giuseppe De

On Ability to Autonomously Execute Agent Programs with Sensing Sebastian Sardi na Giuseppe De Giacomo Dept. of Computer Science Dip. Informatica e Sistemistica University of Toronto Univer. di Roma La Sapienza

707 views • 41 slides
1. Physicochemistry of oil and related substances and how these properties influence

1. Physicochemistry of oil and related substances and how these properties influence

1. Physicochemistry of oil and related substances and how these properties influence environmental fate and organism exposure 2. Environmental toxicology of oil and related substances, including key mechanisms of toxicity and population-level

533 views • 27 slides
1 4 5 6 2 7 8 9 3 10 11 12 4 13 14 15 5 16 17 18 6 19 20 21 7 5613 DTC

1 4 5 6 2 7 8 9 3 10 11 12 4 13 14 15 5 16 17 18 6 19 20 21 7 5613 DTC

Solutions to the Three Primary Investment Risks in Retirement - PART ONE 1 2 3 1 4 5 6 2 7 8 9 3 10 11 12 4 13 14 15 5 16 17 18 6 19 20 21 7 5613 DTC Parkway, Suite 650,Greenwood Village, CO 80111 | T: 303-768-0007 |

430 views • 8 slides
Duration Models Introduction to Single Spell Models James J. Heckman University of Chicago Econ

Duration Models Introduction to Single Spell Models James J. Heckman University of Chicago Econ

Duration Models Introduction to Single Spell Models James J. Heckman University of Chicago Econ 312, Spring 2019 Heckman Duration Models The hazard function gives the probability that a spell, denoted by the nonnegative random variable T

643 views • 21 slides
BE PART OF THE REVOLUTION TRANSFORMING HEALTHCARE WITH AI CALIFORNIA THE RITZ-CARLTON,

BE PART OF THE REVOLUTION TRANSFORMING HEALTHCARE WITH AI CALIFORNIA THE RITZ-CARLTON,

BE PART OF THE REVOLUTION TRANSFORMING HEALTHCARE WITH AI CALIFORNIA THE RITZ-CARLTON, LAGUNA NIGUEL 1114 DECEMBER 2019 1000 ATTENDEES 80 SPEAKERS 10 WORKSHOPS www.aimed.events/northamerica-2019/ 2 SOCIAL EVENTS #AIMed19 1 AIMed19

275 views • 8 slides
Document Content 7. Text editing, DTP and Word Meaning, grammar, spelling, emphasis

Document Content 7. Text editing, DTP and Word Meaning, grammar, spelling, emphasis

Document Content 7. Text editing, DTP and Word Meaning, grammar, spelling, emphasis Processing Footnotes, illustrations, diagrams, references Structure Title, abstract, chapters, appendices, sections, sub()sections,

323 views • 4 slides

More recommend