hacking cars with python
play

Hacking Cars with Python Eric Evenchick PyCon 2017 Hi Disclaimer - PowerPoint PPT Presentation

Sep 13, 2022 •231 likes •677 views

Hacking Cars with Python Eric Evenchick PyCon 2017 Hi Disclaimer You can brick a car via diagnostics You can modify a safety critical system via diagnostics Some diagnostic actions may be illegal in certain jurisdictions

  1. Hacking Cars with Python Eric Evenchick PyCon 2017

  2. Hi

  3. Disclaimer • You can brick a car via diagnostics • You can modify a safety critical system via diagnostics • Some diagnostic actions may be illegal in certain jurisdictions • Proceed at your own risk

  4. Cars are Computers

  5. Cars are Computers • Safety • Advanced Features • Emissions

  6. Cars are Networks

  7. Automotive Networks • Up to 100 Electronic Control Units (ECUs) • Typically Controller Area Network (CAN bus)

  8. CAN Bus • Controller Area Network • Low cost, integrated controllers • Types: • High speed (differential) • Low speed (single ended) • Fault Tolerant • CAN FD

  9. CAN • Controller : Network Node • Bus : Collection of Controllers • Frame : PDU containing: • ID • Type • Data Length Code • Data

  10. Communication Types Diagnostics Operational • Used at specific times, not • Used during normal normal operations operation • Allows special interactions • Relays data between ECUs with ECUs • Periodic, statically defined • Client / Server protocol frames

  11. Operational • Broadcast periodically by ECUs • Makes everything work during normal operation • Proprietary Encoding using CAN Database

  12. Operational • Lets us: • Get vehicle state • Log data • Control automotive components

  13. How CAN Works Message Structure

  14. How CAN Works Message Structure

  16. Automotive Diagnostics

  17. Diagnostics • Used during: • Manufacturing • Service • End-of-life • Forensics • Allows a wide range of features • Requires specialized tools

  18. ISOTP • How do we encode a 17 character VIN? Send firmware? • Combines frames into longer data • Up to 4095 bytes • Flow Control • Also called CANTP

  19. Diagnostic Standards • J1979 (OBD-II) • SAE J1850 • ISO 9141: K-Line / KWP2000 • ISO 14229: Unified Diagnostic Services (UDS) • and many more…

  20. OBD-II • Read Parameters (PIDs) • Clear Fault Codes • Full list of PIDs: wikipedia.org/wiki/OBD-II_PIDs

  21. OBD Session Request: [Mode, PID] Response: [Mode + 0x40, PID, Data…] Scan Tool (Client) ECU (Server)

  22. Unified Diagnostic Services • Client / Server protocol for diagnostics • Client = Scan Tool • Server = ECU • Defines 4 Functional Units containing 25 Services • Available from ISO as a PDF • 198CHF :(

  23. UDS Session Request: [service ID, req params…] Response: [service ID + 0x40, resp params…] Scan Tool (Client) ECU (Server)

  24. UDS - Diagnostic and Communication Management Functional Unit • AccessTimingParameter • DiagnosticSessionControl • SecuredDataTransmission • ECUReset • ControlDTCSetting • SecurityAccess • ResponseOnEvent • CommunicationControl • LinkControl • TesterPresent

  25. UDS - Data Transmission Functional Unit • ReadDataByIdentifier • DynamicallyDefineDataIdentifier • ReadMemoryByAddress • WriteDataByIdentifier • ReadScalingDataByIdentifier • WriteMemoryByAddress • ReadDataByPeriodicIdentifier

  26. UDS: Stored Data Transmission Functional Unit • ClearDiagnosticInformation • ReadDTCInformation

  27. UDS: InputOutput Control Functional Unit • InputOutputControlByIdentifier

  28. UDS: Remote Activation of Routine Functional Unit • RoutineControl

  29. UDS: Upload Download Functional Unit • RequestDownload • RequestUpload • TransferData • RequestTransferExit

  30. Tools

  31. Tool Types • Scan Tools • Official: expensive • Cheap options: usually OBD only • USB to CAN adapters: • Still need ISOTP and UDS…

  32. pyvit • Python Vehicle Interface Toolkit • CAN, ISOTP, and UDS support

  33. IPython Request ECU Serial Number In [57]: udsif.request( ReadDataByIdentifier.Request(0xF18C)) {'dataIdentifier': 61836, 'dataRecord': [248, 18, 131, 68]}

  34. IPython ECU Hard Reset In [62]: udsif.request(ECUReset.Request( ECUReset.ResetType.hardReset)) {'resetType': 1}

  35. UDS Decoding (37.167999) can0 6E0#0210030000000000 (37.178001) can0 51C#065003002800C800 (43.181999) can0 6E0#0210030000000000 (43.194000) can0 51C#065003002800C800 (43.222000) can0 6E0#0322F10000000000 (43.234001) can0 51C#0762F10000050103 (43.263000) can0 6E0#0322F13200000000 (43.293999) can0 51C#037F227800050103 (43.324001) can0 51C#100D62F132363832 (43.342999) can0 6E0#3000000000000000 (43.363998) can0 51C#2133333533354143 (43.402000) can0 6E0#0322F15000000000 (43.433998) can0 51C#037F227833354143 (43.464001) can0 51C#0662F15013080043

  36. UDS Decoding (37.167999) can0 6E0#0210030000000000 (37.178001) can0 51C#065003002800C800 (43.181999) can0 6E0#0210030000000000 (43.194000) can0 51C#065003002800C800 (43.222000) can0 6E0#0322F10000000000 (43.234001) can0 51C#0762F10000050103 (43.263000) can0 6E0#0322F13200000000 (43.293999) can0 51C#037F227800050103 (43.324001) can0 51C#100D62F132363832 (43.342999) can0 6E0#3000000000000000 (43.363998) can0 51C#2133333533354143 (43.402000) can0 6E0#0322F15000000000 (43.433998) can0 51C#037F227833354143 (43.464001) can0 51C#0662F15013080043 Timestamp CAN ID Data

  37. UDS Decoding 6E0#0210030000000000 51C#065003002800C800 6E0#0210030000000000 51C#065003002800C800 ISOTP Bytes 6E0#0322F10000000000 51C#0762F10000050103 Service ID 6E0#0322F13200000000 Data 51C#037F227800050103 51C#100D62F132363832 Negative Response 6E0#3000000000000000 Codes 51C#2133333533354143 6E0#0322F15000000000 Invalid Bytes 51C#037F227833354143 51C#0662F15013080043

  38. UDS Decoding 6E0#0210030000000000 51C#065003002800C800 6E0#0210030000000000 51C#065003002800C800 It looks like ISOTP Bytes 6E0#0322F10000000000 you’re trying to 51C#0762F10000050103 Service ID decode UDS… 6E0#0322F13200000000 Negative Response 51C#037F227800050103 Codes 51C#100D62F132363832 6E0#3000000000000000 Invalid Bytes 51C#2133333533354143 6E0#0322F15000000000 51C#037F227833354143 51C#0662F15013080043

  39. [->] Request [DiagnosticSessionControl / 0x10] diagnosticSessionType: 3 [<-] Response [DiagnosticSessionControl / 0x10] sessionParameterRecord: [0, 40, 0, 200] diagnosticSessionType: 3 [->] Request [DiagnosticSessionControl / 0x10] diagnosticSessionType: 3 [<-] Response [DiagnosticSessionControl / 0x10] sessionParameterRecord: [0, 40, 0, 200] diagnosticSessionType: 3 [->] Request [ReadDataByIdentifier / 0x22] dataIdentifier: 61696 [<-] Response [ReadDataByIdentifier / 0x22] dataRecord: [0, 5, 1, 3] dataIdentifier: 61696 [->] Request [ReadDataByIdentifier / 0x22] dataIdentifier: 61746 [<-] Response [ReadDataByIdentifier / 0x22] dataRecord: [54, 56, 50, 51, 51, 53, 51, 53, 65, 67] dataIdentifier: 61746 “68233535AC” [->] Request [ReadDataByIdentifier / 0x22] dataIdentifier: 61776 [<-] Response [ReadDataByIdentifier / 0x22] dataRecord: [19, 8, 0] dataIdentifier: 61776

  41. Conclusions

  42. Practical Stuff • Get an OBD-II device • Fault codes, clear MIL • Right to Repair • OpenGarages, DEF CON Car Hacking Village

  43. The Future • Ethernet Based Diagnostics: DoIP • CAN FD • Vehicle APIs • Tesla • Ford OpenXC • More tools based on pyvit :)

  44. Thanks! Questions? https://github.com/linklayer/pyvit eric@evenchick.com @ericevenchick https://linklayer.com https://atredis.com

Recommend

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
Mesh Networks | Hacking The T3lc0 Model http://arig.org.il What's a Mesh Anyway ? Mesh =

Mesh Networks | Hacking The T3lc0 Model http://arig.org.il What's a Mesh Anyway ? Mesh =

Mesh Networks | Hacking The T3lc0 Model http://arig.org.il What's a Mesh Anyway ? Mesh = topology. anything not a star / bus / ring / tree Nodes = routers, smart phones, cars anything wi-fi enabled Links = wireless connections

516 views • 25 slides
Python tools JOSE MANUEL ORTEGA @JMORTEGAC https://speakerdeck.com/jmortega INDEX

Python tools JOSE MANUEL ORTEGA @JMORTEGAC https://speakerdeck.com/jmortega INDEX

Ethical hacking with Python tools JOSE MANUEL ORTEGA @JMORTEGAC https://speakerdeck.com/jmortega INDEX Introduction Python pentesting Modules(Sockets,Requests,BeautifulSoup,Shodan) Analysis metadata Port scanning &amp; Checking

871 views • 66 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation &amp; privilege escalation 4. Maintaining access &amp; covering tracks

960 views • 62 slides
Python Tidbits Python created by that guy ---&gt; Python is named after Monty Pythons

Python Tidbits Python created by that guy ---&gt; Python is named after Monty Pythons

Python Tidbits Python created by that guy ---&gt; Python is named after Monty Pythons Flying Circus 1991 Python 0.9.0 Released 2008 Python 2.6 / 3.0rc2 Current Python 2.7.1 / 3.2 *7 th most popular language

753 views • 37 slides
Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1 Disclaimer Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees implied or

692 views • 47 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits &amp; Demos Q&amp;A Why? Wrights Law

486 views • 27 slides
Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by benign purposes Hacktivism Counterhacking Case Studies Site defacement Network exploration / Port scanning / SQL injection / . . .

522 views • 18 slides
1 Parallelism in Python The Problem with Shared State Python provides two mechanisms for

1 Parallelism in Python The Problem with Shared State Python provides two mechanisms for

Python Example of a MapReduce Application The mapper and reducer are both self contained Python programs Read from standard input and write to standard output ! Mapper Tell Unix: this is Python #!/usr/bin/env python3 The emit function

464 views • 3 slides
Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

ECF gratefully acknowledges financial support from the European Commission. Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in) the city of Copenhagen using bicycles. Bicycle-as-a-Sensor 1.

278 views • 11 slides
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers Objectives After reading this chapter and completing the exercises, you will be able to: Describe Web applications Explain Web application

530 views • 9 slides
Ray tracing for Ray tracing for Cars challenges Cars challenges the movie Cars the movie

Ray tracing for Ray tracing for Cars challenges Cars challenges the movie Cars the movie

Per ChristensenPer Christensen Ray tracing for Ray tracing for Cars challenges Cars challenges the movie Cars the movie Cars Animation: cars that move, talk, think Animation: cars that move, talk, think

307 views • 6 slides
Getting Started with Python The Python Interpreter A piece of software that executes

Getting Started with Python The Python Interpreter A piece of software that executes

Object-Oriented Programming in Python Goldwasser and Letscher Chapter 2 Getting Started with Python The Python Interpreter A piece of software that executes commands for the Python language Start the interpreter by typing python at a

862 views • 27 slides
KMS ENTERPRISE AG, SWITZERLAND brand name of cars conversion projects ARMORTECH

KMS ENTERPRISE AG, SWITZERLAND brand name of cars conversion projects ARMORTECH

KMS ENTERPRISE AG, SWITZERLAND brand name of cars conversion projects ARMORTECH STRETCHED CARS ARMOURED CARS STRETCHED AND ARMOURED CARS TUNING OF CARS VIP LIMOUSINE SERVICE a little bit more than the best limousine

537 views • 30 slides
HO HOW MANY W MANY SMAR SMART CARS T CARS DOES IT TAKE T DOES IT T AKE TO MAKE O MAKE A

HO HOW MANY W MANY SMAR SMART CARS T CARS DOES IT TAKE T DOES IT T AKE TO MAKE O MAKE A

HO HOW MANY W MANY SMAR SMART CARS T CARS DOES IT TAKE T DOES IT T AKE TO MAKE O MAKE A SMART TRAFFIC A SMAR T TRAFFIC NETWORK? NETW ORK? C. G . G. Cassand . Cassandras as Division of Systems Engineering Dept. of Electrical and

559 views • 23 slides
An introduction to Python Andreas Bjerre-Nielsen Agenda 1. Python: what it is; why and how we

An introduction to Python Andreas Bjerre-Nielsen Agenda 1. Python: what it is; why and how we

An introduction to Python Andreas Bjerre-Nielsen Agenda 1. Python: what it is; why and how we learn it 2. Python scripts and Jupyter 3. Fundamental data types 4. Basic Python procedures: operators, functions, methods etc. 5. Conditional

978 views • 66 slides
We already know Java. Why learn Python? Using Python to Implement Algorithms Python has far less

We already know Java. Why learn Python? Using Python to Implement Algorithms Python has far less

We already know Java. Why learn Python? Using Python to Implement Algorithms Python has far less overhead than Java for the programmer. Tyler Moore Python is closer to psuedo-code on the English-pseudocode-code spectrum than Java or C/C++, but

615 views • 9 slides
AI and Self-Driving Cars Heechul Yun Autonomous Car

AI and Self-Driving Cars Heechul Yun Autonomous Car

AI and Self-Driving Cars Heechul Yun Autonomous Car https://www.latimes.com/business/autos/la-fi-waymo-self-driving-california-20181030-story.html 2 Levels of Automation (SAE J3016) L1 Some cars today L2 Tesla L3 Uber

427 views • 28 slides
Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat 2011 Las Vegas, NV Presen sented ed b by: Francis Brown Rob Ragan Stach &amp; Liu, LLC www.stachliu.com Agenda O V E R V I E W

1.07k views • 72 slides
First Tool: Python! Introduction to python programming Gholamhossein Tavasoli @ ZNU First Tool:

First Tool: Python! Introduction to python programming Gholamhossein Tavasoli @ ZNU First Tool:

First Tool: Python! Introduction to python programming Gholamhossein Tavasoli @ ZNU First Tool: Python! Python Programming Language Python Programming Language Created in 1991 by Guido van Rossum Python Cro ross Platform Pro rogramming

662 views • 62 slides
ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING

ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING

ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING TOOLKIT FREE, OPEN-SOURCE WHAT IS ZIGDIGGITY??? + = RaspBee radio + Raspberry Pi ZigDiggity - GitHub Code http://zigdiggity.com BISHOPFOX

617 views • 23 slides
Travel and transport MOTOR CYCLES Exceeding 50 cc MOTOR CARS Light Vehicle Cars including

Travel and transport MOTOR CYCLES Exceeding 50 cc MOTOR CARS Light Vehicle Cars including

Topic 6: Travel and transport MOTOR CYCLES Exceeding 50 cc MOTOR CARS Light Vehicle Cars including Campervan, MPVs (less than 8 passengers) and their effects. Taxis, limousines, Light Vehicles towing a caravan or trailer with any number

506 views • 14 slides
Peninsula Corridor JPB Caltrain Rail Transportation Group Generation II Cars Update Bicycle

Peninsula Corridor JPB Caltrain Rail Transportation Group Generation II Cars Update Bicycle

3/17/2016 Peninsula Corridor JPB Caltrain Rail Transportation Group Generation II Cars Update Bicycle Advisory Committee March 17, 2016 Agenda Item #8 Service Fleet Configuration 16 Bombardier Cars (from Metrolink) Phase 1 5 Cars

92 views • 8 slides
Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020

Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020

Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020 HACKING C# - ADAM FURMANEK About me Experienced with backend, frontend, mobile, desktop, ML, databases. Blogger, public speaker. Author of .NET

481 views • 37 slides

More recommend