Overview - canbushack

* Name: Robert Leale
* Age: (I own a Buick, don’t ask)
* Sign: Aquarius
* Hobbies: Finding time to do hobbies
* Pass-time: Reading Bytes from the CAN BUS
* Website: www.CanBusHack.com
* Twitter: @Idonttweets
* YOUR TURN:
* What do you hope to get out of this workshop?
* Any experience with connecting to a vehicle?
* Grab this presentation from
http://www.CanBusHack.com/defcon19/workshop.pptx
* Grab Vehicle Spy 3 Demo (used later) at
http://intrepidcs.com/support/vspytrial.htm
* Introduction
* Connecting to Vehicle
* What’s in the car?
* What is Vehicle Network Communications (Demo)
* Compare Vehicle Comms vs. Ethernet
* Compare Vehicle Comms vs. TCP/IP
* Types of Vehicle Network Physical Layers
  * J1850 PWM/VPW
  * LIN/ISO 9141
  * CAN Bus
    * SWCAN
    * LSFT CAN
    * DW CAN
* Devices Used to Connect to CAN BUS
  * Arduino (Demo)
  * neoVI/ValueCAN (Demo)
  * Generic ELM Tool
* DW CAN Bus Physical Network (Wires and Resistive Properties)
* CAN BUS Data Frame
* IPC or other Controller (Demo)
* Understanding the data on the Bus: Diagnostic Message vs. Normal Messages
* Reverse Engineering Normal Messages (Demo)
* Diagnostic Protocols
  * OBDII
  * ISO 14230/ISO 14229
  * GMLAN
  * Controller Security Access (Possible Demo)
  * Immobilizers (Possible Demo)
* Diagnostic Message Commands using CAN BUS
* Normal Message Commands using CAN BUS
* Understanding Security Systems
* Q&A
* The autoAPIa Project
* Connecting to the Vehicle
* J1962 aka OBDII Connector
* Found on all 1996 and newer automobiles
* Designed primarily as an interface for ScanTools
Pin | Signal            | Description
2   | J1850 Bus+        |
4   | CGND              | Chassis ground
5   | SGND              | Signal ground
6   | CAN High          | J-2284
7   | K-LINE            | ISO 9141-2 and ISO/DIS 14230-4
10  | J1850 Bus-        |
14  | CAN Low           | J-2284
15  | ISO 9141-2 L-LINE | ISO 9141-2 and ISO/DIS 14230-4
16  | +12v              | Battery power
Source: http://pinouts.ru/connector/16_pin_car_J1962_OBD_2_special_connector.shtml
* Multiple controllers connected via network controller
* Controllers can easily share information quickly and efficiently
Diagram: controllers sharing the CAN BUS: Outside Mirror, ABS, Air Conditioner, Engine Control, Seat Position, Suspension, Instrument Panel, Power Window, Transmission, Battery
* What is Vehicle Network Communications (Demo)
* Originally used for diagnostic purposes
* Used to decrease wiring harnesses.
* Distributed Systems: i.e. central locking, engine management, much more.
* Demo.
SHOW ME!
*Compare Vehicle Comms vs. Ethernet
* Much smaller frame size: 25 bytes vs. 1,500 bytes (average)
* More reliable data transfer: Strong CRC and Arbitration
* Low, Low Latency: Small Frames = Quicker Response
* Slower: Data rates from 9,600kbps to 500kbps
* Ethernet and CAN are both Differential Signals
* Ethernet and CAN both use CSMA/CD
*Compare Vehicle Comms vs. TCP/IP
* Stateless Connection: Data transmitted may not have receivers
* Addressing is on a Message Level: Arbitration ID vs. IP Address
* Message is Small: Typically only 1 byte or 1 bit in length
* Data is often sent at a periodic rate.
* Although protocols exist, no standards are required.
*Types of Vehicle Network Physical Layers
* J1850 Variable Pulse Width (VPW) and Pulse Width Modulation (PWM)
* Local Interconnect Network (LIN)
* ISO 9141
* Controller Area Network (CAN): DW CAN, SW CAN, and LSFT CAN
* Media Oriented Serial Transfer (MOST)
* FlexRay
* Body Electronic Area Network (BEAN (Toyota))
*J1850 PWM/VPW
* J1850 PWM (Pulse Width Modulation)
* Uses a Two Wire, Differential Signal
* Defined as PIN 2 and 10 on OBDII Connector
* Used by Ford, called Ford SCP
* Uses PWM to define the bit states (1 or 0)
* Really Old and no longer in use!
* PINs 2 and 10 on J1962 connector
* J1850 VPW (Variable Pulse Width)
* Uses a Single Wire
* Defined as PIN 2 on OBDII Connector
* Used by GM and Chrysler, Called Class 2 at GM
* Uses VPW to define the bit states (1 or 0)
* Old but only recently replaced entirely at GM
* PIN 2 on J1962 Connector
*LIN / ISO 9141
* Both LIN and ISO 9141:
* Use a Simple One Wire line
* Data transmitted using a Single Transistor to Ground
* Based on UART
* ISO 9141
* Requires Initialization of either Fast Init or 5 Baud
* Often called K-Line
* Can be on PIN 7 (check this) of OBDII, but sometimes there is more than one K-Line
* Used almost exclusively for Diagnostics (No Normal Traffic)
* PIN 7 on J1962 Connector
* LIN:
* Newer type of network for Sub-bus applications
* Single Master/Multi Slave network
* Designed to replace low speed networks
* Typically runs at 9,600 or 10,400 Kbps
* Monitoring the network is easy, Writing Data is difficult
* SAE Standardized Protocol J2602 (version 1.2, 1.3, 2.0 and 2.1)
* Specification available for FREE at http://www.lin-subbus.org/
*CAN Bus
* Defined by Bosch
* 2 Versions: 2.0A and 2.0B; only 2.0B is used in vehicles
* Has two types of Monikers: 11-bit and 29-bit
* 11-bit and 29-bit describe the size of the Arbitration ID
* Great for use in near real-time systems where latency is an issue
* CAN Controllers are on-chip peripherals used when connected to a CAN BUS
* 3 physical Layers (Transceivers) are currently used:
* SW CAN – Found only in GM and some older Hondas
* LSFT CAN – Found in older Chrysler, VW, Mercedes, and newer KIA
* DW CAN – Standard OBDII Protocol for 2008+ Cars; found in other, older vehicles as well.
*SW CAN
* Developed by GM, but also found on 2010 and older Hondas
* Replaced GM’s J1850 VPW (Class 2) network.
* Used as a Low Speed alternative to DW CAN
* Known as the “Body Bus” because typically only used for Body Control information
* Standard Baud rate of 33.333kbps
* Uses a Single Wire (SW)
* SAE J2411 Specifies the requirements for SW CAN
* 60 Meter total Bus Length
* 0-5 Volt normal signaling levels
* Uses High Voltage Mode for Bus Wake-up
* Most Fun Network to Hack because of all of the data and functionality found on the network.
*LSFT CAN
* Low Speed Fault Tolerant (ISO 11898-2)
* Body network found in many older German vehicles and newer KIAs
* 2 wire network that supports the loss of either wire
* Typical Baud Rates: 50Kbps, 83.333Kbps, 100Kbps, and 125Kbps
* Never found at the OBDII Port
*DW CAN
* Dual Wire CAN (ISO 11898-1) also known as J2284
* Most prevalent version of CAN BUS
* Fastest form of CAN with Supported Data Rates of up to 1Mbps
* OBD compliant implementation runs at 500Kbps
* Also used as the Mid-Speed Bus on Ford, GM, and others
* Typical Baud Rates of 125Kbps, 250Kbps, 500Kbps, 800Kbps
* Differential Signal to help shield against EMI
* Found on PINs 6 & 14 of OBD Connector (And others as MS CAN)
* Typically used for Real-Time data such as Powertrain and Vehicle Dynamic information
*Devices Used to Connect to CAN BUS
* Arduino - SK Pang Arduino Shield
* Around $50.00
* Support for DW CAN (ISO 11898-1)
* neoVI/ValueCAN – Intrepid Control Systems
* ValueCAN $295, neoVI $1,200 ~ $1,995
* Engineering Level tool used by Suppliers and OEMs
* Extremely versatile software called Vehicle Spy
* Costly, designed for professional applications
* ELM – ELM Electronics
* Many, Many Scantools designed around ELM platform or ELM clones
* Typically designed for Scantool Manufacturers
*Generic ELM Tool
* Chipset based on Microchip PIC18
* Supports ALL OBDII protocols
* Supports extensive AT command set for easy access
* Costly for high volume implementations
* Lots of current tools using ELM Chip
* Lots of Clones that offer more support and more features
*DW CAN Bus Physical Network
* Twisted Pair similar to Ethernet
* Requires 120 Ohm Terminating Resistors at the beginning and end of network
* Differential Signal to protect against EMI
* Supports between 2 and 30 nodes
* Baud Rate/Cable Length TradeOff
*CAN BUS Data Frame
* Data Frames contain: Start of Frame (SOF), Arbitration ID, Control Field, Data Field, CRC, ACK, End of Frame (EOF), InterFrame Idle
* Can contain between 0 and 8 bytes of data
* Data protected by CRC-15 (x^15 + x^14 + x^10 + x^8 + x^7 + x^4 + x^3 + 1)
* Most common type of Frame
Field layout of a standard (11-bit identifier) CAN data frame:

Field             | Size                | Contents
Start of Frame    | 1 bit               |
Arbitration Field | 12 bits             | 11-bit Identifier (ID10 ... ID0), RTR (0 for a data frame)
Control Field     | 6 bits              | IDE, RB0 (Reserved Bits, 0 0), 4-bit Data Length Code (DLC3 ... DLC0)
Data Field        | 8N bits (0 ≤ N ≤ 8) |
CRC Field         | 16 bits             | 15-bit CRC, Del (delimiter)
Ack Field         | 2 bits              | ACK slot (0 when acknowledged), Del
End of Frame      | 7 bits              |
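The CRC-15 named on the frame slide, worked through as an added example (not code from the presentation): the Bosch shift-register algorithm is run over the SOF, Arbitration, Control and Data fields of a constructed standard frame, the 15-bit CRC sequence is appended, and the receiver-side check is shown catching a single flipped bit. The identifier $1A0 and data bytes are made up for the demo.

```python
"""Added example: the CAN CRC-15 from the frame slide, generator
x^15 + x^14 + x^10 + x^8 + x^7 + x^4 + x^3 + 1, computed bit by bit over
the SOF, Arbitration, Control and Data fields the way a CAN controller does."""

CRC15_POLY = 0x4599  # the generator polynomial with its x^15 term dropped

def crc15(bits):
    """Bosch CAN 2.0 shift-register algorithm: register starts at 0, each
    message bit is clocked in, result is M(x) * x^15 mod G(x) (15 bits)."""
    reg = 0
    for bit in bits:
        feedback = bit ^ (reg >> 14)   # bit leaving the register vs. bit entering
        reg = (reg << 1) & 0x7FFF
        if feedback:
            reg ^= CRC15_POLY
    return reg

def to_bits(value, width):
    """Most-significant bit first, the order bits go onto the wire."""
    return [(value >> i) & 1 for i in range(width - 1, -1, -1)]

def frame_bits(arb_id, data):
    """Bits the CRC covers in a standard (11-bit) data frame:
    SOF, ID10..ID0, RTR, IDE, RB0, DLC3..DLC0, then the Data Field."""
    bits = [0]                          # Start of Frame: one dominant bit
    bits += to_bits(arb_id, 11)         # Arbitration Field: identifier
    bits += [0, 0, 0]                   # RTR=0 data frame, IDE=0 standard, RB0=0
    bits += to_bits(len(data), 4)       # Control Field: Data Length Code
    for byte in data:
        bits += to_bits(byte, 8)        # Data Field: 8N bits
    return bits

def build(arb_id, data):
    """Transmitter side: message bits followed by their 15-bit CRC sequence."""
    msg = frame_bits(arb_id, data)
    return msg + to_bits(crc15(msg), 15)

def crc_check(received_bits):
    """Receiver side: clocking message + CRC sequence through the same
    register leaves 0 when the frame arrived intact."""
    return crc15(received_bits) == 0

if __name__ == "__main__":
    wire = build(0x1A0, b"\x0a\x00\x08")    # constructed frame: ID $1A0, 3 bytes
    print("intact frame passes:", crc_check(wire))
    corrupted = wire[:]
    corrupted[20] ^= 1                      # one bit flipped in transit
    print("flipped bit detected:", not crc_check(corrupted))
```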
*Arduino (Demo)
* Send and Receive CAN Data
* Don’t Forget our Resistors!
*neoVI/ValueCAN (Demo)
* Send and Receive CAN Data
* Create Simulator Script to respond to Arduino’s Messages
* Send Data to Control Ford IPC
*Cluster Controller
* Look, Mom! I can set my vehicle speed! (Demo)
* Diagnostic Message vs. Normal Messages
* Diagnostic Messages:
* Strict protocol
* Designed to be used by scantools (in other words, by people)
* Command/Response messages
* Used to Request one or more controllers to perform an action
* Not a normal part of data across the network, must be initiated
* Normal Messages:
* Typical interaction between controllers
* Used to share data between controllers
* Used to communicate commands like door lock/unlock
* Reverse Engineering Normal Messages (Demo)
* Look for patterns in the data
* Actuate input or output to see what changes
* Use filtering as much as possible (99% of what you see is noise)
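Added example (not from the presentation) tying the two slides above together: constructed capture lines are split into diagnostic traffic on the arbitration IDs ISO 15765-4 reserves for OBD-II ($7DF functional request, $7E0-$7E7 physical requests, $7E8-$7EF responses) versus normal traffic, a Mode $01 single-frame response is decoded, and a "before actuation" capture is compared with an "after" capture to find the one normal-message byte that changed while a cycling counter is filtered out as noise. The identifiers $1A0 and $2C4 and every payload are made up for the demo.

```python
"""Added example: sort a CAN capture into diagnostic vs. normal traffic, decode
an OBD-II single frame, find which normal-message bytes changed. Constructed data."""
from collections import defaultdict

# 11-bit arbitration IDs that ISO 15765-4 reserves for OBD-II diagnostics.
OBD_FUNCTIONAL_REQ = 0x7DF              # scantool broadcast request
OBD_PHYSICAL_REQ = range(0x7E0, 0x7E8)  # request to one specific ECU
OBD_RESPONSE = range(0x7E8, 0x7F0)      # ECU responses

def parse_frame(line):
    """'7DF#02010C' -> (0x7DF, bytes 02 01 0C); the line format is constructed."""
    ident, _, data = line.strip().partition("#")
    return int(ident, 16), bytes.fromhex(data)

def is_diagnostic(arb_id):
    """Command/response traffic lives on the reserved IDs; all else is 'normal'."""
    return arb_id == OBD_FUNCTIONAL_REQ or arb_id in OBD_PHYSICAL_REQ or arb_id in OBD_RESPONSE

def decode_obd_single_frame(data):
    """ISO 15765-2 single frame: byte 0 is the PCI (high nibble 0 = single frame,
    low nibble = payload length), then mode, PID, value. Positive response = mode + $40."""
    length = data[0] & 0x0F
    if data[0] >> 4 != 0 or not 2 <= length <= 7 or len(data) < 1 + length:
        return None                   # not a well-formed single frame
    if data[1] == 0x7F or not data[1] & 0x40:
        return None                   # negative response ($7F) or a request
    return {"mode": data[1] - 0x40, "pid": data[2], "value": data[3:1 + length]}

def changed_bytes(before, after):
    """Per arbitration ID seen in both captures, byte positions whose value in 'after'
    never appeared in 'before'. Counters cycling in both are not flagged; diagnostic IDs skipped."""
    seen = defaultdict(lambda: defaultdict(set))
    for arb_id, data in before:
        for pos, b in enumerate(data):
            seen[arb_id][pos].add(b)
    changed = defaultdict(set)
    for arb_id, data in after:
        if arb_id not in seen or is_diagnostic(arb_id):
            continue
        for pos, b in enumerate(data):
            if b not in seen[arb_id][pos]:
                changed[arb_id].add(pos)
    return {k: sorted(v) for k, v in changed.items()}

# Constructed captures: $2C4 byte 0 is a rolling counter (noise), $1A0 byte 2
# flips when a door switch is actuated, $7DF/$7E8 are a Mode $01 PID $0C exchange.
BEFORE = [parse_frame(l) for l in
          ["2C4#00FF", "1A0#0A0000", "2C4#01FF", "1A0#0A0000", "2C4#02FF"]]
AFTER = [parse_frame(l) for l in
         ["2C4#00FF", "1A0#0A0008", "7DF#02010C", "7E8#04410C1AF8", "2C4#02FF"]]
```

`changed_bytes(BEFORE, AFTER)` returns `{0x1A0: [2]}`: the counter in $2C4 and the diagnostic exchange both drop out, leaving the single byte worth correlating with the actuated input.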
*Diagnostic Protocols
* On Board Diagnostics (OBDII)
* Many OEM Specific Application Layer Protocols
* ISO 14229 – UDS
* ISO 14230 – Keyword 2000
* GMLAN (GMW 3110)
* More…
* Often referred to as Enhanced Diagnostics
* Nearly all CAN BUS diagnostic protocols are based on ISO 15765-2 (Data Link Layer Protocol)
*ISO 14230 & ISO 14229
* ISO 14229 – Universal Diagnostic Service
* ISO 14230 – Keyword 2000
* Many overlapping functions
* Combined, they make up around 80% of all diagnostic protocols for vehicles sold in North America
* Each allows for OEM Specific Functions and Responses
* Used for everything from reflashing controller firmware to reading DTCs to controlling outputs (My favorite!)
*GMLAN
* General Motors Diagnostic Protocol (GMW 3110)
* Introduced on 2005 Saab 9-3
* Allows for Reading and Writing Data, as well as controlling outputs on nodes
*OBDII
* On Board Diagnostics v.2
* Exists on 1996 and newer vehicles
* Defined in SAE J1979 Specification
* Has 10 “Modes” or Defined Functions
* For Emissions-Related Diagnostics ONLY
* Mode $01 Supports Reading over 200 possible Parameters
* Represents about 10% of all diagnostics on a current vehicle

Mode | Description
$01  | Read Data by Parameter ID (PID)
$02  | Read Freeze Frame Data
$03  | Read Diagnostic Trouble Codes (DTCs)
$04  | Clear Emissions-Related Codes
$05  | Display O2 Sensor Info
$06  | Request OBD Test Results
$07  | Request DTCs During Last Driving Cycle
$08  | Control Data by PID
$09  | Request Vehicle Information
$0A  | Read Permanent DTCs
* OSI Model
Layer | Name         | OBD II              | Enhanced Diagnostics
7     | Application  | J1979 / ISO 15031-5 | GMLAN, FNOS, UDS, +
6     | Presentation | J1979 / ISO 15031-5 | ISO 15031-3
5     | Session      | -                   | -
4     | Transport    | -                   | ISO 15031-3
3     | Network      | -                   | -
2     | Data Link    | ISO 15765-4         | ISO 15031-2
1     | Physical     | ISO 15765-4         | CAN, ISO-9141, J1850, +
* Diagnostic Commands using CAN BUS
* Used to control Controller Outputs for testing purposes
* At the mercy of the Controller Software
* Can do things like Unlock/Lock doors, change Engine Idle Speed, and turn on/off lights or indicators
* Commands often are in sequences of Functions in order to yield desired result
* Typically less desired method for commands, but often results in more vehicles covered
* Normal Message Commands using CAN BUS
* Commands are the Car’s Commands, you are just using them yourself
* Typically harder to find
* Changes often between years and sometimes between vehicles from the same OEM
* Can be the source of Physical Layer (CAN BUS) error frames
* Often the most appropriate method for sending commands as you are using the vehicle’s messages for carrying out commands
* Understanding Security Systems
* Used to protect certain commands and functions, such as software updates and commands that may do harm to the vehicle, from unauthorized access
* Vary widely between OEMs
* Typically use Mode $27
* Send a Request for a Seed
* Apply Algorithm and Secret Key
* Send Key back to Controller to “Unlock” Security
* Often can be done via brute-force on many OEMs
* If you ‘crack’ it, it can be profitable
*Immobilizers
* System protecting your car from Nicolas Cage in “Gone in 60”
* Cuts fuel supply to engine if a valid key is not introduced in the key cylinder or, for push-button vehicles, available in the car
* Use RFID technology to authenticate key to vehicle
* Two major companies are players in Immobilizers:
* Texas Instruments – 40bit and 80bit key
* NXP – 48bit and 96bit key
* Typically use proprietary algorithm and hash functions for authentication
* Many types of Immobilizer systems:
* Directly coupled to Engine Controller
* Indirect, multi-authentication systems that use CAN BUS as medium
* Side Channel Attacks are very popular
* Off-the-shelf immobilizer bypass modules can be purchased to clone existing keys for remote-start applications
*The autoAPIa Project
* Open-participation, reverse engineering project
* Got data, wanna profit?
* autoAPIa is the database of proprietary vehicle data parameters and commands
* Contributors will be compensated when others pay for data
* Many companies need data from the vehicle, but because it is all proprietary, only Hackers can get the data
* Go to CanBusHack.com to learn
* Then go to autoAPIa.com (coming soon) to upload your data, get paid when others buy the data
*Q&A
* Question
* Then
* Answer
* (Maybe)
* Obligatory LOLCat