Transcript of * Name: Robert Leale * Age: (I own a Buick, dont ask) * Sign: Aquarius * Hobbies: Finding time to do...
Introduction
* Name: Robert Leale
* Age: (I own a Buick, don’t ask)
* Sign: Aquarius
* Hobbies: Finding time to do hobbies
* Pastime: Reading bytes from the CAN bus
* Website: www.CanBusHack.com
* Twitter: @Idonttweets
* YOUR TURN:
* What do you hope to get out of this workshop?
* Any experience with connecting to a vehicle?
Links
* Grab this presentation from http://www.CanBusHack.com/defcon19/workshop.pptx
* Grab the Vehicle Spy 3 demo (used later) at http://intrepidcs.com/support/vspytrial.htm
Overview
* Introduction
* Connecting to Vehicle
* What’s in the car?
* What is Vehicle Network Communications (Demo)
* Compare Vehicle Comms vs. Ethernet
* Compare Vehicle Comms vs. TCP/IP
* Types of Vehicle Network Physical Layers
  * J1850 PWM/VPW
  * LIN/ISO 9141
  * CAN Bus
    * SWCAN
    * LSFT CAN
    * DW CAN
* Devices Used to Connect to CAN BUS
  * Arduino (Demo)
  * neoVI/ValueCAN (Demo)
  * Generic ELM Tool
* DW CAN Bus Physical Network (Wires and Resistive Properties)
* CAN BUS Data Frame
* IPC or other Controller (Demo)
* Understanding the data on the Bus: Diagnostic Message vs. Normal Messages
* Reverse Engineering Normal Messages (Demo)
* Diagnostic Protocols
  * OBDII
  * ISO 14230/ISO 14229
  * GMLAN
* Diagnostic Message Commands using CAN BUS
* Normal Message Commands using CAN BUS
* Understanding Security Systems
  * Controller Security Access (Possible Demo)
  * Immobilizers (Possible Demo)
* Q&A
* The autoAPIa Project
Connecting to the Vehicle
* J1962 aka OBDII Connector
* Found on all 1996 and newer automobiles
* Designed primarily as an interface for ScanTools
* Pinout (from http://pinouts.ru/connector/16_pin_car_J1962_OBD_2_special_connector.shtml):
Pin  Signal    Description
2    J1850     Bus+
4    CGND      Chassis ground
5    SGND      Signal ground
6    CAN High  J-2284
7    K-LINE    ISO 9141-2 and ISO/DIS 14230-4
10   J1850     Bus-
14   CAN Low   J-2284
15   L-LINE    ISO 9141-2 and ISO/DIS 14230-4
16   +12V      Battery power
What’s in the Car? What’s in the CAR!
* Multiple controllers connected via a network controller
* Controllers can easily share information quickly and efficiently
* Diagram: modules hanging off the CAN bus: Power Window, ABS, Seat Position, Engine Control, Transmission, Suspension, Outside Mirror, Air Conditioner, Instrument Panel, Battery
What is Vehicle Network Communications (Demo)
* Originally used for diagnostic purposes
* Used to decrease wiring harnesses
* Distributed systems, i.e. central locking, engine management, much more
* Demo. SHOW ME!
Vehicle Comms vs. Ethernet
* Much smaller frame size: 25 bytes vs. 1,500 bytes (average)
* More reliable data transfer: strong CRC and arbitration
* Low, low latency: small frames = quicker response
* Slower: data rates from 9,600 bps to 500 kbps
* Ethernet and CAN are both differential signals
* Ethernet and CAN both use CSMA/CD-style multiple access (on CAN, collisions are resolved by bitwise arbitration rather than back-off)
Vehicle Comms vs. TCP/IP
* Stateless connection: data transmitted may not have receivers
* Addressing is on a message level: arbitration ID vs. IP address
* Message is small: typically only 1 byte or 1 bit in length
* Data is often sent at a periodic rate
* Although protocols exist, no standards are required
Types of Vehicle Network Physical Layers
* J1850 Variable Pulse Width (VPW) and Pulse Width Modulation (PWM)
* Local Interconnect Network (LIN)
* ISO 9141
* Controller Area Network (CAN): DW CAN, SW CAN, and LSFT CAN
* Media Oriented Systems Transport (MOST)
* FlexRay
* Body Electronic Area Network (BEAN, Toyota)
J1850 PWM/VPW
J1850 PWM (Pulse Width Modulation):
* Uses a two-wire differential signal
* Defined as pins 2 and 10 on the OBDII (J1962) connector
* Used by Ford, called Ford SCP
* Uses PWM to define the bit states (1 or 0)
* Really old and no longer in use!
J1850 VPW (Variable Pulse Width):
* Uses a single wire
* Defined as pin 2 on the OBDII (J1962) connector
* Used by GM and Chrysler; called Class 2 at GM
* Uses VPW to define the bit states (1 or 0)
* Old, but only recently replaced entirely at GM
LIN/ISO 9141
Both LIN and ISO 9141:
* Use a simple one-wire line
* Data transmitted using a single transistor to ground
* Based on UART
ISO 9141:
* Requires initialization by either fast init or 5-baud init
* Often called K-Line
* Can be on pin 7 of the OBDII (J1962) connector (check this), but sometimes there is more than one K-Line
* Used almost exclusively for diagnostics (no normal traffic)
LIN:
* Newer type of network for sub-bus applications
* Single master / multi-slave network
* Designed to replace low-speed networks
* Typically runs at 9,600 or 10,400 bps
* Monitoring the network is easy; writing data is difficult
* SAE standardized protocol J2602 (versions 1.2, 1.3, 2.0 and 2.1)
* Specification available for FREE at http://www.lin-subbus.org/
CAN Bus
* Defined by Bosch
* 2 versions: 2.0A and 2.0B; only 2.0B is used in vehicles
* Has two types of monikers: 11-bit and 29-bit
* 11-bit and 29-bit describe the size of the arbitration ID
* Great for use in near-real-time systems where latency is an issue
* CAN controllers are on-chip peripherals used when connected to a CAN bus
* 3 physical layers (transceivers) are currently used:
  * SW CAN – found only in GM and some older Hondas
  * LSFT CAN – found in older Chrysler, VW, Mercedes, and newer KIA
  * DW CAN – standard OBDII protocol for 2008+ cars; found in other, older vehicles as well
CAN Bus: SW CAN
* Developed by GM, but also found on 2010 and older Hondas
* Replaced GM’s J1850 VPW (Class 2) network
* Used as a low-speed alternative to DW CAN
* Known as the “Body Bus” because it is typically only used for body control information
* Standard baud rate of 33.333 kbps
* Uses a single wire (SW)
* SAE J2411 specifies the requirements for SW CAN
* 60 meter total bus length
* 0–5 Volt normal signaling levels
* Uses high-voltage mode for bus wake-up
* Most fun network to hack because of all of the data and functionality found on the network
CAN Bus: LSFT CAN
* Low Speed Fault Tolerant (ISO 11898-2)
* Body network found in many older German vehicles and newer KIAs
* 2-wire network that supports the loss of either wire
* Typical baud rates: 50 kbps, 83.333 kbps, 100 kbps, and 125 kbps
* Never found at the OBDII port
CAN Bus: DW CAN
* Dual Wire CAN (ISO 11898-1), also known as J2284
* Most prevalent version of CAN bus
* Fastest form of CAN, with supported data rates of up to 1 Mbps
* OBD-compliant implementation runs at 500 kbps
* Also used as the mid-speed bus on Ford, GM, and others
* Typical baud rates of 125 kbps, 250 kbps, 500 kbps, 800 kbps
* Differential signal to help shield against EMI
* Found on pins 6 & 14 of the OBD connector (and on others as MS CAN)
* Typically used for real-time data such as powertrain and vehicle dynamics information
Devices Used to Connect to CAN BUS
Arduino – SK Pang Arduino shield:
* Around $50.00
* Support for DW CAN (ISO 11898-1)
neoVI/ValueCAN – Intrepid Control Systems:
* ValueCAN $295, neoVI $1,200 ~ $1,995
* Engineering-level tool used by suppliers and OEMs
* Extremely versatile software called Vehicle Spy
* Costly, designed for professional applications
ELM – ELM Electronics:
* Many, many scantools designed around the ELM platform or ELM clones
* Typically designed for scantool manufacturers
ELM
* Chipset based on Microchip PIC18
* Supports ALL OBDII protocols
* Supports an extensive AT command set for easy access
* Costly for high-volume implementations
* Lots of current tools using the ELM chip
* Lots of clones that offer more support and more features
DW CAN Bus Physical Network
* Twisted pair, similar to Ethernet
* Requires 120 Ohm terminating resistors at the beginning and end of the network
* Differential signal to protect against EMI
* Supports between 2 and 30 nodes
* Baud rate / cable length trade-off
CAN BUS Data Frame
* Data frames contain: Start of Frame (SOF), Arbitration ID, Control Field, Data Field, CRC, ACK, End of Frame (EOF), Inter-Frame Idle
* Can contain between 0 and 8 bytes of data
* Data protected by CRC-15 (x^15 + x^14 + x^10 + x^8 + x^7 + x^4 + x^3 + 1)
* Most common type of frame
CAN Bus Data Frame in Detail (standard 11-bit frame; field widths in bits)
Field              Bits              Contents
Start of Frame     1                 single dominant bit
Arbitration Field  12                Identifier ID10..ID0 (11 bits), RTR
Control Field      6                 IDE, reserved bit (RB0), DLC3..DLC0 (4 bits, Data Length Code)
Data Field         8N (0 <= N <= 8)  N data bytes
CRC Field          16                CRC (15 bits), CRC delimiter
ACK Field          2                 ACK slot, ACK delimiter
End of Frame       7                 recessive bits
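The frame layout above, worked through as an added Python example that is not part of the workshop material: it assembles the bits the CRC protects in a standard 11-bit data frame and computes the CRC-15 named on the slide using the shift-register procedure from the Bosch CAN 2.0 specification. The arbitration IDs and data bytes in the demo calls are constructed sample values; bit stuffing, the CRC/ACK delimiters and EOF are left out.

```python
# Added example (not from the workshop slides): assemble the CRC-covered bits of
# a standard 11-bit CAN 2.0A data frame and compute the CRC-15 from the slide,
# x^15 + x^14 + x^10 + x^8 + x^7 + x^4 + x^3 + 1, following the Bosch CAN 2.0
# shift-register description (initial value 0, no reflection, no final XOR).
# Bit stuffing, the CRC/ACK delimiters and EOF are not modelled.

CRC15_POLY = 0x4599  # x^14, x^10, x^8, x^7, x^4, x^3, x^0; the x^15 term is implicit


def crc15(bits):
    """CAN CRC-15 over an iterable of 0/1 ints, first-transmitted bit first."""
    reg = 0
    for bit in bits:
        crc_next = bit ^ ((reg >> 14) & 1)   # MSB of the register XOR incoming bit
        reg = (reg << 1) & 0x7FFF            # shift left, keep 15 bits
        if crc_next:
            reg ^= CRC15_POLY
    return reg


def int_to_bits(value, width):
    """Big-endian bit list of `value`, `width` bits wide."""
    return [(value >> i) & 1 for i in range(width - 1, -1, -1)]


def build_frame_bits(arb_id, data):
    """Bits the CRC protects, in wire order: SOF, 11-bit identifier, RTR,
    IDE, r0 (the reserved bit), 4-bit DLC, then the data bytes."""
    if not 0 <= arb_id <= 0x7FF:
        raise ValueError("standard identifier must fit in 11 bits")
    if len(data) > 8:
        raise ValueError("classic CAN data field is 0..8 bytes")
    bits = [0]                          # SOF: a single dominant bit
    bits += int_to_bits(arb_id, 11)     # arbitration field: ID10 .. ID0
    bits += [0]                         # RTR = dominant for a data frame
    bits += [0, 0]                      # control field: IDE = 0 (11-bit), r0
    bits += int_to_bits(len(data), 4)   # DLC3 .. DLC0
    for byte in data:
        bits += int_to_bits(byte, 8)    # data field, 8*N bits
    return bits


def frame_crc(arb_id, data):
    """CRC-15 a transmitter would place in the CRC field for this frame."""
    return crc15(build_frame_bits(arb_id, data))


def crc_check(arb_id, data, received_crc):
    """Receiver-side check: running the CRC over the frame bits followed by the
    15 received CRC bits leaves a zero remainder for an undamaged frame."""
    bits = build_frame_bits(arb_id, data) + int_to_bits(received_crc, 15)
    return crc15(bits) == 0


def detects_bit_flip(arb_id, data, bit_index):
    """True if flipping one bit of the protected region is caught by the CRC
    (always the case for a single-bit error with this polynomial)."""
    bits = build_frame_bits(arb_id, data)
    crc = crc15(bits)
    bits[bit_index] ^= 1
    return crc15(bits + int_to_bits(crc, 15)) != 0


if __name__ == "__main__":
    # Constructed sample: OBD-II functional request ID 0x7DF, mode $01 PID $0C
    print(hex(frame_crc(0x7DF, bytes([0x02, 0x01, 0x0C]))))
```

A receiver runs the same register over the received bits plus the 15 CRC bits and expects a zero remainder, which is what crc_check does. Because the polynomial has a nonzero constant term, every single-bit error in the protected region is detected; this frame-level CRC is why corrupted frames are normally rejected by the CAN controller itself rather than reaching diagnostic or application code.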
Arduino (Demo)
* Send and receive CAN data
* Don’t forget our resistors!
neoVI/ValueCAN (Demo)
* Send and receive CAN data
* Create a simulator script to respond to the Arduino’s messages
* Send data to control a Ford IPC
Cluster Controller (Demo)
* Look, Mom! I can set my vehicle speed!
Diagnostic Messages vs. Normal Messages
Diagnostic messages:
* Strict protocol
* Designed to be used by scantools (in other words, by people)
* Command/response messages
* Used to request one or more controllers to perform an action
* Not a normal part of the data across the network; must be initiated
Normal messages:
* Typical interaction between controllers
* Used to share data between controllers
* Used to communicate commands like door lock/unlock
Reverse Engineering Normal Messages (Demo)
* Look for patterns in the data
* Actuate an input or output to see what changes
* Use filtering as much as possible (99% of what you see is noise)
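The three steps above (look for patterns, actuate something, filter out the noise) as an added Python script that is not from the workshop: it diffs two constructed captures in candump log format, one taken with the vehicle idle and one taken right after a door-lock button press. The interface name, arbitration IDs and data bytes are made up for illustration; the technique generalizes to any capture pair where one known event separates the two.

```python
# Added example (not from the workshop slides): the pattern/filter workflow,
# applied to two constructed captures in candump log format ("(time) iface ID#DATA").
# BASELINE_LOG = vehicle idle; ACTUATED_LOG = same vehicle right after pressing
# the door-lock button. IDs and data are made up for illustration.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)

BASELINE_LOG = """
(1.000) can0 0C9#8012FA10
(1.010) can0 1F1#00A0
(1.020) can0 3E5#0000
(1.030) can0 0C9#8012FB10
(1.040) can0 1F1#01A0
(1.050) can0 3E5#0000
"""

ACTUATED_LOG = """
(2.000) can0 0C9#8012F010
(2.010) can0 1F1#02A0
(2.015) can0 2F5#4001
(2.020) can0 3E5#0100
(2.030) can0 0C9#8012F110
(2.040) can0 1F1#03A0
(2.050) can0 3E5#0100
"""


def parse_log(text):
    """Return (timestamp, arbitration id, data bytes) tuples; skip malformed lines."""
    frames = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def byte_values(frames):
    """arbitration id -> byte position -> set of values seen at that position."""
    seen = defaultdict(lambda: defaultdict(set))
    for _, arb_id, data in frames:
        for pos, value in enumerate(data):
            seen[arb_id][pos].add(value)
    return seen


def find_candidates(baseline, actuated):
    """IDs/byte positions worth a closer look: either the ID never appeared at
    baseline, or the byte was constant at baseline and took a new value after
    the actuation. Bytes that already varied at baseline (counters, sensor
    values, checksums) are treated as noise and dropped: that is the filtering."""
    base = byte_values(baseline)
    act = byte_values(actuated)
    candidates = {}
    for arb_id, positions in act.items():
        if arb_id not in base:
            candidates[arb_id] = sorted(positions)
            continue
        changed = sorted(
            pos for pos, values in positions.items()
            if len(base[arb_id][pos]) <= 1 and not values <= base[arb_id][pos]
        )
        if changed:
            candidates[arb_id] = changed
    return candidates


def report(candidates):
    return "\n".join(f"ID 0x{arb_id:03X}: look at byte(s) {pos}"
                     for arb_id, pos in sorted(candidates.items()))


if __name__ == "__main__":
    print(report(find_candidates(parse_log(BASELINE_LOG), parse_log(ACTUATED_LOG))))
```

On the constructed logs the script discards 0x0C9 and 0x1F1 (their changing bytes already changed at baseline, so they are noise here) and flags 0x2F5, which only appears after the button press, plus byte 0 of 0x3E5, which went from 00 to 01. Repeating the capture for lock and unlock, and confirming that the candidate byte tracks the action, is the pattern step; a one-off coincidence in a single capture pair proves nothing.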
Diagnostic Protocols
* On Board Diagnostics (OBDII)
* Many OEM-specific application layer protocols:
  * ISO 14229 – UDS
  * ISO 14230 – Keyword 2000
  * GMLAN (GMW 3110)
  * More…
* Often referred to as Enhanced Diagnostics
* Nearly all CAN bus diagnostic protocols are based on ISO 15765-2 (data link layer protocol)
ISO 14230 & ISO 14229
* ISO 14229 – Unified Diagnostic Services (UDS)
* ISO 14230 – Keyword 2000
* Many overlapping functions
* Combined, they make up around 80% of all diagnostic protocols for vehicles sold in North America
* Each allows for OEM-specific functions and responses
* Used for everything from reflashing controller firmware to reading DTCs to controlling outputs (my favorite!)
GMLAN
* General Motors diagnostic protocol (GMW 3110)
* Introduced on the 2005 Saab 9-3
* Allows for reading and writing data, as well as controlling outputs on nodes
OBD II
* On Board Diagnostics v.2
* Exists on 1996 and newer vehicles
* Defined in the SAE J1979 specification
* Has 10 “Modes” or defined functions
* For emissions-related diagnostics ONLY
* Mode $01 supports reading over 200 possible parameters
* Represents about 10% of all diagnostics on a current vehicle
Mode  Description
$01   Read Data by Parameter ID (PID)
$02   Read Freeze Frame Data
$03   Read Diagnostic Trouble Codes (DTCs)
$04   Clear Emissions-Related Codes
$05   Display O2 Sensor Info
$06   Request OBD Test Results
$07   Request DTCs During Last Driving Cycle
$08   Control Data by PID
$09   Request Vehicle Information
$0A   Read Permanent DTCs
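Both the ISO 15765-2 point from the Diagnostic Protocols slide and the mode table above, as one added Python example that is not from the workshop: an ISO-TP layer with both sides of the exchange simulated, carrying a mode $01 request (which fits a single frame) and a mode $09 PID $02 VIN request (whose reply needs a first frame, a flow control and consecutive frames). Assumptions: the tester uses functional ID 0x7DF, the answering ECU transmits on 0x7E8 and takes flow control on 0x7E0, padding is 0x00, the VIN is a constructed string, and ISO-TP timing parameters are ignored.

```python
# Added example (not from the workshop slides): an ISO 15765-2 (ISO-TP) layer
# carrying SAE J1979 OBD-II requests over 11-bit CAN, with both sides of the
# exchange simulated. Assumptions: functional request ID 0x7DF, the first ECU
# answering on 0x7E8 and taking flow control on 0x7E0, 0x00 padding, and a
# constructed VIN in the mode $09 reply. Timing (STmin, N_Cr) is ignored.

OBD_REQUEST_ID = 0x7DF   # functional address: every OBD ECU listens
ECU_PHYSICAL_ID = 0x7E0  # physical request ID of the ECU answering on 0x7E8
ECU_RESPONSE_ID = 0x7E8
FLOW_CONTROL_CTS = bytes([0x30, 0x00, 0x00]).ljust(8, b"\x00")  # ContinueToSend, BS=0, STmin=0


def single_frame(payload):
    """SF: PCI nibble 0, low nibble = payload length (max 7), padded to 8 bytes."""
    if len(payload) > 7:
        raise ValueError("payload > 7 bytes needs FF/CF segmentation")
    return (bytes([len(payload)]) + payload).ljust(8, b"\x00")


def segment(payload):
    """Sender side: SF for <= 7 bytes, else FF (12-bit length, 6 data bytes)
    followed by CFs with a 4-bit rolling sequence number and 7 bytes each."""
    if len(payload) <= 7:
        return [single_frame(payload)]
    if len(payload) > 0xFFF:
        raise ValueError("length exceeds the 12-bit FF length field")
    frames = [bytes([0x10 | (len(payload) >> 8), len(payload) & 0xFF]) + payload[:6]]
    for seq, offset in enumerate(range(6, len(payload), 7), start=1):
        frames.append((bytes([0x20 | (seq & 0x0F)]) + payload[offset:offset + 7]).ljust(8, b"\x00"))
    return frames


class Reassembler:
    """Receiver side. feed() returns (complete payload or None, frame to send back or None)."""

    def __init__(self):
        self.expected = 0
        self.buf = bytearray()
        self.seq = 0

    def feed(self, frame):
        pci = frame[0] >> 4
        if pci == 0:                                   # single frame
            length = frame[0] & 0x0F
            return bytes(frame[1:1 + length]), None
        if pci == 1:                                   # first frame
            self.expected = ((frame[0] & 0x0F) << 8) | frame[1]
            self.buf = bytearray(frame[2:8])
            self.seq = 1
            return None, FLOW_CONTROL_CTS
        if pci == 2:                                   # consecutive frame
            if (frame[0] & 0x0F) != (self.seq & 0x0F):
                raise ValueError("consecutive frame out of sequence")
            self.seq += 1
            self.buf += frame[1:1 + min(7, self.expected - len(self.buf))]
            if len(self.buf) >= self.expected:
                payload, self.buf = bytes(self.buf), bytearray()
                return payload, None
            return None, None
        raise ValueError("flow control is only sent by the receiving side")


def run_exchange(request, ecu_payload):
    """Simulate tester -> ECU request and the ECU's (possibly segmented) reply.
    Returns (reassembled reply, list of (CAN id, frame) as seen on the bus).
    With BS=0/STmin=0 the ECU streams all CFs after one flow control, so the
    lockstep loop below reproduces the frame order of a real exchange."""
    bus = [(OBD_REQUEST_ID, single_frame(request))]
    rx = Reassembler()
    reply = None
    for frame in segment(ecu_payload):
        bus.append((ECU_RESPONSE_ID, frame))
        reply, fc = rx.feed(frame)
        if fc is not None:
            bus.append((ECU_PHYSICAL_ID, fc))
    return reply, bus


def decode_mode01(payload):
    """Mode $01 positive response: 0x41, PID, data bytes A, B ... (J1979)."""
    if payload[0] != 0x41:
        raise ValueError("not a mode $01 positive response")
    pid, a = payload[1], payload[2]
    if pid == 0x0C:                        # engine RPM = (256*A + B) / 4
        return ((a << 8) | payload[3]) / 4
    if pid == 0x0D:                        # vehicle speed = A km/h
        return a
    raise ValueError("PID decoding not included in this example")


def decode_vin(payload):
    """Mode $09 PID $02 positive response: 0x49, 0x02, item count, 17 ASCII bytes."""
    if payload[:2] != b"\x49\x02":
        raise ValueError("not a mode $09 PID $02 positive response")
    return payload[3:20].decode("ascii")


VIN_REPLY = b"\x49\x02\x01" + b"1EXAMPLEVIN000000"   # constructed 20-byte reply


if __name__ == "__main__":
    rpm_reply, _ = run_exchange(b"\x01\x0C", b"\x41\x0C\x1A\xF8")
    vin_reply, bus = run_exchange(b"\x09\x02", VIN_REPLY)
    print(decode_mode01(rpm_reply), decode_vin(vin_reply), len(bus))
```

The VIN exchange puts five frames on the bus: the 8-byte request on 0x7DF, the first frame on 0x7E8, the tester's flow control on 0x7E0, and two consecutive frames. A positive response always has the service ID plus 0x40 in its first byte (0x41 for mode $01, 0x49 for mode $09); a negative response starts with 0x7F, which decode_mode01 and decode_vin reject rather than misread as data.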
OSI Model
Layer  Name          OBD II               Enhanced Diagnostics
7      Application   J1979 / ISO 15031-5  GMLAN, FNOS, UDS, +
6      Presentation  J1979 / ISO 15031-5  ISO 15031-3
5      Session       -                    -
4      Transport     -                    ISO 15031-3
3      Network       -                    -
2      Data Link     ISO 15765-4          ISO 15031-2
1      Physical      ISO 15765-4          CAN, ISO-9141, J1850, +
Diagnostic Commands using CAN BUS
* Used to control controller outputs for testing purposes
* At the mercy of the controller software
* Can do things like unlock/lock doors, change engine idle speed, and turn lights or indicators on/off
* Commands are often sequences of functions in order to yield the desired result
* Typically the less desired method for commands, but often results in more vehicles covered
Normal Message Commands using CAN BUS
* Commands are the car’s own commands; you are just using them yourself
* Typically harder to find
* Change often between years and sometimes between vehicles from the same OEM
* Can be the source of physical layer (CAN bus) error frames
* Often the most appropriate method for sending commands, as you are using the vehicle’s own messages to carry out commands
Understanding Security Systems
* Used to protect against unauthorized access to certain commands and functions, such as software updates and commands that may do harm to the vehicle
* Vary widely between OEMs
* Typically use Mode $27
* Send a request for a seed
* Apply algorithm and secret key
* Send key back to controller to “unlock” security
* Often can be done via brute-force on many OEMs
* If you ‘crack’ it, it can be profitable
Immobilizers
* System protecting your car from Nicolas Cage in “Gone in 60”
* Cuts the fuel supply to the engine if a valid key is not introduced in the key cylinder or, for push-button vehicles, present in the car
* Use RFID technology to authenticate the key to the vehicle
* Two major companies are players in immobilizers:
  * Texas Instruments – 40-bit and 80-bit key
  * NXP – 48-bit and 96-bit key
* Typically use proprietary algorithms and hash functions for authentication
* Many types of immobilizer systems:
  * Directly coupled to the engine controller
  * Indirect, multi-authentication systems that use the CAN bus as the medium
* Side channel attacks are very popular
* Off-the-shelf immobilizer bypass modules can be purchased to clone existing keys for remote-start applications
The autoAPIa Project
* Open-participation reverse engineering project
* Got data, wanna profit?
* autoAPIa is the database of proprietary vehicle data parameters and commands
* Contributors will be compensated when others pay for data
* Many companies need data from the vehicle, but because it is all proprietary, only hackers can get the data
* Go to CanBusHack.com to learn
* Then go to autoAPIa.com (coming soon) to upload your data; get paid when others buy the data
Q&A
* Question
* Then
* Answer
* (Maybe)
Obligatory LOLCat
Le FIN