In this tutorial, we will be installing a simulator to safely perform some car hacking magic!
Modern vehicles utilise an interface known as CAN Bus, a Controller Area Network that allows the various computerised devices and sensors in a car to communicate. Tapping into this network will enhance the level of control we have over our vehicle's systems.
Today, we will install the base-level tools required for our Linux environment to read and display data on a CAN Bus network. As manipulating a real network comes with a large learning curve, we can use the tool ICSim to simulate a car Instrument Cluster to gradually build our hacking abilities without needing to be next to a vehicle or with the risk of damaging hardware.
1.0 Getting Started
Package Updating
Before installing any new tools, it is crucial to ensure the current state of your system is up to date.
The Advanced Package Tool (APT) is a built-in tool for managing software packages within Debian-based Linux distributions (such as Kali or Mint). APT uses a range of known registers of software packages, referred to as repositories, to search for packages available for installation.
By first updating APT, your systems repositories will be up-to-date with the latest software package versions, ensuring you don't accidentally install outdated versions of new tools.
To get started, you can update the APT tool by entering the following command in the terminal:
sudo apt-get update
With the package manager updated, we can now run the upgrade command to install the new versions. Occasionally, the system may ask for permission before allowing specific changes to take effect.
sudo apt-get upgrade
With this stage complete, your system will be ready to install new tools.
Installing Can Bus Utilities
One of the key packages we require is can-utils, which includes tools such as "can dump" and "can sniffer" for reading, displaying, and sending CAN Bus messages. This package will be at the heart of our car hacking activities on Linux.
This tool can be installed by entering the following command:
sudo apt-get install can-utils
Installing the Simulator
Now we can view CAN Bus data; we need a network to analyse it. Besides connecting to actual hardware, this can be accomplished using a simulator, such as ICSim. This method will prove easier, as ICSim can be configured, offering the potential to practice hacking a multitude of "cars" that can be further specified to run at different difficulty levels. Additionally, ICSim generates less traffic than an actual vehicle, which will be incredibly beneficial when starting out.
To install the simulator, we need to download the project on Git Hub and then install another set of tools to build this project as executable files on our system.
To clone the tool, we first need to install Git (if not already installed):
sudo apt-get install git
Once done, we can clone the Git project using the following command:
git clone https://github.com/zombieCraig/ICSim.git
This will install a copy of the project onto our system.
The project will be installed as a new folder within your computer's file system. This folder contains a series of scripts for the tools to generate and visualise the simulated CAN traffic.
You can change to this directory and display its contents using the following commands:
cd ICSim
ls
The simulator is formed as parts. The controls program produces the CAN data and allows you to generate signals you would typically find within a car (e.g. Indicating and locking doors). The icsim program visualises a car Instrument Cluster and displays the outcome of the data it receives.
A file highlighted in green, "setup_vcan.sh," is a pre-produced script that sets up the simulator for you. Using the "cat" command, we can display its contents.
cat setup_vcan.sh
The file contains the necessary terminal commands to set up a virtual CAN interface. The simulator will use this connection as a substitute for a connection to an actual CAN Bus adaptor connected to a car.
When investigating the directory, it is also noticeable that "controls.c" and "icsim.c" are not highlighted as green; this is because they are not yet executable. To convert the uncompiled C code files into an executable program, we need to build them with a compiler. However, before we can do this, we need to install an additional tool to make this possible.
The following command will install the packages required in this stage:
sudo apt-get install libsdl2-dev libsdl2-image-dev
Using the "make" command, we can build all the uncompiled scripts in the ICSim directory:
make all
We can now see the "controls" and "icsim" executables available in the directory.
This concludes the installation section of this tutorial.
2.0 Running the Simulator
Starting the Interface
Running the setup script will create the connection to the virtual CAN network.
./setup_vcan.sh
This instruction has to be run every time before you run the simulator to ensure that the virtual connection has been established, as it will disappear when you shutdown your computer.
When running the network interface connection tool ifconfig, we can see "vcan0" among the listed network interfaces.
ifconfig vcan0
Starting the Simulator
The tools within the ICSim simulator will need to run in their own terminal window to execute. This can be done by opening a new terminal window when starting each tool or, if your distro permits, splitting the terminal window into separate panels.
The first part of the simulator to start is the controller; we can do this by creating a new terminal and running the following command:
start the controller
cd ICSim
./controls vcan0
This will display the UI of the control program, which allows us to influence the output of the CAN Bus transmissions.
Using a game controller, you can follow the diagram to change the signals sent by the controller program. Otherwise, you can command the program with your keyboard, referring to the key combinations below:
Command | Key Combination |
Accelerate | Up Arrow |
Left Indicator | Left Arrow |
Right Indicator | Right Arrow |
Unlock Door | Right Shift + X/Y/A/B |
Lock Door | Left Shift + X/Y/A/B |
With the controller set up, we just need to verify that it is properly generating the CAN messages.
To check that the data is being transmitted on our virtual network, we can make use of the Can Sniffer tool, which came with the can-utils package we installed earlier.
To achieve this, we need to run "cansniffer" in a new terminal, specifying the network interface we want to analyse:
cansniffer vcan0
With this, we can peak into the raw data that can be "sniffed" from our virtual network, confirming that our tools have been successfully installed.
The important parts of the received messages are the columns for the Arbitration ID and the payload data. The ayload data is the actual data being sent withib the overal message, liek the body of an email.
The data section of a standard CAN packet is 8-bytes, which in cansiffer are represented as hexadecimal characters. each hexadecimal character represents 4 bits, so each 8-bit byte of data is displayed as a group of two hex characters. Looking at the image below, you should be able to see up to 8 of these pairs per message row, though not all messages need to utilise the whole 8-byte limit.
The abundance of information can be quite challenging, and this will worsen when connecting to a real car with many more devices contributing to the network traffic. We will investigate some of the features of cansniffer later, which will overcome much of this issue.
start the dashboard
To start the virtual dashboard, we can launch the icsim program within a new terminal window:
cd ICSim
./icsim vcan0
This will display the visualisation of an Instrument cluster that reacts to the data it received, including indicator repeaters, a large MHP speedometer, and a door lock status indicator.
Can Sniffer comes with some useful tools to clarify the data presented. Firstly, you can turn on highlighting by pressing the "C" key on your keyboard, followed by the Enter key. This will cause the changing parts of the data to be coloured red, with the static parts remaining white.
This is beneficial as it is the changing parts of the messages we want to concentrate on. Mor specifically to investigate what data changes when we send our controller signals.
Even with the highlogting, there is still a vast amount of data to process,
filtering to a high frequency of changes
Comments