Alex (host): Hey everyone, Alex here, coming at you from the CactusCon Discord command post. It's my pleasure bringing you our next talk, Introduction to Car Hacking Basics, with K "Turbo Yoda" Singh, who's an incident responder with BlackBerry Security Services and part-time car tinkerer. Don't forget to stay tuned after the talk for live Q&A; just go ahead and click the link on your screen. Enjoy.

K: Hey guys, my name is K and this is my CactusCon 2021 presentation on Introduction to Car Hacking Basics. Before we begin, a quick disclaimer: if you try to actually take any of this to your car and fry something, don't come after me. I'm not liable; I can't afford to pay you out if you decide to sue me or come after me. If you learn something from this presentation, which I hope you do, and you try it on your car or someone else's car and you break something, don't come after me. You know, you do this at your own risk. It's pretty easy to fry a car.

With that said, you may have been wondering: I'm actually not Agent K from Men in Black, as my name suggests. I can't pull off a suit for 30 minutes, let alone 24/7. I'm just an associate incident response consultant at BlackBerry, and despite what my handle says, I am not related to, nor am I, Baby Yoda. Apparently it's a common misconception that's been going around, so sorry, not that cute. You didn't come here for my autobiography though; you came here to learn how to hack a car, but virtually, because cars are expensive and big, some are ugly, and they're a little bit of an investment.

This is a video I took a few years back in college when I just got into this. This is my 2013 Camry, so it's a fairly new car, and I gave it a little bit of an aneurysm. You see, obviously, the rev counter is going up and down across the range, and the engine oil light and the key fob light are flickering right above it. Essentially I was spamming it with random packets and the ECU, the engine control unit, was freaking out trying to figure out what was going on. And so this is where the danger comes in: you can send a command that may permanently have, like, a check engine light that comes on and you have to pay a diagnostic fee, or maybe you do something with the brake system and cause it to not work at some point. These are things you kind of do at your own risk, so if you break something I'm not liable. And just one more look, because I think this is absolutely hilarious.

So you might think, or guess, that a car has a lot of computers. I had already mentioned one, the engine control unit that manages the engine and all about it. But as you buy a newer and newer car, as well as a more advanced car, you're going to find that there's a lot more computers in a car. A ten thousand dollar Nissan Sentra may only have, you know, your radio, your air con, your gauge cluster, steering, brakes, engine, like the bare basics. Then you get lucky and you buy like a ninety thousand dollar Audi or a BMW, and all of a sudden you'll have a computer for things like adaptive cruise control and automatic braking, keyless entry, blind spot detection, navigation system, and it goes on and on and on. The point I'm trying to get to here is they all have to communicate somehow. They're all interlinked, and that method, or how they're interlinked, is the Controller Area Network bus, or the CAN bus. Essentially it connects all of the computers and modules in a car together. It doesn't matter if it's something as important as the engine controller or as insignificant as, like, your seat controls or your light controls or the charger in the back, because who cares if your kid can't charge your tablet, you know. They're all interconnected to this network in one way or another.

CAN bus first started being developed in 1986 by Bosch Electronics, and in 1991 Mercedes, like they tend to do with a lot of the newer technology that sort of trickles down to other cars, brought a car to market with CAN. This is the car right here: it's a 1991 Mercedes S-Class, it's the W140 chassis. It's old, you've probably seen one around; these things are tanks, you know, they're known for it. But essentially Mercedes brought this to market for the first time.

You might be wondering, well, okay, there's a network, how do I interface with it? You know, how do I mess with it, or how do I get information from it? Well, in your car there's a connector called the OBD-II connector; it's the On-Board Diagnostics II connector. This is a pinout right here. This specific connector has been a worldwide standard since 1996. Any car after 1996, or if you want to be safer, like 1997 for whatever reason, will have this connector, and these pins will be standardized; they're going to be the same no matter what. Four and five are going to be your grounds, you will have a 16-pin, pin 16 will be your 12 volts, and 6 and 14 will be your CAN bus pins. And this connects not only to CAN bus but to things like LIN bus and maybe something weird and proprietary the manufacturer has going on.

For the purpose of this presentation I'm going to be referring to CAN high and CAN low as just CAN bus, just to keep things simpler, and you'll see why. Essentially some things may have a higher priority than others on CAN high versus CAN low. Like, if I go back, you kind of want your brakes to be a slightly higher priority than your lights. That's just my guess; maybe the manufacturer thinks something different, I kind of hope not, but you know. So CAN high gets higher priority for things, but for the purposes of this we're just going to assume it's a flat topology, because we're not going to be doing too much.

And you guys might be wondering, well, okay, history 101, why are we still talking about the 1990s? Well, the answer is modern cars haven't changed much. CAN bus is still the standard for basic communications between all the computers on a car. There's only been a couple of minor revisions since 1991 and the core principles are still the same. Some manufacturers will do things like run multiple CAN buses at the same time in parallel, but they can still be accessed through the same OBD-II port with the same pinout.

And if you've ever been interested in cars, you might not know that CAN bus fully exists. Essentially OEMs practice security through obscurity, meaning they don't talk about it. They'll talk about, you know, our engine control unit is brand new and a lot faster or whatever, or we have more computers, but they don't necessarily directly mention CAN bus. So the most you generally are able to find are the original Bosch white paper, some other white papers, and research done by my other fellow security researchers; maybe they've hacked their own car or someone else's car. So this means that CAN bus is fairly old and still has some of the same vulnerabilities that it did back then.

But so far you might be thinking, okay, well, there's only one way to access it, which is through the port in the car. Well, as we add newer and newer technology, more computers, to a car, it adds more attack vectors. You might have a cellular connection for your navigation system, you might have an in-car Wi-Fi hotspot, you might have Bluetooth to play music through the radio. These are just more and more attack vectors; it's just another way to gain access to the system. And slowly but surely this is starting to sound an awful lot like just pen testing a network, and the answer is it kind of is. When you interface with CAN bus on a laptop it shows up as a network adapter, meaning you can just pop good old Wireshark up, plug everything in, set up the interface, and you are ready to read CAN bus and inject packets if you have the hardware. Twenty dollars gets you an adapter to plug into your car and read packets, make a packet dump even. We'll get more into that at the end, but essentially it's not that expensive, relatively speaking, to start car hacking if you happen to have a car. It's just the serial connection that you make with the OBD-II port and your laptop.

But we're not here for an actual car, because like I said they're expensive and you kind of don't want to break a car if you only have one. You can all do this virtually; it's pretty easy. All you need is a laptop or a virtual machine. I will be doing this in a virtual machine. You can actually do the car hacking with a physical car and a virtual machine as well, but for the purposes of this I will be using Ubuntu 20.04. You can use whatever distro you want as long as it has a couple of prerequisites. The two that we're going to be going over are can-utils and ICSim. If you have some weird aversion to Linux, you can also do this on Windows using a program called BUSMASTER. Unfortunately I found it to be a little finicky, and you kind of do need a real car for the most part unless you can find a database online, so I'm not going to be going over that. Last but not least, most importantly, you need patience. This is really tedious, this entire process, and you might get a little frustrated. Anger management classes are always great, or you can just buy food. I prefer the food; it seems to be cheaper and it's pretty good. But enough of that, on to the show.

First of all, I just mentioned that you will need can-utils and ICSim. ICSim is this lovely program made by Zombie Craig, and essentially it provides a virtual gauge cluster and controller for your quote-unquote car right here. You need can-utils and these prerequisites; you also have to be able to use the makefile in here. You have to compile this yourself, so it's pretty distro agnostic. These commands are from Ubuntu, but all of these you can find on other distros, and can-utils is also on GitHub. If you want to get more advanced, Jay Gamblin has this script which pulls a lot more tools, such as Kayak and CaringCaribou amongst others, including ICSim and UDSim. By the time you guys will see this I also have my own fork. Unfortunately I've run into issues with this one in the past, and currently between different Ubuntu versions there's not really much difference, but hopefully by the time this airs this will be updated to work on both 18 and 20. The same with Gamblin's; this might get updated as well.

Anyways, I have a pretty clean Ubuntu 20.04 install, and as you can see I'm going to start from the bare basics. I'm actually going to delete my previous directory to show you what you get when you first clone this from GitHub. I'm going to clone it and I'm going to change directory. So first you have to run the makefile, which is just make. You'll see that goes on pretty fast. You'll notice you have controls and icsim, but before we get to play with that we actually have to set up the vcan interface, or run the setup_vcan script. I've already done it, so no need to do that. The next steps are bringing up the actual interface, the network interface. We're going to modprobe vcan; I've already done this, I'm just going to go through the command history, and then we're going to run these two commands. They're just ip link commands to bring the interface up, and when you get it all done, you'll see when you run ip link that you have this as a network adapter. These instructions are also on Zombie Craig's page, so I'm kind of breezing through them real fast.

But now that we've got ICSim installed, we will change directory to ICSim and we are going to launch icsim on vcan0. See, and we have a gauge cluster. Wow, this is your very own Ferrari. Not really. I don't believe you can actually make this bigger, so I'm sorry if this is a little small, but you have your speedo, your tickers and your car doors, which will be here. Now this is pretty boring; nothing's going on. To get things to actually work you need to also launch the controls package as well: controls and then vcan0. Now before we do this, I'm going to show you real fast, like I said before, this shows up as a network adapter on Wireshark. I'll leave this in the corner here, but you see it's pretty dead right now; there's no packets going through. As soon as we launch controls we'll see a couple of things happen. One, instantly packets start flooding the interface; you know something's going on. Next you'll see this needle is slightly moving; the engine, quote-unquote, is now idling. Now you have this amazingly drawn DualShock 3-ish controller, better than I can draw. Ironically, despite this being a PlayStation controller or whatever, you need an Xbox controller. Unfortunately I don't have one on hand; some say I had a really rough Halo game and it was thrown. I'm going to plead the fifth on that one. But if you don't have a controller like me, you can also use arrow keys, and as you can see I'm holding the up arrow on my keyboard and the gauge cluster is moving up slowly but surely. We also have the tickers, and these are turning green, and you can also mess with the doors.

So that's great and all, you've got a simulated car, but now we have to actually read and inject packets. You can either do this through Wireshark, take a packet dump, go through it at your leisure, or there's another tool in can-utils called cansniffer. cansniffer will take all these packets and sort of condense them or compress them into this: whatever repeated IDs you have, they will be here, and whatever is changing will be in red if you use the flag -c like I did. See, okay, this is nicely packaged, but it is fairly hard to kind of correlate all of this together. So this is what I meant, you need patience, because this is a game of sort of recording what you see here, correlating it with this, injecting packets and praying it works. Two things: we don't have time for that, and I also like to cheat a lot. So since I'm a dirty little cheater, I just happen to have another VM with all the commands right here. So real fast I'm going to copy this one here, and I have a second terminal here, and so this is just cansend. I'm going to send this packet to vcan0. Okay, nothing happened, let's try again, and again, and you'll see right there, just barely, it flicked to 280 or the other end. But this is tedious; you're not going to want to stand around doing that, so I'm going to go back, because I'm too lazy to actually write this, to a very quick and dirty for loop. We're doing 280 miles an hour, one of the fastest cars in the world, with occasional stops back to zero, which kind of hurt if you're in the car. So in less than like three minutes you already have a virtual car going and we're injecting packets, but add a little more time because I did a little cheat. So that's pretty cool and all. You could probably find that after like a couple of minutes of work if you just kind of spam all these IDs.

But let's say you get bored of that, let's say you've already recorded all this. Well, the great thing about ICSim is that it also has a randomizer in it. If you use the flag -r you can generate a seed value. Please go over here and move this over to controls. We're going to use the seed value with the flag -s and then vcan0. Boom, so it's back to working, we see packets. But if I do this, okay, I was hoping that would be in my history, it's not for whatever reason. If I do this again, it's not doing anything. That's simply because the values have changed. Any time you redo the seed value, it'll change the values; I mean you have more things to work with. If you get bored of this you can also go on further and further with the other tools mentioned in the car hacking tools script; you get more things to play with and more things to emulate.

Let's say you get bored of this, you win the lottery and you buy a brand new car, or someone gave you a free car. Amazing, I'm kind of jealous honestly, and you want to break it, I mean, you want to hack it, sorry. If you want to hack your car you're going to need a couple of things. You're going to need a laptop, unless you prefer dragging your rig out to the garage. If you can fit your car in your house, I'd be also jealous of that. You need a PC: Linux, Windows, whatever. If you want to just get started off with looking at CAN bus, this is an ELM327 off of Amazon; this specific one is 20 dollars on Amazon. You have some downsides, with it being extremely limited: you run out of buffer space real fast, you can't inject packets, but you will see some CAN bus packets. The next step up, and if you have an Arduino like an Uno on hand, this is great, you just need the shield board. This is the Seeed Studio CAN-BUS Shield V2, long name. Plug this in with your Uno, this serial port goes out to your CAN bus, and you have USB going to your laptop, and you can read packets, you can inject packets, and you can have all the fun in the world, as long as you don't break something in your car. If you want to be a little more professional, I suppose, or have an easier, like, custom built solution, the CANtact exists. This is the original CANtact; this is what I started out using. It's by Evan... and I can't say his last name, Evenchick, sorry if I butchered it. That thing was like about 70 dollars all in with the two cables you need to connect to the car and to your PC. Amazing, you can do everything. I believe it's now being replaced by the CANtact Pro, which lets you do two CAN interfaces simultaneously on your PC. It has a couple of other cool things like a bigger buffer, I believe. So that's all you need to get started or to inject packets and stuff: just one of these guys, patience, and probably fearlessness, because this is kind of risky in your real car. So yeah, that's that. I believe we are going to be having a quick Q&A right now, so I will see you there.
