How to hack a car — a quick crash-course

Published: 2019-05-11

by Kenny Kuchera

The goal of this article is to get you started hacking cars — fast, cheap, and easy. In order to do this, we’ll spoof the RPM gauge as an example.

The following is by no means an exhaustive tutorial. It instead aims to provide just enough information to get you up and running. If you want to dig deeper you can check out the must-reads at the end.

If you decide to carry out this tutorial in real life, you’ll need a Linux computer (or a virtual Linux machine), and a CAN-to-USB device (which we’ll look into later).

A car is a network

A car consists of multiple computers that control the engine, transmission, windows, locks, lights, etc. These computers are called electronic control units (ECUs) and communicate with each other over a network.

For example, when you press the button on your steering wheel to increase the volume of the radio, the steering wheel ECU sends a command to increase the volume onto the network; the radio ECU then sees this command and acts accordingly.

There are multiple networks in a car, generally at least two:

  • One for critical data such as engine and powertrain messages

  • And one for less critical data such as radio and door locks

The critical network uses a fast and reliable protocol whereas the non-critical network uses a slower, less reliable but cheaper protocol. The number of networks as well as which ECUs are networked together depends on the car make, model and year. An ECU could also be connected to multiple networks.

Connecting to a network

Some networks can be accessed via the OBD-II port. The OBD-II port is mandatory on all cars and light trucks built in the US after 1996 and in Europe after 2004.

The connector is within arm's reach of the driver's seat. You might need to lift off a plastic cover, but it is always accessible without tools.

The OBD-II standard allows for multiple signaling protocols, and it's up to the manufacturer to decide which one to use. CAN is the most popular one and is what we will discuss. It is accessible via pins 6 and 14 of the OBD-II connector. If your car has a CAN bus, you will see metal leads on those pins, as in the image above.

The CAN bus is a reliable, high-speed bus that is used to send critical data. Unfortunately the data packets on the bus are not standardized, so you will need to reverse-engineer them to know what they mean. The OBD-II standard also leaves room for vendor-specific pins that can be used for vendor-specific protocols. This makes it easier for the dealer to diagnose problems.

On my car (GM), I have a standard CAN bus on pins 6 and 14, and a vendor specific single wire CAN bus on pin 1. The standard CAN bus is a reliable, high speed (500 kbps) protocol also referred to as high speed CAN (HS-CAN). It is used for critical data. The single wire CAN bus (SW-CAN) or GMLAN is slower (33.3 kbps) and less reliable but cheaper since it only uses one wire. This bus is used for non-critical data.

If you see a vendor specific pin and don’t know which protocol is being used, Google “<make> OBD pinout”. There is also low speed CAN (LS-CAN) and medium speed CAN (MS-CAN). MS-CAN is generally on pins 3 & 11, running at 125 kbps on Ford and Volvo cars.

Tools

You will need both a device that's capable of interpreting CAN data and software to analyze the data.

Hardware

In order to receive and transmit CAN packets, you need a device that is capable of this. You will often come across ELM327 based devices. While these have their use, they are terrible for hacking. They are way too slow to monitor the CAN bus.

There are also high-end devices like Kvaser, Peak or EMS Wünsche. These will get the job done but are overkill and pretty expensive.

Some high-end devices also require you to purchase software along with them. USB2CAN is a native CAN interface for Linux that offers great value for money.

You could also use or . However, these aren't native CAN devices in Linux and use an ASCII-based protocol. This means that they are slightly more complicated to set up and have lower performance. On the other hand, they are well supported across multiple operating systems.

I use which I've designed for my needs. It is similar to USB2CAN in that it's an affordable native CAN interface, but it uses a newer microcontroller, is open source and can be built using open source tools. The rest of this tutorial assumes you are using a native CAN interface.

Software

To communicate with the device you need to install the can-utils package on your Linux machine. You can do this by typing the following at the Linux prompt:

sudo apt-get install can-utils

can-utils makes it extremely easy to send, receive and analyze CAN packets. These are the commands that we will use:

  • cansniffer: display only the packets that are changing

  • candump: dump all received packets

  • cansend: send a packet

Linux has CAN support built into the kernel. This makes it easy to write your own additional programs: you can interact with the CAN bus in the same way you would interact with any other network, i.e. via sockets.

CAN bus

Before you start reversing, you should have some understanding of how the CAN bus works. It consists of two wires and uses differential signaling. Since it's a bus, multiple devices can be connected to these two wires. When a CAN frame is sent on the bus, it is received by all ECUs, but an ECU only processes it if it's useful to that ECU. If multiple CAN frames are sent at the same time, the one with the highest priority wins. A CAN frame has three parts that are relevant to us.

  • arbitration identifier: The identifier of a message. An ECU uses it to decide whether to process or ignore the received frame. It also represents the message's priority: a lower number has a higher priority. So, for example, if you were an engineer designing the network, you would give the frame for the deployment of airbags a very high priority, i.e. a low arbitration ID. On the other hand, you'd give a lower priority, i.e. a higher arbitration ID, to data meant for the door locks.

  • data length code (DLC): Indicates the length of the data field in bytes. A CAN frame can have at most 8 bytes of data.

  • data field: Contains up to 8 bytes of data.

Reversing the CAN bus

The general approach to reversing the CAN bus is to generate the behavior you want to mimic and find the message that causes that behavior. For example, let's say the lane keeping assist system (LKAS) on your car is crap and you've made your own.

In order for it to control the steering, you need to know what messages to send. The way to figure this out is to turn on the original LKAS, monitor the CAN bus and identify the packets responsible for turning the steering wheel. Once you have identified these packets, you can have your own LKAS send these packets onto the CAN bus to control the steering wheel.

In our case, we want to spoof the tachometer, so we need to change the RPM by stepping on the gas with the car on and in neutral, and then try to find the packet responsible for changing the RPM.

Setup

Plug the CAN device into the car’s OBD-II port and the computer’s USB port. Bring up the CAN interface by running the following in your Linux prompt:

sudo ip link set can0 up type can bitrate 500000

which brings up the can0 interface (always can0 if you only have one device connected) at a bit rate of 500 kbps, which is standard.

Identify

When the car is off, the ECUs are usually sleeping so you need to turn on the car or put it in accessory mode. You can look at raw CAN data by running this in your Linux prompt:

candump can0

This prints CAN data to the screen as soon as it is received. This, however, is very unorganized, and it is very difficult to see which packets correspond to a certain event. You can press ctrl+c to stop the program. To make the data more readable we use cansniffer, which groups the packets by arbitration ID and only shows the packets that are changing. To start it, run the following at your Linux prompt:

cansniffer -c can0

where -c colorizes the changing bytes and can0 is the interface to sniff. It takes a few seconds to remove the constant packets.

You should see something similar to the image below, though the numbers will probably be completely different.

The first column (delta) shows the rate in seconds at which the packets with that arbitration ID are being received. The second column (ID) contains the arbitration ID. The remaining alphanumeric columns (data …) contain the data bytes. If the data has an ASCII representation, it can be seen to the right, otherwise it’s a dot.

When you step on the throttle with the engine running in order to increase RPM, there might be new CAN messages appearing on the screen and/or existing ones changing.

We need to find a CAN message where the changing bytes correlate to the change in RPM. We can probably expect that the value will increase/decrease as the RPM increases/decreases.

The first CAN frame in cansniffer that seems to vary with RPM is the frame with arbitration ID C9. There are probably multiple packets that vary with RPM; this is just the first one.

There are 4 bytes that are changing (colored red) in this message, but not all of these necessarily indicate the RPM. Variations in the third changing byte, 07, don't seem to correlate with varying RPM. The last changing byte, 1B, does.

However, as soon as we take our foot off the throttle, it goes to 00. This would indicate that it represents the throttle position and not the RPM.

Finally there are the two bytes 21 C0 that do seem to correspond to a change in RPM. Moreover, they vary as a 16-bit integer, i.e. when the second byte C0 overflows, the first byte 21 is increased by one. Also, it seems that 21 corresponds to roughly 2000 RPM. This is good to note for when you replay the message.
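To make the frame structure and the identification step concrete, here is an added Python example (not code from the original post). It parses candump's default output into arbitration ID, DLC and data field, reports the byte positions cansniffer would highlight for one ID, and scores every changing byte and every 16-bit big-endian pair against tachometer readings noted during the capture. The candump lines and the RPM readings are constructed for the example; the 0C9 layout follows the frame shown above, and the throttle byte is made to drop to 00 on the last sample, which is exactly why it ranks below the true RPM field.

```python
import re
from itertools import combinations

# Constructed candump output (not a real capture). The frame with arbitration
# ID 0C9 follows the byte layout of the article's example frame; ID 1A1 is
# filler that never changes, so cansniffer would hide it after a few seconds.
SAMPLE_CANDUMP = """\
can0  0C9   [8]  80 21 C0 07 1B 10 10 00
can0  1A1   [8]  00 00 00 00 00 00 00 00
can0  0C9   [8]  80 23 10 08 22 10 10 00
can0  1A1   [8]  00 00 00 00 00 00 00 00
can0  0C9   [8]  80 26 F0 07 31 10 10 00
can0  0C9   [8]  80 23 E8 07 00 10 10 00
"""

# Constructed tachometer readings taken as each 0C9 frame above was captured;
# the last one is with the foot just lifted off the throttle.
RPM_REFERENCE = [2160, 2244, 2492, 2298]

# candump's default line: interface, hex arbitration ID, [DLC], data bytes.
LINE_RE = re.compile(
    r"^\s*(\S+)\s+([0-9A-Fa-f]+)\s+\[(\d+)\]((?:\s+[0-9A-Fa-f]{2})*)\s*$")


def parse_candump(text):
    """Parse candump output into (interface, arbitration id, data bytes) tuples."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised candump line: {line!r}")
        iface, arb_id, dlc, data = m.groups()
        payload = bytes.fromhex(data.strip())
        # The DLC must describe the data field; classic CAN carries at most 8 bytes.
        if len(payload) != int(dlc) or len(payload) > 8:
            raise ValueError(f"DLC {dlc} does not match data field in {line!r}")
        frames.append((iface, int(arb_id, 16), payload))
    return frames


def payloads_for(frames, arb_id):
    """Data fields of all frames carrying one arbitration ID, in capture order."""
    return [p for _, i, p in frames if i == arb_id]


def changing_bytes(payloads):
    """Byte positions that are not constant across the frames (what cansniffer -c colours)."""
    n = min(len(p) for p in payloads)
    return [k for k in range(n) if len({p[k] for p in payloads}) > 1]


def concordance(values, reference):
    """Fraction of sample pairs in which the candidate field moves in the same
    direction as the reference reading. 1.0 means the field tracked the reading
    in every pair; a throttle byte that falls to 0 while RPM is still high, or a
    byte that changes while RPM does not, scores lower."""
    pairs = list(combinations(range(len(values)), 2))
    agree = 0
    for a, b in pairs:
        dv = values[b] - values[a]
        dr = reference[b] - reference[a]
        if dv != 0 and dr != 0 and (dv > 0) == (dr > 0):
            agree += 1
    return agree / len(pairs)


def rank_rpm_candidates(payloads, reference):
    """Score each changing byte, and each 16-bit big-endian field starting at a
    changing byte, against the reference readings. Best candidate first."""
    width = min(len(p) for p in payloads)
    scored = []
    for k in changing_bytes(payloads):
        scored.append((concordance([p[k] for p in payloads], reference), "u8", k))
        if k + 1 < width:
            u16 = [int.from_bytes(p[k:k + 2], "big") for p in payloads]
            scored.append((concordance(u16, reference), "u16", k))
    scored.sort(key=lambda s: (-s[0], s[2], s[1]))
    return scored


def best_rpm_field(text=SAMPLE_CANDUMP, arb_id=0x0C9, reference=RPM_REFERENCE):
    """Return (score, kind, offset) of the field that best tracks the RPM readings."""
    return rank_rpm_candidates(payloads_for(parse_candump(text), arb_id), reference)[0]


if __name__ == "__main__":
    rows = payloads_for(parse_candump(SAMPLE_CANDUMP), 0x0C9)
    print("changing bytes:", changing_bytes(rows))
    for score, kind, offset in rank_rpm_candidates(rows, RPM_REFERENCE):
        print(f"{kind}@{offset}: {score:.2f}")
```

On the constructed capture the 16-bit field at offset 1 (the bytes 21 C0 of the article) scores 1.0, while the single throttle byte at offset 4 scores 0.67 because it drops to zero on the lift-off sample and the noisy byte at offset 3 scores 0.17. The same ranking can be run over a real candump capture as long as you write down the dashboard reading at each sample.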

Replay

Once you have a candidate, send it onto the CAN bus with the following command in your Linux prompt:

cansend can0 0C9#8021C0071B101000

where the frame has the format <arb_id>#{data} and must be substituted with your own CAN message.

Your car can be running or in accessory mode for this. Be sure to use a packet that you obtained when the engine was non-idle or else you won’t see anything change when replaying it while your engine is idle.

If you just send the packet once, you will probably not see anything change on the instrument cluster. This is because the original message is still being sent continuously on the bus at 0.2 second intervals by the ECU so your message will just be ignored.

Recall that the rate is given in the first column of cansniffer. There are two ways to get around this aside from disconnecting the ECU that’s generating these messages. One option is to send the packets at a much higher frequency than the ones currently being sent. You can do this by running the following in your Linux prompt:

while true; do cansend can0 0C9#8021C0071B101000; sleep 0.002; done

and substituting the CAN message with the one you’ve identified. Press ctrl+c to stop.

Another option is to monitor the bus, and every time you detect the packet that you want to spoof, send your own packet out immediately after. This can be done by running in your Linux prompt:

candump can0 | grep " 0C9 " | while read line; do cansend can0 0C9#8021C0071B101000; done

where you need to substitute the CAN message and 0C9 with the CAN message you identified and its arbitration ID respectively. You can experiment with both approaches to see which one works better.
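Both replay methods leave a detectable trace on the bus: either the spoofed ID arrives far more often than the ECU's own period, or a second frame with different data follows each genuine one within milliseconds. The following added Python example (not part of the original post) shows the detection side: it parses candump's -L log format, measures inter-arrival gaps per arbitration ID and flags both patterns. The log lines are constructed; the 0.2 s period for 0C9 is the one reported above, and the burst payload is the 8k RPM frame from the fuzzing section.

```python
import re
import statistics
from collections import defaultdict

# Constructed log in candump -L format (not a real capture). ID 0C9 is sent by
# its ECU every 0.2 s; at t=0.600 three frames with a different payload arrive
# 2 ms apart, the trace a replay loop leaves. ID 1A1 is steady background traffic.
SAMPLE_LOG = """\
(1557500000.000000) can0 0C9#8021C0071B101000
(1557500000.100000) can0 1A1#0000000000000000
(1557500000.200000) can0 0C9#8021C0071B101000
(1557500000.300000) can0 1A1#0000000000000000
(1557500000.400000) can0 0C9#8021C0071B101000
(1557500000.500000) can0 1A1#0000000000000000
(1557500000.600000) can0 0C9#8021C0071B101000
(1557500000.602000) can0 0C9#0080000000101000
(1557500000.604000) can0 0C9#0080000000101000
(1557500000.606000) can0 0C9#0080000000101000
(1557500000.800000) can0 0C9#8021C0071B101000
"""

# "(seconds.micro) interface id#data" as written by candump -L and read by canplayer.
LOG_RE = re.compile(r"^\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)$")


def parse_log(text):
    """Parse log lines into (timestamp, interface, arbitration id, data) tuples, oldest first."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised log line: {line!r}")
        ts, iface, arb_id, data = m.groups()
        frames.append((float(ts), iface, int(arb_id, 16), bytes.fromhex(data)))
    frames.sort(key=lambda f: f[0])
    return frames


def frames_by_id(frames):
    """Group (timestamp, data) pairs per arbitration ID, keeping time order."""
    grouped = defaultdict(list)
    for ts, _, arb_id, data in frames:
        grouped[arb_id].append((ts, data))
    return grouped


def rate_anomalies(frames, expected_period=None, ratio=0.5):
    """Count, per ID, gaps between consecutive frames shorter than ratio * the
    ID's normal period. The normal period comes from expected_period (e.g. the
    0.2 s read off cansniffer's delta column) or, failing that, from the median
    gap, which a short burst barely moves."""
    expected_period = expected_period or {}
    result = {}
    for arb_id, seq in frames_by_id(frames).items():
        if len(seq) < 2:
            continue
        gaps = [b[0] - a[0] for a, b in zip(seq, seq[1:])]
        base = expected_period.get(arb_id, statistics.median(gaps))
        short = sum(1 for g in gaps if g < ratio * base)
        if short:
            result[arb_id] = short
    return result


def payload_conflicts(frames, window=0.05):
    """Count, per ID, consecutive frames closer than `window` seconds whose data
    differs: the pattern left by a frame injected right behind the genuine one."""
    result = {}
    for arb_id, seq in frames_by_id(frames).items():
        hits = sum(1 for a, b in zip(seq, seq[1:])
                   if b[0] - a[0] < window and a[1] != b[1])
        if hits:
            result[arb_id] = hits
    return result


if __name__ == "__main__":
    frames = parse_log(SAMPLE_LOG)
    print("rate anomalies:", {hex(i): n for i, n in rate_anomalies(frames).items()})
    print("payload conflicts:", {hex(i): n for i, n in payload_conflicts(frames).items()})
```

Feeding a real `candump -L can0` log to these two functions is enough to tell whether an ID is being hammered at a higher rate than its ECU sends it, or shadowed by a conflicting frame, which is also a quick way to confirm that your own replay is actually reaching the bus.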

If the tachometer changes, good job, you found it! If not, identify the next message that correlates to RPM and replay it.

Fuzzing

Now that you have the CAN frame that sets the RPM on the instrument cluster, you can play with the data that you send to see what happens. We have noted that the two bytes that correspond to RPM behave as a 16-bit integer, so in order to set the tachometer to 8k RPM, run the following at your Linux prompt:

while true; do cansend can0 0C9#0080000000101000; sleep 0.002; done

and the result is…

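As an added example (not from the original post), here is the encoding the fuzzing step relies on, in Python: the RPM field is the 16-bit big-endian integer at bytes 1-2 of the 0C9 data field, and the frame string is built in the <arb_id>#{data} form that cansend expects. The raw-to-RPM scale factor of 4 is an assumption that fits the two data points given above (0x21xx for roughly 2000 RPM, 0x8000 for 8k RPM); the article does not state it.

```python
# Layout taken from the article's captured frame 0C9#8021C0071B101000:
# the RPM value is the 16-bit big-endian integer at bytes 1-2.
ARB_ID = 0x0C9
TEMPLATE = bytes.fromhex("8021C0071B101000")
RPM_OFFSET = 1
# Assumption (not stated in the article): raw = RPM * 4. It fits both data
# points given above, 0x21C0 -> 2160 RPM and 0x8000 -> 8192 RPM.
RPM_SCALE = 4


def decode_rpm(data, offset=RPM_OFFSET, scale=RPM_SCALE):
    """Read the 16-bit big-endian RPM field out of a data field."""
    return int.from_bytes(data[offset:offset + 2], "big") / scale


def encode_rpm(rpm, template=TEMPLATE, offset=RPM_OFFSET, scale=RPM_SCALE):
    """Return a copy of template with only the RPM field replaced, so the
    other bytes stay exactly as captured."""
    raw = round(rpm * scale)
    if not 0 <= raw <= 0xFFFF:
        raise ValueError(f"{rpm} RPM does not fit a 16-bit field at scale {scale}")
    data = bytearray(template)
    data[offset:offset + 2] = raw.to_bytes(2, "big")
    return bytes(data)


def cansend_frame(arb_id, data):
    """Format a frame as cansend's <arb_id>#{data}: 3 hex digits select an
    11-bit standard ID, 8 hex digits a 29-bit extended ID."""
    if len(data) > 8:
        raise ValueError("a classic CAN data field holds at most 8 bytes")
    if not 0 <= arb_id <= 0x1FFFFFFF:
        raise ValueError("arbitration ID out of range")
    width = 3 if arb_id <= 0x7FF else 8
    return f"{arb_id:0{width}X}#{data.hex().upper()}"


if __name__ == "__main__":
    print("captured frame decodes to", decode_rpm(TEMPLATE), "RPM")
    for rpm in (1000, 4000, 8192):
        print(rpm, "->", cansend_frame(ARB_ID, encode_rpm(rpm)))
```

The bounds check matters during fuzzing: a value that overflows the 16-bit field would silently wrap into the neighbouring bytes if you built the frame by hand, and you would then be changing the throttle byte rather than the RPM.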
That’s it! You can now try controlling the speedometer, radio, lights, door locks, etc. using the same approach.

Possible issues

  • While the CAN bus is the most popular network, it's not the only network. If you can't find the message you are looking for on the CAN bus, try a different network. Non-critical messages such as radio, lights and door locks in particular will probably be on a different network.

  • As mentioned, the exact data transmitted over CAN depends on the car's make, model and year. Some cars use a counter in the CAN message to ensure the same message isn't processed multiple times. This is slightly more difficult, but you should be able to do it with the provided information. Some cars also use a checksum to ensure the integrity of the data. Calculating this checksum can be difficult. If you have a Toyota, check out , p10, Checksum-Toyota. Everyone should really read the whole paper.

  • When replaying the identified packet on the bus, your CAN-to-USB device might go into the "bus off" state. This is part of the CAN standard and happens when the device has experienced too many errors. This generally happens when there is a lot of traffic on the bus. To get around this you can play with delays and timing: try replaying the message immediately after putting the car in accessory mode, try waiting a bit, try it with the car on, etc. If you've identified which ECUs are connected to the bus, you can also pull their fuse to stop them from sending messages and lower the traffic on the bus.

Must reads

  • Charlie Miller’s and Chris Valasek’s , yes all of it

  • University of California San Diego’s and University of Washington’s .

Be sure to also check out and their .

Translated from:

Reposted from: http://xzyzd.baihongyu.com/
