Automobile Hacking, Part 2: The can-utils or SocketCAN


Welcome back, my aspiring automobile hackers!

Now that we have laid out the basics of the most common protocol used in automobiles, the Controller Area Network or CAN, we can proceed to installing the can-utils. can-utils is a Linux-specific set of utilities that enables Linux to communicate with the CAN network on the vehicle. In this way, we can sniff, spoof and create our own CAN packets to pwn the vehicle!

What are the can-utils?

CAN is a message-based network protocol designed for vehicles, originally created by Robert Bosch GmbH. SocketCAN is a set of open-source CAN drivers and a networking stack contributed by Volkswagen Research to the Linux kernel.

Step #1: Installing the can-utils

If you are using the Kali or other Debian-based repositories, you can download and install can-utils with apt-get.

kali > apt-get install can-utils

If you are not using the Kali repository, or are using a repository without can-utils, you can always download can-utils from github.com using the git clone command.

kali > git clone https://github.com/linux-can/can-utils

The Basics of the can-utils

The CAN utilities are tools for working with CAN communications within the vehicle from the Linux operating system. These tools can be divided into several functional groups:

1. Basic tools to display, record, generate and play CAN traffic

2. CAN access via IP sockets

3. CAN in-kernel gateway configuration

4. CAN bus measurement

5. ISO-TP tools

6. Log file converters

7. Serial line discipline (slc) configuration

Initially, we will concern ourselves with just the basic tools and the log file converters.

For a complete list of the tools in can-utils and their functionality, see the table below.

1. Basic tools to display, record, generate and replay CAN traffic

  • candump : display, filter and log CAN data to files

  • canplayer : replay CAN logfiles

  • cansend : send a single frame

  • cangen : generate (random) CAN traffic

  • cansniffer : display CAN data content differences (just 11bit CAN IDs)

2. CAN access via IP sockets

  • canlogserver : log CAN frames from a remote/local host

  • bcmserver : interactive BCM configuration (remote/local)

  • socketcand : use RAW/BCM/ISO-TP sockets via TCP/IP sockets

3. CAN in-kernel gateway configuration

  • cangw : CAN gateway userspace tool for netlink configuration

4. CAN bus measurement and testing

  • canbusload : calculate and display the CAN busload

  • can-calc-bit-timing : userspace version of in-kernel bitrate calculation

  • canfdtest : Full-duplex test program (DUT and host part)

5. ISO-TP tools ISO15765-2:2016 for Linux

  • isotpsend : send a single ISO-TP PDU

  • isotprecv : receive ISO-TP PDU(s)

  • isotpsniffer : ‘wiretap’ ISO-TP PDU(s)

  • isotpdump : ‘wiretap’ and interpret CAN messages (CAN_RAW)

  • isotpserver : IP server for simple TCP/IP <-> ISO 15765-2 bridging (ASCII HEX)

  • isotpperf : ISO15765-2 protocol performance visualisation

  • isotptun : create a bi-directional IP tunnel on CAN via ISO-TP

6. Log file converters

  • asc2log : convert ASC logfile to compact CAN frame logfile

  • log2asc : convert compact CAN frame logfile to ASC logfile

  • log2long : convert compact CAN frame representation into user readable

7. Serial Line Discipline configuration (for slcan driver)

  • slcan_attach : userspace tool for serial line CAN interface configuration

  • slcand : daemon for serial line CAN interface configuration

  • slcanpty : creates a pty for applications using the slcan ASCII protocol
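To make the compact log format that candump writes (and the log converters read) concrete, here is an added example, not part of the original article or of can-utils: it parses `candump -l` lines, builds a per-ID timing baseline from a known-good capture, and flags IDs that are new or arrive much faster in a later capture. The sample frames, IDs, function names and the 0.5 ratio are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# candump -l log line: (epoch.usec) iface ID#DATA; ID is 3 or 8 hex digits, "#R" = remote frame
LINE = re.compile(r"^\((\d+)\.(\d{6})\)\s+(\S+)\s+"
                  r"([0-9A-Fa-f]{3}|[0-9A-Fa-f]{8})#(R[0-8]?|(?:[0-9A-Fa-f]{2}){0,8})$")

def parse_line(line):
    """Return (t_usec, iface, can_id, data) for a classic CAN frame, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None  # blank, malformed, or CAN FD ("ID##...") line: skipped
    sec, usec, iface, ident, payload = m.groups()
    data = b"" if payload.startswith("R") else bytes.fromhex(payload)
    return int(sec) * 1_000_000 + int(usec), iface, int(ident, 16), data

def baseline(lines):
    """Per (iface, CAN ID): frame count and mean period in milliseconds."""
    times = defaultdict(list)
    for t_usec, iface, can_id, _ in filter(None, map(parse_line, lines)):
        times[(iface, can_id)].append(t_usec)
    report = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean_ms = round(sum(gaps) / len(gaps) / 1000, 3) if gaps else None
        report[key] = {"count": len(ts), "mean_period_ms": mean_ms}
    return report

def deviations(known, observed, ratio=0.5):
    """IDs absent from the known-good baseline, or arriving much faster than in it."""
    flagged = {}
    for key, stats in observed.items():
        old = known.get(key, {}).get("mean_period_ms")
        new = stats["mean_period_ms"]
        if key not in known:
            flagged[key] = "new ID"
        elif old and new and new < ratio * old:
            flagged[key] = "period shortened"
    return flagged

# Constructed sample captures (not from a real vehicle); IDs are arbitrary.
KNOWN_GOOD = """(1600000000.000000) vcan0 244#0000000000
(1600000000.100000) vcan0 244#0000000A00
(1600000000.200000) vcan0 244#0000001400""".splitlines()
LATER = """(1600000100.000000) vcan0 244#0000000000
(1600000100.020000) vcan0 244#0000006400
(1600000100.010000) vcan0 12345678#R
(1600000100.030000) vcan0 244##1AABB""".splitlines()
print(deviations(baseline(KNOWN_GOOD), baseline(LATER)))
```

To run it on a real capture, pass the lines of a log file written by `candump -l` to `baseline()` in place of the constructed samples.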

 

Setting Up a Virtual CAN network

In my next article in this series, we will be connecting to the CAN network in your vehicle with various hardware devices. These are relatively inexpensive ($10-20) and I highly recommend you purchase one, if you want to master automobile hacking. If you can’t or won’t purchase one of these hardware devices, you can always set up a virtual CAN network.

To set up a virtual CAN network, first load the vcan (virtual CAN) module:

kali > modprobe vcan

Then, set up your virtual interface:

kali > ip link add dev vcan0 type vcan

kali > ip link set up vcan0

Once we have set up our virtual CAN connection (vcan0), we can test to see whether it is up by using the ifconfig command, like we would with any other interface in Linux.

kali > ifconfig vcan0

Now, we are ready to begin working with CAN communications. We now only need to connect our Linux operating system to the vehicle. There are numerous devices, means and connection types to do so. We will look at a few of these in my next article in this series, so keep coming back.

Look for my upcoming course soon on Automobile Hacking!