We Hacked A Car! - CANbus injection

  • Published 24 Jul 2024
  • Take control of your car, redline your tachometer! We break down CAN bus basics and teach you how to hack, inject, and sniff data from your car's onboard systems. Controller Area Network (CAN) is a simple protocol, and simple to manipulate! Many of the features of a vehicle communicate over the CANbus; this is how they work together to bring you that smooth driving experience.
    Most people don't know these systems can be exploited! Your speedometer and tachometer, displays, transmission, engine, and more all use the CAN bus in some way.
    We completed this project at school using a laptop, CANtact reader, and a little know-how. The tools and methods have been highly simplified and are more accessible than ever (like a Flipper Zero)! I’d like to do an update in the near future!
    If you are interested in cybersecurity and penetration testing, this is a fun project to familiarize yourselves with various aspects of the industry, its methodologies, and procedures.
    Want to open an automated lock? Change the lights in a building? Display information in a car? There are so many different avenues for exploitation. BE SURE YOU HAVE LEGAL GROUNDS TO TEST ON. If you don’t own it, or fully understand the implications of your actions, please leave it alone. You can cause some havoc if you don’t know what you're doing.
    Resources:
    Reddit Carhacking Subthread:
    - / carhacking
    How to hack a car - A quick Crash-Course
    - medium.freecodecamp.org/hacki...
    Charlie Miller and Chris Valasek’s research
    - illmatics.com/carhacking.html
    Car Hacker’s Handbook
    - opengarages.org/handbook/
    CANtact CAN to USB Converter (Unavailable):
    - www.amazon.com/CANtact-Source...
    Socials:
    YouTube: / @andrewgerlitz
    Twitch: / wardenology
    Twitter: / andrewgerlitz
    TikTok: / andrewgerlitz
    Instagram: / andrewgerlitz
    [Timestamps]
    0:00 - Introduction
    0:39 - What is a CANbus?
    1:36 - Project Requirements
    2:35 - Sniffing The CAN data
    3:09 - CAN packet injection
    3:39 - Car hacking!
    5:02 - Next Steps
  • Autos & Vehicles

COMMENTS • 109

  • @AndrewGerlitz 2 months ago +5

    Appreciate you all! It's early into my YouTube career still and I never expected things to take off as quickly as they have. Need to keep on the gas pedal! I'm working on another video for a different project right now and hope to have it to you soon. Stay awesome, and we'll see you in the next one!

  • @WafflerSupreme 3 months ago +51

    lol, the music is fine. You’re not trying to give a technical talk at a conference about your findings. Blessed the algorithm.

    • @AndrewGerlitz 3 months ago +4

      Noted, just wanted something fun in the background. Maybe tone it down next time. Appreciate you!

  • @jessicathompson2491 3 months ago +13

    I appreciate this video and I'm glad the algorithm threw it my way. This was a good introduction to mucking around with something I'd never had interest in until today, so I thank you for that!

    • @AndrewGerlitz 3 months ago

      Glad you enjoyed it! Appreciate you!

  • @Dygear 3 months ago +15

    I really wish they would publish their CAN BUS messages list.

    • @AndrewGerlitz 3 months ago +3

      Right? What a pain, all that trial and error haha.

    • @AutoAnomoly 3 months ago +3

      Those values are in what’s called a DBC file; you may be able to find them on the web.
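
What a DBC file contributes once you have sniffed frames, as an added example that is not from the video or any commenter: it parses `BO_`/`SG_` definitions and turns one captured frame into named physical values. The DBC excerpt, message and signal names, and the frame bytes are constructed for illustration, not taken from any real vehicle.

```python
import re

# Constructed DBC excerpt: message, signal and node names are made up for this example.
DBC_TEXT = """
BO_ 513 ENGINE_STATUS: 8 ECM
 SG_ EngineSpeed : 16|16@1+ (0.25,0) [0|16383.75] "rpm" CLUSTER
 SG_ CoolantTemp : 39|8@0+ (1,-40) [-40|215] "degC" CLUSTER
 SG_ TorqueDelta : 40|12@1- (0.5,0) [-1024|1023.5] "Nm" CLUSTER
"""

BO_RE = re.compile(r'^BO_ (\d+) (\w+): (\d+)')
SG_RE = re.compile(r'^\s*SG_ (\w+) : (\d+)\|(\d+)@([01])([+-]) '
                   r'\(([^,]+),([^)]+)\) \[[^\]]*\] "([^"]*)"')


def parse_dbc(text):
    """Return {can_id: {"name", "dlc", "signals": [...]}} from BO_/SG_ lines."""
    messages, current = {}, None
    for line in text.splitlines():
        if m := BO_RE.match(line):
            current = {"name": m[2], "dlc": int(m[3]), "signals": []}
            messages[int(m[1])] = current
        elif current is not None and (m := SG_RE.match(line)):
            current["signals"].append({
                "name": m[1], "start": int(m[2]), "length": int(m[3]),
                "little_endian": m[4] == "1", "signed": m[5] == "-",
                "factor": float(m[6]), "offset": float(m[7]), "unit": m[8],
            })
    return messages


def raw_value(data, sig):
    """Extract the raw integer for one signal from the frame payload."""
    if sig["little_endian"]:  # Intel: start bit is the LSB, bits count upward
        mask = (1 << sig["length"]) - 1
        raw = (int.from_bytes(data, "little") >> sig["start"]) & mask
    else:  # Motorola: start bit is the MSB; walk down a byte, then into the next one
        raw, pos = 0, sig["start"]
        for _ in range(sig["length"]):
            raw = (raw << 1) | ((data[pos // 8] >> (pos % 8)) & 1)
            pos = pos + 15 if pos % 8 == 0 else pos - 1
    if sig["signed"] and raw >> (sig["length"] - 1):
        raw -= 1 << sig["length"]  # two's complement
    return raw


def decode(messages, can_id, data):
    """Decode every signal of a known frame; None for IDs the DBC does not list."""
    msg = messages.get(can_id)
    if msg is None:
        return None
    if len(data) < msg["dlc"]:
        raise ValueError(f"frame 0x{can_id:X} is shorter than DLC {msg['dlc']}")
    return {s["name"]: raw_value(data, s) * s["factor"] + s["offset"]
            for s in msg["signals"]}


# Constructed capture: one frame with ID 0x201 (decimal 513) and 8 data bytes.
FRAME_ID, FRAME_DATA = 0x201, bytes.fromhex("0000E02E82EC0F00")

if __name__ == "__main__":
    print(decode(parse_dbc(DBC_TEXT), FRAME_ID, FRAME_DATA))
```

Without the DBC, the same eight bytes are just numbers that have to be correlated with gauge behaviour by trial and error.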

  • @mikester9673 3 months ago +4

    This was honestly a really great video! I've always wanted to make a custom gauge cluster that could read CANbus data so I could have additional sensors along with custom displays for different bits of data from the ECU.

    • @AndrewGerlitz 3 months ago +1

      Appreciate you! I had noticed there's a CAN port on the back of my Sim rig wheelbase too, might have to take a look at that as well!

  • @Moddage 3 months ago +15

    Small nitpick: “Every car has a CAN bus” except all the cars produced before CAN was implemented… lots of cars are still out there with some variant of Class 2 serial, and even cars that pre-date having multiple control modules and only have a PCM that runs just an engine, or an engine and transmission. In fact, ~85% of the vehicles I’ve owned thus far have not had CAN, but ~65% of them had some form of serial communication and multiple control modules.
    Second small nitpick: I don’t think the music is needed, I can deal with it, but it is a little distracting at times for me at least.

    • @AndrewGerlitz 3 months ago +5

      Was meant as anything fairly new, I’ll have to specify next time. As for the music, it’s definitely too loud, just some growing pains haha.

    • @Moddage 3 months ago +1

      @@AndrewGerlitz no worries, that’s what growth and adaptation is all about. I personally was hoping for a bit more in-depth exploration of CAN hacking, but I think this is a good “primer” video for anyone just getting their feet wet or discovering CAN stuff. You seem to have no issues presenting clearly and in a manner that I’d think was pretty easy to follow and understand for just about anyone looking for content on this topic.
      I may have been a little too pedantic/nit-picky with your wording, I tend to be that way with accuracy sometimes. I feel like a majority of people ending up on this content are likely to be more familiar with what vehicles do and don’t have CAN, but I thought about it from the perspective of someone who ended up on this video with very little knowledge of cars and CAN who had a budding interest. Purely trying to provide constructive feedback, not nitpick just for the sake of it.

    • @UnlikelyToRemember 3 months ago

      Canbus was introduced in the mid 80s and has been on all US cars since the late 90s

    • @Moddage 2 months ago

      @@UnlikelyToRemember I agree with CANbus being developed and introduced in the 80s, by Bosch if I recall. But I disagree with it being in “all” US cars since the late 90s. I’ve owned, worked on, and modified a number of late 90s and early 2000s vehicles that only had single wire class 2 serial or some other variant of a single wire serial protocol to communicate between control modules as well as available at the DLC. I actually don’t recall seeing CANbus between any modules in GM vehicles until around 2004, and at least some of those particular ones I can recall didn’t have the CANbus present at the DLC and still used Class 2 serial between all the modules as well. It may have indeed existed in some US vehicles since the late 90s, but certainly not “all” of them based on my experience.

    • @UnlikelyToRemember 2 months ago +2

      @@Moddage I stand corrected, OBD-II was mandated in 1996, but it didn't have to be CANBus until 2008

  • @VonW0lf3N5t31N 3 months ago +1

    Neat video, friend! I agree about the music but you're still small/learning and doing great work! Very interesting - thank you and keep it up!

    • @AndrewGerlitz 3 months ago

      Appreciate you! Noted for next time haha.

  • @Kayden-oo4bf 3 months ago +3

    wow i never knew you could do this with an obd port! such a cool project and very underrated video!

    • @AndrewGerlitz 3 months ago +2

      It’s funny, I never really thought anyone else would find it all that interesting. Guess I was wrong! Appreciate you!

  • @stevenredrup7020 3 months ago

    Really hope you keep this project going!

  • @JayarBass 3 months ago

    this is awesome! grats on your hardwork paying off! i've been talkin about this being possible and thought about playing with it for years, but never tried it.

    • @AndrewGerlitz 3 months ago

      Appreciate you! It's a fun and challenging project to take on, I would definitely give it a try!

  • @tompointdll 3 months ago

    Wow GG, nice project !! hope to see more in the future

    • @AndrewGerlitz 3 months ago

      Appreciate you! More to come for sure!

  • @JedIsTheOne 3 months ago +1

    Great work.

  • @throughdude23 3 months ago +2

    If you use a scan tool you can manipulate all that but if you decode the scan tool signals for an individual action then input that and can save time. You can make a script and flash the ecm and record the way you want.

  • @davidlee50 27 days ago

    Seems like it is time to make an RC under the car inspection tool. Thanks for the video

  • @StephenSmith304 2 months ago

    Super cool, I'm thinking of peeking into CAN to see if i can get steering wheel angle sensor data for a backup cam project I'm working on. Depending on what's least invasive it might be easier than tapping the sensor directly. The downside might be that it would make installation more car model dependent if I want to share the project.

    • @AndrewGerlitz 2 months ago

      So many systems to look into nowadays, excited to see what you come up with!

  • @ciciklump 3 months ago +1

    Awesome video :)

  • @justsomeone7501 3 months ago

    Hello, I have an old lt46 with so it seems mercedes sprinter 14 pin diagnostic port . I have bought a connector to switch it to OBD but it fails to connect. Any idea why?

  • @marlo6846 2 months ago

    Awesome!!

  • @kevinpritchard3592 3 months ago

    Thanks for the vid, interesting

  • @kennethbeal 2 months ago

    Nice! I've done some CANBUS work. Rather wide open. RIP Michael Hastings.

    • @AndrewGerlitz 2 months ago +1

      How I never came across him in my studies is beyond me. Unbelievable and RIP indeed.

  • @darleep 3 months ago

    Great Video 💯

  • @SandeepSingh-43 3 months ago

    Willing to see if you can guide me to do the same for my Mercedes.

  • @Aviduduskar 2 months ago

    How do you determine if CAN is available at the OBD port?
    I too, found the music distracting from the actual on-screen content and audio.

    • @AndrewGerlitz 2 months ago

      Noted, you can tell by the pinout of your OBD port, depending which pins are populated you can tell what protocol is used.

  • @ShortBusRejectz 3 months ago

    Subbed for more of this

  • @mskiptr 3 months ago

    That's so cool! I hope we will be able to replace the firmware one day

    • @AndrewGerlitz 3 months ago

      Custom ECU and you can customize to your heart's content!

  • @TheJensss 3 months ago +1

    Great video! I would like to turn on/off all systems in my own car as I like, and not be "forced" to use everything like I currently am as a European. It's my car, I decide if I want line assistant or not and so on

    • @AndrewGerlitz 3 months ago +1

      Right? Artificial limitations are such a joke. Appreciate you!

  • @chefjeff415 2 months ago

    Wow super surprising the CANbus doesn’t use a rolling code and encryptions to prevent this sort of “attack”. Anyway cool project!

    • @AndrewGerlitz 2 months ago

      I'm sure that's all in development as we speak. Appreciate you!

  • @craigthepony6259 2 months ago

    ik this is a long shot, if you're up to make a video on how to read the serial data from old aldl then use it back just like canbus injection, that would be beneficial and i got a 93 camaro that i can test with as i can't find any videos on how to do so, only explanations of how serial works when i want to know how to do both for my car.

  • @Will-lo8fu 3 months ago

    how do you only have 38 subs? this video singlehandedly made me want to actually learn this mythic "coding" language.

    • @AndrewGerlitz 3 months ago

      Appreciate you, Glad you enjoyed it! Still new to the whole YouTube thing and figuring it out one video at a time. Every little bit helps!

  • @braddofner 2 months ago

    Andrew, this was awesome to see. I have a 2022 Sentra and I have a handful of things I would like to add to my home automation server from my car, and I was thinking CAN injection would be the way to go. As an experienced electrical engineer but total noob on CAN messaging, where would you start? I want to add things like lights, remote start and a bunch of feedback sensors from the car to a device that can communicate through a cellular modem to my server at home. It feels very overwhelming to even think about where to begin. I am trying to find someone experienced that could help me get started with some advice. I'm even willing to pay, because this is some niche knowledge.

    • @AndrewGerlitz 2 months ago

      I know the feeling, I was told it was too much when I picked the project. Like any project, lay out everything you want to accomplish, and start working at it one thing at a time. In your case, I'd focus only on getting a reader, and figure out how to sniff data. Once you get a feel for that, then look at actually forging some packets (Start simple, like a traction control light! See if you can find the DBC file for your car on the internet, it'll save a ton of time). Then you should have a better idea if what you want is feasible via CAN, or if you need to make any adjustments. Worry about the transmission of the data and the server side stuff later (Something like a rasPi or arduino with a GSM module can take care of that). Feel free to DM me on X if you have questions.

  • @BryanTorok 2 months ago

    I would like to have a device that could be plugged inline between the scan tool and the OBD-II port such the device would tell the scan tool the MIL is off and that there are no malfunction codes stored. It would have to pass the VIN and other vehicle specific info. Does anyone have an idea how to do that easily for someone who is handy with building hardware but not so much writing code? Does such a device already exist?

  • @williamheckman4597 2 months ago +1

    Please make more content like this

    • @AndrewGerlitz 2 months ago

      Still feeling things out, I'll do my best!

    • @williamheckman4597 2 months ago

      @@AndrewGerlitz I think cars and their control data after a certain date should become open source or public domain

  • @loychyuansu6343 2 months ago

    Hello Andrew, what's the entry level tools to can bus reverse engineering? I am thinking to get into automotive cyber security field. I am auto electrician by trade. Any advice?

    • @AndrewGerlitz 2 months ago

      You can use the CANtact reader I mentioned if you can find one, it was a good opener for us, all in was about $100 CAD. The software we used was also free/opensource. School bought the device for us, so I don't actually own one, I'm looking into alternatives myself.

    • @loychyuansu6343 2 months ago

      @@AndrewGerlitz Thank you for the advice.

  • @BarryMcCauley 3 months ago

    Hey there. Nice vid, popped up after a video I was watching. I'm hitting that 'subscribe' in a moment.
    Question for you: Did/do you attend any local BSides and checkout their Car Hacking Village? If not: there's my tip for you. Keep up the good work.

    • @AndrewGerlitz 3 months ago +1

      Sadly the car hacking village wasn’t a thing while we were working on it, we did go to BSides at the time but topics were unrelated. Appreciate you!

    • @BarryMcCauley 3 months ago

      @@AndrewGerlitz ever find yourself at BSidesLDN, we have a great car hacking village run by minty. I Goon there, ask for Bazza.

  • @fjs1111 2 months ago

    "CAN Sniffer" - haha...

  • @BrandonMitchell84 2 months ago

    man i spent too much time messing with stuff like this back in the day...a lot of euro cars have apps avail to toggle settings and such like turn on features that the car is capable of but not active and such , BMW have an entire community of beemer coders , the thing i think is going to happen now is that we have ai we can take the data and map it much easier for custom changes

    • @AndrewGerlitz 2 months ago

      I feel that. My buddy had an e92 we flashed with JB4 on his cell phone. I was blown away haha.

  • @zincfive 3 months ago

    interesting....

  • @FarmerRiddick 3 months ago

    Challenge:
    Find the telemetry code that sends data back to the manufacturer for data collection and third party sales and disable or destroy it.
    That would be a huge public service!

    • @AndrewGerlitz 3 months ago +1

      You are my kind of people! What I can tell you is Apple Car Play will not work if you have a VPN enabled on your device (at least in my 2019 Elantra). If I figure it out, I'll let everyone know!

    • @FarmerRiddick 3 months ago

      @@AndrewGerlitz Make it open source!... ask for donations!
      Once that kind of sniffer is in the wild, those mega corps will be pulling their collective hairs out! lol

    • @honestlocksmith5428 2 months ago

      With an oscilloscope or protocol analyzer connected to the telecommunications antenna, the bitstream can be intercepted. 😉

  • @dionlawler5515 3 months ago +1

    are you able to make a mazda 3 2005 power steering pump work independent, it needs a canbus signal from the ecu, I will pay if you figure it out

    • @AndrewGerlitz 3 months ago

      The steering pump is a hydraulic system independent of the CAN system (Aside from maybe a steering angle sensor). The only potentially exploitable thing would be some sort of assisted driving mechanism, things like lane keep assists, or self driving of some kind. Even then, depending on the implementation it may require other methods to exploit.

  • @bluegizmo1983 3 months ago

    My 1994 car doesn't have a canbus, neither does my 1971 car... lol

  • @tme2912 3 months ago +5

    is it possible to have this video without the music

  • @Mitchs 3 months ago +7

    Reset mileage

    • @AndrewGerlitz 3 months ago

      That was on the list for sure! Maybe in the next round!

    • @Fredrick_6 3 months ago +1

      @AndrewGerlitz I think that's illegal

    • @spritsnovalbertos8409 3 months ago

      Buzzkill you're not the funniest at parties

    • @jordangerlitz 3 months ago +1

      hahaha this gives me Ferris Bueller's Day Off vibes

    • @AndrewGerlitz 3 months ago +1

      @@Fredrick_6 The Odometer can be manipulated to display whatever you like, but resetting to zero is more complicated (and yes illegal as well haha)

  • @platin2148 3 months ago

    Well CAN Bus is something that will die and be replaced with FD and XL or automotive ethernet. What you did is not actually hacking anything it’s basically using DBC information of the car to change some states in ECU's. Keep in mind that ECU's no longer have non authenticated message buses. Well at least some..

    • @honestlocksmith5428 2 months ago

      Do you CRC's?

    • @platin2148 2 months ago

      @@honestlocksmith5428 Some manufacturers think crcs will help them but you can clearly see what changed and decode it, it’s only slightly more effort..

    • @honestlocksmith5428 2 months ago

      @platin2148 That's true. It's calculated and added to verify the authenticity of a message. Beyond that, what are you talking about? I'm curious to learn more.

    • @platin2148 2 months ago

      @@honestlocksmith5428 MacSec and also some stuff that isn’t yet public.
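
The distinction this thread circles around, as an added example that is not from the video or any commenter: a CRC comes from a public algorithm, so any node on the bus can recompute it, while a keyed MAC with a counter cannot be regenerated or replayed without the key. The frame layouts, key and CAN ID below are constructed for illustration and are not any manufacturer's scheme.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed; a real ECU keeps its key in protected storage


def crc8(data: bytes) -> int:
    """CRC-8 with polynomial 0x1D (SAE J1850 parameters). No secret is involved."""
    crc = 0xFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1D) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0xFF


def crc_frame(signal: int, counter: int) -> bytes:
    """Constructed layout: 2-byte signal, 1-byte counter, 1-byte CRC."""
    body = struct.pack(">HB", signal, counter & 0xFF)
    return body + bytes([crc8(body)])


def crc_accepts(payload: bytes) -> bool:
    return len(payload) == 4 and crc8(payload[:3]) == payload[3]


def mac_frame(can_id: int, signal: int, counter: int, key: bytes = KEY) -> bytes:
    """Constructed layout: 2-byte signal, 2-byte counter, 4-byte truncated HMAC."""
    body = struct.pack(">HH", signal, counter)
    tag = hmac.new(key, struct.pack(">I", can_id) + body, hashlib.sha256).digest()
    return body + tag[:4]  # truncated so the frame fits in 8 classic-CAN bytes


class MacReceiver:
    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_counter = {}  # highest counter accepted so far, per CAN ID

    def accepts(self, can_id: int, payload: bytes) -> bool:
        if len(payload) != 8:
            return False
        signal, counter = struct.unpack(">HH", payload[:4])
        expected = mac_frame(can_id, signal, counter, self.key)[4:]
        if not hmac.compare_digest(expected, payload[4:]):
            return False  # tag was not made with the shared key
        if counter <= self.last_counter.get(can_id, -1):
            return False  # stale counter: a replayed frame (16-bit wrap not handled)
        self.last_counter[can_id] = counter
        return True


def demo() -> dict:
    can_id = 0x123  # constructed
    rx = MacReceiver()
    genuine = mac_frame(can_id, 3000, 1)
    # A node without the key rewrites the signal field in each kind of frame.
    rewritten_crc = crc_frame(7000, 2)  # CRC simply recomputed
    rewritten_mac = struct.pack(">HH", 7000, 2) + genuine[4:]  # old tag reused
    return {
        "crc_accepts_rewritten": crc_accepts(rewritten_crc),
        "mac_accepts_genuine": rx.accepts(can_id, genuine),
        "mac_accepts_rewritten": rx.accepts(can_id, rewritten_mac),
        "mac_accepts_replay": rx.accepts(can_id, genuine),
    }


if __name__ == "__main__":
    print(demo())
```

The CRC still does its real job, catching corruption on the wire; only the keyed tag and counter say anything about who sent the frame and when.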

  • @Mitchs 3 months ago

    Comma AI

  • @Kabodanki 2 months ago

    In France, anything you would do to a car would be virtually illegal, it is dumb

    • @AndrewGerlitz 2 months ago

      Artificial limitations. The bane of my existence!

  • @Firefrei 3 months ago +2

    This is very elementary. using the can system to tell features like lights or windows is one of the first and easiest things done when diagnosing a repair. you can pretty easily get a scan tool with the ability to use the canbus for a few hundred dollars and they work on any car with an obd2 port. is it anywhere near what you were talking about in the beginning when making a comparison to the f&f movie? not even close. no vehicles yet have the ability to be messed with any exterior programs that aren't plugged into the obd2 port. you could say stuff like onstar and remote self driving control are getting close but they are a lot more limited than what they appear to be

    • @jessicathompson2491 3 months ago +3

      so be honest, how many times in a day do you say something like "well, actually...."

  • @Failure_Is_An_Option 3 months ago +82

    Dump the music. We are either having a technical discussion or we are not. Trying to talk over elevator music doesn't cut it. It is like being on a technical conference call. Somebody goes on hold... and they have hold music and the rest of the team tries to carry on.
    I still gave you a thumbs up. I've been in CAN for 15 years. Nothing new. It's how the aftermarket intercepts the traffic. Huge industry.

    • @AndrewGerlitz 3 months ago +17

      I had wondered about that, little loud for the ambiance I wanted. Appreciate you!

    • @Electrically-Electronic 3 months ago +4

      No it was good for me.

    • @king_james_official 3 months ago +26

      you sound really hostile about some music that didn't suit you. maybe dump the forced professionalism sometimes. this isn't an office job ;)

    • @iclassicify3126 3 months ago +12

      @@AndrewGerlitz it is a little loud but don’t dump it just turn it down this guy doesn’t know what he’s talking about

    • @ChristopherWoods 3 months ago +6

      The music choice itself was inoffensive, it could have been a bit quieter. However in your case the content is so interesting it doesn't really need music to distract (unlike some videos from other channels!) so if it's an artistic or personal choice, stick to it. But don't be afraid to put these videos out 'dry' because the videos, explainers to camera and editing is fundamentally well done. Liked and subbed :)