Eric Evenchick Hacking Cars with Python PyCon 2017

Captions
Host: Good afternoon everyone. Our next speaker in the room is Eric Evenchick, and the title of this talk is Hacking Cars with Python, so please give a warm welcome to Eric.

Hello, welcome to the last talk slot. Thank you for sticking around for this one. My name is Eric Evenchick, and yeah, today we'll be talking about hacking cars with Python. A little bit about me: I do security research for a firm called Atredis Partners. We do a lot of stuff with mobile and embedded, and certainly historically I've done a lot of car security things, which is what we're talking about today. I also have a little company up in Canada called Linklayer Labs that builds open-source hardware, which we'll talk about a little bit today, and I also write for this website called hackaday.com, which I encourage you all to read, as a shameless plug. It's a blog about hardware hacking and such. But that's kind of enough about me.

What I'm always curious about when I talk about this is: has anyone here done anything in the car hacking space? Have you ever sent or received CAN bus stuff? A few hands, that's cool. And I assume some people here probably use Python, so it's kind of a good audience: not too much for cars, but lots of Python, and we'll go with that.

A little disclaimer though: I don't want you to break your car, and some of the diagnostic stuff you can do to cars gives you really high-level access and you literally can brick things. You can also modify safety-critical systems, which is bad, because you don't want to do that when you're inside of a car. It might be illegal if you, say, reset an odometer or change VIN numbers; that's not cool, so don't do those things, proceed at your own risk, and don't blame me.

So the first thing about cars: they're computers nowadays. They're just robots that you happen to sit inside of, and this happened for a few reasons. The first one is safety. You're probably familiar with airbags and other safety advances that have come into cars. One thing you might not know is that airbags are really complex now. Some of them will actually detect things like how heavy the occupant is, where their seat is, whether their seat belt is actually done up, and so on and so forth, before firing the airbag, and then using that data they actually determine how hard they should fire the airbag to provide the best crash resistance. So you need a computer to do that; you can't do that with a mechanical system.

Advanced features: of course we have the Tesla Autopilot there, and also the infotainment systems. Generally called ADAS, advanced driver assistance systems, in the industry, these are things like your auto braking, your adaptive cruise. You need computers to pull that off. But the real reason is actually emissions. This is why we got electronic engine controls in the first place. There were requirements that went in to say, hey, you need to make those cars more efficient, you need them to do less emissions, so figure it out, and the automotive companies went off and figured out all this cool stuff like exhaust gas recirculation and all sorts of fancy ways of controlling engines, fuel injection. The problem was it was hard to do, so they needed computers to make it work.

But cars are also networks. In fact there are a lot of computers in a car, up to a hundred in a fancy car. The fancier your car is, the more computers it has; that's just a rule of thumb. The engine controller: if your car has an internal combustion engine, it probably has an engine controller. If your car is super high-end, it might have, and I've literally seen this in a car, an aromatherapy unit, and that actually could be connected to the car's network. Automotive networks nowadays are typically CAN bus, controller area network. That will come up a lot; I'll call it CAN. It's one way of networking stuff together. There are a few older technologies, there are some newer technologies, but by and large things are still CAN. And this shows you why there are so many computers: we have door controllers, we have airbag controllers, we have an engine controller, a radio, infotainment, telematics for OnStar and things like that, body controls, so on and so forth. Tons of parts, and they all have to talk.

So that brings us to CAN bus, and it's important to understand a little bit about this if you're going to play with cars. It's controller area network, and the reason it exists for cars is because it's cheap, and the automotive industry is all about saving money. It's really cheap to network things together because, unlike Ethernet, you don't need a PHY or a MAC really; you just need this cheap little transceiver chip. The controller for it is on board all these microcontrollers; for a dollar you can get one of these microcontrollers, for 10 or 20 cents you have a transceiver, and you're good to go.

And there are a bunch of different types. The one you see most is high-speed. This is a differential thing, so kind of like Ethernet, you twist the wires together. There's low-speed, which is single-ended; that's when you want to be even cheaper. Fault-tolerant CAN is used in things like airbags for safety, and there's this new CAN flexible data thing that lets you send more data faster. But a typical structure you'll see is a bunch of controllers that do important things on a differential high-speed CAN bus, in green here, like your engine, anti-lock brakes, those are kind of important, we want those to work quickly, and the transmission also needs to know about the engine pretty fast. Then you'll have controllers that gateway messages through to a different CAN bus; in this case it's a body control module that then gateways some of that across to, say, the instrument panel or the door modules. And that's the topology that you see, except in more complex vehicles you might have up to five or six different CAN buses that are all gatewayed together in crazy ways.

But CAN itself is really simple. It's a protocol that you can learn in a day, because there are only like three things you need to know about. You have controllers, and these are nodes of the network, so an engine control unit might be one controller, a body control unit might be another one, and so on. They're all just connected together on this big wire; that's the bus, so this collection of them is called a bus. And a frame: you only really have to care about three things. There's an ID, and that's just a number that says this is what this frame means. There is a data length code that tells you how many bytes are in that frame; you can only have up to eight. And then there are eight bytes of data. That's it. It's just ID, data length, data. If you're a programmer that's all you have to care about. If you're doing electrical stuff it's a bit more complicated, but that's it: you have an ID, you have your eight bytes, you look at them, you get your data.

There are two ways this is used. One is just operational data, that's what I like to call it, and this is what's happening all the time in your car. Things are periodically broadcasting messages, and they're being picked up by other controllers that want to know about that particular thing, and then they use that to make decisions. One example, and we'll use this a bit, is your engine controller may broadcast the engine speed in revolutions per minute. Your instrument panel might pick that up and display it on the tachometer, if you have a car that still has a tachometer; they're kind of going away, but that's one example. Obviously that's a very simple example. You have more complex things: you might have a yaw rate sensor that is then connected to your traction control system and is measuring the yaw of the car, and another sensor that's measuring the steering angle. The traction control is receiving those two things, yaw and steering angle, over the CAN bus, periodically being broadcast, and whenever it thinks that you're steering this way and you're yawing the other way, it's going to take some corrective action. So that's how the operational data works: just fixed broadcast times, 10 milliseconds for one message, 100 for another, maybe based on how important it is. Really simple.

Diagnostics is the more complicated one, but also the more fun one to play with. It's used during specific times and allows for special interaction that you shouldn't have normally, and it's a client-server approach.

So this operational data, again, it's broadcast, it's periodic, and it makes all the normal stuff that happens when you're driving your car work, and you never think about it. You just turn the key and there are lots of CAN messages flying around, but don't worry about it, your car still works. They use proprietary encoding for this, using a CAN database. This is just saying that for this ID and these bytes, it has this meaning, and we can show how that works in a moment. But what it lets us do, as people hacking cars, is get information about the vehicle. If we can decode the messages we can log that data and find out, hmm, how's my engine performing, or how's my electric vehicle battery degrading, things like that. And also we can control components by sending them our own messages and tricking them into doing what we want them to do.

So the way this works: the engine control module, in this example, sends that same 8-byte frame, and we would have this CAN database file, which is just a big text file actually, that tells us how to decode every one of these frames. In this case it might tell us that bytes 0 and 1 are engine RPM, then we get 0x5BC. It's going to tell us the endianness, it's going to tell us if it's signed, and things like that, but let's just take a simple example: 0x5BC converted to decimal is 1500 RPM. So the instrument cluster will see that message and move your tachometer to 1500 RPM, telling you that your engine is in fact spinning. Now you can also mess with it and tell it that it's spinning a lot faster. So in this example it's an injection that we're doing, and we're actually telling it that it's doing 8,000 RPM. But the real fun part of this picture is that this car actually has no engine in it at all. So we're just having fun, and this is kind of a silly example, but practical things that I've done with this: you pull the power steering module out of one car, you want to use it in a different car, you need to tell it that it has 12-volt power, that the engine is running. It wants to know these things so it doesn't kill your 12-volt battery, and you also need to tell it how fast the car is going, because it will apply a lot of torque when you're going slow and not so much when you're going fast, so you don't flip the car over. And yeah, you can actually implement those things yourself and take a power steering module and put it on the bench or whatever you'd like to do.

Diagnostics: this is used during manufacturing, service, end of life, and forensics. Manufacturing to set your car up, service to figure out what's wrong with it, end of life to deploy your airbags, oddly enough, and forensics, for if your airbags go off, they can actually get some cool data about why you crashed. It's used for a ton of features; we're going to talk about them, but it usually requires special tools. That's a GM Tech 2; it is one of the GM tools, and it is rather expensive.

So the first thing we need to know about diagnostics is ISO-TP. I said that CAN is eight bytes, and that's a problem, because VIN numbers are longer than eight bytes, and you might want to send a VIN number over CAN. VIN number being a vehicle identification number; every car has a unique one that's displayed on your windshield. But how do we send this 17-character thing in eight bytes? Well, we just combine frames together, and ISO-TP, also called CAN-TP, is just a transport protocol that lets us do that. So it allows 4095 whole bytes of transmission, and flow control makes the whole thing work. It's really nice when you're trying to do firmware updates, because doing those eight bytes at a time is not fun.

So once we have the ability to send 4095 bytes, we need to get into the standards. I can't talk about all of them, because there are a million of them, but basically all cars nowadays will do OBD-II, and this is the one that you're probably familiar with if you've ever played with cars, and they'll do Unified Diagnostic Services, and this is one that you probably aren't familiar with unless you've worked in the automotive industry or have played with this a lot. There are other older ones, J1850 and ISO 9141; some of these are still used a bit, but they're not based on CAN and I don't have time to talk about them.

OBD-II: this is the simplest thing to play with with a car. If you own a car you might want to do this to save yourself some money, if anything else. You can read all these nice parameters about your car, like how fast is my engine spinning, how fast am I going. You can plot them and log them using some cool apps, at least on Android. You can also clear fault codes, so when that silly check engine light comes on you can turn it off, and then it might come on again and you have a real problem, but it saves you the 50 bucks to get someone to actually do it for you. The best reference for this is the Wikipedia page of OBD-II PIDs. It has everything you can request; it's a beautiful Wikipedia page, I always refer people there, and it has everything you need. You can buy one of these cheap interfaces, that's a Bluetooth one, and get going pretty quick, but you might get bored.

But how does OBD work? Well, okay, we have a mode and a parameter ID, so we say mode one is request some current data, and we say I want to request parameter ID 0x0C or something like that. We send that off to our engine control unit, which is a server in this case. It looks at that and then sends us back the current data. So it sends the mode, adding 0x40 to say this is a response, it echoes that PID so we know what we're actually getting, and then sends the data. It's a really simple request-response structure. But you might get bored of OBD, because it's a finite list of these things, and once you go through them it's like, I want more.

Well, Unified Diagnostic Services is more. It is what the actual OEM uses for their diagnostic tools. You have a client and a server again; the client is the tool you're plugging in and the server is this engine control unit, and it defines these functional units that contain a total of 25 services. We'll go over them pretty quick, just to talk about the cool ones. It's available from the ISO as a PDF, but that PDF costs one hundred ninety-eight, it's Czech, or no, not Czech, Swiss francs, CHF. That's a lot of money for a PDF document, and it's illegal for me to just give it to you, so that's why, while we get to the Python part of this, it's more fun to implement that in Python than just hand around PDFs.

So how does UDS work? Very similar. We say I want to do this service, it has an ID, and here are the parameters. You send that off to the controller, it thinks about it a bit, and then sends you back a response. You need to know how the service works to know how to encode those request parameters and how to decode those response parameters. Unfortunately you're going to have to buy the PDF and implement this all yourself in order to make that work, but there are lots of fun things you can do once you get there.

There's this first functional unit, which is all just about setting up the session: getting into the right mode, getting security access if you need it, you can reset them and change the bit rates and all that sort of stuff. Not much fun in here, it's just setup. But then we get to the cool stuff. So there's read data by identifier: there are just arbitrary IDs mapping to blocks of data, and you can read them. You can also write some of them, which would change the functionality of that controller, kind of exciting. You can also read and write memory addresses, if that functionality is enabled, and some controllers leave that functionality enabled, so you can dump blocks of memory out of the controller, pretty good if you're reverse engineering a system. And there's some other stuff: scaling data, to figure out how to convert to engineering units, and periodic data identifiers will broadcast stuff to you. But yeah, this is the basic way to get data in and out.

You can do fault codes, so you can read your fault codes and clear your fault codes, useful if you're trying to fix a car. Nowadays you basically can't diagnose a car without being able to look at fault codes. There's also input/output control. This should never be enabled in production, because what it does is let you just control the output pins of the ECU, so you can just say, I would like pin five to go high right now, and it will do it. In practice, not a good idea. Routine control is very exciting. It does everything from letting you recalibrate sensors to, in fact, deploying your airbags whenever you're in that special end-of-life state. It just lets you run test routines that they left on those controllers, and now you can choose one by index and tell it to start and it will do something. You don't necessarily know what it's going to do, but you can run them. And yeah, the last thing is actually maybe the most scary: it's upload and download data. So this is how you change firmware on those controllers, and you can actually rewrite firmware on the engine controller in your car. Up until very recently most of that firmware was not signed or anything, so you can actually just load your own program onto your controller and have a good time. So there's request upload and download, you transfer some data, you request transfer exit, and you're done.

But that's a lot of services, and you probably don't want to figure them all out yourself, so let's talk about the tools, and this is, I promise, where we get to Python. Starting with hardware: the official ones like the Tech 2 are expensive. The cheap options do OBD; I recommend you get one if you're playing with cars, they're cheap. Go on Amazon and search for OBD2 dongle and you'll find a bunch of them for 10 bucks. You can also use a CAN to USB adapter. I happen to make one that's open source; it's blue, this guy called CANtact, and it will do that for you. The problem is it only does CAN, and you still need to do this ISO-TP thing, and you need to do the UDS stuff, and that sounds hard. So let's use Python. I came up with a bunch of scripts for doing this, then finally decided that they might be useful for somebody else, and then tried to make it into a library. So if you look at this and think, yeah, this is some interesting Python code that sucks, that's probably true, but I've been trying to make it better, and if people are interested in cars and want to play with it and want to help make it better, that would be great.

So pyvit, the Python vehicle interface toolkit. The whole idea is to provide ways to talk to cars in Python. It does CAN, it does the ISO-TP step, and it also does UDS, and it makes your life a lot easier. Because if you want to request, for example, an ECU serial number, that's a standardized data identifier that you need to read. So you need to set up the interface, we'll omit that for brevity, but you set up your interface, you then say I would like to request 0xF18C, and it comes back with a data record, and that's actually the serial number, just encoded as bytes there. You smash them together, you get a 32-bit serial number for that part. Another simple example: if you want to make your dashboard light up like a Christmas tree, you can reset all the controllers in your car using the ECU reset service. This is usually pretty safe as long as you're not actually running your engine while you reset the controller; I don't recommend that. You can do a hard reset or a soft reset, there are various types, but this library also aims to implement all of those enums that you need, that are only in this PDF that you need to buy. So you can do ECU reset, reset type hard reset, and in IPython let me just keep hitting tab until you get the one that you want. So it's actually pretty easy to use, and that's how I play with cars nowadays.

So this is fun to play around with. You can go into IPython, set up your device, and make requests, all this sort of stuff. And that was kind of where I was at with this, until, once I had it done and actually had UDS implemented, I was like, cool, now I can build all these tools, and that's where I'm at now. So one tool that I've wanted forever (this slide's not supposed to make sense, that's actually kind of the point, it's one to live on forever) is when you record one of these diagnostic tools, the expensive official ones. You might get it for a day and you can play around a bit, so you record all these traces. What you're actually looking at here is a timestamp, a CAN ID, and then a bunch of data represented as hex. So you have it for a day and you push all the buttons on it, you record all these logs, and then you have to look at them and figure out what they mean, and it's not fun. So in orange you have the ISO-TP stuff, and then any of your service IDs, and then there are negative responses in there that you have to filter out. And also the memory management in these devices is pretty funny, so you'll see some bytes like that 3 2 3 6 3 8 3 2 repeating a few times. That's just because they don't replace those bytes in the buffer, and you just need to ignore them. You need to know to do that, and it is a mess.

So at a certain point you just realize that you need a tool, and so this is currently an example, and I want to roll it out into a full tool. It takes literally that data and turns it into this, which is way more readable. Okay, I'm doing diagnostic session control with session type 3 and this parameter record, and then I'm doing it again, because that's what this tool did. I'm doing a read data by identifier, I get back 0 5 1 3, and then I do another read data by identifier and get back this stuff, which comes out to that ASCII string. And you just keep going; you can keep doing this for all sorts of stuff. But this was actually from reverse engineering of a CDR tool, so it's a crash data recording tool. Your car has a black box in it, an EDR, and it's actually the airbag unit. So if you crash your car, it's going to record about 5 seconds of data on what you were doing with the pedals, how fast you were going, was your seat belt done up, what was the actual acceleration profile of the crash, what airbags deployed, and so on and so forth. Depending on the car, some cars support more of these, some support less, but it can be a lot of data. This tool pulls all that data out, so we were trying to reverse engineer those to be able to pull that ourselves. And actually if you take this ASCII string and you slam it into Google, you'll find that's actually the part number for the occupant restraint control module we were looking at, and you can buy one for 188 dollars from Mopar. Kind of useful if you need a new airbag module.

But yeah, this tool is still very much a demo; it comes out as text. But to live dangerously here, we can do it with some more cars. So this is apparently an Audi A4 we can do this on, and we'll get out something different. It works very differently: we see we have this routine control instead, so that's a different service, and actually we see an error come up, it's a request out of range. So likely this was actually probing about some status for an airbag that this car didn't have, so it just says not there, sorry. So that's a different way the different vendors implemented that. We can also look at a Prius. These guys are tricky: they use an unknown service, they use their own special proprietary service, but we can actually still see the data that was sent and received and get kind of an idea of how that's working. What else do we have? Looking at this Nissan Versa, this one actually does read memory by address. So the way that they read out this airbag data is they peek at memory addresses inside of your airbag controller and read thirty-two bytes at a time out of it. I haven't had the guts to try to do a write memory by address on an airbag module, but it might be enabled, who knows. So that's how that one worked, and this is much nicer than looking at that, I think anyway. So it's a cool tool: if you have some diagnostic thing to play with, just take a log and run it through here and you get that out. And it's just a first example of, once you have decent tools written for this, how you can implement stuff on top.

So a little bit of conclusions, practical stuff, because I'd like to leave people with something to do. You should get an OBD-II device if you own a car, because that one time your check engine light comes on and you want to know, you can read the fault code. Kind of useful, ten dollars, why not. Right to repair: if you happen to be into this stuff, you will be happy to know that there are some legal fights going on to give you the right to be able to do this. You should look up right to repair in your state and see what's happening, because I'm a Canadian, but the U.S. kind of dictates how this works, so please help us with right to repair. And if you're interested in the community, Open Garages is an awesome community of people hacking cars, and if you're at DEF CON, the DEF CON Car Hacking Village is a hands-on, have-fun-with-cars thing. It's a great time, they have a capture the flag, they have all sorts of stuff, and I'm usually hanging out there, so please do say hi.

The future: well, we have Ethernet-based diagnostic stuff coming in, we have Ethernet going into cars, that'll be interesting. We have CAN FD, which is this new CAN with bigger frames, and we'll need some new tools for that, but it's not really in any cars today. Vehicle APIs are starting to become a thing: Tesla gives you a REST kind of API to your car. Ford a while ago came out with OpenXC, which is an open-access, open-source tool you can use to access data beyond just OBD; it actually uses UDS, but they don't tell you that. And more tools based on a library that does UDS and CAN and ISO-TP: now it's pretty easy to write your own tools that do this stuff, and if you have problems, hopefully you'll help me fix them. So that's kind of where I see this going. I work on car projects a bunch and kind of make contributions to things as I need tools. Currently I'm trying to take an electric vehicle powertrain out of a Leaf and stick it in another car, so this kind of tooling is pretty useful when you're like, what's going on in this CAN bus. But that's my time and my pitch. You can find the source code for all this stuff on GitHub, you can email me or Twitter me, or go to either of those websites for more information on those things. I think we have a couple minutes and I'm happy to take questions, but thank you very much to the people who had me here, and thank you very much for sticking it out for the whole time.

[Music] Okay, cool, I guess I can field questions.

Audience member: So it's kind of a two-part one. It seems like you're at the stage of messing with this stuff where you're just poking one memory address, writing to it to see what the value is. What is the level of write access that you can get to this? So is it feasible to rewrite some functions of core functionality?

Eric: So in a lot of cases you can actually, and this requires some security access, but most of those are pretty broken. But in a lot of cases you can actually just change the entire firmware binary running on the controller, so you can change whatever you want. The harder part is actually getting that to work correctly. You don't have the original firmware, so you're going to need to either patch the binary or write your own firmware for it. But a lot of stuff that's a little bit more useful and interesting because of that is just peeking at the services themselves. So let's say you want to implement something that unlocks your doors. There might be a diagnostic service that unlocks your doors, or a CAN frame you can send that unlocks your doors, so then you can actually develop your own tools that do that sort of functionality.

Audience member: Okay, and just kind of a quick follow-up: how plug-and-play is it between manufacturers? So if I have my Nissan Versa and I want to easily access the restraint system from this Toyota I have here, is that doable?

Eric: I wish. So OBD is very across the board; everyone implements OBD mostly the same way. Actual functionality, on the other hand: for UDS, the actual read data by identifier, write data by identifier stuff, that is standardized, but what those data identifiers mean is not. There are whole ranges that are manufacturer-specific and they can define themselves, and so you're kind of at the mercy of those people. So one thing that's nice is that if you have one OEM they tend to stick with it for all their cars. There are exceptions even to that, where you'll find different cars that have totally different CAN buses even though they came out of the same factory. It really depends, is the answer.

Audience member: Okay, thank you.

Audience member: A question over here: does your tool support J1939?

Eric: It does not yet, but I want to write that or find someone who wants to help write that. So the idea is to make it very hardware-agnostic and then give you CAN frames, and then make it pretty simple to work on those. So the idea there is, if you wanted to implement J1939, you can have whatever CAN tool is supported by it and it should work across the board. It's just a matter of, I need to implement J1939, and buying pricey PDFs. Right, yeah, J1939 there's a lot more information on. But if anyone wants that... I meant to say that: if you want to play around with this stuff, if you stuck around you're probably actually somewhat interested, and I happen to have some of these tools which I don't really want to bring back through TSA, so let me know. I could lend them out if you want to download this and actually have a CAN interface. Thank you.

Host: All right, thank you so much Eric. Thanks again everybody. [Applause]
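The three protocol layers the talk walks through (the CAN frame with its ID, length and data bytes decoded against a CAN database; ISO-TP combining frames so that something longer than eight bytes, like a 17-character VIN, can be sent; and the OBD-II mode/PID request with its mode + 0x40 response) as an added, runnable example in Python. This is not code from the talk or from pyvit, and every CAN ID, byte value and the VIN below is constructed for the example; the only real constants are the standard OBD-II request/response IDs and the PID 0x0C RPM scaling.

```python
"""Added example (not from the talk or pyvit): CAN, ISO-TP and OBD-II in plain Python.

1. Decode an operational frame with a hand-written signal definition, the
   role a CAN database (DBC) file plays in the talk.
2. ISO-TP (CAN-TP) segmentation and reassembly of a payload longer than one
   8-byte frame, such as a 17-character VIN.
3. An OBD-II mode 0x01 request for PID 0x0C (engine RPM) and its positive
   response: mode + 0x40, PID echoed, then the data bytes.

All CAN IDs, sample bytes and the VIN below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Signal:
    """Where a signal lives inside a frame and how to interpret its bytes."""
    name: str
    start_byte: int
    length: int  # in bytes
    big_endian: bool = True
    signed: bool = False
    scale: float = 1.0
    offset: float = 0.0


# Constructed "CAN database": frame ID -> signals carried in that frame.
# Mirrors the talk's example where bytes 0-1 of an engine frame are RPM.
CAN_DB: Dict[int, List[Signal]] = {
    0x0C9: [Signal("engine_rpm", start_byte=0, length=2)],
}


def decode_frame(can_id: int, data: bytes) -> Dict[str, float]:
    """Decode every known signal in a frame; unknown IDs decode to {}."""
    decoded = {}
    for sig in CAN_DB.get(can_id, []):
        raw = int.from_bytes(data[sig.start_byte:sig.start_byte + sig.length],
                             "big" if sig.big_endian else "little", signed=sig.signed)
        decoded[sig.name] = raw * sig.scale + sig.offset
    return decoded


# ISO-TP: the high nibble of byte 0 is the PCI type: 0 single frame, 1 first
# frame, 2 consecutive frame, 3 flow control. The receiver's flow-control
# frames are left out here; the sender simply emits all frames back to back.
def isotp_segment(payload: bytes) -> List[bytes]:
    """Split a payload (max 4095 bytes) into zero-padded 8-byte CAN frames."""
    if len(payload) > 4095:
        raise ValueError("ISO-TP carries at most 4095 bytes")
    if len(payload) <= 7:
        return [(bytes([len(payload)]) + payload).ljust(8, b"\x00")]
    frames = [bytes([0x10 | (len(payload) >> 8), len(payload) & 0xFF]) + payload[:6]]
    seq, pos = 1, 6
    while pos < len(payload):
        frames.append((bytes([0x20 | (seq & 0x0F)]) + payload[pos:pos + 7]).ljust(8, b"\x00"))
        seq, pos = seq + 1, pos + 7
    return frames


def isotp_reassemble(frames: List[bytes]) -> bytes:
    """Rebuild the payload, rejecting out-of-sequence or truncated transfers."""
    pci = frames[0][0] >> 4
    if pci == 0:
        return frames[0][1:1 + (frames[0][0] & 0x0F)]
    if pci != 1:
        raise ValueError("expected a single or first frame")
    length = ((frames[0][0] & 0x0F) << 8) | frames[0][1]
    buf = bytearray(frames[0][2:8])
    for expected_seq, frame in enumerate(frames[1:], start=1):
        if frame[0] >> 4 != 2 or (frame[0] & 0x0F) != (expected_seq & 0x0F):
            raise ValueError("consecutive frame missing or out of sequence")
        buf += frame[1:8]
    if len(buf) < length:
        raise ValueError("incomplete ISO-TP transfer")
    return bytes(buf[:length])


# OBD-II over CAN: requests go to the functional ID 0x7DF, the engine ECU
# normally answers on 0x7E8 (standard 11-bit OBD-II addressing).
OBD_REQUEST_ID, OBD_ECU_RESPONSE_ID = 0x7DF, 0x7E8
MODE_CURRENT_DATA, PID_ENGINE_RPM = 0x01, 0x0C


def obd_request(mode: int, pid: int) -> bytes:
    """The single ISO-TP frame carrying a mode/PID request."""
    return isotp_segment(bytes([mode, pid]))[0]


def obd_parse_response(frame: bytes, mode: int, pid: int) -> bytes:
    """Return the data bytes of a positive response; raise on NRC or mismatch."""
    payload = isotp_reassemble([frame])
    if payload[0] == 0x7F:  # negative response: 0x7F, echoed mode, NRC
        raise ValueError(f"negative response, NRC 0x{payload[2]:02X}")
    if payload[0] != mode + 0x40 or payload[1] != pid:
        raise ValueError("response does not match the request")
    return payload[2:]


def engine_rpm_from_pid_0c(data: bytes) -> float:
    """Standard OBD-II scaling for PID 0x0C: (256 * A + B) / 4 rpm."""
    return (256 * data[0] + data[1]) / 4


if __name__ == "__main__":
    print(decode_frame(0x0C9, bytes.fromhex("05DC000000000000")))  # 0x05DC = 1500 rpm
    vin = b"EXAMPLEVIN0000001"  # constructed 17-character VIN
    frames = isotp_segment(vin)
    print(len(frames), "frames, round trip ok:", isotp_reassemble(frames) == vin)
    print("request:", obd_request(MODE_CURRENT_DATA, PID_ENGINE_RPM).hex())
    reply = bytes([0x04, 0x41, 0x0C, 0x1A, 0xF8, 0, 0, 0])  # constructed ECU reply
    print(engine_rpm_from_pid_0c(obd_parse_response(reply, MODE_CURRENT_DATA, PID_ENGINE_RPM)))
```

The reassembler checks the sequence nibble and the declared length, which is the part a log-parsing tool like the one described in the talk needs most: diagnostic traces are full of retransmitted and padded frames, and silently accepting an out-of-order consecutive frame produces plausible-looking but wrong records.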
Info
Channel: PyCon 2017
Views: 13,755
Rating: 4.9378238 out of 5
Id: 3bZNhMcv4Y8
Length: 29min 48sec (1788 seconds)
Published: Sun May 21 2017