Difference between revisions of "MCD software"
|Line 125:||Line 125:|
[http://opengarages.org/index.php/GNU_Radio|'''GNU Radio'''] is an open source software platform providing signal processing capabilities for software defined radio (SDR) receivers and transceivers. It has a multitude of add-ons available for the processing of cellular signals, WiFi signals (to include 802.11p)
[http://opengarages.org/index.php/GNU_Radio|'''GNU Radio'''] is an open source software platform providing signal processing capabilities for software defined radio (SDR) receivers and transceivers. It has a multitude of add-ons available for the processing of cellular signals, WiFi signals (to include 802.11p)vehicle key-fobs .
Revision as of 18:35, 1 March 2016
- 1 Tools of the Trade
- 2 Hardware
- 2.1 CAN Devices
- 2.1.1 Arduino Shields
- 2.1.2 CANtact
- 2.1.3 Raspberry Pi
- 2.1.4 ChipKit Max32 Development board and NetworkShield
- 2.1.5 ELM327
- 2.1.6 GoodThopter
- 2.1.7 ELM-USB
- 2.1.8 CAN232 and CANUSB
- 2.1.9 VSCOM
- 2.1.10 USB2CAN
- 2.1.11 EVTV Due
- 2.1.12 EVTV CanDue 2.0
- 2.1.13 CrossChasm C5
- 2.1.14 CANBus Triple
- 2.1.15 Higher End CAN Devices
- 2.2 CAN Bus Y-Splitter
- 2.3 HackRF
- 2.4 USRP
- 2.5 ChipWhisperer
- 2.6 Red Pitaya
- 2.1 CAN Devices
- 3 Software
Tools of the Trade
This section discusses different tools that you may want to use when researching a vehicle. I’ve chosen to focus on low-cost devices and software because it’s important to make it possible for as many people as possible to participate in the research. If your company produces a great product, feel free to contact Open Garages.
NOTE: This page comes out of the Car Hacker's Handbook and has been placed online to keep it up to date.
Though we have seen numerous cost effective devices for communicating with the CAN bus recently, the software needed to interact with them can be lacking, so you'll often need to write your own.
In this section we’ll cover boards, like the ChipWhisperer discussed in Chapter XX, as well as dongle-like devices that provide CAN connectivity. We'll first look at lower-cost, open source hardware, then list some higher end devices for those willing to spend a bit more money.
These devices are useful to sniffing the contents of you CAN bus and injecting packets. They run the range of hobbyist level boards to professional devices that support lots of custom features can many different CAN buses simultaneously.
Numerous Arduino and Arduino-like devices for about US $20 to $30 (https://www.arduino.cc/) will support CAN with the addition of an Arduino shield. Listed below are some Arduino shields
- CANdiy Shield - MCP2515 CAN controller with two RJ45 connectors and a protoarea
- ChuangZhou CAN-BUS Shield - MCP2515 CAN controller with a D-sub connector and screw terminals
- DFRobot CAN-BUS Shield - STM32 controller with a D-sub connector
- SeeedStudio SLD01105P CAN-Bus Shield – MCP2515 CAN controller, with a D-sub connector
- SparkFun SFE CAN-BUS Shield - MCP2515 CAN controller with a D-sub connector. This shield comes with an SD card holder and has connectors for an LCD and GPS module.
These are all pretty similar. Most run the MCP2515 CAN controller, though the DFRobot shield uses a STM32 which is faster with more buffer memory.
Regardless of which shield you choose, you will have to write code for the Arduino in order to sniff packets. Each shield comes with a library designed to interface with the shield programmatically. Ideally these buses should support something like the LAWICEL protocol, which allows them to send and receive packets over serial via a userspace tool on the laptop (such as SocketCAN).
Freematics OBD-II Telematics kit
This Arduino-based OBD-II Bluetooth adapter kit has both an OBD-II device and a datalogger, and comes with GPS, accelerometer, and gyro and temperature sensors.
CANtact is an open-source device by Eric Evenchick that is very affordable USB CAN device that works with Linux SocketCAN. It uses a DSUB 9 connector and has a unique extra advantage of using jumper pins to change which pins are CAN and ground. This features enables CANtact to support both US and UK style db9 to OBD-II connectors. You can get CANtact from http://cantact.io/
The Raspberry PI is an alternative to the Arduino that costs about US $30 to $40. The Pi provides a Linux operating system but does not include a CAN transceiver, so you'll need to purchase a shield.
- Canberry - $23 MCP2515 CAN controller, with screw terminals only (no D-sub connector)
- Carberry - $81 Two CAN bus lines and two GMLAN lines, LIN, and Infrared (NOTE: the Carberry does not appear to be an open source shield)
- PICAN CAN-Bus Board- $40-$50 MCP2515 CAN controller with D-sub connector and screw terminals
ChipKit Max32 Development board and NetworkShield
The ChipKit board is a development board that together with the NetworkShield can give you a network interpretable CAN system as discussed in Chapter X Reverse Engineering the CAN Bus in section “Translating CAN bus messages with OpenXC”. This devices goes for about US $110. This open source hardware solution is touted by the OpenXC standard and supports pre-built firmware from OpenXC, but you can also write your own firmware for it.
The ELM327 chipset is by far the cheapest chipset available at anywhere from US $13-40. It’s used in just about every cheap OBD device. It communicates with the OBD over serial and comes with just about any type of connector you can think of, from USB to Bluetooth, Wi-Fi, so on. You can connect to ELM327 devices over serial and they are capable of sending packets other than OBD/UDS packets. For a full list of commands for using the ELM327 see the datasheet at http://elmelectronics.com/DSheets/ELM327DS.pdf
Unfortunately, the available CAN linux tools will not run on the ELM327, but Open Garages has begun a web initiative that includes sniffing drivers for the ELM327 called CANiBUS (see https://github.com/Hive13/CANiBUS). Be forewarned that the ELM327 has limited buffer space, so you will lose packets when sniffing, and transmission can be a bit imprecise, but if you're in a pinch this is the cheapest route.
If you are willing to open the device and solder a few wires to your ELM327 then you can reflash the firmware and convert your ELM327 into a LAWICEL compatible device. This means you can make your uber cheap ELM327 work with Linux and show up as an slcanX device! Area 515 is a makerspace in Des Moines, Iowa. See their blog posting for direction on how to reflash your ELM327 https://area515.org/elm327-hacking/.
Travis Goodspeed, a well known hardware hacker, has released an open source, low cost board called the GoodThopter with a CAN interface. The GoodThopter, based on his popular GoodFet devices, uses MCP2515 and communicates over serial with its own custom interface. You will need to completely assemble and solder together the device yourself, but doing so should could cost just a few dollars, depending on the parts you have available at your local hackerspace.
OBDTester.com sells a commercial version for around US $60. OBDTester.com are the maintainers of the PyOBD library (see the Software section).
CAN232 and CANUSB
LAWICEL AB produces the commercial CAN devices CAN232 (which plugs into an RS232 port with a DB9 connector) and a USB version called CANUSB, for about US $110 to $140. As the inventors of the LAWICEL protocol, these devices are guaranteed to work with the can-utils serial link modules.
The VSCPM is an affordable commercial USB CAN module from Vision Systems (http://www.vscom.de/usb-to-can.htm) that uses the LAWICEL protocol. VSCOM works with the Linux can-utils over serial link (slcan) and provides good results. The device costs around US $100-$130.
The USB2CAN module from 8devices (http://www.8devices.com/usb2can) is the cheapest alternative to a non-serial CAN interface. This small, commercial USB device will show up as a standard can0 device in Linux and has the most integrated support for this price range. Most devices that show up as a canX raw device are PCI cards and typically cost significantly more than this device. Note: If you are looking for a DB9 cable for this one you will want one like this (http://www.mouser.com/ProductDetail/EasySync/OBD-M-DB9-F-ES/?qs=%2fha2pyFadujDlkq35NWa0Zot3gKfnxUIBy5tgxPV7wd6AQNaRDvj%2fw%3d%3d)
EVTV.me specializes in electric car conversions. They make lots of great tools for taking your historic vehicle and doing crazy things like adding a Tesla drive train to it. One of the tools they have is a $100 open source CAN sniffer called the EVTV Due. This board is basically an Arduino Due with a built in CAN transceiver and has handle screw terminals to interface with your CAN lines. This board was originally written to work solely with their SavvyCAN software which uses their Generalized Vehicle Reverse Engineering Tool (GVRET) but recently they added support for SocketCAN as well. http://store.evtv.me/proddetail.php?prod=EVTVDue2
EVTV CanDue 2.0
The EVTV CANDue 2.0 is another product from [EVTV]. This Arduino Due based shield provides two CAN channels and one Single Wire CAN (GMLAN) channel. The board was originally written to work solely with their SavvyCAN software but should also support SocketCAN via the lawicel protocol. [CANDue 2.0]
The CrossChasm C5 (http://www.crosschasm.com/technology/data-logging/) is a commercial device that supports the Ford VI firmware for about US $120.The C5 supports the Vehicle Interface (VI, also known as the CAN Translator) to convert CAN messages to the OpenXC format, and it converts some proprietary CAN packets into a generic format to send over Bluetooth.
As I write this, the CANBus Triple (http://canb.us/) is still in development. It uses a wiring harness designed to support Mazda, but supports CAN buses of any vehicle.
Higher End CAN Devices
Higher-end devices will cost you more money, but are capable of receiving more simultaneous channels, and offer more memory to help prevent packet loss. High performance tools will often support eight channels or more, but unless you’re working on racing vehicles you probably don't need that many channels, so be sure that you need devices like these before dropping any cash.
CAN Bus Y-Splitter
A CAN Bus Y-Splitter is a very simple device that's basically one DLC connector broken into two connectors, which allows you to plug a device into one port and a CAN sniffer into the other. These typically cost around $10.
HackRF is a software defined radio from Great Scott Gadgets. This open source hardware project can receive and transmit signals from 10 MHz to 6 GHz. At about US $330 you can’t get a better SDR for the the price. HackRF and the Ubertooth are available at Great Scott Gadgets.
USRP (http://www.ettus.com) is a professional, modular SDR device that you can build to suit your needs. USRP is open source to varying degrees at a price ranging from US $500 to $2,000.
NewAE Technologies produces a system for side channel attacks, such as power analysis and clock glitching, known as the ChipWhisperer ( http://newae.com/chipwhisperer) as discussed in Chapter XX). Similar systems usually cost US $30,000 or more, but the ChipWhisperer is an open source system that costs between US $1,000 and $1,500.
Red Pitaya (http://redpitaya.com/) is an open source measurements tool that replaces expensive measurement tools such as oscilloscopes, signal generators, and spectrum analyzers. Red Pitaya has LabView and Matlab interfaces, and you can write your own tools and applications for it. It even supports extensions for things like Arduino shields. It costs around US $500.
As we did with hardware we’ll focus first on open source tools then cover more expensive ones.
GNU Radio is an open source software platform providing signal processing capabilities for software defined radio (SDR) receivers and transceivers. It has a multitude of add-ons available for the processing of cellular signals, WiFi signals (to include 802.11p), vehicle key-fobs and a multitude of other signals.
PyOBD (http://www.obdtester.com/pyobd) also known as PyOBD2 and PyOBD-II (see Figure AB-1 and AB-2), is a Python module that communicates with ELM327 devices. It’s based on the PySerial library, and is designed to give you information on your OBD setup in a convenient interface. For a specific scan tool fork of PyOBD see Austin Murphy’s OBD2 ScanTool (https://github.com/AustinMurphy/OBD2-Scantool/) which is attempting to become a more complete open source solution for diagnostic trouble shooting.
Linux supports CAN drivers out of the box, and SocketCAN provides an easy netlink (Network card interface) experience when dealing with CAN. You can use its can-utils suite for a command line implementation, and as open source software it’s easy to extend functionality to other utilities. (See Chapter XX for more on SocketCAN.)
CANiBUS (see Figure AB-3) is a web server written in Go by Open Garages to allow a room full of researchers to simultaneously work on the same vehicle, whether for instructional purposes or team reversing sessions. The Go language is portable to any OS, but you may have issues with low level drivers on certain platforms. For example, even if you're running CANiBUS on Linux you won’t be able to directly interact with SocketCAN, because Go doesn’t support the necessary socket flags to initialize the CAN interface. (This problem could be addressed by implementing SocketCANd but as of this writing, that feature has yet to be implemented.) CANiBUS does have a driver for ELM327 that supports generic sniffing. You can learn more about CANIBUS at http://wiki.hive13.org/view/CANiBUS and download the source from https://github.com/Hive13/CANiBUS
Kayak (http://kayak.2codeornot2code.org/) is a Java based GUI for analyzing CAN traffic. It has several advanced features, such as GPS tracking, and record and playback capabilities. It utilizes SocketCANd in order to work on other operating systems, so you will need at least one Linux based sniffer to support Kayak. (You’ll find more detail on setup and use in Chapter XX in the SocketCAN section.)
SavvyCAN is a tool written by Collin Kidder from EVTV.me. It uses another framework they designed called the Generalize Vehicle Reverse Engineering Tool (GVRET) to talk to HW sniffers such as the EVTVDue. SavvyCAN is a QT gui based tool that works on multiple OS platforms and is open source. It has a slew of very nice features such as DBC editor, CAN bus graphing, log file diffing, several tools built for reverse enginnering as well as all the normal CAN sniffing features you would expect. SavvyCAN does not talk to SocketCAN but it can read in several different log file formats such as, Bushmaster logs, Microchip logs, CRTD formats and generic CSV formatted log files.
O2OO (http://www.vanheusden.com/O2OO/) is an open source OBD-II data logger that works with ELM327 to record data to a SQLite database for graphing purposes. It also supports reading GPS data in NMEA format.
Caring Caribou (https://github.com/CaringCaribou/caringcaribou) is designed to be the Nmap of automotive hacking. As of this writing it is still in its infancy but it shows a lot of potential. Caring Caribou was written in Python, has some unique features, like the ability to brute force diagnostic services, and handles XCP. It also has your standard sniff and send CAN functionality and will support your own modules.
CAN of Fingers (c0f) is an open source tool for fingerprinting CAN bus systems found at https://github.com/zombieCraig/c0f. It has some basic support for identifying patterns in a CAN bus network stream which can be useful when trying to find a specific signal on a noisy bus. (See Chapter XX for an example of c0f at work.)
UDSim is a GUI tool that can monitor a CAN bus and automatically learn the devices attached to it. It does this by watching communications and is designed to be used with another diagnostic tool such as a Dealership tool or a scantool from a local automotive store. It has three modes: learning, simulation and attack. In learning mode it will identify modules that respond to UDS diagnostic queries and monitor the responses. In Simulation mode it can simulate a vehicle on the CAN bus to fool or test diagnostic tools. In attack mode it can create a Fuzzing profile for tools like Peach Fuzzer (peachfuzzer.com). UDSim can be found in zombieCraig's repo here: https://github.com/zombieCraig/UDSim
Octane (http://octane.gmu.edu/) is an open source CAN bus sniffer/injector with a very nice interface for sending and receiving CAN packets, including an XML trigger system. Currently it only runs on Windows.
AVRDUDESS (http://blog.zakkemble.co.uk/avrdudess-a-gui-for-avrdude/) is a GUI frontend for AVRDUDE written in .NET, though it works fine with Mono on Linux. You’ll see AVRDUDESS in action in Chapter XX of this book.
RomRaider (http://www.romraider.com/) shown in Figure 4 is an open source tuning suite for the Subaru engine control unit that lets you view and log data and tune the ECU. It’s one of the few open source ECU tuners and it can handle 3D views and live data logging. You will need a Tactrix Open Port 2.0 cable and Tactrix EcuFlash software in order to download and use the ECU's firmware. Once you have downloaded the flash with EcuFlash you can edit it with RomRaider.
The editor is written in Java and currently works on Windows and Linux though EcuFlash isn't supported on Linux.
Komodo is a higher end sniffer with a nice multi-operating system Python SDK. The cost is around US $350-$450 depending on whether you want a single or dual CAN interface. Komodo has isolation capabilities to prevent your computer from frying if you miswire something, as well as eight general purpose IO pins you can configure to trigger actions from external devices. Komodo comes with some decent software to get you up and running, but the real advantage is that you can write your own Komodo software.
Vehicle Spy is a commercial tool from Intrepid Control Systems (http://store.intrepidcs.com/) specifically designed for reversing CAN and other vehicle communication protocols. The software requires one license per NeoVI or ValueCAN device, proprietary devices for Vehicle Spy. The ValueCAN3 is the cheapest device that will work with Vehicle Spy. It has one CAN interface and runs about US $300. Add the Vehicle Spy Basic software and your cost will be about US $1,300.