can-bus

56 Articles

Get MOST Into Your Pi

August 3, 2023 by 15 Comments

When looking the modify a passenger vehicle, the Controller Area Network (CAN) bus is a pretty easy target. In modern vehicles it has access to most of the on-board systems — everything from the climate control to the instrument cluster and often even the throttle, braking, and steering systems. With as versatile as the CAN bus is, though, it’s not the right tool for every job. There’s also the Media Oriented Systems Transport (MOST) bus which is increasingly found in automotive systems to handle multimedia such as streaming music to the stereo. To access that system you’ll need to approach it slightly differently as [Rhys] demonstrates.

[Rhys] has been working on replacing the dated head unit in his Jaguar, and began by investigating the CAN bus. He got almost everything working with replacement hardware except the stereo, which is where the MOST bus comes into play. It provides a much higher bandwidth than the CAN bus can accommodate but with almost no documentation it was difficult to interact with at first. With the help of a Raspberry Pi and a lot of testing he is able to get the stereo working again with a much more modern-looking touchscreen for control. It is also able to do things like change CDs in the car’s CD player, gather song information from the CD to display on the panel, and can perform other functions of the infotainment center.

For more detailed information on the MOST bus, [Rhys] also maintains a website where he puts his discoveries and other information he finds about this system. Unfortunately car stereo systems in modern vehicles can get pretty complicated these days, but adapting car stereos in older vehicles to modern technology carries some interesting challenges as well.

Continue reading “Get MOST Into Your Pi”

Car Security System Monitors Tiny Voltage Fluctuations

July 25, 2023 by 43 Comments

As the old saying goes, there’s no such thing as a lock that can’t be picked. However, it seems like there are plenty of examples of car manufacturers that refuse to add these metaphorical locks to their cars at all — especially when it comes to securing the electronic systems of vehicles. Plenty of modern cars are essentially begging to be attacked as a result of such poor practices as unencrypted CAN busses and easily spoofed wireless keyfobs. But even if your car comes from a manufacturer that takes basic security precautions, you still might want to check out this project from the University of Michigan that is attempting to add another layer of security to cars.

The security system works like many others, by waiting for the user to input a code. The main innovation here is that the code is actually a series of voltage fluctuations that are caused by doing things like turning on the headlights or activating the windshield wipers. This is actually the secondary input method, though; there is also a control pad that can mimic these voltage fluctuations as well without having to perform obvious inputs to the vehicle’s electrical system. But, if the control pad isn’t available then turning on switches and lights to input the code is still available for the driver. The control unit for this device is hidden away, and disables things like the starter motor until it sees these voltage fluctuations.

One of the major selling points for a system like this is the fact that it doesn’t require anything more complicated than access to the vehicle’s 12 volt electrical system to function. While there are some flaws with the design, it’s an innovative approach to car security that, when paired with a common-sense approach to securing modern car technology, could add some valuable peace-of-mind to vehicle ownership in areas prone to car theft. It could even alleviate the problem of cars being stolen via their headlights.

Continue reading “Car Security System Monitors Tiny Voltage Fluctuations”

Sufficiently Advanced Tech: Has Bugs

April 15, 2023 by 74 Comments

Arthur C. Clarke said that “Any sufficiently advanced technology is indistinguishable from magic”. He was a sci-fi writer, though, and not a security guy. Maybe it should read “Any sufficiently advanced tech has security flaws”. Because this is the story of breaking into a car through its headlight.

In a marvelous writeup, half-story, half CAN-bus masterclass, [Ken Tindell] details how car thieves pried off the front headlight of a friend’s Toyota, and managed to steal it just by saying the right things into the network. Since the headlight is on the same network as the door locks, pulling out the bulb and sending the “open the door” message repeatedly, along with a lot of other commands to essentially jam some other security features, can pull it off.

Half of you are asking what this has to do with Arthur C. Clarke, and the other half are probably asking what a lightbulb is doing on a car’s data network. In principle, it’s a great idea to have all of the electronics in a car be smart electronics, reporting their status back to the central computer. It’s how we know when our lights are out, or what our tire pressure is, from the driver’s seat. But adding features adds attack surfaces. What seems like magic to the driver looks like a gold mine to the attacker, or to car thieves.

With automotive CAN, security was kind of a second thought, and I don’t mean this uncharitably. The first goal was making sure that the system worked across all auto manufacturers and parts suppliers, and that’s tricky enough. Security would have to come second. And more modern cars have their CAN networks encrypted now, adding layers of magic on top of magic.

But I’m nearly certain that, when deciding to replace the simple current-sensing test of whether a bulb was burnt out, the engineers probably didn’t have the full cost of moving the bulb onto the CAN bus in mind. They certainly had dreams of simplifying the wiring harness, and of bringing the lowly headlight into the modern age, but I’d bet they had no idea that folks were going to use the headlight port to open the doors. Sufficiently advanced tech.

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!

This Week In Security: QueueJumper, JS VM2 Escape, And CAN Hacking

April 14, 2023 by 9 Comments

You may not be familiar with the Microsoft Message Queuing (MSMQ) service, a store and forward sort of inter-process and inter-system communication service. MSMQ has become something of a legacy product, but is still available as an optional component in Windows. And in addition to other enterprise software solutions, Microsoft Exchange turns the service on by default. That’s why it’s a bit spooky that there’s a one packet Remote Code Execution (RCE) vulnerability that was just patched in the service.

CVE-2023-21554, also known as QueueJumper, is this unauthenticated RCE with a CVSS score of 9.8. It requires sending a packet to the service on TCP port 1801. The Check Point Research team scanned for listening MSMQ endpoints on the public Internet, and found approximately 360,000 of them. And no doubt far more are listening on internal networks. A one packet exploit is a prime example of a wormable problem, and now that the story has broken, and the patch is available, expect a rapid reverse engineering. Beware, the queue jumpers are coming.

JavaScript VM Escape

The VM2 library is a rather important JavaScript package that sandboxes code, letting a project run untrusted code securely. Or, that’s the idea. CVE-2023-29017 is an example of how hard sandboxing is to get right. It’s another CVSS 9.8 vulnerability, and this one allows a sandbox escape and code execution.

This one now has public Proof of Concept code, and this package has over 16 million monthly installs, so the attack surface is potentially pretty wide. The flaw is fixed in version 3.9.15. Continue reading “This Week In Security: QueueJumper, JS VM2 Escape, And CAN Hacking”

Probing CAN Bus For EV Battery Info

July 27, 2022 by 8 Comments

The widespread adoption of the CAN bus (and OBD-II) in automobiles was largely a way of standardizing the maintenance of increasingly complicated engines and their needs to meet modern emissions standards. While that might sound a little dry on the surface, the existence and standardization of this communications bus in essentially all passenger vehicles for three decades has led to some interesting side effects, like it’s usage in this project to display some extra information about an electric car’s battery.

There’s not a ton of information about it, but it’s a great proof-of-concept of some of the things CAN opens up in vehicles. The build is based on a Citroën C-Zero (which is essentially just a re-badged Mitsubishi i-MiEV) and uses the information on the CAN bus to display specific information about the state of charge of the battery that isn’t otherwise shown on the car’s displays. It also includes a build of a new secondary display specifically for this purpose, and the build is sleek enough that it looks like a standard part of the car.

While there are certainly other (perhaps simpler) ways of interfacing with a CAN bus, this one uses off-the-shelf electronics like Arduino-compatible microcontrollers, is permanently installed, and has a custom case that we really like. If you’re just starting to sniff around your own vehicle’s CAN bus, there are some excellent tools available to check out.

Thanks to [James] for the tip!

Continue reading “Probing CAN Bus For EV Battery Info”

Part of a picture showing all kinds of different CAN devices in a car

CAN Peripheral For RP2040, Courtesy Of PIO

July 9, 2022 by 31 Comments

[Kevin O’Connor] writes to us about his project, can2040adding CAN support to the RP2040. The RP2040 doesn’t have a CAN peripheral, but [Kevin] wrote code for the RP2040’s PIO engine that can receive and send CAN packets. Now we can all benefit from his work by using this openly available CAN driver. This library is written in C, so it’s a good fit for the lower-level hackers among us, and in all likelihood, it wouldn’t be hard to make a MicroPython wrapper around it.

The CAN bus needs a peripheral for the messages to be handled properly, and people have been using external chips for this purpose until now. These chips, [Kevin] tells us, have lately been unavailable due to the chip shortage, making this project more valuable. The documentation is extensive and accessible, and [Kevin] details how to best use this driver. With such a tool in hand, you can now turn your Pico into a CAN tinkering toolkit, or wire up some CAN devices for use in your own projects!

[Kevin] says this code is already being used in Klipper, a framework powering 3D printers and other machines like them. As for your own purposes, you can absolutely use such a CAN tool to hack on your car – here’s a treasure trove of car hacking documentation, by the way! Thanks to the PIO engine, there seems to be no end to the RP2040’s versatility – you can even drive HDMI monitor with this PIO-based DVI code.

Continue reading “CAN Peripheral For RP2040, Courtesy Of PIO”

Volvo C30 Custom Gauge And CAN Bus Reverse Engineering

June 15, 2022 by 8 Comments

With cars being essentially CAN buses on wheels, it’s no wonder that there’s a lot of juicy information about the car’s status zipping about on these buses. The main question is usually how to get access to this information, both in terms of wiring into the relevant CAN bus, and decoding the used (proprietary) protocol. Fortunately for [Alex], decoding the Volvo VIDA protocol used with his Volvo C30 was relatively straightforward, enabling the creation of a custom gauge that displays information like boost pressure and coolant temperature.

The physical interfacing is accomplished via the car’s OBD port, which conveniently provides access to the car’s two (high-speed and low-speed) CAN buses. Hardware of choice is an M2 UTH (Under the Hood) board, sporting a SAM3X Cortex-M3-based MCU, designed for permanent automotive installations. On [Alex]’s GitHub project page it is explained how the protocol works, and which bytes to look for when replicating the project.

Rounding off the project is a round LCD display from 4D Systems that cycles through the status update screens. As a bonus, the dashboard illumination level is also read out in real-time, so the brightness of the display is adjusted to fit this level. All in all a well-rounded project, with interesting prospects for a more permanent integration of the gauge into the dashboard proper.

Continue reading “Volvo C30 Custom Gauge And CAN Bus Reverse Engineering”