Using CanoPy To Visualize The CAN Bus

As cars have become more sophisticated electronically, understanding the CAN bus that forms the backbone of automotive digital systems has become more and more important for hacking cars. Inexpensive microcontroller CAN interfaces have made obtaining the raw CAN bus traffic trivial, but interpreting that traffic can be pretty challenging. In order to more easily visualize CAN traffic, [TJ Bruno] has developed CanoPy, a Python tool for visualizing CAN messages in real time.

A basic PC CAN interface simply dumps the bus’s message traffic into the terminal, while more sophisticated tools organize messages by the address of their intended recipients. Both of these approaches digitally lift the hood and let you examine what your car is thinking, but the wall-of-numbers approach makes finding the patterns that hold the keys to reverse engineering difficult. Automatically plotting the data with CanoPy makes finding correlations much easier, after which the text-based tools can be used to focus in on a few specific addresses.


Small Open Source Vehicle Hacking Platform

[Florian] and his engineering team at Munich-based bmc::labs have developed a clever set of prototyping boards for vehicle hacking and rapid product development, collectively called the bmc::board or bmc::mini. These stackable development boards were initially designed for in-house use. The team took a general purpose approach to the design so the boards could be used across a wide range of projects, and they should be useful to anyone in the field. [Florian] decided to release the boards to the community as open-source and certified by OSHWA (Open Source Hardware Association).

There are four boards currently defined, with several more in the works:

  • mini::base — Main microcontroller board, STM32F103-based
  • mini::out — I/O board with CAN bus, JTAG, etc.
  • mini::grid — RF board providing GPS and GSM capability
  • mini::pit — local wireless connectivity, WiFi and Bluetooth, and 2nd CAN bus

At 54 x 42.5 mm, these boards are pretty small; a form-factor they describe as “exactly half a credit card”. We like the Wurth WR-MM family of stacking connectors they are using, and the symmetrical pinout means you can rotate the cards as needed. But at first glance, these thru-hole connectors seem to limit the stack to just two boards, although maybe they plan to move to an SMT flavor of the connector in future designs, permitting taller stacks.

If you’re into vehicle electronics and/or vehicle hacking, definitely take a look at these. You can check out [Florian]’s bmc::board Hackaday.io project page and the team’s GitHub repository for more details. Here’s another project by team member [Sebastian] using one of the future bmc::bike modules to eavesdrop on ECU communications, where he sensibly advises the reader “First, pull over and get off the bike. Never hack a two-wheeled vehicle while riding it!”.

No discussion of vehicle CAN bus tools should omit the work of Craig Smith, who literally wrote the book on hacking your car, and whose talk along with Hackaday’s own Eric Evenchick of CANtact fame we covered back in 2016. [Florian] has started a CrowdSupply campaign where you can see some more details of this project and a short promotional video.

Raspberry Pi Hitches A Ride In A 1989 BMW Dashboard

It probably won’t surprise you to find out that a 1989 BMW 325i doesn’t have much in the way of electronic gadgetry onboard. In fact, what passes for an in-dash “computer” in this vintage Beemer is just a digital clock with a rudimentary calendar function. Not content to waste his precious dashboard space any longer, [Ryan Henderson] used his time in quarantine to replace the clock module with a Raspberry Pi.

Nestled in a custom laser-cut housing is a touch screen LCD module that connects directly to the GPIO header of a Pi Zero. Combined with some Python code, this provides a very slick multipurpose interface for pretty much anything [Ryan] wants. Right now he’s got it hooked up to a GPS receiver so he can figure out things like speed and acceleration, but the only real limit on what this little drop-in upgrade can do is how much code you want to sit down and write.

Thankfully, it sounds like [Ryan] has done a lot of the hard work for you. He’s put together a Python library that allows the user to easily draw analog gauges on the screen. The faces are parametrically sized, and even have custom minimum/maximum marks. Of course if you’d rather just throw some text and images on the screen, that’s accomplished easily enough with existing libraries such as PyGame.

[Ryan] says he’s also working on some code to better integrate the Pi into the vehicle’s systems by way of a Bluetooth OBD2 adapter. In the most basic application that would allow you to throw various bits of engine data up on the screen, but on more modern cars, you could potentially tap into the CAN bus and bend it to your will.

While the physical size and shape of this particular modification is clearly focused on this model and year of BMW, the general concepts could be applied to any car on the road. [Ryan] has recently started a GitHub repository for the project and hopes to connect with others who are interested in adding a little modern convenience to their classic rides.

The reality is that cars become more dependent on their onboard computers with each passing year. Already we’re seeing Tesla owners struggle with cooked flash chips, and things are likely to get worse before they get any better. While undoubtedly there are some that would rather keep their daily driver as simplistic as possible, we’re encouraged by projects like this that at least let owners computerize their cars on their own terms.

Nissan Gives Up Root Shell Thanks To Hacked USB Drive

For the impatient Nissan owners who may be joining us from Google, a hacker by the name of [ea] has figured out how to get a root shell on the Bosch LCN2kai head unit of their 2015 Xterra, and it looks like the process should be the same for other vehicles in the Nissan family such as the Rogue, Sentra, Altima, and Frontier. If you want to play along at home, all you have to do is write the provided image to a USB flash drive and insert it.

Now for those of us who are more interested in how this whole process works, [ea] was kind enough to provide a very detailed account of how the exploit was discovered. Starting with getting a spare Linux-powered head unit out of a crashed Xterra to experiment with, the write-up takes the reader through each discovery and privilege escalation that ultimately leads to the development of a non-invasive hack that doesn’t require the user to pull their whole dashboard apart to run.

The early stages of the process will look familiar to anyone who’s messed with embedded Linux hacking. The first step was to locate the board’s serial port and connect it to the computer. From there, [ea] was able to change the kernel parameters in the bootloader to spawn an interactive shell. To make things a little easier, the boot scripts were then modified so the system would start up an SSH server accessible over a USB Ethernet adapter. With full access to the system, the search for exploits could begin.

A simple script on the flash drive enables the SSH server.

After some poking, [ea] discovered the script designed to mount USB storage devices had a potential flaw in it. The script was written in such a way that the filesystem label of the device would be used to create the mount point, but there were no checks in place to prevent a directory traversal attack. By crafting a label that read ../../usr/bin/ and placing a Bash script on the drive, it’s possible to run arbitrary commands on the head unit. The provided script permanently adds SSHd to the startup process, so when the system reboots, you’ll be able to log in and explore.
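The missing check, sketched in Python as an added example; this is not the head unit's mount script or [ea]'s code. The `/media` base directory, the function names and the label allow-list are assumptions made for illustration.

```python
import os
import posixpath
import re

MEDIA_ROOT = "/media"  # assumed mount base; the page does not name the real one

# Allow-list for labels: no "/", no leading ".", at most 32 characters.
_SAFE_LABEL = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._ -]{0,31}")


def naive_mount_point(label, root=MEDIA_ROOT):
    """Flawed pattern described above: the label is joined to the root as-is."""
    return posixpath.normpath(posixpath.join(root, label))


def safe_mount_point(label, root=MEDIA_ROOT):
    """Return a mount point strictly below root, or raise ValueError."""
    if not _SAFE_LABEL.fullmatch(label):
        raise ValueError(f"rejected filesystem label: {label!r}")
    root_real = os.path.realpath(root)
    # realpath also resolves a pre-existing symlink sitting under the root.
    candidate = os.path.realpath(os.path.join(root_real, label))
    inside = os.path.commonpath([candidate, root_real]) == root_real
    if not inside or candidate == root_real:
        raise ValueError(f"mount point escapes {root}: {label!r}")
    return candidate


def audit(labels, root=MEDIA_ROOT):
    """Map each label to (naive mount point, hardened result or None if rejected)."""
    report = {}
    for label in labels:
        try:
            verdict = safe_mount_point(label, root)
        except ValueError:
            verdict = None
        report[label] = (naive_mount_point(label, root), verdict)
    return report
```

The allow-list rejects the label before any path is built, and the resolved-path comparison is a second layer that still holds if the allow-list is later loosened.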

So what does [ea] want to do with this new-found exploit? It looks like the goal is to eventually come up with some custom programs that extend the functionality of the in-dash Linux system. As it seems like these “infotainment” systems are now an inescapable feature of modern automobiles, we’re certainly excited to see projects that aim to keep them under the consumer’s control.

Remoticon Video: Learn How To Hack A Car With Amith Reddy

There was a time not too long ago when hacking a car more often than not involved literal hacking. Sheet metal was cut, engine cylinders were bored, and crankshafts were machined to increase piston travel. It was all in the pursuit of milking the last ounce of performance out of every drop of gasoline, along with a little personal expression in the form of paint and chrome.

While it’s still possible — and encouraged — to hack cars thus, the inclusion of engine control units and other systems to our rides has created an entirely different universe of car hacking options, which Amith Reddy distilled into his very popular workshop at the 2020 Remoticon. The secret sauce behind all the hacks you can accomplish in today’s drive-by-wire cars is the Controller Area Network (CAN), the network used to connect the array of sensors, actuators, and controllers that lie under the metal and plastic of modern cars.


Developing An Automatic Tool For CAN Bus Hacking

In the old days, a physical button or switch on the dashboard of your car would have been wired to whatever device it was controlling. There was potentially a relay in the mix, but still, it wasn’t too hard to follow wires through the harness and figure out where they were going. But today, that concept is increasingly becoming a quaint memory.

Assuming your modern car even has physical buttons, pushing one of them likely sends a message over the CAN bus that the recipient device will (hopefully) respond to. Knowing how intimidating this can be to work with, [TJ Bruno] has been working on some software that promises to make working with CAN bus user interfaces faster and easier. Ultimately, he hopes that his tool will allow users to rapidly integrate custom hardware into their vehicle without having to drill a hole in the dashboard for a physical control.

But if you’re the kind of person who doesn’t like to have things done for them (a safe bet, since you’re reading Hackaday), don’t worry. [TJ] starts off his write-up with an overview of how you can read and parse CAN messages on the Arduino with the MCP2515 chip. He breaks his sample Sketch down line by line explaining how it all works so that even if you’ve never touched an Arduino before, you should be able to get the gist of what’s going on.

As it turns out, reading messages on the CAN bus and acting on them is fairly straightforward. The tricky part is figuring out what you’re looking for. That’s where the code [TJ] is working on comes in. Rather than having to manually examine all the messages passing through the network and trying to ascertain what they correspond to, his program listens while the user repeatedly presses the button they want to identify. With enough samples, the code can home in on the proper CAN ID automatically.
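One way such press-correlated identification can work, as an added example; this is not [TJ]'s program, and the scoring heuristic, the window length and every CAN ID in the constructed capture are assumptions.

```python
from collections import defaultdict


def payload_changes(frames):
    """Map each CAN ID to the timestamps (ms) at which its payload changed."""
    last, changes = {}, defaultdict(list)
    for ts, can_id, data in frames:
        if can_id in last and last[can_id] != data:
            changes[can_id].append(ts)
        last[can_id] = data
    return changes


def rank_ids(frames, presses, window_ms=300):
    """Rank IDs: reward a change right after each press, penalise changes elsewhere."""
    def near_press(t):
        return any(p <= t <= p + window_ms for p in presses)

    scores = {}
    for can_id, times in payload_changes(frames).items():
        hits = sum(any(p <= t <= p + window_ms for t in times) for p in presses)
        stray = sum(not near_press(t) for t in times)
        scores[can_id] = hits / len(presses) - stray / len(times)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def constructed_capture():
    """Constructed 10 s capture at 10 frames/s per ID; all IDs are made up."""
    presses = [2000, 5000, 8000]  # button pressed at these times (ms)
    frames = []
    for ts in range(0, 10000, 100):
        held = any(p <= ts < p + 200 for p in presses)
        frames.append((ts, 0x1F5, b"\x01" if held else b"\x00"))  # the button
        frames.append((ts, 0x0C9, bytes([ts // 100 % 256])))      # rolling counter
        frames.append((ts, 0x244, bytes([ts // 1500 % 2])))       # unrelated toggle
        frames.append((ts, 0x3D1, b"\x55"))                       # never changes
    return frames, presses
```

The rolling counter changes after every press too, which is why the score subtracts the share of changes that fall outside any press window; more presses widen the gap between the real ID and such noise.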

The upside to all this is that you can activate aftermarket functions or hardware with your vehicle’s existing controls. Need an example? Check out the forward-looking camera that [TJ] added to his 2017 Chevy Cruze using the same techniques.


Juicing Up The Chevy Volt With Raspberry Pi

While Chevrolet’s innovative electric hybrid might officially be headed to that great big junkyard in the sky, the Volt will still live on in the hearts and minds of hackers who’d rather compare amp hours than horsepower. For a relatively low cost, a used Volt offers the automotive hacker a fascinating platform for upgrades and experimentation. One such Volt owner is [Katie Stafford], who’s recently made some considerable headway on hacking her hybrid ride.

In an ongoing series on her blog, [Katie] is documenting her efforts to add new features and functions to her Volt. While she loves the car itself, her main complaint (though this is certainly not limited to the Volt) was the lack of tactile controls. Too many functions had to be done through the touch screen for her tastes, and she yearned for the days when you could actually turn a knob to control the air conditioning. So her first goal was to outfit her thoroughly modern car with a decidedly old school user interface.

Like most new cars, whether they run on lithium or liquefied dinosaurs, the Volt makes extensive use of CAN bus to do…well, pretty much everything. Back in the day it only took a pair of wire cutters and a handful of butt splice connectors to jack into a car’s accessory systems, but today it’s done in software by sniffing the CAN system and injecting your own data. Depending on whether you’re a grease or a code monkey, this is either a nightmare or a dream come true.

Luckily [Katie] is more of the latter, so with the help of her Macchina M2, she was able to watch the data on the CAN bus as she fiddled with the car’s environmental controls. Once she knew what data needed to be on the line to do things like turn on the fan or set the desired cabin temperature, she just needed a way to trigger it on her terms. To that end, she wired a couple of buttons and a rotary encoder to the GPIO pins of a Raspberry Pi, and wrote some code that associates the physical controls with their digital counterparts.

That’s all well and good when you need to mess around with the AC, but what’s the Pi supposed to do the rest of the time? [Katie] decided a small HDMI display mounted to the dash would be a perfect way for the Raspberry Pi to do double duty as an information system showing everything from battery charge to coolant temperature. It also offers up a rudimentary menu system for vehicle modifications, and includes functions which she wanted quick access to but didn’t think were necessarily worth their own physical button.

In the video after the break, [Katie] walks the viewer through these modifications, as well as some of the other neat new features of her battery powered bow tie. What she’s already managed to accomplish without having to do much more than plug some electronics into the OBD-II port is very impressive, and we can’t wait to see where it goes from here.

Today there are simply too many good electric cars for hybrids like the Chevy Volt and its swankier cousin the Cadillac ELR to remain competitive. But thanks to hackers like [Katie], we’re confident this isn’t the last we’ve seen of this important milestone in automotive history.
