In this tutorial, we will be installing a simulator to practice some car-hacking magic!
Modern vehicles utilise an interface known as CAN Bus, a Controller Area Network that allows the various computerised devices and sensors in a car to communicate. Tapping into this network will enhance the level of control we have over our vehicle's systems.
Today, we will install the base-level tools required for our Linux environment to read and display data on a CAN Bus network. As manipulating a real network comes with a large learning curve, we can use the tool ICSim to simulate a car Instrument Cluster to gradually build our hacking abilities without needing to be next to a vehicle or with the risk of damaging hardware.
1.0 Getting Started
Package Updating
Before installing any new tools, it is crucial to ensure the current state of your system is up to date.
The Advanced Package Tool (APT) is a built-in tool for managing software packages within Debian-based Linux distributions (such as Kali or Mint). APT uses a range of known registers of software packages, referred to as repositories, to search for packages available for installation.
By first updating APT, your system's repositories will be up-to-date, allowing the latest software package versions to become available. Without this, your device may be unable to find new packages, increasing the risk of accidentally installing outdated versions of new tools.
To get started, you can update the APT tool by entering the following command in the terminal:
sudo apt-get update
With the package manager updated, we can now run the upgrade command to install new versions of any out-of-date software. Occasionally, the system may ask for permission before allowing specific changes to take effect.
sudo apt-get upgrade
With this stage complete, your system will be ready to install new tools.
Installing Can Bus Utilities
One of the key packages we require is can-utils, which includes tools such as "can dump" and "can sniffer" for reading, displaying, and sending CAN Bus messages. This package will be at the heart of our car hacking activities on Linux.
This tool can be installed by entering the following command:
sudo apt-get install can-utils
Installing the Simulator
Now we can view CAN Bus data; we need a network to analyse it. Besides connecting to actual hardware, this can be accomplished using a simulator, such as ICSim. This method will prove easier, as ICSim can be configured, offering the potential to practice hacking a multitude of "cars" that can be further specified to run at different difficulty levels. Additionally, ICSim generates less traffic than an actual vehicle, which will be incredibly beneficial when starting out. In short, you can decide how hard of a network you want to hack, all without worrying about accidentally setting off your airbags!!
To install the simulator, we need to download the project stored on the Git Hub site. Then, we need to install another set of tools to build this project's files into an executable format for our system to be able to run.
We can use the Git tool to "clone" a copy of a Git Hub project onto your computer. This tool needs to be installed if not already on your system:
sudo apt-get install git
Once done, we can clone the specific Git project we want using the project's web URL:
git clone https://github.com/zombieCraig/ICSim.git
This will install a copy of the project onto our system.
The project will be installed in your computer's file system as a new folder. This folder contains a series of scripts for the tools to generate and visualise the simulated CAN traffic.
You can change to this directory (cd) and list its contents (ls) using the following commands:
cd ICSim
ls
The simulator is formed in parts by a collection of different programs. The controls program produces the CAN data, allowing you to generate signals you would typically find within a car (e.g. Indicating and locking doors). The icsim program visualises a car Instrument Cluster, displaying the outcome of the data it receives like the dashboard of a real car.
A file highlighted in green, "setup_vcan.sh," is a pre-produced script that sets up the simulator for you. Using the "cat" command, we can display its contents.
cat setup_vcan.sh
The file contains the necessary terminal commands to set up a virtual CAN interface. The simulator will use this connection as a substitute for a connection to an actual CAN Bus adaptor connected to a car.
When investigating the directory, it is also noticeable that "controls.c" and "icsim.c" are not highlighted as green; this is because they are not yet executable. To convert the uncompiled C code files into an executable program, we need to "build" them with a compiler. However, before we can do this, we need to install an additional tool to make this possible.
The following command will install the packages used by the tools required in this stage:
sudo apt-get install libsdl2-dev libsdl2-image-dev
Using the "make" command, we can build all the uncompiled scripts in the ICSim directory:
make all
We should now see the "controls" and "icsim" executables available in the directory.
This concludes the installation section of this tutorial.
2.0 Running the Simulator
Starting the Interface
Running the setup script will perform the steps to create and connect to the virtual CAN network.
./setup_vcan.sh
This instruction has to be run every time before you run the simulator to ensure that the virtual connection has been established, as it will disappear when you shut down your computer.
When running the network interface connection tool, ifconfig, we should then see Virtual CAN - 0 "vcan0" listed among the listed network interfaces.
ifconfig vcan0
Starting the Simulator
The tools within the ICSim simulator will need to run in their own terminal window to execute. This can be done by opening a new terminal window when starting each tool or, if your distro permits, splitting the terminal window into separate panels.
The first stage of running the simulator is to start the controller; we can do this by creating a new terminal and running the following command:
cd ICSim
./controls vcan0
This will display the User Interface of the control program, which allows us to influence the output of the CAN Bus transmissions.
Using a game controller, you can follow the diagram to trigger signals to be sent by the controller program. Otherwise, you can command the program with your keyboard, referring to the key combinations below:
Command | Key Combination |
Accelerate | Up Arrow |
Left Indicator | Left Arrow |
Right Indicator | Right Arrow |
Unlock Door | Right Shift + X/Y/A/B |
Lock Door | Left Shift + X/Y/A/B |
With the controller set up, we need to verify that it is properly generating the CAN messages.
To check that the data is being transmitted on our virtual network, we can use the Can Sniffer tool, which came with the can-utils package we installed earlier.
To achieve this, we need to run "cansniffer" in a new terminal, specifying the network interface we want to analyse:
cansniffer vcan0
With this, we can peak into the raw data that can be "sniffed" from our virtual network, confirming that our tools have been successfully installed.
The important parts of the received messages are the columns for the Arbitration ID and the payload data. The payload data is the actual data being sent within the overall message, like the body of an email.
The data section of a standard CAN packet is 8-bytes, which in cansiffer are represented as hexadecimal characters. A hexadecimal character represents four binary bits in a human-readable format, so every 8-bit data byte is displayed as a pair of two hex characters. Looking at the image below, you should be able to see up to 8 of these pairs per message row, though not all messages need to utilise the whole 8-byte limit.
The abundance of information can be pretty challenging, and this will worsen when connecting to a real car with many more devices contributing to the network traffic. We will investigate some of the features of cansniffer later, which will overcome much of this issue.
Starting the Dashboard
To start the virtual dashboard, we can launch the Instrument Cluster simulator program "ICSim" within a new terminal window:
cd ICSim
./icsim vcan0
This will display the visualisation of an Instrument cluster that reacts to the data it receives, including indicator repeaters, a large MPH speedometer, and a door lock status indicator.
Can Sniffer comes with some useful tools to further clean and clarify the data presented. Firstly, you can turn on highlighting by pressing the "C" key on your keyboard, followed by the Enter key. This will cause the changing parts of the data to be coloured red, with the static parts remaining white.
This is beneficial as we want to concentrate on the changing parts of the messages. More specifically, to investigate what specific data byte changes when we send our controller signals and what value it changes to.