So I’d encourage you to use the knowledge gained from this book to inspect, audit, and document.

I look forward to reading about some of your discoveries!

In my experience, the best security professionals (and hobbyists) are those who are naturally curious about how things work. Most cars don’t come with a keyboard and login prompt, but they do come with a possibly unfamiliar array of protocols, CPUs, connectors, and operating systems.

These people explore, tinker, experiment, and disassemble, sometimes just for the joy of discovery. This book will demystify the common components in cars and introduce you to readily available tools and information to help get you started.

Little did we know how much interest there would be in that first book: we had over 300,000 downloads in the first week.

In fact, the book’s popularity shut down our Internet service provider (twice!). (It’s okay, they forgave us, which is good because I love my small ISP.) The feedback from readers was mostly fantastic; most of the criticism had to do with the fact that the manual was too short and didn’t go into enough detail. This book goes into a lot more detail about car hacking and even covers some things that aren’t directly related to security, like performance tuning and useful tools for understanding and working with vehicles.

While studying electrical engineering at the University of Waterloo, he worked with the University of Waterloo Alternative Fuels Team to design and build a hydrogen electric vehicle for the EcoCAR Advanced Vehicle Technology Competition.

Currently, he is a vehicle security architect for Faraday Future and a contributor to Hackaday.

Foreword by Chris Evans
Acknowledgments
Introduction
Chapter 1: Understanding Threat Models
Chapter 2: Bus Protocols
Chapter 3: Vehicle Communication with SocketCAN
Chapter 4: Diagnostics and Logging
Chapter 5: Reverse Engineering the CAN Bus
Chapter 6: ECU Hacking
Chapter 7: Building and Using ECU Test Benches
Chapter 8: Attacking ECUs and Other Embedded Systems
Chapter 9: In-Vehicle Infotainment Systems
Chapter 10: Vehicle-to-Vehicle Communication
Chapter 11: Weaponizing CAN Findings
Chapter 12: Attacking Wireless Systems with SDR
Chapter 13: Performance Tuning
Appendix A: Tools of the Trade
Appendix B: Diagnostic Code Modes and PIDs
Appendix C: Creating Your Own Open Garage
Abbreviations
Index

FOREWORD by Chris Evans

ACKNOWLEDGMENTS

INTRODUCTION
    Why Car Hacking Is Good for All of Us
    What’s in This Book

1 UNDERSTANDING THREAT MODELS
    Finding Attack Surfaces
    Threat Modeling
    Level 0: Bird’s-Eye View
    Level 1: Receivers
    Level 2: Receiver Breakdown
    Threat Identification
    Level 0: Bird’s-Eye View
    Level 1: Receivers
    Level 2: Receiver Breakdown
    Threat Rating Systems
    The DREAD Rating System
    CVSS: An Alternative to DREAD
    Working with Threat Model Results
    Summary

2 BUS PROTOCOLS
    The CAN Bus
    The OBD-II Connector
    Finding CAN Connections
    CAN Bus Packet Layout
    The ISO-TP Protocol
    The CANopen Protocol
    The GMLAN Bus
    The SAE J1850 Protocol
    The PWM Protocol
    The VPW Protocol
    The Keyword Protocol and ISO 9141-2
    The Local Interconnect Network Protocol
    The MOST Protocol
    MOST Network Layers
    MOST Control Blocks
    Hacking MOST
    The FlexRay Bus
    Hardware
    Network Topology
    Implementation
    FlexRay Cycles
    Packet Layout
    Sniffing a FlexRay Network
    Automotive Ethernet
    OBD-II Connector Pinout Maps
    The OBD-III Standard
    Summary

3 VEHICLE COMMUNICATION WITH SOCKETCAN
    Setting Up can-utils to Connect to CAN Devices
    Installing can-utils
    Configuring Built-In Chipsets
    Configuring Serial CAN Devices
    Setting Up a Virtual CAN Network
    The CAN Utilities Suite
    Installing Additional Kernel Modules
    The Module
    Coding SocketCAN Applications
    Connecting to the CAN Socket
    Setting Up the CAN Frame
    The Procfs Interface
    The Socketcand Daemon
    Kayak
    Summary

4 DIAGNOSTICS AND LOGGING
    Diagnostic Trouble Codes
    DTC Format
    Reading DTCs with Scan Tools
    Erasing DTCs
    Unified Diagnostic Services
    Sending Data with ISO-TP and CAN
    Understanding Modes and PIDs
    Brute-Forcing Diagnostic Modes
    Keeping a Vehicle in a Diagnostic State
    Event Data Recorder Logging
    Reading Data from the EDR
    The SAE J1698 Standard
    Other Data Retrieval Practices
    Automated Crash Notification Systems
    Malicious Intent
    Summary

5 REVERSE ENGINEERING THE CAN BUS
    Locating the CAN Bus
    Reversing CAN Bus Communications with can-utils and Wireshark
    Using Wireshark
    Using candump
    Grouping Streamed Data from the CAN Bus
    Using Record and Playback
    Creative Packet Analysis
    Getting the Tachometer Reading
    Creating Background Noise with the Instrument Cluster Simulator
    Setting Up the ICSim
    Reading CAN Bus Traffic on the ICSim
    Changing the Difficulty of ICSim
    Reversing the CAN Bus with OpenXC
    Translating CAN Bus Messages
    Writing to the CAN Bus
    Hacking OpenXC
    Fuzzing the CAN Bus
    Troubleshooting When Things Go Wrong
    Summary

6 ECU HACKING
    Front Door Attacks
    J2534: The Standardized Vehicle Communication API
    Using J2534 Tools
    KWP2000 and Other Earlier Protocols
    Capitalizing on Front Door Approaches: Seed-Key Algorithms
    Backdoor Attacks
    Exploits
    Reversing Automotive Firmware
    Self-Diagnostic System
    Library Procedures
    Comparing Bytes to Identify Parameters
    Identifying ROM Data with WinOLS
    Code Analysis
    A Plain Disassembler at Work
    Interactive Disassemblers
    Summary

7 BUILDING AND USING ECU TEST BENCHES
    The Basic ECU Test Bench
    Finding an ECU
    Dissecting the ECU Wiring
    Wiring Things Up
    Building a More Advanced Test Bench
    Simulating Sensor Signals
    Hall Effect Sensors
    Simulating Vehicle Speed
    Summary

8 ATTACKING ECUS AND OTHER EMBEDDED SYSTEMS
    Analyzing Circuit Boards
    Identifying Model Numbers
    Dissecting and Identifying a Chip
    Debugging Hardware with JTAG and Serial Wire Debug
    JTAG
    Serial Wire Debug
    The Advanced User Debugger
    Nexus
    Side-Channel Analysis with the ChipWhisperer
    Installing the Software
    Prepping the Victim Board
    Brute-Forcing Secure Boot Loaders in Power-Analysis Attacks
    Prepping Your Test with AVRDUDESS
    Setting Up the ChipWhisperer for Serial Communications
    Setting a Custom Password
    Resetting the AVR
    Setting Up the ChipWhisperer ADC
    Monitoring Power Usage on Password Entry
    Scripting the ChipWhisperer with Python
    Fault Injection
    Clock Glitching
    Setting a Trigger Line
    Power Glitching
    Invasive Fault Injection
    Summary

9 IN-VEHICLE INFOTAINMENT SYSTEMS
    Attack Surfaces
    Attacking Through the Update System
    Identifying Your System
    Determining the Update File Type
    Modifying the System
    Apps and Plugins
    Identifying Vulnerabilities
    Attacking the IVI Hardware
    Dissecting the IVI Unit’s Connections
    Disassembling the IVI Unit
    Infotainment Test Benches
    GENIVI Meta-IVI
    Automotive Grade Linux
    Acquiring an OEM IVI for Testing
    Summary

10 VEHICLE-TO-VEHICLE COMMUNICATION
    Methods of V2V Communication
    The DSRC Protocol
    Features and Uses
    Roadside DSRC Systems
    WAVE Standard
    Tracking Vehicles with DSRC
    Security Concerns
    PKI-Based Security Measures
    Vehicle Certificates
    Anonymous Certificates
    Certificate Provisioning
    Updating the Certificate Revocation List
    Misbehavior Reports
    Summary

11 WEAPONIZING CAN FINDINGS
    Writing the Exploit in C
    Converting to Assembly Code
    Converting Assembly to Shellcode
    Removing NULLs
    Creating a Metasploit Payload
    Determining Your Target Make
    Interactive Probing
    Passive CAN Bus Fingerprinting
    Responsible Exploitation
    Summary

12 ATTACKING WIRELESS SYSTEMS WITH SDR
    Wireless Systems and SDR
    Signal Modulation
    Hacking with TPMS
    Eavesdropping with a Radio Receiver
    TPMS Packets
    Activating a Signal
    Tracking a Vehicle
    Event Triggering
    Sending Forged Packets
    Attacking Key Fobs and Immobilizers
    Key Fob Hacks
    Attacking a PKES System
    Immobilizer Cryptography
    Physical Attacks on the Immobilizer System
    Flashback: Hotwiring
    Summary

13 PERFORMANCE TUNING
    Performance Tuning Trade-Offs
    ECU Tuning
    Chip Tuning
    Flash Tuning
    Stand-Alone Engine Management
    Summary

A TOOLS OF THE TRADE
    Hardware
    Lower-End CAN Devices
    Higher-End CAN Devices
    Software
    Wireshark
    PyOBD Module
    Linux Tools
    CANiBUS Server
    Kayak
    SavvyCAN
    O2OO Data Logger
    Caring Caribou
    c0f Fingerprinting Tool
    UDSim ECU Simulator
    Octane CAN Bus Sniffer
    AVRDUDESS GUI
    RomRaider ECU Tuner
    Komodo CAN Bus Sniffer
    Vehicle Spy

B DIAGNOSTIC CODE MODES AND PIDS
    Modes Above 0x10
    Useful PIDs

C CREATING YOUR OWN OPEN GARAGE
    Filling Out the Character Sheet
    When to Meet
    Affiliations and Private Memberships
    Defining Your Meeting Space
    Contact Information
    Initial Managing Officers
    Equipment

ABBREVIATIONS

INDEX

The world needs more hackers, and the world definitely needs more car hackers.

His specialties are reverse engineering and penetration testing.

This book is largely a product of Open Garages and Craig’s desire to get people up to speed on auditing their vehicles.

He is also one of the founders of the Hive13 Hackerspace and Open Garages (@OpenGarages).

He has worked for several auto manufacturers, where he provided public research on vehicle security and tools.

Dave Blundell works in product development, teaches classes, and provides support for Moates.net, a small company specializing in pre-OBD ECU modification tools.