A friendly car security exploration tool
Python
Switch branches/tags
Nothing to show
Clone or download

README.md

Caring Caribou

A friendly car security exploration tool

Rationale

We are lacking a security testing tool for automotive. A zero-knowledge tool that can be dropped onto any automotive network and collect information regarding what services exist and what vulnerabilities exist. This is a start.

This work was initially done as part of the HeavenS research project.

Features and Architecture

CaringCaribou is module based with a master command (cc.py) that runs the show. The reason for this is to enable an easy drop-in architecture for new modules.

List of Modules

dcm.py - Diagnostics ISO 14229

  • discovery - ArbID Discovery. Tries to connect (02 10 01) to all possible ArbId (0x000-0x7FF) and collect valid responses (xx 7F or xx 50). Supports both manual and automatic blacklisting of arbitration IDs, in order to remove false positives.
  • services - Service Discovery. Brute force all Service Id's (SID) and report any responses (anything that is not xx F7 11)
  • subfunc - Sub-function Discovery. Brute force engine that takes SID and an index indicating which positions to brute force as input.
  • dtc - Diagnostic Trouble Codes. Fetches DTCs. Can clear DTCs and MIL (Engine Light) as well.

Detailed information on the dcm-module.

xcp.py - Universal Measurement and Calibration Protocol (XCP)

  • discovery - ArbId Discovery. Tries to connect (FF) to all possible ArbId (0x000-0x7FF) and collect all valid responses (FF or FE)
  • info - XCP Get Basic Information. Connects and gets information about XCP abilities in the target environment
  • dump - XCP Upload. Used to dump ECU memory (SRAM, flash and bootloader) to file

Detailed information on the xcp-module.

listener.py - Listener

  • ArbId listener - register all ArbIds heard on the CAN bus

Detailed information on the listener-module.

send.py - Send CAN packets

  • Raw message transmission module, used to drive manual test cases

Detailed information on the send-module.

dump.py - Dump CAN traffic

  • Dump incoming traffic to stdout or file.

Detailed information on the dump-module.

can_actions.py

This is the daddy of all shared module functionality. Imported by all modules. Provides abstraction for access to the CAN bus, CAN bruteforce engines etc.

Hardware requirements

Some sort of interface towards an automotive bus that is compatible with socketCAN (http://elinux.org/CAN_Bus#CAN_Support_in_Linux).

Software requirements

  • Python 2.7 or 3.x
  • python-can
  • a pretty modern linux kernel

How to install

Instructions available here

How to use

The best way to understand how to use Caring Caribou is by envoking cc.py's help menu:

python cc.py -h

Detailed information on the usage.

Extending the project

Create a python file with a module_main(args) function and put it in the tool/modules folder. CaringCaribou (cc.py) will automagically recognize it as a module and list it in the output of ./cc.py -h

A template for this is available in tool/template

The target

The target ECU used for the development setup is an STM32F107 based dev-board from ArcCore called Arctic EVK-M3.

Contributors

  • The HeavenS project, funded by VINNOVA
  • Christian Sandberg
  • Kasper Karlsson
  • Tobias Lans
  • Mattias Jidhage
  • Johannes Weschke
  • Filip Hesslund
  • Craig Smith (OpenGarages.org)
  • internot