Add Diagnostic State Module for hwbridge #15739
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## Introduction
This module will keep the vehicle in a diagnostic state on rounds by sending tester present packet.
## Verification Steps
Fire up virtual CAN bus:
1. `sudo modprobe can`
2. `sudo modprobe vcan`
3. `sudo ip link add dev vcan0 type vcan`
4. `sudo ip link set up vcan0`
Launch msf:
5. Start `msfconsole`
6. `use auxiliary/server/local_hwbridge`
7. `set uripath testbus`
8. `run`
9. `use auxiliary/client/hwbridge/connect`
10. `set targeturi testbus`
## Options
```
Module options (post/hardware/automotive/diagnostic_state):
Name Current Setting Required Description
---- --------------- -------- -----------
ARBID 0x7DF no CAN ID to perform ECU Hard Reset
CANBUS no CAN Bus to perform scan on, defaults to connected bus
ROUNDS 500 yes Number of executed rounds
SESSION yes The session to run this module on.
```
## Scenarios
You can test this module doing a candump and you should receive a response for each can frame in a loop at 0x7E8 when running UDS Simulator.
```
msf5 auxiliary(client/hwbridge/connect) > run
[*] Running module against 127.0.0.1
[*] Attempting to connect to 127.0.0.1...
[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2019-09-11 04:59:40 -0700
[+] HWBridge session established
[*] HW Specialty: {"automotive"=>true} Capabilities: {"can"=>true, "custom_methods"=>true}
[!] NOTICE: You are about to leave the matrix. All actions performed on this hardware bridge
[!] could have real world consequences. Use this module in a controlled testing
[!] environment and with equipment you are authorized to perform testing on.
[*] Auxiliary module execution completed
msf5 auxiliary(client/hwbridge/connect) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 hwbridge cmd/hardware automotive 127.0.0.1 -> 127.0.0.1 (127.0.0.1)
msf5 auxiliary(client/hwbridge/connect) > sessions -i 1
[*] Starting interaction with 1...
hwbridge > run post/hardware/automotive/diagnostic_state canbus=vcan0
[*] Putting the vehicle in a diagnostic state...
[*] In order to keep the vehicle in this state, you need to continuously send a packet to let the vehicle know that a diagnostic technician is present.
hwbridge >
```
You can use candump to verify the CAN messages being sent:
```
─$ candump vcan0
└─$ candump vcan0
vcan0 7DF [2] 01 3E
vcan0 7E8 [4] 03 7E 00 00
vcan0 7DF [2] 01 3E
vcan0 7E8 [4] 03 7E 00 00
vcan0 7DF [2] 01 3E
vcan0 7E8 [4] 03 7E 00 00
vcan0 7DF [2] 01 3E
vcan0 7E8 [4] 03 7E 00 00
vcan0 7DF [2] 01 3E
vcan0 7E8 [4] 03 7E 00 00
vcan0 7DF [2] 01 3E
vcan0 7E8 [4] 03 7E 00 00
vcan0 7DF [2] 01 3E
vcan0 7E8 [4] 03 7E 00 00
vcan0 7DF [2] 01 3E
vcan0 7E8 [4] 03 7E 00 00
vcan0 7DF [2] 01 3E
vcan0 7E8 [4] 03 7E 00 00
vcan0 7DF [2] 01 3E
vcan0 7E8 [4] 03 7E 00 00
vcan0 7DF [2] 01 3E
vcan0 7E8 [4] 03 7E 00 00
vcan0 7DF [2] 01 3E
vcan0 7E8 [4] 03 7E 00 00
vcan0 7DF [2] 01 3E
vcan0 7E8 [4] 03 7E 00 00
vcan0 7DF [2] 01 3E
vcan0 7E8 [4] 03 7E 00 00
vcan0 7DF [2] 01 3E
vcan0 7E8 [4] 03 7E 00 00
vcan0 7DF [2] 01 3E
vcan0 7E8 [4] 03 7E 00 00
vcan0 7DF [2] 01 3E
-- snippet --
```
UDS Server Output
```
└─$ ./uds-server -v -V "PWN3D" vcan0
Using CAN interface vcan0
Fuzz level set to: 0
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
Pkt: 7DF#01 3E
-- snippet --
```
shipcod3
changed the title
Release NotesAdds a new |
adfoster-r7
added
rn-enhancement
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Introduction
This module will keep the vehicle in a diagnostic state on rounds by sending tester present packet.
Verification Steps
Fire up virtual CAN bus:
sudo modprobe cansudo modprobe vcansudo ip link add dev vcan0 type vcansudo ip link set up vcan0Launch msf:
msfconsoleuse auxiliary/server/local_hwbridgeset uripath testbusrunuse auxiliary/client/hwbridge/connectset targeturi testbusOptions
Scenarios
You can test this module doing a candump and you should receive a response for each can frame in a loop at 0x7E8 when running UDS Simulator.
You can use candump to verify the CAN messages being sent:
UDS Server Output