So I'm messing around with some Python tonight in the BusPi. I found something very useful to me: a tool to beat on the security of the ECU through the bus.
https://github.com/CaringCaribou/caringcaribou/
"a zero-knowledge tool that can be dropped onto any CAN network and collect information regarding what services and vulnerabilities exist."
Check it out... It starts by just listening to the bus.
(caringcaribou) mark@buspi:~/caringcaribou/caringcaribou $ cc.py listener
-------------------
CARING CARIBOU v0.4
-------------------
Loading module 'listener'
Running listener (press Ctrl+C to exit)
Last ID: 0x00000772 (13 unique arbitration IDs found) ^C
Detected arbitration IDs:
Arb id 0x000004f1 29 hits
Arb id 0x00000772 29 hits
Arb id 0x000004c1 58 hits
Arb id 0x000004d1 58 hits
Arb id 0x000003f9 117 hits
Arb id 0x000003c1 293 hits
Arb id 0x000003d1 293 hits
Arb id 0x000003e9 293 hits
Arb id 0x000002c5 586 hits
Arb id 0x000001a1 1172 hits
Arb id 0x000001c1 1172 hits
Arb id 0x000000c9 2344 hits
Arb id 0x00000191 2344 hits
We can see it's alive. Let's do diagnostics service discovery..
(caringcaribou) mark@buspi:~/caringcaribou/caringcaribou $ cc.py dcm discovery -min 0x003
-------------------
CARING CARIBOU v0.4
-------------------
Loading module 'dcm'
Starting diagnostics service discovery
Sending Diagnostic Session Control to 0x07df
Found diagnostics at arbitration ID 0x07df, reply at 0x07e8
Poll for services at the ID given with reply location..
(caringcaribou) mark@buspi:~/caringcaribou/caringcaribou $ cc.py dcm services 0x07df 0x07e8
-------------------
CARING CARIBOU v0.4
-------------------
Loading module 'dcm'
Starting DCM service discovery
Probing service 0xff (23 found)
Done!
Supported service 0x01: Unknown service
Supported service 0x43: Unknown service
Supported service 0xaa: GMLAN_READ_DPID
Supported service 0x47: Unknown service
Supported service 0x10: DIAGNOSTIC_SESSION_CONTROL
Supported service 0x12: GMLAN_READ_FAILURE_RECORD
Supported service 0x1a: GMLAN_READ_DIAGNOSTIC_ID
Supported service 0xaa: GMLAN_READ_DPID
Supported service 0x22: READ_DATA_BY_IDENTIFIER
Supported service 0x23: READ_MEMORY_BY_ADDRESS
Supported service 0x27: SECURITY_ACCESS
Supported service 0xaa: GMLAN_READ_DPID
Supported service 0x2c: DYNAMICALLY_DEFINE_DATA_IDENTIFIER
Supported service 0x2d: DEFINE_PID_BY_MEMORY_ADDRESS
Supported service 0x34: REQUEST_DOWNLOAD
Supported service 0x36: TRANSFER_DATA
Supported service 0x3b: GMLAN_WRITE_DID
Supported service 0xaa: GMLAN_READ_DPID
Supported service 0x00: Unknown service
Supported service 0xa5: GMLAN_ENTER_PROGRAMMING_MODE
Supported service 0xa9: GMLAN_CHECK_CODES
Supported service 0xaa: GMLAN_READ_DPID
Supported service 0xae: GMLAN_DEVICE_CONTROL
Then sub-function discovery. This, shown below, was after I stopped it. I'm going to run it again and let it finish.
(caringcaribou) mark@buspi:~/caringcaribou/caringcaribou $ cc.py dcm subfunc 0x07df 0x07e8 0x22 2 3
-------------------
CARING CARIBOU v0.4
-------------------
Loading module 'dcm'
Starting DCM sub-function discovery
Probing sub-function 0x22 data ['09', 'db'] (found: 52)^C
Found sub-functions for service 0x22 (READ_DATA_BY_IDENTIFIER):
Sub-function 00 00
Sub-function 00 01
Sub-function 00 02
Sub-function 00 03
Sub-function 00 04
Sub-function 00 05
Sub-function 00 06
Sub-function 00 07
Sub-function 00 08
Sub-function 00 09
Sub-function 00 0a
Sub-function 00 0b
Sub-function 00 0c
Sub-function 00 0d
Sub-function 00 0e
Sub-function 00 0f
Sub-function 00 10
Sub-function 00 11
Sub-function 00 12
Sub-function 00 13
Sub-function 00 14
Sub-function 00 15
Sub-function 00 18
Sub-function 00 19
Sub-function 00 1c
Sub-function 00 1e
Sub-function 00 1f
Sub-function 00 20
Sub-function 00 21
Sub-function 00 2c
Sub-function 00 2d
Sub-function 00 2e
Sub-function 00 2f
Sub-function 00 30
Sub-function 00 31
Sub-function 00 32
Sub-function 00 33
Sub-function 00 3c
Sub-function 00 3d
Sub-function 00 40
Sub-function 00 41
Sub-function 00 42
Sub-function 00 43
Sub-function 00 44
Sub-function 00 45
Sub-function 00 46
Sub-function 00 47
Sub-function 00 49
Sub-function 00 4a
Sub-function 00 4c
Sub-function 00 51
Sub-function 00 52
Terminated by user
Currently doing XCP discovery, whatever that is lol. I'll let it finish though and post the results here.
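
An added example, not part of the original post and not CaringCaribou code: the service probing shown above as seen from the monitoring side. It flags a burst of many distinct service IDs sent to 0x07df within a short window and lists which of them drew a reply other than serviceNotSupported (NRC 0x11). The candump-style log format, the thresholds and the sample traffic are assumptions constructed for the example.

```python
import re

LINE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)")
REQ_ID, RSP_ID = 0x7DF, 0x7E8     # request/reply IDs from the discovery output in the post
WINDOW_S, MAX_DISTINCT = 5.0, 8   # assumed thresholds, tune per vehicle

def parse(log):
    """Yield (timestamp, arbitration id, payload bytes) from candump-style lines."""
    for m in LINE.finditer(log):
        yield float(m[1]), int(m[2], 16), bytes.fromhex(m[3])

def detect_sweep(log):
    """Return (alerted, answered): whether a service-ID sweep hit REQ_ID, and which
    requested service IDs were not rejected as unsupported by the ECU."""
    recent, requested, answered, alerted = [], set(), set(), False
    for ts, arb, data in parse(log):
        if len(data) < 2 or data[0] >> 4 != 0:
            continue  # only ISO-TP single frames (PCI high nibble 0) are inspected
        if arb == REQ_ID:
            sid = data[1]
            requested.add(sid)
            recent = [(t, s) for t, s in recent if ts - t <= WINDOW_S] + [(ts, sid)]
            if len({s for _, s in recent}) > MAX_DISTINCT:
                alerted = True
        elif arb == RSP_ID and data[1] == 0x7F:
            # Negative response: 7F <sid> <NRC>; NRC 0x11 means serviceNotSupported.
            if len(data) >= 4 and data[3] != 0x11 and data[2] in requested:
                answered.add(data[2])
        elif arb == RSP_ID and data[1] - 0x40 in requested:
            answered.add(data[1] - 0x40)  # positive response is sid + 0x40
    return alerted, sorted(answered)

def build_sample():
    """Constructed traffic: one background frame, then a sweep over 0x00-0x3f."""
    lines, t = ["(100.000) can0 0C9#0000000000000000"], 100.0
    for sid in range(0x40):
        t += 0.05
        lines.append(f"({t:.3f}) can0 7DF#01{sid:02X}000000000000")
        rsp = f"02{sid + 0x40:02X}00" if sid in (0x10, 0x22, 0x27) else f"037F{sid:02X}11"
        lines.append(f"({t + 0.002:.3f}) can0 7E8#{rsp.ljust(16, '0')}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(detect_sweep(build_sample()))
```

A tester that keeps polling one service (for example repeated 0x22 reads) stays under the distinct-ID threshold and does not trigger the alert.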