We Hacked A Car! - CANbus injection

Рет қаралды 30,988

Күн бұрын

Take control of your car, redline your tachometer! We break down CAN bus basics and teach you how to hack, inject, and sniff data from your car's onboard systems. Controller Area Network (CAN) is a simple protocol, and simple to manipulate! Many of the features of a vehicle communicate over the CANbus, this is how they work together to bring you that smooth driving experience.
Most people don't know these systems can be exploited! From your speedometer and tachometer, displays, transmission, engine, and more, all use the CAN bus in some way.
We completed this project at school using a laptop, CANtact reader, and a little know how. The tools and methods have been highly simplified and more are more accessible than ever (Like a Flipper Zero)! I’d like to do an update in the near future!
If you are interested in cybersecurity and penetration testing, this is a fun project to familiarize yourselves with various aspects of the industry, its methodologies, and procedures.
Want to open an automated lock? Change the lights in a building? Display information in a car? There are so many different avenues for exploitation. BE SURE YOU HAVE LEGAL GROUNDS TO TEST ON. If you don’t own it, or fully understand the implications of your actions, please leave it alone. You can cause some havoc if you don’t know what your doing.
Resources:
Reddit Carhacking Subthread:
- / carhacking
How to hack a car - A quick Crash-Course
- medium.freecodecamp.org/hacki...
Charlie Miller and Chris Valasek’s research
- illmatics.com/carhacking.html
Car Hacker’s Handbook
- opengarages.org/handbook/
CANtact CAN to USB Converter (Unavailable):
- www.amazon.com/CANtact-Source...
Socials:
KZfaq: / @andrewgerlitz
Twitch: / wardenology)wardenology
Twitter: / andrewgerlitz
TikTok: / andrewgerlitz
Instagram: / andrewgerlitz
[Timestamps]
0:00 - Introduction
0:39 - What is a CANbus?
1:36 - Project Requirements
2:35 - Sniffing The CAN data
3:09 - CAN packet injection
3:39 - Car hacking!
5:02 - Next Steps

Пікірлер: 108

@AndrewGerlitz 21 күн бұрын

Appreciate you all! It's early into my KZfaq career still and I never expected things to take off as quickly as they have. Need to keep on the gas pedal! I'm working on another video for a different project right now and hope to have it to you soon. Stay awesome, and we'll see you in the next one!

@WafflerSupreme Ай бұрын

lol, the music is fine. You’re not trying to give a technical talk at a conference about your findings. Blessed the algorithm.

@AndrewGerlitz Ай бұрын

Noted, just wanted something fun in the background. Maybe tone it down next time. Appreciate you!

@Dygear Ай бұрын

I really wish they would publish their CAN BUS messages list.

@AndrewGerlitz Ай бұрын

Right? What a pain, all that trial and error haha.

@AutoAnomoly 29 күн бұрын

Those values are on what’s called a DBC file you maybe able to find them on the web.

@jamesadams2676 Ай бұрын

I appreciate this video and I'm glad the algorithm threw it my way. This was a good introduction to mucking around with something I'd never had interest in until today, so I thank you for that!

@AndrewGerlitz Ай бұрын

Glad you enjoyed it! Appreciate you!

@Moddage Ай бұрын

Small nitpick: “Every car has a CAN bus” except all the cars produced before CAN was implemented… lots of cars are still out there with some variant of Class 2 serial, and even cars that pre-date having multiple control modules and only have a PCM that runs just an engine, or an engine and transmission. In fact, ~85% of the vehicles I’ve owned thus far have not had CAN, but ~65% of them had some form of serial communication and multiple control modules. Second small nitpick: I don’t think the music is needed, I can deal with it, but it is a little distracting at times for me at least.

@AndrewGerlitz Ай бұрын

Was meant as anything fairly new, I’ll have to specify next time. As for the music, it’s definitely too loud, just some growing pains haha.

@Moddage Ай бұрын

@@AndrewGerlitz no worries, that’s what growth and adaptation is all about. I personally was hoping for a bit more in-depth exploration of CAN hacking, but I think this is a good “primer” video for anyone just getting their feet wet or discovering CAN stuff. You seem to have no issues presenting clearly and in a manner that I’d think was pretty easy to follow and understand for just about anyone looking for content on this topic. I may have been a little too pedantic/nit-picky with your wording, I tend to be that way with accuracy sometimes. I feel like a majority of people ending up on this content are likely to be more familiar with what vehicles do and don’t have CAN, but I thought about it from the perspective of someone who ended up on this video with very little knowledge of cars and CAN who had a budding interest. Purely trying to provide constructive feedback, not nitpick just for the sake of it.

@UnlikelyToRemember 25 күн бұрын

Canbus was introduced in the mid 80s and has been on all US cars since the late 90s

@Moddage 24 күн бұрын

@@UnlikelyToRemember I agree with CANbus being developed and introduced in the 80s, by Bosch if I recall. But I disagree with it being in “all” US cars since the late 90s. I’ve owned, worked on, and modified a number of late 90s and early 2000s vehicles that only had single wire class 2 serial or some other variant of a single wire serial protocol to communicate between control modules as well as available at the DLC. I actually don’t recall seeing CANbus between any modules in GM vehicles until around 2004, and at least some those particular ones I can recall didn’t have the CANbus present at the DLC and still used Class 2 serial between all the modules as well. It may have indeed existed in some US vehicles since the late 90s, but certainly not “all” of them based on my experience.

@UnlikelyToRemember 24 күн бұрын

@@Moddage I stand corrected, ODB-II was mandated in 1996, but it didn't have to be CANBus until 2008

@Kayden-oo4bf 28 күн бұрын

wow i never knew you could do this with an obd port! such a cool project and very underrated video!

@AndrewGerlitz 28 күн бұрын

It’s funny, I never really thought anyone else would find it all that interesting. Guess I was wrong! Appreciate you!

@mikester9673 Ай бұрын

This was honestly a really great video! Ive always wanted to make a custom gauge cluster that could read CANbus data so i could have additional sensors along with custom displays for different bits of data from the ECU.

@AndrewGerlitz Ай бұрын

Appreciate you! I had noticed there's a CAN port on the back of my Sim rig wheelbase too, might have to take a look at that as well!

@throughdude23 Ай бұрын

If you use a scan tool you can manipulate all that but if you decode the scan tool signals for an individual action than input that and can save time. You can make a script and flash the ecm and record the way you want.

@JedIsTheOne 28 күн бұрын

Great work.

@stevenredrup7020 Ай бұрын

Really hope you keep this project going!

@AndrewGerlitz Ай бұрын

Long term that's the plan!

@VonW0lf3N5t31N Ай бұрын

Neat video, friend! I agree about the music but you're still small/learning and doing great work! Very interesting - thank you and keep it up!

@AndrewGerlitz Ай бұрын

Appreciate you! Noted for next time haha.

@tompointdll Ай бұрын

Wow GG, nice project !! hope to see more in the future

@AndrewGerlitz Ай бұрын

Appreciate you! More to come for sure!

@JayarBass 26 күн бұрын

this is awesome! grats on your hardwork paying off! i've been talkin about this being possible and thought about playing with it for years, but never tried it.

@AndrewGerlitz 25 күн бұрын

Appreciate you! It's a fun and challenging project to take on, I would definitely give it a try!

@justsomeone7501 Ай бұрын

Hello, I have an old lt46 with so it seems mercedes sprinter 14 pin diagnostic port . I have bought a connector to switch it to OBD but it fails to connect. Any idea why?

@marlo6846 23 күн бұрын

Awesome!!

@StephenSmith304 4 күн бұрын

Super cool, I'm thinking of peeking into CAN to see if i can get steering wheel angle sensor data for a backup cam project I'm working on. Depending on what's least invasive it might be easier than tapping the sensor directly. The downside might be that it would make installation more car model dependent if I want to share the project.

@AndrewGerlitz 4 күн бұрын

So many systems to look into nowadays, excited to see what you come up with!

@kevinpritchard3592 Ай бұрын

Thanks for the vid, interesting

@AndrewGerlitz Ай бұрын

You bet, thanks for watching!

@SandeepSingh-43 26 күн бұрын

Willing to see if you can guide me to do the same for my Mercedes.

@BryanTorok 18 күн бұрын

I would like to have a device that could be plugged inline between the scan tool and the OBD-II port such the device would tell the scan tool the MIL is off and that there are no malfunction codes stored. It would have to pass the VIN and other vehicle specific info. Does anyone have an idea how to do that easily for someone who handy with building hardware but not so much writing code? Does such a device already exist?

@ciciklump Ай бұрын

Awesome video :)

@AndrewGerlitz Ай бұрын

Appreciate you!

@williamheckman4597 22 күн бұрын

Please make more content like this

@AndrewGerlitz 21 күн бұрын

Still feeling things out, Ill do my best!

@williamheckman4597 21 күн бұрын

@@AndrewGerlitz I think cars and their control data after a certain date should become open source or public domain

@darleep Ай бұрын

Great Video 💯

@AndrewGerlitz Ай бұрын

Glad you enjoyed!

@braddofner6407 18 күн бұрын

Andrew, this was awesome to see. I have a 2022 Sentra and I have a handful of things I would like to add to my home automation server from my car, and I was thinking CAN injection would be the way to go. As an experienced electrical engineer but total noob on CAN messaging, where would you start? I want to add things like lights, remote start and a bunch of feedback sensors from the car to a device that can communicate through a cellular modem to my server at home. Its feels very overwhelming to even think about where to begin. I am trying to find someone experienced that could help me get started with some advice. Im even willing to oay, because this is some niche knowledge.

@AndrewGerlitz 18 күн бұрын

I know the feeling, I was told it was too much when I picked the project. Like any project, lay out everything you want to accomplish, and start working at it one thing at a time. In your case, I'd focus only on getting a reader, and figure out how to sniff data. Once you get a feel for that, then look at actually forging some packets (Start simple, like a traction control light! See if you can find the DBC file for your car on the internet, it'll save a ton of time). Then you should have a better idea if what you want is feasible via CAN, or if you need to make any adjustments. Worry about the transmission of the data and the server side stuff later (Something like a rasPi or arduino with a GSM module can take care of that). Feel free to DM me on X if you have questions.

@chefjeff415 20 күн бұрын

Wow super surprising the CANbus doesn’t use a rolling code and encryptions to prevent this sort of “attack”. Anyway cool project!

@AndrewGerlitz 19 күн бұрын

I'm sure that's all in development as we speak. Appreciate you!

@TheJensss Ай бұрын

Great video! I would like to turn on/off all systems in my own car as I like, and not be "forced" to use everything like I currently are as a European. It's my car, I decide if I want line assistant or not and so on

@AndrewGerlitz Ай бұрын

Right? Artificial limitations are such a joke. Appreciate you!

@Aviduduskar 19 күн бұрын

How do you determine if CAN is available at the OBD port? I too, found the music distracting from the actual on-screen content and audio.

@AndrewGerlitz 19 күн бұрын

Noted, you can tell by the pinout of your OBD port, depending which pins are populated you can tell what protocol is used.

@kennethbeal 24 күн бұрын

Nice! I've done some CANBUS work. Rather wide open. RIP Michael Hastings.

@AndrewGerlitz 24 күн бұрын

How I never came across him in my studies is beyond me. Unbelievable and RIP indeed.

@craigthepony6259 19 күн бұрын

ik this is a long shot, if your up to make a video on how to read the serial data from old aldl then use it back just like canbus injection, that would be beneficial and i got a 93 camaro that i can test with as i cant find any videos on how to do so, only explanations of how serial works when i want to know how to do both for my car.

@AndrewGerlitz 19 күн бұрын

Would be interesting to explore!

@ShortBusRejectz 26 күн бұрын

Subbed for more of this

@mskiptr Ай бұрын

That's so cool! I hope we will be able to replace the firmware one day

@AndrewGerlitz Ай бұрын

Custom ECU and you can customize to your hearts content!

@loychyuansu6343 18 күн бұрын

Hello Andrew, what's the entry level tools to can bus reverse engineering? I am thinking to get into automotive cyber security field. I am auto electrician by trade. Any advice?

@AndrewGerlitz 18 күн бұрын

You can use the CANtac reader I mentioned if you can find one, it was a good opener for us, all in was about $100 CAD. The software we used was also free/opensource. School bought the device for us, so I don't actually own one, I'm looking into alternatives myself.

@loychyuansu6343 11 күн бұрын

@@AndrewGerlitz Thank you for the advice.

@BarryMcCauley 27 күн бұрын

Hey there. Nice vid, popped up after a video I was watching. I'm hitting that 'subscribe' in a moment. Question for you: Did/do you attend any local BSides and checkout their Car Hacking Village? If not: there's my tip for you. Keep up the good work.

@AndrewGerlitz 27 күн бұрын

Sadly the car hacking village wasn’t a thing while we were working on it, we did go to BSides at the time but topics were unrelated. Appreciate you!

@BarryMcCauley 27 күн бұрын

@@AndrewGerlitz ever find yourself at BSidesLDN, we have a great car hacking village run by minty. I Goon there, ask for Bazza.

@Will-lo8fu Ай бұрын

how do you only have 38 subs? this video singlehandedly made me want to actually learn this mythic "coding" language.

@AndrewGerlitz Ай бұрын

Appreciate you, Glad you enjoyed it! Still new to the whole KZfaq thing and figuring it out one video at a time. Every little bit helps!

@zincfive Ай бұрын

interesting....

@fjs1111 21 күн бұрын

"CAN Sniffer" - haha...

@FarmerRiddick 26 күн бұрын

Challenge: Find the telemetry code that sends data back to the manufacturer for data collection and third party sales and disable or destroy it. That would be a huge public service!

@AndrewGerlitz 26 күн бұрын

You are my kind of people! What I can tell you is Apple Car Play will not work if you have a VPN enabled on your device (at least in my 2019 Elantra). If I figure it out, Ill let everyone know!

@FarmerRiddick 26 күн бұрын

@@AndrewGerlitz Make it open source!... ask for donations! Once that kind of sniffer is in the wild, those mega corps will be pulling their collective hairs out! lol

@honestlocksmith5428 23 күн бұрын

With an oscilloscope or protocol analyzer connected to the telecommunications antenna, the bitstream can be intercepted. 😉

@BrandonMitchell84 18 күн бұрын

man i spent too much time messing with stuff like this back in the day...a lot of euro cars have apps avail to toggle settings and such like turn on features that the car is capable of but not active and such , BMW have an entire community of beemer coders , the thing i htink is going to happen now is that we have ai we can take the data and map it much easier for custom changes

@AndrewGerlitz 17 күн бұрын

I feel that. My buddy had an e92 we flashed with JB4 on his cell phone. I was blown away haha.

@dionlawler5515 Ай бұрын

are you able to make a mazda 3 2005 power steering pump work independent, it needs a canbus signal from the ecu, I will pay if you figure it out

@AndrewGerlitz Ай бұрын

The steering pump is a hydraulic system independent of the CAN system (Aside from maybe a steering angle sensor). The only potentially exploitable thing would be some sort of assisted driving mechanism, things like lane keep assists, or self driving of some kind. Even then, depending on the implementation it may require other methods to exploit.

@bluegizmo1983 29 күн бұрын

My 1994 car doesn't have a canbus, neither does my 1971 car... lol

@Mitchs Ай бұрын

Reset mileage

@AndrewGerlitz Ай бұрын

That was on the list for sure! Maybe in the next round!

@Fredrick_6 Ай бұрын

@AndrewGerlitz I think that's illegal

@spritsnovalbertos8409 Ай бұрын

Buzzkill your not the funiest at parties

@jordangerlitz Ай бұрын

hahaha this gives me Ferris Buellers Fay Off vibes

@AndrewGerlitz Ай бұрын

@@Fredrick_6 The Odometer can be manipulated to display whatever you like, but resetting to zero is more complicated (and yes illegal as well haha)

@Failure_Is_An_Option Ай бұрын

Dump the music. We are either having a technical discussion or we are not. Trying to talk over elevator music doesn't cut it. It is like being on a technical conference call. Somebody goes on hold... and they have hold music and the rest of the team tries to carry on. I still gave you a thumbs up. I've been in CAN for 15 years. Nothing new. It's how the aftermarket intercepts the traffic. Huge industry.

@AndrewGerlitz Ай бұрын

I had wondered about that, little loud for the ambiance I wanted. Appreciate you!

@Electrically-Electronic Ай бұрын

No it was good for me.

@king_james_official Ай бұрын

you sound really hostile about some music that didn't suit you. maybe dump the forced professionalism sometimes. this isn't an office job ;)

@iclassicify3126 Ай бұрын

@@AndrewGerlitzit is a little loud but don’t dump it just turn it down this guy doesn’t know what he’s talking about

@ChristopherWoods 28 күн бұрын

The music choice itself was inoffensive, it could have been a bit quieter. However in your case the content is so interesting it doesn't really need music to distract (unlike some videos from other channels!) so if it's an artistic or personal choice, stick to it. But don't be afraid to put these videos out 'dry' because the videos, explainers to camera and editing is fundamentally well done. Liked and subbed :)

@Mitchs Ай бұрын

Comma AI

@AndrewGerlitz Ай бұрын

Very cool, will check it out!

@tme2912 Ай бұрын

is it possible to have this video without the music

@Firefrei Ай бұрын

This is very elementary. using the can system to tell features like lights or windows is one of the first and easiest things done when diagnosing a repair. you can pretty easily get a scan tool with the ability to use the canbus for a few hundred dollars and they work on any car with an obd2 port. is it anywhere near what you were talking about in the beginning when making a comparison to the f&f movie? not even close. no vehicles yet have the ability to be messed with any exterior programs that aren't plugged into the obd2 port. you could say stuff like onstar and remote self driving control are getting close but they are a lot more limited then what they appear to be

@jamesadams2676 Ай бұрын

so be honest, how many times in a day do you say something like "well, actually...."

@platin2148 26 күн бұрын

Well CAN Bus is something that will die and be replaced with FD and XL or automotive ethernet. What you did is not actually hacking anything it’s basically using DBC information of the car to change some states in ECU‘s. Keep in mind that ECU‘s no longer have non authenticated message buses. Well at least some..

@honestlocksmith5428 23 күн бұрын

Do you CRC's?

@platin2148 23 күн бұрын

@@honestlocksmith5428 Some manufacturers think crcs will help them but you can clearly see what changed and decode it, it’s only slightly more effort..

@honestlocksmith5428 23 күн бұрын

@platin2148 That's true. It's calculated and added to verify the authenticity of a message. Beyond that, what are you talking about? I'm curious to learn more.

@platin2148 23 күн бұрын

@@honestlocksmith5428 MacSec and also some stuff that isn’t yet public.