Our operatives have recovered a DeLorean in the ruins of an old mid-west US town. It appears to be locked, but we have successfully accessed its internal communications channels. According to the little data we have, the DeLorean internally uses an archaic technology called CAN bus. We need you to analyze the communications and find a way to unlock the vehicle; once unlocked, recover the secret flag stored inside. We have reason to believe that vehicle entry should be a fairly easy challenge, but to aid you in this, we have restored and reconnected the vehicle dashboard.
Best of luck.
The Dashboard app is available here.
Challenge developed by Argus Cyber Security.
PROTOCOL: each message has the following structure:
- 4-byte magic
- 1-byte operation type
- 1-byte length
- value (2 bytes, little endian, for everything except Text_OP)
FRAME_MAGIC = bytes.fromhex('E824F65A')  # Python 3; originally 'E824F65A'.decode('hex') in Python 2
MPH_OP = 0x30 # <= 100
RPM_OP = 0x31 # <= 5000
Temp_OP = 0x32 # <= 160
Batt_OP = 0x33 # <= 20
AAC_OP = 0x34 # <= 100 -- possibly A/C?
MAF_OP = 0x35 # <= 500 -- Mass Air Flow (to engine)
Text_OP = 0x36 # raw text payload, length given by the length byte
IND_OP = 0x37
IND2_OP = 0x38
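An added parser for the dashboard serial protocol described above (this is my example code, not part of the challenge, the dashboard app or Argus's code). It frames a byte stream on the 4-byte magic, decodes the u16 little-endian value for the numeric ops and the raw payload for Text_OP, and flags any value above the documented maximum, which is the check a dashboard should perform before rendering a value it receives off the bus. The sample stream at the bottom is constructed, not captured.

```python
import struct

# Constants as documented in the notes above.
FRAME_MAGIC = bytes.fromhex('E824F65A')
MPH_OP, RPM_OP, Temp_OP, Batt_OP, AAC_OP, MAF_OP = 0x30, 0x31, 0x32, 0x33, 0x34, 0x35
Text_OP, IND_OP, IND2_OP = 0x36, 0x37, 0x38

# Upper bounds the notes give per op; anything above them is not a plausible reading.
MAX_VALUE = {MPH_OP: 100, RPM_OP: 5000, Temp_OP: 160, Batt_OP: 20, AAC_OP: 100, MAF_OP: 500}
OP_NAME = {MPH_OP: 'MPH', RPM_OP: 'RPM', Temp_OP: 'Temp', Batt_OP: 'Batt', AAC_OP: 'AAC',
           MAF_OP: 'MAF', Text_OP: 'Text', IND_OP: 'IND', IND2_OP: 'IND2'}

HEADER = struct.Struct('<4sBB')  # magic, op type, length


def encode_frame(op, value):
    """Build one dashboard frame: Text_OP carries raw bytes, every other op a u16 LE."""
    payload = bytes(value) if op == Text_OP else struct.pack('<H', value)
    return HEADER.pack(FRAME_MAGIC, op, len(payload)) + payload


def parse_stream(data):
    """Split a byte stream into (name, value, ok) tuples, resynchronising on the magic.

    ok is False when a numeric value exceeds its documented maximum or the frame
    has the wrong length for its op; a truncated trailing frame is dropped.
    """
    out = []
    i = 0
    while True:
        i = data.find(FRAME_MAGIC, i)
        if i < 0 or i + HEADER.size > len(data):
            break
        _magic, op, length = HEADER.unpack_from(data, i)
        body = data[i + HEADER.size:i + HEADER.size + length]
        if len(body) < length:
            break  # stream ends in the middle of a frame
        name = OP_NAME.get(op, 'op_0x%02x' % op)
        if op == Text_OP:
            out.append((name, body.rstrip(b'\0').decode('ascii', 'replace'), True))
        elif length == 2:
            (val,) = struct.unpack('<H', body)
            out.append((name, val, val <= MAX_VALUE.get(op, 0xFFFF)))
        else:
            out.append((name, body.hex(), False))  # numeric op with a non-2-byte payload
        i += HEADER.size + length
    return out


def demo():
    """Constructed stream (not a capture): leading junk, valid readings, an
    out-of-range MPH and a text frame, with a stray byte between frames."""
    stream = (b'\x00\x00'
              + encode_frame(MPH_OP, 37) + encode_frame(RPM_OP, 2050)
              + b'\xff'
              + encode_frame(MPH_OP, 250)          # above the documented max of 100
              + encode_frame(Text_OP, b'lock\0\0\0\0'))
    return parse_stream(stream)


if __name__ == '__main__':
    for name, value, ok in demo():
        print('%-5s %-8r %s' % (name, value, 'ok' if ok else 'REJECT'))
```

The resynchronising `find` matters when the dashboard reads from a serial port that may start mid-frame; the `ok` flag is what turns the "<= 100" comments above into an enforced check.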
Just connecting and watching, we see:
- MPH: 32-39
- RPM: 2000-2060
- Temp: 74-77 degrees
- Batt: 12 (volts)
- AAC: 77-80%
- MAF: 286-300 mV
And nothing for Text, IND, IND2.
ip link show dev can0
sudo ip link set can0 type can bitrate 49500 listen-only on
sudo ip link set can0 up
candump -cae can0,0:0,#FFFFFFFF
cansend can0 332#756e6c6f636b0000
WARNING: listen-only
I connected the logic analyzer. It can't read CAN-H, but can parse CAN-L just fine. Use a bitrate of 49,500.
AAC_Value = 77 AAC_Value = 79
BATT_Value = 12
MAF_Value = 303 MAF_Value = 310
MPH_Value = 37 MPH_Value = 38 MPH_Value = 39
RPM_Value = 2040 RPM_Value = 2050 RPM_Value = 2060
TEMP_Value = 77 TEMP_Value = 78
(sorted, uniq)
* MPH RPM
0x023,0x5,0x0020 0x07C6 0x20
0x023,0x5,0x0020 0x07DA 0x20
0x023,0x5,0x0020 0x07E4 0x20
0x023,0x5,0x0021 0x07BC 0x20
0x023,0x5,0x0021 0x07C6 0x20
0x023,0x5,0x0021 0x07DA 0x20
0x023,0x5,0x0021 0x07E4 0x20
0x023,0x5,0x0022 0x07BC 0x20
0x023,0x5,0x0022 0x07C6 0x20
0x023,0x5,0x0022 0x07D0 0x20
0x023,0x5,0x0023 0x07D0 0x20
0x023,0x5,0x0024 0x07DA 0x20
0x023,0x5,0x0024 0x07E4 0x20
0x023,0x5,0x0024 0x07EE 0x20
0x023,0x5,0x0025 0x07F8 0x20
0x023,0x5,0x0025 0x0802 0x20
0x023,0x5,0x0025 0x080C 0x20
0x023,0x5,0x0026 0x07D0 0x20
0x023,0x5,0x0026 0x07DA 0x20
0x023,0x5,0x0026 0x07EE 0x20
0x023,0x5,0x0026 0x0802 0x20
0x023,0x5,0x0026 0x080C 0x20
0x023,0x5,0x0027 0x07EE 0x20
0x023,0x5,0x0027 0x080C 0x20
* Temp MAF AAC ??
0x10C,0x8, 0x004A 0x0132 0x004A 0x004B
0x10C,0x8, 0x004A 0x0132 0x004B 0x004B
0x10C,0x8, 0x004A 0x0132 0x004C 0x004A
0x10C,0x8, 0x004A 0x0139 0x0049 0x004A
0x10C,0x8, 0x004A 0x0139 0x004A 0x004A
0x10C,0x8, 0x004B 0x0132 0x004C 0x004B
0x10C,0x8, 0x004B 0x0132 0x004C 0x004C
0x10C,0x8, 0x004B 0x0132 0x004D 0x004B
0x10C,0x8, 0x004B 0x0132 0x004D 0x004C
0x10C,0x8, 0x004C 0x012B 0x004C 0x004C
0x10C,0x8, 0x004C 0x012B 0x004C 0x004D
0x10C,0x8, 0x004D 0x0124 0x004E 0x004D
0x10C,0x8, 0x004D 0x0124 0x004F 0x004E
0x10C,0x8, 0x004D 0x012B 0x004C 0x004D
0x10C,0x8, 0x004D 0x012B 0x004D 0x004E
0x10C,0x8, 0x004D 0x012B 0x004E 0x004D
0x10C,0x8, 0x004D 0x012B 0x004F 0x004D
0x10C,0x8, 0x004E 0x0124 0x004E 0x004E
0x10C,0x8, 0x004E 0x0124 0x004E 0x004F
0x10C,0x8, 0x004E 0x0124 0x004F 0x004F
0x1BF,0x6,0x00 0x0C 0x00 0x0E 0x00 0x0C
0x202,0x5,0x004A 0x004A 0x52
0x202,0x5,0x004B 0x004B 0x52
0x202,0x5,0x004B 0x004D 0x52
0x202,0x5,0x004C 0x004A 0x52
0x202,0x5,0x004C 0x004C 0x52
0x202,0x5,0x004C 0x004D 0x52
0x202,0x5,0x004D 0x004D 0x52
0x202,0x5,0x004D 0x004E 0x52
0x332,0x8,"lock\0\0\0\0"
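To check the signal hypotheses written next to the captured frames above (0x023 = MPH, RPM; 0x10C = Temp, MAF, AAC, ??; 0x1BF carrying Batt; 0x332 carrying the lock text), here is an added decoder of my own, not code from the challenge or from Argus. It parses the `0xID,0xDLC,fields` notation used in these notes, maps the fields to signal names per ID, and reports each signal's observed min/max plus any frame whose DLC, field widths or values disagree with the layout or with the dashboard maxima. The layouts are the writeup's guesses; placing Batt at byte index 1 of 0x1BF is my assumption (bytes 1 and 5 are both 0x0C = 12). The sample lines are copied from the capture above.

```python
import re

# Hypothesised layout per CAN ID, from the notes: (signal name, field width in bytes).
# '?' marks fields with no name yet. Batt at index 1 of 0x1BF is an assumption.
LAYOUTS = {
    0x023: (('MPH', 2), ('RPM', 2), ('?', 1)),
    0x10C: (('Temp', 2), ('MAF', 2), ('AAC', 2), ('?', 2)),
    0x1BF: (('?', 1), ('Batt', 1), ('?', 1), ('?', 1), ('?', 1), ('?', 1)),
    0x202: (('?', 2), ('?', 2), ('?', 1)),
    0x332: (('Lock', 8),),
}
# Maxima the dashboard protocol documents for the named signals.
MAX_VALUE = {'MPH': 100, 'RPM': 5000, 'Temp': 160, 'Batt': 20, 'AAC': 100, 'MAF': 500}

FRAME_RE = re.compile(r'0x([0-9A-Fa-f]+),0x([0-9A-Fa-f]+),\s*(.*)')


def parse_line(line):
    """Parse one '0xID,0xDLC,fields' line into (can_id, dlc, fields).
    Hex words become ints; a quoted string (with \\0 escapes) becomes one bytes field."""
    m = FRAME_RE.match(line.strip())
    if not m:
        raise ValueError('not a frame line: %r' % line)
    can_id, dlc, rest = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
    if rest.startswith('"'):
        text = rest.strip('"').encode('ascii').decode('unicode_escape')
        fields = [text.encode('latin-1')]
    else:
        fields = [int(tok, 16) for tok in rest.split()]
    return can_id, dlc, fields


def decode_frame(can_id, dlc, fields):
    """Map one frame's fields to signal names. Returns (signals, problems)."""
    layout = LAYOUTS.get(can_id)
    if layout is None:
        return {}, ['unknown id 0x%03X' % can_id]
    problems = []
    if sum(w for _, w in layout) != dlc:
        problems.append('0x%03X: DLC %d does not match layout' % (can_id, dlc))
    if len(fields) != len(layout):
        problems.append('0x%03X: expected %d fields, got %d' % (can_id, len(layout), len(fields)))
    signals = {}
    for (name, width), value in zip(layout, fields):
        if isinstance(value, int) and value >= 1 << (8 * width):
            problems.append('%s=%d does not fit in %d byte(s)' % (name, value, width))
        if name in MAX_VALUE and value > MAX_VALUE[name]:
            problems.append('%s=%d exceeds documented max %d' % (name, value, MAX_VALUE[name]))
        if name != '?':
            signals[name] = value.rstrip(b'\0').decode('ascii', 'replace') if isinstance(value, bytes) else value
    return signals, problems


def summarise(lines):
    """Decode every line; return ({signal: (min, max)}, {signal: {texts}}, [problems])."""
    ranges, texts, problems = {}, {}, []
    for line in lines:
        signals, probs = decode_frame(*parse_line(line))
        problems.extend(probs)
        for name, value in signals.items():
            if isinstance(value, str):
                texts.setdefault(name, set()).add(value)
            else:
                lo, hi = ranges.get(name, (value, value))
                ranges[name] = (min(lo, value), max(hi, value))
    return ranges, texts, problems


# A subset of the frames copied from the capture above.
CAPTURE = r"""
0x023,0x5,0x0020 0x07C6 0x20
0x023,0x5,0x0027 0x080C 0x20
0x10C,0x8, 0x004A 0x0132 0x004A 0x004B
0x10C,0x8, 0x004E 0x0124 0x004F 0x004F
0x1BF,0x6,0x00 0x0C 0x00 0x0E 0x00 0x0C
0x202,0x5,0x004A 0x004A 0x52
0x332,0x8,"lock\0\0\0\0"
""".strip().splitlines()

if __name__ == '__main__':
    ranges, texts, problems = summarise(CAPTURE)
    for name in sorted(ranges):
        print('%-4s %4d .. %4d' % (name, *ranges[name]))
    print(texts, problems)
```

Comparing the printed ranges with the dashboard readings (MPH 32-39, RPM 2000-2060, Temp 74-77, Batt 12) is the quickest confirmation of which field is which; a frame that decodes to MPH=255 is caught by the same maxima check, which is exactly the sanity check a receiving ECU should apply before acting on a speed value.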
Send a 0x332,0x8,"unlock\0\0" packet.
At which point we'll find out we can't, because the car is going too fast...
So spam 0x10c to bring that down? Maybe zero 0x1bf to trigger a protective shutoff?
1. check out the dashboard app, learn the serial protocol, enable debug prints
2. connect logic analyzer to the CAN terminals, capture some frames
* learn that the bitrate is 49.5 kbps
* see the 0x332 "lock" frames
3. attach and configure our USB2CAN adapter
4. send 0x332 "unlock" frame
5. submit flag