

Permalink 07:55:37 am, by rleale, 470 words, English (US)
Categories: CAN BUS

Who’s In Control?

How to play with Device Control.

Once you have found the Diagnostic ID for any particular controller, you can start sending new and exciting requests to it to see what it can do. Device Control (or I/O Control) is usually the most dynamic. The premise of this service is just as it sounds: to control the hardware. This service is typically used by mechanics to test a controller's output features such as actuating door locks, turning lights on/off, etc. This is a very interesting service in that it allows you to actuate features discretely in the vehicle. So instead of turning on all Left Turn Indicators (like you do when you push down on the turn indicator switch) you can turn on only the Left Front Indicator Lamp. Now string that together with some music and other lights and you can have a cool Car Disco Party Mode.

So how does it work? Well, that depends on what kind of Diagnostics your car uses. There are three common types of Diagnostics: Keyword 2000 (ISO 14230), Universal Diagnostic Services (UDS, ISO 14229) and GM LAN (GMW3110). I'll talk about them individually below. For my examples I'll use the Engine Control Module's standard Diagnostic ID, but you can substitute your module's ID. The effects will likely be different but the concepts remain the same. Also keep in mind that it's often the case that you will have to initiate a Start Diagnostics command (0x10) first. I will include it in the examples, but the Subfunction may be different (0x03 is the most common, but also try 0xC0 or 0x90).

Keyword 2000 (ISO 14230):

0x7E0 02 10 03 00 00 00 00 00 – Start Diagnostics (0x03 is the Mode; this may be different on some OEMs)

0x7E8 02 50 03 00 00 00 00 00 – Positive Response to Start Diagnostics

0x7E0 04 30 01 07 01 00 00 00 – IO Control of IO 0x01; Short Term Adjustment (0x07); Turn ON (0x01)

0x7E8 02 70 01 00 00 00 00 00 – Positive Response. (Be careful because it gives you a positive response but does NOTHING; no control is executed. This is rare.)

0x7E0 03 30 01 00 00 00 00 00 – Return Control of IO 0x01 back to the ECM.

0x7E8 02 70 01 00 00 00 00 00 – Positive Response.

Universal Diagnostic Services (UDS, ISO 14229):

0x7E0 02 10 03 00 00 00 00 00 – Start Diagnostics (0x03 is the Mode; this may be different on some OEMs)

0x7E8 02 50 03 00 00 00 00 00 – Positive Response to Start Diagnostics

0x7E0 06 2F 12 34 03 80 00 00 – IO Control of IO 0x1234; Short Term Adjustment (0x03); Turn ON (0x80; this could vary widely depending on the IO being controlled)

0x7E8 03 6F 12 34 00 00 00 00 – Positive Response.

0x7E0 04 2F 12 34 00 00 00 00 – Return Control to the ECM.

0x7E8 03 6F 12 34 00 00 00 00 – Positive Response.

GM LAN (GMW3110):

(Start Diagnostics not needed)

0x7E0 07 AE 01 08 00 08 00 64 – IO Control of IO 0x01; Turn on 0x0800 (a bit map of IOs; the IO bitmap is duplicated in the next two bytes to prevent accidental triggering) to 100% (0x64).

0x7E8 02 EE 01 00 00 00 00 00 – Positive Response

Common Negative Responses:

0x7E8 03 7F XX 80 00 00 00 00 – Incorrect Diagnostic Session. You need to change the Subfunction in Start Diagnostics.

0x7E8 03 7F XX 22 00 00 00 00 – Condition Not Correct. Likely the Key needs to be in the RUN position.

0x7E8 03 7F XX 31 00 00 00 00 – Incorrect Format. Something’s wrong with your request message.
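A small decoder for the frames in this post, added here as an example (not code from the original post): it strips the ISO-TP length byte, tells requests from positive responses (service ID + 0x40) and negative responses (0x7F, echoed service, NRC), and names the NRCs listed above. It assumes classic CAN with 8 data bytes and single-frame messages only.

```python
# Added example, not code from the original post: decode the single-frame
# diagnostic exchanges shown above. Assumes classic CAN (8 data bytes) and
# ISO-TP single frames, where the first data byte is the payload length.

# Service IDs that appear in the post's KWP2000, UDS and GMLAN examples.
SERVICES = {
    0x10: "StartDiagnosticSession",
    0x11: "ECUReset",
    0x27: "SecurityAccess",
    0x2F: "IOControlByIdentifier (UDS)",
    0x30: "IOControlByLocalId (KWP2000)",
    0x3E: "TesterPresent",
    0xAE: "DeviceControl (GMLAN)",
}
# Negative response codes (NRCs) the post explains.
NRC = {
    0x12: "SubFunctionNotSupported",
    0x22: "ConditionsNotCorrect",
    0x31: "IncorrectFormat",
    0x36: "ExceededNumberOfAttempts",
    0x37: "RequiredTimeDelayNotExpired",
    0x80: "IncorrectDiagnosticSession",
}

def parse_frame(line):
    """'0x7E8 02 50 03 00 00 00 00 00' -> (can_id, service payload bytes)."""
    parts = line.split()
    can_id = int(parts[0], 16)
    data = bytes(int(b, 16) for b in parts[1:])
    if len(data) != 8:
        raise ValueError("expected 8 data bytes")
    length = data[0]
    if not 1 <= length <= 7:          # 0x1N/0x2N/0x3N would be multi-frame
        raise ValueError("not an ISO-TP single frame")
    return can_id, data[1:1 + length]

def decode(line):
    """Classify one frame as request, positive response or negative response."""
    _, payload = parse_frame(line)
    sid = payload[0]
    if sid == 0x7F:                   # 7F <requested SID> <NRC>
        req, nrc = payload[1], payload[2]
        return f"NEG {SERVICES.get(req, hex(req))}: {NRC.get(nrc, hex(nrc))}"
    if sid - 0x40 in SERVICES:        # positive response SID = request + 0x40
        return f"POS {SERVICES[sid - 0x40]} data={payload[1:].hex()}"
    return f"REQ {SERVICES.get(sid, hex(sid))} data={payload[1:].hex()}"
```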


Permalink 08:43:49 am, by rleale, 66 words, English (US)
Categories: CAN BUS

Automotive Electrical Systems Hands-On Training at 2015 Black Hat USA (Las Vegas)


Good news: training is coming to a Las Vegas near you (again)!

TITLE: Automotive Electrical Systems Hands-On

WHEN: August 1-2, 2014 and August 3-4, 2014 (Two Sessions, Two Days Long)

WHERE: Mandalay Bay, Las Vegas, NV

WHY: BlackHat 2015

WHO: You, Me and 20 other CanBusHackers

HOW: Sign Up Now while there is still the introductory price at <>

PRIZES: That's right, Prizes.  I'll do anything to get you in the door.


Permalink 09:51:45 am, by rleale, 16 words, English (US)
Categories: CAN BUS

CanBusHack on GMA

Watch out for this guy!  He can control your windshield wipers!  And other things....


Permalink 06:34:34 am, by rleale, 105 words, English (US)
Categories: CAN BUS

Car Hacking Book

I just recently got my hands on a great introductory book to Car Hacking!  It's called Car Hackers 2014 by Craig Smith.  I've worked with Craig in the past and was pleased to see his book.  It's a great place to start if you want to get more information about the fundamentals of a lot of car hacking things.

Here is the Outline:

Understanding Attack Surfaces
Infotainment Systems
Vehicle Communication Systems
Engine Control Unit
CAN Bus Reversing Methodology
Breaking the Vehicle
CAN Bus Tools
Weaponizing CAN Findings
Attacking TPMS
Ethernet Attacks
Attacking Keyfobs and Immobilizers
Attacking ECUs and other Embedded Systems
What does your hacker garage need?
Creative Commons

Go to

Search Amazon for “Car Hackers 2014” ISBN: 978-0-9904901-0-4


Permalink 11:56:46 am, by rleale, 13 words, English (US)
Categories: CAN BUS

We've Moved!

Now we have a large garage.

New address:

1848 Star Batt Rd.
Rochester Hills, MI


Permalink 02:20:06 pm, by rleale, 76 words, English (US)
Categories: CAN BUS


Good news: training is coming to a Las Vegas near you!

TITLE: Vehicle CAN Bus Communications and Diagnostics Reverse Engineering

WHEN: August 2-3 or August 4-5, 2014 (two sessions of the same course, each two days long)

WHERE: Mandalay Bay, Las Vegas, NV

WHY: BlackHat 2014

WHO: You, Me and 20 other CanBusHackers

HOW: Sign Up Now while there is still the introductory price at <>

PRIZES: That's right, Prizes.  I'll do anything to get you in the door.


Permalink 09:24:18 pm, by rleale, 1424 words, English (US)
Categories: CAN BUS

Security Access or 0x27 Ways to Have Fun

So vehicle manufacturers don't like you… why?  Because they know you want to modify your car in ways they never intended.  They know you want to break your car and make them fix it under a warranty claim.  They know you want to Hack your car and make it do fun things.  So they put in place a service that will deter you from accessing privileged functions on your vehicle.

What are these functions? Things like reflashing a controller.  Not just anyone should be able to do this.  Resetting the Odometer.  Accessing control commands that would potentially stop a vehicle from functioning properly.

How do they stop you? Security Access a.k.a. Mode 0x27.  This is the service that validates an application is authorized to do one or more of the privileged functions.
So how does it work?  Well it varies a bit from OEM to OEM, but they all typically work the same.  First you must be in a diagnostic mode (not all OEMs require this, but many do).  So you have to use Service 0x10 – Start Diagnostics.

Start Diagnostics will typically take a Subfunction.  This Subfunction tells the ECU which Level of Diagnostics it needs to go into.  Some OEMs have two or three levels of Diagnostics: OBDII/Standard Diagnostics, Reflashing, and Enhanced Diagnostics.  These subfunctions vary widely depending on the OEM so you'll have to poke around to find out which your vehicle supports.  Some good ones to try are 0x01, 0x02, 0x03, 0x80, 0x81, 0x82 and 0x90.  I've found these to be common.  So an example is this: 0x7E0 02 10 82 00 00 00 00 00. If done correctly you will get back this: 0x7E8 02 50 82 00 00 00 00 00.  If not you will likely get this: 0x7E8 03 7F 10 12 00 00 00 00, meaning that the Subfunction is not supported, so you'll need to try another.  You might just want to increment through the entire range of 256 possible subfunction levels.  Once you've found one that works, you can move on.

So Security Access is a Seed/Key authentication method.  First you request a Seed from the ECU, then you calculate the appropriate Key response and send it back to the ECU.  Of course you likely don't have the appropriate algorithm to successfully calculate the Key.  So you may need to brute force it.  (I've spoken about this in an earlier post, but I'm going to reiterate it here with some more general examples.)

Brute forcing the key will take a while. How long? Well that depends on how wide the Key is (is it 2 bytes wide, 3 bytes, etc.).  How do you know how wide it is?  You have to make an educated guess.  You do this by seeing how wide the Seed is.  You know this by requesting the Seed from the controller (I'll go into how to do this in a bit).  So if the Seed is 2 bytes, likely the Key is too.  If the Seed is 4 bytes or larger, the odds that you'll be able to brute force it in any reasonable time are low, as manufacturers add some simple steps to slow down the brute forcing method.

So how do you request a Seed? Send this: 0x7E0 02 27 01 00 00 00 00 00 (do this within 3 seconds of the Start Diagnostics command).  You should get back a Seed in the response: 0x7E8 04 67 01 XX XX 00 00 00 or 0x7E8 05 67 01 XX XX XX 00 00.  Remember that the 0x04 indicates that the Seed will be two bytes wide (two bytes for the control information and two bytes for the seed) and 0x05 means the Seed will be three bytes wide. Also, you don't have to send 0x01 as the subfunction, but all Seed requests have odd numbers (except 0xFF) as the subfunction.  This is how you differentiate a Seed Request from a Key (Key requests are even numbers and must be x+1 where x is the Seed request subfunction).
Now you have a Seed, that’s nice.  But you have no way of calculating the Key so why even bother asking for one?  Why not just send the Key?  Because you can’t, you must ask for a Seed before you can send a Key.  The system requires it.

Now you need to send the Key.. but wait not yet.  Because there is one thing you need to determine first.  Is the Seed static or dynamic?  You want to know this because this will let you know if you are going to increment your key or not.  If the Seed is static, then you’ll need to change the Key when you are brute forcing the system.  If the Seed is dynamic, then you’ll want to keep the Key Static. So send another Seed Request.  Did the Seed change?  If so it’s a dynamic Seed.  If not it’s static.
Now we need to send a Key.  To do this we send 0x7E0 04 27 02 XX XX 00 00 00, where XX XX is the Key (remember the 0x02 subfunction is x+1 of the Seed request). Likely we will get a negative response because the odds of us guessing the exact Key for the Seed we received are 1/(2^key width in bits).  So if the key space is 65536 (a 2-byte key) then we have a 1/65536 chance of getting it right.  Now if we increment through all possible Keys then our odds of getting the response approach 100% quickly (see the birthday problem).  But if the Seed is dynamic we don't want to increment the Key.  So this is a much different problem.

However those pesky engineers at the auto manufacturers thought of this brute force method and took some steps to slow us down. How? By making it so that after 3 or 4 attempts we get locked out. How do we know that we've reached this condition? They let us know by sending this: 0x7E8 03 7F 27 36 00 00 00 00, which means "Exceeded Number of Attempts." This means we have to somehow reset the controller so we can try again.  This can be achieved by cycling the power.  You can do this by finding the fuse for the controller and simply pulling it.  Now this could be cumbersome so you may want to automate it using your favorite open source embedded controller.  Or we may be able to reset it using the ECU Reset Service a.k.a. Mode 0x11.

ECU Reset is the funnest service ever… because it allows you to tell a controller to cycle its power.  (Don't try it while you are actually driving; bad things may happen……)  The problem with ECU Reset is there are so many different permutations of it that it's hard to describe universally.  So you'll have to do some experimenting on how your vehicle has it implemented.  But here is an example of how it may work: 0x7E0 02 11 01 00 00 00 00 00.  Because you did a reset, you may not get a response from the controller at all if you did it correctly.  However if it didn't like the request, it will give you a negative response 0x7E8 03 7F 11 XX 00 00 00 00, where XX is the negative response code.  You'll have to parse the code to know how to handle the exception.  If the NRC is 0x12 just keep trying all subfunctions until one of them works.

Once you've reset the controller, send another Seed request.  If you still get "Exceeded Number of Attempts" as a response, then the reset didn't work. Keep trying more subfunctions of the reset command until you've exhausted them all.  If still no luck, you'll have to do a hard reset of the power to the ECU (pulling the fuse).  Now try to send another Seed request.  Likely if you do this quickly (within 10 or so seconds of the ECU powering up), you'll get another negative response, 0x7E8 03 7F 27 37 00 00 00 00, "Required Time Delay Not Expired," meaning that you have to wait a few seconds longer.  Keep trying until this error goes away.  This is just another way that the manufacturer has made it difficult for you to brute force the system.  Because of this delay, the brute force will take much longer.  But if you're motivated you'll eventually get there.

How will you know you’ve got it?  You’ll see this: 0x7E8 02 67 02 00 00 00 00 00.  Then you can be sure.  And if you missed that message you can always send another Seed request.  If you get Seed of Zero that means that the ECU security is bypassed.

Don't let the window close.  If you want to keep the ECU "unlocked" then you'll need to maintain this state.  To do this simply keep sending a Seed request or, better, send a Tester Present message: 0x7E0 02 3E XX 00 00 00 00, where XX is the subfunction (you'll have to test this first to see what works) or 0x7E0 01 3E 00 00 00 00 00 00.
Good Luck and as always feel free to contact me if you have any questions.
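The seed/key exchange above, seen from the monitoring side: an added example (not code from the original post) that watches 0x27 traffic in the post's frame notation, recovers the seed width from the length byte, applies the static-vs-dynamic seed test, and raises the events a defender would alert on: repeated rejected keys followed by the NRC 0x36 lockout or the NRC 0x37 delay. The sample session and the NRC 0x35 invalidKey responses in it are constructed, not captured from the post.

```python
# Added example, not code from the original post: passive monitor for the
# Security Access (0x27) exchange. Reads single-frame CAN lines in the post's
# notation; the CAN ID is ignored, so request and response IDs are assumed.

def payload(line):
    """Drop the CAN ID and the ISO-TP length byte; keep the service bytes."""
    data = bytes(int(b, 16) for b in line.split()[1:])
    return data[1:1 + data[0]]

def monitor(lines, max_failed_keys=3):
    """Return (seed_width, seed_is_static, events) for one 0x27 session."""
    seeds, pending_key, failed, events = [], False, 0, []
    for line in lines:
        p = payload(line)
        if len(p) < 2:
            continue
        sid, sub = p[0], p[1]
        if sid == 0x27:                      # request: odd sub = seed, even = key
            pending_key = sub % 2 == 0
        elif sid == 0x67 and sub % 2 == 1:   # 0x27 + 0x40: seed delivered
            seeds.append(p[2:])              # width follows from the length byte
            if not any(p[2:]):
                events.append("seed of zero: ECU reports security bypassed")
        elif sid == 0x67 and sub % 2 == 0:   # key accepted
            events.append("key accepted: privileged services unlocked")
            failed = 0
        elif sid == 0x7F and sub == 0x27:    # negative response to 0x27
            nrc = p[2]
            if nrc == 0x36:
                events.append("NRC 0x36 ExceededNumberOfAttempts: lockout")
            elif nrc == 0x37:
                events.append("NRC 0x37 RequiredTimeDelayNotExpired")
            elif pending_key:                # any other NRC after a key send
                failed += 1
                if failed == max_failed_keys:
                    events.append(f"{failed} rejected keys: possible brute force")
            pending_key = False
    width = len(seeds[0]) if seeds else 0
    static = len(seeds) > 1 and all(s == seeds[0] for s in seeds)
    return width, static, events

# Constructed sample: static 2-byte seed, three rejected keys (0x35), lockout.
LOG = [
    "0x7E0 02 27 01 00 00 00 00 00", "0x7E8 04 67 01 12 34 00 00 00",
    "0x7E0 02 27 01 00 00 00 00 00", "0x7E8 04 67 01 12 34 00 00 00",
    "0x7E0 04 27 02 00 01 00 00 00", "0x7E8 03 7F 27 35 00 00 00 00",
    "0x7E0 04 27 02 00 02 00 00 00", "0x7E8 03 7F 27 35 00 00 00 00",
    "0x7E0 04 27 02 00 03 00 00 00", "0x7E8 03 7F 27 35 00 00 00 00",
    "0x7E0 04 27 02 00 04 00 00 00", "0x7E8 03 7F 27 36 00 00 00 00",
]
```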
