1
00:00:03,070 --> 00:00:03,800
Welcome back.

2
00:00:03,820 --> 00:00:10,450
And we've got one more bonus lesson for you that's been really popular with my face-to-face classes

3
00:00:10,480 --> 00:00:13,570
and our cyber warrior academies each summer

4
00:00:13,900 --> 00:00:18,970
these last few years: this is reverse engineering the controller area network.

5
00:00:19,300 --> 00:00:24,400
Now, you've already seen how to do a replay attack, where you can capture some packets and send those

6
00:00:24,400 --> 00:00:27,280
back out over the same system with the controls turned off.

7
00:00:27,700 --> 00:00:32,950
But we want to show you how to take it one step further, so that you can use a cable like the one we

8
00:00:32,950 --> 00:00:33,460
have here.

9
00:00:35,070 --> 00:00:41,970
This is a CAN-to-USB cable that gives us the ability to connect into a real vehicle.

10
00:00:42,360 --> 00:00:46,980
We're going to practice that safely here in our virtual machine.

11
00:00:47,340 --> 00:00:51,280
But a device like this costs only about 70, 80 dollars

12
00:00:51,330 --> 00:00:52,830
to add to your system.

13
00:00:53,220 --> 00:00:59,950
This is the Korlan USB2CAN, a USB-to-controller-area-network converter.

14
00:01:00,210 --> 00:01:06,930
This just plugs into regular USB and then connects into the automobile under the dashboard at the onboard

15
00:01:06,930 --> 00:01:08,190
diagnostic port.

16
00:01:08,280 --> 00:01:09,390
That's pretty handy there.

17
00:01:10,020 --> 00:01:13,050
So let's talk about this CAN bus and how we can reverse engineer it.

18
00:01:14,580 --> 00:01:17,400
Well, we've mentioned that the CAN bus is the controller area network.
19
00:01:17,700 --> 00:01:24,240
It's what allows our communication across all the different sensors and actuators or devices inside

20
00:01:24,240 --> 00:01:30,420
our network to work together, so that when you press on the brakes, the brakes fire, the brake lights

21
00:01:30,420 --> 00:01:30,840
turn on.

22
00:01:31,230 --> 00:01:36,510
When you click the turn signal, your turn signal turns on and off like it's supposed to.

23
00:01:36,900 --> 00:01:44,580
A modern production car can have as many as 70 electronic control units, or ECUs, for everything from

24
00:01:44,580 --> 00:01:49,090
the engine, airbags, anti-lock brakes, tail lights, entertainment system, you name it.

25
00:01:49,470 --> 00:01:56,490
And the CAN messages for the control of the CAN bus, it's just one of the communication systems in your

26
00:01:56,490 --> 00:01:56,790
car.

27
00:01:56,820 --> 00:02:03,690
But it's been around since 1991, and in all vehicles sold in the U.S. since 1996.

28
00:02:04,230 --> 00:02:07,800
This is a pretty common way for devices to talk to each other.

29
00:02:08,160 --> 00:02:13,430
So you can see that we've got between zero and 64 bits of data, and we've got a 29-bit

30
00:02:13,440 --> 00:02:19,220
CAN ID, or a three-byte, give or take a little bit there, CAN ID identifier.

31
00:02:19,310 --> 00:02:23,240
That's those three hexadecimal digits that we've been seeing in cansniffer.

32
00:02:23,610 --> 00:02:28,890
So we're going to run the newer version of cansniffer, and we've got that by running make and make install from

33
00:02:28,890 --> 00:02:31,260
inside that can-utils folder that we downloaded.

34
00:02:31,800 --> 00:02:40,110
We're going to see how to find exactly the right CAN ID and the exact message to be able to control

35
00:02:40,200 --> 00:02:44,070
our controller area network, our car, from the command line.

36
00:02:44,430 --> 00:02:48,300
So let's see what we can do to reverse engineer the controller network.
37
00:02:48,570 --> 00:02:52,800
We're going to be able to send specific messages to the CAN bus using cansend.

38
00:02:53,190 --> 00:02:55,740
So this is a command that we got from the can-utils.

39
00:02:56,540 --> 00:02:57,630
We'll tell it what network,

40
00:02:57,690 --> 00:03:04,650
and then we just need to give it a three-hexadecimal-digit ID number, like 188 or 0

41
00:03:04,680 --> 00:03:11,940
6F or 19B, then a hashtag or a pound symbol, and then a message value.

42
00:03:12,000 --> 00:03:16,830
So this cansend vcan0 188 and a message should do something

43
00:03:17,010 --> 00:03:21,240
to our virtual controller area network.

44
00:03:21,570 --> 00:03:28,410
So what we're gonna do is see some of those commands fly by so that we can identify some of these messages

45
00:03:28,410 --> 00:03:29,460
that we might want to send.

46
00:03:29,850 --> 00:03:33,510
So cansniffer, the newer version, has tons of really cool commands.

47
00:03:33,510 --> 00:03:39,260
In fact, if you type cansniffer and just hit Enter, you're gonna see how to interact with cansniffer

48
00:03:39,260 --> 00:03:39,810
for a while.

49
00:03:39,810 --> 00:03:40,380
It's running.

50
00:03:40,440 --> 00:03:43,020
This is the newer version that we did from GitHub.

51
00:03:43,380 --> 00:03:48,150
And then we did the make and make install so that we get the new cansniffer.

52
00:03:48,630 --> 00:03:52,590
We have all of these options that we can run from the command line.

53
00:03:52,620 --> 00:03:58,320
So we could say -c, so that it'll color any of the bytes that are changing.

54
00:03:58,380 --> 00:04:06,000
So our speed as it goes up, our blinkers as we turn left or right, and the door locks as they change.

55
00:04:06,780 --> 00:04:10,500
We can set the timeout so we can have things disappear after a little bit of time.
56
00:04:10,830 --> 00:04:15,960
I'm actually going to use that -t option there in my cansniffer so that we can see our values

57
00:04:15,960 --> 00:04:17,430
stay on the screen for a little longer.

58
00:04:18,030 --> 00:04:20,970
And then you've got some interactive mode options here.

59
00:04:21,000 --> 00:04:22,740
You can toggle color mode.

60
00:04:23,100 --> 00:04:25,770
You can press Space and Enter to clear the screen.

61
00:04:26,160 --> 00:04:31,470
You can actually read through each of these and come back to cansniffer and keep working with it.

62
00:04:31,950 --> 00:04:36,570
The great thing about the newer version of cansniffer that we downloaded and installed was that when

63
00:04:36,570 --> 00:04:42,270
we run cansniffer, I'm actually going to increase the font size so you can see this a little bit

64
00:04:42,270 --> 00:04:43,590
better. Control.

65
00:04:43,890 --> 00:04:44,400
There we go.

66
00:04:44,400 --> 00:04:45,360
We've got cansniffer.

67
00:04:45,370 --> 00:04:46,520
I'm gonna say -c,

68
00:04:46,530 --> 00:04:51,660
because we want to color those bytes as they change so we can spot things as we reverse engineer

69
00:04:51,660 --> 00:04:51,840
them,

70
00:04:52,410 --> 00:04:57,630
or we try to figure out what the values are so that we can have the intended effect on the computer.

71
00:04:58,350 --> 00:05:01,410
Then we've got -t 0.

72
00:05:01,410 --> 00:05:04,290
I don't ever want to see those values time out.

73
00:05:04,320 --> 00:05:07,350
So once I've got a control running, I want it.

74
00:05:07,410 --> 00:05:09,370
I want to see that ID be permanently in there.

75
00:05:09,390 --> 00:05:15,570
So -t 0 turns off that timeout function. You may have seen some of the values disappear

76
00:05:15,900 --> 00:05:16,590
on and off.

77
00:05:16,800 --> 00:05:21,060
This is how we get back to that, so that they are all there all the time.
78
00:05:21,780 --> 00:05:25,530
And then we need to tell it which virtual CAN network:

79
00:05:25,560 --> 00:05:27,870
vcan0.

80
00:05:30,250 --> 00:05:35,050
And right now, we only see a couple of IDs, and we see one of them is changing, and that happens to

81
00:05:35,050 --> 00:05:36,010
be our speedometer.

82
00:05:36,370 --> 00:05:41,730
So if I run the speedometer up, you can see those last two bytes changing.

83
00:05:41,830 --> 00:05:43,030
So we can see 1A.

84
00:05:43,060 --> 00:05:45,220
Now it's 227.

85
00:05:45,970 --> 00:05:47,710
So you can see 3.

86
00:05:48,160 --> 00:05:50,570
And it seems to top out around 3894.

87
00:05:50,710 --> 00:05:55,360
That's the way it's written by default, if you don't hack the car hacking software. We'll show how to do

88
00:05:55,360 --> 00:05:56,680
that in the next bonus lesson.

89
00:05:57,040 --> 00:06:00,970
But this seems to top out at 3894 for those last two bytes.

90
00:06:01,270 --> 00:06:08,440
So my CAN ID is 244, and my CAN value would be 000000.

91
00:06:08,680 --> 00:06:13,210
And if I want this speedometer to do almost 100 miles per hour, I put 3894 in there.

92
00:06:13,560 --> 00:06:14,650
I want it to go higher.

93
00:06:14,710 --> 00:06:16,300
Make it look like maybe it's 300.

94
00:06:16,330 --> 00:06:18,600
I might try changing those last two values more.

95
00:06:19,120 --> 00:06:21,460
Now, let's see what that 188 value is.

96
00:06:21,490 --> 00:06:29,220
Well, if I turn my turn signal on to the right, I see the data value change there to 02. My speedometer

97
00:06:29,220 --> 00:06:29,980
is going down.

98
00:06:30,010 --> 00:06:32,320
So that's also going to be changing on the bottom line.

99
00:06:32,350 --> 00:06:37,270
But that CAN ID 188 is clearly my turn signal if I see 02.

100
00:06:37,570 --> 00:06:41,110
What if I say left turn, 01?
101
00:06:41,560 --> 00:06:46,450
What if I could get both of them to show up at the same time by maybe alternating back and forth on

102
00:06:46,450 --> 00:06:49,150
the left and right turn signals?

103
00:06:49,990 --> 00:06:51,580
Well, if I could get it just right,

104
00:06:53,240 --> 00:06:55,160
I might be able to get both of them to show up.

105
00:06:55,190 --> 00:06:56,570
And see, that's a 03.

106
00:06:56,570 --> 00:06:57,470
Well, that makes sense.

107
00:06:57,920 --> 00:06:59,930
01 is left, 02 is right.

108
00:07:00,380 --> 00:07:02,450
Then 03 might show both of them.

109
00:07:03,320 --> 00:07:05,990
What I'm going to do is try to get one other value to show up.

110
00:07:06,290 --> 00:07:11,990
You are just fine if you just do the left and right turn signals and the speedometer.

111
00:07:12,200 --> 00:07:16,640
But I'm going to try to get one more control to show up, so I click on the control panel and I'm going

112
00:07:16,640 --> 00:07:21,260
to press the left Shift key and then tap the right Shift key.

113
00:07:21,740 --> 00:07:26,960
And this won't work on every keyboard, and it won't work through a virtual connection to a remote lab

114
00:07:26,960 --> 00:07:27,890
machine, usually.

115
00:07:28,190 --> 00:07:33,380
But I saw all the doors open with 19B, 19B as my ID.

116
00:07:34,040 --> 00:07:40,740
And then 19B with 00000F will lock the doors.

117
00:07:41,030 --> 00:07:47,300
But if I want them to open back up, I just need to feed it six pairs of zeroes. So we can see our data

118
00:07:47,300 --> 00:07:47,780
message.

119
00:07:48,140 --> 00:07:49,280
We can see our ID.

120
00:07:49,610 --> 00:07:53,660
What I want to do is type Q to quit and then press Enter.

121
00:07:54,020 --> 00:07:57,350
And what that's gonna do is keep those values on the screen there for me.
122
00:07:57,740 --> 00:08:01,550
So what I'm going to do is create a little text document. Control-C.

123
00:08:01,980 --> 00:08:02,110
Nope.

124
00:08:02,170 --> 00:08:02,440
Sorry.

125
00:08:02,470 --> 00:08:03,200
Shift-Control-

126
00:08:03,200 --> 00:08:06,610
C to copy, so I want to copy that selection.

127
00:08:06,620 --> 00:08:09,160
And I'm going to start my little notepad editor,

128
00:08:09,770 --> 00:08:11,120
my text editor here.

129
00:08:12,980 --> 00:08:15,710
And really what I want to do is capture

130
00:08:18,190 --> 00:08:19,070
some of the values.

131
00:08:19,150 --> 00:08:25,270
Oh, your machine may be running a little bit slow because of the controller area network traffic

132
00:08:25,300 --> 00:08:28,720
that's going across. We're going to turn that off so that our machine speeds up.

133
00:08:28,720 --> 00:08:30,660
And besides, we actually don't need it anymore.

134
00:08:30,670 --> 00:08:32,830
Now, we've got all of those values right there.

135
00:08:33,310 --> 00:08:35,420
So I'm going to say 18.

136
00:08:35,530 --> 00:08:40,480
So I will actually just Control-Shift-V to paste that 244.

137
00:08:41,170 --> 00:08:44,020
So what I've got here is a cansend message

138
00:08:45,430 --> 00:08:49,540
that I should be able to modify and then send right back across this controller area network.

139
00:08:49,840 --> 00:08:51,680
So I just turned off my control panel.

140
00:08:51,700 --> 00:08:55,890
That's important, because we don't want something else interfering while we're typing in our cansend

141
00:08:55,980 --> 00:08:56,450
commands.

142
00:08:56,870 --> 00:09:03,580
But what I'm going to do is change the format of this message so that it is actually cansend, space,
143
00:09:04,720 --> 00:09:12,220
vcan0, and then 244, we found out, was the speedometer. And really what we want to change

144
00:09:12,220 --> 00:09:16,180
is we want to change the format so that this is all one string. It has to be all together.

145
00:09:16,750 --> 00:09:21,250
We mentioned that 0394 would make it look like it was running a hundred miles per hour,

146
00:09:21,520 --> 00:09:22,000
let's say.

147
00:09:22,130 --> 00:09:22,720
0.

148
00:09:23,890 --> 00:09:24,640
3.

149
00:09:26,630 --> 00:09:27,410
FF.

150
00:09:28,700 --> 00:09:35,330
And so what we have here is 000000, or six zeros, followed by 03

151
00:09:35,410 --> 00:09:36,190
FF.

152
00:09:36,770 --> 00:09:38,030
Let's copy that.

153
00:09:38,470 --> 00:09:42,290
Control-C, and come back over here with our control panel

154
00:09:42,290 --> 00:09:42,990
disabled.

155
00:09:43,870 --> 00:09:45,680
But our ICSim simulator is still there.

156
00:09:45,680 --> 00:09:46,840
You can run ./

157
00:09:46,850 --> 00:09:48,220
icsim vcan0

158
00:09:48,350 --> 00:09:49,670
if you need to get it back on the screen.

159
00:09:50,000 --> 00:09:54,950
But I'm going to paste this into my terminal window.

160
00:09:55,630 --> 00:10:00,860
cansend on vcan0, 244. My speedometer right now is zero.

161
00:10:00,890 --> 00:10:04,220
Let's see what happens to the speedometer when I send this command.

162
00:10:06,470 --> 00:10:06,950
Wow.

163
00:10:07,010 --> 00:10:07,220
All right.

164
00:10:07,280 --> 00:10:11,420
Well, that 03FF did not move it as much as we wanted it to.

165
00:10:12,720 --> 00:10:15,750
Well, what I'm going to do is cansend vcan0,

166
00:10:16,910 --> 00:10:20,970
and I'm going to say 00, with six zeros, and then four Fs.

167
00:10:21,620 --> 00:10:26,030
And you notice now my speedometer is pegged all the way over to the right-hand side.
168
00:10:26,030 --> 00:10:29,570
It looks like I'm doing two hundred eighty or three hundred miles per hour.

169
00:10:30,050 --> 00:10:33,740
So by sending that one command, we can make the speedometer look like it's doing

170
00:10:34,010 --> 00:10:35,480
two hundred eighty miles per hour.

171
00:10:35,570 --> 00:10:37,460
Or if we change it just a little bit more,

172
00:10:37,820 --> 00:10:39,260
0000,

173
00:10:39,890 --> 00:10:45,230
we can make it look like it's running zero miles per hour, and then we can toggle just by typing each

174
00:10:45,230 --> 00:10:46,040
of those commands.

175
00:10:46,370 --> 00:10:52,670
So let's do the same thing with our turn signals. So I can copy my turn signal, or you can just type this

176
00:10:52,670 --> 00:10:52,790
in.

177
00:10:52,790 --> 00:10:53,780
It's not very long.

178
00:10:54,310 --> 00:10:55,550
I'm going to copy that selection.

179
00:10:55,580 --> 00:10:56,930
I'm going to say cansend

180
00:10:57,980 --> 00:10:59,960
vcan0.

181
00:11:01,880 --> 00:11:03,710
And I want to send 188.

182
00:11:03,770 --> 00:11:06,530
And remember, it was the first two digits that changed.

183
00:11:08,550 --> 00:11:15,300
So 188, pound, if I said 03, you remember, that would turn on both the left and

184
00:11:15,300 --> 00:11:16,530
right turn signals.

185
00:11:18,790 --> 00:11:20,480
And we get rid of the extra spaces.

186
00:11:20,520 --> 00:11:21,600
Copy this command.

187
00:11:22,850 --> 00:11:26,300
Paste it into my terminal, Control-Shift-V.

188
00:11:27,520 --> 00:11:27,970
Enter.

189
00:11:29,160 --> 00:11:36,840
And I've turned on both turn signals. Or what would happen if I changed that 3 to a 0? Turns off

190
00:11:36,840 --> 00:11:39,360
both signals. Hit the up arrow twice,

191
00:11:39,510 --> 00:11:41,010
I've got both turn signals on.
192
00:11:41,490 --> 00:11:48,060
So you get the idea. With just a few commands, we're able to send a command to unlock all of the doors.

193
00:11:48,060 --> 00:11:49,770
In fact, you can give that one a try yourself.

194
00:11:49,800 --> 00:11:54,390
Try the 19B with six pairs of zeroes after it.

195
00:11:54,810 --> 00:12:03,120
That cansend that you see on the screen right here will allow you to run that 100, 300 mile per hour

196
00:12:03,120 --> 00:12:05,280
car with both turn signals on,

197
00:12:05,280 --> 00:12:08,700
so it looks like the brake lights, with all four doors open.

198
00:12:09,510 --> 00:12:10,440
Hope you enjoyed this

199
00:12:10,440 --> 00:12:12,210
lesson. Hope everything works well for you.

200
00:12:12,390 --> 00:12:14,340
Come back to this section.

201
00:12:14,340 --> 00:12:18,300
And if you need to reinstall the new version of cansniffer, so you get the nice clean interface,

202
00:12:18,930 --> 00:12:24,630
go back to the lesson on installing can-utils and ICSim.

203
00:12:25,050 --> 00:12:28,410
You'll see how to do that where we've updated everything for 2020 and beyond.

204
00:12:29,010 --> 00:12:31,130
This is one of the most popular lessons with my students.

205
00:12:31,140 --> 00:12:36,960
Once you understand how to do this, then you can plug one of these devices into a real car and actually

206
00:12:36,960 --> 00:12:41,570
see where each one of those individual commands makes a difference in the cansniffer,

207
00:12:41,590 --> 00:12:45,770
and then change those values or mess with them a little bit like we did.

208
00:12:45,780 --> 00:12:51,890
We turned the speedometer all the way up to FFFF, and that gave us what looks like a three

209
00:12:51,890 --> 00:12:57,240
hundred mile an hour vehicle speeding with both light, both turn signals on and all the doors unlocked.
210
00:12:58,140 --> 00:13:04,410
Reverse engineering is a tough set of skills to pick up, but once you understand it, you can do something

211
00:13:04,410 --> 00:13:09,800
like this for not just a controller area network, but Bluetooth devices in your home.

212
00:13:09,810 --> 00:13:15,570
You can sniff your network using some of the tools built into Kali Linux and open a door lock or

213
00:13:15,720 --> 00:13:18,180
change commands on a camera or a thermostat.

214
00:13:18,810 --> 00:13:23,610
Reverse engineering is a really important set of skills that a lot of companies are looking for.

215
00:13:23,940 --> 00:13:26,830
So if you enjoyed this lesson, there might be a future for you in that.

216
00:13:26,850 --> 00:13:29,310
Look for reverse engineering in some job listings.

217
00:13:30,120 --> 00:13:35,610
When we come back in the next lesson, we will show you how to hack the car hacking software.

218
00:13:35,970 --> 00:13:36,400
That's right.

219
00:13:36,570 --> 00:13:43,140
We're actually going to change this so that you can take your speedometer all the way up to a thousand

220
00:13:43,140 --> 00:13:45,300
miles per hour if you want to.

221
00:13:45,660 --> 00:13:47,820
Hope you're enjoying these bonus lessons,

222
00:13:47,820 --> 00:13:51,740
and I hope it's something interesting and fun for you and that you'll learn a little bit along the way.