CARsenal is used to provide a Automotive Security toolset.

Your kernel should have CAN support enabled. For more informations, follow “Configuring the Kernel - CARsenal” documentation.

• Main : Configure CAN interface and decode VIN identification.
• Tools : Provide can-utils suite, cannelloni or Freediag.
• CAN-USB : Use CAN Analyzer USB to dump and send signals.
• Caribou : Caring Caribou automotive security exploration tool.
• Simulator : ICSim and UDSim simulators.
• MSF : Metasploit Automotive Modules.

Tools Documentations

• can-utils
• freediag
• usb-can
• cannelloni
• VIN Info
• CaringCaribou
• ICSim
• UDSim

Guide

• Introduction to Car Hacking: The CAN Bus

• Alexmohr for can-usb fork
• CaringCaribou for its tool
• Fenugrec for freediag
• idlesign for VIN Info
• Kimocoder for help and support
• Kobolt for usb-can
• Linux-Can for can-utils and socketcand
• Mguentner for cannelloni
• V0lk3n for Nethunter CARsenal tab
• Yesimxev for help and support
• zombieCraig for ICSim and UDSim
• rapid7 for Metasploit Framework.
• Craig Smith for MSF Automotive Modules.
• Pietro Biondi for MSF Automotive Modules.
• Jay Turla for MSF Automotive Modules.
• Johannes Braun for MSF Automotive Modules.
• Juergen Duerrwang for MSF Automotive Modules.

Start CAN Interface - Settings Prerequisite :

Set “CAN Interface”, “CAN Type” in Inteface. And optionally enable ‘MTU’ and ’txqueulen to set custom value’.

# For VCAN Type : create interface first
sudo ip link add dev <caniface> type vcan

# If MTU or txqueuelen value specified
sudo ip link set <caniface> mtu <Value>
sudo ip link set <caniface> txqueuelen <Value>

# Brought UP interface
sudo ip link set <caniface> up

Reset Interface - Used command :

It execute the following script to reset interfaces.

You can customize services commands, by long pressing oranges buttons.

Interface section is used to Configure your CAN interfaces. You may specify interface name in Settings, and optionally set a custom MTU and txqueuelen value.

You also may enable some Daemon/services which are :

• slcand : Daemon for Serial CAN devices.
• hlcand : Fork of slcand made for ELM327 microcontroller.
• socketcand : Daemon to bridge CAN interfaces.
• slcan_attach : Attach your serial CAN device.
• ldattach : Attach your device.
• RFCOMM
  • bind : Bind bluetooth to your device.
  • connect : Connect the RFCOMM device to the remote Bluetooth device

VIN Info is used to decode VIN identifier and check checksum.

vininfo show <vinNumber>
vininfo check <vinNumber>

Commands are updated when configuring settings. You can long press on orange buttons to edit commands as well.

• can-utils : SocketCAN userspace utilities and tools.

  • cangen : CAN frames generator for testing purposes.
  • cansniffer : Volatile CAN content visualizer.
  • candump : Dump CAN bus traffic.
  • cansend : Send CAN-frames via CAN_RAW sockets.
  • canplayer : Replay a compact CAN frame logfile to CAN devices.
  • asc2log : Convert ASC logfile to compact CAN frame logfile.
  • log2asc : Convert compact CAN frame logfile to ASC logfile.

• freediag : Access your car diagnostic system.

  • diagtest : Standalone program from Freediag, used to exercise code paths.

• cannelloni : Uses UDP, TCP or SCTP to transfer CAN frames between two machines.

• sequence_finder : Custom script that split a log files, replay theses with CanPlayer until finding the exact sequence of the desired action. Finally it replay it using CanSend.

Command is updated when configuring settings.

CAN-USB is using the low cost hardware displayed bellow.

Selecting a Module and it’s sub-module will display it’s parameters in settings field.

• Dump
• Fuzzer
  • brute
  • identify
  • mutate
  • random
  • replay
• Listener
• module_template
• Send
  • file
  • message
• UDS
  • discovery
  • services
  • subservices
  • ecu_reset
  • testerpresent
  • security_seed
  • dump_dids
  • read_mem
  • auto
• UDS_Fuzz
  • delay_fuzzer
  • seed_randomness_fuzzer
• XCP
  • discovery
  • info
  • commands
  • dump

Once simulator is running. You can make ICSim/UDSim floatable for a better control. You may also Enable/Disable Controls WebView.

While starting simulator we use display 3 to 5 to avoid issue if kex or something else is running.

• Display 3 : ICSim
• Display 4 : Controls
• Display 5 : UDSim

Then it start a virtual framebuffer (Xvfb) on each display, run fluxbox as window manager and start x11vnc as VNC Server.

Once done, it run the simulator in each VNC display and start noVNC to have access to it in the browser.

Finally, Nethunter App will load the webview of noVNC to provide display.

ICSim documentation can be found here.

ICSim is started/stopped through the following script.

UDSim documentation can be found here.

UDSim is started/stopped through the following script.

First you need to press on ‘start msfconsole’, it use screen to dettach and reattach msf session to be able to run the module in the same instance.

Once msf is started, select your module and use “Info” to read module information, “Set” to configure module, and finally “Run” to execute it.

Note : Actually, we can’t automatically close the terminal window, so keep in mind that previous terminal window will still be opened but killed.

• elm327_relay : This module requires a connected ELM327 or STN1100 is connected to the machines serial. Sets up a basic RESTful web server to communicate

• local_hwbridge : Sets up a web server to bridge communications between Metasploit and physically attached hardware.
• connect : Connect the physical HWBridge which
  will start an interactive hwbridge session (local_hwbridge should be running).

• can_flood : Floods a CAN interface with supplied frames.
• canprobe : Scans between two CAN IDs and writes data at each byte position.
• diagnostic_state : Keep the vehicle in a diagnostic state on rounds by sending tester present packet.
• ecu_hard_reset : Performs hard reset in the ECU Reset Service Identifier (0x11).
• getvinfo : This module queries DTCs, some common engine info, and vehicle information.
• identifymodules : Scan the CAN bus for any modules that can respond to UDS DSC queries.
• malibu_overheat : Simple sample temp flood for the 2006 Malibu.
• mazda_ic_mover : Moves the needle of the accelorometer and speedometer of the Mazda 2 instrument cluster.
• pdt : Acting in the role of a Pyrotechnical Device Deployment Tool (PDT)