Objective

image-20210110134830655

Terminal - CAN-Bus Investigation

Challenge

Wunorse Openslae is on the roof, next to a terminal and in front of the sleigh objective challenge. When I'm playing as a regular player (not Santa), he gives me hints about the terminal:

Hiya hiya - I’m Wunorse Openslae!

I’ve been playing a bit with CAN bus. Are you a car hacker?

I’d love it if you could take a look at this terminal for me.

I’m trying to figure out what the unlock code is in this CAN bus log.

When it was grabbing this traffic, I locked, unlocked, and locked the doors one more time.

It ought to be a simple matter of just filtering out the noise until we get down to those three actions.

Need more of a nudge? Check out Chris Elgee’s talk on CAN traffic!

As Santa, he’s just confused:

Hey Santa!

Those tweaks you made to the sled just don’t seem right to me.

I can’t figure out what’s wrong, but maybe you can check it out to fix it.

Solution

The terminal lays out the first challenge further:

MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMWX00OkxxddcddxxkOO0XWMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMWXOxoc:c.;cccccc.ccccc:.:c:ldxOXMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMXkoc',ccccc:.:ccccc.ccccc.;cccc,'::cdOXMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMM0xc:cccc,':cccc::ccccccccccccccc:.;cccccc:lxXMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMNkl,',:ccccc;;ccccccccccccccccccccc::cccccc:,',:lOWMMMMMMMMMMMMM
MMMMMMMMMMMMNxccccc;';cccccccccccccccccccccccccccccccccc;':cccccckWMMMMMMMMMMM
MMMMMMMMMMNdcccccc:..;cccccccccccccccccccccccccccccccccccccccccccc:kWMMMMMMMMM
MMMMMMMMM0c,,,,:cccc;..;cccccccccccccccccccccccccccccccccccccc:,,,;:lKMMMMMMMM
MMMMMMMWd:cccc;:cccccc;..,cccccccccccccccccccccccccccccccccccc;:cccccckMMMMMMM
MMMMMMNlcccccccccccccccc:..,:ccccccccccccccccccccccccccccccccccccccccc:oWMMMMM
MMMMMNc,,,,,:ccccccccccccc:..':cccccccccccccccccccccccccccccccccc:,,,,,;oWMMMM
MMMMWoccccc::ccccccccccccccc:'.':cccccccccccccccccccccccccccccccc::ccccccxMMMM
MMMMkccccccccccccccccccccccccc:'..:cccccccccccccccccccccccccccccccccccccc:0MMM
MMMN::cccccccccccccccccccccccccc:'..:cccccccccccccccccccccccccccccccccccc:cWMM
MMMk,,,,,:cccccccccccccccccccccccc:,..;ccccccccccccccccccccccccccccc:,,,,,;0MM
MMMlccccccccccccccccccccccccccccccccc,.;cccccccccccccccccccccccccccccccccccdMM
MMW:ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccclMM
MMWOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO0MM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM

Welcome to the CAN bus terminal challenge!

In your home folder, there's a CAN bus capture from Santa's sleigh. Some of
the data has been cleaned up, so don't worry - it isn't too noisy. What you
will see is a record of the engine idling up and down. Also in the data are
a LOCK signal, an UNLOCK signal, and one more LOCK. Can you find the UNLOCK?
We'd like to encode another key mechanism.

Find the decimal portion of the timestamp of the UNLOCK code in candump.log
and submit it to ./runtoanswer!  (e.g., if the timestamp is 123456.112233,
please submit 112233)

The candump.log file has 1369 lines:

elf@34a4edd5ecbe:~$ wc -l candump.log 
1369 candump.log

Each is of the format ([timestamp]) vcan0 [id]#[data]:

elf@34a4edd5ecbe:~$ head candump.log
(1608926660.800530) vcan0 244#0000000116
(1608926660.812774) vcan0 244#00000001D3
(1608926660.826327) vcan0 244#00000001A6
(1608926660.839338) vcan0 244#00000001A3
(1608926660.852786) vcan0 244#00000001B4
(1608926660.866754) vcan0 244#000000018E
(1608926660.879825) vcan0 244#000000015F
(1608926660.892934) vcan0 244#0000000103
(1608926660.904816) vcan0 244#0000000181
(1608926660.920799) vcan0 244#000000015F

I’ll want to look at the various ids passed in this log. I’ll use grep to isolate the three characters before the #, and then run that into sort | uniq -c | sort -nr to get a histogram:

elf@c1413b97664d:~$ cat candump.log | grep -oP '.{3}#' | sort | uniq -c | sort -nr
   1331 244#
     35 188#
      3 19B#

As I’m looking for a single unlock between two locks, id 19B seems promising. I can grep again for this:

elf@c1413b97664d:~$ grep '19B#' candump.log 
(1608926664.626448) vcan0 19B#000000000000
(1608926671.122520) vcan0 19B#00000F000000
(1608926674.092148) vcan0 19B#000000000000

Likely 000000000000 represents lock and 00000F000000 represents unlock (the single different message sandwiched between two identical ones matches the lock, unlock, lock sequence Wunorse described). The fractional seconds of the unlock timestamp look promising: 122520 (Christmas’ date!). It solves the challenge:

elf@c1413b97664d:~$ ./runtoanswer 122520
Your answer: 122520
Checking....
Your answer is correct!
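The same analysis in code, as an added example that is not part of the original writeup: a small parser for the candump line format shown above, the per-ID histogram the grep pipeline produced, and a function that picks the unlock frame by the lock/unlock/lock pattern (the data value that occurs once among the lock-ID frames) and returns the decimal portion of its timestamp. The sample log embedded below is constructed from the handful of lines quoted in the writeup (the 188 frames and their payloads are made up; the real candump.log has 1369 lines), and the assumption that the lock ID is 19B is taken from the writeup.

```python
import re
from collections import Counter
from typing import Iterator, List, NamedTuple, Optional

# Constructed sample in candump format. The 244 and 19B lines are the ones
# quoted in the writeup; the 188 lines (and their payloads) are invented.
SAMPLE_LOG = """\
(1608926660.800530) vcan0 244#0000000116
(1608926660.812774) vcan0 244#00000001D3
(1608926662.100000) vcan0 188#0000000000
(1608926664.626448) vcan0 19B#000000000000
(1608926666.000000) vcan0 244#00000001A6
(1608926671.122520) vcan0 19B#00000F000000
(1608926672.000000) vcan0 188#0000000000
(1608926674.092148) vcan0 19B#000000000000
"""

# ([seconds].[fraction]) [interface] [id]#[data]
FRAME_RE = re.compile(
    r"^\((?P<secs>\d+)\.(?P<frac>\d+)\)\s+(?P<iface>\S+)\s+"
    r"(?P<can_id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$"
)


class Frame(NamedTuple):
    secs: str      # integer part of the timestamp, kept as text
    frac: str      # fractional part, kept as text so leading zeros survive
    iface: str
    can_id: str
    data: str


def parse_frame(line: str) -> Optional[Frame]:
    """Parse one candump line; return None for lines that do not match."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    return Frame(m["secs"], m["frac"], m["iface"], m["can_id"].upper(), m["data"].upper())


def parse_log(log_text: str) -> Iterator[Frame]:
    """Yield every well-formed frame in a candump log, skipping junk lines."""
    for line in log_text.splitlines():
        frame = parse_frame(line)
        if frame is not None:
            yield frame


def id_histogram(log_text: str) -> Counter:
    """Equivalent of: grep -oP '.{3}#' | sort | uniq -c (counts per CAN ID)."""
    return Counter(f.can_id for f in parse_log(log_text))


def lock_frames(log_text: str, lock_id: str = "19B") -> List[Frame]:
    """All frames carrying the door-lock ID (19B is an assumption from the writeup)."""
    return [f for f in parse_log(log_text) if f.can_id == lock_id.upper()]


def find_unlock_fraction(log_text: str, lock_id: str = "19B") -> str:
    """Return the decimal portion of the UNLOCK timestamp.

    The capture is described as LOCK, UNLOCK, LOCK, so among the lock-ID
    frames the unlock payload is the one that appears exactly once.
    """
    frames = lock_frames(log_text, lock_id)
    payload_counts = Counter(f.data for f in frames)
    singletons = [d for d, n in payload_counts.items() if n == 1]
    if len(singletons) != 1:
        raise ValueError(f"expected exactly one unique payload, got {payload_counts}")
    unlock = next(f for f in frames if f.data == singletons[0])
    return unlock.frac


if __name__ == "__main__":
    for can_id, n in id_histogram(SAMPLE_LOG).most_common():
        print(f"{n:7d} {can_id}#")
    print("unlock answer:", find_unlock_fraction(SAMPLE_LOG))
```

Run it against the real file with `find_unlock_fraction(open("candump.log").read())`; the histogram function replaces the grep pipeline and the fraction is returned as text, so a timestamp such as 123456.012233 would yield "012233" rather than a float that has lost its leading zero.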

Solve the Sleigh’s CAN-D-BUS Problem

Hints

On solving the terminal, Wunorse offers hints about the task:

Great work! You found the code!

I wonder if I can use this knowledge to work out some kind of universal unlocker…

… to be used only with permission, of course!

Say, do you have any thoughts on what might fix Santa’s sleigh?

Turns out: Santa’s sleigh uses a variation of CAN bus that we call CAN-D bus.

And there’s something naughty going on in that CAN-D bus.

The brakes seem to shudder when I put some pressure on them, and the doors are acting oddly.

I’m pretty sure we need to filter out naughty CAN-D-ID codes.

There might even be some valid IDs with invalid data bytes.

For security reasons, only Santa is allowed access to the sled and its CAN-D bus.

I’ll hit him up next time he’s nearby.

One more hint from the badge:

  • Try filtering out one CAN-ID at a time and create a table of what each might pertain to. What’s up with the brakes and doors?

Solution

Opening the Sleigh controls gives a panel with three columns. The left column offers controls. The right offers a stream of CAN bus messages. The middle offers a way to filter the messages that are streaming by on the right:

image-20210110140452865

Because the events are moving by so fast, I first tried to stop all of them. I set four filters in place:

image-20210110140656888

With these in place, the only message that comes by is an occasional 19B#0000000F2057.

Pushing the lock generates a 19B#000000000000, just as in the terminal. Unlock generates a 19B#00000F000000. It’s safe to say that 19B is the id for the locks, and these two messages are lock and unlock. That means that the 19B#0000000F2057 message is likely one that I need to remove. I’ll add that filter.

Messing with the steering starts a stream of 019 messages, where the value is the hex value of the steering setting (negative numbers show up in two’s complement). Nothing looks weird here. I’ll set the steering back to 0 so I don’t see the messages filling the stream.

Starting the car sends a 02A#0000FF, and then a stream of 244 id messages comes through with the RPM value in the body. Messing with the accelerator while the car is on will increase those RPM readings, but doesn’t seem to send any messages of its own. Stopping the car sends a 02A#00FF00.

Increasing the brake value starts a stream of id 080 messages. There’s something off about it though. As soon as the brake value gets to 4 or higher, there are negative values coming back as well:

image-20210110141627728

It looks like something messed with the brakes. I’ll want to filter out those negative messages.

I’ll add a filter for ID 080 less than 0. Then I can remove the other filters, leaving just two, and a message pops up to say the sleigh is fixed:

image-20210110141817648
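The two filters that fix the sleigh, expressed as code: an added example that is not part of the original writeup or the challenge. It decodes a frame’s data field as a two’s-complement signed integer (the writeup notes the steering values show negatives that way, and the same decoding is assumed here for the 080 brake frames), then applies an allow/drop rule set over a stream of id#data messages: drop 19B frames carrying the rogue 0000000F2057 payload, and drop 080 frames whose signed value is below 0. The sample stream below is constructed; the payload widths for 080 and 19B frames are assumptions, and the rule list is the only thing the example takes from the writeup.

```python
from typing import Callable, Dict, List, Tuple

# Constructed stream of id#data messages in the style of the sleigh panel.
# The 19B and 0000000F2057 values come from the writeup; the rest is made up.
SAMPLE_STREAM = [
    "19B#000000000000",  # lock            -> keep
    "19B#0000000F2057",  # rogue lock frame -> drop
    "080#000005",        # brake 5         -> keep
    "080#FFFFFB",        # brake -5        -> drop (negative)
    "244#00000001A3",    # RPM reading     -> keep
    "02A#0000FF",        # engine start    -> keep
    "19B#00000F000000",  # unlock          -> keep
]


def parse_message(msg: str) -> Tuple[str, str]:
    """Split 'ID#DATA' into (id, data), both upper-cased hex text."""
    can_id, sep, data = msg.partition("#")
    if sep != "#" or not can_id or any(c not in "0123456789ABCDEFabcdef" for c in can_id + data):
        raise ValueError(f"malformed message: {msg!r}")
    return can_id.upper(), data.upper()


def to_signed(data_hex: str) -> int:
    """Decode a hex data field as a two's-complement integer of its own width.

    Width is taken from the field length (4 bits per hex digit), which is an
    assumption about how the panel encodes brake and steering values.
    """
    bits = len(data_hex) * 4
    value = int(data_hex, 16)
    if value >= 1 << (bits - 1):
        value -= 1 << bits
    return value


# A rule maps a CAN ID to a predicate over the data field; True means "drop".
DropRule = Callable[[str], bool]

CAND_BUS_RULES: Dict[str, List[DropRule]] = {
    # rogue lock message observed on the CAN-D bus
    "19B": [lambda data: data == "0000000F2057"],
    # brake frames should never carry a negative value
    "080": [lambda data: to_signed(data) < 0],
}


def should_drop(msg: str, rules: Dict[str, List[DropRule]] = CAND_BUS_RULES) -> bool:
    """True when any rule for the message's ID matches its data."""
    can_id, data = parse_message(msg)
    return any(rule(data) for rule in rules.get(can_id, []))


def filter_stream(stream: List[str], rules: Dict[str, List[DropRule]] = CAND_BUS_RULES):
    """Return (kept, dropped) lists for a stream of id#data messages."""
    kept, dropped = [], []
    for msg in stream:
        (dropped if should_drop(msg, rules) else kept).append(msg)
    return kept, dropped


if __name__ == "__main__":
    good, bad = filter_stream(SAMPLE_STREAM)
    for m in bad:
        print("dropped:", m)
    for m in good:
        print("kept:   ", m)
```

Rules are keyed by ID so each one only sees the payloads it understands; a frame with an ID that has no rule passes through untouched, which mirrors the panel’s behaviour once the earlier blanket filters are removed and only the two targeted ones remain.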