Sleigh CAN-D-BUS Issue

Objective 7

Now that Splunk is solved, my badge tells me to head up to the NetWars room for the next objective and talk to Wunorse Openslae, who can help if I figure out what's up with his terminal:

Hey Santa! Those tweaks you made to the sled just don’t seem right to me. I can’t figure out what’s wrong, but maybe you can check it out to fix it.

Next I click on the terminal next to him, which pops up a CLI session. As the MOTD tells me, there is a file with logs of the sleigh's CAN traffic. There are a few distinct message types in the logs:

  • Engine UP/DOWN messages (many of these)
  • LOCK and UNLOCK messages (3 in total!)

So I inspect the candump.log file and do some transformations on it. First, I keep only the third column of each line (the ID#payload field). Then I extract the first three characters of that field (the CAN ID) and pipe them through sort -nr | uniq -c to count how many times each ID appears in the logs:

elf@87cee25c674e:~$  cat candump.log | awk '{print $3}' |  cut -b 1-3 | sort -nr | uniq -c
   1331 244
     35 188
      3 19B

elf@87cee25c674e:~$ cat candump.log  | grep 19B#
(1608926664.626448) vcan0 19B#000000000000
(1608926671.122520) vcan0 19B#00000F000000
(1608926674.092148) vcan0 19B#000000000000

Three frames with ID 19B match the three LOCK/UNLOCK messages the MOTD mentioned, so messages with ID 19B are the lock/unlock events (note that the middle one carries a non-zero payload, 00000F000000, while the other two are all zeros). This will be useful for fixing Santa's sleigh next:

RunToAnswer CAN BUS

Next I click on Santa's sleigh, and a strange UI pops up. To learn more about what it is, I watch Chris Elgee's KringleCon talk on CAN Bus in vehicles HERE.

Sleigh CAN-D-BUS

Initially, I just naively excluded all messages with ID 19B, but that did not fix it. Then I excluded some of the most common messages to slow the stream down a bit so I could see more clearly what was happening. That's when I spotted a message with the same ID but a non-zero payload in the stream:

1609081466157 019#00000000
1609081466258 188#00000000
1609081466462 19B#0000000F2057       << THIS SHOULD NOT BE HERE!
1609081466562 080#000000
1609081466663 019#00000000
1609081466767 188#00000000

I thought this might be the malicious message being injected onto the bus, so I excluded it. This was probably a step in the right direction, but it was still not enough to complete the objective.

Next, I played with the controls a bit and noticed something strange when the brake slider was moved: on each cycle, two messages with the brake ID (080) were emitted instead of one:

1609082448556 080#000028
1609082448576 080#FFFFF0      <<< EXCLUDE!
1609082449074 080#000028
1609082449077 080#FFFFF3      <<< EXCLUDE!

The payloads starting with FFFF looked suspicious: read as signed 24-bit integers, FFFFF0 and FFFFF3 are -16 and -13, negative values that make no sense for a brake setting, while 000028 (40) does. So I excluded all of the FFFFxx brake messages as well, and voila, that was the correct solution!
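To tie the two halves of the objective together, here is an added Python example (mine, not code from the write-up or the challenge) that parses both log formats shown above, reproduces the per-ID tally from the awk/cut/sort/uniq pipeline, and applies the two exclusion rules found in the sleigh UI: the exact injected 19B payload 0000000F2057, and brake (080) frames whose 3-byte payload is negative when read as a signed integer. The sample log lines are constructed from the frames quoted on this page; the signed-integer reading of the FFFFxx brake payloads is my interpretation of why those frames are the bogus ones.

```python
import re
from collections import Counter

# Constructed sample log, not the real candump.log: the first lines use the
# candump format from the terminal, the later ones the bare-millisecond
# format the sleigh UI shows (no interface column).
SAMPLE_LOG = """\
(1608926664.626448) vcan0 244#0000000000
(1608926664.726448) vcan0 188#00000000
(1608926664.826448) vcan0 19B#000000000000
(1608926671.122520) vcan0 19B#00000F000000
(1608926674.092148) vcan0 19B#000000000000
1609081466462 19B#0000000F2057
1609082448556 080#000028
1609082448576 080#FFFFF0
1609082449074 080#000028
1609082449077 080#FFFFF3
"""

# Optional parentheses around the timestamp and an optional interface name,
# so both line formats on the page parse with one expression.
FRAME_RE = re.compile(
    r"^\(?(?P<ts>[\d.]+)\)?\s+(?:(?P<iface>\S+)\s+)?"
    r"(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$"
)

# CAN IDs and the injected payload exactly as they appear in the write-up.
LOCK_ID = "19B"
BRAKE_ID = "080"
BOGUS_LOCK_PAYLOAD = bytes.fromhex("0000000F2057")


def parse_candump(text):
    """Parse log text into (timestamp, interface, id, payload bytes) tuples."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FRAME_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable CAN log line: {line!r}")
        frames.append((float(m["ts"]), m["iface"], m["id"].upper(),
                       bytes.fromhex(m["data"])))
    return frames


def count_ids(frames):
    """Same tally as the awk | cut | sort | uniq -c pipeline: frames per CAN ID."""
    return Counter(can_id for _, _, can_id, _ in frames)


def signed_value(payload):
    """Interpret a payload as a big-endian two's-complement integer."""
    return int.from_bytes(payload, "big", signed=True)


def bogus_reason(frame):
    """Return why a frame should be dropped, or None if it looks legitimate.

    Rule 1 is the exact injected 19B payload from the write-up. Rule 2 is my
    reading of the FFFFxx brake frames: a 3-byte brake payload with the sign
    bit set (a negative value) is the injected one, not the slider's value.
    """
    _, _, can_id, payload = frame
    if can_id == LOCK_ID and payload == BOGUS_LOCK_PAYLOAD:
        return "unexpected payload on lock/unlock ID"
    if can_id == BRAKE_ID and len(payload) == 3 and signed_value(payload) < 0:
        return f"negative brake value {signed_value(payload)}"
    return None


def filter_frames(frames):
    """Split frames into the ones to keep and (frame, reason) pairs to drop."""
    kept, dropped = [], []
    for frame in frames:
        reason = bogus_reason(frame)
        if reason is None:
            kept.append(frame)
        else:
            dropped.append((frame, reason))
    return kept, dropped


if __name__ == "__main__":
    frames = parse_candump(SAMPLE_LOG)
    for can_id, n in count_ids(frames).most_common():
        print(f"{n:6d} {can_id}")
    _, dropped = filter_frames(frames)
    for (ts, _, can_id, payload), reason in dropped:
        print(f"drop {ts} {can_id}#{payload.hex().upper()}: {reason}")
```

Run on the sample it drops exactly the three frames marked on this page (the stray 19B and the two FFFFxx brake frames) and keeps the all-zero and 00000F000000 lock/unlock frames. Matching the 19B payload exactly rather than "anything non-zero" is deliberate: the legitimate unlock frame also has a non-zero payload, which is why simply excluding all of ID 19B did not work.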

CAN D BUS Solved

On to the next one! 😎
