4 import csv, time, argparse;
7 from random import randrange
9 from GoodFETMCPCAN import GoodFETMCPCAN;
10 from GoodFETMCPCANCommunication import GoodFETMCPCANCommunication
11 from intelhex import IntelHex;
18 class experiments(GoodFETMCPCANCommunication):
20 This class provides methods for reverse-engineering the protocols on the CAN bus network
21 via the GOODTHOPTER10 board, U{http://goodfet.sourceforge.net/hardware/goodthopter10/}
25 def __init__(self, data_location = "../../contrib/ThayerData/"):
28 @type data_location: string
29 @param data_location: path to the folder where data will be stored
31 GoodFETMCPCANCommunication.__init__(self, data_location)
32 #super(experiments,self).__init(self)
36 def filterStdSweep(self, freq, low, high, time = 5):
38 This method will sweep through the range of standard ids given from low to high.
39 This will actively filter for 6 ids at a time and sniff for the given amount of
40 time in seconds. If at least one message is read in then it will go individually
41 through the 6 ids and sniff only for that id for the given amount of time.
42 This does not save any sniffed packets.
45 @param freq: The frequency at which the bus is communicating
47 @param low: The low end of the id sweep
49 @param high: The high end of the id sweep
51 @param time: Sniff time for each trial. Default is 5 seconds
53 @rtype: list of numbers
54 @return: A list of all IDs found during the sweep.
58 self.client.MCPsetup()
59 for i in range(low, high+1, 6):
60 print "sniffing id: %d, %d, %d, %d, %d, %d" % (i,i+1,i+2,i+3,i+4,i+5)
61 comment= "sweepFilter: "
62 #comment = "sweepFilter_%d_%d_%d_%d_%d_%d" % (i,i+1,i+2,i+3,i+4,i+5)
63 description = "Running a sweep filer for all the possible standard IDs. This run filters for: %d, %d, %d, %d, %d, %d" % (i,i+1,i+2,i+3,i+4,i+5)
64 count = self.sniff(freq=freq, duration = time, description = description,comment = comment, standardid = [i, i+1, i+2, i+3, i+4, i+5])
66 for j in range(i,i+5):
67 comment = "sweepFilter: "
68 #comment = "sweepFilter: %d" % (j)
69 description = "Running a sweep filer for all the possible standard IDs. This run filters for: %d " % j
70 count = self.sniff(freq=freq, duration = time, description = description,comment = comment, standardid = [j, j, j, j])
76 def sweepRandom(self, freq, number = 5, time = 5):
78 This method will choose random values to listen out of all the possible standard ids up to
79 the given number. It will sniff for the given amount of time on each set of ids on the given
80 frequency. Sniffs in groups of 6 but when at least one message is read in it will go through all
81 six individually before continuing. This does not save any sniffed packets.
84 @param freq: The frequency at which the bus is communicating
86 @param number: High end of the possible ids. This will define a range from 0 to number that the ids will be chosen from
88 @param time: Sniff time for each trial. Default is 5 seconds
90 @rtype: list of numbers, list of numbers
91 @return: A list of all IDs found during the sweep and a list of all the IDs that were listened for throughout the test
93 msgIDs = [] #standard IDs that we have observed during run
94 ids = [] #standard IDs that have been tried
96 self.client.MCPsetup()
97 for i in range(0,number+1,6):
99 comment = "sweepFilter: "
100 for j in range(0,6,1):
102 #comment += "_%d" % id
106 description = "Running a sweep filer for all the possible standard IDs. This runs the following : " + comment
107 count = self.sniff(freq=freq, duration=time, description=description, comment = comment, standardid = idsTemp)
109 for element in idsTemp:
110 #comment = "sweepFilter: %d" % (element)
111 comment="sweepFilter: "
112 description = "Running a sweep filer for all the possible standard IDs. This run filters for: %d " % element
113 count = self.sniff(freq=freq, duration = time, description = description,comment = comment, standardid = [element, element, element])
119 def rtrSweep(self,freq,lowID,highID, attempts = 1,duration = 1, verbose = True):
121 This method will sweep through the range of ids given by lowID to highID and
122 send a remote transmissions request (RTR) to each id and then listen for a response.
123 The RTR will be repeated in the given number of attempts and will sniff for the given duration
124 continuing to the next id.
126 Any messages that are sniffed will be saved to a csv file. The filename will be stored in the DATA_LOCATION folder
127 with a filename that is the date (YYYYMMDD)_rtr.csv. If the file already exists it will append to the end of the file
128 The format will follow that of L{GoodFETMCPCANCommunication.sniff} in that the columns will be as follows:
129 1. timestamp: as floating point number
130 2. error boolean: 1 if there was an error detected of packet formatting (not exhaustive check). 0 otherwise
131 3. comment tag: comment about experiments as String
132 4. duration: Length of overall sniff
133 5. filtering: 1 if there was filtering. 0 otherwise
140 @param freq: The frequency at which the bus is communicating
142 @param lowID: The low end of the id sweep
143 @type highID: integer
144 @param highID: The high end of the id sweep
145 @type attempts: integer
146 @param attempts: The number of times a RTR will be repeated for a given standard id
147 @type duration: integer
148 @param duration: The length of time that it will listen to the bus after sending an RTR
149 @type verbose: boolean
150 @param verbose: When true, messages will be printed out to the terminal
153 @return: Does not return anything
155 #set up file for writing
156 now = datetime.datetime.now()
157 datestr = now.strftime("%Y%m%d")
158 path = self.DATA_LOCATION+datestr+"_rtr.csv"
160 outfile = open(filename,'a');
161 dataWriter = csv.writer(outfile,delimiter=',');
162 dataWriter.writerow(['# Time Error Bytes 1-13']);
163 dataWriter.writerow(['#' + "rtr sweep from %d to %d"%(lowID,highID)])
166 #self.client.serInit()
167 #self.spitSetup(freq)
170 for i in range(lowID,highID+1, 1):
171 self.client.serInit()
172 self.spitSetup(freq) #reset the chip to try and avoid serial timeouts
174 standardid = [i, i, i, i]
175 self.addFilter(standardid, verbose = True)
177 #### split SID into different areas
178 SIDlow = (standardid[0] & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5
179 SIDhigh = (standardid[0] >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0
181 packet = [SIDhigh, SIDlow, 0x00,0x00,0x40]
182 dataWriter.writerow(["#requested id %d"%i])
183 #self.client.poke8(0x2C,0x00); #clear the CANINTF register; we care about bits 0 and 1 (RXnIF flags) which indicate a message is being held
185 packet1 = self.client.rxpacket();
186 packet2 = self.client.rxpacket();
188 self.client.txpacket(packet)
189 ## listen for 2 packets. one should be the rtr we requested the other should be
190 ## a new packet response
191 starttime = tT.time()
192 while ((time.time() - starttime) < duration): #listen for the given duration time period
193 packet = self.client.rxpacket()
196 # we have sniffed a packet, save it
198 row.append("%f"%time.time()) #timestamp
199 row.append(0) #error flag (not checkign)
200 row.append("rtrRequest_%d"%i) #comment
201 row.append(duration) #sniff time
202 row.append(1) # filtering boolean
204 row.append("%02x"%ord(byte));
205 dataWriter.writerow(row)
206 print self.client.packet2parsedstr(packet)
208 # for each trial repeat
209 while( trial <= attempts):
210 print "trial: ", trial
211 self.client.MCPrts(TXB0=True);
212 starttime = time.time()
213 # this time we will sniff for the given amount of time to see if there is a
214 # time till the packets come in
215 while( (time.time()-starttime) < duration):
216 packet=self.client.rxpacket();
220 row.append("%f"%time.time()) #timestamp
221 row.append(0) #error flag (not checking)
222 row.append("rtrRequest_%d"%i) #comment
223 row.append(duration) #sniff time
224 row.append(1) # filtering boolean
226 row.append("%02x"%ord(byte));
227 dataWriter.writerow(row)
228 print self.client.packet2parsedstr(packet)
230 print "sweep complete"
233 # This method will do generation based fuzzing on the id given in standard id
234 # dbLimits is a dictionary of the databytes
235 # dbLimits['db0'] = [low, High]
237 # dbLimits['db7'] = [low, High]
238 # where low is the low end of values for the fuzz, high is the high end value
239 # period is the time between sending packets in milliseconds, writesPerFuzz is the times the
240 # same fuzzed packet will be injecetez. Fuzzes is the number of different packets to be injected
241 def generationFuzzer(self,freq, standardIDs, dbLimits, period, writesPerFuzz, Fuzzes):
243 This method will perform generation based fuzzing on the bus. The method will inject
244 properly formatted, randomly generated messages at a given period for a I{writesPerFuzz}
245 number of times. The packets that are injected into the bus will all be saved in the following path
246 DATALOCATION/InjectedData/(today's date (YYYYMMDD))_GenerationFuzzedPackets.csv. An example filename would be 20130222_GenerationFuzzedPackets.csv
247 Where DATALOCATION is provided when the class is initiated. The data will be saved as integers.
248 Each row will be formatted in the following form::
249 row = [time of injection, standardID, 8, db0, db1, db2, db3, db4, db5, db6, db7]
252 @param freq: The frequency at which the bus is communicating
253 @type standardIDs: list of integers
254 @param standardIDs: List of standard IDs the user wishes to fuzz on. An ID will randomly be chosen
255 with every new random packet generated. If only 1 ID is input in the list then it will
256 only fuzz on that one ID.
257 @type dbLimits: dictionary
258 @param dbLimits: This is a dictionary that holds the limits of each bytes values. Each value in the dictionary will be a list
259 containing the lowest possible value for the byte and the highest possible value. The form is shown below::
261 dbLimits['db0'] = [low, high]
262 dbLimits['db1'] = [low, high]
264 dbLimits['db7'] = [low, high]
267 @param period: The time gap between packet inejctions given in milliseconds
268 @type writesPerFuzz: integer
269 @param writesPerFuzz: This will be the number of times that each randomly generated packet will be injected onto the bus
270 before a new packet is generated
271 @type Fuzzes: integer
272 @param Fuzzes: The number of packets to be generated and injected onto bus
275 @return: This method does not return anything
278 #print "Fuzzing on standard ID: %d" %standardId
279 self.client.serInit()
281 packet = [0,0,0x00,0x00,0x08,0,0,0,0,0,0,0,0] #empty packet template
284 #get folder information (based on today's date)
285 now = datetime.datetime.now()
286 datestr = now.strftime("%Y%m%d")
287 path = self.DATA_LOCATION+"InjectedData/"+datestr+"_GenerationFuzzedPackets.csv"
289 outfile = open(filename,'a');
290 dataWriter = csv.writer(outfile,delimiter=',');
291 #dataWriter.writerow(['# Time Error Bytes 1-13']);
292 #dataWriter.writerow(['#' + description])
294 numIds = len(standardIDs)
295 fuzzNumber = 0; #: counts the number of packets we have generated
296 while( fuzzNumber < Fuzzes):
297 id_new = standardIDs[random.randint(0,numIds-1)]
299 #### split SID into different regs
300 SIDhigh = (id_new >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0
301 SIDlow = (id_new & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5
305 #generate a fuzzed packet
306 for i in range(0,8): # for each data byte, fuzz it
308 limits = dbLimits[idx]
309 value = random.randint(limits[0],limits[1]) #generate pseudo-random integer value
312 #put a rough time stamp on the data and get all the data bytes
313 row = [tT.time(), id_new,8] # could make this 8 a variable
315 for i in range(5,13):
316 row.append(packet[i])
317 msg += " %d"%packet[i]
319 dataWriter.writerow(row)
320 self.client.txpacket(packet)
321 tT.sleep(period/1000)
323 #inject the packet the given number of times.
324 for i in range(1,writesPerFuzz):
325 self.client.MCPrts(TXB0=True)
326 tT.sleep(period/1000)
328 print "Fuzzing Complete"
331 def generalFuzz(self,freq, Fuzzes, period, writesPerFuzz):
333 The method will inject properly formatted, randomly generated messages at a given period for a I{writesPerFuzz}
334 number of times. A new random standard id will be chosen with each newly generated packet. IDs will be chosen from the full
335 range of potential ids ranging from 0 to 4095. The packets that are injected into the bus will all be saved in the following path
336 DATALOCATION/InjectedData/(today's date (YYYYMMDD))_GenerationFuzzedPackets.csv. An example filename would be 20130222_GenerationFuzzedPackets.csv
337 Where DATALOCATION is provided when the class is initiated. The data will be saved as integers.
338 Each row will be formatted in the following form::
339 row = [time of injection, standardID, 8, db0, db1, db2, db3, db4, db5, db6, db7]
342 @param freq: The frequency at which the bus is communicating
344 @param period: The time gap between packet inejctions given in milliseconds
345 @type writesPerFuzz: integer
346 @param writesPerFuzz: This will be the number of times that each randomly generated packet will be injected onto the bus
347 before a new packet is generated
348 @type Fuzzes: integer
349 @param Fuzzes: The number of packets to be generated and injected onto bus
352 @return: This method does not return anything
355 #print "Fuzzing on standard ID: %d" %standardId
356 self.client.serInit()
358 packet = [0,0,0x00,0x00,0x08,0,0,0,0,0,0,0,0] #empty template
360 #get folder information (based on today's date)
361 now = datetime.datetime.now()
362 datestr = now.strftime("%Y%m%d")
363 path = self.DATA_LOCATION+"InjectedData/"+datestr+"_GenerationFuzzedPackets.csv"
365 outfile = open(filename,'a');
366 dataWriter = csv.writer(outfile,delimiter=',');
367 #dataWriter.writerow(['# Time Error Bytes 1-13']);
368 #dataWriter.writerow(['#' + description])
370 fuzzNumber = 0; #: counts the number of packets we have generated
371 while( fuzzNumber < Fuzzes):
372 #generate new random standard id in the full range of possible values
373 id_new = random.randint(0,4095)
375 #### split SID into different regs
376 SIDhigh = (id_new >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0
377 SIDlow = (id_new & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5
381 #generate a fuzzed packet
382 for i in range(0,8): # for each data byte, fuzz it
385 value = random.randint(0, 255) #generate pseudo-random integer value
388 #put a rough time stamp on the data and get all the data bytes
389 row = [time.time(), id_new,8]
390 """@todo: allow for varied packet lengths"""
392 for i in range(5,13):
393 row.append(packet[i])
394 msg += " %d"%packet[i]
396 dataWriter.writerow(row)
397 self.client.txpacket(packet)
398 time.sleep(period/1000)
400 #inject the packet the given number of times.
401 for i in range(1,writesPerFuzz):
402 self.client.MCPrts(TXB0=True)
403 time.sleep(period/1000)
405 print "Fuzzing Complete"
408 # assumes 8 byte packets
409 def packetRespond(self,freq, time, repeats, period, responseID, respondPacket,listenID, listenPacket = None):
411 This method will allow the user to listen for a specific packet and then respond with a given message.
412 If no listening packet is included then the method will only listen for the id and respond with the specified
413 packet when it receives a message from that id. This process will continue for the given amount of time (in seconds).
414 and with each message received that matches the listenPacket and ID the transmit message will be sent the I{repeats} number
415 of times at the specified I{period}. This message assumes a packet length of 8 for both messages, although the listenPacket can be None
418 @param freq: Frequency of the CAN bus
420 @param time: Length of time to perform the packet listen/response in seconds.
421 @type repeats: Integer
422 @param repeats: The number of times the response packet will be injected onto the bus after the listening
423 criteria has been met.
425 @param period: The time interval between messages being injected onto the CAN bus. This will be specified in milliseconds
426 @type responseID: Integer
427 @param responseID: The standard ID of the message that we want to inject
428 @type respondPacket: List of integers
429 @param respondPacket: The data we wish to inject into the bus. In the format where respondPacket[0] = databyte 0 ... respondPacket[7] = databyte 7
430 This assumes a packet length of 8.
431 @type listenID: Integer
432 @param listenID: The standard ID of the messages that we are listening for. When we read the correct message from this ID off of the bus, the method will
433 begin re-injecting the responsePacket on the responseID
434 @type listenPacket: List of Integers
435 @param listenPacket: The data we wish to listen for before we inject packets. This will be a list of the databytes, stored as integers such that
436 listenPacket[0] = data byte 0, ..., listenPacket[7] = databyte 7. This assumes a packet length of 8. This input can be None and this
437 will lead to the program only listening for the standardID and injecting the response as soon as any message from that ID is given
441 self.client.serInit()
444 #formulate response packet
445 SIDhigh = (responseID >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0
446 SIDlow = (responseID & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5
447 #resPacket[0] = SIDhigh
448 #resPacket[1] = SIDlow
449 resPacket = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs
450 0x08, # bit 6 must be set to 0 for data frame (1 for RTR)
451 # lower nibble is DLC
452 respondPacket[0],respondPacket[1],respondPacket[2],respondPacket[3],respondPacket[4],respondPacket[5],respondPacket[6],respondPacket[7]]
453 #load packet/send once
454 """@todo: make this only load the data onto the chip and not send """
455 self.client.txpacket(resPacket)
456 self.addFilter([listenID,listenID,listenID,listenID, listenID, listenID]) #listen only for this packet
457 startTime = tT.time()
459 while( (tT.time() - startTime) < time):
460 packet = self.client.rxpacket()
462 print "packet read in, responding now"
463 # assume the ids already match since we are filtering for the id
465 #compare packet received to desired packet
466 if( listenPacket == None): # no packets given, just want the id
467 for i in range(0,repeats):
468 self.client.MCPrts(TXB0=True)
469 tT.sleep(period/1000)
470 else: #compare packets
471 sid = ord(packet[0])<<3 | ord(packet[1])>>5
472 print "standard id of packet recieved: ", sid #standard ID
476 byteIn = ord(packet[idx])
478 compareIn = listenPacket[i]
479 print byteIn, compareIn
480 if( byteIn != compareIn):
482 print "packet did not match"
485 if( packet != None ):
486 self.client.MCPrts(TXB0=True)
487 tT.sleep(period/1000)
488 print "Response Listening Terminated."
491 # def generationFuzzRandomID(self, freq, standardIDs, dbLimits, period, writesPerFuzz, Fuzzes):
492 # print "Fuzzing on standard ID: %d" %standardId
493 # self.client.serInit()
494 # self.spitSetup(freq)
495 # packetTemp = [0,0,0,0,0,0,0,0]
496 # #form a basic packet
498 # #### split SID into different regs
499 # SIDlow = (standardId & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5
500 # SIDhigh = (standardId >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0
502 # packet = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs
503 # 0x08, # bit 6 must be set to 0 for data frame (1 for RTR)
504 # # lower nibble is DLC
505 # packetTemp[0],packetTemp[1],packetTemp[2],packetTemp[3],packetTemp[4],packetTemp[5],packetTemp[6],packetTemp[7]]
508 # #get folder information (based on today's date)
509 # now = datetime.datetime.now()
510 # datestr = now.strftime("%Y%m%d")
511 # path = self.DATA_LOCATION+"InjectedData/"+datestr+"_GenerationFuzzedPackets.csv"
513 # outfile = open(filename,'a');
514 # dataWriter = csv.writer(outfile,delimiter=',');
515 # #dataWriter.writerow(['# Time Error Bytes 1-13']);
516 # #dataWriter.writerow(['#' + description])
518 # numIds = len(standardIDs)
520 # while( fuzzNumber < Fuzzes):
521 # id_new = standsardIDs[random.randint(0,numIds-1)]
522 # #### split SID into different regs
523 # SIDlow = (id_new & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5
524 # SIDhigh = (id_new >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0
525 # packet[0] = SIDhigh
528 # #generate a fuzzed packet
529 # for i in range(0,8): # for each databyte, fuzz it
531 # limits = dbLimits[idx]
532 # value = random.randint(limits[0],limits[1]) #generate pseudo-random integer value
533 # packet[i+5] = value
535 # #put a rough time stamp on the data and get all the data bytes
536 # row = [time.time(), standardId,8]
537 # msg = "Injecting: "
538 # for i in range(5,13):
539 # row.append(packet[i])
540 # msg += " %d"%packet[i]
542 # dataWriter.writerow(row)
543 # self.client.txpacket(packet)
544 # #inject the packet repeatily
545 # for i in range(1,writesPerFuzz):
546 # self.client.MCPrts(TXB0=True)
547 # time.sleep(period/1000)
549 # print "Fuzzing Complete"