X-Git-Url: http://git.rot13.org/?a=blobdiff_plain;f=client%2Fexperiments.py;h=0cffedbb80a9c6161e3b16dcde3d356f192546c9;hb=dfdc03e81e65e8c48000e47c2a14da572d301e65;hp=12ccfd96f83cb060ee384fc66edb82978af2cf15;hpb=0ec610ab9c97dd3301957256f8c61014f1c7b8f4;p=goodfet diff --git a/client/experiments.py b/client/experiments.py index 12ccfd9..0cffedb 100644 --- a/client/experiments.py +++ b/client/experiments.py @@ -16,13 +16,43 @@ tT = time class experiments(GoodFETMCPCANCommunication): + """ + This class provides methods for reverse-engineering the protocols on the CAN bus network + via the GOODTHOPTER10 board, U{http://goodfet.sourceforge.net/hardware/goodthopter10/} - def __init__(self): - GoodFETMCPCANCommunication.__init__(self) + """ + + def __init__(self, data_location = "../../contrib/ThayerData/"): + """ + Constructor + @type data_location: string + @param data_location: path to the folder where data will be stored + """ + GoodFETMCPCANCommunication.__init__(self, data_location) #super(experiments,self).__init(self) self.freq = 500; + def filterStdSweep(self, freq, low, high, time = 5): + """ + This method will sweep through the range of standard ids given from low to high. + This will actively filter for 6 ids at a time and sniff for the given amount of + time in seconds. If at least one message is read in then it will go individually + through the 6 ids and sniff only for that id for the given amount of time. + This does not save any sniffed packets. + + @type freq: number + @param freq: The frequency at which the bus is communicating + @type low: integer + @param low: The low end of the id sweep + @type high: integer + @param high: The high end of the id sweep + @type time: number + @param time: Sniff time for each trial. Default is 5 seconds + + @rtype: list of numbers + @return: A list of all IDs found during the sweep. + """ msgIDs = [] self.client.serInit() self.client.MCPsetup() @@ -43,9 +73,25 @@ class experiments(GoodFETMCPCANCommunication): return msgIDs - def sweepRandom(self, freq, number = 5, time = 200): - msgIDs = [] - ids = [] + def sweepRandom(self, freq, number = 5, time = 5): + """ + This method will choose random values to listen out of all the possible standard ids up to + the given number. It will sniff for the given amount of time on each set of ids on the given + frequency. Sniffs in groups of 6 but when at least one message is read in it will go through all + six individually before continuing. This does not save any sniffed packets. + + @type freq: number + @param freq: The frequency at which the bus is communicating + @type number: integer + @param number: High end of the possible ids. This will define a range from 0 to number that the ids will be chosen from + @type time: number + @param time: Sniff time for each trial. Default is 5 seconds + + @rtype: list of numbers, list of numbers + @return: A list of all IDs found during the sweep and a list of all the IDs that were listened for throughout the test + """ + msgIDs = [] #standard IDs that we have observed during run + ids = [] #standard IDs that have been tried self.client.serInit() self.client.MCPsetup() for i in range(0,number+1,6): @@ -56,7 +102,7 @@ class experiments(GoodFETMCPCANCommunication): #comment += "_%d" % id idsTemp.append(id) ids.append(id) - print comment + #print comment description = "Running a sweep filer for all the possible standard IDs. This runs the following : " + comment count = self.sniff(freq=freq, duration=time, description=description, comment = comment, standardid = idsTemp) if( count != 0): @@ -70,28 +116,62 @@ class experiments(GoodFETMCPCANCommunication): return msgIDs, ids - # this will sweep through the given ids to request a packet and then sniff on that - # id for a given amount duration. This will be repeated the number of attempts time - - #at the moment this is set to switch to the next id once a message is identified def rtrSweep(self,freq,lowID,highID, attempts = 1,duration = 1, verbose = True): - #set up file + """ + This method will sweep through the range of ids given by lowID to highID and + send a remote transmissions request (RTR) to each id and then listen for a response. + The RTR will be repeated in the given number of attempts and will sniff for the given duration + continuing to the next id. + + Any messages that are sniffed will be saved to a csv file. The filename will be stored in the DATA_LOCATION folder + with a filename that is the date (YYYYMMDD)_rtr.csv. If the file already exists it will append to the end of the file + The format will follow that of L{GoodFETMCPCANCommunication.sniff} in that the columns will be as follows: + 1. timestamp: as floating point number + 2. error boolean: 1 if there was an error detected of packet formatting (not exhaustive check). 0 otherwise + 3. comment tag: comment about experiments as String + 4. duration: Length of overall sniff + 5. filtering: 1 if there was filtering. 0 otherwise + 6. db0: Integer + + --- + 7. db7: Integer + + @type freq: number + @param freq: The frequency at which the bus is communicating + @type lowID: integer + @param lowID: The low end of the id sweep + @type highID: integer + @param highID: The high end of the id sweep + @type attempts: integer + @param attempts: The number of times a RTR will be repeated for a given standard id + @type duration: integer + @param duration: The length of time that it will listen to the bus after sending an RTR + @type verbose: boolean + @param verbose: When true, messages will be printed out to the terminal + + @rtype: None + @return: Does not return anything + """ + #set up file for writing now = datetime.datetime.now() datestr = now.strftime("%Y%m%d") - path = self.DATALOCATION+datestr+"_rtr.csv" + path = self.DATA_LOCATION+datestr+"_rtr.csv" filename = path outfile = open(filename,'a'); dataWriter = csv.writer(outfile,delimiter=','); dataWriter.writerow(['# Time Error Bytes 1-13']); dataWriter.writerow(['#' + "rtr sweep from %d to %d"%(lowID,highID)]) - print "started" + if( verbose): + print "started" #self.client.serInit() #self.spitSetup(freq) + + #for each id for i in range(lowID,highID+1, 1): self.client.serInit() - self.spitSetup(freq) - standardid = [i, i, i, i] + self.spitSetup(freq) #reset the chip to try and avoid serial timeouts #set filters + standardid = [i, i, i, i] self.addFilter(standardid, verbose = True) #### split SID into different areas @@ -108,11 +188,12 @@ class experiments(GoodFETMCPCANCommunication): self.client.txpacket(packet) ## listen for 2 packets. one should be the rtr we requested the other should be ## a new packet response - starttime = time.time() - while ((time.time() - starttime) < duration): + starttime = tT.time() + while ((time.time() - starttime) < duration): #listen for the given duration time period packet = self.client.rxpacket() if( packet == None): continue + # we have sniffed a packet, save it row = [] row.append("%f"%time.time()) #timestamp row.append(0) #error flag (not checkign) @@ -123,19 +204,8 @@ class experiments(GoodFETMCPCANCommunication): row.append("%02x"%ord(byte)); dataWriter.writerow(row) print self.client.packet2parsedstr(packet) -# packet1=self.client.rxpacket(); -# packet2=self.client.rxpacket(); -# if( packet1 != None and packet2 != None): -# print "packets recieved :\n " -# print self.client.packet2parsedstr(packet1); -# print self.client.packet2parsedstr(packet2); -# continue -# elif( packet1 != None): -# print self.client.packet2parsedstr(packet1) -# elif( packet2 != None): -# print self.client.packet2parsedstr(packet2) trial= 2; - # for each trial + # for each trial repeat while( trial <= attempts): print "trial: ", trial self.client.MCPrts(TXB0=True); @@ -144,6 +214,8 @@ class experiments(GoodFETMCPCANCommunication): # time till the packets come in while( (time.time()-starttime) < duration): packet=self.client.rxpacket(); + if( packet == None): + continue row = [] row.append("%f"%time.time()) #timestamp row.append(0) #error flag (not checking) @@ -154,19 +226,6 @@ class experiments(GoodFETMCPCANCommunication): row.append("%02x"%ord(byte)); dataWriter.writerow(row) print self.client.packet2parsedstr(packet) -# packet2=self.client.rxpacket(); -# -# if( packet1 != None and packet2 != None): -# print "packets recieved :\n " -# print self.client.packet2parsedstr(packet1); -# print self.client.packet2parsedstr(packet2); -# #break -# elif( packet1 != None): -# print "just packet1" -# print self.client.packet2parsedstr(packet1) -# elif( packet2 != None): -# print "just packet2" -# print self.client.packet2parsedstr(packet2) trial += 1 print "sweep complete" outfile.close() @@ -180,26 +239,52 @@ class experiments(GoodFETMCPCANCommunication): # period is the time between sending packets in milliseconds, writesPerFuzz is the times the # same fuzzed packet will be injecetez. Fuzzes is the number of different packets to be injected def generationFuzzer(self,freq, standardIDs, dbLimits, period, writesPerFuzz, Fuzzes): + """ + This method will perform generation based fuzzing on the bus. The method will inject + properly formatted, randomly generated messages at a given period for a I{writesPerFuzz} + number of times. The packets that are injected into the bus will all be saved in the following path + DATALOCATION/InjectedData/(today's date (YYYYMMDD))_GenerationFuzzedPackets.csv. An example filename would be 20130222_GenerationFuzzedPackets.csv + Where DATALOCATION is provided when the class is initiated. The data will be saved as integers. + Each row will be formatted in the following form:: + row = [time of injection, standardID, 8, db0, db1, db2, db3, db4, db5, db6, db7] + + @type freq: number + @param freq: The frequency at which the bus is communicating + @type standardIDs: list of integers + @param standardIDs: List of standard IDs the user wishes to fuzz on. An ID will randomly be chosen + with every new random packet generated. If only 1 ID is input in the list then it will + only fuzz on that one ID. + @type dbLimits: dictionary + @param dbLimits: This is a dictionary that holds the limits of each bytes values. Each value in the dictionary will be a list + containing the lowest possible value for the byte and the highest possible value. The form is shown below:: + + dbLimits['db0'] = [low, high] + dbLimits['db1'] = [low, high] + ... + dbLimits['db7'] = [low, high] + + @type period: number + @param period: The time gap between packet inejctions given in milliseconds + @type writesPerFuzz: integer + @param writesPerFuzz: This will be the number of times that each randomly generated packet will be injected onto the bus + before a new packet is generated + @type Fuzzes: integer + @param Fuzzes: The number of packets to be generated and injected onto bus + + @rtype: None + @return: This method does not return anything + + """ #print "Fuzzing on standard ID: %d" %standardId self.client.serInit() self.spitSetup(freq) - packet = [0,0,0x00,0x00,0x08,0,0,0,0,0,0,0,0] #empty template - #form a basic packet - -# #### split SID into different regs -# SIDlow = (standardIds[0] & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5 -# SIDhigh = (standardIds[0] >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0 -# -# packet = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs -# 0x08, # bit 6 must be set to 0 for data frame (1 for RTR) -# # lower nibble is DLC -# packetTemp[0],packetTemp[1],packetTemp[2],packetTemp[3],packetTemp[4],packetTemp[5],packetTemp[6],packetTemp[7]] -# - + packet = [0,0,0x00,0x00,0x08,0,0,0,0,0,0,0,0] #empty packet template + + #get folder information (based on today's date) now = datetime.datetime.now() datestr = now.strftime("%Y%m%d") - path = self.DATALOCATION+"InjectedData/"+datestr+"_GenerationFuzzedPackets.csv" + path = self.DATA_LOCATION+"InjectedData/"+datestr+"_GenerationFuzzedPackets.csv" filename = path outfile = open(filename,'a'); dataWriter = csv.writer(outfile,delimiter=','); @@ -207,24 +292,25 @@ class experiments(GoodFETMCPCANCommunication): #dataWriter.writerow(['#' + description]) numIds = len(standardIDs) - fuzzNumber = 0; + fuzzNumber = 0; #: counts the number of packets we have generated while( fuzzNumber < Fuzzes): id_new = standardIDs[random.randint(0,numIds-1)] + print id_new #### split SID into different regs - SIDlow = (id_new & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5 SIDhigh = (id_new >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0 + SIDlow = (id_new & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5 packet[0] = SIDhigh packet[1] = SIDlow #generate a fuzzed packet - for i in range(0,8): # for each databyte, fuzz it + for i in range(0,8): # for each data byte, fuzz it idx = "db%d"%i limits = dbLimits[idx] value = random.randint(limits[0],limits[1]) #generate pseudo-random integer value packet[i+5] = value - + print packet #put a rough time stamp on the data and get all the data bytes - row = [time.time(), id_new,8] + row = [tT.time(), id_new,8] # could make this 8 a variable msg = "Injecting: " for i in range(5,13): row.append(packet[i]) @@ -232,61 +318,76 @@ class experiments(GoodFETMCPCANCommunication): #print msg dataWriter.writerow(row) self.client.txpacket(packet) - #inject the packet repeatily + tT.sleep(period/1000) + + #inject the packet the given number of times. for i in range(1,writesPerFuzz): self.client.MCPrts(TXB0=True) - time.sleep(period/1000) + tT.sleep(period/1000) fuzzNumber += 1 print "Fuzzing Complete" outfile.close() - - def generationFuzzRandomID(self, freq, standardIDs, dbLimits, period, writesPerFuzz, Fuzzes): - print "Fuzzing on standard ID: %d" %standardId - self.client.serInit() - self.spitSetup(freq) - packetTemp = [0,0,0,0,0,0,0,0] - #form a basic packet - - #### split SID into different regs - SIDlow = (standardId & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5 - SIDhigh = (standardId >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0 + def generalFuzz(self,freq, Fuzzes, period, writesPerFuzz): + """ + The method will inject properly formatted, randomly generated messages at a given period for a I{writesPerFuzz} + number of times. A new random standard id will be chosen with each newly generated packet. IDs will be chosen from the full + range of potential ids ranging from 0 to 4095. The packets that are injected into the bus will all be saved in the following path + DATALOCATION/InjectedData/(today's date (YYYYMMDD))_GenerationFuzzedPackets.csv. An example filename would be 20130222_GenerationFuzzedPackets.csv + Where DATALOCATION is provided when the class is initiated. The data will be saved as integers. + Each row will be formatted in the following form:: + row = [time of injection, standardID, 8, db0, db1, db2, db3, db4, db5, db6, db7] - packet = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs - 0x08, # bit 6 must be set to 0 for data frame (1 for RTR) - # lower nibble is DLC - packetTemp[0],packetTemp[1],packetTemp[2],packetTemp[3],packetTemp[4],packetTemp[5],packetTemp[6],packetTemp[7]] + @type freq: number + @param freq: The frequency at which the bus is communicating + @type period: number + @param period: The time gap between packet inejctions given in milliseconds + @type writesPerFuzz: integer + @param writesPerFuzz: This will be the number of times that each randomly generated packet will be injected onto the bus + before a new packet is generated + @type Fuzzes: integer + @param Fuzzes: The number of packets to be generated and injected onto bus + @rtype: None + @return: This method does not return anything + + """ + #print "Fuzzing on standard ID: %d" %standardId + self.client.serInit() + self.spitSetup(freq) + packet = [0,0,0x00,0x00,0x08,0,0,0,0,0,0,0,0] #empty template #get folder information (based on today's date) now = datetime.datetime.now() datestr = now.strftime("%Y%m%d") - path = self.DATALOCATION+"InjectedData/"+datestr+"_GenerationFuzzedPackets.csv" + path = self.DATA_LOCATION+"InjectedData/"+datestr+"_GenerationFuzzedPackets.csv" filename = path outfile = open(filename,'a'); dataWriter = csv.writer(outfile,delimiter=','); #dataWriter.writerow(['# Time Error Bytes 1-13']); #dataWriter.writerow(['#' + description]) - numIds = len(standardIDs) - fuzzNumber = 0; + fuzzNumber = 0; #: counts the number of packets we have generated while( fuzzNumber < Fuzzes): - id_new = standsardIDs[random.randint(0,numIds-1)] + #generate new random standard id in the full range of possible values + id_new = random.randint(0,4095) + #print id_new #### split SID into different regs - SIDlow = (id_new & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5 SIDhigh = (id_new >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0 + SIDlow = (id_new & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5 packet[0] = SIDhigh packet[1] = SIDlow #generate a fuzzed packet - for i in range(0,8): # for each databyte, fuzz it + for i in range(0,8): # for each data byte, fuzz it idx = "db%d"%i - limits = dbLimits[idx] - value = random.randint(limits[0],limits[1]) #generate pseudo-random integer value + + value = random.randint(0, 255) #generate pseudo-random integer value packet[i+5] = value - + #print packet #put a rough time stamp on the data and get all the data bytes - row = [time.time(), standardId,8] + row = [time.time(), id_new,8] + """@todo: allow for varied packet lengths""" msg = "Injecting: " for i in range(5,13): row.append(packet[i]) @@ -294,10 +395,156 @@ class experiments(GoodFETMCPCANCommunication): #print msg dataWriter.writerow(row) self.client.txpacket(packet) - #inject the packet repeatily + time.sleep(period/1000) + + #inject the packet the given number of times. for i in range(1,writesPerFuzz): self.client.MCPrts(TXB0=True) time.sleep(period/1000) fuzzNumber += 1 print "Fuzzing Complete" outfile.close() + + # assumes 8 byte packets + def packetRespond(self,freq, time, repeats, period, responseID, respondPacket,listenID, listenPacket = None): + """ + This method will allow the user to listen for a specific packet and then respond with a given message. + If no listening packet is included then the method will only listen for the id and respond with the specified + packet when it receives a message from that id. This process will continue for the given amount of time (in seconds). + and with each message received that matches the listenPacket and ID the transmit message will be sent the I{repeats} number + of times at the specified I{period}. This message assumes a packet length of 8 for both messages, although the listenPacket can be None + + @type freq: number + @param freq: Frequency of the CAN bus + @type time: number + @param time: Length of time to perform the packet listen/response in seconds. + @type repeats: Integer + @param repeats: The number of times the response packet will be injected onto the bus after the listening + criteria has been met. + @type period: number + @param period: The time interval between messages being injected onto the CAN bus. This will be specified in milliseconds + @type responseID: Integer + @param responseID: The standard ID of the message that we want to inject + @type respondPacket: List of integers + @param respondPacket: The data we wish to inject into the bus. In the format where respondPacket[0] = databyte 0 ... respondPacket[7] = databyte 7 + This assumes a packet length of 8. + @type listenID: Integer + @param listenID: The standard ID of the messages that we are listening for. When we read the correct message from this ID off of the bus, the method will + begin re-injecting the responsePacket on the responseID + @type listenPacket: List of Integers + @param listenPacket: The data we wish to listen for before we inject packets. This will be a list of the databytes, stored as integers such that + listenPacket[0] = data byte 0, ..., listenPacket[7] = databyte 7. This assumes a packet length of 8. This input can be None and this + will lead to the program only listening for the standardID and injecting the response as soon as any message from that ID is given + """ + + + self.client.serInit() + self.spitSetup(freq) + + #formulate response packet + SIDhigh = (responseID >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0 + SIDlow = (responseID & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5 + #resPacket[0] = SIDhigh + #resPacket[1] = SIDlow + resPacket = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs + 0x08, # bit 6 must be set to 0 for data frame (1 for RTR) + # lower nibble is DLC + respondPacket[0],respondPacket[1],respondPacket[2],respondPacket[3],respondPacket[4],respondPacket[5],respondPacket[6],respondPacket[7]] + #load packet/send once + """@todo: make this only load the data onto the chip and not send """ + self.client.txpacket(resPacket) + self.addFilter([listenID,listenID,listenID,listenID, listenID, listenID]) #listen only for this packet + startTime = tT.time() + packet = None + while( (tT.time() - startTime) < time): + packet = self.client.rxpacket() + if( packet != None): + print "packet read in, responding now" + # assume the ids already match since we are filtering for the id + + #compare packet received to desired packet + if( listenPacket == None): # no packets given, just want the id + for i in range(0,repeats): + self.client.MCPrts(TXB0=True) + tT.sleep(period/1000) + else: #compare packets + sid = ord(packet[0])<<3 | ord(packet[1])>>5 + print "standard id of packet recieved: ", sid #standard ID + msg = "" + for i in range(0,8): + idx = 5 + i + byteIn = ord(packet[idx]) + msg += " %d" %byteIn + compareIn = listenPacket[i] + print byteIn, compareIn + if( byteIn != compareIn): + packet == None + print "packet did not match" + break + print msg + if( packet != None ): + self.client.MCPrts(TXB0=True) + tT.sleep(period/1000) + print "Response Listening Terminated." + + +# def generationFuzzRandomID(self, freq, standardIDs, dbLimits, period, writesPerFuzz, Fuzzes): +# print "Fuzzing on standard ID: %d" %standardId +# self.client.serInit() +# self.spitSetup(freq) +# packetTemp = [0,0,0,0,0,0,0,0] +# #form a basic packet +# +# #### split SID into different regs +# SIDlow = (standardId & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5 +# SIDhigh = (standardId >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0 +# +# packet = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs +# 0x08, # bit 6 must be set to 0 for data frame (1 for RTR) +# # lower nibble is DLC +# packetTemp[0],packetTemp[1],packetTemp[2],packetTemp[3],packetTemp[4],packetTemp[5],packetTemp[6],packetTemp[7]] +# +# +# #get folder information (based on today's date) +# now = datetime.datetime.now() +# datestr = now.strftime("%Y%m%d") +# path = self.DATA_LOCATION+"InjectedData/"+datestr+"_GenerationFuzzedPackets.csv" +# filename = path +# outfile = open(filename,'a'); +# dataWriter = csv.writer(outfile,delimiter=','); +# #dataWriter.writerow(['# Time Error Bytes 1-13']); +# #dataWriter.writerow(['#' + description]) +# +# numIds = len(standardIDs) +# fuzzNumber = 0; +# while( fuzzNumber < Fuzzes): +# id_new = standsardIDs[random.randint(0,numIds-1)] +# #### split SID into different regs +# SIDlow = (id_new & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5 +# SIDhigh = (id_new >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0 +# packet[0] = SIDhigh +# packet[1] = SIDlow +# +# #generate a fuzzed packet +# for i in range(0,8): # for each databyte, fuzz it +# idx = "db%d"%i +# limits = dbLimits[idx] +# value = random.randint(limits[0],limits[1]) #generate pseudo-random integer value +# packet[i+5] = value +# +# #put a rough time stamp on the data and get all the data bytes +# row = [time.time(), standardId,8] +# msg = "Injecting: " +# for i in range(5,13): +# row.append(packet[i]) +# msg += " %d"%packet[i] +# #print msg +# dataWriter.writerow(row) +# self.client.txpacket(packet) +# #inject the packet repeatily +# for i in range(1,writesPerFuzz): +# self.client.MCPrts(TXB0=True) +# time.sleep(period/1000) +# fuzzNumber += 1 +# print "Fuzzing Complete" +# outfile.close()