Car stops responding after a few seconds for packet transmission

Snir 2018-05-14 16:15:32 UTC #1

Hello Guys,
I'm having an odd issue which i couldn't find a useful solution or reason for.
I'm connected directly to my canbus to the OBD 2.
I'm getting canbus traffic and everything works well.

After i figured out the can id for my RPM, i performed a replay attack with socketCan.
The attack worked and the RPM did respond, but only for a second or less, and than stopped.
Another attempt was failed, and the RPM didn't respond at all. The only way to make it respond again was to unplug my connection, plug it back, and reconfigure the can0 interface for socket can.

Details:
Car: Kia Picanto 2017
Hardware: Cantact v1.0
Software: SocketCan - can utils
Running:
"while true; do cansend can0 316#4532F53D322F007F; sleep 0.002; done"

Also because i transmit a lot of packets, i increased my kernel queue buffer:
sudo ifconfig can0 txqueuelen 10000

Anybody familiar with this issue? or what cause it? any solutions found?
Or maybe did i miss something on my experiment?

Thanks a lot!
Snir

cyclin_al1 2018-05-15 15:13:18 UTC #2

@Snir,

This is where car hacking can get difficult.
You showed that you can successfully communicate with your car.
However, how is the ECU on your car responding?
It is hard to know without knowing the design and code of the ECU.

Did the ECU detect your attack?
Did the ECU detect that the RPM data is not the real RPM?
Does the RPM data mismatch some other car data?

As a result, what is the ECU doing:
Is it ignoring device?
Is it ignoring the RPM data?
Is it logging the attack and the messages?

These are all things that you will have to research and experiment that are specific to your car...

Snir 2018-05-15 17:24:35 UTC #3

@cyclin_al1
First of all thank you very much for replying.

I'm going to test your suggestions tommorow on an experiment.
I have a few questions on your suggentions please:

**Did the ECU detect your attack? **
Did the ECU detect that the RPM data is not the real RPM?
Any tips how to know if the ecu detect the attack?

Does the RPM data mismatch some other car data?
Currently working on more can-ids

Is it ignoring device?
Is it ignoring the RPM data?

As far as i see it, the ECU ignoring the whole device, because after a second attempt without plug the device out and plug it back in, the RPM won't respond to my messages.

Is it logging the attack and the messages?
Haven't tested it yet. Any tips what to look for?

Thank you very much for your support!

cyclin_al1 2018-05-17 05:02:51 UTC #4

@Snir,

A lot of these questions are best answered by the team that designed your car.
That's definitely not me!

One thing that might work is to look at some forums or message boards that are all about your car.
For example, the Subaru Forester Owners Forum is www.subaruforester.org. There is probably something like that for your car, but you will have to search for it yourself.

Another suggestion is to get a copy of the Car Hackers Handbook, which might give you some more ideas.

Good luck!

Snir 2018-05-19 13:11:13 UTC #5

@cyclin_al1

Thank you very much for the response. Going to look for it.