CTF
Automotive CTF 2024 Qualifier
Participation in BlockHarbor Automotive CTF Season 2 and advancement to the finals
Overview
We participated in the BlockHarbor x Vicone Automotive CTF Season 2, which took place from August 24 to September 9. Our team, named JJJJJ, consisted of five researchers, and we finished the qualifiers ranked 2nd in the world.

Challenges
xNexus
CAN BUS ANOMALY #2
Someone is trying to disable the ESP and the power assisted system.
Go track that anomaly with CAN ID 0x0645 and determine what car is being targeted
for that kind of attack. The vehicle is the flag enclosed in the proper flag format
The challenge asks which vehicle is targeted by an attack that attempts to disable the ESP and the power-assisted system via CAN ID 0x645.
Initially, I used the xNexus platform to collect CAN messages from 0x645 and observed messages composed of 00, 01, 0b, and 02. I thought these messages might be a clue.

As time passed, I realized that this message was not important. Therefore, I explored other methods and found an attack case related to ESP at 0x645. You can find the relevant article at the following link.


The article matches the attack described in the challenge: it details an attack script that deactivates ESP via 0x645, and the affected vehicle was a Tesla Model S P85.
Stego (TBD)
IVI
Mach-E
What is the VIN?
What is the VIN of the vehicle driving?
This is a challenge regarding the unique Vehicle Identification Number (VIN) of a moving car. By examining the given CAN log, you can find ASCII characters "3FMTK4", "SX8MME", and "00878" in 0x40A. Searching for "3FMTK4" reveals that it is used in a specific vehicle model from FORD, confirming that this is the VIN. (3FMTK4SX8MME00878)


DID ACCESS
What negative response code was given for DID 0x4915?
In DID Access, we need to determine which negative response code was returned for the request for DID 0x4915. DIDs are read with the ReadDataByIdentifier (0x22) service in UDS diagnostics, and a negative response has the form 03 7F 22 XX (XX = NRC).
Therefore, by searching the given log for 03 7F 22 to find the negative response message, it can be identified that a 0x31 (Request out of Range) response was returned.
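Searching for 03 7F 22 finds the NRC, but the negative response does not repeat the DID, so it has to be paired with the request that preceded it. The sketch below is an added example, not part of the original write-up: the candump-style log lines are constructed, and the arbitration IDs 0x7E0/0x7E8 and the "response ID = request ID + 8" rule are assumptions.

```python
import re

NRC_NAMES = {0x11: "serviceNotSupported", 0x22: "conditionsNotCorrect",
             0x31: "requestOutOfRange", 0x33: "securityAccessDenied",
             0x78: "responsePending"}

# Constructed sample log (candump -l style); not taken from the challenge file.
SAMPLE_LOG = """\
(1719400000.100000) can0 7E0#0322491500000000
(1719400000.110000) can0 7E8#037F223100000000
(1719400000.200000) can0 7E0#0322F18800000000
(1719400000.210000) can0 7E8#0662F18841424344
(1719400000.300000) can0 7E0#0322DE0000000000
(1719400000.310000) can0 7E8#037F227800000000
(1719400000.900000) can0 7E8#037F223300000000
"""

FRAME_RE = re.compile(r"\s([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)")

def rdbi_negative_responses(log_text, resp_offset=0x8):
    """Return {DID: [NRC, ...]} for rejected ReadDataByIdentifier (0x22) requests."""
    pending = {}   # response arbitration ID -> DID of the last 0x22 request to that ECU
    results = {}
    for line in log_text.splitlines():
        m = FRAME_RE.search(line)
        if not m:
            continue
        can_id, data = int(m.group(1), 16), bytes.fromhex(m.group(2))
        if len(data) < 4 or data[0] >> 4 != 0:      # only ISO-TP single frames
            continue
        payload = data[1:1 + (data[0] & 0x0F)]
        if len(payload) == 3 and payload[0] == 0x22:             # 22 <DID hi> <DID lo>
            pending[can_id + resp_offset] = (payload[1] << 8) | payload[2]
        elif len(payload) == 3 and payload[:2] == b"\x7f\x22" and can_id in pending:
            nrc = payload[2]
            results.setdefault(pending[can_id], []).append(nrc)
            if nrc != 0x78:        # 0x78 is interim: the final response is still to come
                del pending[can_id]
        elif payload[:1] == b"\x62" and can_id in pending:       # positive response
            del pending[can_id]
    return results

if __name__ == "__main__":
    for did, nrcs in rdbi_negative_responses(SAMPLE_LOG).items():
        names = ", ".join(f"0x{n:02X} {NRC_NAMES.get(n, 'unknown')}" for n in nrcs)
        print(f"DID 0x{did:04X}: {names}")
```

NRC 0x78 is kept in the result but does not close the request, so the final NRC that follows it is attributed to the same DID.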

Steering Angle
All challenges in this category refer to the same CAN log.
What arbitration ID has the steering wheel angle?
This is a steering angle challenge. Based on the VIN from the previous challenge, we can guess that the log comes from a FORD vehicle. I therefore searched the publicly available CAN DBC file for FORD vehicles for steering-related CAN messages and found the SteeringPinion_Data message at 0x7E.

When were we driving?
On what day did the drive in this can log take place?
(answer in DD/MM/YYYY)
In this challenge, we're asked about when the vehicle was driven. Similar to how we solved the Steering Angle, we identified it using the CAN DBC. In the 0x84 ID, we can find a message related to the GlobalClock. This message consists of the following signals.



The given CAN message with ID 0x84 carries the data 18 00 00 B2 34 30 0D 00.
We therefore calculate as follows:
b0 = 0x18 = 24 (year: 2024)
(b2 << 8) + b3 = 0x00B2 = 0*256 + 178 = 178 (day of the year)
Day 178 of 2024 = June 26
Thus, the correct answer in the flag format is 26/06/2024.
Where were we driving?
What was the latitude and longitude of our destination in degrees and minutes?
Example Flag:
LatitudeDegrees.LatitudeMinutes,LongitudeDegrees.LongitudeMinutes (00.00,00.00)
The challenge asks for part of the latitude and longitude coordinates of the destination. The "Degrees" and "Minutes" in the flag format look like signal names defined in a CAN message, and by matching them against the DBC I was able to identify the following signals in CAN ID 0x462.

The data provided in 0x462 was identified as a CAN message carrying the latitude and longitude coordinates.
GPS Latitude/Longitude: 83 86 76 6A 30 0E 69 EC
Since the Bit, Factor, and Offset values obtained here did not match, I referred to a DBC used in another FORD vehicle. Using the given CAN data and that DBC's Bit, Factor, and Offset values, I calculated as follows:
def fromhex(data: str) -> bytearray:
    # Parse a space-separated hex string into raw bytes
    return bytearray.fromhex(data)

def extract_bitpos(data: bytes, bitpos: int, length: int) -> int:
    # Read `length` bits starting at bit offset `bitpos`,
    # counting from the most significant bit of byte 0
    bin_data = ''.join(f'{byte:08b}' for byte in data)
    select_data = bin_data[bitpos:bitpos+length]
    select_value = int(select_data, 2)
    return select_value

data = fromhex("83 86 76 6A 30 0E 69 EC")

# Latitude: physical value = factor * raw + offset
gps_latitude_de = extract_bitpos(data, 0, 8)
gps_latitude = (1 * gps_latitude_de + (-89))
gps_latitude_min_de = extract_bitpos(data, 8, 6)
gps_latitude_min = (1 * gps_latitude_min_de + (-0))
print(f"{gps_latitude}.{gps_latitude_min}")

# Longitude: 9-bit degrees at bit 32, 6-bit minutes at bit 41
gps_long_de = extract_bitpos(data, 32, 9)
gps_long = (1 * gps_long_de + (-179))
gps_long_min_de = extract_bitpos(data, 41, 6)
gps_long_min = (1 * gps_long_min_de + (-0))
print(f"{gps_long}.{gps_long_min}")
# Result: 42.33,-83.7
The result of running the above code is 42.33, -83.7. Note that the minutes in -83.7 must be zero-padded to two digits, as in the example flag format; otherwise, the authentication will fail. (Remember that the maximum value for Minutes is 59.)