Welcome to my talk. I'll be talking about a framework that I've just recently open sourced. It's called CANTot, and the title of my talk is "CANTot: The CAN Bus Hacking Framework to Compile Fun Hacks and Vulnerabilities". So what's the agenda for this talk? Of course, self-promotion, which is who am I, then the backstory and background about why I started this framework and project, then a quick start and basic usage of CANTot, and of course a simple demo of how you can get started with CANTot. And then I have a slide for Q&A, but you can just ping me on Twitter at @shipcod3 if you have any questions regarding CANTot, especially about installing some of the dependencies of CANTot, or if you want a real demo of CANTot. So let's start with who am I. My name is Jay Turla, aka shipcod3; that's my Twitter handle. I currently work as a principal security consultant at VikingCloud. I do network pen tests, web application pen tests and a bit of IoT hacking as well. I'm also a ROOTCON goon and on the CFP review board. Despite my family name, some people DM me asking if I'm the author of the Turla malware. I'm not the author of the Turla malware. I'm Filipino, and the Turla malware originated from Russia, so I'm definitely innocent on that one. I've also contributed some auxiliary and exploit modules to Metasploit, including for the Hardware Bridge, so that's one of the reasons I wanted to develop this framework. I also organize the Car Hacking Village at ROOTCON for the Car Hacking Village and DEF CON, and I would like to thank Robert and the rest of the Car Hacking Village team in the US for allowing me to organize such an event here in the Philippines. Aside from that, I also love hacking botnets, so I've written a couple of modules or exploits related to hacking botnets as well.
The background story of CANTot is that it was inspired by the idea of Metasploit's Hardware Bridge and the post modules related to automotive. Maybe you're familiar with the Metasploit Hardware Bridge: it allows you to interact with the CAN bus network using Metasploit, and Craig Smith and some other Metasploit contributors contributed modules that can be used for pen testing your cars and for fuzzing the CAN bus network, and there's even one module that I really like, which they call Automotive PDT, that allows you to pop the airbags of your car. It's really cool; that module is one of the coolest I've seen in Metasploit. So CANTot is pretty much like Metasploit, and it is a framework in Python. It's not coded in Ruby; it's coded in Python, and it's based on the exploit kit development kit. Instead of writing my own framework from scratch, I used the exploit kit development kit for interfacing with and automating some of the fun car hacking vulnerabilities. So this is the inspiration: if you launch Metasploit and type search automotive in the console, you can see some of these modules. You've got canflood, and this is the one I'm talking about, PDT, which allows you to test pyrotechnic devices like the airbags and battery clamps, and there are also some modules that I've actually contributed, like the ECU hard reset and the diagnostic state modules. So the realization that led to developing CANTot was that the last Metasploit automotive module related to CAN bus hacking was from October 2021, which was the module that I contributed.
And I was the one who created the previous Metasploit modules related to car hacking: the diagnostic state modules, the ECU hard reset, and the Mazda instrument cluster mover, which allows you to fuzz the instrument cluster of a Mazda as long as you're connected to the bus. I tried pushing some modules related to the Jeep hacks by Charlie Miller and Chris Valasek, but they were closed by the Metasploit team. This was the one I tried contributing a year ago: the module bleeds all the brakes, I mean the brakes, sorry, not the air brakes, on the 2014 Jeep Cherokee. We all know that's very old, right? But I just wanted to put it in Metasploit to have it as a reference and for people to try it out. Sadly it was closed, and you can see the comment there: even with the defunct mode option provided, I am in favor of not accepting this module into the main branch, as I can see this module being reused by other community members or pen testers. Now, I'm not hurt by this one; I understand their decision. So this was the unreleased module for the Cherokee kill brakes, based on Charlie Miller's research, and you can still see the code even though it's closed. It was not added to the Metasploit modules, which is understandable because they don't want to build on the Hardware Bridge anymore. Another thing I've known since then is that there are already a lot of open source CAN fuzzers and analyzers out there. We have CANToolz, which is really good, and then Caring Caribou, which is one of my favorites for fuzzing UDS, the diagnostic services, and then SavvyCAN, which is a good tool as well, and then CMAP, which was presented by Robert and is a good tool as well, and then CANalyzat0r, and then Kayak, and other open source tools which I didn't put on the slide because there are really a lot.
But these are some of the awesome and good tools that I've actually tested. So why not create my own framework that contains known CAN bus hacks and attacks, similar to Metasploit? I thought about it and, okay, why not try doing so? It's a good learning experience, it improves my skills in Python, and I also want to get a couple of contributors who could develop their Python for car hacking. So CANTot was born, and I believe it is a fun CAN bus hacking framework that you can try and maybe also help contribute to. It's a quick and dirty CAN bus hacking framework; I mean, there are a lot of things that still need to be done. The reason I'm presenting this is to compile other vulnerabilities and maybe open it up for other car hackers to contribute to this framework. I want to start something out of the things I'm doing in my car hacking research. This is the screenshot, as you can see: if you launch CANTot and then search tesla, there are two modules. One is the Tesla disable ESP/ABS module, which injects UDS data frames through the gateway and disables the ESP or ABS ECU at low speed on a Tesla Model S. Then we have Tesla open trunk, which opens the trunk on a Tesla Model S 85. This was patched because it was discovered in 2016, but the idea of CANTot is to have known vulnerabilities, and to compile known vulnerabilities in automotive security. The basic usage of CANTot: there are three commands that are easy to get familiar with. You've got help, which gives you the commands for working with CANTot. Then you have use, just like when you call a Metasploit module: when you want to use or call a module, you just type use and then the module name, for example use followed by the module name. And if you want to run the module, you just type the command run. There are also options, which I'll be showing later on.
This is a sample module execution, and this module is called reset_mileage. It clears the diagnostic trouble codes and resets the mileage, and that's what you can see in the screenshot. You just need to type use reset_mileage, because that's the module name. And then, just like Metasploit, you also have show options. If you type show options, you can see the options you can set. For example, you have RID as option one, and option two is interface. If you want to edit those options, you just use set RID, that is set, space, RID, space, and then the value of the arbitration ID, because RID is the arbitration ID. And if you want to set your interface, you do it with set interface: set, space, interface, space, and then the CAN interface. For example, if you have can0, it's set interface can0. After all of the options are set, you can run the module directly, and if you view the candump you can see the dump from there. That's what you see in the small image at the bottom, where it says clear DTC, because I was using Craig Smith's ECU simulator when I tested this. Next up, this is the code snippet of the sample module. This is the snippet of the diagnostic module, and you can see how the option is coded, and then the main function of the module, where you can see the frame data. Then let's check one more sample module. This is one module I've added, the Cherokee kill brakes, and of course I want to give credit where credit is due: this is from the research of Charlie Miller and Chris Valasek, and I gave a reference to illmatics.com as well. And this is the whole module, the one for the Cherokee kill brakes.
If you use this module, it will bleed all the brakes on the 2014 Jeep Cherokee while the car is moving. That's the fun stuff I've added in CANTot, and there are a lot of modules aside from that. So I'm going to show a demo of the tool. I'll just point you to my VM. This is my VM, and I'm running CANTot on my Kali Linux. I'm just going to zoom in. I'll give the link on how you can clone it. Once you install CANTot, these are the main files you can see in the directory, and then you just run python3 main.py. There's an error; I'll try to fix that one later, because I haven't had this error before. Then I run show modules, and you can see that there are 29 modules as of now, which are uncategorized, which I'll be fixing in the long run, or after a few weeks. So you have show modules, and you've got some of the modules here: you have CAN dump, CAN fuzzer, Cherokee kill engine, ECU hard reset, and then a couple of things like kill bus, which performs a known CAN bus denial of service attack called the fire hose attack. Then we have Malibu overheat; this module floods the temp gauge on a 2006 Malibu. Then you have Tesla open trunk, UDS fuzzer, UDS access fuzzer, and then the PDO input/output controller. So you can actually clone the repository and try out some of these modules. If you want to search for a certain module, take for example mazda, you can see that there are three matches. And if I want to try one of the modules, let's say the Spark kill engine, I just copy the name, then use and the module name, and then show options. Okay.
For demo purposes, we're going to perform this one on a virtual CAN device that I set up, vcan0; that's the virtual CAN device I have. And that's the only option I have, because that's the most important thing you need to set if you want to use the Spark kill engine. So we're just going to run it. I don't need to set the interface option. If we run it, it does this: it sends a packet that will kill fuel to all cylinders of the ICE. Then if we do a dump with candump... I've already run the CAN dump module, so let me zoom in on that one. Yes, I did run this one, and this is the message that is sent to the CAN, in my case the virtual CAN. So here are some snippets of the code. I'm actually using python-can in some of the modules, and I'm also using pyvit in some of the modules. Here you can see some snippets of my code. Like I said, you can just clone the repository to view all of the modules written for this framework. You have the RX-8 IC spoofer, which allows you to spoof the instrument cluster of a Mazda RX-8, and there's the RX-8 RPM fuzzer. So there are a lot of things I've included as well, and then a UDS fuzzer, Tesla open trunk. Of course some of these were discovered already, so there are credits for them and references in the modules. And then kill bus: this is the typical fire hose attack, where you send arbitration ID zero and frame data of eight zero bytes. If you want to stop the attack, you just press Ctrl+C. So that's it. And here's a sample video of an actual instrument cluster I tried with CANTot. This is me with CANTot, and I'm using a Peugeot 207 instrument cluster, and also this SLCAN device, which is a CANtact Pro.
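The fire hose attack described above (arbitration ID zero with eight zero data bytes, repeated as fast as the bus allows) is easy to spot from the defender's side in a candump log. This is an added example, not code from CANTot or the speaker; the log lines are constructed here in the `candump -L` format, and the window size and frame threshold are assumed values you would tune per bus.

```python
import re
from collections import deque

# candump -L style line, e.g. "(1700000000.000123) vcan0 000#0000000000000000"
LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)

def parse_line(line):
    """Parse one candump log line into (timestamp, iface, arbitration id, payload)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return (float(m["ts"]), m["iface"], int(m["id"], 16), bytes.fromhex(m["data"]))

def is_fire_hose_frame(arb_id, data):
    """The flood pattern from the talk: ID 0x000 (highest priority) with 8 zero bytes."""
    return arb_id == 0 and data == b"\x00" * 8

def detect_fire_hose(lines, window=0.010, min_frames=20):
    """Return one alert per interface, (iface, burst_start_ts, frames_in_window),
    when at least min_frames fire-hose frames arrive within `window` seconds.
    A lone 0x000 frame never alerts, so legitimate high-priority traffic passes."""
    recent, alerts = {}, []
    for line in lines:
        frame = parse_line(line)
        if frame is None:
            continue
        ts, iface, arb_id, data = frame
        if not is_fire_hose_frame(arb_id, data):
            continue
        q = recent.setdefault(iface, deque())
        q.append(ts)
        while ts - q[0] > window:        # drop frames older than the window
            q.popleft()
        if len(q) >= min_frames and not any(a[0] == iface for a in alerts):
            alerts.append((iface, q[0], len(q)))
    return alerts

def build_sample_log():
    """Constructed log: normal traffic, one legit ID-0 frame, then a 30-frame flood."""
    lines = []
    for i in range(50):                  # benign frames every 10 ms
        lines.append(f"({i * 0.010:.6f}) vcan0 244#0000000000000C5A")
        lines.append(f"({i * 0.010 + 0.005:.6f}) vcan0 1A4#1122")
    lines.append("(0.300000) vcan0 000#0000000000000000")  # single ID-0 frame: no alert
    for i in range(30):                  # flood: a frame every 0.2 ms from t = 1.0 s
        lines.append(f"({1.0 + i * 0.0002:.6f}) vcan0 000#0000000000000000")
    return lines

if __name__ == "__main__":
    for iface, start, n in detect_fire_hose(build_sample_log()):
        print(f"fire-hose flood on {iface}: {n} ID-0 frames within 10 ms from t={start}")
```

The same sliding-window count works on a live `candump -L` pipe; a burst of dominant ID 0x000 frames starves every other node of arbitration, so the alert should fire well before the gauges freeze.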
I ran the Peugeot 207 IC mover; there's also a fuzzer for it, and that's why it's set to the maximum values. It moves the speedometer and accelerometer of a Peugeot 207 instrument cluster. If we start that one again, you can see the output, and we know that a successful message was sent to the instrument cluster, which is why it reacted that way. I'm planning to put in some fun things that you can try when you use CANTot, and there are some instrument clusters you could try as well. So I guess that's it for the demo. Where's the download link for CANTot? This is the GitHub repo of CANTot: it's under github.com/shipcod3/CANTot, where shipcod3 is my handle. The letter after "CAN" is a capital T, so it's CANTot. From there you can see the modules. This is the GitHub repo link, and there are installation instructions. You just need to clone it, go to the directory, and install requirements.txt for the dependencies of this framework. Based on my tests, it works better on Kali and Ubuntu. On Debian, I have a friend who is actually testing it, and we're still trying to fix the dependencies. After you've installed the requirements, you just run python3 main.py, and then you already have CANTot. So if you want to try it, just clone it, install the requirements, and then you have your own known CAN bus hacks and vulnerabilities. Let's proceed: what is the roadmap for CANTot? The general plan is to compile known CAN bus hacks and vulnerabilities; I want it to be a vulnerability database for CAN bus hacks as well. And to spread the word about CANTot so that I can invite other car hackers and automotive security enthusiasts to collaborate and create modules. I already have one friend who wants to contribute.
He said he will be adding some of his fuzzers for the car he is actually testing, so I guess he will try. So shout out to peer up. I think he will ping me with some of his scripts and try to port them to CANTot. And like I've said before, CANTot is meant as a vulnerability database for CAN bus hacks, known CAN bus hacks. What are my future development plans? Improve the options and add info about the modules; I'm trying to add an info command, so if you use a module and then type info, you can see what the module will do and more information. Then add more commands from the commands directory of the exploit kit. Then I want to add more fuzzers, ECU unlock modules, and some CAN analyzer modules. And of course I want to improve exception handling for some errors, because you may get errors when you try to send CAN messages on the CAN bus network, so I want to add more exception handling for that. Another plan: maybe port some Caring Caribou modules. Caring Caribou is great, I love it, and I want to port some of the modules I really like from Caring Caribou to CANTot. The other plan I have is to reach out to the author of CANToolz, aka YACHT, Yet Another Car Hacking Tool. I tried that Python toolkit as well, and it's really good; I've seen some good work in CANToolz. So I want to reach out and add something similar to CANTot. I want to improve CANTot in the long run, and I'm inviting all car hackers to help me improve it. I do not claim to be an expert in automotive security, but I plan on improving my skills in car hacking and CAN bus. So this is my start in compiling known CAN bus hacks. I would like to give credit to Nikhil Baugam for CVE 2022629 and for allowing me to port his findings; his finding is actually part of CANTot right now.
I asked his permission. Then we have Charlie Miller and Chris Valasek for their research and papers; some of their CAN bus hacks are added to CANTot. And then of course Ian Tabor, mintynet, for his advice and mentorship. Then the Car Hacking Village for being an inspiration to me; when I go to DEF CON, it's one of the villages I always want to visit. Then Eric Evenchick for pyvit, and for CANTot as well: I've used some pyvit Python modules, which I've integrated into CANTot. Then Robert Leale, aka CarFucar, for the canbus_sids.py inspiration. I've written a similar module to the canbus_sids that I found in Wilka Ronas' repository called CHV PY, and from there I learned it was part of Robert Leale's, or CarFucar's, code, so I also gave credit to that in the canbus_sids module. Then Craig Smith for The Car Hacker's Handbook and the Hardware Bridge inspiration. And of course memes and images from Google. I'd also like to give credit to other car hackers out there who helped me understand some other CAN bus hacks. If you have any questions, please reach out to me on Twitter, shipcod3; my E is spelled as a three, so shipcod3. You can DM me on Twitter or email me. Thank you. Thank you to the Car Hacking Village for allowing me to present my talk, or my framework, about car hacking. And I would also like to thank the audience who will be listening to this talk, and I hope you can spread the word about CANTot.