Thanks. So I'm Ben. I'm pretty excited to be here today talking about truck hacking. I'm going to introduce you to commercial transportation and show you why it matters. We're going to be talking about trucking in particular, so trucks and trailers and distribution centers, etc. Then we're going to get into the technical details of the three main vehicle networks that are found on trucks today. In the second half of the talk, I'm going to do a review of some of the public attacks on trucks, and I'll highlight areas where you can use some more hacking. So there's definitely room for your own research, and I'll give you some ways to get involved. Then we'll wrap up the session by looking at some concrete examples of using tools to interact with the vehicle networks, and I'll also give you a whole list of tools that you can go and get and play with yourself.

Just a very little bit about me. I'm a cybersecurity research engineer contractor at the NMFTA. I have some previous experience in embedded systems design and reverse engineering. I'm also proud to be a CyberTruck Challenge instructor and a volunteer at the DEF CON Hardware Hacking Village and Car Hacking Village.

So commercial transportation: what is it? A very broad topic. The possible transportation of goods or people for a business purpose, just about anything. It makes up, you know, trailers, trains and ships, which you can see pictured here. Also cargo containers, which is called intermodal, is a big part, and we'll talk about that. Why does commercial transportation security matter? Look around the room you're in right now. All of it came on a truck. Truck problems are big problems for society. And if you need to be convinced, I encourage you to take a look at "A week without truck transport" at iru.org. It's amazing just how deep the supply chain of trucking goes. There are some communities that even need to get their drinking water from trucks.
And then, probably most obviously, trucks are the big lumbering giants on the road, and safety issues with trucks are all of our issues. If you think about all the modes of transportation and not just trucking, it matters because we're all linked by that global supply chain, but also because all the technologies are shared among the different modes. So a vector of an attack in one mode can actually be an attack across the board. For example, the CanBusHack research that demonstrates engine disablement via derate abuse is actually applicable across all the modes, because diesel is found in all the modes. We're going to talk about that a little more later.

So trucks, pictured here in this spaghetti diagram: they have a lot of features, a lot of connectivity, and they have a lot of variations. Trucks actually leave the factory today sometimes with three different cellular modems installed. The cellular components and specs of the truck are built to order by the fleets, which accounts for all the variation. These trucks actually use multiple different vehicle networks, and sometimes multiple segments of the same network, to accomplish all the features that are necessary. This diagram, you can see, is showing three different types of networks, three connectors, and a whole bunch of different components. One of the things we're not picturing in this diagram is components that bridge multiple segments, other than that gateway, because doing so would make it a bit more of a spaghetti mess. But those types of components that bridge segments are also present. And take note of the connectors here. The J560 connector is what's used to make the umbilical connection between the tractor and the trailer. That OBD connector is the regulated onboard diagnostics connector found in all trucks. And then the RP 1226 is a newer connector, but was put there because permanently connecting devices such as telematics or other aftermarket equipment is not recommended for the OBD connector.
So the OEMs place that there to give fleets a place to put their permanently or semi-permanently installed equipment. And of course, it goes without saying, these trucks exist as money makers: if they're not rolling, then the fleet is losing money.

So what about trailers, the other things that roll? They actually outnumber tractors in North America. They have plenty of features. What you see pictured here is a summary of the features you'll find in a trailer, based on questionnaires that we put to our fleets. They all have trailer ABS, unsurprisingly, because that's regulated. There's also other features, and the other features are usually integrated with proprietary wireless, but there are other proprietary-type networks that will enable those features as well. And it seems like there's still quite a bit more than just trailer brakes. These features aren't stopping there, though; they're growing every day. This is a conglomerate of future-looking features that you might find in a trailer, based on a bunch of webinars by Paul Menig and the people that he invited into ATA TMC task forces, combined with some of the questionnaires that we put to our members, and you can see it's quite a lot of features and quite a lot of different bus options. Note that the adoption of these technologies has been pretty slow. A lot of these things that you'll see here have actually been listed as next-generation technologies in a report that dates to 1998. So take the marketing with a grain of salt, but these kinds of technologies are coming, as is the switch to a different bus. You'll see here we're listing CAN J1939 as well as ISO 11992-2, which is also known as TT-CAN. These CAN buses in trailers are much more common in Europe. In North America today they're pretty rare, but that may very well change in the future. And then an important thing to mention is that if you thought getting testing time on a truck was hard, imagine getting testing time on a trailer.
If these trailers aren't rolling or docked, they're actually parked holding cargo. So getting time on a trailer is pretty difficult. And the trailers last a really long time. They have a service lifetime of about 30 years in North America. So a lot of the trailers you'll run into are quite old, maybe beaten up and have seen better days.

So trucking, it goes without saying, I think I said it before, is a moneymaker. The vehicles are owned for commercial purposes. Sometimes they're leased from companies, for example Penske. And they protect their investments with preventative maintenance. So maintenance is a big part. Tractors actually spend more time in a service center connected to diagnostics than any passenger car would. The diagnostic software is quite powerful. You can see that paper reference there that Bill Hass was on: the diagnostic software, for example, is capable of disabling engine cylinders and cycling ABS pressure valves. And a lot of this diagnostic software is actually just low-quality Windows software.

Another big part about trucking is the distribution centers. So fleets actually make extensive use of these. For example, in LTL, less-than-truckload, where these distribution centers are called terminals, moving freight there is much more like moving passengers in air traffic than it is like packets in a network. Packets in a network is more like truckload. So you can also think of LTL as how the postal service operates, and these terminals end up being staging areas for different groups of "passengers" as they get regrouped into different trailers and sent on to their next destination. These distribution centers actually have a lot of technology and a lot of attack surface themselves, which I'm not prepared to talk about. But it should be unsurprising to you to find that handhelds and tablets and IoT and all the other embedded systems actually pervade the distribution center today.
Intermodal, briefly: a lot of people recognize intermodal as containers. A lot of fleets make extensive use of them, transferring them from train to ship to trailer as they're designed to do. We've heard that some intermodal containers actually have their own networking interconnects, and many of these containers have their own telematics modems. So just another way that things are all interconnected. I'm not an expert in the other modes here, but it's important to let you know what they are. So ships also use J1939, and there it's called NMEA. Trains also use J1939 because they have a diesel engine, although on the trains a lot of times the diesel engine is set up as a generator and not as a motor to move the train. And another thing that all the modes share in common is they're all kind of creating all of this IoT stuff and adding it on to their business operations. You can see here a picture of a port that has all kinds of handhelds and different sensors and integration with the ships that dock, much like the distribution center. So I hope I've convinced you that commercial transportation is important and that all the other modes are interrelated.

I'd like to move into discussing particulars of truck vehicle networks, starting with J1939. I think a lot of people here joining the Car Hacking Village are going to be familiar with CAN networks, especially as they relate to passenger cars. So I'd like to introduce you to J1939, which is found in heavy vehicles, as it relates in analogy to passenger cars. So in both cases, the CAN buses are encoding time-varying signals and packing those time-varying signals into bit field locations. In passenger cars, the bit field locations are, you know, signals that are identified by these arbitration IDs, and both the arbitration IDs that identify the signals and the locations of the signals as they're packed are proprietary information.
In J1939, in contrast, the PGNs that identify the grouping of signals and the SPNs that identify where they're packed are the standardized parts, in fact, in J1939 for the most part. In passenger cars, diagnostics were standardized; this is mostly for CARB. In contrast, in heavy vehicles it's actually the diagnostics that are proprietary. So in passenger cars you should be familiar with UDS for diagnostics. Trucks have more than one type of diagnostic. UDS is available and is gaining share; it has its own reserved PGN, for example. Here's a nice little decode of a CAN frame that is encoding a J1939 seed-key exchange. This was put together using Ken Tindell's CAN frame decoder, which is great at looking at extended IDs and does a really nice breakdown and build-up of the parts of the frame. You can see here that J1939 frames use extended 29-bit arbitration IDs, which is the combination of ID A and ID B that you see there. They can have a variable data field, in this case 3, and then have all the normal CAN parts. There's also a diagram below showing you how the PGNs are actually packed into that arbitration ID. So there are both unicast and broadcast PGNs. When we're talking about a broadcast PGN, it uses all of the bits from 23 to 8. And for a unicast, it actually just uses the upper bits and encodes the destination address in the arbitration ID. And in all cases, the arbitration ID also encodes a source address and a priority, as well as one reserved bit and a data page bit that's starting to be used more extensively in J1939 definitions. J1939 has a lot of different features. I told you it has unicast and broadcast. It also has its own transport, fragmentation and reassembly mechanism, address claiming, and requests for PGN data. And then, more importantly to truck hacking, there are proprietary messages that flow over J1939 networks, and they have their own reserved range of PGNs, both unicast and broadcast.
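The packing of PGN, destination, source and priority into the 29-bit arbitration ID that the speaker describes above, as an added worked example (this is not code from the talk or from the NMFTA tools). The UDS reserved PGN 0xDA00 is the one named in the talk; the tool and engine addresses used in the `__main__` demonstration (0xF9 and 0x00) are constructed for illustration.

```python
# Added example, not from the talk: pack and unpack SAE J1939 29-bit arbitration IDs.
# Layout (MSB to LSB): priority(3) | EDP/reserved(1) | data page(1) | PF(8) | PS(8) | SA(8)
#   PF <  240 -> PDU1, destination-specific: PS is the destination address, PGN = DP:PF:00
#   PF >= 240 -> PDU2, broadcast:            PS is a group extension,        PGN = DP:PF:PS
from dataclasses import dataclass
from typing import Optional

PGN_UDS = 0xDA00      # ISO 15765-3 (UDS over J1939) reserved PGN, as mentioned in the talk
GLOBAL_ADDRESS = 0xFF


@dataclass
class J1939Id:
    priority: int
    reserved: int
    data_page: int
    pgn: int
    source: int
    destination: Optional[int]  # None for a broadcast (PDU2) PGN

    @property
    def is_broadcast(self) -> bool:
        return self.destination is None


def unpack_id(can_id: int) -> J1939Id:
    """Split a 29-bit extended CAN identifier into its J1939 fields."""
    if can_id < 0 or can_id >> 29:
        raise ValueError("J1939 needs a 29-bit (extended) identifier")
    priority = (can_id >> 26) & 0x7
    reserved = (can_id >> 25) & 0x1
    dp = (can_id >> 24) & 0x1
    pf = (can_id >> 16) & 0xFF
    ps = (can_id >> 8) & 0xFF
    sa = can_id & 0xFF
    if pf < 240:  # PDU1: PS is the destination address, PGN low byte is zero
        return J1939Id(priority, reserved, dp, (dp << 16) | (pf << 8), sa, ps)
    return J1939Id(priority, reserved, dp, (dp << 16) | (pf << 8) | ps, sa, None)


def pack_id(pgn: int, source: int, priority: int = 6,
            destination: int = GLOBAL_ADDRESS) -> int:
    """Build the arbitration ID for a PGN; destination only applies to PDU1 PGNs."""
    if not 0 <= pgn <= 0x3FFFF or not 0 <= source <= 0xFF or not 0 <= priority <= 7:
        raise ValueError("field out of range")
    pf = (pgn >> 8) & 0xFF
    dp = (pgn >> 16) & 0x1
    edp = (pgn >> 17) & 0x1
    if pf < 240:
        if pgn & 0xFF:
            raise ValueError("PDU1 PGN must have a zero low byte")
        ps = destination
    else:
        ps = pgn & 0xFF  # group extension is part of the PGN itself
    return (priority << 26) | (edp << 25) | (dp << 24) | (pf << 16) | (ps << 8) | source


def describe(can_id: int) -> str:
    """One-line human-readable summary, e.g. for annotating a candump."""
    f = unpack_id(can_id)
    dst = "global" if f.is_broadcast else f"0x{f.destination:02X}"
    return f"id=0x{can_id:08X} prio={f.priority} pgn=0x{f.pgn:04X} sa=0x{f.source:02X} da={dst}"


if __name__ == "__main__":
    # The UDS seed-key traffic in the talk is unicast on PGN 0xDA00; the addresses below
    # (diagnostic tool 0xF9 -> engine 0x00) are constructed, not taken from the slide.
    print(describe(pack_id(PGN_UDS, source=0xF9, destination=0x00)))
    print(describe(0x0CF00400))  # EEC1 (PGN 61444) broadcast from the engine at SA 0
```

The PDU1/PDU2 split is the part that trips people up when they come from passenger-car CAN: for a unicast PGN the low byte of the ID's middle word is an address, not part of the PGN, so two frames carrying the same PGN to different ECUs have different arbitration IDs.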
So when you're dealing with trucks, a lot of the fun stuff, like dumping and reconfiguring and reflashing, is all protected by an authentication and authorization challenge-response system called seed-key exchange. And UDS is used for seed-key exchange on a reserved PGN of hex DA00, and you saw some of that encoded in the previous slide.

So let's talk about where you might be able to find J1939 on a truck. First up is that onboard diagnostics connector. These can be found in either black or green. They're located below the steering wheel, just to the left of it. They're usually this Deutsch 9-pin, although some OEMs actually use the passenger-car-style OBD-II connector. On the black socket, you'll find that in addition to J1708 there's actually two J1939 buses. The second one is optional. And on the black socket, J1939 runs at 250 kbit/s. On the green variety, the J1708 bus is actually optional, replaced usually by J1939. And the J1939 buses on the green socket run at 500 kbit/s. And the OEM-specific pins that you see pictured there, those are also probably another J1939 bus on many of the vehicles. Finally, J1939 on the RP 1226 aftermarket connector: that should be present on pins 2 and 9, and 4 and 11. Remember, this is the aftermarket or telematics connector that you might find behind the dash or behind the berth. This is provided by OEMs to give fleets a place to connect things permanently or semi-permanently that isn't the OBD connector. Notice here that there's also two OEM-specific pins. Those are probably also a J1939 bus. In addition, many modern vehicles have lots of different J1939 segments that are not pinned out on the onboard diagnostics connector. This architecture diagram you see here is from a textbook by Duffy and Wright, and it shows no less than six separate CAN segments, only two of which are present on the diagnostics connector. So you'll probably be able to find more J1939 if you poke around in the harnesses of the truck.
Lastly, finding J1939 is going to be possible on DB15 connectors. Many of the adapter cables that you'll use on heavy vehicles are pinned out on DB15 connectors, so knowing this pinout is really useful. CAN is present on 5 and 10, and 12 and 13.

So that was J1939. Let's talk about J1708 and J1587. These two standards are pretty much always found together. They predate J1939 by many years. They're sometimes still found in tractors, and they are always still found in the trailer as J2497; more on that later. You can see here in this analogy diagram that tries to roughly place where J1587 is relative to where J1939, or say UDP, would sit on top of Ethernet, just so you can get an idea of the place in the stack-up of these different standards. So J1708 has a very similar bus arbitration to CAN: the lowest byte first wins. J1708 always runs at 9,600 baud, 8 bits, one stop bit, no parity, so 8N1. At the physical layer it's very much like RS-485, but it has hard real-time constraints for framing and bus arbitration. So if you want to write J1708, you have to actually have hard real-time holdoffs for frame timing. If you just want to read J1708 and dump it, any RS-485 adapter should do. In J1708, that first byte is called the MID, and it's much more like a source address than arbitration IDs are on CAN. And there are many sort of noteworthy MIDs. So 111 is factory test, and that's fun. There's also off-board diagnostics and programming; there's a vehicle security reserved number; there are bridges for drivetrain as well as tractor-trailer; and then four total J2497 reserved, so there's 10 and 11, which is the lamp on, lamp off, that's the whole raison d'être for J2497. For 128 through 255, those are actually defined by the J1587 standard. So J1587 signals are identified by a PID byte which gets put into the payload of the J1708 frame. It's kind of different than J1939 or passenger cars, where maybe the PGN implicitly specifies the bit packing.
So these signals are identified by a PID that's put in the frame, and then how you decode the data that follows the PID, that's where you have to refer to the J1587 specification. And of course there are tools out there that can take the SAE PDF and do a decode, like pretty_j1587. We'll talk a bit about that later. J1587 has a lot of features: both broadcast and unicast frames are possible. It includes ways to request data, both requesting broadcast data as well as component-specific data. It includes fragmentation and reassembly, both a transport protocol that's unicast and a special multi-section parameter, PID 192, for PIDs that are broadcast. There's also free-form data, standardized requests that sit on top of the transport protocol, where you can ask for interesting things like programmable parameters and calibration and executable code. And there are, of course, since it's automotive, proprietary messages, and the proprietary messages are where the fun stuff happens in J1587; this is called data link escape. And these are unicast. So they're made up by PID 254 and 510. One message you might see is, you know, AC FE 80 F0 17 down here, which is a 254 PID being sent from MID hex AC to MID hex 80. And the payload F0 17 is what gets interpreted by the destination on the other end.

You saw this already on a couple of the Deutsch 9-pin connectors: J1708 should be present on F and G on that black socket, and it'll be optional on the green socket. If you have an RP 1226 connector, you may very well have access to the J1708 bus on pins 6 and 13. And of course, if you have a DB15 cable adapter, you're probably going to find your J1708 bus on pins 14 and 15. So we have reviewed the locations where it's possible to find J1708 or J1587, but the presence of this bus is becoming increasingly uncommon on tractors. The reason why it's relevant, why we cover it here, is because this network does show up in power line carrier form in all tractors since 2001. Let's talk about that form.
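The J1708 framing (MID first, checksum last) and the J1587 rules for walking PIDs, including the PID 254 data link escape from the talk's AC FE 80 F0 17 example and the PID 255 page extension that makes 510 possible, as an added worked example. This is not the pretty_j1587 tool or any code from the talk; the two-PID decode table at the end uses scaling values from my reading of J1587 (PID 84 road speed, PID 190 engine speed) and should be treated as an assumption.

```python
# Added example, not from the talk: build/verify a J1708 frame and walk the J1587
# parameters inside it, including PID 254 (data link escape) and the PID 255 page extension.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

J1708_MAX_FRAME = 21  # bytes, including MID and checksum


def j1708_checksum(body: bytes) -> int:
    """Two's complement of the byte sum: the sum of the whole frame is then 0 mod 256."""
    return (-sum(body)) & 0xFF


def build_frame(mid: int, payload: bytes) -> bytes:
    body = bytes([mid]) + payload
    if len(body) + 1 > J1708_MAX_FRAME:
        raise ValueError("frame too long for J1708")
    return body + bytes([j1708_checksum(body)])


@dataclass
class Parameter:
    pid: int
    data: bytes
    dest_mid: Optional[int] = None  # set only for data link escape (PID 254 / 510)


@dataclass
class Frame:
    mid: int
    params: List[Parameter]


def parse_frame(frame: bytes) -> Frame:
    if not 2 <= len(frame) <= J1708_MAX_FRAME:
        raise ValueError("bad frame length")
    if sum(frame) & 0xFF:
        raise ValueError("checksum mismatch")
    mid, data = frame[0], frame[1:-1]
    params: List[Parameter] = []
    page = 0
    i = 0
    while i < len(data):
        pid = data[i]
        i += 1
        if pid == 255:          # page extension: the PIDs that follow are 256..510
            page += 256
            continue
        if pid == 254:          # data link escape: next byte is the destination MID,
            if i >= len(data):  # the rest of the frame is opaque to everyone else
                raise ValueError("truncated data link escape")
            params.append(Parameter(pid + page, bytes(data[i + 1:]), data[i]))
            break
        if pid < 128:
            n = 1
        elif pid < 192:
            n = 2
        else:                   # 192..253: variable length, a count byte follows the PID
            if i >= len(data):
                raise ValueError("truncated variable-length parameter")
            n = data[i]
            i += 1
        if i + n > len(data):
            raise ValueError(f"PID {pid + page} runs past the end of the frame")
        params.append(Parameter(pid + page, bytes(data[i:i + n])))
        i += n
    return Frame(mid, params)


# Tiny decode table for two common J1587 PIDs (assumed scaling; a real decoder would be
# generated from the SAE PDF the way pretty_j1587 does it). Multi-byte values are LSB first.
DECODERS: Dict[int, Tuple[str, Callable[[bytes], float]]] = {
    84: ("Road speed (km/h)", lambda b: b[0] * 0.805),
    190: ("Engine speed (rpm)", lambda b: int.from_bytes(b, "little") * 0.25),
}


def decode_param(p: Parameter) -> Tuple[str, Optional[float]]:
    if p.dest_mid is not None:
        return (f"Data link escape to MID 0x{p.dest_mid:02X}", None)
    if p.pid in DECODERS:
        name, fn = DECODERS[p.pid]
        return (name, fn(p.data))
    return (f"PID {p.pid} (undecoded)", None)


if __name__ == "__main__":
    # The talk's example: MID 0xAC sends PID 254 to MID 0x80 with payload F0 17.
    frame = build_frame(0xAC, bytes.fromhex("FE80F017"))
    print(frame.hex(), parse_frame(frame))
```

Two things worth noticing when you dump a real bus: the checksum check is the only integrity protection J1708 has, so a frame that fails it is most likely a collision or framing error rather than an attack, and everything after a data link escape is defined by the receiving ECU, which is exactly why the proprietary traffic needs the per-vendor reverse engineering the talk describes.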
It's known as J2497, and it's what links tractors and trailer ABS. Simply speaking, J2497 is J1708 over trailer power lines. It's also known as PLC for trucks. And you can think of it as an alternative transport layer for J1587. The way it works is it's almost exclusively implemented by the Intellon SSC P485 chip, which adds preamble and sync bits around the beginning and the end of J1708 messages. This is a bi-directional switch. You can also see a time-domain plot at the bottom of the kind of chirps that it puts together. J2497 has a lot of features itself. The primary purpose is for those MID 10 and 11 frames; you know, 0A00 and 0BFF are the default frames for lamp on and lamp off. That's the whole reason why they developed it. But because it is J1708, it has all of those features, plus they also added a dynamic address claim to support having road trains, so multiple different trailers connected together. Because this is the data network, the trailer brake manufacturers put together trailer brake diagnostics. So all the ABS air pressure valve cycling and ECU reconfiguration should be present over J2497. And some of those brake ECUs in trailers actually have their own scripting languages that are programmable over J2497. So one of the interesting things about this network is, because of that added preamble that the chip adds to the beginning of the message, there's a duplication of the first byte, the MID byte. You can actually create priority override frames. So for example, you can send a maximum priority double zero, and a J1708 inside it as a minimum double F. And that double-zero frame will override the priority of all the traffic, but it's received as a MID double F. And then finally, because this is a power line carrier technology and it uses very long conductors, we have been able to receive this using SDR software from six feet away from the trailer. So where are you going to find J2497?
Well, it's always going to be on that power pin, the center aux pin on the J560 connector at the back of the tractor or the front of the trailer, pictured on that green cable on the top right, which means all the adapters in the bottom left are your friend. So you might find some adapters that give you a DB15 right out to the J560, as pictured in the bottom left. There are inline adapters next from the left. There you have to be careful: some of them actually include an Intellon chip, so they will convert from J2497 to J1708. Some of them don't. You can also make your own inline adapter by taking the shell off of a J560 cable and inserting your own pigtail, as you can see pictured there second from the left. You might also find J2497 on the power pins of the diagnostics connector, that OBD connector, the Deutsch 9-pin. But you have to be careful: some trucks include filtering, so the diagnostics connector has actually got filtered power relative to what you'd find on the tractor. Same for J2497 on the RP 1226 connector. So the RP 1226 document says that it should be there. All the OEMs that I've ever talked to in meetings say that it probably won't work; it probably is filtered. So you may or may not find it on the RP 1226 connector. J2497 might actually be on the battery terminals of the truck, which makes this adapter useful sometimes, but it may also be filtered. The only place it's guaranteed to be found is on that tractor connector, the J560. But have no fear: you might just be able to set up an active antenna and some SDR software and receive the traffic standing next to the trailer anyways.

Of course, there are going to be other vehicle networks in intermodal. We know that J1939 is going to be found anywhere there's a diesel engine. And since J1939 historically replaces J1708 and J1587, it stands to reason that there may be installations that also have J1708 on their diesel engines in intermodal.
We've also heard that J2497 might be used for power line communications on some containers, but haven't been able to test this yet. In the future, of course, as applications for high-speed data keep increasing, the number of buses and types of buses that will be deployed will go up. Some of the ones not listed here you might find in a passenger car, like FlexRay or MOST, in heavy vehicles. It looks like CAN FD may or may not make it in; CAN HD looks like a good option to avoid the incompatibilities. Automotive Ethernet seems pretty clear that it'll find applications on trailers. And of course the proliferation of different wireless technologies is inevitable on these vehicles.

Okay, so that was an overview of what trucking is, how it works, with the technicals. Let's talk about truck hacking, starting off with the CAN attack methods. So if you actually have access to a CAN bus, what can you do? If you're thinking at the frame level, how you create the CAN messages, you can flood the bus. That's a pretty obvious one, and I think there's lots of examples of that in the literature. Or you can just send a message that you want and pretend that you were the intended source, and that's spoofing, but it might be known by other names. All of the types of attacks that we're going to discuss in this section are all just simple spoofing attacks of sending data pretending that you're the ECU that you want to be. So there's more than that. There's a lot of different ways to attack at the protocol level, sort of below the payloads and the arbitration IDs you might create using something like SocketCAN. The CANHack tool by Ken Tindell and the CANT tool by bitbane and Grimm are capable of doing things like bus-off attacks and spoofing immediately after a frame goes by, so you can be sure that the receiver buffer will get it as soon as possible, and if the receiver uses timed receiving then you can actually replace the message. They're capable of causing double-receive messages and overload frames.
There's a way to force transmitters into error passive and then replace the data or spoof the data. And then there's this type of attack, Janus, which exploits the fact that different sampling points can be configured on CAN receivers, so you can create a waveform that is received as different data by differently configured sampling points. So these are just things like bus shorting and NACK data replacers; those last three actually require analog switches in hardware, but they are interesting attacks that are possible with some of the CANT tools. All the ones that are in red are possible attacks to employ if you have an SoC that has GPIOs connected to a CAN transceiver. The SoCs have this configuration where the CAN controller is embedded in the chip, and then there's an external CAN transceiver that does the differential pair level shifting. And if the pin mux can be reconfigured so that GPIOs are connected to the transceiver instead of the CAN controller, which is almost all SoCs, then all of these red attacks are possible by software takeover of those nodes. Note that analogs to these attacks, some of them anyways, are also possible with J1708. So bus flooding and simple spoofing, yep, that's just by creating the data. Doing bus-off and spoofing immediately is definitely possible with real-time control, as would be an error passive data replacing style attack.

So let's talk about some of the public attacks in the literature. We'll talk about 10. The result is true only on a specific model or year of a particular truck, so your mileage may vary, but they're worth testing if you have access to a truck. First up is vehicle disable or limp by DEF additive message manipulation. So DEF is the additive that's added to diesel to make it burn cleaner.
And Johnston back in 2015 proposed this. The way the trucks are set up by regulation, when there are failures in the additive control system, the DEF levels for example, the truck has to actually eventually enter a limp mode, where it's going very, very slow, almost completely useless. So by manipulating those DEF levels, if you had access to the segment where they were being sent, you could actually cause a vehicle disable. Denial of ECUs is possible; so Mukherjee et al. demonstrated this back in 2016. They were actually able to exploit a weakness in the data link layer protocols of J1939-21. They demonstrated there was actually a practical denial of service attack in these systems; they're practical because they were actually later demonstrated in real vehicles. They also did require studying the workflow of the data link layer and identifying points that are suitable for disruption. There were actually three categories of DoS they identified: there was request overload, there were false RTSs, and there was connection exhaustion. There are more vehicle disables and limps that are possible. This is some research that was performed by CanBusHack, sponsored by the NMFTA. They provide a whole family of message types that can possibly lead to a derate event, and hence also a limp mode. What's more, they created a very simple fuzzing-like attack, kind of a search through the proprietary message space, that was demonstrated to find and cause derate events with no investigation or reverse engineering required. They also demonstrated that derate events could be caused by reconfiguring the calibrated limits that are stored in the engine components, which underscores the importance of diagnostics security. There are more details on this attack, which is pretty recent, at our portal, CTSRP at nmfta.org, seen there in the link.

So J1708/J1587.
And this is also in the category of abusing diagnostics. Haystack and Six_Volts delivered a talk here at the Car Hacking Village at DEF CON 24, and in it they included an example of how you could actually disable a truck ECM by misconfiguring it. And they did this by doing some protocol and software reverse engineering of J1708 traffic. And they did demonstrate that there were no access controls on what needed to be sent from the diagnostics software to create a bad engine configuration, so in addition to physical access being required, they also highlighted that compromise of the diagnostic software would in fact be sufficient. Remember, the diagnostic software is highly privileged and is usually just Windows software running on a Windows PC in a maintenance bay. It's possible to override the instrument cluster display. I think lots of people have done this, playing with the instrument cluster set up on benches for passenger cars. The same thing is possible in heavy vehicles, as demonstrated by Liza Burakova, Bill Hass, Leif Millar, etc. More by Liza and Bill's team: you can actually do RPM control and engine brake disable. Not only were they able to disable the engine braking, but over J1708 they found that they could disable cylinders on the particular truck they were testing. And this was done via legitimate diagnostics functionality, similar to what Haystack and Six_Volts presented previously. They also were able to cycle ABS air release. And they noticed that they could do this by replaying diagnostic tool traffic; those are unauthenticated. What's interesting is that the same functionality is also present on J2497 networks, which maybe isn't surprising since that's just J1708 over power lines. So last up is reading remote traffic from J2497. We mentioned this in the technicals of J2497. We did find that you could cycle the ABS pressure valves. But when you're just reading traffic, it's possible to get it from six feet away.
And this was published as a CISA advisory last year and also got a CVE. So in summary, there's plenty of things you can do in J1939, J1708 and J2497. There's more, and we would like you to give it a shot.

So what actually needs more hacking? Well, abuse of the legitimate stuff is probably a good place to start, so no exploitation needed. Take some diagnostic software and see what can actually be replayed as a good place to start. We have seen several examples of fruitful abuse so far, but there hasn't been much in terms of abusing ADAS features or immobilizer or body control. So some things to think about. There's also definitely research needed into vehicle network gateways. So, gateways being the devices that are going to bridge multiple CAN or J1939 segments in the vehicle. Sometimes they're being introduced for performance reasons. But whether they're being introduced for performance reasons or not, they're always a security-relevant device, since they connect multiple segments and pivoting is possible. So those could use some sunlight as well. What other truck and trailer hacking can you do? Well, just like car hacking, you know, truck hacking is really the Olympics of hacking, which is a quote attributed to Will Caruana. All the usual IoT stuff is there, game hacking as well. Telematics is pretty much IoT devices; all the mobile handhelds and head units and logistics devices are all Android. The diagnostics and maintenance tools are usually just, you know, not very high quality Windows software, although that is getting better. And of course there's lots of RF all over the trucks, and RF is usually, you know, whatever you got, whatever you want to try. So there's definitely a place for you to get involved. If you're a professional or a student that wants to get involved, I definitely recommend the CyberTruck Challenge. This is an event that's put together specifically to train students.
It does get attended both by industry experts as well as the students and OEMs and suppliers. Each student that attends pretty much gets more than $10,000 in free training. There is a stipend for students that are eligible. There's going to be stuff to crawl under and over in the form of trucks and boxes. And I do encourage you to participate. Of course, and this shouldn't be surprising when watching the videos, you can definitely get involved through the Car Hacking Village. This year we're going to have some more air brake setups, launching some Nerf darts for fun, if you want to join and try. If you want to get involved, I highly recommend doing a bench setup. This is definitely necessary in this field, because getting time on trucks is hard. As we mentioned, if the trucks aren't rolling, the fleets aren't making any money, but you can make a truck in a box, looking at Haystack and Six_Volts' paper that's available on GitHub. And for all the really gory details, you can check Jose's master's thesis, which is available at the University of Tulsa.

So we're going to move on to some technical stuff and talk about tools for truck hacking, or just vehicle networks in general. So if you're on a J1939 network and you've got some traffic flying by, you want to know what it is that you're looking at. In a passenger car, you might need to try to get your hands on a DBC file that defines all the bit fields and what they mean, and maybe what the arbitration IDs are supposed to be. In J1939, most of this is standardized, and if you had a copy of the J1939 Digital Annex, you could go and decode it yourself. There is a nice tool that we've developed called pretty_j1939, which takes that Digital Annex, converts it into a J1939 JSON file, and is able to use that JSON database to decode the J1939 traffic. The tool is also compatible with lots of previous versions of the J1939 DB
JSON format that you may find floating around on the interwebs, so if you have one of those JSON files you're in luck, you can use it. Remember though that your decode is only as good as the DB that you use with it, so previous versions didn't actually capture all the details of J1939 accurately. So the best quality will be obtained by purchasing the Digital Annex and converting it. The output that you see here is showing how you can augment the candump format with commented JSON objects. You can also omit the candump stuff on the left and just put out a sequence of JSON objects. That format with just JSON is very useful for filtering and beautifying with something like jq, querying the JSON. The CAN data you see here is from the Colorado State public CAN data logs, and so is the VIN of the truck that they own there. What about sending J1939? You can do that using SocketCAN, and you can do SocketCAN on a TruckDuck. So the TruckDuck was introduced here at the Car Hacking Village at DEF CON 24 by Six_Volts and Haystack; it's the blue one pictured on the left. Since then they've put together some more versions like the 1.5, which is green, and the Mega board, which is blue next to it. Also pictured here on the right is my truck cape, which is a TruckDuck remix by Dr. Daily, and it's in my custom monogrammed laser-cut case, which I'm very proud of. You can also see the SMA connector sticking out of it, which I use for J2497 research. So here is a snippet of some Python. You need to use SOCK_RAW in most cases. It won't send frames with transport for longer data, so you'll have to do your transport breaking-up yourself, but there are other tools we'll talk about. And this does let you put together frames programmatically. We're showing a hexdump here. You don't have to use struct.pack, but you can see the struct.pack example. There are some patches that are necessary for using other features of J1939, and we'll talk about that a bit in a second.
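To make the SOCK_RAW discussion concrete, here is an added example (mine, not code from the talk, from Dr. Daily's repository or from pretty_j1939) that decodes 29-bit J1939 identifiers from candump-style lines into priority, PGN, destination and source address, does the inverse, and uses struct.pack to lay out a classic CAN frame the way a CAN_RAW socket expects it. No socket is opened, so it runs offline; the sample log lines, the NAME bytes and the PGN label table are constructed for illustration and are not from any real truck or from the Colorado State logs.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SocketCAN constants from <linux/can.h>; no socket is opened in this example.
CAN_EFF_FLAG = 0x80000000          # marks a 29-bit (extended) identifier
CAN_EFF_MASK = 0x1FFFFFFF
CAN_FRAME_FMT = "<IB3x8s"          # struct can_frame: id, dlc, 3 pad bytes, 8 data bytes

# Small label table for the decode; only a few well-known PGNs, by number.
PGN_NAMES = {
    59904: "Request",
    60928: "Address Claimed",
    61444: "EEC1 (Electronic Engine Controller 1)",
    65265: "CCVS (Cruise Control/Vehicle Speed)",
}


@dataclass
class J1939Id:
    priority: int
    pgn: int
    destination: Optional[int]   # None for broadcast (PDU2) messages
    source: int


def decode_j1939_id(can_id: int) -> J1939Id:
    """Split a 29-bit J1939 identifier into priority, PGN, DA and SA."""
    can_id &= CAN_EFF_MASK
    priority = (can_id >> 26) & 0x7
    dp_bits = (can_id >> 24) & 0x3          # extended data page + data page
    pf = (can_id >> 16) & 0xFF              # PDU format
    ps = (can_id >> 8) & 0xFF               # PDU specific
    sa = can_id & 0xFF
    if pf < 240:
        # PDU1: PS is the destination address and is not part of the PGN
        return J1939Id(priority, (dp_bits << 16) | (pf << 8), ps, sa)
    # PDU2: PS is a group extension, the message is broadcast
    return J1939Id(priority, (dp_bits << 16) | (pf << 8) | ps, None, sa)


def encode_j1939_id(priority: int, pgn: int, source: int,
                    destination: Optional[int] = None) -> int:
    """Inverse of decode_j1939_id: build the 29-bit identifier."""
    pf = (pgn >> 8) & 0xFF
    if pf < 240:
        if destination is None:
            raise ValueError("PDU1 PGN %#x needs a destination address" % pgn)
        ps = destination
    else:
        ps = pgn & 0xFF
    return ((priority & 0x7) << 26) | (((pgn >> 16) & 0x3) << 24) \
        | (pf << 16) | (ps << 8) | (source & 0xFF)


def pack_can_frame(can_id: int, data: bytes) -> bytes:
    """Pack one classic CAN frame as a CAN_RAW socket wants it (16 bytes)."""
    if len(data) > 8:
        raise ValueError("CAN_RAW carries at most 8 bytes; longer data needs a transport protocol")
    return struct.pack(CAN_FRAME_FMT, can_id | CAN_EFF_FLAG, len(data), data.ljust(8, b"\x00"))


def build_address_claim(source: int, name: bytes) -> bytes:
    """Address Claimed (PGN 60928) frame: priority 6, sent to the global address 0xFF."""
    if len(name) != 8:
        raise ValueError("J1939 NAME is 8 bytes")
    return pack_can_frame(encode_j1939_id(6, 60928, source, 0xFF), name)


def parse_candump_line(line: str) -> Tuple[float, str, int, bytes]:
    """Parse a candump -l style line: '(timestamp) iface ID#DATA'."""
    ts, iface, frame = line.split()
    id_hex, data_hex = frame.split("#")
    return float(ts.strip("()")), iface, int(id_hex, 16), bytes.fromhex(data_hex)


def describe_log(lines: List[str]) -> List[str]:
    """One human-readable line per frame, in the spirit of a pretty-printer."""
    out = []
    for line in lines:
        _, iface, can_id, data = parse_candump_line(line)
        j = decode_j1939_id(can_id)
        da = "broadcast" if j.destination is None else "%#04x" % j.destination
        out.append("%s pgn=%d (%s) prio=%d sa=%#04x da=%s data=%s" % (
            iface, j.pgn, PGN_NAMES.get(j.pgn, "unknown"), j.priority, j.source, da, data.hex()))
    return out


# Constructed sample log; the identifiers are valid J1939 but the payloads are arbitrary.
SAMPLE_LOG = [
    "(1600000000.000001) can1 18FEF100#FFFF0C0000FFFFFF",
    "(1600000000.000002) can1 0CF00400#F07D8E8C0F00FFFF",
    "(1600000000.000003) can1 0CEA00F9#00EE00",
]

if __name__ == "__main__":
    for entry in describe_log(SAMPLE_LOG):
        print(entry)
    # Placeholder NAME of all zeros: a real NAME encodes manufacturer, function, etc.
    print(build_address_claim(0x80, bytes(8)).hex())
```

The PDU1/PDU2 split on PF < 240 is the part most often gotten wrong when hand-decoding traffic: for PDU1 the low byte of the identifier's middle field is the destination address and must be masked out of the PGN before a database lookup. To actually transmit, the bytes returned by pack_can_frame would be written to a socket created with socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW) and bound to the interface.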
If you want to know more about what's actually happening in this snippet, where address claim messages are being put together, I recommend you check out the presentation on our portal by Dr. Daily, and you can see some of the sample code at Dr. Daily's GitHub there. So there are lots of alternatives for sending J1939. Since Linux 5.4, there actually is a new SocketCAN type, CAN_J1939, which can be used from CPython 3.9, so as long as you're above that, you can go direct to CAN_J1939 for your socket type instead of using CAN_RAW like we saw in the snippet. That is how Haystack put together the TruckDuck for py-hv-networks, but it was done in a backport, so it isn't available mainline until much more recently. There are a lot of different kinds of semi-dead or semi-active Python things out there; the one that seems to be the most actively developed is python-can-j1939, linked here. That one uses CAN_RAW, so it will be workable on more systems than just the most recent kernels. The API that it has there is best suited for developing J1939 ECUs, but I'm sure it would still be fine for putting together messages that you want to send. All that to say that SocketCAN isn't the only way to send J1939; there are other tools such as CanCat and truckdevil which are great for sending J1939 traffic as well. So let's move to J1708 and J1587 and J2497. You can decode all these networks using the pretty_j1587 tools, and this is the tool that will take the SAE PDFs of J1587 and J1708. It'll convert them into a database, and then if you feed it frames from J1708 or any of the other networks we mentioned here, it'll actually do the decoding. This was presented last year at the CHV by Dan Salam and Thomas Hayes. The data you see here is actually from a couple of attempts at launching the Nerf darts last year; this was by you locks, who gave it a shot. Spoiler: neither of these worked, but it was a good idea. We're both sending data.
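As an added example of the J1708/J1587 decoding just described (my own code, not pretty_j1587 or any NMFTA tool), the block below validates the J1708 link-layer checksum, walks the J1587 PID fields of a message body (1-byte, 2-byte, count-prefixed and page-extended PIDs, plus the data link escape), and scales two common parameters. The MID/PID label tables are a small illustrative subset, the sample message is constructed, and the checks on truncated or tampered messages show the failure modes a decoder should refuse rather than guess at.

```python
from typing import Dict, List, Tuple

# Illustrative subset of J1587 identifiers; labels only, not a full database.
MID_NAMES = {128: "Engine #1", 136: "Brakes - ABS (tractor)"}
PID_NAMES = {84: "Road speed", 190: "Engine speed"}


def j1708_checksum(body: bytes) -> int:
    """J1708 checksum: two's complement of the 8-bit sum of MID and data bytes."""
    return (-sum(body)) & 0xFF


def build_j1708_message(mid: int, data: bytes) -> bytes:
    """MID, then parameter fields, then the checksum byte."""
    body = bytes([mid]) + data
    return body + bytes([j1708_checksum(body)])


def validate_j1708(msg: bytes) -> bool:
    """A well-formed message, checksum included, sums to zero mod 256."""
    return len(msg) >= 2 and (sum(msg) & 0xFF) == 0


def split_j1587_pids(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the parameter fields of a J1587 body (everything between MID and checksum).

    J1587 field lengths are implied by the PID value: 0-127 carry one data byte,
    128-191 two bytes, 192-253 a count byte followed by that many bytes,
    254 is the data link escape (rest of message), 255 is a page extension.
    """
    fields = []
    i = 0
    page = 0
    while i < len(data):
        pid = data[i]
        i += 1
        if pid == 255:                      # page extension: following PID is +256 per page
            page += 1
            continue
        full_pid = pid + 256 * page
        page = 0
        if pid == 254:                      # data link escape: remainder is addressed to a MID
            fields.append((full_pid, data[i:]))
            break
        if pid < 128:
            n = 1
        elif pid < 192:
            n = 2
        else:
            if i >= len(data):
                raise ValueError("truncated count byte for PID %d" % full_pid)
            n = data[i]
            i += 1
        if i + n > len(data):
            raise ValueError("truncated parameter for PID %d" % full_pid)
        fields.append((full_pid, data[i:i + n]))
        i += n
    return fields


def decode_j1587(msg: bytes) -> Dict[str, object]:
    """Checksum-check a message, then decode the parameters this example knows about."""
    if not validate_j1708(msg):
        raise ValueError("bad J1708 checksum")
    mid = msg[0]
    params: Dict[str, object] = {}
    for pid, raw in split_j1587_pids(msg[1:-1]):
        if pid == 84:                                   # 0.5 mph per bit
            params["road_speed_mph"] = raw[0] * 0.5
        elif pid == 190:                                # 0.25 rpm per bit, low byte first
            params["engine_rpm"] = int.from_bytes(raw, "little") * 0.25
        else:
            params["pid_%d" % pid] = raw.hex()
    return {"mid": mid, "mid_name": MID_NAMES.get(mid, "unknown"), "params": params}


# Constructed sample: engine #1 reporting road speed 50 mph and 600 rpm.
SAMPLE_MSG = build_j1708_message(128, bytes([84, 0x64, 190, 0x60, 0x09]))

if __name__ == "__main__":
    print(SAMPLE_MSG.hex())
    print(decode_j1587(SAMPLE_MSG))
```

Because the J1708 checksum is a plain modular sum, it catches line noise but provides no integrity against a deliberately crafted message, which is one reason replayed or spoofed J1587 parameters decode as cleanly as genuine ones; a monitoring tool has to look at which MID is claiming to send what, and how often, rather than trusting the checksum.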
So you can do that using j1708send on a TruckDuck; some hardware modifications are required, and for details on that see the GitHub as well as the talk last year. Right, and those aren't the only tools. We mentioned this earlier: there are non-SocketCAN options such as truckdevil and CanCat, which are great tools for putting together your own CAN frames or even receiving your own CAN frames from J1939. The canmatrix tool is great for converting between different database formats. It actually has a basic J1939 DBC that's available in it. The J2497 receiver developed by Chris Poore at AIS actually does J2497 decoding on SDRs. The py-hv-networks library by Haystack and Six_Volts does J1708 sending as well as J1708 receiving. And of course, USB-Links and DPA 4s. First up is truckdevil by Hannah Silva. It actually does decoding and logging and sending, works on the Macchina M2, and there is a really cool fuzzer that's in development. Hannah put together training videos, and these training videos for truckdevil are also available on our portal. CanCat, which is developed by Atlas, uses a custom firmware for the M2, and it has its own clients, which include J1939 support. CanCat is developed much like a lot of Atlas's stuff, as an interactive Python REPL. So if you're into programming at a REPL, this might be for you. There's canmatrix; don't forget there is a basic J1939 DBC in canmatrix by Eduard Bröcker. The J2497 receiver by Chris Poore at AIS is freely licensed if you want to use it. It has flowgraphs and custom blocks, and it will let you read J2497 traffic if you have an SDR. This is pretty much the only way to send J1708/J1587 traffic using open source software; it works only on the TruckDuck at this point anyways. So if you need to send J1708/J1587 traffic, you're going to want to head to this. So having open source software and open source hardware isn't your only option.
When you're dealing with trucks, you're going to run into OEM diagnostic software. It's a really good idea to have what are called vehicle diagnostic adapters. They also have a standardized programming interface, DLLs in fact, that are specified by RP 1210. So having an RP 1210 VDA really lets you use any of the OEM software. The Nexiq USB-Link in particular is cheap and easy to find. There are definitely rip-off versions that you can find on less reputable sites, but we of course recommend you buy the real one. The original USB-Link, the original, not the version 2, actually has a DB15 connector, which we highly recommend because there are a lot of cheap cables and adapters for DB15, as opposed to some of the newer stuff that has moved to DB25 and other higher density connectors. In a similar vein is the DG Tech DPA 4, also RP 1210 compatible, which also has a DB15 connector, which is really useful. The DPA 5 does not have the DB15 connector, although it's also a really great adapter. The drivers for both of these DPAs include a really useful data logging feature that they call a debug file, but when you turn it on, you get a dump of all the traffic going on on all the buses on the diagnostic adapter. So I hope we covered everything we wanted to cover. In review, I hope I convinced you that commercial transportation is important to everybody. And I showed you that trucks have three main types of vehicle networks; two of these vehicle networks are found on all the trucks in North America. We did a survey of all the public hacks of trucks by a whole bunch of people, and there's definitely room for more. And I showed you how you can get involved in a whole bunch of different ways. So, you know, personal transportation is important, and I think this talk has convinced you. Lastly, our program, the Commercial Transportation Security Research Program at the NMFTA, is always open to collaboration.
We fund, as well as collaborate directly on, a variety of topics including vehicle security offense and defense, which you saw in this talk. We're also interested in back-end system security, distribution center security, and both mainframe and midrange, so IBM Z and IBM i, security. If you are interested in collaborating on a particular project or idea, please do reach out to us. We're always looking for great, smart people to work with. So, thank you very much for your time. I'll be available on Discord for questions, and I'll see you around the corner. Bye.