def _random_memory_addr_pkt(addr_len=None, size_len=None, size=None): # type: (Optional[int], Optional[int], Optional[int]) -> Packet pkt = UDS() / UDS_RMBA() # type: Packet pkt.memorySizeLen = size_len or random.randint(1, 4) pkt.memoryAddressLen = addr_len or random.randint(1, 4) UDS_RMBARandomEnumerator.set_size(pkt, size or 4) UDS_RMBARandomEnumerator.set_addr( pkt, random.randint( 0, (2 ** (8 * pkt.memoryAddressLen) - 1)) & 0xfffffff0) return pkt
def _random_memory_addr_pkt(addr_len=None): # noqa: E501 # type: (Optional[int]) -> Packet pkt = UDS() / UDS_RD() # type: Packet pkt.dataFormatIdentifiers = random.randint(0, 16) pkt.memorySizeLen = random.randint(1, 4) pkt.memoryAddressLen = addr_len or random.randint(1, 4) UDS_RMBARandomEnumerator.set_size(pkt, 0x10) addr = random.randint(0, 2 ** (8 * pkt.memoryAddressLen) - 1) & \ (0xffffffff << (4 * pkt.memoryAddressLen)) UDS_RMBARandomEnumerator.set_addr(pkt, addr) return pkt
def get_key_pkt(seed, level=1): # type: (Packet, int) -> Optional[Packet] def key_function_int(s): # type: (int) -> int return 0xffffffff & ~s def key_function_short(s): # type: (int) -> int return 0xffff & ~s try: s = seed.securitySeed except AttributeError: return None fmt = None key_function = None # Optional[Callable[[int], int]] if len(s) == 2: fmt = "H" key_function = key_function_short if len(s) == 4: fmt = "I" key_function = key_function_int if key_function is not None and fmt is not None: key = struct.pack(fmt, key_function(struct.unpack(fmt, s)[0])) return cast( Packet, UDS() / UDS_SA(securityAccessType=level + 1, securityKey=key)) else: return None
def _get_initial_requests(self, **kwargs): # type: (Any) -> Iterable[Packet] # Only generate services with unset positive response bit (0x40) as # default scan_range scan_range = kwargs.pop("scan_range", (x for x in range(0x100) if not x & 0x40)) return (UDS(service=x) for x in scan_range)
def _get_initial_requests(self, **kwargs): # type: (Any) -> Iterable[Packet] control_type = kwargs.pop("scan_range", range(0x100)) return cast( Iterable[Packet], UDS() / UDS_CC(controlType=control_type, communicationType0=1, communicationType2=15))
def _get_initial_requests(self, **kwargs): # type: (Any) -> Iterable[Packet] scan_range = kwargs.pop("scan_range", range(0x10000)) rdbi_enumerator = kwargs.pop("rdbi_enumerator", None) if rdbi_enumerator is None: log_interactive.debug("[i] Use entire scan range") return (UDS() / UDS_WDBI(dataIdentifier=x) for x in scan_range) elif isinstance(rdbi_enumerator, UDS_RDBIEnumerator): log_interactive.debug("[i] Selective scan based on RDBI results") return (UDS() / UDS_WDBI(dataIdentifier=t.resp.dataIdentifier) / Raw(load=bytes(t.resp)[3:]) for t in rdbi_enumerator.results_with_positive_response if len(bytes(t.resp)) >= 3) else: raise Scapy_Exception("rdbi_enumerator has to be an instance " "of UDS_RDBIEnumerator")
def _get_initial_requests(self, **kwargs): # type: (Any) -> Iterable[Packet] type_list = kwargs.pop("type_list", [1, 2, 3]) scan_range = kwargs.pop("scan_range", range(0x10000)) return ( UDS() / UDS_RC(routineControlType=rc_type, routineIdentifier=data_id) for rc_type, data_id in itertools.product(type_list, scan_range))
def enter(socket, # type: _SocketUnion configuration, # type: AutomotiveTestCaseExecutorConfiguration _ # type: Dict[str, Any] ): # type: (...) -> bool if configuration.unittest: configuration["tps"] = None socket.sr1(UDS() / UDS_TP(), timeout=0.1, verbose=False) return True UDS_TPEnumerator.cleanup(socket, configuration) configuration["tps"] = UDS_TesterPresentSender(socket) configuration["tps"].start() return True
def _get_initial_requests(self, **kwargs): # type: (Any) -> Iterable[Packet] samples_per_block = { 4: 29, 5: 22, 6: 19, 8: 11, 9: 11, 10: 13, 11: 14, 12: 31, 13: 4, 14: 26, 16: 30, 17: 4, 18: 20, 19: 5, 20: 49, 21: 54, 22: 9, 23: 4, 24: 10, 25: 8, 28: 6, 29: 3, 32: 11, 36: 4, 37: 3, 40: 9, 41: 9, 42: 3, 44: 2, 47: 3, 48: 4, 49: 3, 52: 8, 64: 35, 66: 2, 68: 24, 69: 19, 70: 30, 71: 28, 72: 16, 73: 4, 74: 6, 75: 27, 76: 41, 77: 11, 78: 6, 81: 2, 88: 3, 90: 2, 92: 16, 97: 15, 98: 20, 100: 6, 101: 5, 102: 5, 103: 10, 106: 10, 108: 4, 124: 3, 128: 7, 136: 15, 137: 14, 138: 27, 139: 10, 148: 9, 150: 2, 152: 2, 168: 23, 169: 15, 170: 16, 171: 16, 172: 2, 176: 3, 177: 4, 178: 2, 187: 2, 232: 3, 235: 2, 240: 8, 252: 25, 256: 7, 257: 2, 287: 6, 290: 2, 316: 2, 319: 3, 323: 3, 324: 19, 326: 2, 327: 2, 330: 4, 331: 10, 332: 3, 334: 8, 338: 3, 832: 6, 833: 2, 900: 4, 956: 4, 958: 3, 964: 12, 965: 13, 966: 34, 967: 3, 972: 10, 1000: 3, 1012: 23, 1013: 14, 1014: 15 } to_scan = [] block_size = UDS_RDBIRandomEnumerator.block_size probe_start = kwargs.pop("probe_start", 0) probe_end = kwargs.pop("probe_end", 0x10000) probe_range = range(probe_start, probe_end, block_size) for block_index, start in enumerate(probe_range): end = start + block_size count_samples = samples_per_block.get(block_index, 1) to_scan += random.sample(range(start, end), count_samples) # Use locality effect # If an identifier brought a positive response in any state, # it is likely that in another state it is available as well positive_identifiers = [t.resp.dataIdentifier for t in self.results_with_positive_response] to_scan += positive_identifiers # make all identifiers unique with set() # Sort for better logs to_scan = sorted(list(set(to_scan))) return (UDS() / UDS_RDBI(identifiers=[x]) for x in to_scan)
def get_seed_pkt(sock, level=1, record=b""): # type: (_SocketUnion, int, bytes) -> Optional[Packet] req = UDS() / UDS_SA(securityAccessType=level, securityAccessDataRecord=record) for _ in range(10): seed = sock.sr1(req, timeout=5, verbose=False) if seed is None: return None elif seed.service == 0x7f and \ UDS_Enumerator._get_negative_response_code(seed) != 0x37: log_interactive.info("Security access no seed! NR: %s", repr(seed)) return None elif seed.service == 0x7f and seed.negativeResponseCode == 0x37: log_interactive.info("Security access retry to get seed") time.sleep(10) continue else: return seed return None
def __pois_to_requests(self, pois): # type: (List[_PointOfInterest]) -> List[Packet] tested_addrs = self._get_memory_addresses_from_results( self.results_with_response) testing_addrs = set() new_requests = list() for addr, upward, mem_size_len, mem_addr_len, mem_size in pois: for i in range(0, mem_size * 50, mem_size): if upward: addr = min(addr + i, 2**(8 * mem_addr_len) - 1) else: addr = max(addr - i, 0) if addr not in tested_addrs and \ (addr, mem_size) not in testing_addrs: pkt = UDS() / UDS_RMBA(memorySizeLen=mem_size_len, memoryAddressLen=mem_addr_len) self.set_size(pkt, mem_size) self.set_addr(pkt, addr) new_requests.append(pkt) testing_addrs.add((addr, mem_size)) return new_requests
def hsfz_scan( ip, # type: str scan_range=range(0x100), # type: Iterable[int] src=0xf4, # type: int timeout=0.1, # type: Union[int, float] verbose=True # type: bool ): # type: (...) -> List[UDS_HSFZSocket] """ Helper function to scan for HSFZ endpoints. Example: >>> sockets = hsfz_scan("192.168.0.42") :param ip: IPv4 address of target to scan :param scan_range: Range for HSFZ destination address :param src: HSFZ source address, used during the scan :param timeout: Timeout for each request :param verbose: Show information during scan, if True :return: A list of open UDS_HSFZSockets """ results = list() for i in scan_range: with UDS_HSFZSocket(src, i, ip) as sock: try: resp = sock.sr1(UDS() / UDS_TP(), timeout=timeout, verbose=False) if resp: results.append((i, resp)) if resp and verbose: print("Found endpoint %s, src=0x%x, dst=0x%x" % (ip, src, i)) except Exception as e: print("Error %s at destination address 0x%x" % (e, i)) return [UDS_HSFZSocket(0xf4, dst, ip) for dst, _ in results]
def _get_initial_requests(self, **kwargs): # type: (Any) -> Iterable[Packet] pdid = kwargs.pop("scan_range", range(0x100)) return cast( Iterable[Packet], UDS() / UDS_RDBPI(transmissionMode=1, periodicDataIdentifier=pdid))
def _get_initial_requests(self, **kwargs): # type: (Any) -> Iterable[Packet] scan_range = kwargs.pop("scan_range", range(0x10000)) return (UDS() / UDS_IOCBI(dataIdentifier=x) for x in scan_range)
def _get_initial_requests(self, **kwargs): # type: (Any) -> Iterable[Packet] session_range = kwargs.pop("scan_range", range(2, 0x100)) return UDS() / UDS_DSC(diagnosticSessionType=session_range)
def _get_initial_requests(self, **kwargs): # type: (Any) -> Iterable[Packet] cnt = kwargs.pop("scan_range", range(0x100)) return cast(Iterable[Packet], UDS() / UDS_TD(blockSequenceCounter=cnt))
def _get_initial_requests(self, **kwargs): # type: (Any) -> Iterable[Packet] return [UDS() / UDS_TP()]
def _get_initial_requests(self, **kwargs): # type: (Any) -> Iterable[Packet] reset_type = kwargs.pop("scan_range", range(0x100)) return cast(Iterable[Packet], UDS() / UDS_ER(resetType=reset_type))
def _get_initial_requests(self, **kwargs): # type: (Any) -> Iterable[Packet] scan_range = kwargs.pop("scan_range", range(1, 256, 2)) return (UDS() / UDS_SA(securityAccessType=x) for x in scan_range)
def _get_initial_requests(self, **kwargs): # type: (Any) -> Iterable[Packet] # Only generate services with unset positive response bit (0x40) return (UDS(service=x) for x in range(0x100) if not x & 0x40)