-
Notifications
You must be signed in to change notification settings - Fork 14
mod_stat
This module is designed for CAN traffic sniffing and analyses. Module receives CAN frames from PIPE and saves it in the memory for future analysis and actions. This module is used for understanding CAN traffic, detecting control/event frames and data extraction.
Put this module in any PIPE that have some CAN traffic, for example after hw_USBTin module. Config example:
load_modules = {
'hw_USBtin': {'port':'auto', 'debug':1, 'speed':500}, # IO hardware module
'mod_stat': {'meta_file':'meta.txt',} # Stats
}
# Now let's describe the logic of this test
actions = [
{'hw_USBtin': {'action': 'read','pipe': 1}}, # Read to PIPE 1
{'mod_stat': {'pipe': 1}} # collect sniffed packets
]
By default all frames will be sniffed in buffer with index 0. But you can switch sniffing to another buffer (will be index 1, then 2 and etc).
For STATCHECK features sthis module also generate some CAN traffic (replays).
cmd: p
parameters: [index]
example: 1
Print stats for CAN frames in buffer with index 1. If buffer index is not specified, then all buffers will be printed.
cmd: a
parameter 1: <UDS|ISO|FRAG|ALL(defaut)>
- UDS - Detect UDS sessions
- ISO - Detect CAN trffic in ISO TP format
- FRAG - Detect loops with counter/index in first byte.
parameter 2: [buffer index]
example: UDS, 1
Detect UDS sessions in buffer with index 1.
Perform basic analysis of captured CAN traffic. If parameter 1 is not specified, then ALL analysis will be performed. Parameter 2 specifies a buffer (by index) that should be used. if not specified, then all buffers will be parsed.
cmd: u
parameter 1: [shift value]
example: 0x20
New UDS shift for response is 0x20
By default Analysis of captured traffic for UDS analysis using UDS ID shift for response detection equal 8. But this value could be different and if you want to change it use this command and perform Analysis again.
cmd: D
parameter 1: [name]
example: Unlock_Action
Switch all sniffing to a new buffer with name Unlock_Action
Create a new buffer (index value will be increased by 1). All new CAN frames will be sniffed into created buffer. Name parameter is optional.
cmd: I
parameter 1: [buffer index 1]
parameter 2: [buffer index 2]
parameter 3: [uniq values max]
example: 0, 1, 2
Find differences from buffer with index 1 against buffer with index 0. Remove all ID from output that have more than 2 unique values in buffer with index 1.
This function could be used for detecting CAN frames that are exists in buffer (parameter 2) but not found in another buffer (index of this buffer specified in parameter 1). This "diff" is based on new arbitration ID and DATA bytes of CAN frames. Other words it is just a difference of two sets.
Third parameter is additional filter for amount of uniq. values for each ID.
If index parameters are not set, then last two buffers will be used. If last parameter is not set then no additional filter applied.
cmd: Y
parameter 1: <filename>
parameter 2: [buffer index 1,buffer index 2]
parameter 3: [uniq values max]
example: dump_cantoolz.replay, 0, 1 , 2
Dump difference between buffer with index 0 and 1, with filter on max values equal 2 into the file: 'dump_cantoolz.replay'
Same as above, but output will be saved as CANToolz replay file that could be used later for replay or analysis.
cmd: F
parameter 1: <ID>
example: 0x70f
Find all CAN frames with arbitration ID 0x70F in all buffers.
cmd: train
parameter 1: [buffer index]
example: 1
Make profiling on buffer with index 1.
This is STATCHECK 'trainer'. This feature collect some statistical information about CAN traffic from chosen buffer. Currently this function 'rermember' bits that have been changed for each ID. Also we collect time-period between each frames for same ID and remember minimums.
cmd: check
parameter 1: [buffer index]
example: 1
Compare statistics from chosen buffer with something we learn on previous step (command STATCHECK: profiling on normal traffic (EXPEREMENTAL))
On this stage we could find 'abnormal' changes ( bit or bits never been changed before). Also if CAN frames have been sent more frequently just after this "abnormal change" it will be also collected. Then function remove possible "noise" by excluding those abnormalities that are not correlated with other abnormalities in same buffer. AS result we will get 'event's session'. More accurate and effective then simple diff method.
cmd: check
When all previous STATCHECK functions passed we could try to find 'main action frame'. For example we are trying to find "how to do the unlock", and we successfully have session extracted by *STATCHECK: find abnormalities on 'event' traffic (EXPEREMENTAL) then this function will replay CAN frames from this extraction one by one and then collect 'abnormal' changes that are same as we have extracted. So if replayed frame causes same 'abnormal' changes in CAN traffic than this frame is what we are looking for (high possibility)
cmd: **load
parameter: filename1[,filename2,...]
Load CAN frames stored in CANToolz eplay format. Each file will be loaded into new buffer. New buffers will be named as files.
cmd: c
Clean all buffers and memory.
cmd: i
parameters: <ID>, <data regex ASCII HEX>, <description>
example: 0x70f, ..2F2F.*, Unlock command
Add description for CAN frames. This will be stored and applied each time your call next functions:
- Print current table
- Dump buffer (if index is empty then all) in CSV format
- Dump STATS for buffer (if index is empty then all) in CSV format
cmd: bits
parameters: <ID>, <LEN>, <TYPE>:<LAST BIT INDEX>:<DESCRIPTION>[,...]
- ID: Arbitration ID
- LEN: Length of CAN frame
- TYPE: how to extract data:
- bin - binary
- int - integer
- hex - hex
- ascii - ascii string
- LAST BIT INDEX: Last bit index. Let's say we have 0x112233 as a data, and we want to extract all 3 bytes as three fields, than for 0x11 LAST INDEX is 8 (from 0 to 8), for 0x22 - 16 (from 8 to 16) and for 0x33 last bit index is 24
example: 0x611, 5, int:16:Speed, int:32:RPM
Extract data from CAN data.
These 'extraction rules' will be stored and applied each time your call next functions:
- Print current table
- Dump STATS for buffer (if index is empty then all) in CSV format
cmd: z
Parameter: <filename>
Save all meta-data rules to the file
cmd: l
Parameter: <filename>
Load all meta-data rules from the file
cmd: r
Parameter: <filename>, [index]
Example: dump.replay, 2
Dump all CAN frames form buffer with index 2 into file dump.replay
cmd: d2
Parameter: <filename>, [index]
Example: dump.csv, 2
Dump all CAN frames form buffer with index 2 into file dump.csv. If no index specified then all buffers will be dumped.
cmd: d
Parameter: <filename>, [index]
Example: dump.csv, 2
Dump STATS extraction for all CAN frames form buffer with index 2 into file dump.csv. If no index specified then all buffers will be dumped.
uds_shift - optional. default value is 8.
This parameter tells module which offset should be used for UDS response ID. By default response ID on UDS request is +8 to ID of UDS request. For other vendors it can be other value, for example for VW it could be 0x6a.
meta_file - optional. no values by default.
Path to a META file that will be used for this traffic. META file describes already known things in the traffic. File format (and possible features):
{ 'description':{ (1337,'00FF'):'action 1 description', (1337,'0000'):'action 2 description } }
1337 - CAN frame ID '00FF' - regex for CAN frame data
So all frames 1337:3:00FF11 - will be commented as 'action 1 description'
None.