uds_scan

Alexey Sintsov edited this page Mar 29, 2017 · 10 revisions

UDS Scan: how to find UDS services

Target: we want to find out whether any UDS services are reachable from the OBD-II socket and, if so, which arbitration IDs they use.

Connect to OBDII and do a UDS scan

Our task is pretty simple: connect CANToolz to the OBD-II port and find a few UDS services (the services most interesting from a security point of view, and reachable from OBD-II). The problem with UDS is that it does not send anything on the bus on its own, so until you send a UDS request you will see nothing; on some cars the OBD-II port is completely silent. Of course, if you have UDS client software or a device, you can sniff its traffic, but it is also possible to scan every arbitration ID from OBD-II to find services (possibly even ones the client software does not use). Our method here is VERY CLOSE to simple TCP port scanning: you send a request, and if the service is available you get a response. First of all we need a config for CANToolz:

load_modules = {
   'hw_USBtin':    {'port': 'auto', 'debug': 1, 'speed': 500},   # IO hardware module
   'gen_ping' :    {},                                            # Generator/Ping
   'mod_stat':     {}                                             # Mod stat to see results
}

actions = [
  {'hw_USBtin':   {'action': 'read'}}, # Read to PIPE 1
  {'mod_stat':    {}},                 # Mod stat (with CAN traffic analyzer)
  {'gen_ping':    {                    # Generate UDS requests
      'pipe': 2,
      'delay': 0.06,                   # seconds between pings, so we do not flood the bus
      'range': [1, 2047],              # ID range: 1 to 2046 (end value is exclusive)
      'services':[{'service': 0x10, 'sub': 0x01},   # DiagnosticSessionControl, default session
                  {'service': 0x3E, 'sub': None},   # TesterPresent without sub-function
                  {'service': 0x3E, 'sub': 0x01}],  # TesterPresent with sub-function 0x01
      'mode':'UDS'}
  },
  {'mod_stat':    {'pipe': 2}},
  {'hw_USBtin':   {'action': 'write','pipe':2}}
  ]

We will not repeat the details of the config structure; you can find this info here. This config simply reads everything from the CAN bus and saves it into mod_stat. On the second pipe we have gen_ping, which generates the scan requests. We scan IDs from 1 to 2046, and for each ID we send three UDS requests: service 0x10 with sub-function 0x01, service 0x3E with sub-function 0x01, and service 0x3E without a sub-function. The 'delay' parameter is also important: we do not want to DoS the CAN bus with high-rate pings, so we set a delay between each ping request.

When the config is ready, run CANToolz and press Activate on gen_ping. After the scan finishes (the status bar in the web GUI will inform you), go to mod_stat and press "Analyses of captured traffic". If any UDS responses came back you will see them here, together with the decoding of some services and sub-functions. Super simple!

In some cases this will not work correctly, because the UDS/ISO-TP implementation is 'custom' and depends on the automotive vendor.

For example, some cars require padding to 8 bytes even if your request is shorter than 8 bytes. Some vendors use a different offset between request ID and response ID (in CAN the ID is the only addressing we have; in general a UDS response ID is the request ID + 0x08, but a vendor can change this value). If the vendor does not use 0x08, you can still see or guess this 'shift' and set it in mod_stat. So in the next example the vendor uses padding 0x55 and a 'shift' of 0x6a between request and response (but for some services it is 0x8). (Regarding black-box work: the shift can be found, but padding can be a problem. Scan without padding first, then, if nothing is found, with padding; the padding value can be anything, so in the worst case you have to brute-force it.)
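To make the request format and the response matching concrete, here is an added Python example (not CANToolz code; the frame bytes are constructed, not captured from a car). It builds the ISO-TP single-frame requests the scan above sends, with optional padding, and classifies captured frames as positive or negative UDS responses using the request-ID/response-ID shift (0x08 by default, or a vendor-specific value such as 0x6a).

```python
# Added example, not part of CANToolz. Sample frames below are constructed for
# illustration; the service list matches the gen_ping config on this page.

def build_uds_request(service, sub=None, pad=None):
    """ISO-TP single frame: [length, SID, (sub-function)], optionally padded to 8 bytes."""
    body = bytes([service]) + (bytes([sub]) if sub is not None else b"")
    frame = bytes([len(body)]) + body
    if pad is not None:                               # some vendors require 8-byte frames
        frame += bytes([pad]) * (8 - len(frame))
    return frame

def classify_response(frame):
    """Return ('positive', sid), ('negative', sid, nrc) or None for a CAN data field."""
    if len(frame) < 2 or not (1 <= frame[0] <= 7):   # single-frame length nibble only
        return None
    payload = frame[1:1 + frame[0]]
    if payload[0] == 0x7F and len(payload) >= 3:     # negative response: 7F <SID> <NRC>
        return ("negative", payload[1], payload[2])
    if payload[0] >= 0x40:                           # positive response: SID + 0x40
        return ("positive", payload[0] - 0x40)
    return None

def find_uds_services(scanned_ids, captured, shift=0x08):
    """Map each scanned request ID to UDS responses observed at request_id + shift."""
    by_id = {}
    for can_id, data in captured:                     # index capture once by CAN ID
        by_id.setdefault(can_id, []).append(data)
    found = {}
    for rid in scanned_ids:
        for data in by_id.get(rid + shift, []):
            result = classify_response(data)
            if result is not None:
                found.setdefault(rid, []).append(result)
    return found

# Constructed capture: an ECU at 0x7E0 answers 0x10/0x01 positively and rejects
# 0x3E/0x01 with NRC 0x12 (sub-function not supported); 0x123 is unrelated traffic.
CAPTURED = [
    (0x7E8, bytes.fromhex("0650010032013F00")),
    (0x7E8, bytes.fromhex("037F3E1255555555")),
    (0x123, bytes.fromhex("0811223344556677")),
]

if __name__ == "__main__":
    print(build_uds_request(0x3E, None, pad=0x55).hex())   # 013e555555555555
    print(find_uds_services(range(1, 2047), CAPTURED))
```

With shift=0x6a the same capture would be attributed to request ID 0x77E instead, which is why the shift must be set to the vendor's value before reading the results.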

Now we have a full list of IDs with UDS services, and we can continue the research on those targets!

by Alexey Sintsov and Anton Sysoev