The instrument cluster simulator (ICSim) is one of the most useful tools to come out of Open Garages, a group that fosters open collaboration between mechanics, performance tuners, and security researchers. ICSim is a software utility designed to produce a few key CAN signals in order to provide a lot of seemingly “normal” background CAN noise—essentially, it’s designed to let you practice CAN bus reversing without having to tinker around with your car. (ICSim is Linux only because it relies on the virtual CAN devices.) The methods you’ll learn playing with ICSim will directly translate to your target vehicles. ICSim was designed as a safe way to familiarize yourself with CAN reversing so that the transition to an actual vehicle is as seamless as possible.
Setting Up the ICSim
Grab the source code for the ICSim from https://github.com/zombieCraig/ICSim and follow the README file supplied with the download to compile the software. Before you run ICSim, you should find a sample script in the README called setup_vcan.sh that you can run to set up a vcan0 interface for the ICSim to use. ICSim comes with two components, icsim and controls, which talk to each other over a CAN bus. To use ICSim, first load the instrument cluster to the vcan device like this:
$ ./icsim vcan0
In response, you should see the ICSim instrument cluster with turn signals, a speedometer, and a picture of a car, which will be used to show the car doors locking and unlocking.
The icsim application listens only for CAN signals, so when the ICSim first loads, you shouldn’t see any activity. In order to control the simulator, load the CANBus Control Panel like this:
The screen looks like a game controller; in fact, you can plug in a USB game controller, and it should be supported by ICSim.
You can use the controller to operate the ICSim in a method similar to driving a car using a gaming console, or you can control it by pressing the corresponding keys on your keyboard.
Lock (left shift), Unlock (right shift): This one requires you to press two buttons at once. Hold down the left shift and press a button (A, B, X, or Y) to lock the corresponding door. Hold down the right shift and press one of the buttons to unlock a door. If you hold down left shift and then press right shift, it will unlock all the doors. If you hold down right shift and press left shift, you’ll lock all the doors.
Make sure you can fit both the ICSim and the CANBus Control Panel on the same screen so that you can see how they influence each other. Then, select the control panel so that it’s ready to receive input. Play around with the controls to make sure that the ICSim is responding properly. If you don’t see a response to your controls, ensure that the ICSim control window is selected and active.
Reading CAN Bus Traffic on the ICSim
When you’re sure everything is working, fire up your sniffer of choice and take a look at the CAN bus traffic, as shown in Figure 5-10. Try to identify which packets control the vehicle, and create scripts to control ICSim without using the control panel. Most of the changing data you see is caused by a replay file of a real CAN bus. You’ll have to sort through the messages to determine the proper packets. All methods of replay and packet sending will work with ICSim, so you can validate your findings.
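One way to start sorting through the messages, added here as an example that is not part of ICSim or the original text: record one capture while the simulator is idle and one while you operate a control, then list the IDs and byte positions that took values never seen while idle. It assumes the captures are in the `candump -l` log format; the IDs and payloads in the sample are constructed, not ICSim's real values.

```python
import re
from collections import defaultdict

# candump -l log line: "(timestamp) interface ID#HEXDATA" (classic CAN data frames only)
FRAME = re.compile(r"\(\d+\.\d+\)\s+\S+\s+([0-9A-Fa-f]+)#((?:[0-9A-Fa-f]{2})*)\s*$")

def parse(log):
    """Yield (arbitration_id, payload) for every well-formed data frame line."""
    for line in log.splitlines():
        m = FRAME.match(line.strip())
        if m:  # remote frames (ID#R), CAN FD (ID##...) and junk lines are skipped
            yield int(m.group(1), 16), bytes.fromhex(m.group(2))

def byte_values(log):
    """Map each ID to {byte position: set of values seen at that position}."""
    seen = defaultdict(lambda: defaultdict(set))
    for can_id, data in parse(log):
        for pos, value in enumerate(data):
            seen[can_id][pos].add(value)
    return seen

def candidates(baseline_log, action_log):
    """Return {id: positions} whose bytes took values never seen in the baseline."""
    base, action = byte_values(baseline_log), byte_values(action_log)
    found = {}
    for can_id, positions in action.items():
        # A position counts only if it shows a value the idle capture never had,
        # so counters and other bytes that already vary while idle are ignored.
        changed = sorted(pos for pos, values in positions.items()
                         if values - base[can_id][pos])
        if changed:
            found[can_id] = changed
    return found

# Constructed sample captures (made-up IDs and payloads, not ICSim's real ones).
BASELINE = """\
(1700000000.000000) vcan0 1A0#0000000000
(1700000000.010000) vcan0 2B4#00FF10
(1700000000.020000) vcan0 2B4#01FE10
(1700000000.030000) vcan0 3C2#000000000F00
"""
ACTION = """\
(1700000010.000000) vcan0 2B4#00FE10
(1700000010.010000) vcan0 3C2#000000000E00
(1700000010.020000) vcan0 1A0#0000000000
"""

if __name__ == "__main__":
    for can_id, positions in candidates(BASELINE, ACTION).items():
        print(f"ID {can_id:03X}: changed byte positions {positions}")
```

The longer the idle capture, the fewer noisy bytes end up flagged, because more of their normal values are already recorded in the baseline.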
Changing the Difficulty of ICSim
One of the great things about ICSim is that you can challenge yourself by making it harder to find the target CAN traffic. ICSim supports four difficulty levels—0 through 3, with level 1 as the default. Level 0 is a super simple CAN packet that does the intended operation without any background noise, while level 3 randomizes all the bytes in the packet as well. To have the simulator choose different IDs and target byte positions, use ICSim’s randomize option:
$ ./icsim -r vcan0
Using CAN interface vcan0
This option prints a randomized seed value to the console screen. Pass this value into the CANBus Control Panel along with your choice of difficulty level:
$ ./controls -s 745892371 -l 3 vcan1
You can replay or share a specific seed value as well. If you find one you like or if you want to race your friends to see who can decipher the packets first, launch ICSim with a set seed value like this:
$ ./icsim -s 745892371 vcan1
Next, launch the CANBus Control Panel using the same seed value to sync up the randomized control panel to the ICSim. If the seed values aren’t the same, they won’t be able to communicate.
It may take you a while to locate the proper packets the first time using ICSim, but after a few passes, you should be able to quickly identify which packets are your targets.
Try to complete the following challenges in ICSim:
1. Create “hazard lights.” Make both turn signals blink at the same time.
2. Create a command that locks only the back two doors.
3. Set the speedometer as close as possible to 220 mph.