Vehicle-Scan

Warning

Any scan on a vehicle is performed at your own risk. Ensure that the vehicle under scan cannot cause any physical damage.

Background-Information

The following background information may be useful:

ISOTP Scan

In general, modern vehicles have a complex internal network.

Fig. 2 Network overview of a modern BMW vehicle.

A central gateway allows access to all ECUs in the network via the OBD-II port. The latest vehicles support access via DoIP/HSFZ; all vehicles support access via the OBD-II CAN interface. On CAN networks, ISOTP is used to address every individual ECU in the entire vehicle network. The gateway ECU routes ISOTP packets into the right subnet automatically. ISOTP supports the following addressing schemes:

Table 1 Overview of ISOTP addressing schemes with labels for internal reference.

Ref.  Description
A1    Normal addressing, 11-bit CAN identifier
A2    Normal fixed addressing, 29-bit CAN identifier
A3    Extended addressing, 11-bit CAN identifier
A4    Mixed addressing with 29-bit CAN identifier
A5    Mixed addressing with 11-bit CAN identifier

Unfortunately, every OEM uses different addressing schemes. For example:

  • BMW uses extended addressing (A3) with CAN identifier 0x6f1

  • VW uses normal addressing (A1) with CAN identifiers 0x700-0x7ff

  • Mercedes uses normal addressing (A1) with CAN identifiers 0x600-0x7ff

This has to be taken into account when an ISOTP scan is performed.

A good practice is to scan for ECUs with normal addressing with a CAN identifier range from 0x500-0x7ff. Vehicles from GM need to be scanned with a range from 0x200-0x300.

If this scan is not sufficient, an extended addressing scan should be performed with the same CAN identifier range 0x500-0x7ff. This scan will take approx. 10 times longer.
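Why the addressing scheme matters for a scan can be seen by decoding the same CAN frame under different schemes from Table 1. The following is an added example, not HydraScope code; `parse_isotp`, `IsoTpFrame` and the sample frame are constructed for illustration, and only classic CAN frames under A1, A2 and A3 are handled.

```python
from dataclasses import dataclass
from typing import Optional

PCI_NAMES = {0: "SingleFrame", 1: "FirstFrame", 2: "ConsecutiveFrame", 3: "FlowControl"}

@dataclass
class IsoTpFrame:
    target: Optional[int]   # ECU address carried by the frame, if the scheme has one
    pci: str                # frame type, taken from the high nibble of the PCI byte
    length: Optional[int]   # announced payload length (SingleFrame/FirstFrame only)
    payload: bytes

def parse_isotp(can_id: int, data: bytes, scheme: str) -> IsoTpFrame:
    """Decode one classic-CAN ISOTP frame under scheme A1, A2 or A3 (Table 1)."""
    if scheme not in ("A1", "A2", "A3"):
        raise ValueError(f"unsupported scheme {scheme!r}")
    if len(data) < (2 if scheme == "A3" else 1):
        raise ValueError("frame too short for a PCI byte")
    target = None
    if scheme == "A3":                    # extended: data byte 0 is the target address
        target, data = data[0], data[1:]
    elif scheme == "A2":                  # normal fixed: target sits in the 29-bit ID
        target = (can_id >> 8) & 0xFF
    kind, low = data[0] >> 4, data[0] & 0x0F
    if kind == 0:                         # SingleFrame: low nibble is the length
        return IsoTpFrame(target, PCI_NAMES[0], low, data[1:1 + low])
    if kind == 1 and len(data) >= 2:      # FirstFrame: 12-bit total length
        return IsoTpFrame(target, PCI_NAMES[1], (low << 8) | data[1], data[2:])
    if kind in (2, 3):                    # low nibble: sequence number / flow status
        return IsoTpFrame(target, PCI_NAMES[kind], None, data[1:])
    raise ValueError("not a valid ISOTP PCI byte")

# Constructed sample on CAN identifier 0x6f1; the target address 0x12 is made up.
SAMPLE = bytes.fromhex("1202100300000000")

if __name__ == "__main__":
    print(parse_isotp(0x6F1, SAMPLE, "A3"))   # 2-byte SingleFrame addressed to 0x12
    print(parse_isotp(0x6F1, SAMPLE, "A1"))   # misread as a 514-byte FirstFrame
```

Read with the wrong scheme, a short request looks like the start of a long multi-frame transfer, which is why a scan that assumes normal addressing finds nothing on a network that uses extended addressing.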

UDS Scan

On every identified ISOTP Endpoint, a UDS scan can be performed to identify the attack surface of this ECU (Endpoint).

Warning

A UDS scan can cause errors on an ECU if the wrong commands are sent. HydraScope is not restricted here. Please read the following advice carefully!

UDS System States

Every ECU has at least three different states, also called sessions:

  • DefaultSession (0x1)

  • ProgrammingSession (0x2)

  • ExtendedDiagnosticSession (0x3)

Usually, the ECU runs in the normal application for session 0x1 and session 0x3. If a tester requests a session change to the ProgrammingSession, the ECU usually enters the internal bootloader. If this change is performed on a vehicle, other ECUs will detect errors, since one ECU isn’t “acting normal” on the bus. A change to the programming session results in errors which are usually logged as Diagnostic Trouble Codes (DTCs).

However, this change is not permanent. According to the UDS standard, an ECU leaves the ProgrammingSession after 5 seconds. In the worst case, an ignition cycle or the unplugging and reconnecting of the battery will restore the vehicle to an operating state.

UDS WriteDataByIdentifier

The UDS command WriteDataByIdentifier has the capability to modify data of an ECU. With this command, an ECU can become misconfigured and its functionality can be disturbed. HydraScope uses a smart scan approach which first reads the data of an identifier and then tries to write the same data back to the identifier. In this way, no data changes to an identifier are made.

However, please be aware that this scan could modify the configuration of your ECU.

UDS RoutineControl

The UDS RoutineControl command is used for multiple “dangerous” operations by OEMs. For example, the flash memory of an ECU can be erased or physical actuators on the car can be triggered via routine control jobs.

The UDS protocol specifies three different routine types:

  • StartRoutine (0x1)

  • StopRoutine (0x2)

  • RequestRoutineResults (0x3)

StartRoutine is used to trigger certain actions in most cases. StopRoutine can stop the execution of a routine that runs for a longer time, for example maintenance jobs that cause permanent physical changes on the car, such as parking brake cylinder movements. Some routines support a result function, such as the calculation of a checksum of a firmware image.

Warning

If you work on a real car, please never use StartRoutine for a scan job. This could cause serious failures or physical actions!

Either use the “RoutineControl (0x31) Enumeration” with the modifications shown below, or use “Smart RoutineControl (0x31) Enumeration”.

Fig. 3 Only execute RoutineControl Enumeration with the RoutineControlTypes 2 and 3!!!

UDS InputOutputControlByIdentifier

This command is similar to the UDS RoutineControl command. This command can lead to physical actions on the car, if certain outputs of an ECU are modified by a scan.

UDS CommunicationControl

This command allows a tester to modify the communication behaviour of an ECU. For example, this command can instruct an ECU to stop sending and/or receiving any messages. The purpose of this command is to lower the CAN bus utilization to save bandwidth when software updates are performed.

The effects of this command shouldn’t be permanent; however, certain OEMs might not follow the UDS specifications strictly.

General recommendations

Vehicles tend to save power whenever they can. This has to be kept in mind during any scan operation. Depending on the configuration of the scan, it can take up to multiple hours. It’s very important to keep the car awake for this time.

  • Some cars stay on, as long as ignition is turned on

  • Some cars need the engine to be turned on, to stay awake

Safe UDS-Scan configurations

This section shows non-dangerous configurations for the UDS scan and discusses the possible settings.

Service Enumerator

Configuration

This enumerator is safe to use inside a vehicle.

Diagnostic Session Control Enumerator

Configuration

This enumerator is safe to use inside a vehicle with a scan range of 0x1 and 0x3. It should be possible to also use the scan range 0x1,0x2,0x3, but the use of ProgrammingSession could cause temporary errors on the car.

Read Data By Identifier Enumerator

Configuration

This enumerator is safe to use inside a vehicle. Please note that a scan of the default range 0x0-0xffff can take up to 30 minutes!

Smart Read Data By Identifier Enumerator and Smart Write Data By Identifier Enumerator

Configuration

These enumerators are safe to use inside a vehicle. Please note that a scan can take up to 10 minutes!

Security Access Enumerator

Configuration

This enumerator is safe to use inside a vehicle.

Routine Control Enumerator

Configuration

This enumerator is safe to use inside a vehicle with a RoutineControlTypes List of 0x2 and 0x3. Please note that a full scan with the scan range 0x0-0xffff can take up to 30 minutes.

Smart Routine Control Enumerator

Configuration

This enumerator is safe to use inside a vehicle. Please note that a scan can take up to 30 minutes.

Smart Read Memory by Address Enumerator

Configuration

This enumerator is safe to use inside a vehicle. Please note that a scan can take up to 30 minutes.

Tester Present Enumerator

Configuration

This enumerator is safe to use inside a vehicle.

ECU Reset Enumerator

Configuration

This enumerator is safe to use inside a vehicle. It’s recommended to use a scan range of 0x0-0x5.
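The safe settings listed in this section, together with the read-then-write-back rule described under UDS WriteDataByIdentifier, can be expressed as a pre-flight check on raw UDS requests before they reach a real vehicle. This is an added example, not HydraScope code; `UdsGuard` and its method names are hypothetical, and refusing InputOutputControlByIdentifier (0x2F), CommunicationControl (0x28) and every unlisted service outright is an assumption of the example.

```python
SAFE_SUBFUNCTIONS = {
    0x10: {0x01, 0x03},            # DiagnosticSessionControl: Default, ExtendedDiagnostic
    0x11: set(range(0x00, 0x06)),  # ECUReset: recommended scan range 0x0-0x5
    0x31: {0x02, 0x03},            # RoutineControl: StopRoutine, RequestRoutineResults
}
# ReadDataByIdentifier, ReadMemoryByAddress, SecurityAccess, TesterPresent
NO_RESTRICTION = {0x22, 0x23, 0x27, 0x3E}
WRITE_DID = 0x2E        # WriteDataByIdentifier request
READ_DID_OK = 0x62      # positive response to ReadDataByIdentifier

class UdsGuard:
    """Decides whether a raw UDS request may be sent to an ECU inside a vehicle."""

    def __init__(self):
        self.last_read = {}  # DID bytes -> data from the last positive read response

    def observe(self, response: bytes) -> None:
        """Remember the data of a positive ReadDataByIdentifier response."""
        if len(response) >= 3 and response[0] == READ_DID_OK:
            self.last_read[response[1:3]] = response[3:]

    def allow(self, request: bytes) -> bool:
        if len(request) < 2:
            return False
        sid = request[0]
        if sid in NO_RESTRICTION:
            return True
        if sid in SAFE_SUBFUNCTIONS:
            # Bit 7 of the sub-function byte only suppresses the positive
            # response, so it is masked out before the comparison.
            return (request[1] & 0x7F) in SAFE_SUBFUNCTIONS[sid]
        if sid == WRITE_DID:
            # Smart write: permit only the value just read from the same DID.
            did, data = request[1:3], request[3:]
            return len(did) == 2 and self.last_read.get(did) == data
        return False  # 0x2F, 0x28 and anything unlisted: refused by default

if __name__ == "__main__":
    guard = UdsGuard()
    guard.observe(bytes.fromhex("62f190aabb"))      # constructed read response
    for req in ("1003", "1002", "3101ff00", "3103ff00", "2ef190aabb", "2ef190aabc"):
        print(req, guard.allow(bytes.fromhex(req)))
```

A StartRoutine request is refused even when sent with the suppress-response bit set (sub-function 0x81), and a write is refused unless its data matches what the ECU returned for that identifier.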