UDS Challenge

UDS Challenge

Challenges

These challenge are within a simulation on VSEC Test. Below are the detailed walkthroughs on how to complete each challenge.

Please use the UDS Challenge simulation for these challenges.

Simulation VIN (40 points)

Retrieve the VIN of the simulation using UDS.
A system is only as strong as its weakest layer.

Walkthrough

  1. Sign-in to vsec.blockharbor.io
  2. Navigate to Test on the sidebar menu to enter the VSEC Test application and then select the Simulations submenu.
  3. Select the UDS Challenge to open a terminal on the simulation.
  4. Use tmux to create 3 seperate terminals which we’ll run different commands in. tmux
  5. In the terminal(s) run the following commands in the order below
    1. Terminal #1 - candump vcan0
    2. Terminal #2 - isotprecv -p 00 -s 7E0 -d 7E8 -l vcan0
      • -p 00 - Pads the message with all zeros
      • -s 7E0 - Messages sent to 7E0
      • -d 7E8 - Messages replying with 7E8
      • -l vcan0 - Listen on vcan0
    3. Terminal #3 - echo "22 F1 90" | isotpsend -p 00 -s 7E0 -d 7E8 vcan0
      • echo "22 F1 90" - Data to be sent
        • 0x22 Service identifier - Read Data by Identifer
        • 0xF190 VIN Data Identifier
      • | - Pipe output from echo command to isotpsend
      • -p 00 - Pads the message with all zeros
      • -s 7E0 - Messages sent to 7E0
      • -d 7E8 - Messages replying from 7E8
      • vcan0 - Send on vcan0
  6. Once you’ve sent those commands in different terminals in the order above, the isotprecv command will show a response with the answer in HEX.
  7. Convert 66 6C 61 67 7B 76 31 6E 5F 42 48 6D 61 63 68 33 7D from HEX to ASCII to receive the answer.
ANSWER
v1n_BHmach3
OR
flag{v1n_BHmach3}
Flag is the ASCII value of the VIN

Startup Message (50 points)

It seems the simulation broadcasts some diagnostic information on arbitration ID 0x7DF when booting up, what does this message say? (in ASCII)
Can you get an ECU to restart?

Walkthrough

  1. Sign-in to vsec.blockharbor.io
  2. Navigate to Test on the sidebar menu to enter the VSEC Test application and then select the Simulations submenu.
  3. Select the UDS Challenge to open a terminal on the simulation.
  4. Use tmux to create 3 seperate terminals which we’ll run different commands in. tmux
  5. In the terminal(s) run the following commands in the order below
    1. Terminal #1 - candump vcan0
    2. Terminal #2 - isotprecv -p 00 -s 7E0 -d 7DF -l vcan0
      • -p 00 - Pads the message with all zeros
      • -s 7E0 - Messages sent to 7E0
      • -d 7E8 - Messages replying with 7E8
      • -l vcan0 - Listen on vcan0
    3. Terminal #3 - echo "11 01" | isotpsend -p 00 -s 7E0 -d 7DF vcan0
      • echo "11 01" - Data to be sent
        • 0x11 Service identifier - Read Data by Identifer
        • 0x01 Hard ECU Reset
      • | - Pipe output from echo command to isotpsend
      • -p 00 - Pads the message with all zeros
      • -s 7E0 - Messages sent to 7E0
      • -d 7DF - Messages replying from 7DF
      • vcan0 - Send on vcan0
  6. Once you’ve sent those commands in different terminals in the order above, the isotprecv command will show a response with the answer in HEX.
  7. Convert 07 67 30 47 72 65 33 6E from HEX to ASCII to receive the answer.
ANSWER
g0Gre3n
Flag is the ASCII Value of the packet

Engine Trouble? (75 points)

The simulation’s engine light is on, can you read the diagnostic code?
DTCs (Diagnostic Trouble Codes) are sent to alert of an issue in the vehicle.

Additional details for this challenge:


Walkthrough

  1. Sign-in to vsec.blockharbor.io
  2. Navigate to Test on the sidebar menu to enter the VSEC Test application and then select the Simulations submenu.
  3. Select the UDS Challenge to open a terminal on the simulation.
  4. Use tmux to create 3 seperate terminals which we’ll run different commands in. tmux
  5. In the terminal(s) run the following commands in the order below
    1. Terminal #1 - candump vcan0
    2. Terminal #2 - isotprecv -p 00 -s 7E0 -d 7E8 -l vcan0
      • -p 00 - Pads the message with all zeros
      • -s 7E0 - Messages sent to 7E0
      • -d 7E8 - Messages replying with 7E8
      • -l vcan0 - Listen on vcan0
    3. Terminal #3 - echo "19 02 88" | isotpsend -p 00 -s 7E0 -d 7E8 vcan0
      • echo "19 02 88" - Data to be sent
        • 0x19 Service identifier - Read Diagnostic Trouble Code
        • 0x02 Report DTC by Status Mask
        • 0x88 Warning Indicator Request with confirmed DTCs
      • | - Pipe output from echo command to isotpsend
      • -p 00 - Pads the message with all zeros
      • -s 7E0 - Messages sent to 7E0
      • -d 7DF - Messages replying from 7DF
      • vcan0 - Send on vcan0
  6. Once you’ve sent those commands in different terminals in the order above, the isotprecv command will show a response with the answer.
  7. The device responds back with 07 59 02 88 3E 9F 01 AB, where is the DTC is 3E 9F 01.
ANSWER
P3E9F-01
OR
P3E9F
The format of the DTC is Pxxxx-xx. Example answer: P1234-01

Secrets in Memory? (100 points)

It seems the simulation allows access to only some off-chip sections of memory, are there any secrets in the visible memory?
To read memory with a known starting point use service 0x23 - Read Memory by Address
The memory region starts at 0xC3F80000 and the flag is in the format flag{...}.

Additional details for this challenge:


Walkthrough

  1. Sign-in to vsec.blockharbor.io
  2. Navigate to Test on the sidebar menu to enter the VSEC Test application and then select the Simulations submenu.
  3. Select the UDS Challenge to open a terminal on the simulation.
  4. Use tmux to create 3 seperate terminals which we’ll run different commands in. tmux
  5. In the terminal(s) run the following commands in the order below
    1. Terminal #1 - candump vcan0
    2. Terminal #2 - isotprecv -p 00 -s 7E0 -d 7E8 -l vcan0
      • -p 00 - Pads the message with all zeros
      • -s 7E0 - Messages sent to 7E0
      • -d 7E8 - Messages replying with 7E8
      • -l vcan0 - Listen on vcan0
    3. Terminal #3 - echo "23 14 C3 F8 00 00 0F" | isotpsend -p 00 -s 7E0 -d 7E8 vcan0
      • echo "23 14 C3 F8 00 00 0F" - Data to be sent
        • 0x23 Service identifier - Read Memory by Address
        • 0x14 Address and Length Format Identifier - the first digit (1) is how many bytes long the Memory Size field is, the second digit (4) is how many bytes long the Memory Address field is
        • C3 F8 00 00 Memory Address - the starting point of the memory region you want to read
        • 0F Memory Size - how many bytes of data to read back (0x0F = 15 bytes)
      • | - Pipe output from echo command to isotpsend
      • -p 00 - Pads the message with all zeros
      • -s 7E0 - Messages sent to 7E0
      • -d 7E8 - Messages replying from 7E8
      • vcan0 - Send on vcan0
  6. Once you’ve sent those commands in different terminals in the order above, the isotprecv command will show the bytes stored at that memory region in the response.
  7. The flag may be far from the starting address, so you may need to request a large block of memory (increase the Memory Size) or script requests across several starting addresses. Convert the returned bytes from HEX to ASCII and look for the standard flag{...} marker.
ANSWER
mem+r34d
OR
flag{mem+r34d}
The flag is in the standard flag{...} format and may be located far from the starting address.

Security Access Level 3 (150 points)

Can you find the key and break in?
Security Access (service 0x27) is a seed-and-key challenge. The ECU will not accept it from the default session, so first switch to an extended diagnostic session (0x10) and keep it alive with Tester Present (0x3E), then request a seed, transform it into the matching key, and send the key back to unlock the level.

Additional details for this challenge:



Walkthrough

  1. Sign-in to vsec.blockharbor.io
  2. Navigate to Test on the sidebar menu to enter the VSEC Test application and then select the Simulations submenu.
  3. Select the UDS Challenge to open a terminal on the simulation.
  4. Use tmux to create 4 seperate terminals which we’ll run different commands in. tmux
  5. In the terminal(s) run the following commands in the order below
    1. Terminal #1 - candump vcan0
    2. Terminal #2 - isotprecv -p 00 -s 7E0 -d 7E8 -l vcan0
      • -p 00 - Pads the message with all zeros
      • -s 7E0 - Messages sent to 7E0
      • -d 7E8 - Messages replying with 7E8
      • -l vcan0 - Listen on vcan0
    3. Terminal #3 - Enter an extended diagnostic session. Service 0x27 cannot be used from the default session. echo "10 03" | isotpsend -p 00 -s 7E0 -d 7E8 vcan0
      • echo "10 03" - Data to be sent
        • 0x10 Service identifier - Diagnostic Session Control
        • 0x03 Extended Diagnostic Session
      • | - Pipe output from echo command to isotpsend
      • -p 00 - Pads the message with all zeros
      • -s 7E0 - Messages sent to 7E0
      • -d 7E8 - Messages replying from 7E8
      • vcan0 - Send on vcan0
    4. Terminal #4 - Keep the session alive so the ECU does not time out and fall back to the default session. while true; do echo "3E 80" | isotpsend -p 00 -s 7E0 -d 7E8 vcan0; sleep 1; done
      • echo "3E 80" - Data to be sent
        • 0x3E Service identifier - Tester Present
        • 0x80 Suppress positive response (silent mode, keeps the isotprecv window from filling with replies)
      • while ... sleep 1 ... done - Re-sends Tester Present every second so the session stays active
  6. Back in Terminal #3, request the seed for security access level 3. echo "27 03" | isotpsend -p 00 -s 7E0 -d 7E8 vcan0
    • echo "27 03" - Data to be sent
      • 0x27 Service identifier - Security Access
      • 0x03 Request Seed (security access level 3, an odd subfunction)
    • | - Pipe output from echo command to isotpsend
    • -p 00 - Pads the message with all zeros
    • -s 7E0 - Messages sent to 7E0
    • -d 7E8 - Messages replying from 7E8
    • vcan0 - Send on vcan0
  7. The isotprecv command will show a positive response beginning with 67 03 (0x27 + 0x40), followed by the seed bytes the ECU wants you to solve. If you instead see 7F 27 7E, the ECU is still in the wrong session - re-check the session control in step 5.3 and confirm the Tester Present loop in step 5.4 is running.
  8. Derive the key from the seed by performing a NOT operation on the seed - flip each individual bit, or use a NOT/bitwise-complement calculator.
  9. Send the key back using send-key subfunction 0x04 (one higher than the request seed subfunction). Replace <key> with the bytes you calculated in the previous step.
    1. Terminal #3 - echo "27 04 <key>" | isotpsend -p 00 -s 7E0 -d 7E8 vcan0
      • echo "27 04 <key>" - Data to be sent
        • 0x27 Service identifier - Security Access
        • 0x04 Send Key (security access level 3)
        • <key> The NOT of the seed from step 8
      • | - Pipe output from echo command to isotpsend
      • -p 00 - Pads the message with all zeros
      • -s 7E0 - Messages sent to 7E0
      • -d 7E8 - Messages replying from 7E8
      • vcan0 - Send on vcan0
  10. A positive 67 04 response means security access level 3 is unlocked.
ANSWER
TODO
To derive the key, perform a NOT operation on the seed (flip each individual bit, or just use a NOT calculator).

Security Access Level 1 (300 points)

Can you provide a valid key for security access level 1?
Security Access (service 0x27) is a seed-and-key challenge. The ECU will not accept it from the default session, so first switch to an extended diagnostic session (0x10) and keep it alive with Tester Present (0x3E), then request a seed, transform it into the matching key, and send the key back to unlock the level.

Additional details for this challenge:


Walkthrough

  1. Sign-in to vsec.blockharbor.io
  2. Navigate to Test on the sidebar menu to enter the VSEC Test application and then select the Simulations submenu.
  3. Select the UDS Challenge to open a terminal on the simulation.
  4. Use tmux to create 4 seperate terminals which we’ll run different commands in. tmux
  5. In the terminal(s) run the following commands in the order below
    1. Terminal #1 - candump vcan0
    2. Terminal #2 - isotprecv -p 00 -s 7E0 -d 7E8 -l vcan0
      • -p 00 - Pads the message with all zeros
      • -s 7E0 - Messages sent to 7E0
      • -d 7E8 - Messages replying with 7E8
      • -l vcan0 - Listen on vcan0
    3. Terminal #3 - Enter an extended diagnostic session. Service 0x27 cannot be used from the default session. echo "10 03" | isotpsend -p 00 -s 7E0 -d 7E8 vcan0
      • echo "10 03" - Data to be sent
        • 0x10 Service identifier - Diagnostic Session Control
        • 0x03 Extended Diagnostic Session
      • | - Pipe output from echo command to isotpsend
      • -p 00 - Pads the message with all zeros
      • -s 7E0 - Messages sent to 7E0
      • -d 7E8 - Messages replying from 7E8
      • vcan0 - Send on vcan0
    4. Terminal #4 - Keep the session alive so the ECU does not time out and fall back to the default session. while true; do echo "3E 80" | isotpsend -p 00 -s 7E0 -d 7E8 vcan0; sleep 1; done
      • echo "3E 80" - Data to be sent
        • 0x3E Service identifier - Tester Present
        • 0x80 Suppress positive response (silent mode, keeps the isotprecv window from filling with replies)
      • while ... sleep 1 ... done - Re-sends Tester Present every second so the session stays active
  6. Back in Terminal #3, request the seed for security access level 1. echo "27 01" | isotpsend -p 00 -s 7E0 -d 7E8 vcan0
    • echo "27 01" - Data to be sent
      • 0x27 Service identifier - Security Access
      • 0x01 Request Seed (security access level 1, an odd subfunction)
    • | - Pipe output from echo command to isotpsend
    • -p 00 - Pads the message with all zeros
    • -s 7E0 - Messages sent to 7E0
    • -d 7E8 - Messages replying from 7E8
    • vcan0 - Send on vcan0
  7. The isotprecv command will show a positive response beginning with 67 01 (0x27 + 0x40), followed by the seed bytes the ECU wants you to solve. If you instead see 7F 27 7E, the ECU is still in the wrong session - re-check the session control in step 5.3 and confirm the Tester Present loop in step 5.4 is running.
  8. Derive the key from the seed using the level 1 key algorithm.
  9. Send the key back using send-key subfunction 0x02 (one higher than the request seed subfunction). Replace <key> with the bytes you calculated in the previous step.
    1. Terminal #3 - echo "27 02 <key>" | isotpsend -p 00 -s 7E0 -d 7E8 vcan0
      • echo "27 02 <key>" - Data to be sent
        • 0x27 Service identifier - Security Access
        • 0x02 Send Key (security access level 1)
        • <key> The key derived from the seed in step 8
      • | - Pipe output from echo command to isotpsend
      • -p 00 - Pads the message with all zeros
      • -s 7E0 - Messages sent to 7E0
      • -d 7E8 - Messages replying from 7E8
      • vcan0 - Send on vcan0
  10. A positive 67 02 response means security access level 1 is unlocked.
ANSWER
TODO

Proving Grounds - Course Completion 40%
Last updated on