ICSim: Make Sense of Hex

  • Author: Dr. Jim Marquardson (jimarqua@nmu.edu)
  • Updated 2024-06-16

This exercise uses the Instrument Cluster Simulator (ICSim) and can-utils to explore CANBUS networks. Specifically, the data values sent on the network will be evaluated.

Learning Objectives

In this exercise, you will learn to:

  • convert hex data, and
  • decode hex messages.

Prerequisites

This exercise assumes that the following are available:

  • Kali Linux VM with a graphical user interface,
  • can-utils has been installed,
  • ICSim has been installed to ~/ICSim.

Set Up the Test Environment

  • Run the following commands in a terminal to set up the test environment. The setup_vcan.sh command might give a warning message RTNETLINK answers: File exists if the vcan0 network already exists. It's okay to ignore the warning. You may need to press enter several times after launching icsim and controls.
cd ~/ICSim
sudo sh setup_vcan.sh
./icsim vcan0 &
./controls vcan0 &
cansniffer -c vcan0
  • Resize the terminal window so that cansniffer displays all data.

At this point, you should see many CAN messages displayed in cansniffer.

Test the Speedometer

  • Click on the game controller to activate it.
  • Press and hold the up arrow key to accelerate.
  • Look at the cansniffer output.
  • Spoiler: the accelerator uses the 244 arbitration ID. You should see data similar to the following.
00011 | 244 | 00 00 00 01 B3
  • Notice that the speedometer in the simulator is constantly moving slightly. The "car" is constantly sending minute speed fluctuations to the simulator.
  • Two pairs of hex characters change when the speedometer moves.
  • Watch how each of the pairs changes as you accelerate. One pair will change quicker than the other.

Interpret Hex

Hex data simply represents binary data compactly. Each hex character represents 4 bits of binary data. The following shows every combination of 4-digit binary data and the hexadecimal representation.

  • 0000: 0
  • 0001: 1
  • 0010: 2
  • 0011: 3
  • 0100: 4
  • 0101: 5
  • 0110: 6
  • 0111: 7
  • 1000: 8
  • 1001: 9
  • 1010: A
  • 1011: B
  • 1100: C
  • 1101: D
  • 1110: E
  • 1111: F

So when you see hex output in cansniffer, remember that it is just binary data being sent on the network. But we don't know for sure how that binary data is being interpreted. The simulator might convert that binary data to text, or it might convert it to a number.

Hex as Text

Text data can be encoded using hexadecimal.

  • Open CyberChef.
  • Add the To Hex operation to the recipe.
  • Enter the number 1 in the input.
  • Notice that the output is 31. The 1 in the input is being treated as a text character, not as a number. In this case, the hex value 31 represents the ASCII code.
  • Go to ascii-code.com and scroll to the section titled ASCII printable characters.
  • Find the hex code 31. It will show that the symbol (i.e., the text character) is the number 1.

Text data can be decoded from hexadecimal.

  • Clear the CyberChef recipe using the trash can icon.
  • Add the From Hex operation.
  • Enter 01 B3 in the input.
  • CyberChef will attempt to convert the hex data to text, but it will not produce anything readable. Therefore, it is unlikely that the car simulator is treating the hexadecimal as text to set the speedometer.

Hex as Numbers

Hex data can be converted into integers.

  • When the speedometer was near 0, the hex code read 01 B3 at the end of the data.
  • Return to CyberChef.
    • Clear the recipe using the garbage can icon.
    • Enter 01 B3 in the input.
    • Add the From Hex operation to the recipe.
    • Add the To Decimal operation to the recipe.
    • (Here is a link with the recipe.)
  • Notice that the output contains two integers: 1 179. How is the speedometer interpreting that value when the speedometer reports a speed near 0? More exploration is needed.
  • In the game controller, accelerate as far as it will let you--about 95 MPH by default.
  • The hex code reported for arbitration ID 244 should be something like 38 94.
  • Change the input in CyberChef to 38 94. The new integer output will show 56 148.
  • Notice that if the speedometer went straight up it would report 140 MPH.
  • Make the car go about 70 MPH (it would be difficult to keep the car at exactly 70 MPH).
  • The hex code should be something like 2D CA. This gives the decimal output of 45 170.
  • We now have 3 hex codes and 3 decimal numbers.
    • ~00 MPH: 01 B3: 1 179
    • ~70 MPH: 2D CA: 45 170
    • ~95 MPH: 38 94: 56 148
  • Clearly, as the speed goes up, the numbers get bigger. Can you find a pattern?
  • Test your theories as to what the numbers mean using cansend.
cansend vcan0 244#0000007700
  • Because you are competing with the system noise, you may have to quickly press the up arrow in the terminal to access the last command, and press enter to rerun the command.
  • It is possible to create a basic bash script to run the command 30 times as shown below. You can run the code below in the terminal because it fits on a single line.
for run in {1..30}; do cansend vcan0 244#0000007700; done
  • The data value could represent:
    • the current speed in MPH, or
    • something else (this is the answer).
  • Figuring out what it means exactly is an exercise left up to you.
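
The sections above make the point that the same bytes can be read as text or as numbers. As an added example (not part of the original exercise or of ICSim), the Python sketch below parses the sample cansniffer line shown earlier and lists several candidate readings of the byte pairs recorded near 0 and 95 MPH. It goes beyond the per-byte conversion done in CyberChef by also combining the two bytes into one 16-bit value in both byte orders; the function names are made up for illustration, and which reading the simulator uses is still for you to work out.

```python
# Added example: candidate readings of the speed bytes observed in this exercise.
# The sample line and byte pairs are copied from the exercise text above.

def parse_cansniffer_line(line):
    """Split a 'delta | ID | data' line into (arbitration ID, data bytes)."""
    _delta, arb_id, data = [field.strip() for field in line.split("|")]
    # bytes.fromhex() skips the spaces between the hex pairs.
    return int(arb_id, 16), bytes.fromhex(data)

def interpretations(pair):
    """Return several readings of the same two bytes; none is claimed correct."""
    return {
        # Non-printable bytes are shown as '.', like a hex dump would.
        "text": "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in pair),
        # What From Hex + To Decimal shows: each byte on its own.
        "two uint8": tuple(pair),
        # Both bytes combined into one number, first byte most significant.
        "uint16 big-endian": int.from_bytes(pair, "big"),
        # Both bytes combined, first byte least significant.
        "uint16 little-endian": int.from_bytes(pair, "little"),
    }

# Byte pairs recorded in the exercise at the two ends of the speedometer range.
OBSERVED = {"~0 MPH": "01 B3", "~95 MPH": "38 94"}

def table():
    """Map each observed speed label to all candidate readings of its bytes."""
    return {label: interpretations(bytes.fromhex(hx)) for label, hx in OBSERVED.items()}

if __name__ == "__main__":
    arb_id, data = parse_cansniffer_line("00011 | 244 | 00 00 00 01 B3")
    print(f"ID {arb_id:03X}, last two bytes {data[-2:].hex(' ').upper()}")
    for label, views in table().items():
        print(label)
        for name, value in views.items():
            print(f"  {name:22} {value}")
```

Compare how each reading grows between the two speeds, then check your theory against the simulator with cansend.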

Challenges

  • Make the speedometer report exactly 140 MPH.
  • Write a script that will send a specific speed in a loop to maintain a consistent reading on the speedometer.
    • Save the script to a file.
    • Make the script executable.
    • Run the script.

Shutting Down

  • Close the ICSim window. You may have to click Yes to confirm closing it.
  • Close the controller window.
  • If cansniffer is running, press control+c to stop it.

Reflection

  • Who determines how the data is sent and interpreted?
  • Do you think the designers made a good decision for reporting the speed?