CrikeyCon CTF - Carhacky Content

Ever wanted to hack the CAN data of a Porsche 911?

Porsche 911 40Jahre edition badge


The following is the background you might want if you're trying the CrikeyCon CTF car hacking challenges... then you can have a go at data recorded directly from the CAN bus of a 911 and make real-time changes to what the instrument cluster is showing you.

Context - where the CAN bus data came from

The data was collected using exactly the same Raspberry Pi 4 + PICAN3 hat combination as is used in the challenge.

Raspberry Pi 4 with PICAN3 hat

This device was connected to the CAN bus of a 2004 Porsche 996 "40th Anniversary Edition" vehicle - one of the earliest Porsche cars with a CAN bus controlling the engine as well as other functions throughout the car. The model belongs to the 996 "gen 2", "facelift" or 996.2 version of the 996, if you're searching for more data.

Getting access to the engine management computer & CAN bus in the 996

It has an 'eGas' pedal connected to the instrument cluster, which in turn was connected to two CAN buses - one for the drive-train and one for 'comfort' (Porsche's word for climate control and entertainment systems). Having two buses keeps the important traffic like accelerator & brakes separate from the non-important traffic, like what the air conditioning is doing. (There is some overlap, as the a/c will trigger the compressor which does alter what the engine is doing... but this is controlled by the instrument cluster which is connected to both CAN buses.)

Bosch 'Cartronic' unit

The capture of traffic was performed after tapping the CAN high and low wires (and getting decent grounding to the chassis of the car).

CAN dump log file is in https://github.com/autohackers/CrikeyCon8CTF

The dump file shows the following:

  • engine being started (and a pause while I'm "wow, this is working!")
  • reversing up/out of driveway
  • driving around our block
  • back into driveway and switching off engine

Instrument Cluster for playback

The idea of the capture was to learn about the CAN bus traffic in the 996 and also to be able to replay it and see what we can tweak.

Unfortunately there aren't that many of this specific model in the whole world (just over 1200 accounted for - see https://www.40jahre911.com/ if you're curious about the model) so finding any parts at a wrecker in Australia is kind of tough.

However, I was able to locally(ish) source the instrument cluster from a similar vintage Porsche Boxster, which I know uses the same electronics gear, so I figured (honestly, made an "educated gamble") it would serve to replay the CAN traffic. 🤞

Porsche Boxster Instrument Cluster (rear)

In case you're looking up details, the numbers from the dashboard above are Porsche: 986 641 217 03 FHB, type UK and VDO: 110.080.039/161

And, after figuring out the wiring of the connectors on the back of the cluster, a little wiring (you need +battery and +ignition for it to start accepting traffic) to hook the dashboard to a 12V supply and the CAN bus of the RPi, it worked!

Boxster instrument cluster replaying journey recorded in 996

The final step was stopping the playback and seeing what items on the cluster could be directly addressed (or faked) using the cansend tool. Some things, like the fuel gauge, are directly hooked up to sensors in the car (i.e. not the CAN bus). I managed to change data bound for the speedo, the tacho (RPM gauge) and the engine temperature gauge. (I believe some other warning lights are also addressable but, at this point, I haven't found their identities - e.g. ABS & traction control - as I haven't had the RPi secured well enough to, er, engage the traction control to the point it flashes a warning at me!)
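Two things from the write-up lend themselves to a worked example: learning what is on the bus from the recorded dump (the "learn about the CAN bus traffic" step above), and replaying it to a bench cluster while substituting the payload of a chosen arbitration ID (the "stop the playback and see what can be addressed" step). The code below is an added example, not part of the original post or the CrikeyCon8CTF repository. It assumes the dump is in the `candump -l` text format from can-utils (`(timestamp) iface ID#HEXDATA`); the embedded log lines and the IDs 0x1A0 and 0x2B1 are constructed for illustration and are not the 996's real identifiers. The summary reports, per ID, the frame count, the average inter-frame period and which payload bytes change over the capture, which is the usual first cut at separating gauge data from static status frames. The replay planner preserves the original inter-frame timing and formats each frame in the `ID#DATA` notation that `cansend` accepts.

```python
import re
from collections import defaultdict

# One record of a candump -l log: "(1700000000.000000) can0 1A0#0000640000000000"
LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)

# Constructed sample dump (not real 996 traffic): ID 0x1A0 is periodic at 10 ms
# with one byte counting up, ID 0x2B1 is a constant status frame at 20 ms.
SAMPLE_LOG = """\
(1700000000.000000) can0 1A0#0000640000000000
(1700000000.005000) can0 2B1#00
(1700000000.010000) can0 1A0#0000660000000000
(1700000000.020000) can0 1A0#0000680000000000
(1700000000.025000) can0 2B1#00
(1700000000.030000) can0 1A0#00006A0000000000
"""


def parse_candump(text):
    """Return a list of (timestamp, iface, can_id, data_bytes) from candump -l text."""
    frames = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a candump -l record: {line!r}")
        frames.append((float(m["ts"]), m["iface"], int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def summarise(frames):
    """Per arbitration ID: frame count, mean period in seconds, max DLC, and
    the payload byte positions whose value changes across the capture."""
    by_id = defaultdict(list)
    for ts, _iface, can_id, data in frames:
        by_id[can_id].append((ts, data))
    summary = {}
    for can_id, samples in by_id.items():
        times = [ts for ts, _ in samples]
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = sum(gaps) / len(gaps) if gaps else None
        dlc = max(len(d) for _, d in samples)
        varying = [
            i for i in range(dlc)
            if len({d[i] if i < len(d) else None for _, d in samples}) > 1
        ]
        summary[can_id] = {"count": len(samples), "period_s": period,
                           "dlc": dlc, "varying_bytes": varying}
    return summary


def replay_plan(frames, overrides=None):
    """Yield (delay_s, can_id, data) with the original inter-frame timing.
    overrides maps can_id -> function(data) -> data, the bench-side tweak."""
    overrides = overrides or {}
    prev = None
    for ts, _iface, can_id, data in frames:
        delay = 0.0 if prev is None else ts - prev
        prev = ts
        if can_id in overrides:
            data = overrides[can_id](data)
        yield delay, can_id, data


def cansend_arg(can_id, data):
    """Format a frame the way can-utils cansend expects it: <id>#<hex data>."""
    return f"{can_id:03X}#{data.hex().upper()}"


if __name__ == "__main__":
    frames = parse_candump(SAMPLE_LOG)
    for can_id, info in sorted(summarise(frames).items()):
        print(f"{can_id:03X}: {info}")
    # Hold byte 2 of ID 0x1A0 at zero during replay (constructed example tweak).
    freeze = {0x1A0: lambda d: d[:2] + b"\x00" + d[3:]}
    for delay, can_id, data in replay_plan(frames, freeze):
        print(f"sleep {delay:.3f}s; cansend can0 {cansend_arg(can_id, data)}")
```

On the Pi the real run replaces the two `print` lines with a `time.sleep(delay)` and a write to the SocketCAN interface; the planner is deliberately kept free of bus I/O so the summary and the substitution logic can be checked against a dump file before anything is wired to the cluster.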

Hence the CrikeyCon challenges available today are based on those three gauges. See the CTF board in the conference for more details... or come and see me at the car hacking desk! 😎