CAN Bus Investigation

Location: NetWars

Introduction

Welcome to the CAN bus terminal challenge!

In your home folder, there's a CAN bus capture from Santa's sleigh. Some of
the data has been cleaned up, so don't worry - it isn't too noisy. What you
will see is a record of the engine idling up and down. Also in the data are
a LOCK signal, an UNLOCK signal, and one more LOCK. Can you find the UNLOCK?
We'd like to encode another key mechanism.

Find the decimal portion of the timestamp of the UNLOCK code in candump.log
and submit it to ./runtoanswer!  (e.g., if the timestamp is 123456.112233,
please submit 112233)

Hints

Solution

What data has been provided?

elf@7981eb10e06e:~$ ls -l
total 516
-rwxr-xr-x 1 root root  56065 Nov 29 13:36 candump.log
-rws--x--x 1 root root 469136 Nov 29 13:36 runtoanswer
elf@7981eb10e06e:~$ view candump.log
bash: view: command not found
elf@7981eb10e06e:~$ less candump.log
bash: less: command not found

Neither view nor less is installed, so the file cannot be paged through the easy way, but head and tail can be used.

elf@7981eb10e06e:~$ head candump.log
(1608926660.800530) vcan0 244#0000000116
(1608926660.812774) vcan0 244#00000001D3
...SNIP...
(1608926660.920799) vcan0 244#000000015F
elf@7981eb10e06e:~$ tail candump.log
(1608926678.515574) vcan0 244#000000011E
(1608926678.528405) vcan0 244#000000016A
...SNIP...
(1608926678.629068) vcan0 244#0000000135

Now that the format of the file is known, the file's content can be analysed.

elf@7981eb10e06e:~$ awk '{print $3}' candump.log | cut -f1 -d# | sort -u
188
19B
244

There are 3 IDs.

The next step is to determine how many messages with each ID exist in the log file.

elf@7981eb10e06e:~$ grep "188#" candump.log | wc -l
35
elf@7981eb10e06e:~$ grep "19B#" candump.log | wc -l
3
elf@7981eb10e06e:~$ grep "244#" candump.log | wc -l
1331

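The 19B ID is the one of interest: it appears exactly three times, which matches the LOCK, UNLOCK, LOCK sequence described in the introduction.

The lock, unlock, lock sequence can be seen below. The middle frame carries a different payload (00000F000000) from the other two, so it is the UNLOCK.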

elf@7981eb10e06e:~$ grep "19B#" candump.log
(1608926664.626448) vcan0 19B#000000000000
(1608926671.122520) vcan0 19B#00000F000000
(1608926674.092148) vcan0 19B#000000000000
elf@7981eb10e06e:~$
elf@7981eb10e06e:~$ ./runtoanswer 
There are two LOCK codes and one UNLOCK code in the log.  What is the decimal portion of the UNLOCK timestamp?
(e.g., if the timestamp of the UNLOCK were 1608926672.391456, you would enter 391456.
> 122520
Your answer: 122520
Checking....
Your answer is correct!
elf@7981eb10e06e:~$ 
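
The same triage in one pass, as an added example that is not part of the original write-up: count frames and distinct payloads per arbitration ID, then list the payloads an ID sent only once. The function names, the 188 payload and all timestamps are constructed for illustration; only the log line format and the 19B and 244 payloads come from the output above.

```shell
#!/bin/sh
# Added example. The log lines below are constructed, not the challenge capture.
sample_log() {
cat <<'EOF'
(1700000000.100000) vcan0 244#0000000116
(1700000000.150000) vcan0 188#00000000
(1700000000.200000) vcan0 19B#000000000000
(1700000000.250000) vcan0 244#00000001D3
(1700000000.300000) vcan0 188#00000000
(1700000000.350000) vcan0 244#000000015F
(1700000000.500000) vcan0 19B#00000F000000
(1700000000.550000) vcan0 188#00000000
(1700000000.600000) vcan0 244#000000011E
(1700000000.650000) vcan0 188#00000000
(1700000000.700000) vcan0 19B#000000000000
(1700000000.750000) vcan0 244#000000016A
EOF
}

# Read a candump log on stdin; print "frames id distinct_payloads", rarest ID first.
id_summary() {
  awk '{
         split($3, f, "#")                 # f[1] = arbitration ID, f[2] = data (hex)
         n[f[1]]++
         if (!seen[f[1], f[2]]++) d[f[1]]++
       }
       END { for (id in n) print n[id], id, d[id] }' | sort -n
}

# For the ID in $1, print "fraction payload" for every payload logged exactly once.
# Meant for event-driven IDs; a periodic ID with changing data lists many rows.
rare_frames() {
  awk -v id="$1" '{
         split($3, f, "#")
         if (f[1] != id) next
         ts = $1; gsub(/[()]/, "", ts)     # "(sec.usec)" -> "sec.usec"
         split(ts, t, "[.]")
         c[f[2]]++; frac[f[2]] = t[2]
       }
       END { for (p in c) if (c[p] == 1) print frac[p], p }'
}

sample_log | id_summary
sample_log | rare_frames 19B
```

Against the real capture, feed the file on stdin instead of the sample: `id_summary < candump.log`, then `rare_frames 19B < candump.log`.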

Answer

122520