Injecting CAN Data
Miller and Valasek have done a fantastic job of explaining the structure of CAN data. It is
crucial that we understand how the CAN packets are structured so we have a solid concept of how
these packets are constructed and computed by various ECUs.
Here is a sample packet from a Ford Escape:
IDH: 03, IDL: B1, Len: 08, Data: 80 00 00 00 00 00 00 00
In this packet, the CAN ID transmitted is 03B1 (a concatenation of the ID-High and
ID-Low values). Each ECU that receives the CAN packet decides whether to process the packet or
ignore it depending upon how it is programmed to recognize the CAN ID of the packet. The
next byte represents the size of the data portion of the packet, which in this case is 8 bytes.
Here is an example of a CAN packet transmitted by a Toyota Prius:
IDH: 00, IDL: B6, Len: 04, Data: 33 A8 00 95
In the case of the Prius, it was found that the last byte represented a checksum value
computed by the following algorithm:
Checksum = (IDH + IDL + Len + Sum(Data[0] .. Data[Len-2])) & 0xFF
For simplicity, here are the nonzero values of our packet in decimal (IDH and the third data byte are both 0x00 and add nothing to the sum):
0xB6 = 182
0x04 = 4
0x33 = 51
0xA8 = 168
Adding it all up, we have 182 + 4 + 51 + 168 = 405, which in binary is represented as:
0000 0001 1001 0101
The value of 0xFF in decimal is 255, and here is the binary value:
0000 0000 1111 1111
Here is the resulting binary if we were to perform an AND operation between the two
values:
0000 0000 1001 0101
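The checksum rule above can be applied to captured frames to confirm that a logged Prius packet is internally consistent. The following is an added example, not code from the book or from Miller and Valasek; the function names and the tampered sample line are constructed for illustration, and the parser assumes the "IDH/IDL/Len/Data" line layout shown on this page.

```python
import re

# Line layout used on this page: "IDH: 00, IDL: B6, Len: 04, Data: 33 A8 00 95"
FRAME_RE = re.compile(
    r"IDH:\s*([0-9A-Fa-f]{2}),\s*IDL:\s*([0-9A-Fa-f]{2}),\s*"
    r"Len:\s*([0-9A-Fa-f]{2}),\s*Data:\s*((?:[0-9A-Fa-f]{2}\s*)*)$"
)

def parse_frame(line):
    """Return (idh, idl, length, data) or raise ValueError on a malformed line."""
    m = FRAME_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognized frame line: %r" % line)
    idh, idl, length = (int(m.group(i), 16) for i in (1, 2, 3))
    data = bytes.fromhex(m.group(4))
    # Len must agree with the number of data bytes actually logged.
    if not 1 <= length <= 8 or length != len(data):
        raise ValueError("Len=%d does not match %d data bytes" % (length, len(data)))
    return idh, idl, length, data

def prius_checksum(idh, idl, length, data):
    """(IDH + IDL + Len + Data[0]..Data[Len-2]) & 0xFF; the last byte is excluded."""
    return (idh + idl + length + sum(data[:length - 1])) & 0xFF

def check_frame(line):
    """Return (expected, found, ok) for one logged frame."""
    idh, idl, length, data = parse_frame(line)
    expected = prius_checksum(idh, idl, length, data)
    return expected, data[-1], expected == data[-1]

if __name__ == "__main__":
    samples = [
        "IDH: 00, IDL: B6, Len: 04, Data: 33 A8 00 95",  # packet from this page
        "IDH: 00, IDL: B6, Len: 04, Data: 33 A9 00 95",  # constructed: one byte altered
    ]
    for s in samples:
        expected, found, ok = check_frame(s)
        print("%s -> expected %02X, found %02X, %s"
              % (s, expected, found, "valid" if ok else "MISMATCH"))
```

The page documents this checksum rule for the Prius packet only, so a mismatch on frames from other vehicles or other CAN IDs does not by itself indicate corruption.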
CHAPTER 6: CONNECTED CAR SECURITY ANALYSIS—FROM GAS TO FULLY ELECTRIC