CAN-bus
This module supports scanning, injecting and fuzzing CAN-bus frames via socketcan compatible adapters.
Commands
Section titled “Commands”can.recon on
Section titled “can.recon on”Start CAN-bus discovery.
can.recon off
Section titled “can.recon off”Stop CAN-bus discovery.
can.clear
Section titled “can.clear”Clear everything collected by the discovery module.
can.show
Section titled “can.show”Show a list of detected CAN devices.
can.dbc.load NAME
Section titled “can.dbc.load NAME”Load a DBC file from the list of available ones or from disk.
can.inject FRAME_EXPRESSION
Section titled “can.inject FRAME_EXPRESSION”Parse FRAME_EXPRESSION as ‘id#data’ and inject it as a CAN frame.
can.fuzz ID_OR_NODE_NAME OPTIONAL_SIZE
Section titled “can.fuzz ID_OR_NODE_NAME OPTIONAL_SIZE”If an hexadecimal frame ID is specified, create a randomized version of it and inject it. If a node name is specified, a random message for the given node will be instead used.
Parameters
Section titled “Parameters”| Parameter | Default | Description |
|---|---|---|
can.device | can0 | CAN-bus device. |
can.dump | Load CAN traffic from this candump log file. | |
can.dump.inject | false | Write CAN traffic read form the candump log file to the selected can.device. |
can.filter | Optional boolean expression to select frames to report. | |
can.parse.obd2 | false | Enable built in OBD2 PID parsing. |
can.transport | can | Network type, can be ‘can’ for SocketCAN or ‘udp’. |
Examples
Section titled “Examples”Read, write and fuzz raw frames
Section titled “Read, write and fuzz raw frames”The very basic of CAN-bus functionalities. Set your device and enable the module to start reading raw frames:
set can.device /dev/can0
can.recon onYou can also load and replay a dump previously captured with candump:
set can.dump obd2-candump-2023-11-22_031813.log
can.recon onInject raw frames as id#hex-data:
can.inject 0#aabbccddeeOr generate random ones for fuzzing with can.fuzz id size:
can.fuzz ff 8And show a list of the detected ECUs:
can.showLoad your own DBC files, decode traffic and fuzz with them
Section titled “Load your own DBC files, decode traffic and fuzz with them”You can also use CAN-bus database files that describe a specific protocol, in which case bettercap will use it to automatically parse every frame on the bus (css-electronics and comma.ai have some very good ones):
set can.device /dev/can0
can.dbc.load css-electronics/obd2-pack-v5/obd2-dbc/CSS-Electronics-11-bit-OBD2-v2.2.dbc
can.recon onWhen running with a DBC, you’ll also be able to use use it for fuzzing. For instance, to generate a specific message given its id, with randomized content:
can.fuzz 12To instead pick a random message from a specific ECU and generate its contents randomly:
can.fuzz ECU_nameDecode OBD2 PIDs with builtin decoder
Section titled “Decode OBD2 PIDs with builtin decoder”Alternatively to using a DBC, if you work with OBD2 standard PIDs, you can just enable the builtin PID parser:
set can.device /dev/can0set can.parse.obd2 truecan.recon on