Custom Attack
Description
The custom_attack submenu allows users to construct low-level attacks with bit-level precision by chaining primitives. Predefined attacks are built from these primitives, but custom attacks offer granular control for complex scenarios, such as forcing an engine start. It supports primitives like send_msg, wait_bus_free, and send_error to tailor attacks to specific vulnerabilities.
Console Usage
- Access the main menu via the serial console.
- Enter the custom attack submenu with custom_attack (prompt changes to custom_attack>).
- Build the attack using the following primitives:
  - match_id [ --extended ] : Waits for a message with the specified CAN ID (e.g., match_id 0x300 --extended for a 29-bit ID).
  - match_data [ ] : Filters by data length and content (e.g., match_data 2 0x00,0x00 matches 2 bytes starting with 0x00,0x00).
  - skip_data: Ignores data fields, matching only ID and DLC (e.g., skip_data).
  - wait : Inserts a delay in CAN bit times (e.g., wait 10 for 10 bits).
  - send_error : Sends consecutive error frames (e.g., send_error 3 for 3 errors).
  - send_raw [ --force ] : Transmits a raw bit sequence (e.g., send_raw 0110001 --force with forced override).
  - wait_bus_free: Pauses until the bus is idle (e.g., wait_bus_free).
  - send_msg [ --extended ] [ --rtr ] [ --force ] [ ] : Sends a CAN frame (e.g., send_msg 0x400 0x01 --force for a forced start command).
  - set_bitstuffing : Enables/disables bitstuffing (e.g., set_bitstuffing off).
- Example: To force an engine start:
    match_id 0x300
    match_data 2 0x00,0x00
    wait 10
    send_msg 0x400 0x01 --force
    save "engine_start"
- Manage the sequence with list, delete <index>, or move <from> <to>, then exit to return to the main menu.
- Add to the plan with add_custom engine_start and execute with attack (e.g., attack 1).
- Use help or help <command> (e.g., help send_msg) for primitive details or assistance.
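As background for set_bitstuffing and send_raw, the following added example (not code from this tool) applies the standard CAN bit-stuffing rule to constructed bit strings and shows how a receiver recognises a violation. All function names are hypothetical, and the rule is assumed to be the usual one: a complementary bit after five equal bits, with a sixth equal bit counting as a stuff error.

```python
# Added illustration of the standard CAN bit-stuffing rule; not code from the tool.
# Bits are strings of '0' (dominant) and '1' (recessive). Function names are
# hypothetical; frame field boundaries (SOF..CRC) are not modelled.

def stuff_bits(bits: str) -> str:
    """Insert a complementary stuff bit after every run of five equal bits."""
    out, run_bit, run_len = [], None, 0
    for b in bits:
        if b not in "01":
            raise ValueError(f"not a bit: {b!r}")
        out.append(b)
        run_bit, run_len = (b, run_len + 1) if b == run_bit else (b, 1)
        if run_len == 5:
            run_bit = "1" if b == "0" else "0"
            out.append(run_bit)
            run_len = 1  # the stuff bit itself counts toward the next run
    return "".join(out)

def destuff_bits(bits: str) -> str:
    """Receiver side: drop stuff bits, raising on a sixth equal bit."""
    out, run_bit, run_len, expect_stuff = [], None, 0, False
    for i, b in enumerate(bits):
        if expect_stuff:
            if b == run_bit:
                raise ValueError(f"stuff error at bit {i}")
            run_bit, run_len, expect_stuff = b, 1, False
            continue
        out.append(b)
        run_bit, run_len = (b, run_len + 1) if b == run_bit else (b, 1)
        expect_stuff = run_len == 5
    return "".join(out)

def first_stuff_error(bits: str):
    """Index of the first bit that makes six equal bits in a row, else None."""
    run_bit, run_len = None, 0
    for i, b in enumerate(bits):
        run_bit, run_len = (b, run_len + 1) if b == run_bit else (b, 1)
        if run_len == 6:
            return i
    return None

if __name__ == "__main__":
    payload = "1111100001"                 # constructed sample, unstuffed
    on_wire = stuff_bits(payload)
    print(on_wire, destuff_bits(on_wire) == payload)
    print(first_stuff_error(on_wire))      # a stuffed stream never violates the rule
    print(first_stuff_error("10000001"))   # six dominant bits in a row
```

On a real bus, a receiver that sees a sixth equal bit inside the stuffed part of a frame signals a stuff error with an error frame, which makes unstuffed traffic visible in a node's error counters.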
How it works
TODO