The CANHack toolkit is a portable bit-banging library to emulate the minimal parts of the CAN protocol required for hacking a CAN bus. This toolkit is a proof-of-concept to show how various attacks on the CAN bus can be done purely in software if a microcontroller can be hijacked (we’ve not addressed how the hijacking could occur: it might be as simple as reflashing the firmware on an OBD-II dongle that an attacker owns, or something more complex like an exploit of a buffer overrun in a diagnostic messaging stack).

In most situations a microcontroller’s on-chip CAN controller is connected to a CAN transceiver and through this transceiver to the CAN bus. If the microcontroller can be hijacked then in general the pins allocated to the CAN controller can be re-purposed as GPIO pins. The CANHack toolkit has minimal assumptions about the environment, which are implemented in target-specific code that wraps the library. The basic requirements are:

• Access to CAN RX and CAN TX as GPIO pins
• Access to a timer to read the elapsed clock cycles (typically a free-running counter)
• Interrupts are disabled around key operations (the code spins on the timer waiting for events)

This can be ported to pretty much anything fast enough to bit-bang CAN (a Cortex M0 at 48MHz is probably too slow, but an ESP32 should be fast enough). The only other hardware requirement is that a CAN transceiver is connected to two GPIO pins.

The Canis CANPico can run CANHack and the API is included in the CANPico MicroPython CAN firmware.

The CANPico is also supported as a development platform for other Canis Labs products and technologies. It is available to buy from SK Pang.

A cheatsheet for the CANHack Python API (also available in PDF).