For those looking to sharpen their skills before Season 2, Block Harbor is hosting the Season 1 challenges in the Proving Grounds on our free platform, VSEC, which–alongside these challenges–offers walkthroughs to guide participants through previous tasks. Each week, we will be adding new Proving Grounds content in VSEC Learn, ensuring continuous learning and preparation. Proving Grounds challenges are available now!
So, here I come.
VSEC Garage: UDS Challenge
Simulation VIN
Retrieve the VIN of the simulation using UDS.
It seems the simulation broadcasts some diagnostic information on arbitration ID 0x7DF when booting up, what does this message say? (in ASCII)
HINT: How can you get an ECU to restart?
The simulation's engine light is on, can you read the diagnostic code? Check out our youtube walkthrough if you get stuck: <https://www.youtube.com/watch?v=IaUL0dA4Z_Y>
Use service 0x19 (ReadDTCInformation) to read the DTC:
cansend vcan0 7e0#0319020800000000
The response is:
vcan0 7E8 [8] 07 59 02 08 3E 9F 01 AB
After the positive response header 59 02 and the status availability mask 08, the bytes 3E 9F 01 are the DTC, which decodes to P3E9F-01. The flag is P3E9F-01.
Secrets in Memory?
It seems the simulation allows access to only some off-chip sections of memory, are there any secrets in the visible memory?
The memory region starts at 0xC3F80000 and the flag is in the format flag{...}.
The simulation is implementing service 0x27 Security Access Level 3 using MAAATH. Can you find the key and break in?
The flag is the key to unlock with seed 1337 in hex (example a5a5)
Bitwise-inverting the seed 0x1337 gives the key 0xecc8.
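The DTC decoding above and the level 3 seed-to-key rule can both be checked offline. The following is an added example, not code from the challenge platform or from the write-up; it parses the single-frame UDS replies seen on vcan0 from constructed byte strings copied from the output above, so no CAN interface is needed.

```python
# Added example (not from the challenge platform): decode the UDS replies this
# write-up reads off vcan0, using only the bytes shown above, with no bus needed.

NRC_NAMES = {  # ISO 14229 negative response codes seen most often while probing
    0x11: "serviceNotSupported", 0x12: "subFunctionNotSupported",
    0x13: "incorrectMessageLengthOrInvalidFormat", 0x31: "requestOutOfRange",
    0x33: "securityAccessDenied", 0x35: "invalidKey", 0x36: "exceedNumberOfAttempts",
}

def parse_single_frame(frame: bytes) -> dict:
    """Split an ISO-TP single frame (PCI high nibble 0, payload <= 7 bytes) into a UDS reply."""
    if frame[0] >> 4 != 0:
        raise ValueError("not an ISO-TP single frame (multi-frame replies need flow control)")
    payload = frame[1:1 + (frame[0] & 0x0F)]
    if payload[0] == 0x7F:                       # negative response: 7F <SID> <NRC>
        return {"positive": False, "sid": payload[1], "nrc": payload[2],
                "nrc_name": NRC_NAMES.get(payload[2], "unknown")}
    return {"positive": True, "sid": payload[0] - 0x40, "data": bytes(payload[1:])}

def decode_dtc(dtc: bytes) -> str:
    """Render a 3-byte DTC in the familiar form, e.g. 3E 9F 01 -> 'P3E9F-01'."""
    first, second, failure = dtc
    letter = "PCBU"[first >> 6]                  # bits 7-6 select the system letter
    return f"{letter}{(first >> 4) & 0x3}{first & 0xF:X}{second:02X}-{failure:02X}"

def decode_dtcs_by_status_mask(data: bytes) -> list:
    """Parse the data of a 0x19 0x02 reply: sub-function, availability mask, 4-byte records."""
    if data[0] != 0x02:
        raise ValueError("not a reportDTCByStatusMask reply")
    records = data[2:]                           # data[1] is the DTC status availability mask
    return [(decode_dtc(records[i:i + 3]), records[i + 3])
            for i in range(0, len(records) // 4 * 4, 4)]

def level3_key(seed: int) -> int:
    """Key rule the write-up found for security access level 3: bitwise NOT of the 16-bit seed."""
    return ~seed & 0xFFFF

if __name__ == "__main__":
    # Constructed frames: the 0x19 reply shown above, and the NRC 0x31 reply the scan loops skip.
    dtc_reply = parse_single_frame(bytes.fromhex("07590208 3E9F01AB"))
    print(decode_dtcs_by_status_mask(dtc_reply["data"]))                    # [('P3E9F-01', 171)]
    print(parse_single_frame(bytes.fromhex("037F3131 00000000"))["nrc_name"])  # requestOutOfRange
    print(f"{level3_key(0x1337):04x}")                                      # ecc8
```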
Security Access Level 1
Level 3 provides access to a new diagnostic session and some new memory at 0x1A000, but we still don't have full control of the module. Can you provide a valid key for security access level 1? The flag is the key to unlock with seed 7D0E1A5C in hex (example 12345678)
This challenge is within the Harborbay vehicle simulator on VSEC. From the home page, enter HarborBay. Select the Mach-E User Space Diagnostics Challenge Simulation, then launch the terminal.
Can you identify the data?
Brute-force the DIDs (ReadDataByIdentifier, service 0x22):
import can
import time
import binascii

bus = can.Bus(interface='socketcan', channel='vcan0')
# Only listen for diagnostic responses from 0x7E8, otherwise recv() also returns the simulation's broadcast traffic.
bus.set_filters([{"can_id": 0x7E8, "can_mask": 0x7FF, "extended": False}])

# Try every 16-bit DID with ReadDataByIdentifier (0x22); range(0, 0x100) so that 0xFF is covered too.
for i in range(0, 0x100):
    for j in range(0, 0x100):
        message = can.Message(arbitration_id=0x7E0, is_extended_id=False, dlc=8,
                              data=[0x03, 0x22, i, j, 0x00, 0x00, 0x00, 0x00])
        bus.send(message, timeout=0.2)
        msg = bus.recv(timeout=0.2)  # a timeout keeps the scan moving if the ECU stays silent
        # Anything other than a negative response (03 7F 22 <NRC>) means the DID exists.
        if msg is not None and not (msg.data[0] == 0x03 and msg.data[1] == 0x7F):
            print("DID", hex((i << 8) | j), binascii.hexlify(msg.data).decode('utf-8'))
This challenge is within the Harborbay vehicle simulator on VSEC. From the home page, enter HarborBay. Select the Mach-E User Space Diagnostics Challenge Simulation, then launch the terminal.
I hear routine control has a lot of fun features.
Use the Routine Control service (service ID 0x31) to execute a defined sequence of steps and obtain any related results:
import can
import time
import binascii

bus = can.Bus(interface='socketcan', channel='vcan0')
bus.set_filters([{"can_id": 0x7E8, "can_mask": 0xFFF, "extended": False}])

# RoutineControl (0x31), sub-function 0x01 = startRoutine, over every 16-bit routine identifier.
for i in range(0, 0x100):
    for j in range(0, 0x100):
        time.sleep(0.01)
        message = can.Message(arbitration_id=0x7E0, is_extended_id=False, dlc=8,
                              data=[0x04, 0x31, 0x01, i, j, 0x00, 0x00, 0x00])
        bus.send(message, timeout=0.2)
        msg = bus.recv(timeout=0.2)
        if msg is None:
            continue
        result = binascii.hexlify(msg.data).decode('utf-8')
        # 03 7f 31 31 is NRC 0x31 (requestOutOfRange): the routine does not exist, so skip it.
        # startswith() also matches when the ECU pads the frame to 8 bytes.
        if not result.startswith("037f3131"):
            print("i: ", hex(i), " j: ", hex(j), " response: ", result)
This challenge is within the Harborbay vehicle simulator on VSEC. From the home page, enter HarborBay. Select the Mach-E User Space Diagnostics Challenge Simulation, then launch the terminal.
I hear single byte XOR keys are a great security measure, can you prove me wrong?
Please download <https://github.com/zombieCraig/ICSim> and read the instructions to compile/run. Once set up, set the seed value -s 10000 for both ./controls and ./icsim. Next, answer the following questions. Use any tool you would like in order to arrive at the answers.
After cloning the project, first run the setup_vcan.sh script in the ICSim directory:
sudo modprobe can
sudo modprobe vcan
sudo ip link add dev vcan0 type vcan
sudo ip link set up vcan0
The modprobe command loads kernel modules, here the can and vcan modules; the last two lines create a vcan0 interface to simulate the vehicle network. Together these commands set up a virtual CAN interface, vcan0.
This vcan0 is a virtual CAN interface through which ICSim sends and receives CAN frames. When the control panel is started, you can see the speedometer fluctuate a little; this is because the control panel simulates noise.