CN115022414B - CAN ID reverse and determining method for vehicle electronic control unit - Google Patents


Info

Publication number: CN115022414B
Authority: CN (China)
Prior art keywords: firmware, candidate, api function, standard, address
Legal status: Active
Application number: CN202210414438.9A
Other languages: Chinese (zh)
Other versions: CN115022414A (en)
Inventors: 李祥学, 郝新鹏
Current assignee: East China Normal University
Original assignee: East China Normal University
Events: application filed by East China Normal University; priority to CN202210414438.9A; publication of CN115022414A; application granted; publication of CN115022414B; legal status active.

Classifications

H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/06 Notations for structuring of protocol data, e.g. abstract syntax notation one [ASN.1] (under H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass)
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks (under H04L 67/00 Network arrangements or protocols for supporting network services or applications, H04L 67/01 Protocols)
    • H04L 2012/40215 Controller Area Network CAN (under H04L 12/00 Data switching networks, H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks], H04L 12/40 Bus networks, H04L 2012/40208 Bus networks characterized by the use of a particular bus standard)
Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE; Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P 90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS] (under Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation)

Abstract

The invention provides a CAN ID reversing and determining method for a vehicle electronic control unit, comprising the following steps: determine the base address of the obtained ECU firmware so that it can be disassembled correctly; search the firmware according to the data storage format of CAN standard frames to obtain a set of candidate CAN standard frames; because a CAN standard frame in the firmware is referenced by a CAN-API function no matter where the frame is stored, locate the address of the CAN-API function through the characteristics of that function; and finally determine which candidate CAN standard frames are correctly referenced, and hence their CAN IDs. The invention applies to microcontrollers that use a fixed data storage format for CAN standard frames and a fixed address as the transmit buffer, and thus to all ECUs carrying such a microcontroller. The invention has value for the field of intelligent connected vehicle security, in particular for intrusion detection and penetration testing of the in-vehicle CAN network.

Description

CAN ID reverse and determining method for vehicle electronic control unit
Technical Field
The invention relates to reversing and determining the CAN ID of the CAN standard frames sent or received by an electronic control unit in an automobile during in-vehicle CAN network communication, and to the technical field of firmware disassembly, in particular to a CAN ID reversing and determining method for an automotive Electronic Control Unit (ECU).
Background
With the development of Internet of Things technology, more intelligent connected devices with larger storage, higher processing speed and richer interaction modes are entering people's lives, and automobiles are a particularly obvious case. Through rapid development over the last two decades, intelligent connected automobiles have become a third intelligent mobile device for people, after mobile phones and computers. The internal network of a modern automobile is divided into several modules, such as the powertrain module, the body control module and the infotainment module, with the modules connected by a gateway. Inside each module, vehicle control and information transfer are realized by ECUs (Electronic Control Units); an ECU communicates with other ECUs through CAN frames, and many sensors send their collected data onto the CAN bus in the same way. Each ECU uses specific CAN IDs when sending CAN frames onto the bus, and the CAN IDs it can send and accept are specific to that ECU, embedded in its firmware by the vehicle manufacturer's hardware or module development engineers according to the function the ECU performs. In academia, the most studied topic around the in-vehicle CAN network is the intrusion detection system, and such study must start from knowing which CAN IDs each ECU of the vehicle will send or receive; in addition, when a specific ECU is attacked, it must first be known which CAN IDs it can receive.
With the development of firmware reverse engineering, research on the ARM (Advanced RISC Machines) architecture has become mainstream. Renesas, however, is a well-known MCU vendor, and its MCU series such as SuperH and RX are very widely used in automotive infotainment systems and T-BOXes because of their low power consumption and communication speed.
Disclosure of Invention
The invention aims to provide a CAN ID reversing and determining method for a vehicle electronic control unit, in particular a method for reversing the CAN IDs stored in the firmware of Renesas SuperH and RX series MCUs.
The specific technical scheme for realizing the aim of the invention is as follows:
A CAN ID reversing and determining method for a vehicle electronic control unit. The method uses an analysis system made up of a firmware base address determining module, a candidate CAN standard frame positioning module, a CAN-API function positioning module and a CAN ID determining module. It determines the base address, in the MCU address space, of the firmware extracted from the vehicle ECU and disassembles the firmware using that base address; takes the CAN standard frame format defined in the ISO 11898 protocol and the CAN standard frame data storage structure defined by the MCU vendor, and finds the candidate CAN standard frames in the firmware that match these characteristics; locates the CAN-API function by the transmission purpose it fulfils in the firmware, using its transmission instructions; and, from a candidate CAN standard frame being correctly referenced by the CAN-API function, establishes that the frame is genuine and thus determines its CAN ID. The firmware base address determining module determines the base address of the firmware and, using the correct base address, outputs the disassembled firmware to the candidate CAN standard frame positioning module; the candidate CAN standard frame positioning module searches the firmware according to the characteristics of CAN standard frames, obtains a set of candidate CAN standard frames and passes it to the CAN-API function positioning module; the CAN-API function positioning module locates the CAN-API function according to the special transmission instructions inside it and passes it to the CAN ID determining module; the CAN ID determining module takes the candidate CAN standard frames referenced by the CAN-API function as correct CAN standard frames and determines their CAN IDs.
The firmware base address determining module operates on the firmware of the vehicle electronic control unit. The firmware may be obtained through the OBD interface using an advanced diagnostic protocol, read through the JTAG debug interface of the electronic control unit using a JTAG-to-USB interface converter, or, for FLASH chips of known type that are common on some PCBs, read directly with a programmer.
The firmware base address determining module determines the base address by locating switch-case statements in the firmware, obtaining the absolute addresses of the functions called in the case statement blocks, and then iterating over the possible range of the base address to find the correct one.
The candidate CAN standard frame positioning module screens the firmware byte by byte, treats every data structure that matches the characteristics as a candidate CAN standard frame, and obtains a set of candidate CAN standard frames.
The CAN-API function positioning module uses special transmission instructions of the MCU instruction set, namely the 20-bit immediate transmission instruction and the structure data transmission instruction, based on the pointer to the CAN standard frame in the CAN-API function's parameter list and on the configuration of the mailbox in the CAN module, and locates the CAN-API function by screening for the transmission instructions that meet these conditions.
The CAN ID determining module uses the reference to a candidate CAN standard frame by the CAN-API function, i.e. the address of the candidate CAN standard frame appearing as the operand of a structure transmission instruction in the CAN-API function, to obtain a correct CAN standard frame, and obtains the CAN ID from the ID field of that CAN standard frame.
The CAN ID reversing and determining method for a vehicle electronic control unit is applicable to all ECUs that conform to the CAN standard frame definition of ISO 11898, use the fixed data storage structure in the MCU, and transmit and buffer through a fixed address.
Compared with the prior art, the invention has the following beneficial effects:
1. The firmware base address determining module obtains the absolute addresses of called functions through the function call logic of the case statement blocks of switch-case statements in the firmware; compared with matching function prologues alone, this has a lower false positive rate and higher accuracy.
2. The CAN standard frame identification method can determine all candidate CAN IDs in the firmware. With conventional methods, the CAN IDs an ECU can transmit and receive are typically obtained by establishing a communication connection and capturing packets, which only yields part of the CAN IDs.
3. The invention locates the CAN-API function automatically, and by analysing that function the ECU's transmission logic for CAN standard frames can be obtained, which gives the method greater extensibility for research on the whole CAN network.
4. The invention is universal: it applies to all ECUs that conform to the CAN standard frame definition of ISO 11898, use the fixed data storage structure in the MCU, and transmit and buffer through a fixed address, and most ECUs meet these conditions.
Drawings
Fig. 1 is a flow chart of the modules of the CAN ID reversing and determining method for a vehicle electronic control unit according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of SH2A firmware according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the positioning module for the API function that transmits CAN standard frames according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the embodiments of the present invention and the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The specific technical scheme of the invention is as follows:
The invention discloses a CAN ID reversing and determining method for a vehicle electronic control unit, realized by an analysis system consisting of a firmware base address determining module, a candidate CAN standard frame positioning module, a CAN-API function positioning module and a CAN ID determining module.
In the invention, the ECU firmware is read directly through the JTAG debug interface of the MCU in the vehicle electronic control unit.
The firmware base address determining module finds the position at which the firmware is mapped into the memory of the embedded device, namely the loading base address of the firmware. Each jump table stores the address offset of each case statement block, so the address of each case statement block can be obtained from the offsets in the jump table. In a case statement block there is a transmission instruction that stores the absolute address pointer of the called function, so the absolute address of the called function can be obtained, and by traversing all case statement blocks in the firmware a set Addr[] of function absolute addresses is obtained. All obtained function absolute addresses are sorted, and the range of the base address Base can then be expressed as:
Addr.max – fileSize < Base < Addr.min
where fileSize is the firmware size.
Each address in the range is traversed; the address x in the range for which the largest number of the obtained function absolute addresses land on a function prologue is taken as the base address.
Once the base address of the firmware is determined, the firmware can be disassembled correctly.
The candidate CAN standard frame positioning module searches the firmware binary by characteristics derived from the definition of the CAN standard frame format in the ISO 11898 protocol, the definition of the CAN standard frame data storage structure in the Renesas official documentation, and the form in which the corresponding API function is called. After searching the whole firmware binary by these characteristics, a set of candidate CAN standard frames and a set of candidate CAN IDs are obtained.
These sets contain false positives, so it must be determined which CAN IDs are correct. Since a correct standard frame, no matter where it lies in the firmware, is referenced by the API function that transmits CAN standard frames, the correctness of a candidate standard frame can be judged by that API function call.
The CAN-API function positioning module locates the API function in the firmware according to the transmission work it performs. For the API function that transmits a CAN standard frame, the parameter list contains a pointer to the address of the CAN standard frame structure. Therefore, the absolute addresses of all candidate CAN standard frames obtained by the candidate CAN standard frame positioning module are computed from the firmware base address determined by the firmware base address determining module and searched for in the whole firmware. Wherever the absolute address of a candidate CAN standard frame appears in the firmware, that address is loaded by a structure data fetch instruction MOV in the API function through an offset, which yields the pointer to the candidate CAN standard frame. In this way the absolute addresses of all candidate CAN standard frames appearing in the firmware are found, the range of the maximum offset of the MOV instruction determines where the MOV instruction that loads the absolute address can lie, and an address set candidateAPI_1[] of API functions containing such MOV instructions is obtained.
The API function that transmits a CAN standard frame not only takes the pointer to the CAN standard frame as a parameter, but also transfers the standard frame to the corresponding buffer, the MailBox; the standard frame is then passed through the CAN module of the MCU to the CAN transceiver, and finally the CAN transceiver sends it onto the CAN bus. Because the address of the MailBox in the CAN module is known, the transmission instruction in the API function that moves data into the MailBox can be searched for. Because the CAN module of the Renesas SuperH and RX series MCUs lies at high addresses of memory, an immediate transmission instruction is essentially always used to set the pointer to the MailBox address; this instruction transmits a 20-bit immediate, and the 32-bit absolute address of the MailBox is obtained by sign extension. Taking the address of the whole CAN module as the target, all immediate transmission instructions in the firmware are traversed, the set of immediate transmission instructions whose absolute address pointer points to a MailBox is obtained, and from it an address set candidateAPI_2[] of API functions containing such immediate transmission instructions.
The memory size of the API function is determined, and the intersection of the two sets of candidate API functions gives the address of the API function that transmits CAN standard frames.
The CAN ID determining module then determines that the ID of a candidate CAN standard frame is a correct CAN ID through the API function's reference to the absolute address of that candidate frame. In addition, the API function obtained by the CAN-API function positioning module can be analysed in a disassembly tool (such as IDA Pro), so that the corresponding CAN standard frames and CAN IDs can also be obtained through other transmission logic.
The invention can be applied to experimental study of vehicle network security; it obtains by reverse engineering the CAN IDs that a target ECU, or even all ECUs of a whole vehicle, can send and receive, and therefore has high application value for intrusion detection in the in-vehicle CAN network. The principle of the invention applies to all data transmission scenarios in which messages with a fixed data structure are used for communication and a MailBox or EndPoint mechanism is used for data buffering, so its application is wider still.
Examples
Fig. 1 is a block diagram of the modules of the CAN ID reversing and determining method for a vehicle electronic control unit according to an embodiment of the present invention. The method is general; it is described below using the T-BOX of model HERMES 2.0 carried by a Benz car, and its firmware, as an illustrative example; the T-BOX carries a processor of the Renesas SH2A architecture. The method comprises the following steps:
S101, firmware base address determining module:
The firmware base address determining module is the precondition for reverse engineering the firmware; only once the correct base address is determined can correct cross references be obtained in the firmware. Determining the base address of the firmware has two parts: first the absolute addresses present in the firmware are found, and then the base address is determined using the special instruction that corresponds to those absolute addresses.
Specifically, there are many instructions in firmware that transmit absolute addresses. They are typically used to set a pointer to the absolute address of a called function, but not all instructions of that format point to a called function; some point to registers in the high address region of memory or to other data, such as strings. Because of the nature of the switch-case statement, a case statement block typically calls several functions, and the absolute addresses of those called functions are available there.
Fig. 2 is a schematic diagram of the SH2A firmware according to an embodiment of the present invention. Each switch-case statement in the firmware generates a jump table, and the jump table stores the offset address of each case statement block. In this instruction set architecture, the instruction MOVA TBLM, R0 passes the start address of the jump table to register R0, the next instruction MOV.W @(R0,R1), R1 obtains the offset address of the target case statement block from the offset in the jump table, and finally the instruction BRAF R1 jumps according to the obtained address offset.
These three instructions are the main instructions implementing switch-case syntax, so the first step is to locate switch statement blocks in the firmware by the instruction MOVA TBLM, R0; the MOVA instruction is contained in the default case statement block.
The TBLM address in the MOVA instruction is an offset relative to the address of the MOVA instruction and is the start address of the jump table; the base address of the jump table is the address of the NOP instruction after the BRAF instruction plus 2. Therefore, the address of each case statement block can be obtained from the base address of the jump table and the offset in the jump table.
In the case statement blocks, the instruction MOV.L #absolute_address, R11 (the register is typically R10, R11 or R14) updates the pointer to the called function, so an accurate absolute address of the called function is obtained. Furthermore, the absolute addresses of the functions called by the function are emitted after the NOP instruction and before the jump table, in what is typically called a function entry table, which gives accurate absolute addresses of the called functions as well.
Traversing all switch statement blocks in the firmware gives a set Addr of function absolute addresses. Sorting all absolute addresses in the set from small to large, the range of the base address Base is bounded below by the maximum function absolute address minus the firmware size and above by the minimum function absolute address, namely:
Addr.max – fileSize < Base < Addr.min
All addresses in this base address range are traversed; the base address must be a multiple of 2, since in the SH2A architecture the basic instructions are 16 bits and the extended instructions are 32 bits.
For an address x in the base address range, if, when x is taken as the base address, the largest number of the obtained function absolute addresses correspond to an instruction that is a function prologue, then x is taken as the base address of the firmware. In the SH2A architecture the function prologue is typically MOV.L R8, @-R15, the instruction that saves a register on the stack.
After the base address of the firmware is obtained by the above process, the firmware can be correctly loaded into the disassembly tool IDA Pro for verification and further work; this module is the basis of reverse engineering the firmware.
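The base-address search of this step and of the module description above, as an added example that is not the patent's own code: it takes the function absolute addresses collected from the case statement blocks together with the raw image, walks the even addresses in the range Addr.max – fileSize < Base < Addr.min, and keeps the base under which the most of those addresses land on a MOV.L R8, @-R15 prologue. The 1 KiB image, the three function addresses and the prologue opcode bytes (taken from the SH instruction format and to be checked against the Renesas manual) are assumptions.

```python
# Added example, not the patent's code: base-address determination by counting
# how many collected function addresses hit a function prologue under each
# candidate base. The image, the addresses and the opcode are constructed.
from collections import Counter
from typing import Iterable, List, Tuple

# SH2A `MOV.L R8, @-R15` (push R8) as a big-endian halfword. Assumed from the
# SH format MOV.L Rm,@-Rn = 0010nnnnmmmm0110 with n=15, m=8; verify for the core.
PROLOGUE = bytes.fromhex("2F86")


def base_range(addrs: Iterable[int], file_size: int) -> range:
    """Candidate bases per the page: Addr.max - fileSize < Base < Addr.min,
    stepping by 2 because SH2A instructions are halfword aligned."""
    addrs = sorted(addrs)
    lo = addrs[-1] - file_size + 1     # strictly above Addr.max - fileSize
    hi = addrs[0]                      # strictly below Addr.min
    if lo % 2:
        lo += 1
    return range(lo, hi, 2)


def prologue_hits(firmware: bytes, addrs: Iterable[int], base: int) -> int:
    """Count function addresses that point at PROLOGUE when loaded at `base`."""
    hits = 0
    for a in addrs:
        off = a - base
        if 0 <= off <= len(firmware) - len(PROLOGUE) and firmware[off:off + 2] == PROLOGUE:
            hits += 1
    return hits


def find_base(firmware: bytes, addrs: List[int]) -> Tuple[int, int]:
    """Return (base, hits) for the candidate base with the most prologue hits."""
    scores = Counter()
    for base in base_range(addrs, len(firmware)):
        scores[base] = prologue_hits(firmware, addrs, base)
    base, hits = scores.most_common(1)[0]
    return base, hits


def sample_firmware() -> bytes:
    """Constructed 1 KiB image with three functions whose entry pushes R8."""
    img = bytearray(0x400)
    for off in (0x100, 0x200, 0x300):
        img[off:off + 2] = PROLOGUE
    return bytes(img)


if __name__ == "__main__":
    fw = sample_firmware()
    # Absolute addresses as the case-block MOV.L #addr, R11 literals would hold
    # them if the image were linked at 0x1000 (constructed).
    funcs = [0x1100, 0x1200, 0x1300]
    print(find_base(fw, funcs))   # (4096, 3)
```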
S102, candidate CAN standard frame positioning module:
The CAN standard frame positioning module needs to search for the initialized standard frame data structures present in the firmware. From the official Renesas documentation for the SH2A series MCU, the data storage structure of a CAN standard frame in the firmware is:
#include <stdint.h>
typedef struct {
    uint32_t id;       /* CAN identifier */
    uint8_t  dlc;      /* data length code */
    uint8_t  data[8];  /* payload */
} can_frame_t;
The signature of the transmit API function is:
uint32_t R_CAN_TxSet(const uint32_t ch_nr, const uint32_t mb_mode, const uint32_t mbox_nr, const can_frame_t* frame_p, const uint32_t frame_type);
frame_p in the parameter list is a pointer to the standard frame structure.
Thus, from the characteristics of the CAN standard frame data structure and the definition of the CAN standard frame format in ISO 11898, the following features can be used for searching the firmware:
Rule 1: the standard frame length is 4 (ID) + 1 (DLC) + 8 (DATA) = 13 bytes.
Rule 2: the ID field of the standard frame is less than 0x7FF and cannot be all zeros.
Rule 3: for the DLC and DATA fields of the standard frame, DLC cannot be greater than 8, and the last (8 - DLC) bytes of DATA must be 0.
Searching the whole firmware according to these characteristics gives a set of candidate CAN standard frames and a set of candidate CAN IDs. The results for this example are:
the number of candidate CAN standard frames is 673, and the number of candidate CAN IDs is 96.
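Rules 1 to 3 applied byte by byte to a firmware image, as an added example rather than the patent's own script: the 13-byte layout is the can_frame_t above, the big-endian ID order is assumed from the page's example frame 00 00 00 12 ..., and the image with two plausible frames and two decoys is constructed.

```python
# Added example, not the patent's code: the S102 byte-by-byte candidate CAN
# standard frame screen. Big-endian field order and the image are assumptions.
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

FRAME_LEN = 13          # Rule 1: 4 (ID) + 1 (DLC) + 8 (DATA)
MAX_STD_ID = 0x7FF      # Rule 2 as stated on the page: 0 < id < 0x7FF


@dataclass(frozen=True)
class CandidateFrame:
    offset: int         # byte offset in the firmware image
    can_id: int
    dlc: int
    data: bytes


def match_frame(buf: bytes, offset: int) -> Optional[CandidateFrame]:
    """Apply Rules 1-3 to the 13 bytes at `offset`; None if any rule fails."""
    chunk = buf[offset:offset + FRAME_LEN]
    if len(chunk) < FRAME_LEN:                      # Rule 1
        return None
    can_id, dlc = struct.unpack(">IB", chunk[:5])   # big-endian ID (assumed)
    data = chunk[5:]
    if not 0 < can_id < MAX_STD_ID:                 # Rule 2
        return None
    if dlc > 8 or any(data[dlc:]):                  # Rule 3: unused DATA tail is zero
        return None
    return CandidateFrame(offset, can_id, dlc, data)


def scan_frames(buf: bytes) -> List[CandidateFrame]:
    """Slide one byte at a time over the whole image (the page's byte-by-byte screen)."""
    return [f for off in range(len(buf) - FRAME_LEN + 1)
            if (f := match_frame(buf, off)) is not None]


def candidate_ids(frames: List[CandidateFrame]) -> Set[int]:
    """The set of candidate CAN IDs behind the set of candidate frames."""
    return {f.can_id for f in frames}


def sample_firmware() -> bytes:
    """Constructed image: two plausible frames, two decoys, 0xFF filler."""
    good1 = bytes.fromhex("00000123" "08" "1122334455667788")    # id 0x123, dlc 8
    good2 = bytes.fromhex("000002A0" "02" "AABB000000000000")    # id 0x2A0, dlc 2
    bad_id = bytes.fromhex("00000800" "01" "0100000000000000")   # id above 11 bits
    bad_tail = bytes.fromhex("00000300" "01" "01FF000000000000") # nonzero past DLC
    return b"\xff" * 16 + good1 + b"\xff" * 7 + bad_id + bad_tail + good2 + b"\xff" * 9


if __name__ == "__main__":
    for f in scan_frames(sample_firmware()):
        print(f"offset {f.offset:#06x} id {f.can_id:#05x} dlc {f.dlc} data {f.data.hex()}")
```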
The result of the feature search alone necessarily contains false positives, so it must be determined which candidate CAN standard frames are correct standard frames and which candidate CAN IDs are correct CAN IDs. Since a standard frame in the firmware, wherever it lies, has its address referenced as a parameter by the transmit CAN-API function, the correctness of a candidate CAN standard frame can be determined by its being referenced by the transmit CAN-API function or another CAN-API function.
S103, CAN-API function positioning module:
The CAN-API function positioning module locates the function that transmits CAN standard frames; this embodiment takes the CAN-API function R_CAN_TxSet of the SH2A or RX series as the example.
According to the function signature, the parameter list contains mbox_nr (mailbox number) and frame_p (CAN standard frame pointer), so the transmission logic instructions (data transmission instructions) in the function can be located from two directions. On the one hand, since the pointer to the CAN standard frame is passed as a parameter, there is a data transmission instruction that transmits the address of the standard frame; on the other hand, since the API function transfers the standard frame to the corresponding MailBox as a buffer, there is a data transmission instruction that sets a pointer to the corresponding MailBox. The transmission instructions corresponding to these two functions of the API function can be located, and thus the API function itself.
Fig. 3 is a schematic diagram of the positioning module for the API function that transmits CAN standard frames according to this embodiment; the address of the API function is determined by intersecting the sets of transmission instruction addresses located from the two directions above, as described in detail below.
For the first direction, there is a pointer to the address of the CAN standard frame in the parameter list of the API function, so there is an instruction in the API function that transmits the address of the standard frame. In the SH2A instruction set architecture, the corresponding instruction is the MOV structure data transmission instruction with format MOV.B Rm, @(disp12, Rn); it reaches the target structure through a 12-bit offset, and since the offset is 12 bits, the target address must lie within 4 KB above or below the MOV instruction in memory.
Take for example the candidate standard frame [00 00 00 12 00 00 00 00 00 00 00 00 00] obtained by the S102 module, whose absolute address is computed as #3c050000. This absolute address is searched for in the whole firmware; if it exists in the firmware, and a MOV instruction transmitting that absolute address is found within 4 KB above or below it, then that MOV instruction sets a pointer to the absolute address of the candidate CAN standard frame, and the function block containing the MOV instruction, namely an R_CAN_TxSet function transmitting CAN standard frames, is obtained.
Traversing and searching the absolute addresses of all candidate CAN standard frames gives a set of MOV transmission instructions, and from it a set of candidate R_CAN_TxSet functions, candidate_R_CAN_TxSet1[].
On the other hand, since the R_CAN_TxSet function not only passes the pointer to the address of the CAN standard frame as a parameter but also transfers the standard frame to the corresponding MailBox, there is a data transfer instruction among the function's instructions that sets a pointer to the MailBox.
For the SH2A series MCU described above, the CAN module address lies in the high segment of the memory address space, namely FFFE0000 to FFFE0500, so the instruction set architecture of this series typically uses a 20-bit immediate transmission instruction to transmit this high address, namely MOVI20 #imm20, R0 or MOVI20S #imm20, R0. The low 20 bits of the CAN module address are transmitted by this instruction and the 32-bit address is obtained by sign extension, so a function containing such an immediate transmission instruction is a candidate R_CAN_TxSet function.
Because one absolute address is determined as a base address through the immediate transmission instruction, and the addresses of the other MailBoxes are obtained from that base address plus an offset, the low 20 bits of the address of the whole CAN module are set as the target, and the corresponding immediate transmission instructions in the whole firmware are searched for, giving a set candidate_R_CAN_TxSet2[] of candidate R_CAN_TxSet functions.
For this embodiment, the distance between the immediate transmission instruction that transmits the MailBox address and the structure transmission instruction that transmits the standard frame structure within the same function (i.e. the memory size of one function) is set to 64 KB, determined through repeated experiments. The two sets of candidate R_CAN_TxSet functions are intersected within this range, giving the address of the target R_CAN_TxSet function.
S104, a CAN ID determination module:
The CAN ID determination module takes the CAN standard frame transmission API function determined by the CAN-API function positioning module and checks which of the candidate CAN standard frames obtained by the S102 module are referenced by this API function; a candidate frame that is correctly referenced is a correct CAN standard frame, and its CAN ID is therefore a correct CAN ID.
By locating CAN standard frames and API functions with this method and writing an automation script, the CAN IDs present in the firmware can be obtained effectively.
The firmware used in the invention was read directly from the MCU chip pins of a TBOX used in a Benz A-Class vehicle through a JTAG-to-USB interface converter, FT232H. Although firmware obtained by different methods may differ structurally, the method of the present invention is applicable to any firmware meeting the above conditions.
The invention is universal: it is applicable to all formats that support the CAN standard frames defined in ISO11898 and have a similar storage data structure and a data caching mechanism similar to the MailBox. In particular, the invention is strictly applicable to the Renesas SH2A and RX series MCUs, whose use in automobile ECUs is mainly found in infotainment modules.
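The S103 intersection described above, as an added example that is not part of the patent: it scans a constructed big-endian SH-2A-style image for the two candidate sets (PC-relative MOV.L loads of a candidate frame's absolute address within 4KB of its literal, and MOVI20/MOVI20S loads whose sign-extended value falls in FFFE0000-FFFE0500) and keeps only the references that lie within 64KB of a mailbox setup. The instruction encodings, the base address 0x3C000000, the mailbox address 0xFFFE0040 and the image contents are assumptions, not values taken from the patent.

```python
import struct

CAN_MODULE = range(0xFFFE0000, 0xFFFE0500)      # mailbox register block named on the page
LITERAL_WINDOW, FUNC_WINDOW = 0x1000, 0x10000   # 4 KB literal radius, 64 KB function size (page)

def movi20_value(fw, off):
    """Value loaded by MOVI20/MOVI20S at offset off (assumed encoding 0000nnnniiii000s imm16), else None."""
    w0, w1 = struct.unpack_from(">HH", fw, off)
    if w0 & 0xF00E:
        return None
    imm = ((w0 >> 4) & 0xF) << 16 | w1
    if imm & 0x80000:                            # sign-extend the 20-bit immediate
        imm -= 1 << 20
    return (imm << 8 if w0 & 1 else imm) & 0xFFFFFFFF   # the S form shifts the value left by 8

def frame_ref_instructions(fw, base, frame_off):
    """Set 1: addresses of MOV.L @(disp,PC),Rn instructions that load the frame's absolute address."""
    literal, refs, pos = struct.pack(">I", base + frame_off), [], -1
    while (pos := fw.find(literal, pos + 1)) != -1:        # each literal-pool copy of the address
        lo, hi = max(0, pos - LITERAL_WINDOW) & ~1, min(len(fw) - 2, pos + LITERAL_WINDOW)
        for pc in range(lo, hi, 2):
            (w,) = struct.unpack_from(">H", fw, pc)
            if w & 0xF000 == 0xD000 and (pc & ~3) + 4 + (w & 0xFF) * 4 == pos:
                refs.append(base + pc)
    return refs

def mailbox_setup_instructions(fw, base):
    """Set 2: addresses of 20-bit immediate moves whose sign-extended value lies inside the CAN module."""
    return [base + off for off in range(0, len(fw) - 3, 2)
            if (v := movi20_value(fw, off)) is not None and v in CAN_MODULE]

def locate_txset(fw, base, frame_offs):
    """S103 intersection: keep frames whose reference lies within FUNC_WINDOW of a mailbox setup."""
    mailbox = mailbox_setup_instructions(fw, base)
    found = {f: [r for r in frame_ref_instructions(fw, base, f)
                 if any(abs(r - m) <= FUNC_WINDOW for m in mailbox)] for f in frame_offs}
    return {f: hits for f, hits in found.items() if hits}

def build_sample_firmware():
    """Constructed image, base 0x3C000000: code at 0x100 loads the frame at offset 0x50000 (absolute
    0x3C050000, the page's example) and mailbox 0xFFFE0040; a decoy at 0x20000 loads a frame at
    offset 0x60000 with no mailbox setup within 64 KB."""
    fw = bytearray(0x60010)
    struct.pack_into(">HHH", fw, 0x100, 0xD403, 0x00E0, 0x0040)  # MOV.L @(12,PC),R4 ; MOVI20 #0xE0040,R0
    struct.pack_into(">I", fw, 0x110, 0x3C050000)                # literal pool entry for the frame
    struct.pack_into(">H", fw, 0x20000, 0xD43F)                  # decoy MOV.L @(252,PC),R4
    struct.pack_into(">I", fw, 0x20100, 0x3C060000)
    return fw
```

`locate_txset(build_sample_firmware(), 0x3C000000, [0x50000, 0x60000])` keeps only the frame at 0x50000, referenced from 0x3C000100; the decoy reference at 0x3C020000 is dropped because no mailbox setup lies within 64KB of it.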
The foregoing description is only of the preferred embodiments of the present invention and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention are included in the protection scope of the present invention.

Claims (6)

1. A CAN ID reverse determination method for a vehicle electronic control unit, characterized in that an analysis system consisting of a firmware base address determination module, a candidate CAN standard frame positioning module, a CAN-API function positioning module and a CAN ID determination module is used to determine the base address, in the MCU address space, of firmware extracted from a vehicle ECU; the determined base address is used to disassemble the firmware; using the definition of the CAN standard frame format in the ISO11898 protocol and the MCU vendor's definition of the CAN standard frame data storage structure, candidate CAN standard frames matching the characteristics of the CAN standard frame in these definitions are searched for in the firmware; the CAN-API function is located according to the transfer instructions that the CAN-API function must execute in the firmware; the correctness of a candidate CAN standard frame is established by its being correctly referenced by the CAN-API function, and the CAN ID of that CAN standard frame is then determined; the firmware base address determination module determines the base address of the firmware and passes the firmware, disassembled with the correct base address, to the candidate CAN standard frame positioning module; the candidate CAN standard frame positioning module searches the firmware for the set of candidate CAN standard frames according to the characteristics of the CAN standard frame and passes the obtained set of candidate CAN standard frames to the CAN-API function positioning module; the CAN-API function positioning module locates the CAN-API function according to the transfer instructions within the CAN-API function and passes the CAN-API function to the CAN ID determination module; the CAN ID determination module determines the candidate CAN standard frame referenced by the CAN-API function to be a correct CAN standard frame and determines its CAN ID.
2. The CAN ID reverse determination method for a vehicle electronic control unit according to claim 1, wherein the firmware base address determination module operates on firmware of the vehicle electronic control unit, the firmware being obtained through the OBD interface using an advanced diagnostic protocol, through the JTAG debug interface inside the electronic control unit read with a JTAG-to-USB interface converter, or read directly with a programmer from a FLASH of known model such as is common on some PCBs.
3. The CAN ID reverse determination method for a vehicle electronic control unit according to claim 1, wherein the firmware base address determination module locates a switch-case statement in the firmware, obtains the absolute addresses of the functions called in its case blocks, and determines the correct base address by iterating over a range of base addresses.
4. The CAN ID reverse determination method for a vehicle electronic control unit according to claim 1, wherein the candidate CAN standard frame positioning module screens the firmware byte by byte, defines each data structure conforming to the characteristics as a candidate CAN standard frame, and obtains the set of candidate CAN standard frames.
5. The CAN ID reverse determination method for a vehicle electronic control unit according to claim 1, wherein the CAN-API function positioning module, using the 20-bit immediate transfer instruction and the structure data transfer instruction of the MCU instruction set, screens out the transfer instructions meeting the conditions according to the pointer to the CAN standard frame in the parameter list of the CAN-API function and the purpose of configuring the mailbox in the CAN module, and thereby locates the CAN-API function.
6. The CAN ID reverse determination method for a vehicle electronic control unit according to claim 1, wherein the CAN ID determination module treats a candidate CAN standard frame as referenced by the CAN-API function when the address of the candidate CAN standard frame is used as an operand of a structure transfer instruction in the CAN-API function; the correct CAN standard frame is thereby obtained, and the CAN ID is obtained from the ID field of that CAN standard frame.
CN202210414438.9A 2022-04-20 2022-04-20 CAN ID reverse and determining method for vehicle electronic control unit Active CN115022414B (en)
Publications (2)

Publication Number Publication Date
CN115022414A CN115022414A (en) 2022-09-06
CN115022414B true CN115022414B (en) 2023-08-22