CN115022414A - CAN ID reverse engineering and determination method for a vehicle electronic control unit - Google Patents

Info

Publication number: CN115022414A
Application number: CN202210414438.9A
Authority: CN (China)
Prior art keywords: firmware, standard frame, candidate, api function, address
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN115022414B (en)
Inventors: 李祥学, 郝新鹏
Current assignee: East China Normal University (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: East China Normal University
Events: application filed by East China Normal University; priority to CN202210414438.9A; publication of CN115022414A; application granted; publication of CN115022414B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/06 Notations for structuring of protocol data, e.g. abstract syntax notation one [ASN.1]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/40 Bus networks
    • H04L 2012/40208 Bus networks characterized by the use of a particular bus standard
    • H04L 2012/40215 Controller Area Network CAN
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P 90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The invention provides a CAN ID reverse engineering and determination method for a vehicle electronic control unit, comprising the following steps: determining the base address of the obtained ECU firmware so that the firmware can be correctly disassembled; searching the firmware according to the data storage format of the CAN standard frame to obtain a set of candidate CAN standard frames; because a CAN standard frame in the firmware is referenced by a CAN-API function wherever it is stored, locating the address of the CAN-API function through its characteristics; and finally determining which candidate CAN standard frames are correctly referenced and thereby determining their CAN IDs. The invention is applicable to microcontrollers that use a fixed data storage format for the CAN standard frame and a fixed address for data transfer and buffering, and therefore to all ECUs built on such microcontrollers. The invention has value in the field of intelligent connected vehicle security, in particular for intrusion detection and penetration testing of the in-vehicle CAN network.

Description

CAN ID reverse engineering and determination method for a vehicle electronic control unit
Technical Field
The invention relates to the reverse engineering and determination of the CAN ID in CAN standard frames sent or received by an electronic control unit in an automobile during CAN network communication, and to the technical field of firmware disassembly, in particular to a CAN ID reverse engineering and determination method for an automotive Electronic Control Unit (ECU).
Background
With the development of internet of things technology, more intelligent networked devices with larger storage, faster processors and richer interaction modes have entered people's lives, automobiles in particular. Through the rapid development of the last two decades, the intelligent connected automobile has become a third intelligent mobile device after the mobile phone and the computer. The internal network of a modern automobile is divided into several modules, such as the powertrain module, the body control module and the infotainment module, and the modules are connected by a gateway. Within each module, ECUs (Electronic Control Units) control the automobile and transmit information, and an ECU communicates with other ECUs through CAN frames. Each ECU includes a specific CAN ID in every CAN frame it sends on the bus; for a given ECU the CAN IDs it can send and receive are fixed, embedded in the ECU firmware by the hardware or module development engineers of the vehicle manufacturer according to the functions the ECU performs. In academia, research on intrusion detection systems for the in-vehicle CAN network is the most active, and its premise is knowing which CAN IDs each ECU of the automobile sends or receives; in addition, to attack a specific ECU, one must know which CAN IDs that ECU can receive.
With the development of firmware reverse engineering technology, research on the ARM (Advanced RISC Machines) architecture has become mainstream. Renesas is a well-known MCU supplier, and its SuperH, RX and other series of MCUs are widely used in automotive infotainment systems and T-BOXes because of their low power consumption and communication speed.
Disclosure of Invention
The invention aims to provide a CAN ID reverse engineering and determination method for a vehicle electronic control unit, specifically reverse engineering of the CAN IDs stored in the firmware of Renesas SuperH and RX series MCUs.
The specific technical scheme for realizing the purpose of the invention is as follows:
A CAN ID reverse engineering and determination method for a vehicle electronic control unit. The method uses an analysis system composed of a firmware base address determination module, a candidate CAN standard frame positioning module, a CAN-API function positioning module and a CAN ID determination module. It determines the base address, in the MCU address space, of the firmware extracted from the vehicle ECU and disassembles the firmware with that base address; using the definition of the CAN standard frame format in the ISO 11898 protocol and the MCU supplier's definition of the CAN standard frame data storage structure, it searches the firmware for candidate CAN standard frames that match the features of that definition; using the transfer purpose realized by the CAN-API function in the firmware, it locates the CAN-API function by its transfer instructions; and from the correct reference of a candidate CAN standard frame by the CAN-API function it establishes the correctness of the CAN standard frame and thereby determines the CAN ID. The firmware base address determination module determines the base address of the firmware and outputs the firmware disassembled at the correct base address to the candidate CAN standard frame positioning module; the candidate CAN standard frame positioning module searches the firmware according to the features of CAN standard frames, obtains a set of candidate CAN standard frames and outputs it to the CAN-API function positioning module; the CAN-API function positioning module locates the CAN-API function according to the special transfer instructions within it and outputs it to the CAN ID determination module; and the CAN ID determination module takes the candidate CAN standard frames referenced by the CAN-API function as correct CAN standard frames and determines their CAN IDs.
The firmware base address determination module operates on the firmware of the vehicle electronic control unit. The firmware may be obtained through the OBD interface using high-level diagnostic protocols, read through the JTAG debugging interface of the electronic control unit with a JTAG-to-USB interface converter, or, for FLASH chips of known and common models on the PCB, read directly with a programmer.
The firmware base address determination module determines the base address by locating switch-case statements in the firmware, obtaining the absolute addresses of the functions called in the case statement blocks, and then iterating over the possible range of the base address to determine the correct one.
The candidate CAN standard frame positioning module screens the firmware byte by byte, defines each data structure that meets the features as a candidate CAN standard frame, and obtains the set of candidate CAN standard frames.
The CAN-API function positioning module locates the CAN-API function by using the special transfer instructions of the MCU instruction set, namely the 20-bit immediate transfer instruction and the structure data transfer instruction, to screen for the transfer instructions that satisfy the conditions implied by the CAN standard frame pointer in the CAN-API function's parameter list and by the configuration of the mailbox in the CAN module.
The CAN ID determination module relies on the CAN-API function referencing the candidate CAN standard frame, that is, on the address of the candidate CAN standard frame being used as the operand of a structure transfer instruction in the CAN-API function; it thereby obtains the correct CAN standard frames and reads the CAN ID from the ID field of each CAN standard frame.
The CAN ID reverse engineering and determination method for a vehicle control unit is applicable to all ECUs that follow the definition of CAN standard frames in ISO 11898, use a fixed data storage structure in the MCU, and transfer and buffer data through a fixed address.
Compared with the prior art, the invention has the following beneficial effects:
1. The firmware base address determination module obtains the absolute addresses of called functions through the function-call logic of the case statement blocks of switch-case statements in the firmware, which has fewer false positives and higher accuracy than matching function prologues alone.
2. The CAN standard frame identification method can determine all candidate CAN IDs in the firmware. The conventional method of obtaining the CAN IDs an ECU can send and receive is to establish a communication connection and capture packets, which obtains only a part of the CAN IDs.
3. The invention locates the CAN-API function automatically, and analysing that function reveals the ECU's transmission logic for CAN standard frames, which gives greater extensibility to research on the whole CAN network.
4. The method is universal: it applies to all ECUs that follow the definition of CAN standard frames in ISO 11898, use a fixed data storage structure in the MCU, and transfer and buffer data through a fixed address, and most ECUs meet this condition.
Drawings
FIG. 1 is a block flow diagram of a CAN ID reverse engineering and determination method for a vehicle electronic control unit according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of SH2A firmware provided by an embodiment of the present invention;
FIG. 3 is a schematic diagram of the positioning module for the API function that transmits a CAN standard frame according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention and the accompanying drawings, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The specific technical scheme of the invention is as follows:
The invention relates to a CAN ID reverse engineering and determination method for a vehicle electronic control unit, realized by an analysis system consisting of a firmware base address determination module, a candidate CAN standard frame positioning module, a CAN-API function positioning module and a CAN ID determination module.
In the invention, the ECU firmware is obtained by reading it directly through the JTAG debugging interface on the MCU in the vehicle electronic control unit.
The firmware base address determination module determines where the firmware is mapped in the memory of the embedded device, that is, the loading base address of the firmware. This includes locating switch-case statements in the firmware binary according to the instructions that read the jump table present in the firmware; the jump table stores the address offset of each case statement block, so the address of each case statement block can be obtained from the offset in the jump table. Within a case statement block there is a transfer instruction that sets and stores an absolute-address pointer to the called function, so the absolute address of the called function can be obtained, and traversing all case statement blocks in the firmware yields a set of function absolute addresses Addr[]. After sorting all obtained absolute function addresses, the range of the base address Base can be expressed as:
Addr.max - fileSize < Base < Addr.min
where fileSize is the size of the firmware.
Each address in this range is tried: if, taking an address x in the range as the base, the number of function absolute addresses whose instruction is a function prologue is the largest, x is taken as the base address.
Once the base address of the firmware is determined, the firmware can be correctly disassembled.
The candidate CAN standard frame positioning module searches the firmware binary by the features of a candidate CAN standard frame, derived from the definition of the CAN standard frame format in the ISO 11898 protocol, the definition of the CAN standard frame data storage structure in the Renesas official documentation, and the form in which the corresponding API function is called. After the whole firmware binary has been searched according to these features, a set of candidate CAN standard frames and a set of candidate CAN IDs are obtained.
Both sets contain false positives, so which CAN IDs are correct must be determined. Wherever a correct standard frame lies in the firmware, its correctness can be judged by its being referenced by an API function that transmits a CAN standard frame.
The CAN-API function positioning module locates the API function in the firmware according to the transfer function it performs. For an API function transmitting a CAN standard frame, the parameter list contains a pointer to the address of the CAN standard frame structure. Therefore, using the firmware base address determined by the firmware base address determination module, the absolute addresses of all candidate CAN standard frames obtained by the candidate CAN standard frame positioning module are computed and searched for in the whole firmware. Once the absolute address of a candidate CAN standard frame appears in the firmware, it indicates that the address is obtained by a structure data fetch instruction MOV in an API function through an offset, which yields the pointer to the candidate CAN standard frame. In this way the absolute addresses of all candidate CAN standard frames appearing in the firmware are obtained, the address of the MOV instruction fetching each absolute address is found within the range of the maximum offset of the MOV instruction, and a set candidateAPI_1[] of addresses of API functions containing such MOV instructions is obtained.
For the API function transmitting the CAN standard frame, the pointer to the CAN standard frame is passed as a parameter, the standard frame is transferred to the corresponding buffer MailBox, then through the CAN module in the MCU to the CAN transceiver, and finally by the CAN transceiver onto the CAN bus. Because the address of the MailBox in the CAN module is known, the transfer instruction in the API function that transfers data to the MailBox can be searched for. Since the CAN modules in the Renesas SuperH series and RX series MCUs are located at a high address in memory, a pointer to the MailBox address is basically set with an immediate transfer instruction; this instruction transfers a 20-bit immediate, and the 32-bit absolute address of the MailBox is obtained by bit extension. Traversing all immediate transfer instructions in the firmware with the address of the whole CAN module as target yields the set of immediate transfer instructions that set an absolute-address pointer to the MailBox, and thereby a set candidateAPI_2[] of addresses of API functions containing such instructions.
By fixing the memory size of an API function and taking the intersection of the two sets of candidate API functions, the address of the API function transmitting the CAN standard frame is obtained.
In addition, the CAN ID determination module determines that the ID of a candidate CAN standard frame is a correct CAN ID when the API function references the absolute address of that candidate CAN standard frame, and by analysing the API function obtained by the CAN-API function positioning module in a disassembly tool (such as IDA Pro), further CAN standard frames and CAN IDs configured through other transfer logic can be obtained.
The method can be applied to experimental research on vehicle network security: the CAN IDs that a target ECU, or even all ECUs of the whole vehicle, can send and receive are obtained by reverse engineering, which is of high value for intrusion detection on the in-vehicle CAN network. The principle of the invention applies to all data transfer scenarios in which communication uses messages with a fixed data structure and data is buffered through a MailBox mechanism or a port (EndPoint) mechanism, so its applicability is relatively wide.
Examples
Fig. 1 is a block diagram of a CAN ID reverse engineering and determination method for a vehicle electronic control unit according to an embodiment of the present invention. The method has general applicability; a Mercedes-Benz vehicle equipped with a Hermes 2.0 type TBOX and its firmware are taken as the illustrative example, the TBOX carrying a processor of the Renesas SH2A architecture. The method specifically comprises the following steps:
S101, the firmware base address determination module:
The firmware base address determination module is the premise of firmware reverse engineering: only when the correct base address is determined can correct cross references in the firmware be obtained. Determining the base address of the firmware is divided into two parts: first finding the absolute addresses present in the firmware, then determining the base address through the special instructions corresponding to those absolute addresses.
Specifically, there are many instructions in firmware that transfer absolute addresses; they are typically used to set a pointer to the absolute address of a called function, but instructions of the same format do not all point to called functions, and some point to a register in the high address segment of memory or to other data, such as a string. Owing to the characteristics of the switch-case statement, there are usually several called functions in a case statement block, so the absolute addresses of these called functions can be obtained.
Fig. 2 is a schematic diagram of the SH2A firmware according to an embodiment of the present invention. Each switch-case statement in the firmware generates a jump table, and the jump table stores the offset address of each case statement block. For this instruction set architecture, the instruction MOVA TBLM, R0 passes the first address of the jump table to register R0; the instruction MOV.W @(R0,R1), R1 then obtains the offset of the target case statement block from the jump table; and finally the instruction BRAF R1 jumps according to the obtained address offset.
These three instructions are the main instructions implementing switch-case syntax, so the first step is to locate the switch statement blocks in the firmware according to the instruction MOVA TBLM, R0; the MOVA instruction is contained in the default case statement block.
Next, the TBLM address in the MOVA instruction is an offset relative to the address of the MOVA instruction, and the start address of the jump table (its base address) is the address of the NOP instruction following the BRAF instruction plus 2. Therefore, the address of each case statement can be obtained from the base address of the jump table and the offset stored in the jump table.
In a case statement block, the instruction MOV.L #AbsoluteAddress, R11 (the register is usually R10, R11 or R14) updates the pointer to the called function, from which an accurate absolute address of the called function is obtained. Furthermore, the absolute addresses of the functions called by the function are emitted after the NOP instruction and before the jump table, in what is generally called a function entry table, so accurate absolute addresses of called functions are obtained from there as well.
Traversing all switch statement blocks in the firmware yields a set Addr[] of function absolute addresses. Sorting all absolute addresses in the set from small to large, the range of the base address Base runs from the maximum function absolute address minus the firmware size to the minimum function absolute address, namely:
Addr.max - fileSize < Base < Addr.min
All addresses in this range are traversed; the base address must be a multiple of 2, since in the SH2A architecture the basic instructions are 16 bits and some extended instructions are 32 bits.
For an address x in the range, taking x as the base address, if the number of function absolute addresses whose corresponding instruction is a function prologue is the largest, x is considered the base address of the firmware. For the SH2A architecture, the function prologue is usually MOV.L R8, @-R15, the instruction that saves a register to the stack.
After the firmware base address has been obtained through this process, the firmware can be correctly loaded into the disassembly tool IDA Pro for verification and for the next step of the work; this module is the basis of firmware reverse engineering.
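As an added example, not code from the patent, the base address search of step S101 can be scripted as follows. It assumes the set Addr[] has already been collected from the case statement blocks, that the image is big-endian, and that the SH2A prologue MOV.L R8, @-R15 encodes as 0x2F86; the firmware bytes and the addresses are constructed for illustration, and the search space is the range Addr.max - fileSize < Base < Addr.min restricted to even addresses.

```python
import struct

# Assumed SH-2A encoding of MOV.L R8,@-R15 (0010nnnnmmmm0110 with n=15, m=8), big-endian.
PROLOGUE = bytes.fromhex("2F86")


def base_address_range(func_addrs, file_size):
    """Open interval (lo, hi) with lo < Base < hi, i.e. Addr.max - fileSize < Base < Addr.min."""
    return max(func_addrs) - file_size, min(func_addrs)


def count_prologues(fw, base, func_addrs):
    """How many function absolute addresses land on a prologue when the image is loaded at base."""
    hits = 0
    for addr in func_addrs:
        off = addr - base
        if 0 <= off <= len(fw) - len(PROLOGUE) and fw[off:off + len(PROLOGUE)] == PROLOGUE:
            hits += 1
    return hits


def find_base_address(fw, func_addrs):
    """Try every even address in the range and keep the one with the most prologue hits."""
    lo, hi = base_address_range(func_addrs, len(fw))
    best, best_hits = None, -1
    for base in range(lo + 1, hi):
        if base % 2:          # SH-2A instructions are 2-byte aligned, so the base is a multiple of 2
            continue
        hits = count_prologues(fw, base, func_addrs)
        if hits > best_hits:
            best, best_hits = base, hits
    return best, best_hits


# Constructed 256-byte image (not from the patent): three functions whose prologues sit at
# offsets 0x10, 0x40 and 0x80, plus a filler instruction. Its true load address is 0x3C000000.
FIRMWARE = bytearray(0x100)
for _off in (0x10, 0x40, 0x80):
    FIRMWARE[_off:_off + 2] = PROLOGUE
FIRMWARE[0x20:0x22] = bytes.fromhex("E001")   # filler (MOV #1,R0), not a prologue
FIRMWARE = bytes(FIRMWARE)

# Constructed set Addr[] as it would be collected from the case statement blocks.
FUNC_ADDRS = [0x3C000010, 0x3C000040, 0x3C000080]

if __name__ == "__main__":
    lo, hi = base_address_range(FUNC_ADDRS, len(FIRMWARE))
    base, hits = find_base_address(FIRMWARE, FUNC_ADDRS)
    print(f"range: {lo:#x} < Base < {hi:#x}")
    print(f"base address {base:#x} with {hits} prologue hits")
```

With the constructed data the range contains 144 addresses; only the true base maps all three entries of Addr[] onto a prologue, every other even candidate matches at most one, which is the false-positive margin the page attributes to using call targets rather than raw prologue matching.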
S102, the candidate CAN standard frame positioning module:
The candidate CAN standard frame positioning module searches for initialized standard frame data structures present in the firmware. According to the official documents on SH2A series MCUs provided by Renesas, the data storage structure of the CAN standard frame in firmware is:
typedef struct {
    uint32_t id;
    uint8_t dlc;
    uint8_t data[8];
} can_frame_t;
and the signature of the transmit API function is:
uint32_t R_CAN_TxSet(const uint32_t ch_nr, const uint32_t mb_mode, const uint32_t mbox_nr, const can_frame_t* frame_p, const uint32_t frame_type);
where frame_p in the parameter list is a pointer to the standard frame structure.
Thus, by characterizing the CAN standard frame data structure and searching the firmware according to the definition of the CAN standard frame format in ISO 11898, the following features are derived:
Rule 1: a standard frame has length 4 (ID) + 1 (DLC) + 8 (DATA) = 13 bytes.
Rule 2: the ID field of a standard frame is less than 0x7FF and cannot be all zero.
Rule 3: for the DLC and DATA fields of a standard frame, DLC cannot be larger than 8 and the last (8 - DLC) bytes of the DATA field must be 0.
According to these features, a set of candidate CAN standard frames and a set of candidate CAN IDs are obtained by searching the whole firmware. The results for this example are:
673 candidate CAN standard frames and 96 candidate CAN IDs.
The result obtained by feature search necessarily contains false positives, so it is necessary to determine which candidate CAN standard frames are correct standard frames and which candidate CAN IDs are correct CAN IDs. Since the address of a standard frame in the firmware, wherever it is located, is referenced as a parameter by the transmitting CAN-API function, the correctness of a candidate CAN standard frame can be determined by its being referenced by the transmitting CAN-API function or by other CAN-API functions.
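As an added example, not the patent's own script, Rules 1 to 3 can be applied to a firmware image as follows. The byte order of the id field is assumed big-endian, the upper bound on the ID follows Rule 2 exactly as the page states it, and the image, containing two genuine initialized frames and three decoys that each break one rule, is constructed for illustration.

```python
import struct

FRAME_SIZE = 13          # Rule 1: 4 (ID) + 1 (DLC) + 8 (DATA)
STD_ID_LIMIT = 0x7FF     # Rule 2 upper bound as the page states it (strictly less than 0x7FF)


def parse_frame(chunk):
    """Decode a 13-byte chunk as can_frame_t; the id is read big-endian (assumed for SH2A images)."""
    can_id = struct.unpack(">I", chunk[:4])[0]
    dlc = chunk[4]
    data = bytes(chunk[5:13])
    return can_id, dlc, data


def is_candidate_frame(chunk):
    """Apply Rules 1-3 to one 13-byte window."""
    if len(chunk) != FRAME_SIZE:
        return False
    can_id, dlc, data = parse_frame(chunk)
    if not 0 < can_id < STD_ID_LIMIT:            # Rule 2: non-zero and below the limit
        return False
    if dlc > 8:                                   # Rule 3: DLC at most 8 ...
        return False
    return all(b == 0 for b in data[dlc:])        # ... and the unused (8 - DLC) bytes are zero


def scan_candidate_frames(fw, base):
    """Slide a 13-byte window over the image one byte at a time and collect matching structures."""
    frames = []
    for off in range(len(fw) - FRAME_SIZE + 1):
        chunk = fw[off:off + FRAME_SIZE]
        if is_candidate_frame(chunk):
            can_id, dlc, data = parse_frame(chunk)
            frames.append({"addr": base + off, "id": can_id, "dlc": dlc, "data": data[:dlc]})
    return frames


def candidate_can_ids(frames):
    """The candidate CAN ID set: distinct IDs over all candidate frames."""
    return sorted({f["id"] for f in frames})


# Constructed image (not from the patent) loaded at a constructed base address 0x3C000000.
BASE = 0x3C000000
_fw = bytearray(0x100)
_fw[0x10:0x1D] = bytes.fromhex("00000123" "08" "0102030405060708")   # id 0x123, dlc 8: valid
_fw[0x30:0x3D] = bytes.fromhex("00000012" "00" "0000000000000000")   # id 0x12, dlc 0: valid
_fw[0x50:0x5D] = bytes.fromhex("00000800" "01" "0100000000000000")   # id 0x800: breaks Rule 2
_fw[0x70:0x7D] = bytes.fromhex("00000100" "09" "0000000000000000")   # dlc 9: breaks Rule 3
_fw[0x90:0x9D] = bytes.fromhex("00000200" "02" "0102000300000000")   # non-zero past DLC: breaks Rule 3
FIRMWARE = bytes(_fw)

if __name__ == "__main__":
    found = scan_candidate_frames(FIRMWARE, BASE)
    for f in found:
        print(f"{f['addr']:#010x}: id={f['id']:#05x} dlc={f['dlc']} data={f['data'].hex()}")
    print(f"{len(found)} candidate frames, {len(candidate_can_ids(found))} candidate CAN IDs")
```

Because the window advances one byte at a time, a zero-padded region ending in a small non-zero byte can itself satisfy all three rules; that is the source of the false positives the page describes, and it is why the sets from this step are only candidates until step S103 confirms a reference from the transmit function.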
S103, the CAN-API function positioning module:
The CAN-API function positioning module locates the function that transmits a CAN standard frame; this embodiment takes the SH2A series or RX series CAN-API function R_CAN_TxSet as the example.
According to the function signature above, the parameter list contains mbox_nr (the mailbox number) and frame_p (the CAN standard frame pointer), so the transfer logic (data transfer instructions) contained in the function can be located from two aspects. On the one hand, because the pointer to the CAN standard frame is passed as a parameter, there is a data transfer instruction that transfers the address of the standard frame; on the other hand, because the API function transfers the standard frame to the corresponding MailBox as a buffer, there is a data transfer instruction that sets a pointer to that MailBox.
Fig. 3 is a schematic diagram of the positioning module for the API function transmitting the CAN standard frame provided in this embodiment; the address of the API function is determined by taking the intersection of the sets of transfer instruction addresses located from the two aspects, as described in detail below.
For the first aspect, there is a pointer to the CAN standard frame address in the parameter list of the API function, and therefore an instruction in the API function that transfers the address of the standard frame. For the SH2A instruction set architecture, the corresponding instruction is the MOV structure data transfer instruction in the format MOV.B Rm, @(disp12, Rn); the target structure address is fetched through a 12-bit offset, and since the offset is 12 bits, the target address to be fetched must lie within 4 KB above or below the MOV instruction.
Taking the candidate standard frame [00000012 00 0000000000000000] obtained in step S102 as an example, its absolute address is found to be #3C050000. This absolute address is looked up in the whole firmware; if it exists in the firmware and a MOV instruction transferring it is found within 4 KB above or below it, that MOV instruction sets a pointer to the absolute address of the candidate CAN standard frame, and therefore the function block containing the MOV instruction is the R_CAN_TxSet function transmitting the CAN standard frame.
Searching the absolute addresses of all candidate CAN standard frames in this way yields a set of MOV transfer instructions, from which a set candidateR_CAN_TxSet1[] of candidate R_CAN_TxSet functions is determined.
On the other hand, since the R_CAN_TxSet function not only receives a pointer to a CAN standard frame address as a parameter but also transfers the standard frame to the corresponding MailBox, a data transfer instruction that sets a pointer to the MailBox exists among the function's internal instructions.
For SH2A series MCUs, the CAN module address lies in the high segment of the memory address space, i.e. FFFE0000-FFFE0500, so the instruction set for this series usually transfers this high address with a 20-bit immediate transfer instruction, i.e. MOVI20 #imm20, R0 or MOVI20S #imm20, R0. This instruction transfers the low 20 bits of the CAN module address, and the 32-bit address is obtained by sign extension, so a function containing such an immediate transfer instruction is a candidate R_CAN_TxSet function.
Since an absolute address is set as the base address through the immediate transfer instruction and the addresses of the other mailboxes are obtained from that base address plus an offset, the low 20 bits of the addresses of the whole CAN module are taken as the target, the corresponding immediate transfer instructions are searched for in the whole firmware, and a set candidateR_CAN_TxSet2[] of candidate R_CAN_TxSet functions is obtained.
For this embodiment, the distance between the immediate transfer instruction that sets the MailBox address and the structure transfer instruction that transfers the standard frame structure within the same function (i.e. the memory size of one function) is set to 64 KB on the basis of repeated experiments. Taking the intersection of the two sets of candidate R_CAN_TxSet functions within this range yields the address of the target R_CAN_TxSet function.
S104, a CAN ID determining module:
The CAN ID determining module takes the CAN standard frame transmit API function obtained by the CAN-API function positioning module and checks whether that API function references a candidate CAN standard frame obtained by the S102 module. A referenced candidate standard frame is a correct CAN standard frame, and its CAN ID is a correct CAN ID. In addition, the API function is analyzed with the disassembly tool IDA Pro, so that CAN standard frame data configured through other transmission logic can also be obtained and the accuracy of the obtained CAN IDs can be verified.
By locating the CAN standard frames and the API function in this way and writing an automated script for the procedure, the CAN IDs present in the firmware can be obtained efficiently.
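The S103 function-location steps (a frame address stored as a literal with a MOV nearby, 20-bit immediate loads of a CAN module address, intersection of the two within one function) and the S104 reference check can be scripted directly over the firmware bytes. The following Python is an added example written for this page, not the patent's own script: the firmware image, its base address 0x3C000000 and the decoy candidate frame are constructed (the first candidate frame and its address #3C050000 are the description's example), the MOVI20/MOVI20S and MOV.L @(disp,PC) encodings are taken from the Renesas SH-2A software manual as an assumption, and the ID-field layout used to read the CAN ID is a placeholder assumption, since the vendor's frame storage structure is not reproduced on this page.

```python
"""Steps S103/S104 scripted over raw firmware bytes: locate the CAN transmit API
(R_CAN_TxSet) and confirm the candidate standard frames it references.
Constructed example: image, base address and decoy frame are synthetic;
MOVI20/MOVI20S and MOV.L @(disp,PC) encodings are assumed from the SH-2A manual."""
import struct

BASE = 0x3C000000                       # assumed firmware load base (S101 output)
CAN_MODULE = (0xFFFE0000, 0xFFFE0500)   # SH2A CAN module register range (description)
LITERAL_WINDOW = 4 * 1024               # MOV must lie within 4KB of the stored address
FUNC_WINDOW = 64 * 1024                 # assumed memory size of one function


def movi20_value(fw, off):
    """Decode MOVI20 (0000nnnniiii0000 iiii...) / MOVI20S (0000nnnniiii0001 iiii...)
    at byte offset off. Returns (Rn, 32-bit value) or None; MOVI20S shifts by 8."""
    if off + 4 > len(fw):
        return None
    w0, w1 = struct.unpack_from(">HH", fw, off)
    if (w0 & 0xF000) or (w0 & 0x000E):  # top nibble 0000, low nibble 0000 or 0001
        return None
    imm20 = (((w0 >> 4) & 0xF) << 16) | w1
    value = (imm20 - (1 << 20) if imm20 & (1 << 19) else imm20) << (8 if w0 & 1 else 0)
    return (w0 >> 8) & 0xF, value & 0xFFFFFFFF


def find_mailbox_loads(fw, base):
    """S103 part 2: addresses of 20-bit immediate loads of a CAN module address."""
    hits = []
    for off in range(0, len(fw) - 3, 2):
        dec = movi20_value(fw, off)
        if dec and CAN_MODULE[0] <= dec[1] < CAN_MODULE[1]:
            hits.append(base + off)
    return hits


def find_frame_pointer_loads(fw, base, frame_addrs):
    """S103 part 1: find each candidate frame address stored as a 32-bit literal,
    then a MOV.L @(disp:8,PC),Rn (1101nnnndddddddd, target = (PC & ~3) + 4 + disp*4)
    within LITERAL_WINDOW that loads it. Returns {frame_addr: [mov_instr_addr]}."""
    result = {}
    for fa in frame_addrs:
        needle, pos = struct.pack(">I", fa), -1
        while (pos := fw.find(needle, pos + 1)) != -1:
            lit_addr = base + pos
            for off in range(max(0, pos - LITERAL_WINDOW) & ~1,
                             min(len(fw) - 1, pos + LITERAL_WINDOW), 2):
                w = struct.unpack_from(">H", fw, off)[0]
                pc = base + off
                if w >> 12 == 0xD and (pc & ~3) + 4 + (w & 0xFF) * 4 == lit_addr:
                    result.setdefault(fa, []).append(pc)
    return result


def locate_tx_set(fw, base, frame_addrs):
    """S103 part 3: a frame-pointer load and a mailbox-address load less than
    FUNC_WINDOW apart are taken to sit in the same function, R_CAN_TxSet.
    Returns {frame_addr: (movi20_addr, mov_addr)} for the frames it references."""
    mailbox = find_mailbox_loads(fw, base)
    located = {}
    for fa, movs in find_frame_pointer_loads(fw, base, frame_addrs).items():
        for mv in movs:
            for mb in mailbox:
                if abs(mv - mb) < FUNC_WINDOW:
                    located[fa] = (mb, mv)
    return located


def confirm_can_ids(fw, base, candidates):
    """S104: a candidate frame referenced by the transmit API is a genuine CAN
    standard frame. ID layout is a placeholder assumption for this example only:
    first 32-bit word = ID field, standard ID in its low 11 bits."""
    located = locate_tx_set(fw, base, list(candidates))
    return {fa: struct.unpack(">I", candidates[fa][:4])[0] & 0x7FF for fa in located}


def build_demo_image():
    """Constructed 512KB big-endian image; not real ECU firmware."""
    fw = bytearray(0x80000)
    cands = {  # S102 output; the first entry is the description's example frame
        0x3C050000: bytes.fromhex("00000012000000000000000000"),
        0x3C051000: bytes.fromhex("000001A0000000000000000000"),  # constructed decoy
    }
    for addr, frame in cands.items():
        fw[addr - BASE:addr - BASE + len(frame)] = frame
    fw[0x1000:0x1004] = bytes.fromhex("00E00000")  # MOVI20 #H'E0000,R0 -> FFFE0000 (mailbox)
    fw[0x1010:0x1012] = bytes.fromhex("D40B")      # MOV.L @(11*4,PC),R4 -> literal at 0x1040
    fw[0x1040:0x1044] = struct.pack(">I", 0x3C050000)
    fw[0x30000:0x30002] = bytes.fromhex("D40F")    # decoy routine: loads decoy frame only
    fw[0x30040:0x30044] = struct.pack(">I", 0x3C051000)
    fw[0x1F000:0x1F004] = bytes.fromhex("00E00000")  # stray mailbox load, no frame nearby
    return bytes(fw), cands


if __name__ == "__main__":
    image, candidates = build_demo_image()
    for frame, (mb, mv) in locate_tx_set(image, BASE, list(candidates)).items():
        print(f"R_CAN_TxSet near {mb:#010x}; references frame at {frame:#010x}")
    print({hex(k): hex(v) for k, v in confirm_can_ids(image, BASE, candidates).items()})
```

The decoy frame is loaded by a routine with no mailbox access, and the stray MOVI20 has no frame load within 64KB, so both drop out at the intersection step; only the frame the transmit routine actually references survives. The returned instruction addresses are the starting point for inspecting the function in IDA Pro, as the description notes, since byte scanning alone does not recover the function's exact entry point.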
The firmware used in the invention was read directly from the MCU chip pins of the TBOX used in a Mercedes-Benz A-Class vehicle via an FT232H JTAG-to-USB interface converter. There are many other ways to obtain firmware, such as reading an engine ECU directly with a KTAG programmer, obtaining the firmware through the OBD interface using high-level diagnostic commands, or disassembling the ECU and reading it through the JTAG interface on the PCB. Although firmware obtained by different methods may have different structures, the method of the present invention is applicable to any firmware meeting the above requirements.
The invention is general: it is suitable for all platforms that support the CAN standard frame defined in ISO11898 and that have a similar storage data structure and a MailBox-like data buffering mechanism. In particular, the invention is specifically applicable to Renesas SH2A and RX series MCUs, whose use in automotive ECUs is mainly in infotainment modules.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (6)

1. A CAN ID reversing and determination method for a vehicle electronic control unit, characterized in that an analysis system composed of a firmware base address determining module, a candidate CAN standard frame positioning module, a CAN-API function positioning module and a CAN ID determining module is used to determine the base address, in the MCU address space, of firmware extracted from a vehicle ECU; the determined base address is used to disassemble the firmware; using the definition of the CAN standard frame format in the ISO11898 protocol and the MCU vendor's definition of the CAN standard frame data storage structure, candidate CAN standard frames matching these characteristics are searched for in the firmware; the CAN-API function is located from the transfer instructions that realise the transmission purpose of the CAN-API function in the firmware; the correct CAN standard frames are obtained from the candidate CAN standard frames actually referenced by the CAN-API function, and the CAN ID is determined from them; the firmware base address determining module determines the base address of the firmware and outputs the firmware disassembled with the correct base address to the candidate CAN standard frame positioning module; the candidate CAN standard frame positioning module searches the firmware according to the characteristics of the CAN standard frame to obtain a set of candidate CAN standard frames and outputs that set to the CAN-API function positioning module; the CAN-API function positioning module locates the CAN-API function according to the transfer instructions within it and outputs the CAN-API function to the CAN ID determining module; and the CAN ID determining module determines the candidate CAN standard frame referenced by the CAN-API function as a correct CAN standard frame and determines the CAN ID of that candidate CAN standard frame.
2. The CAN ID reversing and determination method for a vehicle electronic control unit according to claim 1, wherein the firmware base address determining module operates on the firmware of the vehicle electronic control unit, and the firmware is obtained through the OBD interface using a high-level diagnostic protocol, read through the JTAG debugging interface inside the electronic control unit using a JTAG-to-USB interface converter, or read directly with a programmer for FLASH chips of known model and common FLASH chips on the PCB.
3. The CAN ID reversing and determination method for a vehicle electronic control unit according to claim 1, wherein the firmware base address determining module locates switch-case statements in the firmware, obtains the absolute addresses of the functions called in the case statement blocks, and determines the correct base address by iterating over the range of possible base addresses.
4. The method according to claim 1, wherein the candidate CAN standard frame positioning module screens the firmware byte by byte, defines each data structure conforming to the characteristics as a candidate CAN standard frame, and obtains the set of candidate CAN standard frames.
5. The CAN ID reversing and determination method for a vehicle electronic control unit according to claim 1, wherein the CAN-API function positioning module locates the CAN-API function by screening, according to the pointer to the CAN standard frame in the CAN-API function's parameter list and the purpose of configuring the mailbox in the CAN module, the transfer instructions of the MCU instruction set that meet these conditions, namely the 20-bit immediate data transfer instruction and the structure data transfer instruction.
6. The CAN ID reversing and determination method for a vehicle electronic control unit according to claim 1, wherein the CAN ID determining module checks that the CAN-API function references a candidate CAN standard frame, that is, that the address of the candidate CAN standard frame is used as an operand of a structure transfer instruction in the CAN-API function; a correct CAN standard frame is thereby obtained, and the CAN ID is obtained from the ID field of the CAN standard frame.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210414438.9A CN115022414B (en) 2022-04-20 2022-04-20 CAN ID reverse and determining method for vehicle electronic control unit

Publications (2)

Publication Number Publication Date
CN115022414A true CN115022414A (en) 2022-09-06
CN115022414B CN115022414B (en) 2023-08-22

Family

ID=83067056

Country Status (1)

Country Link
CN (1) CN115022414B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116880858A (en) * 2023-09-06 2023-10-13 北京华云安信息技术有限公司 Method, device, equipment and storage medium for acquiring actual base address of firmware

Also Published As

Publication number Publication date
CN115022414B (en) 2023-08-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant