Aggregator

A vulnerability classified as critical has been found in Apple iOS up to 7.1. This affects an unknown part of the component WebKit. The manipulation leads to memory corruption. This vulnerability is uniquely identified as CVE-2014-1311. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in WebKit. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to memory corruption. This vulnerability is known as CVE-2014-1309. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Apple iOS up to 7.1. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component WebKit. The manipulation leads to memory corruption. This vulnerability is known as CVE-2014-1309. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

每个工作日早晨 8:30，非营利组织 Unlocked Labs 的首席工程师 Preston Thorp 会泡一杯速溶咖啡，打开笔记本电脑，他有一个七人团队，他们的工作是编程。Thorp 会在中午做做运动，经常在电脑前一直干到很晚。与普通 IT 工程师不同的是，他的窗外围着铁丝网，狱警会定期检查他的房间。他因为毒品相关的罪名被判 12 年，在缅因州监狱服刑。新冠疫情推动了远程工作的普及，而最出人意料的可能是监狱允许囚犯远程工作。推动监狱远程办公的组织 Alliance for Higher Education in Prison 表示，美国有多个州的监狱系统允许远程工作，其中以缅因州为最。从事传统工作的囚犯每个月只有数百美元的收入，但从事远程办公的囚犯拿的是 IT 市场的公平薪水，他们的收入可能比看守他们的狱警还高。这些收入能用于支付受害者赔偿费和法律费用、子女抚养费，留作社会保障和退休基金。他们十分之一的薪水需要上交给州政府，用作食宿费用。

Задержаны десятки исполнителей поджогов банков по всей стране.

什么？原来ssrf挖掘这么简单？

A ransomware attack on Pittsburgh Regional Transit (PRT) was the root cause of the agency’s service disruptions. On December 23, 2024, Pittsburgh Regional Transit (PRT) announced it was actively responding to a ransomware attack that was first detected on Thursday, December 19. Pittsburgh Regional Transit (PRT) is the public transportation agency that serves the Pittsburgh […]

A vulnerability, which was classified as critical, has been found in 1000 Projects Portfolio Management System MCA 1.0. Affected by this issue is some unknown functionality of the file /update_pd_process.php. The manipulation of the argument profile leads to unrestricted upload. This vulnerability is handled as CVE-2024-12953. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability, which was classified as critical, was found in 1000 Projects Portfolio Management System MCA 1.0. This affects an unknown part of the file /update_ach.php. The manipulation of the argument ach_certy leads to unrestricted upload. This vulnerability is uniquely identified as CVE-2024-12954. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

A vulnerability was found in WebKit. It has been classified as critical. Affected is an unknown function. The manipulation leads to memory corruption. This vulnerability is traded as CVE-2014-1308. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Apple iOS up to 7.1. It has been classified as critical. Affected is an unknown function of the component WebKit. The manipulation leads to memory corruption. This vulnerability is traded as CVE-2014-1308. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in WebKit and classified as critical. This issue affects some unknown processing. The manipulation leads to memory corruption. The identification of this vulnerability is CVE-2014-1307. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Apple iOS up to 7.1 and classified as critical. This issue affects some unknown processing of the component WebKit. The manipulation leads to memory corruption. The identification of this vulnerability is CVE-2014-1307. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Apple Safari up to 7.0.3. Affected is an unknown function of the component WebKit. The manipulation leads to improper input validation. This vulnerability is traded as CVE-2014-1346. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical has been found in Apple Safari up to 7.0.3. This affects an unknown part of the component WebKit. The manipulation leads to memory corruption. This vulnerability is uniquely identified as CVE-2014-1343. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical was found in Mozilla Firefox and Thunderbird. Affected by this vulnerability is an unknown functionality of the component resource:/ Handler. The manipulation leads to improper access controls. This vulnerability is known as CVE-2015-0816. The attack can be launched remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

前言

2021年在360搭了一套ID.4台架环境，本来快要出成果了（拿到了ODIS内网权限，还有ICAS3的root），被安排出差去搭建展示车，后续工作计划被打乱。这期间不管是工作还是生活都遇到了许多糟心事，便停止了研究。

算是一个怨念项目吧，今年5月我在机缘巧合下又研究了ID.4的ICAS1的车控逻辑，还有一个怨念项目是CAN-Pick NG，写了一半又搁置了，不知道2025可不可以完成。

ID.4 是大众MEB平台，EE架构总共有两个域控制器，ICAS1, ICAS3。其中ICAS1(J533)与车身控制有关。 下图是J533的位置，位于序号13。将线控模块装载到此处，可以实现车身监测和控制。

车内ECU拓扑

Classic CAN： 500k

CAN-FD：仲裁域500k, 数据域2M。若要分析CAN-FD，ZLG设备最合适。

通过分析 ELSA电路图 和 大众内部培训资料，发现总线命名混乱，必须重新整理才能得到正确的CAN拓扑图。

J533总共有9路CAN，4路LIN（暂不需要），关键ECU如下。

• Running-Gear CAN (CAN-FD)
  • J104 - ABS
  • J500 - EPS，转向助力控制单元
  • NX6 - 制动控制器 (Brake Booster)
• Powertrain CAN (CAN-FD)
  • J623 - 电机控制模块 Engine/Motor Control Module
  • J841/J944 - 电驱单元
  • J234 - 气囊 （不能在这里Fuzzing，危险）
• Driver Assistance CAN，CAN-FAS (CAN-FD)
  • J428 - 车距调节控制单元
  • J446 - 泊车雷达控制单元
  • J769/J770 - 行驶换道辅助系统控制单元
  • J928 - 全景摄像头控制单元
• Convenience CAN (Classic)
  • J527 - 电控换档模块 (Steering Column Electronics Control Module)
  • J605 - 行李箱盖控制单元
  • J764 - 转向柱锁
  • …其他车身控制
• CAN-EV (CAN-FD)
  • J979 - 加热与空调控制模块 (Heater and Air Conditioning Control Module)

J533连接器T40a定义

T40a 连接器和表格对应如下。

总线安全策略 网关隔离

多功能方向盘控制信号，由Convenience CAN接收，但是底盘CAN的ECU也能收到。底盘CAN发出的多功能方向盘控制信号，不会被J533转发到目标ECU。

CRC 校验

分析CAN总线变化，可以看到大部份报文的变化规律，第一字节随机，第二字节有规律递增。第一字节是CRC，第二字节是计数器。

CRC 初始值

参考OpenDBC github /opendbc/can/common.cc volkswagen_mqb_checksum

可以获取VM MQB平台的 Checksum 初始值，但是ID.4有很多新的CRC初始值，我通过逆向分析并记录在下面了。

大部份控制信号有CRC和计数器，ECU不会校验某些不重要功能的CRC，比如天窗，车窗，鸣笛。但是会校验转向助力，行李箱盖开启，雨刮等影响驾驶的功能。

Signal CAN ID CRC Seed AAA_01 0x12DD5502 0x62,0x14,0x7c,0xa1,0x49,0x95,0x43,0x04,0x78,0x46,0x74,0x19,0x39,0x17,0x9f,0x1c ACC_18 0x14D 0x1a,0x65,0x81,0x96,0xc0,0xdf,0x11,0x92,0xd3,0x61,0xc6,0x95,0x8c,0x29,0x21,0xb5 Airbag_01 0x040 0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40 Airbag_02 0x520 0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44 APS_Master 0x380 0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13 AWV_03 0x0DB 0x09,0xfa,0xca,0x8e,0x62,0xd5,0xd1,0xf0,0x31,0xa0,0xaf,0xda,0x4d,0x1a,0x0a,0x97 BEM_06 0x48B 0x54,0xaf,0x8a,0xfb,0x0d,0x87,0x6a,0x0f,0x47,0x78,0x31,0x4f,0x35,0x28,0x82,0x6d Blinkmodi_02 0x366 0xa9,0xbd,0xfb,0x3c,0x95,0x0f,0x75,0x3a,0x4f,0x19,0x59,0x6d,0xb2,0xe9,0xd1,0x97 EA_01 0x1A4 0x69,0xbb,0x54,0xe6,0x4e,0x46,0x8d,0x7b,0xea,0x87,0xe9,0xb3,0x63,0xce,0xf8,0xbf EA_02 0x1F0 0x2f,0x3c,0x22,0x60,0x18,0xeb,0x63,0x76,0xc5,0x91,0x0f,0x27,0x34,0x04,0x7f,0x02 ELV_01 0x656 0xab,0x2f,0xd3,0x39,0x6f,0x37,0xfa,0x59,0xa4,0x70,0xce,0x11,0x54,0x82,0x62,0x56 EM1_01 0x0C0 0x2f,0x44,0x72,0xd3,0x07,0xf2,0x39,0x09,0x8d,0x6f,0x57,0x20,0x37,0xf9,0x9b,0xfa EML_02 0x1A555541 0x3e,0xb4,0x25,0xc1,0x31,0x1f,0xf1,0xd7,0xb1,0xbe,0xcc,0xe0,0x0f,0x46,0x51,0xb2 EML_06 0x20A 0x9d,0xe8,0x36,0xa1,0xca,0x3b,0x1d,0x33,0xe0,0xd5,0xbb,0x5f,0xae,0x3c,0x31,0x9f ESC_50 0x102 0xd7,0x12,0x85,0x7e,0x0b,0x34,0xfa,0x16,0x7a,0x25,0x2d,0x8f,0x04,0x8e,0x5d,0x35 ESC_51 0x0FC 0x77,0x5c,0xa0,0x89,0x4b,0x7c,0xbb,0xd6,0x1f,0x6c,0x4f,0xf6,0x20,0x2b,0x43,0xdd ESP_10 0x116 0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac ESP_20 0x65D 0xac,0xb3,0xab,0xeb,0x7a,0xe1,0x3b,0xf7,0x73,0xba,0x7c,0x9e,0x06,0x5f,0x02,0xd9 ESP_21 0x0FD 0xb4,0xef,0xf8,0x49,0x1e,0xe5,0xc2,0xc0,0x97,0x19,0x3c,0xc9,0xf1,0x98,0xd6,0x61 ESP_24 0x31B 0x67,0x8a,0xae,0x22,0x4d,0xd0,0x51,0x80,0x5c,0xb9,0xce,0x1e,0xdf,0x02,0x2d,0xd4 Getriebe_11 0x0AD 0x3f,0x69,0x39,0xdc,0x94,0xf9,0x14,0x64,0xd8,0x6a,0x34,0xce,0xa2,0x55,0xb5,0x2c GRA_ACC_01 0x12B 0x6a,0x38,0xb4,0x27,0x22,0xef,0xe1,0xbb,0xf8,0x80,0x84,0x49,0xc7,0x9e,0x1e,0x2b HCA_01 0x126 0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda HVL_01 0x12DD553D 0x1d,0x82,0x7b,0x79,0xa5,0xee,0x3a,0xb9,0xb7,0xf9,0xe4,0x67,0x7f,0x97,0x11,0xad IPA_01 0x138 0x77,0x4e,0x14,0x87,0xf2,0xf8,0xb2,0x61,0xf6,0xa4,0x52,0x94,0xd4,0x81,0x2a,0xb1 IPA_02 0x16A9545F 0xc6,0x7f,0x85,0xb6,0xe6,0xae,0xf8,0x26,0xb0,0x8c,0x19,0x10,0x5b,0x33,0x64,0x6c Klemmen_Status_01 0x3C0 0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3 LH_EPS_02 0x11D 0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c LH_EPS_03 0x09F 0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5 Licht_Anf_01 0x3D5 0xc5,0x39,0xc7,0xf9,0x92,0xd8,0x24,0xce,0xf1,0xb5,0x7a,0xc4,0xbc,0x60,0xe3,0xd1 LWI_01 0x086 0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86 Motor_14 0x3BE 0x1f,0x28,0xc6,0x85,0xe6,0xf8,0xb0,0x19,0x5b,0x64,0x35,0x21,0xe4,0xf7,0x9c,0x24 Motor_51 0x10B 0x77,0x5c,0xa0,0x89,0x4b,0x7c,0xbb,0xd6,0x1f,0x6c,0x4f,0xf6,0x20,0x2b,0x43,0xdd Motor_54 0x14C 0x16,0x35,0x59,0x15,0x9a,0x2a,0x97,0xb8,0x0e,0x4e,0x30,0xcc,0xb3,0x07,0x01,0xad Motor_Code_01 0x641 0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47 Parken_01 0x206 0x09,0xfa,0xca,0x8e,0x62,0xd5,0xd1,0xf0,0x31,0xa0,0xaf,0xda,0x4d,0x1a,0x0a,0x97 PLA_04 0x407 0xef,0x60,0x04,0xa8,0x0c,0x1c,0xda,0x07,0x36,0xd7,0x28,0x92,0xa9,0x88,0x2c,0x4a QFK_01 0x13D 0x20,0xca,0x68,0xd5,0x1b,0x31,0xe2,0xda,0x08,0x0a,0xd4,0xde,0x9c,0xe4,0x35,0x5b RCTA_01 0x2B7 0x5e,0xc7,0x04,0x11,0x4d,0x27,0x0d,0x31,0x91,0xb8,0x62,0x76,0x64,0x09,0xeb,0xec SAL_01 0x12DD54C9 0xde,0xa9,0x83,0x0b,0x0c,0x64,0x79,0x44,0x0f,0xf6,0xc6,0xc7,0x05,0x45,0xb7,0x59 SAM_01 0x205 0x19,0x36,0xd4,0x1e,0x80,0x22,0xf4,0xb8,0xad,0x41,0x0b,0x3f,0x87,0x42,0x25,0x40 SMLS_01 0x3D4 0xc3,0x79,0xbf,0xdb,0xe9,0x11,0x46,0x86,0x69,0xb6,0x9b,0x29,0x15,0x9c,0x45,0x0d TA_01 0x26B 0xce,0xcc,0xbd,0x69,0xa1,0x3c,0x18,0x76,0x0f,0x04,0xf2,0x3a,0x93,0x24,0x19,0x51 TSG_FT_02 0x3E5 0xc4,0x6a,0x69,0x30,0xcf,0x61,0x58,0x51,0x1b,0x86,0x99,0xd3,0xf6,0x1d,0x9a,0x37 VMM_01 0x105 0xde,0x0e,0xa7,0x1d,0xc3,0x83,0xbd,0x82,0x8c,0xa2,0x0c,0x7b,0x4d,0x3c,0x58,0x79 VMM_02 0x139 0xed,0x03,0x1c,0x13,0xc6,0x23,0x78,0x7a,0x8b,0x40,0x14,0x51,0xbf,0x68,0x32,0xba CRC 算法 MEB_Kennungsfolge = { # LWI_01 Steering Angle 0x86: [0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86], # LH_EPS_03 Electric Power Steering 0x9F: [0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5], # HCA_01 Heading Control Assist 0x126: [0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA], # GRA_ACC_01 Steering wheel controls for ACC 0x12B: [0x6A, 0x38, 0xB4, 0x27, 0x22, 0xEF, 0xE1, 0xBB, 0xF8, 0x80, 0x84, 0x49, 0xC7, 0x9E, 0x1E, 0x2B] } def gen_crc_lookup_table_8(poly): crc_lut = [0] * 256 for i in range(256): crc = i for j in range(8): if crc & 0x80: crc = (crc << 1) ^ poly else: crc <<= 1 crc_lut[i] = crc & 0xFF return crc_lut def volkswagen_mqb_checksum(address, data): global crc8_lut_8h2f crc = 0xFF # CRC8 8H2F/AUTOSAR for i in range(1, len(data)): crc = crc ^ data[i] # print(hex(crc), hex(i)) crc = crc8_lut_8h2f[crc] counter = data[1] & 0x0F if address in MEB_Kennungsfolge: crc ^= MEB_Kennungsfolge[address][counter] else: # 无需校验 crc ^= [0x00] * 16 # 默认情况下，返回全 0 crc = crc8_lut_8h2f[crc] # 标准 CRC8 8H2F/AUTOSAR 最后一个 XOR return crc ^ 0xFF can_id = 0x126 data = bytearray(bytes(8)) crc8_lut_8h2f = gen_crc_lookup_table_8(0x2f) crc = volkswagen_mqb_checksum(can_id, data) data[0] = crc CAN 信号

• Convenience CAN有以下信号通信，可用于状态读取，车身功能基本上可以通过此路CAN进行控制。包括空调，前后大灯，鸣笛，雨刮，车窗，车锁，车辆状态等信息。

0x12B GRA_ACC_01 自适应巡航，GRA系统，ACC， 0x1F0 EA_02 应急辅助 0x205 SAM_01 开关和执行模块 0x2B7 RCTA_01 Rear Cross Traffic Alert，后方交通警示 0x31B ESP_24 0x366 Blinkmodi_02 闪烁模式 0x397 LDW_02 车道偏离警示系统 0x3BE Motor_14 电机控制 0x3C0 Klemmen_Status_01 端子状态 0x3CE TSG_HFS_01 后座门窗功能系统 0x3CF TSG_HBFS_01 后门窗户功能系统 0x3D0 TSG_FT_01 前门功能系统 0x3D4 SMLS_01 转向柱开关模块 0x3D5 Licht_Anf_01 灯光要求 0x3D6 Licht_hinten_01 后部灯光状态 0x3DC Gateway_73 这些信息涉及车辆的各种信号和状态，包括系统提示、安全提示、故障诊断、信号更新和旧信号的替换 0x48B BEM_06 低电压能源管理 0x520 Airbag_02 气囊2 0x551 WFS_01 车钥匙防盗 0x582 HDSG_01 后备箱管理状态 0x583 ZV_02 中央门锁系统 0x585 Systeminfo_01 诊断和生产模式设置 0x592 Kessy_04 智能钥匙系统（Kessy）以及远程停车功能的状态和控制 0x5A0 RLS_01 光传感器和雨量传感器 0x5A7 TM_01 Telematics 0x5F0 Dimmung_01 调光 0x5F4 Innenlicht_11 车内灯光 0x641 Motor_Code_01 电机设码 0x643 Einheiten_01 单位设置 0x656 ELV_01 电子转向柱锁 0x658 Licht_vorne_01 前灯状态 0x65D ESP_20 0x668 Klima_12 空调系统 0x670 Motor_18 0x6AE Spiegel_01 后视镜 0x6AF Rear_View_01 后视摄像头 0x6B2 Diagnose_01 0x6B4 VIN_01 0x12DD54C9 SAL_01 照明模块 其他信号

DBC已经分析出来了，暂时不公开。

0x184 1. 锁车 1. 第二字节 后视镜开 0x20 开 2. 第三字节 后视镜关 0x40 关 2. 车窗 1. 第六字节 车窗 04 左前下，02 左前上，40 左后下，08右前上，10右前下 2. 第七字节，01右后下 0x185 1. 车窗控制，10 20 up 40 80 down 1. 第一字节 前排 2. 第二字节 后排 0x598 1. 天窗控制 1. 第三字节 0x20 无 0x21 tap 0x22 滑动 0x25 长按 2. 第七字节：04 关一下，08 一直关，0C 开一下，10 一直开， 14，1c其他 控制转向

要求档位在D/B或者R档。以下五个信号可以用于控制方向盘。

• LWI_01 Lenkwinkelsensor
• LH_EPS_03 Lenkhilfe Electric Power Steering
• HCA_01 Heading Control Assist
• GRA_ACC_01 Geschwindigkeitsregelanlage & Adaptive Cruise Control
• PLA_05 Park Lane Assist

提示

• 组合使用0x86, 0x9f, 0x126, 0x12b, 0x302信号，在CAN-FAS发送，可以实现泊车方向盘转向功能。
• 组合使用0x86, 0x9f, 0x302信号，在Gear-Running CAN发送，可以实现方向盘转向。
• 其中0x9f(LH_EPS_03)和0x302(PLA_05)两个信号都可以直接控制方向盘。
• 0x302没有CRC校验，因此控制方向盘比0x9f容易

DEMO def create_pla_control(sendestatus, positive, degree): data = bytearray(bytes(24)) data[1] = 0x40 # PLA_QFK_Spuerb data[2] = 0xFA # PLA_QFK_KruemmSoll data = set_value(data, degree, 32, 15) # PLA_QFK_KruemmSoll_VZ if positive: data = set_value(data, 1, 47, 1) else: data = set_value(data, 0, 47, 1) # PLA_05_Sendestatus if sendestatus: data = set_value(data, 1, 74, 1) else: data = set_value(data, 0, 74, 1) return data hca_01_counter = 0 degree = 0 for i in range(20): # data = create_steering_control(10 * i, 1) # meb_can_send(0x126, 0.1, data) degree += 0x10 data = create_pla_control(1, 1, degree) can_send(0x302, 0.1, data) RPi CAN HAT

控制方向盘Demo，仅让方向盘动起来，真正要实现远控，需要有力学的知识，还要设计控制算法。

import os import can import time can0 = can.interface.Bus(channel = 'can0', bustype = 'socketcan', fd=True, bitrate=500000) # msg = can.Message(is_extended_id=False, arbitration_id=0x123, data=[0, 1, 2, 3, 4, 5, 6, 7]) # can0.send(msg) MEB_Kennungsfolge = { # LWI_01 Steering Angle 0x86: [0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86], # LH_EPS_03 Electric Power Steering 0x9F: [0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5, 0xF5], # HCA_01 Heading Control Assist 0x126: [0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA, 0xDA], # GRA_ACC_01 Steering wheel controls for ACC 0x12B: [0x6A, 0x38, 0xB4, 0x27, 0x22, 0xEF, 0xE1, 0xBB, 0xF8, 0x80, 0x84, 0x49, 0xC7, 0x9E, 0x1E, 0x2B] } def volkswagen_mqb_checksum(address, data): global crc8_lut_8h2f crc = 0xFF # CRC8 8H2F/AUTOSAR for i in range(1, len(data)): crc = crc ^ data[i] # print(hex(crc), hex(i)) crc = crc8_lut_8h2f[crc] counter = data[1] & 0x0F if address in MEB_Kennungsfolge: crc ^= MEB_Kennungsfolge[address][counter] else: print("Attempt to CRC check undefined Volkswagen message 0x%02X" % address) crc ^= [0x00] * 16 # 默认情况下，返回全 0 crc = crc8_lut_8h2f[crc] # 标准 CRC8 8H2F/AUTOSAR 最后一个 XOR return crc ^ 0xFF def gen_crc_lookup_table_8(poly): crc_lut = [0] * 256 for i in range(256): crc = i for j in range(8): if crc & 0x80: crc = (crc << 1) ^ poly else: crc <<= 1 crc_lut[i] = crc & 0xFF return crc_lut def meb_can_send(can_id, interval, data): global hca_01_counter data[1] = data[1] | hca_01_counter crc = volkswagen_mqb_checksum(can_id, data) data[0] = crc hca_01_counter += 1 for j in data: print(hex(j), end=", ") time.sleep(interval) msg = can.Message(is_extended_id=False, arbitration_id=can_id, data=data, is_fd=True) can0.send(msg) def can_send(can_id, interval, data): time.sleep(interval) msg = can.Message(is_extended_id=False, arbitration_id=can_id, data=data, is_fd=True) can0.send(msg) crc8_lut_8h2f = gen_crc_lookup_table_8(0x2f) def set_value(data, value, start_pos, value_length): end_pos = start_pos + value_length for bit_index in range(start_pos, end_pos): byte_index = bit_index // 8 bit_offset = bit_index % 8 bit_value = (value >> (bit_index - start_pos)) & 1 # print("\n") # print("index", bit_index, start_pos, end_pos, "byte_index:", byte_index, "bit_offset:", bit_offset, "v:", bit_value) if bit_value: data[byte_index] |= 1 << bit_offset else: data[byte_index] &= ~(1 << bit_offset) # for i in data: # print(bin(i), end=",") return data def set_bit(b, bit, bit_index): if bit_index < 0 or bit_index > 7: raise ValueError("bit_index must be between 0 and 7") mask = 1 << bit_index flipped_byte = b ^ mask return flipped_byte def create_steering_control(apply_steer, lkas_enabled): data = bytearray(bytes(8)) if lkas_enabled: # HCA_01_Sendestatus data = set_value(data, 5, 30, 1) # HCA_01_Status_HCA data = set_value(data, 1, 32, 4) else: # HCA_01_Sendestatus data = set_value(data, 3, 30, 1) # HCA_01_Status_HCA data = set_value(data, 0, 32, 4) # HCA_01_LM_Offset print("create_steering_control", apply_steer) data = set_value(data, abs(apply_steer), 16, 9) # HCA_01_LM_OffSign v = 1 if apply_steer < 0 else 0 data = set_value(data, v, 31, 1) # HCA_01_Vib_Freq data = set_value(data, 3, 12, 4) # HCA_01_Vib_Amp data = set_value(data, 10, 36, 4) return data def create_pla_control(sendestatus, positive, degree): data = bytearray(bytes(24)) data[1] = 0x40 # PLA_QFK_Spuerb data[2] = 0xFA # PLA_QFK_KruemmSoll data = set_value(data, degree, 32, 15) # PLA_QFK_KruemmSoll_VZ if positive: data = set_value(data, 1, 47, 1) else: data = set_value(data, 0, 47, 1) # PLA_05_Sendestatus if sendestatus: data = set_value(data, 1, 74, 1) else: data = set_value(data, 0, 74, 1) return data hca_01_counter = 0 degree = 0 for i in range(20): # data = create_steering_control(10 * i, 1) # meb_can_send(0x126, 0.1, data) degree += 0x10 data = create_pla_control(1, 1, degree) can_send(0x302, 0.1, data) 注意事项

1. 离开车辆之前，确保CAN总线处于接通状态，否则会大量耗电。
2. 不要对Powertrain 和Running Gear CAN 进行 Fuzzing，可能直接会导致人身伤害，另外，也可能导致ECU异常，产生潜在隐患。比如转向灯失效，后视镜无法打开。