<- HARDWARE

Unique

1 minute to read

We are told that a vehicle is sending the VIN (Vehicle Identificacion Number) and they saved the signal capture in a file (trace_captured.sal). We need to find the VIN.

Initial reconnaissance

We can open trace_captured.sal with Saleae Logic2:

Unique 1

At first, we can select “Async Serial” and test some bitrates:

Unique 2

As we can see, the dots don’t fit with the signal pulses. We can do some calculation to see what is the correct bitrate:

Unique 3

It looks like $7.64\; \mu\mathrm{s}$ is the bit period, so the bitrate will be $(7.64\; \mu\mathrm{s})^{-1} \approx 130890\; \mathrm{bps}$:

Unique 4

But it is not perfect yet. We can tweak it a bit and find out that $125000\; \mathrm{bps}$ matches perfectly:

Unique 5

CAN messages

However, the protocol is not “Async Serial”. In fact, while researching about VIN, I found that it can be queried from the OBD-II port, which has a direct connection to the vehicle’s CAN bus.

Saleae Logic2 is able to parse CAN messages. I was expecting a command identifier like 0x0902, as stated in stackoverflow.com or community.carloop.io, but it was not there…

Flag

However, if we use the CAN analyzer, we will find the flag in some frames:

Unique 6

Unique 7

Unique 8

Unique 9

HTB{v1n_c42_h4ck1n9_15_1337!*0^}