Kiosk 6: CAN-Bus Investigation

The CAN-Bus Investigation Kiosk was located on the NetWars roof, hosted by Wunorse Openslae. It dealt with the logs coming from the CAN Bus of the sleigh itself. My mission, should I choose to accept it, was to filter through the cruft and locate the UNLOCK signal sent along the bus.

Wunorse Openslae's Kiosk

Opening the terminal, I have some neato ascii art:

MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMWX00OkxxddcddxxkOO0XWMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMWXOxoc:c.;cccccc.ccccc:.:c:ldxOXMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMXkoc',ccccc:.:ccccc.ccccc.;cccc,'::cdOXMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMM0xc:cccc,':cccc::ccccccccccccccc:.;cccccc:lxXMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMNkl,',:ccccc;;ccccccccccccccccccccc::cccccc:,',:lOWMMMMMMMMMMMMM
MMMMMMMMMMMMNxccccc;';cccccccccccccccccccccccccccccccccc;':cccccckWMMMMMMMMMMM
MMMMMMMMMMNdcccccc:..;cccccccccccccccccccccccccccccccccccccccccccc:kWMMMMMMMMM
MMMMMMMMM0c,,,,:cccc;..;cccccccccccccccccccccccccccccccccccccc:,,,;:lKMMMMMMMM
MMMMMMMWd:cccc;:cccccc;..,cccccccccccccccccccccccccccccccccccc;:cccccckMMMMMMM
MMMMMMNlcccccccccccccccc:..,:ccccccccccccccccccccccccccccccccccccccccc:oWMMMMM
MMMMMNc,,,,,:ccccccccccccc:..':cccccccccccccccccccccccccccccccccc:,,,,,;oWMMMM
MMMMWoccccc::ccccccccccccccc:'.':cccccccccccccccccccccccccccccccc::ccccccxMMMM
MMMMkccccccccccccccccccccccccc:'..:cccccccccccccccccccccccccccccccccccccc:0MMM
MMMN::cccccccccccccccccccccccccc:'..:cccccccccccccccccccccccccccccccccccc:cWMM
MMMk,,,,,:cccccccccccccccccccccccc:,..;ccccccccccccccccccccccccccccc:,,,,,;0MM
MMMlccccccccccccccccccccccccccccccccc,.;cccccccccccccccccccccccccccccccccccdMM
MMW:ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccclMM
MMWOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO0MM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM

Welcome to the CAN bus terminal challenge!

In your home folder, there's a CAN bus capture from Santa's sleigh. Some of
the data has been cleaned up, so don't worry - it isn't too noisy. What you
will see is a record of the engine idling up and down. Also in the data are
a LOCK signal, an UNLOCK signal, and one more LOCK. Can you find the UNLOCK?
We'd like to encode another key mechanism.

Find the decimal portion of the timestamp of the UNLOCK code in candump.log
and submit it to ./runtoanswer!  (e.g., if the timestamp is 123456.112233,
please submit 112233)

elf@a9ccf8878c60:~$ 

So immediately we have a pretty good indicator as to what to expect with the data. A vast majority of it is the engine idling up and down. For reference, this is a sample of the data I'm working with:

<<< snip >>>
(1608926674.880365) vcan0 244#0000001032
(1608926674.894720) vcan0 244#000000101F
(1608926674.910965) vcan0 244#000000100D
(1608926674.924169) vcan0 244#0000000FFB
(1608926674.938131) vcan0 244#0000000FE9
(1608926674.951003) vcan0 244#0000000FD7
(1608926674.964086) vcan0 244#0000000FC5
(1608926674.977186) vcan0 244#0000000FB3
(1608926674.992136) vcan0 244#0000000FA1
(1608926675.005780) vcan0 244#0000000F8F
(1608926675.020164) vcan0 244#0000000F7C
(1608926675.040383) vcan0 244#0000000F6A
(1608926675.053859) vcan0 244#0000000F58
(1608926675.065655) vcan0 244#0000000F46
(1608926675.079421) vcan0 244#0000000F34
(1608926675.092864) vcan0 244#0000000F22
(1608926675.099853) vcan0 188#00000000
(1608926675.106900) vcan0 244#0000000F10
(1608926675.120475) vcan0 244#0000000EFE
(1608926675.134017) vcan0 244#0000000EEC
(1608926675.147023) vcan0 244#0000000EDA
(1608926675.160161) vcan0 244#0000000EC7
(1608926675.174036) vcan0 244#0000000EB5
(1608926675.187399) vcan0 244#0000000EA3
(1608926675.200131) vcan0 244#0000000E9
<<< snip >>>

This was simply a flat log file. The basics of each line specify the timestamp in epoch time, followed by the interface, followed by an ID number separated by a pound sign, then the value in hex.

The MOTD shows that a majority of these values should be engine idling values, and from the looks of the above I see the 244 ID repeated many times, so I'm going to filter that out:

elf@ab3223db7768:~$ grep -v 244\# ./candump.log 
(1608926660.970738) vcan0 188#00000000
(1608926661.474018) vcan0 188#00000000
(1608926661.978259) vcan0 188#00000000
(1608926662.478577) vcan0 188#00000000
(1608926662.977733) vcan0 188#00000000
(1608926663.483216) vcan0 188#00000000
(1608926663.989726) vcan0 188#00000000
(1608926664.491259) vcan0 188#00000000
(1608926664.626448) vcan0 19B#000000000000
(1608926664.996093) vcan0 188#00000000
(1608926665.499007) vcan0 188#00000000
(1608926666.009926) vcan0 188#00000000
(1608926666.512371) vcan0 188#00000000
(1608926667.013385) vcan0 188#00000000
(1608926667.520201) vcan0 188#00000000
(1608926668.022800) vcan0 188#00000000
(1608926668.530024) vcan0 188#00000000
(1608926669.036851) vcan0 188#00000000
(1608926669.544057) vcan0 188#00000000
(1608926670.046480) vcan0 188#00000000
(1608926670.550541) vcan0 188#00000000
(1608926671.055065) vcan0 188#00000000
(1608926671.122520) vcan0 19B#00000F000000
(1608926671.558329) vcan0 188#00000000
(1608926672.063221) vcan0 188#00000000
(1608926672.568871) vcan0 188#00000000
(1608926673.072611) vcan0 188#00000000
(1608926673.579853) vcan0 188#00000000
(1608926674.086447) vcan0 188#00000000
(1608926674.092148) vcan0 19B#000000000000
(1608926674.589954) vcan0 188#00000000
(1608926675.099853) vcan0 188#00000000
(1608926675.605010) vcan0 188#00000000
(1608926676.110132) vcan0 188#00000000
(1608926676.617537) vcan0 188#00000000
(1608926677.121567) vcan0 188#00000000
(1608926677.630561) vcan0 188#00000000
(1608926678.141434) vcan0 188#00000000

I'm left with far fewer entries. Since I'm looking for the "unlock" code and have yet to enumerate what each ID refers to, I'm going to start deducting what I have here. There are 2 IDs from the above: 188 and 19B. Since 188 is repeated over and over with a value of 0, that leaves the 19B entries which have two values: 0 and 0F000000. The MOTD says there is a lock, an unlock, and a lock again, so I can deduce that the second entry is what I'm looking for, so more specifically:

(1608926671.122520) vcan0 19B#00000F000000

The challenge says to send the decimal value to the ./runtoanswer binary, so let's try it:

elf@ab3223db7768:~$ ./runtoanswer 122520
Your answer: 122520

Checking....
Your answer is correct!

Nice!