Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/FlUxIuS/V2GInjector
V2GInjector - Tool to intrude a V2G PowerLine network, but also to capture and inject V2G packets
https://github.com/FlUxIuS/V2GInjector
car hacking homeplug plc powerline v2g
Last synced: about 1 month ago
JSON representation
V2GInjector - Tool to intrude a V2G PowerLine network, but also to capture and inject V2G packets
- Host: GitHub
- URL: https://github.com/FlUxIuS/V2GInjector
- Owner: FlUxIuS
- License: gpl-3.0
- Created: 2019-05-11T08:19:50.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2024-06-28T08:49:54.000Z (6 months ago)
- Last Synced: 2024-08-02T13:31:42.995Z (4 months ago)
- Topics: car, hacking, homeplug, plc, powerline, v2g
- Language: Python
- Homepage:
- Size: 147 KB
- Stars: 110
- Watchers: 9
- Forks: 28
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-starz - FlUxIuS/V2GInjector - V2GInjector - Tool to intrude a V2G PowerLine network, but also to capture and inject V2G packets (Python)
README
![V2GInjector Logo](/images/logo.png)
Tool to penetrate V2G networks, monitor and inject packets to attack electric cars and charging stations.
## Publications
- Researches paper: https://www.sstic.org/media/SSTIC2019/SSTIC-actes/v2g_injector_playing_with_electric_cars_and_chargi/SSTIC2019-Article-v2g_injector_playing_with_electric_cars_and_charging_stations_via_powerline-dudek.pdf
- Slides from SSTIC 2019: https://www.sstic.org/media/SSTIC2019/SSTIC-actes/v2g_injector_playing_with_electric_cars_and_chargi/SSTIC2019-Slides-v2g_injector_playing_with_electric_cars_and_charging_stations_via_powerline-dudek.pdf
- Video recording from SSTIC 2019 (in French): https://static.sstic.org/videos2019/1080p/SSTIC_2019-06-07_P06.mp4Support: contact the [Penthertz company](https://penthertz.com/) which is the owner of the project.
## Dependencies
### Software
- Python 2, and Python 3
- Scapy
- Colorama for Python
- V2Gdecoder in submodules, that is already compiled and available here: https://github.com/FlUxIuS/V2Gdecoder/releases
- HomePlugPWN that is provided in submodulesTo install Python dependencies, use `pip install -r requirements.txt` (or `pip3` as needed).
Submodules can be fetched as follows:
```
$ git submodule update --init --recursive
```### Hardware
Any devices using the PowerLine-Communication Qualcomm Atheros 7k (QCA7k) series baseband (tested on QCA7420 and QCA7500).
For wallplugs, next to the HomePlug logo, there is a text descripting plug's interoperability including HomePlug GP.The tool has been tested with following devices:
* dLAN Green PHY eval board EU II (~150€)
* PLC Stamp Micro 2 Evaluation Board (Home Automation) (~300€)
* Devolo 1200+ (~50€) -> to rework if you want to bind it to CP lines -> dangerous to get access on TR+/- lines /!\
* Working on QCA7420 chips, but attenuation must be forced on EVSE side for the SLAC procedure
* TODO: test other devices with a QCA7k PLC baseband.## Connections
The PowerLine Communication device could be plugged in three different ways:
* plugging it with an IEC 61851 or any compatible connector for your targeted car (that could be found in Alibaba)
* with an interception cable between the charging station and the car
* or using simply use a default PLC wallplug with a QCA7k connected to the same shared electrical network as the charging station(s) and the car(s).## How to use it
The tool can be started with the following interpreter as follows:
```
$ python V2GInjectorooooo oooo ooooooo ooooooo8
888 88 o88 888 o888 88
888 88 o888 888 oooo
88888 o888 o 888o 88
888 o8888oooo88 888ooo888
ooooo o88 o8
888 oo oooooo oooo ooooooooo8 ooooooo o888oo ooooooo oo oooooo
888 888 888 888 888oooooo8 888 888 888 888 888 888 888
888 888 888 888 888 888 888 888 888 888
o888o o888o o888o 888 88oooo888 88ooo888 888o 88ooo88 o888o
o88~>>>
```To collect data automatically, two methods are provided by Network class object:
* `Network().pcap()`
* `Network().sniff(iface=)`### Decoding V2G packet
First, the V2Gdecoder service must be running as follows:
```
$ java -jar V2Gdecoder.jar -w
```Then, when calling `pcap()` or `sniff()` methods as follows, EXI data are simply decoded:
```
~>>> n=Network()
~>>> n.pcap("/tmp/emulated.pcapng")
>>>
[Decoded packet]
urn:iso:15118:2:2013:MsgDef20101>>>
[Decoded packet]
OK_SuccessfulNegotiation10>>>
[Decoded packet]
00000000000000001C1BB56B09D6>>>
[Decoded packet]
9F9709381F21A2BBOK_NewSessionEstablishedEVSEID-01557933159>>>
[Decoded packet]
9F9709381F21A2BB>>>
[Decoded packet]
9F9709381F21A2BBOKExternalPayment1EV charging (AC/DC)EVChargingfalseAC_three_phase_coreAC_single_phase_coreDC_coreDC_extendedDC_combo_core
[...]
```### Collected HPGP keys
Collected HomePlug GP keys are directly show when calling `pcap()` or `sniff()`:
```
~>>> n=Network()
~>>> n.sniff(iface="eth0")
[...]
[New HPGP network spotted!]
- EVSEID: '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
- NetID: '\xae\x20\x00\xff\x82\x02\x00'
- NMK: '\x43F\xc8\xaeT\xbf\xefs\x01\x84\x94\xf8\xc3\x17'
- EVID: '\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff'
- RunID: '\xef\x34C\xf5E\xe0\xa6\x01'
```
These data are stored in the `Network().hpgp` attribute.This can then be used to configure your PLC device's PIB by dumping it with `plctool` and using `slac\pev` tool and profile file.
### Generate V2G packets
As it uses Scapy and extension layers, a V2G packet can be built using the same logic as Scapy:
```
~>>> ether = Ether()
~>>> ip = IPv6(dst="fe80::3e2a:b4ff:3e5f:1a4")
~>>> tcp = TCP(sport=6666, dport=54054, flags=24)
~>>> v2g=V2GTP()
~>>> packet = ether/ip/tcp/v2g
~>>> packet
>>>
```
But we need to push an EXI encoded payload in the V2GTP layer:
```
~>>> packet[V2GTP].show()
###[ V2GTP ]###
Version = 1
Invers = 254
PayloadType= EXI
PayloadLen= 0
Payload = ''
```
To do that, as for the `analyse()` method call by `sniff()` and `pcap()` which uses `decodeEXI()` function to decode EXI data, a encoder function `encodeEXI` also exists to compress the XML payload to EXI:
```
~>>> xml = '00000000000000001C1BB56B09D6'
~>>> encoded_xml=encodeEXI(xml)
~>>> encoded_xml
u'809802000000000000000011D018706ED5AC275800'
```
Then, the encoded/compressed data in EXI can be pushed in the V2GTP payload as follows:
```
~>>> packet.Payload=encoded_xml
~>>> packet
>>>
```
To finish, the packet can be sent to the target using Scapy's `sendp()` function.## Further development
* Make a native Python EXI encoder/decoder -> very long task to do, or try using the C++ EXI Wrapper in Python
* Add other wrappers
* Add some pre-developed attacking functions during interception
* More docs