Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/FlUxIuS/V2GInjector

V2GInjector - Tool to intrude a V2G PowerLine network, but also to capture and inject V2G packets

car hacking homeplug plc powerline v2g

Last synced: about 1 month ago


README


![V2GInjector Logo](/images/logo.png)

Tool to penetrate V2G networks, monitor and inject packets to attack electric cars and charging stations.

## Publications

- Research paper: https://www.sstic.org/media/SSTIC2019/SSTIC-actes/v2g_injector_playing_with_electric_cars_and_chargi/SSTIC2019-Article-v2g_injector_playing_with_electric_cars_and_charging_stations_via_powerline-dudek.pdf
- Slides from SSTIC 2019: https://www.sstic.org/media/SSTIC2019/SSTIC-actes/v2g_injector_playing_with_electric_cars_and_chargi/SSTIC2019-Slides-v2g_injector_playing_with_electric_cars_and_charging_stations_via_powerline-dudek.pdf
- Video recording from SSTIC 2019 (in French): https://static.sstic.org/videos2019/1080p/SSTIC_2019-06-07_P06.mp4

Support: contact the [Penthertz company](https://penthertz.com/), which owns the project.

## Dependencies

### Software

- Python 2, and Python 3
- Scapy
- Colorama for Python
- V2Gdecoder, provided as a submodule and already compiled and available here: https://github.com/FlUxIuS/V2Gdecoder/releases
- HomePlugPWN, provided as a submodule

To install Python dependencies, use `pip install -r requirements.txt` (or `pip3` as needed).

Submodules can be fetched as follows:
```
$ git submodule update --init --recursive
```

### Hardware

Any device using a Qualcomm Atheros QCA7k-series PowerLine Communication baseband (tested on QCA7420 and QCA7500).
On wallplugs, the text next to the HomePlug logo describes the plug's interoperability, including HomePlug GP.

The tool has been tested with the following devices:

* dLAN Green PHY eval board EU II (~150€)
* PLC Stamp Micro 2 Evaluation Board (Home Automation) (~300€)
* Devolo 1200+ (~50€) -> needs rework if you want to bind it to the CP lines -> dangerous to get access to the TR+/- lines /!\
* Works on QCA7420 chips, but attenuation must be forced on the EVSE side for the SLAC procedure
* TODO: test other devices with a QCA7k PLC baseband.

## Connections

The PowerLine Communication device can be plugged in in three different ways:

* plugging it in with an IEC 61851 or any compatible connector for your targeted car (such connectors can be found on Alibaba)
* with an interception cable between the charging station and the car
* or simply using a standard PLC wallplug with a QCA7k, connected to the same shared electrical network as the charging station(s) and the car(s).

## How to use it

The tool can be started with the Python interpreter as follows:
```
$ python V2GInjector

ooooo oooo ooooooo ooooooo8
888 88 o88 888 o888 88
888 88 o888 888 oooo
88888 o888 o 888o 88
888 o8888oooo88 888ooo888
ooooo o88 o8
888 oo oooooo oooo ooooooooo8 ooooooo o888oo ooooooo oo oooooo
888 888 888 888 888oooooo8 888 888 888 888 888 888 888
888 888 888 888 888 888 888 888 888 888
o888o o888o o888o 888 88oooo888 88ooo888 888o 88ooo88 o888o
o88

~>>>
```

To collect data automatically, two methods are provided by the `Network` class:
* `Network().pcap()`
* `Network().sniff(iface=)`

### Decoding V2G packet

First, the V2Gdecoder service must be running as follows:
```
$ java -jar V2Gdecoder.jar -w
```

Then, when calling the `pcap()` or `sniff()` methods as follows, EXI data is decoded automatically:
```
~>>> n=Network()
~>>> n.pcap("/tmp/emulated.pcapng")
>>>
[Decoded packet]
urn:iso:15118:2:2013:MsgDef20101

>>>
[Decoded packet]
OK_SuccessfulNegotiation10

>>>
[Decoded packet]
00000000000000001C1BB56B09D6

>>>
[Decoded packet]
9F9709381F21A2BBOK_NewSessionEstablishedEVSEID-01557933159

>>>
[Decoded packet]
9F9709381F21A2BB

>>>
[Decoded packet]
9F9709381F21A2BBOKExternalPayment1EV charging (AC/DC)EVChargingfalseAC_three_phase_coreAC_single_phase_coreDC_coreDC_extendedDC_combo_core
[...]
```

### Collected HPGP keys

Collected HomePlug GP keys are shown directly when calling `pcap()` or `sniff()`:
```
~>>> n=Network()
~>>> n.sniff(iface="eth0")
[...]
[New HPGP network spotted!]
- EVSEID: '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
- NetID: '\xae\x20\x00\xff\x82\x02\x00'
- NMK: '\x43F\xc8\xaeT\xbf\xefs\x01\x84\x94\xf8\xc3\x17'
- EVID: '\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff'
- RunID: '\xef\x34C\xf5E\xe0\xa6\x01'
```
These data are stored in the `Network().hpgp` attribute.

These can then be used to configure your PLC device's PIB by dumping it with `plctool` and using the `slac\pev` tool and profile file.

### Generate V2G packets

As the tool uses Scapy and extension layers, a V2G packet can be built with the same layer-stacking logic as Scapy:
```
~>>> ether = Ether()
~>>> ip = IPv6(dst="fe80::3e2a:b4ff:3e5f:1a4")
~>>> tcp = TCP(sport=6666, dport=54054, flags=24)
~>>> v2g=V2GTP()
~>>> packet = ether/ip/tcp/v2g
~>>> packet
>>>
```
But an EXI-encoded payload still needs to be pushed into the V2GTP layer:
```
~>>> packet[V2GTP].show()
###[ V2GTP ]###
Version = 1
Invers = 254
PayloadType= EXI
PayloadLen= 0
Payload = ''
```
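The `show()` output above lists the four V2GTP header fields (version, inverse version, payload type, payload length) that precede the EXI body. The following is an added example, not code from V2GInjector or Penthertz: a small monitoring-side parser that validates those header rules on captured frames and flags malformed ones, which is the check a charging-station operator would want when auditing V2G traffic rather than generating it. Assumptions: the ISO 15118-2 constants (version `0x01`, inverse `0xFE`, payload type `0x8001` for EXI-encoded messages, `0x8002`/`0x8003` for SDP request/response) and an 8-byte big-endian header; the sample EXI bytes are the `encodeEXI()` output quoted in this README, and the malformed frames are constructed here.

```python
"""Added example: parse and validate V2GTP frame headers (not part of V2GInjector)."""
import struct
from typing import List, NamedTuple

# V2GTP header constants (ISO 15118-2 transfer protocol header), assumed here:
# one byte version, one byte inverse version, two-byte payload type, four-byte length.
V2GTP_VERSION = 0x01
V2GTP_INVERSE = 0xFE
V2GTP_HEADER_LEN = 8
PAYLOAD_TYPES = {
    0x8001: "EXI",      # EXI-encoded V2G message (the PayloadType shown above)
    0x8002: "SDP_REQ",  # SECC discovery protocol request
    0x8003: "SDP_RES",  # SECC discovery protocol response
}


class V2GTPFrame(NamedTuple):
    version: int
    inverse: int
    payload_type: str
    payload_len: int
    payload: bytes


class V2GTPError(ValueError):
    """Raised for a frame that violates the V2GTP header rules."""


def parse_v2gtp(data: bytes) -> V2GTPFrame:
    """Parse one V2GTP frame (header + payload) and validate its header."""
    if len(data) < V2GTP_HEADER_LEN:
        raise V2GTPError("truncated header")
    version, inverse, ptype, plen = struct.unpack("!BBHI", data[:V2GTP_HEADER_LEN])
    # Version and inverse version must be the complementary pair 0x01 / 0xFE.
    if version != V2GTP_VERSION or inverse != V2GTP_INVERSE:
        raise V2GTPError(f"bad version pair {version:#04x}/{inverse:#04x}")
    if ptype not in PAYLOAD_TYPES:
        raise V2GTPError(f"unknown payload type {ptype:#06x}")
    payload = data[V2GTP_HEADER_LEN:]
    # The declared length must match what the frame actually carries.
    if len(payload) != plen:
        raise V2GTPError(f"length mismatch: header says {plen}, got {len(payload)}")
    return V2GTPFrame(version, inverse, PAYLOAD_TYPES[ptype], plen, payload)


def build_v2gtp(payload: bytes, ptype: int = 0x8001) -> bytes:
    """Build a well-formed frame; used here only to construct sample input."""
    header = struct.pack("!BBHI", V2GTP_VERSION, V2GTP_INVERSE, ptype, len(payload))
    return header + payload


def audit_frames(frames: List[bytes]) -> List[str]:
    """Run parse_v2gtp over captured frames and return one verdict per frame."""
    verdicts = []
    for frame in frames:
        try:
            parsed = parse_v2gtp(frame)
            verdicts.append(f"ok {parsed.payload_type} len={parsed.payload_len}")
        except V2GTPError as exc:
            verdicts.append(f"malformed: {exc}")
    return verdicts


# Constructed samples: the EXI bytes are the encodeEXI() output quoted in this README.
SAMPLE_EXI = bytes.fromhex("809802000000000000000011D018706ED5AC275800")
GOOD_FRAME = build_v2gtp(SAMPLE_EXI)
BAD_INVERSE = bytes([0x01, 0x00]) + GOOD_FRAME[2:]   # inverse version byte wrong
BAD_LENGTH = GOOD_FRAME[:-3]                          # header length no longer matches
BAD_TYPE = build_v2gtp(SAMPLE_EXI, ptype=0x1234)      # unregistered payload type
SAMPLE_FRAMES = [GOOD_FRAME, BAD_INVERSE, BAD_LENGTH, BAD_TYPE]

if __name__ == "__main__":
    for verdict in audit_frames(SAMPLE_FRAMES):
        print(verdict)
```

Feeding `audit_frames()` the TCP payloads that `Network().pcap()` extracts would give a per-frame verdict; anything reported as `malformed` is worth a closer look, since a conforming EV or EVSE stack never emits a bad version pair or a length that disagrees with the header.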
To do that, just as the `analyse()` method called by `sniff()` and `pcap()` uses the `decodeEXI()` function to decode EXI data, an encoder function `encodeEXI()` also exists to compress an XML payload to EXI:
```
~>>> xml = '00000000000000001C1BB56B09D6'
~>>> encoded_xml=encodeEXI(xml)
~>>> encoded_xml
u'809802000000000000000011D018706ED5AC275800'
```
Then, the EXI-encoded (compressed) data can be pushed into the V2GTP payload as follows:
```
~>>> packet.Payload=encoded_xml
~>>> packet
>>>
```
Finally, the packet can be sent to the target using Scapy's `sendp()` function.

## Further development

* Make a native Python EXI encoder/decoder -> a very long task, or try using the C++ EXI wrapper from Python
* Add other wrappers
* Add some pre-developed attacking functions during interception
* More docs