HydraScan

HydraScan is an ISOTP and UDS protocol scanner that enables users to communicate with Electronic Control Units (ECUs) and collect valuable data related to their systems security. Dissecto HydraScan allows users to automatically reverse engineer the ECU’s system state machine, providing a deeper understanding of the ECU’s behavior and attack surface. Penetration testers can use the product to identify vulnerabilities in ECUs, helping them to improve the security of automotive systems. Additionally, HydraScope enables users to monitor and analyze the diagnostic protocol stack of ECUs, providing insight into the flow of data and potential attack vectors.

Features


  • Protocol Support: both ISOTP and UDS protocols are supported, enabling users to efficiently communicate with Electronic Control Units (ECUs)
  • Reverse Engineering Capabilities: By automatically reverse engineering the ECU’s system state machine, HydraScan provides users with a deeper understanding of the ECU’s behavior and potential attack surface
  • Diagnostic Log Stack Monitoring and Analysis: HydraScan allows you to monitor and analyze the diagnostic log stack of ECUs, providing insight into the data flow and potential attack vectors 
  • Compatibility: Designed to be compatible with a wide range of ECUs, HydraScan allows the user to test different vehicle types, ensuring versatility in safety assessments 
  • Comparative Analysis: Compare the attack surfaces of different ECUs from various Original Equipment Manufacturers (OEMs) and diagnostic protocols to improve the security of your ECUs and vehicles 
  • Black-Box Testing: HydraScan employs a black-box testing strategy focused on diagnostic protocol communication. This approach allows for automated investigation of the attack surface, providing a proactive method for identifying vulnerabilities in automotive systems.
  • ISOTP Endpoint Identification: HydraScan supports all common ECU addressing schemes used by OEMs and can automatically identify ISOTP endpoints 

Applications

  • Embedded Systems
  • Automotive Systems
  • Industrial Systems
  • Aviation & Aerospace Systems
  • Maritime Systems
  • Defense Systems
  • IoT (Internet of Things) Devices
  • Medical Devices

Operating Systems

  • Windows
  • Ubuntu 22.04 & 20.04
  • Fedora
  • Manjaro

Supported CAN Devices

OSGS-USBPCANSLCANVector
WindowsXX
LinuxXXX

UDS Scan Enumerators

This gives an overview of HydraScopes scan capabilities. Custom Enumerators can be provided by dissecto Research. Enumerators get executed in every system state of the ECU to gather the full picture of the ECUs attack surface on UDS:

Smart Scan Runcombines various enumerators to gather the most general information possible about the target system. It leverages the information collected by multiple enumerators to provide a holistic view of the system
Available Services Enumerationfetches information about the UDS services supported by the target system. It identifies both available services and negative responses for services that are not supported
DiagnosticSessionControl (0x10)enables the capability to change diagnostic sessions on the target system, depending on the security level. This enumerator plays a vital role in accessing different diagnostic modes for comprehensive scanning and testing
ReadDataByIdentifier (0x22)designed to read data from the target system based on specific identifiers within a given scan range. It allows retrieving important data points that can provide insights into the system’s configuration and functionality
Smart ReadDataByIdentifier (0x22)an intelligent variant of the ReadDataByIdentifier enumerator. It utilizes a more sophisticated approach to optimize data retrieval based on identifier information and scan range
Smart WriteDataByIdentifier (0x2E)responsible for using the WriteDataByIdentifier services on the target system. It follows a two-step process, first reading the value of the identifier and then writing the same value to the identifier. This prevents undesired modification of the system
SecurityAccess (0x27)used to discover available security seeds with access type and state on the target system. This information is essential for understanding the security mechanisms in place and gaining appropriate access to the system
SecurityAccess (0x27) – XOR-Key Probingattempts to access available security levels by using an XOR-based method to generate the key from the seed
SecurityAccess (0x27) – Query Server for Keysattempts to access available security levels by using an external security access server. This method provides an alternative approach to handle security challenges and allows users to provide their custom security access algorithm to HydraScope
RoutineControl (0x31)enables users to identify control routines on the target system. Users can scan for start, stop, and retrieve results of routines based on the configuration
RoutineControl (0x31) – RoutineControlType ‘startRoutine’ onlyspecifically designed to start routines on the target system
Smart RoutineControl (0x31)only scans for stop routines and retrieve results routines on the target system
Smart ReadMemoryByAddress (0x23)provides a sophisticated method to probe for the read memory by address service on the target system by combining the Random ReadMemoryByAddress Enumeration followed by the Sequential ReadMemoryByAddress Enumeration
TesterPresent (0x3E)verifies whether the Tester Present service is supported on the target system
ECUReset (0x11)verifies whether the ECU Reset service is supported on the target system
InputOutputControlByIdentifier (0x2F)gathers available InputOutputControls based on their identifiers and provides information about negative responses per state
CommunicationControl (0x28)tests if the CommunicationControl service is supported on the target system
RequestDownload (0x34)tests if the RequestDownload service is supported on the target system
TransferData (0x36)tests if the TransferData service is supported on the target system
ReadDataByPeriodicIdentifier (0x2A)tests if the ReadDataByPeriodicIdentifier service is supported on the target system

*product specifications and features are subject to change without prior notice as we continuously strive to improve our products