hardware / free / medium

Outrun

hackthebox

Task: HackTheBox hardware challenge with a Saleae .logicdata CAN capture and a socket.io bridge to a live car. Solution: parse the .logicdata as a flat array of uint16 analog samples, threshold it, decode single-wire CAN at 1.25 Mbps (invert, destuff, CRC-15) to learn the frame format, then connect with an Engine.IO v3 client and flood spoofed 0x122 (lock:1) and 0x402 (speed=0) frames to stop the car and lock the doors.

$ ls tags/ techniques/
logicdata_format_reversing  analog_sample_thresholding  can_bitrate_detection
can_frame_destuffing  crc15_validation  socketio_eio3_downgrade
can_id_semantic_reversing  value_field_mapping  frame_flooding_replay
door_lock_can_injection  speedometer_can_injection


Outrun — HackTheBox

Description

A corporate spy is escaping in a prototype vehicle. A drone is in range to exploit the TCU (Telematics Control Unit) and grant access to the car's inner CAN network. Stop the car and lock the doors to trap the spy and safeguard the IP.

Two files are given: PCS_checklog.logicdata — a 787 MB Saleae logic-analyzer capture (a "system check log" of the car), and bridge.py — a Python socket.io client wrapper from internal documentation that connects to a live instance on port 5000. Goal: drive the on-board CAN bus to speed 0 and lock the doors over a single socket connection to receive the flag.

Analysis

The challenge has two independent halves: an offline capture that teaches the CAN frame format, and a live socket.io instance where the actual exploit happens.

PCS_checklog.logicdata — Saleae Logic 1.x capture

  • Header starts with 7f 01 0a 01 0a "Data save2" and lists two channels (Channel 0 / Channel 1). This is the legacy .logicdata format, NOT the newer .sal. sigrok-cli has no input module for .logicdata, so the file must be parsed by hand (sigrok does, however, ship a usable can protocol decoder).
  • The data region (from offset ~0x194) is a flat array of uint16 little-endian analog ADC samples, not an RLE/transition list. The recurring "value, 0x08" byte pattern people mistake for run-length data is simply the low/high bytes of 16-bit values clustered around ~2057.
  • Sample rate is a u32 in the header at offset 0x19 = 25000000 (25 MHz); the capture holds ~393.7M samples (~15.7 s).
  • The file has multiple segments. Only the first segment (~samples 4.21M–24M, ~0.8 s) is CAN traffic; later segments are full-scale analog sensor data and are red herrings.
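As an added example (not code from the original writeup), here is a minimal parser for the layout described in the notes above: it reads the u32 sample rate at 0x19, unpacks the uint16 LE samples from 0x194, thresholds them at the midpoint of the observed range, takes the shortest run as one bit time to estimate the bitrate, and resamples the runs into bits. The capture it runs on is constructed inline (a short bit pattern rendered at 25 MS/s with 20 samples per bit; the ADC levels 0x0809/0x0F00 are arbitrary). On the real 787 MB file you would memory-map the data region and restrict the threshold and run analysis to the first segment's sample range, because the full-scale sensor segments would otherwise pull the midpoint away from the CAN signal's levels.

```python
import struct

SAMPLE_RATE_OFF = 0x19   # u32 LE sample rate, per the header layout above
DATA_OFF = 0x194         # first uint16 LE analog sample, per the notes above


def build_capture(bits, sample_rate=25_000_000, bitrate=1_250_000,
                  lo=0x0809, hi=0x0F00):
    """Constructed stand-in for PCS_checklog.logicdata (not the real file):
    zero-padded header carrying the magic and the u32 sample rate, followed by
    uint16 LE samples holding each bit for sample_rate // bitrate samples.
    The ADC levels lo/hi are arbitrary; lo = 2057 matches the '.., 0x08' pattern."""
    hdr = bytearray(DATA_OFF)
    magic = b"\x7f\x01\x0a\x01\x0aData save2"
    hdr[:len(magic)] = magic
    struct.pack_into("<I", hdr, SAMPLE_RATE_OFF, sample_rate)
    spb = sample_rate // bitrate
    samples = [hi if b else lo for b in bits for _ in range(spb)]
    return bytes(hdr) + struct.pack(f"<{len(samples)}H", *samples)


def read_capture(blob):
    """Return (sample_rate, samples) from a .logicdata-style blob."""
    (rate,) = struct.unpack_from("<I", blob, SAMPLE_RATE_OFF)
    n = (len(blob) - DATA_OFF) // 2
    return rate, struct.unpack_from(f"<{n}H", blob, DATA_OFF)


def threshold(samples):
    """Digitise analog samples at the midpoint of the observed range.
    Only valid within one segment: the later full-scale sensor segments
    would drag the midpoint away from the CAN signal's two levels."""
    mid = (min(samples) + max(samples)) / 2
    return [1 if s > mid else 0 for s in samples]


def run_lengths(digital):
    """Collapse a digital trace into (level, sample_count) runs."""
    runs, last, count = [], digital[0], 0
    for d in digital:
        if d == last:
            count += 1
        else:
            runs.append((last, count))
            last, count = d, 1
    runs.append((last, count))
    return runs


def detect_bitrate(runs, rate):
    """Bit-stuffed CAN traffic always contains single-bit runs, so the shortest
    run is one bit time (assumption: no glitches shorter than a bit)."""
    return round(rate / min(n for _, n in runs))


def bits_from_runs(runs, spb):
    """Resample runs into bits at spb samples per bit."""
    return [lvl for lvl, n in runs for _ in range(round(n / spb))]


def recover(blob):
    """Full pipeline: header -> samples -> digital -> runs -> bitrate -> bits."""
    rate, samples = read_capture(blob)
    runs = run_lengths(threshold(samples))
    bitrate = detect_bitrate(runs, rate)
    return rate, bitrate, bits_from_runs(runs, rate / bitrate)


# Constructed bit pattern; it includes single-bit runs so bitrate detection works.
PATTERN = [1, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 0, 0, 0, 1, 0, 1]
CAPTURE = build_capture(PATTERN)

if __name__ == "__main__":
    rate, bitrate, bits = recover(CAPTURE)
    print(f"{rate} S/s, {bitrate} bit/s, bits match: {bits == PATTERN}")
```

The shortest-run heuristic is the cheap way to get the unusual bitrate; if the capture has noise spikes narrower than a bit, filter runs below a few samples first or take the mode of the shortest runs instead of the minimum.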

Single-wire CAN at an unusual bitrate

...
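The section above is truncated here. As an added example (not from the original writeup), the following implements the decode steps the summary at the top names, invert, destuff and CRC-15, for a classic 11-bit CAN frame, plus the matching encoder used to build test input. Its input is the bit list the thresholding step produces; `inverted=True` covers a single-wire capture where the dominant level was recorded as 1. The sample frames (0x122 with a one-byte payload of 0x01, 0x402 with two zero bytes) are constructed here, and their payload layouts are placeholders, not the car's actual signal mapping.

```python
CRC15_POLY = 0x4599   # CAN CRC-15 generator polynomial


def crc15(bits):
    """CAN CRC-15 over a list of bits (SOF through the last data bit)."""
    crc = 0
    for b in bits:
        nxt = b ^ ((crc >> 14) & 1)
        crc = (crc << 1) & 0x7FFF
        if nxt:
            crc ^= CRC15_POLY
    return crc


def to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def bits_to_int(bits):
    v = 0
    for b in bits:
        v = (v << 1) | b
    return v


def stuff(bits):
    """Insert a complementary bit after every run of five equal bits."""
    out, last, run = [], None, 0
    for b in bits:
        out.append(b)
        run = run + 1 if b == last else 1
        last = b
        if run == 5:
            out.append(1 - b)
            last, run = 1 - b, 1
    return out


def encode_frame(can_id, data, ack=True):
    """Classic 11-bit CAN data frame as a bit list (recessive=1, dominant=0)."""
    body = [0] + to_bits(can_id, 11) + [0, 0, 0] + to_bits(len(data), 4)  # SOF, ID, RTR, IDE, r0, DLC
    for byte in data:
        body += to_bits(byte, 8)
    body += to_bits(crc15(body), 15)          # CRC covers SOF..data, on unstuffed bits
    return stuff(body) + [1, 0 if ack else 1, 1] + [1] * 7  # CRC delim, ACK slot, ACK delim, EOF


class Destuffer:
    """Pull destuffed bits from a raw stream, flagging stuff errors."""

    def __init__(self, bits, start):
        self.bits, self.i, self.last, self.run = bits, start, None, 0

    def next(self):
        while True:
            b = self.bits[self.i]
            self.i += 1
            if self.run == 5:                 # the bit after five equal bits is a stuff bit
                if b == self.last:
                    raise ValueError(f"stuff error at raw bit {self.i - 1}")
                self.last, self.run = b, 1
                continue
            self.run = self.run + 1 if b == self.last else 1
            self.last = b
            return b

    def take(self, n):
        return [self.next() for _ in range(n)]

    def end(self):
        """Raw index after the stuffed region; a stuff bit may follow the last CRC bit."""
        if self.run == 5 and self.i < len(self.bits):
            if self.bits[self.i] == self.last:
                raise ValueError(f"stuff error at raw bit {self.i}")
            self.i += 1
        return self.i


def decode_frame(raw, inverted=False):
    """Parse one classic CAN frame from a recovered bit list."""
    bits = [1 - b for b in raw] if inverted else list(raw)
    d = Destuffer(bits, bits.index(0))        # SOF: first dominant bit after idle
    head = d.take(19)                         # SOF, ID(11), RTR, IDE, r0, DLC(4)
    if head[13]:
        raise ValueError("extended (29-bit) frames not handled")
    rtr, dlc = head[12], bits_to_int(head[15:19])
    payload = d.take(0 if rtr else 8 * min(dlc, 8))   # DLC > 8 still carries 8 bytes
    crc_rx = bits_to_int(d.take(15))
    end = d.end()
    tail = bits[end:end + 10]                 # CRC delim, ACK slot, ACK delim, EOF(7)
    return {
        "id": bits_to_int(head[1:12]), "rtr": rtr, "dlc": dlc,
        "data": [bits_to_int(payload[i:i + 8]) for i in range(0, len(payload), 8)],
        "crc_ok": crc_rx == crc15(head + payload),
        "ack": len(tail) > 1 and tail[1] == 0,
        "delims_ok": tail[:1] == [1] and tail[2:] == [1] * 8,
        "next": end + 10,                     # raw index where the next frame may start
    }


# Constructed test input: a lock frame on an inverted single-wire capture with idle around it.
FRAME = encode_frame(0x122, [0x01])
WIRE = [1 - b for b in [1] * 4 + FRAME + [1] * 3]

if __name__ == "__main__":
    print(decode_frame(WIRE, inverted=True))
```

Two checks matter in practice: `crc_ok` is False on a bit slip from a slightly wrong bitrate, which is how you confirm the 1.25 Mbps figure, and a `ValueError` from the destuffer usually means the inversion or the SOF alignment is wrong rather than the frame itself being corrupt.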
