Intelligent fuzzing for CAN, UDS, OBD-II, and DoIP automotive protocols
NullSec CarFuzz is a coverage-guided fuzzer specifically designed for automotive protocols. It understands protocol grammars for CAN, UDS (ISO 14229), OBD-II (ISO 15031), and DoIP (ISO 13400), generating intelligent test cases that explore deep protocol states rather than random data.
| Feature | Description |
|---|---|
| Grammar-Aware Fuzzing | Protocol-aware mutation for CAN, UDS, OBD-II, DoIP |
| Coverage Tracking | Monitor ECU responses to guide mutation strategy |
| State Machine | Track protocol state to reach deep execution paths |
| Crash Detection | Detect ECU resets, hangs, and error responses |
| Session Manager | Handle diagnostic session changes and security access |
| Report Generator | Detailed crash reports with reproduction steps |
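The "error responses" half of the Crash Detection feature above comes down to reading UDS replies correctly: a 0x7F negative response is normal protocol behaviour, a 0x78 response-pending code means "wait, not a fault", and silence is the real crash candidate. The classifier below is an added example in Python, not NullSec CarFuzz code; the NRC names are a subset of ISO 14229 and the sample exchanges are constructed.

```python
# Added example (not NullSec CarFuzz code): classify raw UDS responses so a
# fuzzing harness can separate ordinary negative responses from hangs.
from dataclasses import dataclass
from typing import Optional

NEGATIVE_RESPONSE_SID = 0x7F
RESPONSE_PENDING = 0x78  # NRC requestCorrectlyReceived-ResponsePending

# Subset of ISO 14229 negative response codes, for readable reports.
NRC_NAMES = {
    0x11: "serviceNotSupported",
    0x12: "subFunctionNotSupported",
    0x13: "incorrectMessageLengthOrInvalidFormat",
    0x22: "conditionsNotCorrect",
    0x31: "requestOutOfRange",
    0x33: "securityAccessDenied",
    0x78: "requestCorrectlyReceived-ResponsePending",
}

@dataclass
class Verdict:
    kind: str  # "positive", "negative", "pending", "hang" or "malformed"
    nrc: Optional[int] = None
    detail: str = ""

def classify_uds_response(request_sid: int, response: Optional[bytes]) -> Verdict:
    """Map one request/response pair onto a verdict for the crash detector.

    No response is a hang (candidate crash), 0x7F is decoded into its NRC,
    and a positive response must echo request SID + 0x40.
    """
    if not response:
        return Verdict("hang", detail="no response before timeout")
    sid = response[0]
    if sid == NEGATIVE_RESPONSE_SID:
        if len(response) < 3:
            return Verdict("malformed", detail="short negative response")
        rejected_sid, nrc = response[1], response[2]
        if rejected_sid != request_sid:
            return Verdict("malformed", nrc=nrc, detail="NRC echoes a different SID")
        if nrc == RESPONSE_PENDING:  # ECU is busy, keep waiting; not an error
            return Verdict("pending", nrc=nrc, detail=NRC_NAMES[nrc])
        return Verdict("negative", nrc=nrc, detail=NRC_NAMES.get(nrc, "unknown NRC"))
    if sid == request_sid + 0x40:
        return Verdict("positive", detail=f"{len(response) - 1} payload bytes")
    return Verdict("malformed", detail=f"unexpected SID 0x{sid:02X}")

# Constructed sample exchanges (not captured from a real ECU).
SAMPLES = [(0x10, bytes([0x50, 0x03, 0x00, 0x32, 0x01, 0xF4])),  # positive
           (0x27, bytes([0x7F, 0x27, 0x33])), (0x22, None)]      # NRC, hang
```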
| Protocol | Standard | Fuzzing Depth |
|---|---|---|
| CAN 2.0A/B | ISO 11898 | Frame-level |
| UDS | ISO 14229 | Service + sub-function |
| OBD-II | ISO 15031 | PID + mode |
| DoIP | ISO 13400 | Full TCP/UDP stack |
| XCP | ASAM | Partial |
| KWP2000 | ISO 14230 | Service-level |
```bash
# Fuzz UDS services on an ECU
nullsec-carfuzz uds --interface can0 --target 0x7E0 --services all

# Fuzz OBD-II PIDs
nullsec-carfuzz obd --interface can0 --modes 01,09 --timeout 100ms

# Grammar-guided CAN fuzzing
nullsec-carfuzz can --interface can0 --id-range 0x600-0x6FF --duration 1h

# Generate crash report
nullsec-carfuzz report --input crashes/ -o report.html
```

| Project | Description |
|---|---|
| nullsec-canbus | CAN bus sniffing & injection |
| nullsec-keyfob | Key fob & immobilizer analysis |
| nullsec-sdr | Software-defined radio toolkit |
| nullsec-linux | Security Linux distro (140+ tools) |
For authorized automotive security testing only. Never fuzz ECUs in vehicles in traffic.
MIT License — @bad-antics
Part of the NullSec Automotive Security Suite