nullsec-carfuzz 0.1.0

Coverage-guided fuzzer for automotive protocols: CAN, UDS (ISO 14229), OBD-II (ISO 15031), DoIP (ISO 13400)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82

<div align="center">

# 🏎️ NullSec CarFuzz

### Automotive Protocol Fuzzer

[![Rust](https://img.shields.io/badge/Rust-1.70+-000000?style=for-the-badge&logo=rust&logoColor=white)]()
[![License](https://img.shields.io/badge/License-MIT-green?style=for-the-badge)]()
[![NullSec](https://img.shields.io/badge/NullSec-Linux_v5.0-00ff41?style=for-the-badge&logo=linux&logoColor=white)](https://github.com/bad-antics/nullsec-linux)

*Intelligent fuzzing for CAN, UDS, OBD-II, and DoIP automotive protocols*

</div>

---

## 🎯 Overview

NullSec CarFuzz is a coverage-guided fuzzer specifically designed for automotive protocols. It understands protocol grammars for CAN, UDS (ISO 14229), OBD-II (ISO 15031), and DoIP (ISO 13400), generating intelligent test cases that explore deep protocol states rather than random data.

## ⚡ Features

| Feature | Description |
|---------|-------------|
| **Grammar-Aware Fuzzing** | Protocol-aware mutation for CAN, UDS, OBD-II, DoIP |
| **Coverage Tracking** | Monitor ECU responses to guide mutation strategy |
| **State Machine** | Track protocol state to reach deep execution paths |
| **Crash Detection** | Detect ECU resets, hangs, and error responses |
| **Session Manager** | Handle diagnostic session changes and security access |
| **Report Generator** | Detailed crash reports with reproduction steps |

## 📋 Supported Protocols

| Protocol | Standard | Fuzzing Depth |
|----------|----------|---------------|
| CAN 2.0A/B | ISO 11898 | Frame-level |
| UDS | ISO 14229 | Service + sub-function |
| OBD-II | ISO 15031 | PID + mode |
| DoIP | ISO 13400 | Full TCP/UDP stack |
| XCP | ASAM | Partial |
| KWP2000 | ISO 14230 | Service-level |

## 🚀 Quick Start

```bash
# Fuzz UDS services on an ECU
nullsec-carfuzz uds --interface can0 --target 0x7E0 --services all

# Fuzz OBD-II PIDs
nullsec-carfuzz obd --interface can0 --modes 01,09 --timeout 100ms

# Grammar-guided CAN fuzzing
nullsec-carfuzz can --interface can0 --id-range 0x600-0x6FF --duration 1h

# Generate crash report
nullsec-carfuzz report --input crashes/ -o report.html
```

## 🔗 Related Projects

| Project | Description |
|---------|-------------|
| [nullsec-canbus](https://github.com/bad-antics/nullsec-canbus) | CAN bus sniffing & injection |
| [nullsec-keyfob](https://github.com/bad-antics/nullsec-keyfob) | Key fob & immobilizer analysis |
| [nullsec-sdr](https://github.com/bad-antics/nullsec-sdr) | Software-defined radio toolkit |
| [nullsec-linux](https://github.com/bad-antics/nullsec-linux) | Security Linux distro (140+ tools) |

## ⚠️ Legal

For **authorized automotive security testing only**. Never fuzz ECUs in vehicles in traffic.

## 📜 License

MIT License — [@bad-antics](https://github.com/bad-antics)

---

<div align="center">

*Part of the [NullSec Automotive Security Suite](https://github.com/bad-antics)*

</div>