Lab 1: Vehicle digital twin infrastructure demonstrator

This lab focuses on the integration of physical automotive hardware with virtual simulation. It uses a bare-metal testing platform bi-directionally synchronized with the CARLA driving simulator to form a “Digital Twin” environment.

Lab Structure: A 30-minute theoretical presentation (PASTA architecture, CAN vulnerabilities, Sim2Real concept) followed by 90 minutes of practical exercises.

Equipment Overview: The Sim2Real Infrastructure

The infrastructure consists of three operational layers.

1. The Physical Layer (Hardware Testbed)

The testbed is built inside a portable briefcase and organized in a dual-panel configuration:

  • Lower Panel (The Network): Contains four Electronic Control Unit (ECU) nodes: Gateway, Powertrain, Chassis, and Body.
  • Processing Core: Uses Teensy 4.0 and 4.1 microcontrollers running bare-metal firmware.
  • The Bus: ECUs communicate over a flattened shared CAN bus made of a twisted-pair cable. The bus includes an OBD-II diagnostic port and a “clipping zone” for physical probing and payload injection.
  • Upper Panel (HMI): Integrates physical automotive inputs (ignition switch, steering wheel via rotary potentiometer, pedals, lighting controls) and three Nextion touch screens to display the dashboard state.

2. The Middleware (Sim2Real Bridge)

The middleware translates hardware signals into digital commands.

  • Ethernet Link: Establishes a bidirectional Ethernet connection between the physical platform and the simulator.
  • JSON Abstraction: A Python-based bridge translates CARLA outputs into CAN messages and vice versa, using JSON for state consistency.

3. The Virtual Layer (CARLA & Graphical User Interface)

  • CARLA Simulator: A 3D driving simulator that dynamically interacts with the physical ECUs.
  • PyQt5 GUI: An interface for monitoring live CAN traffic, defining packet structures, and injecting messages.

Exercise 1: Physical Layer Inspection

Objective: Analyze the electrical characteristics of the CAN bus.

The CAN lines on the testbed are coiled around the main 12V power supply to introduce Electromagnetic Interference (EMI).

Task:

  • Connect the Rigol DS1052E digital oscilloscope to the physical clipping zone.
  • Probe the CAN_H and CAN_L lines sequentially relative to the common ground.
  • Capture a transmission frame.

Questions & Observations:

  • Identify States: Locate the recessive state (logic 1) and the dominant state (logic 0).
  • Measure Voltages: Determine the voltage levels for CAN_H and CAN_L in the dominant state.
  • Calculate Differential Voltage: Subtract CAN_L from CAN_H. The expected differential voltage is approximately 1.96V (e.g., CAN_H at ~2.99V and CAN_L at ~1.03V).

Exercise 2: CAN Traffic Decoding

Objective: Parse and interpret raw CAN frames from a pre-captured traffic log.

You are provided with a CSV file containing CAN traffic. This data was extracted from the testbed's internal logic pins using a Kingst LA2016 high-speed logic analyzer.

Task: Write a Python script to read the CSV file, extract the CAN IDs and data payloads, and translate them into actions using the provided CAN_ID.json dictionary.

Download the starting code from here

Exercise 3: Kinetic Cyberattack via Digital Twin

Objective: Execute an injection attack on the digital twin and observe the kinetic impact in CARLA.

The CAN protocol uses a broadcast mechanism without source authentication.

Task: Inject a falsified message masquerading as a legitimate ECU (e.g., imitating the Chassis module to send a Powertrain command), causing the simulated vehicle to accelerate to 100% throttle and steer fully to the left.

Steps:

  • Target Identification: Use CAN_ID.json to find the CAN ID for the accelerator or brake pedal.
  • Craft Payload: Use the PyQt5 GUI / CAN-Simulator Bridge to construct a JSON payload with the target can_id and a modified data value.
  • Inject: Run the injection script as shown by the instructor.

Questions & Observations:

  • Simulator Impact: Observe the virtual car's reaction in CARLA.
  • Defense Mechanisms: Consider how an Intrusion Detection System (IDS) could detect this based on message frequency and timing constraints.
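
For the Defense Mechanisms question, the following is an added example (not part of the lab's provided code) of a timing-based IDS: it learns each CAN ID's period from clean traffic, then flags frames that arrive too soon after the previous frame with the same ID or that carry an ID never seen in the baseline. The CAN IDs, timestamps and the 0.5 tolerance are constructed assumptions, not values from CAN_ID.json.

```python
from collections import defaultdict
from statistics import median

def learn_periods(frames):
    """Median inter-arrival time (ms) per CAN ID, from attack-free traffic."""
    last, gaps = {}, defaultdict(list)
    for ts, can_id in frames:
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {cid: median(g) for cid, g in gaps.items()}

def detect(frames, periods, tolerance=0.5):
    """Return (timestamp_ms, can_id, reason) for every suspicious frame."""
    last, alerts = {}, []
    for ts, can_id in frames:
        if can_id not in periods:
            # ID never observed while the bus was known to be clean
            alerts.append((ts, can_id, "unknown id"))
        elif can_id in last and ts - last[can_id] < tolerance * periods[can_id]:
            # Injected frames interleave with the real sender's periodic frames,
            # so the gap to the previous frame with this ID collapses
            alerts.append((ts, can_id, "too fast"))
        last[can_id] = ts
    return alerts

def periodic(can_id, period_ms, start, stop):
    """Build (timestamp_ms, can_id) pairs for one periodic sender."""
    return [(t, can_id) for t in range(start, stop, period_ms)]

# Constructed sample traffic; the IDs are placeholders, not from CAN_ID.json.
THROTTLE, STATUS, UNLISTED = 0x100, 0x200, 0x555
BASELINE = sorted(periodic(THROTTLE, 10, 0, 1000) + periodic(STATUS, 50, 0, 1000))
INJECTED = [(103, THROTTLE), (113, THROTTLE), (123, THROTTLE), (150, UNLISTED)]
LIVE = sorted(periodic(THROTTLE, 10, 0, 200) + periodic(STATUS, 50, 0, 200) + INJECTED)

def demo():
    """Learn from the clean baseline, then scan the live capture."""
    return detect(LIVE, learn_periods(BASELINE))

if __name__ == "__main__":
    for ts, can_id, reason in demo():
        print(f"t={ts:4d} ms  id=0x{can_id:03X}  {reason}")
```

On the physical bus, timing jitter from arbitration and EMI means the tolerance has to be tuned against a clean capture so that legitimate frames do not raise alerts.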

CAN Bridge

CARLA Simulator

rasb/lab/01.txt · Last modified: 2026/06/22 19:13 by ciprian.popescu0411
CC Attribution-Share Alike 3.0 Unported