The CyberTruck Research Vehicle

A description and purpose of the cybersecurity research truck at Colorado State University


Kenworth Left Side View Photo

Introduction

Heavy vehicle cybersecurity is challenging to explore if you don't have access to a truck. Even if you have access to a truck, you may not be able to modify it or fully assess it for fear of damaging it or having to repair it. This creates a need for a truck that is available specifically for research on heavy vehicle cybersecurity issues. The CyberTruck Research Vehicle in Systems Engineering at Colorado State University is dedicated to supporting research and testing efforts around heavy vehicle cybersecurity. The remainder of this article describes the CyberTruck and its capabilities. It is a resource that is available to the research community.

Vehicle Description

The CSU CyberTruck research vehicle is a 2014 Kenworth T270 Class 6 box van truck. It has about 250,000 miles (in 2022) on the chassis. Dr. Daily purchased the vehicle from MHC Kenworth in 2019 shortly after he arrived at Colorado State University. The truck is powered by a PACCAR PX-7 engine, which is a rebranded Cummins 6.7L ISB engine. The engine is connected to an Allison 2100RDS transmission, and the truck has Bendix-controlled air brakes. The systems communicate with each other using J1939 at 250 kbps. The VIN is 2NKHHM6X2EM406412.

Photos: Right Front of the Kenworth; Left Front of the Kenworth; Vehicle Name Sticker; Vehicle Emission Sticker

Research Features

The original wiring harness has been altered to enable the easy installation and removal of middleperson devices in the J1939 network. In the photograph below, CSU student David Nnaji is making the modifications to the J1939 network stub connecting the engine with the rest of the network.

David installing the wiring

After the installation of the removable wiring, the communications path is routed back into the cab using the network tap. The wiring is shown in the photo below. The square stick indicates the connection made with the 3-pin Deutsch connectors. To remove the wiretap, simply reconnect the Deutsch connectors and the original wiring will be restored.

Network tap for the J1939 stub for the engine controller on the left and the restored network wiring on the right.

The connection from the engine compartment runs through the firewall and into the cab. It is terminated below the passenger seat, facing the door for easier access. These connections are in place for the brakes, transmission, and engine. At the end of this connection is a middleperson device that can read and write to each side of the J1939 network. This unique feature gives researchers the ability to affect the network traffic inside the vehicle while it is running.

CAN Conditioners

CAN Conditioner Hardware

CAN Conditioners are based on the Teensy 4.0 evaluation board with 2 CAN channels. One CAN channel faces the original J1939 network and the second channel faces the single ECU on the stub. The Teensy boards are programmed using the Arduino IDE with the Teensyduino add-on. The CAN conditioners also have a Microchip ATECC608A hardware security module.

The schematic for the CAN Conditioner shows the circuits and connections for the devices. The hardware was designed in Altium Designer and the Altium files are available from this zip archive.

The board can be ordered from OSH Park: https://oshpark.com/shared_projects/xYRWU2Or and the Bill of Materials in CSV form was current in 2020. It's also available in Excel format.

CAN Conditioner Software

The firmware described in the following papers is open source and the repository is available here: https://github.com/SystemsCyber/CANWatermarking

Access to Electronic Control Units (ECUs)

In the research truck, we have access to the Transmission Controller, Brake Controller, Instrument Cluster, Diagnostic Port, and Engine Controller. The following sections describe the different ECUs and present photos of each.

Engine Controller

J1939 Source Address 0 (0x00)
The engine controller is a Cummins CM2350 controller unit.

Engine Controller
Engine Control Unit mounted on the driver's side of the engine.

Transmission Controller

J1939 Source Address 3 (0x03)

Transmission Controller
Transmission Control Unit mounted in the center of the cab.

Electronic Brake Controller

J1939 Source Address 11 (0x0B)

Brake Controller
Electronic Brake Controller (EBC) Unit mounted behind the diagnostic port on the driver's left side.
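
Because each CAN Conditioner sits between a single ECU and the rest of the J1939 network, it can tell which side a frame came from and compare that with the source address the frame claims. The following is an added example of that check, not code from the CANWatermarking repository; the function and type names are hypothetical, the frames are constructed samples, and the identifier layout is the standard 29-bit J1939 one.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields of a 29-bit J1939 CAN identifier (standard J1939-21 layout). */
typedef struct { uint8_t priority; uint32_t pgn; uint8_t da; uint8_t sa; } j1939_id;
/* Which of the device's two CAN channels received the frame (hypothetical names). */
typedef enum { SIDE_NETWORK, SIDE_ECU } side_t;

j1939_id j1939_decode(uint32_t can_id) {
    j1939_id f;
    uint32_t dp = (can_id >> 24) & 0x03;   /* extended data page + data page bits */
    uint32_t pf = (can_id >> 16) & 0xFF;   /* PDU format */
    uint32_t ps = (can_id >> 8) & 0xFF;    /* PDU specific */
    f.priority = (uint8_t)((can_id >> 26) & 0x07);
    f.sa = (uint8_t)(can_id & 0xFF);
    f.da = (uint8_t)(pf < 240 ? ps : 0xFF);              /* PDU1: PS is the destination; PDU2: broadcast */
    f.pgn = (dp << 16) | (pf << 8) | (pf < 240 ? 0 : ps); /* PS is part of the PGN only in PDU2 */
    return f;
}

/* Source addresses as listed on this page for the truck's ECUs. */
const char *ecu_name(uint8_t sa) {
    switch (sa) {
    case 0x00: return "Engine Controller";
    case 0x03: return "Transmission Controller";
    case 0x0B: return "Electronic Brake Controller";
    default:   return "other";
    }
}

/* The stub holds exactly one ECU, so a frame that arrives on the network-facing
 * channel carrying that ECU's source address cannot have come from the ECU itself. */
int is_impersonation(side_t arrived_on, uint32_t can_id, uint8_t stub_sa) {
    return arrived_on == SIDE_NETWORK && j1939_decode(can_id).sa == stub_sa;
}

int main(void) {
    /* Constructed sample frames as seen by the engine's conditioner (stub SA 0x00). */
    struct { side_t side; uint32_t id; } frames[] = {
        { SIDE_ECU, 0x0CF00400 }, { SIDE_NETWORK, 0x18FEBF0B },
        { SIDE_NETWORK, 0x0C00000B }, { SIDE_NETWORK, 0x0CF00400 } };
    for (int i = 0; i < 4; i++) {
        j1939_id f = j1939_decode(frames[i].id);
        printf("%08X pgn=%u sa=%u (%s) %s\n", (unsigned)frames[i].id, (unsigned)f.pgn, (unsigned)f.sa,
               ecu_name(f.sa), is_impersonation(frames[i].side, frames[i].id, 0x00) ? "FLAG" : "ok");
    }
    return 0;
}
```

Only the last sample frame is flagged: it claims the engine's source address but was received on the network-facing channel.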

Contact

For more information regarding the availability of the CyberTruck Research Vehicle, please contact Jeremy Daily at Jeremy.Daily@colostate.edu.