---

🎯 Overview

NullSec CarFuzz is a coverage-guided fuzzer specifically designed for automotive protocols. It understands protocol grammars for CAN, UDS (ISO 14229), OBD-II (ISO 15031), and DoIP (ISO 13400), generating intelligent test cases that explore deep protocol states rather than random data.

⚡ Features

Feature	Description
Grammar-Aware Fuzzing	Protocol-aware mutation for CAN, UDS, OBD-II, DoIP
Coverage Tracking	Monitor ECU responses to guide mutation strategy
State Machine	Track protocol state to reach deep execution paths
Crash Detection	Detect ECU resets, hangs, and error responses
Session Manager	Handle diagnostic session changes and security access
Report Generator	Detailed crash reports with reproduction steps

📋 Supported Protocols

Protocol	Standard	Fuzzing Depth
CAN 2.0A/B	ISO 11898	Frame-level
UDS	ISO 14229	Service + sub-function
OBD-II	ISO 15031	PID + mode
DoIP	ISO 13400	Full TCP/UDP stack
XCP	ASAM	Partial
KWP2000	ISO 14230	Service-level

🚀 Quick Start

# Fuzz UDS services on an ECU
nullsec-carfuzz uds --interface can0 --target 0x7E0 --services all

# Fuzz OBD-II PIDs
nullsec-carfuzz obd --interface can0 --modes 01,09 --timeout 100ms

# Grammar-guided CAN fuzzing
nullsec-carfuzz can --interface can0 --id-range 0x600-0x6FF --duration 1h

# Generate crash report
nullsec-carfuzz report --input crashes/ -o report.html

🔗 Related Projects

Project	Description
nullsec-canbus	CAN bus sniffing & injection
nullsec-keyfob	Key fob & immobilizer analysis
nullsec-sdr	Software-defined radio toolkit
nullsec-linux	Security Linux distro (140+ tools)

⚠️ Legal

For authorized automotive security testing only. Never fuzz ECUs in vehicles in traffic.

📜 License

MIT License — @bad-antics

---