>> ALBERTO: How are you DEF CON? Okay. So, you know, this is our presentation, we are
speaking about car hacking. Later about how to do a forensic job into a car after a crash,
after an accident, to retrieve all the speed, the RPM, the brake position and this kind
of things, okay. Let's start. You know it's called "Dude, Where the *** in My Car?" I'm
Alberto, he's Javier, I'm going to introduce him and he's a hardware specialist. He loves
breaking toys. Every time I meet with him, he is always with some stuff with the hands
completely dirty, dirty in the sense of the hand, only, okay? So he's freelance, okay?
He's working alone. He's from ‑‑ we are from Spain, okay, this is important to understand
the jokes and this kind of things (Laughter.) Sometimes we have different kinds of jokes,
but I think the Spanish jokes are cool. Have you ever been to Spain? He is from a city
in the part of Spain that is in the very south, close to Morocco and that's him, okay?
I am this guy. On the left. The youngest one! The other guy is my Grandpa! (Laughter.)
This is my second time here in DEF CON, last year I was speaking here about other stuff.
The thing is ‑‑ (Applause.) Thank you! The thing is I don't want to introduce
myself like the typical times, like, I'm doing the *** or whatever, blah, blah, blah, so
the thing is I'm going to use a video of the last year, yeah? It's a piece of the total
of last year here at DEF CON. So I think it will be enough to introduce myself. You see,
I reuse the slides, I am lazy! I am from a city 200 kilometers to the north of Madrid,
and I am 24 years old, I'm single, if anyone wants to ‑‑ (Laughter.)
Okay? No, I'm only like girls, sorry! (Laughter.) (Applause.)
I am only 25 years old now, and all the rest is the same so only girls, please! (Applause.)
Okay, let's go. Okay, like I told you at the beginning we are speaking about hacking the
car, hacking the ECU, like the brain of the car. There are different brains around the
car but we are trying to get the control to interact with the ECU, the main one, the ECU
is where the configuration of the car is stored. So this is the first part of the talk and
like I told you, we are going to do the forensic job, okay?
So we can know what happened in an accident and if someone is guilty or not or whatever,
yeah. So for now I'm going to give the microphone to my friend, my partner,
and he's going to start.
>> JAVIER: Okay, so as Alberto said I'm Javier
I'm from Cardiff and all that stuff. Why did this happen, the car hacking thing? Well,
I had a friend ‑‑ well, I used to do this stuff with my laptop, like everyone does
and he kept on bugging me, you want a factory, I want it cheap and I thought, man, I make
one piece hardware so you stop bugging me, and that's how it started, I wanted him to
not keep on calling me. At first I use this, it didn't work ‑‑ (Laughter.)
I needed a plan. I had to sort it out. At first I needed some information, of course,
I needed to see how the car did work so I realized that there were different electronic
control units that they were all networked in the same bus, so they were address huddled,
they had some security, I didn't know that much, I was playing a little while, and I
knew that data was stored in them, and it's interesting data. There are some communication
protocols, these are widely spread. They are not the only ones but they are most common,
this is the one that is being used the most, CAN bus.
>> AUDIENCE MEMBER: (Away from microphone.)
>> JAVIER: One of the most important things
when I started with this thing was the price. When I was going to develop the tool, my friend
wanted it cheap, and K-Line was $10 cheaper. I am not cheap I just we want for the interface,
K-Line. Why did I choose it? As I said, it is cheaper. For CAN bus we need ICs, and
ECUs that work for K-Line are cheaper.
>> ALBERTO: (Away from microphone.)
>> JAVIER: It's $10, $8, but that's something. Then the question, if I say different, to
implement it? The difference between K-Line and CAN bus is protocol layers, so it's layer
1 and layer 2. All the encryption is the same so if you wanted to move from K-Line to
CAN bus it would take no time, it would be changing the hardware and changing the structure,
CAN bus works on SPI but not really a big deal. What did we know about ECU? We know
they are in cars, and once I decided to start with it I had two options. One was to do some
research and navigate through the technical information, or hook the logic analyzer. We
decided to go 50/50 to make it not too interesting either way.
So that's what we found. After a little bit of research they are responsible for the engine
management ‑‑ engine is ECU, not all, we have locks ECUs, many others, but this
is the engine ones. This is stored and they hold the immobilizer routine and they contain and
determine the way the car behaves. So the hardware which is the ECU itself the
physical thing is composed of internal and external flash. Internal flash is most of
the times OTP, it's not accessible, normally, from the outside. It has internal ‑‑
external most of the times as well and it's like something when you try to hope it you
start to hate it, it sucks. You have to deal with it anyway, so. As I said we attached
the logic analyzer and we saw this stuff. This is exactly from an EDC15, this is one
of the first ones we will talk about, the first part is the wake-up pattern, the address
for the control module which is 01. Then we request the speed to support the bus, and
then we change the speed to higher, because you start at 10,400, you do authentication,
you set address ‑‑ actually, you have to send EDC15 you have to send a loader, on
16 you don't have to do that, but I will talk about 245 later.
The fourth part is sending the loader plus operations. Of course I was ignorant about
this, I said "man this is easy" it didn't work. It wasn't that easy. So after research
what did I found? Actually we just noticed that there was an authentication that was
not static. That's why it didn't work. So it's called an algorithm. The ECU acts as a
server so you request authorization, the ECU will send you a seed, you will have to do
some maps, it will send the result and that's called the "key" and there you go. That's
it. It has checks to check the integrity of the data that you are uploading. When you
download it already has checks so you don't need to check anything, so on EDC15 it requires
a loader as I was saying. For the operations it's usually an assembler, and it has internal
flash. On we have this algorithm, as well, but it is just one level, you send the loader
and do the operations with that loader. Here we have level 3, which is pretty easy, the
challenge is just to a number, and we have level 2 can, which is operations and level
1 is to write the flash of the device which is a little more complicated but it's like
EDC 15 they didn't change at all, you know, just small things. We have RSA encryption,
when you want to download from an EDC 16 it's plain, it's binary, you can put it into IDA
or your favorite tool no problem, easy. But when you want to upload it of course you need
to have the check zones, like you did earlier but it RSA encrypted and it needs to be in
blocks of 256 kilobytes, in this case, whatever you want to upload it must be encrypted in
blocks of 256 kilobytes. Well, how did we do it? My wife helped me
a little bit! Why is this interesting? Well, I think we all want to save a few bucks so
if you want your car to have more mileage per gallon, that's good. The difference between
most cars, like for example my own cars, I have a Cooper 1 which is 167 horse power,
I modified and now it's 210 horse power. It's easy, free, that's good!
It's cool, inexpensive to do it. At first, I started with EDC 15 was the ECU in my car
and my friend's car and I developed the whole thing it was 1,800 lines of code, and then
I wanted to start reversing for EDC16 and I had to start from scratch so I go to different
binaries, one for EDC16 which is the same even though the processor is different. This
is the first point I had to be really careful code it go due the two limitations of the
NCU itself. We're actually working now on externalizing. For example, I coded it and
we thought it would be better to externalize it and bring the binary out and by making
it with modules, the processors, we can make a universal firmware so we don't need to update
every time we want to support new ECUs and that's what we are working on now.
This is how an EDC15 board looks like, as I said, it has an external, and the external
flash and the ECUs. This is a little bit of code from the EDC15 authentication,
the key. The algorithm is static but, for example, here I have an EDC15P. This has one
set of keys. Even though the algorithm is the same for all the EDC15 family. If we get
an EDC15V, the keys change and the VM the keys have different so we would need to construct
the keys for every single ECU. But that's not a hard task, it can be done with brute
force and some power tricks. Because at times you have done a wrong log-in, but you can
glitch it to forget about it or, you know, try something else. This is the EDC16, in
this case it's internal and there are variants which have an external EEPROM.
The ECU is stored internally, this is the algorithm, we have external flash and a port
which is BDM, bench diagnostics mode. Here we have part of the code for the level 1 authentication
for EDC16 as well. Just like it happened on EDC15 for example, we have an EDC CP34, it's
a different model, the 16, the algorithm will be the same the key will be different and
we can do this exactly the same way to create the keys for it. This is level 3 authentication,
that's, as I said, the ECU, since you challenge, you add that ‑‑ I don't remember what
number is it? 2FC9X, you assemble that number and you got it. That's how much they brainstormed
for this. Here we can see an example of our encryption, in EDC16. On the first part the
top is the binary so I just brought out this red square, so you can see the read‑out.
The next one the data is the same, it has no encryption, nothing, then part 3 is the
write out, what you are writing this data down here even though it's completely different
it's the same it's just encrypted. So that's how it looks. It looks different.
How did we handle it? RSA encryption in the tool. Well, same instructions, we didn't really
want to the ‑‑ you will see it. It takes approximately 10 seconds to code 512 kilobytes
the map for chip tuning, that's the size and we do it before the ECU in it because it takes
10 seconds and that was a time out in communication with the ECU if we first check if it's there
and we cannot afford to lose communication due to the speed. Of course the check is calculated
at the same time and it is calculated for the nonencrypted file not for the encrypted
one so we do things at the same time, encryption and check. This is small part it was for four
pages, showing the first one for the EDC16 encryption algorithm. So we can see that's
the kind of operations ‑‑ >> ALBERTO: Yeah, like he told you, his wife
helped him to do that so that's, you know, you know his wife is a ***! With everyone! Sorry!
>> JAVIER: This is assembler. This is not a new thing, chip tuning, you can get tool
for that. These are the prices. I consider that expensive, I don't know about you. This
is what our tool costs. It's cheaper. (Applause.) Thanks. This is how it looks, it's fancy,
it has mustaches, and it's portable you don't need the laptop at all. It doesn't work so
don't worry! (Laughter.) I will be releasing the code soon, the schematics,
so this is Open Source you can do whatever you want on it. You are paying $26 for the
stuff you will be able to tweak. So I think it's worth, I'm paying like $500 for a closed
tool. These are the features for our tool. It is not locked to a single vehicle, there
are other stand‑alone tools there that require no computer but you are paying like $1,000
to be able to use it on your own car. I don't believe in that. It doesn't store encrypted
files, I don't want you to need to use my tool, you can use whatever you want. Download
it with my tool or with any other tool. It does not use a master slave, which is encrypted,
and as I said, Open Source so you can add support for whatever you want. Any other models,
diagnostics, there will be some cool stuff coming.
This is the lower interface. We can see they are doing a Mini Pro that is his on the left,
on the bottom level is the shifter. Sorry. This is just a regulator and a 7805 to get
the 5 volts out of the 12 and this is an SD card, this is the LCD I2C and I think you can
see it's homemade. This is a very cute eagle interface board,
just the same hardware. This part is on RJ45 connector so you can get the thought of how
tiny it is and it has FTDI already embedded in and you can update it whatever, straight
off.
>> ALBERTO: The thing is that is homemade,
the thing that you saw before this is homemade. If you want to do it better with this board
it's much more than this, okay, this is just a case to haul all the things that he told
you, okay? But this thing maybe just ‑‑ maybe like a ‑‑
>> JAVIER: A quarter size of this.
>> ALBERTO: So smaller and the thing of the
smaller side is interesting because we are speaking later about what evil things we can
do with this thing, okay? So that's not ‑‑ okay.
>> JAVIER: We're so evil! Here is an example of how to make it wireless. This is just the
same thing but with it is the serial console but without the Bluetooth it's $1 and we
can control it with our Android phone so it's wireless and it's cheap.
Some examples of this, like I was saying, we can mold it to have less ‑‑ more mileage
per gallon, how to bypass immobilizer, is just a process, it's 2 bytes. The loader is
embedded for reading and writing, so you click a button and it's done and of course you can
later enable it. This car is fun, you connect to the tool and when it's in the middle of
the writing process you pull the cable, so it's *** up, no check, no anything (Laughter.)
You've got an expensive piece of metal, but later on you can still recover it, not everything
is lost. There are recovery processes for it, by the diagnostics part you don't need
to pull the ‑‑ off the car and it will eventually work again.
>> ALBERTO: But it's funny for a joke!
>> JAVIER: When he finds out his car isn't
working it's so funny! Yeah! (Laughter.) An example ‑‑ well, you know, we can
have any interface, 3G, wifi, Bluetooth as we saw with the phone and, well, we can disable
a car, we could eventually it is not yet implemented that is completely different, we could control
a car with this device as well with other firmware, we could disable or start modules,
functions, like turn on the air conditioner and make whoever get a really bad cold, you know?
(Laughter.) He couldn't be able to disable, it would be
terrible. Now, we're going to do a demo on the EDC16. It will be console but we will
be able to see the process. I'm going to show ‑‑ because you cannot see it from there but I'm
going to explain what we have here. We have an EDC16 connected and a Mega 2560 and we
have normal $10 diagnostics cable. So what did they do here? Wired up the level shifter
up to the ECU so we are going to send commands to read the information and read the flash
and to write ‑‑ we're actually going to kill the ECU, revive it again and read
the info after that. So let's get to it.
>> ALBERTO: Yeah.
>> JAVIER: Okay. So let's see if it works! We're going to read the info first. We can
see that's fast. It doesn't take too much time. Here we have the information, the software
version, the engine ‑‑ this is for a Volkswagen Passat, where it is not connected
to a chassis, but the inside is all around the K‑Line bus, so we can get the number,
the chassis number and now we're going to read the external flash, it will take a while.
Meanwhile, what can I say about this? It's fancy, I like flashing here, it's a pity you
cannot see it flashing. (Laughter.) Well, actually, when it was reversing the
protocol, I noticed that there were huge time gaps, you know, this is based on packets.
So between each packet is bytes, of course, and between byte there was time ‑‑ I
don't know how to explain ‑‑ a delay. After testing I realized it wasn't necessary
so I speed it up. We changed protocol, made it faster, works
25% faster than the original tool on EDC16 and it works 400 times percent faster, on
EDC15 so they didn't brainstorm too much about that, anyway.
I will not show that at this time because we are running low on time so now we are going
to kill the ECU. Now it's processing the RSA.
>> ALBERTO: You have to believe that, but
we are going to show the logical analyzer after that, okay, a capture of the analyzer.
>> JAVIER: We will show another logic analyzer capture so you can see what is going on.
>> ALBERTO: Obviously we are running out of time.
>> JAVIER: So we got to be faster now. So what we are going to do to kill ‑‑ since
we have no cable to plug we're going to start writing, we're going to send just one packet
of data, then we are going to stop communicating with the ECU. So now it's deactivated. I need
to power cycle it once again. Now we are going to try to read the information.
Of course since it's disabled it won't be replying. So we got no response it's disabled,
just a piece of junk right now. But now we are going to make it work again! Should be fast! Things so slow, it's an AVR processor.
With two kilobytes of RAM, it takes a while. Now actually you will to revive it since we
screwed up the flash, we erased the flash, we started to write, so checks and swearing,
correct, so now to fix it we need to write the whole flash again. We are writing what
we read out the first time. As I said, RSA encryption here is provided in blocks of 256
kilobytes, this is the first block, now we're starting with the second block. Since we are
running out of time we will go now on with the other things. If there is enough time
we will show the logic analyzer, it will be fast. Showing out ‑‑ maybe while it's
writing we can show ‑‑ okay, I'll show ‑‑ this is the key, this buckets ‑‑ this
is so small, the address, the target address, the source address, this is our request, now
27 means we want to have security access. We are send this gone packet, now this is
the level, level 01 which is to write, so the ECU will reply. With a 6701 means okay
I will send you the challenge. So here we have, for example, 86, 58, 86, that will be
the seed. For the challenge. Now we will process this and we should send ‑‑ okay, 2702
we must add 1 to the security level we requested and these are just 4 bytes, this one here.
Then if we succeed it will reply with 67. If we fail it will reply 7F. Which means "denied."
When writing we can see this is a huge block here, then we stop with the letter second
block, we write the second block and then we are done, that's the writing response.
One second I need to power cycle it. We are going to read info again to see it works.
So, again, it's alive! After killing it! (Laughter.) So now ‑‑ it works!
>> ALBERTO: Wait. It's not connected. It's fast as light but it's not connected so you
didn't see the joke! >> JAVIER: Windows.
>> ALBERTO: It was a joke, Spanish. Anyway. So I have only like 10 minutes so I'm going
to go fast. What happens in an accident, the police usually
look at the marks in the floor with the accident happens and they look at the condition of
the car to figure out the speed and things that happen but the IT guys we have a cooler
way to know exactly the parameter of the accident. In all the cars, our cars, we have a black
box, same as in a plane. The only difference is it doesn't record sound so don't worry
if you speak dirty things or whatever, it's not storing that. So it stores information
before and after the crash, it is interesting because even after the crash there is memory
that stores information. So we can have more information about the accident itself.
So that's information like I told you at the beginning this is related with the speed,
the most important, the RPM, brake, and depends on the plan, the plan that have made in the
ECU but there is other information stored in the ECU. This information is stored in
the airbag ECU, okay, most of the time. So we have to take this part of the car, this
ECU is similar, it's just a little smaller than. Okay? It's stored in the EEPROM memory,
it's nonvolatile, so we can get access to the data after the crash, okay? It's great
for that. There is hardware and software that is outside
and you can use it but the thing is this talk is about how to make a thing that cost only
$25 instead of $1,000 and in that case even the tools used to get information are more
expensive than to modify the ECUs. So the cool thing is we did something to the poor
people. Yeah, we are speaking all the time about 5 minutes okay. We are speaking all
the time about the ECUs, okay? There are different ways to track information from an ECU after
crash. The first of all is to connect into the OBD, it is the port behind the wheel in
the car and we can access information. Not all the time because in some crashes, the
car is completely ***, so ‑‑ what? So there is the ‑‑ the connection is
lost so we can't retrieve information. The other way is to connect directly to the ECU
and get information so for that we need authentication, maybe it's not a strong authentication, but
it is an authentication anyway. Finally we have the fancy way, directly with the EEPROM
memory. I said all the information is in the EEPROM so we can read it, okay? Yes, it's hardware
more than software, I'm a software guy maybe it's more difficult but for these people hardware
is like eating ice cream. This is the first one, behind the wheel, so
this is the first way, this is the other way, connecting directly to the ECU to get information
and the last way is this is from the EEPROM memory this is the size of the EEPROM you can
see it in the fingers, it's very small but we can do it, we can do it.
This is the hardware I told you before, hardware and software, okay, the hardware is like no
hardware because it doesn't do almost anything but, anyway, and the software, the real important
part of this kit. The premium tool our kit costs almost $9,000, yeah, I'm not going to
pay for that! What about the poor guys? What about people
like me that have just ended school and University and these kinds of things and we don't have
money. The software that is for me, the important part is you can access to it for free, okay?
Free software. The code of the data, because this is important information and we have
to parse this information to know, okay, from the bytes 11 to 40 is the speed and from bytes
whatever to whatever is whatever. So we have to parse it. So, yeah, we can ‑‑ his
wife is ‑‑ I sleep with his wife once too. (Laughter.)
Sorry, man! Okay. Other thing, this tool this are supported, okay, so there are very cool
brands that are supported to do this. Did you miss something? It's not interlaced, so
what happened? One time a client contacted us to do a forensic job on a car and the car
was a Mercedes, so we said one, maybe two ‑‑ okay, one. We said what are we going to do?
So what do we do? First of all we read the EEPROM, okay, soldering, to the EEPROM, and
we read the parts of the binary, so we erased one copy of this binary and make a ‑‑
okay? So when you parse will modify after the crash so it's a good point of start, okay?
So the next step was already filter it, the information, we only have the information,
only have the parts of the ECU, okay, I'm going. One minute. Half! (Laughter.)
Okay. We just ‑‑ it's the software to bring the graphics to bring ‑‑ the difference
in the graphics between the crescent and the crescent, okay, so the speed will be in the
crash, the crescent, right, if you crash you stop ‑‑ yeah, the speed is the crescent.
So we found this. Okay? You can see. After looking at it a lot we found this graphic
that gives us information in our research so we had ‑‑ anyway, so we are running
out of time. We want to say thank you to you! (Applause.)
Like always, to our family and friends, and all those who want to understand how and why
things work, thank you very much! (Applause.)