[33c3 intro music]

Herald: Let me present Felix Domke with "Software Defined Emissions: A Hacker's Review of Dieselgate".

[applause]

Felix Domke: Yeah, hey everyone. Thank you for coming here. I saw there are a lot of interesting talks at the same time in the other rooms, so thank you for coming here and listening to me about software-defined emissions. "A Hacker's Review of Dieselgate" is the subtitle. I'm Felix Domke. I usually do embedded software, mainly security. I'm definitely not into cars, and definitely not into things that have combustion thingies, so I only got dragged into car software last year, when my own Volkswagen car was accused of cheating and I wanted to know what exactly was going on. I gave a talk last year about some of the details of the Volkswagen Sharan defeat device; for the details you can take a look at that talk. This time I want to look more at the process of finding or analyzing car software, and I want to look at whether this process scales to more cars.

The first step when you have a piece of software that does not always do what people think it does is, well, to obtain a firmware image, a binary image of the firmware. In the case of my car I knew it was a Bosch EDC17, which is a Bosch ECU that a lot of cars use, including my Volkswagen. So, I didn't know anything about ECUs, dumping software and so on, so I asked Google, "Hey, what do I need to do to dump an EDC17?", and Google had a lot of answers for this, but usually those were people who wanted to sell me some device. Those were chip tuners who built their own devices where you can plug in the ECU and then it extracts the image, usually by exploiting some bugs in the software. But I didn't really want to buy something, and it takes a lot of time until I get it in my hands. I wanted to start. So I was looking to do this on my own.
What these sites usually tell you without paying is how you wire up your given ECU for their device, so they tell you where to connect 12 volts, where to connect the CAN bus, which is the serial communication bus that the ECU uses to communicate with the rest of the car's devices. Usually it's pretty easy. When analyzing an ECU it makes a lot of sense to reproduce the scenario on your desk and not in your car, so in order to make an ECU boot all you need is ground, 12 volts, and there's usually an ignition pin that you also have to supply 12 volts to, and then it boots. So on my desk it looked something like this, and once we have the setup we can boot the ECU, we can use Python to talk to the ECU, which is great, we can use SocketCAN, which is the Linux CAN support, which is really great, and we can even use MicroPython if we want to have a smaller device that we can put in a car. So we can talk with the ECU.

For talking with the ECU in modern cars, there's a protocol called UDS. Basically, and I've simplified this slightly, you can ask the ECU, "Hey, I want to read memory by address," you give it an address and you ask it to read four bytes, in this case, at that address, and then it returns them to you. So I thought, "Hey, maybe I can use this to dump the software." In my case the device responds with "Security Access Denied", so I looked into what I need to do. You actually have to do a Security Access command. You send a command that's called Request Seed, you get back basically a 32-bit random number, and then what you have to do is process this seed through a super-secret function and return it in a response call. The question is, how do we know this super-secret function? There are multiple methods. We can look at the ECU software itself, if the algorithm is in there, to verify it. We can reverse diagnostic software that uses this mechanism.
So, for example, the Volkswagen software they use for car shops, or maybe someone else already reversed this and put it in their own tools, which may be easier to get it from, in terms of third-party diagnostic software. And in the case of my Bosch ECU, the super-secret function was this: I basically had to add this number to it. The mechanism is called "pin code". It's in... I mean, it's not super secret. Anyway, once I know this...

[applause]

Yeah, thank you. I mean, once you do this, you send back the result and, hey, then you can read... you can send the read command again and, hey, you're getting back data. So this is great, right? We can read memory at runtime of the ECU, and we can even do this while the car is operating. However, it turns out that for the Bosch ECU you can only dump specific regions. You can dump most of memory, some memory areas are excluded, but most of the interesting stuff you can read. But you can't read any code. You cannot read anything in flash. But we are hackers, of course, so we find a way.

The CPU used in these ECUs is an Infineon TriCore CPU, at least this particular one was used in the ECU I cared about, and the security model for this chip is that you can always enter a specific bootloader mode and execute your own code. So you strap a few lines, and the chip tuners tell you that, right, they tell you what's high and low, which pins you have to connect to ground and 3.3 volts, and then it enters this bootloader mode and you can upload some piece of code. However, you can't read the flash, because the flash is locked. When you start in bootloader mode, the flash is not readable until you write a specific password to a register. That was not so great, so I looked into what else I could do. The datasheet is very specific on how to operate this chip. For example, there's this one flash supply pin.
So, even though the flash is in the same package as the rest of the CPU, it has a dedicated supply pin, and the datasheet tells you which parameters not to exceed to ensure correct operation. But I really don't want the correct operation, which in this case is preventing me from dumping the flash. So, what can we do? We can violate the requirements. The requirement is 3.3 volts; let's see what happens outside of that range. And it turns out that down to a certain voltage level, roughly 1.6 volts, everything just works as normal. That doesn't help us. And below that voltage the device hangs in the bootloader, so that doesn't help us either. The interesting parts happened when you are at one very specific voltage level, and this is a little bit unscientific, because it's really just the voltage level I tried. Most of the time the device comes up and flash is protected, and the remaining times the device comes up and hangs in the bootloader. But one in ten times something interesting happened: the device came up and the flash was not protected, so I could dump it out.

[applause]

So, having the image now in my hands, I could start actually reversing the defeat device, and what I found was (I don't want to duplicate a lot of what I talked about in the last talk) a function called "acoustic function", or "Akustikfunktion" in German. It's a function that senses vehicle speed, the duration of the engine operation, and some other things, and then controls emission-related functionality. In short, you can say that this is the test cycle detection that enables the defeat device. And I verified it to exist on my Sharan by driving through the test cycle and logging data. And during the last year I verified that it's actually the same defeat device, more or less, that exists on a lot of other Volkswagen cars. All these Volkswagen defeat devices that we talked about for the Euro 5 cars use more or less the same acoustic function.
Basically, to remind you, there are a few curves stored in the software that look like this. This is the NEDC. This is the test cycle you have to drive a car through. They exactly define how fast you have to drive for a given time in seconds, so it's speed over time. If we draw this as distance over time, it looks like this. So this is the distance you got. You're not really moving the car, because you're doing this in a lab on a dynamometer, but this is what the car thinks it has moved, and if we overlay this with the curves we found in the software there's a perfect match. So this is the way they describe the test cycle. So this was for my Sharan.

So I looked into what the other cars do, especially what the cars in North America do, because they're not using the NEDC. And I found something interesting, or rather someone sent an interesting document to me, and that was this. It was an emission service action. It basically describes how there was a recall for some vehicles that required a software update in the shop. So this is basically the document that informs the car shop what they have to do, and it had something very interesting in it. By the way, this was in December 2014, so this was way before the whole Dieselgate was public, but this was already while the EPA was talking with Volkswagen, already demanding explanations. All that investigation was already proceeding. Volkswagen knew about this, that people had figured out about the defeat device, and the document had something very interesting in it. It said, "in addition, the vehicle's engine management software had been improved to ensure the vehicle's tailpipe emissions are optimized and operating efficiently." That sounds really fishy to me, so I was curious: what exactly did they change in the software update?
And luckily they tell you the old and the new software versions, and you can then go and look them up on a firmware DVD that you can download from the Volkswagen website, and it turned out that it's ECU software similar to the Bosch ECU software I looked at before. So there's an acoustic function again, and the curves stored there match the US test cycles. This is one of them. There are many more test cycles in the US, so there's another curve that matches this, and this is the curve stored in the software and this is the corresponding test cycle. And there are a lot of them. But I noticed something really interesting: some of the curves were much wider open than the other ones. So for example this one... there's really a nonzero probability that if you just have your morning commute through, I don't know, some streets or something, you accidentally match this driving cycle every time you start driving in the morning. So the car would, every time you drive this, think it is in test cycle mode and would operate in the optimized emission mode, and apparently this caused problems. And what I saw, what Volkswagen added in the software that was part of this recall, was this function. So this is from a disassembly. In pseudocode, it's this. They started looking at the steering wheel angle, and if they figured out that you moved the steering wheel, then they ignored the curves, the more open curves. So the idea is, "Yeah, if you move the steering wheel, you're definitely not in a test cycle, so at that point we do not try to operate in this emission-optimized mode."
And it's a little bit of speculation, but it matches up pretty well with all the facts that I read, that because those cars operated in the test cycle mode too often, that eventually caused the particulate filters to clog, and Volkswagen's solution, and again, this was while they were already being investigated by the EPA, was to add the steering wheel angle detection. For more details: I worked on this with the NDR, and they produced a feature on that, so there are some more details there.

So this is Volkswagen, but there are more cars, and if we look at this... this is a meta-study based on something the Ministry of Transport did. They tested a lot of diesel cars, and what they found was this. This is actually a representation by the ICCT. So the orange line is the emission limit, and the bars have an upper and lower end, and the lower end is how much emissions the cars have, just for nitrogen oxides, for NOx emissions, in the lab, when you're driving the test cycle. And you can see all of these cars managed to stay under the orange line, so they get their certification, but when driving them on a real street they produce the emissions corresponding to the upper end of that bar, which is for some cars significantly higher. It's off by a factor of 10 and more when you're driving the car on a street. And this is interesting, because the cars can meet the emission goals. The question is, why don't they always meet the emission goals? Why do they operate so differently in the test cycle than on the street? And I'll try to give you a partial answer.

Let's look at how a car can optimize emissions. The first thing they do... so this is a very simplified diesel engine. So fresh air goes in, fuel goes out, and there's an exhaust pipe, right? And a lot of nitrogen oxide, a lot of NOx, goes out as well, and we don't want that. So we add an EGR valve, which is basically a valve that causes a part...
a fraction of the outgoing air to recirculate again through the engine and burn again. And what this causes is that the flame temperature goes down, and if we look at the relationship, it's very simplified here, but with a lower flame temperature you get lower NOx concentrations, so you improve emissions by lowering the flame temperature. However, at the same time you're increasing the soot level, or the particulate matter, and there is this trade-off: if you do too much EGR, too much exhaust gas recirculation, you're getting too much soot, and on the other hand, if you do too little, you get too much NOx. So you can argue that the green area isn't really great, because there's no point where both of them are great. And here we see the result of a clogged EGR valve. If there's too much soot it will clog. EGR, in conclusion, is the least-cost solution. It doesn't really work at higher loads. It works at low loads, and it does not require high exhaust temperatures, which is great, but excessive use of it clogs particulate filters, affects the combustion, the drivability goes down, and there are trade-offs with this. It's also not very useful for higher engine loads; for example, when you're accelerating you have to disable EGR at high speeds.

So a better method, that was added on top of this, is called "selective catalytic reduction". I am... so, basically the idea is you have an SCR catalyst in your exhaust pipe (there are more catalysts there, but let's talk about NOx), and in there, this happens. We can simplify this somehow and say if you put ammonia into this catalyst, the NOx is converted to nitrogen and water. And nitrogen and water is great, it's harmless. It's already part of the air. The only issue is that ammonia is this, and this is not something you want the driver to refill in your car. So instead the solution is that we can create ammonia in the car from something that's less dangerous, and we have the reaction there.
We can simplify this again and say we take urea ("Harnstoff" in German) and heat, and we create ammonia. Urea, or urea solution, is this. It's called AdBlue or DEF, diesel exhaust fluid. It's not dangerous. You can buy it, you can transport it, it's relatively cheap. The idea is, we have this reaction, it requires ammonia in the catalyst, and we put AdBlue, or urea, into it, and using the heat that we have from the exhaust pipe we create the ammonia that we need to reduce the nitrogen oxides back to nitrogen and water. There's a great property of this: some of the ammonia that's produced in the catalyst stays there until it's used up, so there's some storage there. So the requirement for creating ammonia is heat, and if you don't have heat, for example because you just started up your engine, but there is still ammonia from the last usage in your catalyst, you can still use that, and use that up, and by the time you have used it up, maybe the heat is enough to supply more AdBlue and then fill up that storage. The downside is you need a pump to dose the AdBlue, and you need lots of software to control this process. And you need a heater, because the AdBlue freezes at some point, and it's an expensive solution. It adds roughly $500 to a car, which can be a significant amount of money for a small car, and it requires a large AdBlue tank for long service intervals, so you don't have to refill it every few thousand kilometers or something. The great thing about SCR is that it's efficient at higher loads.

There's a third method called LNT, Lean NOx Trap. It's cheaper than SCR for smaller engines, it doesn't require anything, however the bad thing is it requires frequent regeneration, which decreases fuel efficiency, so it's kind of a stop-gap solution. And it's not efficient for continuous high engine load; for example, if you're driving on the German Autobahn at full speed, then LNT is not going to help you much.
For the sake of this talk, let's keep in mind that EGR is exhaust gas recirculation, that's the thing that operates within the engine, and then we have SCR, selective catalytic reduction, that uses AdBlue and is after the engine. We also saw that all these technologies have significant trade-offs for NOx compliance, so we can kind of see the motivation for a defeat device here, because it would be the solution to all of these trade-offs. You get no downsides during regular driving, because nobody can measure your emissions, while maintaining conformance, because during a test cycle you have perfect emissions. That kind of explains why there are defeat devices.

OK, let's get back to the bigger picture and see what other cars do. So this is an Opel car, it's a Zafira, it's a Euro 6 car, it's a pretty modern car, it has an SCR catalyst. In theory it should have really great, low emissions, especially at higher speeds, because that's what SCR is good at. But quite surprisingly it doesn't. If we look again at this report, we can see that this Zafira exceeds the limit by up to 12x compared to the Euro 6 limit. This is especially interesting because there's this Opel advertisement where they advertise their diesel technology, applying to the Insignia and the Zafira, and they say a lot of diesel fun without regrets, the new diesel generation of Opel achieves best emission values and gasoline levels. Yeah, after they got sued for this they had to change it slightly, and they had to add this to the sentence.

[scattered laughter]

So, during this testing, they had these 12x emission limits. For example, one particular test was to drive the test cycle in the same way, but at a different temperature, at 10°C, and the car exceeded the values by a factor of 6, even though the car would be operated in the very same way. It was just that the ambient air temperature was 10°C instead of 25.
So they asked Opel why this was the case during their investigation, and Opel responded, saying that the EGR and the SCR injection work to the full extent in the temperature range of 20 to 30°C. It's what they call "normal use". So our question was, is it really just the temperature window? So we got a car and investigated. The ECU in that car is a General Motors ECU. It's developed in-house; Opel is a GM daughter company. It uses an automotive PowerPC, yay PowerPC! It uses a somewhat obscure variable-length instruction extension to PowerPC.

So how do we start? Again, we need a firmware image. So let's ask the Internet, "How do I dump this ECU?" Luckily, someone in some chip tuning forum had already uploaded their stock ECU, meaning what they dumped from their ECU using some chip tuning tool. It's not the same ECU, but it's very similar, and I hoped they shared some code so I could analyze the software and maybe find a way to dump it. So the dump was made with this tool, and the tool did not let me export the binary. And the tool is free, however to use any of the features in that software you have to buy their expensive hardware, which then connects to the car, which I didn't want. This is what their software looks like. I loaded the image I found on the internet, and I couldn't save it or anything without having the device attached. However, I can just use a memory debugger and dump it from the address space, and that gave me a first firmware image to start with. I threw it in a disassembler and I found the UDS function and, yeah, it implements read memory by address, so that's good. Most of the RAM was readable without a security challenge. That is good, so I didn't even need a security challenge to read RAM. However, the flash is readable, but only with the security challenge. So let's take a look at the security challenge. Maybe it's as simple as the Bosch one.
So their way of doing this is, they store a 16-bit input and output value in the firmware, and it's different for every device, and they don't store the algorithm to compute the output from the input, instead they just store the pair. And, well, it's just 16 bits, right, so let's brute force it. The issue is, you can only try every 15 seconds, so it's kind of lame. The question is, how do the GM tools, the original factory tools, get access to that? Luckily, chip tuners had reversed that and then obfuscated it into their own tools. But that can be de-obfuscated, and eventually it's just a little bit of bit shifting, so that was easy to fix. And also the GM repair manuals tell you how to wire up the ECU. They tell you where to put 12 volts, the CAN bus again, and ground, and the ignition pin, and with all of that in place, I can do the security challenge. I can now read all of flash memory and read the four megabytes of PowerPC code, which mostly consists of mathematical functions. There are no strings or anything; it's really hard to find out what a function does. There are thousands of variables. It's really hard to find out what they mean, right, so I need to know some entry points, some known data values, and then I could refer to... one thing I could find are real-world constants. For example, there's the density of diesel fuel stored, which allows me to understand that this is something related to fuel, an amount of fuel. Or, more useful, are the OBD2 calls. So there are some standardized things you can ask an ECU, that's engine RPM, vehicle speed, and things like that, and I could find that table in the firmware, and then I had a first start of things like RPM, speed, and so on. That was a good start. It's not much more than what you can see here. So there's a lot of stuff not included in these.
The next thing I did was, I drove the car for a few weeks and I left a device attached that would constantly log all memory using the read-by-address thing, and every few minutes I would get one memory dump, basically. It's a few hundred kilobytes of RAM, and then I put this into my disassembly, and that allowed me to understand more of what individual variables do there. And I found some interesting things. So one of the first things I found was basically something that resembles this. So there was something that looked at the ambient temperature, and this basically checks for a range, right, and this was for controlling the SCR systems. And it's interesting to know that the NEDC requires the temperature to be between 20 and 30°C, and this is right centered around this, when they check from 17.5 to 33°C. But this was of course nothing new. I found something similar, however, another temperature check. And as you can see it's written in a different way. It effectively achieves the same thing, but it's a separate piece of code, and this time it was for the EGR system. So we have these two exhaust treatment or optimization mechanisms, EGR and SCR, and they don't share code. They have their own temperature window. So we found the temperature window, which was known to exist. The question was, is there more? And one thing we found was this: it's basically reading the vehicle speed and comparing it to a fixed number, and it turned out it's something like this. So it would check the vehicle speed, and if it's above 145 km/h it would set a flag, and then under 140 it would clear it. Keep in mind that the NEDC maximum speed is 120 km/h, so during a test cycle that would never happen.
So let's see if this, what we found in software, really translates to something the car does in the real world. It's getting slightly technical here, I apologize, but we need to log some variables. A useful value to know is how much NOx there is after the engine and after the SCR catalyst, and luckily there are two NOx sensors in the car, one before and one after the catalyst, and they give you basically the NOx concentration in ppm. So we log that, and we also log the signal of how much AdBlue is dosed into the system, and we log the catalyst temperature. And one thing to keep in mind is that there's also this amount of ammonia that's stored in the catalyst. We don't have this as a value, but just keep this in mind.

And this is how we've driven the car. The blue line is the vehicle speed. You can see that it goes from 0 to 150 km/h, and the critical point here is the 145 km/h that we found in the firmware. The green one is the catalyst temperature, which we see between ambient level and then up to 380 degrees. The critical point here is 200 degrees Celsius, where this urea-to-ammonia process starts to work. We logged something that is the SCR strategy. So it turns out there are multiple ways the ECU computes how much AdBlue to dose, and I call them strategies. So 0 means off, no AdBlue is dosed. 1 means the regular way, that takes into account the storage mechanism, and then 2 is a special reduced way. And then we also log the actual dosing value. And then we also had the sensor data from between the engine and the catalyst, and between the catalyst and the exhaust. The first thing that happens... or, actually, nothing happens until the point where we reach 200°C at the catalyst. Until that point, as I said, the required temperature does not allow AdBlue dosing, and then it starts dosing quite a lot of AdBlue.
But then, when we cross the 145 km/h, the SCR strategy changes, and no further AdBlue is dosed until basically this point, and this point is exactly 120 seconds after we go lower than 140 km/h. So this matches what we found in the software, right? This was what we found in the software. So we can see that this was actually true. This is real behavior of the ECU. And to look at the effect of this, you have to check the difference between the blue and the green line in the lower diagram, which is basically the amount of NOx that is removed by the SCR catalyst. And you can see that during the regular operation quite a lot of NOx is removed. The blue line goes up because we're driving faster and faster, and the green line goes down almost to zero, and this works for quite a while, and it even keeps working a while until the catalyst runs out of ammonia, and then it would need more AdBlue to operate, but because we're in the reduced mode it does not put any more AdBlue into the system. So the SCR basically stops working, and the emission levels reach the engine emissions. So, no further... the SCR system does not work in this red area. And here we see this again, so here are the sequences of active dosing. Here we see where the catalyst temperature is too low for dosing. We see the regular operation. We see where it's still working, because there's still ammonia stored, and then until we run out of ammonia and no refill happens, until exactly 120 seconds after going below 140 kilometers an hour. So our conclusion after this is that the SCR is programmed to stop working at 145 km/h. The efficiency goes to 0. Opel offered a hand-waving explanation, in one of the press releases, of why this is necessary. They argued with some physical details, and we presented these physical details to some experts, professors who have worked with combustion engines for a long time. Most of them disagree with these explanations, I mean, yeah.
But more importantly, other cars, including my Volkswagen Sharan, which is a Euro 5 car, so one generation older, and which is known to have a defeat device, perform significantly better than this car.

OK, we continue to look. We found something here that looks like this. There's a barometric pressure sensor that sends us the pressure of the air, and it compares it with a value, and if we look at how pressure is related to height, we see that what they check against is 91.5 kilopascals, which corresponds to 850 meters. And apparently Europe's highest test center is at 800 meters, which may be a coincidence or not. But above that point they reduce their SCR system as well. Now, the interesting thing is... yeah, barometric pressure is something very important for an ECU to know. There's a good reason to have the sensor for all of the combustion process. You need to know how much air there is. So for EGR it makes a lot of sense to have this, but for SCR, which is the system after the engine, no combustion is happening. We are not aware of any effect that the outside air pressure has on the SCR system, and also other SCR-equipped cars don't have this mechanism, so... for us it doesn't seem to be physically required.

So far we looked at SCR. Let's look at EGR. What we saw was, when we drove the car during the test cycle, so we put it in the lab and drove the test cycle, we consistently saw much higher EGR values, much higher compared to driving on the street, compared to all kinds of scenarios that we drove on the street. So a higher EGR value here means that the EGR valve that I showed you earlier is more open, more exhaust gas recirculates to the engine. It causes lower NOx emissions before the SCR catalyst, and we really were curious why the car behaved so differently when running on a street than when running in a test cycle.
And we already took into account temperature, so the temperature was not the issue anymore. And thankfully the car, when it computes the reason for reducing EGR, stores a reason in some variable that we can log, and it looks like this. There are a number of things that can happen that cause the ECU to switch to some low-EGR mode, and a few of them make sense, for example if something is broken, fault flags are set, or if, I don't know, the coolant temperature is out of range, it makes sense to just keep the device running at all cost. But when none of these reasons apply, the value stored is 2, and 2 basically means that the full EGR operation is used, so it's basically the NOx-optimized mode with the fewest emissions. And then we looked at some real-world driving; you can see this in the background, the vehicle speed is in the background, and we saw that... the red graph shows you the reason to go to this limited EGR mode, and what we saw is that most of the time the reason is 13 and only a few times it's 2, which means that it's not limited. And looking into this in more detail, we see it sometimes drops back to 2, to the unlimited mode, to the emission-optimized mode, but any acceleration, or almost any acceleration, switches it back to 13, and then it stays there for a long time. And 13, if we look it up, is what I call the load limit. And then, interestingly, if we run it through the NEDC, we never saw a 13. So the engine stays in mode 2 all the time, and 16 just means that the engine is off. But we never see 13. So this explains why the EGR values were so different in a test cycle. So, let's look into this load limit function that we found. It's basically defined by curves, by five curves. For every gear there's a curve, or for a bucket of gears. Basically, they look up the RPM, they get a value from that curve, and if you exceed that value, they switch to the reduced EGR mode.
What they compare this threshold with is the amount of fuel injected per cylinder per revolution, but you can also say this is torque, just with a constant factor. And then once you are outside of one of these curves, it switches to the non-optimized mode where it emits a lot more, and then you have to go back into the green area to switch back to the optimized mode. So let's see what this means in practice. So here we have a car, and the traffic light is red, so the car stops, and then the traffic light goes green and the car accelerates, and accelerates, and accelerates, gets faster and faster, and then it's at the highest speed here, and drives for a while. And this is a typical city cycle, this is there to... how you drive in a city, and then the next traffic light turns red and the car brakes and stops in front of the traffic light. Let's take a look at this again with one more variable, the RPM. We can see that when the car starts moving, the RPM goes up. And then at some point there is a drop in RPM, and this is because it's a manual transmission and the driver switched to the next gear. Now it's switched again to the next gear, and this causes the RPM to drop, but the speed to remain almost constant, and it drives for a long time in the same gear, and then the traffic light goes red, the driver presses the clutch, the engine goes back to idle state, there is no connection anymore between the engine and the wheels, and the car gets slower. OK, one more variable. It's the last one, I promise. It is torque. The engine power in kilowatts or something is not just a function of RPM, it's a function of RPM and torque. So RPM and torque together are very useful to characterize engine behavior. And a very good way to do this is to have a graph where we put RPM on the one axis and torque on the other axis, and then we draw this in two dimensions, and so we get this, basically. 
These are the operating points we go through when driving the cycle we saw. So the green dot here indicates where we are. And so we restart the car, the car accelerates, sorry, the car idles for a while, so the green dot stays there. It idles at around 800 RPM, almost no torque, because there's nothing to move, and then the driver accelerates and the torque goes up, the RPM goes up more slowly, and then at some point the driver presses the clutch, which disconnects the engine, the torque goes down, the RPM adjusts to the speed of the next gear, and then the driver releases the clutch and now the engine again has to move the car, so the torque goes up until reaching the highest RPM value, and then the driver again switches to the next gear, so the whole thing repeats, and then while the car is driving, the majority of the cycle, the engine spends in this one operating point. We're currently at 1800 RPM or something, and 80 Newton meters or so torque. And then at some point the driver presses the clutch, the engine goes back to idle and stays there, basically. So this is how you read this diagram. And now what we found in the firmware was that overlaid basically on this representation we see a mask, or a limit. If we go over this curve, those are the same curves that I showed you earlier, just laid on top of this. If we go over this curve, then we switch to the worse emission mode, we switch to the mode where the EGR value is limited. So we can see in our driving that this happens basically at this point, the point where the driver accelerates above a certain point, that causes it to go over the load limit and the engine basically switches or significantly reduces EGR. 
And that's fine because EGR doesn't work when you need a lot of engine power, so it makes sense that it's at that point, and what we would think is that it switches back once we leave this load envelope, once we go below the limit again, once we are inside the limit, we would expect the ECU to switch back to the full EGR operation. But what we see instead is that this does not happen, and the reason is that you don't have to go under the maximum, the load limit, you have to go into this green area. You have to go back to idling at a very low RPM to switch back to the full EGR mode, and this only happens at the very end, when the driving cycle is almost done, when the driver presses the clutch and lets the engine idle. So especially in this long sequence where the driver... the car was driving at the same speed, we were technically in... within the load limit, where we're not exceeding the load limit, but because we previously exceeded the load limit, and it doesn't matter for how long you exceeded it, and we did not go to the green area before, we were still in this low EGR, high emission mode, even though we're still within the load limit imposed by the software. So let's take a look at how often this actually happens in real-world data. So here's us driving through a city, and we can see we constantly exceed these load limits. And this is driving on the Autobahn, and yeah, we constantly exceed those. But they look interesting. They look as if they had been designed according to something, right, they have this specific form and it's not just... yeah, I... I don't know... and it turns out if you do something really strange, you can stay within these limits, so we tried that and we managed to stay within the limit by doing something, and we... it was reproducible, we could do this a lot of times, it would always stay in this limit, and the answer is: If you drive the test cycle you're staying in this limit. applause So yeah, these curves basically defined... 
they closely correlate to the limits that you need to pass the NEDC. Okay, to be clear, it is fully acceptable that the EGR rate is reduced when... for higher engine loads. It's natural, you have to do this. For example, when you accelerate the EGR rate will decrease, up to zero probably, when you do it... when you're running at high speeds, all of that is great. So this method of having a load limit... well, you can argue whether really having the load limit exactly where the NEDC is makes sense, but having a load limit is okay, right? However, what we think is not okay is that, if you only exceeded the limit once... um... you would stay in this high emissions mode for potentially a long time until you get back to low speed idle the next time. And we think that is the problem. We... so far this was all based on what we saw in the software, so let's see if this translates to something that happens in reality. So to repro this we... the car... drive at constantly... or we let it idle, then we accelerate it to 2,000 RPM, we let it drive there for a while, and then we quickly exceeded the load limit by going to 3,000 and then going back, and then after doing that we would again stay at 2,000 RPM. So it looks like this, and we would naturally expect the engine to operate in the same way on the left and on the right side because the engine is doing the same thing there, it's the same torque level, it's the same RPM, everything is the same. So we would expect the same emissions, right, um... and it turns out it isn't. And... this is a slightly convoluted diagram. So if you look at the green and red bars in the middle you can see what happens before and after exceeding the limit just once. And in the middle you can see the EGR position, the EGR valve position, and you can see that we get pretty high values between... 6... maybe 65 percent or something before exceeding the load limit once. 
And after we exceeded it once, even though the engine again is operating in the exact same operating point, we see much lower EGR valve positions, around 50% or something. And if we look at the bottom we see the engine NOx emissions, and we see that they are significantly higher on the right side than they are on the left side. So this... for me, this does not sound like this is truly optimized for emissions, because the engine is doing the same thing, in both cases the emissions should be low. So going back to this quote that it works, the EGR and SCR injection work to the full extent in a temperature range of 20 to 30°C. Okay, but what about the EGR load limit, and what about the barometric pressure limit for SCR, and what about the SCR speed limit? That would not be "to the full extent", right? And the Opel answer is really interesting. Of course, they denied doing a test cycle detection, they say they don't do that. And what they said is, when asked whether they lied to the KBA when saying that it works to the full extent, they said "The statement 'fully' was really related to the NEDC test schedule", right, which... it went on and further... the Opel CEO had to say this. He said: "The recent accusations based on the findings of hacker Mr. Felix Domke" - hey, that's me - "are misleading oversimplifications and misinterpretations of the complicated interrelationships of a modern emission control system of a diesel engine. Emission control devices are highly sophisticated integrated systems which cannot be broken down into isolated parameters." Especially not by a hacker, right? applause That was kind of funny. There was another funny thing. Sorry, I only have a German quote and I didn't want to translate it, but when Opel basically... 
they repeatedly say they don't have a cycle detection, right, and they say it's not a cycle detection because, if you use the car on the street in the same way as you would during the test cycle, the car would behave in the same way, so it's not..., right? applause ... and... okay. But what about Volkswagen, right, they have the same thing, if you drive the NEDC on the street the car will go to test mode, they have the same thing. I don't see how this does not represent a cycle detection. That was a lot of things to say about Opel, but on the bright side, they also said that they will - even though all that was incorrect, what we found - they said "We will further improve the efficiency of emissions aftertreatment of our SCR diesel engines and so on as far as the laws of physics allow. This includes a voluntary service action" - and this basically means a software update for your car - "for the cars that are already on the road, starting in June." So that is great. They're actually improving something. Question is in which year, because this statement is from May 2016 and it's not out yet, but... Opel actually provided a new software already in July, and I think they already worked on this for quite a while, and in July 16 the German KBA, the Kraftfahrtbundesamt, the Federal Motor Transport Authority, they are pretty nice actually, and they do know what they do, they are a bit limited by the resources they have, and by the manpower they have, but they know about cars and they know how to do these investigations. I mean, they're a little bit bound in what they should do and what they should not do, but they asked me to review a new ECU software that was given to them by Opel for the Zafira in question and the Insignia, which had a similar ECU, and I looked at that software, and I dumped the firmware, and I looked at basically all the code sequences that I looked at before, and I was positively surprised because they removed... 
they addressed each of our concerns. All of them, within the physical limitations of course. So they improved the temperature window and everything, so there was a significant improvement. They were able to improve the software, and they let the DUH, which is the German Environmental Aid, they used a PEMS system - PEMS is a portable emissions measurement system. It's something you put on the exhaust pipe of your car and then you can measure the exhaust during real-world driving, and Opel gave them a car with the new ECU software. Otherwise the car was identical to the old software, and the results are this, right, so on the left side you see the old software, that has all these things that we criticized, and on the right side you see the same car with the new ECU software, and it's significantly better. It's only slightly above the limit, right, but it's much better than before, and to put this in relation, before they were on the list pretty bad - so this is sorted from worst to best - so they are in the, well, upper half at least, and now they are almost one of the best cars, just by switching the ECU software. And I mean this is great news, right, they actually improved their cars. Let's just hope they get this out to the cars soon. Let's just hope it doesn't have side effects or something, but I'm sure Opel knows how to test for this. Going back to these, we worked on the Opel thing... I think the Opel case, it... once they actually upgrade the cars, and once the cars really show these great values that the preliminary software showed, I think we can close the Opel case, but there are a lot of other cars still to look at, and really, I mean... the effort to do this does not scale to so many cars, so we need to do something more fundamental to improve the situation. What I found out is that digital control systems are black boxes. The manufacturers have designed them to be black boxes. 
They even boast to you that there are 7,000 parameters in there and no hacker can understand this and it's a very sophisticated problem. They are designed to be black boxes, and this is not just true for Opel, this is true for all car manufacturers. Nobody wants anyone to look into their ECUs, and people seem to be ok with that. Like they think "Oh, this is so complicated, there are so many German engineers working on this problem, they must have found a great solution." So we are trusting these black boxes, and we are not able to review the black boxes that we put into our cars, and we have to trust the manufacturer to do the right thing, and currently the investigation to do this without assistance from the manufacturer does not scale. We can do it but... the manufacturers can put more security on their ECUs... it probably can be broken, but it takes a lot more time, so it simply does not scale sufficiently. The issue is black boxes are really powerful, right. Black boxes can hurt people with, for example, excessive emissions. They can kill people if we think about autonomous cars that make mistakes. So what we do need, I think, is more transparency. A system that can kill people needs to be reviewable by the people. I think this is a very important thing. applause So, to have a system that can kill people... to have it reviewable by the people, we need to do things. For example, we need... we want access to source code for reviews. It doesn't necessarily mean we want open source, we don't ask the car manufacturers at all to open source all the software. That's not what I'm talking about. What we need is... think about how Microsoft is sharing source code of Windows with universities or other countries. We need experts to look at the source code, and we want control software that is reviewable by design, that has a lot of documentation, that has good comments, that is human-readable code. 
I don't want to see a disassembly, I want to see the source, the MATLAB, or whatever they are using to define the functionality source, and read that. And I want to understand: why did they choose that curve of that map in this way? What were the design criteria? That needs to be reviewed. And we need transparency for control software decisions, which means that if a car operates in a certain way, if I'm driving that car, I want to be able to choose that I can log what the car is doing, for example by putting in, I don't know, a USB stick or something if it's my car, and then the car will log all the data to that. That is... in the end that allows me to reconstruct any decision that the software makes. I think this is required to have the necessary transparency that allows us to un-blackbox these devices. All right. Thank you very much. applause Okay, I actually finished five minutes early. I didn't think this would happen, so...

Herald: I'm so surprised.
F: I am surprised too.
Herald: You are on time. You have five minutes left.
F: Wow, what do I do with these five minutes?
Herald: We can walk around the stage or... Maybe people have some questions?
F: I think so!
Herald: Well, let's ask the Internet! Is the Internet ready?
Signal Angel: Yes. Our first question: What do you think is the responsibility of Bosch as a supplier for having their software and hardware used for this?
F: So the question was: What's the responsibility of Bosch, who built the software for Volkswagen? It's a good question and I have to be careful in what I answer. My personal opinion, and let's take this aside from Volkswagen and Bosch, is that if you build software that you know is used illegally, it should... it must be your responsibility to not do that. And I'm not sure if this is something that is legally enforceable, but it should be something that's enforceable ethically, or for all of us programmers, that we don't build software that is designed to break the law. applause
Herald: We quickly hop over to microphone 1, please.
Microphone 1: Thank you for a wonderful talk. I'm just wondering if you're aware of some cases of Volkswagen cars in Australia which were suffering from sudden and rapid power loss. This was happening about five years ago, and there was a case where a Volkswagen suffered rapid power loss on a motorway. The driver was Mrs. Melissa Ryan, and she was rear-ended by a truck and killed. So when you say that these things can cause death, were you... are you aware that any sort of Volkswagen software has been leading to power loss in the vehicles and affecting performance on the road? Now, I don't know whether Australian driving conditions are different from European driving conditions, and how that might affect that. Have you done any tests that might indicate that could be happening in normal driving?
F: Yeah, so... the question was whether I'm aware of, I think, an Australian incident, right, where...
M1: Can I...
F: Yeah.
M1: There were many reported cases. One of them was fatal, but there were many reported cases of that happening.
F: Of a sudden power loss, is that right?
M1: Sudden and rapid power loss in the engine.
F: Yeah, of the engine. I'm not aware of these incidents, and what I do know and... is that personal safety is the number one design criterion for ECUs. That does not mean that they are perfect, of course; that could mean that rare bugs... that there could be malfunctions. I don't know about this, but at least it's the first design principle to provide safety for the people driving the car, which I think is a good thing, right. It's not the profit or anything, or at least we can hope so. I'm not aware of this particular incident, and so I can't really say anything more about this. It would be great if... Are you aware of any additional details that were found in the investigation? Please send them to me.
M1: Volkswagen was claiming that this was a gearbox problem on automatic cars, but then it started happening on manual cars as well, so that excuse went out of the window.
F: The issue with these problems is that most of them are very complex, so they probably involve more than just the engine ECU, so they're very... but it's a good example of where we need to understand exactly what is happening, and where we may not want to rely on Volkswagen or any other manufacturer alone to assist in figuring out what happens. We need more transparency there so that we can definitely have neutral accident investigations.
Herald: This was a long question and a really detailed answer. Thank you very much.
F: Sorry, I will be short.
Herald: Felix, that's your applause. applause music

subtitles created by c3subtitles.de in the year 2018. Join, and help us!
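The EGR load-limit latch the talk describes (one excursion over the per-gear curve switches the reason code to 13, and only the low-RPM idle "green area" switches it back to 2, so the same operating point before and after the excursion gets different EGR) and the 91.5 kPa to roughly 850 m conversion from the SCR check, written out as an added editorial example in Python. This is not code from the talk, from Opel or from any ECU; the curve breakpoints, the gear bucketing, the idle thresholds, the use of the ISA barometric formula and the drive trace are all assumptions, and the trace is constructed to mirror the idle / 2,000 RPM / 3,000 RPM excursion / 2,000 RPM repro the talk walks through. Only the reason codes 2, 13 and 16 are taken from the talk.

```python
"""Toy model of the EGR 'load limit' latch and the SCR pressure check.

Editorial example, not code from the talk or from any real ECU. Everything
except the reason codes 2, 13 and 16 (which the talk reports from the logged
variable) is an assumption chosen for illustration: the curve breakpoints,
gear buckets, idle thresholds, barometric formula and the drive trace.
"""
from typing import List, Tuple

REASON_FULL_EGR = 2      # no limiting reason applies: NOx-optimised mode
REASON_LOAD_LIMIT = 13   # load limit exceeded: reduced EGR
REASON_ENGINE_OFF = 16

# Assumed limit curves, one per gear bucket: (rpm, fuel mg/stroke) breakpoints.
LIMIT_CURVES = [
    [(800, 10.0), (1500, 16.0), (2500, 22.0), (3500, 26.0), (4500, 28.0)],
    [(800, 10.0), (1500, 18.0), (2500, 24.0), (3500, 28.0), (4500, 30.0)],
    [(800, 10.0), (1500, 20.0), (2500, 26.0), (3500, 30.0), (4500, 32.0)],
    [(800, 10.0), (1500, 22.0), (2500, 28.0), (3500, 32.0), (4500, 34.0)],
    [(800, 10.0), (1500, 24.0), (2500, 30.0), (3500, 34.0), (4500, 36.0)],
]
GEAR_BUCKET = {1: 0, 2: 1, 3: 2, 4: 3, 5: 4, 6: 4}   # assumed bucketing

# Assumed "green area" that releases the latch: low-RPM idle with little fuel.
IDLE_RPM_MAX = 1000
IDLE_FUEL_MAX = 5.0

Sample = Tuple[int, float, int, bool]   # (rpm, fuel mg/stroke, gear, engine_on)


def load_limit(gear: int, rpm: int) -> float:
    """Piecewise-linear lookup of the fuel-per-stroke limit for gear and RPM."""
    curve = LIMIT_CURVES[GEAR_BUCKET[gear]]
    if rpm <= curve[0][0]:
        return curve[0][1]
    for (r0, f0), (r1, f1) in zip(curve, curve[1:]):
        if r0 <= rpm <= r1:
            return f0 + (f1 - f0) * (rpm - r0) / (r1 - r0)
    return curve[-1][1]


def next_reason(prev: int, rpm: int, fuel: float, gear: int, engine_on: bool,
                latch: bool = True) -> int:
    """One step of the reason-code state machine.

    latch=True models what the talk describes: one excursion over the curve
    switches to 13, and only the idle green area switches back to 2.
    latch=False models what a reader would naively expect: back to 2 as soon
    as the operating point is under the curve again.
    """
    if not engine_on:
        return REASON_ENGINE_OFF
    if fuel > load_limit(gear, rpm):
        return REASON_LOAD_LIMIT
    if latch and prev == REASON_LOAD_LIMIT:
        if rpm <= IDLE_RPM_MAX and fuel <= IDLE_FUEL_MAX:
            return REASON_FULL_EGR
        return REASON_LOAD_LIMIT          # under the curve, but still latched
    return REASON_FULL_EGR


def simulate(trace: List[Sample], latch: bool = True) -> List[int]:
    """Run the state machine over a trace and return the reason per sample."""
    reasons, prev = [], REASON_FULL_EGR
    for rpm, fuel, gear, on in trace:
        prev = next_reason(prev, rpm, fuel, gear, on, latch)
        reasons.append(prev)
    return reasons


def fraction_limited(reasons: List[int]) -> float:
    """Share of samples spent in the reduced-EGR mode."""
    return reasons.count(REASON_LOAD_LIMIT) / len(reasons)


def repro_trace() -> List[Sample]:
    """Constructed trace mirroring the talk's repro: idle, cruise at 2000 RPM,
    a brief excursion over the limit, the same cruise again, then idle."""
    return ([(800, 3.0, 3, True)] * 3 + [(2000, 15.0, 3, True)] * 5
            + [(3000, 35.0, 3, True)] * 2 + [(2000, 15.0, 3, True)] * 5
            + [(800, 3.0, 3, True)] * 2)


def altitude_m(pressure_kpa: float) -> float:
    """ISA barometric formula (assumed here): height at which the standard
    atmosphere has this pressure, sea level being 101.325 kPa."""
    return 44330.0 * (1.0 - (pressure_kpa / 101.325) ** (1.0 / 5.255))


if __name__ == "__main__":
    t = repro_trace()
    for label, r in (("latched", simulate(t)), ("naive", simulate(t, latch=False))):
        print(f"{label:8s} {r}  limited {fraction_limited(r):.0%} of samples")
    print(f"91.5 kPa is about {altitude_m(91.5):.0f} m")
```

Running it prints the reason sequence for both models: in the latched model the second 2,000 RPM cruise stays at 13 until the idle at the end, while the naive model returns to 2 as soon as the excursion is over. That asymmetry between two identical operating points is what the talk's EGR-position and NOx comparison shows, and the `fraction_limited` figure is the toy counterpart of "most of the time the reason is 13" in the real-world log.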