0:00:00.000,0:00:14.630
33C3 preroll music
0:00:14.630,0:00:18.544
Herald Angel: And without further ado,[br]please welcome Guillaume and P1ckachu on
0:00:18.544,0:00:24.501
stage now.[br]applause
0:00:24.501,0:00:34.460
Guillaume: Thank you.[br]P1kachu: Okay. So hi everybody. Hi bingu.
0:00:34.460,0:00:42.143
So we are going to present what we've been[br]doing lately with cars actually. So who
0:00:42.143,0:00:48.508
are we? My name is Stanislas Lejay[br]"P1kachu". I'm an IT student at EPITA, a
0:00:48.508,0:00:54.260
school in France and I'm part of EPITA's[br]system and security laboratory, the LSE.
0:00:54.260,0:00:58.856
I'm currently an intern at Quarkslab. I[br]like a lot of stuff, like reverse
0:00:58.856,0:01:03.639
engineering, everything that is related to[br]cars or mechanics and if there is
0:01:03.639,0:01:08.720
something stupid to do I shall already be[br]doing it. And with me will be Guillaume
0:01:08.720,0:01:12.400
Heilles.[br]Guillaume: Hello my name is Guillaume. I
0:01:12.400,0:01:18.719
work at Quarkslab as a security[br]engineer. I'm quite new to the security
0:01:18.719,0:01:25.180
field as I worked in the industry before.[br]And I switched to the security field
0:01:25.180,0:01:29.950
because it's very fun and I like to[br]reverse almost everything and I will give
0:01:29.950,0:01:35.857
a small talk about reversing a piece of[br]hardware that you can find in an
0:01:35.857,0:01:43.500
automobile.[br]P: So what is this talk about? This
0:01:43.500,0:01:47.219
talk will be in two different parts. The[br]first one is how to drift with any car,
0:01:47.219,0:01:52.950
and it's an introduction to automotive[br]systems, what you can do with them and what
0:01:52.950,0:01:56.979
we actually did with them. And the second[br]part, whose name is "how to properly write
0:01:56.979,0:02:02.988
an Amazon review", you'll see why just[br]after, is an OBD dongle. So analysis, reverse
0:02:02.988,0:02:09.075
engineering, stuff like this. So first[br]part "drifting with any car". The idea is
0:02:09.075,0:02:12.970
that I'm a student, so I work at my[br]school's lab, so I had to find a way to
0:02:12.970,0:02:18.792
explain why I was bringing different cars[br]every day at my school's garage. So the
0:02:18.792,0:02:24.370
official goal was to look at how a car works[br]and what arose from this is what can I do,
0:02:24.370,0:02:30.420
what can one do with a modern car system.[br]The restriction I had was that since I'm a
0:02:30.420,0:02:35.426
student I'm poor so I don't have a lot of[br]money and I don't have a lot of cars. So I
0:02:35.426,0:02:40.074
was actually taking my family's different[br]cars and trying to analyze them. So I
0:02:40.074,0:02:47.946
wouldn't, I wasn't able to break anything[br]or remove any parts from the car. So the
0:02:47.946,0:02:54.931
test subjects, which cars was I[br]playing with. I had five or six of them.
0:02:54.931,0:03:00.774
The first one for posterity, is mine[br]actually. It's a 2006 Volkswagen Polo.
0:03:00.774,0:03:05.370
What is nice is that you can spend the[br]whole day trying to find some messages on
0:03:05.370,0:03:11.190
your bus. If your car is too old there are[br]no messages. So you can take the
0:03:11.190,0:03:16.310
oscilloscope and try to find them, you[br]won't find them. Anyway, just before doing
0:03:16.310,0:03:23.689
anything, try to think: is the thing I'm[br]looking for already in there? The second car
0:03:23.689,0:03:28.395
is my grandmother's car, it's a Volkswagen[br]Polo of 2013. And the last guy we'll talk
0:03:28.395,0:03:35.656
about is my mom's Fiat 500 convertible.[br]It's from 2010. The dates are important
0:03:35.656,0:03:41.990
because the CAN bus I will talk about just[br]after is quite recent in a way that
0:03:41.990,0:03:48.654
security on the CAN bus changes greatly[br]from one year to another. So the CAN bus I
0:03:48.654,0:03:54.980
was playing with on this car was quite[br]different from the 2013 Volkswagen Polo
0:03:54.980,0:04:01.505
for example. Okay, so talking with the[br]car. So this is the introduction part, so
0:04:01.505,0:04:04.590
if people already know about what I'm[br]going to talk about, but I want everybody
0:04:04.590,0:04:10.410
to be on the same first step. So first of[br]all, an ECU, it stands for electronic
0:04:10.410,0:04:15.437
control unit and it's a small computer[br]that you get all around your car. So there
0:04:15.437,0:04:20.100
are many of them. You can have at most 70[br]of them in very modern cars and they take
0:04:20.100,0:04:24.858
control of different parts of it. So you have[br]the engine, the powertrain, the
0:04:24.858,0:04:29.997
transmission, ABS, stuff like this. And[br]they talk to each other on what we call
0:04:29.997,0:04:37.029
the CAN bus. The CAN bus is a message-[br]based broadcast protocol. Messages are
0:04:37.029,0:04:41.532
mostly composed of two important things[br]which are the arbitration ID, which I will
0:04:41.532,0:04:49.167
refer to as ID from now on, they can be 11 or[br]29 bits long, and you have data. Data is 8
0:04:49.167,0:04:53.120
bytes long in the standard CAN[br]message, but there are on-top protocols that
0:04:53.120,0:04:58.560
can group messages together to get bigger[br]lengths of data. What is interesting is
0:04:58.560,0:05:04.090
that it's a broadcast protocol, so the[br]collision detection system is based on the
0:05:04.090,0:05:10.130
ID. The lower your ID the higher your[br]priority. So very important CAN message
0:05:10.130,0:05:17.180
will have very low IDs, they will be sent[br]from an ECU that has a very low ID, and less
0:05:17.180,0:05:22.040
important ones will have a bigger[br]arbitration ID. How do you talk to your
0:05:22.040,0:05:26.810
CAN bus without cutting any wire in the[br]car? For this you see there is the OBD2
0:05:26.810,0:05:31.800
port, so OBD stands for on-board diagnostics[br]and is the vehicle self-diagnostic and
0:05:31.800,0:05:36.980
reporting capability. When you are driving[br]you have a LED that starts to blink
0:05:36.980,0:05:41.120
on your dashboard saying "ok something's[br]wrong", you bring your car to your car
0:05:41.120,0:05:45.670
repair shop and the car repair guy will[br]just plug himself into this port which is
0:05:45.670,0:05:53.074
located around the steering wheel often[br]and query information using PIDs. So PID
0:05:53.074,0:05:57.620
is a parameter ID. It means "okay I want[br]to have information about for example the
0:05:57.620,0:06:02.870
RPM or the speed or the fuel level[br]something like this" and you can set or
0:06:02.870,0:06:07.962
reset diagnostic trouble codes a[br]diagnostic trouble code means "ok
0:06:07.962,0:06:12.847
something is wrong with this part of the[br]car" for example. Here is my setup. So
0:06:12.847,0:06:20.030
with just a Raspberry Pi, PiCAN 2 shield[br]and a DB9 to OBD2 cable, I was able to
0:06:20.030,0:06:26.054
have a full Linux that can understand[br]CAN messages and talk with the CAN bus. So
0:06:26.054,0:06:30.090
with that I could just communicate with my[br]car without breaking anything, which is
0:06:30.090,0:06:35.850
quite nice. What does it look like? So in[br]Python, I just import can, so it's
0:06:35.850,0:06:40.960
a standard package, python-can, you create[br]an interface, so it's SocketCAN, so it's
0:06:40.960,0:06:45.260
like any kind of interface you just create[br]a can0 interface and you can communicate
0:06:45.260,0:06:50.912
with your CAN bus. You create your[br]message, so the data is here. What is
0:06:50.912,0:06:55.728
important is that the first byte tells how[br]many bytes are important in the message.
0:06:55.728,0:07:01.420
You can have 8 bytes of data. The number[br]of bytes processed will be this number, so
0:07:01.420,0:07:06.669
like there it says "ok, there are only 2[br]bytes of data that are interesting, just
0:07:06.669,0:07:11.880
discard the 5 other ones". Here, it asks[br]for the first mode, so OBD has different
0:07:11.880,0:07:18.350
modes. The first mode says "Okay, I want[br]the current value of what I'm looking for"
0:07:18.350,0:07:24.560
and 0x0c is RPM. So I want the current[br]value of the RPM. If I put two there, it's
0:07:24.560,0:07:29.540
the second mode and it asks for the RPM[br]when the last data trouble code was
0:07:29.540,0:07:33.230
actually set. You have different like[br]that, but what interested me was "Okay
0:07:33.230,0:07:40.861
what is a current RPM?". You create your[br]message, 0x7df is the classic ID for
0:07:40.861,0:07:49.594
diagnostic tools, so most ECUs will answer[br]to OBD queries if you have this ID. On 29
0:07:49.594,0:07:55.419
bits, it depends on the car, on the Fiat[br]500, for example, it was this one. You
0:07:55.419,0:08:02.060
send your message, you get your answer and[br]that's it. Okay, so this was the theory:
0:08:02.060,0:08:06.900
how do you talk, but how did I actually[br]talk with my cars? So the first OBD answer
0:08:06.900,0:08:12.320
I was able to get was on my grandmother's[br]Polo. It's quite a recent car, 2013, so
0:08:12.320,0:08:17.150
there was a gateway, a sort of firewall[br]between the OBD2 port and the actual CAN
0:08:17.150,0:08:22.770
bus. So when I plugged myself to the CAN[br]bus, I wouldn't receive anything unless I
0:08:22.770,0:08:28.460
send an OBD query. I would receive my[br]answer but that's all. Else, the bus would
0:08:28.460,0:08:34.029
be completely silent. So here are some[br]examples, so this is the one from just
0:08:34.029,0:08:39.429
before, how can I get the RPM, so this is[br]the value of the RPM. Here, I can get the
0:08:39.429,0:08:44.425
engine coolant temperature, very[br]important, so the idea is that it answers
0:08:44.425,0:08:52.100
83 and 83 is 131 degrees. The idea is that[br]you are working with unsigned bytes, so if
0:08:52.100,0:08:58.740
you want to get a negative temperature,[br]the standard tells you to subtract 40 from
0:08:58.740,0:09:06.819
your temperature. If you are outside of[br]-40 or 215 degrees, you have other
0:09:06.819,0:09:14.821
problems than your coolant temperature.[br]So, seems to work. Okay, nice. So,
0:09:14.821,0:09:18.490
displaying everything. This was to explain[br]to my grandmother why I was stealing her
0:09:18.490,0:09:23.329
car for two weeks right now. So, with[br]this, I'm able to get the RPM, the speed,
0:09:23.329,0:09:28.059
engine coolant temperature, always very[br]important, throttle and accelerator pedal
0:09:28.059,0:09:33.679
position and the elapsed time since[br]engine started. So anyway, kind of
0:09:33.679,0:09:40.812
graphical, my grandmother understands,[br]everybody's happy. Right, so right now I
0:09:40.812,0:09:45.843
can query standard OBD PIDs, I can have[br]the RPM, speed, fuel level, anything you
0:09:45.843,0:09:51.378
would want to have on your dashboard, but[br]if you want to get some probably more
0:09:51.378,0:09:57.009
interesting stuff, you have to go with the[br]constructor-specific PIDs. For example,
0:09:57.009,0:10:00.259
the steering wheel position, brake and[br]clutch pedal, gearbox status light or
0:10:00.259,0:10:05.059
blinkers are constructor-specific, so you[br]have to break stuff to be able to find
0:10:05.059,0:10:11.073
them or be very good friends with the[br]manufacturer, which I'm not. Nice, we
0:10:11.073,0:10:18.093
can query stuff, mostly. Can we modify[br]anything interesting from OBD? Because,
0:10:18.093,0:10:23.900
still, I don't want to mess with the car[br]by cutting any wire. So first issue: what
0:10:23.900,0:10:28.810
protocol am I actually talking to? There[br]are on-top protocols like KWP, which
0:10:28.810,0:10:33.642
is Keyword Protocol 2000, Unified[br]Diagnostic Services, ISO-TP, the Volkswagen
0:10:33.642,0:10:38.860
version of ISO-TP, like really, and stuff[br]like this. Which protocol am I talking to?
0:10:38.860,0:10:44.730
Okay, let's just brute-force by sending[br]the classic introduction kind of message
0:10:44.730,0:10:52.466
and try to find a valid answer. With[br]this on the 2013 Polo, I could speak UDS.
0:10:52.466,0:10:57.319
So UDS enables different kinds of things[br]like resetting ECUs, which can be quite
0:10:57.319,0:11:04.069
interesting, query specific PIDs, read DTC[br]information, stuff like this. However,
0:11:04.069,0:11:08.550
nice stuff like dumping the firmware is[br]only available through a security session.
0:11:08.550,0:11:13.020
And the security session on this car requires[br]an authentication through a challenge-
0:11:13.020,0:11:19.020
response kind of algorithm, so here is the[br]example: I would start a diagnostic
0:11:19.020,0:11:25.279
session, UDS diagnostic session, first,[br]then query for seed to get through the
0:11:25.279,0:11:30.579
security session, compute my answer, send[br]it back, the car computes its own answer,
0:11:30.579,0:11:35.820
compare and I would fail, because I would[br]just send the seed back, like, maybe they
0:11:35.820,0:11:40.959
didn't implement a real algorithm, you[br]never know. But hey, okay, well done
0:11:40.959,0:11:46.819
Volkswagen, they did it quite well.[br]Actually, the car has a four-byte seed,
0:11:46.819,0:11:50.864
which is different at each try. This is[br]important to notice because on Guillaume's
0:11:50.864,0:11:57.633
car, it's a 2-byte seed, which is always[br]the same. You have more than three seconds
0:11:57.633,0:12:02.649
required between each try and if you fail[br]multiple times, it will just freeze for ten
0:12:02.649,0:12:06.740
minutes if you don't want to remove the[br]battery, all that kind of complicated
0:12:06.740,0:12:12.699
stuff. So, how to break this? Brute-force?[br]Way too long. A timing attack would be too
0:12:12.699,0:12:18.129
unstable because of the priority-kind of[br]thing, because you can just get delayed by
0:12:18.129,0:12:23.554
other more important messages and so it[br]will delay your timing attack. Disassembling
0:12:23.554,0:12:27.629
the car is out of the question, you know[br]why, and getting ECUs from a repair shop is
0:12:27.629,0:12:31.492
tedious. You know, get an ECU, try to[br]recreate the CAN bus around, stuff like
0:12:31.492,0:12:37.874
this, and I'm broke, so I don't have any[br]money. Okay, so, my car, let's sum up, way
0:12:37.874,0:12:42.710
too old. My grandmother's car, a bit too recent[br]because of the gateway, my family's car is
0:12:42.710,0:12:47.499
a Lancia Voyager 2014, so even more[br]recent, but it has Uconnect, so maybe for
0:12:47.499,0:12:56.809
another time. Who's left? Oh, mommy? So,[br]my mom has a 2010 Fiat 500 convertible,
0:12:56.809,0:13:01.929
she loves it, so she doesn't like when I[br]take it and she even more doesn't like when
0:13:01.929,0:13:12.570
I tried to do stuff with it. So one night[br]I stole the key. Laughter Sorry. And I
0:13:12.570,0:13:17.929
tried to plug myself in and oh! It talks, it[br]talks a lot. In four seconds, I was able
0:13:17.929,0:13:23.896
to get around 2000 messages, so it's about[br]500 messages per second. There is no
0:13:23.896,0:13:28.300
gateway, so I have a lot of broadcasted[br]messages already. They are from a few
0:13:28.300,0:13:32.670
different arbitration IDs, so a few[br]different ECUs are actually talking on
0:13:32.670,0:13:38.274
this bus. When I'm in the car, I tried[br]pressing random buttons and I see that the
0:13:38.274,0:13:43.190
data evolves, so the nice funny thing to[br]do is to try to understand what each
0:13:43.190,0:13:49.499
message means. It's quite tricky with[br]candump, which is the standard Linux util
0:13:49.499,0:13:55.377
which will just flood your stdout with CAN[br]messages, but Python CAN monitor helps a
0:13:55.377,0:14:02.046
lot by grouping messages by arbitration[br]ID. So here I'm in the Fiat 500 and I am
0:14:02.046,0:14:07.749
driving actually, and you can see the[br]different arbitration ID there and the
0:14:07.749,0:14:12.569
data that is evolving. The last two,[br]which are way bigger, are the standard
0:14:12.569,0:14:19.179
OBD, meaning that okay, I have a priority[br]that is way lower than the other kind of
0:14:19.179,0:14:27.547
messages. So, reversing a bit, what can we[br]find? I found the speed, four times, the
0:14:27.547,0:14:33.528
values were quite different but quite[br]close anyway, so was it at four different
0:14:33.528,0:14:37.667
times or at the four different wheels? And[br]it was actually at the four different
0:14:37.667,0:14:43.703
wheels, because when I turned it would[br]change drastically two values out of four.
0:14:43.703,0:14:47.579
I have the clutch pedal with respect to[br]the accelerator: am I accelerating while
0:14:47.579,0:14:53.329
depressing or pressing the clutch, the[br]brake data, are the doors closed, which ones
0:14:53.329,0:14:58.179
are closed, is the contact on, is the[br]handbrake up or down, and this one is quite
0:14:58.179,0:15:05.187
interesting because it would change every[br]minute. Actually it's the time and date.
0:15:05.187,0:15:12.639
So it was 9:00 p.m. on the 24th May of[br]2017 meaning that they created an ECU
0:15:12.639,0:15:17.619
whose only job was to send the[br]current time and date readable in
0:15:17.619,0:15:23.844
hexadecimal format on the CAN dump like[br]this.
0:15:23.844,0:15:27.939
laughter[br]But whatever, I found it funny, I've a
0:15:27.939,0:15:33.600
weird sense of humor, anyway so this thing[br]even masters this time to explain to my
0:15:33.600,0:15:38.940
mother what I'm doing with her car so this[br]was a kind of capture I was doing from my
0:15:38.940,0:15:43.889
school to my home like I was recording[br]what I was doing in the car, recording at
0:15:43.889,0:15:47.433
the same time a CAN dump and displaying[br]what I could display so I have the
0:15:47.433,0:15:52.619
handbrake, start and stop and engine is on,[br]okay, it seems to be the doors are closed,
0:15:52.619,0:16:00.364
hopefully okay. So this was quite fun[br]to do actually. Okay what can we do with
0:16:00.364,0:16:04.540
that? Can we do something useful for[br]humanity? Can we do maybe something a
0:16:04.540,0:16:08.562
little bit challenging or else it's[br]absolutely not interesting? How can I at
0:16:08.562,0:16:16.375
least put something on my resume after[br]that something I can be proud of? Yes or
0:16:16.375,0:16:22.202
we could try to do something completely[br]stupid and that's what I meant to do.
0:16:22.202,0:16:30.850
So I created CANPad. The idea of CANPad is[br]that with the steering wheel or brake and
0:16:30.850,0:16:43.059
an accelerator pedal you can drive any car[br]in any video game. So... Laughter
0:16:43.059,0:16:55.450
Applause[br]So that's what I did. I take the CAN
0:16:55.450,0:17:01.420
messages from the OBD sensors and pass them[br]to a python-can client and feed
0:17:01.420,0:17:06.937
them through libuinput to be able to [br]create a virtual gamepad and play it in
0:17:06.937,0:17:14.888
V-Drift. So V-drift is an open-source[br]racing game that allows one to play on
0:17:14.888,0:17:20.212
Linux through at least libuinput. So[br]this is a start and stop button that I use
0:17:20.212,0:17:28.240
as a toggle to send data and here I'm[br]driving with my mum's car, a car in a
0:17:28.240,0:17:30.240
video game.[br]driving noise
0:17:30.240,0:17:34.840
So I have the steering wheel, the handbrake,[br]all the pedals, it's quite hard
0:17:34.840,0:17:38.285
to drive right now.[br]laughter
0:17:38.285,0:17:46.970
And my official goal is to drift. So at[br]first I have to learn how to drive at all.
0:17:46.970,0:17:56.539
It was actually quite nice when I managed[br]to do anything at all. So you can see that
0:17:56.539,0:18:07.309
data is only like 16 bytes long and[br]music
0:18:07.309,0:18:19.850
applause[br]That's the best drift I was able to do on
0:18:19.850,0:18:26.590
this game. So I was actually quite[br]disappointed right now. So features and
0:18:26.590,0:18:30.597
limitations of this. So the features are[br]what I was explaining right now. But the
0:18:30.597,0:18:35.539
limitations are that the engine needs to be[br]running because else I don't have the
0:18:35.539,0:18:42.799
assisted direction which makes the wheel[br]quite hard to turn. Also on a real car if
0:18:42.799,0:18:47.771
you release the steering wheel it will by[br]itself try to match the car direction
0:18:47.771,0:18:52.651
which I don't have so I would just spend[br]all my time turning the wheel. And the
0:18:52.651,0:18:58.530
control simplicity going through libuinput[br]limits it to V-Drift because no
0:18:58.530,0:19:04.809
other Linux game recognized my virtual[br]gamepad as a real one. So I was quite sad
0:19:04.809,0:19:10.760
and but I really wanted to drift. Oh wait[br]I created another version which is CANpad
0:19:10.760,0:19:18.440
v2. CANpad v2 I just understood that on[br]the real game pad game box - Xbox, Xbox
0:19:18.440,0:19:24.429
gamepad. If I plug the Xbox gamepad and[br]don't touch anything no inputs will be
0:19:24.429,0:19:30.510
sent. On the other hand if I put a PS4[br]gamepad and don't touch anything it will
0:19:30.510,0:19:35.779
flood the status of every button all the[br]time so what I would do is take the Xbox
0:19:35.779,0:19:41.172
controller put it on the table and hijack[br]its port to send data instead of it. So I
0:19:41.172,0:19:45.030
would have a real, a real plugged-in[br]controller that is recognized by nicer
0:19:45.030,0:19:51.926
games like V-Drift, like DiRT, and I could[br]send inputs by myself. I changed a
0:19:51.926,0:19:58.049
few things like the gas pedal because I had[br]to floor it in the real world to floor it in the
0:19:58.049,0:20:07.808
game which was quite fuel consuming, the[br]steering wheel rotation was adjusted so
0:20:07.808,0:20:13.509
that it matches, it matches rally cars[br]like if I turn it 180 degrees it will turn
0:20:13.509,0:20:17.360
all the way in the game, so quite nice, and[br]I found the direct command to query the
0:20:17.360,0:20:22.350
brake in the video. In the next[br]video you'll see that when I turn abruptly
0:20:22.350,0:20:26.679
in the game and I release at the same time[br]the brake the wheel will take a little bit
0:20:26.679,0:20:32.100
of time before stopping to turn because I[br]have a small delay. But now I have the
0:20:32.100,0:20:39.514
real input so it's way easier. So:[br]demonstration. So, some sensors:
0:20:39.514,0:20:50.840
soundtrack Start and Stop soundtrack[br]I just wanted the music. So, anyway, as you
0:20:50.840,0:20:56.377
can see it's way easier to play because of[br]the steering wheel which was adjusted it's
0:20:56.377,0:21:11.130
way nicer to drift in it. I can do the[br]crane drift
0:21:11.130,0:21:19.750
applause soundtrack[br]my brothers were very fond of this. My
0:21:19.750,0:21:23.164
mother was only thinking about her tires[br]right now
0:21:23.164,0:21:31.139
audience laughing[br]soundtrack
0:21:31.139,0:21:37.840
Anyway. Sorry. I'll give you the title of[br]the song later if you want. So I can now
0:21:37.840,0:21:43.929
drift with my front-wheel drive car in any[br]kind of video game which is almost quite
0:21:43.929,0:21:50.299
very nice. So possible upgrades - yes[br]there are always upgrades: I could get the
0:21:50.299,0:21:54.741
gearbox status to put the car on the lift[br]and try to put it in manual which would
0:21:54.741,0:22:01.490
be a bit more lifelike and[br]create a better gamepad so that I'm able
0:22:01.490,0:22:07.650
to race on Microsoft Windows because right[br]now it's only on Linux. Okay this was fun
0:22:07.650,0:22:12.220
but it was actually consuming a lot of gas[br]for nothing. So with Guillaume we tried to
0:22:12.220,0:22:17.320
find a way to reduce gas consumption and[br]that's what he will - he is going to talk
0:22:17.320,0:22:20.098
to you about right now.[br]Guillaume?
0:22:20.098,0:22:29.710
Guillaume: Thank you, Stan.[br]Applause
0:22:29.710,0:22:33.996
So, Stan had a little problem about the[br]gas consumption and a friend of ours told
0:22:33.996,0:22:40.223
us about this little Nitro OBD dongle[br]which is supposed to save fuel. It's sold
0:22:40.223,0:22:45.500
on Amazon and the reviews are quite good[br]so we said "ok, strange but ok" let's try
0:22:45.500,0:22:53.590
it. First of all just a reminder about the[br]- what is an OBD2 dongle? An OBD2 dongle
0:22:53.590,0:23:01.610
is a small device that you plug into the[br]OBD2 port of your car. Any recent car has
0:23:01.610,0:23:07.317
an OBD2 port you can find it by googling[br]the model of your car and OBD2 port and
0:23:07.317,0:23:12.590
you will find a picture of it and the[br]interesting thing is that you just have to
0:23:12.590,0:23:18.299
pull the panel to access your OBD2 port[br]and it's very cool because we don't have
0:23:18.299,0:23:24.519
to take anything apart or whatever. So,[br]just buy the thing on Amazon, pull the
0:23:24.519,0:23:32.159
panel and put it there. That's all. So,[br]this dongle is supposed to save fuel by
0:23:32.159,0:23:40.670
reprogramming the main ECU - the engine[br]ECU of your car. And this is done for
0:23:40.670,0:23:46.745
quite some time: this is known as chip[br]tuning and you can find it on the internet. It
0:23:46.745,0:23:51.965
works pretty well, it will break your[br]warranty, but the very interesting
0:23:51.965,0:23:57.580
thing about this dongle is that you will[br]not break your warranty because, if you
0:23:57.580,0:24:02.191
remove it you will go back to factory[br]settings and this is very new. So, it
0:24:02.191,0:24:10.981
works on any car, well any recent car and[br]well it seems to work really well. Ok so
0:24:10.981,0:24:17.259
why did we reverse engineer this dongle?[br]Because it's just an amazing piece of
0:24:17.259,0:24:24.759
hardware. If you think about it: it works[br]on any car and it also reprograms any car
0:24:24.759,0:24:31.340
so it must contain all authentication[br]codes. Stan explained the challenge and
0:24:31.340,0:24:38.559
response mechanisms so this one must[br]contain all of them. It will also contain
0:24:38.559,0:24:45.809
the reprogramming software for any car of[br]any manufacturer and this is also just
0:24:45.809,0:24:51.480
amazing and I just wanted to have a look[br]at this and it is able to adapt itself to
0:24:51.480,0:24:55.350
the way you are driving for a few[br]kilometers then it will reprogram your
0:24:55.350,0:25:00.570
engine and I said wow, there must be a very[br]smart algorithm inside this very small
0:25:00.570,0:25:06.261
piece of hardware and I just wanted to[br]have a look at this software. As I said
0:25:06.261,0:25:14.570
also - it also modifies the RAM of your[br]engine and I was not aware of anything
0:25:14.570,0:25:20.092
that will be able to do that because from[br]the things I know about chip tuning it
0:25:20.092,0:25:24.990
will change the flash of your ECU. That's[br]why the warranty is broken but not this
0:25:24.990,0:25:28.809
one, not this one. And this is just[br]amazing. I just wanted to have a look at
0:25:28.809,0:25:35.009
the source code, well, the binary. Ok so.[br]The first thing about reverse engineering
0:25:35.009,0:25:42.179
such a piece of hardware is monitoring the[br]CAN signals to see if it's talking and
0:25:42.179,0:25:49.453
what he - what it is doing exactly if it's[br]opening security sessions or not. Well,
0:25:49.453,0:25:56.029
all this stuff. So, here you see in my[br]car. There is the OBD2 port right there
0:25:56.029,0:26:02.110
and I used the same configuration as Stan[br]to record the CAN messages which is a
0:26:02.110,0:26:07.331
Raspberry Pi here and the PiCAN 2 shield[br]and well just for fun a PicoScope to
0:26:07.331,0:26:13.309
check the signals and a computer to - to[br]monitor this. The thing is you just have
0:26:13.309,0:26:19.389
one OBD2 port in a car and - here - and[br]you cannot plug at the same time the
0:26:19.389,0:26:28.850
dongle like - like this and the[br]wires for the Raspberry Pi. So we took
0:26:28.850,0:26:36.500
apart the dongle and after a bit of[br]reversing the PCBs we found the CAN lines
0:26:36.500,0:26:42.029
and ground and we just soldered three[br]wires on it. And using this approach
0:26:42.029,0:26:48.879
you can reverse the messages sent on the[br]bus. The interesting thing is that as you
0:26:48.879,0:26:53.257
are plugged directly on the dongle[br]you will monitor exactly what the
0:26:53.257,0:27:01.610
dongle is doing and what he's seeing. Just[br]for reference you just have three wires to
0:27:01.610,0:27:09.831
put in a car to hijack or to communicate[br]on the CAN bus. Those are CAN high, CAN
0:27:09.831,0:27:17.597
low and the ground and that's basically[br]all you need to connect to a CAN bus. Just
0:27:17.597,0:27:24.605
for reference: on today's[br]cars you can find many many CAN buses in
0:27:24.605,0:27:31.610
the different parts of the car. So the[br]OBD2 port is just more accessible but it's
0:27:31.610,0:27:41.632
basically another CAN bus just like[br]another one. Okay. So, we did two
0:27:41.632,0:27:48.429
measurements: one with basically no OBD[br]dongle plugged in and one with
0:27:48.429,0:27:53.289
the OBD dongle plugged in. Stan explained[br]in the first part of the presentation that
0:27:53.289,0:28:00.580
every CAN message is sent by an ECU and[br]the identifier of the ECU is called the
0:28:00.580,0:28:07.169
message ID and the lower it is the higher[br]the priority is. Here you have the most - you
0:28:07.169,0:28:12.610
have the most prior - you have the message[br]with the - the biggest priority and here
0:28:12.610,0:28:18.201
with the lowest priority and you see here[br]the - the content of the messages. The
0:28:18.201,0:28:22.821
thing is, if you look at the lists of the[br]message IDs - here - and the list of the
0:28:22.821,0:28:27.751
message IDs - here - you can see:[br]it's the same list. Basically it means
0:28:27.751,0:28:35.150
that no other ECU was talking on the bus[br]when we plugged the OBD - the Nitro OBD2
0:28:35.150,0:28:39.690
dongle. So, it means that the dongle[br]basically doesn't speak at all on the CAN
0:28:39.690,0:28:45.033
bus. And that's too bad because we said, how[br]is it possible that it works if it's not
0:28:45.033,0:28:54.994
talking on the CAN bus? Okay. Is it over,[br]is it just not working? Well not really. The
0:28:54.994,0:29:02.780
dongle is advertised as working after 120[br]kilometres. It will just listen silently
0:29:02.780,0:29:08.621
to the way you are driving, then reprogram[br]your engine after this small amount of
0:29:08.621,0:29:15.279
kilometres. So it was still possible that[br]the dongle was not sending anything during
0:29:15.279,0:29:20.790
the first kilometers. And - but we[br]couldn't just monitor the CAN bus during
0:29:20.790,0:29:28.289
such a big period of time and so we needed[br]another approach and we chose to reverse
0:29:28.289,0:29:36.610
the PCB. If you take the dongle apart, you[br]can see two PCBs. The first one here is
0:29:36.610,0:29:43.630
just connected on the OBD 2 port and the[br]other one seems to contain, well,
0:29:43.630,0:29:49.139
something. Okay, so this is a picture of[br]the first one. As you can see, there is no
0:29:49.139,0:29:56.990
components on it at all. It's just routing[br]the CAN wires from there to the second
0:29:56.990,0:30:02.609
board. So okay, let's go on, and the[br]second one is more interesting. On the
0:30:02.609,0:30:07.183
front side, you can see, well, a few[br]components, but there are not so many. You
0:30:07.183,0:30:15.259
have a voltage regulator here, 7805, you[br]have a push-button, this diode is part of
0:30:15.259,0:30:21.610
the voltage regulation and that's pretty[br]much all you have here. And three LEDs,
0:30:21.610,0:30:26.259
you have three LEDs, okay. On the back[br]side, you can see, here there is the
0:30:26.259,0:30:33.172
footprint of a very small[br]microcontroller, and here is a picture
0:30:33.172,0:30:37.700
before desoldering it. And the[br]interesting thing is that there is
0:30:37.700,0:30:44.110
absolutely no reference on this device, as[br]if the manufacturer took special care to
0:30:44.110,0:30:49.250
hide what was inside. And this is not so[br]common because usually you can find a
0:30:49.250,0:31:00.070
reference in a chip. Also, there is no CAN[br]transceiver on this device, yeah, it's
0:31:00.070,0:31:08.110
strange. What is a CAN transceiver? A CAN[br]transceiver is a piece of hardware to
0:31:08.110,0:31:15.730
translate the signals from the CPU, which[br]are basically UARTs, into CAN signals
0:31:15.730,0:31:25.539
which are CAN high, CAN low, this is a[br]differential pair. But this device is not
0:31:25.539,0:31:30.179
just about adapting the signals and[br]electric conversion. It's also about real-
0:31:30.179,0:31:36.220
time monitoring and checking. Stan[br]explained before that in each frame, you
0:31:36.220,0:31:45.640
got a CRC and an error bit. And if there[br]is a transmission error on a frame, any
0:31:45.640,0:31:51.960
CAN transceiver has the duty to assert the[br]fault in real-time, so it just has a few
0:31:51.960,0:31:56.879
microseconds to compute the CRC in real-[br]time and say "Okay, no you just have to
0:31:56.879,0:32:02.259
discard this frame". Basically, two tasks[br]for this one: electrical signal conversion
0:32:02.259,0:32:09.389
and checking in real-time. Okay, so you[br]have no CAN communication, no CAN
0:32:09.389,0:32:16.230
transceiver, okay, it smells weird. A few[br]guys told us "yeah but maybe it's possible
0:32:16.230,0:32:21.080
to do that in software because, you see,[br]those are just signals and maybe with an
0:32:21.080,0:32:26.549
IDC and so on you can do that in[br]software." I put a link, if you are
0:32:26.549,0:32:29.299
interested, here, for Stack Overflow[br]discussion, which is very interesting and
0:32:29.299,0:32:33.549
a few guys say "ok, yes, it's possible to[br]do that in full software, so you basically
0:32:33.549,0:32:39.490
don't need a CAN transceiver". The thing[br]is, as the CAN transceiver has to react in
0:32:39.490,0:32:44.139
real-time, you have to have a very fast[br]CPU to do that in real-time. And the guys
0:32:44.139,0:32:48.860
on Stack Overflow say "Ok, it's possible,[br]but at a very low speed like 10 kilobits
0:32:48.860,0:32:53.830
per second or something like this." But[br]on a real CAN bus on a real car, the speed
0:32:53.830,0:33:05.919
is more like 500,000 bits per second, so[br]it's not the same order of magnitude. And
0:33:05.919,0:33:10.630
then, some of the guys say "Okay, maybe[br]there is some CAN transceiver inside this
0:33:10.630,0:33:15.659
chip", and I say "okay, yes, it's just a[br]small A Super8 chip, there is nothing
0:33:15.659,0:33:20.150
there, just a small microcontroller ",[br]but, just to be sure and because we like
0:33:20.150,0:33:28.169
to decap chips, laughing I asked my intern to do[br]that because, you know, there are toxic
0:33:28.169,0:33:41.409
fumes and things like that. So here is[br]Stan in my garden and, well, it was pretty
0:33:41.409,0:33:48.090
- it was the first time I did that, and[br]Stan also, and the thing is, it's pretty
0:33:48.090,0:33:51.730
easy to do that, but if you want to do it,[br]just be careful because it is very
0:33:51.730,0:33:59.929
dangerous stuff. You can buy it on the[br]internet, it's very cheap, and, what do
0:33:59.929,0:34:07.960
you need? You need cooking plates, here,[br]to produce some heat, crème brûlée, or
0:34:07.960,0:34:12.719
just the ceramic plate. You pour the[br]sulfuric acid in it, you wait for it to be
0:34:12.719,0:34:18.719
hot enough and that's all, basically. Just[br]throw your chip in it and you're done.
0:34:18.719,0:34:25.469
Just wait 10 minutes and that's all. So[br]again, if you want to do it, just do it
0:34:25.469,0:34:29.520
because it's fun, but use protections[br]because it's very dangerous. Okay, well,
0:34:29.520,0:34:36.560
here is the results. I put a real CAN[br]transceiver here, and this is the chip you
0:34:36.560,0:34:42.750
have in the Nitro OBD 2 dongle. Some of[br]you, you will recognize the basic
0:34:42.750,0:34:47.480
structure of a small microcontroller.[br]Here, you have the CPU logic, here you
0:34:47.480,0:34:54.770
have the memory banks and some glue logic[br]there. And that's pretty much all you have
0:34:54.770,0:35:01.460
there. The interesting thing is that, this[br]does not fit into this. So definitely,
0:35:01.460,0:35:09.500
there is no CAN transceiver in the Nitro[br]OBD 2 dongle. The other thing I would like
0:35:09.500,0:35:18.010
to show is if you look at this, we said[br]before that the Nitro OBD 2 had to contain
0:35:18.010,0:35:22.950
a database for all authentication[br]algorithms. All the way to reprogram any
0:35:22.950,0:35:28.580
car on the market and so on. And this is[br]all the flash you have inside. I was
0:35:28.580,0:35:34.380
expecting at least a big chip of flash,[br]but there is nothing here. So basically,
0:35:34.380,0:35:41.960
it just looks like a tiny microcontroller,[br]like an Arduino or something like this.
0:35:41.960,0:35:49.580
But I really wanted to know what chip it[br]was, so we have a game at the office, it
0:35:49.580,0:35:55.920
was looking for Waldo, and because the[br]chip manufacturers like to write chip
0:35:55.920,0:36:04.210
references inside their chips, and, well,[br]there is something here. If you look at
0:36:04.210,0:36:07.840
the chip with a big magnification power, you[br]will see this and this is the chip
0:36:07.840,0:36:14.470
reference. Unfortunately, I could not find[br]any reference on the internet about this
0:36:14.470,0:36:18.650
chip. I asked a few friends on Twitter and[br]so on, but nobody could find it, which
0:36:18.650,0:36:23.600
means, well, I don't know, this is not a[br]big chip, very well-known. If you know
0:36:23.600,0:36:29.870
what it is, just tell me, send a mail or[br]whatever and take the microphone during
0:36:29.870,0:36:35.000
the question-and-answer session, it will be[br]nice. So, just to sum up this part, this
0:36:35.000,0:36:40.870
dongle is very nice but there is no CAN[br]communication, it does not contain any CAN
0:36:40.870,0:36:48.300
transceiver, it does not have enough CPU power[br]to emulate a CAN transceiver in full
0:36:48.300,0:36:54.290
software, and the most important thing is[br]that it has no flash in it to contain the
0:36:54.290,0:36:58.720
database, you know, to reprogram any[br]engine and so on. But the lights are
0:36:58.720,0:37:04.271
blinking very well, so, yeah. If you[br]really want to reprogram your car, use
0:37:04.271,0:37:23.980
something else. Thank you. Applause I[br]would like to invite all of you, if you
0:37:23.980,0:37:30.010
are interested in car hacking, to try and[br]put some OBD cable into your car because
0:37:30.010,0:37:36.120
it's very easy. You just have to pull a[br]panel to get access to your OBD port. You
0:37:36.120,0:37:40.890
will just need a Raspberry Pi, CAN shield[br]and a cable and that's pretty much all you
0:37:40.890,0:37:48.350
need. Just a few words: so you don't need[br]to take anything apart, so it's pretty
0:37:48.350,0:37:55.030
easy, you can do many interesting things[br]just by using the OBD2 port of your car,
0:37:55.030,0:38:00.550
like fuzzing and so on. But please be[br]careful, you can hurt yourself or break
0:38:00.550,0:38:04.690
your engine if it's running, so if you do[br]some fuzzing, please stop the engine
0:38:04.690,0:38:11.440
before.[br]P1kachu: Because as you saw at the
0:38:11.440,0:38:16.630
beginning, I was actually recording CAN[br]data or querying stuff while I was
0:38:16.630,0:38:23.330
driving, which was the stupidest thing I[br]did from the whole analysis. I was able to
0:38:23.330,0:38:30.340
disengage ABS by fuzzing, too - stuff like[br]this - because they have some systems that
0:38:30.340,0:38:35.740
if they receive too many invalid kind of[br]messages, they will just shut off, so I
0:38:35.740,0:38:40.350
was able to disengage stuff like this, so,[br]yeah, if you are doing stuff like this,
0:38:40.350,0:38:45.880
just don't drive while doing it, for[br]example. That's the kind of stupid mistake
0:38:45.880,0:38:52.590
you do when - or disable the airbags.[br]Guillaume: That's very important.
0:38:52.590,0:38:59.160
P: You never know.[br]G: Well, thank you again, and, yeah, if
0:38:59.160,0:39:02.810
you want to speak with us, you're more[br]than welcome. Thank you!
0:39:02.810,0:39:14.728
applause[br]Herald Angel: Thank you deep guys, I could
0:39:14.728,0:39:17.810
normally skip the car hacking talks. This[br]time it was really amusing and I'm happy
0:39:17.810,0:39:23.700
that I didn't do that. We have a lot of[br]time for questions, if you want to line
0:39:23.700,0:39:28.051
up, there's one over there or two over[br]there, one over here and one over there.
0:39:28.051,0:39:36.069
Are there questions from the audience?[br]Signal angel?
0:39:36.069,0:39:38.610
Signal Angel: So, people on the stream are[br]wondering where they can find your
0:39:38.610,0:39:43.390
software and whether you contributed any[br]signals you found to the open DBC project
0:39:43.390,0:39:46.960
that is collecting signals from the CAN[br]bus.
0:39:46.960,0:40:00.380
P: I haven't really heard about this -[br]yet. So right now, not that much, but I
0:40:00.380,0:40:06.730
will take a look at this after this. Sorry
0:40:06.730,0:40:12.170
Herald Angel: Mic 1.[br]Q: I was wondering you try to reverse
0:40:12.170,0:40:19.018
engineer to get into the secure mode so[br]that you can access all the issues. You
0:40:19.018,0:40:22.100
want to... we reverse engineer this[br]challenge/response authentication.
0:40:22.100,0:40:25.310
P: Yes.[br]Q: Why does he not try to reverse engineer
0:40:25.310,0:40:28.080
the diagnostic software that is used by[br]the dealers?
0:40:28.080,0:40:35.980
P: Because this, in French, we call this[br]valise, like luggage, and it costs, if I
0:40:35.980,0:40:42.400
recall correctly, about 5,000 Euros per car[br]manufacturer. So we went to a garage and
0:40:42.400,0:40:47.490
asked the guy "Can you lend us your[br]valise?" and he just laughed at us because
0:40:47.490,0:40:54.360
no, he didn't want to, but there are some[br]partnerships you can have. [There] is a
0:40:54.360,0:40:59.560
group of manufacturers that offer that[br]kind of information if you pay every month
0:40:59.560,0:41:05.480
a very huge sum of money.[br]Q: [...] pay 6 Euros and can be used for
0:41:05.480,0:41:10.681
an hour.[br]P: I haven't heard of it. I just saw big
0:41:10.681,0:41:15.290
numbers and I told myself, okay, I'll find[br]another way.
0:41:15.290,0:41:19.120
Herald Angel: Microphone 3.[br]Q: A great presentation. Thank you very
0:41:19.120,0:41:23.360
much. I was just wondering, how much more[br]work is needed to actually control your
0:41:23.360,0:41:36.700
car with an Xbox controller? Laughter[br]Applause
0:41:36.700,0:41:45.340
P: I was asked this question before. Not[br]that much Laughter if you find the right
0:41:45.340,0:41:52.600
guys with the right amount of knowledge.[br]The idea that you'll get, of course. You
0:41:52.600,0:41:58.980
have to find a way to control the car from[br]the CAN bus, which is not something that is
0:41:58.980,0:42:04.590
easily done. Because for all I know right[br]now, the CAN bus was only used for
0:42:04.590,0:42:11.529
broadcasting information not really using[br]this information for real-time data. We
0:42:11.529,0:42:17.250
actually tried to find some way to know[br]how the ECUs interact with each other
0:42:17.250,0:42:22.120
with Young's car. So the idea was that we[br]go to a field, I am on the passenger seat,
0:42:22.120,0:42:27.840
and he would just tell me "okay try to[br]find the ABS ECU I will brake very hard"
0:42:27.840,0:42:32.528
so he was driving fast, braking. I was[br]just checking which ECU would actually
0:42:32.528,0:42:36.080
send something different and after we've [br]tried to recreate some messages,
0:42:36.080,0:42:39.250
but without a lot of luck. [br]So from the CAN bus I don't think
0:42:39.250,0:42:46.060
that's quite possible. But they did it.[br]Nissan did it like two months ago with the
0:42:46.060,0:42:52.410
GTRC. They created a Nissan GTR that is[br]actually controlled by a gamepad
0:42:52.410,0:42:57.510
controller. But they have a full robot in[br]it just controlling the steering wheel and
0:42:57.510,0:43:01.704
pedal so it's quite easy when you have[br]money. Laughter
0:43:01.704,0:43:04.871
Herald Angel: Microphone 2 in the back,[br]please
0:43:04.871,0:43:10.930
Q: Okay, hi nice talk. Thank you. First of[br]all don't play around with the Airbags
0:43:10.930,0:43:15.660
please. I tried to reverse engineer my old[br]Mitsubishi - I'm a passionate Mitsubishi
0:43:15.660,0:43:25.610
driver - please don't try mine. You get[br]hurt, really. So my real question is: Did
0:43:25.610,0:43:33.200
you try to reverse engineer cars with an[br]older bus than OBD, ever? Because mine is
0:43:33.200,0:43:38.350
from the 90s.[br]P: Yeah, no I didn't, because I had my hands
0:43:38.350,0:43:44.330
full already with OBD. To be[br]honest before this analysis I hadn't
0:43:44.330,0:43:50.050
touched any kind of bus or any kind of car[br]systems ever. So I was really discovering
0:43:50.050,0:43:55.490
everything from scratch. So I just focused[br]on the OBD port and the CAN bus and stuff
0:43:55.490,0:44:00.420
like this. But I know there are a lot of[br]different stuff Valasek and Miller already
0:44:00.420,0:44:06.320
did different kinds of attacks on the Jeep[br]for example or the Prius with different
0:44:06.320,0:44:12.020
buses. So I ought to be looking at them[br]but right now no I didn't do anything else
0:44:12.020,0:44:15.460
from the OBD or CAN bus.[br]Herald Angel: Is there another question
0:44:15.460,0:44:25.460
from the internet? Okay otherwise mic 1.[br]Q: Sorry, just one sentence. I guess
0:44:25.460,0:44:29.140
because of the Mitsubishi stuff you've[br]mentioned the car your parents or so I
0:44:29.140,0:44:33.225
guess we should talk about the Lancer.[br]Okay?
0:44:33.225,0:44:37.198
P: Okay. laughter[br]Herald Angel: Mic 1.
0:44:37.198,0:44:43.750
Q: Thank you. There are some other buses[br]like EtherCAT or FlexRay in other car
0:44:43.750,0:44:50.860
manufacturers. What about hacking them? So[br]you also said, you already said that maybe
0:44:50.860,0:44:57.630
you will try it in the future?[br]P: Well quite the same answer also. I read
0:44:57.630,0:45:04.180
the car CAN books, so I just have a[br]little grasp of other kinds of protocols
0:45:04.180,0:45:08.290
and other stuff like this. Right now I[br]didn't do anything. I am planning on
0:45:08.290,0:45:14.600
trying different new buses but right now[br]just the - I haven't touched them I can't
0:45:14.600,0:45:20.100
answer any more honestly than this - I don't know.[br]G: The other thing is that on the OBD 2
0:45:20.100,0:45:29.860
port you just have access to the CAN bus[br]and as far as I remember the Flex bus is
0:45:29.860,0:45:36.650
internal and dedicated to high speed[br]buses. So it's not as easy to plug
0:45:36.650,0:45:43.220
yourself onto this bus because[br]you have to open your car and take things
0:45:43.220,0:45:48.860
apart and stuff like this. But it's[br]definitely interesting to look at it also.
0:45:48.860,0:45:53.110
P: Sorry.[br]Herald Angel: Okay, another question from
0:45:53.110,0:45:58.900
the 3, please.[br]Q: Oh it's 4. Okay, so just a little
0:45:58.900,0:46:04.200
hint. OBD2 is actually just half of the[br]fun so you should definitely remove your
0:46:04.200,0:46:10.070
car radio and check if there's a CAN bus[br]behind that. I know BMW have it and
0:46:10.070,0:46:15.200
there of course it's much easier to[br]control all of the fancy buttons that
0:46:15.200,0:46:20.310
you have in your car. Like window and[br]wipers and all that stuff because that's
0:46:20.310,0:46:24.930
completely unencrypted and so you can simply[br]listen on this and also send your own
0:46:24.930,0:46:27.550
commands.[br]P: Okay, so, check the other CAN bus in
0:46:27.550,0:46:30.490
the car, right?[br]Q: Yeah it's I mean it's maybe the car
0:46:30.490,0:46:35.550
radio, because you don't have to cut[br]anything just plug it off, take an adaptor
0:46:35.550,0:46:42.980
and put your own bias on that.[br]P: Thank you. Maybe another talk.
0:46:42.980,0:46:47.344
Herald Angel: And yet we have one question[br]from the internet now and then the 1.
0:46:47.344,0:46:50.616
Signal Angel: So there's a person from the[br]darknet who would like to leak you
0:46:50.616,0:46:56.300
original diagnostic software for that kind[br]of hardware and the person wants to know
0:46:56.300,0:47:01.310
whether you would be interested in that?[br]P: I haven't heard the end of the sentence
0:47:01.310,0:47:03.860
but the beginning.[br]Signal Angel: Would you be interested in a
0:47:03.860,0:47:19.550
software leak of original diagnostic[br]software? laughter Actually you don't have to
0:47:19.550,0:47:24.030
answer that because the person is outside[br]but if you want to say something you can.
0:47:24.030,0:47:30.380
P: Coughing You have my Twitter.[br]Herald Angel: Yeah question please.
0:47:30.380,0:47:36.710
Q: First thank you for your very inspiring[br]speech luckily or unfortunately I don't
0:47:36.710,0:47:40.840
own a car myself otherwise... Well, what I[br]wanted to say was, you now have your hands
0:47:40.840,0:47:46.770
on a few Volkswagens. If you could choose[br]a car yourself what brand would you like
0:47:46.770,0:47:53.630
to monitor.[br]P: Ah, to monitor. Actually, what I wanted
0:47:53.630,0:47:58.760
but I haven't taken the time right now,[br]was to play with the Lancer, the big mother's
0:47:58.760,0:48:03.060
bus, because it has UConnect and as far as[br]I remember it was one of the attack
0:48:03.060,0:48:10.390
vectors Miller and Valasek used in the past,[br]so I think I would go with the one with
0:48:10.390,0:48:16.440
full features everywhere and remove parts[br]to be able to get to the fun stuff. So I
0:48:16.440,0:48:21.600
would take one with a lot of electronics,[br]not too much, because it's expensive, but
0:48:21.600,0:48:26.890
at least a bit of electronics, so that I[br]could remove stuff and do interesting and
0:48:26.890,0:48:29.800
nice stuff.[br]Herald Angel: Thank you okay and another
0:48:29.800,0:48:35.200
one over there.[br]Q: Hi thank you and I enjoyed your talk. I
0:48:35.200,0:48:42.380
think I read you already online or I read[br]something about doing that what what you
0:48:42.380,0:48:48.380
have done. It's really fun, just a few[br]corrections to the last part - the
0:48:48.380,0:48:55.320
transceiver does not do any error[br]correction, it's just a transceiver. And
0:48:55.320,0:49:02.250
there are chips actually available which[br]have a Cortex-M0 and D transceiver on chip
0:49:02.250,0:49:04.380
for few bucks.[br]P: Okay.
0:49:04.380,0:49:10.900
Q: So those chips exist and are used in[br]automotive and just for your fun for next
0:49:10.900,0:49:18.000
year: choose the right car just depending[br]that question from that girl. There are
0:49:18.000,0:49:25.880
car manufacturers who can do networking[br]and who can do and your... let's say you
0:49:25.880,0:49:32.734
are candy with the right brands. Like the[br]Italian.
0:49:32.734,0:49:36.720
P: Thank you very much. I have way more[br]information than when I started this talk
0:49:36.720,0:49:45.390
which isn't much what I expected at first.[br]Herald Angel: I would say final question
0:49:45.390,0:49:48.250
Mic 1.[br]Q: Very small question but did you
0:49:48.250,0:49:52.250
consider lifting the front wheels instead[br]of starting the engine to make it steer
0:49:52.250,0:50:03.590
easy.[br]P: Yes, I put it on parpaing - the block[br]of cement you find - but it's not the
0:50:03.590,0:50:10.760
easiest part. What would be easier what[br]was done was to put cardboard under the
0:50:10.760,0:50:15.760
wheels to make it easier with a little bit[br]of oil to turn but here to be able to play
0:50:15.760,0:50:22.180
without the engine turned on and with[br]assisted direction. Kind of putting the
0:50:22.180,0:50:27.460
car on a car lift would be the safest way.[br]Because just putting the front wheels I
0:50:27.460,0:50:30.550
wouldn't see anything from the windscreen[br]which would be a bit disappointing.
0:50:30.550,0:50:38.304
laughter And yes, indeed I plan to put[br]it on a car lift soon.
0:50:38.304,0:50:41.850
Herald Angel: Anyone who didn't get the chance[br]to pass the question on stage, I'm sure that
0:50:41.850,0:50:46.310
the speakers can be approached next to[br]it. Thank you again for being here and
0:50:46.310,0:50:47.840
drift on.[br]P: Thank you very much.
0:50:47.840,0:50:49.365
G: Thank you.
0:50:49.365,0:50:56.483
Applause
0:50:56.483,0:51:08.945
34C3 postroll music
0:51:08.945,0:51:18.000
subtitles created by c3subtitles.de[br]in the year 2020. Join, and help us!