1
00:00:00,000 --> 00:00:14,630
33C3 preroll music
2
00:00:14,630 --> 00:00:18,544
Herald Angel: And without further ado,
please welcome Guillaume and P1kachu on
3
00:00:18,544 --> 00:00:24,501
stage now.
applause
4
00:00:24,501 --> 00:00:34,460
Guillaume: Thank you.
P1kachu: Okay. So hi everybody. Hi bingu.
5
00:00:34,460 --> 00:00:42,143
So we are going to present what we've been
doing lately with cars actually. So who
6
00:00:42,143 --> 00:00:48,508
are we? My name is Stanislas Lejay
"P1kachu". I'm an IT student in EPITA a
7
00:00:48,508 --> 00:00:54,260
school in France and I'm part of EPITA's
system and security laboratory, the LSE.
8
00:00:54,260 --> 00:00:58,856
I'm currently an intern at Quarkslab. I
like a lot of stuff, like reverse
9
00:00:58,856 --> 00:01:03,639
engineering, everything that is related to
cars or mechanics and if there is
10
00:01:03,639 --> 00:01:08,720
something stupid to do I shall already be
doing it. And with me will be Guillaume
11
00:01:08,720 --> 00:01:12,400
Heilles.
Guillaume: Hello my name is Guillaume. I
12
00:01:12,400 --> 00:01:18,719
work at Quarkslab as a security
engineer. I'm quite new to the security
13
00:01:18,719 --> 00:01:25,180
field as I worked in the industry before.
And I switched to the security field
14
00:01:25,180 --> 00:01:29,950
because it's very fun and I like to
reverse almost everything and I will give
15
00:01:29,950 --> 00:01:35,857
a small talk about reversing a piece of
hardware that you can find in an
16
00:01:35,857 --> 00:01:43,500
automobile.
P: So what is this talk about? This
17
00:01:43,500 --> 00:01:47,219
talk will be in two different parts the
first one is how to drift with any car.
18
00:01:47,219 --> 00:01:52,950
And it's an introduction to automotive
systems, what you can do with them and what
19
00:01:52,950 --> 00:01:56,979
we actually did with them. And the second
part, whose name is "how to properly write
20
00:01:56,979 --> 00:02:02,988
an Amazon review", you'll see why just
after, is OBD dongle. So analysis, reverse
21
00:02:02,988 --> 00:02:09,075
engineering, stuff like this. So first
part "drifting with any car". The idea is
22
00:02:09,075 --> 00:02:12,970
that I'm a student, so I work at my
school's lab, so I had to find a way to
23
00:02:12,970 --> 00:02:18,792
explain why I was bringing different cars
every day at my school's garage. So the
24
00:02:18,792 --> 00:02:24,370
official goal was to look at how a car works,
and what arose from this is: what can I do,
25
00:02:24,370 --> 00:02:30,420
what can one do with a modern car system.
The restriction I had was that since I'm a
26
00:02:30,420 --> 00:02:35,426
student I'm poor so I don't have a lot of
money and I don't have a lot of cars. So I
27
00:02:35,426 --> 00:02:40,074
was actually taking my family's different
cars and trying to analyze them. So I
28
00:02:40,074 --> 00:02:47,946
wasn't able to break anything
or remove any parts from the car. So the
29
00:02:47,946 --> 00:02:54,931
test subjects, which cars was I
playing with? I had five or six of them.
30
00:02:54,931 --> 00:03:00,774
The first one for posterity, is mine
actually. It's a 2006 Volkswagen Polo.
31
00:03:00,774 --> 00:03:05,370
What is nice is that you can spend the
whole day trying to find some messages on
32
00:03:05,370 --> 00:03:11,190
your bus. If your car is too old there are
no messages. So you can take the
33
00:03:11,190 --> 00:03:16,310
oscilloscope and try to find them, you
won't find them. Anyway, just before doing
34
00:03:16,310 --> 00:03:23,689
anything, try to think: is the thing I'm
looking for already in there? The second car
35
00:03:23,689 --> 00:03:28,395
is my grandmother's car, it's a Volkswagen
Polo of 2013. And the last guy we'll talk
36
00:03:28,395 --> 00:03:35,656
about is my mom's Fiat 500 convertible.
It's from 2010. The dates are important
37
00:03:35,656 --> 00:03:41,990
because the CAN bus I will talk about just
after is quite recent in a way that
38
00:03:41,990 --> 00:03:48,654
security on the CAN bus changes greatly
from one year to another. So the CAN bus I
39
00:03:48,654 --> 00:03:54,980
was playing with on this car was quite
different from the 2013 Volkswagen Polo
40
00:03:54,980 --> 00:04:01,505
for example. Okay, so talking with the
car. So this is the introduction part, so
41
00:04:01,505 --> 00:04:04,590
if people already know about what I'm
going to talk about, but I want everybody
42
00:04:04,590 --> 00:04:10,410
to be on the same first step. So first of
all an ECU it stands for electronic
43
00:04:10,410 --> 00:04:15,437
control unit and it's a small computer
that you get all around your car. So there
44
00:04:15,437 --> 00:04:20,100
are many of them. You can have at most 70
of them in very modern cars and take
45
00:04:20,100 --> 00:04:24,858
control different parts of it. So you have
the engine, the powertrain, the
46
00:04:24,858 --> 00:04:29,997
transmission, ABS, stuff like this. And
they talk to each other on what we call
47
00:04:29,997 --> 00:04:37,029
the CAN bus. The CAN bus is a message
based broadcast protocol. Messages are
48
00:04:37,029 --> 00:04:41,532
mostly composed of two important things
which are the arbitration ID which, I will
49
00:04:41,532 --> 00:04:49,167
refer to ID from now on, they can be 11 or
29 bits long and you have data. Data is 8
50
00:04:49,167 --> 00:04:53,120
bytes long in a standard CAN
message, but there are on-top protocols that
51
00:04:53,120 --> 00:04:58,560
can group messages together to get bigger
lengths of data. What is interesting is
52
00:04:58,560 --> 00:05:04,090
that it's a broadcast protocol, so the
collision detection system is based on the
53
00:05:04,090 --> 00:05:10,130
ID. The lower your ID, the higher your
priority. So a very important CAN message
54
00:05:10,130 --> 00:05:17,180
will have a very low ID; it will be sent
from an ECU that has a very low ID, and less
55
00:05:17,180 --> 00:05:22,040
important ones will have a bigger
arbitration ID. How do you talk to your
56
00:05:22,040 --> 00:05:26,810
CAN bus without cutting any wire in the
car? For this you see there is the OBD2
57
00:05:26,810 --> 00:05:31,800
port, so OBD stands for on-board diagnostics
and is the vehicle's self-diagnostic and
58
00:05:31,800 --> 00:05:36,980
reporting capability. When you are driving,
you have a LED that starts to blink
59
00:05:36,980 --> 00:05:41,120
on your dashboard saying "ok something's
wrong", you bring your car to your car
60
00:05:41,120 --> 00:05:45,670
repair shop and the car repair guy will
just plug himself into this port, which is
61
00:05:45,670 --> 00:05:53,074
located around the steering wheel often
and query information using PIDs. So a PID
62
00:05:53,074 --> 00:05:57,620
is a parameter ID. It means "okay I want
to have information about for example the
63
00:05:57,620 --> 00:06:02,870
RPM or the speed or the fuel level
something like this" and you can set or
64
00:06:02,870 --> 00:06:07,962
reset diagnostic trouble codes a
diagnostic trouble code means "ok
65
00:06:07,962 --> 00:06:12,847
something is wrong with this part of the
car" for example. Here is my setup. So
66
00:06:12,847 --> 00:06:20,030
with just a Raspberry Pi, a PiCAN 2 shield
and a DB9 to OBD2 cable, I was able to
67
00:06:20,030 --> 00:06:26,054
have a full Linux that can understand
CAN messages and talk with the CAN bus. So
68
00:06:26,054 --> 00:06:30,090
with that I could just communicate with my
car without breaking anything, which is
69
00:06:30,090 --> 00:06:35,850
quite nice. What does it look like? So in
Python, I just import can, so it's
70
00:06:35,850 --> 00:06:40,960
a standard package, python-can, you create
an interface, so it's SocketCAN, so it's
71
00:06:40,960 --> 00:06:45,260
like any kind of interface you just create
a can0 interface and you can communicate
72
00:06:45,260 --> 00:06:50,912
with your CAN bus. You create your
message, so the data is here. What is
73
00:06:50,912 --> 00:06:55,728
important is that the first byte tells how
many bytes are important in the message.
74
00:06:55,728 --> 00:07:01,420
You can have 8 bytes of data. The number
of bytes processed will be this number, so
75
00:07:01,420 --> 00:07:06,669
like there it says "ok, there are only 2
bytes of data that are interesting, just
76
00:07:06,669 --> 00:07:11,880
discard the 5 other ones.". Here, it asks
for the first mode, so OBD has different
77
00:07:11,880 --> 00:07:18,350
modes. The first mode says "Okay, I want
the current value of what I'm looking for"
78
00:07:18,350 --> 00:07:24,560
and 0x0c is RPM. So I want the current
value of the RPM. If I put two there, it's
79
00:07:24,560 --> 00:07:29,540
the second mode and it asks for the RPM
when the last data trouble code was
80
00:07:29,540 --> 00:07:33,230
actually set. You have different like
that, but what interested me was "Okay
81
00:07:33,230 --> 00:07:40,861
what is a current RPM?". You create your
message, 0x7df is the classic ID for
82
00:07:40,861 --> 00:07:49,594
diagnostic tools, so most ECUs will answer
to OBD queries if you have this ID. On 29
83
00:07:49,594 --> 00:07:55,419
bits, it depends on the car, on the Fiat
500, for example, it was this one. You
84
00:07:55,419 --> 00:08:02,060
send your message, you get your answer and
that's it. Okay, so this was the theory:
85
00:08:02,060 --> 00:08:06,900
how do you talk, but how did I actually
talk with my cars? So the first OBD answer
86
00:08:06,900 --> 00:08:12,320
I was able to get was on my grandmother's
Polo. It's quite a recent car, 2013, so
87
00:08:12,320 --> 00:08:17,150
there was a gateway, a sort of firewall
between the OBD2 port and the actual CAN
88
00:08:17,150 --> 00:08:22,770
bus. So when I plugged myself to the CAN
bus, I wouldn't receive anything unless I
89
00:08:22,770 --> 00:08:28,460
send an OBD query. I would receive my
answer but that's all. Else, the bus would
90
00:08:28,460 --> 00:08:34,029
be completely silent. So here are some
examples, so this is the one from just
91
00:08:34,029 --> 00:08:39,429
before, how can I get the RPM, so this is
the value of the RPM. Here, I can get the
92
00:08:39,429 --> 00:08:44,425
engine coolant temperature, very
important, so the idea is that it answers
93
00:08:44,425 --> 00:08:52,100
83 and 83 is 131 degrees. The idea is that
you are working with unsigned bytes, so if
94
00:08:52,100 --> 00:08:58,740
you want to get a negative temperature,
the standard tells you to subtract 40 from
95
00:08:58,740 --> 00:09:06,819
your temperature. If you are outside of
-40 or 215 degrees, you have other
96
00:09:06,819 --> 00:09:14,821
problems than your coolant temperature.
So, seems to work. Okay, nice. So,
97
00:09:14,821 --> 00:09:18,490
displaying everything. This was to explain
to my grandmother why I was stealing her
98
00:09:18,490 --> 00:09:23,329
car for two weeks right now. So, with
this, I'm able to get the RPM, the speed,
99
00:09:23,329 --> 00:09:28,059
engine coolant temperature, always very
important, throttle and accelerator pedal
100
00:09:28,059 --> 00:09:33,679
position and the elapsed time since
engine started. So anyway, kind of
101
00:09:33,679 --> 00:09:40,812
graphical, my grandmother understands,
everybody's happy. Right, so right now I
102
00:09:40,812 --> 00:09:45,843
can query standard OBD PIDs, I can have
the RPM, speed, fuel level, anything you
103
00:09:45,843 --> 00:09:51,378
would want to have on your dashboard, but
if you want to get some probably more
104
00:09:51,378 --> 00:09:57,009
interesting stuff, you have to go with the
constructor-specific PIDs. For example,
105
00:09:57,009 --> 00:10:00,259
the steering wheel position, brake and
clutch pedal, gearbox status light or
106
00:10:00,259 --> 00:10:05,059
blinkers are constructor-specific, so you
have to break stuff to be able to find
107
00:10:05,059 --> 00:10:11,073
them or be very good friends with the
manufacturer, which I'm not. Nice, we
108
00:10:11,073 --> 00:10:18,093
can query stuff, mostly. Can we modify
anything interesting from OBD? Because,
109
00:10:18,093 --> 00:10:23,900
still, I don't want to mess with the car
by cutting any wire. So first issue: what
110
00:10:23,900 --> 00:10:28,810
protocol am I actually talking to? There
are on-top protocols like KWP, which
111
00:10:28,810 --> 00:10:33,642
is Keyword Protocol 2000, Unified
Diagnostic Services is OTP, the Volkswagen
112
00:10:33,642 --> 00:10:38,860
version of ISO-TP, like really, and stuff
like this. Which protocol am I talking to?
113
00:10:38,860 --> 00:10:44,730
Okay, let's just brute-force by sending
the classic introduction kind of message
114
00:10:44,730 --> 00:10:52,466
and try to find a valid answer. With
this on the 2013 Polo, I could speak UDS.
115
00:10:52,466 --> 00:10:57,319
So UDS enables different kinds of things,
like resetting ECUs, which can be quite
116
00:10:57,319 --> 00:11:04,069
interesting, querying specific PIDs, reading DTC
information, stuff like this. However,
117
00:11:04,069 --> 00:11:08,550
nice stuff, like dumping the firmware, is
only available through a security session.
118
00:11:08,550 --> 00:11:13,020
And the security session on this car requires
an authentication through a challenge
119
00:11:13,020 --> 00:11:19,020
response kind of algorithm, so here is the
example: I would start a diagnostic
120
00:11:19,020 --> 00:11:25,279
session, UDS diagnostic session, first,
then query for seed to get through the
121
00:11:25,279 --> 00:11:30,579
security session, compute my answers, send
it back, the cars compute its own answer,
122
00:11:30,579 --> 00:11:35,820
compare, and I would fail, because I would
just send the seed back, like, maybe they
123
00:11:35,820 --> 00:11:40,959
didn't implement a real algorithm, you
never know. But hey, okay, well done
124
00:11:40,959 --> 00:11:46,819
Volkswagen, they did it quite well.
Actually, the car has a four-byte seed,
125
00:11:46,819 --> 00:11:50,864
which is different at each try. This is
important to notice because on Guillaume's
126
00:11:50,864 --> 00:11:57,633
car, it's a 2-byte seed, which is always
the same. You have more than three seconds
127
00:11:57,633 --> 00:12:02,649
required between each try and if you fail
multiple times, it will just freeze for ten
128
00:12:02,649 --> 00:12:06,740
minutes if you don't want to remove the
battery, all that kind of complicated
129
00:12:06,740 --> 00:12:12,699
stuff. So, how to break this? Brute-force?
Way too long. Timing attack would be too
130
00:12:12,699 --> 00:12:18,129
unstable because of the priority-kind of
thing, because you can just get delayed by
131
00:12:18,129 --> 00:12:23,554
other more important messages and so it
will delay your timing attack. Disassemble
132
00:12:23,554 --> 00:12:27,629
the car is out of the question, you know
why, and getting parts from a repair shop is
133
00:12:27,629 --> 00:12:31,492
tedious. You know, get an ECU, try to
recreate the CAN bus around, stuff like
134
00:12:31,492 --> 00:12:37,874
this, and I'm broke, so I don't have any
money. Okay, so, my car, let's sum up, way
135
00:12:37,874 --> 00:12:42,710
too old. My grandmother's car, a bit too recent
because of the gateway, my family's car is
136
00:12:42,710 --> 00:12:47,499
a Lancia Voyager 2014, so even more
recent, but it has Uconnect, so maybe for
137
00:12:47,499 --> 00:12:56,809
another time. Who's left? Oh, mommy? So,
my mom has a 2010 Fiat 500 convertible,
138
00:12:56,809 --> 00:13:01,929
she loves it, so she doesn't like when I
take it and she even more doesn't like when
139
00:13:01,929 --> 00:13:12,570
I tried to do stuff with it. So one night
I stole the key. Laughter Sorry. And I
140
00:13:12,570 --> 00:13:17,929
tried to plug myself in and oh! It talks, it
talks a lot. In four seconds, I was able
141
00:13:17,929 --> 00:13:23,896
to get around 2000 messages, so it's about
500 messages per second. There is no
142
00:13:23,896 --> 00:13:28,300
gateway, so I have a lot of broadcasted
messages already. They are from a few
143
00:13:28,300 --> 00:13:32,670
different arbitration IDs, so a few
different ECUs are actually talking on
144
00:13:32,670 --> 00:13:38,274
this bus. When I'm in the car, I tried
pressing random buttons and I see that the
145
00:13:38,274 --> 00:13:43,190
data evolves, so the nice funny things to
do is to try to understand what each
146
00:13:43,190 --> 00:13:49,499
message means. It's quite tricky with
candump, which is the standard Linux util
147
00:13:49,499 --> 00:13:55,377
which will just flood your stdout with CAN
messages, but Python CAN monitor helps a
148
00:13:55,377 --> 00:14:02,046
lot by grouping messages by arbitration
ID. So here I'm in the Fiat 500 and I am
149
00:14:02,046 --> 00:14:07,749
driving actually, and you can see the
different arbitration ID there and the
150
00:14:07,749 --> 00:14:12,569
data that is evolving. The two last ones,
which are way bigger, are the standard
151
00:14:12,569 --> 00:14:19,179
OBD, meaning that okay, I have a priority
that is way lower than the other kind of
152
00:14:19,179 --> 00:14:27,547
messages. So, reversing a bit, what can we
find? I found the speed, four times, the
153
00:14:27,547 --> 00:14:33,528
values were quite different but quite
close anyway, so was it at four different
154
00:14:33,528 --> 00:14:37,667
times or at the four different wheels? And
it was actually at the four different
155
00:14:37,667 --> 00:14:43,703
wheels, because when I turned it would
change drastically two values out of four.
156
00:14:43,703 --> 00:14:47,579
I have the clutch pedal with respect to
the accelerator: am I accelerating while
157
00:14:47,579 --> 00:14:53,329
depressing or pressing the clutch, the
brake data, are the doors closed, which ones
158
00:14:53,329 --> 00:14:58,179
are closed, is the contact on, is the
handbrake up or down, and this one is quite
159
00:14:58,179 --> 00:15:05,187
interesting because it would change every
minute. Actually it's the time and date.
160
00:15:05,187 --> 00:15:12,639
So it was 9:00 p.m. on the 24th May of
2017 meaning that they created an ECU
161
00:15:12,639 --> 00:15:17,619
whose only job was to send the
current time and date, readable in
162
00:15:17,619 --> 00:15:23,844
hexadecimal format on the CAN dump like
this.
163
00:15:23,844 --> 00:15:27,939
laughter
But that was, I found it funny, I've a
164
00:15:27,939 --> 00:15:33,600
weird sense of humor, anyway so this thing
even masters this time to explain to my
165
00:15:33,600 --> 00:15:38,940
mother what I'm doing with her car, so this
was a kind of capture I was doing from my
166
00:15:38,940 --> 00:15:43,889
school to my home like I was recording
what I was doing in the car, recording at
167
00:15:43,889 --> 00:15:47,433
the same time a CAN dump and displaying
what I could display so I have the
168
00:15:47,433 --> 00:15:52,619
handbrake, start and stop and engine is on
okay it seems to be the doors are closed
169
00:15:52,619 --> 00:16:00,364
hopefully okay. So this was quite fun
to do actually. Okay what can we do with
170
00:16:00,364 --> 00:16:04,540
that? Can we do something useful for
humanity can we do maybe something a
171
00:16:04,540 --> 00:16:08,562
little bit challenging or else it's
absolutely not interesting? How can I at
172
00:16:08,562 --> 00:16:16,375
least put something on my resume after
that something I can be proud of? Yes or
173
00:16:16,375 --> 00:16:22,202
we could try to do something completely
stupid and that's what I was I mean to do.
174
00:16:22,202 --> 00:16:30,850
So I created CANPad. The idea of CANPad is
that with the steering wheel or brake and
175
00:16:30,850 --> 00:16:43,059
an accelerator pedal you can drive any car
in any video game. So.. Laughter
176
00:16:43,059 --> 00:16:55,450
Applause
So that's what I did. I take the CAN
177
00:16:55,450 --> 00:17:01,420
messages from the OBD sensors, pass them
to a python-can client and feed
178
00:17:01,420 --> 00:17:06,937
them through libuinput to be able to
create a virtual gamepad and plays it in
179
00:17:06,937 --> 00:17:14,888
V-Drift. So V-drift is an open-source
racing game that allows one to play on
180
00:17:14,888 --> 00:17:20,212
Linux through at least libuinput. So
this is a start and stop button that I use
181
00:17:20,212 --> 00:17:28,240
as a toggle to send data and here I'm
driving with my mum's car, a car in a
182
00:17:28,240 --> 00:17:30,240
video game.
driving noise
183
00:17:30,240 --> 00:17:34,840
So I have the steering wheel, the handbrake,
all the pedals; it's quite hard
184
00:17:34,840 --> 00:17:38,285
to drive right now.
laughter
185
00:17:38,285 --> 00:17:46,970
And my official goal is to drift. So at
first I have to learn how to drive at all.
186
00:17:46,970 --> 00:17:56,539
It was actually quite nice when I managed
to do anything at all. So you can see that
187
00:17:56,539 --> 00:18:07,309
data is only like 16 bytes long and
music
188
00:18:07,309 --> 00:18:19,850
applause
That's the best drift I was able to do on
189
00:18:19,850 --> 00:18:26,590
this game. So I was actually quite
disappointed right now. So features and
190
00:18:26,590 --> 00:18:30,597
limitation of this. So the features is
what I was explaining right now. But the
191
00:18:30,597 --> 00:18:35,539
limitations are that the engine needs to be
running because else I don't have the
192
00:18:35,539 --> 00:18:42,799
assisted direction which makes the wheel
quite hard to turn. Also on a real car if
193
00:18:42,799 --> 00:18:47,771
you release the steering wheel, it will by
itself try to match the car direction,
194
00:18:47,771 --> 00:18:52,651
which I don't have so I would just spend
all my time turning the wheel. And the
195
00:18:52,651 --> 00:18:58,530
control simplicity going through libuinput
limits it to V-Drift because no
196
00:18:58,530 --> 00:19:04,809
other Linux game recognized my virtual
gamepad as a real one. So I was quite sad
197
00:19:04,809 --> 00:19:10,760
and but I really wanted to drift. Oh wait
I created another version which is CANpad
198
00:19:10,760 --> 00:19:18,440
v2. With CANpad v2 I just understood that with
a real gamepad, an Xbox, an Xbox
199
00:19:18,440 --> 00:19:24,429
gamepad. If I plug the Xbox gamepad and
don't touch anything no inputs will be
200
00:19:24,429 --> 00:19:30,510
sent. On the other hand if I put a PS4
gamepad and don't touch anything it will
201
00:19:30,510 --> 00:19:35,779
flood the status of every button all the
time so what I would do is take the Xbox
202
00:19:35,779 --> 00:19:41,172
controller put it on the table and hijack
its port to send data instead of it. So I
203
00:19:41,172 --> 00:19:45,030
would have a real, a real plugged-in
controller that is recognized by nicer
204
00:19:45,030 --> 00:19:51,926
games like V-Drift, like DiRT and I could
send inputs by myself. I changed a
205
00:19:51,926 --> 00:19:58,049
few things like the gas pedal because I had
to floor it in the real world to floor it in the
206
00:19:58,049 --> 00:20:07,808
game which was quite fuel consuming, the
steering wheel rotation was adjusted so
207
00:20:07,808 --> 00:20:13,509
that it matches, it matches rally cars
like if I turn it 180 degrees it will turn
208
00:20:13,509 --> 00:20:17,360
all the way in the game so quite nice, and
I found the direct command to query the
209
00:20:17,360 --> 00:20:22,350
brake. In the next
video you'll see that when I turn abruptly
210
00:20:22,350 --> 00:20:26,679
in the game and I release at the same time
the brake the wheel will take a little bit
211
00:20:26,679 --> 00:20:32,100
of time before stopping to turn because I
have a small delay. But now I have the
212
00:20:32,100 --> 00:20:39,514
real input so it's way easier. so:
demonstration. So, some sensors:
213
00:20:39,514 --> 00:20:50,840
soundtrack Start and Stop soundtrack
I just wanted the music. So, anyway, as you
214
00:20:50,840 --> 00:20:56,377
can see it's way easier to play because of
the steering wheel which was adjusted it's
215
00:20:56,377 --> 00:21:11,130
way nicer to drift in it. I can do the
crane drift
216
00:21:11,130 --> 00:21:19,750
applause soundtrack
my brothers were very fond of this. My
217
00:21:19,750 --> 00:21:23,164
mother was only thinking about her tires
right now
218
00:21:23,164 --> 00:21:31,139
audience laughing
soundtrack
219
00:21:31,139 --> 00:21:37,840
Anyway. Sorry. I'll give you the title of
the song later if you want. So I can now
220
00:21:37,840 --> 00:21:43,929
drift with my front-wheel drive car in any
kind of video game, which is almost quite
221
00:21:43,929 --> 00:21:50,299
very nice. So possible upgrades - yes
there're always upgrades: I could get the
222
00:21:50,299 --> 00:21:54,741
gearbox status, to put the car on the lift
and try to put it in manual, which would
223
00:21:54,741 --> 00:22:01,490
be a bit more lifelike, and
create a better gamepad so that I'm able
224
00:22:01,490 --> 00:22:07,650
to race on Windows because right
now it's only on Linux. Okay, this was fun
225
00:22:07,650 --> 00:22:12,220
but it was actually consuming a lot of gas
for nothing. So with Guillaume we tried to
226
00:22:12,220 --> 00:22:17,320
find a way to reduce gas consumption and
that's what he is going to talk
227
00:22:17,320 --> 00:22:20,098
to you about right now.
Guillaume?
228
00:22:20,098 --> 00:22:29,710
Guillaume: Thank you, Stan.
Applause
229
00:22:29,710 --> 00:22:33,996
So, Stan had a little problem about the
gas consumption and a friend of ours told
230
00:22:33,996 --> 00:22:40,223
us about this little Nitro OBD dongle
which is supposed to save fuel. It's sold
231
00:22:40,223 --> 00:22:45,500
on Amazon and the reviews are quite good
so we said "ok, strange but ok" let's try
232
00:22:45,500 --> 00:22:53,590
it. First of all just a reminder about the
- what is an OBD2 dongle? An OBD2 dongle
233
00:22:53,590 --> 00:23:01,610
is a small device that you plug into the
OBD2 port of your car. Any recent car has
234
00:23:01,610 --> 00:23:07,317
an OBD2 port you can find it by googling
the model of your car and OBD2 port and
235
00:23:07,317 --> 00:23:12,590
you will find a picture of it and the
interesting thing is that you just have to
236
00:23:12,590 --> 00:23:18,299
pull the panel to access to your OBD2 port
and it's very cool because we don't have
237
00:23:18,299 --> 00:23:24,519
to take anything apart or whatever. So,
just buy the thing on Amazon, pull the
238
00:23:24,519 --> 00:23:32,159
panel and put it there. That's all. So,
this dongle is supposed to save fuel by
239
00:23:32,159 --> 00:23:40,670
reprogramming the main ECU - the engine
ECU of your car. And this is done for
240
00:23:40,670 --> 00:23:46,745
quite some time: This is known as chip
tuning and you can find it on the internet. It
241
00:23:46,745 --> 00:23:51,965
works pretty well, it will break your
warranty, but the very interesting
242
00:23:51,965 --> 00:23:57,580
thing about this dongle is that you will
not break your warranty because, if you
243
00:23:57,580 --> 00:24:02,191
remove it you will go back to factory
settings and this is very new. So, it
244
00:24:02,191 --> 00:24:10,981
works on any car, well any recent car and
well it seems to work really well. Ok so
245
00:24:10,981 --> 00:24:17,259
why did we reverse engineer this dongle?
Because it's just an amazing piece of
246
00:24:17,259 --> 00:24:24,759
hardware. If you think about it: it works
on any car and it also reprograms any car
247
00:24:24,759 --> 00:24:31,340
so it must contain all authentication
codes. Stan explained the challenge and
248
00:24:31,340 --> 00:24:38,559
response mechanisms so this one must
contain all of them. It will also contain
249
00:24:38,559 --> 00:24:45,809
the reprogramming software for any car of
any manufacturer and this is also just
250
00:24:45,809 --> 00:24:51,480
amazing and I just wanted to have a look
at this and it is able to adapt itself to
251
00:24:51,480 --> 00:24:55,350
the way you are driving for a few
kilometers then it will reprogram your
252
00:24:55,350 --> 00:25:00,570
engine and I say wow there must be a very
smart algorithm inside this very small
253
00:25:00,570 --> 00:25:06,261
piece of hardware and I just wanted to
have a look at this software. As I said
254
00:25:06,261 --> 00:25:14,570
also - it also modifies the RAM of your
engine and I was not aware of anything
255
00:25:14,570 --> 00:25:20,092
that will be able to do that because from
the things I know about chip tuning it
256
00:25:20,092 --> 00:25:24,990
will change the flash of your ECU. That's
why the warranty is broken but not this
257
00:25:24,990 --> 00:25:28,809
one, not this one. And this is just
amazing. I just wanted to have a look at
258
00:25:28,809 --> 00:25:35,009
the source code, well, the binary. Ok so.
The first thing about reverse engineering
259
00:25:35,009 --> 00:25:42,179
such a piece of hardware is monitoring the
CAN signals to see if it's talking and
260
00:25:42,179 --> 00:25:49,453
what he - what it is doing exactly if it's
opening security sessions or not. Well,
261
00:25:49,453 --> 00:25:56,029
all this stuff. So, here you see in my
car. There is the OBD2 port right there
262
00:25:56,029 --> 00:26:02,110
and I used the same configuration as Stan
to record the CAN messages which is a
263
00:26:02,110 --> 00:26:07,331
Raspberry Pi here and the PiCAN 2 shield
and, well, just for fun, a PicoScope to
264
00:26:07,331 --> 00:26:13,309
check the signals and a computer to - to
monitor this. The thing is you just have
265
00:26:13,309 --> 00:26:19,389
one OBD2 port in a car and - here - and
you cannot plug at the same time the
266
00:26:19,389 --> 00:26:28,850
dongle like - like this and the
wires for the Raspberry Pi. So we took
267
00:26:28,850 --> 00:26:36,500
apart the dongle and after a bit of
reversing the PCBs we found the CAN lines
268
00:26:36,500 --> 00:26:42,029
and ground and we just soldered three
wires on it. And with using this approach
269
00:26:42,029 --> 00:26:48,879
you can reverse the messages sent on the
bus. The interesting thing is that as you
270
00:26:48,879 --> 00:26:53,257
are plugged directly on the dongle
you will monitor exactly what the
271
00:26:53,257 --> 00:27:01,610
dongle is doing and what he's seeing. Just
for reference you just have three wires to
272
00:27:01,610 --> 00:27:09,831
put in a car to hijack or to communicate
on the CAN bus. Those are CAN high, CAN
273
00:27:09,831 --> 00:27:17,597
low and the ground and that's basically
all you need to connect to a CAN bus. Just
274
00:27:17,597 --> 00:27:24,605
for reference: you can find on today's
cars you can find many many CAN buses in
275
00:27:24,605 --> 00:27:31,610
in the different parts of the car. So the
OBD2 port is just more accessible but it's
276
00:27:31,610 --> 00:27:41,632
basically another CAN bus just like
another one. Okay. So, we did two
277
00:27:41,632 --> 00:27:48,429
measurements: one with basically no OBD
dongle plugged in and one with
278
00:27:48,429 --> 00:27:53,289
the OBD dongle plugged in. Stan explained
in the first part of the presentation that
279
00:27:53,289 --> 00:28:00,580
every CAN message is sent by an ECU and
the identifier of the ECU is called the
280
00:28:00,580 --> 00:28:07,169
message ID and the lower it is, the higher
the priority is. Here you are the most - you
281
00:28:07,169 --> 00:28:12,610
have the most prior - you have the message
with the - the biggest priority and here
282
00:28:12,610 --> 00:28:18,201
with the lowest priority and you see here
the - the content of the messages. The
283
00:28:18,201 --> 00:28:22,821
thing is, if you look at the lists of the
message IDs - here - and the list of the
284
00:28:22,821 --> 00:28:27,751
of the message IDs - here - you can see:
it's the same list. Basically it means
285
00:28:27,751 --> 00:28:35,150
that no other ECU was talking on the bus
when we plugged the OBD - the Nitro OBD2
286
00:28:35,150 --> 00:28:39,690
dongle. So, it means that the dongle
basically doesn't speak at all on the CAN
287
00:28:39,690 --> 00:28:45,033
bus. And that's too bad, because we said: how
is it possible that it works if it's not
288
00:28:45,033 --> 00:28:54,994
talking on the CAN bus? Okay. Is it over,
is it just not working? Well not really. The
289
00:28:54,994 --> 00:29:02,780
dongle is advertised as working after 120
kilometres. It will just listen silently
290
00:29:02,780 --> 00:29:08,621
to the way you are driving, then reprogram
your engine after this small amount of
291
00:29:08,621 --> 00:29:15,279
kilometres. So it was still possible that
the dongle was not sending anything during
292
00:29:15,279 --> 00:29:20,790
the first kilometers. And - but we
couldn't just monitor the CAN bus during
293
00:29:20,790 --> 00:29:28,289
such a big period of time and so we needed
another approach and we chose to reverse
294
00:29:28,289 --> 00:29:36,610
the PCB. If you take the dongle apart, you
can see two PCBs. The first one here is
295
00:29:36,610 --> 00:29:43,630
just connected on the OBD2 port and the
other one seems to contain, well,
296
00:29:43,630 --> 00:29:49,139
something. Okay, so this is a picture of
the first one. As you can see, there are no
297
00:29:49,139 --> 00:29:56,990
components on it at all. It's just routing
the CAN wires from there to the second
298
00:29:56,990 --> 00:30:02,609
board. So okay, let's go on, and the
second one is more interesting. On the
299
00:30:02,609 --> 00:30:07,183
front side, you can see, well, a few
components, but there are not so many. You
300
00:30:07,183 --> 00:30:15,259
have a voltage regulator here, 7805, you
have a push-button, this diode is part of
301
00:30:15,259 --> 00:30:21,610
the voltage regulation and that's pretty
much all you have here. And three LEDs,
302
00:30:21,610 --> 00:30:26,259
you have three LEDs, okay. On the back
side, you can see, here there is the
303
00:30:26,259 --> 00:30:33,172
footprint of a very small
microcontroller, and here is a picture
304
00:30:33,172 --> 00:30:37,700
before desoldering it. And the
interesting thing is that there is
305
00:30:37,700 --> 00:30:44,110
absolutely no reference on this device, as
if the manufacturer took a special care to
306
00:30:44,110 --> 00:30:49,250
hide what was inside. And this is not so
common because usually you can find a
307
00:30:49,250 --> 00:31:00,070
reference on a chip. Also, there is no CAN
transceiver on this device, yeah, it's
308
00:31:00,070 --> 00:31:08,110
strange. What is a CAN transceiver? A CAN
transceiver is a piece of hardware to
309
00:31:08,110 --> 00:31:15,730
translate the signals from the CPU, which
are basically UARTs, into CAN signals
310
00:31:15,730 --> 00:31:25,539
which are CAN high, CAN low; this is a
differential pair. But this device is not
311
00:31:25,539 --> 00:31:30,179
just about adapting the signals and
electric conversion. It's also about real-
312
00:31:30,179 --> 00:31:36,220
time monitoring and checking. Stan
explained before that in each frame, you
313
00:31:36,220 --> 00:31:45,640
got a CRC and an error bit. And if there
is a transmission error on a frame, any
314
00:31:45,640 --> 00:31:51,960
CAN transceiver has the duty to assert the
fault in real-time, so it just has a few
315
00:31:51,960 --> 00:31:56,879
microseconds to compute the CRC in real-
time and say "Okay, no you just have to
316
00:31:56,879 --> 00:32:02,259
discard this frame". Basically, two tasks
for this one: electrical signal conversion
317
00:32:02,259 --> 00:32:09,389
and checking in real-time. Okay, so you
have no CAN communication, no CAN
318
00:32:09,389 --> 00:32:16,230
transceiver, okay, it smells weird. A few
guys told us "yeah but maybe it's possible
319
00:32:16,230 --> 00:32:21,080
to do that in software because, you see,
those are just signals and maybe with an
320
00:32:21,080 --> 00:32:26,549
ADC and so on you can do that in
software." I put a link, if you are
321
00:32:26,549 --> 00:32:29,299
interested, here, to a Stack Overflow
discussion, which is very interesting, and
322
00:32:29,299 --> 00:32:33,549
a few guys say "ok, yes, it's possible to
do that in full software, so you basically
323
00:32:33,549 --> 00:32:39,490
don't need a CAN transceiver". The thing
is, as the CAN transceiver has to react in
324
00:32:39,490 --> 00:32:44,139
real time, you have to have a very fast
CPU to do that in real time. And the guys
325
00:32:44,139 --> 00:32:48,860
on Stack Overflow say "Ok, it's possible,
but at a very low speed like 10 kilobits
326
00:32:48,860 --> 00:32:53,830
per second or something like this." But
on a real CAN bus on a real car, the speed
327
00:32:53,830 --> 00:33:05,919
is more like 500,000 bits per second, so
it's not the same order of magnitude. And
328
00:33:05,919 --> 00:33:10,630
then, some of the guys say "Okay, maybe
there is some CAN transceiver inside this
329
00:33:10,630 --> 00:33:15,659
chip", and I say "okay, yes, it's just a
small A Super8 chip, there is nothing
330
00:33:15,659 --> 00:33:20,150
there, just a small microcontroller ",
but, just to be sure and because we like
331
00:33:20,150 --> 00:33:28,169
to decap chips, laughing I asked my intern to do
that because, you know, there are toxic
332
00:33:28,169 --> 00:33:41,409
fumes and things like that. So here is
Stan in my garden and, well, it was pretty
333
00:33:41,409 --> 00:33:48,090
- it was the first time I did that, and
Stan also, and the thing is, it's pretty
334
00:33:48,090 --> 00:33:51,730
easy to do that, but if you want to do it,
just be careful because it is very
335
00:33:51,730 --> 00:33:59,929
dangerous stuff. You can buy it on the
internet, it's very cheap, and, what do
336
00:33:59,929 --> 00:34:07,960
you need? You need cooking plates, here,
to produce some heat, crème brûlée, or
337
00:34:07,960 --> 00:34:12,719
just the ceramic plate. You pour the
sulfuric acid in it, you wait for it to be
338
00:34:12,719 --> 00:34:18,719
hot enough and that's all, basically. Just
throw your chip in it and you're done.
339
00:34:18,719 --> 00:34:25,469
Just wait 10 minutes and that's all. So
again, if you want to do it, just do it
340
00:34:25,469 --> 00:34:29,520
because it's fun, but use protection
because it's very dangerous. Okay, well,
341
00:34:29,520 --> 00:34:36,560
here is the results. I put a real CAN
transceiver here, and this is the chip you
342
00:34:36,560 --> 00:34:42,750
have in the Nitro OBD2 dongle. Some of
you will recognize the basic
343
00:34:42,750 --> 00:34:47,480
structure of a small microcontroller.
Here, you have the CPU logic, here you
344
00:34:47,480 --> 00:34:54,770
have the memory banks and some glue logic
there. And that's pretty much all you have
345
00:34:54,770 --> 00:35:01,460
there. The interesting thing is that, this
does not fit into this. So definitely,
346
00:35:01,460 --> 00:35:09,500
there is no CAN transceiver in the Nitro
OBD2 dongle. The other thing I would like
347
00:35:09,500 --> 00:35:18,010
to show is, if you look at this, we said
before that the Nitro OBD2 had to contain
348
00:35:18,010 --> 00:35:22,950
a database for all authentication
algorithms. All the way to reprogram any
349
00:35:22,950 --> 00:35:28,580
car on the market and so on. And this is
all the flash you have inside. I was
350
00:35:28,580 --> 00:35:34,380
expecting at least a big chip of flash,
but there is nothing here. So basically,
351
00:35:34,380 --> 00:35:41,960
it just looks like a tiny microcontroller,
like an Arduino or something like this.
352
00:35:41,960 --> 00:35:49,580
But I really wanted to know what chip it
was, so we have a game at the office, it
353
00:35:49,580 --> 00:35:55,920
was "looking for Waldo", and because
chip manufacturers like to write the chip
354
00:35:55,920 --> 00:36:04,210
reference inside their chip, and, well,
there is something here. If you look at
355
00:36:04,210 --> 00:36:07,840
the chip with a big magnification power, you
will see this, and this is the chip
356
00:36:07,840 --> 00:36:14,470
reference. Unfortunately, I could not find
any reference on the internet about this
357
00:36:14,470 --> 00:36:18,650
chip. I asked a few friends on Twitter and
so on, but nobody could find it, which
358
00:36:18,650 --> 00:36:23,600
means, well, I don't know, this is not a
big chip, very well-known. If you know
359
00:36:23,600 --> 00:36:29,870
what it is, just tell me, send a mail or
whatever and take the microphone during
360
00:36:29,870 --> 00:36:35,000
the question-and-answer session, it will be
nice. So, just to sum up this part, this
361
00:36:35,000 --> 00:36:40,870
dongle is very nice, but there is no CAN
communication, it does not contain any CAN
362
00:36:40,870 --> 00:36:48,300
transceiver, it does not have enough CPU power
to emulate a CAN transceiver in full
363
00:36:48,300 --> 00:36:54,290
software, and the most important thing is
that it has no flash in it to contain the
364
00:36:54,290 --> 00:36:58,720
database, you know, to reprogram any
engine and so on. But the LEDs are
365
00:36:58,720 --> 00:37:04,271
blinking very well, so, yeah. If you
really want to reprogram your car, use
366
00:37:04,271 --> 00:37:23,980
something else. Thank you. Applause I
would like to invite all of you, if you
367
00:37:23,980 --> 00:37:30,010
are interested in car hacking, to try and
put some OBD cable into your car because
368
00:37:30,010 --> 00:37:36,120
it's very easy. You just have to pull a
panel to get access to your OBD port. You
369
00:37:36,120 --> 00:37:40,890
will just need a Raspberry Pi, a CAN shield
and a cable, and that's pretty much all you
370
00:37:40,890 --> 00:37:48,350
need. Just a few words: so you don't need
to take anything apart, so it's pretty
371
00:37:48,350 --> 00:37:55,030
easy, you can do many interesting things
just by using the OBD2 port of your car,
372
00:37:55,030 --> 00:38:00,550
like fuzzing and so on. But please be
careful, you can hurt yourself or break
373
00:38:00,550 --> 00:38:04,690
your engine if it's running, so if you do
some fuzzing, please stop the engine
374
00:38:04,690 --> 00:38:11,440
before.
P1kachu: Because as you saw at the
375
00:38:11,440 --> 00:38:16,630
beginning, I was actually recording CAN
data or querying stuff while I was
376
00:38:16,630 --> 00:38:23,330
driving, which was the stupidest thing I
did in the whole analysis. I was able to
377
00:38:23,330 --> 00:38:30,340
disengage ABS by fuzzing, too - stuff like
this - because they have some systems that
378
00:38:30,340 --> 00:38:35,740
if they receive too many invalid kind of
messages, they will just shut off, so I
379
00:38:35,740 --> 00:38:40,350
was able to disengage stuff like this, so,
yeah, if you are doing stuff like this,
380
00:38:40,350 --> 00:38:45,880
just don't drive while doing it, for
example. That's the kind of stupid mistake
381
00:38:45,880 --> 00:38:52,590
you do when - or disable the airbags.
Guillaume: That's very important.
382
00:38:52,590 --> 00:38:59,160
P: You never know.
G: Well, thank you again, and, yeah, if
383
00:38:59,160 --> 00:39:02,810
you want to speak with us, you're more
than welcome. Thank you!
384
00:39:02,810 --> 00:39:14,728
applause
Herald Angel: Thank you, guys. I would
385
00:39:14,728 --> 00:39:17,810
normally skip the car hacking talks. This
time it was really amusing and I'm happy
386
00:39:17,810 --> 00:39:23,700
that I didn't do that. We have a lot of
time for questions, if you want to line
387
00:39:23,700 --> 00:39:28,051
up, there's one over there, two over
there, one over here and one over there.
388
00:39:28,051 --> 00:39:36,069
Are there questions from the audience?
Signal angel?
389
00:39:36,069 --> 00:39:38,610
Signal Angel: So, people on the stream are
wondering where they can find your
390
00:39:38,610 --> 00:39:43,390
software and whether you contributed any
signals you found to the opendbc project
391
00:39:43,390 --> 00:39:46,960
that is collecting signals from the CAN
bus.
392
00:39:46,960 --> 00:40:00,380
P: I haven't really heard about this -
yet. So right now, not that much, but I
393
00:40:00,380 --> 00:40:06,730
will take a look at this after this. Sorry
394
00:40:06,730 --> 00:40:12,170
Herald Angel: Mic 1.
Q: I was wondering, you tried to reverse
395
00:40:12,170 --> 00:40:19,018
engineer to get into the secure mode so
that you can access all the ECUs. You
396
00:40:19,018 --> 00:40:22,100
wanted to... you reverse engineered this
challenge/response authentication.
397
00:40:22,100 --> 00:40:25,310
P: Yes.
Q: Why did you not try to reverse engineer
398
00:40:25,310 --> 00:40:28,080
the diagnostic software that is used by
the dealers?
399
00:40:28,080 --> 00:40:35,980
P: Because this, in French, we call this
a valise, like luggage, and it costs, if I
400
00:40:35,980 --> 00:40:42,400
recall correctly, about 5,000 Euros per car
manufacturer. So we went to a garage and
401
00:40:42,400 --> 00:40:47,490
asked the guy "Can you lend us your
valise?" and he just laughed at us because
402
00:40:47,490 --> 00:40:54,360
no, he didn't want to, but there are some
partnerships you can have. There is a
403
00:40:54,360 --> 00:40:59,560
group of manufacturers that offer that
kind of information if you pay every month
404
00:40:59,560 --> 00:41:05,480
a very huge sum of money.
Q: [...] pay 6 Euros and can be used for
405
00:41:05,480 --> 00:41:10,681
an hour.
P: I haven't heard of it. I just saw big
406
00:41:10,681 --> 00:41:15,290
numbers and I told myself, okay, I'll find
another way.
407
00:41:15,290 --> 00:41:19,120
Herald Angel: Microphone 3.
Q: A great presentation. Thank you very
408
00:41:19,120 --> 00:41:23,360
much. I was just wondering, how much more
work is needed to actually control your
409
00:41:23,360 --> 00:41:36,700
car with an Xbox controller? Laughter
Applause
410
00:41:36,700 --> 00:41:45,340
P: I was asked this question before. Not
that much Laughter if you find the right
411
00:41:45,340 --> 00:41:52,600
guys with the right amount of knowledge.
The idea that you'll get, of course. You
412
00:41:52,600 --> 00:41:58,980
have to find a way to control the car from
the CAN bus which is not something that
413
00:41:58,980 --> 00:42:04,590
easily done. Because for all I know right
now, the CAN bus is only used for
414
00:42:04,590 --> 00:42:11,529
broadcasting information not really using
this information for real-time data. We
415
00:42:11,529 --> 00:42:17,250
actually tried to find some way to know
how the ECUs interact with each other
416
00:42:17,250 --> 00:42:22,120
with Guillaume's car. So the idea was that we
go to a field, I am on the passenger seat,
417
00:42:22,120 --> 00:42:27,840
and he would just tell me "okay try to
find the ABS ECU I will brake very hard"
418
00:42:27,840 --> 00:42:32,528
so he was driving fast, braking. I was
just checking which ECU would actually
419
00:42:32,528 --> 00:42:36,080
send something different and after we've
tried to recreate some messages,
420
00:42:36,080 --> 00:42:39,250
but without a lot of luck.
So from the CAN bus I don't think
421
00:42:39,250 --> 00:42:46,060
that's quite possible. But they did it.
Nissan did it like two months ago with the
422
00:42:46,060 --> 00:42:52,410
GT-R/C. They created a Nissan GT-R that is
actually controlled by a gamepad
423
00:42:52,410 --> 00:42:57,510
controller. But they have a full robot in
it just controlling the steering wheel and
424
00:42:57,510 --> 00:43:01,704
pedal so it's quite easy when you have
money. Laughter
425
00:43:01,704 --> 00:43:04,871
Herald Angel: Microphone 2 in the back,
please
426
00:43:04,871 --> 00:43:10,930
Q: Okay, hi nice talk. Thank you. First of
all don't play around with the Airbags
427
00:43:10,930 --> 00:43:15,660
please. I tried to reverse engineer my old
Mitsubishi - I'm a passionate Mitsubishi
428
00:43:15,660 --> 00:43:25,610
driver - please don't try mine. You get
hurt, really. So my real question is: Did
429
00:43:25,610 --> 00:43:33,200
you try to reverse engineer cars with an
older bus than OBD, ever? Because mine is
430
00:43:33,200 --> 00:43:38,350
from the 90s.
P: Yeah. No, I didn't, because I had my hands
431
00:43:38,350 --> 00:43:44,330
full already with OBD. To be
honest, before this analysis I hadn't
432
00:43:44,330 --> 00:43:50,050
touched any kind of bus or any kind of car
systems ever. So I was really discovering
433
00:43:50,050 --> 00:43:55,490
everything from scratch. So I just focused
on the OBD port and the CAN bus and stuff
434
00:43:55,490 --> 00:44:00,420
like this. But I know there is a lot of
different stuff; Valasek and Miller already
435
00:44:00,420 --> 00:44:06,320
did different kinds of attacks on the Jeep,
for example, or the Prius, with different
436
00:44:06,320 --> 00:44:12,020
buses. So I ought to be looking at them
but right now no I didn't do anything else
437
00:44:12,020 --> 00:44:15,460
from the OBD or CAN bus.
Herald Angel: Is there another question
438
00:44:15,460 --> 00:44:25,460
from the internet? Okay otherwise mic 1.
Q: Sorry, just one sentence. I guess
439
00:44:25,460 --> 00:44:29,140
because of the Mitsubishi stuff you've
mentioned the car your parents or so I
440
00:44:29,140 --> 00:44:33,225
guess we should talk about the Lancer.
Okay?
441
00:44:33,225 --> 00:44:37,198
P: Okay. laughter
Herald Angel: Mic 1.
442
00:44:37,198 --> 00:44:43,750
Q: Thank you. There are some other buses
like EtherCAT or FlexRay in other car
443
00:44:43,750 --> 00:44:50,860
manufacturers. What about hacking them? So
you also said, you already said that maybe
444
00:44:50,860 --> 00:44:57,630
you will try it in the future?
P: Well quite the same answer also. I read
445
00:44:57,630 --> 00:45:04,180
the car CAN books, so I just have a
little grasp of other kinds of protocols
446
00:45:04,180 --> 00:45:08,290
and other stuff like this. Right now I
didn't do anything. I am planning on
447
00:45:08,290 --> 00:45:14,600
trying different new buses but right now
just the - I haven't touched them I can't
448
00:45:14,600 --> 00:45:20,100
answer any more honestly than this - I don't know.
G: The other thing is that on the OBD2
449
00:45:20,100 --> 00:45:29,860
port you just have access to the CAN bus,
and as far as I remember the FlexRay bus is
450
00:45:29,860 --> 00:45:36,650
internal and dedicated to high speed
buses. So it's not as easy to plug
451
00:45:36,650 --> 00:45:43,220
yourself onto this bus because
you have to open your car and take things
452
00:45:43,220 --> 00:45:48,860
apart and stuff like this. But it's
definitely interesting to look at it also.
453
00:45:48,860 --> 00:45:53,110
P: Sorry.
Herald Angel: Okay, another question from
454
00:45:53,110 --> 00:45:58,900
the 3, please.
Q: Oh it's 4. Okay, so just a little
455
00:45:58,900 --> 00:46:04,200
hint. OBD2 is actually just half of the
fun so you should definitely remove your
456
00:46:04,200 --> 00:46:10,070
car radio and check if there's a CAN bus
behind that. I know BMWs have it, and
457
00:46:10,070 --> 00:46:15,200
there, of course, it's much easier to
control all of the fancy buttons that
458
00:46:15,200 --> 00:46:20,310
you have in your car. Like window and
wipers and all that stuff because that's
459
00:46:20,310 --> 00:46:24,930
completely unencrypted, so you can simply
listen on this and also send your own
460
00:46:24,930 --> 00:46:27,550
commands.
P: Okay, so, check the other CAN bus in
461
00:46:27,550 --> 00:46:30,490
the car, right?
Q: Yeah it's I mean it's maybe the car
462
00:46:30,490 --> 00:46:35,550
radio, because you don't have to cut
anything just plug it off, take an adaptor
463
00:46:35,550 --> 00:46:42,980
and put your own bias on that.
P: Thank you. Maybe another talk.
464
00:46:42,980 --> 00:46:47,344
Herald Angel: And now we have one question
from the internet and then mic 1.
465
00:46:47,344 --> 00:46:50,616
Signal Angel: So there's a person from the
darknet who would like to leak you
466
00:46:50,616 --> 00:46:56,300
original diagnostic software for that kind
of hardware and the person wants to know
467
00:46:56,300 --> 00:47:01,310
whether you would be interested in that?
P: I haven't heard the end of the sentence
468
00:47:01,310 --> 00:47:03,860
but the beginning.
Signal Angel: Would you be interested in a
469
00:47:03,860 --> 00:47:19,550
software leak of original diagnostic
software? laughter Actually you don't have to
470
00:47:19,550 --> 00:47:24,030
answer that because the person is outside
but if you want to say something you can.
471
00:47:24,030 --> 00:47:30,380
P: Coughing You have my Twitter.
Herald Angel: Yeah question please.
472
00:47:30,380 --> 00:47:36,710
Q: First, thank you for your very inspiring
speech. Luckily or unfortunately, I don't
473
00:47:36,710 --> 00:47:40,840
own a car myself otherwise... Well, what I
wanted to say was, you now have your hands
474
00:47:40,840 --> 00:47:46,770
on a few Volkswagens. If you could choose
a car yourself what brand would you like
475
00:47:46,770 --> 00:47:53,630
to monitor.
P: Ah, to monitor. Actually, what I wanted
476
00:47:53,630 --> 00:47:58,760
but I haven't taken the time right now,
was to play with the Lancer, the big mother's
477
00:47:58,760 --> 00:48:03,060
bus, because it has Uconnect and as far as
I remember it was one of the attack
478
00:48:03,060 --> 00:48:10,390
vectors Miller and Valasek used in the past,
so I think I would go with the one with
479
00:48:10,390 --> 00:48:16,440
full features everywhere and remove parts
to be able to get to the fun stuff. So I
480
00:48:16,440 --> 00:48:21,600
would take one with a lot of electronics,
not too much, because it's expensive, but
481
00:48:21,600 --> 00:48:26,890
at least a bit of electronics, so that I
could remove stuff and do interesting and
482
00:48:26,890 --> 00:48:29,800
nice stuff.
Herald Angel: Thank you okay and another
483
00:48:29,800 --> 00:48:35,200
one over there.
Q: Hi thank you and I enjoyed your talk. I
484
00:48:35,200 --> 00:48:42,380
think I read you already online or I read
something about doing what you
485
00:48:42,380 --> 00:48:48,380
have done. It's really fun. Just a few
corrections to the last part - the
486
00:48:48,380 --> 00:48:55,320
transceiver does not do any error
correction it's just a transceiver. And
487
00:48:55,320 --> 00:49:02,250
there are chips actually available which
have a Cortex-M0 and a transceiver on chip
488
00:49:02,250 --> 00:49:04,380
for few bucks.
P: Okay.
489
00:49:04,380 --> 00:49:10,900
Q: So those chips exist and are used in
automotive and just for your fun for next
490
00:49:10,900 --> 00:49:18,000
year: choose the right car just depending
that question from that girl. There are
491
00:49:18,000 --> 00:49:25,880
car manufacturers who can do networking
and who can do and your... let's say you
492
00:49:25,880 --> 00:49:32,734
are candy with the right brands. Like the
Italian.
493
00:49:32,734 --> 00:49:36,720
P: Thank you very much. I have way more
information than when I started this talk,
494
00:49:36,720 --> 00:49:45,390
which isn't much what I expected at first.
Herald Angel: I would say final question
495
00:49:45,390 --> 00:49:48,250
Mic 1.
Q: Very small question but did you
496
00:49:48,250 --> 00:49:52,250
consider lifting the front wheels instead
of starting the engine to make it steer
497
00:49:52,250 --> 00:50:03,590
easy?
P: Yes, I put it on parpaing - the block
of cement you find - but it's not the
498
00:50:03,590 --> 00:50:10,760
easiest part. What would be easier what
was done was to put cardboard under the
499
00:50:10,760 --> 00:50:15,760
wheels to make it easier with a little bit
of oil to turn but here to be able to play
500
00:50:15,760 --> 00:50:22,180
without the engine turned on and with
assisted steering. Kind of putting the
501
00:50:22,180 --> 00:50:27,460
car on a car lift would be the safest way.
Because just putting the front wheels I
502
00:50:27,460 --> 00:50:30,550
wouldn't see anything from the windscreen
which would be a bit disappointing.
503
00:50:30,550 --> 00:50:38,304
laughter And yes, indeed I plan to put
it on a car lift soon.
504
00:50:38,304 --> 00:50:41,850
Herald Angel: Anyone who didn't get the chance
to ask their question on stage, I'm sure that
505
00:50:41,850 --> 00:50:46,310
the speakers can be approached next to
it. Thank you again for being here and
506
00:50:46,310 --> 00:50:47,840
drift on.
P: Thank you very much.
507
00:50:47,840 --> 00:50:49,365
G: Thank you.
508
00:50:49,365 --> 00:50:56,483
Applause
509
00:50:56,483 --> 00:51:08,945
34C3 postroll music
510
00:51:08,945 --> 00:51:18,000
subtitles created by c3subtitles.de
in the year 2020. Join, and help us!