Give a warm welcome to Redford (@redford@infosec.exchange)
Q3K (@Q3K@social.hackerspace.pl)
and Mr. Trick (@mrtick@infosec.exchange)
and it's an honour to announce the talk
"Breaking DRM in Polish trains"
Reverse engineering a train
to analyze a suspicious malfunction
(Applause)
Hi, I'm Redford, this is Q3K and
MrTick (not Trick)
and we'll talk today about trains.
We'll do a quick intro,
tell the story and
then go into technical details.
So, we sometimes play CTFs together
with Dragon Sector and Poland Can Into Space
I work for Invisible Things Lab
I mostly do low level security and reverse engineering
And [the others] will introduce themselves in a few slides
Let's start with the story
As you already know, the story is about trains
and the story actually starts a long time ago, in 2016
when Koleje Dolnoslaskie, a local Polish train operator
bought eleven Impulse trains
(of which one of them is on the photo)
Then after some time,
the trains started reaching one million kilometers on the odometers
and at this amount, you must do a big maintenance
and because the manufacturer's warranty had already expired
they started a tender
to select the best offer for servicing
and the offer was won by SPS
it's an independent train workshop in Poland
And in the first quarter of 2022
the first train reached the workshop
So, let's see the public timeline
The servicing started with train #24
Their workshop took apart the whole train
sent the parts to the manufacturers
and then assembled the train back
But the problem was that
the train didn't start afterwards.
And, then, they took another train for servicing,
and it was the same:
the trains didn't want to start
after servicing.
And, what's even more interesting
is that in the meantime
another workshop
started servicing trains for different train operator
and they ran into exactly the same problem
So, it's getting a bit suspicious
and the story got noticed by media in Poland
because you had fewer trains running
So, the manufacturer issued a public press release
and, among many other accusations,
they said that "someone interfered with the security system"
whatever that is
And, something happened in between
And the workshop (SPS)
started returning the trains
which worked.
So, what happened?
And what happened in the meantime?
After the workshop got into trouble
the issues didn't look like normal issues
because the competitor was saying
that everything is fine
and they had some pointers
into the direction of
the manufacturer's involvement
but they didn't have any idea what to do.
So they googled "Polish Hackers"
and found us
(Laughter+Applause)
So, we got in contact
we got the trains,
but about that later
In August, we managed to unlock the first train
and a few months later
we gathered enough evidence to
notify authorities about
and that is what we will talk about today.
(Laughter)
Alright, I think it is my turn
So, hi, I'm Mister Tick
Known in Poland as <????>
In Germany as <????>
Ich bin ein grosser Bahnfan
(I'm a big railway fanatic)
So, Redford, briefly introduce you
(Applause)
I want to walk you through some initial terms here
So, before I tell you how to
unlock a train
let's define what a "locked train" is.
So, we have basically a train
you enter a cabin
All the system reports say that the train is
ready to roll
There is this device, a combined throttle and brake lever
So you push it forward
the train loses all the brakes
and then it should accelerate
but it doesn't.
That's the brakes
Nothing happens
You can see the "zero" on the screen
So, we had a locked train
the workshop bought two additional CPUs
of the
Yup, that's one of them
and got access to all service documents