Give a warm welcome to Redford (@redford@infosec.exchange), Q3K (@Q3K@social.hackerspace.pl) and Mr. Trick (@mrtick@infosec.exchange), and it's an honour to announce the talk "Breaking DRM in Polish trains": Reverse engineering a train to analyze a suspicious malfunction.

(Applause)

Hi, I'm Redford, this is Q3K and MrTick (not Trick), and we'll talk today about trains. We'll do a quick intro, tell the story and then go into technical details.

So, we sometimes play CTFs together with Dragon Sector and Poland Can Into Space. I work for Invisible Things Lab. I mostly do low-level security and reverse engineering. And [the others] will introduce themselves in a few slides.

Let's start with the story. As you already know, the story is about trains, and the story actually starts a long time ago, in 2016, when Koleje Dolnoslaskie, a local Polish train operator, bought eleven Impulse trains (of which one of them is on the photo). Then, after some time, the trains started reaching one million kilometers on the odometers, and by this amount you must do a big maintenance, and because the manufacturer's warranty already expired, they started a tender so to select the best offer for servicing, and the offer was won by SPS. It's an independent train workshop in Poland. And in the first quarter of 2022 the first train reached the workshop.

So, let's see the public timeline. The servicing started with train #24. Their workshop took apart the whole train, sent the parts to the manufacturers and then assembled the train back. But the problem was that the train didn't start afterwards. And then they took another train for servicing, and it was the same: the trains didn't want to start after servicing.
And what's even more interesting is that in the meantime another workshop started servicing trains for a different train operator, and they ran into exactly the same problem. So, it's getting a bit suspicious, and the story got noticed by media in Poland, because you had, like, less trains running. So, the manufacturer issued a public press release, and they said that, among many other accusations, they said that "someone interfered with the security system", whatever that is. And something happened in between. And the workshop (SPS) started returning the trains which worked.

So, what happened? And what happened in the meantime? After the workshop got into trouble, the issues didn't look like normal issues, because the competitor was saying that everything is fine, and they had some pointers into the direction of the manufacturer's involvement, but they didn't have any idea what to do. So they googled "Polish Hackers" and found us.

(Laughter+Applause)

So, we got in contact, we got the trains, but about that later. In August, we managed to unlock the first train, and a few months later we gathered enough evidence to notify authorities about and that is what we will talk about today.

(Laughter)

All right, I think it is my turn. So, hi, I'm Mister Tick. Known in Poland as <????>. In Germany as <????>. Ich bin ein grosser Bahnfan (I'm a big railway fanatic). So, Redford, briefly introduce you

(Applause)

I want to walk you through some initial terms here. So, before I tell you how to unlock a train, let's define what a "locked train" is. So, we have basically a train. You enter a cabin. All the system reports say that the train is ready to roll. There is this device, combined throttle and brake lever. So you push it forward, the train loses all the brakes and then it should accelerate, but it doesn't. That's the brakes. Nothing happens. You can see the "zero" on the screen.

So, we had a locked train. The workshop bought additional two CPUs of the Jup, that's one of them, and got access to all service documents