-
33C3 preroll music
-
Herald Angel: And without further ado,
please welcome Guillaume and P1kachu on
-
stage now.
applause
-
Guillaume: Thank you.
P1kachu: Okay. So hi everybody. Hi bingu.
-
So we are going to present what we've been
doing lately with cars actually. So who
-
are we? My name is Stanislas Lejay,
"P1kachu". I'm an IT student at EPITA, a
-
school in France, and I'm part of EPITA's
system and security laboratory, the LSE.
-
I'm currently an intern at Quarkslab. I
like a lot of stuff, like reverse
-
engineering, everything that is related to
cars or mechanics and if there is
-
something stupid to do I shall already be
doing it. And with me will be Guillaume
-
Heilles.
Guillaume: Hello my name is Guillaume. I
-
work at Quarkslab as a security
engineer. I'm quite new to the security
-
field as I worked in the industry before.
And I switched to the security field
-
because it's very fun and I like to
reverse almost everything and I will give
-
a small talk about reversing a piece of
hardware that you can find in an
-
automobile.
P: So what is this talk about? This
-
talk will be in two different parts. The
first one is how to drift with any car,
-
and it's an introduction to automotive
systems, what you can do with them and what
-
we actually did with them. And the second
part, whose name is "how to properly write
-
an Amazon review", you'll see why just
after, is about an OBD dongle: analysis, reverse
-
engineering, stuff like this. So first
part, "drifting with any car". The idea is
-
that I'm a student, so I work at my
school's lab, so I had to find a way to
-
explain why I was bringing different cars
every day to my school's garage. So the
-
official goal was to look at how a car works,
and what arose from this is: what can one do
-
with a modern car system.
The restriction I had was that since I'm a
-
student I'm poor so I don't have a lot of
money and I don't have a lot of cars. So I
-
was actually taking my family's different
cars and trying to analyze them. So I
-
wasn't able to break anything
or remove any parts from the car. So the
-
test subjects, which cars was I
playing with? I had five or six of them.
-
The first one, for posterity, is mine
actually. It's a 2006 Volkswagen Polo.
-
What is nice is that you can spend the
whole day trying to find some messages on
-
your bus. If your car is too old, there are
no messages. So you can take the
-
oscilloscope and try to find them, you
won't find them. Anyway, just before doing
-
anything, try to think: is the thing I'm
looking for already in there? The second car
-
is my grandmother's car, it's a Volkswagen
Polo of 2013. And the last guy we'll talk
-
about is my mom's Fiat 500 convertible.
It's from 2010. The dates are important
-
because the CAN bus I will talk about just
after is quite recent in a way that
-
security on the CAN bus changes greatly
from one year to another. So the CAN bus I
-
was playing with on this car was quite
different from the 2013 Volkswagen Polo
-
for example. Okay, so talking with the
car. So this is the introduction part, so
-
if people already know about what I'm
going to talk about, but I want everybody
-
to be on the same first step. So first of
all, an ECU, it stands for electronic
-
control unit, and it's a small computer
that you get all around your car. So there
-
are many of them. You can have at most 70
of them in very modern cars, and they
-
control different parts of it. So you have
the engine, the powertrain, the
they talk to each other on what we call
-
the CAN bus. The CAN bus is a message-based
broadcast protocol. Messages are
-
mostly composed of two important things,
which are the arbitration ID, which I will
-
refer to as ID from now on, they can be 11 or
29 bits long, and you have data. Data is 8
-
bytes long in a standard CAN
message, but there are on-top protocols that
-
can group messages together to get bigger
lengths of data. What is interesting is
-
that it's a broadcast protocol, so the
collision detection system is based on the
-
ID. The lower your ID, the higher your
priority. So a very important CAN message
-
will have a very low ID, it will be sent
from an ECU that has a very low ID, and less
-
important ones will have a bigger
arbitration ID. How do you talk to your
-
CAN bus without cutting any wire in the
car? For this, you see, there is the OBD2
-
port. So OBD stands for on-board diagnostics
and is the vehicle's self-diagnostic and
-
reporting capability. When you are driving,
you have a LED that starts to blink
-
on your dashboard saying "ok, something's
wrong", you bring your car to your car
-
repair shop and the car repair guy will
just plug himself into this port, which is
-
located around the steering wheel often,
and query information using PIDs. So PID
-
is a parameter ID. It means "okay I want
to have information about for example the
-
RPM or the speed or the fuel level
something like this" and you can set or
-
reset diagnostic trouble codes a
diagnostic trouble code means "ok
-
something is wrong with this part of the
car" for example. Here is my setup. So
-
with just a Raspberry Pi, a PiCAN2 shield
and a DB9 to OBD2 cable, I was able to
-
have a full Linux that can understand
CAN messages and talk with the CAN bus. So
-
with that I could just communicate with my
car without breaking anything, which is
-
quite nice. What does it look like? So in
Python, I just import can, so it's
-
a standard package, python-can, you create
an interface, so it's SocketCAN, so it's
-
like any kind of interface, you just create
a can0 interface and you can communicate
-
with your CAN bus. You create your
message, so the data is here. What is
-
important is that the first byte tells how
many bytes are important in the message.
-
You can have 8 bytes of data. The number
of bytes processed will be this number, so
-
like there it says "ok, there are only 2
bytes of data that are interesting, just
-
discard the 5 other ones". Here, it asks
for the first mode, so OBD has different
-
modes. The first mode says "Okay, I want
the current value of what I'm looking for"
-
and 0x0c is RPM. So I want the current
value of the RPM. If I put two there, it's
-
the second mode and it asks for the RPM
when the last data trouble code was
-
actually set. You have different ones like
that, but what interested me was "Okay,
-
what is a current RPM?". You create your
message, 0x7df is the classic ID for
-
diagnostic tools, so most ECUs will answer
to OBD queries if you have this ID. On 29
-
bits, it depends on the car, on the Fiat
500, for example, it was this one. You
-
send your message, you get your answer and
that's it. Okay, so this was the theory:
-
how do you talk, but how did I actually
talk with my cars? So the first OBD answer
-
I was able to get was on my grandmother's
Polo. It's quite a recent car, 2013, so
-
there was a gateway, a sort of firewall
between the OBD2 port and the actual CAN
-
bus. So when I plugged myself to the CAN
bus, I wouldn't receive anything unless I
-
send an OBD query. I would receive my
answer but that's all. Else, the bus would
-
be completely silent. So here are some
examples, so this is the one from just
-
before, how can I get the RPM, so this is
the value of the RPM. Here, I can get the
-
engine coolant temperature, very
important, so the idea is that it answers
-
83 and 83 is 131 degrees. The idea is that
you are working with unsigned bytes, so if
-
you want to get a negative temperature,
the standard tells you to subtract 40 from
-
your temperature. If you are outside of
-40 or 215 degrees, you have other
-
problems than your coolant temperature.
So, seems to work. Okay, nice. So,
-
displaying everything. This was to explain
to my grandmother why I was stealing her
-
car for two weeks right now. So, with
this, I'm able to get the RPM, the speed,
-
engine coolant temperature, always very
important, throttle and accelerator pedal
-
position and the elapsed time since the
engine started. So anyway, kind of
-
graphical, my grandmother understands,
everybody's happy. Right, so right now I
-
can query standard OBD PIDs, I can have
the RPM, speed, fuel level, anything you
-
would want to have on your dashboard, but
if you want to get some probably more
-
interesting stuff, you have to go with the
constructor-specific PIDs. For example,
-
the steering wheel position, brake and
clutch pedal, gearbox status light or
-
blinkers are constructor-specific, so you
have to break stuff to be able to find
-
them or be very good friends with the
manufacturer, which I'm not. Nice, we
-
can query stuff, mostly. Can we modify
anything interesting from OBD? Because,
-
still, I don't want to mess with the car
by cutting any wire. So first issue: what
-
protocol am I actually talking to? There
are on-top protocols like KWP, which
-
is Keyword Protocol 2000, Unified
Diagnostic System is OTP, the Volkswagen
-
version of ISO-TP, like really, and stuff
like this. Which protocol am I talking to?
-
Okay, let's just brute-force by sending
the classic introduction kind of message
-
and try to find a valid answer. With
this on the 2013 Polo, I could speak UDS.
-
So UDS enables different kinds of things,
like resetting ECUs, which can be quite
-
interesting, querying specific PIDs, reading DTC
information, stuff like this. However,
-
nice stuff, like dumping the firmware, is
only available through a security session.
-
And the security session on this car requires
an authentication through a challenge response
-
kind of algorithm, so here is the
example: I would start a diagnostic
-
session, a UDS diagnostic session, first,
then query for a seed to get through the
-
security session, compute my answer, send
it back, the car computes its own answer,
-
compares, and I would fail, because I would
just send the seed back, like, maybe they
-
didn't implement a real algorithm, you
never know. But hey, okay, well done
Actually, the car has a four-byte seed,
-
which is different at each try. This is
important to notice because on Guillaume's
-
car, it's a 2-byte seed, which is always
the same. You have more than three seconds
-
required between each try, and if you fail
multiple times, it will just freeze for ten
-
minutes if you don't want to remove the
battery, all that kind of complicated
-
stuff. So, how to break this? Brute-force?
Way too long. A timing attack would be too
-
unstable because of the priority kind of
thing, because you can just get delayed by
-
other more important messages and so it
will delay your timing attack. Disassembling
-
the car is out of the question, you know
why, and getting pieces from a repair shop is
-
tedious. You know, get an ECU, try to
recreate the CAN bus around it, stuff like
-
this, and I'm broke, so I don't have any
money. Okay, so, my car, let's sum up, way
-
too old. My grandmother's car, a bit too recent
because of the gateway. My family's car is
-
a Lancia Voyager 2014, so even more
recent, but it has Uconnect, so maybe for
-
another time. Who's left? Oh, mommy? So,
my mom has a 2010 Fiat 500 convertible,
-
she loves it, so she doesn't like it when I
take it, and she likes it even less when
-
I try to do stuff with it. So one night
I stole the key. laughter Sorry. And I
-
tried to plug myself in and oh! It talks, it
talks a lot. In four seconds, I was able
-
to get around 2000 messages, so it's about
500 messages per second. There is no
-
gateway, so I have a lot of broadcast
messages already. They are from a few
-
different arbitration IDs, so a few
different ECUs are actually talking on
-
this bus. When I'm in the car, I tried
pressing random buttons and I see that the
-
data evolves, so the nice, funny thing to
do is to try to understand what each
-
message means. It's quite tricky with
candump, which is the standard Linux util
-
which will just flood your stdout with CAN
messages, but Python CAN monitor helps a
-
lot by grouping messages by arbitration
ID. So here I'm in the Fiat 500 and I am
-
driving actually, and you can see the
different arbitration IDs there and the
-
data that is evolving. The last two,
which are way bigger, are the standard
-
OBD ones, meaning that, okay, I have a priority
that is way lower than the other kind of
-
messages. So, reversing a bit, what can we
find? I found the speed, four times, the
-
values were quite different but quite
close anyway, so was it at four different
-
times or at the four different wheels? And
it was actually at the four different
-
wheels, because when I turned it would
change drastically two values out of four.
-
I have the clutch pedal with respect to
the accelerator: am I accelerating while
-
depressing or pressing the clutch? The
brake data, are the doors closed, which ones
-
are closed, is the contact on, is the
handbrake up or down, and this one is quite
-
interesting because it would change every
minute. Actually it's the time and date.
-
So it was 9:00 p.m. on the 24th of May
2017, meaning that they created an ECU
-
whose only job was to send the
current time and date, readable in
-
hexadecimal format on the CAN dump like
this.
-
laughter
Anyway, I found it funny, I've got a
-
weird sense of humor. Anyway, so this thing,
this time to explain to my
-
mother what I'm doing with her car, so this
was a kind of capture I was doing from my
-
school to my home, like I was recording
what I was doing in the car, recording at
-
the same time a CAN dump and displaying
what I could display, so I have the
-
handbrake, start and stop, and the engine is on,
okay, it seems the doors are closed,
-
hopefully, okay. So this was quite fun
to do actually. Okay, what can we do with
-
that? Can we do something useful for
humanity? Can we do maybe something a
-
little bit challenging, or else it's
absolutely not interesting? How can I at
-
least put something on my resume after
that, something I can be proud of? Yes, or
-
we could try to do something completely
stupid, and that's what I meant to do.
-
So I created CANPad. The idea of CANPad is
that with the steering wheel, brake and
-
accelerator pedal you can drive any car
in any video game. So... laughter
-
applause
So that's what I did. I take the CAN
-
messages from the OBD sensors and pass them
to a python-can client and feed
-
them through libuinput to be able to
create a virtual gamepad and play it in
-
V-Drift. So V-Drift is an open-source
racing game that allows one to play on
-
Linux through at least libuinput. So
this is a start and stop button that I use
-
as a toggle to send data and here I'm
driving, with my mum's car, a car in a
-
video game.
driving noise
-
So I have the steering wheel, the handbrake,
every pedal. It's quite hard
-
to drive right now.
laughter
-
And my official goal is to drift. So at
first I have to learn how to drive at all.
-
It was actually quite nice when I managed
to do anything at all. So you can see that
-
data is only like 16 bytes long and
music
-
applause
That's the best drift I was able to do on
-
this game. So I was actually quite
disappointed right now. So, features and
-
limitations of this. So the features are
what I was explaining right now. But the
-
limitations are that the engine needs to be
running, because otherwise I don't have the
-
assisted steering, which makes the wheel
quite hard to turn. Also, on a real car, if
-
you release the steering wheel, it will by
itself try to match the car direction,
-
which I don't have, so I would just spend
all my time turning the wheel. And the
-
control simplicity going through libuinput
limits it to V-Drift, because no
-
other Linux game recognized my virtual
gamepad as a real one. So I was quite sad,
but I really wanted to drift. Oh wait,
I created another version, which is CANpad
-
v2. With CANpad v2, I just understood that on
a real gamepad, an Xbox
-
gamepad: if I plug in the Xbox gamepad and
don't touch anything, no inputs will be
-
sent. On the other hand, if I plug in a PS4
gamepad and don't touch anything, it will
-
flood the status of every button all the
time. So what I would do is take the Xbox
-
controller, put it on the table and hijack
its port to send data instead of it. So I
-
would have a real, plugged-in
controller that is recognized by nicer
-
games, like V-Drift, like DiRT, and I could
send inputs myself. I changed a
-
few things, like the gas pedal, because I had
to floor it in the real world to floor it in the
-
game, which was quite fuel consuming. The
steering wheel rotation was adjusted so
-
that it matches rally cars,
like if I turn it 180 degrees it will turn
-
all the way in the game, so quite nice, and
I found the direct command to query the
-
brake. In the next
video you'll see that when I turn abruptly
-
in the game and I release at the same time
the brake, the wheel will take a little bit
-
of time before stopping to turn, because I
have a small delay. But now I have the
-
real input, so it's way easier. So:
demonstration. So, some sensors:
-
soundtrack Start and Stop soundtrack
I just wanted the music. So, anyway, as you
-
can see it's way easier to play, because of
the steering wheel which was adjusted, it's
-
way nicer to drift in it. I can do the
crane drift.
-
applause soundtrack
My brothers were very fond of this. My
-
mother was only thinking about her tires
right now.
-
audience laughing
soundtrack
-
Anyway. Sorry. I'll give you the title of
the song later if you want. So I can now
-
drift with my front-wheel drive car in any
kind of video game, which is almost quite
-
very nice. So possible upgrades, yes,
there are always upgrades: I could get the
-
gearbox status, put the car on the lift
and try to put it in manual, which would
-
be a bit more lifelike, and
create a better gamepad so that I'm able
-
to race on Microsoft Windows, because right
now it's only on Linux. Okay, this was fun
-
but it was actually consuming a lot of gas
for nothing. So with Guillaume we tried to
-
find a way to reduce gas consumption and
that's what he is going to talk
-
to you about right now.
Guillaume?
-
Guillaume: Thank you, Stan.
applause
-
So, Stan had a little problem about the
gas consumption and a friend of ours told
-
us about this little Nitro OBD dongle
which is supposed to save fuel. It's sold
-
on Amazon and the reviews are quite good,
so we said "ok, strange, but ok, let's try
-
it". First of all, just a reminder about
what is an OBD2 dongle. An OBD2 dongle
-
is a small device that you plug into the
OBD2 port of your car. Any recent car has
-
an OBD2 port, you can find it by googling
the model of your car and "OBD2 port" and
-
you will find a picture of it, and the
interesting thing is that you just have to
-
pull the panel to access your OBD2 port,
and it's very cool because we don't have
-
to take anything apart or whatever. So,
just buy the thing on Amazon, pull the
-
panel and put it there. That's all. So,
this dongle is supposed to save fuel by
reprogramming the main ECU, the engine
-
ECU of your car. And this has been done for
quite some time: this is known as chip
-
tuning and you can find it on the internet. It
works pretty well, it will break your
-
warranty, but the very interesting
thing about this dongle is that you will
-
not break your warranty because, if you
remove it, you will go back to factory
-
settings, and this is very new. So, it
works on any car, well, any recent car, and
-
well, it seems to work really well. Ok, so
-
why did we reverse engineer this dongle?
Because it's just an amazing piece of
-
hardware. If you think about it: it works
on any car and it also reprograms any car,
-
so it must contain all authentication
codes. Stan explained the challenge and
-
response mechanisms, so this one must
contain all of them. It will also contain
-
the reprogramming software for any car of
any manufacturer, and this is also just
-
amazing, and I just wanted to have a look
at this. And it is able to adapt itself to
-
the way you are driving for a few
kilometers, then it will reprogram your
-
engine, and I said, wow, there must be a very
smart algorithm inside this very small
-
piece of hardware, and I just wanted to
have a look at this software. As I said
-
also, it also modifies the RAM of your
engine, and I was not aware of anything
-
that would be able to do that, because from
the things I know about chip tuning, it
-
will change the flash of your ECU. That's
why the warranty is broken, but not this
-
one, not this one. And this is just
amazing. I just wanted to have a look at
-
the source code or the binary. Ok, so.
The first thing about reverse engineering
-
such a piece of hardware is monitoring the
CAN signals to see if it's talking and
-
what it is doing exactly, if it's
opening security sessions or not. Well,
-
all this stuff. So, here you see, in my
car, there is the OBD2 port right there,
-
and I used the same configuration as Stan
to record the CAN messages, which is a
-
Raspberry Pi here and the PiCAN2 shield
and, well, just for fun, a PicoScope to
-
check the signals and a computer to
monitor this. The thing is, you just have
-
one OBD2 port in a car, here, and
you cannot plug in at the same time the
-
dongle, like this, and the
wires for the Raspberry Pi. So we took
-
apart the dongle and after a bit of
reversing the PCBs we found the CAN lines
-
and ground and we just soldered three
wires on it. And using this approach
-
you can reverse the messages sent on the
bus. The interesting thing is that, as you
-
are plugged directly on the dongle,
you will monitor exactly what the
-
dongle is doing and what it's seeing. Just
for reference, you just have three wires to
-
put in a car to hijack or to communicate
on the CAN bus. Those are CAN high, CAN
-
low and the ground, and that's basically
all you need to connect to a CAN bus. Just
-
for reference: on today's
cars you can find many, many CAN buses in
-
the different parts of the car. So the
OBD2 port is just more accessible, but it's
-
basically another CAN bus, just like
another one. Okay. So, we did two
-
measurements: one with basically no OBD
dongle plugged in and one with
-
the OBD dongle plugged in. Stan explained
in the first part of the presentation that
-
every CAN message is sent by an ECU and
the identifier of the ECU is called the
-
message ID, and the lower it is, the higher
the priority is. Here you
-
have the message
with the biggest priority and here
-
the one with the lowest priority, and you see here
the content of the messages. The
-
thing is, if you look at the list of the
message IDs here and the list of the
-
message IDs here, you can see:
it's the same list. Basically it means
-
that no other ECU was talking on the bus
when we plugged in the Nitro OBD2
-
dongle. So, it means that the dongle
basically doesn't speak at all on the CAN
-
bus. And that's too bad, because we said how
is it possible that it works if it's not
-
talking on the CAN bus? Okay. Is it over,
is it just not working? Well not really. The
-
dongle is advertised as working after 120
kilometres. It will just listen silently
-
to the way you are driving, then reprogram
your engine after this small amount of
-
kilometres. So it was still possible that
the dongle was not sending anything during
-
the first kilometers. And - but we
couldn't just monitor the CAN bus during
-
such a big period of time and so we needed
another approach and we chose to reverse
-
the PCB. If you take the dongle apart, you
can see two PCBs. The first one here is
-
just connected on the OBD 2 port and the
other one seems to contain, well,
-
something. Okay, so this is a picture of
the first one. As you can see, there are no
-
components on it at all. It's just routing
the CAN wires from there to the second
-
board. So okay, let's go on, and the
second one is more interesting. On the
-
front side, you can see, well, a few
components, but there are not so many. You
-
have a voltage regulator here, 7805, you
have a push-button, this diode is part of
-
the voltage regulation and that's pretty
much all you have here. And three LEDs,
-
you have three LEDs, okay. On the back
side, you can see, here there is the
-
footprint of a very small
microcontroller, and here is a picture
-
before desoldering it. And the
interesting thing is that there is
-
absolutely no reference on this device, as
if the manufacturer took special care to
-
hide what was inside. And this is not so
common, because usually you can find a
-
reference on a chip. Also, there is no CAN
transceiver on this device, yeah, it's
-
strange. What is a CAN transceiver? A CAN
transceiver is a piece of hardware to
-
translate the signals from the CPU, which
are basically UARTs, into CAN signals
-
which are CAN high, CAN low, this is a
differential pair. But this device is not
-
just about adapting the signals and
electric conversion. It's also about real-
-
time monitoring and checking. Stan
explained before that in each frame, you
-
got a CRC and an error bit. And if there
is a transmission error on a frame, any
-
CAN transceiver has the duty to assert the
fault in real-time, so it just has a few
-
microseconds to compute the CRC in real-time
and say "Okay, no, you just have to
-
discard this frame". Basically, two tasks
for this one: electrical signal conversion
-
and checking in real-time. Okay, so you
have no CAN communication, no CAN
-
transceiver, okay, it smells weird. A few
guys told us "yeah but maybe it's possible
-
to do that in software because, you see,
those are just signals and maybe with an
-
IDC and so on you can do that in
software." I put a link, if you are
-
interested, here, for Stack Overflow
discussion, which is very interesting and
-
a few guys say "ok, yes, it's possible to
do that in full software, so you basically
-
don't need a CAN transceiver". The thing
is, as the CAN transceiver has to react in
-
real-time, you have to have a very fast
CPU to do that in real-time. And the guys
-
on Stack Overflow say "Ok, it's possible,
but at a very low speed like 10 kilobits
-
per seconds or something like this." But
on a real CAN bus on a real car, the speed
-
is more like 500,000 bits per second, so
it's not the same order of magnitude. And
-
then, some of the guys say "Okay, maybe
there is some CAN transceiver inside this
-
chip", and I say "okay, yes, it's just a
small A Super8 chip, there is nothing
-
there, just a small microcontroller ",
but, just to be sure and because we like
-
to decap chips, laughter I asked my intern to do
that because, you know, there are toxic
-
fumes and things like that. So here is
Stan in my garden and, well, it was pretty
-
- it was the first time I did that, and
Stan also, and the thing is, it's pretty
-
easy to do that, but if you want to do it,
just be careful because it is very
-
dangerous stuff. You can buy it on the
internet, it's very cheap, and, what do
-
you need? You need cooking plates, here,
to produce some heat, crème brûlée, or
-
just the ceramic plate. You pour the
sulfuric acid in it, you wait for it to be
-
hot enough and that's all, basically. Just
throw your chip in it and you're done.
-
Just wait 10 minutes and that's all. So
again, if you want to do it, just do it
-
because it's fun, but use protections
because it's very dangerous. Okay, well,
-
here is the results. I put a real CAN
transceiver here, and this is the chip you
-
have in the nitro OBD 2 dongle. Some of
you, you will recognize the basic
-
structure of a small microcontroller.
Here, you have the CPU logic, here you
-
have the memory banks and some glue logic
there. And that's pretty much all you have
-
there. The interesting thing is that, this
does not fit into this. So definitely,
-
there is no CAN transceiver in the Nitro
OBD 2 dongle. The other thing I would like
-
to show is if you look at this, we said
before that the Nitro OBD 2 had to contain
-
a database for all authentication
algorithms. All the way to reprogram any
-
car on the market and so on. And this is
all the flash you have inside. I was
-
expecting at least a big chip of flash,
but there is nothing here. So basically,
-
it just looks like a tiny microcontroller,
like an Arduino or something like this.
-
But I really wanted to know what chip it
was, so we have a game at the office, it
-
was looking for Waldo, and because the
chip manufacturers like to write the chip
-
reference inside their chips, and, well,
there is something here. If you look at
-
the chip with a big magnification power, you
will see this, and this is the chip
reference. Unfortunately, I could not find
any reference on the internet about this
-
chip. I asked a few friends on Twitter and
so on, but nobody could find it, which
-
means, well, I don't know, this is not a
big chip, very well-known. If you know
-
what it is, just tell me, send a mail or
whatever and take the microphone during
-
the question answer session, it will be
nice. So, just to sum up this part, this
-
dongle is very nice but there is no CAN
communication, does not contain any CAN
-
transceiver, it has not enough CPU power
to emulate a CAN transceiver in full
-
software, and the most important thing is
that it has no flash in it to contain the
-
database, you know, to reprogram any
engine and so on. But the LEDs are
-
blinking very well, so, yeah. If you
really want to reprogram your car, use
-
something else. Thank you. applause I
would like to invite all of you, if you
-
are interested in car hacking, to try and
put some OBD cable into your car because
-
it's very easy. You just have to pull a
panel to get access to your OBD port. You
-
will just need a Raspberry Pi, CAN shield
and a cable and that's pretty much all you
-
need. Just a few words: so you don't need
to take anything apart, so it's pretty
-
easy, you can do many interesting things
just by using the OBD2 port of your car,
-
like fuzzing and so on. But please be
careful, you can hurt yourself or break
-
your engine if it's running, so if you do
some fuzzing, please stop the engine
-
before.
P1kachu: Because as you saw at the
-
beginning, I was actually recording CAN
data or querying stuff while I was
-
driving, which was the stupidest thing I
did in the whole analysis. I was able to
-
disengage ABS by fuzzing, too - stuff like
this - because they have some systems that
-
if they receive too many invalid kind of
messages, they will just shut off, so I
-
was able to disengage stuff like this, so,
yeah, if you are doing stuff like this,
-
just don't drive while doing it, for
example. That's the kind of stupid mistake
-
you do when - or disable the airbags.
Guillaume: That's very important.
-
P: You never know.
G: Well, thank you again, and, yeah, if
-
you want to speak with us, you're more
than welcome. Thank you!
-
applause
Herald Angel: Thank you, guys. I
-
normally skip the car hacking talks. This
time it was really amusing and I'm happy
-
that I didn't do that. We have a lot of
time for questions, if you want to line
-
up, there's one over there or two over
there, one over here and one over there.
-
Are there questions from the audience?
Signal angel?
-
Signal Angel: So, people on the stream are
wondering where they can find your
-
software and whether you contributed any
signals you found to the opendbc project
-
that is collecting signals from the CAN
bus.
-
P: I haven't really heard about this -
yet. So right now, not that much, but I
-
will take a look at this after this. Sorry
-
Herald Angel: Mic 1.
Q: I was wondering, you tried to reverse
-
engineer to get into the secure mode so
that you can access all the ECUs. You
-
wanted to reverse engineer this
challenge/response authentication.
-
P: Yes.
Q: Why did you not try to reverse engineer
-
the diagnostic software that is used by
the dealers?
-
P: Because this infringe, we call this
valise, like luggage, and it costs if I
-
recall correctly about 5,000 Euros by car
manufacturer. So we went to a garage and
-
asked the guy "Can you lend us your
valise?" and he just laughed at us because
-
no he didn't want to but there are some
partnerships you can have. [There] is a
-
group of manufacturers that offer that
kind of information if you pay every month
-
a very huge sum of money.
Q: [...] pay 6 Euros and can be used for
-
an hour.
P: I haven't heard of it I just saw a big
-
numbers and I told myself, okay, I find
another way.
-
Herald Angel: Microphone 3.
Q: A great presentation. Thank you very
-
much. I was just wondering, how much more
work is needed to actually control your
-
car with an Xbox controller? Laughter
Applause
-
P: I was asked this question before. Not
that much Laughter if you find the right
-
guys with the right amount of knowledge.
The idea that you'll get, of course. You
-
have to find a way to control the car from
the CAN bus which is not something that
-
easily done. Because for all I know right
now, the CAN bus I was only used for
-
broadcasting information not really using
this information for real-time data. We
-
actually tried to find some way to know
how the ECU's interact with each other
-
with Young's car. So the idea was that we
go to a field, I am on the passenger seat,
-
and he would just tell me "okay try to
find the ABS ECU I will brake very hard"
-
so he was driving fast, braking. I was
just checking which ECU would actually
-
send something different and after we've
tried to recreate some messages,
-
but without a lot of luck.
So from the CAN bus I don't think
-
that's quite possible. But they did it.
Nissan did it like two months ago with the
-
GTRC. They created a Nissan GTR that is
actually controlled by a gamepad
-
controller. But they have a full robot in
it just controlling the steering wheel and
-
pedal so it's quite easy when you have
money. Laughter
-
Herald Angel: Microphone 2 in the back,
please
-
Q: Okay, hi nice talk. Thank you. First of
all don't play around with the Airbags
-
please. I tried to reverse engineer my old
Mitsubishi - I'm a passionate Mitsubishi
-
driver - please don't try mine. You get
hurt, really. So my real question is: Did
-
you try to reverse engineer cars with an
older bus than OBD, ever? Because mine is
-
from the 90s.
P: Yeah, No I didn't because I had my hands
-
full already with OBD. To be
honest before this analysis I hadn't
-
touched any kind of bus or any kind of car
systems ever. So I was really discovering
-
everything from scratch. So I just focused
on the OBD port and the CAN bus and stuff
-
like this. But I know there are a lot of
different stuff Valasek and Miller already
-
did different kinds of attacks on the Jeep
for example or the Prius with different
-
buses. So I ought to be looking at them
but right now no I didn't do anything else
-
from the OBD or CAN bus.
Herald Angel: Is there another question
-
from the internet? Okay otherwise mic 1.
Q: Sorry, just one sentence. I guess
-
because of the Mitsubishi stuff you've
mentioned the car your parents or so I
-
guess we should talk about the Lancer.
Okay?
-
P: Okay. laughter
Herald Angel: Mic 1.
-
Q: Thank you. There are some other buses
like EtherCAT or Flex Ray in other car
-
manufacturers. What about hacking them? So
you also said, you already said that maybe
-
you will try it in the future?
P: Well quite the same answer also. I read
-
the car CAN books, so I just have a
little grasp of other kinds of protocols
-
and other stuff like this. Right now I
didn't do anything. I am planning on
-
trying different new buses but right now
just the - I haven't touched them I can't
-
answer and more honestly than this - I don't know.
G: The other thing is that on the OBD 2
-
port you just have access to the CAN bus
and as far as I remember the Flex bus is
-
internal and dedicated to high speed
buses. So it's not as easy to plug
-
yourself onto this bus because
you have to open your car and take things
-
apart and stuff like this. But it's
definitely interesting to look at it also.
-
P: Sorry.
Herald Angel: Okay, another question from
-
the 3, please.
Q: Oh it's 4. Okay, so just a little
-
hint. OBD2 is actually just half of the
fun so you should definitely remove your
-
car radio and check if there's a CAN bus
behind that I know for BMW have it and
-
there of course it's much easier to
control all of the fancy buttons that
-
you have in your car. Like window and
wipers and all that stuff because that's
-
completely unencrypted and so you can simply
listen on this and also send your own
-
commands.
P: Okay, so, check the other CAN bus in
-
the car, right?
Q: Yeah it's I mean it's maybe the car
-
radio, because you don't have to cut
anything just plug it off, take an adaptor
-
and put your own bias on that.
P: Thank you. Maybe another talk.
-
Herald Angel: And yet we have one question
from the internet now and then the 1.
-
Signal Angel: So there's a person from the
darknet who would like to leak to you
-
original diagnostic software for that kind
of hardware and the person wants to know
-
whether you would be interested in that?
P: I haven't heard the end of the sentence
-
but the beginning.
Signal Angel: Would you be interested in a
-
software leak of original diagnostic
software? laughter Actually you don't have to
-
answer that because the person is outside
but if you want to say something you can.
-
P: Coughing You have my Twitter.
Herald Angel: Yeah question please.
-
Q: First thank you for your very inspiring
speech luckily or unfortunately I don't
-
own a car myself otherwise... Well, what I
wanted to say was, you now have your hands
-
on a few Volkswagens. If you could choose
a car yourself what brand would you like
-
to monitor.
P: Ah, to monitor. Actually, what I wanted
-
but I haven't taken the time right now,
was to play with the Lancer, the big mother's
-
bus, because it has UConnect and as far as
I remember it was one of the attack
-
vectors Miller and Valasek used in the past,
so I think I would go with the one with
-
full features everywhere and remove parts
to be able to get to the fun stuff. So I
-
would take one with a lot of electronics,
not too much, because it's expensive, but
-
at least a bit of electronics, so that I
could remove stuff and do interesting and
-
nice stuff.
Herald Angel: Thank you okay and another
-
one over there.
Q: Hi thank you and I enjoyed your talk. I
-
think I read you already online or I read
something about doing that what what you
-
have done. It's really fun just a few
corrections to the last part - the
-
transceiver does not do any error
correction it's just a transceiver. And
-
there are chips actually available which
have a Cortex-M0 and D transceiver on chip
-
for few bucks.
P: Okay.
-
Q: So those chips exist and are used in
automotive and just for your fun for next
-
year: choose the right car just depending
that question from that girl. There are
-
car manufacturers who can do networking
and who can do and your... let's say you
-
are candy with the right brands. Like the
Italian.
-
P: Thank you very much. I have way more
information than when I started this talk
-
which isn't much what I expected at first.
Herald Angel: I would say final question
-
Mic 1.
Q: Very small question but did you
-
consider lifting the front wheels instead
of starting the engine to make it steer
-
easy. Yes I put it on parpar - the block
of cement you find - but it's not the
-
easiest part. What would be easier what
was done was to put cardboard under the
-
wheels to make it easier with a little bit
of oil to turn but here to be able to play
-
without the engine turned on and with
assisted direction. Kind of putting the
-
car on a car lift would be the safest way.
Because just putting the front wheels I
-
wouldn't see anything from the windscreen
which would be a bit disappointing.
-
laughter And yes I indeed I plan to put
it on a car lift soon.
-
Herald Angel: Anyone who didn't get the chance
to pass the question on stage, I'm sure that
-
the speakers can be approached next to
it. Thank you again for being here and
-
drift on.
P: Thank you very much.
-
G: Thank you.
-
Applause
-
34C3 postroll music
-
subtitles created by c3subtitles.de
in the year 2020. Join, and help us!