Daniel Lange (DLange), Felix "tmbinc" Domke: The exhaust emissions scandal („Dieselgate“)

Edit subtitles

0:00 - 0:09

♪ (preroll music) ♪
0:09 - 0:16

Angel: After half a year, Volkswagen committed
to tweaks to their emission readings.
0:16 - 0:20

Those two boys, Daniel Lange and
Felix Domke here on my left,
0:20 - 0:22

will share some insights with us.
0:22 - 0:24

Daniel will not only focus on the ECUs,
0:24 - 0:27

which is the acronym for the
Electronic Control Unit,
0:27 - 0:30

and I think we're seeing one
over here already,
0:30 - 0:34

whereby Felix will show us some tricks
to extract and tweak the firmware.
0:34 - 0:38

On both sides we will see how many people
have been involved in the entire process
0:38 - 0:42

and we would get an idea what everything
is involved in there.
0:42 - 0:48

So, you applause and I'm gonna take over
the Bildschirm.
0:48 - 0:51

Good luck!
0:53 - 0:57

Felix: Alright. Hello? Okay.
0:57 - 1:01

Hey, so, I'm Felix Domke.
1:01 - 1:04

Do we see the video output yet?
No.
1:04 - 1:06

Anyway, I'm Felix Domke.
1:06 - 1:08

I'm here on my own
because I was personally interested
1:08 - 1:13

in how Volkswagen is cheating
on their emission control.
1:13 - 1:17

And maybe we get video at some point.
1:19 - 1:21

I want to stress that I was self-funded.
1:21 - 1:26

I did this with my own money because I was
personally interested in this.
1:26 - 1:30

So I did not do this on behalf of anyone else.
1:30 - 1:35

Daniel: Let's start the Keynote again and
see whether that one works better then.
1:35 - 1:38

F: I am sure we figure this out.
1:38 - 1:41

D: Oh, it worked before?
1:42 - 1:47

Yes, that's because one of us two wanted
to use a Mac.
1:47 - 1:49

audience laughs
1:49 - 1:53

F: But I wanted to use Keynote,
I don't care which operating system.
1:53 - 1:54

D: This one works.
1:54 - 1:58

F: Anyway. So I will now hand off to Daniel
which will give the first part of this talk
1:58 - 2:01

and after that I will give
the second part of this talk.
2:01 - 2:04

D: Okay, thanks Felix.
My name is Daniel.
2:04 - 2:10

I used to work for a big Bavarian auto
manufacturer which is not Audi...
2:10 - 2:13

audience laughing
2:13 - 2:14

...for 14 years.
2:14 - 2:19

I've been running the IT strategy,
I've been doing IT architecture.
2:19 - 2:21

And most relevant to this talk,
2:21 - 2:26

I've been responsible for the
process chain electronics and electric.
2:26 - 2:31

I've done the rollout of
Connected Drive in China.
2:31 - 2:35

So I kind of have quite deep insight into
how the automotive industry works
2:35 - 2:37

and I'd like to share a bit with you.
2:37 - 2:41

I'm an Engineer by training,
I guess many of you are.
2:41 - 2:45

And I want to share
how the engineers think
2:45 - 2:49

inside such a big corporation
like Volkswagen,
2:49 - 2:53

and what pressures, what boundary
conditions they are working on.
2:53 - 2:56

I have my own company now
which makes my life a bit easier
2:56 - 2:59

than Felix's, as you see
in the legal disclaimer.
2:59 - 3:04

Those are folks from the UK.
3:04 - 3:10

They're called "Brandalism", I hope you
notice the "McDonald's"-M at the end.
3:10 - 3:15

Those are folks who started a few years
ago to reclaim the public space.
3:15 - 3:19

They were just annoyed by
all of that advertising.
3:19 - 3:24

And when the Paris negotiations
for the eco treatment came,
3:24 - 3:28

they just felt a big invitation to
use the opportunity
3:28 - 3:31

that Volkswagen has created
for all of us
3:31 - 3:35

and make advertising in their style, but
perhaps not in the message
3:35 - 3:37

they would usually have conveyed.
3:37 - 3:41

I'm a strategist.
3:41 - 3:47

So what is the thing that defines how the
automotive indusry works today?
3:47 - 3:51

We are in a saturated market.
3:51 - 3:57

In the developed countries, so everywhere
in Europe, in the North Americas,
3:57 - 4:00

everybody has a car that wants one.
Some have two.
4:00 - 4:02

So when you want to sell another car
4:02 - 4:07

you're basically talking about replacing
an existing car with another one.
4:07 - 4:10

The only growth you have
is in the BRIC states.
4:10 - 4:13

BRIC is: Brazil, Russia, India, and China.
4:13 - 4:16

And, here, especially in China.
4:16 - 4:20

You have a big overcapacity. There's just
too many automotive manufacturers
4:20 - 4:22

and there's too many plants they have.
4:22 - 4:27

So all of them basically struggle
to get the loads on the plants,
4:27 - 4:32

to produce enough cars and to have
those cars sold at some point in time.
4:32 - 4:35

Because the queueing in between
production and sales
4:35 - 4:42

is actually the big parking spaces you see
in Bremerhaven or so
4:42 - 4:46

where there's ten thousands, in some
countries even hundreds of thousands of cars
4:46 - 4:51

basically stored in between
production and sales.
4:51 - 4:54

Ten years ago, fifteen years ago,
that didn't exist.
4:54 - 4:58

The cars were basically sold off the factory.
4:58 - 5:03

But people have been moving away
very, very slowly from cars.
5:03 - 5:05

They have, as I said, a saturated market.
5:05 - 5:09

It's just not that easy
to sell a car anymore.
5:09 - 5:12

That is because of social shifts.
5:12 - 5:16

When I was young, there was
"The Dukes of Hazzard",
5:16 - 5:20

there was "General Lee", this car
that basically is the star of the show.
5:20 - 5:24

There was "Knight Rider" and nobody watched
it for David Hasselhoff, not even the girls.
5:24 - 5:28

They watched it for KITT.
5:28 - 5:31

When I was young, I wanted to own a car.
5:31 - 5:34

I wanted to have KITT, possibly.
5:34 - 5:37

And when I grew old enough, I found out
I can get a car that looks like KITT
5:37 - 5:40

but, you know, all the
fun stuff is not in there,
5:40 - 5:44

so I turned to computers.
5:44 - 5:49

The next thing is organization,
megacities.
5:49 - 5:51

We live in very condensed spaces
in those cities.
5:51 - 5:56

If you talk about a place like Beijing
where there's like 21 million people
5:56 - 6:02

in an area that is one city,
where there's nothing big inbetween,
6:02 - 6:04

there's no river, there's no forest,
6:04 - 6:06

it's just like one city.
6:06 - 6:10

If you go to Tokyo, Yokohama,
you can drive on the motorway
6:10 - 6:15

for nearly three hours when you enter
the city before you leave the city.
6:15 - 6:18

And you're driving on the motorway,
you're driving on an elevated road
6:18 - 6:22

for which you paid toll
so you actually can drive.
6:22 - 6:25

But it's three hours before
you leave the city again.
6:25 - 6:28

And in these cities owning a car
and operating a car
6:28 - 6:32

is about the worst thing you can do.
You just don't want to do that.
6:32 - 6:41

The average speed of a car in Beijing
these days is 12 km/h.
6:41 - 6:44

If you're a good runner you can beat that.
6:44 - 6:49

And incidentally this is exactly the speed
that a horse carriage makes.
6:49 - 6:56

audience laughs and applauds
6:56 - 7:01

We have managed to undo
all of the innovation of the last 200 years,
7:01 - 7:06

it's just the interior
is a little bit more comfortable.
7:06 - 7:10

The actual getting from A to B is the same
as with a horse carriage these days.
7:10 - 7:12

And then there's technology shifts.
7:12 - 7:18

The problem is, there are big things,
big visions that everybody follows,
7:18 - 7:21

like electric mobility.
Electric mobility means:
7:21 - 7:24

You buy a car that's one and a half times
the price of your standard car,
7:24 - 7:29

you lug around 300 kg of batteries for
no apparent reason to do so,
7:29 - 7:32

and you now need to install something
in your garage —
7:32 - 7:35

which you most probably don't have,
look at megacities —
7:35 - 7:39

to be able to recharge the car
because it only goes a hundred miles.
7:39 - 7:45

So it's currently not a very compelling
thing to sell to the end customer.
7:45 - 7:49

There's self-driving cars, which is kind of
a great, big vision.
7:49 - 7:52

But I would really call that a "vision".
7:52 - 7:56

A "vision" is something that's not being
implemented in my lifetime.
7:56 - 7:58

And then there's downsizing.
7:58 - 8:00

Downsizing means ...
8:00 - 8:02

Everybody wanted to have
the biggest engine,
8:02 - 8:05

everybody wanted to have the
biggest car, let's say, 10 years ago.
8:05 - 8:09

You wanted to have that six cylinder
that was giving you status.
8:09 - 8:12

But now the automotive industry
has an overall cap
8:12 - 8:17

on how much emissions the average
new car fleet my have.
8:17 - 8:22

And they can only reach that if they manage
to sell smaller engines to you.
8:22 - 8:24

Because for everybody who buys
a really big engine
8:24 - 8:27

that will never ever make that emission cap,
8:27 - 8:30

they need somebody whom they've
sold a small car to —
8:30 - 8:35

preferrably an electric car, because
they even have statistical advantages
8:35 - 8:37

to make them a bit more attractive —
8:37 - 8:39

to set that off.
8:39 - 8:43

So very literally the poor guy
with the small car needs to exist
8:43 - 8:48

for the rich guy that drives the
eight cylinder and doesn't give a shit.
8:51 - 8:58

Strategy-wise, there's only two things
that an automotive car company is driven in.
8:58 - 9:01

And that's really everything there is.
9:01 - 9:03

There is "reach a target ROCE".
9:03 - 9:07

ROCE is: Return on Capital Employed.
That is just two numbers:
9:07 - 9:12

your EBIT, which is your Earnings
Before Income Tax,
9:12 - 9:17

and the amount of money you have
in your company, the employed capital,
9:17 - 9:19

which you got from people
that lent it to you
9:19 - 9:23

or from your stakeholders, from your investors.
9:23 - 9:26

And that is what the company
is measured against.
9:26 - 9:28

Every automotive company
basically runs like this.
9:28 - 9:31

Just this one figure,
it's a percentage like "30%."
9:31 - 9:39

"30%" means: On the money you have
you made a 30% return during that year.
9:39 - 9:45

The downside of measuring in ROCE is that
everytime you use that Euro or Dollar
9:45 - 9:49

it counts again because
the money works for you.
9:49 - 9:50

That means what you're looking at
9:50 - 9:55

is a company that gradually moves
from a very industrial type of application
9:55 - 9:57

to something that tries to move faster,
9:57 - 10:03

that tries to be quick and
regain money faster.
10:03 - 10:05

And then there's
"outperform the competition."
10:05 - 10:08

You have to understand the situation
10:08 - 10:11

that there's a good dozen companies
10:11 - 10:14

and everybody has the
same strategic position:
10:14 - 10:17

"We will outperform the competition."
10:17 - 10:20

So statistically, you will know that
half of them are going to fail
10:20 - 10:25

because that won't happen, right?
Somebody has to be the lower half.
10:25 - 10:29

But the only thing I have seen
in about five or six companies
10:29 - 10:33

where I know the strategy in detail,
is: the sequence.
10:33 - 10:37

Is the first or is the latter
the more important one?
10:37 - 10:39

And sometimes that depends on markets.
10:39 - 10:42

There's this new emerging market and
you want to outperform the competition,
10:42 - 10:44

you want to grow more.
10:44 - 10:48

And then there's this laggard market somewhere
in the European Union
10:48 - 10:52

where you just look at the money, you know,
how much money are we making on this.
10:52 - 10:57

But that's all, that is how an engineer is
basically steered, that is the strategy.
10:57 - 11:04

And that means when you break that down
through the levels of hierarchy, what is counting is:
11:04 - 11:07

How much money do you
need to make this?
11:07 - 11:10

How much money are you
gonna make on this?
11:10 - 11:14

Those two divided will be
contributing to the ROCE.
11:14 - 11:20

And do you deliver anything that can
help us outperform the competition?
11:20 - 11:24

You notice that there is a lack, which is,
you know: What does the customer want?
11:24 - 11:28

Or: What is good for associates?
Or something like that.
11:28 - 11:31

Just in case you hadn't noticed before.
11:31 - 11:37

Okay, I'd like to do a bit of a quiz with
you before you all fall asleep after lunch.
11:37 - 11:39

Eleven million.
11:39 - 11:43

"Eleven million" in the context of the
exhaust emission scandal.
11:43 - 11:44

What is that number?
11:44 - 11:47

Audience: Cars affected!
11:47 - 11:49

Correct! Cars affected.
11:49 - 11:52

Eleven million is actually the
Volkswagen cars
11:52 - 11:55

which need to be recalled world-wide
11:55 - 12:00

to get this little filter thing fixed
and their software updated
12:00 - 12:05

to meet the emission targets which they
had been produced against.
12:05 - 12:08

1500 ...?
12:10 - 12:12

A: Number of engineers!
12:12 - 12:14

Number of engineers?
No, not correct.
12:14 - 12:20

Number of engineers would be above 10000
for a car in Volkswagen Group. Sorry?
12:20 - 12:23

A: Cost for fixing it per car?
12:23 - 12:27

Cost for fixing it per car? No, that's
maximum 600, we're gonna see later.
12:27 - 12:29

unintelligible suggestion from audience
12:29 - 12:32

No? Well that was too difficult then,
and that was a bit intentional.
12:32 - 12:37

That's the amount of hard disks they
collected from the associates.
12:37 - 12:42

audience laughs and applauds
12:42 - 12:48

Now the thing is, we've had in the press
that there is maximum 13 managers
12:48 - 12:54

which are responsible for this
emission scandal within Volkswagen.
12:54 - 13:00

But then they collect 1500 hard disks and
USB sticks from 380 associates,
13:00 - 13:04

and that number is a month old because
they haven't reported newer numbers.
13:04 - 13:08

So something is mismatching there, right?
Something is mismatching there.
13:08 - 13:10

So the first number we have is
for how many associates
13:10 - 13:13

are actually somehow
affected by this is 380.
13:13 - 13:18

Because you come to work somewhere in
Wolfsburg I think, right?
13:18 - 13:21

And then there's this nice chap coming up
and telling you,
13:21 - 13:24

"Uhm, actually we took
the hard disk off your PC,
13:24 - 13:27

you're gonna get a new one from IT,
we guess tomorrow,
13:27 - 13:32

they're a bit behind with, you know ..."
13:32 - 13:35

6.7 billion ...?
13:35 - 13:37

Just shout!
13:37 - 13:39

unintelligible suggestions from audience
13:39 - 13:43

Fine? No that will be less, much less.
13:43 - 13:44

unintelligible suggestions from audience
13:44 - 13:47

Yes, you're getting close.
It's the money they put back,
13:47 - 13:52

they set aside to actually pay
for the recall and the legal fees.
13:52 - 13:57

Now if you divide that by 11 million
you get about €600 per car.
13:57 - 14:02

So it's not that much money per car.
14:02 - 14:08

In Europe, the plan is basically that you
go to the dealer and get a software update.
14:08 - 14:15

In the States, people already got $1000
in cash and in coupons
14:15 - 14:17

as a goodwill measure.
14:17 - 14:23

So something I learnt from Martin Haase
here going to the CCC Congress all the time
14:23 - 14:26

is that we need to read text really well.
14:26 - 14:30

So the upper one is the original in German,
the lower one is my English translation.
14:30 - 14:35

The English translation is as accurate as
possible, so it's not good English.
14:35 - 14:40

Please excuse that, it is so you get the gist
in case you can only read the English.
14:40 - 14:44

So that is Mr. Pötsch, he's the president
of the Volkswagen supervisory board.
14:44 - 14:50

He is the poor guy that now
has to sort it all out.
14:50 - 14:55

He used to be the CFO. We're gonna see why
that is important a little bit later.
14:55 - 14:59

And he has made this analysis:
14:59 - 15:04

It was "individual misbehaviour",
so it's not an organizational problem,
15:04 - 15:07

it's "weaknesses in particular processes",
15:07 - 15:10

and it's "the attitude in
particular sub-partitions" ...
15:10 - 15:14

"Teilbereiche des Unternehmens",
it's impossible to translate in English,
15:14 - 15:20

it's actually impossible in German, but,
you know, the legal team came up with that.
15:20 - 15:25

So the "attitude in particular sub-partitions
of the company to tolerate rule violations."
15:25 - 15:29

Now, if we go through this very quickly:
It's not a rule violation,
15:29 - 15:32

you violated the fucking law.
15:32 - 15:37

The other thing is, if you have particular
processes, you have particular associates,
15:37 - 15:40

and you have particular sub-partitions
of the company,
15:40 - 15:44

That tells you something, right?
That just tells you something.
15:44 - 15:47

This was probably two days' work of
somebody in the legal team,
15:47 - 15:51

and I guess you noticed, right?
I guess you notice.
15:51 - 15:56

"Legal team" is probably these people.
15:56 - 16:02

Jones Day is a big American lawyer company
16:02 - 16:05

and they've asked them to help
with sorting out this.
16:05 - 16:12

Now the funny thing is, there's public prosecutors
all over the planet interested in Volkswagen
16:12 - 16:14

but Volkswagen thinks it's
not really clever
16:14 - 16:17

to have those people come in
and find all the info,
16:17 - 16:22

it's better to have Jones Day,
their own kind of bought-in legal team,
16:22 - 16:25

ask the associates first.
16:25 - 16:31

Now the problem is, whenever the let's say
German prosecutors wake up and go in there
16:31 - 16:36

and say, like, "We would like
to see what has happened,
16:36 - 16:40

so please hand over the material,
please hand over the hard disks,"
16:40 - 16:45

they would get a very, very nice reception,
be greeted with coffee and shown a room
16:45 - 16:47

where all of the hard disks
and everything is stored,
16:47 - 16:52

"We collected it for you."
16:52 - 16:56

I have no idea whether they gonna show
everything to them
16:56 - 17:01

I have no idea whether there may be
some material lost in between.
17:01 - 17:05

We've heard from Anna earlier
in Germany it seems to be
17:05 - 17:08

that things hit the shredder and
hard disks get lost and everything.
17:08 - 17:13

So if it works like that in the government
I have no idea how it works in companies.
17:13 - 17:18

But if I was on the prosecutors I'd
probably see that I speed up a little
17:18 - 17:21

because otherwise you'll get
all pre-prepared material.
17:21 - 17:23

And because Jones Day
can't do all of that —
17:23 - 17:26

you have to interview all of those people,
and you have to look through the hard disks —
17:26 - 17:29

they asked Deloitte
to come in and help them.
17:29 - 17:33

Now Deloitte are a very good company,
they have very, very good forensic teams,
17:33 - 17:36

so that's a very good choice.
But the important thing here is:
17:36 - 17:41

Out of the four big consulting companies
that do finance analysis and stuff
17:41 - 17:45

those are the only Americans. The others
are headquartered somewhere else.
17:45 - 17:52

So what it tells you here —
American legal teams, American auditors —
17:52 - 17:56

that's where Volkswagen looks.
Volkswagen is actually afraid of America.
17:56 - 18:03

They are not that afraid of Europe or some
other country in some other continent.
18:05 - 18:09

Now, let's talk text a bit again.
18:11 - 18:17

"We have no findings on the involvement
of the supervisory board
18:17 - 18:20

or the board of management presented."
18:20 - 18:25

Now, again, "no findings", okay,
"presented", right?
18:25 - 18:28

It's not "we don't have any findings"
or "there is nothing",
18:28 - 18:31

it says "we have no findings presented."
18:31 - 18:34

And the other thing is "involvement",
that's an odd term.
18:34 - 18:37

In German, "Involvierung",
that's not even German, right?
18:37 - 18:41

If you look it up, "Involvierung", nobody
of you talks of "Involvierung"
18:41 - 18:44

when you talk to your family or
when you do something at work.
18:44 - 18:50

The trick here is, the supervisory board
has a reason for existing: supervision.
18:50 - 18:54

audience laughs and applauds
18:54 - 18:59

The board of management has a reason for
existing and that is: decision.
18:59 - 19:01

They are the deciding body.
19:01 - 19:04

None of them are ever "involved", right?
19:04 - 19:08

When you work on something
in a big hierarchical company
19:08 - 19:11

there is no "involvement"
of your board member,
19:11 - 19:14

there is no "involvement"
of your supervisory board member.
19:14 - 19:18

So per definition, they cannot
have an involvement, right?
19:18 - 19:21

If he wanted to be straight
he would have said:
19:21 - 19:27

"I, as a former board of management director
and now as the head of the supervisory board,
19:27 - 19:33

I guarantee there was no involvement
of my or my colleagues in this.
19:33 - 19:37

And if there was, I would pay back my
salary, I will go to jail, I will ... whatever."
19:37 - 19:40

Right, sacrifice a goat?
19:40 - 19:43

But that would have been
straight communication.
19:43 - 19:47

But this is not straight communication,
this is... bullshit.
19:48 - 19:52

Okay, quiz time!
10 ...?
19:52 - 19:59

You remember, this guy here told us there's
no involvement in anything fishy, right?
19:59 - 20:03

It's all those small engineers,
all those bad, bad people down there.
20:03 - 20:05

But they are gonna hunt 'em down, right?
20:05 - 20:08

So there's no involvement
with anything fishy here.
20:08 - 20:11

So, in that context, what is "10"?
20:11 - 20:12

A: Board members!
20:12 - 20:14

10 board members?
Close, they have a little more.
20:14 - 20:16

A: Levels of hierarchy.
20:16 - 20:20

Levels of hierarchy — quite good. It's,
I think, eight or so, but you're quite close.
20:20 - 20:29

No, it's actually the amount of planes
that Volkswagen owns.
20:29 - 20:31

All of them are jet planes.
20:31 - 20:35

Because if you're a board member
you have to, you know, fly in style.
20:35 - 20:39

And because there's nothing
ever fishy at Volkswagen
20:39 - 20:44

it's run by Lion Air Services
out of the Braunschweig airport.
20:44 - 20:50

And obviously, Lion Air Servives is registered
in Georgetown on the Cayman Islands.
20:50 - 20:53

applause and laughter
20:53 - 20:55

Nothing fishy ever in that company.
20:55 - 20:58

Okay, let's get back to topic. I have
about another ten minutes
20:58 - 21:03

before I want to get Felix the chance to
show you what he has done on the ECUs.
21:03 - 21:10

So I need to get you up to speed
about how all of this context here works.
21:10 - 21:16

And this here is called the NEDC,
it's the New European Driving Cycle.
21:16 - 21:21

This is what your car is tested
against for emissions.
21:21 - 21:25

It works like that: You condition
the vehicle a day before.
21:25 - 21:27

Which means you really
drive it hard on the Autobahn
21:27 - 21:31

so the exhaust is really free
and everything.
21:31 - 21:37

And then you do these cycles here where
you basically accelerate the vehicle,
21:37 - 21:40

slow down, accelerate the vehicle,
slow down, accelerate the vehicle,
21:40 - 21:44

slow a bit down, slow a bit more down,
and then you cycle again.
21:44 - 21:47

And the last, cycle 5, is an optional one,
depending on what you measure,
21:47 - 21:49

that is actually going to the autobahn
21:49 - 21:56

and you're going up to a top speed of
120 km/h for a very short period of time.
21:56 - 22:05

The people that have detected the
tweaked emissions
22:05 - 22:11

in the VW Jetta and Passat they looked at,
they have called this
22:11 - 22:16

"a very light usage cycle,"
and they called it "unrealistic".
22:16 - 22:21

Because basically nobody drives the car
like this, it's a very artificial thing.
22:21 - 22:23

And that is the problem
for the engineer, right?
22:23 - 22:28

The engineer looks at this and says,
"Yeah, you know, it's a standard.
22:28 - 22:30

It's something we do to measure against."
22:30 - 22:33

But nobody drives like this.
It's not realistic, right?
22:33 - 22:38

So if you fake the data in this we're not
actually faking something our customer uses
22:38 - 22:42

because no customer drives like this,
it's very artificial.
22:42 - 22:46

And there's a very good report by ICCT
which is, "Mind the Gap".
22:46 - 22:49

Which is what you hear in London when you
go into the Tube.
22:49 - 22:55

And what they mean is the gap between what
gets out when you measure emissions like this
22:55 - 22:58

and what gets out when you
actually drive the car.
22:58 - 23:01

And that gap is widening
year by year by year.
23:01 - 23:06

Because engineers get better and better
at optimizing for this cycle.
23:06 - 23:11

The cars on the street? Phhh, they do get
better as well, but less, right?
23:11 - 23:14

That's why the gap widens.
23:14 - 23:17

And trickery on those tests
is very common.
23:17 - 23:21

I'm sorry you can't probably
read that in the stream
23:21 - 23:24

and probably can't read that
when you're back down there.
23:24 - 23:27

But that's an original slide I had to take
from Transport & Environment,
23:27 - 23:29

from that report which I just named.
23:29 - 23:33

And what it says there is
what tricks people are doing
23:33 - 23:35

to actually drive down the emissions.
23:35 - 23:38

For example, they blow up the tyres
23:38 - 23:42

by 3 bars more than you could
actually use them on the road.
23:42 - 23:46

Now when you do, the bottom of the tyre
looks like this, right?
23:46 - 23:48

So that means you only have a very, very
small portion of the tyre
23:48 - 23:53

that still touches the ground,
so your resistance gets reduced.
23:53 - 24:00

They put diesel into the oil beause diesel
is lighter than the oil which you are using
24:00 - 24:03

inside the vehicle, so friction gets reduced.
24:03 - 24:07

They take off the mirror, the side mirror
on the passenger side
24:07 - 24:10

because that is not legally
required to be existing,
24:10 - 24:14

so, you know, it's resistance,
so get away with it.
24:14 - 24:18

They tape close all of the
openings of the vehicle
24:18 - 24:20

because obviously when the
wind goes over it
24:20 - 24:23

it goes much smoother
once you have everything taped.
24:23 - 24:30

Now all of these things are either okay or
they are kind of borderline grey area.
24:30 - 24:33

And they do this. This is how
actually emissions are tested.
24:33 - 24:36

So this is why an engineer,
when he looks at this, says,
24:36 - 24:40

"Yeah, it's an optimization problem. They
want me to get a low number
24:40 - 24:46

and I have pretty clever ideas, which involve
diesel and sticky tape and everything,
24:46 - 24:47

to reduce the number."
24:47 - 24:50

sighs
24:50 - 24:53

The results are this.
24:53 - 24:59

That's from a 2012 report from — a 2013
report, I'm sorry — from ADAC,
24:59 - 25:03

the German MRT company.
25:03 - 25:07

And what you see, the lighter blue ones
are actually the emissions
25:07 - 25:12

which the car produces in this cycle.
25:12 - 25:14

The darker blue ones are the ones
which are produced
25:14 - 25:17

when you just go on the motorway
and drive them.
25:17 - 25:19

And you see that there is a discrepancy
25:19 - 25:27

which is ten times, twenty times, thirty
times what is the measured data.
25:27 - 25:32

So what you need to understand is that
even in the past nobody ever thought,
25:32 - 25:36

nobody in the industry ever thought that
the data which was measured
25:36 - 25:40

had any real connection with reality, right?
25:40 - 25:44

The only connection was, you knew that
what you're measuring
25:44 - 25:48

within the duty cycle NEDC
is definitely less
25:48 - 25:51

than what you would ever see
in any realtime use.
25:51 - 25:54

But that's it, that's it.
That's no secret, right?
25:54 - 25:58

It's something that has been
out there for years.
26:00 - 26:05

Now the folks at Deutsche Umwelthilfe,
which are actually people that helped
26:05 - 26:09

find out what Volkswagen did, they wanted
to see that others do it as well.
26:09 - 26:12

And because I wanted to give you as much
information as possible
26:12 - 26:18

we are going to look at this product here now,
which is not a Volkswagen as you may see.
26:18 - 26:22

And when you measure this car
it actually looks like this.
26:22 - 26:27

So that means when the car is thinking it
is running an NEDC —
26:27 - 26:31

because it is conditioned to do so,
it is the right temperature,
26:31 - 26:35

it is the right setup —
it actually delivers the blue bars.
26:35 - 26:40

And if you run it because you just run it
and you don't do the conditioning
26:40 - 26:42

it delivers the grey bars.
26:42 - 26:46

Now there's many things you can say
about how they measured this
26:46 - 26:52

because, obviously, this is not science to
the best level of accuracy.
26:52 - 26:55

But you do see a pattern here,
and you do see the pattern
26:55 - 27:00

of the 30-, 35-fold emissions.
And that is what you always see
27:00 - 27:03

because this is what an engine
like the one in this car —
27:03 - 27:06

a 1.6 l diesel engine
if I remember correctly —
27:06 - 27:11

actually does when it's just
operated normally.
27:11 - 27:17

And the lower ones are the ones which you
get when the engineers did all the good tweaking.
27:18 - 27:24

Now why has all of this ...
Oh sorry, so this is just one test, right?
27:24 - 27:29

And you see that this test,
when the vehicle is cold,
27:29 - 27:35

you get fresh air with a nice rose smell
out of the exhaust.
27:35 - 27:39

And when the vehicle is operated normally
you basically get what you expect,
27:39 - 27:42

you get the combustion products
out of burning diesel.
27:42 - 27:45

Now why is all of this now a problem?
27:45 - 27:48

This is now a problem because of the
American legal system.
27:48 - 27:50

The American legal system is
very, very different
27:50 - 27:55

from what people in the European Union
are used to.
27:55 - 28:00

In America, there are two things which are
a bit strange perhaps
28:00 - 28:04

to somebody who's accustomed with a
German legal system.
28:04 - 28:06

The first thing is, there's jurys.
28:06 - 28:10

So there's common people that actually
decide about what's right or what's wrong.
28:10 - 28:14

And that means, what they
award as compensation
28:14 - 28:20

to people that have had a disadvantage
are often astronomic figures.
28:20 - 28:24

Now these figures are sometimes
reduced again by the judges,
28:24 - 28:30

but it's not uncommon that if something
hurt you or you got into an accident
28:30 - 28:33

you're awarded million dollar sums.
28:33 - 28:37

In Germany, if somebody shoots your
eye out, you may be getting €100,000.
28:37 - 28:40

So there's a huge discrepancy there.
28:40 - 28:43

And the other thing is, in America
there are punitive damages.
28:43 - 28:48

"Punitive damages" means: You did
something wrong, you did it on purpose,
28:48 - 28:50

and you're punished for it.
28:50 - 28:54

In Europe, a company basically is,
you did something wrong
28:54 - 28:59

so now you have to compensate the
disadvantage somebody else had.
28:59 - 29:03

So to a certain extent,
a company that doesn't try to trick
29:03 - 29:10

actually kind of loses an opportunity because
if they are not detected to be tricking
29:10 - 29:11

they have just saved money.
29:11 - 29:15

There's no punitive element, there's no
"You will go to jail for this."
29:15 - 29:20

At least in this context of
environmental regulation.
29:20 - 29:24

Now in case you couldn't read that, that's
actually a sign I took in california.
29:24 - 29:28

You go into a store and it tells you
that basically everything you see there
29:28 - 29:34

and touch there is giving you cancer and
your unborn children will be damaged.
29:34 - 29:36

This is what it says there: Belts, shoes,
jewellery, handbags,
29:36 - 29:38

all products with metal, and everything
29:38 - 29:42

causes cancer, birth defects,
and other reproducive damages.
29:42 - 29:44

So this is America, right?
29:44 - 29:51

Their view of protecting the consumer is
completely different from Europe.
29:51 - 29:55

And this is why Volkswagen goes and says,
"We will show good faith.
29:55 - 30:00

We will give you, American Volkswagen
owner, a thousand dollars
30:00 - 30:05

because we just wanna make sure that
you at least know we care."
30:05 - 30:08

It's important that you care because
the jury will say,
30:08 - 30:11

"Well at least they awarded $1000,
maybe a little too little,
30:11 - 30:13

but at least they did something."
30:13 - 30:18

The jury would say that. A professional
judge in Germany would say, "Pshh, why?"
30:18 - 30:23

So this is why as a European customer
you actually go to the dealership,
30:23 - 30:25

and if that guy is really nice
you may be getting a coffee
30:25 - 30:29

while you wait the hour
that he flashes your car.
30:29 - 30:34

So that's the only thing you're currently
supposedly getting in Europe.
30:34 - 30:39

Okay, now the problem is:
What they did hurts.
30:39 - 30:42

And it hurts because,
if you do the statistics ...
30:42 - 30:50

Very nice people have published a
publication here, a real scientific publication
30:50 - 30:52

where they did the maths,
and they say:
30:52 - 30:56

59 people may be dying
earlier in the United States
30:56 - 30:59

because of the additional emissions
in the environment
30:59 - 31:03

which they took in and which may
damage their body.
31:03 - 31:06

The social cost of treating those people —
because they may be developing cancer,
31:06 - 31:08

they may be going to a hospital,
and so on —
31:08 - 31:12

is about 450 million Euros.
Now that's statistics, right?
31:12 - 31:17

"Lies, damn lies, and statistics."
Mark Twain is often quoted with that.
31:17 - 31:21

But the problem is: That is a real cost,
it is a real damage.
31:21 - 31:28

If you do violate emission laws it is
something that is damaging people's health.
31:28 - 31:31

It may be something that is difficult
to prove statistically,
31:31 - 31:36

but it is something which you don't only
do to save money here or there,
31:36 - 31:39

it is something which you do
to actually hurt people.
31:41 - 31:47

Okay, I need to speed up a bit. Very
sorry, skip this, that's the next quiz.
31:47 - 31:51

15.9 million is actually the salary
of this guy here.
31:53 - 31:57

That's a lady from BMW,
I just wanted to put that out there.
31:57 - 32:00

She says, "It shouldn't be called
Dieselgate, it's Volkswagen-Gate.
32:00 - 32:03

We never did anything wrong at BMW."
32:03 - 32:07

And the SZ, actually, yay, they follow,
right? In November, it was "Abgasskandal",
32:07 - 32:10

in December, it's "Volkswagen-
Abgasskandal".
32:10 - 32:16

The only problem is that even in 2000,
BMW was cought cheating on the Motorrad.
32:16 - 32:21

So this is 15 years ago. 15 years ago
BMW actually put the same code
32:21 - 32:30

which we are now seeing in Volkswagen
into their ECUs for the F 650 motorcycle.
32:30 - 32:36

And we will see again here the same 34,
in this case, -fold increase
32:36 - 32:40

in between real use and test bench use.
32:40 - 32:45

Now, honestly, they've been caught, they've
been caught earlier, and they fixed it.
32:45 - 32:49

So in 2001, they actually
brought a new version
32:49 - 32:53

and apparantly that didn't have
this cheat code anymore.
32:53 - 32:57

But here we see a pattern again:
too little time for development,
32:57 - 33:00

too little money willing
to be spent on this,
33:00 - 33:02

so engineers try to trick.
33:02 - 33:04

When you get caught,
and you get caught early
33:04 - 33:07

nobody probably of you
remember this here.
33:07 - 33:10

It's fine, it kinda fades away into history.
33:10 - 33:14

If you're Volkswagen, if you have
11 million cars out of there,
33:14 - 33:16

you have a big problem.
33:16 - 33:20

Okay, I'll skip this one, it's really
nice, you can see it in the slides.
33:20 - 33:26

But I have to go to this here
to give Felix enough time.
33:26 - 33:28

So how does component development work?
33:28 - 33:34

There's a huge set of legal frameworks.
It's a very structured top-down process.
33:34 - 33:39

You get requirements from the people
that represent the market in the company,
33:39 - 33:43

you get requirements from the CFO,
from the finance director.
33:43 - 33:48

And these are broken down into documents
which are more than a thousand pages long.
33:48 - 33:54

And there's every single detail that
could exist in this ECU written out.
33:54 - 33:58

There's a piece of paper
for everything it does.
33:58 - 34:03

Everything. There's not a bit in this thing
which is not pushed down
34:03 - 34:07

into a very hard set of requirements.
34:07 - 34:12

This is then put into a tool,
often Rational DOORS by IBM or something,
34:12 - 34:15

and then every time something changes
this is documented.
34:15 - 34:18

There's a complete paper trail, right?
34:18 - 34:21

So that means unless there
will be a cover-up,
34:21 - 34:24

unless we're not given all the information
as a public,
34:24 - 34:29

there's no way Volkswagen cannot find out
who did exactly what at what point in time,
34:29 - 34:32

which level of management was involved.
34:32 - 34:36

Because every step of the development goes
through a Q-Gate, a Quality Gate.
34:36 - 34:40

There's managers sitting there and they're
approving everything it does,
34:40 - 34:43

every progress that has been made,
and they're getting reports,
34:43 - 34:46

at least bi-weekly, on the progress.
34:46 - 34:51

And these reports go up the ladder, they
are copied to the next levels of management.
34:51 - 34:55

So this is a fully transparent process and
this is a fully top-down driven process.
34:55 - 35:00

It is completely impossible that you have
an engineer that sits there and says, like,
35:00 - 35:05

"Well, I wanna cheat," and does the code.
There's no motivation for him to do either.
35:05 - 35:11

He doesn't get any money for it, he would
only be risking his career, so he won't do.
35:11 - 35:15

And this is why we have paper trails,
and this is why engineers have written down,
35:15 - 35:18

"I'm doing this because my
manager told me to do this."
35:18 - 35:23

And this is why you have Bosch sending
a letter in 2007 to Volkswagen which says,
35:23 - 35:28

"We delivered you this code you
requested. We're your supplier, we do.
35:28 - 35:31

But if you send it into production
it will be illegal."
35:31 - 35:33

And they did.
35:35 - 35:41

So this is how actually this
exhaust system works.
35:41 - 35:44

And this is a little bit important to
understand what Felix is now doing
35:44 - 35:50

and showing you how the ECU
that manages this all works.
35:50 - 35:53

To the left would be the engine,
to the right is the exhaust,
35:53 - 35:57

the end of the exhaust
where the remainders come out.
35:57 - 36:03

And the first thing is,
you have diesel oxid cathalytic
36:03 - 36:07

and it basically takes out ...
The interesting stuff here is CO,
36:07 - 36:13

so carbon oxide, and PM, the
particle mass, through 98%, 50%.
36:13 - 36:17

The hydrocarbonides before that,
they just kind of don't go through
36:17 - 36:22

the rest of the process anymore.
36:22 - 36:27

Then you have a filter that basically
traps all of the diesel particles,
36:27 - 36:30

the stuff that causes
cancer in your lungs.
36:30 - 36:35

But you have to burn them out at some
point in time, about every 700 km,
36:35 - 36:37

when there have been enough collected.
36:37 - 36:38

So it's a bit a trick, right?
36:38 - 36:44

The trick is: You collect them so they
don't exit the exhaust
36:44 - 36:48

but at some point in time you have to burn
them again, so they do exit the exhaust.
36:48 - 36:53

Now the positive thing here is,
they get larger, and the larger they are,
36:53 - 36:59

the less risk they — at least as much
as we know — cause as a health hazard.
36:59 - 37:05

So this is the DPF here. And then at the end,
this is the really interesting thing,
37:05 - 37:08

this is what most of the
scandal now focuses on:
37:08 - 37:11

There's a selective catalytic reduction.
37:11 - 37:14

And what this thing does is,
it does reduce the particle mass,
37:14 - 37:16

it does reduce the particles.
That's nice.
37:16 - 37:23

But the interesting thing is NOx.
It goes against this to about 90%.
37:23 - 37:27

So this is what it is made for.
37:27 - 37:36

It basically injects urea into the airflow
and helps to reduce the NOx content
37:36 - 37:42

by creating by-products
which are mostly water
37:42 - 37:45

that comes out the end of the exhaust.
37:45 - 37:48

And this is the system, this is a very
complex technical system
37:48 - 37:52

that has to be managed,
and this is managed by an ECU.
37:52 - 37:56

This ECU which they selected to do this,
and everybody does, is the engine ECU.
37:56 - 38:00

Because to the left of the diagram before
was this big engine, you didn't see it,
38:00 - 38:05

it fell off the diagram, but that's
actually the fan blowing into the system.
38:05 - 38:11

So this is what you want to manage to
actually control what happens there.
38:11 - 38:16

Now this thing is quite
a sophisticated processor,
38:16 - 38:20

it's about the most complex device
outside multimedia and entertainment
38:20 - 38:25

which we find in the car, and it is a
very proprietory thing
38:25 - 38:28

because it contains a
physical model of engines.
38:28 - 38:32

So there have been hundreds, if not
thousands of engineers sitting there
38:32 - 38:37

and modelling how an engine works,
really physically modelling it.
38:37 - 38:42

And the things that an OEM —
an original equipment manufacturer,
38:42 - 38:45

a car maker — can actually tweak
are variables.
38:45 - 38:49

They can say,
"My engine has this and this size,
38:49 - 38:52

my combustion cycle looks like this and that."
38:52 - 38:55

But the code itself is opaque to the OEM.
38:55 - 39:02

It's a proprietory product which you can
buy from Continental, or Bosch, or so.
39:02 - 39:07

And there's about 20,000 variables
which you can tune.
39:07 - 39:13

And this thing is simulated and tested
to death. Because it is hugely important.
39:13 - 39:17

Because you have this machine here
that has like 100, 200 horsepowers
39:17 - 39:22

and if you steer it wrong it will blow up,
and it will blow up really hard.
39:22 - 39:29

So this is why this thing is about the best
tested piece of software you will ever find.
39:29 - 39:35

Which also again means there's everything
documented, everything is written down,
39:35 - 39:39

everything is seen by everybody
who's working with these,
39:39 - 39:42

whether it's in development,
whether it's in integration,
39:42 - 39:46

whether it's in the plants that
flash these things, and so on.
39:46 - 39:48

There's nothing secret here in this, right?
39:48 - 39:51

The functions which are there are
actually there to be seen,
39:51 - 39:59

well, seen if they are named apparantly, and
that is something that Felix will talk about.
40:01 - 40:10

audience applauds
40:10 - 40:13

F: Thank you. Hey, okay.
So I will do the second part of this talk.
40:13 - 40:15

I'm Felix, by the way.
40:15 - 40:18

So my motivation with this
was a little bit different.
40:18 - 40:26

I'm curious, and, I mean, we can find a lot
of source material for this whole scandal.
40:26 - 40:28

We can find a lot of
information in the press,
40:28 - 40:32

a lot of information in the
Volkswagen press releases.
40:32 - 40:37

However, it should be easier
because all the cars are there,
40:37 - 40:43

the 11 million cars are out there
that have the cheat code in them.
40:43 - 40:47

And we are hackers, and we know code,
and the truth is in the code.
40:47 - 40:53

So my approach was, well,
let's take a car, let's take it apart,
40:53 - 40:56

let's take the firmware out of it,
let's throw it in a disassembler,
40:56 - 40:59

maybe get some measurements, and
then look at what the car is actually doing
40:59 - 41:05

instead of relying on all of this
second-hand, third-hand information.
41:05 - 41:07

So what do we need for this approach?
41:07 - 41:11

So first of all, we need a car
that's affected.
41:11 - 41:15

You need to drive that car somehow,
and driving a car on an open road
41:15 - 41:18

can be dangerous if you have to follow
particular driving cycles.
41:18 - 41:22

So there's a "dyno" you can put the car on
and then you can just drive
41:22 - 41:24

without the car physically moving.
41:24 - 41:26

The wheels are moving,
but the car isn't moving.
41:26 - 41:28

And this is what other people have done,
41:28 - 41:31

and they have taken very interesting
measurements out of this.
41:31 - 41:34

However, we as hackers,
we can go one step further.
41:34 - 41:38

We can take a look at the ECU itself.
41:38 - 41:45

And not only that, we can also ask
other people who worked with these things
41:45 - 41:50

and may be able to get
more information about them.
41:50 - 41:52

I will talk about this in a minute.
41:52 - 41:58

So first of all, this is my car, luckily that
car was affected by the recall.
41:58 - 42:02

So I was very happy when I got the letter
telling me I have to go to the shop in January
42:02 - 42:06

and get a firmware update because
firmware updates are exciting, right?
42:06 - 42:10

I love updating things,
so updating a car seems great.
42:10 - 42:14

Yeah, it sucked that my car was putting out
more emissions than it should have,
42:14 - 42:18

but otherwise, it gave me the chance
to actually look at the car.
42:18 - 42:25

I mean, I could have rented a car or
something, but that makes it much easier.
42:25 - 42:28

I also went on a dyno with my car.
On a dyno, there are no speed limits
42:28 - 42:33

or no people to run over when you just
have to keep a constant speed or something,
42:33 - 42:35

so it makes things much easier.
42:35 - 42:40

And I talked about ripping apart
my car and disassembling it.
42:40 - 42:44

I didn't really want to do that,
so what I did instead was what I always do:
42:44 - 42:50

I go to eBay and I bought an extra ECU.
42:50 - 42:55

Here it is, maybe you can show it?
42:55 - 42:58

You can go here after the talk
and take a look at it.
42:58 - 43:04

This is the ECU. This here is the main CPU
that also includes the flash.
43:04 - 43:10

On the other side there are the power drivers
that drive the actual stuff in the car.
43:10 - 43:12

And then there's other
watchdog circuits and so on.
43:12 - 43:15

Okay, thank you.
43:17 - 43:23

So, the ECU was built by Bosch,
it's an EDC17C46,
43:23 - 43:25

that's the name of the hardware.
43:25 - 43:29

And it can easily be obtained on eBay,
and you can put it on your desk,
43:29 - 43:32

you apply 12 volt to it and then it boots.
43:32 - 43:34

It will complain about a lot of
sensors being missing and so on
43:34 - 43:38

but you can see it executing code.
43:38 - 43:43

And it doesn't have the very same
firmware as my car, but it's very close.
43:43 - 43:46

The flash chip is unfortunately in the
same pakage as the main CPU,
43:46 - 43:50

which is an Infineon TriCore chip,
43:50 - 43:52

which is apparantly only used
in automotive equipment,
43:52 - 43:56

or at least I'm only aware of it
being used there.
43:56 - 43:59

And I was able to dump the flash by
attacking the hardware
43:59 - 44:04

and exploiting a bug in the hardware
that I haven't found documented anywhere,
44:04 - 44:06

but it was not that complicated.
44:06 - 44:10

And then I had a firmware dump, I had a
2 megabit binary,
44:10 - 44:12

and I throw it in a disassembler.
44:12 - 44:17

And what we see is interesting because
the code is written very different
44:17 - 44:19

from other code that we know.
44:19 - 44:21

So usually, code has
a lot of flow control
44:21 - 44:24

and usually more or less
resembles spaghetti code.
44:24 - 44:27

This was the exact opposite.
44:27 - 44:32

It's more like someone took electrical
schematics and put them into code.
44:32 - 44:36

There's a set of input signals,
there's a set of processing on it,
44:36 - 44:37

and there's a set of output signals.
44:37 - 44:42

That gets updated every 10 ms or
once per rotation depending on processoids.
44:42 - 44:47

Really interesting way of writing software
and building this.
44:47 - 44:52

Also it's very data-driven, so a large
part of the firmware is not code but is data.
44:52 - 44:56

All of the computations,
they don't use constants at all,
44:56 - 44:59

they always refer to something
from the data section.
44:59 - 45:07

As Daniel said, Bosch writes this code,
the code is not directly visible to Volkswagen,
45:07 - 45:10

but they have visibility into this data,
and they know what the data does.
45:10 - 45:12

They have tools to change the data.
45:12 - 45:17

Volkswagen and other companies
can customize this,
45:17 - 45:20

really they cannot just customize it,
45:20 - 45:24

they can change the whole
behaviour of this ECU
45:24 - 45:30

by changing just the data, not the code.
45:30 - 45:34

The ECU really is a small embedded machine
in your car that takes care of the engine,
45:34 - 45:39

it's an Engine Electronic Control Unit,
there are multiple names for it.
45:39 - 45:42

The most important thing that it does is
that it takes sensor input,
45:42 - 45:46

for example the throttle, and then it
applies control to the system.
45:46 - 45:49

For example it calculates the amount of fuel
to inject, the amount of air to inject
45:49 - 45:55

to make the motor running at the speed
you want it to run.
45:55 - 45:57

These days it's much more complicated.
45:57 - 46:02

One important thing the ECU does
these days is emission control.
46:02 - 46:07

This is why we would expect to find the
"cheat code", the code that cheats
46:07 - 46:10

that Volkswagen used to
cheat in the whole thing,
46:10 - 46:13

we would expect to find it in the ECU.
46:13 - 46:17

Now taking a look at
two megabyte firmware binaries
46:17 - 46:20

that doesn't have any visible strings in it,
46:20 - 46:23

it's kind of painful if you're just suscepting
a code analysis.
46:23 - 46:30

So what I did was to do realtime logging.
46:30 - 46:35

You can actually read data from your ECU
by plugging into this OBD-II port
46:35 - 46:37

which is next to your steering wheel.
46:37 - 46:40

And while the engine is running you can
read out certain data.
46:40 - 46:43

Usually you can read out boring data
like RPM, and speed,
46:43 - 46:47

and some things that the
vendor wants you to see.
46:47 - 46:49

But there's also a mode that's
a little bit hidden,
46:49 - 46:51

but you can get pretty easily into it,
46:51 - 46:55

where you can read by address,
where you can just read the whole memory.
46:55 - 46:59

Well, not everything.
Some security data is locked out.
46:59 - 47:03

But the data we are interested in,
we can read that memory.
47:03 - 47:08

Now we still need to understand
where the interesting stuff is.
47:08 - 47:10

We can disassemble the firmware,
and that's all fine.
47:10 - 47:13

We can also get a little help
from something called "A2L files".
47:13 - 47:18

The chip tuners use them extensively
when they change the mappings,
47:18 - 47:21

they want to optimize an engine
for a different goal,
47:21 - 47:25

for example for more power instead of
long lifetime, or something.
47:25 - 47:29

They change things in the ECU firmware.
47:29 - 47:34

They do reverse engineer a lot,
but they also got these files.
47:34 - 47:37

And I'm not sure how they got them,
but they are out there.
47:37 - 47:41

And if you use the right Google terms
you will find them.
47:41 - 47:43

They are specific to each firmware.
47:43 - 47:45

I wasn't able to find one for
my actual firmware
47:45 - 47:50

but I was able to find one for
firmware that is close to mine.
47:50 - 47:53

And if you look into this file,
what you see is the symbol names,
47:53 - 47:55

it's basically a fancy map file.
47:55 - 48:01

You see the symbol names, you see a
mostly German description of that symbol,
48:01 - 48:06

you see a real-use unit, and you see the
adress in memory that we can read at.
48:06 - 48:12

So with the help of these files we can read
out almost any internal state in the ECU.
48:12 - 48:17

We still have to make sense out of that,
but at least we know where the data is
48:17 - 48:20

and what to look for.
48:20 - 48:26

It's surprising how complex an ECU is.
For example, this thing, what does it display?
48:26 - 48:32

Everybody would say it's a function of RPM,
it shows you how fast the engine is running.
48:32 - 48:37

Well, it's not quite the case,
and if we look careful we see that
48:37 - 48:42

this code is post-processing
the RPM signal.
48:42 - 48:47

It's 12 kilobyte of densely written code
that has a lot of internal state
48:47 - 48:50

that tries to make the RPM value,
48:50 - 48:53

convert it to something
that the customer wants to see.
48:53 - 48:57

For example, you want your idle speed
to be stuck at 780, you don't want it to oscillate.
48:57 - 49:01

But in reality it does,
and this code takes away all of that
49:01 - 49:06

and makes it flat 780.
49:06 - 49:10

You realize probably at this point that there
is a lot of cheating that could go on here
49:10 - 49:12

without most people noticing.
49:12 - 49:18

You don't really believe that the speedometer
in your car displays your actual speed, right?
49:18 - 49:22

It displays something related to speed ...
49:23 - 49:25

But let's get back to topic.
49:25 - 49:29

Selective Catalytic Reduction is the process
of, well, if you don't have it
49:29 - 49:34

you get a lot of NOx, of nitrogen oxides
at the end of the exhaust.
49:34 - 49:37

That's bad, you don't want that.
49:37 - 49:42

There is one way of getting rid of this,
is to add an SCR catalyst.
49:42 - 49:46

And the SCR catalyst —
I simplified this a lot,
49:46 - 49:49

you can find a lot more information
about this —
49:49 - 49:57

SCR is a process that reduces the NOx
using something called DEF,
49:57 - 50:01

or AdBlue is a term for it.
It's some fluid that you put in there.
50:04 - 50:07

Basically it's an Urea/water solution.
50:07 - 50:13

And the AdBlue, at a high temperature,
converts to Ammonia
50:13 - 50:16

and then it reacts with the NOx
to nitrogen and water.
50:16 - 50:22

Which is great because that's not
in any way harmful to us.
50:22 - 50:26

However, there's a problem here because
the dosage of the AdBlue needs to be correct
50:26 - 50:29

and it's very hard to do.
50:29 - 50:34

If we dose too little of that
the conversion is not perfect
50:34 - 50:36

and we will still get
a lot of NOx at the output.
50:36 - 50:38

Which is better than not doing anything.
50:38 - 50:42

It's not perfect,
but it's not more harmful than before.
50:42 - 50:45

However, if you put in
too much of the AdBlue
50:45 - 50:50

what you get at the output is ammonia,
and you really don't want that.
50:50 - 50:55

So the primary goal of emission control
is, if you have the SCR system,
50:55 - 50:59

is to eliminate as much
as possible of the NOx
50:59 - 51:03

and minimize the amount of ammonia
that comes out of the exhaust pipe.
51:03 - 51:07

Ammonia is NH3.
51:07 - 51:11

Calculating the right dosage works
with a model again.
51:11 - 51:13

They modeled everything that happens
in the exhaust process,
51:13 - 51:17

they have a model of the catalyst,
they have a model of the internal state,
51:17 - 51:23

they do have a number of sensors and
outputs from the other models
51:23 - 51:25

that tell them a lot of values.
51:25 - 51:30

And the model uses this with a lot of
internal storage, internal state.
51:30 - 51:35

And the model then calculates
the amount of AdBlue to dose
51:35 - 51:43

to convert as much NOx as possible
without leaking any ammonia.
51:43 - 51:47

The way things usually work in an ECU is,
there's one system that controls things
51:47 - 51:50

and there's another system
that monitors things.
51:50 - 51:54

It's independent from the main system,
it tries to be as independent as possible.
51:54 - 51:58

It's still running on the same hardware
but it's not sharing a lot of code.
51:58 - 52:04

There is an efficiency monitoring scheme that,
if the conversion is not good enough anymore,
52:04 - 52:08

it will flag this as an OBD-II error
52:08 - 52:10

and you will see your
"check engine" light going on,
52:10 - 52:14

and then you go to the shop, and the shop
will diagnose your car and will fix this,
52:14 - 52:19

for example if your catalyst is broken.
52:19 - 52:22

Based on the test results we would have
expected this efficiency monitoring
52:22 - 52:27

to actually flag the inefficiencies.
But it didn't.
52:27 - 52:30

It turns out the main model
doesn't always work.
52:30 - 52:34

There are some operating conditions
where the main model is not sufficient,
52:34 - 52:38

it has certain bounds where it works,
and outside of these conditions —
52:38 - 52:45

for example if the engine is too hot or if
the exhaust mass is too large —
52:45 - 52:47

the model doesn't produce
meaningful results.
52:47 - 52:52

It may overdose the AdBlue,
and we don't want that.
52:52 - 52:55

There's an alternative model
which is much, much simpler,
52:55 - 52:58

and takes only a few sensory inputs,
52:58 - 53:02

and doesn't rely on as many variables
to be perfect.
53:02 - 53:05

It will still calculate an AdBlue dosage.
53:05 - 53:10

However, the main goal of this alternative
model is to make the exhaust processing work
53:10 - 53:17

in all situations without ever
overdosing the NH3.
53:17 - 53:23

They're calculating both of these models and
then they are selecting one of the models.
53:23 - 53:26

The output of the selection then controls
the AdBlue dosage,
53:26 - 53:29

the pump that injects the AdBlue
into the exhaust.
53:29 - 53:34

There's code that controls
which of the models to use.
53:34 - 53:39

There's also a statistics model that counts
how often each mode is selected.
53:39 - 53:43

Again, all of this model selection
depends on the data.
53:43 - 53:46

It's code that does the selection
but it depends on a lot of data,
53:46 - 53:49

there are parameters tought of this.
53:49 - 53:52

Let's take a look at the selection criteria
for this alternative model.
53:52 - 53:55

We see that a lot of these parameters
are dummy variables,
53:55 - 53:57

things that can never happen.
53:57 - 54:02

For example, the athmospheric pressure
can't be negative, that can never happen.
54:02 - 54:06

Or the air temperature ...
I hope it's never larger than that,
54:06 - 54:09

or smaller than 0.1K, right?
54:09 - 54:12

However, one thing stuck out,
54:12 - 54:18

and that was a check if the engine condition
is larger than negative temperature.
54:18 - 54:20

Which does not exist,
the temperature is always positive.
54:20 - 54:23

That last one is always true,
54:23 - 54:28

so the model that would be selected would
always be the alternative model.
54:28 - 54:30

That sounded weird and
I was looking at the firmware.
54:30 - 54:35

Maybe I understood it incorrectly,
or maybe I looked at the wrong place
54:35 - 54:38

when looking at these parameters?
54:38 - 54:42

But if we look at the intermediate results
there is a bit at a certain location
54:42 - 54:48

that tells us which model was selected,
and that bit is indeed always set.
54:48 - 54:51

That is weird, it sounds fishy.
54:51 - 54:57

Let's take a look at the statistics,
the car counts what model you're in.
54:57 - 55:00

20% of the cases
my car does not do dosing at all.
55:00 - 55:03

So I drove some time and then
looked at the values.
55:03 - 55:06

And the 20% where it doesn't do anything
is mostly the warm-up cycle.
55:06 - 55:09

But everytime it does something,
it's actually the alternative model
55:09 - 55:15

which we know does underdose NH3
because it doesn't want to leak ammonia.
55:15 - 55:19

And that makes sense because my car
uses much less than expected of the AdBlue.
55:19 - 55:26

The expected value is roughly 2.5 liters
per 1000 kilometers, of the AdBlue.
55:26 - 55:29

In my case it only used 0.6 liters
per 1000 kilometers.
55:29 - 55:32

Which is great for me because I don't have
to refill this tank very often.
55:32 - 55:37

In fact, I never had to do it,
the shop always does it when I'm there.
55:37 - 55:42

But this is fishy,
and let's take a look at this.
55:42 - 55:46

What we also see is that sometimes
the regular model is active,
55:46 - 55:48

so there must be something more.
55:48 - 55:53

If we look at the selection criteria we find
that there's an additional term there
55:53 - 55:55

that I haven't found before.
55:55 - 55:57

There's an additional condition
that has to be true
55:57 - 56:02

in order to go to the alternative model
that underdoses.
56:02 - 56:05

We look at the particular conditions
and we find a lot of stuff
56:05 - 56:08

that is related to diagnostics,
things they can do in the shop.
56:08 - 56:10

So that's definitely not
happening on the street.
56:10 - 56:13

But one of the criteria,
that really was weird
56:13 - 56:19

because it looks if the engine and fuel
temperature is larger than 50°C,
56:19 - 56:24

it looks at the athmospheric pressure
and if it's lower than 750m,
56:24 - 56:26

that must be satisfied.
56:26 - 56:30

If all of these conditions are satisfied
it will move back to the main model
56:30 - 56:34

that does the proper exhaust processing.
And one thing was really weird.
56:34 - 56:36

There were seven curves,
not all of them used,
56:36 - 56:39

that define an upper and a lower bound
56:39 - 56:43

on the distance driven
after a certain amount of time.
56:43 - 56:46

This is how it looks in disassembly.
I'm not sure if you can read this.
56:46 - 56:53

But the comments are from this A2L file
and they call it "acoustic function".
56:53 - 56:55

I'm not sure if this has anything
to do with acoustics.
56:55 - 57:01

I tried to find all the usages, and there
was nothing related to sound or anything.
57:01 - 57:04

I think it's just a name for it.
57:04 - 57:10

Now if we go and take a look at these
upper and lower bounds, we see this:
57:10 - 57:17

These are three curves that are defined,
each of them has an upper and a lower bound.
57:17 - 57:19

It's basically the distance
57:19 - 57:23

that you need to have driven
after a certain amount of time.
57:23 - 57:27

And if you ever fall out of one of these curves
we're switching back to the alternative model
57:27 - 57:31

that underdoses NH3
and causes the inefficiencies.
57:31 - 57:34

This is weird,
and I didn't really know what this is.
57:34 - 57:39

Let's get back to something
completely different, which is the NEDC.
57:39 - 57:43

We've seen this slide before,
the NEDC mandates you how to drive.
57:43 - 57:46

One thing is also interesting:
It mandates you that ...
57:46 - 57:50

You want this test at "cold-start",
and what's better for a cold start
57:50 - 57:55

than heating the car to 20°C
and keep it that warm until you start.
57:55 - 58:03

That's the "cold-start", that's the
cold start as defined in the law: 20°C.
58:03 - 58:10

This is speed over time, so to get
distance over time we need to integrate this.
58:10 - 58:13

And we get this graph.
58:13 - 58:17

And if we overlay what we found in the
firmware we get this.
58:17 - 58:27

audience laughs and applauds
58:27 - 58:32

What we can see here is that if you drive
the driving cycle correctly
58:32 - 58:36

you will exactly be in the bounds
of one of these curves.
58:36 - 58:37

And you can do this on the street,
you can do this everywhere.
58:37 - 58:43

As long as you satisfy the distance over
time and your car is warm enough
58:43 - 58:47

it will detect this in some way.
58:47 - 58:50

Well, you can drive this on a street,
but it's really dangerous
58:50 - 58:53

because you have to follow
a given speed pattern.
58:53 - 58:56

So i did this on a dyno,
I put my laptop in there,
58:56 - 58:59

I logged the data in real-time
and then displayed it.
58:59 - 59:03

Basically, this is what it looks like.
In the middle you see a bar.
59:03 - 59:06

You have to drive and keep this
middle bar in the middle,
59:06 - 59:11

which means you are well within this upper
and lower bound, and not try to escape it.
59:11 - 59:17

And as long as you do, one of the
other green boxes will tell you
59:17 - 59:22

that the car is still detecting this
as being in this cycle.
59:22 - 59:30

Then what I did in the end, I stayed in the
cycle for a while and I logged all the data.
59:30 - 59:32

At the end I would just hit
a constant speed
59:32 - 59:36

which would eventually get me
out of the conditions.
59:36 - 59:40

This is the log that I made.
59:40 - 59:42

On the first graph you see
the vehicle speed,
59:42 - 59:45

you see how I tried to follow the NEDC
more or less successfully.
59:45 - 59:50

On the second graph you see
the distance over time,
59:50 - 59:55

you see that I stay within the bounds
enforced by the firmware.
59:55 - 59:57

You an also see on the third graph—
59:57 - 59:59

this is the actual signal at the AdBlue pump—
59:59 - 60:02

that it actually doses
quite a lot of AdBlue.
60:02 - 60:06

It calculates the amount of AdBlue to dose
based on the model output
60:06 - 60:09

which you see in graph 5 and 6.
60:09 - 60:15

By the way, graph 4 is the actual NOx
emitted by the engine based on their model.
60:15 - 60:21

That's the RML, their mission model then
calculates the amout of the dosing to happen.
60:21 - 60:26

As we see, as long as we stay within the
limits enforced that match the NEDC
60:26 - 60:30

everthing is good
and a lot of AdBlue is dosed.
60:30 - 60:33

And then, in the end, I drove too fast.
60:33 - 60:36

And you can see in the second graph
that I crossed the upper bar,
60:36 - 60:38

the blue line goes
over the red line, right?
60:38 - 60:41

You can see that the car
immediately detects this,
60:41 - 60:45

that I'm no longer in the driving cycle.
60:45 - 60:52

The interesting part you see here is the
effect on the AdBlue dosing, which is here.
60:52 - 60:58

It immediately stops doing the dosing.
And you can see in the model below
60:58 - 61:02

the model still calculates that
AdBlue should be dosed.
61:02 - 61:05

But after they have the max,
after they switch the model
61:05 - 61:09

and switch to the alternative model,
the alternative model just outputs zeroes,
61:09 - 61:12

it doesn't dose anything.
61:12 - 61:14

This shows that when we're
following the cycle
61:14 - 61:18

everything is fine,
enough Urea is dosed,
61:18 - 61:25

and then once we leave the cycle,
there's a severe reduction in the dosing.
61:25 - 61:27

And it's all based on
detecting this driving cycle.
61:27 - 61:29

Two more slides.
A: Two more slides.
61:29 - 61:32

F: Two more slides.
A: Two more slides, here we go!
61:32 - 61:38

audience laughs and applauds
61:38 - 61:41

I have to be clear
on the limitations here.
61:41 - 61:44

All of this was looking at
disassembled code and so on,
61:44 - 61:48

I could have done something wrong here,
so take this with a grain of salt.
61:48 - 61:51

We couldn't do NOx measurements
on the dyno, unfortunately.
61:51 - 61:56

And I have to stress: We looked at one
particular car that uses SCR processing,
61:56 - 61:58

not all of the affected cars are doing this,
61:58 - 62:00

there are some other
mechanisms in the other cars.
62:00 - 62:03

And I looked at a car
for the German market,
62:03 - 62:06

at least the curves have to be different
for the other markets.
62:06 - 62:11

Let's reenumerate the results—
and this is my last slide.
62:11 - 62:17

Most of the time, on a regular car,
a nonstandard treatment mode is active
62:17 - 62:21

that is not as efficient
as the real mode that is implemented.
62:21 - 62:23

We can show the code
that is responsible for this:
62:23 - 62:26

This is this negative temperature limit
that they look at
62:26 - 62:30

which doesn't make any sense and
always selects the alternative mode.
62:30 - 62:33

And we can see, in the logs,
the state selection bit,
62:33 - 62:38

we can see the counters that count
that the alternative model is active.
62:38 - 62:42

We can see that there's an AdBlue
underdosing in this state
62:42 - 62:45

which causes the inefficient
NOx conversions,
62:45 - 62:50

that's what we've seen before when
people put the car on the dyno.
62:50 - 62:53

We know that the efficiency checks
are only enabled in the main mode
62:53 - 62:57

and the car does exceed the limits.
62:57 - 63:03

This shows how the alternate model is
selected where it doses too little AdBlue
63:03 - 63:07

and causes the inefficient conversion.
63:07 - 63:10

We can see that if we
follow the driving cylce,
63:10 - 63:12

the minimum temperature and
the distance over time,
63:12 - 63:15

we will see that it switches
to the main model
63:15 - 63:18

that should have been active
all the time.
63:18 - 63:20

We can show the code
that's responsible for that,
63:20 - 63:24

the driving cycle detection that uses
the upper bound and the lower bound.
63:24 - 63:29

We can extract the exact limits, overlay
the NEDC data and see that there's a match.
63:29 - 63:34

We can, if we do this actually on a dyno,
we can see how it switches the SCR state.
63:34 - 63:37

We can show the effect on the DEF dosing,
on the AdBlue dosing.
63:37 - 63:41

As you've seen on the slide before,
as soon as we switch out of the driving cycle
63:41 - 63:48

into the street mode,
the dosing will get close to zero.
63:48 - 63:51

Once you're back in the main model
all the efficiency checks are enabled,
63:51 - 63:55

for example to take better Urea.
63:55 - 63:57

So the efficiency checks are there,
but they are not active
63:57 - 64:01

because the car is forced to run
in the alternative model.
64:01 - 64:05

These results are all in line
with the Volkswagen press releases.
64:05 - 64:08

These are basically just the details
as extracted from the firmware
64:08 - 64:10

to show you the background.
64:10 - 64:12

Thank you.
64:12 - 64:16

audience applauds
64:16 - 64:20

A: Wow!
Thank you very much, Daniel and Felix.
64:20 - 64:36

audience applauds
64:38 - 64:40

I'm really sorry,
but we have to clear the stage.
64:40 - 64:43

There is not going to be time
for the Q&A session.
64:43 - 64:47

Do that down there. I'm sure that a few
people just come down,
64:47 - 64:50

grab you and ask questions.
Unfortunately, we can't do that.
64:50 - 64:54

I have to close it in exactly four seconds
over here because we have to go off the stream.
64:54 - 64:58

Thank you very much Felix,
thank you very much Daniel.
64:58 - 65:03

F: Thank you.
65:03 - 65:06

♪ postroll music ♪
65:06 - 65:11

subtitles created by c3subtitles.de
Join, and help us!

Title:: Daniel Lange (DLange), Felix "tmbinc" Domke: The exhaust emissions scandal („Dieselgate“)
Description:: more » « less
Video Language:: English
Duration:: 01:05:11

	C3Subtitles edited English subtitles for Daniel Lange (DLange), Felix "tmbinc" Domke: The exhaust emissions scandal („Dieselgate“)
	Patrick edited English subtitles for Daniel Lange (DLange), Felix "tmbinc" Domke: The exhaust emissions scandal („Dieselgate“)
	fritten edited English subtitles for Daniel Lange (DLange), Felix "tmbinc" Domke: The exhaust emissions scandal („Dieselgate“)
	fritten edited English subtitles for Daniel Lange (DLange), Felix "tmbinc" Domke: The exhaust emissions scandal („Dieselgate“)
	fritten edited English subtitles for Daniel Lange (DLange), Felix "tmbinc" Domke: The exhaust emissions scandal („Dieselgate“)
	fritten edited English subtitles for Daniel Lange (DLange), Felix "tmbinc" Domke: The exhaust emissions scandal („Dieselgate“)
	takimata edited English subtitles for Daniel Lange (DLange), Felix "tmbinc" Domke: The exhaust emissions scandal („Dieselgate“)
	takimata edited English subtitles for Daniel Lange (DLange), Felix "tmbinc" Domke: The exhaust emissions scandal („Dieselgate“)

Show all

English subtitles

Revisions

Revision 14 Edited

C3Subtitles

Daniel Lange (DLange), Felix "tmbinc" Domke: The exhaust emissions scandal („Dieselgate“)

Revisions

Our website uses cookies

Operating cookies (Required)