How to Straighten up a Car's "Brains"


The ECU (Electronic Control Unit) of a modern racing car is a microcontroller that implements fine-grained control of all of the car's systems. An operating system runs inside the ECU; it takes readings from various sensors and issues control commands according to a configured profile. The owner can change the profile settings, but in the basic versions of their hardware the ECU developers usually lock out some of the functions that would let the car's systems reach maximum efficiency. The goal of our research was to gain access to all of the ECU's settings and unlock its full potential.


  1. How to Straighten up a Car's "Brains"
     Kirill Ermakov, Dmitry Sklyarov
     Department for Advanced Developments, Positive Technologies
     Positive Hack Days III, May 23-24, 2013
  2. Engine Control Units (ECUs)
  3. Factory Engine Control Units (ECUs)
     How they operate:
     ― Read values from a multitude of sensors
     ― Interpret the data using multidimensional performance maps (called look-up tables)
     ― Electronically control a series of actuators on an internal combustion engine to ensure optimum running
     Features:
     ― Installed by car manufacturers
     ― Calibrated at the factory
     ― Tuning parameters are usually not available for adjustment
  4. Programmable ECUs
     Features:
     ― Engine tuner can connect the ECU to a PC
     ― Adjustments can be made with tuning software
     ― On-board data logging
     Also allows control of:
     ― Traction
     ― Boost
     ― Other equipment (servo motors, pumps, fans, …)
     [Diagram: ECU inputs (ref & sync trigger, temperature inputs, voltage inputs, lambda sensor inputs, digital inputs), sensor power supply, power and communications, and outputs (fuel injector drivers, ignition drivers, auxiliary outputs)]
  5. Sample ECU wiring
  6. Experimental ECU
     Features:
     ― Controller Area Network (CAN) bus interface
     ― USB to CAN adapter
     ― ECU Manager software for Windows
     ― Upgradable firmware in “Intel HEX”-like format
     ― Motorola 68xxx-compatible CPU
     ― Some useful features are disabled in the basic version of the ECU
       • Fortunately an “Enable ECU Options…” menu item exists :-)
       • But it asks for a password :-(
     ― The full-featured ECU is nearly 3 times more expensive than the Basic one
  7. Digging into the problem
  8. Analyzing ECU Manager software
     ― ECU Manager is a C++ Builder application with a sophisticated class hierarchy (static analysis is difficult)
     ― Client-side ECU Access Password verification (easy to bypass with a kiddie bit-hack)
     ― Passwords needed for enabling ECU features are sent to the ECU and verified in firmware
  9. Sniffing and logging USB traffic
     ― Simple protocol, no encryption
     ― Packet layout is recoverable by visual log analysis
     Packet layout (header fields, then payload):
       prefix
       len     - header length
       cmd     - command ID
       dir     - direction (2: snd, 3: rcv)
       args    - command arguments (e.g. offset/length of payload)
       seq     - sequential packet number
       CRC     - CRC-16 of the packet header
       payload
  10. Analyzing USB traffic
     ― “Enable Feature” password is transferred as a “Write” request
     ― Wrong passwords are not written (an error is returned)
     ― The ECU switches between “Firmware” and “Loader” states during a firmware update
     ID   Command action   Command arguments
     0x0  Initialize       00
     0x3  Write memory     <offset> <length> <region ID>
     0x4  Read memory      <offset> <length> <region ID>
     0x6  ???              4B 00 00 00 48 80 00 00 01 00 00 00
     0xA  Switch state     40 00 00 00 <state name>
     0xF  Reset            -
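The packet layout and command table above are enough to write a decoder for a captured USB log, which is how an analyst confirms a reconstructed protocol and, on the defensive side, audits what a tuning tool actually sent to a controller. The following is an added example, not the authors' tool or any vendor code. The slides give only the field order (prefix, len, cmd, dir, args, seq, CRC, payload), the direction codes and the command IDs; the field widths, big-endian byte order, the prefix value 0x55, the 12-byte argument block and the CRC-16 variant (CRC-16/CCITT-FALSE) are assumptions made here for the example.

```python
"""Decoder for the ECU Manager <-> ECU packet layout recovered from the USB
logs in the talk.  Added example, not the authors' tool.  The slides give the
field order (prefix, len, cmd, dir, args, seq, CRC, payload), the direction
codes (2: snd, 3: rcv) and the command table; the field widths, byte order,
prefix value and CRC-16 variant (CRC-16/CCITT-FALSE) are assumptions made here.
"""
import struct

PREFIX = 0x55        # assumed magic byte
HEADER_LEN = 20      # assumed: prefix(1) len(1) cmd(1) dir(1) args(12) seq(2) crc(2)
HEADER_FMT = ">BBBB12sHH"

COMMANDS = {0x0: "Initialize", 0x3: "Write memory", 0x4: "Read memory",
            0x6: "Unknown", 0xA: "Switch state", 0xF: "Reset"}
DIRECTIONS = {2: "snd", 3: "rcv"}
MEMORY_COMMANDS = (0x3, 0x4)


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection (assumed variant)."""
    crc = 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def mem_args(offset: int, length: int, region_id: int) -> bytes:
    """Argument block for Read/Write memory: three 32-bit big-endian words (assumed encoding)."""
    return struct.pack(">III", offset, length, region_id)


def state_args(state: str) -> bytes:
    """Argument block for Switch state: 40 00 00 00 followed by the state name (padding assumed)."""
    return b"\x40\x00\x00\x00" + state.encode("ascii").ljust(8, b"\x00")


def build_packet(cmd: int, direction: int, args_raw: bytes, seq: int, payload: bytes = b"") -> bytes:
    """Assemble one frame: header, CRC-16 over the header, then the payload."""
    if len(args_raw) != 12:
        raise ValueError("args block must be 12 bytes")
    body = struct.pack(">BBBB12sH", PREFIX, HEADER_LEN, cmd, direction, args_raw, seq)
    return body + struct.pack(">H", crc16_ccitt(body)) + payload


def parse_packet(frame: bytes) -> dict:
    """Decode one frame; raises ValueError if the header is inconsistent or its CRC does not match."""
    if len(frame) < HEADER_LEN:
        raise ValueError("truncated header")
    prefix, hlen, cmd, direction, args_raw, seq, crc = struct.unpack(HEADER_FMT, frame[:HEADER_LEN])
    if prefix != PREFIX or hlen != HEADER_LEN:
        raise ValueError(f"bad prefix {prefix:#04x} or header length {hlen}")
    expected = crc16_ccitt(frame[:HEADER_LEN - 2])     # CRC covers the header up to the CRC field
    if crc != expected:
        raise ValueError(f"header CRC mismatch: got {crc:#06x}, expected {expected:#06x}")
    payload = frame[hlen:]
    pkt = {"command": COMMANDS.get(cmd, f"cmd {cmd:#x}"),
           "direction": DIRECTIONS.get(direction, f"dir {direction}"),
           "seq": seq, "args": args_raw, "payload": payload}
    if cmd in MEMORY_COMMANDS:
        pkt["offset"], pkt["length"], pkt["region"] = struct.unpack(">III", args_raw)
        # a Write request and a Read response carry data; its size must match the length argument
        if payload and len(payload) != pkt["length"]:
            raise ValueError(f"payload is {len(payload)} bytes but length argument is {pkt['length']}")
    elif cmd == 0xA:
        pkt["state"] = args_raw[4:].rstrip(b"\x00").decode("ascii", "replace")
    return pkt


def header_ok(frame: bytes) -> bool:
    """True if the frame parses and its header CRC checks out."""
    try:
        parse_packet(frame)
        return True
    except ValueError:
        return False


def writes_to(frames, lo: int, hi: int):
    """Return (seq, offset) of every host->ECU Write memory request whose offset lies in [lo, hi)."""
    hits = []
    for frame in frames:
        p = parse_packet(frame)
        if p["command"] == "Write memory" and p["direction"] == "snd" and "offset" in p and lo <= p["offset"] < hi:
            hits.append((p["seq"], p["offset"]))
    return hits


if __name__ == "__main__":
    # constructed frames standing in for a USB capture
    log = [build_packet(0x3, 2, mem_args(0x4000, 4, 0), 7, b"\xde\xad\xbe\xef"),
           build_packet(0x4, 2, mem_args(0x70000, 16, 0), 9),
           build_packet(0xA, 2, state_args("Loader"), 8)]
    for f in log:
        print(parse_packet(f))
    print("writes into the password block:", writes_to(log, 0x4000, 0x4200))
```

`writes_to` is the audit query an analyst runs over a whole capture: given the address of a sensitive block (the 0x4000-0x4200 password cells described on the next slide), it lists which requests touched it, which is also the kind of check a controller's own loader could log or refuse.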
  11. ECU memory layout
     Reading data from region 0x3E00-0x4000 returns only 0xFF’s (both through Loader and Firmware)
     Address, length      Content                     Memory type
     0x00000000, 0x23B4   Loader                      ROM
     0x00003E00, 0x200    Secret constants            ROM, read prohibited
     0x00004000, 0x200    Feature-enable passwords    Flash, verified before write
     0x00060000, 0xFDEA   All 0x00                    Flash, FW-upgradeable
     0x00070000, 0x7914   Default configuration data  Flash, FW-upgradeable
     0x00400000, 0x3E036  Main firmware               Flash, FW-upgradeable
  12. Analyzing and hacking ECU firmware
     ― Writing DWORDs into 0x4000-0x4200 requires verification based on the Secret constants (stored in 0x3E00-0x4000)
     ― The verification algorithm is identifiable by its many EOR (exclusive OR) instructions, which are rarely used in automotive functions ;-)
     ― We could modify the firmware and upload it to the ECU to allow reading the Secret table!
     ― After obtaining the Secret table it is easy to reproduce the verification algorithm and calculate the password for any feature
  13. Beware of the Dead End
     ― Any ECU feature can be enabled just by providing the calculated password through the ECU Manager software
     ― Some features MUST NOT be enabled simultaneously!
     ― If they are, the ECU locks in Loader state and seems totally “bricked”
     ― It is still possible to upload a Firmware Update, but that does not help
     ― We had several nasty hours after putting our ECU in this state…
  14. Life is beautiful [again] ;-)
     Accessing the password cell:
     ― Can’t write a wrong DWORD (due to verification in Loader)
     ― Can write 8 bytes (verification is performed only for DWORDs)
     Writing to Flash memory:
     ― It is easy to change an arbitrary bit from ‘1’ to ‘0’
     ― But not vice versa
     ― It is possible to set bits to ‘1’ by erasing a flash block
     ― After that, just enable all necessary features
     [Chart: value of device ($K), axis 0 to 10]
  15. Conclusion
     General thoughts:
     ― XOR is not needed in table look-ups. Using it in a protection algorithm is not a smart approach
     ― The ability to run crafted code on the device makes all protection useless
     ― It is a good idea to digitally sign Firmware updates and check the signature in the Loader
     But, anyway:
     ― Nobody cares about such things in the automotive industry! ;-)
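The conclusion's point that a loader should check what it flashes can be made concrete with the two facts the talk gives about this ECU: updates arrive in an "Intel HEX"-like format (slide 6) and the memory map (slide 11) says which regions are firmware-upgradeable. The following is an added example, not the authors' or the vendor's code. It assumes the update format is standard Intel HEX (record types 00, 01 and 04) and treats the region table from slide 11 as the loader's write policy; the sample images are constructed, not real ECU firmware.

```python
"""Loader-side checks on a firmware update image before it is flashed.
Added example, not the authors' or the ECU vendor's code.  It assumes the
ECU's "Intel HEX-like" update format is standard Intel HEX (record types
00 data, 01 EOF, 04 extended linear address) and uses the memory layout from
the talk to decide which target addresses an update may legitimately touch.
"""

# Memory layout from the talk: (base address, length, name, firmware-upgradeable?)
REGIONS = [
    (0x00000000, 0x23B4,  "Loader",                     False),
    (0x00003E00, 0x200,   "Secret constants",           False),
    (0x00004000, 0x200,   "Feature-enable passwords",   False),
    (0x00060000, 0xFDEA,  "All 0x00",                   True),
    (0x00070000, 0x7914,  "Default configuration data", True),
    (0x00400000, 0x3E036, "Main firmware",              True),
]


def region_for(addr: int):
    """Return (name, upgradeable) of the region containing addr, or (None, False) if unmapped."""
    for base, size, name, upgradeable in REGIONS:
        if base <= addr < base + size:
            return name, upgradeable
    return None, False


def parse_ihex(text: str):
    """Parse Intel HEX into a list of (absolute address, data) segments.
    Every record's two's-complement checksum is verified; a bad record raises ValueError."""
    base = 0
    segments = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":") or len(line) < 11 or len(line) % 2 == 0:
            raise ValueError(f"line {lineno}: malformed record")
        raw = bytes.fromhex(line[1:])
        length, addr, rtype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
        data = raw[4:-1]
        if len(data) != length:
            raise ValueError(f"line {lineno}: length field {length} but {len(data)} data bytes")
        if sum(raw) & 0xFF:             # all bytes including the checksum must sum to 0 mod 256
            raise ValueError(f"line {lineno}: checksum mismatch")
        if rtype == 0x00:
            segments.append((base + addr, data))
        elif rtype == 0x01:
            return segments
        elif rtype == 0x04:
            if length != 2:
                raise ValueError(f"line {lineno}: bad extended linear address record")
            base = int.from_bytes(data, "big") << 16
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:#04x}")
    raise ValueError("missing EOF record")


def check_update_targets(segments):
    """Return (address, region name, problem) for every segment a loader should refuse:
    outside the known map, inside a region that is not FW-upgradeable, or spanning two regions."""
    problems = []
    for addr, data in segments:
        first, upgradeable = region_for(addr)
        last, _ = region_for(addr + len(data) - 1)
        if first is None:
            problems.append((addr, "unmapped", "outside known memory"))
        elif not upgradeable:
            problems.append((addr, first, "region is not firmware-upgradeable"))
        elif last != first:
            problems.append((addr, first, "segment crosses a region boundary"))
    return problems


def image_is_acceptable(text: str) -> bool:
    """True only if every record parses with a valid checksum and every target is allowed."""
    try:
        return not check_update_targets(parse_ihex(text))
    except ValueError:
        return False


# Constructed sample images (not real ECU firmware)
SAMPLE_OK = "\n".join([
    ":020000040040BA",      # extended linear address: base 0x00400000
    ":0400000001020304F2",  # 4 data bytes at 0x00400000 (Main firmware)
    ":00000001FF",          # EOF
])
SAMPLE_BAD_TARGET = "\n".join([
    ":020000040000FA",      # base 0x00000000
    ":04400000AABBCCDDAE",  # 4 bytes at 0x4000: the Feature-enable passwords block
    ":00000001FF",
])

if __name__ == "__main__":
    for name, img in (("ok", SAMPLE_OK), ("bad target", SAMPLE_BAD_TARGET)):
        print(name, parse_ihex(img), check_update_targets(parse_ihex(img)))
```

The record checksum only catches corruption in transit: anyone producing an image can recompute it, and the target-region policy is only as strong as the loader that enforces it. That is exactly why the last slide asks for digitally signed updates whose signature is verified in the Loader; that public-key check is not modelled here.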
  16. That’s all
     Thanks for your attention
     Kirill Ermakov, Dmitry Sklyarov
     Department for Advanced Developments, Positive Technologies
     And special thanks to A.Raspopov and A.Tlyapov