All right, so to start this off officially, Ben Gardiner and Chris Poore are here to talk to you about Trailer Shouting. Please help me welcome them to the stage. That's going to be needed. Thank you very much.

So yeah, Chris and I are here to talk to you about some research that we have done together with NMFTA and AIS. Should be 45 minutes, I hope. We are going to end... yeah, it's definitely going to be 45 minutes. We're going to end with a demo video. So they said that actually trying to do this remote induction attack on stage in this RF environment was a bad idea. They're probably right. So you'll see a video instead. First about us: I'm Ben Gardiner with the National Motor Freight Traffic Association. I'm a cybersecurity research engineer there. I have a career in reverse engineering and embedded systems development. I like to volunteer at various things and I've had the pleasure of being an instructor at the CyberTruck Challenge every year. And this is Chris Poore.

Hi, I'm Chris Poore, senior reverse engineer at Assured Information Security. My company does a lot of things, but one of them is working with people like Ben here to find vulnerabilities and come up with mitigations for those. You may have seen me yesterday at the demo labs showing off FISSURE, the RF framework. Some of the tools in this talk are included with that software, so check it out at my company's GitHub page if you get a chance.

And it goes without saying that, you know, Chris and I are just the lucky two people that are up here on stage. We're part of a much larger team. I actually see one of them in the audience, so Dan Salome right there. Eric Thayer is on our team. We had some anonymous people as well help us out, and of course what we've done would not have been possible without the member fleets, the people that own the trucks that are members of the NMFTA. So big thanks to them. So we're here to tell you about an issue with J2497, also known as PLC for Trucks.
And for you to understand the issue, you have to know what this PLC for Trucks is. The PLC that we're talking about is not programmable logic controllers. It's the other PLC: it's power line communications. This technology dates all the way back to the 1950s, when it was introduced as ripple control, and has been applied all over the place since then. You can see a chart here from Xavier Carcelle that has a survey of a bunch of different types of technologies. Today, you might be most familiar with power line carrier when you're dealing with HomePlug. If you have ever installed Ethernet adapters that plug into your AC mains and extend your Ethernet network, that's HomePlug. HomePlug is also found in the Combined Charging System for plug-in electric vehicles, and that's a reduced subset called HomePlug Green PHY. That technology was actually produced originally by Intellon, which was bought by Atheros and then was bought by Qualcomm. And you can see there's a whole bunch of Intellon in this power line carrier chart from Xavier Carcelle. This talk, though, is really about a different Intellon technology. They made it in the SSC P485. And PLC for Trucks has been around for 30 years, so it kind of fits into the chart right there. It has some similarities with the CEBus technology that you can see pictured: similar frequency ranges, but the signaling is slightly different. And this talk is not about HPGP or HomePlug. It's about this weird PLC for Trucks technology. The reason we have it is actually that you needed to send trailer fault data from the trailer up into the tractor and the fleets wouldn't accept any more connectors. So they added power line carrier onto the existing 12-volt line to send that data over to you. PLC for Trucks was implemented as a spread spectrum technology. You can see we're showing you where it sits in the spectrum, which is down in the 100 to 400 kilohertz range.
It's much wider than a lot of the other power line carrier technologies that are out there. It was developed to be sort of a bridge for UART. So as an analogy, when you bridge Ethernet, you're obviously putting Ethernet over power lines. This technology is like UART over power lines on trucks. The chirps go up and down in frequency and they last about, you know, 400 microseconds each, but they get put together into larger millisecond messages. And if you see it on your spectrogram, you might see these horizontal lines, because it's a spread spectrum technology that's short in time. And that's a waterfall plot there on top of that chart. The signaling is actually pretty clever. It has a different preamble and a different body. In the preamble, it uses amplitude shift keying, and then it switches over to phase shift keying in the body, using the same chirps with slightly different timings. And there's a lot of kind of interesting design decisions that are put in here. And most of them were made for this reason: to make it wire compatible with the technology that predates it, called J1708. So they made this chip, the SSC P485, that's a bi-directional bridge. If it receives J1708 messages, it wraps them in additional information for the preamble and these signalings that you can kind of see highlighted on the outsides of the message on the bottom here. And if it receives that on the power line, it does the reverse. It creates the J1708 message in response. So it's this bi-directional transparent link that kind of bridges the J1708 UART technology over the power line. So another J standard that you need to understand, sorry, is J1708. What is this thing? 1708 predates J1939, which would be the normal way that you would deal with communications on trucks today. J1708 was introduced for really the same reason that CAN was introduced: it's to move time-varying signals around the vehicle.
So they would pack the data into small fields and move them in smaller frames so they could have just two wires instead of one wire per signal, right? So a lot of 1708 is actually encoded in J1587 messages, which is like the application layer that defines exactly how everything is packed together. So by analogy, you can kind of think of J1587 as the data standard, like J1939 is on top of CAN. But here, you can put J1587 on top of J2497 or you can put it on top of J1708. So 2497 is just like an alternative transport for J1587. Now 1587 has more than just the time-varying messages that it was intended for during mission time. All the diagnostics are put in there also. And there are data link escape messages that people use for doing their diagnostics. And 2497 adds one other thing, which is a dynamic address claim for the MIDs, which makes it a little bit different. So that's kind of our crash course on J2497 and J1708. There are a lot of other details in the previous talks that Chris and I have done, as well as in Dan Salome's talk on 1708 that you can find on the media server. So this technology was introduced, as I said, to move the fault information from the trailer to the tractor. But it didn't come without a little bit of funny business. And we'll talk to you about the patents that surround this technology. Back in the 1990s, NHTSA had been telling the fleets for some time that they were going to require that the trailer fault information was displayed on the dash of the truck. And they knew this was coming. And so the industry actually worked together to select how they would do this without adding another connector, because the fleets said they couldn't have another connector added between the tractor and the trailer. And they actually settled on this technology, PLC for Trucks. And you can see the quote here that it was selected because it was generic and wouldn't have any licensing.
But surprise, unfortunately, the next year SAE actually withdrew its blessing of J2497, because there was someone that was in the meetings and filing patents around what they had been hearing in the development of these technologies. So eventually what happened is everyone that was involved did end up paying licensing fees to the individual that held the patent, including the company that bought his company, since the licensing had to be done to the individual. And that was a bit of a surprise too. And SAE did eventually issue the draft anyways for J2497, despite the patents. I was told that at one meeting, this individual walked in and was given an award for J2497 and then asked to leave the room, which is kind of funny. And this part is disputed, but I've also been told that the reason we read those IP disclosure and patent statements, and I see some SAE people in the room, we read those every single time because of what happened with J2497. So let me tell you a little bit about what we've discovered, now that you know what this technology is. Previously, Chris and I in 2019 told everyone that you can read 2497 from a distance of about six to eight feet with active antennas. Since then, Chris has improved some of the receiver antennas and got those green ones working. And I hope you tell people about the other thing down the road. Today, we're happy to tell you that not only can you read this traffic, you can also write it. So it's possible to write it. The distances and the powers involved vary. And I'll tell you a little bit about that. When we were dealing with CISA to get the CVE allocated and to do this disclosure process, one of the things that was kind of difficult was they need to do a categorization of CVEs, like they have to put a CWE against the CVE. But there really isn't a common weakness for inducing RF messages.
And the closest thing they could come up with is this improper protection against EMFI, which is electromagnetic fault injection protections, which is something that you might assign to, like, a microprocessor that isn't guarded against fault injection. Hence the title of the talk, Trailer Shouting, which is a nod to the amazing Colin O'Flynn. And then finally, there was other research that's been put out about HPGP, which is that Combined Charging System technology that we talked about earlier from Intellon. Back in 2019, when we said you could read the technology, the PLC for Trucks, remotely, Martinovic and Baker from Oxford University put out research saying that, yeah, you can actually read HPGP remotely from charging stations. And roughly at about the same time that we did our coordinated disclosure for this remote write, they also put out another paper called Broken Wire, which shows that they can interrupt the HPGP charging sessions. The big difference between the research that they released this year and ours is that we're writing valid J2497 messages onto the bus. We're not interrupting the communication. We can create brand new valid messages. So this is how our testing works. We set up this antenna next to the trailer at varying distances. We start close. We play something we call the Unichuff signal, which is a recording of all the possible solenoid test commands, which are diagnostic commands. And I'll tell you more about that. And we play them in a loop, and we dial up the power until we can hear the trailer brakes clicking. We can hear the solenoid test. And then we know we've confirmed that the trailer equipment has received that signal. The tables here are a little bit weird and they don't line up. You'll notice that the minimum power for a distance kind of caps out at different numbers unpredictably. And this is because I had a really bad habit of blowing up the power amplifiers we were using to test. And they just wouldn't work.
And we would look down and say, what's going on? And then we would notice that the test was invalidated at various points. And that's why it's, you know, 50 here and 45 in the other location. So yeah, I had a bad habit of breaking things. But you can see that on the left here, we have a dry van with metal decking. And it is possible to actually induce messages on dry vans with metal decking. There is no table for dry vans with wood decking because we found that we weren't able to get signals induced at any power level, even for close distances. So that change from wood decking to metal decking seems to make the equipment more susceptible to the induction of the messages. The one in the middle is tests on a tanker. And this is really the most unfortunate situation. For, you know, about $100 US, you can put out 12 watts at these frequencies. And that is enough power in our test to get you from 12 feet away from the trailer to successfully induce the messages. So for tankers, it's particularly bad. And then the third table on your far right is when we took dry van trailers with wood decking, but extended them into a triple road train. And once they're in this triple road train configuration, then we find that they are once again susceptible. But the costs involved end up being much higher than in the tanker case. We estimate, you know, upwards of $10,000 for the kinds of power amplifiers that are required to accomplish the successful induction. So we had two CVEs issued. The first is the fact that you can induce the messages. The other is sort of this otherwise non-issue: the diagnostic software that's implemented in all these trailer ECU controllers has no authentication or authorization. So you can just send the correct byte sequence at it without any back-and-forth challenge response or anything, really, even a password. And it'll just respond. And if you think about it, you know, the era where this software really comes from is sort of the 80s.
The SSC P485 was created as a bridge between existing J1708 and the new J2497. So people were able to just forward-port their firmware and stick the chip in front of it. So we're dealing with, you know, diagnostic software that predates 2497 itself. And it would be unreasonable to expect that it would have authorization and authentication. It's the era of PEEKs and POKEs. But when you combine the fact that you can create these messages with RF and that there's no authentication or authorization, that's when you get this problem. So Chris, I hope you're going to help fill in the blanks on some of what's happening with this RF black magic.

So let's try to go over some of the voodoo that we're doing to these trailers and navigate the RF black magic that's going on in the background. When they first told me about this idea, I thought there's no way you're going to be able to get a meaningful signal on that wire at those low frequencies in such wide bandwidths. I didn't think it was possible. It was such a complicated signal too. But I decided to let it play through, and we did the testing, and we ended up getting it to work. But there were a lot of things that didn't work. We went through and we tried all types of antenna configurations. We found that loop antennas weren't that effective. We tried making our own loading coils by taping a couple of buckets together and just wrapping wire around it. That didn't work for us. We tried rolling out our own ground planes along the length of the trailer using screen-door-type material, and not so much. And then someone suggested that we try using the signal that's produced from a modified TruckDuck using the GPIO pins. And that's not really a good idea. You shouldn't do it, because that signal is much lower quality compared to the real thing. It just doesn't really compare. Then, as Ben mentioned, we had the habit of breaking the power amplifiers. You can only imagine the joy of going across the country.
And then within, like, the first 10 minutes of testing you break the power amplifier accidentally. I hope, yes. But what does work? Surprisingly, the FL2K dongle worked for us. For those of you that don't know, it's a USB to VGA adapter that can be used as an SDR. And surprisingly, it provides more output power at those low frequencies than a lot of the SDRs that you'll see. And it's much cheaper, especially with prices going up these days. So in the picture there, you see the FL2K plugged into a small five-watt amplifier going into a balun and a couple of wire antennas connected to that. And we found that lengthy wire runs placed parallel to the trailer produced the best results for us. We recently updated our gr-j2497 code that's found on my company's GitHub page there. Before, it only did receive, but now we've put in transmit capabilities. So if you're using an FL2K or a HackRF, you can transmit directly at those frequencies. Or if you have a different SDR that doesn't go that low, you can use a downconverter, and you might have to amplify the signal coming out of the downconverter. But what's really going on in that wire? What makes the chip understand our signals as we transmit onto it? There are a couple of things working in our favor. For one, there's a lack of differential signaling going on. It's just one wire and ground. It's not like there are two wires going along the length of the trailer. And then there's the resonance effect that Ben was mentioning, where doubles and triples may behave as better antennas than just, you know, a single trailer. Then there's the high sensitivity of the chips themselves. I mean, typically they work on the order of volts peak-to-peak, these messages, but we can induce a signal and it gets interpreted as low as a few millivolts, which is great if you're trying to inject something onto a wire. And then there are other theories that we're thinking about, about why it's doing this.
And one could be that it's getting onto the ground better than it is the wire, and the chip only cares about the difference. So our signal could be stronger on the ground, for all we know. So we were able to do it, despite my earlier doubts: things like the low frequency, the wide relative bandwidth, it's all near field at these distances and frequencies. The trailers, the wires, they're not comparable to the wavelengths that we're trying to work with here. So they make for bad transmit and receive antennas, but it's still good enough to work. And then there could be reflections going on and impedance mismatches. It's not meant for RF. And the chirp frequencies go from 100 to 400 kilohertz, and there's a big difference between 100 and 400 kilohertz in terms of wavelength. So certain frequencies might be transmitted and received better than others. And I've also seen, just by traveling down the highway, I've taken my receive antenna in the passenger seat, held it up to the window, and I could see that certain trailers transmit the signals naturally better than others, based on the configurations of the wires and the metal in the trailer. I've seen some cables tucked away in, like, metal tubing and you can't really get much from the signal. So it depends on the trailer configuration. And then you've got to manage your amplifier harmonics and signal conditioning challenges, which will come up when you're trying to transmit. Now Ben will give you a timeline about how we discovered all this and went through it. Ben.

Thanks, Chris. Yeah, we've actually been at this for a while, since 2019. We started, and as you know, we did disclose that you could read this stuff back at DEF CON Safe Mode. But in 2019 we were actually doing some testing. And we did start the public disclosure process about remote read. At the time, we also had results that did suggest that you could do remote write.
But we couldn't actually confirm that our testing method at that time wasn't due to galvanic coupling, which means that, so, we had an oscilloscope that was plugged into the mains power. And we had a signal generator that was plugged into the mains power. And we couldn't discount the possibility that the signal was actually traveling through the ground and/or mains lines, you know, from the signal generator to the oscilloscope, and that it wasn't being induced. And that was, you know, true. So we did set out to then test this to make sure there was no galvanic coupling. But of course, the pandemic happened and got in the way of our darn testing schedule. But that's okay, there are more important things happening. Thanks to our member fleets and some anonymous equipment suppliers, though, we did manage to complete a gauntlet of testing in late 2021 and confirm that, yeah, you can write these signals. There's definitely no galvanic coupling, because we stopped measuring the signal. We found that we were making signals that were very small, so small that they're within the noise of the oscilloscope. You could resolve them with a very sensitive SDR, like 16-bit SDRs, but you couldn't resolve them with something like the 8-bit HackRF. Very, very small signals, but they're still large enough to trigger reception on the trailer equipment. So yeah, so we stopped measuring. I'll talk a little bit more about that. We worked with CC to get a coordinated disclosure. And it was very quick, I think, and it was nice. We wanted to get done in time to talk to the American Trucking Associations' Technology and Maintenance Council. They have a task force that was putting together the new specifications for tractor-trailer interfaces.
And we really wanted to make sure that that task force and the stakeholders thereof were aware of the problems of J2497, so that the new interface wouldn't inherit all the same problems that have been there in 2497 for the past 30-odd years. So we were able to do that, thankfully, by the time that they had their meeting in March. And eventually, we were also able to contact the American Tanker Truck Association, which is good because the issue is the worst on tankers. So about the Unichuff signal: because we stopped kind of trying to measure how much we could induce, because it was way down in this very dirty, noisy, you know, 12-volt line on the trailer, we put together a signal we called Unichuff. It contains the diagnostic commands for all three trailer brake suppliers. And we send them to all five of the possible trailer brake locations. And we just do that on a loop, because if you remember the CVE that was issued, there is no authentication or authorization required. So we just play it over and over again, which lets us move where our antenna is, change our powers, and eventually we hear clicking. And then we know that it worked. And we did this for solenoid tests because you can hear the clicking; it's very useful as a test, but this is also applicable to other diagnostic commands. And we'll talk a bit about that later. So Chris, how can they do this? Should they do this?

So if you're on the highway, you should not do this to other people's trucks. This is not a good idea. They're big machines, you don't own them, don't mess with them. But if you have your own truck or you want to make your own bench setup, I strongly encourage that. And there are different things you can do if you have a bench setup. You can tap directly into the wires and view these signals. One way to do it is with a DC block to get rid of the 12 volts that's on the power line and just see the signal, and you don't harm your scopes or your SDRs or whatever you've got plugged in.
Another method is you can get a hardware hacking diagnostic adapter. They sell some that go from J2497 to 1708. And you can plug it in on one end, and then if you get your hands on a supplier diagnostic adapter that goes right into a brake controller or something, you can view entire session traffic and capture that. If you want to make your own FL2K adapter like we did, there are schematics out there for building one, or you just buy a board that goes from VGA to SMA and you're off and running there. And if you're making your own bench setup, you can add bonus features such as wheel speed simulation or pressurized air. And then if you want to go online and see our code, you can do it yourself with the SDRs and the downconverter and amplifier methods. This is an example of a bench setup that Ben's been using for the past couple of years. I'll let him talk more about it. It's pretty interesting.

Yeah, this is actually a CTF challenge at the Car Hacking Village. We have it again this year. This year the contestants have to use an SDR. In the past, we've given them a diagnostic adapter. And because it's DEF CON, Ankui also helped me modify it and we started a launch war with each other yesterday. So it's pretty fun and you should come check it out if you like. And yeah, I mean bench setups can be really key. If you want to take on the challenge of doing your own J2497 research on a bench, it might behoove you to know that if you find something, whatever you find is now remotely exploitable, right? So this is the environment that you would have in the situation of possibly remotely inducing messages. Not that you're going to do it, but your bench setup may be set up to look like this. You're going to have at least a tractor brake controller and one trailer brake controller. But here in North America, you can actually run triples, meaning three trailers.
A lot of those triples actually require converter dollies, and that's what kind of changes the back of a normal trailer into something that looks like the back of a truck, so that you can put another trailer on it. And these converter dollies, of course, have their own trailer brake controllers, so even though you can have up to a triple, you can have up to five trailer brake controllers. So if you want to have an authentic test bench, you might want to consider all five being present. And yes, hang on a second. I lost my notes. Right. So when you're looking at this stuff on your bench, keep in mind that the only required functionality while the truck is rolling at mission time is sending the lamp messages from the trailer to the tractor to show whether there's a fault. There's a lot of other stuff going on, but most of that is really value-add from the vendors and doesn't necessarily need to be happening on J2497, especially when we get to new tractor-trailer interfaces. Our experience with J2497 has kind of uncovered that it's a little strange, and there are a lot of things about what we found that suggest that either it's not been explored or that possibly this patent had a real chilling effect on the technology. You can see this picture at the bottom, which is sort of this weird chirp fragment coming out. And as soon as we started capturing these signals, we were seeing these chirp fragments and we couldn't tell if it was us or if it was something we were doing in the software. Eventually we broke out the signals and it really was just this tri-state output on the bridge; a tri-state is when you kind of try to turn off external amplifiers. And this output was just going high for some unknown reason. It's highly unlikely that no one has ever seen this before. There are a lot of really smart engineers that, you know, work on this technology.
We suspect that this and other things really suggest that whenever someone encountered this stuff, the answer was probably, well, this is patented and we can't do anything about it. We can't make an alternative technology. How can we change it? So we think that all of the weirdness here that you see summarized really did have a chilling effect. And, you know, Michael Ossmann has talked about this, how patents can be harmful to innovation. In his case, he talked about, you know, forceps, and that really caused really bad things. This, thankfully, hasn't hurt anybody. But we do believe that the patents being present has had a chilling effect. And I've heard of that as well, that in 1998 when they evaluated this technology amongst the other ones, there was a whole list of dozens and dozens of features that they could integrate over J2497. And to this day, really none of them have been implemented. And I've been told by some engineers that that really was because of licensing and the patent. So the other thing to note here is the preamble is discarded on receive. We previously had reported that you can make frames that have a different priority on 2497 than they have on J1708 when they're received. It's actually worse than that. It turns out that the preamble isn't used at all. And we found that in one case, this one brake controller was just sending random bytes for its preamble. It never was sending the correct lamp message, which explains why we couldn't decode it that first time we had a capture. So another mystery solved. And of the other two brake controllers, only one of them implements arbitration correctly. And that one actually has a priority inversion bug. Because it's doing it correctly, it still can hold up its transmit if it has a low transmit priority ahead of a high transmit priority. So even though it implemented arbitration correctly, it messed something else up, which is unfortunate, but kind of funny. So, solenoid tests.
A lot of the testing we've done, a lot of what we've disclosed here, is all about these tests. When the trailer brake controller receives them, it makes a clicking noise if there's no air present. If the air is present and the driver's foot is on the brake, it will actually release compressed air through the exhaust port of the trailer brake controller, which makes a chuffing sound. And that's why these are called chuff tests. The difference also is in dollies. Dollies don't have traditional air brakes. You don't need the driver's foot to be on the brake to chuff air. If they receive a solenoid test, they will chuff air regardless of the configuration. So when you have a road train with dollies, you'll actually exhaust air much, much quicker. But it's important to remember that, you know, even though we're talking about solenoid tests, they were a good stand-in for us to do our testing because we could hear the results when they were received. They were also kind of bad enough. There were fleets that got upset about just this, but there is more that's possible. On tractors, you know, the tractor units are really supposed to be receiving those lamp messages. That's their function, but they're doing more than that. Some of them are actually resetting in response to messages that they receive on the 2497 bus. And when a tractor brake controller resets, it sounds off its modulators, which is another chuff test. So it does four or more chuff tests in response to these reset commands, which is actually a well-defined J1587 message, not even a hidden proprietary one. There are a lot of the brake controllers that are doing bridging. Thankfully, that bridging is from 2497 to 1708, and we don't find 1708 on modern trucks, although there are a lot of trucks on the road that aren't modern. So it's not a zero-impact thing. There are tractor brake controllers that enable diagnostics from 1939 to 2497.
So we know that some of the software does include higher privilege bridging, and it's not clear, you know, whether it goes backwards; we certainly haven't found any that do that so far. And we haven't found any tractor brake controllers that respond to legitimate diagnostic commands on 2497, which is good. Back to trailers. There are other diagnostic commands on trailer brake controllers that aren't solenoid tests. You can change the tone ring size, which tells the ABS controller how fast the wheel is going based on the signal that it sees. The good news is that when you give it nonsensical values, the ones that we've tested don't do anything bad. We thought maybe if you give it a nonsense value, it might start ABS events. It doesn't, which is good news. You can also change the axle number. You can do all your DTC reading and clearing, et cetera. Now 2497 is really the only interface to access trailer brake controllers in North America. And so all the engineering tools also work over 2497. And even though those tools aren't supposed to be in customer hands, the software that receives the engineering tool commands is in the trailer brake controller and will respond to them. So things like, you know, uploading scripts. Some of the manufacturers have scripting languages that they put in their trailer brake controllers. We're also told that firmware updates do happen over 2497 on some of these trailer brake controllers. So there's a lot more than the solenoid tests that is all possible. So with all this happening, and you know, there's some bad stuff happening here, it's not zero impact, why would we come up here and tell you all about it at DEF CON? The timing was really kind of important about it. And it does present a dilemma, because, well, we recognize that the dilemma is not unique to us. This happens in a lot of situations with security disclosures.
On the one hand, if we talk about it, it's going to put unwanted attention on thousands of deployed vulnerable devices. On the other hand, if we don't talk about it, then the issue can't be widely understood and people might, you know, just keep doing the same thing they've always done. And this last part is particularly important right now because we're starting to define the new tractor-trailer interface, and if they said that it had to maintain complete backwards compatibility with J2497, which is something that fleets would reasonably want because they want to make sure that their old equipment works with their new equipment, the fleets would then also inherit all of these security problems with J2497. So because right now that task force is working to define these things, we felt it was really important to do this public disclosure with CISA so that we could tell the various task forces and tanker associations and carrier associations to make sure that everyone understands the issue. We have asked the task force to make sure that J2497 is deprecated in the next interface, and that will actually come to a vote in September at the in-person ATA TMC meeting, and we hope they will agree.

Which brings us to probably the reason you all came here, which is: let's look at some trucks chuffing, right? Okay. Now actually getting time to test trucks is pretty difficult, so we'll just show you how Chris and I prepare for our tests. Okay. Got it. Thank you, for those of you that laughed. I appreciate that. Okay. In all seriousness, we will show you chuffing trucks.

This is our demo setup. We have the Unichuff signal in that black box. We turn that into a J2497 signal with some code that's now public and available. We serialize that and play it on an FL2K USB dongle that Chris told you about. That goes into a variable attenuator which feeds a power amplifier. The reason for the variable attenuator is so that I don't blow up any more power amplifiers. That's important.
And then we feed that into the antenna, which is sitting next to the truck. So let's do the demo. There we go. So that sound you're hearing, that's the chuffing sound. That's the trailer brake controller exhausting the air. I can see it down here. You can kind of see the antenna here strung on the pylon. So it's those two red wires that are just to the left. And we're at a pretty decent distance here. This is a triple with grain haulers, which are type B trailers. So there's no dollies. It's just three trailer brake controllers on these grain haulers. And of course the driver is in the cab and he has his foot on the brake. And because he's in the cab with his foot on the brake, that's why we're hearing the air chuffing out. Here you can see the laptop and the programmable attenuator and the power amplifier that feeds the antennas, and there's nothing else between the setup and the truck. They're independent.

Now what happens if you do this test for a while? It's not super easy to hear here at DEF CON, but the air stops chuffing. We ran the test for quite a while and you can hear just the solenoid clicking much more than the air. There just isn't enough air in the reservoirs to keep up with the continuous chuffing commands that we're sending, right? And you definitely hear that it's different at least. And of course if they don't have enough air in the reservoir then they can't release the brakes to move the truck. So if a truck were caught in this situation long enough, roughly two to three minutes in this configuration for that tractor and these trailers, it probably wouldn't be able to roll away until its compressor could keep up. Back to that.

Okay. So I think you'll find that Chris and I have shown you that it's possible to both read and write these messages remotely on some tractor and trailer configurations. And in the worst case, writing remotely can be done for pretty cheap, $300 U.S.,
at a very large separation, something that would work from ditch to road. And the writes don't just reach the trailer equipment; they actually reach the tractor brake controller as well. And both the trailer brake controllers and those tractor brake controllers are doing more than just the regulation-required LAMP messages.

We could not have done the cool stuff here without the assistance of AIS. This was a really great team effort and we're very grateful for your assistance, and Dan, thank you very much. And Eric, who's not here but on the stream, hopefully. This would not have been possible without the support of the NMFTA member fleet carriers. So thank you very much to them. And a huge thank you to this long list of people that I won't read out because it'll embarrass those of you that are in the audience. But thank you very much to you. And we're happy to take your questions now. Thank you.

Yes, sir. Yeah. So the question is, you know, we mentioned that there's some interoperability. I was saying bridging between 1939, which is a CAN bus, and this 2497, which is a power line carrier, in the tractor brake controllers. They connect to J1939 because they're, you know, they're responsible for actuating the brakes and responding to torque and all the other messages on the bus. Those tractor brake controllers in North America, they also have to, for regulation reasons, receive 2497 messages. So they're like the nexus that connects to both of those buses, and the software in them does in some cases, you know, move data for various reasons. Does that answer your question, sir? You're welcome.

Yes. Yeah. So that's a good question. It's definitely a natural question. We have tested something like this when it's moving. The results were negative. So what we found, and, you know, we mentioned that if you change the tone ring size, it doesn't make things bad either.
What we found is that because these are ABS units, they have wheel speed sensors built right into them. The software knows intrinsically how fast it's going. All the ones we've tested will just not receive any diagnostic commands while they're in motion. I think you'll find in one of the slides earlier, I didn't say it verbally, but it's there, that if they're in a fault state, some of them will actually still respond to the diagnostic commands. Even in motion, if they have a fault, they will respond. And that's for some of them, for some versions, on some things. So your mileage may vary.

So we're talking about, OK, so the question is, what would happen if this was somehow theoretically possible in motion, or happened, right? And sorry, is that the question? Yeah, OK, so these are air spring brakes. If it's just rolling and you start to deplete the brake pressure and no one has their foot on the brake or anything, the effect is not really going to be anything unless you get all that supply air out, and then the brakes would start to close and it would slow down the vehicle. So it's a pretty decent failure state, I think, in terms of impact. The thing that kind of bothers the fleets about it is the access to the other diagnostic functions and the potential immobilization of tractor-trailers that are stationary and then made to stay stationary. Because they're big and hard to move, and that would make things bad in a lot of cases, right? Does that answer your question, sir? You're welcome. Thank you.

Oh, do we have a question back here? Yes, please. Good question. So the question is, can we use the same method to actually block activation of brakes? Right? So brake control in North America, at least, is all pneumatic, which means it's all through pressurized air control. So application of the brakes and release of the brakes is both through the blue line that signals relay control, but it's all pneumatic.
There's no way to control the brakes with any of the research that we've done here in that way.

Yes, sir? Right. And so the question is sort of like the talk last year that was involved with stealing and/or completely disabling all the shopping trolleys, which is a great talk, and is 7 kilohertz similar? Just like Chris mentioned, there's a big difference between 400 kilohertz and 100 kilohertz. There's actually an even bigger difference between one and seven. The thing that is similar is that there's no authentication or authorization required. So like that loop that he did, that just plays the thing, that's kind of what we did with the Unichuff as well. The other really important distinction is that those trolleys, the equipment that he was attacking, had antennas that were designed to receive RF. They were electrical engineers, real electrical engineers, you know, did the thing and made the antennas to receive it. What we're doing is like convincing a power line system to receive RF when it really shouldn't. And so we need a lot more power and oomph to make that happen. You're welcome. I think we're good. Thank you everybody very much.
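As an added example for readers of this transcript (not code from the talk, from the NMFTA/AIS tooling, or from the Fischer framework), the Python below builds and validates the J1708-style frames that J2497 carries over the power line: a MID byte, PID and data bytes, and a one-byte checksum that is the two's complement of the 8-bit sum of everything before it. The MID, PID and payload values are constructed for illustration and are not the solenoid-test or reset commands the presenters used. What it shows is the "no authentication or authorization required" point from the Q&A: the only integrity check a receiver can perform on the wire is this checksum, so any sender that can get a signal onto the 12-volt line can produce a frame the receiver treats as valid, and nothing in the frame identifies where it came from.

```python
"""J1708-style framing as carried by J2497 (PLC4TRUCKS).

Added example; not the presenters' code. The MID/PID/payload values below are
constructed for illustration only and are not real diagnostic commands.
"""

MAX_FRAME_LEN = 21  # J1708 limit: at most 21 bytes including MID and checksum


def j1708_checksum(body: bytes) -> int:
    """Two's complement of the 8-bit sum of all preceding bytes.

    Appending this byte makes the whole frame sum to 0 mod 256.
    """
    return (-sum(body)) & 0xFF


def build_frame(mid: int, payload: bytes) -> bytes:
    """Return MID || payload || checksum, enforcing the J1708 length limit."""
    if not 0 <= mid <= 0xFF:
        raise ValueError("MID must be a single byte")
    body = bytes([mid]) + payload
    if len(body) + 1 > MAX_FRAME_LEN:
        raise ValueError("frame exceeds J1708 maximum length")
    return body + bytes([j1708_checksum(body)])


def parse_frame(frame: bytes) -> dict:
    """Validate the checksum and split a frame into MID, payload and checksum.

    Raises ValueError on a bad checksum or an impossibly short frame.
    A receiver that does only this check has no way to tell whether the
    frame came from the trailer ECU or from an externally induced signal.
    """
    if len(frame) < 2:
        raise ValueError("frame too short")
    if len(frame) > MAX_FRAME_LEN:
        raise ValueError("frame exceeds J1708 maximum length")
    if sum(frame) & 0xFF != 0:
        raise ValueError("checksum mismatch")
    return {"mid": frame[0], "payload": bytes(frame[1:-1]), "checksum": frame[-1]}


def corrupt_and_check(frame: bytes, index: int) -> bool:
    """Flip the low bit of frame[index] and report whether parse_frame still accepts it.

    Demonstrates that the checksum catches accidental single-bit errors but is
    trivially recomputed by anyone crafting a frame on purpose.
    """
    bad = bytearray(frame)
    bad[index] ^= 0x01
    try:
        parse_frame(bytes(bad))
        return True
    except ValueError:
        return False


# Constructed sample (hypothetical values): MID 0x0A, PID 0x01 with two data bytes.
SAMPLE_MID = 0x0A
SAMPLE_PAYLOAD = bytes([0x01, 0x10, 0x20])
SAMPLE_FRAME = build_frame(SAMPLE_MID, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print("frame:", SAMPLE_FRAME.hex())
    print("parsed:", parse_frame(SAMPLE_FRAME))
    print("accepted after one-bit flip:", corrupt_and_check(SAMPLE_FRAME, 1))
    # A forged frame from a different sender is indistinguishable on the wire:
    print("forged:", parse_frame(build_frame(SAMPLE_MID, SAMPLE_PAYLOAD)))
```

Running it prints the five-byte frame `0a011020c5`; flipping one bit makes `parse_frame` reject it, while a frame rebuilt from scratch with the same MID is accepted exactly like the original, which is the whole reason the modulation and antenna work in the talk was enough to drive the brake controllers.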