Okay everybody, I'm going to go ahead and get started on this. Hi, my name is Mike Metzger. I'm going to give a talk about tire pressure monitoring systems, some of the details about how they're implemented, and some of the unfortunate side effects of the implementation choices that the manufacturers made.

So, to get started, a little about the history of the TPMS systems. The first one that was implemented was actually for Porsche; this was implemented on the 959 in 1986. I got this from Wikipedia, and it goes into a lot more detail about how that system actually worked. As with most new technology it's pretty convoluted, and they've made it much simpler since then. After that you saw a bunch of various styles used in assorted luxury vehicles, so various systems that would try to get the TPMS working, and then finally the piece that brought us to where we are today is the TREAD Act. I'm sure everyone remembers the Ford Explorer problems that caused the flips and the other sort of tire problems, so what they did as part of the TREAD Act was require that TPMS be implemented on all systems from 2008 on. So basically, if you buy a new car you've got TPMS built into it, at least if you're in the U.S.; in the EU and other places you're going to see more of that happening.

There's a couple of different TPMS types. There's what's called direct TPMS; this is what's used in most vehicles, and you see two little variations of that: there's the one with the battery and what's called a battery-less. Then you also have indirect; this is something that uses the ABS from the computer and does various calculations instead of an actual sensor to determine what the pressure is. This talk is going to talk about the battery-powered direct TPMS systems.
So a little more about the direct TPMS. Typically you're going to see four sensors, maybe five depending on if you have a spare in there, and this is going to be mounted on the wheel behind the valve stem. So you actually have the rim itself, and then the TPMS sensor itself is mounted, and then the part where you put the air in, the actual valve stem, is part of the TPMS sensor itself. The receiver is going to be built into the car, and this is often co-located with the remote keyless entry and some of the other wireless features that are in the vehicle itself. Then, depending on the manufacturer, the car's ECU or the PCM, basically the engine control unit or the powertrain control module, processes the info, and it behaves differently depending on the car itself and how it's programmed; there's various versions of the individual flash per vehicle. The main thing you'll see in most cars is the annoying TPMS light. This is a visual of the dash from my Rx8 from 2005, and the yellow light in the middle with the slightly flat tire with the exclamation point in the middle, that's the symbol that is kind of the universal TPMS icon.

So a little about the sensors themselves. These things are built for pretty rough environmental situations: you know, you've got a high rate of speed, rotation, heat, cold, various air levels, things like that. So for the most part it's a combination of an ASIC, meaning a microcontroller (Atmel, Freescale, Microchip, pretty much everybody makes a TPMS-based system), a pressure sensor, and then some RF components. Again, this is typically part of the valve stem and sits in a recessed area of the rim inside the tire, and then the RF transmission itself is going to be in the 315 megahertz band for the US or the 433 for the EU.
Now this isn't a hard rule. My wife has a 2009 Volvo that actually works in the 433, so sometimes it depends on the country of manufacture and sometimes it just depends on what they've decided to do at that point. So a little more about the sensors. These can be woken up by rotation, this is the most typical situation; sometimes by a low-frequency transmission, meaning you'll see a 125 kilohertz signal, this is going to be either modulated or a continuous signal; and in some of the most sophisticated ones you'll see it activated by magnets. The transmission system itself does vary based on the manufacturer, but it's typically once a minute; this is to prevent issues on the battery. This is a device that is meant to last between seven and ten years before it needs to be replaced, so they are very low power and they don't do a whole lot. The side effect to that once a minute is, if you do have a pressure problem, meaning you have really high pressure, really low pressure, or it's changed significantly within a certain time period, then you're going to see that light come on or something happen where the sensor is sending out the signals more often, meaning maybe every five seconds, every 20 rotations, something; it just depends on how the sensor itself behaves, and the transmissions can overlap, requiring retransmits.

So, an example sensor internal. This is from my Rx8 again; Siemens VDO created the actual device, and this uses an Atmel AT092. I'd never heard of this thing before, but it's apparently a four-bit microprocessor, and looking at the data sheet it's one of the most ugly processors I've ever seen to be able to program. Attached to that is a MEMS-style pressure sensor. MEMS is the microelectronic mechanical switch, so this is a surface-mount component that is actually a little mechanical pressure sensor itself, and then some simple RF transmission components.
Finally you have a pretty good sized battery. It's a CR2302; most people, like in our badges, are the 2032s, so these hold charge a little bit longer and are again designed to last seven years or so, but the sensor does not actually use that much power when it comes on. Finally there's just a sort of passive components, depending on what's needed.

So when I was researching this, I obviously didn't want to break my car, because there's a lot of problems with getting it fixed, and they charge somewhere on the order of two to four hundred dollars per sensor if you go to the dealer to get them replaced. So I found one on eBay, I picked this up and decided to start looking around at it. So you see the before picture where there's the one side of it, and then on the reverse side we see this pink goop. This is basically silicone rubber; this stuff does not come off for anything. I tried acetone, I tried, you know, various other assorted methods to remove it, and finally what did the best job was getting out a pair of pliers and starting to pull the stuff off. So this was before I started; then during the process I had to get around some of the plastic components and get around to the back of it. So the big plastic blobs: you see what happens when you take a Dremel at about 25,000 rpm and run across the plastic to the point that it melts, and it's spraying plastic across you the whole time. And then you can kind of see it off to the right, but I did end up hitting the battery and causing a lot of sparks and other assorted battery acid to go flying everywhere. But finally I did get it apart, and you end up with the circuit board for the pressure sensor and pretty much everything pulled off of the chips themselves. So we have the actual AT092 and then some of the other components that are required for the actual transmission, along with just a few other components that are in there. So after I did all this I was looking at it and thinking, okay, I really don't want to go through this again; this was not fun, and it didn't really help, because I did end up scratching some of the components just by physically removing the silicone rubber. I have one that I'll be happy to show later, but the actual sensor itself is probably about that large.

So after I did this I made a small discovery, and that's that the FCC does have a database of pretty much every device that's out there. I knew that this was there, but I didn't quite realize what they included with it. So if you look on the sensor you see the grantee and the product code; when you enter that in you get the FCC testing documents, and what you'll end up with is a nice pretty sensor that doesn't have any of the environmental components that are needed, and you get to see the pure circuit board and how everything's put together. The one nice thing about actually pulling everything apart, though, is that they did block the type of microcontroller that was used, so if I hadn't taken that apart I wouldn't have known that it was the AT092, because in this image they have that covered with that TXXX. So in addition to just the pictures, you get things like spectrum analyzer output, a general description of the operation, often even a bill of materials along with costs, and all sorts of other things. So it's quite a bit of information that you can reverse engineer and say, okay, look at the spectrum analyzer output, let's see what type of transmission this is actually putting forward, and then use that to later on create your own transmissions or read the information that's coming from it.

So the next question is, how do you find all the FCC IDs? The easiest way I found was eBay. Typing in the model of car that you're interested in and TPMS will usually return the picture of the TPMS, so you can buy copies. And by the way, if you do need TPMS sensors, this is usually the cheapest way to do it; getting one of these and then finding the method to make your ECU know what it needs to do is much cheaper than going to the dealer and paying, you know, 400 to a thousand dollars to get them replaced. But going back to the eBay piece, the nice thing about this is that usually the pictures will include the FCC ID on the device. So if you're interested in knowing what, say, a Nissan 350Z uses, I can just type in TPMS 350Z and then get back some images about what it is, look it up in the FCC database, and have a pretty good idea about how the TPMS will work.

So a little bit about the receiver itself. These things are typically going to be in the trunk or behind the glove box, and depending on the way the vehicle is set up you may have multiple receiver elements; sometimes the batteries on these are so weak that they will actually put an antenna inside the wheel well for all four wheels. Most receivers will typically remember between four to ten sensors. Almost all of them will do four or five; there's a few models that will handle up to ten in case you have summer or winter wheels, so that it doesn't require you to go to the dealer every time you swap out your wheels and tires. Most, unfortunately, do require special tools and operations to go into what's called a learning mode. This basically tells it, okay, this is your TPMS sensor, and these are the ones you need to monitor from now on, and possibly forget the other ones. What will happen is, if you do remove a TPMS sensor from any given wheel and your ECU is expecting it, you'll get things from the TPMS light going on, you'll get a lot of beeps, or in some circumstances the check engine light will actually come on.

So a little more about the way the sensor itself communicates. This is done over RF, and this varies considerably based on the sensor. So again, using my example TPMS sensor from the Rx8, this is a Siemens VDO FE01 37140, I'm sure that means so much to everybody, but this uses a combination of ASK and FSK transmission. Basically what that means is the ASK is amplitude shift keying; it more or less turns it on and off. And then for the FSK, it's frequency shift keying; it means it changes the frequency for specifying the type of bits or the way the bits are transferred. So for this particular sensor it does 12 pulses of ASK wake-up and then three pulses of the FSK transmission that contains the actual sensor data. Now the sensor data is going to be the pressure that's actually being read, in some circumstances a timestamp or just some sort of marker that it's counting on, and then an ID, and I'll go into that a little more in a second. But what'll happen is this repeats, you know, once per minute over 20 miles, or every five seconds with a pressure problem.

So as I mentioned, every transmission consists of the pressure level, the battery level, and a sensor ID. This exists to identify which wheel is actually causing the problem. Now the biggest problem with the IDs that I found is that these things are way too precise; we're talking between 32 and 108 bits of ID information per sensor. So at the low end we're looking at 4.2 billion separate sensor IDs that are out there, possibly quite a bit more. And this is encoded information; again, this is encoded with the type of transmission, meaning the ASK, the FSK, or some of the other frequency methods. But if you combine this with four to five sensors per car, it's very easy to identify a car by the tires alone. So this is something that, with a strong enough antenna and the ability to read what the information is, you can then start tracking vehicles, do all sorts of other assorted purposes.

Now dealer and tire repair shops have universal tools that have been created. These things cost between 150 to about $3,000 depending on how complex they are. Most will usually generate the 125 kilohertz signals; this often contains a special tool, aka a magnet. GM and Chrysler, I'm sorry, not Chrysler, GM and Cadillac sell a tool that's a magnet for about 125 to 150 bucks to activate the TPMS, or you can go to Radio Shack and pick up the little round six-pack of magnets for about $3 and stick it on the valve stem and you've activated it the same way. The upscale models are going to decode the transmission based on the make, model, year, and so forth; others are simply going to indicate the reception of a signal, so you'll see like a red or green light saying yes, I've got the TPMS signal, or no, I don't.

So when I was looking at this I realized that I wanted to create some of my own tools that did this. I didn't want to pay for, you know, the 150 to 3000 to be able to do this, especially considering how simple most of this is. You know, there's some practical and some nefarious purposes for it, and I wanted to make this based on commodity parts. So the first part is a do-it-yourself receiver. This is mostly complete and will probably be implemented as an Arduino shield. It contains some RF receiver elements; this chip varies based on what the ease of programming is. There's a Maxim 1471 that does pretty much everything I needed to do, there's a C110 from Chipcon, and then there's some Microchip options. As I mentioned, it's based on Arduino; add an LCD display if needed; obviously stick a magnet on there; a 125 kilohertz transmitter; and then make the appropriate code open source, and then a database for the transmission method. So I've got the database started with this, from the assorted FCC IDs and the ways that these communicate, and I'll have that up shortly after the talk. Using the receiver you can store multiple IDs. These are going to be great for car PCs, for vehicles with limited TPMS like my Rx8. One thing I hate about it is that light will go off, but it won't tell me which tire is actually low or by how much. This was also an easy way to verify that the TPMS sensors are there, that they're working, and you can also just walk around parking lots and get the IDs of interesting vehicles that you want to track or see what's happening.

Transmitter: this is more so in development just because of some finickiness about how everything works, but it's not really a sensor, it's more of a spoofer. Again, this is going to be transmitter elements; this is likely a Maxim 732, it's a transceiver that'll do both receiving and transmitting, so we can combine everything into one device. It's Arduino again for simplicity, but it could be something like a Microchip rfPIC. Also, again, this is going to be open, and the database is going to be the same, because to receive it is going to be the same as to send it. Using the transmitter: certain wheels can't accept TPMS sensors, so if you do aftermarket swap-outs you want to do the transmitter to get the expected IDs to the ECU so that you don't get the annoying lights or beeps or anything else. You can get the IDs, send spoof messages confusing your ECU or other ECUs, you know, low pressure, high pressure, no pressure. And then one option I thought of was set up near a stop light a good sensor with an antenna, grab the IDs of a bunch of systems that are around there, retransmit with false TPMS info, and then go talk to a bunch of tire car dealers and say, you know, hey, I want a cut of all the work that you do on this. Some more ideas: you know, set up a network of receivers tied to loggers, you know, track pretty much any given vehicle that you want to. And the more frightening idea is if you start fuzzing the TPMS formats. Obviously I did not do this to my own car, again because I do need to drive it, but as I'm sure everyone knows there's more and more computer control of everything that's happening in a car: your ABS, as seen with the Toyota acceleration problems, fuel injection, pretty much anything related to the internal behaviors and so forth. If you can start fuzzing the TPMS and get a good overflow into one of the systems that's based there, more of these are being based on ARM now, and you might be able to take over the car from remote.

A couple things about countermeasures real quick. On privacy, they mainly need to drop the ID length to about 16 bits or less. The IDs are there so your cars don't get confused when they're next to each other and pick up another transmission, but you don't need 32 to 108 bits worth of information to generally verify that your TPMS sensors are okay. Or the other option is just encrypt the sensor communication; there's absolutely no encryption right now. They could do something as simple as, you know, Triple DES or even AES in most of these microcontrollers and not require a whole lot of work. And then what I'd say is, from a general need, the vehicle vendors need to make sure that the TPMS processing modules can handle the bad data; otherwise we're going to see a whole lot of problems with cars from remote based on the computers being taken over.

For the future of this project, I need to drastically build out the database for the TPMS communication formats, and this is going along further than when the slides were created, but ideally create the single device capable of acting in the send and receive configuration for multiple devices. This gets a little tricky based on the different types of transmission formats and the type of antennas you need, but it should be doable. So finally just some thanks to some people that helped out with this project and inspired me on a couple of different methods to verify that this was working, and that'd be it. So thanks, everyone.
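The receiver-side countermeasure the talk closes on (processing modules that cope with bad data) as an added example, not the speaker's code: a validator for a constructed, hypothetical 8-byte frame carrying the fields the talk names (a 32-bit sensor ID, pressure, battery level, a counter, plus an XOR checksum; no vendor's real over-the-air format) that rejects short, corrupted, unpaired, implausible and replayed frames before any field reaches the ECU logic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed, hypothetical 8-byte frame used only for this example (no vendor's
 * real over-the-air format): bytes 0..3 sensor ID (32-bit big-endian, the low end
 * of the 32..108-bit range), byte 4 pressure in 0.25 psi steps, byte 5 battery in
 * 0.1 V steps, byte 6 rolling counter, byte 7 XOR of bytes 0..6. */
#define TPMS_FRAME_LEN   8
#define TPMS_MAX_SENSORS 5    /* four wheels plus a spare */
#define PRESSURE_Q_MIN   40   /* 10 psi: lower is noise or a fault, not a reading */
#define PRESSURE_Q_MAX   240  /* 60 psi */
#define BATTERY_DV_MIN   20   /* 2.0 V */
#define BATTERY_DV_MAX   36   /* 3.6 V, more than a fresh coin cell can deliver */
typedef enum { TPMS_OK = 0, TPMS_ERR_LEN, TPMS_ERR_CSUM,
               TPMS_ERR_UNKNOWN_ID, TPMS_ERR_RANGE, TPMS_ERR_REPLAY } tpms_status_t;

typedef struct { uint32_t id; uint8_t pressure_q, battery_dv, counter; } tpms_frame_t;

/* Receiver state: the IDs paired in learning mode and each one's last counter. */
typedef struct {
    size_t   n;
    uint32_t ids[TPMS_MAX_SENSORS];
    uint8_t  last_counter[TPMS_MAX_SENSORS];
    bool     seen[TPMS_MAX_SENSORS];
} tpms_receiver_t;

/* Validate one received frame. Every check runs before any field is trusted, so a
 * short, corrupted, foreign, implausible or replayed frame never reaches ECU logic. */
tpms_status_t tpms_process(tpms_receiver_t *rx, const uint8_t *buf, size_t len,
                           tpms_frame_t *out)
{
    if (len != TPMS_FRAME_LEN) return TPMS_ERR_LEN;      /* never index past buf */
    uint8_t csum = 0;
    for (size_t i = 0; i < TPMS_FRAME_LEN - 1; i++) csum ^= buf[i];
    if (csum != buf[7]) return TPMS_ERR_CSUM;

    uint32_t id = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                  ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    size_t slot = rx->n;                                  /* n means "not paired" */
    for (size_t i = 0; i < rx->n; i++) if (rx->ids[i] == id) slot = i;
    if (slot == rx->n) return TPMS_ERR_UNKNOWN_ID;        /* neighbour's or spoofed */

    if (buf[4] < PRESSURE_Q_MIN || buf[4] > PRESSURE_Q_MAX ||
        buf[5] < BATTERY_DV_MIN || buf[5] > BATTERY_DV_MAX) return TPMS_ERR_RANGE;

    /* Same counter as the last accepted frame from this sensor: a replay, drop it. */
    if (rx->seen[slot] && rx->last_counter[slot] == buf[6]) return TPMS_ERR_REPLAY;
    rx->seen[slot] = true;
    rx->last_counter[slot] = buf[6];
    out->id = id; out->pressure_q = buf[4]; out->battery_dv = buf[5]; out->counter = buf[6];
    return TPMS_OK;
}
```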