So, thank you all for being here today with us. We're gonna talk about some car hacking topic. And let's go fast, because I think we made 20 slides. Let's see.

So yeah, who are we? I'm Javier Vazquez. I'm a hardware security specialist. I work at Code White, a German company with phone stuff. I'm from Cadiz, Spain. I guess you can figure it out already. I'm sort of dark stuff. And yeah, I reverse engineer stuff, blah, blah, blah. I like cake when it's not alive, and barbecues. I mean, who doesn't like barbecues?

So hi everyone. I'm Ferdinand Nölscher, Ferdi for short. I also work at Code White in southern Germany. Among many things I also like barbecues, of course, and lasers. Lasers are fun, right? So we had to decide between doing stuff with lasers and car hacking. And I don't know, maybe you can imagine what we went for.

So, car hacking status. What's going on? So yeah, besides remote stuff, the focus is on the CAN bus, because data, blah, blah, blah. Replay attacks: you can record and then replay, such awesome stuff. Some researchers also found remote exploits, like slashing wheel tires and stuff, but yeah. Yeah, it's like hardware stuff. And also some really awesome tools to help understand the UDS protocol. But is there anything else?

So yeah, chip tuning is its own thing, but it has a lot in common with car hacking, actually. It is car hacking. And there's ECUs being cloned, keys being dumped and data being manipulated to get more horsepower, or that sort of stuff. Also, in the internal data manipulation, chip tuners often enable, for example, writing over OBD, which is disabled. That's actually quite a hack. I mean, you need to bypass checks and, I would say, signatures. So that's a cool topic. And yeah, we all know OEM diagnostics, right? They can also do fancy stuff.
So yeah, what's the secret that might have fallen down? So UDS is not the only protocol. Really, there's also TP 2.0, which is the CAN bus version of the Keyword Protocol 2000, which was used on all cars over K-Line. And both have a series of services, SIDs, which are actually quite interesting, but people don't care that much about them. And yeah, using these services you can get a lot of fancy information, even memdumps. Want to explain that?

So yeah, let's compare UDS and TP 2.0 very quick. For TP 2.0, you actually have to negotiate a channel where the communication will happen between the tester and the module. So let me see. Yeah. First we have the request: 0x200 is always the channel negotiation request. And you can see the different fields split up. And on the bottom one you can see the response, which is 0x200 plus the target address. And then you can communicate. Yeah, and then you have the transmission. A transmission is just the ID, which is the CAN ID, you have the frame counter, the frame type, and then data, blah, blah, blah. We will share the slides, so don't worry if you're not getting it this fast.

Then UDS. The only difference between UDS and TP is that you don't need to negotiate a channel. You just broadcast. You have your types of frames, prefixed by the length and the type of frame. But in the end, the data that's in the payload is what matters: that's the SIDs, the firmware, whatever. So they are pretty similar. They are both transport protocols, actually. And just to make it somewhat visible, that's the difference between TP, KWP and UDS. It's just that some services are divided into more, smaller services. On UDS we have CommunicationControl. On KWP you have, for example, start comm, stop comm, disable normal message. All that is handled by a single SID on UDS.
You have four on KWP. So that's the only difference on a protocol level.

So here we will shortly list a couple of interesting services. The first one is SecurityAccess, which is the way you authenticate the tester against the ECU, right? Security access will unlock different levels of functionality. It's like a challenge-response. Then there's ReadMemoryByAddress. You give it an offset and it will return the contents. And it often, but not always, requires security access. Read and WriteDataByIdentifier is, for example, for getting the VIN, the vehicle identification number. You give it parameters, retrieve the data. RequestUpload is from the ECU's perspective, so don't confuse the name: it's to retrieve the firmware from the ECU. And RoutineControl allows you to start custom routines, for example erasing the flash, triggering all sorts of stuff. There are some fancy routines we found in some vehicles, well, ECUs actually, not vehicles, namely Bosch, that would allow you to retrieve the boot keys in EDC17 and MED17. So basically you just trigger the routine, you get the key, and then you can unlock the bootloader mode.

So yeah, why all this stuff? Because: CanBadger. So yeah, glitchers gonna glitch. So let's take a look at the hardware overview. It's an mbed, the LPC1768, or LPCXpresso. It has external RAM, 128 kilobytes, to speed things up, two DB9 for CAN, two debug headers, SD card, ECU power controlled by a MOSFET. We have UART, we'll see later why. GPIOs, if you wanna add fancy LEDs. And it runs in three different modes: standalone, USB, which is a CDC device, serial over USB, or network. And yeah, it can be powered and has a blinky LED. So that's really fancy. And it's really cheap to make, under 25 bucks. And we made it easy to solder, so it's really easy to set up.
So, consider the firmware a proof of concept. Okay? The actions are always handled by the CanBadger itself. So it doesn't really require a laptop or computer or whatever to perform any logic. It's all implemented in the firmware: UDS and TP 2.0 browsing, raw CAN logging, just as a start. We have a man-in-the-middle mode and the emulator mode. And we also mentioned that you can have three different modes of operation. That is standalone mode, without anything attached. UART mode, where you get a CDC device on your computer and connect with your terminal. And then there's Ethernet mode, which I will go into, don't worry. But it's for use with the CanBadger server, so you can have multiple CanBadgers in parallel. Yeah. So, fancy stuff.

So just a quick overview on the protocol analysis. Many SIDs are already included in the firmware. It's just a switch case, so adding support for additional ones is really a piece of cake. It's extremely verbose. It parses the SIDs and the parameters. Everything is done by the CanBadger firmware, so no need for a PC, just the serial port; you need a terminal. And everything is stored on the SD of the CanBadger, so you can retrieve it later. And it works with UDS and TP 2.0.

So yeah, the interactive session. The interactive session is, well, interactive. So it doesn't require scripting, and it allows you to perform actions on the go. I don't know if you guys saw before we were starting the presentation, I popped that terminal and I was doing some stuff. That's actually the interactive session. So you start a diagnostic session, and then you can think what your next move is going to be. You don't need to write a script or anything. You can just try stuff, see what happens, change something, try again, with no rush. And there are built-in scanners for SID parameters.
So for example, if you want to check if there's any hidden type of diagnostic session, or you want to see what offsets are readable by ReadMemoryByAddress, or whatever you want to check, there are some built-in scanners for that to make things easy and fast.

Let's talk a little bit about the man-in-the-middle mode. It's also, as I mentioned already, all implemented in pure firmware. So on the right hand you can see the original traffic on the top and the man-in-the-middle traffic on the bottom, where the payload has been changed. And in the left brackets you can see that there's no delay added. So it's pretty fast, and we tested it out with like 30 or 40 rules. Basically it will match any incoming packet on either port against your set of rules on the SD card, and it will do basic operations like dropping frames, doing math operations, or substituting simple bytes.

So we thought we could make it even easier to use the CanBadger. We wanted to have CanBadgers talking over Ethernet, so maybe they could exchange some data with each other, or just to have multiple ones running in parallel. And this is why we have the CanBadger server. It's written in Python, and here is a small snapshot. It's actually not themed, but it looks different now. So on the left hand you can see the connected nodes, and this is where you will switch between different CanBadgers. And the GUI was really inspired a lot by Burp Suite, so you have everything in one place and you can exchange data between different modules, like the logger. For example, send a frame from the logger to the replay tab, or create a rule for that.

So, security access hijack. Why? So yeah, we were talking about security access, and it's now starting to be more known. It's just the tester authenticating itself against the ECU. But you need to know, obviously, the algorithm being used and the key being used.
Since it's random, you cannot brute force it. I mean, the challenge is gonna change every time, and after three failed authentication attempts the ECU locks down for ten to thirty minutes. So no brute forcing there. What's the other solution? Hijacking security access. So you just need a tool that is able to authenticate. You don't need to care about what the tool does; it just needs to be able to authenticate. So for that, for example, we bought a cheap clone interface for tuning the cars, and every time we want to have access to something, like, I don't know, the restricted diagnostics mode for example, or reading some offsets that are not standard, we just hijack the security access. And yeah, then we have security access without caring about that.

So how does it work? The CanBadger gets into a transparent mode, bridge mode, so it waits for the security access to happen. If the security access succeeds, it will disconnect the external tool, and then it will take over the session and give you a nice menu with a lot of stuff to do.

So yeah, let's try the demo. We are running a little bit bad on time, but why not? Let's try the demo. So let's fire up our super Windows XP. Because why not? Yeah, we all love waiting, right? Yeah. Okay, so in the meantime, we're gonna do the demo in a while, because we're not that good on time. So yeah, let's travel to the future on the next slide. So yeah, hopefully we survived the demo.

So what else can the CanBadger do? Another fancy thing is dumping the TP and UDS transfers, which are used for firmware updates. So let's say a vehicle gets an over-the-air update. That will be encrypted, signed, blah, blah, blah, but then it needs to distribute the firmware updates over the network to the different modules. So it does that over the CAN. Most of the time, not every time.
So if it goes that way and it decides not to use encryption, which we have found some manufacturers do, then the CanBadger can just grab the whole transfer and dump the data. So basically dump the firmware that was being updated. It can also spoof OBD2 data, via the man-in-the-middle and the emulator. The emulator is some other fancy stuff, we will explain later. And yeah, you can use GPIO pins for bootloading, for TriCore. You know, some people call it zero-day; it's just on the datasheet. We call it a function. And yeah, it can manipulate GPS signals via the UART pins.

So why do we mention GPS? Hmm. Well, many of you guys might know those kind of dongles that give you rewards or allow you to track vehicles, for example from insurance companies, and they turn your safe driving into savings. Hmm. Let's play a game. So the thing with these dongles is that they implicitly trust the data that is coming from the car. It's requesting data over the diagnostic protocols, and also they're dependent on GPS, so they do have some cross validation or some features that require that. And by spoofing the OBD data, you can have your own driving habits. Yeah, well. And maybe if you spoof your location too, it's going to be more money for you.

So here we have an Android radio that's not a stock radio. So basically it's running an Android app connecting to a Bluetooth dongle that is plugged into the car. And you can see that there's stuff going on, RPMs going up and down. But the car is not really turned on. Hmm. And now you can see that we stopped the CanBadger; the data will stop changing. Yeah. And there you see the feature. You can just control it with a button, you don't need to do anything.

So yeah, that was the emulator we were talking about. So how does the emulator work? You just set up a file on the CanBadger's SD and tell it to broadcast every 10 milliseconds a request, which is a request for a PID, which is the data used by these insurance dongles.
So it just keeps on making those requests as long as you want it to. You could be, like, two hours logging all the data that will be used for the emulation, which is actually real driving. I mean, you just go around in circles for one hour logging the data. Then you create the emulation data. Once you've got the data, you use the CanBadger to create the emulation data. So the CanBadger will look at which SIDs were used, which PIDs were used, and just ask you from which one you want to create the emulation data.

So, the way that the emulation data is stored in the CanBadger, because like we said earlier, everything is running inside the CanBadger, no computer needed for this, just press a button. So we created a header that has the IDs, the protocol used, the SID, the PID, and then the start offset and end offset. So that's sort of a lookup table. And then it maps everything else in the RAM. So whenever it gets a frame, I mean on every single frame it gets, it will check the contents of that frame against the whole emulation data. If it finds data that can be used for that SID, for that frame, then it will provide the emulation data. If it does not, it will just forward the request straight through. So the dongle, the insurance dongle, really doesn't know if there's anything in between. It's getting all the stuff. And yeah, it's stored using timestamps, to keep stuff real. It will only change the data when it actually changes, to keep the emulation... yeah, what a genius. So the thing is that, to reduce the size of the emulation files, it will only log the changes, using the timestamp. Yeah, when there's nothing left, then it just starts over.

So, yeah. Now we'll do the demo. So yeah, let's do the demo now. Hopefully... So we'll be having a workshop. Unfortunately it's already sold out, sort of. But we're gonna release all the code and schematics on GitHub; they're GPL.
You're also welcome to go hack the stuff. It doesn't have that many dependencies, and if you're an embedded coder anyway, it will be really easy to get set up for you.

So yeah, our fancy Windows XP machine doesn't want to work, because why not? So let's show something else instead. We hope you guys will like it. So how much time do we have left? Okay, we have something. So, are we connected to the CanBadger? Yeah, let's actually... So that's the CanBadger USB interface. So right now we have a Bosch EDC17 ECU connected. It's from a Volkswagen Passat. So let's have some fun with it, just to quickly show you how it works.

So yeah, let's start that session. So you tell it your own ID, you tell it the ECU ID. So yeah, we got a UDS session established. So then you say, okay, I wanna read memory, because I just want dumps. So yeah, let's try to read memory. You tell it the offset, you tell it I wanna read FF bytes. Oops. We got an error: service not supported in the active session. Okay, so let's see. Yeah, I don't really know what sessions are there. So let's scan for session types. There we go. So we have different session types that can be initialized. One and three are standard, 40 and 4F are not. Yeah, I'll cheat a little bit because I already know it's 4F, okay? So let's try 4F. So let's switch to a custom one. Let's go for 4F. So it's established correctly. Okay, let's try to read again. So yeah, read, the same thing. Yeah, sure. And FF. So damn it, now security access required. Okay, so yeah. Again, we already reversed that ECU. We already have security access. So let's cheat again. Okay, so yeah... oh, that was... well, it worked. Awesome. So yeah, level three. So yeah, security access granted. Okay, let's see if it's true. Let's try again. So ReadMemoryByAddress. Let's try blah, blah, blah. And let's try FF. Yeah, so this time it worked. And we got a lot of fancy ASCII stuff. So that's sort of the way the CanBadger works.
Like, you can interactively try stuff. You don't need to script. You can be like, okay, let's see if this works. It doesn't. Okay, let's try something else. So it speeds things up a lot. And yeah, so, quickly, because we need to get out already. Blah, blah, blah. So yeah, as I mentioned earlier, code and schematics are GPL and will be published on GitHub. Give us one or two weeks to clean it up a little bit. But we're gonna tweet about it as well, so you might want to get our Twitter handles.

So yeah, we are very thankful for you having us here. Also we'd like to thank Code White, which has given us a lot of support and trust. Time, especially. And of course our family and friends, who've been supporting us all the way. Even if we run out of coffee. Yeah, thanks to everyone for being here today with us. And I hope everyone enjoys DEF CON.
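The UDS exchange and the session-scan / security-access flow described in the talk, as an added example written for this page (not code from the CanBadger firmware or from the speakers). It models one tester and one fake ECU in Python: ISO 15765-2 single/first/consecutive framing, DiagnosticSessionControl (0x10), SecurityAccess (0x27) and ReadMemoryByAddress (0x23), and the two negative responses seen in the live demo, 0x7F serviceNotSupportedInActiveSession and 0x33 securityAccessDenied. The accepted session IDs, the session and security level that gate the memory read, the ECU's seed and the XOR seed-to-key function are all constructed assumptions; a real EDC17 uses a vendor-specific algorithm, and the TP 2.0 channel setup is not modelled.

```python
"""Simulated UDS-over-ISO-TP diagnostic session (added example, not CanBadger code).

Constructed assumptions, not taken from the talk: the ECU accepts sessions
0x01, 0x03 and 0x4F; ReadMemoryByAddress needs session 0x4F plus security
level 3; the seed/key algorithm is a toy XOR placeholder.
"""
from __future__ import annotations
from dataclasses import dataclass

SESSION_CTRL, SECURITY_ACCESS, READ_MEM = 0x10, 0x27, 0x23
# Negative response codes (ISO 14229 values)
NRC_SERVICE_NOT_SUPPORTED = 0x11
NRC_SUBFUNC_NOT_SUPPORTED = 0x12
NRC_SECURITY_ACCESS_DENIED = 0x33
NRC_INVALID_KEY = 0x35
NRC_NOT_SUPPORTED_IN_ACTIVE_SESSION = 0x7F


def isotp_segment(payload: bytes) -> list[bytes]:
    """Split a UDS payload into ISO 15765-2 frames: SF (0x0L) or FF (0x1LLL) + CFs (0x2N)."""
    if len(payload) <= 7:
        return [bytes([len(payload)]) + payload]
    frames = [bytes([0x10 | (len(payload) >> 8), len(payload) & 0xFF]) + payload[:6]]
    rest, seq = payload[6:], 1
    while rest:
        frames.append(bytes([0x20 | (seq & 0x0F)]) + rest[:7])
        rest, seq = rest[7:], seq + 1
    return frames


def isotp_reassemble(frames: list[bytes]) -> bytes:
    """Rebuild the payload from SF/FF/CF frames (flow-control frames omitted for brevity)."""
    first = frames[0]
    if first[0] >> 4 == 0:
        return first[1:1 + (first[0] & 0x0F)]
    length = ((first[0] & 0x0F) << 8) | first[1]
    data = bytearray(first[2:])
    for frame in frames[1:]:
        data += frame[1:]
    return bytes(data[:length])


def toy_key(seed: bytes) -> bytes:
    """Hypothetical seed-to-key function; real ECUs use vendor-specific algorithms."""
    return bytes(b ^ 0xA5 for b in seed)


@dataclass
class FakeECU:
    """Minimal ECU model: default session, locked, fixed seed (constructed sample data)."""
    memory: bytes = b"BOSCH EDC17 FAKE DUMP " * 4
    session: int = 0x01
    unlocked: bool = False
    seed: bytes = b"\x12\x34"

    def handle(self, req: bytes) -> bytes:
        sid = req[0]
        sub = req[1] if len(req) > 1 else 0

        def neg(nrc: int) -> bytes:
            return bytes([0x7F, sid, nrc])

        if sid == SESSION_CTRL:
            if sub not in (0x01, 0x03, 0x4F):
                return neg(NRC_SUBFUNC_NOT_SUPPORTED)
            self.session, self.unlocked = sub, False   # a session switch re-locks
            return bytes([0x50, sub])
        if sid == SECURITY_ACCESS:
            if sub == 0x05:                               # requestSeed, level 3
                return bytes([0x67, 0x05]) + self.seed
            if sub == 0x06 and req[2:] == toy_key(self.seed):
                self.unlocked = True
                return bytes([0x67, 0x06])
            return neg(NRC_INVALID_KEY)
        if sid == READ_MEM:
            if self.session != 0x4F:
                return neg(NRC_NOT_SUPPORTED_IN_ACTIVE_SESSION)
            if not self.unlocked:
                return neg(NRC_SECURITY_ACCESS_DENIED)
            addr = int.from_bytes(req[2:6], "big")        # ALFID 0x14: 4-byte addr, 1-byte size
            size = req[6]
            return bytes([0x63]) + self.memory[addr:addr + size]
        return neg(NRC_SERVICE_NOT_SUPPORTED)


def exchange(ecu: FakeECU, req: bytes) -> bytes:
    """Tester side: segment the request, let the ECU answer, reassemble the reply."""
    resp = ecu.handle(isotp_reassemble(isotp_segment(req)))
    return isotp_reassemble(isotp_segment(resp))


def scan_sessions(ecu: FakeECU) -> list[int]:
    """Like the CanBadger session scanner: try every DiagnosticSessionControl sub-function."""
    return [s for s in range(0x01, 0x80)
            if exchange(ecu, bytes([SESSION_CTRL, s]))[0] == 0x50]


def walkthrough(ecu: FakeECU) -> dict:
    """Replays the live demo: the read fails twice, then works after session 0x4F + unlock."""
    read = bytes([READ_MEM, 0x14]) + (0).to_bytes(4, "big") + bytes([0x20])
    out = {"in_default": exchange(ecu, read)}           # 7F 23 7F
    out["sessions"] = scan_sessions(ecu)                 # [0x01, 0x03, 0x4F]
    exchange(ecu, bytes([SESSION_CTRL, 0x4F]))
    out["before_unlock"] = exchange(ecu, read)          # 7F 23 33
    seed = exchange(ecu, bytes([SECURITY_ACCESS, 0x05]))[2:]
    out["unlock"] = exchange(ecu, bytes([SECURITY_ACCESS, 0x06]) + toy_key(seed))
    out["dump"] = exchange(ecu, read)                   # 63 + 32 bytes, multi-frame on the wire
    return out
```

Calling `walkthrough(FakeECU())` reproduces the demo's order of events; the 33-byte read response is the only multi-frame transfer, so it exercises the first/consecutive frame path. The flow-control frame (0x3x) a real ISO-TP peer sends after a first frame, and any timing, are left out; swapping `toy_key` for a real seed/key routine or feeding `handle` with frames captured from a bus is the natural next step.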