How are you, DEF CON? Okay. So, you know, you're looking at this, this is our presentation. We are speaking about car hacking, and later about how to do a forensic job on a car after a crash, after an accident, to retrieve the speed, the RPM, the brake position and this kind of thing. Okay. So, let's start. You know, the talk is called "Dude, what the fuck in my car?" I'm Alberto, he's Javier, Javi. Okay. I'm going to introduce him first of all. He's a hardware specialist. Okay. He loves breaking toys. Every time I meet with him, he's always with some wire and some stuff, with his hands very dark, completely dirty, you know, but dirty in the sense of the hands only. Okay. So, he's a freelancer. Okay. He's working alone. And he's from Cadiz. We are from Spain. Okay. This is important to understand the jokes and this kind of thing. Yeah, I know. Sometimes we have a different kind of jokes, but I think the Spanish jokes are cool. Anyway, I don't know if you have ever been in Spain, but he's from Cadiz. Cadiz is a city in the very south of Spain, just near Morocco, Marruecos, whatever. And that's him. Okay. And I'm this guy on the left, the youngest one. The other guy is my grandpa. Yeah. This is my second time here at DEF CON. Last year I was speaking here about other stuff. The thing is, thank you. The thing is, I don't want to introduce myself like the typical times, like, oh, I'm doing this shit or whatever. So, the thing is that I'm going to use a video from last year. Yeah. It's a piece of the talk from last year here at DEF CON. So, I think it will be enough to introduce myself. You see, I'm just very lazy. I just reuse the slides. And I'm from Valladolid. Valladolid is a city 200 kilometers north of Madrid. And I'm 24 years old. I'm single. If anyone wants to, okay. No, I'm not like girls. Sorry. Okay. The thing is that I'm 25 years old right now, but all the rest is the same. Okay. So, only girls, please. Okay. Let's go.
Okay. Like I told you at the beginning, we are speaking about hacking the car, hacking the ECU. The ECU is like the brain of the car. There are different brains around the car, but we are trying to get control, to interact with this ECU. The main ones are the ECUs where the configuration of the car is stored. Okay. So, this is the first part. This is going to be the first part of the talk. And then, like I told you, we are going to do the forensic job. Okay. So, we can know what happened in an accident, and if someone is guilty or not, or whatever. Yeah. So, for now, I'm going to give the mic to my friend, my partner. And he's going to start.

Okay. So, as Alberto said, I'm Javier. I'm from Cadiz. And all the rest of the stuff I'm not going to tell again. So, why did this happen? The car hacking thing. Well, I had a friend. I used to do this chip tuning stuff with my laptop, like everyone does. And he kept on bugging me, you know. Like, now I want a factory, now I want a chip. So, I said, man, I'll fucking make a piece of hardware, so you, you know, just stop bugging me. So, that's how it all started. You know, I just wanted him not to keep on calling me. So, well, at first, of course, I used Google, you know. I tried the easy way, but it didn't work that well. So, I needed a plan. So, I had to sort it out. At first, I needed some information. Of course, I needed to see how a car did work. So, I realized that there were different electronic control units, and they were all networked on the same bus. So, they were addressable. They had some security. I didn't really know that much. I will explain in a while. And I knew that data was stored in them. That's the so-called chip tuning, for example, but there's other interesting data as well. There are some communication protocols. Here we have the most widespread. These are not the only ones, but they are the most common, especially CAN bus. It's the most recent one. And it's the one that's been here.
So, here are the differences. And, well, one of the most important things when I started with this thing was the price. You know, when I was going to develop the tool, it was for my friend. I wanted a chip, so K-Line was like $10 cheaper. I am that cheap. I just went for the $10 interface. K-Line. Why did I choose it? Well, as I said, it is cheaper. It is just one IC; for CAN bus we need two ICs. And, you know, ECUs that work with K-Line are older. They're cheaper. It's all about money after all. Yeah, it's not much. You know, it's like $10, $8, but that's something. Then the question, if it's different, is it easy to implement? Well, actually, the difference between K-Line and CAN bus is just a protocol layer. So, it's layer one and layer two. All the encryption, all the communication is the same. So, if we wanted to move from K-Line to CAN bus, it would take no time. It would be quite easy. Just changing the hardware and changing how the packets are structured. CAN bus works on SPI, but not really a big deal. So, now, at first, what did we know about the ECUs before? We knew that they were expensive. And usually, that they are inside cars. You know, I haven't yet seen one, like, walking down there or spotting the wire, you know, as I say. So, then, once I decided to start with it, I had two options. One was to do some research and navigate through the technical information. Or we could just hook up the logic analyzer. We decided to go 50-50, you know, just not to make it too boring or too interesting either way. So, that's what we found. After a little bit of research: they are responsible for the engine management, engine ECUs, not all ECUs. We have ABS ECUs. We have even lock ECUs, which are called comfort. We have many others, but this is just the engine ones. They store engine faults, of course. They hold immobilizer routines as well. And they contain firmware that determines the way the car behaves.
So the target hardware, which is the ECU itself, the physical thing, is composed of internal and external flash. Internal flash is most of the time OTP. It's not accessible normally from the outside. It has internal EEPROM, and external EEPROM most of the time as well. And, you know, it's in black rubber; it's like something where, when you try to open it, it's stuck. You need to hit it. It sucks. You have to deal with it anyway. So, as I said, we attached the logic analyzer. And we saw this stuff. This is exactly from an EDC 15, which is like the first generation, so to say; somehow, they are all the generations. But this one is the first one of the ones we will be talking about. We can see some parts. The first part is the wake-up pattern. It's just the address for the control module, which is 01, sent at 5 baud. That's it. Then we negotiate the speed, which is just to request the speeds that are supported by the device. Then we change the speed to higher ones, because you start at 3,400 baud. You do the authentication. You set the address you want to read. Actually, you write first on EDC 15: you have to send a loader. On 16, you don't have to do that. I'll talk about that later as well. And the fourth part we can see here is just sending the loader plus operations. So, of course, I was ignorant about that. I just said, man, this is easy. I just replayed it. It didn't work. It wasn't that easy. So, after some dumps, after some research, what did I find? Well, actually, we just noticed that there was an authentication that was not static. That's why the replay attack didn't work. So, it's called a seed key algorithm. What is it? It's just a challenge. You know, the ECU acts as a server. So, you just request authorization. The ECU will send you a seed. You will have to do some stupid maths. You will send the result. That's called the key. And there you go. That's it. It has checksums, of course, to check the integrity of the data that you are uploading.
When you want to mod it, if you download it, it already has the checksum in it. So, you don't need to really check anything. And on EDC 15, it requires a loader, as I was saying. Yes, for the operations, it's usually in assembler. And it lets you access the EEPROM, access the flash, you know, internal flash. On EDC 16, we have this seed key algorithm as well. But it's not like on EDC 15. There, it is just one level. Because you just write, send the loader. And then you do the operations with that loader. Here, we have level three to read, which is a pretty easy seed key challenge. It's just adding a number. And we have level two, which is for EEPROM operations. And we have level one, which is to write the flash of the device, which is a little bit more complex. But it's quite like EDC 15. They didn't change it at all. You know, just small things. We have RSA encryption. When you want to download from EDC 16, it's plain. You know, it's just a binary. You can put it into IDA or your favorite tool. No problem. It's easy. But when you want to upload it, of course, you need to have the checksums like you did earlier. But it needs to be RSA encrypted in two blocks of 256 kilobytes in this case. Well, actually, whatever you want to upload, it must always be encrypted in blocks of 256 kilobytes. Well, how did we do it? My wife helped me just a little bit. Just a nice one. Now, why is this interesting? Well, you know, I think we all want to save a few bucks. So if you mod your car to have more mileage per gallon, that's good. As well, the difference between most cars, you know, like, for example, my own car is a SEAT Ibiza. I have the CUPRA one, which is 167 horsepower. I just modded it. Now it's 210 horsepower. That's easy. It's free. You know. That's good. Of course, it's cool to tweak with a car. You know, it's like, man, it's a fucking huge suspensive. I'm just hacking it. That's cool. So it's just 26 bucks to do that. So what does the ECU tool code look like?
Well, at first I started with EDC 15, which was the ECU in my car and in my friend's car. So I developed the whole thing. It was 1,800 lines of code for Arduino, which you see. Then I wanted to start reversing it for EDC 16 as well. So I just had to start from scratch as well. So I got two different binaries, one for EDC 16, which is almost the same number of lines, even though the procedures are different. Well, that's the first point. I am using an ATmega328P, an Arduino Uno, so to say. So I had to be really careful when coding it due to the limitations of the MCU itself. And we're actually working now on externalizing. For example, I coded these loaders in the firmware, but we thought that it would be better to externalize them into binaries so we could load them. And by making it with modules, you know, the procedures, we can make a universal firmware. So we don't need to be updating it every time we want to add support for new ECUs. And that's what we are working on now. This is how a Bosch EDC 15 board looks. As I said, it has an EEPROM. In this case, it's external. It has the MCU. And it has the external flash. This is a little bit of code from the EDC 15 authentication, the seed key. The algorithm is static, but then, for example, here, I have an EDC 15P. This has one set of keys, so to say, even though the algorithm is the same for all the EDC 15 family. If we get an EDC 15V, then the keys change. And the VM keys are different. So we would need to extract the keys for every single ECU. But that's not a hard task. It can be done with brute forcing and some power tricks, so to say. Because it stores the number of times you have done a wrong login, but you can glitch it just to forget about it all. As if it got drunk, you know, it's the same. Now, this is the board for a Bosch EDC 16. In this case, the EEPROM is internal. But there are other variants which have an external EEPROM. There's the MCU, the internal flash, where the seed key algorithm is stored. Interesting. We have the external flash.
And we have a JTAG port, which is called BDM, bench diagnostics mode. But it's just a JTAG. Here we have part of the code for the level one authentication for EDC 16 as well. Well, just like it happens on EDC 15, for example, we have an EDC CP34. It's a different model. It's still EDC 16. The algorithm will be the same. The key will be different. Still, the brute force method that works on EDC 15 works on EDC 16. So we can do it exactly the same way to dump the keys from it. This is the level three authentication. That's, as I said, it's just, you know, the ECU sends you a challenge. You just add, I don't remember what number it is, 2FC9X. You just add that number to whatever is sent and you've got it. That's how much they brainstormed for this. And here we can see an example of RSA encryption in EDC 16. In the first part, the top is the binary. So I just pointed out this red square so we can see the data we're working on in this one. In part two, you can see a readout. The data is the same. So you can just retrieve the data, plain. It has no encryption. It has nothing. Then part three is the write out. When you're writing this data down here, even though it's completely different, it's the same. It's just encrypted. So that's how it looks. You know, it looks different. How did we handle it? RSA encryption in the tool. Well, ASM instructions, you know, we were that lazy. We didn't really want to. You will see it. It takes approximately 10 seconds to encode 512 kilobytes, which is the map for chip tuning. That's the size. And we do it before the ECU init, because it takes 10 seconds and that would cause a timeout in the communication with the ECU if we first checked if it's there. And we cannot afford to lose communication due to the speed. And of course the checksum is calculated at the same time. We are reading the source file. The checksum is calculated for the non-encrypted file, not for the encrypted one. So we do both things at the same time, encryption and checksum.
This is a small part. It was like four pages. So I was showing the first one for the EDC 16 encryption algorithm. So we can see that's the kind of operations. Yeah. Like he told you, his wife helped him to do that. So that's, you know, his wife. He's a bitch. He's with everyone. So this is just assembler. Well, this is not a new concept, chip tuning. You know, you can get tools for that. These are the prices. I can't say if that is expensive. I don't know about you. So this is what our tool costs. It's a little bit cheaper. Thanks. And this is how it looks. It's really fancy. It has moustaches. And it's portable. You don't need a laptop at all. It doesn't work, so don't worry. And well, you know, I will be releasing the code soon. So this is open source. You can do whatever you want with it. So you're paying 26 bucks for a device that you will be able to tweak. So I think it's better than paying like $5,000 for a closed tool. These are the features of our tool. It is not locked to a single vehicle. There are some other standalone tools out there that require no computer, but you're paying like $1,000 to be able to use it on your own car. I don't believe in that. It doesn't store encrypted files. I don't want you to need to use my tool. You can use whatever you want. Just download it with my tool or download it with any other tool. It does not use a master-slave role, which is pretty much the encrypted files thing. And as I said, open source, so you can just add support for whatever you want. Any other models, diagnostics. There will be some cool stuff coming. This is the lower interface side. We can see the Arduino Pro Mini that is on the left, middle. On the bottom is the level shifter. Sorry. Yeah. This is just a voltage regulator, 7805, to get the five volts out of the 12. And this is an SD card, really. The top, you know, it's just an LCD, I2C, and the buttons. I think you can see it's homemade. And this is a very cute Eagle interface board.
It's just the same hardware. This part is an RJ45 connector, so you can get an idea of how tiny it is. And it has FTDI already embedded in it, so you can update it or whatever, you know, straight off. The thing is, that is homemade, okay? The thing that you saw before, this is homemade. If you want to do it better with this board, it's much smaller than this, okay? This is just a case to hold all the things that he told you, okay? But these things maybe just, maybe... Take a hand. A quarter of the size of this. Yeah, so it's smaller. And the thing about the smaller size is interesting because we are speaking later about what evil things we can do with this thing, okay? So that's not smart, okay. We're so evil. So here's an example, how to make it wireless. This is just the same thing. What we did is the serial console, we just ported it to, you know, we added Bluetooth. It's just $1. And we can control it with our Android phone. So it's wireless. And it's cheap. Now, some samples of this. Like I was saying, we can mod it to have more miles per gallon. How to bypass the immobilizer on EDC 15? It's just a patch in the EEPROM. It's just two bytes. You just invert them and you have no more. The loader is embedded for reading and writing the EEPROM. So it's just, you know, quite easy in the menus. You just click on a button and it's done. And of course, you can later enable it. Well, disabling a car is fun. You connect the tool, you start to write to it. And when it's in the middle of the writing process, you pull the cable. So it's fucked up. No checksum, no anything. You know, you've got an expensive piece of metal. But later on, you can still recover it. Not everything is lost. There are recovery procedures for it. Via the diagnostic port, you don't need to pull the ECU out of the car. And it will eventually work again. But it's funny for a joke. Yeah, it's funny. Yeah. You know, to see a friend when he finds out his car is not working.
Yeah, it's so funny. And a sample of evil uses. Well, you know, we can add any interface, 3G, we can add Wi-Fi, we can add Bluetooth as we saw with the phone. And, well, we can disable a car. We could, eventually (it is not yet implemented, that is completely different), control a car with this device as well, with other firmware. We could disable or start modules, functions, like turn on the air conditioner and make whoever get a really bad cold, you know. He wouldn't be able to disable it. It would be terrible. But now we're going to do a demo on the EDC 16. It will be on the console, but we will be able to see the process. Well, I'm going to show, because you cannot see it from there, but I'm going to explain what we have here. We have an EDC 16 ECU here connected. We have an Arduino Mega 2560. And we have a normal OBD diagnostics cable. So what did I do here? I just wired up the level shifter from the diagnostics to the Arduino, and then this level shifter to the ECU. So we are going to be sending commands from the Arduino to read the information, to read the flash, and to write the, well, we're actually going to kill the ECU. We're going to revive it again, and we're going to read the info after that. And so let's get to it. Okay, so let's see if it works. We're going to read the info first. We can see that's fast. It doesn't take too much time. Here we have the information, the software version, the engine. This is for a Volkswagen Passat. It is not connected to a chassis, but as I said, information is all around the K-line bus. So we could get the chassis number, the VIN number. And this is the software date. So now we're going to read the external flash. It will take a while. So, meanwhile, what can I say about this? It's just so fancy. I like the flashing here, you know. It's a pity you cannot see it flashing. Well, actually, when I was reversing the protocol, I noticed that there were huge time gaps. You know, this is based on packets.
So each packet is formed of bytes, of course. Between each byte, there was a huge time. I don't know how to explain it. A delay, you know, that after some testing, I realized that it wasn't necessary. So I sped it up. We changed the protocol. We made it faster. It works approximately 25% faster than original tools on EDC 16. And it works like 400 percent faster on EDC 15. So they didn't really brainstorm too much about that anyway. I will not show the dump at this time because we are running low on time. So now we're going to kill the ECU. Now it's processing the RSA. You have to believe that. Okay. But we are going to show the logic analyzer after that. Okay. A capture of the logic analyzer. Yeah. We will show now the logic analyzer capture so you can see what's going on. So we've got to be faster now. So what we are going to do to kill it, since we have no cable to pull, we're just going to start writing. We're going to send just one packet of data. Then we are going to stop communicating with the ECU. So now it's deactivated. I need to power cycle it once again. So now we're going to try to read the information. Of course, since it's disabled, it won't be replying. So we got no response. It's disabled. It's just a piece of junk right now. But now we're going to make it work again. Yeah, it should be fast. Yes, these things are so slow. You know, it's an 8-bit processor with two kilobytes of RAM. It takes a while. No. Actually, to revive it, since we screwed up the flash, you know, we were starting to write. We erased the whole flash. It was blank. We started to write. So the checksums weren't correct. Now to fix it, we need to write the whole flash again. We are writing what we read out the first time. So now, as I said, RSA encryption here is divided in blocks of 256 kilobytes. The full flash is 512 kilobytes. So we will be writing two blocks. This is the first block. Now we're starting with the second block.
Since we are running out of time, we will go on now with the forensic thing. If there's enough time, we will show the logic analyzer. It will be fast. Just showing the, or maybe while it's writing, we can just show, okay, I'll show the, this is the seed key. Okay, we will, these packets, this is a sample: 82 is the address, the target address, 10 is the source address, F1 is a request. Now, 27 means we want to have security access. We are sending this packet. Now, this is the level, 01, which is to write. So the ECU will reply. With 67, 01 means okay, I will send you the challenge. So here we have, for example, 86, 58, 80, 60. That will be the seed for the challenge. Now, we will process this. And we should send 27, 02; we must add one to the security level we requested. And these are just four bytes, these ones here. And then if we succeed, it will reply with 67. If we fail, it will reply 7F, which means denied. And when writing, we can see this is a huge block here. Then we stop. We erase the second block, we write the second block, and then we are done. That's the writing process. So one second, I need to power cycle it. We are going to read the info again to see it works. So again, it's alive after killing it. It reads the info. So now it works. No, it's not connected. It's not connected, so you didn't see the joke. Windows. It was a joke. Okay, yeah. Spanish, you know. Anyway.

So I have only like 10 minutes, so I'm going to go fast. Yeah, what happened in the accident? What the police usually do is just, you know, look at the marks on the road when the accident happens and look at the deformation of the car and this kind of thing to know what the speed was and the things that happened. But the IT guys, we have a really cooler way to get all the data and to know exactly all the parameters of the accident. So let's go see what happened. In all the cars, in our cars, we have like a black box, just the same as in a plane.
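The security-access packets read off the logic analyzer in the demo above follow the KWP2000 (ISO 14230) framing. The following decoder is an added example written for this transcript; it is not the speakers' Arduino tool code. It parses a captured K-line exchange, verifies the frame checksums, and reports the seed, the key bytes that were sent back, and whether the ECU granted or denied access. The framing, the 0x27/0x67/0x7F service bytes and the negative-response codes come from ISO 14230-3; the capture bytes are constructed after the one shown in the talk, and the four key bytes are a placeholder, not the result of any seed-key algorithm.

```python
"""Decoder for a KWP2000 (ISO 14230) SecurityAccess exchange captured on K-line.

Added example; not the tool from the talk. Frame layout per ISO 14230:
    [fmt = 0x80 | length] [target] [source] [service, data...] [checksum]
where checksum = sum of all preceding bytes modulo 256.
Positive response = service + 0x40 (0x27 -> 0x67); negative = 0x7F, service, NRC.
"""
from dataclasses import dataclass
from typing import List, Optional

SECURITY_ACCESS = 0x27
NEGATIVE_RESPONSE = 0x7F
# Negative response codes defined by ISO 14230-3 for SecurityAccess.
NRC_NAMES = {
    0x35: "invalidKey",
    0x36: "exceededNumberOfAttempts",      # the ECU's wrong-login counter hit its limit
    0x37: "requiredTimeDelayNotExpired",   # lockout delay after failed attempts
}


@dataclass
class Frame:
    target: int
    source: int
    payload: bytes  # service byte followed by its data


def build_frame(target: int, source: int, payload: bytes) -> bytes:
    """Assemble an addressed KWP2000 frame with its checksum (used to construct the sample)."""
    if not 1 <= len(payload) <= 63:
        raise ValueError("payload length must fit the 6-bit length field")
    body = bytes([0x80 | len(payload), target, source]) + payload
    return body + bytes([sum(body) & 0xFF])


def parse_frame(raw: bytes) -> Frame:
    """Validate format byte, length field and checksum; raise ValueError otherwise."""
    if len(raw) < 5:
        raise ValueError("frame too short")
    if (raw[0] & 0xC0) != 0x80:
        raise ValueError("not an addressed KWP2000 frame")
    length = raw[0] & 0x3F
    if len(raw) != length + 4:
        raise ValueError("length field does not match frame size")
    if (sum(raw[:-1]) & 0xFF) != raw[-1]:
        raise ValueError("checksum mismatch")
    return Frame(raw[1], raw[2], bytes(raw[3:-1]))


def frame_is_valid(raw: bytes) -> bool:
    try:
        parse_frame(raw)
        return True
    except ValueError:
        return False


@dataclass
class SecurityAccessResult:
    level: Optional[int] = None
    seed: Optional[bytes] = None
    key: Optional[bytes] = None
    outcome: str = "incomplete"   # "granted", "denied:<reason>" or "incomplete"


def decode_exchange(frames: List[bytes]) -> SecurityAccessResult:
    """Walk the captured frames in order and reconstruct the SecurityAccess state."""
    result = SecurityAccessResult()
    for raw in frames:
        payload = parse_frame(raw).payload
        sid, data = payload[0], payload[1:]
        if not data:
            continue
        if sid == SECURITY_ACCESS:
            if data[0] % 2 == 1:              # odd sub-function: requestSeed
                result.level = data[0]
            else:                             # even sub-function: sendKey
                result.key = bytes(data[1:])
        elif sid == SECURITY_ACCESS + 0x40:   # 0x67: positive response
            if data[0] % 2 == 1:
                result.seed = bytes(data[1:])
            else:
                result.outcome = "granted"
        elif sid == NEGATIVE_RESPONSE and data[0] == SECURITY_ACCESS:
            nrc = data[1] if len(data) > 1 else 0
            result.outcome = "denied:" + NRC_NAMES.get(nrc, f"nrc_{nrc:02X}")
    return result


# Constructed sample capture, following the exchange shown in the talk.
TESTER, ECU = 0xF1, 0x10
SEED = bytes([0x86, 0x58, 0x80, 0x60])
KEY_PLACEHOLDER = bytes([0x00, 0x00, 0x00, 0x00])   # placeholder, not a computed key
GRANTED_CAPTURE = [
    build_frame(ECU, TESTER, bytes([0x27, 0x01])),            # 82 10 F1 27 01 cs
    build_frame(TESTER, ECU, bytes([0x67, 0x01]) + SEED),     # seed reply
    build_frame(ECU, TESTER, bytes([0x27, 0x02]) + KEY_PLACEHOLDER),
    build_frame(TESTER, ECU, bytes([0x67, 0x02])),            # access granted
]
DENIED_CAPTURE = GRANTED_CAPTURE[:3] + [
    build_frame(TESTER, ECU, bytes([0x7F, 0x27, 0x35])),      # invalidKey
]

if __name__ == "__main__":
    for name, capture in (("granted", GRANTED_CAPTURE), ("denied", DENIED_CAPTURE)):
        print(name, decode_exchange(capture))
```

Run against a real capture, the same decoder is what you would use to check an ECU's lockout behaviour from the defensive side: a stream of `27 01` requests answered by `7F 27 36` or `7F 27 37` is the wrong-login counter doing its job, and its absence after repeated `invalidKey` replies is exactly the weakness the talk describes.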
The only difference is that it doesn't record the sound. So don't worry if you speak dirty things or whatever. So this is not a source, okay? So it stores information before and after the crash. It is very interesting because even after the crash, there is a memory that stores information. So we could know, we could have more information about the accident itself. So that information, like I told you in the beginning, is related to the speed, because it's the most important, the RPM, brake use, ABS activity, and it depends on the brand, okay? On the brand that has made the ECU. But there is a lot of information that is stored in the ECU. Usually this information is stored in the airbag ECU, okay? Most of the time. So we have to take this part of the car; the airbag ECU is similar, it's a little bit smaller than the engine ECU. And the info is stored in the EEPROM memory. The EEPROM is non-volatile, not volatile, yeah? And so we can access the data after the crash, okay? It's great for that. There is costly hardware and software out there that you can use. But the thing is, this talk is about how to make a thing that costs only 25 bucks instead of thousands of dollars. And in that case, even the tools used to get information are more expensive than the ones to modify the ECUs. So the cool thing is that we did something for the poor people. So, yeah (we are speaking all the time, about five minutes, okay). We are speaking all the time about the Bosch ECUs, okay? So there are three different ways to extract information from an ECU after a crash. In that case, from the airbag ECU. The first of all is connecting to the OBD. There is an option to connect to the OBD. The OBD is the port that is behind the wheel in the car and we can just access the information. Not all the time because, you know, in some crashes, the car is completely fucked. So, what? So the connection is lost and we can't retrieve the information, okay?
So the other most common way is just to connect directly to the ECU, okay? And get the information. But for that, we need an authentication, okay? We need a kind of authentication. Maybe it's not a strong authentication, but anyway, it's an authentication. And finally, we have the fancy way, the cool way, I think, which is reading the EEPROM memory directly, okay? I've said that all the information is just in the EEPROM, so we can read it, okay? Yes. It's more hardware stuff than software stuff. I'm a software guy, okay? For me, maybe it's more difficult, but for this kind of people like him, it's like eating a cream, an ice cream. Okay, this is the first one. This is the OBD port behind the wheel. So this is the first way. This is the other way, which is connecting directly to the airbag ECU to get the information. And the last one is, this is an EEPROM memory. This is the size of the EEPROM. You see it on the finger. So it's very small, but we can do it. We can do it. So this is the hardware I told you about before. Hardware and software, okay? The hardware is like no hardware because it doesn't do almost anything. But anyway, this is the really important part of this kit. The premium tool hardware kit costs almost $9,000. Yeah. I'm not going to pay for that. So what about the poor guys? What about people like me that have just finished school and university and this kind of thing and we don't have money? The software, which for me, I think, is the important part, you can access for free, okay? It's free software. So the code for parsing the data is the most important, because we can retrieve the information from the EEPROM, but we have to parse this information to know, okay, from byte 11 until byte 40 is the speed. And from byte whatever until byte whatever is whatever. Okay? So we have to parse it. So yeah, we can, I know, his wife is very well known and I slept with his wife once too. Sorry, man. Okay. And that's the thing.
In this tool, these are the models of the vehicles that are supported, okay? So there is a large list of vehicles, the brands of vehicles that are supported to do this. But do you miss something? Mercedes? Mercedes? Yeah, it's not in the list. So what happened? Once upon a time, a client contacted us to do a forensic job on a car and the car was a Mercedes. So we said one, maybe two. Okay, one. Okay, so we said what are we going to do? So what do we do? First of all, we read the EEPROM, okay? That's soldering. It's soldering. It's unsoldering the EEPROM memory to extract the information. Yeah. And then we retrieved all the information from the EEPROM, but we said, okay, we have the info, but we don't know how to parse this info. We don't know what parts of the binary, because it's a binary, we don't know what parts of the binary are really the speed, the RPM or whatever. So what we did is just to take one copy of this binary and make a bindiff. Okay? So we knew exactly what parts were modified after the crash. So at least it's a good point to start. Okay? So the next step was already filtered. The information, we only have the information. We only have the parts of the ECU. Okay, I'm going. It's one minute. A half. I think it's a... Okay. Yeah, we used WinOLS. It's software to print the graphics, to print the cartography. The difference between the graphics that are... increasing and decreasing. Okay? So what are you saying? The speed will be, in a crash, decreasing, right? If you crash, the speed is decreasing. So we found this. Okay? You can see, looking a lot, we found this graphic that matches, in our... gathered information, in our research. So we had... Anyway, so we are running out of time. We want to say thank you to you, like always to our family, to our friends, and all those who want to understand how and why things work. Thank you very much.
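The last part of the talk describes the forensic method in two steps: bindiff a pre-crash and a post-crash read of the airbag ECU's EEPROM to find the regions that changed, then look inside those regions for a series that decreases the way a speed trace does just before impact. The script below is an added example of that method written for this transcript; it is not the speakers' parser and it does not know any real Mercedes layout. Both dumps are constructed: a blank baseline and a post-crash copy in which a 16-byte region holds eight big-endian 16-bit samples and one counter byte has changed. Offsets, word width and the minimum run length are assumptions of the example.

```python
"""Locate crash-related changes in an airbag-ECU EEPROM dump.

Added example for the forensic part of the talk; not the speakers' tool.
Step 1: byte-wise diff of the baseline and post-crash dumps (the bindiff).
Step 2: inside each changed region, look for strictly decreasing runs of
        fixed-width words, the shape a speed trace has in the run-up to a crash.
All offsets, widths and sample values below are constructed for the example.
"""
from typing import Dict, List, Tuple


def diff_regions(before: bytes, after: bytes) -> List[Tuple[int, int]]:
    """Return half-open [start, end) byte ranges where the two dumps differ."""
    if len(before) != len(after):
        raise ValueError("dumps differ in size; they are not the same part")
    regions: List[Tuple[int, int]] = []
    start = None
    for i, (a, b) in enumerate(zip(before, after)):
        if a != b and start is None:
            start = i                      # entering a changed region
        elif a == b and start is not None:
            regions.append((start, i))     # leaving it
            start = None
    if start is not None:
        regions.append((start, len(before)))
    return regions


def find_decreasing_runs(data: bytes, start: int, end: int, width: int = 2,
                         min_len: int = 5, byteorder: str = "big") -> List[Tuple[int, List[int]]]:
    """Strictly decreasing sequences of `width`-byte words inside [start, end).

    The scan tries every byte offset so an unknown alignment is not a problem;
    after a run is found the scan resumes past it so overlapping copies of the
    same series are not reported again.
    """
    runs: List[Tuple[int, List[int]]] = []
    pos = start
    while pos + width * min_len <= end:
        values = [int.from_bytes(data[pos:pos + width], byteorder)]
        nxt = pos + width
        while nxt + width <= end:
            v = int.from_bytes(data[nxt:nxt + width], byteorder)
            if v >= values[-1]:
                break
            values.append(v)
            nxt += width
        if len(values) >= min_len:
            runs.append((pos, values))
            pos = nxt
        else:
            pos += 1
    return runs


def analyse(before: bytes, after: bytes) -> List[Dict]:
    """Combine both steps: changed regions, each with its candidate speed traces."""
    report = []
    for s, e in diff_regions(before, after):
        report.append({
            "region": (s, e),
            "size": e - s,
            "decreasing_runs": find_decreasing_runs(after, s, e),
        })
    return report


# Constructed dumps (256-byte part, assumed), not data from a real ECU.
SIZE = 256
BASELINE = bytearray([0xFF]) * SIZE        # blank, unprogrammed EEPROM
BASELINE[0xC0] = 0x00                      # constructed crash-event counter
POST_CRASH = bytearray(BASELINE)
SPEED_TRACE = [120, 118, 110, 95, 70, 40, 15, 0]   # constructed km/h samples before impact
POST_CRASH[0x40:0x50] = b"".join(v.to_bytes(2, "big") for v in SPEED_TRACE)
POST_CRASH[0xC0] = 0x01                    # counter incremented by the crash

if __name__ == "__main__":
    for entry in analyse(bytes(BASELINE), bytes(POST_CRASH)):
        s, e = entry["region"]
        print(f"changed 0x{s:04X}-0x{e:04X} ({entry['size']} bytes)")
        for offset, values in entry["decreasing_runs"]:
            print(f"  candidate trace at 0x{offset:04X}: {values}")
```

On a real job the baseline would be a dump from an identical, uncrashed unit or a read taken before the event, and a candidate run would be plotted against the other changed regions (RPM, brake state) to see whether they tell a consistent story; a decreasing run on its own is only a lead, which is why the talk treats the bindiff as "a good point to start" rather than the answer.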