 Hey, I'm Eric Gershman, and I'm going to be talking about defeating the Chevy Stable track for track time fun. This is a bit about me. It's some of my contact info. You can find me at Eric Gershman on Twitter, Eric at EricGershman.com on my email, and Hexis on Discord. So I started out in IT as a systems administrator, and I quickly made my way into Infosec. During that time, I was hacking most of my career on the side, or either for work, and I've been a pentester for the last five years. I learned how to wrench in college, how to work in cars in college, because I just couldn't afford to get my oil changed. I had to do my oil changes myself, and that quickly led to changing my brakes. And then finally, at one point, I got a 93 Miata, and I changed my clutch on the Miata, and that was the largest car project that I've ever done. This photo here is from the car hacking village from Defcon 24 in 2016. It was the first time I went to the car hacking village. I came up to this car setup that was designed so that people could interact with it and find sensors. I looked inside, and everyone had picked over the interior, gone to all the sensors, and so I decided to look under the bumper, and was quickly stopped by the car hacking village staff, because they didn't want me to start removing body panels to get to sensors. I just wanted us to really look at the interior. I feel like I've come a really long way since then, and I just wanted to say to them excited about contributing back to the car hacking village after experiencing it over the past several Defcons. A quick disclaimer, the electronic stability control, which is what Stabilitrac is. Each manufacturer uses their own trademark name for their electronic stability control. Reduces the likelihood of crashes by up to 43% according to the IAHS, so disabled Stabilitrac and other safety systems in your car at your own risk. Now, going into the reason why the starting of the title for this talk is Safety Third, that being said, safety can't really be great. Safety Third is the idea that it should be jarring. Most of the time we hear safety first, but safety really is a mindset, and it's up to us. You can't always have safety first, there has to be a balance with risk. So for electronic stability control, it's commonly disabled for motor sports events and classes, even if it does save lives, because in the end, you're responsible for your own acceptable risk level. And you might be asking like, why would you disable ESC and these other safety systems if they work so well on the road? And the best summary I could find was from the Timo Neil Rallis School in New Hampshire. In their video, the best car modification, they say that the easiest and best performance modification you can do is to disable traction control ABS and stability control, because those systems are designed for the street and they'll work different when you're on the track, and they'll prevent you from really learning and becoming a better race car driver. Now the flip side of that is even when racing, it really is a case-by-case basis. It depends on what car you're driving. So for a car like a Tesla Model Y, the stability control on that car is supposed to be amazing. I've never driven one, but it's supposed to be spot on with the balancing performance and being able to keep traction and keep you safe. So there's a lot of cars out there, performance cars like Corvettes, the Toyota Supra, where the traction control and the stability control systems are tuned for the performance of those cars. And also the likelihood of you crashing if you turn those systems off increases a lot when compared to slower cars. With Timo Neil, they're racing and teaching on sometimes base Ford Fiesta's that when you lose traction or you slip the wheels, you're not getting in as much trouble as if you were in a much faster car. And that's really represented by this article from Road and Track about turning off stability control. They say the author says that the fact is that you can get the most cars to within two or three seconds of their best lap time with all these systems turned on. Now getting past just the safety aspects of this and the disclaimers, you might be asking why am I trying to race and why am I getting, what started this talk? And it really is that I want to share my love of cars and racing with my son. If I really just wanted to race for myself, I would buy another 90s Miata that has none of these safety features and add safety features like a roll over bar and proper seats. But really I want to share this with my son and I was really inspired by Jalopnik's Will It Baby line of like articles where they test different cars and come up with can you transport your little ones in it and still have fun. And so I test drove a large number of different cars and from the Fiat 500 to the Pacific SI, a lot of cars that they recommended. Unfortunately, the Miata didn't make a cut, but I did end up on a what I thought is like a compromise between hot hatches. When I did the test drives, I realized that I either wanted a fast manual transmission car or a car that had a single speed and didn't have the lag of automatic transmission. And I came upon the Sparky B while researching electric cars and coming across this car and driver article about the 2013 to 2014 compliance cars. And they were super impressed by the Spark. It was the quickest car that they had, which is still slow when you look at like hot hatch. Other hot hatches like the Fiat 500, it was getting zero to 60 in mid seven, mid to high sevens. But I decided to give this car a try. And when I started driving it more and more, I realized that the traction control was going to be a huge issue. So that's the reason that that's really the motivation behind this talk. Moving on to ESC itself. ESC is a system that detects when vehicles steering is going in an unintended direction. When the vehicle is going the wrong way compared to the direction that the driver wants to take it. And it compensates that understeer or oversteer by using single wheel braking in the ABS system. The ESC components, most electronic stability control systems include a electronic stability control module. In this case, the Chevy calls that the electronic brake control module. Sensors for the throttle, the pedal, a sensor for each wheel to detect wheel slip. The anti lock brake system modular, which would is able to break each of the four wheels. And then a number of other sensors, including the twerk angle sensor, the R-Rate and steering angle. To sum this up, you can think of the electronic stability control as an add-on on top of ABS. And it takes the sensors and the components that are required for ABS. And it adds a yaw sensor and a steering wheel angle sensor to detect the intended direction and the direction the car is going. Now, knowing those components, one of the first steps I took was trying to pull the fuses. Team O'Neill has a lot of good videos on how to disable the different safety systems and they recommend pulling the fuses first. So I went through my owner's manual and I found that there were four different fuses. There was an ABS pump fuse, a valve fuse, an oil feeding fuse, and a fuse for the computer itself, the EBCM fuse. Out of all of these, I had the best results with the valve fuse. The pump and oil fuse didn't come up with any results other than a check engine light. And the EBCM fuse cut half the power to the EBCM, where the traction control system still seemed to be enabled, but the throttle was still being cut, even though it wasn't doing the same braking as before. So I pulled the ABS valve fuse and I immediately got a message for service stability track. So that means that the stability track system is disabled and that worked out great. I was able to drive with, I was able to produce understeer, I was able to do skid. The car wasn't being cut off on power and it worked pretty well. The brakes didn't seem like they were up to the previous performance with stability track enabled, but it worked well for the first ignition switch. When I turned the car off and turned it back on, I got a service brake assist message and the power brakes on the car actually cut off. So on that next ignition cycle, I had no power brakes. It made braking really hard, so I quickly put the fuse back in. And this turned out to be not a tenable solution because it messes with the power brakes and I would have to pull and put the fuse back in for each ignition cycle. And also it seemed to disable the electronic brake distribution that controls the brake bias. And that's the braking that the car does, the percentage of braking that it does between the front and rear wheels. So I moved on from there and I decided to go after the rest of the attack surface, starting with the yaw sensor. I know I just bought the car, but I quickly pulled the interior. I pulled the seats out, I pulled the carpet out and I started searching everywhere in the car for the yaw sensor and I couldn't find it. At the same time, I was checking Chilton DIY and all data that had service manuals for this newer car, relatively newer car. And the only thing that the Chilton manual said was that the yaw sensor would take an hour to be replaced. It didn't say where the yaw sensor was, it said how to calibrate it, but it didn't say where it was in the car. I checked on forums, I learned a little bit more about the yaw sensor and how it works that it should be in the center of mass. And I still couldn't find it inside the car. I even talked to the local parts dealer and they said that it just doesn't exist. The yaw sensor part doesn't exist. So it must be included in another component or they may have a simulator and that could be why it's cutting in so much for people who drive this car PB. And so I had to move on from there. I moved to the steering sensor, if I can maybe unplug the steering sensor, I might be able to disable just the stability tracking, not the ABS. The ABCM when I looked up the steering angle sensor, when I tried to get to it, I couldn't get to it without pulling the steering wheel. And that involved when I looked into the specifics on it, $150 steering wheel puller from Chevy. And I also at that point tried to go after the ABCM. And the unfortunately the ABCM is not accessible. Unless you go through the radiator and take the radiator out in the electric spark, they mounted the ABCM under the car battery and behind the radiator. So it's really hard to get to. From there, I was inspired by an article by rapid seven on building car hacking development workbench to try to put together a workbench for a gas sparky be because there were no sparky bees at the local pull parts near my house. Finally, I found a sparky be a gas sparky be made it out to the junkyard and immediately found the yaw sensor. That was super frustrating it was excited but it was, it was right under where the noisemaker is the pedestrian noisemaker is on the electric version of the car. And I was able to pull it out of the junkyard car in like five minutes. The ABS module was super easy to pull for the jump for the gas part because it was right where you would expect the brake modules to be easily accessible from the hood. I pulled the ABS module, which included the EPCM, and I pulled the yaw sensor, and I tried pulling the rest of the wiring harness, but I quickly went over my estimated effort on pulling this, and it ended up having to cut the wiring harness. And because of the time limits, I wasn't able to create a full harness but I was able to pull the EPCM module which is on the lower half of this picture here and hook it up to a bench power supply. After hooking it to the bench though, it didn't power on correctly. The voltage was lower. I found some pads. I have the EPCM module here. I found some pads inside the module I made some wire cutoffs to like access the diagnostic pads, but the module itself, or the, when I hooked a multimeter up to it. It produced a fraction of a bolt. So I knew something was wrong and that ended up being a dead end. So, that's kind of where my research stops. At this point, if I plan on racing in the next month, so I'm going to try and go after a few other future attack paths. The first one is that I believe that I can decode the traction control shot off message from the physical switch that's in the center console. It puts into the body control module, which is a separate module that controls auxiliary functions in the car, and appears to only talk to the EPCM over can bus. So I'm going to attempt to see if there's any messages that can further disable the track stability track, or at least make it easier to disable. The second option is, I believe I can get the EPCM through the front driver side wheel well. You can use this trick before when changing oil, and when trying to access components in cars. Sometimes the manufacturer says to do it one way, and you're able to go through the wheel well on one side or the other to access something that would normally take a much longer amount of time. And then finally, I'm going to build another non eb stable attract bench in a car that doesn't require a steering wheel or I know the Chevy cruise doesn't require that. Thankfully my junkyard has five Chevy cruises. So the local junkyard seems like the best bet for that. So I would be able to start reversing each of the components and observe them by hooking up a logic analyzer while the system is more functional. Going on the lessons learned. While I had the interior out on the spark. I thought, you know, I traced all of the modules in the interior, and one of them was on star which I don't have the subscription for, and I will need for racing like I'm not going to be calling on star. So I decided to pull the on star module and immediately the check engine light came on. I was like, okay, that's kind of expected. And I started driving. And the first time this happened, I made it onto one of the main roads, or closer roads near my house, and the propulsion for the power was kind. And it came up with this propulsion powers reduced message. And I was like, okay, this isn't too bad I should be able to make it home fine. I'm still getting like 14 kilowatts in this screenshot, or in this picture of power. You know that's still a decent amount of acceleration. But then, while I was driving I hit 20 miles per hour, and it drastically cut power. It said speed limit set to 20 miles per hour on the message. And then the, I floored the accelerator, and it only gave me like one or two kilowatts of energy for going to the motor. And that meant that the miles per hour was only incrementing like once every two or three seconds. So it was a really scary moment. But I want to learn from it. And my plan is to figure out why the on star system do does this when you unplug it. The only thing I can think of is for immobilizing in the event that somebody stole the car and tried to disable on star. And that's the only way to do it because it's easily accessible. The other thing I want to see is, could this be triggered by canvas messages or by, by flooding the canvas with the, the on star messages, or the lack of an on start, like basically on star messages. The other lesson was pretty unfortunate too. And that was bring a scope to the inspection. Now the Chevy spark EV has a lot of plastic cladding they tried to hide kind of that it's an electric vehicle. And all this plastic cladding meant that during when I went to buy the car and when I looked in the engine bay, I didn't see any problems. Everything seemed fine. But when I actually pulled the plastic off to try to get to the ABCM. I came across this nest here, and it's using like insulation from the car and a bunch of sticks. And I discovered the nest and I was like, Oh no birds moved in. But then I started looking more through it and looking at the components of the car and I found mass dropping. So, I definitely recommend getting at the like $25 scope from Herbert freight or from online and USB scope and looking around in the engine bay when you're going to buy a used car. I have a recommendation a lot of places for when inspecting a used car but it would have saved me on this thankfully it seems that the mice really didn't like the orange cables the high voltage cables in the car but it looks like I'm going to have to replace at least one or two groundstraps before I take the car on a track. And that's my talk. Thank you car hacking village. Thank you for giving me the opportunity to speak. And I wanted to thank everyone that helped me with my research my coworkers. I definitely want to thank my family and my wife especially for dealing with the car that had like no interior. I still haven't put the carpet back in the car. And I really appreciate you. Taking the time to listen to my talk. So, these are a bunch of links that that wanted to include for what I came across. A lot of it is covered throughout the talk, but I just wanted to also mention the children DIY and all data was really useful and the easy way for me to get access to the service data. The next thing I want to mention is I'm going to be at Defcon in person, and I'll be on the discord. So if you have any questions, and you're not able to ask in the Q&A, feel free to track me down. Talk to me on discord or DM me on Twitter. Thanks everyone.