 Hello, everybody. I'm Don. I'm doing a presentation on gateways. So there's a lot of different challenges that we have in cybersecurity. A lot of times, in fact, the very first time that I worked with car for car, I'll pronounce it that way. The very first time he showed me how to fool the vehicle so that the radio thought it was in park, and I could watch a video while I'm driving. Okay, so that was literally my first exposure to faking the car out. A lot of times we have to change a signal or a PDU or a collection of signals. We want to block something, we want to override something, we want to change something in a frame. Maybe you want to add something, but it can only go to the target ECU. I don't want it to be sent to any other ECU. We need to convert something to some format, some protocol. For instance, maybe I have CAN FD, or I have LIN, but I really have a device that can only do CAN 2.0 or classical CAN. Or maybe I'm doing CCP or XCP, and I need to actually convert that out to some periodic CAN signal because some device that I have can't deal with the CCP or XCP data. Sometimes we need to limit the number of frames that are going to some device. Okay, so for instance, a good example is you might have 16 ECUs in a battery pack, for instance. And all those 16 ECUs might be doing some work. You might want to talk to those, but there's so much traffic already that if you send that traffic out and you're also sending it to all the other ECUs connected to it and monitoring those, then you might actually cause the crash. So being able to either limit the traffic down to a manageable amount or to consolidate specific frames or even take different signals, which I'll demonstrate at the end. Take different signals and consolidate them into a single frame of traffic is something that you want to do. And one thing that is just starting to hit the scene right now is protected PDUs. Protected PDUs are basically when we're sending up a PDU or a collection of signals, and it's sent with essentially a protection value of MAC, as well as a freshness value. And so changing that data, if we were to say try to tweak it, means that the target ECU is essentially going to ignore the frame, because the MAC is created with the PDU or a collection of signals, as well as the freshness value. So changing the signal changes what the MAC should be. And so if we wanted to make a change in that it's going to be a lot tougher, but we'll get to that. Okay. So the solution. I've heard it called many names. Okay, I've heard it called a gateway, a translator, a converter, a bypass. But essentially all these devices will ingest some traffic from some network, and then it will put the traffic out on the other side in some certain format. Sometimes it simply bypasses it's a total pass through both directions it does not affect the data but you can see what's coming in and going out just to examine it and do further analysis. But I will call it a gateway. So essentially gateway is really that conduit of information going from one vehicle network to another. So I've done, or I've done several of these I used to do them all manually programming them in our in the devices that my company happens to sell. But you know doing can can or can to win, you know when when you can win you essentially see that see that all the time, because there's always a can ECU that operates as the win master can to Ethernet or Ethernet Ethernet like you see inside of vehicles. Some many vehicles now have a central gateway or a common gateway, several different names for but essentially all the traffic goes to it, and gets routed out to minimize repeating traffic on multiple buses and into segment the vehicle That's not really the the central gateways or common gateways are not the subject of what I'm talking about today. That's really kind of for another day to talk about defeating those that kind of thing. So how, how do you make the gateway. Well, when back when I was a little younger, I used to go to myself. When you do that, one of the biggest problems with it is, it's easy for somebody like me to get confused, you know what's going what's being received versus what's being transmitted. You have to keep in mind, if I'm going from one bus to another, one thing has been received in one side to be transmitted on the other, I have to be able to make sure I don't accidentally retransmit the thing I transmitted on the other side back again, causing the big loop right. So coding it yourself can be can be a problem because of the amount of time it takes it can also be a problem because of the performance of the device. Okay, not everybody can afford a hill and be able to send out traffic really fast and have super high performance as though you are you are in a vehicle network. So, another way to do this is a rapid development tool. And that's what I'm going to show today. So that's but the tools themselves are really a side one. Okay, the idea is to show certain examples of the things that you might need gateway or things that are possible. Maybe a couple of things you haven't thought of yet. But I plan on doing a demonstration of those all today. So, and I already talked about this part but essentially, these are the function blocks that are inside of intrepid vehicles by software. And I used to write these, you know, step by step, and write all the code that goes around it to do a gateway. Generally, it would take me hours, and then some time to troubleshoot to get any gateway right. So, so one thing that our customers often demanded was they did not want to write anything, which is kind of a tall order. How do you make some type of interface where you can create gateways and it automatically generate the code. Well, after several years of dreaming. That actually is done inside a vehicle spot. There are other tools out there, of course, some that are actually can you can actually run embedded C code in some of these tools actually run embedded C code as well. But most of the tools that intrepid makes can actually run gateways or simulating ECUs for that matter. And many of them can actually run C code as well as as running the function blocks that I just showed. So, the idea is essentially, we have a new view or new relatively new view inside a vehicle spy called the gateway builder. And the gateway builder essentially creates those function blocks for you, and on occasion will also create embedded C code, depending on the tasks that you're doing. So it's really pretty straightforward. I'm not going to tell you that I love the interface, but it's not bad. It takes a little bit of getting getting used to, but it's really our first attempt at the GUI, but it does definitely do a lot of things. So essentially start out by loading the databases that you create, or maybe some that you already have. And you essentially drag and drop the networks or messages or the signals from the input side to the output side, and you can create multiple layers of these so that you can do things like, I'm going to pass this one. This one entire frame as it is every time, or I might also want to pass a single signal and then lock down what the other values are. So, but in any case, once you create it then you can click on a button that downloads that programming into the standalone hardware. So, to give you an example of what you can potentially do with this, I'm going to pull up this little guy here, because it actually is connected up to this right here. What's happening here is that on my PC, I've got this new life fire to it's connected up to this new ECU, the new ECU 12 here, which is essentially like a little ECU simulator. It basically is pretty straightforward is really very cheap. What we're doing here is that we're sending can out dual wire can out. It goes into the new ECU 12. From the new ECU 12 it's actually coming out as Lynn, and that comes out over here. And that connects up to this guy cluster. So, and I can, of course, adjust that cluster because there's actually gateway going on, see that it gets a little bit dimmer and a little bit dimmer fuel level go up and down. So we see it rpms up to like six grand vehicle speed let's go to like 260 got it penned but if you look up there you'll see the speeds up there like 248 that's kind of cool. So, this is actually gateway that was programmed inside of that new ECU 12, and the fire to that I showed is really just a way of showing it. Okay, but that's just a quick example of something you can do you can use it for like a prototype. I'll use it for testing. You see it a lot in industry, or an automotive design in validation as part of a test bench. But can be pretty useful, the hacker realm, because now I can take something and say well, I don't like that sending out the signal here I can change it to something on the other side. I can change it to what I want change it to something that might give me a result and give me more clues as what to do. So, so what I'm going to do here is essentially give you a quick view, a rundown of the gateway builder view, but I'm also going to pull up several examples to show how this can work for you. So essentially on the left side here, you'll see it says inputs, what this means is we've loaded in databases, and in this case it's loaded up to HS can this might be in our future products it's called can one so the first can channel. And so the databases loaded up over here. The input side, which is input network on the output network. I've got MS can in this case, and another set of databases here. So essentially have to have a database on the input side and on the output side, so that the gateway builder knows the structure of the messages the signals PDUs on both sides. And you can you can then tell it, pull the signal in change its value putting into this other signal on the other side. Okay, so in that case, with the exception of gate wing the entire network. We have to have a full database of some sort, even if that's something you created. And these databases are actually totally fictitious. Some I created a she's over 10 years ago now using for training all the time. So now I'm going to go through a number of demos and explain what's going on. Basically, here on my desk. I've got same setup you see there on the slides. And basically I've got two fires that are tied together with a test board. So, essentially there's a termination between somewhere that powers up the whole setup. I'm going to put that guy in like you see on the slide. Now, let's do some demos. So the first demo I'm going to show you is essentially a bidirectional gateway, really, really simple doesn't get simpler than this. So, what I can do is actually just rip this thing apart and put it back together again real quick, just to show you what what it's actually doing. And in fact, well, yeah, this should be fun. I'm going to do this. So, one thing you can do is you start out with an input network. And this one I'll choose is HS can. And this is one of the few that does not need the database at all. But I have the databases loaded. So input side, where I'm going to start out, HS can on the output side, I change it to MS can. Simply just just push the button that says gateway entire network, click that and now all the messages that are on that one network will be sent across to the other network. Okay. Now, if I want the messages that are on the other side on MS can to come across and come back to the HS can network. I can do that too. Select the MS can on the input side and HS can on the output side. And again, click on gateway entire network. And that basically is both sides of the network. So what I'm going to do is actually plug in a new vibe that actually you'll see it says HS plus MS can on it. That's because it's actually sending traffic out on both those networks. And I'll show you that. If I were this guy up, I would actually show you all the traffic. So you'll see here it says FC and there's another one FC this wheel speeds is actually being pulled in on HS can and transmitted back out an MS can. And if you go through here a little bit farther you'll find there are some that are on MS can, like the stat one right here, and it's being retransmitted on HS can. So, that's pretty quick. I basically ripped apart the gateway rebuilt it again inside a vehicle spy like that, not that. So, what's the use of this besides just showing off. Well, the thing is, I can tell by this traffic here. Oh, where's my mouse decided to die. Awesome. Wake up. Oh, there we go. Sorry about that. So I'll just type in filter here. So I can tell that this message is coming out of the subject or the target ECU, the one that has the simulation insights not plugged into my computer, because I'm receiving it on my test tool, and I'm retransmitting it on the other side. So if I were to have something like this, that were actually connected between an ECU and the rest of the vehicle, I could potentially figure out all the things that transmits probably a lot quicker though just to disconnect the ECU see what disappears. You may get some other things that do appear. But this is something where you can actually connect up still keep everything running. The timing is actually very, very good. And you could then start to play with it and build a gateway, take messages away, keep all the other messages coming along. Now I'll show you all that here in a moment. So now here's another one. These will all get a little more useful as we go along promise. So, basically, what might be a little bit more useful is I grab on to a single frame, a single PDU a set of signals, and I want to say transmit that on another bus, and I might do something else with it. Okay. So I'll go online with this one just to show what's going on here. And you'll see there's only one being transmitted. It's just that MS can, and that actually is being retransmitted from the state of seven. It's not being changed. It's just being transmitted at the same rate. So in the gateway builder to build this. Let me go offline for a second. It's really pretty easy. I can hit this delete all button that gets rid of all the stuff. And all I've got to really do is go over here and say, Well, I want to grab this one frame. So this right here at the top of the tree. I can just drag it over, drop it in. And then off I go. It's already going to forward that message. So you see here on the input for the message, and it's going to automatically show up on the other side. I don't have to tell it what message to put it into at this point. When I say forward, it will take the message as it is and just forward it across. It's not going to play with it. Yeah, it will be like that soon. So, if I go online, I'll just start firing up again just like you did before. There we go. So now we'll do something a little more fun. Oh, so say that I wanted to do something a little more exotic. I wanted to choose when and if I retransmit based on some data. Now this data could be data that's in another frame. So I'm going to go online and I'll show you what's really going on here. May not be clear right away, but it will be once I tell you what to watch for. So just like before we're retransmitting data seven. But basically we're going to wait until that target speed goes below 10. Once it goes below 10 it will stop retransmitting. So to show you how that works, we'll come back to it. You can actually see that happen. Essentially, instead of just forwarding the message, which is what we did in the last example, we put a condition on it over here. And so that condition is actually built into this expression editor. So target speed is greater than 10. And then in a little bit of time, time passes. And oh, yeah, it went way up again. I should have let it run. But basically, that's another alternative that you could do that. You can do things where you're not using the data from the thing that you're retransmitting. So this could be based on another message, something from another network, you really could do whatever you want. Eventually you'll see that guy go down. I'll let that guy run for a while while we're going for the next one. And eventually you'll see this guy is going to stop transmitting because that guy right there will actually start to fade away. You'll see that that highlighting will fade away. In the meantime, I'm going to pull another one. Because this is probably something that I see requested a lot. Okay. This guy's just about over here. It's just about to go away. But basically, I might want to grab something and then just change the arbitration ID. Okay, change the ID. And by the way, this one just finally went away. That's why it stopped at 292. It's no longer transmitting. So it just jumped up again and now it's transmitting again. So in this one, set up in a similar way. However, if we're going to remap it, then what we need to do is to choose something a bit different down here for the action cannot just forward it. We're actually going to what we call map it to another, another message. So over here, I've got in this case is data seven, it was pulled over here. I will end up deleting the second one here in a second, I'm just going to rebuild that first one, get rid of the second one and then run this demonstration but essentially if I want to map it. Now it starts looking for a message saying select the message. So over here, I have to find a message that I'm going to map it to. And in this case, we've actually made a transmit message that I can grab. And since I'm grabbing the entire frame data seven here. So let's got all the signals in it right. I'm going to grab this entire frame and drag it down and drop it right in here. Okay. And that's how I created that first one. So I'm going to go online and then you'll see that this is actually duplicated. So I've got the CM believe it. Oh, yeah, there we go. It's 123. Let's see if I got them right. Yeah, looks like they're, yeah, they're right next to each other there. So that's another tweak I can do. So now I'm getting a little more sophisticated, a little more realistic of two things that you might want to do. Okay, this is something that I've had people ask me many times to do. It's just in testing validation. Also, you know, for cybersecurity, they want to change something hook it up to some other device recorded, etc. All right, next one is I have it in can and it needs to go to can fd. So, again, the same idea, you're dragging over from your message, your input, and then on the output you're picking another frame for to go to. In this case, it's simply a classical can frame this data seven, and we created a can fd frame on the other side. Just a second here I'm trying to see, because my eyes are terrible. So, essentially you'll see that it's got three separate signals in here, you can ignore those other things those are actually just properties of that can data seven. And you'll also see that they have the same exact names over here as well. So those will automatically get mapped over. But the size of this frame is different. You'll see that here in just a moment. The warning that it's talking about is the length of bites is 20. The warning on this little warning flashing light. But this one's eight. So this is actually 20 bites just show it's can fd. It'll still go online though. So I know I'm throwing these up really quick. But the fact is, I haven't used this, probably in a year and a half, and I actually went through all these and did this all within the last two hours and trouble shot everything and got it running. So, even if if you're a totally new to vehicle spy and gateway builder, then you could get this done like started 10 o'clock in the morning and be done by lunch, probably have everything in trouble shot and ready to go easily. You will have it done in a few minutes if it's a simpler one. So you can see this one right here is actually standard can. You can tell that because in this view you'll see there's FDF and the VRS ESI. Those are different switches for can fd they are not present in all the other data because that's all standard can or classical can. But you do see that those values are in this frame and of course it's 20 bites so that's kind of a dead giveaway. All right. All right. Now we're getting to more and more fun. So, in this next demonstration, I'm basically grabbing a certain signal and tweaking that signal. Okay, so let me show you what this is doing this time. In this case, what we've done is not grab the whole message or frame. I've actually grabbed one signal. So in this case, it says LF wheel speed. So left front wheel speed and we just drag that in and now we've got a signal. So if we do a single signal, then it will be interesting to see what really happens when we do this as a gateway, because of course, it's not like you can get one signal and just forget all the rest of the data bites in your frame. Right. So, in this case, what we're doing is we're actually still forwarding it just like we had been forwarding entire can frames. But we are taking this one signal, and we are changing it by using this expression check box. And in that expression we're making it 255. So we're going to make it ff essentially because this is going to be one bite. Let's fire this up and see what happens. I'll just go ahead and get rid of that filter. You can see that everything else is still working, but you only have this one MS can coming across here. And this data five is what we actually were grabbing one signal from. So let's filter this out and see exactly what's really going on. So, in this case this LF wheel speed. You can see unfortunately these are all the same value and they stay that way, but this LF wheel speed is actually bite for. And that's why it says ff here, but it doesn't show any values from the other ones. So one question. Why would it not transfer the other ones. Well you did not tell it to do it. You can transfer that one single. So if you want to you can transfer the other ones, and you can change those if you want, or just transfer the existing value. So that way you can tweak right down to the bite, you know whatever signal you make, even if it's a single, just a single bit, you can actually tweak it in this manner. Okay, we're ready. I've got two more demos and then a few more slides and then we're ready to roll. Okay, so now we're going to get to something a little more elaborate. So essentially what we're going to do is take a couple, a couple data bytes, and we're going to send those across. We go online on this one might have actually found a bug in our existing software in this one. Something tells me that this one was not working quite the way I wanted it to. So basically, in this one. I think this is one that actually is not working quite the way it should, because it's not actually wrong. This one was actually supposed to have a different calibration is engineering RPM. Let me try something different. I'm going to try to reload this in. Essentially what I would do is grab this engineering RPM, pull it up and then choose map down here. And then the mapping would actually be to when I map it to the other signal so that I can pull this guy in drop them in here. Yeah, there is it stopped now it seems a warning. But it looks like we've got some errors somewhere. I found some bug in this just a couple hours ago. But you can see that the scaling. Originally, there's no scaling. But in this case, I'm actually sending it to a signal that has a different scaling. And in this case, I could actually change the scaling on the fly as part of the gateway. So let me go online with this and we'll see if it works. I have a feeling it's not going to work. So, oh, yeah, yeah, we got a problem with that one. There's definitely a bug in there. Sorry guys. It happens. Now we got real problems. Give me a second here. I'll try to find that one. See if I can actually make this other one run because we are almost done. Actually, you know what, I'm good. That is actually the last one. Let me know no this one I want to do definitely this last one is actually combining the signals from different different from different frames. Essentially, I've taken one signal from this data six frame, a couple from data seven and one from steering wheel angle, and I put them all together in a separate database over here. So essentially, those are now all combined and all four of these run at the same time. Let's see if we can get away with running this. I don't know if I'm going to the other that other instance crashed on me so I might get away with it. I might not. So basically what you see here is that we are actually taking the values from each of these that I've mapped like in this case I think it's fuel alcohol percent. You can see that guy is the same target speed is mapped. I think the only thing is I should have forced this to a certain data rate that's why it's jumping around so much it's pulling in. It's it's transmitting every single time any one of them changes and they're all on the same. So, let me jump out of this. We can kill all these instances we've got enough I've done enough vehicle spikers. Holy shmoly. How many copies I have running about 15. So, so essentially, last couple slides here. This won't take long as like a more slides were done. So message injection. So or signal injection. Sometimes you want to just change the data in a certain can frame and in the old school way is to simply just transmit twice as fast as the existing frame on the bus. And when you do that, essentially, what happens is the ECUs that are monitoring that will essentially always see your value to see your frame, because yours is coming out twice as fast. Unless it's exactly on the money that you're going to that ECU will always see your values, not the actual ECUs values. So, that's really pretty easy. And that's the way we've done it for many years ever since can has been out there. Anytime somebody wants to play with something for something in a certain ECU that's great. However, problem is, we have protected P us. So the protected P us are essentially, you know, they're part of all those hours secure on board communication. It, it makes the vehicle or the ECU immune to replay attacks. And you cannot override can frame because the Mac value that's being transmitted and the freshest value along with it is part. Well, it's part of the signals in the freshest value are part of the Mac. So therefore, if you change your fresh freshness value if you change the, the PDU or the signals, then you have to have a new Mac. And if that Mac doesn't jive on the other side, then no go the ECU that receives it will ignore it. So you essentially have to have a man in the middle. Okay. And that's just the beginning. Okay, so if you if you are going to do this, that means you'd actually have to put secured into the neophyte. Okay, or into your box. And the fact is, we actually have already already implemented this for some OEMs, because they have to use it to test there is no way to do this and that injection testing to force a certain signal, unless you can change the signal, you have to execute the Mac up, keep the freshness value and send that and do it quick enough like a hill in order to be accepted by the ECU. And I'd love to demonstrate it, but I can't. Not that I can't do it, just that I'm not allowed to show you, but it can be done. So any questions feel free to contact me. I'll be in the village, and I'll be Q&A here. I'm sure when the video stops playing. Thanks a lot.