All right, thanks for coming to my talk. So first, the obligatory who-am-I slide. I'm a research scientist at the University of Washington. I was also a grad student there. And back when I was a grad student, I did some of the early car hacking work there. And we did that in collaboration with UC San Diego. And after I finished my PhD, I went there as a postdoc to start on a project where they were looking to do some of the similar type of research that we did with the cars, but on planes instead. And so that's how I got into looking at these avionics systems. So first of all, what is ARINC? ARINC is a company that was founded in 1929 to basically manage all the aviation-related radio licenses. This was chartered by the Federal Radio Commission, the predecessor to the FCC, because that didn't come around until 1934. But basically, they initially managed those radio licenses. And then later, they started to define some of the communication protocols. The company was up until fairly recently owned by a lot of the major airlines and some of the manufacturers like Boeing. And it was sort of a neutral way for airlines and manufacturers to agree upon standards. So the reason that they're important is they developed this thing called ACARS in 1978. And this was initially to automatically report these OOOI events. So that is when a plane gets out of the gate, off the ground, on the ground, and in the gate. And this determines crew pay, apparently. So this was very important to the airlines to get that accurate. And so ACARS was developed to automatically report these events over radio when these happened. And since then, ACARS has been expanded to be a generic way of doing ground-to-air messaging. So if you get connecting flight information, that is often pushed through messages sent to ACARS and various things like that. So ARINC developed ACARS back in 1978.
But they've gone on since to develop a number of standards to encourage interoperability between manufacturers of these avionics systems. They also run the ACARS infrastructure. They do have another competitor, but they are one of the major providers. They were acquired by Rockwell Collins fairly recently and now they're owned by United Technologies. But there was sort of a conflict of interest between sort of the commercial messaging services and their standards division. And so the standards part got acquired by SAE International, who does a bunch of the automotive standards. So there's sort of three different classes of standards that ARINC defines. And so this is right out of the foreword of one of their specifications. So there are things that they call characteristics which are not necessarily a full-blown specification, but basically expressing the desires of the various airline manufacturers. Airline, airline, God, why am I blinking? The airliners, yeah. So, and then there's the actual specifications which are more technical and they fully define things like the various data buses that are used in planes. And then there's reports that, well, they're not that interesting to us hackers. So let's start with ARINC 429. So I like to call this the CAN bus of aviation. So as you might know, the CAN bus is used to send messages between different components in the car. And similarly on airplanes, on a lot of them they use ARINC 429. And instead of sending several bytes at a time, as within CAN, ARINC 429 can only send 32-bit words. They're sent over a differential pair. There's both low-speed and high-speed versions of ARINC 429. The low-speed version goes at, what, 12 and a half kilobits per second and the high-speed version is 100 kilobits per second. Like CAN, there's sort of a label which either defines the message type or it defines the recipient of a particular message based on the type of message that it is.
And one of the really interesting things that distinguishes 429 from CAN is that it is physically a single sender, multiple receiver network. And so this means that if your in-flight entertainment system is connected up to some other part of the plane, say the flight management computer to receive like the current altitude or things like that to show passengers, it can only, it only has the physical hardware to receive that information. It can't actually assert that back onto the bus. And so you might have heard claims before about 737s could go sideways or whatnot through the in-flight entertainment system. What I think probably happened there is they might have gotten on to the in-flight entertainment system and ran something similar to Wireshark and saw all these packets coming in and assumed you could just send and spoof them, but you actually can't, you can just receive them. For various reasons, the label is at most significant bit first while the rest of the data is least significant bit first. And honestly, this is the hardest part about dealing with 429, especially because some transceivers decide to be helpful and automatically swap the endianness for you. And then you have to figure out if it was automatically swapped or not. And then in some cases, it'll have like, so if you do an exchange between two different units where they exchange their system address labels, you have to deal with the endianness there and it's just complete insanity. So that's a bit unfortunate, but it is what it is. So there's a few different types of messages. Some of the original stuff were sort of status messages and they have a few bits dedicated to what they call this sign/status matrix. And so they'll send values like the current altitude or current heading and the sign/status matrix bits say either whether it's positive or negative, north or south, whether a system is okay or failing or running a self-test, things like that.
There's also what they call the character oriented protocol and this is used to send sort of character streams between various systems. So this is used, for example, between the communications management unit that I'll talk about in a bit and the MCDU, the display unit that I'll talk about in a bit. It's also used to push things to the printer, for example. And then there's also this bit oriented protocol that I'll talk about in a second. So this is right out of the 429 specification just to make it a bit more concrete as to what this looks like. So you have this parity bit here as the last bit. You have this label. This SDI is either a source or destination. So in planes, you'll have redundant units. And so this will indicate which side of the plane the redundant unit is on. And then this is a pretty old standard. So they'll commonly send things as binary coded decimal values or in some cases binary values. And you can also send discrete bits as well from like sensors to say whether the wheels are on the ground or not. Yeah, so a bit more about the character oriented protocol as opposed to these sort of status messages. They specify the receiver of a particular message and the label. This is used by the communications management unit, the display, the printer, things like that. And there's sort of a handshake that goes on between the various units involved where the unit that wants to initiate a transfer sends a request to send, the other unit sends a clear to send back and they sort of acknowledge data as it goes along. This is still used, but it's kind of been deprecated in favor of something they call the bit oriented protocol, which is used to send five nibbles at a time, which is oh, so fun to deal with. There's two versions.
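To make the 429 word layout and the label-endianness trap concrete, here is an added Python example; it is not code from the talk or from ARINC. It assumes the common numbering where bit 1 is the least significant bit of a 32-bit integer: bits 1-8 carry the label (transmitted MSB-first, so the label read straight out of the low byte is bit-reversed relative to its usual octal notation), bits 9-10 the SDI, bits 11-29 a 19-bit data field, bits 30-31 the sign/status matrix, and bit 32 odd parity over the whole word. The BCD digit layout in `decode_bcd` (a 3-bit most-significant digit followed by four 4-bit digits) is likewise an assumption to check against the ICD for a given label; the sample words are constructed.

```python
"""Build and parse ARINC 429 words (constructed example, not from the talk)."""

LABEL_MASK = 0xFF                      # bits 1-8, transmitted MSB first
SDI_SHIFT, SDI_MASK = 8, 0x3           # bits 9-10, which redundant unit
DATA_SHIFT, DATA_MASK = 10, 0x7FFFF    # bits 11-29, 19-bit data field
SSM_SHIFT, SSM_MASK = 29, 0x3          # bits 30-31, sign/status matrix
PARITY_BIT = 1 << 31                   # bit 32, odd parity over all 32 bits


def reverse8(value):
    """Reverse the bit order of an 8-bit value.

    Labels are written in octal (e.g. 0o310) but are sent MSB first while
    the rest of the word is LSB first, so the label octet as it sits in
    the low byte of the word is the bit-reverse of the octal value.
    """
    return int(f"{value & 0xFF:08b}"[::-1], 2)


def odd_parity_ok(word):
    """True when the 32-bit word has an odd number of one bits."""
    return bin(word & 0xFFFFFFFF).count("1") % 2 == 1


def build_word(label_octal, sdi, data, ssm):
    """Assemble a word from its fields and set bit 32 for odd parity."""
    if not 0 <= label_octal <= 0o377:
        raise ValueError("label must fit in 8 bits")
    if not 0 <= data <= DATA_MASK:
        raise ValueError("data must fit in 19 bits")
    word = (reverse8(label_octal)
            | (sdi & SDI_MASK) << SDI_SHIFT
            | data << DATA_SHIFT
            | (ssm & SSM_MASK) << SSM_SHIFT)
    if not odd_parity_ok(word):
        word |= PARITY_BIT
    return word


def parse_word(word, label_already_swapped=False):
    """Split a received word into fields and verify parity.

    label_already_swapped models a transceiver that has "helpfully"
    reversed the label octet for you; in that case the low byte is
    already the octal label and must not be reversed again.
    """
    raw_label = word & LABEL_MASK
    return {
        "label": raw_label if label_already_swapped else reverse8(raw_label),
        "sdi": (word >> SDI_SHIFT) & SDI_MASK,
        "data": (word >> DATA_SHIFT) & DATA_MASK,
        "ssm": (word >> SSM_SHIFT) & SSM_MASK,
        "parity_ok": odd_parity_ok(word),
    }


def encode_bcd(value):
    """Pack 0..79999 into the data field as five BCD digits (assumed layout)."""
    if not 0 <= value <= 79999:
        raise ValueError("BCD field holds at most a 3-bit MSD plus four digits")
    digits = [int(c) for c in f"{value:05d}"]      # MSD first
    return (digits[0] << 16) | (digits[1] << 12) | (digits[2] << 8) \
        | (digits[3] << 4) | digits[4]


def decode_bcd(data):
    """Unpack the assumed five-digit BCD layout; reject non-decimal nibbles."""
    digits = [(data >> 16) & 0x7, (data >> 12) & 0xF, (data >> 8) & 0xF,
              (data >> 4) & 0xF, data & 0xF]
    if any(d > 9 for d in digits):
        raise ValueError("invalid BCD digit")
    return int("".join(str(d) for d in digits))


if __name__ == "__main__":
    # Constructed sample: label 0o310, SDI 0, 25000 in BCD, SSM 3.
    w = build_word(0o310, 0, encode_bcd(25000), 3)
    fields = parse_word(w)
    print(f"{w:08x}", fields, decode_bcd(fields["data"]))
    # A single flipped data bit is caught by parity.
    print(parse_word(w ^ (1 << 20))["parity_ok"])
```

The same capture parsed with and without `label_already_swapped` gives two different label values for every word, which is exactly the ambiguity the talk describes; a quick sanity check is to decode a label you expect on the bus (a known altitude or heading label from the ICD) both ways and see which interpretation produces plausible values.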
The first version is sort of similar to the character oriented protocol where basically there's a handshake and it says how much data you're about to transfer and which block you're transferring and things like that. So that goes back and forth. And then surprise, version three, it's Ethernet. It is, this just blew my mind that they actually decided to put an 802 frame right into, and shove it into, these ARINC 429 words. And this is used by the new VHF data radio standard that I'll talk about in a bit. And it also has a 16-bit CRC along with the standard Ethernet bits there as well. 615 defines the data loader. So this is used to update flight navigation databases, firmware in some cases, things like that. The protocol is pretty similar to the character oriented protocol with some minor differences to deal with specifics of data loading. And this is actually a photo from a 737 of a data loader that is installed into the plane. And yes, it literally takes floppies and you set the little switch to which unit you wanna update and you press go and then it updates the system, which I thought was pretty weird. But yeah, again, it is what it is. And yeah, almost certainly no code signing there. And I've heard that the recommended best practice for authenticating these updates is to check the return address on the label from where you got it from. It's better now in newer planes, but this is still sort of in many planes today. 618 defines the air-ground link in ACARS. So those ACARS messages consist of a mode. There's sort of two different modes of ACARS messages that you can send. It has the address of the aircraft that you're talking to, which is based on the tail number. There's an acknowledgement counter, which is basically like a TCP acknowledgement number that just cycles through so that you can confirm that the aircraft has received a particular packet. There's a two-character label, which identifies the type of message.
And if the message can't fit within a single ACARS packet, it gets split up into blocks. And so there's a block identifier there to indicate which particular part of the message it is. Then there's just the regular text and a checksum. So 618 also defines how this gets transmitted over the air and it's basically just a frequency shift keying or minimum shift keying modem. If you tune in on, what is it, 131.5 megahertz using just AM modulation, you'll hear these squawks occasionally, which are these ACARS packets. The radio itself, the interface between the communications management unit and the radio itself, is defined in ARINC 716, which basically just lets the communications management unit retune the radio and it defines the analog signals that are sent between them. There's this new thing too called VDL2, VHF Datalink 2, which is a new digital mode. It uses sort of a newer modulation scheme that's completely digital. And instead of this sort of homegrown ACARS protocol for doing acknowledgments and things like that, it uses this AVLC framing system, which is based on HDLC, which is sort of a common way of dealing with acknowledgments and sort of the link layer issues. So there's the ARINC 750 standard that defines both the radio and this new digital mode. But in 618 they also define ACARS over AVLC and so you can carry these traditional ACARS messages over this new VDL link. This new VDL link also will support things like automatically contacting air traffic control, so there's air traffic control applications that are being sent over this now. I believe that's used more in Europe than the US, but maybe that's coming. There's a couple of other ACARS standards that you should know about. So 619 defines the interface between this communication management unit and other LRUs. So LRUs are line replaceable units, they're basically just a generic term for the other units in a plane.
So things like the flight management computer, cockpit printer, the MCDU, all these other things are just LRUs. The car equivalent would be ECU, for example. Each industry sort of has its own term. So this just defines sort of a generic way to forward messages from the CMU to these other systems. For example, pushing a message from the CMU to the cockpit printer to have your connecting gate information, for example. And then 620 sort of defines the way that the ground segment works and how airlines communicate with the service provider to send this information back and forth. So speaking of the communications management unit, they have a standard for that as well. Originally this was just called the ACARS unit, but now it's sort of a generic communications hub. It can send things like engine performance and diagnostic data. It'll talk to the printer. It can push flight plan updates to the FMS, although they have to be manually confirmed by the pilots. And it also sort of defines the physical interface to the rest of the aircraft. So here's a couple of figures from the standard which basically define what all the pins are on the back connector. And there's a bunch of different 429 buses that connect and a lot of discrete inputs, especially for those out, off, on, in messages. Yeah. So the way that you typically interact with this communications management unit is with what's called the MCDU. This is also defined in an ARINC standard, this is in 39A. It stands for multi-purpose control and display unit and this is sort of a common interface for the communications management unit, flight management system, things like that. Originally they were sort of separate systems that had their own display but this now allows a common interface to all these systems. So this was, I thought this was a 20 minute talk so I was gonna wrap it up here by mentioning some other ARINC standards that are interesting. So 702A talks a bit. What?
Okay, well yeah, it's just, yeah. It's fine. So there are standards that cover the flight management system, cockpit printer. The 777 has its own unique data bus which, well, to be honest, you can't get surplus 777 parts off of eBay so I'm not that interested in them. Same with 664. This is actually a deterministic Ethernet for aviation, sort of a high reliability version of Ethernet that guarantees no packet loss, and this is used on newer aircraft such as the 787 or A380 and it sort of simulates those unidirectional 429 buses with VLANs and supposedly that works. Probably works but there's, we'll see. There's this standard called gate link which lets you do wifi to the aircraft and this connects with the communications management unit and so this is a way to push updates to the plane through wifi instead of going over the much more expensive VHF radios or satellite. And then there's also a 25 which I recently just became aware of, which is basically using or adapting the CAN bus for aviation. So basically that's all I have, so thanks for your attention and I'll take any questions. Okay, sure. So the thing that stops them from sending messages is that the hardware to send and receive 429 packets is different and so basically it's physically just a receiver module there, and so even if you take total control over the system you still can't physically turn that into something that can transmit data back onto that 429 bus. Yes. Okay. So you got 429, you got the 429 over a VLAN thing. Yes. Yeah so the question is, simulating 429 with VLANs, is that gonna supplant 429? So I believe in the 787 and A380 it does. They use Ethernet. I'm getting a sort-of-ish, so, okay. So he said basic systems still have 429 but yes, yes.
So the question there was, does that change the assumption about just having the hardware to send or just having the hardware to receive, and yes it does, and that's why you have to ensure this isolation through the network switches and with VLANs and things like that. I wish I could get my hands on a switch to play with this but they cost like $50,000 and they're not really falling off of the back of a truck or anything, so I'm sad. Anything else? You mentioned that, your speaker gift is. Oh wow. Next, please join me in thanking Kyle for his presentation. All right, thanks.