Post on 07-Aug-2015
How to Straighten up a Car's "Brains"
Kirill Ermakov, Dmitry Sklyarov
Department for Advanced Developments
Positive Technologies
Positive Hack Days III, May 23-24, 2013
Factory Engine Control Units (ECUs)
How they operate:
― Read values from a multitude of sensors
― Interpret the data using multidimensional performance maps (called look-up tables)
― Electronically control a series of actuators on an internal combustion engine to ensure optimum running
Features:
― Installed by car manufacturers
― Calibrated at the factory
― Tuning parameters are usually not available for adjustment
Programmable ECUs
Features:
― Engine tuner can connect the ECU to a PC
― Adjustments can be made with tuning software
― On-board data logging
Also allows control of:
― Traction
― Boost
― Other equipment (servo motors, pumps, fans, …)
[Diagram: ECU connections (Inputs / Outputs) ― Ref & Sync trigger, Temperature inputs, Voltage inputs, Lambda sensor inputs, Digital inputs, Fuel injector drivers, Ignition drivers, Auxiliary outputs, Sensor power supply, Power, Communications]
Experimental ECU
Features:
― Controller Area Network (CAN) bus interface
― USB to CAN adapter
― ECU Manager software for Windows
― Upgradable firmware in “Intel HEX”-like format
― Motorola 68xxx-compatible CPU
― Some useful features are disabled in the Basic version of the ECU
  • Fortunately, an “Enable ECU Options…” menu item exists :-)
  • But it asks for a password :-(
― The full-featured ECU is nearly 3 times more expensive than the Basic one
Analyzing ECU Manager software
― ECU Manager software is a C++ Builder application with a sophisticated class hierarchy (static analysis is difficult)
― Client-side ECU Access Password verification (easy to bypass with a kiddie bit-hack)
― Passwords needed for enabling ECU features are sent to the ECU and verified in firmware
Sniffing and logging USB traffic
― Simple protocol, no encryption
― Packet layout is recoverable by visual log analysis

Packet layout:
  prefix | len | cmd | dir | seq | args | CRC | payload

  prefix    Packet header
  len       Header length
  cmd       Command ID
  dir       Direction (2: snd, 3: rcv)
  seq       Sequential packet No
  args      Cmd args (e.g. offs/len of payload)
  CRC       CRC-16 of packet header
  payload
Analyzing USB traffic
― “Enable Feature” password is transferred as a “Write” request
― Wrong passwords are not written (error returned)
― ECU switches between “Firmware” and “Loader” states during firmware update

  ID    Command action   Command arguments
  0x0   Initialize       00
  0x3   Write memory     <offset> <length> <region ID>
  0x4   Read memory      <offset> <length> <region ID>
  0x6   ???              4B 00 00 00 48 80 00 00 01 00 00 00
  0xA   Switch state     40 00 00 00 <state name>
  0xF   Reset            -
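The packet layout and the command table above are enough to write a decoder that turns a raw USB capture into readable log lines and flags Write requests that land in the feature-enable password cells. The following is an added example for this write-up, not code from the talk, the ECU vendor or Positive Technologies. The slides give the field order and the command IDs only; the field widths, the prefix byte, the CRC-16 variant and the encoding of <offset> <length> <region ID> are not on the slides and are assumed here (marked ASSUMED in the code), and the sample capture is constructed.

```python
"""Decoder for the ECU Manager USB packet layout shown on the slides.

Added example, not code from the talk or the ECU vendor. Field order and
command IDs come from the slides; everything marked ASSUMED is a guess
chosen so that the example is self-contained and runs offline.
"""
import struct
from dataclasses import dataclass

# Command IDs from the slide table (0x6 has no name there).
COMMANDS = {0x0: "Initialize", 0x3: "Write memory", 0x4: "Read memory",
            0x6: "???", 0xA: "Switch state", 0xF: "Reset"}
DIRECTIONS = {2: "snd", 3: "rcv"}

# ASSUMED widths: prefix(1) len(1) cmd(1) dir(1) seq(2) args(len-8) CRC(2)
FIXED_HEADER = struct.Struct(">BBBBH")
PREFIX = 0xA5                      # ASSUMED marker byte
MEM_ARGS = struct.Struct(">IHB")   # ASSUMED: offset(4) length(2) region ID(1)
PASSWORD_CELLS = (0x4000, 0x4200)  # feature-enable passwords, from the memory-layout slide


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF). ASSUMED variant; slides only say CRC-16."""
    crc = 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


@dataclass
class Packet:
    cmd: int
    direction: int
    seq: int
    args: bytes
    payload: bytes


def build_packet(cmd, direction, seq, args=b"", payload=b"") -> bytes:
    """Assemble a packet; used only to construct sample traffic for the demo."""
    header_len = FIXED_HEADER.size + len(args) + 2      # ASSUMED: len covers prefix..CRC
    header = FIXED_HEADER.pack(PREFIX, header_len, cmd, direction, seq) + args
    return header + struct.pack(">H", crc16_ccitt(header)) + payload


def parse_packet(raw: bytes) -> Packet:
    """Split a raw packet into fields, rejecting anything with a bad header CRC."""
    if len(raw) < FIXED_HEADER.size + 2:
        raise ValueError("truncated header")
    prefix, header_len, cmd, direction, seq = FIXED_HEADER.unpack_from(raw, 0)
    if prefix != PREFIX:
        raise ValueError(f"bad prefix 0x{prefix:02X}")
    if header_len < FIXED_HEADER.size + 2 or header_len > len(raw):
        raise ValueError("bad header length")
    header = raw[:header_len - 2]
    (crc,) = struct.unpack_from(">H", raw, header_len - 2)
    if crc != crc16_ccitt(header):
        raise ValueError("header CRC mismatch")
    return Packet(cmd, direction, seq, raw[FIXED_HEADER.size:header_len - 2], raw[header_len:])


def describe(pkt: Packet) -> str:
    """One log line per packet; Write requests into the password cells are flagged."""
    name = COMMANDS.get(pkt.cmd, f"0x{pkt.cmd:X}")
    text = f"#{pkt.seq} {DIRECTIONS.get(pkt.direction, '?')} {name}"
    if pkt.cmd in (0x3, 0x4) and len(pkt.args) == MEM_ARGS.size:
        offset, length, region = MEM_ARGS.unpack(pkt.args)
        text += f" offs=0x{offset:X} len=0x{length:X} region={region}"
        lo, hi = PASSWORD_CELLS
        if pkt.cmd == 0x3 and offset < hi and offset + length > lo:
            text += " [writes feature-password cells]"
    elif pkt.cmd == 0xA:
        # Switch state args are "40 00 00 00 <state name>" per the command table.
        text += " -> " + pkt.args[4:].rstrip(b"\x00").decode("ascii", "replace")
    return text


def decode_log(packets) -> list:
    """Decode a captured sequence, reporting corrupt packets instead of stopping."""
    lines = []
    for raw in packets:
        try:
            lines.append(describe(parse_packet(raw)))
        except ValueError as err:
            lines.append(f"!! {err}: {raw.hex()}")
    return lines


# Constructed sample capture: not real ECU traffic. The last packet has a flipped CRC bit.
_bad = bytearray(build_packet(0xF, 2, 5))
_bad[-1] ^= 0x01
SAMPLE_CAPTURE = [
    build_packet(0x0, 2, 1, b"\x00"),
    build_packet(0xA, 2, 2, b"\x40\x00\x00\x00Loader"),
    build_packet(0x4, 2, 3, MEM_ARGS.pack(0x3E00, 0x200, 1)),
    build_packet(0x3, 2, 4, MEM_ARGS.pack(0x4000, 4, 1), bytes(4)),
    bytes(_bad),
]

if __name__ == "__main__":
    print("\n".join(decode_log(SAMPLE_CAPTURE)))
```

Against a real capture the assumed widths would be adjusted by hand until the CRC check passes for every packet; a decoder whose CRC check never fails on genuine traffic is the confirmation that the layout recovered from the log is right.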
ECU memory layout
Reading data from region 0x3E00-0x4000 returns only 0xFF’s (both through Loader and Firmware)

  Address, length        Content                     Memory type
  0x00000000, 0x23B4     Loader                      ROM
  0x00003E00, 0x200      Secret constants            ROM, read prohibited
  0x00004000, 0x200      Feature-enable passwords    Flash, verified before write
  0x00060000, 0xFDEA     All 0x00                    Flash, FW-upgradeable
  0x00070000, 0x7914     Default configuration data  Flash, FW-upgradeable
  0x00400000, 0x3E036    Main firmware               Flash, FW-upgradeable
Analyzing and hacking ECU firmware
― Writing DWORDs into 0x4000-0x4200 requires verification based on Secret constants (stored in 0x3E00-0x4000)
― The verification algorithm is identifiable by a lot of EOR (exclusive OR) instructions, which are rarely used in automotive functions ;-)
― We could modify the firmware and upload it to the ECU to allow reading the Secret table!
― After obtaining the Secret table it is easy to reproduce the verification algorithm and calculate the password for any feature
Beware of the Dead End
― Any feature of the ECU could be enabled just by providing the calculated password through ECU Manager software
― Some features MUST NOT be enabled simultaneously!
― If they are, the ECU locks in Loader state and seems totally “bricked”
― It is still possible to upload a Firmware Update, but that does not help
― We had several nasty hours after putting our ECU in this state…
Life is beautiful [again] ;-)
Accessing the password cell:
― Can’t write a wrong DWORD (due to verification in Loader)
― Can write 8 bytes (verification is performed only for DWORDs)
Writing to Flash memory:
― It is easy to change an arbitrary bit from ‘1’ to ‘0’
― But not vice versa
― It is possible to set bits to ‘1’ by erasing the flash block
― After that just enable all necessary features
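Two facts on this slide are worth seeing in code: flash programming can only take bits from ‘1’ to ‘0’ (getting them back needs a block erase), and a Loader that verifies only exact 4-byte writes leaves longer writes unchecked. The block below is an added example for this write-up, not code from the talk or from the ECU's Loader. It models a small NOR-style flash, puts the length-dependent check beside a variant that verifies every aligned DWORD a write will touch, and uses a stand-in acceptance predicate (`accept_dword`, with a constructed allow-list) in place of the ECU's secret-constant algorithm, which is not reproduced here.

```python
"""Flash write semantics and DWORD-granular write verification.

Added example, not the ECU's code. `accept_dword` is a placeholder for the
Loader's password check; its allow-list is constructed for the demo.
"""

BLOCK_SIZE = 0x200   # size of the password region on the memory-layout slide; ASSUMED to be one erase block


class Flash:
    """Minimal NOR-style flash: program clears bits, erase sets a whole block to 0xFF."""

    def __init__(self, size: int):
        self.mem = bytearray(b"\xFF" * size)

    def program(self, addr: int, data: bytes) -> None:
        for i, b in enumerate(data):
            self.mem[addr + i] &= b          # 1 -> 0 only; a 1 bit in `data` leaves the cell alone

    def erase_block(self, addr: int) -> None:
        start = addr - addr % BLOCK_SIZE
        self.mem[start:start + BLOCK_SIZE] = b"\xFF" * BLOCK_SIZE

    def read(self, addr: int, n: int) -> bytes:
        return bytes(self.mem[addr:addr + n])


ERASED = b"\xFF\xFF\xFF\xFF"
ALLOWED_DWORDS = {ERASED, bytes.fromhex("0000BEEF"), bytes.fromhex("0000CAFE")}  # constructed


def accept_dword(dword: bytes) -> bool:
    """Stand-in for the Loader's password check: an erased cell or a known-good value."""
    return dword in ALLOWED_DWORDS


def naive_write(flash: Flash, addr: int, data: bytes) -> None:
    """Mirrors the flaw on the slide: only a write of exactly one DWORD is verified."""
    if len(data) == 4 and not accept_dword(data):
        raise PermissionError("rejected DWORD")
    flash.program(addr, data)


def checked_write(flash: Flash, addr: int, data: bytes) -> None:
    """Hardened variant: compute what every touched aligned DWORD will hold after
    programming and verify each one, whatever the request length or alignment."""
    start = addr & ~3
    end = (addr + len(data) + 3) & ~3
    after = bytearray(flash.read(start, end - start))
    for i, b in enumerate(data):
        after[addr - start + i] &= b
    for off in range(0, len(after), 4):
        if not accept_dword(bytes(after[off:off + 4])):
            raise PermissionError(f"rejected DWORD at 0x{start + off:X}")
    flash.program(addr, data)


def demo() -> dict:
    """Run the scenarios and return the observations as data."""
    out = {}
    f = Flash(BLOCK_SIZE)
    f.program(0, b"\x0F")
    f.program(0, b"\xF0")
    out["two_programs_and_together"] = f.read(0, 1)   # bits only ever clear
    f.program(0, b"\xFF")
    out["program_cannot_set_bits"] = f.read(0, 1)     # unchanged
    f.erase_block(0)
    out["erase_restores_ones"] = f.read(0, 1)

    bogus = bytes.fromhex("12345678") + bytes.fromhex("9ABCDEF0")   # two DWORDs the check refuses
    f1 = Flash(BLOCK_SIZE)
    try:
        naive_write(f1, 0x10, bogus)
        out["naive_8_byte_write"] = "accepted"
    except PermissionError:
        out["naive_8_byte_write"] = "rejected"
    f2 = Flash(BLOCK_SIZE)
    try:
        checked_write(f2, 0x10, bogus)
        out["checked_8_byte_write"] = "accepted"
    except PermissionError:
        out["checked_8_byte_write"] = "rejected"
    checked_write(f2, 0x10, bytes.fromhex("0000BEEF") + bytes.fromhex("0000CAFE"))
    out["checked_valid_write"] = f2.read(0x10, 8).hex()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened check verifies the post-write contents of the cells rather than the request, so request length, alignment and partial overwrites of an already-programmed cell are all covered by the same rule.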
[Chart: Value of device ($K), scale 0-10, across states: Basic; +2 features; +5 features; wrong feature; FW updated; block erased; recovered, all OK]
Conclusion
General thoughts:
― XOR is not needed in table look-ups. Using it in a protection algorithm is not a smart approach
― Ability to run crafted code on the device makes all protection useless
― It is a good idea to digitally sign Firmware updates and check the signature in Loader
But, anyway:
― Nobody cares about such things in the automotive industry! ;-)
That’s all
Thanks for your attention
Kirill Ermakov, Dmitry Sklyarov
KErmakov@ptsecurity.ru
DSklyarov@ptsecurity.ru
Department for Advanced Developments
Positive Technologies
And special thanks to A.Raspopov and A.Tlyapov