How to “Straighten Up” a Car’s “Brains” (original title: Как «вправить» автомобилю «мозги»)

Kirill Ermakov, Dmitry Sklyarov
Department for Advanced Developments

Positive Technologies

Positive Hack Days III, May 23-24, 2013

Engine Control Units (ECUs)

Factory Engine Control Units (ECUs)

How they operate:
― Read values from a multitude of sensors
― Interpret the data using multidimensional performance maps (called look-up tables)
― Electronically control a series of actuators on an internal combustion engine to ensure optimum running

Features:
― Installed by car manufacturers
― Calibrated at the factory
― Tuning parameters are usually not available for adjustment

Programmable ECUs

Features:
― Engine tuner can connect the ECU to a PC
― Adjustments can be made with tuning software
― On-board data logging

Also allows control of:
― Traction
― Boost
― Other equipment (servo motors, pumps, fans, …)

Sample ECU wiring (diagram)
Inputs: Ref & Sync trigger, Temperature inputs, Voltage inputs, Lambda sensor inputs, Digital inputs
Outputs: Fuel injector drivers, Ignition drivers, Auxiliary outputs, Sensor power supply
Also: Power, Communications

Experimental ECU

Features:
― Controller Area Network (CAN) bus interface
― USB to CAN adapter
― ECU Manager software for Windows
― Upgradable firmware in an “Intel HEX”-like format
― Motorola 68xxx-compatible CPU
― Some useful features are disabled in the Basic version of the ECU
  • Fortunately, an “Enable ECU Options…” menu item exists :-)
  • But it asks for a password :-(
― The full-featured ECU costs nearly three times as much as the Basic one

Digging into the problem

Analyzing ECU Manager software

― ECU Manager is a C++ Builder application with a sophisticated class hierarchy (static analysis is difficult)

― The ECU Access Password is verified client-side (easy to bypass with a “kiddie bit-hack”, i.e. patching the single conditional branch that checks it)

― The passwords needed to enable ECU features are sent to the ECU and verified in its firmware

Sniffing and logging USB traffic
― Simple protocol, no encryption
― Packet layout is recoverable by visual log analysis

Packet layout: header (prefix, len, cmd, dir, seq, args), then CRC-16 of the header, then payload

Field     Meaning
prefix    Packet header start
len       Header length
cmd       Command ID
dir       Direction (2: snd, 3: rcv)
seq       Sequential packet No
args      Cmd args (e.g. offs/len of payload)
CRC       CRC-16 of packet header
payload   Payload

Analyzing USB traffic
― The “Enable Feature” password is transferred as a “Write” request
― Wrong passwords are not written (an error is returned)
― The ECU switches between “Firmware” and “Loader” states during a firmware update

ID    Command action   Command arguments
0x0   Initialize       00
0x3   Write memory     <offset> <length> <region ID>
0x4   Read memory      <offset> <length> <region ID>
0x6   ???              4B 00 00 00 48 80 00 00 01 00 00 00
0xA   Switch state     40 00 00 00 <state name>
0xF   Reset            -
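As an added example (not code from the talk or from the ECU Manager tool), here is a small Go codec for the packet format recovered above, of the kind one writes to carve and annotate packets from a USB log. The slide gives only the field order and the command IDs; the byte widths (1-byte prefix, 1-byte header length, 1-byte cmd, 1-byte dir, 2-byte seq), the prefix value 0xAA, the CRC-16 variant (CRC-16/CCITT-FALSE) and the little-endian DWORD encoding of arguments are assumptions made here for illustration, and the sample packet is constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Field order follows the slide (prefix, len, cmd, dir, seq, args, CRC-16,
// payload). Widths, prefix value and CRC variant are assumptions.
const (
	prefixByte     = 0xAA // assumed start-of-packet marker
	fixedHeaderLen = 6    // prefix, len, cmd, dir, seq(2): assumed widths
	dirSend        = 2    // host -> ECU
	dirRecv        = 3    // ECU -> host
)

// Command IDs recovered from the USB log.
const (
	cmdInit        = 0x0
	cmdWriteMem    = 0x3
	cmdReadMem     = 0x4
	cmdSwitchState = 0xA
	cmdReset       = 0xF
)

type Packet struct {
	Cmd, Dir byte
	Seq      uint16
	Args     []byte // e.g. <offset> <length> <region ID>
	Payload  []byte
}

// crc16 is CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF). Check it against a
// captured packet first; the ECU may use another variant.
func crc16(data []byte) uint16 {
	crc := uint16(0xFFFF)
	for _, b := range data {
		crc ^= uint16(b) << 8
		for i := 0; i < 8; i++ {
			if crc&0x8000 != 0 {
				crc = crc<<1 ^ 0x1021
			} else {
				crc <<= 1
			}
		}
	}
	return crc
}

// Encode emits prefix|len|cmd|dir|seq|args|crc16(header)|payload; len counts
// the header bytes from prefix through args.
func (p Packet) Encode() []byte {
	hdr := []byte{prefixByte, byte(fixedHeaderLen + len(p.Args)), p.Cmd, p.Dir, 0, 0}
	binary.LittleEndian.PutUint16(hdr[4:], p.Seq)
	hdr = append(hdr, p.Args...)
	crc := make([]byte, 2)
	binary.LittleEndian.PutUint16(crc, crc16(hdr))
	out := append(hdr, crc...)
	return append(out, p.Payload...)
}

// Decode parses one packet and rejects it when the header CRC does not match,
// the first filter to apply when carving packets out of a log.
func Decode(raw []byte) (Packet, error) {
	if len(raw) < fixedHeaderLen+2 || raw[0] != prefixByte {
		return Packet{}, errors.New("bad prefix or truncated packet")
	}
	hlen := int(raw[1])
	if hlen < fixedHeaderLen || len(raw) < hlen+2 {
		return Packet{}, errors.New("header length out of range")
	}
	want := binary.LittleEndian.Uint16(raw[hlen:])
	if got := crc16(raw[:hlen]); got != want {
		return Packet{}, fmt.Errorf("header CRC mismatch: got %04X want %04X", got, want)
	}
	return Packet{
		Cmd: raw[2], Dir: raw[3],
		Seq:     binary.LittleEndian.Uint16(raw[4:6]),
		Args:    append([]byte(nil), raw[6:hlen]...),
		Payload: append([]byte(nil), raw[hlen+2:]...),
	}, nil
}

// MemArgs packs <offset> <length> <region ID> as three little-endian DWORDs,
// matching the 4-byte groups visible in the logged 0x6 and 0xA arguments.
func MemArgs(offset, length, region uint32) []byte {
	args := make([]byte, 12)
	binary.LittleEndian.PutUint32(args[0:], offset)
	binary.LittleEndian.PutUint32(args[4:], length)
	binary.LittleEndian.PutUint32(args[8:], region)
	return args
}

// Describe annotates a decoded packet the way one would label a log line.
func Describe(p Packet) string {
	switch p.Cmd {
	case cmdInit:
		return "Initialize"
	case cmdWriteMem, cmdReadMem:
		if len(p.Args) != 12 {
			return "Read/Write memory (malformed args)"
		}
		name := "Read"
		if p.Cmd == cmdWriteMem {
			name = "Write"
		}
		le := binary.LittleEndian
		return fmt.Sprintf("%s memory offset=0x%X len=0x%X region=%d",
			name, le.Uint32(p.Args[0:]), le.Uint32(p.Args[4:]), le.Uint32(p.Args[8:]))
	case cmdSwitchState:
		if len(p.Args) < 4 {
			return "Switch state (malformed args)"
		}
		return fmt.Sprintf("Switch state -> %q", p.Args[4:])
	case cmdReset:
		return "Reset"
	}
	return fmt.Sprintf("Unknown command 0x%X args=% X", p.Cmd, p.Args)
}

func main() {
	// Constructed request: an "Enable Feature" password sent as a Write of
	// one DWORD into the password region at 0x4000 (region ID 0 is assumed).
	req := Packet{Cmd: cmdWriteMem, Dir: dirSend, Seq: 7,
		Args: MemArgs(0x4000, 4, 0), Payload: []byte{0x3C, 0x3C, 0x3C, 0x3C}}
	raw := req.Encode()
	fmt.Printf("% X\n", raw)
	p, err := Decode(raw)
	if err != nil {
		panic(err)
	}
	fmt.Println(Describe(p))
	raw[5] ^= 1 // flip a header bit: the CRC check must now reject the packet
	if _, err := Decode(raw); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Once a capture is available, swap the assumed constants for the observed ones and confirm that `crc16` over the observed header bytes reproduces the logged CRC before trusting `Decode` on the rest of the log.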

ECU memory layout
Reading data from region 0x3E00-0x4000 returns only 0xFF’s (both through Loader and Firmware)

Address, length        Content                      Memory type
0x00000000, 0x23B4     Loader                       ROM
0x00003E00, 0x200      Secret constants             ROM, read prohibited
0x00004000, 0x200      Feature-enable passwords     Flash, verified before write
0x00060000, 0xFDEA     All 0x00                     Flash, FW-upgradeable
0x00070000, 0x7914     Default configuration data   Flash, FW-upgradeable
0x00400000, 0x3E036    Main firmware                Flash, FW-upgradeable

Analyzing and hacking ECU firmware
― Writing DWORDs into 0x4000-0x4200 requires verification based on the Secret constants (stored in 0x3E00-0x4000)

― The verification algorithm is easy to spot by its many EOR (exclusive OR) instructions, which are rare in automotive code ;-)

― We could modify the firmware and upload it to the ECU to allow reading the Secret table!

― With the Secret table in hand it is easy to reproduce the verification algorithm and calculate the password for any feature

Beware of the Dead End
― Any feature of the ECU could be enabled just by providing the calculated password through the ECU Manager software

― Some features MUST NOT be enabled simultaneously!

― If they are, the ECU locks in Loader state and seems totally “bricked”

― It is still possible to upload a Firmware Update, but that does not help

― We had several nasty hours after putting our ECU into this state…

Life is beautiful [again] ;-)
Accessing the password cell:
― Can’t write a wrong DWORD (due to verification in Loader)
― Can write 8 bytes (verification is performed only for DWORDs)

Writing to Flash memory:
― It is easy to change an arbitrary bit from ‘1’ to ‘0’
― But not vice versa
― It is possible to set bits to ‘1’ by erasing the flash block
― After that, just enable all necessary features
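The two facts above, a length-gated check in the Loader and NOR flash that can only clear bits until the block is erased, are easy to get wrong in one's head, so here is an added Go simulation (written for this page, not code from the talk or the ECU). The `Flash` type applies the AND-only write rule, and `Loader.WriteMemory` verifies 4-byte writes but lets 8-byte writes through, as the slide reports. The real verification derives the accepted value from the Secret constants with the XOR-heavy routine the authors reversed; that routine is not on the page, so `expected` is a hypothetical lookup with constructed values standing in for it.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// From the memory map: feature-enable passwords live in the 0x200-byte Flash
// region at 0x4000 and DWORD writes there are verified by the Loader.
const (
	pwBase = 0x4000
	pwSize = 0x200
)

// Flash models NOR-type cells: a write can only clear bits (1 -> 0); getting
// bits back to 1 requires erasing the whole block.
type Flash struct{ cells [pwSize]byte }

func NewFlash() *Flash {
	f := &Flash{}
	f.EraseBlock()
	return f
}

// EraseBlock restores every cell to 0xFF.
func (f *Flash) EraseBlock() {
	for i := range f.cells {
		f.cells[i] = 0xFF
	}
}

// rawWrite applies the hardware rule old AND new: bits that would have to go
// 0 -> 1 silently stay 0.
func (f *Flash) rawWrite(off int, data []byte) {
	for i, b := range data {
		f.cells[off+i] &= b
	}
}

func (f *Flash) ReadDword(off int) uint32 {
	return binary.LittleEndian.Uint32(f.cells[off : off+4])
}

// Loader stands in for the ECU bootloader. `expected` is a hypothetical
// lookup of constructed values replacing the Secret-constant based check.
type Loader struct {
	Flash    *Flash
	expected map[int]uint32 // cell offset -> accepted password (hypothetical)
}

func NewLoader(expected map[int]uint32) *Loader {
	return &Loader{Flash: NewFlash(), expected: expected}
}

// WriteMemory reproduces the defect on the slide: a 4-byte write is verified,
// an 8-byte write into the same region is not.
func (l *Loader) WriteMemory(addr int, data []byte) error {
	off := addr - pwBase
	if off < 0 || off+len(data) > pwSize {
		return errors.New("address outside password region")
	}
	switch len(data) {
	case 4:
		if l.expected[off] != binary.LittleEndian.Uint32(data) {
			return errors.New("verification failed, not written")
		}
	case 8:
		// Verification is only performed for DWORDs: nothing is checked here.
	default:
		return errors.New("unsupported write length")
	}
	l.Flash.rawWrite(off, data)
	return nil
}

func dword(v uint32) []byte {
	b := make([]byte, 4)
	binary.LittleEndian.PutUint32(b, v)
	return b
}

// Walkthrough replays the sequence from the slides and returns one line per
// step: rejected wrong DWORD, accepted 8-byte write, a correct DWORD that
// lands on a cell already holding zeros, and recovery by block erase.
func Walkthrough() []string {
	const good, bad uint32 = 0x3C3C3C3C, 0x0F0F0F0F // constructed values
	l := NewLoader(map[int]uint32{0: good})
	var out []string
	step := func(what string, err error) {
		if err != nil {
			out = append(out, what+": rejected ("+err.Error()+")")
			return
		}
		out = append(out, fmt.Sprintf("%s: cell 0x4000 = %08X", what, l.Flash.ReadDword(0)))
	}
	step("wrong DWORD", l.WriteMemory(pwBase, dword(bad)))
	step("8 bytes starting with the same wrong DWORD", l.WriteMemory(pwBase, append(dword(bad), dword(0xFFFFFFFF)...)))
	step("correct DWORD over the spoiled cell", l.WriteMemory(pwBase, dword(good)))
	l.Flash.EraseBlock()
	step("correct DWORD after block erase", l.WriteMemory(pwBase, dword(good)))
	return out
}

func main() {
	for _, line := range Walkthrough() {
		fmt.Println(line)
	}
}
```

The third step is the one worth noticing: the Loader accepts the correct password, yet the cell ends up holding `good AND bad`, because flash cannot set bits. Nothing short of the erase in step four puts a valid value back, which is why a wrongly enabled feature looks like a brick until the block is erased.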

[Chart: Value of device ($K), scale 0 to 10, plotted across the states Basic, +2 features, +5 features, wrong feature, FW updated, block erased, recovered, all OK]

Conclusion
General thoughts:
― XOR is not needed in table look-ups. Using it in a protection algorithm is not a smart approach
― The ability to run crafted code on the device makes all protection useless
― It is a good idea to digitally sign Firmware updates and check the signature in the Loader

But, anyway:
― Nobody cares about such things in the automotive industry! ;-)
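The last "general thought" is the one that would have closed the whole attack chain (no crafted firmware, no Secret table, no computed passwords), so here is an added Go sketch of it, written for this page and not taken from the talk or any ECU vendor: the vendor signs the update with an Ed25519 private key, and the Loader, holding only the public key, refuses to flash anything whose signature does not verify. The update is handled as Intel HEX because the slide describes the firmware format as "Intel HEX"-like; only data (00) and EOF (01) records are parsed, and the two-record image is constructed, not a real ECU dump.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Record is one Intel HEX data record: target address and bytes.
type Record struct {
	Addr uint16
	Data []byte
}

// ParseIntelHex handles record types 00 (data) and 01 (EOF) and checks each
// record's checksum (byte sum must be 0 mod 256). Vendor files may also use
// 02/04 extended-address records; add those before pointing this at one.
func ParseIntelHex(text string) ([]Record, error) {
	var recs []Record
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		if line[0] != ':' {
			return nil, fmt.Errorf("record must start with ':': %q", line)
		}
		raw, err := hex.DecodeString(line[1:])
		if err != nil || len(raw) < 5 || len(raw) != int(raw[0])+5 {
			return nil, fmt.Errorf("malformed record %q", line)
		}
		var sum byte
		for _, b := range raw {
			sum += b
		}
		if sum != 0 {
			return nil, fmt.Errorf("checksum mismatch in %q", line)
		}
		switch raw[3] {
		case 0x00:
			recs = append(recs, Record{Addr: binary.BigEndian.Uint16(raw[1:3]), Data: append([]byte(nil), raw[4:len(raw)-1]...)})
		case 0x01:
			return recs, nil
		default:
			return nil, fmt.Errorf("unsupported record type %02X", raw[3])
		}
	}
	return nil, errors.New("missing EOF record")
}

// EncodeIntelHex is the inverse, regenerating each record's checksum.
func EncodeIntelHex(recs []Record) string {
	var sb strings.Builder
	for _, r := range recs {
		raw := append([]byte{byte(len(r.Data)), byte(r.Addr >> 8), byte(r.Addr), 0x00}, r.Data...)
		var sum byte
		for _, b := range raw {
			sum += b
		}
		raw = append(raw, 0-sum)
		sb.WriteString(":" + strings.ToUpper(hex.EncodeToString(raw)) + "\n")
	}
	sb.WriteString(":00000001FF\n")
	return sb.String()
}

// ImageDigest hashes address, length and bytes of every record, so the
// signature covers the layout and not just the concatenated data.
func ImageDigest(recs []Record) []byte {
	h := sha256.New()
	for _, r := range recs {
		h.Write([]byte{byte(r.Addr >> 8), byte(r.Addr), byte(len(r.Data) >> 8), byte(len(r.Data))})
		h.Write(r.Data)
	}
	return h.Sum(nil)
}

// GenerateKeypair yields the vendor's signing key and the public key that
// gets burned into the Loader.
func GenerateKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignImage is the vendor side: only the private key holder can produce an
// update the Loader will accept.
func SignImage(priv ed25519.PrivateKey, hexText string) ([]byte, error) {
	recs, err := ParseIntelHex(hexText)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, ImageDigest(recs)), nil
}

// LoaderAccept is the check the talk recommends: verify first, flash after.
func LoaderAccept(pub ed25519.PublicKey, hexText string, sig []byte) ([]Record, error) {
	recs, err := ParseIntelHex(hexText)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, ImageDigest(recs), sig) {
		return nil, errors.New("firmware signature invalid, refusing to flash")
	}
	return recs, nil
}

// sampleHex is a constructed two-record image (68k NOPs and a branch).
const sampleHex = ":040000004E714E717E\n:0200100060FE90\n:00000001FF\n"

func main() {
	pub, priv := GenerateKeypair()
	sig, err := SignImage(priv, sampleHex)
	if err != nil {
		panic(err)
	}
	if _, err := LoaderAccept(pub, sampleHex, sig); err == nil {
		fmt.Println("genuine update accepted")
	}
	recs, _ := ParseIntelHex(sampleHex)
	recs[0].Data[3] ^= 0x04 // one-byte patch; the HEX checksum is regenerated
	if _, err := LoaderAccept(pub, EncodeIntelHex(recs), sig); err != nil {
		fmt.Println("patched update:", err)
	}
}
```

The patched image still passes every Intel HEX checksum, which is the point: checksums catch transmission errors, not an attacker who re-encodes the file. Only the signature, verified against a key the attacker cannot change from the host side, stops the modified-firmware step of the attack. Holding the public key in the Loader's ROM (the same property the Secret constants already had) keeps a firmware update from replacing it.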

That’s all
Thanks for your attention

Kirill Ermakov, Dmitry Sklyarov

[email protected]@ptsecurity.ru

Department for Advanced Developments
Positive Technologies

And special thanks to A. Raspopov and A. Tlyapov