ECU (Electronic Control Unit) для современного гоночного автомобиля представляет собой микроконтроллер, реализующий детальное управление всеми системами болида. Внутри ECU работает операционная система, принимающая информацию от различных датчиков и выдающая управляющие команды в соответствии с заданным профилем. Владелец может менять настройки профиля, но в базовых версиях своего оборудования разработчики ECU обычно запрещают использование некоторых функций, позволяющих добиться максимальной эффективности систем автомобиля. Целью нашего исследования было получение доступа к управлению всеми настройками ECU и полное раскрытие его потенциала.

2. How to
Straighten up a
Car's "Brains"
Kirill Ermakov, Dmitry Sklyarov
Department for Advanced Developments
Positive Technologies
Positive Hack Days III, May 23-24, 2013

3. Engine Control Units
(ECUs)

4. Factory Engine Control Units (ECUs)
How they operates:
― Reads values from a multitude of sensors
― Interprets the data using multidimensional performance
maps (called Look-up tables)
― Electronically controls a series of actuators on an internal
combustion engine to ensure the optimum running
Features:
― Installed by car manufacturers
― Calibrated during factoring
― Tuning parameters are usually not available for adjustment

5. Programmable ECUs
Features:
― Engine tuner can connect the ECU to a PC
― Adjustments can be made with tuning software
― On-board data logging
Also allows control:
― Traction
― Boost
― Other equipment
(servo motors,
pumps, fans, …)
Ref & Sync trigger
Temperature inputs
Voltage inputs
Lambda sensor inputs
Digital inputs
Fuel injector drivers
Ignition drivers
Auxiliary outputs
Sensor power supply
Power
Communications
Inputs Outputs

6. Sample ECU wiring

7. Experimental ECU Features
― Controller Area Network (CAN) bus interface
― USB to CAN adapter
― ECU Manager software for Windows
― Upgradable firmware in “Intel HEX”-like format
― Motorola 68xxx-compatible CPU
― Some useful features are disabled in basic version of ECU
• Fortunately “Enable ECU Options…” menu item exists :-)
• But it asks for a password :-(
― Full-featured ECU near 3 times more expensive rather than
Basic one

8. Digging into the problem

9. Analyzing ECU Manager software
― ECU Manager software is C++ Builder application with
sophisticated classes hierarchy (static analysis is difficult)
― Client-side ECU Access Password verification (easy to bypass
with kiddie bit-hack)
― Passwords that needed for enabling ECU features are sent
to ECU and verified in firmware

10. Sniffing and logging USB traffic
― Simple protocol, no encryption
― Packet layout is recoverable by visual log analysis
prefix len cmd dir argsseq CRC payload
Header
length
Command
ID
Direction
2:snd,3:rcv
Sequential
packet No
Cmd args
(e.g. offs/len
of payload)
Packet
header
CRC-16 of
packet header

11. Analyzing USB traffic
― “Enable Feature” password is transferred as “Write” request
― Wrong passwords not written (error returned)
― ECU switched between “Firmware” and “Loader” states
during firmware update
ID Command action Command arguments
0x0 Initialize 00
0x3 Write memory <offset> <length> <region ID>
0x4 Read memory <offset> <length> <region ID>
0x6 ??? 4B 00 00 00 48 80 00 00 01 00 00 00
0xA Switch state 40 00 00 00 <state name>
0xF Reset -

12. ECU memory layout
Reading data from region 0x3E00-0x4000 returns only 0xFF’s
(both through Loader and Firmware)
Address, length Content Memory type
0x00000000, 0x23B4 Loader ROM
0x00003E00, 0x200 Secret constants ROM, read prohibited
0x00004000, 0x200 Feature-enable passwords Flash, verified before write
0x00060000, 0xFDEA All 0x00 Flash, FW-upgradeable
0x00070000, 0x7914 Default configuraion data Flash, FW-upgradeable
0x00400000, 0x3E036 Main firmware Flash, FW-upgradeable

13. Analyzing and hacking ECU firmware
― Writing DWORDs into 0x4000-0x4200 requires verification
based on Secret constants (stored in 0x3E00-0x4000)
― Verification algorithm is identifiable by lot or EOR (exclusive
OR) instructions that rare used in automotive functions ;-)
― We could modify firmware and upload it to ECU to allow
reading Secret table!
― After obtaining Secret table it is easy to reproduce the
verification algorithm to calculate password for any feature

14. Beware of the Dead End
― Any feature of ECU could be enabled just by providing
calculated password through ECU Manager software
― Some feature MUST NOT be enabled simultaneously!
― If so, ECU locks in Loader state and seems totally “bricked”
― It is still possible to upload Firmware Update, but that
makes no help
― We have several nasty hours
after putting out ECU in this state…

15. Life is beautiful [again] ;-)
Accessing password cell:
― Can’t write wrong DWORD (due to verification in Loader)
― Can write 8 bytes (verification performed only for DWORDs)
Writing to Flash memory:
― It is easy to change
arbitrary bit from ‘1’ to ‘0’
― But not vice versa
― It is possible to set bits to ‘1’
by erasing flash block
― After that just enable all
necessary features
0
2
4
6
8
10
Value of device ($K)

16. Conclusion
General thoughts:
― XOR is not needed in table look-ups. Using it in protection
algorithm is not a smart approach
― Ability to run crafted code on device makes all protection
useless
― It is a good idea to digitally sign Firmware updates and
check signature in Loader
But, anyway:
― Nobody cares about such things in automotive industry! ;-)

17. That’s all
Thanks for your attention
Kirill Ermakov, Dmitry Sklyarov
KErmakov@ptsecurity.ru
DSklyarov@ptsecurity.ru
Department for Advanced Developments
Positive Technologies
And special thanks to
A.Raspopov and A.Tlyapov