The ECU (Electronic Control Unit) of a modern racing car is a microcontroller that performs detailed control of all the car's systems. Inside the ECU runs an operating system that takes information from various sensors and issues control commands according to a configured profile. The owner can change the profile settings, but in the basic versions of their equipment the ECU developers usually prohibit the use of certain functions that would allow the car's systems to reach maximum efficiency. The goal of our research was to gain access to the management of all ECU settings and to fully unlock its potential.
How to "Straighten Up" a Car's "Brains"
2. How to Straighten up a Car's "Brains"
Kirill Ermakov, Dmitry Sklyarov
Department for Advanced Developments
Positive Technologies
Positive Hack Days III, May 23-24, 2013
4. Factory Engine Control Units (ECUs)
How they operate:
― Read values from a multitude of sensors
― Interpret the data using multidimensional performance maps (called look-up tables)
― Electronically control a series of actuators on an internal combustion engine to ensure optimum running
Features:
― Installed by car manufacturers
― Calibrated at the factory
― Tuning parameters are usually not available for adjustment
5. Programmable ECUs
Features:
― Engine tuner can connect the ECU to a PC
― Adjustments can be made with tuning software
― On-board data logging
Also allows control of:
― Traction
― Boost
― Other equipment (servo motors, pumps, fans, …)
[Figure: programmable ECU connections. Inputs: Ref & Sync trigger, Temperature inputs, Voltage inputs, Lambda sensor inputs, Digital inputs. Outputs: Fuel injector drivers, Ignition drivers, Auxiliary outputs, Sensor power supply. Also: Power, Communications.]
7. Experimental ECU Features
― Controller Area Network (CAN) bus interface
― USB to CAN adapter
― ECU Manager software for Windows
― Upgradable firmware in “Intel HEX”-like format
― Motorola 68xxx-compatible CPU
― Some useful features are disabled in the basic version of the ECU
• Fortunately, an “Enable ECU Options…” menu item exists :-)
• But it asks for a password :-(
― The full-featured ECU is nearly 3 times more expensive than the Basic one
9. Analyzing ECU Manager software
― ECU Manager software is a C++ Builder application with a sophisticated class hierarchy (static analysis is difficult)
― Client-side ECU Access Password verification (easy to bypass with a kiddie bit-hack)
― Passwords needed for enabling ECU features are sent to the ECU and verified in firmware
10. Sniffing and logging USB traffic
― Simple protocol, no encryption
― Packet layout is recoverable by visual log analysis
Packet layout (packet header followed by payload):
prefix  len  cmd  dir  args  seq  CRC  | payload
  len:  header length
  cmd:  command ID
  dir:  direction (2: snd, 3: rcv)
  args: cmd args (e.g. offs/len of payload)
  seq:  sequential packet No
  CRC:  CRC-16 of packet header
11. Analyzing USB traffic
― “Enable Feature” password is transferred as a “Write” request
― Wrong passwords are not written (error returned)
― ECU is switched between “Firmware” and “Loader” states during firmware update
ID   Command action   Command arguments
0x0  Initialize       00
0x3  Write memory     <offset> <length> <region ID>
0x4  Read memory      <offset> <length> <region ID>
0x6  ???              4B 00 00 00 48 80 00 00 01 00 00 00
0xA  Switch state     40 00 00 00 <state name>
0xF  Reset            -
12. ECU memory layout
Reading data from region 0x3E00-0x4000 returns only 0xFF’s (both through Loader and Firmware)
Address, length      Content                     Memory type
0x00000000, 0x23B4   Loader                      ROM
0x00003E00, 0x200    Secret constants            ROM, read prohibited
0x00004000, 0x200    Feature-enable passwords    Flash, verified before write
0x00060000, 0xFDEA   All 0x00                    Flash, FW-upgradeable
0x00070000, 0x7914   Default configuration data  Flash, FW-upgradeable
0x00400000, 0x3E036  Main firmware               Flash, FW-upgradeable
13. Analyzing and hacking ECU firmware
― Writing DWORDs into 0x4000-0x4200 requires verification based on the Secret constants (stored in 0x3E00-0x4000)
― The verification algorithm is identifiable by its many EOR (exclusive OR) instructions, which are rarely used in automotive functions ;-)
― We could modify the firmware and upload it to the ECU to allow reading the Secret table!
― After obtaining the Secret table it is easy to reproduce the verification algorithm to calculate the password for any feature
14. Beware of the Dead End
― Any feature of the ECU could be enabled just by providing the calculated password through ECU Manager software
― Some features MUST NOT be enabled simultaneously!
― If they are, the ECU locks in Loader state and seems totally “bricked”
― It is still possible to upload a Firmware Update, but that does not help
― We had several nasty hours after putting our ECU in this state…
15. Life is beautiful [again] ;-)
Accessing the password cell:
― Can’t write a wrong DWORD (due to verification in Loader)
― Can write 8 bytes (verification is performed only for DWORDs)
Writing to Flash memory:
― It is easy to change an arbitrary bit from ‘1’ to ‘0’
― But not vice versa
― It is possible to set bits to ‘1’ by erasing the flash block
― After that just enable all necessary features
[Chart: Value of device ($K), scale 0 to 10]
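Added example (not the authors' code) modelling the write check described on this slide: a toy flash region with 1 -> 0 programming and block erase, the length-dependent DWORD verification the slide describes beside the check a Loader should perform on every DWORD of every write. The validity rule is a hypothetical stand-in, since the ECU's secret-constant algorithm is not reproduced here.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Constructed model of the 0x200-byte feature-password region (0x4000 on the
// page). Flash semantics: a write only clears bits (1 -> 0); only an erase sets them back.
const regionSize = 0x200
type Flash struct{ cells [regionSize]byte }
func (f *Flash) Erase() { for i := range f.cells { f.cells[i] = 0xFF } }

// isValidDWORD stands in for the ECU's secret-constant check, whose real
// algorithm is not reproduced here (hypothetical rule: top byte must be 0xA5).
func isValidDWORD(v uint32) bool { return v>>24 == 0xA5 }

// program applies the 1 -> 0 only rule of flash programming.
func (f *Flash) program(off int, data []byte) error {
	if off < 0 || off+len(data) > regionSize {
		return errors.New("out of range")
	}
	for i, b := range data {
		f.cells[off+i] &= b
	}
	return nil
}

// WriteWeak mirrors slide 15: the DWORD check runs only when exactly four
// bytes are written, so an 8-byte write lands unverified.
func (f *Flash) WriteWeak(off int, data []byte) error {
	if len(data) == 4 && !isValidDWORD(binary.BigEndian.Uint32(data)) {
		return errors.New("verification failed")
	}
	return f.program(off, data)
}

// WriteHardened is the check the loader should have: writes into the region
// must be DWORD-aligned and every DWORD must pass verification.
func (f *Flash) WriteHardened(off int, data []byte) error {
	if off%4 != 0 || len(data)%4 != 0 {
		return errors.New("unaligned write")
	}
	for i := 0; i < len(data); i += 4 {
		if !isValidDWORD(binary.BigEndian.Uint32(data[i:])) {
			return errors.New("verification failed")
		}
	}
	return f.program(off, data)
}
```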
16. Conclusion
General thoughts:
― XOR is not needed in table look-ups. Using it in a protection algorithm is not a smart approach
― The ability to run crafted code on the device makes all protection useless
― It is a good idea to digitally sign Firmware updates and check the signature in Loader
But, anyway:
― Nobody cares about such things in automotive industry! ;-)
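Added example illustrating the signing recommendation above, not the vendor's or the authors' code: a constructed update format (firmware image followed by a 64-byte Ed25519 signature) and the verification step a Loader would run before programming flash, so that a modified image such as the one described on slide 13 is refused. The Intel HEX record standing in for the image is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Constructed update format, not the vendor's real one: the firmware image
// followed by an Ed25519 signature over the image. The Loader holds only the
// vendor's public key; the signing key stays offline at the vendor.
const sigLen = ed25519.SignatureSize

// SignUpdate is the vendor-side step: produce image || signature.
func SignUpdate(priv ed25519.PrivateKey, image []byte) []byte {
	return append(append([]byte{}, image...), ed25519.Sign(priv, image)...)
}

// LoaderVerify is what the Loader must do before programming flash: split the
// update, check the signature, and refuse anything unsigned or altered.
func LoaderVerify(pub ed25519.PublicKey, update []byte) ([]byte, error) {
	if len(update) < sigLen {
		return nil, errors.New("update too short to carry a signature")
	}
	image, sig := update[:len(update)-sigLen], update[len(update)-sigLen:]
	if !ed25519.Verify(pub, image, sig) {
		return nil, errors.New("signature check failed: refusing to flash")
	}
	return image, nil
}

// Demo returns whether the genuine update and a one-bit-modified copy are accepted.
func Demo() (genuineAccepted, patchedAccepted bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in image: an Intel HEX extended-address record for 0x0040xxxx.
	image := []byte(":020000040040BA\n")
	update := SignUpdate(priv, image)
	_, errGenuine := LoaderVerify(pub, update)
	// Flip one bit inside the signed image, as a patched firmware would
	// differ from the signed one: the Loader must now reject it.
	patched := append([]byte{}, update...)
	patched[len(image)/2] ^= 0x01
	_, errPatched := LoaderVerify(pub, patched)
	return errGenuine == nil, errPatched == nil
}
```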
17. That’s all
Thanks for your attention
Kirill Ermakov, Dmitry Sklyarov
KErmakov@ptsecurity.ru
DSklyarov@ptsecurity.ru
Department for Advanced Developments
Positive Technologies
And special thanks to
A.Raspopov and A.Tlyapov