Translation should not seek to communicate the meaning of the original because the communication of its content is not in the least essential to our appreciation of it. Therefore, no translator needs to concern himself very much with what the original means, or so Benjamin claims.
Breaking Code Read Protection on the NXP LPC-family Microcontrollers
But, of course, no translator can possibly be expected to tackle all the languages of the world in a single work of translation and in practical terms the task of the translator is somewhat provisional: he or she only marks the intersection of two languages in the vast linguistic mass which is the sum total of all languages, the pure language. After all, computer memory can achieve that which no single human can, namely to store and retrieve previously unimaginable masses of linguistic information in multiple languages.
Could we not see these linguistic databases as a technological approximation of pure language, made possible by the massive memory capacity of modern computing? And furthermore, since online translation tools use precisely these vast stores of linguistic material in order to produce translations—does this not imply that online translations are quite literally powered by pure language?
To clarify the relationship between languages encapsulated in pure language, Benjamin introduces a distinction between what is meant, das Gemeinte , and the manner of meaning it, Art des Meinens. In other words, the translator should not simply translate the words pain or Brot as bread , but show that bread means differently in French and German. For instance, the German word Brot incorporates the shorter word rot —meaning the colour red. This is mirrored in the sound of the English bread that likewise rhymes with the colour red.
Such a relationship between bread and redness is, however, wholly absent in the French equivalents pain and rouge. The bread has become moldy and the dates blown down by the wind; the iron has slipped from the helve. The wool was to be dyed red but the dyer dyed it black. The dead woman has forgotten her comb and tube of eye-paint; the dead cobbler has forgotten his knife, the dead butcher his chopper, and the dead carpenter his adze. Dyed red, died red, dead.
But also dyed black, which is, of course, the colour of death, and perhaps also the colour dye of the eye-paint that the dead woman has forgotten. Perhaps Reznikoff is also alluding to the superstition that the person who places shoes on a table as cobblers do risks death to a family member, the butcher of course more explicitly deals with death in his vocation, whereas the carpenter may well use his adze to manufacture coffins. Benjamin sought to expand this characteristically poetic mode of attending to the manner of how words mean to encompass translation as well.
It follows that for him the form, Art des Meinens , is more important in translation than the content, das Gemeinte, because it is the manner of meaning that is unique to that other language, whereas what is meant is ultimately the same in all languages. The translation, then, should reveal not what the original is about, but its manner of meaning.
This transparency not only reveals in the receiving language how the foreign language means, but also, conversely, underlines the unique manner of meaning found in the original. The sentence, with its linear progression of words that builds up into a meaningful utterance, is the non-essential and hence obstructing element in the work of a translator. In reading a sentence we are drawn to what it communicates at the expense of the manner in which it means, its construction as it were.
It is here that translation engines come into their own: they are as excellent at literalism as they are bad at communicative interpretation—in machine translation the meaning-laden significance of the literary text is lost and the text becomes nothing more than a task to resolve. In generating a translation, the online engine, unlike the human translator, approaches the original language merely as form, a code to be decoded and recoded in fact, machine translation arose out of the code-cracking technology used during the Second World War. While the human translator has to struggle against the hermeneutic imperative to interpret what he reads, the machine goes straight for the syntactical relations between words, finds their dictionary equivalents and jumbles together a sentence that is, more often than not, heavily indebted to the word order of the original language.
This approach prioritises the meanings of individual words over sentences or phrases—which also explains the clunky and unidiomatic nature of such translations.
As an algorithmic process it is rigidly literal, with not a single degree of freedom in it, and yet in its effects it wanders wildly adrift of its original text. To illustrate his argument, Dibbell uses the Babelfish translation engine to translate a poem by William Butler Yeats back and forth into Portuguese until it stops altering. Higher-end ones should have manufacturer-specific databases that allow you to perform much more detailed testing. DTCs usually erase themselves once the fault no longer appears during conditions similar to when the fault was first found.
For this purpose, similar is defined as the following:. The reason for this is simple enough: to prevent mechanics from manually turning off the MIL and clearing the DTCs when the problem still exists. Unfortunately, although UDS was designed to make vehicle information accessible to even the mom-and-pop mechanic, the reality is a bit different: CAN packets are sent the same way but the contents vary for each make, model, and even year.
Auto manufacturers sell dealers licenses to the details of the packet contents. In practice, UDS just works as a gateway to make some but not all of this vehicle information available. Diagnostic tests like these send the system a request to perform an action, and that request generates signals, such as other CAN packets, that are used to perform the work. For instance, a diagnostic tool may make a request to unlock the car doors, which results in the component sending a separate CAN signal that actually does the work of unlocking the doors.
In this listing, 7df is the OBD diagnostic code, 02 is the size of the packet, 01 is the mode show current data; see Appendix B for a list of common modes and PIDs , and 0d is the service a vehicle speed of 0 because the vehicle was stationary. The response adds 0x8 to the ID 7e8 ; the next byte is the size of the response.
Responses then add 0x40 to the type of request, which is 0x41 in this case. Then, the service is repeated and followed by the data for the service. ISO-TP specifies a method to receive response data. Table lists the most common error responses. In this response, we can see that after 0x7e8, the next byte is 0x03, which represents the size of the response. The next byte, 0x7F, represents an error for service 0x11, the third byte. The final byte, 0x11, represents the error returned—in this case, service not supported SNS. Run istotpsend in one terminal, and then run isotpsniffer or isotprecv in another terminal to see the response to your istotpsend commands.
Then, in another terminal, send the request packet via the command line:. In the case of UDS, the source is 0x7df, and the destination response is 0x7e8. The first 3 bytes make up the UDS response. Enter this VIN into Google, and you should see detailed information about this vehicle, which was taken from an ECU pulled from a wrecked car found in a junkyard.
Table shows the information you should see. Table VIN Information. The first byte of the data section in a diagnostic code is the mode. Shows data streams of a given PID. Has the same PID values as 0x01, except that the data returned is from the freeze frame state. Allows a technician to activate and deactivate the system actuators manually.
System actuators allow drive-by-wire operations and physically control different devices. Dealership scan tools have a lot more access to vehicle internals and are an interesting target for hackers to reverse engineer. This mode pulls DTCs that have been erased via mode 0x One such module is a DCM module that deals specifically with discovering diagnostic services. Set your channel to that of your SocketCAN device.
Now, to discover what diagnostics your vehicle supports, run the following:. This will send the tester-present code to every arbitration ID. Here is an example discovery session using CaringCaribou:. Next, we probe the different services on 0x Notice that the output lists several duplicate services for service 0x As of this writing, CaringCaribou is in its early stages of development, and your results may vary.
Restart the scan from where it left off using the -min option, as follows:. In our example, the scan will also stop scanning a bit later at this more common diagnostic ID:.
Chapter 7: Design and Development
In order to keep the vehicle in this state, you need to continuously send a packet to let the vehicle know that a diagnostic technician is present. The tester present packet keeps the car in a diagnostic state. One possible workaround is to tell slcand to use canX style names instead of slcanX. The enhanced version, 0x22, can return information not available with standard OBD tools.
Use the SecurityAccess command 0x27 to access protected information. This can be a rolling key, meaning that the password or key changes each time, but the important thing is that the controller responds if successful. You likely know that airplanes have black boxes that record information about flights as well as conversations in the cockpit and over radio transmissions. All and newer vehicles are also required to have a type of black box, known as an event data recorder EDR , but EDRs record only a portion of the information that a black box on an airplane would.
While this data is very similar to freeze frame data, its purpose is to collect and store information during a crash. The EDR constantly stores information, typically only about 20 seconds worth at any one time. These boxes collect data from other ECUs and sensors and store them for recovery after a crash. Figure shows a typical EDR. Figure A typical event data recorder. CDR kits include both proprietary hardware and software. The format of vehicle crash data is often considered proprietary as well, and many manufacturers license the communication protocol to tool providers that make CDRs.
Obviously, this is not in the best interest of the consumer. The SAE J standard lists recommended practices for event data collection and defines event records by sample rate: high, low, and static. While the SAE J states latitude and longitude recordings, many manufacturers claim not to record this information for privacy reasons.
Your research may vary. Not all manufacturers conform the to SAE J standard. The SDM does not record any post-crash information. These coincide with other crash recovery systems and extend the functionality by contacting the manufacturer or third party. ACNs are specific to each manufacturer, and each system will send different information. For example, the Veridian automated collision notification system released in reports this information:. Captured freeze frame snapshots rarely contain information that would help determine whether the DTC was triggered by malicious intent.
This type of attack would most likely occur during the research phase of an attack when an attacker is trying to determine what components the randomly generated packets were affecting , not during an active exploit. Accessing and fuzzing manufacturer-specific PIDs—by flashing firmware or using mode 0x08—can lead to interesting results. Unfortunately, security professionals will need to reverse or fuzz these proprietary interfaces to determine what is exposed before work can be done to determine whether there are vulnerabilities.
If they can keep undocumented entry points and weaknesses a secret, then their exploit will last longer without being detected. You have learned how CAN packets can be linked together to write larger messages or to create two-directional communications over CAN. You also learned how to read and clear any DTCs. You looked at how to find undocumented diagnostic services and saw what types of data are recorded about you and your driving habits. You also explored some ways in which diagnostic services can be used by malicious parties. In order to reverse engineer the CAN bus, we first have to be able to read the CAN packets and identify which packets control what.
The rest of the nondiagnostic packets are the ones that the car actually uses to perform actions. See Chapter 2 for common locations of the OBD connectors and their pinouts. CAN wires are typically two wires twisted together. This can be difficult to identify because the bus is often noisy. The CAN bus uses a ohm terminator on each end of the bus, so there should be 60 ohms between the two twisted-pair wires you suspect are CAN.
You should get a constant signal because the differential signals should cancel each other out. If the car is turned off, the CAN bus is usually silent, but something as simple as inserting the car key or pulling up on the door handle will usually wake the vehicle and generate signals. First, you need to determine the type of communication running on the bus. In order to do so, locate the bus those target components use, and then reverse engineer the packets traveling on that bus to identify their purpose.
There are a ton of these devices on the market. However, a proprietary device specifically designed to sniff CAN should still work. If your background is in networking, your first instinct may be to use Wireshark to look at CAN packets. This technically works, but we will soon see why Wireshark is not the best tool for the job. Wireshark can listen on both canX and vcanX devices, but not on slcanX because serial-link devices are not true netlink devices and they need a translation daemon in order for them to work.
If you need to use a slcanX device with Wireshark, try changing the name from slcanX to canX. I discuss CAN interfaces in detail Chapter 2. Figure Wireshark on the CAN bus. Listing uses slcan0 as the sniffer device. Listing candump of traffic streaming through a CAN bus. Devices on a CAN network are noisy, often pulsing at set intervals or when triggered by an event, such as a door unlocking. This noise can make it futile to stream data from a CAN network without a filter. Good CAN sniffer software will group changes to packets in a data stream based on their arbitration ID, highlighting only the portions of data that have changed since the last time the packet was seen.
The cansniffer command line tool groups the packets by arbitration ID and highlights the bytes that have changed since the last time the sniffer looked at that ID. For example, Figure shows the result of running cansniffer on the device slcan0. Figure cansniffer example output. You can add the -c flag to colorize any changing bytes. For example, to see only IDs and as cansniffer collects packets, enter this:. The command uses a bitmask , which does a bit-level comparison against the arbitration ID.
Any binary value of 1 used in a mask is a bit that has to be true, while a binary value of 0 is a wildcard that can match anything. A bitmask of all 0s tells cansniffer to match any arbitration ID. The minus sign - in front of the bitmask removes all matching bits, which is every packet.
You can also use a filter and a bitmask with cansniffer to grab a range of IDs. Using 7FF as a mask is the same as not specifying a bitmask for an ID. For example. For those not familiar with AND operations, each binary bit is compared, and if both are a 1 then the output is a 1. Figure Kayak GUI interface. The can-utils suite records CAN packets using a simple ASCII format, which you can view with a simple text editor, and most of its tools support this format for both recording and playback.
For example, you can record with candump , redirect standard output or use the command line options to record to a file, and then use canplayer to play back recordings. Figure Kayak recording to a logfile. Once your packet capture is complete, the logging should show in the Log Directory drop-down menu see Figure Figure Right pane of Log files tab settings. To play back the capture, right-click the Log Description in the right panel, and open the recording see Figure Listing shows the logfile created by candump using the -l command line option:. Listing candump logfile.
Notice in Listing that the candump logfiles are almost identical to those displayed by Kayak in Figure First, you may have missed the action in the recording, so try recording and performing the action again. Try unlocking the passenger door instead while recording. Try to replay the recording a few times to make sure the playback is working. Once you have a recording that performs the desired action, use the method shown in Figure to filter out the noise and locate the exact packet and bits that are used to unlock the door via the CAN bus.
The quickest way to do this is to open your sniffer and filter on the arbitration ID you singled out. Unlock the door, and the bit or byte that changed should highlight. You should be able to tell exactly which bit must be changed in order to unlock each door. Figure Sample unlock reversing flow. For instance, by removing different halves of a logfile, you can identify the one ID that triggers the door to unlock:. The specifics will vary for each vehicle. Now, what happens when you change the 0x0F?
To find out, unlock the car and this time send a 0x But why did 0x03 control two doors and not a different third door? The answer may make more sense when you look at the binary representation:. What about the remaining four bits? The best way to find out what they do is to simply set them to 1 and monitor the vehicle for changes. If not, they might control different door-like behavior, such as unlatching the trunk.
For the UDS protocol, this value is actually as follows:. This is because vehicles often compress the RPM value using a proprietary method. Be sure to put the car in park before you do this, and even lift the vehicle off the ground or put it on rollers first to avoid it starting suddenly and crushing you.
Ignore all the blinking warning lights, and follow the flowchart shown in Figure to find the arbitration ID that causes the tachometer to change. Consequently, you may have to play and record more traffic than before. Remember the value conversions mentioned earlier, and keep in mind that more than one byte in this arbitration ID will probably control the reported speed. Again, make sure that the car is immobilized in an open area, with the emergency brake on, and maybe even up on blocks or rollers. Start recording and give the engine a good rev. Then, stop recording and play back the data.
Once you have the reaction you expect from the vehicle, repeat the halving process used to find the door unlock, with some additional Kayak options. The slider represents the number of packets captured. Use the slider to pick which packet you start and stop with during playback. You can quickly jump to the middle or other sections of the recording using the slider, which makes playing back half of a section very easy. Figure Kayak playback interface. To override this noise, you need to talk even faster than the normal communication to avoid colliding all the time.
For instance, if you play your packets right after the real packet plays, then the last seen update will be the modified one. Reducing noise on the bus results in fewer collisions and cleaner demos. If you can send your fake packet immediately after the real packet, you often get better results than you would by simply flooding the bus.
To send packets continuously with can-utils , you can use a while loop with cansend or cangen. The instrument cluster simulator ICSim is one of the most useful tools to come out of Open Garages, a group that fosters open collaboration between mechanics, performance tuners, and security researchers see Appendix A. ICSim was designed as a safe way to familiarize yourself with CAN reversing so that the transition to an actual vehicle is as seamless as possible. To use ICSim, first load the instrument cluster to the vcan device like this:.
In response, you should see the ICSim instrument cluster with turn signals, a speedometer, and a picture of a car, which will be used to show the car doors locking and unlocking see Figure Figure ICSim instrument cluster. Figure ICSim control interface. The screen looks like a game controller; in fact, you can plug in a USB game controller, and it should be supported by ICSim.
As of this writing, you can use sixad tools to connect a PS3 controller over Bluetooth as well. You can use the controller to operate the ICSim in a method similar to driving a car using a gaming console, or you can control it by pressing the corresponding keys on your keyboard see Figure Once the control panel is loaded, you should see the speedometer idle just above 0 mph.
The control application writes only to the CAN bus and has no other way to communicate with the icsim. The only way to control the virtual car is through the CAN. Accelerate up arrow Press this to make the speedometer go faster. The longer you hold the key down, the faster the virtual vehicle goes. Play around with the controls to make sure that the ICSim is responding properly. Try to identify which packets control the vehicle, and create scripts to control ICSim without using the control panel.
Most of the changing data you see in Figure is caused by a replay file of a real CAN bus. All methods of replay and packet sending will work with ICSim, so you can validate your findings. Figure Screen layout for using ICSim. One of the great things about ICSim is that you can challenge yourself by making it harder to find the target CAN traffic.
ICSim supports four difficulty levels—0 through 3, with level 1 as the default. Level 0 is a super simple CAN packet that does the intended operation without any background noise, while level 3 randomizes all the bytes in the packet as well. You can replay or share a specific seed value as well. If you find one you like or if you want to race your friends to see who can decipher the packets first, launch ICSim with a set seed value like this:. It may take you a while to locate the proper packets the first time using ICSim, but after a few passes, you should be able to quickly identify which packets are your targets.
Depending on your vehicle, one solution to reverse engineering the CAN bus is OpenXC, an open hardware and software standard that translates proprietary CAN protocols into an easy-to-read format. This access could be read-only or allow you to transmit packets. If more auto manufacturers eventually support OpenXC, it could provide third-party tools with more raw access to a vehicle than they would have with standard UDS diagnostic commands. Different vehicles may support different signals than the ones listed here or no signals at all.
Notice how the metadata definitions in JSON make it fairly easy for both humans and a programming language to read and interpret. However, if you want to write an app or embedded graphical interface to only read and react to your vehicle and you own a new Ford, then this may be the quickest route to those goals. Hooray, open source! First, we define the bus by creating a JSON file with a text editor. If all goes well, you should have a. By making your own config files for OpenXC, you can bypass the restrictions set up in prereleased firmware and support other vehicles besides Ford.
Fuzzing the CAN bus can be a good way to find undocumented diagnostic methods or functions. Fuzzing takes a random, shotgun-like approach to reversing. When fuzzing , you send random-ish data to an input and look for unexpected behavior, which in the case of a vehicle could be physical changes, such as IC messages, or component crashes, such as shutdowns or reboots. Also, some CAN packets are visible only from within a moving vehicle, which would be very dangerous. Several other open source CAN sniffing solutions allow for easy scripting or programming with languages such as Python.
When fuzzing undocumented UDS modes, we typically look for any type of response from an unknown mode. If you use brute-forcing tools such as CaringCaribou, however, there are often cleaner ways of accomplishing the same thing, such as monitoring or reversing the diagnostic tools themselves. Here are a few common problems and solutions. This can drain a battery much faster than you might think. To restart it, jump the vehicle with a spare battery.
Look for main fuses around major electronics. The fuses that control the headlamps probably are not the culprits. Use a process of elimination to determine the device that is causing the issue. This is a bad, but fortunately rare, situation. Reverse engineering the CAN bus should never result in bricking—that is, breaking the vehicle so completely that it can do nothing. To brick a vehicle, you would need to mess around with the firmware, which would put the vehicle or component out of warranty and is done at your own risk.
In this chapter, you learned how to identify CAN wires from the jumble of wires under the dash, and how to use tools like cansniffer and Kayak to sniff traffic and identify what the different packets were doing. You also learned how to group CAN traffic to make changes easier to identify than they would be when using more traditional packet-sniffing tools, such as Wireshark. You should now be able to look at CAN traffic and identify changing packets.
Once you identify these packets, you can write programs to transmit them, create files for Kayak to define them, or create translators for OpenXC to make it easy to use dongles to interact with your vehicle. You now have all the tools you need to identify and control the components of your vehicle that run on CAN. A vehicle typically has as many as a dozen or more electronic controllers, many of which are networked to communicate with each other.
These computerized devices go by many different names, including electronic control unit or engine control unit ECU , transmission control unit TCU , or transmission control module TCM. While these terms may have specific meanings in a formal setting, similar terms are often used interchangeably in practice. What may be a TCU to one manufacturer is a TCM to another, yet both electronic controllers perform the same or extremely similar functions.
Most automotive control modules have measures in place to prevent you from altering their code and operation; these range from very strong to laughably weak. The attack vectors for ECUs fall into three different classes:. Front door attacks Commandeering the access mechanism of the original equipment manufacturer OEM. Backdoor attacks Applying more traditional hardware-hacking approaches. Exploits Discovering unintentional access mechanisms.
However, OEMs are generally not very creative and seldom change their ways, so insight into one controller likely applies to similar models from the same manufacturer. The OBD-II standard mandates that you be able to reprogram vehicles through the OBD-II connector, and reverse engineering the original method for programming is a guaranteed attack vector.
The SAE J standard, or simply J , was developed to promote interoperability among digital tool vendors through the use of the J API, which outlines the recommended way for Microsoft Windows to communicate with a vehicle. Prior to the adoption of the J standard, each software vendor created its own proprietary hardware and drivers for communicating with a vehicle in order to perform computerized repairs.
J introduced a series of DLLs that map standard API calls to instructions necessary to communicate with a vehicle, thereby allowing multiple manufacturers to release software designed to work with Jcompatible hardware. J tools provide a convenient way to observe OEM tools interacting with vehicle computers. Manufacturers often leverage J to update computer firmware and sometimes to provide powerful diagnostic software.
When using J tools to attack vehicle systems, the basic idea is to observe, record, analyze, and extend functionality. Of course, the first step is to obtain and configure a J application and its corresponding interface hardware in order to perform a task you want to observe. Once you have your setup, the next step is to observe and record communications with the target while using the J tools to perform an action on the target, like updating a configuration parameter. Successful analysis of this communication will give you the knowledge you need to access vehicle systems the way the OEMs do.
The J shim is a software J interface that connects to a physical J interface and then passes along and logs all commands that it receives. This dummy interface is a kind of man-in-the-middle attack that allows you to record all API calls between the J application and the target. You can then examine the log of commands to determine the actual data exchanged between the J interface and the device. To find an open source J shim, search code. You should also be able to find precompiled binaries. You can also use J to generate interesting traffic that you can then observe and record with a third party sniffer.
See Chapter 5 for more information on monitoring network traffic. For more on the Keyword Protocol , see Chapter 2. Seed-key algorithms usually generate a pseudorandom seed and expect a particular response, or key , for each seed before allowing access. A typical valid exchange could look something like this:.
You might have a bit seed and bit key, a bit seed and bit key, or a bit seed and bit key. The algorithm that generates a key from a given seed also varies from platform to platform. Most algorithms are a combination of simple arithmetic operations and one or more values used as part of the computation. There are several techniques for figuring out these algorithms in order to give you access to the ECU:. Disassemble it and analyze the embedded code to find the code responsible for generating seed-key pairs.
The main advantage of this method over purely passive observation is that it allows you to pick seeds for which you can reproduce the keys. Sometimes front door attacks are too tricky; you may not have the right tools or the lock might be too hard to figure out. In fact, using more direct-to-hardware backdoor approaches often makes more sense than trying to reverse engineer the front door lock placed by the factory, especially when trying to reprogram engine modules.
If you can obtain a dump of the module, you can often disassemble and analyze it to figure out how the keys to the front door work. The first step in a hardware backdoor attack is analyzing the circuit board. When reversing a circuit board of any system, you should start with the largest chips first. These larger processor and memory chips are likely to be the most complex.
The type of memory used varies immensely from one platform to another; every single variety listed here has been found in the wild. Newer designs are less likely to have parallel memories and more likely to have serial chips. Newer microcontrollers are less likely to have any external memories at all, as their internal flash capacities have dramatically increased.
Any nonvolatile memory chip present can be removed from the circuit board, read, and then replaced. Chapter 8 goes into much more detail on reverse engineering the circuit board. Although arguably just another example of a backdoor approach, exploits deserve special attention. Rather than taking apart a computer, exploits involve feeding a system carefully crafted inputs to make it do things outside normal operation.
Typically, exploits build on a bug or problem. This bug might cause a system to crash, reboot, or perform some undesirable behavior from the perspective of the vehicle user. Some of these bugs present the opportunity for buffer overflow attacks, which open the door for commandeering the vulnerable device merely by feeding it unexpected inputs.
A cleverly crafted set of inputs triggers the bug, which then makes the device execute arbitrary code provided by the attacker instead of triggering the usual fault condition. Not all bugs can be turned into exploits, however—some bugs only cause problems or shut down core systems. And while bugs are usually discovered by accident, most exploits require careful craft.
Most of the time, this knowledge needs to be gathered through research prior to writing an exploit. While it is foolish to discount the relevance of exploits, the other methods presented here and in Chapter 8 are much more practical paths to understanding and reprogramming automotive systems in most cases. Hacking into an automotive control module far enough to retrieve its current firmware and configuration is really just the beginning of the adventure.
At this point, you probably have anywhere from 4KB to 4MB of raw machine-ready code, with a mixture of various parameters and actual code that forms the program the processor will run. Next you need to disassemble the binary. First, you must know which chip this binary is for. There are several free decompilers for different chips out on the Internet. Otherwise you can drop some cash and buy IDA Pro, which supports a large variety of chips. These tools will convert the hex values in the binary into assembler instructions. The next stage is to figure out what exactly you are looking at.
You can follow a number of breadcrumbs , or clues, for starters; these breadcrumbs are almost guaranteed to lead you to interesting and useful material. Every engine controller has some type of self-diagnostic system that typically monitors most critical engine functions, and analyzing this is an excellent route to understanding firmware. A good first step in investigative disassembly is to identify the location of these procedures.
This will provide you with insight into the memory locations involved in all of the sensors and functions that are checked for errors. For example, knowing that code 10 refers to a failed intake air temperature sensor means you can find the piece of code that sets error code 10 to help you identify the internal variables associated with the air temperature sensor. For more detailed information on using diagnostics, see Chapter 4.
Being able to change the behavior of a control unit is often one of the primary goals of reverse engineering ECU firmware, and identifying data used by a controller is an important step in the process. Most ECUs have a set of library functions used for routine tasks throughout the code. Each time a table is used, a function is called to fetch a result. Calls to this type of function are among the most frequent, making them easy to spot. Usually each type of data stored within the ECU—one-dimensional array of bytes; two-dimensional array of words; three-dimensional array of unsigned, signed, and float shorts; and so on—has a unique reference function.
When called, each table lookup routine needs to be passed, at a minimum, the table index or start address and the axis variables.
7.3. Quality Design
Often, table lookup routines can be reused to pass information about the structure of the table, such as how many rows and columns are present. Calibration data is usually stored in program memory, along with the routines accessing them. Microcontrollers typically have special instructions to access program memory, which provide a unique signature to search for and make table lookup routines particularly easy to spot.
A secondary characteristic of these lookup routines is that they tend to have lots of interpolation math. After identifying reference routines, searching for all calls to them can provide a key to identifying the vast majority of data used by the controller to make decisions. The arguments passed to these functions typically include the start address of a table, its structure or shape, and which variables index elements of the table. One way to identify tables is to leverage the specific physical and electrical characteristics of vehicle sensors, which will display identifiable characteristics within ECU firmware.
For example, an ECU with a MAF sensor will have a table that translates raw readings of voltage or frequency from the MAF into airflow into the engine, providing an internal representation. This will result in the tables having a characteristic set of values that can be observed in the ROM.
Figures and show similarly shaped Ford and Nissan sensor curves; the similarity they illustrate extends to multiple manufacturers. Figure Ford MAF transfer graph. Figures through show five different views of the same data. Figure shows how the VQ curve pictured in Figure would look in a hex editor. Figure VQ table in HxD hex editor: bytes or to bit words.
Figures and show the VQ table in analyze. A simple visualization tool, analyze. Figure VQ table in analyze. Figure First four rows of 16xbit values. Notice how the smooth nonlinear curve in Figures and mimics the smooth nonlinear progression of values. Figure shows the same values in a column layout, so you can see the full gradient of the first four rows from Figure Figure to bit words per row.
Data visualization tools like hex editors or analyze. Figure shows an example of the clear visual pattern of data in analyze.
- Confessions of a Bible Thumper: My Homebrewed Quest for a Reasoned Faith.
- A Simple Guide To Work Related Heat Diseases (What You Need to Prevent Work Related Heat Diseases) (A Simple Guide to Medical Conditions)!
- Los días contados (Libros del Asteroide) (Spanish Edition).
- DNA function & structure (with diagram) (article) | Khan Academy!
On the other hand, when you look at code like that in Figure , there is a more random, chaotic appearance. Hopefully, these examples help connect knowledge of the table data you expect to find with their representation within a binary blob. Learning the capabilities of the microcontroller unit MCU used in a target system can shed light on the types of data to expect when looking over the binary data. Generally, data representation formats are dictated by the hardware present.
Knowing the size of registers on the MCU running the show can be a big help for identifying parameters. Most parameters tend to be the same size as or smaller than the registers of a given MCU. The more the better! Doing a simple compare in a hex editor will show which bytes differ between the files. Figures and compare a V8 Mustang and a V6 Thunderbird, showing 6, differences out of , bytes. Most processors use an interrupt vector table defined by the processor being used. Tracing interrupt pins on the processor to circuitry within the ECU to pins you can reference in a vehicle wiring diagram can help you identify code blocks used to service such hardware functions as fuel and spark control, crank and cam signal processing, and idle functions.
Figure File compare function of the HxD hex editor. WinOLS is a popular commercial program for modifying bins. It combines a series of tools for calculating and updating checksums within a ROM with a set of tools for identifying tables. Figures and illustrate WinOLS in use. If the ROM type is known, it has many templates that automatically identify configuration parameters. Templates and configurations can be saved, shared, and sold to enable users to make modifications to specific files with greater ease.
Code analysis can be a long, complicated task. An ECU from with 32 kilobytes not megabytes of code will have upward of 10, assembly instructions to sort out. Bottom line: do not underestimate how much work this approach will take. After all, entire books have been written solely on code analysis. Knowing what processor executed the blob of binary will help you choose an appropriate software tool to further assist. To analyze code, you might need to find a disassembler.
A quick Google search reveals that there are lots of them out there. Some target a single architecture—for example, Dis51—and some are custom-written for automotive reverse engineering—for example, Dis66k. Rebuilding binutils with all architectures enabled will open a few doors.
Your budget and supported processors will determine which disassemblers are an option. Bust out the disassembly tools and start trying to make sense of the mess, but as I warned earlier, this might take hundreds of hours. A divide-and-conquer mentality works best—focus on the smaller tasks rather than the project as a whole. If you obtained the binary by backdoor methods, you probably already took the ECU apart to identify the processor. If you cracked the J programming routines, you might not have a clue what processor is running the show.
If you can find the patents relevant to your system, you may end up with a guided tour of the code being disassembled. This is probably the most consistently available high-level procedural guide to help you understand the logic in an automotive computer. Patents usually lead production by at least one to two years, if not more.
You can often infer a model of behavior from tables available to be modified in aftermarket software. This should tell you which piece of MCU hardware handles which function. Cross reference the interrupt tables, or look for calls to service particular pieces of hardware in order to identify which piece s of code service that hardware function. A plain, or old-style, disassembler will output very verbose text. Each individual instruction is parsed. Some disassemblers will attempt to mark areas referenced as data and void disassembling them.
Other disassemblers need to be specifically told which areas are code and which areas are data. DASMx comes with minimal instructions: to disassemble foo. Time for a crash course in the architecture! This information tells you what to expect when looking at the addresses in your binary blob. It also helps to search online to see whether others are trying to do something similar.
The more legwork and research you do prior to actually invoking a disassembler, the more likely you are to get reasonable results. Figure shows the symbol table for the ZX binary. Next to each symbol is the memory address used by the firmware. These memory addresses can hold values such as incoming data from different physical pins on the chip or internal information, like timing. The result is the vector table shown in Figure , which looks sane enough: all addresses are above the 0x entry point specified.
Figure Disassembled vector table. We can disassemble the code at 0xBE6D for the reset vector, which is also the entry point for code. This is a plausible part of the initial reset sequence because often when booting, firmware will initialize the data region to all 0s. Figure Reset vector disassembly.
Now, for the hard part: following the code, breaking it into routines, and trying to figure out how it works. As of this writing, IDA Pro is the most popular interactive disassembler available. It performs the same tasks as the simple disassembler just discussed, and more. IDA Pro also graphs code to visualize program flow. Lastly, IDA Pro supports more embedded platforms out of the box than just about any other disassembler currently available. Figures and are screenshots from real code analysis with IDA Pro. Thanks to Matt Wallace for graciously posting these examples in a public forum.
Next, the user determined the necessary functions to log data from the ECU and alter its operation. The result allowed the user to use forced induction—that is, turbochargers and superchargers—with a factory computer; this would have been impossible without ECU modification. Because hacking on the ECU often involves processors that are smaller than those used in more powerful modern devices, such as cell phones, the tools used for reversing the firmware differ for each target.
The methods discussed in this chapter are techniques commonly used by performance tuners to adjust how a vehicle handles fuel efficiency. All can be used to unlock features hidden in the code of your vehicle. The most basic test bench is the device that you want to target and a power supply. When you give an ECU the proper amount of power, you can start performing tests on its inputs and communications. Figure A simple ECU test bench. To make it easier to turn the device on and off, you can add a switch to the power supply. One place to find an ECU is, of course, at the junkyard.
Be sure that the ECU you buy includes the wire bundles. One downside to buying an ECU online is that it may be difficult to acquire parts from the same car if you need multiple parts. Simulators can generate faults and MIL lights, and they include fault knobs for changing common vehicle parameters, such as speed.
Try to mentally break down each component to get a better idea of which wires to focus on. Figure Example of an ECU wiring diagram. Block diagrams are often easier to read than wiring diagrams that show all components on the same sheet. Block diagrams usually show the wiring for only one component and offer a higher-level overview of the main components, whereas schematics show all the circuitry details. Table Example Connector Legend. The legend should give the connector number, its number pin count, and the color. L-GY probably means light gray, and so on.
A connector number like C refers to connector 2, pin The connectors usually have a number on the first and last pin in the row. When you provide power—a power supply from an old PC should suffice—and add a CAN sniffer, you should see packets. If you have everything wired correctly, the scan tool should be able to identify the vehicle, assuming that your test bench includes the main ECU.
To address this problem, start by adding a ohm resistor, as a CAN bus has ohm resistors at each end of the bus. The maximum missing resistance should be ohms. A lot of components communicate with the ECU in a simple manner, either via set digital signals or through analog signals. Analog signals are easy to simulate with a potentiometer and you can often tie a 1 kilohm potentiometer to the engine temp and fuel lines to control them. Notice that the optional IC has two 1 kilohm potentiometers, or variable resistors, on the lower left side, both of which are tied to the engine temperature and fuel lines.
We use these potentiometers to generate sensor signals, as discussed in the following section. This particular test bench also includes a small MCU that allows you to simulate sending crankshaft and camshaft signals to the ECU. Figure More complex test bench. A more complex unit like the one in Figure makes it trivial to determine CAN traffic: just load a sniffer, adjust the knob, and watch for the packets to change.
As I mentioned, you can use the potentiometers in this setup to simulate various vehicle sensors, including the following:. If your goal is to generate more complex or digital signals, use a small microcontroller, such as an Arduino, or a Raspberry Pi. In order to do this, we need a little background on how the ECU measures speed. Hall effect sensors are often used to sense engine speed and crankshaft position CKP and to generate digital signals. In Figure , the Hall effect sensor uses a shutter wheel, or a wheel with gaps in it, to measure the rotation speed. The gallium arsenate crystal changes its conductivity when exposed to a magnetic field.
As the shutter wheel spins, the crystal detects the magnet and sends a pulse when not blocked by the wheel. By measuring the frequency of pulses, you can derive the vehicle speed. Figure Shutter wheel diagram for Hall effect sensor. You can also use the camshaft timing sprocket to measure speed. When you look at the camshaft timing sprocket, the magnet is on the side of the wheel see Figure Figure Camshaft timing sprocket. Using a scope on the signal wire shows that the Hall effect sensor produces a square wave.
Typically, there are three wires on the camshaft sensor: power, ground, and sensor. Camshaft sensors also come as optical sensors, which work in a similar fashion except an LED is on one side and a photocell is on the other. You can gauge full rotation timing with a missing tooth called a trigger wheel or with a timing mark. An inductive camshaft sensor produces a sine wave and will often have a missing tooth to detect full rotation.
Figure shows the camshaft sensor repeating approximately every 2 milliseconds. The jump or a gap you see in the wave at around the millisecond mark occurs when the missing tooth is reached. The location of that gap marks the point at which the camshaft has completed a full rotation. Figure Camshaft sensor signals under a scope. This will give us the exact year, make, model, and engine type of the vehicle.
Table shows the results.
Table Vehicle Information. Then, we can send simulated speed data to the ECU in order to measure effects. Using wiring diagrams to simulate real engine behavior can make it easy to identify target signals on the CAN bus. Figure Wiring diagram showing the engine speed pin. The wiring diagram in Figure shows how you can trace the wire from the CKP sensor so that connector C2, pin 27 receives the engine speed from the crankshaft sensor.
Having identified this pin in the wiring diagram, we locate the corresponding wire on the ECU. We can connect this wire to any digital IO pin on an Arduino. Pin 2 will send output to C2, pin In order to simulate engine speed sent from the CKP sensor, we code up an Arduino sketch to send high and low pulses with a delay interval mapped to the potentiometer position see Listing Listing Arduino sketch designed to simulate engine speed.
Now, we upload this sketch to the Arduino, power up the test bench, and when we turn the knob on the potentiometer, the RPM dial moves on the IC. In Figure , the second line of the cansniffer traffic shows bytes 2 and 3—0x0B and 0x89—changing as we rotate the potentiometer knob for Arbitration ID 0x the column labeled ID. Figure cansniffer identifying RPMs. A is the first byte and B is the second byte. You can simplify this method to taking 0xB89, which is in decimal form.
When you divide this by 4, you get While this method works and, once connected, takes only a few seconds to identify the CAN packet responsible for RPMs, there are still some visible issues. Every so often a CAN signal shows up that resets the values to 00 00 and stops the speedometer from moving. In two different terminals, we can check whether there was a diagnostic code. You can also use a scan tool. And in another terminal, send this command:.
Looks like we have a DTC set. The first two bytes make up the standard DTC 0x00 0x Fixing these may not actually fix our problem, though. The PCM may continue to think the vehicle is running smoothly, but unless you really care about fudging all the data, you may be able to find other ways to trick the signals you want out of the PCM without having to be immune to triggering DTC faults. Another great alternative is the JimStim for Megasquirt. In this chapter you learned how to build an ECU test bench as an affordable solution to safe vehicle security testing. We went over where you can get parts for building a test bench and how to read wiring diagrams so you know how to hook those parts up.
You also learned how to build a more advanced test bench that can simulate engine signals, in order to trick components into thinking the vehicle is present. Building a test bench can be a time-consuming process during your initial research, but it will pay off in the end. Not only is it safer to do your testing on a test bench, but these units are also great for training and can be transported to where you need them. The ECU is a common target of reverse engineering, sometimes referred to as chip tuning. As mentioned in Chapter 7 , the most popular ECU hack is modifying the fuel map to alter the balance of fuel efficiency and performance in order to give you a higher-performance vehicle.
This chapter will focus on generic embedded-system methods of attack as well as side-channel attacks. These methodologies can be applied to any embedded system, not just to the ECU, and they may even be used to modify a vehicle with the help of aftermarket tools. The first step in attacking the ECU or any embedded system in a vehicle is to analyze the target circuit board.
When reversing a circuit board, first look at the model numbers of the microcontroller chips on the board.
These model numbers can help you track down valuable information that can be key to your analysis. When you encounter older chips like these, remove them from the board and plug them in to an EPROM programmer in order to read their firmware. You should be able to reprogram modern systems directly via debugging software, like JTAG. Once you locate a data sheet, try to identify the microcontrollers and memory locations on each chip to determine how things are wired together and where to find diagnostic pins—a potential way in.
The logo shown in Figure is for STMicroelectronics. Often, a light-up magnifier or a cheap USB microscope can prove very handy in reading these markings. Much like VIN numbers, model numbers are often broken down into sections representing model number and different variations. Figure STM32 chipset identification. To determine the function of the various pins, scan the data sheet to find the package pinout diagrams, and look for the package that matches yours for pin count.
For example, as you can see in Figure , each side of the chip has 25 pins for a total of , which matches the LQFP pinout in the data sheet shown in Figure Sometimes pin 1 on a chip is indicated by a cut-off corner. If you find nothing on a chip that allows you to identify pin 1, look for things you can identify. For example, if another chip on the board is a common CAN transceiver, you could use a multitool to trace the lines to figure out which pins it connects to.
You could then reference the data sheet to see which side of the chip contains these CAN pins. To do this, put your multimeter in continuity mode. Figure STM32F4 data sheet pinout. You can use a variety of debugging protocols to debug chips just as you do software. JTAG is a protocol that allows for chip-level debugging and downloading and uploading firmware to a chip.
You can locate the JTAG connections on a chip using its data sheet. Developers will disable JTAG firmware via either software or hardware. This is harder to bypass with glitch attacks, though voltage glitching or the more invasive optical glitches may succeed. When debugging ST chips, you can use a tool like ST-Link to connect, debug, and reflash the processor.
You can also use a STM32 Discovery board. These are actually developer boards with their own programmer. In order to use the Discovery kit as a generic programmer, remove the jumpers from the pins labeled ST-Link , and then connect the six pins on the opposite side labeled SWD see Figure Pin 1 starts next to the white dot on the SWD connector. Renesas is a popular automotive chipset used in ECUs see Figure When dealing with Freescale chips, such as the MCP5xxx series, keep in mind that the debugger may be Nexus.
Side-channel analysis is another hardware attack used to bypass ECU and other microcontroller protections and to crack built-in cryptography. This type of attack takes advantage of various characteristics of embedded electronic systems instead of directly targeting specific hardware or software.
- Lord Fix My Wife.
- Breaking Code Read Protection on the NXP LPC-family Microcontrollers.
- The Car Hacker’s Handbook;
- Glossary of Computer Related Terms?
Figure MultiTarget Victim Board. By changing jumpers on the board, you can pass power to enable or disable different systems, but be careful to enable only one section at a time, or you may short the board. Pay attention to the jumper settings before testing.