00:00:00,000 --> 00:00:02,999
(Music playing.) JAVIER: Hello! How are you, DEF CON?

00:00:02,999 --> 00:00:24,918
(Applause.) ALBERTO: How are you, DEF CON? Okay. So, you know, this is our presentation, we are speaking about car hacking, and later about how to do a forensic job on a car after a crash, after an accident, to retrieve the speed, the RPM, the brake position and this kind of things, okay.

00:00:25,751 --> 00:00:46,626
Let's start. You know it's called "Dude, Where the Fuck in My Car?" I'm Alberto, he's Javier, I'm going to introduce him: he's a hardware specialist. He loves breaking toys.

00:00:47,000 --> 00:01:04,375
Every time I meet with him, he is always with some stuff, with the hands completely dirty, dirty in the sense of the hands only, okay? So he's freelance, okay? He's working alone.

00:01:05,125 --> 00:01:36,876
He's from... we are from Spain, okay, this is important to understand the jokes and this kind of things. (Laughter.) Sometimes we have different kinds of jokes, but I think the Spanish jokes are cool. Have you ever been to Spain? He is from a city in the part of Spain that is in the very south, close to Morocco, and that's him, okay?

00:01:40,792 --> 00:01:49,209
I am this guy. On the left. The youngest one! The other guy is my Grandpa!
00:01:51,542 --> 00:02:28,501
(Laughter.) This is my second time here at DEF CON, last year I was speaking here about other stuff. The thing is... (Applause.) Thank you! The thing is, I don't want to introduce myself like the typical times, like, I'm doing this shit or whatever, blah, blah, blah, so the thing is I'm going to use a video from last year, yeah? It's a piece of the whole of last year here at DEF CON. So I think it will be enough to introduce myself.

00:02:31,292 --> 00:02:53,584
You see, I reuse the slides, I am lazy! I am from a city 200 kilometers to the north of Madrid, and I am 24 years old, I'm single, if anyone wants to... (Laughter.) Okay? No, I only like girls, sorry!

00:02:58,999 --> 00:03:14,999
(Laughter.) (Applause.) I am only 25 years old now, and all the rest is the same, so only girls, please! (Applause.) Okay, let's go.

00:03:18,125 --> 00:03:41,083
Okay, like I told you at the beginning, we are speaking about hacking the car, hacking the ECU, like the brain of the car. There are different brains around the car, but we are trying to get the control to interact with the ECU, the main one; the ECU is where the configuration of the car is stored.

00:03:42,626 --> 00:03:52,083
So this is the first part of the talk and, like I told you, we are going to do the forensic job, okay?
00:03:52,083 --> 00:04:07,375
So we can know what happened in an accident and if someone is guilty or not or whatever, yeah. So for now I'm going to give the microphone to my friend, my partner, and he's going to start.

00:04:07,375 --> 00:04:13,999
JAVIER: Okay, so as Alberto said, I'm Javier, I'm from Cádiz and all that stuff.

00:04:14,834 --> 00:04:41,918
Why did this happen, the car hacking thing? Well, I had a friend... well, I used to do this stuff with my laptop, like everyone does, and he kept on bugging me: you want a factory one, I want it cheap. And I thought, man, I'll make one piece of hardware so you stop bugging me, and that's how it started, I wanted him to not keep on calling me.

00:04:47,417 --> 00:04:56,834
At first I used this, it didn't work. (Laughter.) I needed a plan. I had to sort it out.

00:04:58,083 --> 00:05:26,709
At first I needed some information, of course, I needed to see how the car worked, so I realized that there were different electronic control units that were all networked on the same bus, so they were addressed, they had some security, I didn't know that much, I was playing a little while, and I knew that data was stored in them, and it's interesting data.

00:05:32,083 --> 00:05:47,334
There are some communication protocols, these are widely spread. They are not the only ones but they are the most common; this is the one that is being used the most, CAN bus.
00:05:47,334 --> 00:06:09,459
AUDIENCE MEMBER: (Away from microphone.) JAVIER: One of the most important things when I started with this thing was the price. When I was going to develop the tool, my friend wanted it cheap, and K-Line was $10 cheaper. I am not cheap, I just... we went for the interface, K-Line.

00:06:12,709 --> 00:06:27,959
Why did I choose it? As I said, it is cheaper. For CAN bus we need ICs, and ECUs that work with K-Line are cheaper.

00:06:27,999 --> 00:06:34,999
ALBERTO: (Away from microphone.) JAVIER: It's $10, $8, but that's something.

00:06:41,167 --> 00:07:10,542
Then the question: is it difficult to implement it? The difference between K-Line and CAN bus is the protocol layers, so it's layer 1 and layer 2. All the encryption is the same, so if you wanted to move from K-Line to CAN bus it would take no time, it would be changing the hardware and changing the structure; CAN bus works on SPI, but not really a big deal.

00:07:13,999 --> 00:07:55,999
What did we know about ECUs? We know they are in cars, and once I decided to start with it I had two options. One was to do some research and navigate through the technical information, or hook up the logic analyzer. We decided to go 50/50 to make it not too interesting either way. So that's what we found.
00:07:56,334 --> 00:08:27,918
After a little bit of research: they are responsible for the engine management, the engine ECU; not all of them, we have lock ECUs, many others, but this is the engine one. It is stored there, they hold the immobilizer routine, and they contain and determine the way the car behaves.

00:08:29,999 --> 00:09:06,999
So the hardware, which is the ECU itself, the physical thing, is composed of internal and external flash. Internal flash is most of the times OTP, it's not accessible, normally, from the outside. It has internal EEPROM most of the times as well, and it's like something that when you try to open it, you start to hate it, it sucks. You have to deal with it anyway, so.

00:09:07,459 --> 00:09:31,667
As I said, we attached the logic analyzer and we saw this stuff. This is exactly from an EDC15, this is one of the first ones we will talk about; the first part is the wake-up pattern, the address for the control module, which is 01.

00:09:38,667 --> 00:10:10,542
Then we request the speeds supported by the bus, and then we change the speed to a higher one, because you start at 10,400, you do authentication, you set the address; actually, on EDC15 you have to send a loader, on 16 you don't have to do that, but I will talk about 245 later. The fourth part is sending the loader plus operations.
00:10:12,834 --> 00:10:21,626
Of course I was ignorant about this, I said "man, this is easy", it didn't work. It wasn't that easy.

00:10:26,751 --> 00:10:45,501
So after research, what did I find? Actually we just noticed that there was an authentication that was not static. That's why it didn't work. So it's called a seed-key algorithm.

00:10:48,751 --> 00:11:04,501
The ECU acts as a server, so you request authorization, the ECU will send you a seed, you will have to do some math, you will send the result and that's called the "key" and there you go. That's it.

00:11:04,959 --> 00:11:29,125
It has checksums to check the integrity of the data that you are uploading. When you download it, it already has checksums so you don't need to check anything; so on EDC15 it requires a loader, as I was saying. For the operations it's usually an assembler, and it has internal flash.

00:11:34,999 --> 00:12:17,083
On EDC15 we have this algorithm as well, but it is just one level, you send the loader and do the operations with that loader. Here we have level 3, which is pretty easy, the challenge is just to add a number, and we have level 2, which is operations, and level 1 is to write the flash of the device, which is a little more complicated, but it's like EDC15, they didn't change at all, you know, just small things.
00:12:17,292 --> 00:12:53,334
We have RSA encryption; when you want to download from an EDC16 it's plain, it's binary, you can put it into IDA or your favorite tool, no problem, easy. But when you want to upload it, of course you need to have the checksums, like you did earlier, but it is RSA encrypted and it needs to be in blocks of 256 kilobytes; in this case, whatever you want to upload must be encrypted in blocks of 256 kilobytes.

00:12:54,542 --> 00:13:00,501
Well, how did we do it? My wife helped me a little bit!

00:13:05,209 --> 00:13:19,876
Why is this interesting? Well, I think we all want to save a few bucks, so if you want your car to have more mileage per gallon, that's good.

00:13:21,292 --> 00:13:53,542
The difference between most cars, like for example my own cars: I have a Cooper 1 which is 167 horsepower, I modified it and now it's 210 horsepower. It's easy, free, that's good! It's cool, inexpensive to do it.

00:13:59,459 --> 00:14:31,999
At first, I started with EDC15, it was the ECU in my car and my friend's car, and I developed the whole thing, it was 1,800 lines of code, and then I wanted to start reversing for EDC16 and I had to start from scratch, so I got two different binaries, one for EDC16, which is the same even though the processor is different.
00:14:38,167 --> 00:14:47,292
This is the first point where I had to be really careful coding it, due to the limitations of the MCU itself.

00:14:49,292 --> 00:15:21,667
We're actually working now on externalizing it. For example, I coded it and we thought it would be better to externalize it and bring the binary out and, by making it with modules, the processors, we can make a universal firmware so we don't need to update every time we want to support new ECUs, and that's what we are working on now.

00:15:23,626 --> 00:15:32,876
This is how an EDC15 board looks, as I said, it has an external... the external flash and the ECUs.

00:15:36,083 --> 00:15:43,999
This is a little bit of code from the EDC15 authentication, the key.

00:15:46,083 --> 00:16:15,584
The algorithm is static but, for example, here I have an EDC15P. This has one set of keys, even though the algorithm is the same for all the EDC15 family. If we get an EDC15V, the keys change, and on the VM the keys are different, so we would need to construct the keys for every single ECU.

00:16:16,751 --> 00:16:33,334
But that's not a hard task, it can be done with brute force and some power tricks. Because at times you have done a wrong login, but you can glitch it to forget about it or, you know, try something else.
00:16:36,292 --> 00:17:04,792
This is the EDC16, in this case it's internal and there are variants which have an external EEPROM. It is stored internally, this is the algorithm, we have external flash and a port which is BDM, bench diagnostics mode.

00:17:08,584 --> 00:17:46,083
Here we have part of the code for the level 1 authentication for EDC16 as well. Just like it happened on EDC15, for example, we have an EDC CP34, it's a different model, the 16, the algorithm will be the same, the key will be different, and we can do this exactly the same way to create the keys for it.

00:17:48,334 --> 00:18:11,292
This is level 3 authentication, that's, as I said, the ECU sends you the challenge, you add that... I don't remember what number it is? 2FC9X, you add that number and you've got it. That's how much they brainstormed for this.

00:18:14,083 --> 00:18:54,209
Here we can see an example of the encryption, in EDC16. On the first part, the top is the binary, so I just brought out this red square, so you can see the read-out. The next one, the data is the same, it has no encryption, nothing; then part 3 is the write-out, what you are writing; this data down here, even though it's completely different, it's the same, it's just encrypted. So that's how it looks. It looks different.
00:18:56,999 --> 00:19:37,999
How did we handle it? RSA encryption in the tool. Well, same instructions, we didn't really want to... you will see it. It takes approximately 10 seconds to encode 512 kilobytes, the map for chip tuning, that's the size, and we do it before the ECU init, because it takes 10 seconds and that was a timeout in communication with the ECU if we first check if it's there, and we cannot afford to lose communication due to the speed.

00:19:38,417 --> 00:19:54,876
Of course the checksum is calculated at the same time, and it is calculated for the non-encrypted file, not for the encrypted one, so we do things at the same time, encryption and checksum.

00:19:56,542 --> 00:20:30,918
This is a small part, it was four pages, showing the first one for the EDC16 encryption algorithm. So we can see that's the kind of operations... ALBERTO: Yeah, like he told you, his wife helped him to do that, so that's, you know, you know his wife is a bitch! With everyone! Sorry! JAVIER: This is assembler.

00:20:34,999 --> 00:20:56,999
This is not a new thing, chip tuning, you can get tools for that. These are the prices. I consider that expensive, I don't know about you. This is what our tool costs. It's cheaper.
00:20:59,751 --> 00:21:17,876
(Applause.) Thanks. This is how it looks, it's fancy, it has mustaches, and it's portable, you don't need the laptop at all. It doesn't work, so don't worry!

00:21:23,999 --> 00:21:43,125
(Laughter.) I will be releasing the code soon, the schematics, so this is Open Source, you can do whatever you want with it. You are paying $26 for the stuff you will be able to tweak. So I think it's worth it, I'm paying like $500 for a closed tool.

00:21:44,334 --> 00:22:01,792
These are the features of our tool. It is not locked to a single vehicle; there are other standalone tools out there that require no computer, but you are paying like $1,000 to be able to use it on your own car. I don't believe in that.

00:22:01,999 --> 00:22:32,292
It doesn't store encrypted files, I don't want you to need to use my tool, you can use whatever you want. Download it with my tool or with any other tool. It does not use a master-slave, which is encrypted, and, as I said, Open Source so you can add support for whatever you want. Any other models, diagnostics, there will be some cool stuff coming.

00:22:33,959 --> 00:22:47,709
This is the lower interface. We can see there is a Mini Pro, that is this on the left, on the bottom is the level shifter. Sorry.
00:22:49,667 --> 00:23:07,751
This is just a regulator, a 7805, to get the 5 volts out of the 12, and this is an SD card, this is the LCD I2C, and I think you can see it's homemade.

00:23:10,250 --> 00:23:32,334
This is a very cute Eagle interface board, just the same hardware. This part is an RJ45 connector so you can get an idea of how tiny it is, and it has FTDI already embedded in, and you can update it, whatever, straight off.

00:23:32,334 --> 00:24:12,083
ALBERTO: The thing is that this is homemade, the thing that you saw before, this is homemade. If you want to do it better with this board, it's much more than this, okay, this is just a case to hold all the things that he told you, okay? But this thing maybe, just maybe, like a... JAVIER: A quarter of the size of this. ALBERTO: So smaller, and the thing of the smaller size is interesting because we are speaking later about what evil things we can do with this thing, okay? So that's not okay.

00:24:12,334 --> 00:24:35,459
JAVIER: We're so evil! Here is an example of how to make it wireless. This is just the same thing, it is the serial console but with the Bluetooth, it's $1, and we can control it with our Android phone, so it's wireless and it's cheap.
00:24:37,999 --> 00:24:57,626
Some examples of this, like I was saying: we can mod it to have more mileage per gallon; how to bypass the immobilizer is just a process, it's 2 bytes.

00:25:01,751 --> 00:25:11,834
The loader is embedded for reading and writing, so you click a button and it's done, and of course you can later enable it.

00:25:13,999 --> 00:25:45,584
This one is fun: you connect the tool and when it's in the middle of the writing process you pull the cable, so it's fucked up, no checksum, no anything. (Laughter.) You've got an expensive piece of metal, but later on you can still recover it, not everything is lost. There are recovery processes for it, by the diagnostics port, you don't need to pull it off the car and it will eventually work again.

00:25:47,999 --> 00:25:55,667
ALBERTO: But it's funny for a joke! JAVIER: When he finds out his car isn't working, it's so funny! Yeah!

00:26:00,250 --> 00:26:37,626
(Laughter.) An example, well, you know, we can have any interface, 3G, wifi, Bluetooth as we saw with the phone and, well, we can disable a car, we could eventually... it is not yet implemented, that is completely different, we could control a car with this device as well with other firmware, we could disable or start modules, functions, like turn on the air conditioner and make whoever gets a really bad cold, you know? (Laughter.)
00:26:33,999 --> 00:26:54,209
He wouldn't be able to disable it, it would be terrible. Now, we're going to do a demo on the EDC16. It will be console, but we will be able to see the process.

00:26:56,834 --> 00:27:19,999
I'm going to show it, because you cannot see it from there, but I'm going to explain what we have here. We have an EDC16 connected and a Mega 2560, and we have a normal $10 diagnostics cable. So what did we do here?

00:27:24,250 --> 00:27:47,167
We wired up the level shifter to the ECU, so we are going to send commands to read the information and read the flash, and to write; we're actually going to kill the ECU, revive it again and read the info after that. So let's get to it.

00:27:47,167 --> 00:28:15,375
ALBERTO: Yeah. JAVIER: Okay.

00:28:17,751 --> 00:28:30,959
So let's see if it works! We're going to read the info first. We can see that's fast. It doesn't take too much time.

00:28:30,999 --> 00:29:02,918
Here we have the information, the software version, the engine; this is for a Volkswagen Passat, where it is not connected to a chassis, but the inside is all around the K-Line bus, so we can get the number, the chassis number, and now we're going to read the external flash, it will take a while. Meanwhile, what can I say about this?
00:29:02,918 --> 00:29:06,959
It's fancy, I like the flashing here, it's a pity you cannot see it flashing.

00:29:08,959 --> 00:29:38,709
(Laughter.) Well, actually, when I was reversing the protocol, I noticed that there were huge time gaps, you know, this is based on packets. So between each packet there are bytes, of course, and between bytes there was time, I don't know how to explain, a delay. After testing I realized it wasn't necessary, so I sped it up.

00:29:41,667 --> 00:30:03,876
We changed the protocol, made it faster, it works 25% faster than the original tool on EDC16 and it works 400 percent faster on EDC15, so they didn't brainstorm too much about that, anyway.

00:30:05,125 --> 00:30:18,999
I will not show that at this time because we are running low on time, so now we are going to kill the ECU. Now it's processing the RSA.

00:30:19,083 --> 00:30:35,876
ALBERTO: You have to believe that, but we are going to show the logic analyzer after that, okay, a capture of the analyzer. JAVIER: We will show another logic analyzer capture so you can see what is going on. ALBERTO: Obviously we are running out of time. JAVIER: So we've got to be faster now.

00:30:38,584 --> 00:30:51,542
So what we are going to do to kill it: since we have no cable to unplug, we're going to start writing, we're going to send just one packet of data, then we are going to stop communicating with the ECU.
00:30:51,999 --> 00:30:57,667
So now it's deactivated. I need to power cycle it once again.

00:31:09,959 --> 00:31:25,999
Now we are going to try to read the information. Of course, since it's disabled it won't be replying. So we got no response, it's disabled, just a piece of junk right now.

00:31:26,876 --> 00:31:53,667
But now we are going to make it work again! Should be fast! It's so slow, it's an AVR processor. With two kilobytes of RAM, it takes a while.

00:31:56,083 --> 00:32:20,999
Now, actually, to revive it: since we screwed up the flash, we erased the flash, we started to write, so the checksums are incorrect, so now to fix it we need to write the whole flash again. We are writing what we read out the first time.

00:32:26,083 --> 00:32:43,083
As I said, RSA encryption here is provided in blocks of 256 kilobytes, this is the first block, now we're starting with the second block.

00:32:52,876 --> 00:33:02,999
Since we are running out of time we will go on now with the other things. If there is enough time we will show the logic analyzer, it will be fast.

00:33:03,167 --> 00:33:30,083
Maybe while it's writing we can show... okay, I'll show: this is the key, this packet, it is so small: the address, the target address, the source address, this is our request, now 27 means we want to have security access.
00:33:30,083 --> 00:33:56,999
We send this whole packet, now this is the level, level 01, which is to write, so the ECU will reply. With a 6701 it means okay, I will send you the challenge. So here we have, for example, 86, 58, 86, that will be the seed for the challenge.

00:33:57,709 --> 00:34:27,083
Now we will process this and we should send, okay, 2702, we must add 1 to the security level we requested, and these are just 4 bytes, this one here. Then if we succeed it will reply with 67. If we fail it will reply 7F, which means "denied."

00:34:27,375 --> 00:34:45,292
When writing we can see this is a huge block here, then we start with the second block, we write the second block and then we are done, that's the writing response. One second, I need to power cycle it.

00:34:52,459 --> 00:35:08,626
We are going to read the info again to see it works. So, again, it's alive! After killing it! (Laughter.) So now it works!

00:35:08,999 --> 00:35:49,375
ALBERTO: Wait. It's not connected. It's fast as light but it's not connected, so you didn't see the joke! JAVIER: Windows. ALBERTO: It was a joke, Spanish. Anyway. So I have only like 10 minutes, so I'm going to go fast.
405 00:35:49,375 --> 00:35:54,918 What happens in an accident, the police usually look at the marks 406 00:35:54,918 --> 00:35:58,999 on the road where the accident happens and 407 00:35:58,999 --> 00:36:06,334 they look at the condition of the car to figure out the speed and the things that 408 00:36:06,334 --> 00:36:10,542 happened, but we IT guys have a cooler way 409 00:36:10,542 --> 00:36:15,999 to know exactly the parameters of the accident. 410 00:36:19,125 --> 00:36:25,999 In all the cars, our cars, we have a black box, same as in a plane. 411 00:36:25,999 --> 00:36:29,918 The only difference is it doesn't record sound, so don't 412 00:36:29,918 --> 00:36:36,209 worry if you say dirty things or whatever, it's not storing that. 413 00:36:36,584 --> 00:36:40,709 So it stores information before and after the crash, it is interesting 414 00:36:40,709 --> 00:36:46,083 because even after the crash there is memory that stores information. 415 00:36:46,167 --> 00:36:50,626 So we can have more information about the accident itself. 416 00:36:51,250 --> 00:36:58,083 So that information, like I told you at the beginning, is related 417 00:36:58,083 --> 00:37:04,167 to the speed, the most important, the RPM, the brake, and it depends 418 00:37:04,167 --> 00:37:09,876 on the plan, the plan that they have made in the ECU, but there 419 00:37:09,876 --> 00:37:14,626 is other information stored in the ECU. 420 00:37:15,083 --> 00:37:19,417 This information is stored in the airbag ECU, okay, most 421 00:37:19,417 --> 00:37:21,292 of the time. 422 00:37:21,834 --> 00:37:27,375 So we have to take this part of the car, this ECU is similar, it's just 423 00:37:27,375 --> 00:37:30,250 a little smaller. 424 00:37:30,834 --> 00:37:31,999 Okay? 425 00:37:35,834 --> 00:37:39,584 It's stored in the EEPROM memory, it's nonvolatile, so we can get access 426 00:37:39,584 --> 00:37:42,375 to the data after the crash, okay? 427 00:37:42,834 --> 00:37:44,417 It's great for that.
428 00:37:44,626 --> 00:37:49,999 There is hardware and software out there and you can use it, 429 00:37:49,999 --> 00:37:53,999 but the thing is this talk is about how to make 430 00:37:53,999 --> 00:37:57,999 a thing that costs only $25 instead of $1,000, and 431 00:37:57,999 --> 00:38:03,959 in that case even the tools used to get the information are more expensive 432 00:38:03,959 --> 00:38:06,999 than to modify the ECUs. 433 00:38:07,083 --> 00:38:13,876 So the cool thing is we did something for the poor people. 434 00:38:14,834 --> 00:38:18,626 Yeah, we are speaking all the time about, 5 minutes, okay. 435 00:38:18,626 --> 00:38:21,959 We are speaking all the time about the ECUs, okay? 436 00:38:24,125 --> 00:38:26,918 There are different ways to extract information 437 00:38:26,918 --> 00:38:29,125 from an ECU after a crash. 438 00:38:31,751 --> 00:38:36,083 The first of all is to connect to the OBD, it is the port 439 00:38:36,083 --> 00:38:38,167 behind the wheel in the car, 440 00:38:38,167 --> 00:38:41,501 and we can access the information. 441 00:38:41,501 --> 00:38:45,083 Not all the time, because in some crashes the car 442 00:38:45,083 --> 00:38:48,999 is completely fucked, so what? 443 00:38:50,542 --> 00:38:55,250 So the connection is lost, so we can't retrieve the information. 444 00:38:55,792 --> 00:39:01,292 The other way is to connect directly to the ECU and get the information, so 445 00:39:01,292 --> 00:39:07,667 for that we need authentication, maybe it's not a strong authentication, 446 00:39:07,667 --> 00:39:11,709 but it is an authentication anyway. 447 00:39:11,834 --> 00:39:19,999 Finally we have the fancy way, directly with the EEPROM memory. 448 00:39:20,375 --> 00:39:25,999 I said all the information is in the EEPROM, so we can read it, okay?
449 00:39:25,999 --> 00:39:31,834 Yes, it's hardware more than software, I'm a software guy, maybe it's more 450 00:39:31,834 --> 00:39:38,876 difficult, but for these people hardware is like eating ice cream. 451 00:39:39,375 --> 00:39:44,083 This is the first one, behind the wheel, so this is the first way, this 452 00:39:44,083 --> 00:39:48,999 is the other way, connecting directly to the ECU to get the information, and 453 00:39:48,999 --> 00:39:52,250 the last way is this, from the EEPROM memory, this 454 00:39:52,250 --> 00:39:56,999 is the size of the EEPROM, you can see it on the fingers, it's very small, 455 00:39:56,999 --> 00:40:00,042 but we can do it, we can do it. 456 00:40:00,834 --> 00:40:05,999 This is the hardware I told you about before, hardware and software, okay, 457 00:40:05,999 --> 00:40:08,292 the hardware is like no hardware 458 00:40:08,292 --> 00:40:13,459 because it does almost nothing, but, anyway, and the software, 459 00:40:13,459 --> 00:40:17,083 the really important part of this kit. 460 00:40:17,459 --> 00:40:24,999 The premium tool kit costs almost $9,000, yeah, I'm not going 461 00:40:24,999 --> 00:40:27,792 to pay for that! 462 00:40:27,999 --> 00:40:30,000 What about the poor guys? 463 00:40:30,000 --> 00:40:32,709 What about people like me that have just finished school 464 00:40:32,709 --> 00:40:37,876 and university and these kinds of things, and we don't have money. 465 00:40:37,999 --> 00:40:42,834 The software, which is for me the important part, is that you can access 466 00:40:42,834 --> 00:40:45,250 it for free, okay? 467 00:40:47,626 --> 00:40:48,999 Free software. 468 00:40:48,999 --> 00:40:53,292 The decoding of the data, because this is important information and we have 469 00:40:53,292 --> 00:40:58,501 to parse this information to know, okay, from bytes 11 to 40 is the speed 470 00:40:58,501 --> 00:41:02,792 and from bytes whatever to whatever is whatever. 471 00:41:02,999 --> 00:41:05,083 So we have to parse it.
472 00:41:05,709 --> 00:41:14,584 So, yeah, we can... his wife... I slept with his wife once too. 473 00:41:14,834 --> 00:41:17,083 (Laughter.) Sorry, man! 474 00:41:20,751 --> 00:41:21,999 Okay. 475 00:41:25,250 --> 00:41:29,501 Another thing, this tool, these are supported, okay, 476 00:41:29,501 --> 00:41:35,834 so there are very cool brands that are supported to do this. 477 00:41:36,083 --> 00:41:37,250 Did you miss something? 478 00:41:40,999 --> 00:41:44,792 It's not in the list, so what happened? 479 00:41:45,083 --> 00:41:50,334 One time a client contacted us to do a forensic job on a car and 480 00:41:50,334 --> 00:41:56,834 the car was a Mercedes, so we said one, maybe two, okay, one. 481 00:41:57,083 --> 00:42:01,083 We said, what are we going to do? 482 00:42:01,083 --> 00:42:04,083 So what do we do? 483 00:42:21,375 --> 00:42:26,999 First of all we read the EEPROM, okay, soldering to the EEPROM, and we read 484 00:42:26,999 --> 00:42:30,501 the parts of the binary, so we erased one copy 485 00:42:30,501 --> 00:42:33,918 of this binary and made a... okay? 486 00:42:34,834 --> 00:42:40,417 So when you parse it, it will be modified after the crash, so it's a good 487 00:42:40,417 --> 00:42:42,751 starting point, okay? 488 00:42:42,834 --> 00:42:47,999 So the next step was to filter the information, we only have 489 00:42:47,999 --> 00:42:54,209 the information, we only have the parts of the ECU, okay, I'm going. 490 00:42:54,209 --> 00:42:55,209 One minute. 491 00:42:55,667 --> 00:42:56,667 Half! 492 00:42:56,999 --> 00:42:58,999 (Laughter.) Okay. 493 00:43:02,999 --> 00:43:09,209 We just... it's the software to bring the graphics, to bring the difference 494 00:43:09,209 --> 00:43:14,083 in the graphics between the increasing and the decreasing, 495 00:43:14,083 --> 00:43:19,584 okay, so the speed will be, in the crash, decreasing, right, 496 00:43:19,584 --> 00:43:25,375 if you crash you stop, yeah, the speed is decreasing. 497 00:43:25,375 --> 00:43:27,834 So we found this.
498 00:43:27,999 --> 00:43:28,999 Okay? 499 00:43:28,999 --> 00:43:29,999 You can see. 500 00:43:29,999 --> 00:43:38,792 After looking at it a lot we found this graphic that gives us 501 00:43:38,792 --> 00:43:45,542 information in our research, so we had... anyway, 502 00:43:45,542 --> 00:43:50,999 so we are running out of time. 503 00:43:51,375 --> 00:43:53,999 We want to say thank you to you! 504 00:43:56,375 --> 00:43:59,999 (Applause.) Like always, to our family and friends, and 505 00:43:59,999 --> 00:44:03,250 all those who want to understand how and why things 506 00:44:03,250 --> 00:44:05,999 work, thank you very much!