*33C3 preroll music*

Herald Angel: And without further ado, please welcome Guillaume and P1kachu on stage now. *applause*

Guillaume: Thank you.

P1kachu: Okay. So hi everybody. Hi bingu. So we are going to present what we've been doing lately with cars, actually. So who are we? My name is Stanislas Lejay, "P1kachu". I'm an IT student at EPITA, a school in France, and I'm part of EPITA's system and security laboratory, the LSE. I'm currently an intern at Quarkslab. I like a lot of stuff, like reverse engineering, everything that is related to cars or mechanics, and if there is something stupid to do I shall already be doing it. And with me will be Guillaume Heilles.

Guillaume: Hello, my name is Guillaume. I work at Quarkslab as a security engineer. I'm quite new to the security field as I worked in the industry before. And I switched to the security field because it's very fun and I like to reverse almost everything, and I will give a small talk about reversing a piece of hardware that you can find in an automobile.

P1kachu: So what is this talk about? This talk will be in two different parts. The first one is how to drift with any car, and it's an introduction to automotive systems, what you can do with them and what we actually did with them.
And the second part, whose name is "How to properly write an Amazon review", you'll see why just after, is OBD dongle analysis, reverse engineering, stuff like this. So, first part: "Drifting with any car". The idea is that I'm a student, so I work at my school's lab, so I had to find a way to explain why I was bringing different cars every day to my school's garage. So the official goal was to look at how a car works, and what arose from this is: what can I do, what can one do with a modern car system? The restriction I had was that since I'm a student, I'm poor, so I don't have a lot of money and I don't have a lot of cars. So I was actually taking my family's different cars and trying to analyze them. So I wasn't able to break anything or remove any parts from the car. So the test subjects: which cars was I playing with? I had five or six of them. The first one, for posterity, is mine actually. It's a 2006 Volkswagen Polo. What is nice is that you can spend the whole day trying to find some messages on your bus. If your car is too old, there are no messages. So you can take the oscilloscope and try to find them, you won't find them. Anyway, just before doing anything, try to think: is the thing I'm looking for really in there? The second car is my grandmother's car, it's a Volkswagen Polo of 2013. And the last guy we'll talk about is my mom's Fiat 500 convertible. It's from 2010.
The dates are important because the CAN bus I will talk about just after is quite recent, in a way that security on the CAN bus changes greatly from one year to another. So the CAN bus I was playing with on this car was quite different from the 2013 Volkswagen Polo, for example. Okay, so, talking with the car. So this is the introduction part, so if people already know about what I'm going to talk about, well, I want everybody to be on the same first step. So first of all, an ECU: it stands for Electronic Control Unit, and it's a small computer that you get all around your car. So there are many of them. You can have at most 70 of them in very modern cars, and they take control of different parts of it. So you have the engine, the powertrain, the transmission, ABS, stuff like this. And they talk to each other on what we call the CAN bus. The CAN bus is a message-based broadcast protocol. Messages are mostly composed of two important things, which are the arbitration ID, which I will refer to as ID from now on, they can be 11 or 29 bits long, and you have data. Data is 8 bytes long on the standard CAN message, but there are on-top protocols which can group messages together to get bigger lengths of data. What is interesting is that it's a broadcast protocol, so the collision detection system is based on the ID. The lower your ID, the higher your priority.
So very important CAN messages will have a very low ID, they will be sent from an ECU that has a very low ID, and less important ones will have a bigger arbitration ID. How do you talk to your CAN bus without cutting any wire in the car? For this, you see, there is the OBD2 port. So OBD stands for On-Board Diagnostics and is the vehicle's self-diagnostic and reporting capability. When you are driving, you have a LED that starts to blink on your dashboard saying "ok, something's wrong", you bring your car to your car repair shop and the car repair guy will just plug himself into this port, which is often located around the steering wheel, and query information using PIDs. So PID is a parameter ID. It means "okay, I want to have information about, for example, the RPM or the speed or the fuel level, something like this", and you can set or reset diagnostic trouble codes. A diagnostic trouble code means "ok, something is wrong with this part of the car", for example. Here is my setup. So with just a Raspberry Pi, a PiCAN 2 shield and a DB9 to OBD2 cable, I was able to have a full Linux that can understand CAN messages and talk with the CAN bus. So with that I could just communicate with my car without breaking anything, which is quite nice. What does it look like?
So in Python, I just import can, so it's a standard package, python-can, you create an interface, so it's SocketCAN, so it's like any kind of interface, you just create a can0 interface and you can communicate with your CAN bus. You create your message, so the data is here. What is important is that the first byte tells how many bytes are important in the message. You can have 8 bytes of data. The number of bytes processed will be this number, so like there it says "ok, there are only 2 bytes of data that are interesting, just discard the 5 other ones". Here, it asks for the first mode, so OBD has different modes. The first mode says "Okay, I want the current value of what I'm looking for", and 0x0c is RPM. So I want the current value of the RPM. If I put two there, it's the second mode and it asks for the RPM when the last data trouble code was actually set. You have different ones like that, but what interested me was "Okay, what is the current RPM?". You create your message, 0x7df is the classic ID for diagnostic tools, so most ECUs will answer to OBD queries if you have this ID. On 29 bits, it depends on the car; on the Fiat 500, for example, it was this one. You send your message, you get your answer and that's it. Okay, so this was the theory: how do you talk, but how did I actually talk with my cars? So the first OBD answer I was able to get was on my grandmother's Polo.
It's quite a recent car, 2013, so there was a gateway, a sort of firewall between the OBD2 port and the actual CAN bus. So when I plugged myself into the CAN bus, I wouldn't receive anything unless I sent an OBD query. I would receive my answer, but that's all. Else, the bus would be completely silent. So here are some examples. So this is the one from just before, how can I get the RPM, so this is the value of the RPM. Here, I can get the engine coolant temperature, very important, so the idea is that it answers 83, and 83 is 131 degrees. The idea is that you are working with unsigned bytes, so if you want to get a negative temperature, the standard tells you to subtract 40 from your temperature. If you are outside of -40 or 215 degrees, you have other problems than your coolant temperature. So, it seems to work. Okay, nice. So, displaying everything. This was to explain to my grandmother why I was stealing her car for two weeks right now. So, with this, I'm able to get the RPM, the speed, engine coolant temperature, always very important, throttle and accelerator pedal position and the elapsed time since the engine started. So anyway, kind of graphical, my grandmother understands, everybody's happy.
Right, so right now I can query standard OBD PIDs, I can have the RPM, speed, fuel level, anything you would want to have on your dashboard, but if you want to get some probably more interesting stuff, you have to go with the constructor-specific PIDs. For example, the steering wheel position, brake and clutch pedal, gearbox status light or blinkers are constructor-specific, so you have to break stuff to be able to find them, or be very good friends with the manufacturer, which I'm not. Nice, we can query stuff, mostly. Can we modify anything interesting from OBD? Because, still, I don't want to mess with the car by cutting any wire. So first issue: what protocol am I actually talking to? There are on-top protocols like KWP, which is Keyword Protocol 2000, Unified Diagnostic Services, ISO-TP, the Volkswagen version of ISO-TP, like really, and stuff like this. Which protocol am I talking to? Okay, let's just brute-force by sending the classic introduction kind of message and try to find a valid answer. With this, on the 2013 Polo, I could speak UDS. So UDS enables different kinds of things like resetting ECUs, which can be quite interesting, querying specific PIDs, reading DTC information, stuff like this. However, nice stuff, like dumping the firmware, is only available through a security session.
And a security session on this car requires an authentication through a challenge-response kind of algorithm, so here is the example: I would start a diagnostic session, a UDS diagnostic session, first, then query for a seed to get through the security session, compute my answer, send it back, the car computes its own answer, compares, and I would fail, because I would just send the seed back, like, maybe they didn't implement a real algorithm, you never know. But hey, okay, well done Volkswagen, they did it quite well. Actually, the car has a four-byte seed, which is different at each try. This is important to notice because on Guillaume's car, it's a 2-byte seed, which is always the same. You have more than three seconds required between each try and if you fail multiple times, it will just freeze for ten minutes if you don't want to remove the battery, all that kind of complicated stuff. So, how to break this? Brute-force? Way too long. A timing attack would be too unstable because of the priority kind of thing, because you can just get delayed by other more important messages and so it will delay your timing attack. Disassembling the car is out of the question, you know why, and getting pieces from a repair shop is tedious. You know, get an ECU, try to recreate the CAN bus around it, stuff like this, and I'm broke, so I don't have any money.
Okay, so, my car, let's sum up: way too old. My grandmother's car, a bit too recent because of the gateway. My family's car is a Lancia Voyager 2014, so even more recent, but it has Uconnect, so maybe for another time. Who's left? Oh, mommy? So, my mom has a 2010 Fiat 500 convertible, she loves it, so she doesn't like when I take it and she even more doesn't like when I try to do stuff with it. So one night I stole the key. *Laughter* Sorry. And I tried to plug myself in and oh! It talks, it talks a lot. In four seconds, I was able to get around 2000 messages, so it's about 500 messages per second. There is no gateway, so I have a lot of broadcast messages already. They are from a few different arbitration IDs, so a few different ECUs are actually talking on this bus. When I'm in the car, I tried pressing random buttons and I see that the data evolves, so the nice funny thing to do is to try to understand what each message means. It's quite tricky with candump, which is the standard Linux util which will just flood your stdout with CAN messages, but Python CAN monitor helps a lot by grouping messages by arbitration ID. So here I'm in the Fiat 500 and I am driving actually, and you can see the different arbitration IDs there and the data that is evolving.
The two last ones, which are way bigger, are the standard OBD, meaning that okay, I have a priority that is way lower than the other kind of messages. So, reversing a bit, what can we find? I found the speed four times, the values were quite different but quite close anyway, so was it at four different times or at the four different wheels? And it was actually at the four different wheels, because when I turned it would change drastically two values out of four. I have the clutch pedal with respect to the accelerator: am I accelerating while depressing or pressing the clutch? The brake data, are the doors closed, which ones are closed, is the contact on, is the handbrake up or down, and this one is quite interesting because it would change every minute. Actually it's the time and date. So it was 9:00 p.m. on the 24th of May 2017, meaning that they created an ECU whose only job was to send the current time and date, readable in hexadecimal format on the CAN dump, like this.
*laughter*

But what, I found it funny, I've a weird sense of humor. Anyway, so this thing even served this time to explain to my mother what I'm doing with her car. So this was a kind of capture I was doing from my school to my home, like I was recording what I was doing in the car, recording at the same time a CAN dump and displaying what I could display, so I have the handbrake, start and stop, and the engine is on, okay, it seems to be, the doors are closed, hopefully, okay. So this was quite fun to do actually. Okay, what can we do with that? Can we do something useful for humanity, can we do maybe something a little bit challenging, or else it's absolutely not interesting? How can I at least put something on my resume after that, something I can be proud of? Yes, or we could try to do something completely stupid, and that's what I meant to do. So I created CANPad. The idea of CANPad is that with the steering wheel, brake and accelerator pedal you can drive any car in any video game. So.. *Laughter* *Applause* So that's what I did. I take the CAN messages from the OBD sensor and pass them to a python-can client and feed them through libuinput to be able to create a virtual gamepad, and play it in V-Drift. So V-Drift is an open-source racing game that allows one to play on Linux through at least libuinput.
So this is the start and stop button that I use as a toggle to send data, and here I'm driving, with my mum's car, a car in a video game. *driving noise* So I have the steering wheel, the handbrake, every pedal, it's quite, it's quite hard to drive right now. *laughter* And my official goal is to drift. So at first I have to learn how to drive at all. It was actually quite nice when I managed to do anything at all. So you can see that data is only like 16 bytes long and *music* *applause* That's the best drift I was able to do on this game. So I was actually quite disappointed right now. So, features and limitations of this. So the features is what I was explaining right now. But the limitations are that the engine needs to be running, because else I don't have the assisted direction, which makes the wheel quite hard to turn. Also, on a real car, if you release the steering wheel it will by itself try to match the car direction, which I don't have, so I would just spend all my time turning the wheel. And the control simplicity going through libuinput limits it to V-Drift, because no other Linux game recognized my virtual gamepad as a real one. So I was quite sad, but I really wanted to drift. Oh wait, I created another version, which is CANpad v2. CANpad v2: I just understood that on the real gamepad, game box, Xbox, Xbox gamepad.
If I plug in the Xbox gamepad and don't touch anything, no inputs will be sent. On the other hand, if I plug in a PS4 gamepad and don't touch anything, it will flood the status of every button all the time. So what I would do is take the Xbox controller, put it on the table and hijack its port to send data instead of it. So I would have a real, a real plugged-in controller that is recognized by nicer games like V-Drift, like DiRT, and I could send inputs by myself. I changed a few things like the gas pedal, because I had to floor it in the real world to floor it in the game, which was quite fuel consuming; the steering wheel rotation was adjusted so that it matches, it matches rally cars, like if I turn it 180 degrees it will turn all the way in the game, so quite nice; and I found the direct command to query the brake in the, in the video. In the next video you'll see that when I turn abruptly in the game and I release at the same time the brake, the wheel will take a little bit of time before stopping to turn because I have a small delay. But now I have the real input so it's way easier. So: demonstration. So, some sensors: *soundtrack* Start and Stop *soundtrack* I just wanted the music. So, anyway, as you can see it's way easier to play because of the steering wheel which was adjusted, it's way nicer to drift in it. I can do the crane drift *applause* *soundtrack* my brothers were very fond of this.
My mother was only thinking about her tires right now. *audience laughing* *soundtrack* Anyway. Sorry. I'll give you the title of the song later if you want. So I can now drift with my front-wheel drive car in any kind of video game, which is almost quite very nice. So possible upgrades, yes, there are always upgrades: I could get the gearbox status, put the car on the lift and try to put it in manual, which would be a bit more life... lifelike, and create a better gamepad so that I'm able to race on my Micro... Windows, because right now it's only on Linux. Okay, this was fun, but it was actually consuming a lot of gas for nothing. So with Guillaume we tried to find a way to reduce gas consumption, and that's what he will, he is going to talk to you about right now. Guillaume?

Guillaume: Thank you, Stan. *Applause* So, Stan had a little problem about the gas consumption, and a friend of ours told us about this little Nitro OBD dongle which is supposed to save fuel. It's sold on Amazon and the reviews are quite good, so we said "ok, strange, but ok, let's try it". First of all, just a reminder about the, what is an OBD2 dongle? An OBD2 dongle is a small device that you plug into the OBD2 port of your car.
Any recent car has an OBD2 port, you can find it by googling the model of your car and "OBD2 port" and you will find a picture of it, and the interesting thing is that you just have to pull the panel to access your OBD2 port, and it's very cool because we don't have to take anything apart or whatever. So, just buy the thing on Amazon, pull the panel and put it there. That's all. So, this dongle is supposed to save fuel by reprogramming the main ECU, the engine ECU of your car. And this has been done for quite some time: this is known as chip tuning and you can find it on the internet. It works pretty well, it will break your warranty, but the very interesting thing about this dongle is that you will not break your warranty because, if you remove it, you will go back to factory settings, and this is very new. So, it works on any car, well, any recent car, and well, it seems to work really well. Ok, so why did we reverse engineer this dongle? Because it's just an amazing piece of hardware. If you think about it: it works on any car and it also reprograms any car, so it must contain all authentication codes. Stan explained the challenge and response mechanisms, so this one must contain all of them.
It will also contain the reprogramming software for any car of any manufacturer, and this is also just amazing, and I just wanted to have a look at this. And it is able to adapt itself to the way you are driving for a few kilometers, then it will reprogram your engine, and I say wow, there must be a very smart algorithm inside this very small piece of hardware, and I just wanted to have a look at this software. As I said also, it also modifies the RAM of your engine, and I was not aware of anything that would be able to do that, because from the things I know about chip tuning, it will change the flash of your ECU. That's why the warranty is broken, but not this one, not this one. And this is just amazing. I just wanted to have a look at the source code, well, the binary. Ok, so. The first thing about reverse engineering such a piece of hardware is monitoring the CAN signals to see if it's talking and what he, what it is doing exactly, if it's opening security sessions or not. Well, all this stuff. So, here you see, in my car. There is the OBD2 port right there, and I used the same configuration as Stan to record the CAN messages, which is a Raspberry Pi here and the PiCAN 2 shield, and well, just for fun, a PicoScope to check the signals, and a computer to, to monitor this.
The thing is, you just have one OBD2 port in a car, here, and you cannot plug in at the same time the dongle, like this, and the wires for the Raspberry Pi. So we took apart the dongle, and after a bit of reversing the PCBs we found the CAN lines and ground, and we just soldered three wires on it. And using this approach you can reverse the messages sent on the bus. The interesting thing is that as you are plugged directly on the dongle, you will monitor exactly what the dongle is doing and what it's seeing. Just for reference, you just have three wires to put in a car to hijack or to communicate on the CAN bus. Those are CAN high, CAN low and the ground, and that's basically all you need to connect to a CAN bus. Just for reference: on today's cars you can find many, many CAN buses in the different parts of the car. So the OBD2 port is just more accessible, but it's basically another CAN bus, just like another one. Okay. So, we did two measurements: one with basically no OBD dongle plugged in, and there is one with the OBD dongle plugged in. Stan explained in the first part of the presentation that every CAN message is sent by an ECU and the identifier of the ECU is called the message ID, and the lower it is, the higher the priority is.
Here you have the most, you have the message with the, the biggest priority, and here with the lowest priority, and you see here the, the content of the messages. The thing is, if you look at the list of the message IDs, here, and the list of the message IDs, here, you can see: it's the same list. Basically it means that no other ECU was talking on the bus when we plugged in the OBD, the Nitro OBD2 dongle. So, it means that the dongle basically doesn't speak at all on the CAN bus. And that's too bad, because we say: how is it possible that it works if it's not talking on the CAN bus? Okay. Is it over, is it just not working? Well, not really. The dongle is advertised as working after 120 kilometres. It will just listen silently to the way you are driving, then reprogram your engine after this small amount of kilometres. So it was still possible that the dongle was not sending anything during the first kilometers. And, but we couldn't just monitor the CAN bus during such a big period of time, and so we needed another approach, and we chose to reverse the PCB. If you take the dongle apart, you can see two PCBs. The first one here is just connected on the OBD2 port, and the other one seems to contain, well, something. Okay, so this is a picture of the first one. As you can see, there are no components on it at all.
It's just routing the CAN wires from there to the second board. So okay, let's go on, and the second one is more interesting. On the front side, you can see, well, a few components, but there are not so many. You have a voltage regulator here, 7805, you have a push-button, this diode is part of the voltage regulation and that's pretty much all you have here. And three LEDs, you have three LEDs, okay. On the back side, you can see, here there is the footprint of a very small microcontroller, and here is a picture before desoldering it. And the interesting thing is that there is absolutely no reference on this device, as if the manufacturer took special care to hide what was inside. And this is not so common, because usually you can find a reference on a chip. Also, there is no CAN transceiver on this device, yeah, it's strange. What is a CAN transceiver? A CAN transceiver is a piece of hardware to translate the signals from the CPU, which are basically UARTs, into CAN signals, which are CAN high, CAN low, this is a differential pair. But this device is not just about adapting the signals and electrical conversion. It's also about real-time monitoring and checking. Stan explained before that in each frame, you got a CRC and an error bit.
And if there is a transmission error on a frame, any CAN transceiver has the duty to assert the fault in real time, so it just has a few microseconds to compute the CRC in real time and say "Okay, no, you just have to discard this frame". Basically, two tasks for this one: electrical signal conversion and checking in real time. Okay, so you have no CAN communication, no CAN transceiver, okay, it smells weird. A few guys told us "yeah, but maybe it's possible to do that in software because, you see, those are just signals and maybe with an ADC and so on you can do that in software." I put a link, if you are interested, here, to a Stack Overflow discussion, which is very interesting, and a few guys say "ok, yes, it's possible to do that in full software, so you basically don't need a CAN transceiver". The thing is, as the CAN transceiver has to react in real time, you have to have a very fast CPU to do that in real time. And the guys on Stack Overflow say "Ok, it's possible, but at a very low speed, like 10 kilobits per second or something like this." But on a real CAN bus in a real car, the speed is more like 500,000 bits per second, so it's not the same order of magnitude.
And then, some of the guys say "Okay, maybe there is some CAN transceiver inside this chip", and I say "okay, yes, it's just a small, super cheap chip, there is nothing there, just a small microcontroller", but, just to be sure and because we like to decap chips, *laughing* I asked my intern to do that because, you know, there are toxic fumes and things like that. So here is Stan in my garden and, well, it was the first time I did that, and Stan also, and the thing is, it's pretty easy to do that, but if you want to do it, just be careful because it is very dangerous stuff. You can buy it on the internet, it's very cheap, and what do you need? You need cooking plates, here, to produce some heat, a crème brûlée dish or just a ceramic plate. You pour the sulfuric acid in it, you wait for it to be hot enough and that's all, basically. Just throw your chip in it and you're done. Just wait 10 minutes and that's all. So again, if you want to do it, just do it because it's fun, but use protection because it's very dangerous. Okay, well, here are the results. I put a real CAN transceiver here, and this is the chip you have in the Nitro OBD2 dongle. Some of you will recognize the basic structure of a small microcontroller. Here you have the CPU logic, here you have the memory banks and some glue logic there. And that's pretty much all you have there.
The interesting thing is that this does not fit into this. So definitely, there is no CAN transceiver in the Nitro OBD2 dongle. The other thing I would like to show is, if you look at this, we said before that the Nitro OBD2 had to contain a database for all authentication algorithms, all the ways to reprogram any car on the market and so on. And this is all the flash you have inside. I was expecting at least a big chip of flash, but there is nothing here. So basically, it just looks like a tiny microcontroller, like an Arduino or something like this. But I really wanted to know what chip it was, so we had a game at the office, it was looking for Waldo, because chip manufacturers like to write the chip reference inside their chip, and, well, there is something here. If you look at the chip at a big magnification power, you will see this, and this is the chip reference. Unfortunately, I could not find any reference on the internet about this chip. I asked a few friends on Twitter and so on, but nobody could find it, which means, well, I don't know, this is not a big, very well-known chip. If you know what it is, just tell me, send a mail or whatever, or take the microphone during the question and answer session, it will be nice.
So, just to sum up this part, this dongle is very nice but there is no CAN communication, it does not contain any CAN transceiver, it has not enough CPU power to emulate a CAN transceiver in full software, and the most important thing is that it has no flash in it to contain the database, you know, to reprogram any engine and so on. But the LEDs are blinking very well, so, yeah. If you really want to reprogram your car, use something else. Thank you. *Applause* I would like to invite all of you, if you are interested in car hacking, to try and put some OBD cable into your car, because it's very easy. You just have to pull a panel to get access to your OBD port. You will just need a Raspberry Pi, a CAN shield and a cable, and that's pretty much all you need. Just a few words: so you don't need to take anything apart, so it's pretty easy, you can do many interesting things just by using the OBD2 port of your car, like fuzzing and so on. But please be careful, you can hurt yourself or break your engine if it's running, so if you do some fuzzing, please stop the engine before.
P1kachu: Because as you saw at the beginning, I was actually recording CAN data or querying stuff while I was driving, which was the stupidest thing I did in the whole analysis.
I was able to disengage ABS by fuzzing, too - stuff like this - because they have some systems that, if they receive too many invalid kinds of messages, they will just shut off, so I was able to disengage stuff like this, so, yeah, if you are doing stuff like this, just don't drive while doing it, for example. That's the kind of stupid mistake you do when - or disable the airbags.
Guillaume: That's very important.
P: You never know.
G: Well, thank you again, and, yeah, if you want to speak with us, you're more than welcome. Thank you!
*applause*
Herald Angel: Thank you guys, I normally skip the car hacking talks. This time it was really amusing and I'm happy that I didn't do that. We have a lot of time for questions, if you want to line up, there's one over there or two over there, one over here and one over there. Are there questions from the audience? Signal angel?
Signal Angel: So, people on the stream are wondering where they can find your software and whether you contributed any signals you found to the opendbc project that is collecting signals from the CAN bus.
P: I haven't really heard about this - yet. So right now, not that much, but I will take a look at this after this. Sorry.
Herald Angel: Mic 1.
Q: I was wondering, you tried to reverse engineer to get into the secure mode so that you can access all the issues.
You want to... you reverse engineered this challenge/response authentication.
P: Yes.
Q: Why did you not try to reverse engineer the diagnostic software that is used by the dealers?
P: Because this thing, we call this valise, like luggage, and it costs, if I recall correctly, about 5,000 Euros per car manufacturer. So we went to a garage and asked the guy "Can you lend us your valise?" and he just laughed at us because, no, he didn't want to, but there are some partnerships you can have. [There] is a group of manufacturers that offer that kind of information if you pay every month a very huge sum of money.
Q: [...] pay 6 Euros and it can be used for an hour.
P: I haven't heard of it, I just saw big numbers and I told myself, okay, I'll find another way.
Herald Angel: Microphone 3.
Q: A great presentation. Thank you very much. I was just wondering, how much more work is needed to actually control your car with an Xbox controller? *Laughter* *Applause*
P: I was asked this question before. Not that much *Laughter* if you find the right guys with the right amount of knowledge. The idea that you'll get, of course. You have to find a way to control the car from the CAN bus, which is not something that is easily done.
Because for all I know right now, the CAN bus I was on was only used for broadcasting information, not really using this information for real-time data. We actually tried to find some way to know how the ECUs interact with each other with Young's car. So the idea was that we go to a field, I am on the passenger seat, and he would just tell me "okay, try to find the ABS ECU, I will brake very hard", so he was driving fast, braking. I was just checking which ECU would actually send something different, and afterwards we tried to recreate some messages, but without a lot of luck. So from the CAN bus I don't think that's quite possible. But they did it. Nissan did it like two months ago with the GT-R/C. They created a Nissan GT-R that is actually controlled by a gamepad controller. But they have a full robot in it just controlling the steering wheel and pedals, so it's quite easy when you have money. *Laughter*
Herald Angel: Microphone 2 in the back, please.
Q: Okay, hi, nice talk. Thank you. First of all, don't play around with the airbags, please. I tried to reverse engineer my old Mitsubishi - I'm a passionate Mitsubishi driver - please don't try mine. You get hurt, really. So my real question is: did you try to reverse engineer cars with an older bus than OBD, ever? Because mine is from the 90s.
P: Yeah, no, I didn't, because I had my hands full already with OBD.
To be honest, before this analysis I hadn't touched any kind of bus or any kind of car systems ever. So I was really discovering everything from scratch. So I just focused on the OBD port and the CAN bus and stuff like this. But I know there is a lot of different stuff; Valasek and Miller already did different kinds of attacks on the Jeep, for example, or the Prius, with different buses. So I ought to be looking at them, but right now, no, I didn't do anything else apart from the OBD or CAN bus.
Herald Angel: Is there another question from the internet? Okay, otherwise mic 1.
Q: Sorry, just one sentence. I guess because of the Mitsubishi stuff you've mentioned, the car of your parents or so, I guess we should talk about the Lancer. Okay?
P: Okay. *laughter*
Herald Angel: Mic 1.
Q: Thank you. There are some other buses like EtherCAT or FlexRay in other car manufacturers. What about hacking them? So you also said, you already said that maybe you will try it in the future?
P: Well, quite the same answer also. I read the car CAN books, so I just have a little grasp of other kinds of protocols and other stuff like this. Right now I didn't do anything. I am planning on trying different new buses, but right now I just haven't touched them, I can't answer any more honestly than this - I don't know.
G: The other thing is that on the OBD2 port you just have access to the CAN bus, and as far as I remember the Flex bus is internal and dedicated to high speed buses. So it's not as easy to plug yourself onto this bus, because you have to open your car and take things apart and stuff like this. But it's definitely interesting to look at it also.
P: Sorry.
Herald Angel: Okay, another question from the 3, please.
Q: Oh, it's 4. Okay, so just a little hint. OBD2 is actually just half of the fun, so you should definitely remove your car radio and check if there's a CAN bus behind that. I know for BMW they have it, and there of course it's much easier to control all of the fancy buttons that you have in your car, like windows and wipers and all that stuff, because that's completely unencrypted and so you can simply listen on this and also send your own commands.
P: Okay, so, check the other CAN bus in the car, right?
Q: Yeah, I mean it's maybe the car radio, because you don't have to cut anything, just plug it off, take an adaptor and put your own bus on that.
P: Thank you. Maybe another talk.
Herald Angel: And yet we have one question from the internet now and then the 1.
Signal Angel: So there's a person from the darknet who would like to leak you original diagnostic software for that kind of hardware, and the person wants to know whether you would be interested in that?
P: I haven't heard the end of the sentence but the beginning.
Signal Angel: Would you be interested in a software leak of original diagnostic software? *laughter* Actually you don't have to answer that because the person is outside, but if you want to say something you can.
P: *Coughing* You have my Twitter.
Herald Angel: Yeah, question please.
Q: First, thank you for your very inspiring speech. Luckily or unfortunately I don't own a car myself, otherwise... Well, what I wanted to say was, you now have your hands on a few Volkswagens. If you could choose a car yourself, what brand would you like to monitor?
P: Ah, to monitor. Actually, what I wanted, but I haven't taken the time right now, was to play with the Lancer, the big mother's bus, because it has Uconnect and as far as I remember it was one of the attack vectors Miller and Valasek used in the past, so I think I would go with the one with full features everywhere and remove parts to be able to get to the fun stuff. So I would take one with a lot of electronics, not too much, because it's expensive, but at least a bit of electronics, so that I could remove stuff and do interesting and nice stuff.
Herald Angel: Thank you, okay, and another one over there.
Q: Hi, thank you, and I enjoyed your talk. I think I read you already online, or I read something about doing what you have done. It's really fun, just a few corrections to the last part - the transceiver does not do any error correction, it's just a transceiver. And there are chips actually available which have a Cortex-M0 and the transceiver on chip for a few bucks.
P: Okay.
Q: So those chips exist and are used in automotive, and just for your fun for next year: choose the right car, depending on that question from that girl. There are car manufacturers who can do networking and who can do... let's say you are candy with the right brands. Like the Italian.
P: Thank you very much. I have way more information than when I started this talk, which isn't much what I expected at first.
Herald Angel: I would say final question, mic 1.
Q: Very small question, but did you consider lifting the front wheels instead of starting the engine to make it steer easily?
P: Yes, I put it on parpaings - the blocks of cement you find - but it's not the easiest part. What would be easier, what was done, was to put cardboard under the wheels, with a little bit of oil, to make it easier to turn, but here to be able to play without the engine turned on and with assisted steering.
Kind of putting the car on a car lift would be the safest way. Because just lifting the front wheels, I wouldn't see anything from the windscreen, which would be a bit disappointing. *laughter* And yes, indeed, I plan to put it on a car lift soon.
Herald Angel: Anyone who didn't get the chance to ask their question on stage, I'm sure that the speakers can be approached next to it. Thank you again for being here and drift on.
P: Thank you very much.
G: Thank you.
*Applause*
*34C3 postroll music*
subtitles created by c3subtitles.de in the year 2020. Join, and help us!