0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/92 Thanks! 1 00:00:10,120 --> 00:00:12,579 So, hi, welcome. 2 00:00:14,440 --> 00:00:15,999 We are running a few minutes late 3 00:00:16,000 --> 00:00:17,739 because, as you might have seen, we've 4 00:00:17,740 --> 00:00:19,269 got a rather complicated setup 5 00:00:20,320 --> 00:00:21,819 here in front. 6 00:00:21,820 --> 00:00:24,669 So I'm really intrigued 7 00:00:24,670 --> 00:00:26,919 about what are we going to see 8 00:00:26,920 --> 00:00:27,849 now? 9 00:00:27,850 --> 00:00:29,589 So this is Felix. 10 00:00:29,590 --> 00:00:32,048 Felix is going to talk about computers 11 00:00:32,049 --> 00:00:33,049 and cars. 12 00:00:34,240 --> 00:00:36,309 Please give him a round of 13 00:00:36,310 --> 00:00:38,709 applause and 14 00:00:38,710 --> 00:00:39,710 have fun. 15 00:00:46,110 --> 00:00:48,389 Hey. Yeah. I'm Felix Tomeka AM. 16 00:00:48,390 --> 00:00:50,519 Today's talk will be about 17 00:00:50,520 --> 00:00:52,170 scripting your car. 18 00:00:53,910 --> 00:00:56,139 So I did some other 19 00:00:56,140 --> 00:00:58,079 hacking work before I worked on gaming 20 00:00:58,080 --> 00:01:00,269 consoles, and the number 21 00:01:00,270 --> 00:01:02,489 one goal for me was always to run my own 22 00:01:02,490 --> 00:01:04,349 code on anything. 23 00:01:05,730 --> 00:01:07,470 So I guess that should include cars. 24 00:01:08,910 --> 00:01:11,189 I guess it's a valid question to ask why 25 00:01:11,190 --> 00:01:13,109 would you want to do anything like that? 26 00:01:13,110 --> 00:01:15,659 So I love hacking 27 00:01:15,660 --> 00:01:17,459 and I love programming and I love 28 00:01:17,460 --> 00:01:19,829 programming in Python, and 29 00:01:19,830 --> 00:01:21,089 I don't really love cars.
30 00:01:21,090 --> 00:01:23,429 I mean, they are a reasonable 31 00:01:23,430 --> 00:01:26,009 way of transportation, but 32 00:01:26,010 --> 00:01:27,209 I don't really love them. 33 00:01:27,210 --> 00:01:29,339 I mean, I use them and I used them 34 00:01:29,340 --> 00:01:31,019 way too often, actually, and I figured 35 00:01:31,020 --> 00:01:33,119 out that I'm spending so much time in 36 00:01:33,120 --> 00:01:35,549 a car that it would be stupid to not try 37 00:01:35,550 --> 00:01:38,459 to combine hacking and programming 38 00:01:38,460 --> 00:01:40,019 with cars. 39 00:01:40,020 --> 00:01:42,149 And although I read this on 40 00:01:42,150 --> 00:01:44,549 the internet that the next tempting 41 00:01:44,550 --> 00:01:47,639 new target is your car, so 42 00:01:47,640 --> 00:01:49,170 well, let's hack the car. 43 00:01:51,090 --> 00:01:53,429 And I guess you all heard this, and 44 00:01:53,430 --> 00:01:54,719 I guess it's true. 45 00:01:54,720 --> 00:01:56,939 If you can't open it, you don't own it. 46 00:01:56,940 --> 00:01:58,949 And I'm not a car mechanic. 47 00:01:58,950 --> 00:02:01,019 If I opened the car and take 48 00:02:01,020 --> 00:02:02,759 it apart, I'm pretty sure there will be 49 00:02:02,760 --> 00:02:04,379 some screws left when I put it back 50 00:02:04,380 --> 00:02:06,509 together and I 51 00:02:06,510 --> 00:02:07,589 don't want that. 52 00:02:07,590 --> 00:02:10,439 I want the car just to work, and 53 00:02:10,440 --> 00:02:12,389 I don't know much about car engines. 54 00:02:12,390 --> 00:02:14,459 So what's better than 55 00:02:14,460 --> 00:02:16,919 work on a car engine, at least for me? 56 00:02:16,920 --> 00:02:19,139 Well, it's adding Python to your car, 57 00:02:20,460 --> 00:02:21,460 so. 58 00:02:25,240 --> 00:02:26,859 I need to be very clear on this, so 59 00:02:26,860 --> 00:02:28,209 there's no misunderstanding. 60 00:02:28,210 --> 00:02:30,399 So this is a python in your 61 00:02:30,400 --> 00:02:31,400 car.
62 00:02:38,950 --> 00:02:40,089 You don't want that. 63 00:02:40,090 --> 00:02:42,729 So don't do this, this is dangerous. 64 00:02:42,730 --> 00:02:43,689 Don't do this. 65 00:02:43,690 --> 00:02:46,449 So this is Python in your car? 66 00:02:46,450 --> 00:02:47,499 Yeah. Don't mix it up. 67 00:02:47,500 --> 00:02:48,879 So this is what we actually want and this 68 00:02:48,880 --> 00:02:50,199 is what this talk is about. 69 00:02:50,200 --> 00:02:51,550 Python in your car. 70 00:02:53,080 --> 00:02:55,179 So to add Python to my 71 00:02:55,180 --> 00:02:57,579 car, um, the entry point I chose was 72 00:02:57,580 --> 00:02:58,749 the Bluetooth kit. 73 00:02:58,750 --> 00:03:00,639 And that sounds boring. 74 00:03:00,640 --> 00:03:02,529 I agree. So why would hacking the 75 00:03:02,530 --> 00:03:04,299 Bluetooth kit would be interesting at 76 00:03:04,300 --> 00:03:06,339 all? So if you look at this from a 77 00:03:06,340 --> 00:03:08,499 hacker's perspective, it's a little 78 00:03:08,500 --> 00:03:10,119 bit more clear because it shows up in the 79 00:03:10,120 --> 00:03:11,279 car dashboard menu. 80 00:03:11,280 --> 00:03:13,479 So it has the interaction to the rest 81 00:03:13,480 --> 00:03:15,159 of the car, leads to the steering wheel 82 00:03:15,160 --> 00:03:17,439 buttons and the dashboard menu, 83 00:03:17,440 --> 00:03:18,639 and it supports internet. 84 00:03:18,640 --> 00:03:20,139 And we all know, like internet enabled 85 00:03:20,140 --> 00:03:21,189 cars are the future. 86 00:03:21,190 --> 00:03:22,389 So sounds great 87 00:03:23,440 --> 00:03:25,659 as it can play audio because 88 00:03:25,660 --> 00:03:27,729 while it's Bluetooth kit, it's meant to 89 00:03:28,780 --> 00:03:30,309 connect your car to your 90 00:03:31,450 --> 00:03:33,999 phone, to your car's speakers 91 00:03:34,000 --> 00:03:35,079 and microphones.
92 00:03:35,080 --> 00:03:37,239 And the most important thing if the thing 93 00:03:37,240 --> 00:03:39,069 breaks while hacking on it, I can still 94 00:03:39,070 --> 00:03:41,199 drive. The car is not broken and I can 95 00:03:41,200 --> 00:03:43,659 probably replace the Bluetooth kit. 96 00:03:43,660 --> 00:03:45,459 So the Bluetooth kit is my entrance 97 00:03:45,460 --> 00:03:47,379 vector to adding Python to a car. 98 00:03:48,610 --> 00:03:51,729 So we have to look at where 99 00:03:51,730 --> 00:03:53,649 the Bluetooth kit is in a car. 100 00:03:53,650 --> 00:03:55,719 So logically speaking. 101 00:03:55,720 --> 00:03:57,729 So most cars you can actually get 102 00:03:57,730 --> 00:03:58,839 schematics. 103 00:03:58,840 --> 00:04:00,009 It's not really schematics. 104 00:04:00,010 --> 00:04:01,569 It's more like a wiring diagram. 105 00:04:01,570 --> 00:04:03,429 It's more like, well, 106 00:04:03,430 --> 00:04:06,039 what they use to fix your car. 107 00:04:06,040 --> 00:04:09,249 But it has most of the wiring. 108 00:04:09,250 --> 00:04:11,319 And it can be 109 00:04:11,320 --> 00:04:12,819 interesting to read that because you can 110 00:04:12,820 --> 00:04:14,679 see how the different buses are 111 00:04:14,680 --> 00:04:16,989 connected to each other and it 112 00:04:16,990 --> 00:04:18,518 saves you from a whole lot of reverse 113 00:04:18,519 --> 00:04:20,078 engineering.
If you can just download 114 00:04:20,079 --> 00:04:22,059 these diagrams and for example, for the 115 00:04:22,060 --> 00:04:24,429 Volkswagen Group, cars like Audis, 116 00:04:24,430 --> 00:04:26,649 Seats, Skodas and 117 00:04:26,650 --> 00:04:29,619 those, they have a website called Alwin 118 00:04:29,620 --> 00:04:31,809 or Avin or whatever, and where you 119 00:04:31,810 --> 00:04:33,099 can actually download the official 120 00:04:33,100 --> 00:04:35,169 documents for a small fee so it costs 121 00:04:35,170 --> 00:04:37,329 like five euro, and then you can 122 00:04:37,330 --> 00:04:39,459 use one hour to just download 123 00:04:39,460 --> 00:04:41,109 all the PDFs. 124 00:04:41,110 --> 00:04:43,179 And if we if you 125 00:04:43,180 --> 00:04:45,159 do that, there's no need to pirate those 126 00:04:45,160 --> 00:04:47,439 or to get anything from 127 00:04:47,440 --> 00:04:49,179 some of the weird locations. 128 00:04:49,180 --> 00:04:51,519 You can just download those officially. 129 00:04:51,520 --> 00:04:53,529 And if we look at this while not a modern 130 00:04:53,530 --> 00:04:55,719 car, so I was told that modern cars try 131 00:04:55,720 --> 00:04:57,249 to not use CAN anymore, and they have all 132 00:04:57,250 --> 00:04:58,929 these pensare, Ethernet and whatever. 133 00:04:58,930 --> 00:05:00,789 I don't know about this, but the car that 134 00:05:00,790 --> 00:05:01,839 I have, which is 135 00:05:02,860 --> 00:05:05,169 from a few years ago, it basically 136 00:05:05,170 --> 00:05:07,269 and most cars from the, 137 00:05:07,270 --> 00:05:09,129 let's say, the last 10 years or so are 138 00:05:09,130 --> 00:05:10,389 probably based on this. 139 00:05:10,390 --> 00:05:12,249 They have multiple CAN buses. 140 00:05:12,250 --> 00:05:14,289 So most of you probably heard what a 141 00:05:14,290 --> 00:05:16,479 CAN bus is.
It's some 142 00:05:16,480 --> 00:05:18,789 bus system that's used in automotive 143 00:05:18,790 --> 00:05:21,129 or that's mostly used 144 00:05:21,130 --> 00:05:23,589 in automotive stuff and industrial stuff 145 00:05:23,590 --> 00:05:24,819 because it's very reliable. 146 00:05:24,820 --> 00:05:26,199 We will talk a little bit more about this 147 00:05:26,200 --> 00:05:27,339 later. And 148 00:05:28,900 --> 00:05:31,119 there are multiple CAN buses in the car, 149 00:05:31,120 --> 00:05:33,189 so one CAN is mostly for the 150 00:05:33,190 --> 00:05:35,289 powertrain stuff that like there's the 151 00:05:35,290 --> 00:05:37,239 the engine control unit that controls the 152 00:05:37,240 --> 00:05:38,240 engine. 153 00:05:38,890 --> 00:05:41,229 This is what like chip tuners change 154 00:05:41,230 --> 00:05:44,109 to improve the car 155 00:05:44,110 --> 00:05:45,969 by reflashing the firmware. 156 00:05:45,970 --> 00:05:48,549 Then there's all the critical sensors, 157 00:05:48,550 --> 00:05:50,819 like radar sensors for 158 00:05:50,820 --> 00:05:52,269 different types of 159 00:05:54,490 --> 00:05:55,569 driving assistance. 160 00:05:55,570 --> 00:05:57,939 There's like the brake control system, 161 00:05:57,940 --> 00:05:59,649 the ESP, the airbag sensors, 162 00:06:01,630 --> 00:06:03,759 so that factory usually runs 163 00:06:03,760 --> 00:06:04,859 at a high speed. 164 00:06:04,860 --> 00:06:06,939 And then there's another CAN bus that 165 00:06:06,940 --> 00:06:09,579 has that controls like doors and 166 00:06:09,580 --> 00:06:11,649 the steering wheel stuff 167 00:06:11,650 --> 00:06:14,139 and like climate and 168 00:06:14,140 --> 00:06:15,309 air conditioning. 169 00:06:15,310 --> 00:06:17,549 And it's called convenience CAN or 170 00:06:17,550 --> 00:06:19,359 Komfort-CAN.
171 00:06:19,360 --> 00:06:21,489 There's some German terms all over the place 172 00:06:21,490 --> 00:06:23,649 for some reason, and it runs at a lower 173 00:06:23,650 --> 00:06:25,719 speed. And then there's a third CAN bus 174 00:06:25,720 --> 00:06:27,999 that is the infotainment CAN. 175 00:06:28,000 --> 00:06:30,309 That's where the navigation system, 176 00:06:30,310 --> 00:06:32,469 the radio, they talk to each other, the 177 00:06:32,470 --> 00:06:33,369 audio amps everything. 178 00:06:33,370 --> 00:06:35,229 That's not so critical. 179 00:06:35,230 --> 00:06:37,329 And this is also where the phone kit 180 00:06:37,330 --> 00:06:39,579 is. So it's on the same 181 00:06:39,580 --> 00:06:41,619 bus as the radio and so on. 182 00:06:43,090 --> 00:06:44,629 All of these buses are basically 183 00:06:44,630 --> 00:06:46,599 firewalled, you could say, to each other. 184 00:06:46,600 --> 00:06:49,059 So there's the thing called CAN gateway, 185 00:06:49,060 --> 00:06:51,249 and it connects to all 186 00:06:51,250 --> 00:06:53,379 the CAN buses, and it 187 00:06:53,380 --> 00:06:55,249 has some rules of what messages to 188 00:06:55,250 --> 00:06:57,249 forward to what bus and you can actually 189 00:06:57,250 --> 00:06:59,959 send messages to request 190 00:06:59,960 --> 00:07:01,659 certain messages to be available on some 191 00:07:01,660 --> 00:07:02,829 other bus. 192 00:07:02,830 --> 00:07:05,199 So it's not a firewall in a security 193 00:07:05,200 --> 00:07:07,869 sense, it's more to like 194 00:07:07,870 --> 00:07:10,179 protect the powertrain CAN from bad 195 00:07:10,180 --> 00:07:11,559 stuff happening on the radio or 196 00:07:11,560 --> 00:07:12,789 something.
197 00:07:12,790 --> 00:07:15,069 And there's also 198 00:07:15,070 --> 00:07:16,779 most of you probably heard of the OBD-II 199 00:07:16,780 --> 00:07:18,729 connector, which is usually in the 200 00:07:18,730 --> 00:07:20,829 driver's seat next to the 201 00:07:20,830 --> 00:07:22,719 driver's seat or something where you can 202 00:07:22,720 --> 00:07:24,489 download diagnostic information about 203 00:07:24,490 --> 00:07:26,559 your car. It's not directly 204 00:07:26,560 --> 00:07:27,939 connected to any CAN bus, but it 205 00:07:27,940 --> 00:07:29,829 connects to the CAN gateway and then you 206 00:07:29,830 --> 00:07:31,600 can talk to CAN gateway and then 207 00:07:33,190 --> 00:07:34,870 record some messages to the rest. 208 00:07:36,490 --> 00:07:38,139 But either way, so we are on the 209 00:07:38,140 --> 00:07:40,389 infotainment CAN bus, connected 210 00:07:40,390 --> 00:07:41,859 physically in the car. So this is my car, 211 00:07:41,860 --> 00:07:44,199 excuse the dark place. Um, 212 00:07:44,200 --> 00:07:46,429 the Bluetooth kit is below the passenger 213 00:07:46,430 --> 00:07:48,789 seat, so you can just open that up and 214 00:07:48,790 --> 00:07:49,779 remove it. 215 00:07:49,780 --> 00:07:51,189 And that's how it looks like. 216 00:07:51,190 --> 00:07:53,019 No screws to open, no screws to lose. 217 00:07:54,220 --> 00:07:56,049 And that's the module itself. 218 00:07:56,050 --> 00:07:57,639 I mean, of course, it usually does not 219 00:07:57,640 --> 00:07:59,019 come with the warranty white sticker 220 00:07:59,020 --> 00:08:00,020 removed. But 221 00:08:02,230 --> 00:08:03,969 so that's how the Bluetooth kit looks 222 00:08:03,970 --> 00:08:06,009 like. It's made by a company called 223 00:08:06,010 --> 00:08:08,289 Neuville, which is the German company.
224 00:08:08,290 --> 00:08:10,389 Again, I'm 225 00:08:10,390 --> 00:08:12,249 never I've never heard of that company, 226 00:08:12,250 --> 00:08:14,199 but I looked it up and it was actually 227 00:08:14,200 --> 00:08:16,269 Nokia's automotive group and 228 00:08:16,270 --> 00:08:17,799 they split up in 2008. 229 00:08:17,800 --> 00:08:20,079 So we expect to see some Nokia 230 00:08:20,080 --> 00:08:21,129 technology in there. 231 00:08:21,130 --> 00:08:22,130 Maybe 232 00:08:23,500 --> 00:08:24,879 if we open it up. 233 00:08:24,880 --> 00:08:26,169 We see this. 234 00:08:26,170 --> 00:08:28,269 So you can see that there's 235 00:08:28,270 --> 00:08:30,669 a 3G modem 236 00:08:30,670 --> 00:08:33,038 in it or basically a phone, 237 00:08:33,039 --> 00:08:35,199 right? And there's the car 238 00:08:35,200 --> 00:08:36,759 interface at the bottom. 239 00:08:36,760 --> 00:08:38,829 And if we look on the other side, we 240 00:08:38,830 --> 00:08:40,599 see this, which looks more interesting. 241 00:08:40,600 --> 00:08:41,918 So this is not the phone. Does this stop 242 00:08:41,919 --> 00:08:42,940 the car interface? 243 00:08:44,100 --> 00:08:46,379 And first of all, we see is some 244 00:08:46,380 --> 00:08:48,599 some microcontroller from Freescale, 245 00:08:48,600 --> 00:08:50,819 and it's an S12X, some 246 00:08:50,820 --> 00:08:52,649 automotive stuff, and some SRAM for it. 247 00:08:53,780 --> 00:08:56,009 And it's about 248 00:08:56,010 --> 00:08:58,109 the CAN bus interface and so on. 249 00:08:58,110 --> 00:09:00,089 There's a CSR Bluetooth module, 250 00:09:00,090 --> 00:09:01,589 which we wouldn't expect because it's a 251 00:09:01,590 --> 00:09:02,729 Bluetooth kit. 252 00:09:02,730 --> 00:09:04,799 And then there's the Freescale 253 00:09:04,800 --> 00:09:06,869 i.MX31 and it has 254 00:09:06,870 --> 00:09:09,119 some some $b dram and big NAND 255 00:09:09,120 --> 00:09:10,049 flash.
256 00:09:10,050 --> 00:09:11,759 And that made me curious because if we 257 00:09:11,760 --> 00:09:14,339 look up the i.MX31, it's 258 00:09:14,340 --> 00:09:16,139 a pretty big CPU. 259 00:09:16,140 --> 00:09:18,209 So it has an ARM11 260 00:09:18,210 --> 00:09:20,369 at 700 megahertz and it 261 00:09:20,370 --> 00:09:22,739 has like all kinds of interfaces 262 00:09:22,740 --> 00:09:24,690 like USB and it supports 263 00:09:25,980 --> 00:09:26,919 video. 264 00:09:26,920 --> 00:09:28,889 They don't use that, but it's a pretty 265 00:09:28,890 --> 00:09:30,149 interesting chip. 266 00:09:30,150 --> 00:09:31,739 And which was, I think, used in some 267 00:09:31,740 --> 00:09:33,859 phones back then, like 268 00:09:33,860 --> 00:09:35,639 some smartphones. 269 00:09:35,640 --> 00:09:38,099 And the interesting point is that, um, 270 00:09:38,100 --> 00:09:39,929 so Freescale has two operating 271 00:09:39,930 --> 00:09:41,669 systems they're supporting, Linux and Windows 272 00:09:41,670 --> 00:09:43,559 CE. So let's hope. 273 00:09:43,560 --> 00:09:45,299 Let's hope it's Linux and not Windows CE, 274 00:09:46,560 --> 00:09:48,209 but it's usually not programmed bare to 275 00:09:48,210 --> 00:09:50,489 the metal or any real time OS. 276 00:09:50,490 --> 00:09:53,129 So although it's pretty 277 00:09:53,130 --> 00:09:55,229 high powered and I wondered why is 278 00:09:55,230 --> 00:09:58,079 it so? Why do you need so much power to 279 00:09:58,080 --> 00:10:00,359 do Bluetooth like 280 00:10:00,360 --> 00:10:02,429 the Bluetooth phone 281 00:10:02,430 --> 00:10:03,809 bridging to your car? 282 00:10:05,190 --> 00:10:07,859 If we look at the features, the force, 283 00:10:07,860 --> 00:10:10,769 the device is called HD four and 284 00:10:10,770 --> 00:10:12,839 it supports one interesting feature 285 00:10:12,840 --> 00:10:14,279 that I didn't expect. 286 00:10:14,280 --> 00:10:16,589 But again, I don't know much about cars.
287 00:10:16,590 --> 00:10:18,549 It does not only support 288 00:10:19,560 --> 00:10:21,839 the handsfree profile, which is basically 289 00:10:21,840 --> 00:10:24,689 taking the audio data from the car and 290 00:10:24,690 --> 00:10:26,159 sending it over Bluetooth to the phone 291 00:10:26,160 --> 00:10:27,659 and side. 292 00:10:27,660 --> 00:10:29,549 It also supports the remote SIM access 293 00:10:29,550 --> 00:10:31,829 profile, which means that there's a full 294 00:10:31,830 --> 00:10:34,049 phone in the Bluetooth kit 295 00:10:34,050 --> 00:10:35,489 and but it doesn't have a SIM card. 296 00:10:35,490 --> 00:10:38,189 It uses the SIM card from the phone, 297 00:10:38,190 --> 00:10:40,529 so most modern phones 298 00:10:40,530 --> 00:10:41,459 don't support this. 299 00:10:41,460 --> 00:10:43,529 Unfortunately, like especially 300 00:10:43,530 --> 00:10:45,239 iPhones, don't support it. 301 00:10:45,240 --> 00:10:46,289 We're not. One doesn't support it. 302 00:10:46,290 --> 00:10:48,419 Android sometimes supports it, but 303 00:10:48,420 --> 00:10:50,579 on the Nokia feature phones 304 00:10:50,580 --> 00:10:53,189 that are so great, they also want this, 305 00:10:53,190 --> 00:10:55,359 and it basically turns 306 00:10:55,360 --> 00:10:58,089 the phone into a smart card reader. 307 00:10:58,090 --> 00:10:59,519 The Bluetooth smart card are nothing 308 00:10:59,520 --> 00:11:01,559 more, and the big advantage of this is 309 00:11:01,560 --> 00:11:03,629 that you can use the car's antenna 310 00:11:03,630 --> 00:11:05,879 and you save battery 311 00:11:05,880 --> 00:11:07,139 life on the phone. And so on 312 00:11:08,250 --> 00:11:10,049 and the 313 00:11:11,250 --> 00:11:13,349 HD four also allows someone to take 314 00:11:13,350 --> 00:11:15,629 a laptop and use Bluetooth to connect 315 00:11:15,630 --> 00:11:17,819 to the internet over dial-up 316 00:11:17,820 --> 00:11:18,869 networking.
317 00:11:18,870 --> 00:11:21,029 It uses that it's done like 318 00:11:21,030 --> 00:11:22,440 gives you a PPP session 319 00:11:23,550 --> 00:11:26,369 over 3G, and 320 00:11:26,370 --> 00:11:28,779 it also does speech recognition and speech 321 00:11:28,780 --> 00:11:31,229 synthesis so you can do voice dialing 322 00:11:31,230 --> 00:11:33,389 with that and you can control it via 323 00:11:33,390 --> 00:11:35,909 voice, and it 324 00:11:35,910 --> 00:11:38,009 can do music streaming rights 325 00:11:38,010 --> 00:11:40,049 to the A2DP. 326 00:11:40,050 --> 00:11:42,149 So like an iPod, can also do 327 00:11:42,150 --> 00:11:44,249 this to play on the 328 00:11:44,250 --> 00:11:47,069 on the car's speakers with that. 329 00:11:47,070 --> 00:11:49,229 So this is like what they announced, 330 00:11:49,230 --> 00:11:50,219 the features they announced. 331 00:11:50,220 --> 00:11:51,659 And if we look at these features from the 332 00:11:51,660 --> 00:11:54,059 hacker perspective, the remote 333 00:11:54,060 --> 00:11:56,279 SIM access profile means that all the SIM 334 00:11:56,280 --> 00:11:58,679 traffic is basically software controlled 335 00:11:58,680 --> 00:12:00,599 because it's bridged to Bluetooth. 336 00:12:00,600 --> 00:12:02,669 And like, it's not just a wire 337 00:12:02,670 --> 00:12:05,429 or something that connects this to 338 00:12:05,430 --> 00:12:06,749 the phone's SIM card to something else, 339 00:12:06,750 --> 00:12:08,609 but it actually goes into the CPU and the 340 00:12:08,610 --> 00:12:10,649 CPU will send the requests over Bluetooth 341 00:12:10,650 --> 00:12:11,609 and so on. 342 00:12:11,610 --> 00:12:13,679 So it's the same for the 343 00:12:13,680 --> 00:12:14,759 dial-up networking feature. 344 00:12:14,760 --> 00:12:16,409 It means that there's software control over 345 00:12:16,410 --> 00:12:17,459 the PPP
346 00:12:17,460 --> 00:12:19,569 so that the Bluetooth kit 347 00:12:19,570 --> 00:12:20,939 could actually build up their own 348 00:12:20,940 --> 00:12:22,799 internet connection, which may be 349 00:12:22,800 --> 00:12:24,749 interesting. And also, the voice control 350 00:12:24,750 --> 00:12:26,729 explains why they have such a beefy CPU 351 00:12:26,730 --> 00:12:29,009 because to do decent voice recognition, 352 00:12:29,010 --> 00:12:31,619 you need quite a lot of CPU power, 353 00:12:31,620 --> 00:12:33,089 and that's why they have the 700 354 00:12:33,090 --> 00:12:35,279 megahertz CPU in there, mainly to do 355 00:12:35,280 --> 00:12:36,280 voice control. 356 00:12:37,230 --> 00:12:39,179 And then, of course, the handsfree 357 00:12:39,180 --> 00:12:40,829 profile, which it still supports the next 358 00:12:40,830 --> 00:12:42,989 to RCF is that 359 00:12:42,990 --> 00:12:46,109 you can play audio and receive audio 360 00:12:46,110 --> 00:12:48,179 and yeah, 361 00:12:48,180 --> 00:12:49,529 to the car. 362 00:12:52,010 --> 00:12:54,229 So let's take 363 00:12:54,230 --> 00:12:55,230 a deeper look at this. 364 00:12:57,110 --> 00:12:59,329 The thing is in your car, so the obvious 365 00:12:59,330 --> 00:13:00,829 thing is, yeah, let's just get a laptop 366 00:13:00,830 --> 00:13:02,689 in your car and let's go. 367 00:13:02,690 --> 00:13:04,159 It should be easy. 368 00:13:04,160 --> 00:13:05,689 If you never tried that, it sounds like 369 00:13:05,690 --> 00:13:07,999 that. If you do it, it's cold 370 00:13:08,000 --> 00:13:09,919 because you hack at night and the night 371 00:13:09,920 --> 00:13:11,199 is cold and you're in the car.
372 00:13:11,200 --> 00:13:13,369 And there's this really bad 373 00:13:13,370 --> 00:13:15,049 trade off, so you can either choose to 374 00:13:15,050 --> 00:13:17,179 leave the engine running or to not 375 00:13:17,180 --> 00:13:19,249 leave running so you either have a dead 376 00:13:19,250 --> 00:13:21,289 battery or you are dead the next morning. 377 00:13:21,290 --> 00:13:23,359 So it's a really 378 00:13:23,360 --> 00:13:24,360 bad trade off. 379 00:13:25,610 --> 00:13:27,529 Also, environmental wise, it's probably a 380 00:13:27,530 --> 00:13:29,059 bad idea to leave the engine running. 381 00:13:29,060 --> 00:13:31,039 And the next thing is when you 382 00:13:31,040 --> 00:13:32,809 try random stuff to the thing and you may 383 00:13:32,810 --> 00:13:34,519 shortcut something you don't want to 384 00:13:34,520 --> 00:13:35,719 break the car. 385 00:13:35,720 --> 00:13:37,789 And if it looks something like that, 386 00:13:37,790 --> 00:13:38,790 you're doing it wrong. 387 00:13:39,920 --> 00:13:41,329 And I don't want to do it wrong. 388 00:13:41,330 --> 00:13:43,399 So what I 389 00:13:43,400 --> 00:13:45,889 did was I went to eBay and I bought 390 00:13:45,890 --> 00:13:48,049 a Bluetooth kit, another 391 00:13:48,050 --> 00:13:50,119 one, so I could use that on my desk. 392 00:13:50,120 --> 00:13:52,159 So what I actually got was not the HD 393 00:13:52,160 --> 00:13:54,529 four, but the HD five, which is 394 00:13:54,530 --> 00:13:56,429 the more modern version from this year. 395 00:13:57,740 --> 00:13:59,659 They basically have one more feature, 396 00:13:59,660 --> 00:14:01,669 which is that they support Wi-Fi sharing. 397 00:14:01,670 --> 00:14:03,259 So they build up their own internet 398 00:14:03,260 --> 00:14:05,629 connection in the Bluetooth kit 399 00:14:05,630 --> 00:14:07,249 and provided the phone can do with the 400 00:14:07,250 --> 00:14:09,559 remote SIM stuff and they share 401 00:14:09,560 --> 00:14:10,939 it over Wi-Fi.
402 00:14:10,940 --> 00:14:13,069 So from the hacker side, 403 00:14:13,070 --> 00:14:15,229 this means that it builds 404 00:14:15,230 --> 00:14:16,489 up a Wi-Fi access point. 405 00:14:16,490 --> 00:14:18,139 So it has all of that logic. 406 00:14:18,140 --> 00:14:20,479 It builds up its own internet connection 407 00:14:20,480 --> 00:14:22,609 and it sets the router and and 408 00:14:22,610 --> 00:14:24,889 that and it's much more likely that 409 00:14:24,890 --> 00:14:26,809 this is a real operating system and not 410 00:14:26,810 --> 00:14:29,209 just some really bare to the metal 411 00:14:29,210 --> 00:14:31,219 or some real time stuff where we can't do 412 00:14:31,220 --> 00:14:32,220 anything. 413 00:14:32,960 --> 00:14:34,279 It also turns out it's a different 414 00:14:34,280 --> 00:14:36,829 hardware platform, so it looks like this 415 00:14:36,830 --> 00:14:37,909 except for the red cables. 416 00:14:37,910 --> 00:14:40,879 I added them so 417 00:14:40,880 --> 00:14:43,159 we can see the Freescale S12X, 418 00:14:43,160 --> 00:14:44,749 the microcontroller, by the way, they are 419 00:14:44,750 --> 00:14:46,699 replaceable. So if you have the old one, 420 00:14:46,700 --> 00:14:48,499 you can just buy the new one and plug it 421 00:14:48,500 --> 00:14:49,489 in and it just works. 422 00:14:49,490 --> 00:14:51,559 So it made it 423 00:14:51,560 --> 00:14:52,969 a bit more convenient because I know I 424 00:14:52,970 --> 00:14:55,099 had a backup unit that works in 425 00:14:55,100 --> 00:14:56,659 my car and I could check the other one of 426 00:14:56,660 --> 00:14:58,999 them. I'm not 427 00:14:59,000 --> 00:15:01,069 risked making the car, not having a 428 00:15:01,070 --> 00:15:02,329 Bluetooth kit anymore. 429 00:15:02,330 --> 00:15:04,779 So there's again, you have the Freescale, 430 00:15:04,780 --> 00:15:06,439 the microcontroller.
431 00:15:06,440 --> 00:15:08,239 There's again the CSR Bluetooth 432 00:15:08,240 --> 00:15:10,669 chip and there's the Wi-Fi 433 00:15:10,670 --> 00:15:12,950 chip, which is also some Marvell chip. 434 00:15:14,840 --> 00:15:16,399 And the interesting stuff is actually on 435 00:15:16,400 --> 00:15:17,929 the other side. 436 00:15:17,930 --> 00:15:20,059 So there's 437 00:15:20,060 --> 00:15:22,219 the car interface, of course, those 438 00:15:22,220 --> 00:15:24,319 pins, but then there's 439 00:15:24,320 --> 00:15:25,519 a Marvell CPU. 440 00:15:25,520 --> 00:15:27,589 It's called 1895 n 441 00:15:27,590 --> 00:15:28,820 never heard of that before, 442 00:15:29,930 --> 00:15:32,149 but we see that there's quite 443 00:15:32,150 --> 00:15:34,609 a bit of RAM again, 128 444 00:15:34,610 --> 00:15:36,589 megabytes of DDR RAM. 445 00:15:36,590 --> 00:15:38,749 There is one megabyte of NAND flash, 446 00:15:38,750 --> 00:15:40,879 so it sounds beefy. 447 00:15:40,880 --> 00:15:43,189 There's some power management stuff. 448 00:15:43,190 --> 00:15:45,779 There's the 3G radio front end 449 00:15:45,780 --> 00:15:48,019 and the antenna, and there 450 00:15:48,020 --> 00:15:50,329 are two things that 451 00:15:50,330 --> 00:15:52,399 were not present originally. 452 00:15:52,400 --> 00:15:54,710 I will talk a lot about that later. 453 00:15:56,420 --> 00:15:57,889 So if we look at a block diagram, it 454 00:15:57,890 --> 00:15:59,959 looks like that we have the Marvell CPU 455 00:15:59,960 --> 00:16:02,329 in the middle and we have the 456 00:16:02,330 --> 00:16:03,809 Wi-Fi attached over SDIO. 457 00:16:03,810 --> 00:16:05,929 Now we have this CSR Bluetooth 458 00:16:05,930 --> 00:16:07,649 chip. I think it's USB. 459 00:16:07,650 --> 00:16:09,709 We have the NAND flash, though the 460 00:16:09,710 --> 00:16:10,639 RAM.
461 00:16:10,640 --> 00:16:12,799 Well, it's basically a block diagram 462 00:16:12,800 --> 00:16:14,959 of any 463 00:16:14,960 --> 00:16:16,699 product that uses this Marvell chip, 464 00:16:16,700 --> 00:16:18,379 except for the CAN stuff. 465 00:16:18,380 --> 00:16:20,719 That's marked here 466 00:16:20,720 --> 00:16:22,939 with S12X and 467 00:16:22,940 --> 00:16:24,410 the whole car interface thing 468 00:16:25,790 --> 00:16:26,899 that this my LC views. 469 00:16:26,900 --> 00:16:29,209 So I Googled it and I wasn't 470 00:16:29,210 --> 00:16:30,739 successful, which is interesting. 471 00:16:31,790 --> 00:16:34,249 I'm looking for 472 00:16:34,250 --> 00:16:36,449 it's nine five five instead of nine five 473 00:16:36,450 --> 00:16:38,719 and gives a few more results, but still 474 00:16:38,720 --> 00:16:40,939 mainly some Chinese sites trying to sell 475 00:16:40,940 --> 00:16:41,940 you those chips. 476 00:16:42,950 --> 00:16:44,839 Marvell is pretty bad at providing 477 00:16:44,840 --> 00:16:47,569 actual information on their website. 478 00:16:47,570 --> 00:16:49,249 I don't know if it's better with an NDA 479 00:16:49,250 --> 00:16:50,839 or not, but I don't have an NDA, so I 480 00:16:50,840 --> 00:16:52,009 don't know. 481 00:16:52,010 --> 00:16:54,319 I would not buy those chips 482 00:16:54,320 --> 00:16:56,449 because I don't know anything 483 00:16:56,450 --> 00:16:58,489 about these chips, but apparently they 484 00:16:58,490 --> 00:17:00,709 did. So it seems to be a 485 00:17:00,710 --> 00:17:03,049 PXA955. And the communication part that 486 00:17:03,050 --> 00:17:05,449 the CPU, I think, means that like 487 00:17:05,450 --> 00:17:07,759 they have this integrated 3G modem.
488 00:17:07,760 --> 00:17:09,949 So it's a Cortex-A8 at roughly 489 00:17:09,950 --> 00:17:12,078 one gigahertz or even better than the 490 00:17:12,079 --> 00:17:14,149 i.MX31, and they 491 00:17:14,150 --> 00:17:16,249 have the 3G modem implemented on the 492 00:17:16,250 --> 00:17:18,379 same chip, so it's not implemented 493 00:17:18,380 --> 00:17:20,179 on the ARM. So there's a separate CPU, 494 00:17:20,180 --> 00:17:22,699 apparently, but it's still in the same 495 00:17:22,700 --> 00:17:24,979 on the same chip and some cheap Android 496 00:17:24,980 --> 00:17:26,149 tablets or not. 497 00:17:26,150 --> 00:17:28,489 So. So see my cheap Android tablets 498 00:17:28,490 --> 00:17:29,490 use that. So. 499 00:17:31,790 --> 00:17:34,039 That's where this chip comes from. 500 00:17:35,960 --> 00:17:38,119 The goal was to boot this 501 00:17:38,120 --> 00:17:39,349 thing on my desk. 502 00:17:39,350 --> 00:17:41,569 And so the plan that I had 503 00:17:41,570 --> 00:17:43,849 was while in the car, we know 12 volts, 504 00:17:43,850 --> 00:17:45,259 everything is supplied by 12 volts. 505 00:17:45,260 --> 00:17:46,849 So I connect 12 volts 506 00:17:47,900 --> 00:17:50,179 to the right pins. I hope it boots. 507 00:17:50,180 --> 00:17:52,039 And when it boots, I find the 508 00:17:52,040 --> 00:17:54,319 UART by just randomly scoping 509 00:17:54,320 --> 00:17:56,419 on some test points and then I hope it's 510 00:17:56,420 --> 00:17:57,319 Linux that boots. 511 00:17:57,320 --> 00:17:59,329 And if it's Linux, I can install Python 512 00:17:59,330 --> 00:18:00,330 and then I'm done. 513 00:18:01,890 --> 00:18:03,919 So let's see how this worked out. 514 00:18:03,920 --> 00:18:05,749 So this is the car interface.
515 00:18:05,750 --> 00:18:08,029 It's some 45 pin connector 516 00:18:08,030 --> 00:18:09,979 that if you look at the schematics that 517 00:18:09,980 --> 00:18:11,809 I've talked about, you can drive the pin 518 00:18:11,810 --> 00:18:13,789 out the most important pins your art 519 00:18:13,790 --> 00:18:16,249 ground and 12th vault and the canvas 520 00:18:16,250 --> 00:18:18,049 pins that we may eventually need later. 521 00:18:19,160 --> 00:18:21,259 And and then all the audio pins and 522 00:18:21,260 --> 00:18:23,569 the rest of that, which 523 00:18:23,570 --> 00:18:25,009 we don't need right now. 524 00:18:25,010 --> 00:18:26,339 So powering a thing up. 525 00:18:26,340 --> 00:18:28,579 So what happens when I apply 526 00:18:28,580 --> 00:18:30,139 to default? And that's what I actually 527 00:18:30,140 --> 00:18:32,239 want to demo. Let's see if that works. 528 00:18:32,240 --> 00:18:34,579 So can you switch me over to V.J., 529 00:18:34,580 --> 00:18:35,929 please? 530 00:18:35,930 --> 00:18:36,930 Hello. 531 00:18:38,180 --> 00:18:39,180 BGA, please. 532 00:18:50,630 --> 00:18:52,939 It's a bit like explorer kind of zone. 533 00:18:52,940 --> 00:18:55,129 OK, so my my set up 534 00:18:55,130 --> 00:18:57,019 here is happy camera, 535 00:18:59,780 --> 00:19:00,780 punish them. 536 00:19:02,120 --> 00:19:03,089 The. OK. 537 00:19:03,090 --> 00:19:04,499 I don't want to mention that. 538 00:19:04,500 --> 00:19:06,079 So someone is coming up with the cameras. 
539 00:19:08,680 --> 00:19:10,809 Anyway, so I wrote something that 540 00:19:10,810 --> 00:19:12,999 so I have a lab power supply here, and 541 00:19:13,000 --> 00:19:15,149 what you can see there is basically the 542 00:19:15,150 --> 00:19:16,689 the current voltage and the current power 543 00:19:16,690 --> 00:19:18,909 consumption, so it can't be switched off 544 00:19:18,910 --> 00:19:20,319 so that if it doesn't work with the 545 00:19:20,320 --> 00:19:22,689 camera, I can just show 546 00:19:22,690 --> 00:19:24,520 this to you. OK, that's great. 547 00:19:26,350 --> 00:19:28,030 Can you come here with the camera? 548 00:19:31,390 --> 00:19:32,390 But this. 549 00:19:35,410 --> 00:19:37,179 It takes 10 or 15 more minutes. 550 00:19:37,180 --> 00:19:39,249 OK, so can you switch back 551 00:19:39,250 --> 00:19:41,439 then please? So the setup 552 00:19:41,440 --> 00:19:43,659 here is I have a lab power supply. 553 00:19:43,660 --> 00:19:45,909 I have the Bluetooth kit and 554 00:19:45,910 --> 00:19:47,709 I have a yeah, it's a Windows PC. 555 00:19:47,710 --> 00:19:49,779 Sorry, that 556 00:19:49,780 --> 00:19:52,209 does show me basically 557 00:19:52,210 --> 00:19:53,769 a remote and face full episode. 558 00:19:54,880 --> 00:19:56,949 So what I do, I set it to 12 559 00:19:56,950 --> 00:19:59,199 volt, so if I switch it on, 560 00:19:59,200 --> 00:20:01,299 we would expect the thing to boot and 561 00:20:02,800 --> 00:20:05,559 I would expect it to roughly 562 00:20:05,560 --> 00:20:07,659 consume like, let's say, 200 milliampere or 563 00:20:07,660 --> 00:20:08,660 something. 564 00:20:09,310 --> 00:20:11,859 So I enabled 12 volt 565 00:20:11,860 --> 00:20:13,479 and it draws like 50 milliampere. 566 00:20:13,480 --> 00:20:15,729 So that's not so much. 567 00:20:15,730 --> 00:20:18,009 And then it goes 568 00:20:18,010 --> 00:20:19,010 out. 569 00:20:20,510 --> 00:20:21,510 Can you switch back, please?
570 00:20:25,470 --> 00:20:27,659 So despite this, nothing happens, 571 00:20:27,660 --> 00:20:29,309 it boots up for a short moment and then 572 00:20:29,310 --> 00:20:31,829 it goes off. And I 573 00:20:31,830 --> 00:20:33,389 mean, if we look at the block diagram 574 00:20:33,390 --> 00:20:35,789 kind of makes sense because the 575 00:20:35,790 --> 00:20:37,859 the power management should control from 576 00:20:37,860 --> 00:20:39,819 that from the microcontroller. 577 00:20:39,820 --> 00:20:42,119 And yes, you have this thing in a car, 578 00:20:42,120 --> 00:20:44,729 you don't want it to drain the battery. 579 00:20:44,730 --> 00:20:46,319 It's still connected to the battery all 580 00:20:46,320 --> 00:20:48,569 the time. The you want to be able to make 581 00:20:48,570 --> 00:20:50,819 Bluetooth phone calls when the engine 582 00:20:50,820 --> 00:20:53,159 is not running, but it cannot like 583 00:20:53,160 --> 00:20:55,289 consume 20 million power at the 584 00:20:55,290 --> 00:20:57,239 whole time. So they have some power 585 00:20:57,240 --> 00:20:58,259 management there. 586 00:20:58,260 --> 00:21:00,389 And it turns out that in this 587 00:21:00,390 --> 00:21:02,189 stage where it draws 60 milliamps, 588 00:21:02,190 --> 00:21:03,809 that that's 5X is powered. 589 00:21:03,810 --> 00:21:05,730 But the main CPU is never powered. 590 00:21:06,750 --> 00:21:08,909 So maybe we have to send 591 00:21:08,910 --> 00:21:11,249 CAN message first to enable 592 00:21:11,250 --> 00:21:13,439 that. So this is a three 593 00:21:13,440 --> 00:21:15,899 slide crash course for CAN bus. 594 00:21:15,900 --> 00:21:18,299 Basically, CAN is a bus system. 595 00:21:18,300 --> 00:21:19,979 There can be multiple devices connected 596 00:21:19,980 --> 00:21:20,980 to the same bus. 597 00:21:22,290 --> 00:21:23,849 It's a differential signaling.
598 00:21:23,850 --> 00:21:25,679 So what really matters is the voltage 599 00:21:25,680 --> 00:21:27,420 difference between two lines 600 00:21:28,470 --> 00:21:30,959 CAN H and CAN L, so high and low 601 00:21:30,960 --> 00:21:32,369 and some termination. 602 00:21:32,370 --> 00:21:34,499 So this is how it looks like. 603 00:21:34,500 --> 00:21:36,239 So again, it's always the voltage 604 00:21:36,240 --> 00:21:37,559 difference that matters. 605 00:21:37,560 --> 00:21:39,869 So if the voltage difference is small, so 606 00:21:39,870 --> 00:21:41,909 CAN high and low are both 607 00:21:41,910 --> 00:21:44,489 at 2.5 volts, it's a logical 608 00:21:44,490 --> 00:21:45,479 one. 609 00:21:45,480 --> 00:21:46,919 That's just how it is. 610 00:21:46,920 --> 00:21:49,199 And if the voltage difference is big, 611 00:21:49,200 --> 00:21:51,299 like CAN low is driven to low 612 00:21:51,300 --> 00:21:54,549 and CAN high is driven to high, then 613 00:21:54,550 --> 00:21:56,159 then it's a logical zero. 614 00:21:56,160 --> 00:21:58,139 That's how the signaling works on CAN. 615 00:21:58,140 --> 00:22:00,689 And the interesting part is now that 616 00:22:00,690 --> 00:22:02,819 if the if none of these wires 617 00:22:02,820 --> 00:22:04,919 are driven, like if no device is 618 00:22:04,920 --> 00:22:07,009 talking, they will be at 2.5 619 00:22:07,010 --> 00:22:09,299 volts. So they are pulled to 2.5 volts and 620 00:22:09,300 --> 00:22:10,829 only if the device is actually driving 621 00:22:10,830 --> 00:22:12,899 the bus, it will generate zeros. 622 00:22:12,900 --> 00:22:14,669 And if the no device is driving, it will 623 00:22:14,670 --> 00:22:15,599 be one. 624 00:22:15,600 --> 00:22:17,759 So and 625 00:22:17,760 --> 00:22:19,469 this is used when two devices talk at the 626 00:22:19,470 --> 00:22:20,549 same point.
So let's say this is the 627 00:22:20,550 --> 00:22:22,619 second device and it talks at the same 628 00:22:22,620 --> 00:22:24,719 time as the first device or there's 629 00:22:24,720 --> 00:22:26,309 a collision on the bus. 630 00:22:26,310 --> 00:22:28,619 Then it will drive 631 00:22:28,620 --> 00:22:30,809 where previously the bus was driven, so 632 00:22:30,810 --> 00:22:32,849 it will turn the one into a zero. 633 00:22:32,850 --> 00:22:35,039 And it's basically just means that it's 634 00:22:35,040 --> 00:22:36,359 when there are two devices talking at the 635 00:22:36,360 --> 00:22:39,089 same time and one device is driving 636 00:22:39,090 --> 00:22:41,279 one and the other device driving zero 637 00:22:41,280 --> 00:22:42,419 the zero will win. 638 00:22:42,420 --> 00:22:44,639 And that's why it's called dominant bit 639 00:22:44,640 --> 00:22:46,889 and the one is called recessive. 640 00:22:46,890 --> 00:22:49,169 So it means that on the CAN bus 641 00:22:49,170 --> 00:22:51,329 collision is fully defined like, unlike 642 00:22:51,330 --> 00:22:53,219 Ethernet, where you just retry 643 00:22:54,810 --> 00:22:57,119 on a CAN bus, there's an arbitration 644 00:22:57,120 --> 00:22:59,789 scheme. And basically. 645 00:22:59,790 --> 00:23:02,099 So the very simplified 646 00:23:02,100 --> 00:23:04,439 version is still every CAN frame 647 00:23:04,440 --> 00:23:06,539 can be zero to eight data bytes, 648 00:23:06,540 --> 00:23:08,729 and it has an 11-bit identifier, 649 00:23:08,730 --> 00:23:11,129 basically which devices which 650 00:23:11,130 --> 00:23:13,019 it's just an identifier so usually 651 00:23:13,020 --> 00:23:15,269 targets. It shows what kind of data 652 00:23:15,270 --> 00:23:17,369 it is that you're sending, and 653 00:23:18,750 --> 00:23:20,729 if there's a collision, then the one with 654 00:23:20,730 --> 00:23:22,019 the lower identifier will win. 655 00:23:22,020 --> 00:23:24,629 But we don't need to know that really.
656 00:23:24,630 --> 00:23:25,989 There's a lot of other stuff I could see 657 00:23:25,990 --> 00:23:27,569 or see we don't care about because if we 658 00:23:27,570 --> 00:23:29,999 use a CAN interface 659 00:23:30,000 --> 00:23:32,849 to talk to the CAN bus, 660 00:23:32,850 --> 00:23:34,459 we use something that generates all the 661 00:23:34,460 --> 00:23:36,209 stuff. So we need to know here is that 662 00:23:36,210 --> 00:23:38,189 isn't that haven't been identified. 663 00:23:38,190 --> 00:23:40,319 That is what kind of data like the 664 00:23:40,320 --> 00:23:42,599 part number and zero to eight bytes 665 00:23:42,600 --> 00:23:43,600 of data. 666 00:23:45,150 --> 00:23:47,279 So the revised plan to make this 667 00:23:47,280 --> 00:23:49,409 work and boot on our desk is 668 00:23:49,410 --> 00:23:51,629 we connect to the CAN bus while the device 669 00:23:51,630 --> 00:23:53,789 is in the car and we capture 670 00:23:53,790 --> 00:23:56,039 all the CAN traffic and 671 00:23:56,040 --> 00:23:58,079 we go to the desk again and we replay the 672 00:23:58,080 --> 00:24:00,239 CAN traffic and we hope it boots 673 00:24:00,240 --> 00:24:02,309 and we find the UART, hope that 674 00:24:02,310 --> 00:24:03,759 it's Linux, install Python in on. 675 00:24:05,340 --> 00:24:07,379 So we need a CAN interface. 676 00:24:07,380 --> 00:24:09,719 Any CAN interface adapter should work 677 00:24:09,720 --> 00:24:11,549 that's not totally stupid, so I use some 678 00:24:11,550 --> 00:24:13,289 specific one that looks like this. 679 00:24:13,290 --> 00:24:14,269 It's OK. 680 00:24:14,270 --> 00:24:17,249 Cost $800, it's 681 00:24:17,250 --> 00:24:19,229 it uses. Some CAN control that it does 682 00:24:19,230 --> 00:24:21,539 not support such a high number 683 00:24:21,540 --> 00:24:22,949 of packets.
684 00:24:22,950 --> 00:24:24,749 The packet rate is limited, but for 685 00:24:24,750 --> 00:24:26,819 puppies, it's OK and 686 00:24:26,820 --> 00:24:28,259 you can really use any microcontroller 687 00:24:28,260 --> 00:24:30,719 with native CAN support like 688 00:24:30,720 --> 00:24:32,039 even the small ones. 689 00:24:32,040 --> 00:24:33,719 But please don't try to bit-bang device 690 00:24:33,720 --> 00:24:36,809 because it's, well, 691 00:24:36,810 --> 00:24:38,429 it's not fun. 692 00:24:38,430 --> 00:24:40,769 So we need to emulate that. 693 00:24:40,770 --> 00:24:42,989 The vehicle has power and 694 00:24:42,990 --> 00:24:45,179 there is something I was back to German. 695 00:24:45,180 --> 00:24:47,549 There's an s contact or 696 00:24:47,550 --> 00:24:49,199 Klemme fünfzehn, and there are some German 697 00:24:49,200 --> 00:24:51,149 standard that says that Klemme fünfzehn, 698 00:24:51,150 --> 00:24:53,519 which is basically Connect 15, 699 00:24:53,520 --> 00:24:55,769 is a contact that's 12 volt 700 00:24:55,770 --> 00:24:57,539 when the car is up, when the engine is 701 00:24:57,540 --> 00:24:59,669 running and zero when the car is 702 00:24:59,670 --> 00:25:02,039 grounded, when the car's not running. 703 00:25:02,040 --> 00:25:04,139 And while today's cars 704 00:25:04,140 --> 00:25:06,059 don't have physical wires anymore, but 705 00:25:06,060 --> 00:25:08,309 they still have the CAN messages to 706 00:25:08,310 --> 00:25:10,829 basically convert that 707 00:25:10,830 --> 00:25:11,849 into a CAN message. 708 00:25:11,850 --> 00:25:13,559 So let's try doing this. 709 00:25:14,910 --> 00:25:16,079 So basically 710 00:25:17,160 --> 00:25:19,259 replaying all the traffic, so can you 711 00:25:19,260 --> 00:25:21,149 switch to between? 712 00:25:21,150 --> 00:25:23,219 So here we have our power supply again, 713 00:25:23,220 --> 00:25:25,319 and let's hope this 714 00:25:25,320 --> 00:25:27,809 works.
So I wrote a fantasy 715 00:25:27,810 --> 00:25:30,059 tool that 716 00:25:30,060 --> 00:25:32,489 so we first enabled the device again. 717 00:25:32,490 --> 00:25:34,619 We see it drops a little bit of power 718 00:25:34,620 --> 00:25:36,839 and eventually stops drawing a little 719 00:25:36,840 --> 00:25:39,029 bit of power after a few 720 00:25:39,030 --> 00:25:40,030 seconds. And 721 00:25:42,200 --> 00:25:43,679 yeah, great moment. 722 00:25:43,680 --> 00:25:45,389 OK, so this is the set up. 723 00:25:45,390 --> 00:25:48,029 This is the Bluetooth kit. 724 00:25:48,030 --> 00:25:49,529 This is the stupid Windows PC. 725 00:25:49,530 --> 00:25:51,779 It's super old APC that Bailey 726 00:25:51,780 --> 00:25:53,579 worked with whatever. 727 00:25:53,580 --> 00:25:55,889 And this is the the lap power 728 00:25:55,890 --> 00:25:58,079 supply and the rest are 729 00:25:58,080 --> 00:25:59,519 cables. 730 00:25:59,520 --> 00:26:00,520 OK. 731 00:26:01,260 --> 00:26:02,970 Yeah. Duncan just. 732 00:26:06,940 --> 00:26:07,940 So. 733 00:26:14,630 --> 00:26:15,630 Sorry. 734 00:26:16,910 --> 00:26:18,709 Well, I need the screen output, I'm 735 00:26:18,710 --> 00:26:19,710 sorry. 736 00:26:20,330 --> 00:26:22,519 So when I pressed run my 737 00:26:22,520 --> 00:26:24,829 my my stupid python, 738 00:26:24,830 --> 00:26:27,079 I run Python, whatever tool will send 739 00:26:27,080 --> 00:26:29,149 canned messages that emulate the 740 00:26:29,150 --> 00:26:32,029 the the clam often. 741 00:26:32,030 --> 00:26:35,359 So I press run and 742 00:26:35,360 --> 00:26:36,799 it should hopefully work. 743 00:26:36,800 --> 00:26:39,559 Yeah. And we see it draws more power 744 00:26:39,560 --> 00:26:41,659 and it draws what we expect the aid. 745 00:26:41,660 --> 00:26:42,660 So that's good. 746 00:26:49,430 --> 00:26:51,559 So I will switch off 747 00:26:51,560 --> 00:26:53,410 the device that was. 
748 00:26:56,620 --> 00:26:59,169 And, yeah, 749 00:26:59,170 --> 00:27:01,509 sorry, can you switch to Dubai again, 750 00:27:01,510 --> 00:27:02,510 please? 751 00:27:04,210 --> 00:27:05,210 Just. 752 00:27:13,790 --> 00:27:15,709 All right, so the device has to a power 753 00:27:15,710 --> 00:27:18,559 now, so it seems to be running. 754 00:27:18,560 --> 00:27:20,659 I can isolate the CAN message to be 755 00:27:20,660 --> 00:27:22,999 this particular message, so I replayed 756 00:27:23,000 --> 00:27:24,859 just everything the car sent and then I 757 00:27:24,860 --> 00:27:26,929 gradually did a binary search, 758 00:27:26,930 --> 00:27:28,999 basically to isolate 759 00:27:29,000 --> 00:27:30,109 it to this message. 760 00:27:30,110 --> 00:27:31,669 And basically, it's a bit fiats of the 761 00:27:31,670 --> 00:27:33,079 three or the one I don't know which is 762 00:27:33,080 --> 00:27:35,299 actually ace means that claim information 763 00:27:35,300 --> 00:27:36,799 is false. 764 00:27:36,800 --> 00:27:38,869 But so sending this will 765 00:27:38,870 --> 00:27:40,099 make the device boot. 766 00:27:40,100 --> 00:27:42,510 So what's the firmware? 767 00:27:44,060 --> 00:27:45,679 The question is we are still hoping for 768 00:27:45,680 --> 00:27:47,239 Linux, right? 769 00:27:47,240 --> 00:27:48,169 So go. 770 00:27:48,170 --> 00:27:50,269 Next step was to find the UART 771 00:27:50,270 --> 00:27:51,380 and 772 00:27:53,060 --> 00:27:54,679 I could ask them to switch around, but I 773 00:27:54,680 --> 00:27:56,119 would say we have the pictures. 774 00:27:56,120 --> 00:27:58,369 So what we will see on the UART, I 775 00:27:58,370 --> 00:28:00,069 just scoped a few test points and 776 00:28:00,070 --> 00:28:01,459 actually found UART, and it was pretty 777 00:28:01,460 --> 00:28:02,989 easy. There are only like five test 778 00:28:02,990 --> 00:28:04,099 points and two of them are 779 00:28:04,100 --> 00:28:06,469 the UART.
So what we see is this 780 00:28:06,470 --> 00:28:07,909 it's U-Boot. 781 00:28:07,910 --> 00:28:09,299 Wow, it's U-Boot. 782 00:28:09,300 --> 00:28:11,089 Okay, that's cool. 783 00:28:11,090 --> 00:28:13,249 And it's 784 00:28:13,250 --> 00:28:14,250 Linux. 785 00:28:22,090 --> 00:28:24,219 And it's also a BusyBox, by the way, for 786 00:28:24,220 --> 00:28:27,219 some people. So I wonder 787 00:28:27,220 --> 00:28:28,279 how so? 788 00:28:30,730 --> 00:28:33,069 I saw the sign as is prohibited for GPL 789 00:28:33,070 --> 00:28:35,229 cars without safety, valve and 790 00:28:35,230 --> 00:28:37,959 my car doesn't have a self safety valve. 791 00:28:37,960 --> 00:28:39,909 This is weird. So where's my safe and 792 00:28:39,910 --> 00:28:42,180 sorry? It's just a pun on APD. 793 00:28:43,330 --> 00:28:45,409 So GPL, I didn't see a 794 00:28:45,410 --> 00:28:47,499 GPL in the owner's manual, which I 795 00:28:47,500 --> 00:28:48,759 guess is bad. 796 00:28:48,760 --> 00:28:51,129 And even more importantly, who? 797 00:28:51,130 --> 00:28:52,869 Where can I ask to get the source code? 798 00:28:52,870 --> 00:28:53,870 I want the source code. 799 00:28:55,210 --> 00:28:57,309 And I asked this on a mailing 800 00:28:57,310 --> 00:28:58,779 list, and it's complicated. 801 00:28:58,780 --> 00:29:01,089 I'm not a lawyer, but it seems I need 802 00:29:01,090 --> 00:29:02,859 one when I ever want to sell the car 803 00:29:02,860 --> 00:29:04,809 because now I have this thing with the 804 00:29:04,810 --> 00:29:06,489 GPL code in it, and I don't have the 805 00:29:06,490 --> 00:29:08,979 source and I'm sorry, I 806 00:29:08,980 --> 00:29:11,949 I'm a good. So if someone can explain me 807 00:29:11,950 --> 00:29:14,079 where I have to go to get the source 808 00:29:14,080 --> 00:29:15,080 code, that would be great.
809 00:29:23,600 --> 00:29:25,159 Because the thing is, I don't really want 810 00:29:25,160 --> 00:29:27,259 to blame the car dealer for not giving 811 00:29:27,260 --> 00:29:28,819 me the source code because they don't 812 00:29:28,820 --> 00:29:31,039 even know what the source code is or may 813 00:29:31,040 --> 00:29:32,779 not care, and I can understand that. 814 00:29:32,780 --> 00:29:34,939 On the other hand, I have to go 815 00:29:34,940 --> 00:29:37,069 somewhere. So I brought email to 816 00:29:37,070 --> 00:29:39,079 know Vivo and got no response. 817 00:29:39,080 --> 00:29:41,239 But yeah, so I guess I need 818 00:29:41,240 --> 00:29:43,729 some help here and doing the right thing. 819 00:29:43,730 --> 00:29:45,829 Either way, we are us so 820 00:29:45,830 --> 00:29:47,479 we can get further without the source 821 00:29:47,480 --> 00:29:49,729 code. You know, local access means route, 822 00:29:49,730 --> 00:29:51,799 of course, or does it? 823 00:29:51,800 --> 00:29:53,869 So the device runs boots 824 00:29:53,870 --> 00:29:55,369 into Linux. And 825 00:29:56,540 --> 00:29:58,789 yeah, I will show you later, but 826 00:29:58,790 --> 00:30:00,529 I'm basically boot into Linux. 827 00:30:00,530 --> 00:30:02,599 It gives you a login prompt and we don't 828 00:30:02,600 --> 00:30:03,600 know the password. 829 00:30:04,910 --> 00:30:07,279 I eventually got the hash, 830 00:30:07,280 --> 00:30:09,409 so if someone has some spare time, 831 00:30:09,410 --> 00:30:11,539 we didn't succeed and like a few days 832 00:30:11,540 --> 00:30:13,699 of CPU time to get us into a password, 833 00:30:13,700 --> 00:30:16,009 but we could just modify 834 00:30:16,010 --> 00:30:17,010 the flash and 835 00:30:18,140 --> 00:30:20,389 change their BGA flash and laughs. 836 00:30:20,390 --> 00:30:21,390 It's an effort. 
837 00:30:22,100 --> 00:30:24,349 Fortunately, U-Boot is used in an unsecure 838 00:30:24,350 --> 00:30:26,149 configuration, so you can just hammer 839 00:30:26,150 --> 00:30:27,979 Control-C over the serial port, and you 840 00:30:27,980 --> 00:30:29,749 will eventually get into the U-Boot menu. 841 00:30:29,750 --> 00:30:32,059 And yeah, I mean. 842 00:30:34,620 --> 00:30:35,620 So. 843 00:30:39,090 --> 00:30:40,689 The traditional trick that you use, 844 00:30:40,690 --> 00:30:43,089 probably when you wanted to annoy 845 00:30:43,090 --> 00:30:44,799 your friends using Linux and he didn't 846 00:30:44,800 --> 00:30:47,169 give you the password, just append it 847 00:30:47,170 --> 00:30:49,299 as agent and you get a root shell, right? 848 00:30:49,300 --> 00:30:51,519 And that should work well. 849 00:30:51,520 --> 00:30:53,079 It uses an initrd. 850 00:30:53,080 --> 00:30:55,299 So it's really equals something, 851 00:30:56,350 --> 00:30:57,309 however doesn't work. 852 00:30:57,310 --> 00:30:58,989 And I mean, the reason is we don't have 853 00:30:58,990 --> 00:31:00,969 the file system layer of that part of the 854 00:31:00,970 --> 00:31:03,400 initrd. And there is no /dev/console and 855 00:31:05,110 --> 00:31:06,039 they run some init script. 856 00:31:06,040 --> 00:31:07,809 By default, it doesn't need it. 857 00:31:07,810 --> 00:31:10,149 But however, what we can do is to use U-Boot 858 00:31:10,150 --> 00:31:12,369 to just dump memory so we can just dump 859 00:31:12,370 --> 00:31:14,499 the initrd over the serial port. 860 00:31:14,500 --> 00:31:17,049 And then we do some, some unpack 861 00:31:17,050 --> 00:31:19,329 thing and then we have the script 862 00:31:19,330 --> 00:31:21,549 so we can just we 863 00:31:21,550 --> 00:31:22,629 don't need the script because it 864 00:31:22,630 --> 00:31:24,579 basically just finds the the right 865 00:31:24,580 --> 00:31:26,079 rootfs.
We can just directly 866 00:31:26,080 --> 00:31:28,269 boot the real rootfs, which is 867 00:31:28,270 --> 00:31:30,130 a it's actually a memo. 868 00:31:31,270 --> 00:31:33,429 So it's a full distribution 869 00:31:33,430 --> 00:31:35,769 and it has a bash and everything. 870 00:31:35,770 --> 00:31:37,749 So we can just use the trick there. 871 00:31:37,750 --> 00:31:38,709 And that actually works. 872 00:31:38,710 --> 00:31:40,839 And we can just remount the root, 873 00:31:40,840 --> 00:31:42,669 just passwd to change the password to 874 00:31:42,670 --> 00:31:44,799 something we know and then we have root. 875 00:31:47,740 --> 00:31:49,329 So there were some hardware tricks on the 876 00:31:49,330 --> 00:31:51,429 device, so there is some pinout on the 877 00:31:51,430 --> 00:31:54,339 bottom that looked very suspiciously 878 00:31:54,340 --> 00:31:55,569 like a micro SD slot. 879 00:31:55,570 --> 00:31:57,699 So I added blindly added a micro 880 00:31:57,700 --> 00:31:58,599 SD slot. 881 00:31:58,600 --> 00:32:00,069 And yeah, it works. And if we look at the 882 00:32:00,070 --> 00:32:02,439 init script, it actually probes for 883 00:32:02,440 --> 00:32:04,569 a rootfs on the micro SD card 884 00:32:04,570 --> 00:32:05,499 and just boots from there. 885 00:32:05,500 --> 00:32:06,760 So that's even easier. 886 00:32:15,020 --> 00:32:16,279 There's also a SIM slot, 887 00:32:17,720 --> 00:32:20,209 I that it requires apparently telling 888 00:32:20,210 --> 00:32:22,429 the device that there is a SIM slot, 889 00:32:22,430 --> 00:32:23,989 otherwise it won't really use it. 890 00:32:23,990 --> 00:32:26,119 So I see some traffic, but it still 891 00:32:26,120 --> 00:32:28,609 searches for a phone and it doesn't like 892 00:32:28,610 --> 00:32:30,409 use the modem until it sees the phone. 893 00:32:30,410 --> 00:32:32,809 So it seems that you can reconfigure 894 00:32:32,810 --> 00:32:34,909 this.
We are some, some diak 895 00:32:34,910 --> 00:32:36,979 in the face of a can to use that. 896 00:32:36,980 --> 00:32:38,779 I don't know. And there's also use b o 897 00:32:38,780 --> 00:32:40,909 type OTG port 898 00:32:40,910 --> 00:32:42,349 that's actually externally accessible 899 00:32:42,350 --> 00:32:44,479 behind some small latch on the package. 900 00:32:44,480 --> 00:32:46,399 So even without opening the case, you can 901 00:32:46,400 --> 00:32:48,469 access that without destroying any 902 00:32:48,470 --> 00:32:49,470 guarantee device. 903 00:32:50,750 --> 00:32:52,159 They use this for firmware upgrades and 904 00:32:52,160 --> 00:32:54,199 diagnostics so you can put some. 905 00:32:54,200 --> 00:32:56,359 So it basically puts the lock files on 906 00:32:56,360 --> 00:32:58,699 on the message if you attach 907 00:32:58,700 --> 00:33:00,709 them as storage, or it will apply a 908 00:33:00,710 --> 00:33:02,119 firmware update upgrade. 909 00:33:02,120 --> 00:33:03,859 However, I don't have a firmware upgrade, 910 00:33:03,860 --> 00:33:05,989 so I I could only see the binaries 911 00:33:05,990 --> 00:33:08,149 doing this the 912 00:33:08,150 --> 00:33:10,429 HD for the slightly older 913 00:33:10,430 --> 00:33:13,039 Bluetooth kit I had with AMCs V1. 914 00:33:13,040 --> 00:33:15,289 It only has a host port 915 00:33:15,290 --> 00:33:17,299 and that is the real key port. 916 00:33:17,300 --> 00:33:19,579 So you need one of these fancy 917 00:33:19,580 --> 00:33:21,199 Android tablet dongles there. 918 00:33:21,200 --> 00:33:23,809 You can buy them for a few bucks 919 00:33:23,810 --> 00:33:26,149 anyway. I would just buy the 920 00:33:26,150 --> 00:33:28,459 Micro Micro, be on the one side 921 00:33:28,460 --> 00:33:30,649 and a 922 00:33:30,650 --> 00:33:32,299 on the other side and a socket on the 923 00:33:32,300 --> 00:33:33,300 other side. 
924 00:33:33,860 --> 00:33:36,019 And then you can just put in any 925 00:33:36,020 --> 00:33:37,639 UFB device. 926 00:33:37,640 --> 00:33:39,949 But by default, when it's use be gadget, 927 00:33:39,950 --> 00:33:41,899 it's a serial port, the modem or 928 00:33:41,900 --> 00:33:43,519 something. But you can easily change just 929 00:33:43,520 --> 00:33:45,709 to use beef in that, which makes 930 00:33:45,710 --> 00:33:47,859 it a lot more convenient because 931 00:33:47,860 --> 00:33:49,849 should theoretically, you don't have to. 932 00:33:49,850 --> 00:33:52,279 Once you did that, you can close the 933 00:33:52,280 --> 00:33:54,559 whole package and you can just 934 00:33:54,560 --> 00:33:56,480 attach connected from the outside world. 935 00:33:57,710 --> 00:33:59,809 Hmm. OK, but we still 936 00:33:59,810 --> 00:34:02,149 want to, well, do something useful 937 00:34:02,150 --> 00:34:03,619 with the thing on our desk, so we have to 938 00:34:03,620 --> 00:34:05,719 emulate the car or at least 939 00:34:05,720 --> 00:34:07,669 the steering wheel buttons, the display 940 00:34:07,670 --> 00:34:10,039 and everything that makes it work 941 00:34:10,040 --> 00:34:13,039 and keeps it alive. So the back and 942 00:34:13,040 --> 00:34:15,319 they need the best contacts can 943 00:34:15,320 --> 00:34:16,819 message for some about some more stuff. 944 00:34:17,840 --> 00:34:19,968 And now I was while I was a bit naive, 945 00:34:19,969 --> 00:34:22,908 so I was hoping there was some candy, 946 00:34:22,909 --> 00:34:24,888 some Candyman that would just receive all 947 00:34:24,889 --> 00:34:26,959 the canned messages and would be. 948 00:34:26,960 --> 00:34:29,269 I imagined that it would be a big module 949 00:34:29,270 --> 00:34:31,399 having all kind of D-backs 950 00:34:31,400 --> 00:34:33,678 pew and symbols and everything, but 951 00:34:33,679 --> 00:34:35,359 there was no such thing. 
952 00:34:35,360 --> 00:34:37,519 And in fact, when I send a can 953 00:34:37,520 --> 00:34:39,468 message on the bus with my with my 954 00:34:39,469 --> 00:34:41,539 candidate there, I could not see anything 955 00:34:41,540 --> 00:34:43,638 on the Linux side and only 956 00:34:43,639 --> 00:34:44,959 a very special can. 957 00:34:44,960 --> 00:34:46,488 Messages did anything at all. 958 00:34:46,489 --> 00:34:48,559 And it showed that this S12 x 959 00:34:48,560 --> 00:34:51,379 microcontroller that I showed you 960 00:34:51,380 --> 00:34:53,419 abstracts all of this on a very high 961 00:34:53,420 --> 00:34:55,729 level so that 962 00:34:55,730 --> 00:34:58,369 the interface they use between 963 00:34:58,370 --> 00:35:00,679 your dashboard display and the thing 964 00:35:00,680 --> 00:35:02,989 it's called B.A.P at 965 00:35:02,990 --> 00:35:05,479 very simplified. It allows the control 966 00:35:05,480 --> 00:35:06,859 unit like the Blue Typekit to provide 967 00:35:06,860 --> 00:35:09,139 some values, like a string content. 968 00:35:09,140 --> 00:35:11,599 And then it's the the protocol 969 00:35:11,600 --> 00:35:13,489 will make sure that whenever one of these 970 00:35:13,490 --> 00:35:15,829 messages change, it gets synchronized 971 00:35:15,830 --> 00:35:17,989 across devices on the bus. 972 00:35:17,990 --> 00:35:20,329 It basically sends update messages 973 00:35:20,330 --> 00:35:21,349 and sends heartbeat. 974 00:35:21,350 --> 00:35:23,449 And if the device goes that way by 975 00:35:23,450 --> 00:35:25,549 not responding, any to proper error 976 00:35:25,550 --> 00:35:26,749 message will be propagated. 977 00:35:26,750 --> 00:35:28,999 And all that, if a well-defined way 978 00:35:29,000 --> 00:35:31,549 of of providing messages 979 00:35:31,550 --> 00:35:32,869 providing values, I guess 980 00:35:34,580 --> 00:35:36,799 happy means between 981 00:35:36,800 --> 00:35:39,229 a protocol. 
So again, some German 982 00:35:39,230 --> 00:35:40,230 thing 983 00:35:42,790 --> 00:35:45,049 I don't know why they name so that 984 00:35:45,050 --> 00:35:46,249 the previous version, if that's what's 985 00:35:46,250 --> 00:35:48,379 called data display protocol 986 00:35:48,380 --> 00:35:51,169 and the new version is now a German name 987 00:35:51,170 --> 00:35:53,329 either way. So it was hard to 988 00:35:53,330 --> 00:35:55,759 find anything more technical than 989 00:35:55,760 --> 00:35:58,129 this. This table, which 990 00:35:58,130 --> 00:36:00,049 is about the only thing you'll find them 991 00:36:00,050 --> 00:36:02,599 if you Google phone for this thing 992 00:36:02,600 --> 00:36:04,309 and it's, well, it talks about ozone 993 00:36:04,310 --> 00:36:06,589 layer. So I don't 994 00:36:06,590 --> 00:36:07,639 mind whatever. 995 00:36:07,640 --> 00:36:09,769 So it gets slightly more useful when we 996 00:36:09,770 --> 00:36:11,239 look at what what it actually is. 997 00:36:11,240 --> 00:36:13,339 So when you talk about, well, there 998 00:36:13,340 --> 00:36:15,409 were 10 messages, one or more 999 00:36:15,410 --> 00:36:17,779 canned messages construct a bad message. 1000 00:36:17,780 --> 00:36:20,059 And that message is basically 1001 00:36:20,060 --> 00:36:21,529 there are several up quotes. 1002 00:36:21,530 --> 00:36:23,839 One of code can be sent me all the values 1003 00:36:23,840 --> 00:36:26,179 you have again, because I just rebooted 1004 00:36:26,180 --> 00:36:28,519 another message just like, OK, I 1005 00:36:28,520 --> 00:36:30,499 updated this value. Here's the new value 1006 00:36:30,500 --> 00:36:33,109 and then one of the upper layers. 1007 00:36:33,110 --> 00:36:34,279 It basically just. 1008 00:36:34,280 --> 00:36:36,529 And that's something that's implemented 1009 00:36:36,530 --> 00:36:37,879 not across the canvas anymore. 
1010 00:36:37,880 --> 00:36:40,069 It exposes all these values 1011 00:36:40,070 --> 00:36:42,469 and the current value to the display 1012 00:36:42,470 --> 00:36:43,669 unit. 1013 00:36:43,670 --> 00:36:45,439 So I had to reverse this. 1014 00:36:45,440 --> 00:36:47,659 It's not that difficult, so weak on 1015 00:36:47,660 --> 00:36:49,789 life. We see the canned messages and 1016 00:36:49,790 --> 00:36:52,609 it's basically a fancy way of sending 1017 00:36:52,610 --> 00:36:54,919 more than eight bytes or messages 1018 00:36:54,920 --> 00:36:56,989 with more than eight bytes across the 1019 00:36:56,990 --> 00:36:58,669 box by just using multiple canned 1020 00:36:58,670 --> 00:36:59,659 messages. 1021 00:36:59,660 --> 00:37:01,999 And so I 1022 00:37:02,000 --> 00:37:04,189 did some white until four days, and 1023 00:37:04,190 --> 00:37:05,819 it looks like this so you can see that 1024 00:37:05,820 --> 00:37:07,819 they're all kind of off. 1025 00:37:07,820 --> 00:37:09,919 So they're decent SGI ID, which 1026 00:37:09,920 --> 00:37:11,779 is the Louverture Stoya great idea 1027 00:37:11,780 --> 00:37:13,809 against the German term. 1028 00:37:13,810 --> 00:37:15,429 Which basically means the control unit 1029 00:37:15,430 --> 00:37:17,649 number and then there are up 1030 00:37:17,650 --> 00:37:19,719 codes. So I don't know all the names for 1031 00:37:19,720 --> 00:37:21,849 all of these. I could get some of them 1032 00:37:21,850 --> 00:37:23,439 by looking at binaries, either, I just 1033 00:37:23,440 --> 00:37:24,609 guess. 1034 00:37:24,610 --> 00:37:26,109 But we see that, for example, one of 1035 00:37:26,110 --> 00:37:28,569 these messages that is synchronized 1036 00:37:28,570 --> 00:37:30,549 and cached is the current screen content, 1037 00:37:30,550 --> 00:37:32,679 so we can see how it 1038 00:37:32,680 --> 00:37:34,779 basically means the phone is booting or 1039 00:37:34,780 --> 00:37:35,780 something. 
1040 00:37:36,730 --> 00:37:39,129 So what we have to do is to 1041 00:37:39,130 --> 00:37:41,469 write something that talks this 1042 00:37:41,470 --> 00:37:43,539 protocol and shows 1043 00:37:43,540 --> 00:37:45,729 me what would be shown on the car 1044 00:37:45,730 --> 00:37:47,619 because then we can start adding Python 1045 00:37:47,620 --> 00:37:49,809 and do all our stuff without freezing 1046 00:37:49,810 --> 00:37:51,069 to death in the car. 1047 00:37:51,070 --> 00:37:52,989 So I have a demo for that. 1048 00:37:52,990 --> 00:37:54,069 Can you please switch? 1049 00:37:57,630 --> 00:37:59,669 So, oh, that's cool. 1050 00:38:13,250 --> 00:38:14,250 So. 1051 00:38:17,120 --> 00:38:19,430 He the scenario Howard put. 1052 00:38:22,970 --> 00:38:25,419 Here's my fancy tool, and there's 1053 00:38:25,420 --> 00:38:26,420 the actual camera, 1054 00:38:27,650 --> 00:38:29,510 so I powered on. 1055 00:38:31,110 --> 00:38:33,779 And here we see it booting, 1056 00:38:33,780 --> 00:38:36,359 and it's going to us and bootloaders. 1057 00:38:36,360 --> 00:38:38,429 And here is 1058 00:38:38,430 --> 00:38:41,069 U-Boot and now it's booting Linux. 1059 00:38:41,070 --> 00:38:43,290 And just here. 1060 00:38:44,570 --> 00:38:46,609 We see the emulated screen. 1061 00:38:46,610 --> 00:38:48,589 That's I mean, it's not pixel accurate, 1062 00:38:48,590 --> 00:38:49,969 but that's roughly how it looks in the 1063 00:38:49,970 --> 00:38:52,459 car and it 1064 00:38:52,460 --> 00:38:54,529 takes a whole lot of time 1065 00:38:54,530 --> 00:38:56,449 to boot. And it actually boots from an SD 1066 00:38:56,450 --> 00:38:58,129 card slightly faster when it boots from 1067 00:38:58,130 --> 00:39:00,259 Flash. But I just copied 1068 00:39:00,260 --> 00:39:02,459 the whole flash contents to the SD card. 1069 00:39:02,460 --> 00:39:04,609 So in case I screw up 1070 00:39:04,610 --> 00:39:05,610 anything, then? 1071 00:39:07,220 --> 00:39:08,220 It's not so bad.
1072 00:39:17,690 --> 00:39:20,629 Yeah, so here we see the CAN adapter, 1073 00:39:20,630 --> 00:39:22,309 which has a USB token, 1074 00:39:24,260 --> 00:39:26,179 lots of cables, again different lengths 1075 00:39:26,180 --> 00:39:27,180 of wires. 1076 00:39:32,660 --> 00:39:34,789 OK, and here we are, so now about it, 1077 00:39:34,790 --> 00:39:36,919 and it tries to pair with my 1078 00:39:36,920 --> 00:39:38,629 phone. Sorry, the language is German. 1079 00:39:38,630 --> 00:39:40,669 I don't know which CAN message to change, 1080 00:39:40,670 --> 00:39:42,889 to change the language to non-German, 1081 00:39:42,890 --> 00:39:44,989 but either 1082 00:39:44,990 --> 00:39:47,209 way, so I can I can 1083 00:39:47,210 --> 00:39:49,669 hopefully about this. 1084 00:39:49,670 --> 00:39:51,169 And oh, it actually it now. 1085 00:39:51,170 --> 00:39:53,299 So I can press OK and I will be in 1086 00:39:53,300 --> 00:39:55,909 the main menu and it's basically 1087 00:39:55,910 --> 00:39:58,069 a simulation of the car should actually 1088 00:39:58,070 --> 00:39:59,089 work. I don't know why. 1089 00:39:59,090 --> 00:40:01,429 Oh, don't. Yeah, I'm stupid. 1090 00:40:01,430 --> 00:40:03,559 So you can go to the menu and 1091 00:40:03,560 --> 00:40:05,719 you can actually do what you could do in 1092 00:40:05,720 --> 00:40:08,029 the in the dashboard of the car and 1093 00:40:08,030 --> 00:40:09,169 the buttons they are actually on the 1094 00:40:09,170 --> 00:40:10,170 steering wheel. 1095 00:40:13,120 --> 00:40:15,189 So, OK, can 1096 00:40:15,190 --> 00:40:16,779 you switch back, please? 1097 00:40:16,780 --> 00:40:18,439 I think that's old enough for the camera 1098 00:40:18,440 --> 00:40:19,440 off and on. 1099 00:40:31,730 --> 00:40:33,169 But thank you a lot for the camera. 1100 00:40:33,170 --> 00:40:34,759 I think that's important, and if anyone 1101 00:40:34,760 --> 00:40:35,760 wants to see this.
1102 00:40:43,290 --> 00:40:46,019 Yeah, you can just come here, after all. 1103 00:40:46,020 --> 00:40:48,239 Well, look at this 1104 00:40:48,240 --> 00:40:50,369 anyway, so I'm going back to 1105 00:40:50,370 --> 00:40:51,899 the device and going back to Linux. 1106 00:40:51,900 --> 00:40:54,209 We see that D-Bus is used very 1107 00:40:54,210 --> 00:40:55,530 extensively. So 1108 00:40:56,670 --> 00:40:58,859 all the X messages, which are this 1109 00:40:58,860 --> 00:41:00,479 microcontroller that connects the car, 1110 00:41:00,480 --> 00:41:02,129 they are just posted on the device and 1111 00:41:02,130 --> 00:41:04,589 there are various other programs 1112 00:41:04,590 --> 00:41:05,819 that respond to this. 1113 00:41:05,820 --> 00:41:08,099 And. And so we see screen updates, 1114 00:41:08,100 --> 00:41:09,269 we see key presses. 1115 00:41:09,270 --> 00:41:10,679 We see Bluetooth events. 1116 00:41:10,680 --> 00:41:12,419 When I connected the thing, when I start 1117 00:41:12,420 --> 00:41:13,859 a phone call, all of that, all of this 1118 00:41:13,860 --> 00:41:15,419 communication between the individual 1119 00:41:15,420 --> 00:41:17,939 modules works over D-Bus. 1120 00:41:17,940 --> 00:41:20,939 However, we don't see raw CAN messages 1121 00:41:20,940 --> 00:41:22,649 because they are abstracted away by this 1122 00:41:22,650 --> 00:41:25,319 12x. And so we see the 1123 00:41:25,320 --> 00:41:27,059 GPS position, for example, which is 1124 00:41:27,060 --> 00:41:29,159 nice. We see the speed, but 1125 00:41:29,160 --> 00:41:31,499 we don't see other stuff that's 1126 00:41:31,500 --> 00:41:32,999 on the CAN bus. 1127 00:41:33,000 --> 00:41:35,159 And it may be possible to repair or 1128 00:41:35,160 --> 00:41:37,289 to to use 1129 00:41:37,290 --> 00:41:39,509 debug thing in their cutbacks 1130 00:41:39,510 --> 00:41:41,609 or reprogram it to do that, but by 1131 00:41:41,610 --> 00:41:42,959 default, doesn't do it.
1132 00:41:42,960 --> 00:41:44,939 So D-Bus, I try it. 1133 00:41:44,940 --> 00:41:47,069 So I'm not good at using Graphviz, but I 1134 00:41:47,070 --> 00:41:49,199 try to build the diagram 1135 00:41:49,200 --> 00:41:51,419 of all the communication on the D-Bus from 1136 00:41:51,420 --> 00:41:52,499 the sender and receiver. 1137 00:41:52,500 --> 00:41:54,660 And I came up with this and 1138 00:41:56,130 --> 00:41:58,289 there was no way, I think even with 1139 00:41:58,290 --> 00:42:00,599 the best parameters to Graphviz to make 1140 00:42:00,600 --> 00:42:02,489 this a readable thing. 1141 00:42:02,490 --> 00:42:04,530 However, I assume I 1142 00:42:05,610 --> 00:42:07,439 if we zoom in and just look at what we 1143 00:42:07,440 --> 00:42:09,719 are interested in, so we see the 1144 00:42:09,720 --> 00:42:12,059 the tools providing the high level menus, 1145 00:42:12,060 --> 00:42:14,429 for example, just the settings provider, 1146 00:42:14,430 --> 00:42:16,259 which owns the Settings menu, there is 1147 00:42:16,260 --> 00:42:18,389 the call stack provider, 1148 00:42:18,390 --> 00:42:21,389 which does the call management stuff 1149 00:42:21,390 --> 00:42:23,159 and Mary stuff like that. 1150 00:42:23,160 --> 00:42:25,319 And they send messages to a 1151 00:42:25,320 --> 00:42:28,049 thing called generic display, which 1152 00:42:28,050 --> 00:42:30,089 handles the menus and handles scrolling 1153 00:42:30,090 --> 00:42:32,489 through the menus and so on, and receives 1154 00:42:32,490 --> 00:42:34,229 the key presses and then updates the 1155 00:42:34,230 --> 00:42:35,279 screen and so on. 1156 00:42:35,280 --> 00:42:36,959 But the screen data is actually at this 1157 00:42:36,960 --> 00:42:39,479 point, just a bunch of message IDs.
1158 00:42:39,480 --> 00:42:41,699 And the next thing is 1159 00:42:41,700 --> 00:42:43,859 then next, even 1160 00:42:43,860 --> 00:42:46,169 then localizes these based 1161 00:42:46,170 --> 00:42:48,839 on the selected language into real text 1162 00:42:48,840 --> 00:42:51,059 and converts it to screen data 1163 00:42:51,060 --> 00:42:52,289 that the current expects. 1164 00:42:52,290 --> 00:42:54,479 So this and it's not yet 1165 00:42:54,480 --> 00:42:56,460 the BAP protocol, but it's 1166 00:42:58,290 --> 00:43:00,239 it's more similar to that. 1167 00:43:00,240 --> 00:43:02,669 So. And then it sends those to the COVAX 1168 00:43:02,670 --> 00:43:04,859 rollout, which then sends them over an SPI 1169 00:43:04,860 --> 00:43:06,989 bus to the Astrup X microcontroller, 1170 00:43:06,990 --> 00:43:08,819 and that then sends it to the CAN. 1171 00:43:10,680 --> 00:43:12,839 So adding Python actually 1172 00:43:12,840 --> 00:43:14,369 at that point is pretty easy if you're 1173 00:43:14,370 --> 00:43:15,749 booting from SD card you. 1174 00:43:15,750 --> 00:43:18,009 So what I did was just to put a Debian 1175 00:43:18,010 --> 00:43:20,279 chroot on there with Python 1176 00:43:20,280 --> 00:43:22,499 in it, I'm into 1177 00:43:22,500 --> 00:43:23,949 the screen from Python is actually not 1178 00:43:23,950 --> 00:43:25,319 more than this. 1179 00:43:25,320 --> 00:43:27,779 So you basically 1180 00:43:27,780 --> 00:43:30,029 you get the session, the devastation. 1181 00:43:30,030 --> 00:43:32,749 That's you, you get that AC 12 extruder 1182 00:43:32,750 --> 00:43:34,829 and you just send the 1183 00:43:34,830 --> 00:43:37,139 binary data that is the screen. 1184 00:43:37,140 --> 00:43:38,670 So there's some hello world in it. 1185 00:43:40,350 --> 00:43:42,099 So that's how we can display something on 1186 00:43:42,100 --> 00:43:43,100 the screen. 1187 00:43:44,400 --> 00:43:46,169 However, there's some problem with it.
1188 00:43:46,170 --> 00:43:47,609 So if we look again at the regular data 1189 00:43:47,610 --> 00:43:49,769 flow, there's one of these providers 1190 00:43:49,770 --> 00:43:51,239 they send to screen and it gets 1191 00:43:51,240 --> 00:43:53,339 translated into or 1192 00:43:53,340 --> 00:43:55,109 it gets converted into screen data with 1193 00:43:55,110 --> 00:43:57,569 selections and it gets localized. 1194 00:43:57,570 --> 00:43:59,999 It gets formatted into the 1195 00:44:00,000 --> 00:44:02,579 thing. The Astrup extended of a can. 1196 00:44:02,580 --> 00:44:03,779 And then when I press a button on the 1197 00:44:03,780 --> 00:44:05,549 steering wheel, the keys are forwarded 1198 00:44:05,550 --> 00:44:08,009 and the menu eventually updates. 1199 00:44:08,010 --> 00:44:10,319 And now we're going there with our 1200 00:44:10,320 --> 00:44:12,509 with our hello world Python script, and 1201 00:44:12,510 --> 00:44:15,029 we're just sending it there and 1202 00:44:15,030 --> 00:44:17,219 it goes off the CAN bus and it shows up 1203 00:44:17,220 --> 00:44:18,299 in the dashboard. 1204 00:44:18,300 --> 00:44:19,829 And then I press the key and it still 1205 00:44:19,830 --> 00:44:20,969 goes to the original thing. 1206 00:44:20,970 --> 00:44:22,289 And the thing is just confused. 1207 00:44:22,290 --> 00:44:24,749 So we have to fix this slightly. 1208 00:44:25,860 --> 00:44:27,149 It's actually not a big deal. 1209 00:44:27,150 --> 00:44:29,389 So it's some more lines of code 1210 00:44:29,390 --> 00:44:31,469 that basically just create 1211 00:44:31,470 --> 00:44:33,779 a logical screen and set it as active. 1212 00:44:33,780 --> 00:44:35,729 And then suddenly all key presses are 1213 00:44:35,730 --> 00:44:37,839 forwarded to this new logical 1214 00:44:37,840 --> 00:44:39,719 screen that we created and not any much 1215 00:44:39,720 --> 00:44:40,889 of the original menu.
1216 00:44:40,890 --> 00:44:42,329 And now we can just handle the key presses 1217 00:44:42,330 --> 00:44:43,259 ourselves. 1218 00:44:43,260 --> 00:44:45,539 And there are no more screen updates 1219 00:44:45,540 --> 00:44:46,619 from the original logic. 1220 00:44:46,620 --> 00:44:48,719 And so let me try to demo this. 1221 00:44:48,720 --> 00:44:50,460 Can you switch back to VGA, please? 1222 00:44:56,210 --> 00:44:58,909 So let me try to not screw this up now, 1223 00:44:58,910 --> 00:45:01,129 so I will log in 1224 00:45:01,130 --> 00:45:02,130 with the. 1225 00:45:03,540 --> 00:45:05,849 Password to that, I added with 1226 00:45:05,850 --> 00:45:08,279 that you need in this age thing. 1227 00:45:08,280 --> 00:45:10,709 I go into my 1228 00:45:10,710 --> 00:45:11,710 my Debian chroot. 1229 00:45:13,280 --> 00:45:14,280 And 1230 00:45:15,860 --> 00:45:17,199 that's a bit smart. 1231 00:45:17,200 --> 00:45:18,739 Can you switch back? 1232 00:45:22,720 --> 00:45:24,280 Yeah, that's that's to. 1233 00:45:33,340 --> 00:45:35,499 So I start the script 1234 00:45:35,500 --> 00:45:37,959 that basically overrides the menu, 1235 00:45:37,960 --> 00:45:40,479 and it shows my custom menu 1236 00:45:40,480 --> 00:45:43,089 over the protocol and 1237 00:45:43,090 --> 00:45:44,839 it would work the same way in a car. 1238 00:45:44,840 --> 00:45:46,779 I mean, I had a hard time getting car in 1239 00:45:46,780 --> 00:45:48,849 here so I can show you in the car, but 1240 00:45:48,850 --> 00:45:50,649 I can promise you it actually works if I 1241 00:45:50,650 --> 00:45:51,969 put this back in the car. 1242 00:45:51,970 --> 00:45:54,099 So I have a menu here where I can 1243 00:45:54,100 --> 00:45:56,919 go to the choices and that I can 1244 00:45:56,920 --> 00:45:58,929 exit this tool and then it goes back to 1245 00:45:58,930 --> 00:45:59,930 the original menu. 1246 00:46:13,260 --> 00:46:14,399 Thank you. 1247 00:46:14,400 --> 00:46:17,069 So this actually allows us to.
1248 00:46:17,070 --> 00:46:19,019 Yeah, write something that runs in the 1249 00:46:19,020 --> 00:46:21,209 car that you can use from 1250 00:46:21,210 --> 00:46:23,039 the steering wheel that you can you 1251 00:46:23,040 --> 00:46:24,509 shouldn't use it while you're driving by 1252 00:46:24,510 --> 00:46:25,510 A.. 1253 00:46:26,640 --> 00:46:28,199 It has access to the internet. 1254 00:46:28,200 --> 00:46:30,479 So if you connect a phone with with 1255 00:46:30,480 --> 00:46:32,429 a SIM card that has that has internet 1256 00:46:32,430 --> 00:46:35,189 access, it will just up the connection. 1257 00:46:35,190 --> 00:46:37,439 You get the GPS data from 1258 00:46:37,440 --> 00:46:39,959 from your from your GPS, 1259 00:46:39,960 --> 00:46:41,819 so you can write, 1260 00:46:41,820 --> 00:46:43,739 I don't know, bad things and good things. 1261 00:46:43,740 --> 00:46:45,899 So the question is many people look 1262 00:46:45,900 --> 00:46:48,299 into adding a PC to their car, and 1263 00:46:48,300 --> 00:46:50,519 I want to propose this as an alternative, 1264 00:46:50,520 --> 00:46:51,629 of course. 1265 00:46:51,630 --> 00:46:53,909 So first of all, maybe if you have a car 1266 00:46:53,910 --> 00:46:55,529 from the last few years that's from the 1267 00:46:55,530 --> 00:46:57,719 Volkswagen Group, you maybe already have 1268 00:46:57,720 --> 00:46:59,369 the hardware required to do this. 1269 00:46:59,370 --> 00:47:01,349 Or if not, you can easily buy the 1270 00:47:01,350 --> 00:47:03,569 hardware from 1271 00:47:03,570 --> 00:47:06,149 eBay or something and put it in your car. 1272 00:47:06,150 --> 00:47:08,459 And so you have 1273 00:47:08,460 --> 00:47:11,069 if it's I paid for this 1274 00:47:11,070 --> 00:47:13,169 thing, two hundred, if the 1275 00:47:13,170 --> 00:47:14,519 older ones are cheaper. 1276 00:47:15,630 --> 00:47:18,360 So it is not super expensive.
1277 00:47:19,410 --> 00:47:20,429 And what you get is basically the 1278 00:47:20,430 --> 00:47:21,689 automotive program hardware. 1279 00:47:21,690 --> 00:47:23,579 So you get all the lifecycle management. 1280 00:47:23,580 --> 00:47:25,739 A lot of people at a car seek a car 1281 00:47:25,740 --> 00:47:28,739 into their PC so we can see into the car. 1282 00:47:28,740 --> 00:47:30,869 And then the 1283 00:47:30,870 --> 00:47:32,489 next day, the batteries drained because 1284 00:47:32,490 --> 00:47:34,799 somehow this shutdown 1285 00:47:34,800 --> 00:47:37,169 script or something, and 1286 00:47:37,170 --> 00:47:39,479 that's bad with this thing. 1287 00:47:39,480 --> 00:47:41,549 It actually sends a controlled shutdown 1288 00:47:41,550 --> 00:47:43,619 message when the Clemmie Funston goes 1289 00:47:43,620 --> 00:47:45,899 low and then it gives the thing 1290 00:47:45,900 --> 00:47:46,900 a few 1291 00:47:48,120 --> 00:47:49,919 a few minutes to shut down. 1292 00:47:49,920 --> 00:47:51,419 And if it doesn't shut down, it will cut 1293 00:47:51,420 --> 00:47:53,639 the power. And of this is implemented and 1294 00:47:53,640 --> 00:47:55,709 it's really hard to do anything harmful 1295 00:47:55,710 --> 00:47:57,899 to the car because of because of this 1296 00:47:57,900 --> 00:47:59,010 abstraction that happens. 1297 00:48:00,280 --> 00:48:02,549 Really, whatever the dark side 1298 00:48:02,550 --> 00:48:04,739 does, it will not 1299 00:48:04,740 --> 00:48:06,809 disrupt you from driving the car 1300 00:48:06,810 --> 00:48:08,039 and it will. 1301 00:48:08,040 --> 00:48:09,539 The worst thing that will happen is that 1302 00:48:09,540 --> 00:48:12,119 you can't do any phone calls anymore, but 1303 00:48:12,120 --> 00:48:13,229 at least that's the idea. 1304 00:48:13,230 --> 00:48:15,659 You cannot screw up anything else 1305 00:48:15,660 --> 00:48:16,889 if you want to. 
1306 00:48:16,890 --> 00:48:19,169 You could, of course, send specific 1307 00:48:19,170 --> 00:48:21,539 messages to use any diagnostic 1308 00:48:21,540 --> 00:48:23,399 features and then reroute messages so 1309 00:48:23,400 --> 00:48:25,439 that there is no security at this point. 1310 00:48:25,440 --> 00:48:27,629 This is all from a safety perspective, so 1311 00:48:27,630 --> 00:48:29,909 you don't want to fire airbags 1312 00:48:29,910 --> 00:48:31,109 by doing this. 1313 00:48:31,110 --> 00:48:33,509 So can you break your car, 1314 00:48:33,510 --> 00:48:35,489 you? I will not say you can. 1315 00:48:35,490 --> 00:48:37,169 Definitely not. Otherwise, you will just 1316 00:48:37,170 --> 00:48:38,609 bring me brake cars. 1317 00:48:38,610 --> 00:48:40,109 Cars are. Yeah, they said. 1318 00:48:40,110 --> 00:48:42,209 They are designed for safety and not 1319 00:48:42,210 --> 00:48:43,829 yet, at least for security. 1320 00:48:43,830 --> 00:48:46,409 Maybe the really modern cars are, 1321 00:48:46,410 --> 00:48:48,749 but this is not designed for security, so 1322 00:48:48,750 --> 00:48:50,819 there was nothing in it that was terribly 1323 00:48:50,820 --> 00:48:52,859 hard to hack or something. 1324 00:48:52,860 --> 00:48:54,749 It's just that by default, it doesn't do 1325 00:48:54,750 --> 00:48:57,029 anything bad and the especially the 1326 00:48:57,030 --> 00:48:59,159 COVAX, if you send too many messages, too 1327 00:48:59,160 --> 00:49:00,929 few messages, it will always fail 1328 00:49:00,930 --> 00:49:02,399 gracefully. It will send the correct 1329 00:49:02,400 --> 00:49:04,499 error messages that it will not do random 1330 00:49:04,500 --> 00:49:06,059 bad stuff. 
1331 00:49:06,060 --> 00:49:08,219 However, if 1332 00:49:08,220 --> 00:49:10,320 you theoretically could connect to the 1333 00:49:11,340 --> 00:49:13,469 to the powertrain CAN bus by 1334 00:49:13,470 --> 00:49:15,839 sending the right routing messages 1335 00:49:15,840 --> 00:49:17,909 and, well, 1336 00:49:17,910 --> 00:49:19,739 it really depends on what you're doing. 1337 00:49:19,740 --> 00:49:22,529 So whenever people come up with 1338 00:49:22,530 --> 00:49:24,359 attaching to the CAN bus, they refer to 1339 00:49:24,360 --> 00:49:26,409 this post and I want to just translate 1340 00:49:26,410 --> 00:49:28,499 this. It's a German post of of 1341 00:49:28,500 --> 00:49:30,359 the experience that someone had adding 1342 00:49:30,360 --> 00:49:31,379 something to his car. 1343 00:49:31,380 --> 00:49:33,599 So basically what that person 1344 00:49:33,600 --> 00:49:35,669 said and I just translated it to 1345 00:49:35,670 --> 00:49:37,079 doing this. So I don't know if it's true 1346 00:49:37,080 --> 00:49:39,449 or not. So he said, so I built an adapter 1347 00:49:39,450 --> 00:49:41,189 that would log various data sources and 1348 00:49:41,190 --> 00:49:42,959 store them on a PDA whenever the car was 1349 00:49:42,960 --> 00:49:45,269 moving based on instructions I found 1350 00:49:45,270 --> 00:49:46,559 on the internet. 1351 00:49:46,560 --> 00:49:48,629 And then one day one on the way from 1352 00:49:48,630 --> 00:49:50,939 Frankfurt to Cuxhaven the instrument 1353 00:49:50,940 --> 00:49:53,159 cluster failed and after the instruments 1354 00:49:53,160 --> 00:49:55,289 show values again, the engine stopped, 1355 00:49:55,290 --> 00:49:57,059 the central locking opened and all the 1356 00:49:57,060 --> 00:49:59,129 front airbags and belt fasteners engaged.
1357 00:50:01,260 --> 00:50:03,209 The car was wrecked since the bypass 1358 00:50:03,210 --> 00:50:05,189 twisted due to the belt fasteners, and 1359 00:50:05,190 --> 00:50:06,869 somehow the insurance company figured out 1360 00:50:06,870 --> 00:50:08,459 that the airbag control units didn't 1361 00:50:08,460 --> 00:50:10,079 register an incident from the 1362 00:50:10,080 --> 00:50:12,299 accelerometers, but somehow else 1363 00:50:12,300 --> 00:50:13,289 fired. 1364 00:50:13,290 --> 00:50:14,249 And then, of course, there were all the 1365 00:50:14,250 --> 00:50:16,259 custom cabling in the car behind the 1366 00:50:16,260 --> 00:50:18,389 dashboard, so it was a pretty expensive 1367 00:50:18,390 --> 00:50:20,369 experiment because the insurance didn't 1368 00:50:20,370 --> 00:50:22,409 cover it because they saw that there was 1369 00:50:22,410 --> 00:50:24,629 some tampering and the car still had 1370 00:50:24,630 --> 00:50:25,650 a significant value. 1371 00:50:27,090 --> 00:50:28,889 I don't think this could happen, 1372 00:50:28,890 --> 00:50:30,959 especially when you 1373 00:50:30,960 --> 00:50:33,059 do this on the Linux side and there's 1374 00:50:33,060 --> 00:50:34,829 12 X, we're not attaching to the 1375 00:50:34,830 --> 00:50:36,809 powertrain CAN bus like this guy was 1376 00:50:36,810 --> 00:50:39,299 doing. But be careful. 1377 00:50:39,300 --> 00:50:40,379 It's your car. 1378 00:50:41,940 --> 00:50:43,060 Yeah, and 1379 00:50:44,370 --> 00:50:45,989 it's up to you to avoid diversity or not. 1380 00:50:47,790 --> 00:50:48,839 This is always interesting. 1381 00:50:48,840 --> 00:50:50,789 The whole thing for bad guys, because 1382 00:50:50,790 --> 00:50:52,019 this Bluetooth kit has access to a 1383 00:50:52,020 --> 00:50:53,939 microphone.
Of course, it has access to 1384 00:50:53,940 --> 00:50:56,159 the internet and has access to GPS, so 1385 00:50:56,160 --> 00:50:58,169 this is the ideal hardware for tracking 1386 00:50:58,170 --> 00:50:59,739 back and a sort. 1387 00:50:59,740 --> 00:51:01,649 Physical access to the unit is enough, so 1388 00:51:01,650 --> 00:51:03,569 if you can build a firmware update 1389 00:51:03,570 --> 00:51:05,399 package, you don't even have to update 1390 00:51:05,400 --> 00:51:07,469 the unit. So sure, physical access to the 1391 00:51:07,470 --> 00:51:08,729 car is enough. 1392 00:51:08,730 --> 00:51:10,109 But on the other hand, you could just 1393 00:51:10,110 --> 00:51:11,669 deploy dedicated pack that you put 1394 00:51:11,670 --> 00:51:13,859 yourself. So I don't know if that's a big 1395 00:51:13,860 --> 00:51:16,109 deal or not, but it's definitely hard to 1396 00:51:16,110 --> 00:51:18,269 detect because you would really have 1397 00:51:18,270 --> 00:51:20,429 to dump the Flash and see if there's 1398 00:51:20,430 --> 00:51:21,749 anything changed. 1399 00:51:21,750 --> 00:51:24,029 So I don't know if that's something 1400 00:51:24,030 --> 00:51:26,099 you would call a real issue 1401 00:51:26,100 --> 00:51:28,569 or it's just for the tinfoil hat people, 1402 00:51:28,570 --> 00:51:30,779 I don't know. But for us, good guys, it 1403 00:51:30,780 --> 00:51:32,969 means we can do, for example, all sorts 1404 00:51:32,970 --> 00:51:34,199 of geofencing applications. 1405 00:51:34,200 --> 00:51:36,239 When I arrive at home, it switches on my 1406 00:51:36,240 --> 00:51:38,309 lights. Yeah, I 1407 00:51:38,310 --> 00:51:39,959 couldn't make up any better example, but 1408 00:51:39,960 --> 00:51:41,719 maybe you are more creative than I am. 1409 00:51:41,720 --> 00:51:43,289 You can do some, I don't know. 
1410 00:51:43,290 --> 00:51:45,389 So if someone, for example, could read 1411 00:51:45,390 --> 00:51:47,459 the traffic fine from Google Maps or 1412 00:51:47,460 --> 00:51:49,739 Bing Maps and modulate them into TMC 1413 00:51:49,740 --> 00:51:51,809 so that the GPS takes it out there, that 1414 00:51:51,810 --> 00:51:53,099 would be interesting. 1415 00:51:53,100 --> 00:51:54,899 I'm sure there are many, many things you 1416 00:51:54,900 --> 00:51:56,249 can can do with this. 1417 00:51:57,510 --> 00:51:58,739 It's just Python, right? 1418 00:51:59,910 --> 00:52:01,559 So that's it. 1419 00:52:01,560 --> 00:52:02,729 And that's it. 1420 00:52:02,730 --> 00:52:04,859 So eventually I will upload my 1421 00:52:04,860 --> 00:52:06,959 code for the simulator, as well 1422 00:52:06,960 --> 00:52:09,149 as the Python script that you can 1423 00:52:09,150 --> 00:52:11,549 run on the thing to GitHub. 1424 00:52:11,550 --> 00:52:14,039 They are not there yet, but yeah, 1425 00:52:14,040 --> 00:52:15,719 that's all. And thanks for 1426 00:52:15,720 --> 00:52:16,720 listening. 1427 00:52:27,810 --> 00:52:30,269 OK. Thank you again very much, Felix, 1428 00:52:30,270 --> 00:52:32,849 we have four minutes left. 1429 00:52:32,850 --> 00:52:34,799 So if you have some urgent questions, 1430 00:52:34,800 --> 00:52:36,929 just go to the microphone next to 1431 00:52:36,930 --> 00:52:39,959 you. We have, I think, eight in the hall, 1432 00:52:39,960 --> 00:52:41,429 so there should be one. 1433 00:52:41,430 --> 00:52:42,929 So we'll just start with you at the 1434 00:52:42,930 --> 00:52:44,129 microphone one over there. 1435 00:52:45,300 --> 00:52:46,079 Hello. 1436 00:52:46,080 --> 00:52:47,810 Thanks. Also, very interesting talk. 1437 00:52:49,680 --> 00:52:51,149 Sorry, just to interrupt you.
1438 00:52:51,150 --> 00:52:53,489 If you're already leaving, just please 1439 00:52:53,490 --> 00:52:55,939 stay quiet so we can finish the question 1440 00:52:55,940 --> 00:52:57,609 and the session. 1441 00:52:57,610 --> 00:52:58,739 That would be very nice. 1442 00:52:59,790 --> 00:53:00,790 OK. 1443 00:53:01,350 --> 00:53:03,419 There will be an obligation to install 1444 00:53:03,420 --> 00:53:06,089 so-called eCall modules 1445 00:53:06,090 --> 00:53:08,159 in each and every car, which are 1446 00:53:08,160 --> 00:53:10,409 supposed to automatically 1447 00:53:10,410 --> 00:53:13,049 issue an emergency call when emergency 1448 00:53:13,050 --> 00:53:16,019 call when the car has a crash. 1449 00:53:16,020 --> 00:53:18,449 Do you know of if the hardware 1450 00:53:18,450 --> 00:53:20,789 used in that system is somehow similar 1451 00:53:20,790 --> 00:53:22,289 to the elements that you have 1452 00:53:22,290 --> 00:53:23,290 investigated? 1453 00:53:24,510 --> 00:53:25,510 I. 1454 00:53:26,190 --> 00:53:27,179 Yeah, sorry. 1455 00:53:27,180 --> 00:53:29,099 I actually don't know that hardware. 1456 00:53:29,100 --> 00:53:30,749 So it would be interesting to look at 1457 00:53:30,750 --> 00:53:32,849 these. I'm pretty sure, or I 1458 00:53:32,850 --> 00:53:34,739 would hope that they are not using some 1459 00:53:34,740 --> 00:53:36,689 Linux that first has to boot after an 1460 00:53:36,690 --> 00:53:38,909 accident or something. So I would 1461 00:53:38,910 --> 00:53:42,029 expect him to use something 1462 00:53:42,030 --> 00:53:44,309 more closer to the metal album, 1463 00:53:44,310 --> 00:53:46,559 something that's like redundant. 1464 00:53:47,820 --> 00:53:49,889 This whole thing is not. 1465 00:53:49,890 --> 00:53:51,749 The Bluetooth kit itself is not designed 1466 00:53:51,750 --> 00:53:53,759 for safety, so there are no redundancy.
1467 00:53:53,760 --> 00:53:55,799 And like if the root FS fails to 1468 00:53:55,800 --> 00:53:57,419 mount, it just fails to mount. 1469 00:53:57,420 --> 00:53:59,819 I would surely hope that the architecture 1470 00:53:59,820 --> 00:54:01,590 of some emergency 1471 00:54:03,410 --> 00:54:05,549 recall device would be better, 1472 00:54:05,550 --> 00:54:07,349 but I haven't looked at this and 1473 00:54:07,350 --> 00:54:08,819 unfortunately my car doesn't have one. 1474 00:54:08,820 --> 00:54:10,049 Otherwise I would have opened it. 1475 00:54:10,050 --> 00:54:12,119 But yeah, it would be interesting 1476 00:54:12,120 --> 00:54:13,380 to see what's inside them. 1477 00:54:15,390 --> 00:54:17,429 OK, so we'll just take one quick question 1478 00:54:17,430 --> 00:54:19,199 from the internet. 1479 00:54:19,200 --> 00:54:21,389 I I will put 1480 00:54:21,390 --> 00:54:23,069 two questions together here. 1481 00:54:23,070 --> 00:54:25,499 So Steve from ISI on the flux 1482 00:54:25,500 --> 00:54:28,259 from IAC ask 1483 00:54:28,260 --> 00:54:30,389 Could you ask if this 1484 00:54:30,390 --> 00:54:32,579 is a quote? The Linux device 1485 00:54:32,580 --> 00:54:34,859 being used to access 1486 00:54:34,860 --> 00:54:37,199 to microphones in the car and may be used 1487 00:54:37,200 --> 00:54:40,019 for spying if it had malicious firmware? 1488 00:54:40,020 --> 00:54:42,389 And how much effort 1489 00:54:42,390 --> 00:54:44,609 would it take to 1490 00:54:44,610 --> 00:54:47,129 get to sensitive stuff like the steering 1491 00:54:47,130 --> 00:54:48,539 servos? 1492 00:54:48,540 --> 00:54:50,729 So from 1493 00:54:50,730 --> 00:54:52,619 microphone, it's very easy.
1494 00:54:52,620 --> 00:54:54,779 So it's actually GStreamer is used and 1495 00:54:54,780 --> 00:54:56,849 it's the proper regular 1496 00:54:56,850 --> 00:54:59,099 Linux audio interface that you know 1497 00:54:59,100 --> 00:55:00,389 it's really easy to get access to the 1498 00:55:00,390 --> 00:55:02,459 microphone and upload them 1499 00:55:02,460 --> 00:55:04,139 over 3G or something. 1500 00:55:04,140 --> 00:55:06,329 So that's really easy getting 1501 00:55:06,330 --> 00:55:09,469 access to like 1502 00:55:09,470 --> 00:55:11,909 the powertrain CAN bus. 1503 00:55:11,910 --> 00:55:13,179 I don't know. 1504 00:55:13,180 --> 00:55:15,689 So if you could reprogram 1505 00:55:15,690 --> 00:55:17,909 the the AC 12 X, it 1506 00:55:17,910 --> 00:55:19,409 works for sure. And I know the firmware 1507 00:55:19,410 --> 00:55:21,359 update has a method to update that I 1508 00:55:21,360 --> 00:55:23,699 don't have to ask for a fix code 1509 00:55:23,700 --> 00:55:25,219 because I don't have a firmware upgrade. 1510 00:55:25,220 --> 00:55:27,359 So if you 1511 00:55:27,360 --> 00:55:29,519 send the right messages, I 1512 00:55:29,520 --> 00:55:31,559 do think it works. 1513 00:55:31,560 --> 00:55:34,289 However, it will not work by accident. 1514 00:55:34,290 --> 00:55:36,389 So it's not that you pulled some wrong 1515 00:55:36,390 --> 00:55:39,209 values and it suddenly makes the car 1516 00:55:39,210 --> 00:55:41,429 weird. But if you intentionally do 1517 00:55:41,430 --> 00:55:43,139 this, I'm pretty sure there's a way it's 1518 00:55:43,140 --> 00:55:44,789 just not as easy as getting access to a 1519 00:55:44,790 --> 00:55:45,790 microphone. 1520 00:55:47,220 --> 00:55:49,289 OK, one one last quick question 1521 00:55:49,290 --> 00:55:50,290 just from you over there 1522 00:55:51,480 --> 00:55:53,549 you you said you saw 1523 00:55:53,550 --> 00:55:55,619 the position data on the unit as 1524 00:55:55,620 --> 00:55:56,620 well.
1525 00:55:57,240 --> 00:55:59,309 The reason the navigation systems, or 1526 00:55:59,310 --> 00:56:01,109 at least the position data is sent via 1527 00:56:01,110 --> 00:56:03,179 CAN to this phone 1528 00:56:03,180 --> 00:56:04,259 unit. Yeah. 1529 00:56:04,260 --> 00:56:05,699 Do you know what it's used for? 1530 00:56:05,700 --> 00:56:07,799 I'm good news is that you found 1531 00:56:07,800 --> 00:56:09,869 it because I was looking for that or I 1532 00:56:09,870 --> 00:56:11,609 didn't have time to really investigate. 1533 00:56:11,610 --> 00:56:13,439 I'd only search on the internet and 1534 00:56:13,440 --> 00:56:14,579 didn't find any info yet. 1535 00:56:15,660 --> 00:56:16,859 So it's a good question. 1536 00:56:16,860 --> 00:56:18,329 Why is why it is there? 1537 00:56:18,330 --> 00:56:20,489 So I couldn't in that 1538 00:56:20,490 --> 00:56:22,589 route, the fact that I have I just 1539 00:56:22,590 --> 00:56:24,629 left for the message that is sent on the 1540 00:56:24,630 --> 00:56:26,939 device, and there's only the 1541 00:56:26,940 --> 00:56:28,529 traffic scenario that generates this 1542 00:56:28,530 --> 00:56:31,379 message based on CAN messages. 1543 00:56:31,380 --> 00:56:33,449 There's no consumer. 1544 00:56:33,450 --> 00:56:35,729 So there is, at least 1545 00:56:35,730 --> 00:56:36,959 in this version of the software, does 1546 00:56:36,960 --> 00:56:39,899 nothing that would take this message. 1547 00:56:39,900 --> 00:56:41,969 So I don't know why 1548 00:56:41,970 --> 00:56:43,289 it is actually there. 1549 00:56:43,290 --> 00:56:44,549 Did did you check it? 1550 00:56:44,550 --> 00:56:46,689 If it's really, you know, 1551 00:56:46,690 --> 00:56:48,329 it's the repositioned take the real 1552 00:56:48,330 --> 00:56:50,049 position. OK.
1553 00:56:50,050 --> 00:56:52,259 And so the only thing I could imagine, so 1554 00:56:52,260 --> 00:56:53,729 these devices also have something where 1555 00:56:53,730 --> 00:56:55,769 you press a button in your car if you're 1556 00:56:55,770 --> 00:56:57,239 if you have a technical problem with your 1557 00:56:57,240 --> 00:56:59,459 car or something. And in theory, 1558 00:56:59,460 --> 00:57:02,189 they could like send that information 1559 00:57:02,190 --> 00:57:04,319 over for someone to help you 1560 00:57:04,320 --> 00:57:06,029 or something. But currently, that does 1561 00:57:06,030 --> 00:57:07,379 not exist in the software. 1562 00:57:07,380 --> 00:57:09,689 It's just a software thing, and currently 1563 00:57:09,690 --> 00:57:11,639 they are not using that information, at 1564 00:57:11,640 --> 00:57:12,989 least not in the firmware version I'm 1565 00:57:12,990 --> 00:57:14,459 looking at. 1566 00:57:14,460 --> 00:57:16,499 The other question would be, as you have 1567 00:57:16,500 --> 00:57:18,599 like this help button like calling 1568 00:57:18,600 --> 00:57:21,029 the folks back in line or whatever, 1569 00:57:21,030 --> 00:57:22,469 and it depends on which country you 1570 00:57:22,470 --> 00:57:24,329 bought. So if you bought it somewhere 1571 00:57:24,330 --> 00:57:25,800 outside Germany, it'll call that. 1572 00:57:26,890 --> 00:57:28,989 Out out of outside of Germany help 1573 00:57:28,990 --> 00:57:30,879 line. Is there a chance to reprogram 1574 00:57:30,880 --> 00:57:31,749 that? 1575 00:57:31,750 --> 00:57:33,279 There's definitely a chance to reprogram 1576 00:57:33,280 --> 00:57:34,269 that number. 1577 00:57:34,270 --> 00:57:36,339 Did you try? I did not try it, but I 1578 00:57:36,340 --> 00:57:38,499 know they're like, there's this tool 1579 00:57:38,500 --> 00:57:41,109 wizards that you can use to reconfigure 1580 00:57:41,110 --> 00:57:42,579 your car and all the various ways.
1581 00:57:42,580 --> 00:57:44,139 And it's not a Volkswagen towards a third 1582 00:57:44,140 --> 00:57:45,499 party tool. And I know that's 1583 00:57:45,500 --> 00:57:47,139 true, but I didn't find a way to 1584 00:57:47,140 --> 00:57:47,859 reprogram 1585 00:57:47,860 --> 00:57:48,829 that there should be. 1586 00:57:48,830 --> 00:57:50,829 So I haven't tried personally, but I've 1587 00:57:50,830 --> 00:57:53,259 seen someone who claimed to have changed 1588 00:57:53,260 --> 00:57:54,669 that number there. 1589 00:57:54,670 --> 00:57:55,749 Oh, interesting. 1590 00:57:55,750 --> 00:57:56,949 Unanimous 77. 1591 00:57:56,950 --> 00:57:58,419 The telephone unit and then some. 1592 00:57:58,420 --> 00:57:59,319 I don't know the details. 1593 00:57:59,320 --> 00:58:01,989 Sorry, but it's a so it's in the prom 1594 00:58:01,990 --> 00:58:04,239 that's connected to the AC 12 X, and 1595 00:58:04,240 --> 00:58:06,339 the software pulls that number from this 1596 00:58:06,340 --> 00:58:07,459 12 X. And then that's 1597 00:58:07,460 --> 00:58:08,460 it. 1598 00:58:08,650 --> 00:58:09,939 Thanks. 1599 00:58:09,940 --> 00:58:11,319 OK, so time's up. 1600 00:58:11,320 --> 00:58:12,399 Thank you again very much.