This is probably one of the best write-ups I've seen around the basics of automotive control unit reverse engineering.
More modern VW control units are the same in broad strokes - they use UDS on ISO-TP instead of KWP on TP2.0, but this is just evolution of the same fundamentals. And instead of the wacky SGO format inside of FRF update files, they use the ASAM MCD-2 D-ODX format to define flashing layers. Most European automakers are similar.
One interesting difference and trend in automotive control modules (also mentioned in Willem's fantastic write-up) is that many EU modules started adding signature checking and encrypted updates in the late 2000s, while most US and Japanese automakers have only done so in the last 2-3 years.
These encrypted and signature checked updates are by and large still fairly vulnerable - often due to logic errors in the complex upgrade processes and occasionally due to a strange insistence on using RSA with PKCS#1 v1.5, e=3 and inadequate padding validation.
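An added example, not from the thread or any vendor's code, of the padding-validation point in the comment above: a PKCS#1 v1.5 signature check that rebuilds the entire expected encoding and compares it whole, beside a lenient parser that walks the structure and stops at the digest, so bytes after the DigestInfo are never examined. The key, message and the e=3 choice are constructed for the demo.

```python
import hashlib
import secrets
from math import gcd

SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo, RFC 8017 9.2

def emsa_pkcs1_v1_5(message: bytes, k: int) -> bytes:
    """Full EMSA-PKCS1-v1_5 encoding, k bytes long: 00 01 FF..FF 00 DigestInfo."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def strict_check(em: bytes, message: bytes) -> bool:
    """Hardened verifier: rebuild the whole expected encoding and compare all of it."""
    return secrets.compare_digest(em, emsa_pkcs1_v1_5(message, len(em)))

def lenient_check(em: bytes, message: bytes) -> bool:
    # Weak verifier: parses from the left and stops once the digest is found
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:
        return False
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return em[i + 1:i + 1 + len(t)] == t  # bytes after the digest are never examined

def _miller_rabin(n: int, rounds: int = 20) -> bool:
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_key(bits: int = 512, e: int = 3):
    # Constructed throwaway demo key with e=3 as the comment describes; not any vendor's key
    def prime():
        while True:
            c = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _miller_rabin(c) and gcd(e, c - 1) == 1:
                return c
    p, q = prime(), prime()
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def sign(message: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v1_5(message, k), "big"), d, n).to_bytes(k, "big")

def verify(message: bytes, sig: bytes, n: int, e: int, check=strict_check) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    return check(pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big"), message)
```

Both checks accept a genuine signature; only the strict one rejects an encoding that carries extra bytes after the digest, which is the difference the comment is pointing at.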
Agree. Absolutely awesome article except for this one little line:
> Ensure the patches to the calibration values are safe before using.
How would you do that? I've worked on both ends of steering on VW Bugs and Golfs (steering column fixes and tie rod replacements). You don't want to mess either of these up either, but the repairs are (a) well documented and (b) relatively easy to verify you did them correctly.
By contrast, I've seen software break catastrophically in the past from "harmless" updates like changing the number of commas in a version string. In this case it's not the "kinda doesn't work" problem but hitting an unexpected corner case on the freeway that would worry me.
> One interesting difference and trend in automotive control modules (also mentioned in Willem's fantastic write-up) is that many EU modules started adding signature checking and encrypted updates in the late 2000s
Do you mean the XOR encryption used? As someone working on the embedded Linux (!= embedded MCU) side I was very surprised to find such a crude "encryption" scheme employed. On the other hand I reckon there is only so much encryption an 8-bit MCU can do. Also tolerance for complex encryption designs must be very low when you are trying to limit the scope of a life critical component.
The anti brute force measure was a bit more refined and almost got the job done.
Regardless, I agree. A great write-up. The binwalk and narrowing down of possible CPUs used due to the ASIL-D constraint were really illuminating.
>many EU modules started adding signature checking and encrypted updates in the late 2000s
Ah, yeah, and this is irritating if you're a used car owner, particularly an owner of a car that's now lower value. I can't, for example, pick up a cheap used throttle body for my older Volvo because the main ECU will reject it until someone from the stealership charges me a LOT of money to "program" it.
> The electronics seemed to be fabricated using bare dies attached to some substrate, probably to lower cost and improve reliability at higher temperatures. The board is made up of two parts, a low-power part with the CPU and CAN transceivers, and some high-power part with 6 MOSFETs forming a three phase H-Bridge.
It doesn't really look cheap to me (large machined surfaces on the cast aluminium casing, two ceramic PCBs, everything connected with wire bonding, even the motor windings and the external connector, which means that at least those bonds are carried out on an almost completely assembled product; also look at the sheer size of the motor bonds) but it does look very reliable - everything is bonded or welded, zero connectors, no fasteners, all solid state.
Yeah, it looks like it's extremely optimised for reliability. The construction reminds me of some of the space stuff I'd seen made by a company I worked for (it was all done before my time though).
It probably wouldn't be incredibly expensive in this case (automotive) because all the wire bonding and tab welding can be automated, but clearly cost isn't the main concern behind the design!
I'm really surprised this is reliable (of course they know what they are doing). Maybe because all the wirebonds to the dies are encased in epoxy (?) and the other bonds are so thick. Even then I would be worried they would snap off or lift their pads.
I wasn't directly involved but I still have nightmares about wirebonding. For a large particle physics experiment, we bonded electronics to silicon (wafer) sensors. Those small bonds would start oscillating and break as soon as there was any noise with their resonance frequency. It took cooling and heating cycles also pretty badly. In the end they sorted out all problems somehow, but the association "wirebond = delicate" stuck with me.
This also makes the component prone to lights. All in all, very exotic and interesting.
Recently I opened up a Mitsubishi Electric power steering unit, and while mine looked a bit like a parallel world Enterprise, this one looks like Enterprise with a suffix couple alphabets later than the one in the intro. Mine was just a two PCB build of a logic board with Fujitsu microcontroller and a power board with an H bridge and input/output emergency isolation MOSFETs.
Pretty sure this won't happen. Regulations require computerized standards to be used for various parts of a car's functions. This would require some insane lobbying to pull off.
>> Only try this on an actual car if you know what you’re doing. Even though only two very small patches are made to the model specific calibration values, making changes to your EPS might have unintended consequences.
The author has no idea what he's doing, or more specifically what hazards might be lurking right under his nose. I worked in EPS for 6 years and it's all really cool stuff right up until you download code and it promptly turns left all the way to the stop the first time you touch the wheel. That was a bug ;-) I can't tell you how hazardous it may be to tweak tuning parameters - that depends on a lot of things. Tuning aside, just commanding it over CAN might allow you to do things that wouldn't normally happen and might damage something - i.e. are all protections still in place when taking an external command? I didn't work on this model, or at this company, I'm just saying I've seen a lot of stuff and wouldn't recommend messing around with safety-critical ECUs like this.
I think you are a little bit too harsh here. The author is one of the leading developers at Comma.ai - the company behind OpenPilot. I am closely following the project and regardless of your attitude towards OpenPilot, the author is definitely not someone who jumps into EPS hacking without being aware of the implications of his actions.
I have a totally stock EPS that will just apply random full torque left or right if the battery voltage drops below ~10 volts. One would imagine that's a scenario they tested for, but apparently not! It happens very easily on my car when all the electrics are turned on for a few hours while driving with low revs, like driving on a cold dark day on a 40mph road.
The first time I did it, my thumb was dislocated because it was inside the wheel! Didn't realise quite how powerful power steering systems are!
Now I have tape over the heated seats button with a warning to only use them or the rear defroster, not both.
Fun fact: The power steering uses 170 Amps when turning the wheel fast! Of course the voltage drops!
> and it promptly turns left all the way to the stop the first time you touch the wheel.
I bet many have had nearly the same experience with rebuilding a power steering gear... yet that's no justification for taking away control from the things you own.
In this case the EPS already came stock with the functionality to request torque over CAN, that part of the code or the amount of torque was not touched. I agree it would not be a good idea to patch that functionality into an EPS that doesn't come with that from the factory.
> are all protections still in place when taking an external command
Diagnostic-specific commands are often restricted when the vehicle is in motion. On VW I remember that any "write" command such as an actuator test being declined even for "innocent" stuff such as lights or power windows on the body control module.
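An added example, not from the thread or any vehicle's firmware, of the gating described in the comment above: a toy UDS request handler on the ECU side that answers write and routine-control (actuator test) requests with conditionsNotCorrect (NRC 0x22) while the vehicle is moving, and with securityAccessDenied (0x33) before unlock. Service and NRC values are from ISO 14229-1; the ECU state, DID contents and policy are constructed for the demo.

```python
from dataclasses import dataclass, field

# Service identifiers and negative response codes from ISO 14229-1 (UDS)
READ_DATA_BY_ID = 0x22
WRITE_DATA_BY_ID = 0x2E
ROUTINE_CONTROL = 0x31
NEGATIVE_RESPONSE = 0x7F
NRC_SERVICE_NOT_SUPPORTED = 0x11
NRC_CONDITIONS_NOT_CORRECT = 0x22
NRC_REQUEST_OUT_OF_RANGE = 0x31
NRC_SECURITY_ACCESS_DENIED = 0x33

# Hypothetical policy modelled on the comment: anything that changes ECU
# state (writes, routines/actuator tests) is refused while in motion.
STATE_CHANGING = {WRITE_DATA_BY_ID, ROUTINE_CONTROL}


@dataclass
class EcuState:
    vehicle_speed_kph: float
    security_unlocked: bool = False
    data: dict = field(default_factory=dict)  # DID -> bytes, constructed sample


def negative(sid: int, nrc: int) -> bytes:
    return bytes([NEGATIVE_RESPONSE, sid, nrc])


def handle_request(req: bytes, state: EcuState) -> bytes:
    """Dispatch one UDS request against the ECU state and return the response."""
    sid = req[0]
    if sid not in (READ_DATA_BY_ID, *STATE_CHANGING):
        return negative(sid, NRC_SERVICE_NOT_SUPPORTED)
    if sid in STATE_CHANGING:
        # Motion check comes first: an unlocked tester still cannot write
        # or run actuator tests on a moving car.
        if state.vehicle_speed_kph > 0:
            return negative(sid, NRC_CONDITIONS_NOT_CORRECT)
        if not state.security_unlocked:
            return negative(sid, NRC_SECURITY_ACCESS_DENIED)
    positive = bytes([sid + 0x40])
    if sid == ROUTINE_CONTROL:
        # 31 <sub-function> <routine id, 2 bytes> is echoed back as 71 ...
        return positive + req[1:4]
    did = int.from_bytes(req[1:3], "big")
    if did not in state.data:
        return negative(sid, NRC_REQUEST_OUT_OF_RANGE)
    if sid == WRITE_DATA_BY_ID:
        state.data[did] = req[3:]
        return positive + req[1:3]
    return positive + req[1:3] + state.data[did]
```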
I'd love to do a torque mod on a modern Honda EPS, but there's simply no easy way for a "normal" person to do it. The amount of time and effort is extreme with no background knowledge of the problem. (Yes, I understand there's liability, etc.).
It's completely taboo in openpilot discussions (e.g., the Discord channel), so I'm curious if there's an alternative community open to talking about it (distributing pre-patched or providing a patcher).
For Honda cars at least, openpilot is absolutely hindered by the low torque allowed by the stock firmware.
This may go without saying, but a word of caution for anyone who wants to try this themselves: doing any sort of automated scanning of ECU hardware (e.g. the equivalent of trying to find undocumented opcodes in a CPU) stands a good chance of bricking the hardware (permanently), so plan to buy several of them if you want/need to go that route.
Being willing to buy a second copy of the system you are hacking on is one of those things that separates the men from the boys or those who succeed from those who fail.
One question: in part 2 it shows that Ghidra is able to produce disassembly from machine code, does that mean Ghidra knows the instruction set V850 uses?
Ghidra uses an intermediate language called p-code. When defining the CPU opcodes (and how to parse them), you also write a small snippet of p-code that represent that instruction. This makes the decompiler architecture agnostic.
"After convincing the dongle to connect (even though most of the car was not present on the CAN bus) it was able to show some diagnostics information about the ECU."
I am picturing this as a scene out of a '50s sci-fi horror movie. The mad scientist with a power steering controller on a tray in his lab. :-)
This is timely! I just made the decision to buy a car (either a 2021 or 2022 Subaru WRX, most likely), and have been curious about hacking the ECU, CAN bus, etc.
I’m aware that tuning is a thing, but it’s generally not my scene. What I really want is to do the work myself instead of going to a tuner or buying one of those Cobb kits.
Can HN recommend any resources and/or other technically-oriented communities?
As far as I'm aware for Subarus, Tactrix Openport 2.0[1] is popular with modders and seems to have good software/workflow.
Through this article though I discovered the Panda[2]. It reportedly does J2534 and I wonder if this means it can use the same workflow. The price of the white Panda is attractive.
I'm not sure if Openport is still actively developed. Oh, and stay away from the cheap clones. They're reportedly not good[3][4].
Does anyone have experience with the Pandas for remapping and use as a diagnostic tool?
Great write up! I am the author of the TP2.0 page you linked to. I went through a very similar process to you, ended up disassembling the code for a Siemens PPD ECU (PowerPC architecture from memory, it was about 10 years ago) so I could turn off the DPF regeneration functionality.
As cool as this is, I will never EVER hack/jailbreak car steering. I can't put my faith in unsupported (non-OEM may be a better term for it) software keeping me safe. I watch the Tesla Autopilot videos of them totally messing up and that is fully supported but still failing too much.
I think the 6 minute timeout could be a fallback mode in case the component sending the commands malfunctions and keeps spamming the same command in a loop over and over again.
Granted, if this happens while driving you're likely to have an accident anyway, but if you don't, then waiting 6 minutes would allow you to reclaim your steering for the rest of the journey.
Very few ECUs have CCP/XCP writing wide open. A lot of magic is in the area of defeating the cryptographic signature check on the device (hash of flashed contents).
The driver is always responsible for what their vehicle does. As long as the driver can override the steering (which they can), then there is really nothing to be concerned about. This is the same for cars using openpilot, or Tesla's self driving systems or any other steering assistance features.
olivermarks | 4 years ago
Until around mid 90's cars still had lots of relays and barely comprehensible wiring looms if you could get your hands on workshop manuals.
The sooner we go back to a BEV with the simplicity of a 1960's VW Beetle the better imo, not least so that the third world can get a look in.
t0mas88 | 4 years ago
And manufactures see them as a chance to make an always connected car that phones home. Tesla was first but everyone else is copying them now.
userbinator | 4 years ago
"Life is risk, risk is life."
pd0wm | 4 years ago
Example: https://github.com/NationalSecurityAgency/ghidra/blob/master...
bob1029 | 4 years ago
Putting a computer between my foot/hands and the physics unfolding in front of me is a total non-starter.
[1] https://www.tactrix.com/index.php?page=shop.product_details&...
[2] https://comma.ai/shop/products/panda
[3] https://www.youtube.com/watch?v=N4XJSuh10Xs
[4] https://www.youtube.com/watch?v=jTNHqRYmzrk
ewagsjr | 4 years ago
But cool POC for sure.
fnord77 | 4 years ago
is this for safety or does the duty cycle of this require some off-time for cooling or whatever?
nnadams | 4 years ago
As others have mentioned most USA manufacturers are moving to encrypted CAN buses now though.
Veritio | 4 years ago
He should not do this on any public road and potentially he broke already some law.