2023-10-14, Hochschule München - R1.006
Forensic Fundamentals of Electronic Control Units
An automotive Electronic Control Unit (ECU) becomes, once installed in a vehicle, essentially a black box. Certain aftermarket endeavours, such as retrieving crash data for insurance purposes, providing access for independent repair shops, forensic analysis of the mileage-correction bugs used by aftermarket tools, or reprogramming the ECU to a blank slate in order to give it a new life on the second-hand market, are impossible without authenticated access to the ECU. In this workshop, we delve into the secret waters of ECU reverse engineering. Firstly, we look into firmware retrieval methodology. To that end, we introduce various frequently occurring hardware interfaces and their respective communication protocols with the ECU. Next, we touch upon two easily accessible hardware fault-injection techniques (voltage and electromagnetic fault injection) which can assist in accessing the ECU's internal workings. Secondly, we apply these techniques to real-world targets in order to access their firmware. Analysing existing diagnostic tools and MCU debuggers, we show practical ways to ease the forensic process. We discuss which algorithms to target and how to locate them in what initially seems like a cluttered binary desert.
We intend to divide this workshop into the following sessions:
Hardware interfaces and communication protocols
In the first session, we introduce several automotive communication protocols and their physical layers. We will cover, among others:
- Unified Diagnostic Services (CAN)
- Bootloader interfaces (UART, SPI)
- Custom debug protocols and how to access them
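The UDS SecurityAccess exchange (service 0x27, seed request followed by a key) is the routine a forensic analyst most often has to understand first. As an added example that is not part of the workshop material, the Python below decodes single-frame ISO-TP/UDS traffic from a constructed CAN trace and summarises, per CAN identifier, seed requests, key attempts, rejected keys and the ECU's lockout responses; the frame-line format and the identifiers 0x7E0/0x7E8 are assumptions for the sample.

```python
"""Audit UDS SecurityAccess (0x27) traffic in a CAN trace.
Added example; the trace lines below are constructed, not captured."""
from collections import defaultdict

# Negative response codes (ISO 14229-1) that matter for SecurityAccess.
NRC = {0x35: "invalidKey", 0x36: "exceededNumberOfAttempts",
       0x37: "requiredTimeDelayNotExpired"}

def parse_frame(line):
    """Parse 'timestamp can_id data_hex' (assumed format) into (ts, id, pdu).
    Only ISO-TP single frames (PCI high nibble 0) are decoded; others -> None."""
    ts, can_id, data = line.split()
    raw = bytes.fromhex(data)
    if not raw or raw[0] >> 4 != 0:   # first/consecutive/flow-control frames skipped
        return None
    length = raw[0] & 0x0F            # payload length lives in the low nibble
    return float(ts), int(can_id, 16), raw[1:1 + length]

def audit_security_access(lines):
    """Summarise SecurityAccess activity per CAN id. Tester requests and ECU
    responses travel on different ids, so they are counted under separate keys."""
    summary = defaultdict(lambda: {"seed_requests": 0, "key_attempts": 0,
                                   "invalid_keys": 0, "lockouts": []})
    for line in lines:
        parsed = parse_frame(line)
        if parsed is None:
            continue
        ts, can_id, pdu = parsed
        sid = pdu[0]
        if sid == 0x27 and len(pdu) >= 2:                 # request from tester
            if pdu[1] % 2 == 1:                           # odd sub-function: requestSeed
                summary[can_id]["seed_requests"] += 1
            else:                                         # even sub-function: sendKey
                summary[can_id]["key_attempts"] += 1
        elif sid == 0x7F and len(pdu) >= 3 and pdu[1] == 0x27:   # negative response
            nrc = pdu[2]
            if nrc == 0x35:
                summary[can_id]["invalid_keys"] += 1
            elif nrc in NRC:
                summary[can_id]["lockouts"].append((ts, NRC[nrc]))
    return dict(summary)

# Constructed trace: tester (0x7E0) gets a seed, sends two wrong keys, ECU (0x7E8) locks out.
SAMPLE_TRACE = [
    "0.000 7E0 0227010000000000",   # requestSeed, level 1
    "0.010 7E8 0667011234567800",   # positive response carrying a 4-byte seed
    "0.020 7E0 0627020102030400",   # sendKey, level 1 (wrong key)
    "0.030 7E8 037F273500000000",   # NRC 0x35 invalidKey
    "0.040 7E0 0627020202020200",   # second wrong key
    "0.050 7E8 037F273600000000",   # NRC 0x36 exceededNumberOfAttempts
    "0.060 7E0 0227010000000000",   # retry seed request during the delay
    "0.070 7E8 037F273700000000",   # NRC 0x37 requiredTimeDelayNotExpired
]
```

Running `audit_security_access(SAMPLE_TRACE)` shows two key attempts and one invalid-key rejection followed by two lockout responses, which is the pattern a diagnostic-port monitor would flag as an attempted brute force.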
Automotive Tooling
In this session, we focus on practical ways to conduct a forensic analysis. A first avenue we explore is that of the hardware MCU debugger. We show how to recover an unknown communication protocol and pinpoint its crucial passages. We look at existing aftermarket tools and analyse the bugs they exploit to actually achieve, e.g., mileage correction.
Hardware fault injection
We show several hardware Fault Injection (FI) techniques on real-world targets. We introduce the benefits, difficulties and peculiarities of two reasonably accessible techniques, namely voltage and electromagnetic FI.
Firmware analysis
Finally, we take a look at ECU firmware and show the common analysis process. We point out several typical quirks of authentication routines, which make them easier to locate in the firmware blob.
ECU Forensics, firmware analysis, fault attacks, reverse engineering
Dr. Jan Van den Herrewegen has been researching (along with the inevitable cursing at) the security of Electronic Control Units since 2016. He defended his PhD thesis "Automotive Firmware Extraction and Analysis Techniques" at the University of Birmingham in February 2021. Since then he has stayed involved in the goings-on of the automotive world and reverse engineering through EmberCrypt, his professional vessel. Having moved from more research-focused work during his PhD to tackling more practical challenges in recent years, he is eager to share what he has learned about what to do (and especially what not to do) with an unknown ECU.