32C3: Dieselgate — Inside the VW’s ECU

[Daniel Lange] and [Felix Domke] gave a great talk about the Volkswagen emissions scandal at this year’s Chaos Communication Congress (32C3). [Lange] previously worked as Chief architect of process chain electronics for BMW, so he certainly knows the car industry, and [Domke] did a superb job reverse-engineering his own VW car. Combining these two in one talk definitely helps clear some of the smog around the VW affair.

[Lange]’s portion of the talk basically concerns the competitive and regulatory environments that could have influenced the decisions behind the folks at VW who made the wrong choices. [Lange] demonstrates how “cheating” Europe’s lax testing regime is fairly widespread, mostly because the tests don’t mimic real driving conditions. But we’re not sure who’s to blame here. If the tests better reflected reality, gaming the tests would be the same as improving emissions in the real world.

As interesting as the politics is, we’re here for the technical details, and the reverse-engineering portion of the talk begins around 40 minutes in but you’ll definitely want to hear [Lange]’s summary of the engine control unit (ECU) starting around the 38 minute mark.

[Domke] starts off with a recurring theme in our lives, and the 32C3 talks: when you want to reverse-engineer some hardware, you don’t just pull the ECU out of your own car — you go buy another one for cheap online! [Domke] then plugged the ECU up to a 12V power supply on his bench, hooked it up, presumably to JTAG, and found a bug in the firmware that enabled him to dump the entire 2MB of flash ROM into a disassembler. Respect! His discussion of how the ECU works is a must. (Did you know that the ECU reports a constant 780 RPM on the tacho when the engine’s idling, regardless of the actual engine speed? [Domke] has proof in the reverse-engineered code!)

The ECU basically takes in data from all of the car’s sensors, and based on a number of fixed data parameters that physically model the engine, decides on outputs for all of the car’s controls. Different car manufacturers don’t have to re-write the ECU code, but simply change the engine model. So [Domke] took off digging through the engine model’s data.

Long story short, the driving parameters that trigger an emissions reduction exactly match those that result from the EU’s standardized driving schedule that they use during testing — they’re gaming the emissions tests something fierce. You’ve really got to watch the presentation, though. It’s great, and we just scratched the surface.

And if you’re interested in our other coverage of the Congress, we have quite a collection going already.

Tamagotchi ROM dump and reverse engineering

tamagotchi-rom-dump-and-reverse engineering

Often the true key to success is persistence and that holds true for this project which dumped the ROM from the current generation of Tamagotchi toys. If you’re a fan of learning the secrets built into consumer electronics — and you know we are — you’ll want to go back and watch the 24-minute lecture on Tamagotchi hacking which [Natalie Silvanovich] gave a 29C3 last year. She had made quite a bit of headway hacking the playable pods, but wasn’t able to get her hands on a full ROM dump from the General Plus chip on board processor. This update heralds her success and shares the details of how it was done.

As we learned form the video lecture it was a huge chore just to figure out what processor this uses. It turned out to be a 6502 core with a few other things built in. After prowling the manufacturer’s website she found example code for writing to Port A. She was then able to execute her own code which was designed to dump one byte of ROM at a time using the SPI protocol.

[Natalie] posted her code dump if you’re interested in digging through it. But as usual we think the journey is the most interesting part.

[Thanks Itay]

A better way to hack iClass RFID readers

iClass is an RFID standard that is aimed at better security through encryption and authentication. While it is more secure than some other RFID implementations, it is still possible to hack the system. But initial iClass exploits were quite invasive. [Brad Antoniewicz] published a post which talks about early attacks on the system, and then demonstrates a better way to exploit iClass readers.

We remember seeing the talk on iClass from 27C3 about a year and a half ago. While the technique was interesting, it was incredibly invasive. An attacker needed multiple iClass readers at his disposal as the method involved overwriting part of the firmware in order to get a partial dump, then patching those image pieces back together. [Brad] makes the point that this is fine with an off-the-shelf system, but high-security installations will be using custom images. This means you would need to get multiple readers off the wall of the building you’re trying to sneak into.

But his method is different. He managed to get a dump of the EEPROM from a reader using an FTDI cable and external power source. If you wan to see how he’s circumventing the PIC read protection you’ll have to dig into the source code linked in his article.

2708 EPROM dumper

[Andrea “Mancausoft” Milazzo] has been restoring old equipment which often contain EPROM chips. He thought he was all set with an EPROM reader which easily dumped the data from 2716 chips and a few others. But he found that the hardware was unable to read 2708 and 2704 chips. His solution was to build a PIC-based EPROM dumper.

You may remember from some of our recent features that these chips are something of a ticking clock. They store program code and other information vital to the functioning of old hardware. Since they’re erased with UV light, years of exposure to ambient light can zap some of the data.

The specs needed to read a chip of this type are rather rudimentary. There are ten address pins and eight data pins. [Andrea] also needed a way to get data from the microcontroller to a computer for backup. He uses two more pins for this purpose, bringing the I/O count to 20. He went with  PIC 18F4610 and built the rest of the reader around it.

Taking a dump from some old hardware

NYC Resistor shows you how to have some fun with electronics from the junk bin. Their post called The Joy of Dumping encourages you to look around for older memory chips and see what they’ve been hiding away for all these years.

The targets of their hunt are EPROM chips. Note the single ‘E’. These are Erasable Programmable Read-Only Memory chips, and predate EEPROM which adds “Electrically” to the beginning of the acronym.  You used to use a UV light source to erase the older types of memory. In fact we’ve seen some EPROM erasers as projects from time to time. These shouldn’t be too hard to find as they were prevalent as cheap storage back in the 1980’s.

If the quartz window on the top of the chips has been shielded from ambient UV light, you should still be able to read them and it’s as easy as hooking up your Arduino. Is it useful? Not really, but it still can be neat to interface with what might otherwise never make its way back out of the junk box.