Inside A CAN Bus Mileage Manipulator

In the days of carburetors and leaf spring suspensions, odometer fraud was pretty simple to do just by disconnecting the cable or even winding the odometer backwards. With the OBD standard and the prevalence of electronics in cars, promises were made by marketing teams that this risk had all but been eliminated. In reality, however, the manipulation of CAN bus makes odometer fraud just as easy, and [Andras] is here to show us exactly how easy with a teardown of a few cheap CAN bus adapters.

We featured another project that was a hardware teardown of one of these devices, but [Andras] takes this a step further by probing into the code running on the microcontroller. One would imagine that basic measures would have been taken by the attackers to obscure code or at least disable debugging modes, but on this one no such effort was made. [Andras] was able to dump the firmware from both of his test devices and start analyzing them.

Analyzing the codes showed identical firmware running on both devices, which made his job half as hard. It looked like the code was executing a type of man-in-the-middle attack on the CAN bus which allowed it to insert the bogus mileage reading. There’s a lot of interesting information in [Andras]’s writeup though, so if you’re interested in CAN bus or attacks like this, it’s definitely worth a read.

28 thoughts on “Inside A CAN Bus Mileage Manipulator

        1. Maybe “how x works”, or “sneaky code from x” would have been a better title. Being a hardware enthusiast, the notion of inside requires a chisel to take the top off the chip.

          Quite second Aqib’s point. It would be nice to have something other than fluff and a pointer for a post.

          1. I suppose the word “inside” is used slightly metaphorically here, but not too much. The article explains all the components, and even gives a link to the datasheet of the microcontroller being used.

            I’m certainly glad to have read this post here on HaD, I’m unlikely to have seen the article otherwise.

      1. Sometimes the programming of clusters and the ECU’s are encrypted something fierce, yet the cluster still blindly accepts the information from the ECU during operation.
        So this is essentially a simple hardware “fix” for a software “flaw”, relying on the CANbus standard.

        1. It’s not a flaw, it’s working with assumption, that if you have direct access to hardware, sooner or later you will be able to do anything. Can is DESIGNED as a local bus and therefore not safeguarded against rogue devices.

  1. This is the reason why my country introduced mileage checks to all yearly vehicle diagnostics, vehicle database has mileage added and diagnosts imput new number with every check, then police can check it doing road inspections.It doesn’t stop cheating on importing used cars but all sales inside country are safer now.

    1. Yeah. Was gonna say: back in the day, you didn’t need a CAN bus. You just drove the car in reverse, or else you disconnected the speedo cable, hooked it up to a power drill, and spun it backwards as fast as you could. Sometimes they wouldn’t work in reverse, so worst case you had to open it up and manually reset it. Gotta have some other records for it other than the car itself.

        1. We had an 87 Nissan Sentra that would lower the mileage when driving in reverse.

          In fact, it was my wife’s first car, and she was sentimental about wanting to be driving it when it exceeded 100k miles .. unfortunately I was behind the wheel when it happened. Fortunately, it had just showed, so I backed the car up against a big log, and ran it in reverse for a bit until it was just under 100k.

          Sometimes, ya do what ya gotta do ..

  2. Just the other day I was seeing an imported mpv for our family. Checked the mileage via the VIN, as the price was below average, and they would remove any paint defects for no extra cost. It had 120kkms more than it displayed.
    Screw the seller.

    1. When can we just start using Megameters as in 120Mm, it makes sense right?
      I get that we are super used to using km and kkm is OK I guess, I have used this too for simplicity, but at HAD maybe we can start normalizing metric measurements when we are already using metric measurements.

  3. Speedometer manipulation always reminds me of Ferris Bueller’s Day Off. The Ferrari 250GT California in the movie would have had a speedometer that was driven off of the output of the transmission, so technically lifting the car and running it in reverse really would have taken miles off of the clock had it not fallen off the jack and went through the window.

    1. Did you watch the movie? Cameron starting kicking the car because the “driving in reverse” trick didn’t work. It hasn’t worked since the 1930’s at least.

        1. Pez is mistaken, confused, or lying.

          No Nissan sold in 1987 could have the odo rolled-back by driving it backwards. Period. If one could do that, it would have been all over the news. Dieselgate-level coverage.

          If you’ve seen the insides of a odometer it would be very difficult to modify them so driving backwards worked. The mechanism is a bunch of one-way ratchets. When criminals do roll-back odos, it’s by moving the upper digits /forward/ until they roll to a lower number.

    2. I don’t know if it’s true for that particular Ferrari, but modern mechanical speedometers have an anti-rollback mechanism so running the car in reverse doesn’t change the mileage (just like they showed in the movie.)

  4. Next time you look at a datasheet and wonder, “why did they include two CAN peripherals? Do they expect me to talk with two vehicles at once?”

    This is why! So you can bridge two networks and manipulate the data passing between them. The STM32F103 is an amazingly versatile chip for its age.

  5. Since these devices are roughly $10 on ebay, and completely unlocked, they seem like they might actually a pretty nice little package for CAN exploration/testing, or even a general purpose MCU.

  6. Any way somebody could use one to trick the inspector into thinking the check engine light isn’t on? Asking for a friend…

    Damn cars with engine computers. I’ve actually checked all the emissions sensors manually; everything is working as intended, but the dumb little proprietary computer isn’t reading its sensors correctly and throwing an error anyway. Of course it’s NOS only and expensive as hell. Just wish I could throw it in the garbage.

    1. Not sure how inspections work. That being said I have a few ideas. 1 Pull the cluster and break the light. 2 Grab a $25 scan tool and clear the dtc, if you checked each sensor it might stay off. Or it could be any number of other issues.

    2. most inspections that rely on the internal diagnostics to check stuff actually connect to the OBD port and read the readiness codes…if the ECU is not reading sensors correctly, then you either have defective cabling, a ground fault (those do wonders to sensor readouts) or a damaged ECU. Or the sensor is defective.
      If you don’t have a way of reading and resetting the fault codes, you need to find someone who does…an emissions fault might not have anything to with the sensors themselves being faulty, but it might be something “ahead” of them – a vacuum/boost leak, a faulty injector, MAF sensor…

      As for throwing it the garbage – depending on the laws where you live, you can get an aftermarket ECU, that lets you tweak pretty everything. The only problem is that few of them go below $1000, especially those that are “plug and play”.

  7. Might try taking sensor readings at the PCM harness rather than at the sensor, so as to rule out wiring issues, if this wasn’t already done. Options are limited if the car is ’96 or later.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.