[Willem Melching] owns a 2010 Volkswagen Golf – a very common vehicle in Europe – and noticed that whilst the electronic steering rack supports the usual Lane Keep Assist (LKAS) system, and would be theoretically capable of operating in a far more advanced configuration using openpilot, there were some shortcomings in VW’s implementation which mean that it would not function for long enough to make it viable. Being very interested in and clearly extremely capable at reverse engineering car ECUs and hacking them into submission, [Willem] set about documenting his journey to unlocking openpilot support for his own vehicle.
And what a journey it was! The four-part blog series is beautifully written, showing every gory detail and all tools used along the way. The first part shows the Electronic Power Steering (EPS) ECU from a 2010 Volkswagen Golf Mk6 module (which rides on the back of the three-phase steering rack motor) being cracked open to reveal an interesting multi-chip module approach, with bare die directly bonded to a pair of substrate PCBs that are, in turn, bonded to the back of the motor casing, presumably for heat dissipation reasons. Clever design, but frustrating at the same time, as this makes part identification somewhat trickier!
[Willem] uses a variety of tools and tricks to power up and sniff the ECU traffic on the CAN bus when hooked up to a SAE J2534-compliant debug tool, eventually determining that it speaks the VW-specific TP2.0 CAN bus protocol, and managed to grab enough traffic to check that it was possible to use the standard KWP2000 diagnostic protocol to access some interesting data. Next was a very deep dive into reverse engineering update images found online, by first undoing some trivial XOR operations, then looking at an entropy plot of the file using Binwalk to determine if he really did have code, and if it was encrypted or not. After running cpu_rec, it was determined the CPU was a Renesas V850. Then the real work started – loading the image into Ghidra to start making some guesses about the architecture of the code, to work out what needed patching to make the desired changes. In the final part of the series, [Willem] extracts and uses the bootloader procedure to partially patch the code configuration area of his vehicle and unlocks the goal he was aiming at – remote control of his steering. (OK, the real goal was running openpilot.)
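The entropy-plot step above is simple enough to reproduce by hand. The script below is an added example, not code from the blog series or from openpilot: it computes per-window Shannon entropy the way a Binwalk `-E` plot does, labels each window with assumed thresholds, and shows why a single-byte XOR layer is invisible to that plot (it only permutes byte values) yet is recoverable from the erased-flash fill byte. The sample image, the 0xFF fill assumption and the thresholds are all constructed for illustration.

```python
import math
import random
from collections import Counter

def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of one window, in bits per byte (0.0 for fill, 8.0 max)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def entropy_profile(image: bytes, window: int = 1024) -> list:
    """One entropy value per fixed-size window: the data behind a Binwalk -E plot."""
    return [shannon_entropy(image[i:i + window]) for i in range(0, len(image), window)]

def classify(e: float) -> str:
    """Coarse label per window; the thresholds are assumptions for this example."""
    if e < 1.0:
        return "padding"        # erased flash (0xFF) or zero fill
    if e < 7.0:
        return "code/data"      # machine code and tables: structured, mid entropy
    return "high-entropy"       # compressed or encrypted: close to 8 bits/byte

def xor_descramble(image: bytes, key: int) -> bytes:
    """Apply or undo a single-byte XOR; the operation is its own inverse."""
    return bytes(b ^ key for b in image)

def guess_xor_key(image: bytes, fill: int = 0xFF) -> int:
    """Under XOR obfuscation the (assumed 0xFF) flash fill is still the most
    common byte value; XOR it with the expected fill to recover the key."""
    most_common, _ = Counter(image).most_common(1)[0]
    return most_common ^ fill

def build_sample_image(seed: int = 1) -> bytes:
    """Constructed stand-in for an update image: fill, code-like bytes, random."""
    rng = random.Random(seed)
    padding = b"\xff" * 4096
    opcodes = list(range(0x00, 0x28))                      # 40 distinct values
    code = bytes(rng.choice(opcodes) for _ in range(4096))
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    return padding + code + payload

if __name__ == "__main__":
    img = xor_descramble(build_sample_image(), 0x5A)       # as found "online"
    key = guess_xor_key(img)
    plain = xor_descramble(img, key)
    for i, e in enumerate(entropy_profile(plain)):
        print(f"window {i:2d} @0x{i * 1024:05x}: {e:4.2f} bits/byte -> {classify(e)}")
```

Running it prints twelve windows: four padding, four code/data, four high-entropy, and the same profile is produced whether or not the XOR is undone first.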
In our opinion, this is a very interesting, if long, read showing a fascinating subject expertly executed. But we do want to stress that the vehicular EPS module is an ASIL-D safety tested device, so any hacks you do to a road-going vehicle will most definitely void your insurance (not to mention your warranty) if discovered in the event of a claim.
Older ECUs are a bit easier to hack, if you can pull the EPROM, and people out there are producing modules for all sorts of vehicular hacking. So plenty to tinker with!
This is what I come here for. Awesome!
+1 👍
This would make Mr Bean’s driving from the couch on the roof way easier.
++
“Any hacks you do to a road-going vehicle will most definitely void your insurance (not to mention your warranty) if discovered in the event of a claim.”
…so do it as long as you don’t get caught? Really HAD?
We can do better than that: “Don’t do this on public roads.”
There’s a reason things like this are regulated: you could kill not only yourself but other people.
I get what you say, but problem here is that if you leave it to the big companies then you end up impotent, knowing nothing, learning nothing and with them in ever increasing control of our lives. Though not mentioned in the article, Willem Melching is one of the lead devs on openpilot as you can see if you look on github. https://github.com/commaai
In the case of Openpilot, which is an open source effort not run by a car company’s R&D department, it is attempting to make cruise control safer by basing the system around monitoring the driver at all times while in cruise control (which would already have saved lives), and I believe that they are pioneers in this area of car safety.
By strictly following the rules and doing nothing, this project too would now be dead.
That said the project provides adequate warnings that no warranty is implied etc.
The article states the facts about what will happen, instead of just saying “don’t do this”. World is so full of meaningless “don’t do this” notes nowadays that they are useless.
Insurance, at least in the States, wouldn’t bother investigating a 2010 VW. They’ll just pay it and hike up your insurance rates and continue to collect money from all of us.
Anyone have Alfa Romeo CAN codes? I have a 2020 Giulia.
I can’t help but wonder if the lack of (serious) encryption is due to safety requirements. I mean, it would be terrible if the entire system collapsed because decoding failed. If not then you can expect future systems to be encrypted.
Trust me, current and future systems are and will be encrypted.
If the ASIL people don’t trust the decryption algorithm, they protect the decrypted data with a CRC.
So how can you do encrypted data, in scale, on a canbus, when a single message is often just 1 or 2 bytes?
You lose any (realtime) efficiency and probably cause more problems than encryption would solve here…
Exchange one-time pads ahead of time encrypted with a proper algorithm. Or simply exchange the seed to a secure PRNG and XOR with the individual bytes. Rekey often enough so you get a good chance to not run into problems if you lose a byte.
They’ll only encrypt if they have to. That’s why engine computers are now encrypted (due to tuning or emissions bypasses).
Now this is how it is done. Amazing bunch of work and thankfully well-documented :) I definitely tip my hat to ya! Now, back to reading this interesting pile!
Autonomous driving is cool. But it’s such a popular project.
Perhaps one could extend the same hack to go RC. That would be fun.
Yah, Yah, not on the public road. Kind of goes without saying.
That goes well with a flux capacitor.
Make sure to support the RPM Act so we can continue to see more of this. Would be a shame if the US were to turn into Germany as far as strict automotive laws. And I wouldn’t worry too much about insurance. I just got an LS3 from a wrecked Camaro that was sold at an insurance auction. It was pretty obvious it had a nitrous kit on it that was hastily taken off before the insurance adjuster took a look at it. (IAT sensor bypassed for extra fuel and timing retard, tune showed different injectors than stock and the IAT ignition tables fudged.)
Illegal almost everywhere. Look it up.