Security Vulnerabilities In Modern Cars Somehow Not Surprising

As the saying goes, there’s no lock that can’t be picked, much like there’s no networked computer that can’t be accessed. It’s usually a continual arms race between attackers and defenders — but for some modern passenger vehicles, which are essentially highly mobile computers now, the defenders seem to be asleep at the wheel. The computing systems that control these cars can be relatively easy to break into thanks to manufacturers’ insistence on using wireless technology to unlock or activate them.

This particular vulnerability involves the use of a piece of software called gattacker, which exploits weaknesses in Bluetooth Low Energy (BLE), a common protocol not only for IoT devices but also for interfacing a driver’s smartphone or other wireless key with the vehicle’s security system. By using a man-in-the-middle attack, the protocol exchange between the phone and the car can be duplicated and the doors unlocked. Not only that, but this can be done without being physically close to the car as long as a network of some sort is available.

[Kevin2600] successfully performed these attacks on a Tesla Model 3 and a few other vehicles using the seven-year-old gattacker software and methods first discovered by security researcher [Martin Herfurt]. Some other vehicles seem to have patched these vulnerabilities as well, and [Kevin2600] didn’t have universal success with every vehicle, but it does remind us of some other vehicle-based attacks we’ve seen before.

A CH32V003 Toolchain — If You Can Get One To Try It On

We’re in an exciting time for cheap microcontrollers, as with both the rise of RISC-V and the split between ARM and its Chinese subsidiary, a heap of super-cheap and very capable parts are coming to market. Sometimes these cheap chips come with the catch of being difficult to program though, but for one of them the ever-dependable [CNLohr] has brought together his own open-source toolchain. The part in question is the WCH CH32V003, which is a ten-cent RISC-V part that has an impressive array of capabilities. As always though, there’s a snag, in that we’re also told that while supplies are improving this part can be hard to find. The repository is ready for when you can get them again though, and currently also contains some demo work including addressable LED driver code.

As an alternative there’s a comparable and slightly cheaper ARM-based part, the Puya PY32. It’s reckoned to be the cheapest of the flash-based microcontrollers, and like the WCH part is bearing down on the crop of one-time-programmable chips such as the famous and considerably less powerful 3-cent Padauk. This end of the market is certainly heating up a little, and from our point of view this can only mean some exciting projects ahead.

[Image: Screenshot of the code decompiled after these patches are applied, showing that all the register writes are nicely decompiled and appropriate register names are shown in the code]

Making Ghidra Play Nice With RP2040

Developing firmware for RP2040 is undeniably fun, what with all these PIOs. However, sometimes you will want to switch it around and reverse-engineer some RP2040 firmware instead. If you’ve ever tried using Ghidra for that, your experience might have been seriously lackluster due to the decompiled output not making sense when it comes to addresses – thankfully, [Wejn] has now released patches for Ghidra’s companion, SVD-Loader, that turn it all around, and there’s a blog post to go with them.

SVD-Loader, while an indispensable tool for ARM work, didn’t work at all with the RP2040 due to a bug – which was fixed first. Then, [Wejn] turned to a peculiarity of the RP2040 – Atomic Register Access, which changes addressing in a way where the usual decompile flow results in nonsense addresses. Having brought a ton of memory map data into the equation, [Wejn] rewrote the decoding and got it to a point where peripheral accesses now map to nicely readable register writes in decompiled code – an entirely different picture!
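To make the addressing quirk concrete, here is an added Python illustration (not code from [Wejn]’s SVD-Loader patches, and not a Ghidra script) of the mapping a loader has to perform. The RP2040 datasheet exposes every APB peripheral register four times: at its own offset, and at that offset plus 0x1000 (atomic XOR on write), 0x2000 (atomic bit set) and 0x3000 (atomic bit clear). Firmware built with the SDK’s hw_set_bits()/hw_clear_bits() helpers therefore writes to addresses an unpatched loader has never heard of. The peripheral table below is a small constructed subset of the datasheet memory map (RESETS and the first two GPIOs of IO_BANK0); a real tool would read the full SVD instead.

```python
"""Decode RP2040 peripheral register addresses, including the atomic-access
aliases, into "PERIPH.REGISTER (op)" form.

Added illustration only: this is not [Wejn]'s SVD-Loader code.  The alias
offsets come from the RP2040 datasheet's "Atomic Register Access" section;
the peripheral table is a constructed subset of the datasheet memory map.
"""

# Alias offset within a peripheral's 16 KiB window -> access semantics.
ATOMIC_ALIASES = {
    0x0000: "rw",   # normal read/write access
    0x1000: "xor",  # atomic XOR on write
    0x2000: "set",  # atomic bitmask set on write
    0x3000: "clr",  # atomic bitmask clear on write
}

# Constructed subset of the memory map: base -> (name, {offset: register}).
# APB peripherals are spaced 0x4000 apart, so each owns a 16 KiB window.
PERIPHERALS = {
    0x4000C000: ("RESETS", {0x0: "RESET", 0x4: "WDSEL", 0x8: "RESET_DONE"}),
    0x40014000: ("IO_BANK0", {0x0: "GPIO0_STATUS", 0x4: "GPIO0_CTRL",
                              0x8: "GPIO1_STATUS", 0xC: "GPIO1_CTRL"}),
}


def decode_address(addr):
    """Return (peripheral, register, op) for addr, or None if it is unmapped.

    The low 12 bits select the register; bits 12-13 select which of the four
    aliases was used.  Without this split, a write to 0x4000E000 looks like a
    write to an unknown address 8 KiB past the RESETS block.
    """
    for base, (name, regs) in PERIPHERALS.items():
        if base <= addr < base + 0x4000:
            rel = addr - base
            alias = rel & 0x3000
            offset = rel & 0x0FFF
            reg = regs.get(offset)
            if reg is None:
                return None
            return name, reg, ATOMIC_ALIASES[alias]
    return None


def pretty(addr):
    """Render an access the way a symbol-aware decompiler would print it."""
    hit = decode_address(addr)
    if hit is None:
        return f"*(volatile uint32_t *)0x{addr:08x}  /* unmapped */"
    periph, reg, op = hit
    if op == "rw":
        return f"{periph}->{reg}"
    # The SDK spells these hw_xor_bits / hw_set_bits / hw_clear_bits.
    sdk_name = {"xor": "xor", "set": "set", "clr": "clear"}[op]
    return f"hw_{sdk_name}_bits(&{periph}->{reg}, ...)"


if __name__ == "__main__":
    # Constructed sample of raw store targets as a disassembler would list them.
    for a in (0x4000C000, 0x4000E000, 0x4000F004, 0x40015004, 0x40014010):
        print(f"0x{a:08x} -> {pretty(a)}")
```

Run it and the aliased stores resolve to the same RESETS and IO_BANK0 registers as their plain counterparts, with the operation (set, clear, xor) recovered from bits 12 and 13; an offset with no register entry, such as 0x40014010 in this trimmed table, stays unmapped so that the tool never invents a symbol.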

You can already apply the patches yourself if you desire. As usual, there’s still things left in TODO for proper quality of life during your Ghidra dive, but the decompiled code makes way more sense now than it did before. Now, if you ever encounter a RP2040-powered water cooler or an air quality meter, you are ready to take a stab at its flash contents. Not yet familiar with the Ghidra life? Well, our own HackadayU has just the learning course for you!

[Image: A grey car sits in the background out of focus, its front facing the camera. It sits over an asphalt roadway with a metal rail extending from the foreground to behind the car in the distance. The rail has two parallel slots, with screws surrounding the slots running down the rail.]

What Happened To Sweden’s Slot Car EV Road?

Many EVs can charge 80% of their battery in a matter of minutes, but for some applications range anxiety and charge time are still a concern. One possible solution is an embedded electrical rail in the road like the [eRoadArlanda] that Sweden unveiled in 2016.

Overhead electrical wires like those used in trolleys have been around since the 1800s, and there have been some tests with inductive coils in the roadway, but the 2 km [eRoadArlanda] takes the concept of the slot car to the next level. The top of the rail is grounded while the live conductor is kept well underground beneath the two parallel slots. Power is only delivered when a vehicle passes over the rail with a retractable contactor, reducing danger for pedestrians, animals, and other vehicles.

One of the big advantages of this technology being in the road bed is that both passenger and commercial vehicles could use it unlike an overhead wire system that would require some seriously tall pantographs for your family car. Testing over several Swedish winters shows that the system can shed snow and ice as well as rain and other road debris.

Unfortunately, the project’s website has gone dark, and the project manager didn’t respond when we reached out for comment. If there are any readers in Sweden with an update, let us know in the comments!

We’ve covered both overhead wire and embedded inductive coil power systems here before if you’re interested in EV driving with (virtually) unlimited range.


[Image: A closeup of the faulty section of the dial – you can spot the plastic rivets that broke off]

The Tale Of Two Broken Flukes

Some repairs happen as if by pure luck, and [Sebastian] shows us one such repair on Hackaday.io. He found two Fluke 175 meters being sold on eBay, with one having a mere beeper issue, and another having a “strange error”. Now, theoretically, swapping beepers around would give you one working meter and a kit of spare parts – but this is Fluke we’re talking about, and [Sebastian] wasn’t satisfied leaving it there.

First, he deduced that the beeper issue could be fixed by repositioning the piezo disk – and indeed, that brought meter number one to working order. This left the mysterious error – the meter would only power up in certain rotations of the dial, and would misbehave at that. Disassembly cleared things up – the dial mechanics had failed, in that half of the metal contacts came detached after all the plastic rivets holding the metal piece in place mysteriously vanished. The mechanics were indeed a bit intricate, and our hacker hoped to buy a replacement, but seeing replacement switch prices in the three-digit range, out came the epoxy tube.

An epoxy fix left overnight netted him two perfectly working Fluke meters, and while we don’t know what the listing price was for these, such a story might make you feel like taking your chances with a broken Fluke, too. The tale does end with a word of caution from [Sebastian], though – apparently, cleaning the meters took longer than the repairs themselves. Nevertheless, this kind of repair is a hobbyist’s dream – sometimes, you have to design a whole new case for your meter if as much as a wire breaks, or painstakingly replace a COB with a TQFP chip.

Self-Destructing USB Drive Releases The Magic Smoke

There were some that doubted the day would ever come, but we’re happy to report that the ambitious self-destructing USB drive that security researcher [Walker] has been working on for the last 6+ months has finally stopped working. Which in this case, is a good thing.

Readers may recall that the goal of the Ovrdrive project was to create a standard-looking flash drive that didn’t just hide or erase its contents when accessed by an unauthorized user, but actively damaged itself to try and prevent any forensic recovery of the data in question. To achieve this, [Walker] built a voltage doubler circuit into the drive that produces 10 volts from the nominal 5 VDC coming from the USB port. At the command of an onboard microcontroller, that 10 V is connected to the circuit’s 3.3 V rail to set off the fireworks.

Early attempts only corrupted some of the data, so [Walker] added some more capacitance to the circuit to build up more of a charge. With the revised circuit the USB controller IC visibly popped, but even after it was replaced, the NAND flash was still unresponsive. Sounds pretty dead to us.

[Image: Too user friendly, needs more buttons]

Unfortunately, there’s still at least one issue that’s holding back the design. As we mentioned previously, [Walker] was having trouble getting the computer to actually acknowledge his homebrew drive had any free space available. It turns out that the SM3257EN USB controller IC he’s using needs to be initialized by some poorly documented Windows XP software, which might not be such a big deal if the goal was just to build one of them, but could obviously be a hindrance when going into production.

He hopes further reverse engineering will allow him to determine which commands the XP software is giving to the IC so that he can duplicate them in a less ancient environment. Sounds like a job for Wireshark to us — with any luck he should be able to capture the commands being sent to the hardware and replay them.

While we can understand some readers may have lingering doubts about the drive’s spit-detection authentication system, it’s clear [Walker] has made some incredible progress here. This project demonstrates that not only can an individual spin up their own solid state storage, but that should they ever need to, they can also destroy it in an instant.

A Thoroughly Modern Serial Terminal

The humble desktop serial terminal may have long disappeared from the world of corporate IT, but there are still plenty of moments when professionals and enthusiasts alike need to hook up to a serial port. Many of us use a serial port on our laptops or other mobile devices, but [Neil Crawforth] has gone one better than that with the VT2040. It’s an old-style serial terminal in a super-handy portable format, and as one might guess from the name, it has an RP2040 microcontroller at its heart.

Attached to the chip is a rather nice keyboard, and an ILI9488 480×320 LCD display. The software is modular, providing a handy set of re-usable libraries for the different functions including a PIO-based serial port. His main application seems to be talking to an ESP8266, but we’re guessing with a MAX232 or other level shifter chip it could drive a more traditional port. Everything can be found in the project’s GitHub repository, allowing anyone to join the fun.

As long-time readers will know, we’ve been partial to a few serial terminals in the past. Particularly beloved is this extremely retro model with vintage dot matrix LEDs.