Extracting SecOC Keys From A 2021 Toyota RAV4 Prime

With the recently introduced SecOC (Secure Onboard Communication) standard, car manufacturers seek to make the CAN bus networks that form the backbone of modern-day cars more secure. This standard adds a MAC (message authentication code) to the CAN messages, which can be used to validate that these messages come from a genuine part of the car, and not from a car thief or some third-party peripheral.

To check that it isn’t possible to circumvent SecOC, [Willem Melching] and [Greg Hogan] got their hands on the power steering (EPS) unit of a Toyota RAV4 Prime, as one of the first cars to implement this new security standard.

The 2021 Toyota RAV4 Prime’s power steering unit on the examination bench. (Credit: Willem Melching)

As noted by [Willem], the ultimate goal is to be able to run the open source driver assistance system openpilot on these SecOC-enabled cars, which would require either breaking SecOC, or following the official method of ‘rekeying’ the SecOC gateway.

After dumping the firmware of the EPS’s Renesas RH850/P1M-E MCU via voltage fault injection, the AES-based encryption routines were identified, but no easy exploits were found in the main application. This left the bootloader as the next target.

Ultimately they managed to reverse-engineer the bootloader to determine how the update procedure works, which enabled them to upload shellcode. This shellcode then let them extract the SecOC keys from RAM and send them out over the CAN bus. With these keys, any device can generate CAN messages with valid SecOC MACs, effectively breaking SecOC. Naturally, there are many caveats with this discovery.
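To make concrete what the MAC described above buys a receiver, and why a leaked key undoes it, here is an added illustration that is not code from the article or from the researchers. It models a receiving ECU that only accepts frames whose truncated MAC verifies under the shared key and whose freshness counter has not been seen before. AUTOSAR SecOC does use a truncated MAC plus a freshness value, but the exact layout below (4-byte MAC, 8-byte counter, HMAC-SHA256 as a stand-in for the AES-CMAC real ECUs use) is an assumption, as are the key and CAN ID values, which are constructed for the demo.

```python
"""Illustrative MAC-authenticated CAN frames in the spirit of SecOC.

Constructed example, not Toyota's or AUTOSAR's format: a truncated MAC over
(CAN ID, freshness counter, payload) is appended to the payload. HMAC-SHA256
stands in for AES-CMAC because the standard library ships no CMAC.
"""
import hashlib
import hmac
import struct

MAC_LEN = 4          # bytes of MAC appended to each payload (assumed layout)
CAN_MAX_DATA = 8     # classic CAN data field limit


def compute_mac(key, can_id, counter, payload):
    """Truncated MAC over (CAN ID, freshness counter, payload)."""
    msg = struct.pack(">IQ", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def seal_frame(key, can_id, counter, payload):
    """Sender side: payload followed by its MAC, must still fit one CAN frame."""
    if len(payload) + MAC_LEN > CAN_MAX_DATA:
        raise ValueError("payload plus MAC does not fit a classic CAN frame")
    return payload + compute_mac(key, can_id, counter, payload)


class SecOCReceiver:
    """Receiver side: verifies the MAC and rejects replayed counters."""

    def __init__(self, key):
        self.key = key
        self.last_counter = {}   # can_id -> highest counter accepted so far

    def accept(self, can_id, counter, data):
        """Return (status, payload); payload is None unless status is 'ok'."""
        if len(data) <= MAC_LEN:
            return "malformed", None
        payload, tag = data[:-MAC_LEN], data[-MAC_LEN:]
        expected = compute_mac(self.key, can_id, counter, payload)
        # constant-time compare so a forger learns nothing from timing
        if not hmac.compare_digest(tag, expected):
            return "bad_mac", None
        if counter <= self.last_counter.get(can_id, -1):
            return "replay", None
        self.last_counter[can_id] = counter
        return "ok", payload


def demo():
    """Walk through genuine, forged, replayed and key-compromised frames."""
    key = bytes(range(16))        # constructed key, not a real vehicle key
    rogue_key = bytes(16)         # what a device without the key might guess
    steering_id = 0x100           # constructed CAN ID
    rx = SecOCReceiver(key)
    results = []
    # genuine ECU frames with an increasing counter are accepted
    results.append(rx.accept(steering_id, 1, seal_frame(key, steering_id, 1, b"\x00\x10"))[0])
    results.append(rx.accept(steering_id, 2, seal_frame(key, steering_id, 2, b"\x00\x20"))[0])
    # a frame built without the key fails the MAC check
    results.append(rx.accept(steering_id, 3, seal_frame(rogue_key, steering_id, 3, b"\x7f\xff"))[0])
    # a captured genuine frame replayed with its old counter is rejected
    results.append(rx.accept(steering_id, 2, seal_frame(key, steering_id, 2, b"\x00\x20"))[0])
    # with the key extracted, a third-party frame is indistinguishable from a genuine one
    results.append(rx.accept(steering_id, 3, seal_frame(key, steering_id, 3, b"\x7f\xff"))[0])
    return results


if __name__ == "__main__":
    print(demo())   # ['ok', 'ok', 'bad_mac', 'replay', 'ok']
```

The last step of `demo()` is the whole point of the article: the receiver has no way to tell a frame sealed with the extracted key from one the real ECU sent, so once the key leaves the ECU the MAC no longer proves origin, only that the sender held the key.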


A gray 3d-printed box with RV-bridge embossed on it, and a connector-terminated bundle of wires coming out of it.

RV-Bridge Takes HomeKit To The Open Road

In the world of proprietary protocol darkness, it’s comforting to see that the RV realm (Recreational Vehicle, also known as a motorhome) has mostly settled on RV-C, an open protocol that lets various devices and systems inside an RV talk to each other over CAN. The undeniable openness of RV-C is surprising, but we haven’t seen many hobbyists tinker with it — yet.

Now, [Randy Ubillos] sets an example — his gift to us is an ESP32 firmware called RV-Bridge and it lets you control your RV’s RV-C network from HomeKit. After all, your motorhome could benefit from home automation, too!

The RV-C network in [Randy]’s family RV already had a factory-provided front-end and an iOS app, but naturally, it had a limited set of features. Having looked around online he found that both RV-C and HomeKit had open libraries for them, and set out to join these worlds together.

Now he’s released the first revision of RV-Bridge, fully-featured enough for comfortable day-to-day use, and with a setup guide for those who want to try it out! When it comes to hardware, you’ll want an ESP32 board with CAN support — [Randy] has found a perfect board for sale, and made it even more fitting by designing a 3D printed case for RV use; as usual, files are on GitHub!

Making your stock RV more comfy through hacker methods is exactly what we expect to grace our tips line! The kinds of RV projects we’ve seen so far are also outstandingly cool, yet of a different kind – things like building your own RV out of something not meant to be an RV, whether it’s an abandoned airliner, a school bus, or a jet engine! Oh, and if your hackerspace owns an RV, you can always convert it to something else, be it a mobile hackerspace or a spaceship simulator.

This ESP32 CAN!

Since modern cars use the CAN bus for so many of their functions, it’s unsurprising that it’s a frequent object of interest for those in our community. Some people go no further than commercial plug-in analysers, while others build their own CAN devices. This is what [Magnus Thomé] has done, with his RejsaCAN microcontroller board.

It’s a small PCB with an onboard CAN interface from an ESP32-S3 and a car-friendly power supply circuit, and perhaps most importantly, it has an auto-shutdown feature to prevent battery drain. Software-wise it’s a blank piece of paper for the user to roll their own application, but since the ESP32 is supported by the Arduino ecosystem, there are libraries that make talking CAN as easy as it can be.

[Magnus] has a list of potential applications for the board, many of which take advantage of the ESP’s wireless capabilities. So far, [Magnus] has hooked it up to an LCD display, but we can see so many other useful things coming out powered by something like this.

You haven’t tried playing with your car’s CAN bus yet? Maybe you should read this to whet your appetite.

UART Can’t? Arduino CANSerial Can!

[Jacob Geigle] had a problem. A GPS unit and a Bluetooth-to-serial were tying up all the hardware UARTs on an AVR Arduino project. “Software serial”, I hear you say. But what if I told you [Jacob] already had the board in question sending out data over CAN bus?

[Jacob]’s sweet hack creates an arbitrary number of CAN “devices” inside the Arduino code, and can treat each one of them as its own serial data channel. The “N” in CAN stands for network, after all. The trick is to create a device ID for each desired CANSerial interface, which is done in his library using the usual Arduino setup step. A buffer takes care of storing all the different channels until they can be pushed out over the hardware CAN peripheral. On the big-computer side of things, some software listens for the different “device” enumeration IDs and assigns each a virtual serial port.
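As an added illustration of the idea described above, here is a small host-side model of the scheme: each virtual serial port owns a CAN ID, the sender buffers bytes per channel and drains them as frames of at most 8 data bytes, and the receiver sorts frames back into per-ID streams. This is constructed example code, not [Jacob Geigle]’s library; the frame format (raw payload bytes, no sequence numbers) and the CAN IDs 0x101 and 0x102 are assumptions.

```python
"""Multiplexing several 'serial' channels over one CAN bus (constructed example).

Each virtual serial port is a CAN ID. The sender keeps one byte buffer per
channel and emits frames of up to 8 data bytes, round-robin across channels;
the host puts frames back into per-ID streams and reads them line by line.
"""
from typing import NamedTuple

CAN_MAX_DATA = 8   # classic CAN data field limit


class CanFrame(NamedTuple):
    can_id: int
    data: bytes


class CanSerialMux:
    """Microcontroller side: N virtual serial ports feeding one CAN peripheral."""

    def __init__(self):
        self._buffers = {}   # can_id -> pending bytes for that channel

    def open(self, can_id):
        if can_id in self._buffers:
            raise ValueError("CAN ID %#x already used by another channel" % can_id)
        self._buffers[can_id] = bytearray()

    def write(self, can_id, data):
        self._buffers[can_id] += data

    def pending(self):
        return sum(len(b) for b in self._buffers.values())

    def flush(self, max_frames=None):
        """Drain buffers into frames, round-robin so no channel starves the others."""
        frames = []
        while any(self._buffers.values()):
            for can_id, buf in self._buffers.items():
                if not buf:
                    continue
                chunk = bytes(buf[:CAN_MAX_DATA])
                del buf[:CAN_MAX_DATA]
                frames.append(CanFrame(can_id, chunk))
                if max_frames is not None and len(frames) >= max_frames:
                    return frames
        return frames


class CanSerialDemux:
    """Host side: reassembles frames into one byte stream per known CAN ID."""

    def __init__(self, known_ids):
        self.streams = {i: bytearray() for i in known_ids}
        self.ignored = []    # frames with IDs we did not enumerate (other bus traffic)

    def feed(self, frame):
        if frame.can_id not in self.streams:
            self.ignored.append(frame)
            return
        self.streams[frame.can_id] += frame.data

    def readline(self, can_id):
        """Return one newline-terminated line (without the newline), or None."""
        buf = self.streams[can_id]
        idx = buf.find(b"\n")
        if idx < 0:
            return None
        line = bytes(buf[:idx])
        del buf[:idx + 1]
        return line


GPS_ID, BT_ID = 0x101, 0x102    # assumed CAN IDs for the two virtual ports


def demo():
    """Send a constructed NMEA-style line and a short reply over two channels."""
    mux = CanSerialMux()
    mux.open(GPS_ID)
    mux.open(BT_ID)
    mux.write(GPS_ID, b"$GPGGA,123519,4807.038,N\n")   # 25 bytes -> 4 frames
    mux.write(BT_ID, b"OK\n")                           # 3 bytes  -> 1 frame
    frames = mux.flush()
    demux = CanSerialDemux([GPS_ID, BT_ID])
    for f in frames:
        demux.feed(f)
    demux.feed(CanFrame(0x7DF, b"\x02\x01\x00"))         # unrelated bus traffic, ignored
    return frames, demux.readline(GPS_ID), demux.readline(BT_ID), len(demux.ignored)


if __name__ == "__main__":
    frames, gps_line, bt_line, ignored = demo()
    print([hex(f.can_id) for f in frames], gps_line, bt_line, ignored)
```

Because the host only listens on the IDs it enumerated, anything else on the bus is dropped rather than mixed into a stream; on a shared vehicle bus the IDs you pick for virtual ports must not collide with ones real ECUs already transmit, or both sides will misread each other’s frames.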

While this was a hack born of necessity, we can see it as a clever opportunity to segregate information coming from the microcontroller into different streams. Maybe a debug channel, a command channel, and a data channel? They’re virtual devices, so go nuts!

While we usually see CANbus in its native habitat – inside your car – it’s also cool to think of the uses we could put it to. For instance, controlling a 3D printer. Need a CAN refresher? We’ve got just the ticket.

[Bus photo: Malta Bus; The terminus, Valletta by John Haslam. Can photo: Paint Cans by Daniel R. Blume. Horrible visual pun: I’m afraid that’s on us. You try finding images for CANbus code!]

Hacking A Proper Dash Into The Tesla Model 3

The Tesla Model 3 and Model Y are popular electric vehicles that dispense with some of the usual provisions you’d expect in a typical car. Namely, there’s no dash cluster in front of the driver; instead, all information is solely displayed on the center console screen. [Nick Nguyen] wasn’t a fan of this setup, and decided to hack together a dash cluster of his own. 

The CANdash works in a simple fashion, snooping the Tesla’s CAN bus for all the information relevant to the vehicle’s operation. It’s capable of displaying everything from speed to the remaining range in the battery, while also allowing the user to keep an eye on things like coolant temperatures and whether the Tesla Autopilot system is currently available.

The build relies on a CANserver, an ESP32-based device specifically built for hooking up to the CAN bus on Tesla vehicles and sharing the data externally. The data can then be piped wirelessly to an Android phone running CANdash to display all the desired information. With the help of an aftermarket dash clip or a 3D printed custom mount, the phone can then be placed behind the steering wheel to display data in the usual location.

It’s a simple, straightforward hack that gives Tesla owners a useful feature that they’re otherwise missing from the factory. The US automaker’s cars are proving to be fertile ground for hackers and DIYers, with one man recently saving thousands on a battery swap with a simple mod. Video after the break.


Baby Steps Toward DIY Autonomous Driving: VW Golf Edition

Nice thermal design, but conformal coating and no ID marks make this tough to reverse engineer

[Willem Melching] owns a 2010 Volkswagen Golf – a very common vehicle in Europe – and noticed that whilst the electronic steering rack supports the usual Lane Keep Assist (LKAS) system, and would be theoretically capable of operating in a far more advanced configuration using openpilot, there were some shortcomings in VW’s implementation which meant that it would not function for long enough to be viable. Being very interested in and clearly extremely capable at reverse engineering car ECUs and hacking them into submission, [Willem] set about documenting his journey to unlocking openpilot support for his own vehicle.

And what a journey it was! The four-part blog series is beautifully written, showing every gory detail and all tools used along the way. The first part shows the Electronic Power Steering (EPS) ECU from a 2010 Volkswagen Golf Mk6 (a module that rides on the back of the three-phase steering rack motor) being cracked open to reveal an interesting multi-chip module approach, with bare die directly bonded to a pair of substrate PCBs that are, in turn, bonded to the back of the motor casing, presumably for heat dissipation reasons. Clever design, but frustrating at the same time, as this makes part identification somewhat trickier!

Entropy less than 1.0 and zero-filled sections indicate that no encryption was applied

[Willem] uses a variety of tools and tricks to power up and sniff the ECU traffic on the CAN bus when hooked up to a SAE J2534-compliant debug tool, eventually determining that it speaks the VW-specific TP2.0 CAN bus protocol, and managed to grab enough traffic to check that it was possible to use the standard KWP2000 diagnostic protocol to access some interesting data. Next was a very deep dive into reverse engineering update images found online: first undoing some trivial XOR operations, then looking at an entropy plot of the file using Binwalk to determine whether he really did have code, and whether it was encrypted or not. After running cpu_rec, it was determined that the CPU was a Renesas V850. Then the real work started – loading the image into Ghidra to start making some guesses about the architecture of the code, to work out what needed patching to make the desired changes. In the final part of the series, [Willem] extracts and uses the bootloader procedure to partially patch the code configuration area of his vehicle and unlocks the goal he was aiming at – remote control of his steering. (OK, the real goal was running openpilot.)

In our opinion, this is a very interesting, if long, read showing a fascinating subject expertly executed. But we do want to stress that the vehicular EPS module is an ASIL-D safety-tested device, so any hacks you do to a road-going vehicle will most definitely void your insurance (not to mention your warranty) if discovered in the event of a claim.

Older ECUs are a bit easier to hack, if you can pull the EPROM, and people out there are producing modules for all sorts of vehicular hacking. So plenty to tinker with!

Turn signal monitor

Annoy Yourself Into Better Driving With This Turn Signal Monitor

Something like 99% of the people on the road at any given moment will consider themselves an above-average driver, something that’s as statistically impossible as it is easily disproven by casual observation. Drivers make all kinds of mistakes, but perhaps none as annoying and avoidable as failure to use their turn signal. This turn signal monitor aims to fix that, through the judicious use of negative feedback.

Apparently, [Mark Radinovic] feels that he has a predisposition against using his turn signal due to the fact that he drives a BMW. To break him of that habit, one that cost him his first BMW, he attached Arduino Nano 33 BLEs to the steering wheel and the turn signal stalk. The IMUs sense the position of each and send that over Bluetooth to an Arduino Uno WiFi. That in turn talks over USB to a Raspberry Pi, which connects to the car’s stereo via Bluetooth to blare an alarm when the steering wheel is turned but the turn signal remains untouched. The video below shows it in use; while it clearly works, there are a lot of situations where it triggers even though a turn signal isn’t really called for — going around a roundabout, for example, or navigating a sinuous approach to a drive-through window.

While [Mark] clearly built this tongue firmly planted in cheek, we can’t help but think there’s a better way — sniffing the car’s CANbus to determine steering angle and turn signal status comes to mind. This great workshop on CANbus sniffing from last year’s Remoticon would be a great place to start if you’d like a more streamlined solution than [Mark]’s.
