Baby Steps Toward DIY Autonomous Driving: VW Golf Edition

Nice thermal design, but conformal coating and no ID marks make this tough to reverse engineer

[Willem Melching] owns a 2010 Volkswagen Golf – a very common vehicle in Europe – and noticed that whilst the electronic steering rack supports the usual Lane Keep Assist (LKAS) system, and would be theoretically capable of operating in a far more advanced configuration using openpilot, there were some shortcomings in VW’s implementation which meant that it would not function for long enough to make it viable. Being very interested in, and clearly extremely capable at, reverse engineering car ECUs and hacking them into submission, [Willem] set about documenting his journey to unlocking openpilot support for his own vehicle.

And what a journey it was! The four-part blog series is beautifully written, showing every gory detail and all tools used along the way. The first part shows the Electronic Power Steering (EPS) ECU module from a 2010 Volkswagen Golf Mk6 (which rides on the back of the three-phase steering rack motor) being cracked open to reveal an interesting multi-chip module approach, with bare die directly bonded to a pair of substrate PCBs that are, in turn, bonded to the back of the motor casing, presumably for heat dissipation reasons. Clever design, but frustrating at the same time, as this makes part identification somewhat trickier!

Entropy less than 1.0, and zero sections indicate no encryption applied

[Willem] uses a variety of tools and tricks to power up the ECU and sniff its traffic on the CAN bus when hooked up to a SAE J2534-compliant debug tool, eventually determining that it speaks the VW-specific TP2.0 CAN bus protocol, and managing to grab enough traffic to check that it was possible to use the standard KWP2000 diagnostic protocol to access some interesting data. Next was a very deep dive into reverse engineering update images found online, by first making some trivial XOR operations, then looking at an entropy plot of the file using Binwalk to determine if he really did have code, and if it was encrypted or not. After running cpu_rec, it was determined the CPU was a Renesas V850. Then the real work started – loading the image into Ghidra to start making some guesses of the architecture of the code, to work out what needed patching to make the desired changes. In the final part of the series, [Willem] extracts and uses the bootloader procedure to partially patch the code configuration area of his vehicle and unlocks the goal he was aiming at – remote control of his steering. (OK, the real goal was running openpilot.)
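The entropy check mentioned above can be reproduced in a few lines. This is an added example, not code from [Willem]'s series or from Binwalk; the window size, the thresholds and both sample images are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096  # window size in bytes (assumed for this example)

def block_entropy(block):
    """Shannon entropy of one block, normalised so 1.0 means 8 bits per byte."""
    if not block:
        return 0.0
    n = len(block)
    bits = sum(-(c / n) * math.log2(c / n) for c in Counter(block).values())
    return bits / 8.0

def entropy_profile(image, block=BLOCK):
    """Per-window entropy, the data behind an entropy plot."""
    return [block_entropy(image[i:i + block]) for i in range(0, len(image), block)]

def assess(image, high=0.97, high_fraction=0.9):
    """Summarise a profile; 'high' and 'high_fraction' are assumed thresholds."""
    profile = entropy_profile(image)
    if not profile:
        raise ValueError("empty image")
    high_blocks = sum(e >= high for e in profile)
    return {
        "blocks": len(profile),
        "max": max(profile),
        "zero_blocks": sum(e == 0.0 for e in profile),  # padding / erased flash
        # Encrypted and compressed data both look uniformly random.
        "likely_encrypted_or_compressed": high_blocks / len(profile) >= high_fraction,
    }

def pseudo_random(n):
    """Deterministic stand-in for ciphertext (SHA-256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

# Constructed samples, not real firmware.
PLAIN_LIKE = bytes(range(0x20, 0x60)) * 256 + b"\xff" * (2 * BLOCK)
CIPHER_LIKE = pseudo_random(6 * BLOCK)

if __name__ == "__main__":
    for name, image in (("plain-like", PLAIN_LIKE), ("cipher-like", CIPHER_LIKE)):
        print(name, assess(image))
```

A plain image shows windows well below 1.0 plus flat zero-entropy padding, while an encrypted or compressed one sits near 1.0 throughout with no zero sections.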

In our opinion, this is a very interesting, if long, read showing a fascinating subject expertly executed. But we do want to stress that the vehicular EPS module is an ASIL-D safety tested device, so any hacks you do to a road-going vehicle will most definitely void your insurance (not to mention your warranty) if discovered in the event of a claim.

Older ECUs are a bit easier to hack, if you can pull the EPROM, and people out there are producing modules for all sorts of vehicular hacking. So plenty to tinker with!

Prisoners Build DIY Computers And Hack Prison Network

The Internet is everywhere. The latest anecdotal evidence of this is a story of prison inmates who built their own computers and connected them to the internet. Back in 2015, prisoners at the Marion Correctional Institution in Ohio built two computers from discarded parts which they transported 1,100 feet through prison grounds (even passing a security checkpoint) before hiding them in the ceiling of a training room. The information has just been made public after the release of the Inspector General’s report (PDF). This report is fascinating and worth your time to read.

This Ethernet router was located in a training room in the prison. Physical access is everything in computer security.

Prisoners managed to access the Ohio Department of Rehabilitation and Corrections network using login credentials of a retired prison employee who is currently working as a contract employee. The inmates plotted to steal the identity of another inmate and file tax returns under their name. They also gained access to internal records of other prisoners and checked out websites on how to manufacture drugs and DIY weapons, before prison officers were able to find the hidden computers. From the report:

The ODAS OIT analysis also revealed that malicious activity had been occurring within the ODRC inmate network. ODAS OIT reported, “…inmates appeared to have been conducting attacks against the ODRC network using proxy machines that were connected to the inmate and department networks.” Additionally, ODAS OIT reported, “It appears the Departmental Offender Tracking System (DOTS) portal was attacked and inmate passes were created. Findings of bitcoin wallets, stripe accounts, bank accounts, and credit card accounts point toward possible identity fraud, along with other possible cyber-crimes.”

The prisoners involved knew what they were doing. From the interview with the inmate it seems the computers were set up as a remote desktop bridge between internal computers they were allowed to use and the wider internet. They would use a computer on the inmate network and use a remote desktop to access the illicit computers. These were running Kali Linux and there’s a list of “malicious tools” found on the machines. It’s pretty much what you’d expect to find on a Kali install but the most amusing one listed in the report is “Hand-Crafted Software”.

This seems crazy, but prisoners have always been coming up with new ideas to get one over on the guards, like building DIY tattoo guns. When you have a lot of time on your hands and little responsibility, crazy ideas don’t seem so crazy after all.

Q Has Nothing On Naomi Wu

We’re not so much fans of James Bond as we are of Q, the hacker who supplies him with such wonderful things. There is a challenger to Q’s crown: [Naomi Wu], code name [SexyCyborg], built an epic gadget called the Pi Palette which hides a Linux laptop inside of a cosmetics case.

You can see the covert mode of the Pi Palette below. It resembles a clamshell cosmetics case with the makeup and applicator in the base and a mirror on the underside of the flip-up lid. The mirror hides an LCD screen in the portrait orientation, as well as a Raspberry Pi 3 running Kali Linux.

The base of the case includes a portable battery beneath the wireless keyboard/touchpad — both of which are revealed when the cosmetics tray is removed. An inductive charger is connected to the battery and [Naomi] built a base station which the Pi Palette sits in for wireless charging.

She envisions this as a tool for covert penetration testing. For that, the Pi Palette needs the ability to put the WiFi dongle into promiscuous mode. She wired in a dual dip-switch package and really went the extra mile to design it into the case. The fit and finish of that switch is just one tiny detail that illustrates the care taken with the entire project. With such a beautiful final project it’s no wonder she took to the streets to show it off. Check that out, as well as the build process, in the video after the break.


Why Aren’t We Arguing More About Mr Robot?

Editor’s note: Thar be spoilers below.

Showing any sort of ‘hacking’ on either the big screen or the small often ends in complete, abject failure. You only need to look at Hackers with its rollerblading PowerBooks, Independence Day where the aliens are also inexplicably using PowerBooks, or even the likes of Lawnmower Man with a VR sex scene we keep waiting for Oculus to introduce. By design, Mr Robot, a series that ended its first season on USA a month ago, bucks this trend. It does depressed, hoodie-wearing, opioid-dependent hackers right, while still managing to incorporate some interesting tidbits from the world of people who call themselves hackers.

Desktop Environments

In episode 0 of Mr Robot, we’re introduced to our hiro protagonist [Elliot], played by [Rami Malek], a tech at the security firm AllSafe. We are also introduced to the show’s Macbeth, [Tyrell Wellick], played by [Martin Wallström]. When these characters are introduced to each other, [Tyrell] notices [Elliot] is using the Gnome desktop on his work computer while [Tyrell] says he’s, “actually on KDE myself. I know [Gnome] is supposed to be better, but you know what they say, old habits, they die hard.”

[Elliot], running Kali with Gnome
While this short exchange would appear to most as two techies talking shop, this is a scene with a surprisingly deep interpretation. Back in the 90s, when I didn’t care if kids stayed off my lawn or not, there was a great desktop environment war in the land of Linux. KDE was not free, it was claimed by the knights of GNU, and this resulted in the creation of the Gnome.

Subtle, yes, but in one short interaction between [Elliot] and [Tyrell], we see exactly where each is coming from. [Elliot] stands for freedom of software and of mind, [Tyrell] is simply toeing the company line. It’s been fifteen years since message boards have blown up over the Free Software Foundation’s concerns over KDE, but the sentiment is there.

Biohacking

There’s far more to a hacker ethos than having preferred Linux desktop environments. Hacking is everywhere, and this also includes biohacking. In the case of one Mr Robot character, this means genetic engineering.

In one episode of Mr Robot, the character Romero temporarily gives up his power in front of a keyboard and turns his mind to genetics. He “…figured out how to insert THC’s genetic information code into yeast cells.” Purely from a legal standpoint, this is an interesting situation; weed is illegal, yeast is not, and the possibilities for production are enormous. Yeast only requires simple sugars to divide and grow in a test tube; marijuana actually requires a lot of resources and an experienced staff to produce a good crop.

Life imitates art, but sometimes the reverse is true. Just a few weeks after this episode aired, researchers at Hyasynth Bio announced they had genetically modified yeast cells to produce THC and cannabidiol.

The promise of simply genetically modifying yeast to produce THC is intriguing; a successful yeast-based grow room could outproduce any plant-based operation, with the only input being sugar. Alas, the reality of the situation isn’t quite that simple. Researchers at Hyasynth Bio have only engineered yeast to turn certain chemical precursors into THC. Making THC from yeast isn’t yet as simple as home brewing an IPA, but it’s getting close, and a great example of how Mr Robot is tapping into hacking, both new and old.

Why Aren’t We Arguing More About This?

The more we ruminate on this show, the more there is to enjoy about it. It’s the subtle background that’s the most fun; the ceiling of the chapel as it were. We’re thinking of turning out a series of posts that works through all the little delights that you might have missed. For those who watched and love the series, what do you think? Perhaps there are other shows worthy of this hacker drill-down, but we haven’t found them yet.