Reverse Engineering of Automotive Firmware

This document discusses efficient techniques for reverse engineering automotive firmware. It describes obtaining firmware, challenges like complex platforms and lack of tools, and developing an emulator for the CPU architecture and peripherals. Dynamic analysis techniques like debugging, tracing, and fuzzing executions are covered. The document also explores hacking techniques like taint tracking and manipulating CAN messages and EEPROM contents. Overall it argues reverse engineering is possible with the right approach and tools.


Efficient Reverse Engineering of Automotive Firmware
Alyssa Milburn
Security Analyst, Riscure
[email protected] / @noopwafel

(with Niek Timmers)

1
Reverse Engineering

Getting Firmware → Reverse Engineering → Understanding → Hacking
(goals: tuning / manipulation, IP, ???)

Efficient Reverse Engineering of Automotive Firmware 2


Automotive Firmware?
3
Instrument Cluster
• Speedometer/gauges
• Display (screen)
• Speaker!
• Blinky lights!

• 32-bit CPU
• CAN bus
• I2C bus
• EEPROM

4
How can we get the firmware?

• External flash
• Software vulnerabilities
• Leaks
• Hardware attacks
• Debug interfaces

5


What makes this challenging?

• “Non-standard” platforms
• New concepts
• Complexity

6


7
What makes this challenging?

• Static analysis (disassembly): too complicated
• Dynamic analysis (emulation / debugging): no tools?

No tools?! Let’s make some!

8
What do we need?
• Processor (instruction set) emulator

• Timers, interrupts
• CAN controller
• I2C controller
• EEPROM
• Display controller
9
Emulating the CPU architecture

10


“Implementing” peripherals

11


How difficult was it?

~ 1 man-week of work
~ 3000 lines of (terrible) code
(excluding support tooling)

12


Dynamic analysis

13
Debugging

gdb ↔ gdb “stub”: Break! Step! Watch!

14


Debugging
(gdb) hbreak *0x11032
Hardware assisted breakpoint 1 at 0x11032

(gdb) c
Continuing.

0x00011032 in ?? ()
(gdb)

15
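The gdb “stub” on the debugging slides is the emulator-side half of the GDB Remote Serial Protocol: gdb sends framed, checksummed packets and the stub answers them from emulated memory and a breakpoint set. The following is an added example, not code from the talk or from Riscure's tooling: a minimal Python stub that frames and validates packets, answers memory reads (`m`) and hardware-breakpoint requests (`Z1`, which is what `hbreak *0x11032` produces), and stops a toy CPU when it reaches the breakpoint. The memory image and the two-byte-instruction CPU in `demo()` are constructed for the example.

```python
import re

# Added example (not the talk's emulator): a minimal GDB Remote Serial
# Protocol stub. Only packet framing, memory reads and hardware breakpoints
# are handled; anything else gets the protocol's empty "unsupported" reply.


def rsp_frame(payload: str) -> str:
    """Wrap a payload as $payload#cc, cc = modulo-256 sum of the payload bytes."""
    checksum = sum(payload.encode("ascii")) & 0xFF
    return f"${payload}#{checksum:02x}"


def rsp_unframe(packet: str) -> str:
    """Validate a $...#cc packet and return its payload."""
    match = re.fullmatch(r"\$([^#]*)#([0-9a-fA-F]{2})", packet)
    if match is None:
        raise ValueError(f"malformed packet: {packet!r}")
    payload, expected = match.group(1), int(match.group(2), 16)
    if (sum(payload.encode("ascii")) & 0xFF) != expected:
        raise ValueError("checksum mismatch")
    return payload


class GdbStub:
    """Answers gdb's packets against an emulator's memory and breakpoint set."""

    def __init__(self, memory: dict):
        self.memory = memory          # address -> byte value (emulated memory)
        self.breakpoints = set()      # addresses installed by Z1 (hbreak) packets

    def handle(self, packet: str) -> str:
        cmd = rsp_unframe(packet)
        if cmd == "?":                                   # why did the target stop?
            return rsp_frame("S05")                      # SIGTRAP
        if cmd.startswith("m"):                          # m ADDR,LEN : read memory
            addr, length = (int(x, 16) for x in cmd[1:].split(","))
            data = bytes(self.memory.get(a, 0) for a in range(addr, addr + length))
            return rsp_frame(data.hex())
        if cmd[:3] in ("Z1,", "z1,"):                    # Z1/z1,ADDR,KIND : hw breakpoint
            addr = int(cmd.split(",")[1], 16)
            if cmd[0] == "Z":
                self.breakpoints.add(addr)
            else:
                self.breakpoints.discard(addr)
            return rsp_frame("OK")
        return rsp_frame("")                             # unsupported command

    def run(self, pc: int, step) -> int:
        """Continue from pc, calling step(pc) -> next pc, until a breakpoint hits."""
        while True:
            pc = step(pc)
            if pc in self.breakpoints:
                return pc


def demo():
    # Constructed memory image (sample bytes) starting at 0x11030.
    memory = {0x11030 + i: b for i, b in enumerate(bytes.fromhex("0a0b0c0d0e0f"))}
    stub = GdbStub(memory)
    ok = stub.handle(rsp_frame("Z1,11032,2"))            # what hbreak *0x11032 sends
    stopped_at = stub.run(0x11030, lambda pc: pc + 2)    # toy CPU: 2-byte instructions
    dump = stub.handle(rsp_frame("m11032,4"))            # x/4xb 0x11032 after the stop
    return ok, stopped_at, dump
```

Wired to a socket, this is enough for `target remote` to connect, install the breakpoint from the slide and dump memory once the emulator reports the stop; single-stepping and watchpoints are the `s` and `Z2` packets handled the same way.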


Execution tracing

16


Execution tracing

0x02920
0x02922 (jump)
0x02926
0x02928
0x0292c
0x02930

17


Execution tracing

19


Execution tracing

20


Hacks!

21


Hacks!

22


State rewinding

Initial state → (100ms boot time) → Running (booted) → Send CAN message → Observe CAN response
(then rewind to the booted state and repeat)

23
Taint tracking

Instructions 1–8 (shown as ?? on the slide) carry taint annotations:
CAN message ← CAN.read()
Data[2] = CAN message
Data[7] = Data[2]
Data[7] == Y?
CAN message

24


Fuzzing

CAN message → Memory
Memory[5] == 0xc7? → Path 1 / Path 2

25
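The state-rewinding, taint-tracking and fuzzing slides all rest on the same emulator hooks. Below is an added example, not the talk's emulator: a toy register machine in Python running a constructed firmware fragment modelled on the Data[7] == Y? flow. It records an execution trace with "(jump)" marks, snapshots the booted state so every fuzz input starts from the same point instead of re-running boot, propagates taint from received CAN bytes through memory to the comparison, and brute-forces one message byte to find the value that takes path 2. The program, its opcodes and the constant 0xC7 are constructed for the example.

```python
import copy

# Added example (not the talk's emulator): a toy register machine with an
# execution trace, snapshot/restore for state rewinding, and taint tracking
# that flags comparisons whose operands derive from the received CAN message.

BOOT_END = 2                  # pc after boot; the state here is snapshotted
PROGRAM = [                   # constructed firmware fragment, modelled on slide 24
    ("ldi", "r0", 0xC7),      # 0  boot: load the expected value Y
    ("store", 9, "r0"),       # 1  Data[9] = Y
    ("recv", "r1", 2),        # 2  r1 = byte 2 of the CAN message (tainted)
    ("store", 2, "r1"),       # 3  Data[2] = CAN message
    ("load", "r2", 2),        # 4
    ("store", 7, "r2"),       # 5  Data[7] = Data[2]
    ("load", "r3", 7),        # 6
    ("load", "r4", 9),        # 7
    ("cmp", "r3", "r4"),      # 8  Data[7] == Y ?   (tainted comparison)
    ("jeq", 12),              # 9  equal -> path 2
    ("ldi", "r5", 0x7F),      # 10 path 1: negative response
    ("jmp", 13),              # 11
    ("ldi", "r5", 0x67),      # 12 path 2: positive response
    ("send", "r5"),           # 13
    ("halt",),                # 14
]
CLEAN = frozenset()           # taint set of a value that never touched input


class TaintEmulator:
    def __init__(self, program):
        self.program = program
        self.pc, self.eq, self.halted = 0, False, False
        self.regs, self.mem = {}, {}              # name/addr -> (value, taint set)
        self.can_in, self.can_out = [], []
        self.trace, self.tainted_compares = [], []

    def snapshot(self):                           # state rewinding: capture
        return copy.deepcopy(self.__dict__)

    def restore(self, snap):                      # state rewinding: go back
        self.__dict__ = copy.deepcopy(snap)

    def step(self):
        op, *args = self.program[self.pc]
        self.trace.append(f"{self.pc:#06x}")      # execution trace, one line per pc
        next_pc = self.pc + 1
        if op == "ldi":
            self.regs[args[0]] = (args[1], CLEAN)
        elif op == "recv":                        # taint = index of the input byte
            self.regs[args[0]] = (self.can_in[args[1]], frozenset({args[1]}))
        elif op == "store":
            self.mem[args[0]] = self.regs[args[1]]
        elif op == "load":
            self.regs[args[0]] = self.mem.get(args[1], (0, CLEAN))
        elif op == "cmp":
            (a, ta), (b, tb) = self.regs[args[0]], self.regs[args[1]]
            self.eq = a == b
            if ta or tb:                          # an input byte reached a compare
                self.tainted_compares.append((self.pc, a, b, ta | tb))
        elif (op == "jeq" and self.eq) or op == "jmp":
            next_pc = args[0]
            self.trace[-1] += " (jump)"
        elif op == "send":
            self.can_out.append(self.regs[args[0]][0])
        elif op == "halt":
            self.halted = True
        self.pc = next_pc

    def run(self, stop_pc=None, max_steps=1000):
        for _ in range(max_steps):
            if self.halted or self.pc == stop_pc:
                return
            self.step()
        raise RuntimeError("step limit hit")


def boot_and_snapshot():
    """Boot once (the slow part) and keep the booted state for rewinding."""
    emu = TaintEmulator(PROGRAM)
    emu.run(stop_pc=BOOT_END)
    return emu, emu.snapshot()


def run_message(emu, snap, message):
    """Rewind to the booted state, feed one CAN message, report what happened."""
    emu.restore(snap)
    emu.can_in = list(message)
    emu.run()
    return emu.can_out, emu.trace, emu.tainted_compares


def describe_compares(compares):
    """Format tainted comparisons like the trace output on the slides."""
    return [f"comparison at {pc:08x} ({a:08x} vs {b:08x}) is tainted by input byte(s) {sorted(t)}"
            for pc, a, b, t in compares]


def fuzz_byte(index=2, template=(0x02, 0x27, 0x00)):
    """Try every value of one message byte; return the values that reach path 2."""
    emu, snap = boot_and_snapshot()
    hits = []
    for value in range(256):
        msg = list(template)
        msg[index] = value
        _, trace, _ = run_message(emu, snap, msg)
        if "0x0009 (jump)" in trace:              # the jeq at pc 9 was taken
            hits.append(value)
    return hits
```

The tainted comparison tells you which input byte the firmware checks and against what, so the fuzzer only has to search that byte; on a real target the same report is what points at the seed/key check without reading the whole disassembly.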


UDS

./cc.py dcm discovery

CARING CARIBOU v0.1
-------------------
Starting diagnostics service discovery
Found diagnostics at arbitration ID 0x????,
reply at 0x????

26


UDS: security access

Seed (challenge) → Random key → Random key == calculateKey(seed)?

We found calculateKey!

27


UDS: security access
sending requestSeed (0x3)
CAN0: RCV [id ####] 02 27 03 aa aa aa aa aa
CAN0: TRQ [id ####] 06 67 03 47 2e 8e 70 aa
sending sendKey
CAN0: RCV [id ####] 06 27 04 41 9b 35 42 aa

comparison at 0002f390 (419b3542 vs 419b3542) is tainted with 000000c0

CAN0: TRQ [id ####] 02 67 04 aa aa aa aa aa

28
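To make the exchange above concrete, here is an added example (not Caring Caribou or the talk's tooling) that decodes such a CAN dump: it strips the ISO-TP single-frame header, classifies SecurityAccess requests (0x27) and replies (0x67) by subfunction, and pairs each seed with the key that followed and the ECU's verdict. The log lines are constructed in the same layout as the slide; the arbitration ids 0x123/0x124 are placeholders for the redacted `####`.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not the talk's tooling): decode a UDS SecurityAccess
# exchange from a CAN log. Constructed sample in the slide's layout; the ids
# 0x123/0x124 stand in for the redacted arbitration ids.
SAMPLE_LOG = """\
CAN0: RCV [id 123] 02 27 03 aa aa aa aa aa
CAN0: TRQ [id 124] 06 67 03 47 2e 8e 70 aa
CAN0: RCV [id 123] 06 27 04 41 9b 35 42 aa
CAN0: TRQ [id 124] 02 67 04 aa aa aa aa aa
"""

LINE_RE = re.compile(r"CAN0: (RCV|TRQ) \[id ([0-9a-fA-F]+)\] ((?:[0-9a-fA-F]{2} ?){8})")

SID_SECURITY_ACCESS = 0x27          # UDS service; positive response SID is 0x27 + 0x40
SID_NEGATIVE_RESPONSE = 0x7F


@dataclass
class UdsEvent:
    direction: str          # RCV = request seen on the bus, TRQ = ECU reply
    can_id: int
    kind: str               # requestSeed / seed / sendKey / keyAccepted / negative / other
    level: Optional[int]    # security level = odd subfunction (even = its key step)
    data: bytes             # seed or key bytes; (SID, NRC) for a negative response


def isotp_single_frame(frame: bytes) -> Optional[bytes]:
    """Return the UDS payload of an ISO-TP single frame, or None if not one."""
    if frame[0] >> 4 != 0:          # high nibble 0 = single frame, low nibble = length
        return None
    return frame[1:1 + (frame[0] & 0x0F)]


def decode_line(line: str) -> Optional[UdsEvent]:
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    direction, can_id = m.group(1), int(m.group(2), 16)
    payload = isotp_single_frame(bytes.fromhex(m.group(3).replace(" ", "")))
    if not payload:
        return None
    sid = payload[0]
    if sid == SID_SECURITY_ACCESS:
        sub = payload[1]
        if sub % 2 == 1:
            return UdsEvent(direction, can_id, "requestSeed", sub, b"")
        return UdsEvent(direction, can_id, "sendKey", sub - 1, payload[2:])
    if sid == SID_SECURITY_ACCESS + 0x40:
        sub = payload[1]
        if sub % 2 == 1:
            return UdsEvent(direction, can_id, "seed", sub, payload[2:])
        return UdsEvent(direction, can_id, "keyAccepted", sub - 1, b"")
    if sid == SID_NEGATIVE_RESPONSE:
        return UdsEvent(direction, can_id, "negative", None, payload[1:3])
    return UdsEvent(direction, can_id, "other", None, b"")


def security_access_sessions(log: str) -> list:
    """Pair each seed with the key that followed it and whether the ECU accepted it."""
    sessions, current = [], None
    for line in log.splitlines():
        ev = decode_line(line)
        if ev is None:
            continue
        if ev.kind == "seed":
            current = {"level": ev.level, "seed": ev.data, "key": None, "accepted": None}
            sessions.append(current)
        elif ev.kind == "sendKey" and current is not None:
            current["key"] = ev.data
        elif ev.kind == "keyAccepted" and current is not None:
            current["accepted"] = True
        elif ev.kind == "negative" and current is not None \
                and ev.data[:1] == bytes([SID_SECURITY_ACCESS]):
            current["accepted"] = False
    return sessions
```

Run over a real bus capture, the same pairing gives the count of SecurityAccess attempts and how many were refused, which is the signal an intrusion-detection rule on the CAN side would alert on; a burst of refused keys for one level is the bus-visible trace of key guessing.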


EEPROM contents
• Identification (VIN)
• Features / configuration
• (UDS) security state
• Odometer

Reverse engineering is hard work!

updateEEPROM(id, value)

29


Takeaways
• Reverse engineering is not so hard!
• Lots of other “tricks” to try:
  • Symbolic execution
  • Deobfuscation (if necessary)
  • Smarter fuzzing
• You can’t hide secrets in firmware:
  • Use asymmetric cryptography (i.e. public keys)
  • Use the secure hardware inside modern processors

30


Thanks to…

Eloi Sanfelix, Santiago Cordoba, Ramiro Pareja

31


Efficient Reverse Engineering of Automotive Firmware

Alyssa Milburn
Security Analyst, Riscure
[email protected] / @noopwafel

Challenge your security (Riscure)
• Training
• Tools
• Services

Icons: icons8.com
32
