DOCSLIB.ORG

Adventures in Automotive Networks and Control Units

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Adventures in Automotive Networks and Control Units TECHNICAL WHITE PAPER Adventures in Automotive Networks and Control Units Chris Valasek, Director of Vehicle Security Research for IOActive [email protected] Charlie Miller, Security Researcher for Twitter [email protected] Executive Summary Previous research has shown that it is possible for an attacker to get remote code execution on the electronic control units (ECU) in automotive vehicles via various interfaces such as the Bluetooth interface and the telematics unit. This paper aims to expand on the ideas of what such an attacker could do to influence the behavior of the vehicle after that type of attack. In particular, we demonstrate how on two different vehicles that in some circumstances we are able to control the steering, braking, acceleration and display. We also propose a mechanism to detect these kinds of attacks. In this paper we release all technical information needed to reproduce and understand the issues involved including source code and a description of necessary hardware Copyright ©2014. All Rights Reserved.- 1 - Contents Executive Summary ............................................................................................................... 1 Introduction ............................................................................................................................ 4 Electronic Control Units .......................................................................................................... 5 Normal CAN Packets ............................................................................................................. 7 Diagnostic Packets................................................................................................................. 8 ISO-TP ................................................................................................................................... 9 ISO 14229, 14230 ................................................................................................................ 10 *ISO 14230 ....................................................................................................................... 11 DiagnosticSessionControl ................................................................................................ 11 SecurityAccess ................................................................................................................. 12 InputOutputControl ........................................................................................................... 12 InputOutputControlByLocalIdentifier ................................................................................. 12 RoutineControl ................................................................................................................. 13 RequestDownload (and Friends) ...................................................................................... 13 The Automobiles .................................................................................................................. 15 Ford Escape ..................................................................................................................... 16 Toyota Prius ..................................................................................................................... 18 Communicating with the CAN bus ....................................................................................... 21 EcomCat .............................................................................................................................. 24 Output ............................................................................................................................... 24 Input ................................................................................................................................. 24 Continuous Send .............................................................................................................. 24 Ecomcat_api ........................................................................................................................ 24 Normal CAN packets ........................................................................................................ 25 Diagnostic Packets ........................................................................................................... 26 PyEcom ............................................................................................................................ 26 Injecting CAN data ............................................................................................................... 26 Problems and Pitfalls ........................................................................................................ 27 Simple Example for the Ford Escape ............................................................................... 30 Simple Example for the Toyota Prius ............................................................................... 31 Attacks via the CAN bus – Normal packets .......................................................................... 32 Speedometer – Ford......................................................................................................... 32 Odometer – Ford .............................................................................................................. 34 On-board Navigation – Ford ............................................................................................. 34 Limited Steering – Ford .................................................................................................... 35 Copyright ©2014. IOActive, Inc. [2] Steering – Ford ................................................................................................................. 36 Speedometer – Toyota ..................................................................................................... 38 Braking – Toyota .............................................................................................................. 38 Acceleration – Toyota ....................................................................................................... 40 Steering – Toyota ............................................................................................................. 42 Attacks via the CAN bus - Diagnostic packets ..................................................................... 46 SecurityAccess – Ford ...................................................................................................... 46 Brakes Engaged – Ford .................................................................................................... 49 No Brakes – Ford ............................................................................................................. 50 Lights Out – Ford .............................................................................................................. 51 Kill Engine – Ford ............................................................................................................. 51 Lights Flashing – Ford ...................................................................................................... 52 Techstream – Toyota Techstream Utility .......................................................................... 52 SecurityAccess – Toyota .................................................................................................. 53 Braking – Toyota .............................................................................................................. 55 Kill Engine – Toyota.......................................................................................................... 56 Lights On/Off – Toyota ..................................................................................................... 57 Horn On/Off – Toyota ....................................................................................................... 58 Seat Belt Motor Engage – Toyota..................................................................................... 58 Doors Lock/Unlock – Toyota ............................................................................................ 58 Fuel Gauge – Toyota ........................................................................................................ 59 Ford Firmware Modification via the CAN bus ....................................................................... 60 Extracting Firmware on PAM ............................................................................................ 60 HC12X Assembly ............................................................................................................. 62 Firmware Highlights .......................................................................................................... 63 Understanding Code “Download” ..................................................................................... 65 Executing Code ................................................................................................................ 68 Toyota Reprogramming via the CAN bus ............................................................................. 72 Calibration Files ................................................................................................................ 73 Toyota Reprogramming – ECM ........................................................................................ 75 Detecting Attacks ................................................................................................................. 83 Conclusions
Load more

Recommended publications
  • 2018 Prius Ebrochure
    2018 Prius Led the revolution. Still a brilliant solution. The 2018 Toyota Prius. Since launching, the Toyota Prius has led by example on a global scale. Prius is everyone’s hybrid — a shining symbol of ingenuity, universality and, most of all, fun. This iconic ride has always stood for something important, and the 2018 Prius is no different. Prius owners everywhere can continue going more places in style and comfort while still thinking environmentally. Enjoy peace of mind with the standard suite of Toyota Safety Sense™ P (TSS-P)29 features, including Lane Departure Alert with Steering Assist (LDA w/SA).32 Stay focused on the road ahead and tuned in to the apps you need with an impressive, available 11.6-in. HD multimedia display, complete with familiar pinch, zoom and tap capabilities. The instantly recognizable aerodynamic design of Prius goes beyond sleek styling to offer you an exhilarating, reliable and efficient drive. It’s got nearly two decades of excellence in its rearview mirror; you can expect to have your expectations exceeded when you go places in a 2018 Toyota Prius. “With its breathtaking style, Prius fits in wherever it goes.” Four Touring shown in Hypersonic Red47 with available Premium Convenience Package. See numbered footnotes in Disclosures section. DESIGNED TO PERFORM The road ahead is full of twists and turns. Let the fun begin. Find more excitement around every corner. Prius is engineered to give you a comfortable and exhilarating ride. Its double-wishbone style multi-link rear suspension helps soak up the bumps and keeps Prius feeling sure-footed.
    [Show full text]
  • RAV4 Hybrid Gasoline-Electric Hybrid Synergy Drive
    RAV4 Hybrid Gasoline-Electric Hybrid Synergy Drive AVA4 2 /AVA4 4 S eries Foreword This guide was developed to educate and assist dismantlers in the safe handling of Toyota RAV4 Hybrid gasoline-electric hybrid vehicles. RAV4 Hybrid dismantling procedures are similar to other non-hybrid Toyota vehicles with the exception of the high voltage electrical system. It is important to recognize and understand the high voltage electrical system features and specifications of the Toyota RAV4 Hybrid, as they may not be familiar to dismantlers. High voltage electricity powers the A/C compressor, electric motors, generator, and inverter/converter. All other conventional automotive electrical devices such as the head lights, radio, and gauges are powered from a separate 12 V auxiliary battery. Numerous safeguards have been designed into the RAV4 Hybrid to help ensure the high voltage, approximately 244.8 V, Nickel Metal Hydride (NiMH) Hybrid Vehicle (HV) battery pack is kept safe and secure in an accident. The NiMH HV battery pack contains sealed batteries that are similar to rechargeable batteries used in some battery operated power tools and other consumer products. The electrolyte is absorbed in the cell plates and will not normally leak out even if the battery is cracked. In the unlikely event the electrolyte does leak, it can be easily neutralized with a dilute boric acid solution or vinegar. High voltage cables, identifiable by orange insulation and connectors, are isolated from the metal chassis of the vehicle. Additional topics contained in the guide include: • Toyota RAV4 Hybrid identification. • Major hybrid component locations and descriptions. By following the information in this guide, dismantlers will be able to handle RAV4 Hybrid hybrid- electric vehicles as safely as the dismantling of a conventional gasoline engine automobile.
    [Show full text]
  • DTC P0341 Camshaft Position (CMP) Sensor Performance
    1998 Chevrolet/Geo Malibu DTC P0341 Camshaft Position (CMP) Sensor Performance Circuit Description During cranking, the Ignition Control Module (ICM) monitors the 7X crankshaft position sensor signal. Once the ICM determines spark synchronization, 3X reference signals are sent to the PCM. The PCM will command all six injectors ON for one priming shot of fuel in all cylinders. After the priming, the injectors are left OFF for the next six fuel control reference signals (two crankshaft revolutions). This allow each cylinder a chance to use the fuel from the priming shot. During this waiting period, a cam pulse will have been received by the PCM. The PCM uses the Cam signal pulses to initiate sequential fuel injection. The PCM constantly monitors the number of pulses on the Cam signal circuit and compares the number of Cam pulses to the number of 24X reference pulses and the number of 3 X reference pulses being received. If the PCM receives an incorrect number of pulses on the Cam reference circuit, DTC P0341 will set and the PCM will initiate injector sequence without the Cam signal with a one in six chance that injector sequence is correct. The engine will continue to start and run normally, although the misfire diagnostic will be affected if a misfiring condition occurs. Conditions for Setting the DTC z The engine is running (3X reference pulses are being received). z CMP sensor reference pulse is not detected every engine cycle. Action Taken When the DTC Sets z The PCM will illuminate the malfunction indicator lamp (MIL) during the second consecuitive trip in which the diagnostic has been run and failed.
    [Show full text]
  • Toyota ID Number
    Safety Research & Strategies, Inc. 340 Anawan Street / Suite 200 Rehoboth, MA 02769 Ph. 508-252-2333, Fax 508-252-3137 www.safetyresearch.net Toyota Unintended Acceleration Incidents Occurring in Calendar Year 2011 Reported to NHTSA The attached document is comprised of Toyota UA incidents that occurred during calendar year 2011 that were reported to the NHTSA vehicle owner’s complaint database. Safety Research & Strategies defines unintended acceleration as any uncommanded torque to the wheels of a vehicle or incidents in which drivers report uncommanded engine RPMs increase while their vehicles transmissions are in the Park position. NHTSA ODI Number: 10383245 Date of Incident: 20110101 Vehicle: 2009 TOYOTA CAMRY Location of Incident: CHESTERFIELD, VA NTHSA Summary: TL*THE CONTACT OWNS A 2009 TOYOTA CAMRY. THE CONTACT STATED THAT SHE WAS EXPERIENCING PROBLEMS WITH HER VEHICLE AFTER NHTSA RECALL CAMPAIGN ID NUMBER: 10V017000, VEHICLE SPEED CONTROL ACCELERATOR PEDAL WAS REPAIRED. THE VEHICLE WOULD ACCELERATE SPORADICALLY, THE BRAKE PEDAL AND THE ENTIRE VEHICLE VIBRATED WHILE AT A STOP SIGN. THE VEHICLE WAS TAKEN TO THE DEALER WHO STATED THAT THE FAILURE WAS NORMAL. THE MANUFACTURER WAS NOT CONTACTED. THE VEHICLE WAS NOT REPAIRED. THE FAILURE AND CURRENT MILEAGE WAS 35,000. NHTSA ODI Number: 10373844 Date of Incident: 20110101 Vehicle: 2007 TOYOTA RAV4 Location of Incident: NORFORK, VA NTHSA Summary: TL* THE CONTACT OWNS A 2007 TOYOTA RAV4. THE CONTACT WAS APPROACHING A TRAFFIC STOP DRIVING 2 MPH WHEN THE VEHICLE ACCELERATED ABNORMALLY. THERE WAS AN UNUSUAL INCREASE IN ENGINE RPMS OF 7000. THE CONTACT ENGAGED THE BRAKE AND PLACED THE VEHICLE IN NEUTRAL.
    [Show full text]
  • PRIUS ZR in PURSUIT RED Changing the World, One Driveway at a Time
    PRIUS ZR IN PURSUIT RED Changing the world, one driveway at a time When it arrived on the world stage almost 20 years ago, the Prius redefined what was possible in an everyday passenger car. It signalled the beginning of a new movement; one that strove to combine performance and practicality with a greater emphasis on both economy and the environment. Today, after more than 8 million sales globally, the Prius remains Toyota’s hallmark hybrid car. Featuring a dynamic, cutting-edge exterior design, an impressive array of standard technology and a high level of comfort and convenience onboard, the Prius is also more fuel efficient and more fun to drive than ever before. Continuing to push the boundaries of development and design, the evolution of the Prius is a true technological adventure worth taking. Come with us and see for yourself. PRIUS ZR 1.8L PETROL / HYBRID ECVT Prius ZR The distinctive stance and technological prowess of the Prius ZR is accentuated by its dynamic, modern exterior looks. Dramatic LED headlights and taillights, high contrast alloy wheels and a smooth, low-slung silhouette create 1 a striking impression. The Prius ZR features a premium interior that combines practical space and versatility with cutting-edge technologies, such as Toyota’s intelligent S-Flow air conditioning system and the Qi wireless charging tray for compatible devices. The stylish wrap-around dashboard, centrally housed instrumentation, colour Head-Up Display information 3 4 system and supportive seats all serve to improve visibility, ease-of-use and driver and passenger comfort. There remains nothing quite like a Prius, where form 5 meets function with a dash of fashion.
    [Show full text]
  • Gasoline-Electric Hybrid Synergy Drive
    Gasoline-Electric Hybrid Synergy Drive AHV40 Series Foreword In March 2006, Toyota released the Toyota CAMRY gasoline-electric hybrid vehicle in North America. Except where noted in this guide, basic vehicle systems and features for the CAMRY hybrid are the same as those on the conventional, non-hybrid, Toyota CAMRY. To educate and assist emergency responders in the safe handling of the CAMRY hybrid technology, Toyota published this CAMRY hybrid Emergency Response Guide. High voltage electricity powers the electric motor, generator, A/C compressor, and inverter/converter. All other automotive electrical devices such as the headlights, power steering, horn, radio, and gauges are powered from a separate 12 Volts battery. Numerous safeguards have been designed into the CAMRY to help ensure the high voltage, approximately 245 Volts, Nickel Metal Hydride (NiMH) Hybrid Vehicle (HV) battery pack is kept safe and secure in an accident. Additional topics contained in the guide include: N Toyota CAMRY identification. N Major hybrid component locations and descriptions. By following the information in this guide, dismantlers will be able to handle the CAMRY hybrid-electric vehicle as safely as the dismantling of a conventional gasoline engine automobile. ¤ 2006 Toyota Motor Corporation All rights reserved. This book may not be reproduced or copied, in whole or in part, without the written permission of Toyota Motor Corporation ii Table of Contents About the CAMRY.........................................................................................................................1
    [Show full text]
  • Oldsmobile Note: These Cams Use .000" Intake and Exhaust Valve Lash
    HYDRAULIC CAMSHAFTS Non Roller 1967-up 260 307 (5.0L) 350 (5.7L) 400 403 425 455 (39° bank angle) Oldsmobile Note: These cams use .000" intake and exhaust valve lash. X-TREME MILEAGE CAMS AVAILABLE! CONTACT CROWER TECHNICIANS FOR MORE INFO. Grind Advertised Duration Gross Lift Description C.I.D. Part Lobe Duration @ .050" 1.6 / 1.6 Rec Group Number Center Intake Exhaust Intake Exhaust Intake Exhaust Kit BAJA BEAST / PERFORMANCE LEVEL 2 - Low to mid-range torque 260 280H for daily drivability. Economical price. 56915 280° 289° 204° 214° .450" .474" 84057 350 112° RPM Power Range: 1500 to 4250 / Redline: 5500 plus. POWER BEAST / PERFORMANCE LEVEL 3 - Delivers impressive mid- 350 289H range and top end power. Healthy sound. Economical price. 56903 289° 300° 214° 224° .474" .498" 84057 425 112° RPM Power Range: 1750 to 4500 / Redline: 5750 plus. ULTRA BEAST / PERFORMANCE LEVEL 4 - Upper mid-range to top 455 304H end power. Emphasis on top end. 56919 304° 316° 234° 244° .520" .542" 84057 cid 112° RPM Power Range: 2000 to 4800 / Redline: 6200 plus. MILEAGE COMPU-PRO / Performance Level 1 - These cams are 400 250HDP designed to enhance throttle response and low-end torque in vans, 56258 250° 258° 192° 196° .429" .445" 84057 403 112° trucks and passenger cars while delivering fuel efficient motoring. High vacuum and smooth idle are characteristic of these profiles. Stock or small cfm carburetor, small diameter tube headers, dual 425 260HDP exhaust, and ignition rework are recommended for maximum 56260 260° 266° 203° 211° .448" .450" 84057 cid 112° benefit.
    [Show full text]
  • Plug-In Hybrid
    RAV4 Prime Plug-In Hybrid 2021 CLICK BELOW TO Contents NAVIGATE SECTIONS. Introduction Exterior Design Interior Styling Technology Performance Safety Specifications & Features XSE SE XSE TECHNOLOGY PACKAGE Accessories Warranty 2021 RAV4 PRIME INTRODUCING THE 2021 RAV4 PRIME The most electrifying RAV4 ever made. Experience the power of plugging in. Meet the first ever RAV4 plug-in-hybrid - our most powerful RAV4 yet, with an advanced plug-in hybrid powertrain that generates 302 net horsepower. Best of all, you can choose to plug it in, gas it up, or both. And with the added benefit of Electronic On-Demand All-Wheel Drive (AWD), this sporty SUV helps to give you the confidence you need to easily devour wide-open stretches of highway, your favourite dirt road, and everything in between. Click to Learn More 2021 RAV4 PRIME EXTERIOR DESIGN Bold meets beautiful. Distinctly bold and intelligently designed. The RAV4 Prime flaunts its bold, athletic attitude with a striking front grille that includes a unique front lower spoiler. Complementing its sporty styling are piano black exterior accents and available features such as vertical LED accent lights, 19-inch alloy wheels, two-tone exterior paint colours, and a panoramic moonroof. 2021 RAV4 PRIME INTERIOR STYLING Get in and go all out. Equipped and optimized for adventure. The RAV4 Prime’s premium interior surrounds you in comfort with heated front and rear seats, an 8-way power adjustable driver’s seat, a heated steering wheel, and ambient lighting to accentuate an already spirited ride. A host of intuitive features that include an 8-inch touch-screen display, available Qi wireless charging, a Bird’s-Eye-View Camera, and a Head-Up display help you to stay connected and focused on the road ahead.
    [Show full text]
  • Plug-In Hybrid Gasoline-Electric Hybrid Synergy Drive
    Plug-in Hybrid Gasoline-Electric Hybrid Synergy Drive ZVW35 Series Foreword This guide was developed to educate and assist dismantlers in the safe handling of Toyota Prius Plug-in gasoline-electric hybrid vehicles. Prius Plug-in hybrid dismantling procedures are similar to other non-hybrid Toyota vehicles with the exception of the high voltage electrical system. It is important to recognize and understand the high voltage electrical system features and specifications of the Toyota Prius Plug-in hybrid, as they may not be familiar to dismantlers. High voltage electricity powers the A/C compressor, electric motor, generator, and inverter/converter. All other conventional automotive electrical devices such as the headlights, radio, and gauges are powered from a separate 12 Volt auxiliary battery. Numerous safeguards have been designed into the Prius Plug-in hybrid to help ensure the high voltage, approximately 346*1 or 207.2*2 Volt, Lithium-ion (Li-ion) Hybrid Vehicle (HV) battery pack is kept safe and secure in an accident. The Li-ion HV battery pack contains sealed batteries that are similar to rechargeable batteries used in some battery operated power tools and other consumer products. The electrolyte is absorbed in the cell plates and will not normally leak out even if the battery is cracked. In the unlikely event the electrolyte does leak, it can be easily neutralized with a dilute boric acid solution or vinegar. High voltage cables, identifiable by orange insulation and connectors, are isolated from the metal chassis of the vehicle. *1: 2010 Model *2: 2012 Model Additional topics contained in the guide include: • Toyota Prius Plug-in hybrid identification.
    [Show full text]
  • 86124705404638720060E390fa
    Toll free 1-800-639-8696 or online at www.camelbacktoyota.com THE NAME THAT YOU HAVE TRUSTED FOR OVER 21 YEARS LOW FINANCE RATES or HUGE DISCOUNTS could mean more money in your pocket New 2009 TOYOTA New 2009 TOYOTA All remaining in-stock units Grade Regular Cab CAMRY 9 available to choose from TUNDRA 2WD V6 automatic Labor Day Weekend Price: Labor Day Weekend Price: $ Off $ Off MSRP 3,500 of the MSRP 4,5007 at this price Example model #2532 Camry LE 4-cyl. auto. / stock #97450 Example model #8202 Tundra Reg. Cab / stock #97219 MSRP $22,569 less $1,500 TMS Mfg. Rebate and $2,000 MSRP $23,971 less $2,500 TMS Mfg. Rebate and $2,000 CBToyota Discount, sale price $19,069. CBToyota Discount, sale price $19,471. Or 0.0% APR for 60 Months (2) Or 0.0% APR for 60 Months (2) New 2010 TOYOTA New 2010 TOYOTA New 2009 TOYOTA CAMRY LE COROLLA LE Model #2532 4-cylinder automatic Model #1838 4-cylinder automatic TACOMA Lease for only: Lease for only: Labor Day Weekend Price: Per Month (1) Per Month (1) Off $ 36 Months $ 36 Months $3,500 MSRP 299 259 ON ALL REMAINING IN-STOCK With $0 Total Due at Start With $0 Total Due at Start '09 TACOMA DOUBLE CABS Or qualified buyers could choose: Or qualified buyers could choose: Example: 2009 PreRunner Double Cab 4x2 V6 auto. model #7188 / Stock #95553 % APR financing (2) % APR financing (3) MSRP $28,809 less $1,000 TMS Mfg. 0.0 60 Months 2.9 60 Months Rebate and $2,500 CBToyota Discount, 86 AVAILABLE at THIS PRICE 53 AVAILABLE at THIS PRICE sale price $25,309.
    [Show full text]
  • Table of Contents Table of Contents
    Table of Contents Table of Contents.......................................................................... 1 Terms and Conditions .................................................................. 5 Direct Sales and Value Added Dealers........................................................................... 5 Warranty ......................................................................................................................... 5 Repairs and Returns ........................................................................................................ 5 Pricing Policies ............................................................................................................... 5 Legal Disclaimer............................................................................................................. 6 Forward ......................................................................................... 7 3 A. Installing the TEC System .................................................... 9 A.1. How it All Works: The Two Pages You Need to Read ......................................... 9 A.2. Pre-Installation Checklist..................................................................................... 11 A.3. Mounting the Main Computer and DFU.............................................................. 12 A.4. Trigger Wheel and Sensor Installation................................................................. 14 A.4.a. Crankshaft Trigger Installation for 60(-2) Tooth Wheel............................... 14 A.4.b. Magnetic
    [Show full text]
  • Prius V 2014
    Prius v 2014 Information Provided by: It’s the big one in the family, the one with the most space for people and things. 34.3 cu. ft. of cargo room1 means Prius v has more cargo space than most small SUVs,2 so it makes having a family, a hobby, or going on a mountain-biking weekend escape super easy. It’s everything you love about Prius plus the space to do even more. It encourages you to get out there and explore, but can also help you stay connected with the latest technology. And it’s big on efficiency, too, so you can focus more on filling it up with all your family’s gear, and less on filling up with fuel. The 2014 Toyota Prius v has the space for lots of fun and family adventure. Let’s go places. 1. Cargo and load capacity limited by weight and distribution. 2. Based on manufacturers’ data for cargo volume behind second-row seats; MY 2013 Small SUV segment. Information Provided by: Prius v Five shown in Clear Sky Metallic with available Advanced Technology Package. 2013 model shown. Information Provided by: Feel good inside. Driving a vehicle with the proven eco-sensitive technology of Hybrid Synergy Drive® may well give you a great deal of inner satisfaction. But being a good role model for your kids is only one of the benefits of driving Prius v. With its rich reclining seats, available Panoramic View Moonroof and many amenities, Prius v has a way of putting much more than just your conscience at ease.
    [Show full text]