How They Did It: an Analysis of Emission Defeat Devices in Modern Automobiles

Home , Defeat device, Diesel emissions scandal

How They Did It: An Analysis of Emission Defeat Devices in Modern Automobiles

Moritz Contag∗, Guo Li†, Andre Pawlowski∗, Felix Domke‡, Kirill Levchenko†, Thorsten Holz∗, and Stefan Savage†

∗ Ruhr-Universitat¨ Bochum, Germany, {moritz.contag, andre.pawlowski, thorsten.holz}@rub.de † University of California, San Diego, {gul027, klevchen, savage}@cs.ucsd.edu ‡ [email protected]

Abstract—Modern vehicles are required to comply with a determined that the vehicle was not under test, it would disable range of environmental regulations limiting the level of emissions certain emission control measures, in some cases leading the for various greenhouse gases, toxins and particulate matter. To vehicle to emit up to 40 times the allowed nitrogen oxides [15]. ensure compliance, regulators test vehicles in controlled settings and empirically measure their emissions at the tailpipe. However, Defeat devices like Volkswagen’s are possible because of the black box nature of this testing and the standardization how regulatory agencies test vehicles for compliance before of its forms have created an opportunity for evasion. Using they can be offered for sale. In most jurisdictions, including modern electronic engine controllers, manufacturers can pro- the US and Europe, emissions tests are performed on a chassis grammatically infer when a car is undergoing an emission test dynamometer, a fixture that holds the vehicle in place while and alter the behavior of the vehicle to comply with emission standards, while exceeding them during normal driving in favor allowing its tires to rotate freely. During the test, a vehicle of improved performance. While the use of such a defeat device is made to follow a precisely defined speed profile (i.e., by Volkswagen has brought the issue of emissions cheating to the vehicle speed as a function of time) that attempts to imitate public’s attention, there have been few details about the precise real driving conditions. The conditions of the test, including nature of the defeat device, how it came to be, and its effect on the speed profile, are both standardized and public, ensuring vehicle behavior. In this paper, we present our analysis of two families of that the testing can be performed in a transparent and fair software defeat devices for diesel engines: one used by the way by an independent party. However, knowing the precise Volkswagen Group to pass emissions tests in the US and Europe, conditions of the test also makes it possible for manufacturers and a second that we have found in Fiat Chrysler Automobiles. To to intentionally alter the behavior of their vehicles during the carry out this analysis, we developed new static analysis firmware test cycle, a practice colloquially called “cycle beating.” forensics techniques necessary to automatically identify known defeat devices and confirm their function. We tested about 900 While Volkswagen’s cheating was breathtaking in scope firmware images and were able to detect a potential defeat device (a dozen vehicle models spanning at least six years), it has in more than 400 firmware images spanning eight years. We also highlighted the difficulty of monitoring manufacturers’ describe the precise conditions used by the firmware to detect a emission compliance. Meeting modern emissions standards test cycle and how it affects engine behavior. This work frames is one of the main challenges faced by car manufactur- the technical challenges faced by regulators going forward and highlights the important research agenda in providing focused ers as emission standards become more stringent. In many software assurance in the presence of adversarial manufacturers. cases, technological limitations put compliance in conflict with consumer demands for performance, efficiency, or cost— creating a powerful incentive for car makers to evade the I.INTRODUCTION regulatory burden. At the same time, automobiles have grown On September 18, 2015, the US Environmental Protection in complexity: the modern automobile is a complex cyber- Agency (EPA) issued a notice of violation to the Volkswagen physical system made up of many electronic components, Group, accusing one of the world’s largest automakers of making it as much a software system as a mechanical one. circumventing the EPA’s emissions tests [18], setting into A premium-class automobile, for example, can contain more motion the most expensive emissions scandal in history. than 70 electronic control units and 100 million lines of At the heart of the scandal is Volkswagen’s use of a defeat code [4]. As a part of this trend, nearly all aspects of engine device, defined by the EPA as any device that “reduces the operation are controlled by an Engine Control Unit (ECU), effectiveness of the emission control system under conditions an embedded system creating a closed control loop between which may reasonably be expected to be encountered in engine sensors and actuators. This allows manufacturers to normal vehicle operation and use,” with exceptions for starting precisely control all aspects of engine operation and thus drive the engine, emergency vehicles, and to prevent accidents [19]. significant improvements in performance, reliability, and fuel The defeat device in Volkswagen vehicles used environ- economy. The ECU is also responsible for ensuring that the mental parameters, including time and distance traveled, to vehicle complies with the emissions requirements imposed by detect a standard emissions test cycle: if the engine control unit governmental regulatory bodies. Indeed, while some emission control measures, like the catalytic converter or particulate techniques to track the evolution of the defeat device across filters, are passive, many others require active control by hundreds of versions of vehicle firmware. More precisely, the ECU, which must sometimes sacrifice performance or we developed a static analysis system, called CURVEDIFF, efficiency for compliance. These tradeoffs are particularly to automatically discover the Volkswagen defeat device in a challenging for diesel engines, which in their simplest form are given firmware image and extract the parameters determining noisier and emit more particulates and nitrogen oxides (NOx) its operation. Overall, we analyzed 926 firmware images and than gasoline engines [3]. successfully identified 406 potential defeat devices inside these Electronic engine control has also made it easier to cir- images. Further, we automatically verified the effects on one cumvent emissions testing by implementing a defeat device particular subsystem. in software. The black box nature of emissions testing makes In summary, our contributions are as follows: it nearly impossible to discover such a software-based defeat O We provide a detailed technical analysis of defeat devices device during a test, forcing regulators to rely on heavy fines present in vehicles marketed by two independent automo- to discourage cheating. Unfortunately, as the Volkswagen case bile manufactures, Volkswagen Group and Fiat Chrysler illustrates, it can take many years to discover such a defeat Automobiles, whose effect is to circumvent emission tests device. Given the ultimate limitations of testing, we are led in the US and Europe. to consider whether we can detect defeat devices using soft- O We design and implement a static binary analysis tool ware verification techniques. Unfortunately, verifying complex called CURVEDIFF for identifying such defeat devices in software systems is a difficult problem in its own right, more a given firmware image, which enables us to track the so for a cyber-physical system like a modern automobile. In evolution and behavior of circumvention code across a our case, the setting is also adversarial—rather than trying large number of firmware images. to find bugs, we are looking for intentional attempts to alter a system’s behavior under test conditions. This paper aims O We use our tool to study the evolution of the defeat devices to be a first step in cyber-physical system verification in an and its effect on engine behavior across eight years and adversarial setting with two case studies of automobile defeat over a dozen vehicle models. devices and binary analysis techniques to identify verification- However, more than these detailed technical contributions, critical code elements across multiple software revisions. we believe the broader impact of our work is to articulate the We begin with two case studies of software defeat de- challenge of certifying regulatory compliance in the cyber- vices found in light diesel vehicles. The first set belongs physical environment. Today’s black box testing is costly and to automobiles produced by the Volkswagen Group, which time consuming and, as these cases show, can be easily cir- has publicly admitted to their use. The Volkswagen defeat cumvented by defeat device software that “tests for the tester.” device is arguably the most complex in automotive history. The gap between black box testing and modern software Unfortunately, there are few technical details available to the assurance approaches drives a critical research agenda going public about its operation, its effect on engine behavior, and forward that will only become more important as regulators are how its design evolved over time; our paper closes this gap and asked to oversee and evaluate increasingly complex vehicular we believe helps highlight the key challenges for regulators systems (e. g., autonomous driving). We believe that concrete going forward. Unfortunately, Volkswagen is not alone in examples, such as those we describe in this paper, are key to evading emissions testing. Fiat Chrysler Automobiles (FCA) is ground this discussion and make clear the realistic difficulties currently being investigated in Europe because recent road test faced by regulators. data showed significantly higher emissions than in regulatory The remainder of this paper is organized as follows. Sec- compliance tests [17]. In this paper, we identify and describe tion II provides the necessary technical background for the rest a timer-based defeat device used in the Fiat 500X automobile. of the paper, followed by a discussion of the available data sets We believe we are the first to publicly identify this defeat in Section III, and a detailed description of the defeat devices device. we found in Section IV. We explain how we implement this Both the Volkswagen and Fiat vehicles use the EDC17 detection at scale in Section V followed by a summary of diesel ECU manufactured by Bosch. Using a combination the results we find using this tool. Finally, we discuss the of manual reverse engineering of binary firmware images implications of our finding in Section VII and then conclude and insights obtained from manufacturer technical documen- with Section VIII. tation traded in the performance tuner community (i. e., car enthusiasts who modify their software systems to improve II.TECHNICAL BACKGROUND performance), we identify the defeat devices used, how they In the following, we provide a brief overview of the inferred when the vehicle was under test, and how that technical concepts needed to understand the rest of this paper. inference was used to change engine behavior. Notably, we find strong evidence that both defeat devices were created A. Diesel Engines by Bosch and then enabled by Volkswagen and Fiat for their The distinguishing difference between a gasoline and diesel respective vehicles. engine is the manner in which combustion is initiated. In To conduct a larger study, we used static code analysis a gasoline engine, a mixture of air and fuel is drawn into

2 the combustion cylinder and ignited by a spark. In a diesel engine, air is drawn into the combustion cylinder and, at a critical point in the compression cycle, fuel is injected into the cylinder, igniting in the compressed air. Thus, in a gasoline engine, fuel and air are mixed before being drawn into the cylinder and ignited, whereas in a diesel engine, fuel and air are mixed at the time of ignition, resulting in an imperfect and inhomogeneous mixture. This is responsible for many of the diesel engine’s distinctive characteristics, including the black smoke and heavy knocking sound known as “diesel knock.” The black smoke, made up of particulate matter, also called soot, results from the incomplete combustion of the fuel and is subject to strict limits in light-duty diesel vehicles. The second major pollutant in diesel exhaust are nitrogen oxides (NO and NO2, abbreviated NOx). Current emission standards impose tight limits on the amount of particulate matter and Fig. 1: FTP-75 (Federal Test Procedure) driving cycle depicting the speed NOx emitted and require special steps to limit their levels. The over time. Image taken from EPA [20]. vehicles that are the subject of this work rely on the following emission control devices to achieve regulatory conformance. EGR. Exhaust Gas Recirculation (EGR) is an emission control regenerate on its own. Unfortunately, these conditions may not scheme where exhaust gas is recirculated back into the engine arise in normal urban driving, requiring the ECU to perform intake. EGR significantly reduces the amount of NOx in the active regeneration. In this mode, the ECU adjusts engine exhaust [12], [16]. Unfortunately, EGR also increases the operation to increase exhaust temperature to regenerate the amount of particulate matter in the exhaust, leading to a trade- DPF; however, if the vehicle is only driven for short distances, off between NOx and particulate matter. such a temperature may never be reached. At sufficiently high NSC. A NOx Storage Catalyst (NSC), also called a Lean soot load, the vehicle will illuminate a special warning lamp, NOx Trap (LNT), works by oxidizing NO to NO2 and then prompting the driver to drive the vehicle at increased speed storing NO2 in the catalyst itself. The storage capacity of to allow active regeneration to take place. If this does not the catalyst is limited, lasting from 30 to 300 seconds, after happen, the DPF will require service [21]. Thus, while the which it must be regenerated. To regenerate the catalyst, the DPF is highly effective at reducing particulate emissions, it engine switches to a rich fuel-air mixture for 2 to 10 seconds. imposes a performance penalty and can become a hassle for During regeneration, the engine is less efficient, decreasing the owner who drives the vehicle for short distances. Moreover, fuel economy [16]. A rich fuel-air mixture also increases according to the New York Attorney General’s complaint [15], particulate matter production, again trading off NOx emissions at normal load Volkswagen’s DPF could only last 50,000 for particulate emissions. miles before needing replacement, far short of the 120,000 SCR. Selective Catalyst Reduction (SCR) is an alternative mile standard Volkswagen was required to meet, compelling to NSC for reducing NOx emissions that works by injecting Volkswagen to reduce wear on the DPF. urea into the exhaust stream. SCR is more effective than NSC (described above) and is usually used in 3-liter diesel engines B. Emission Test Cycles and Emission Standards and larger. The drawback of SCR is its increased complexity An emission test cycle defines a protocol that enables and the need to carry and replenish the urea fluid (als known repeatable and comparable measurements of exhaust emissions by its trademark name AdBlue). Several Volkswagen vehicles to evaluate emission compliance. The protocol specifies all implicated in the emission cheating scandal are reported to conditions under which the engine is tested, including lab limit urea injection levels outside of a test cycle. Except for temperature and vehicle conditions. Most importantly, the test results reported in Table II, this paper does not cover defeat cycle defines the speed and load over time that is used to devices that manipulate SCR. simulate a typical driving scenario. An example of a driving DPF. A Diesel Particulate Filter (DPF) traps particulates cycle is shown in Figure 1. This graph represents the FTP-75 (soot), greatly reducing the amount of black smoke leaving (Federal Test Procedure) cycle that has been created by the the tailpipe. While the DPF is highly effective at trapping EPA and is used for emission certification and fuel economy particulates, as the amount of particulates accumulates, the testing of light-duty vehicles in the US [7]. The cycle simulates resistance to air flow increases also, increasing the load on an urban route with frequent stops, combined with both a cold the engine. To purge the DPF of accumulated deposits, it and a hot start transient phase. The cycle lasts 1,877 seconds must undergo a regeneration cycle approximately every 500 (about 31 min) and covers a distance of 11.04 miles (17.77 km, lasting 10 to 15 minutes. DPF regeneration requires high km) at an average speed of 21.2 mph (34.12 km/h). exhaust temperatures that are usually only achieved at full Table IV in the Appendix lists the main test cycles used load. If the vehicle is operated at full load, the DPF will for exhaust emission tests of light-duty vehicles in different

3 regions of the world. Besides urban test cycles such as FTP- status information about the ECU is sent via an interface such 75, there are also cycles that simulate driving patterns under as the On-Board-Diagnostics (OBD-II) system and the ECU different conditions. can also communicate with other control units via the CAN To assess conformance, several of these tests are carried out bus. on a chassis dynamometer, a fixture that holds a car in place while allowing its drive wheel to turn with varying resistance. D. Business Relationships Emissions are measured during the test and compared to an The EDC17 ECU is manufactured by Bosch and bought by emission standard that defines the maximum pollutant levels automakers, including Volkswagen and Fiat, to control their that can be released during such a test. In the US, emissions diesel engines. The exact details of the business relationship standards are managed on a national level by the EPA. In between Bosch and its customers is not public; however, media addition, California has its own emissions standards defined reports, court filings [15], and the documentation we have and enforced by the California Air Resources Board (CARB). obtained indicates the following basic structure: Bosch builds California standards are also used by a number of other states, the ECU hardware and develops the software running on the together with California covering a significant fraction of the ECU. Manufacturers then specialize an ECU for each vehicle US market, making them a de facto second national standard. model by calibrating characteristic firmware constants whose In Europe, the emission standards are called Euro 1 through semantics are explained in the ECU documentation. We have Euro 6, where Euro 6 is the most recent standard in effect found no evidence that automobile manufacturers write any of since September 2014. the code running on the ECU. All code we analyzed in this work was documented in documents copyrighted by Bosch C. Electronic Engine Control and identified automakers as the intended customers. In a typical modern car, there are 70-100 electronic control units [4], [8] that are responsible for tasks such as the human- E. Related Work machine interface as part of the infotainment system, a speed Unfortunately, there is little technical documentation about control unit, a telematic control unit, or brake control modules. defeat devices that is publicly available. Domke and Lange Among these is the Engine Control Unit (ECU), which is were the first to present several technical insights into the responsible for the operation of the engine. The subject of defeat device used in a Volkswagen Sharan [9], [10]. We lever- this work is the Bosch EDC17 ECU used in many diesel age these analysis results and adopted a similar methodology light passenger vehicles, and in all of the vehicles implicated to identify defeat devices. The New York Attorney General’s in the Volkswagen diesel emissions scandal. At its core, the compaint against Volkswagen AG [15] contains several general ECU implements a closed control loop by periodically reading insights into defeat devices, but does not provide any technical sensor values, evaluating a control function, and controlling details. Fiat Chrysler Automobiles (FCA) is currently being actuators based on the control signal. investigated in Europe [17] and to the best of our knowledge, Sensors. To control engine behavior, the ECU relies on a we are the first to document how this defeat device is imple- multitude of sensors readings, including crankshaft position; mented. air pressure and temperature at several points in the intake; intake air mass; fuel, oil, and coolant temperature; vehicle III.DATASET speed; exhaust oxygen content (lambda probe); as well as In this paper, we focus on the EDC17 ECU manufactured by driver inputs such as the accelerator pedal position, brake pedal Bosch. This diesel engine ECU was used in the cars implicated position, cruise control setting, and selected gear. in the Volkswagen emission scandal as well as the Fiat 500X. Control functions. Based on the sensor inputs, the ECU We rely on three data sources for our analysis of ECUs and implements different functions to control and influence the affected vehicles which we describe below. combustion process by interpreting the input data. In a diesel engine, one of the most important control values is the fuel A. Function Sheets injection timing that defines when and for how long the fuel Function sheets (called Funktionsrahmen in German) doc- injectors remain open in the engine cycle. As noted earlier, ument the functional behavior of a particular release of the injection timing affects engine power, fuel consumption, and ECU firmware. The function sheets describe each software the composition of the exhaust gas. The ECU also determines functional unit of the ECU using a formal block diagram lan- how much of the exhaust gas should be recirculated and how guage that precisely specifies its input/output behavior, along much urea should be injected into the exhaust to catalyze with some additional explanatory text. The block diagram and nitrogen oxides. text documentation also names the variables and calibration Actuators. The ECU uses the computer control signals to constants used by the functional unit. Car makers tune the directly control several actuators, most notably the fuel injector behavior of the ECU by changing these calibration constants. valves and air system valves, including the EGR valve. In the Bosch function sheets, scalar calibration constants are Communication. The ECU also communicates with other sys- identified by the C suffix, one-dimensional array constants tems inside the car, for example to display the current engine by the CA suffix, and higher-dimensional arrays by the MAP speed RPM signal or light up diagnosis lamps. Furthermore, suffix. Further, curve definitions use the suffix CUR.

4 Function sheets are generally not available to the public, C. Firmware images however, many make their way into the automobile perfor- We also obtained firmware images from various sources. mance tuning community. All of the function sheets used in Similar to .a2l files, firmware images are also circulated this work have been obtained from such tuner sites. All figures in the car tuning community. We obtained several images throughout the paper are derived from these function sheets from the tuner community. We also obtained images from the that are already publicly available. erWin portal (“electronic repair and workshop information”), Authenticity. Since we did not obtain the function sheets a platform operated by Volkswagen that provides access to directly from the ECU manufacturer (Bosch), we cannot official firmware images for car repair shops. The portal be absolutely certain of their authenticity. Nevertheless, all provides archives containing firmware updates up to a certain function sheets used in this work bear a “Robert Bosch GmbH” date. Every image is named after its software part number and copyright and show no evidence of alteration by a third party. revision, allowing us to uniquely identify it. The timestamp is Indeed, we have not encountered any function sheets that roughly equivalent to the release date of the firmware. show any signs of content tampering in the wild. We have Unfortunately, the images contain no additional metadata also explicitly verified that key functional elements, like the such as the actual model in which the firmware is deployed. Volkswagen “acoustic condition” described in Section IV-A, We used online portals offered by aftermarket automobile part match the code in the firmware. vendors to determine which vehicles a firmware image was used on. B. A2L and OLS Files Authenticity. Firmware data for VW, Audi, Seat and Skoda is obtained from the erWin portal, operated by Volkswa- The automotive industry uses the ASAM MCD-2 MC [1] gen. The newest image is dated October 11, 2016. We also file format, commonly called A2L, to communicate elements obtained Volkswagen group images dated 2009–2010 from of a firmware image that a car manufacturer must modify in various online sources. We only included images for which the calibration process. Generally speaking, an .a2l file is Freigabeschein (street release certification) documents allowed comparable to a .map or .pdb file used by developers on the us to obtain information about both release date and car model. Linux or Windows platform, respectively. While all of these We obtained the Fiat 500X OLS file from a tuning site. It file types map debugging symbols to concrete addresses, .a2l was sold to us as an original (unmodified) image. Our main files can also give contextual information beyond mere symbol findings based on this OLS file align with the test results of names. The format is developed to “support . . . automotive- the German KBA [22]. specific processes and working methods” [1]. Consequently, additional metadata used to describe an address (i. e., an ECU IV. DEFEAT DEVICES variable) may include axis descriptions for lookup tables, A defeat device is a mechanism that causes a vehicle to information about the byte order, or unit conversion formulas. behave differently during an emission test than on the road.1 An example is given in Listing 1 in the Appendix. Conceptually, a defeat device has two components: Given that .a2l files contain lots of details and insights ◦ Monitor. Determine if observed conditions rule out an into a given ECU, they are typically only available for people emission test, and working on engine development, calibration, and maintenance. ◦ Modify. Alter vehicle behavior when not under test. However, car tuning enthusiasts also regularly get hold of these files and trade them at online forums. In order to understand Defeat devices rely on any number of external or internal the inner workings of certain ECU firmware images in more variables to detect that a test is taking place. From 1991 detail, we obtained access to such files. When we were not to 1995, for example, General Motors used the fact that air able to obtain a .a2l file for a given firmware image, we conditioning was turned on in its Cadillac automobiles to rule focused on binary code only and leveraged insights gained out a test cycle—at the time, emission testing was done with from similar ECUs to bootstrap our analysis. air conditioning turned off—making the air-fuel mixture richer In some cases, we relied on OLS files, an application format to address an engine stalling problem, but also exceeding CO used by the WinOLS software used to change configuration emission limits [14]. General Motors was fined $11 million values in firmware. The OLS format contains both a firmware and forced to recall all affected vehicles. image and elements of the A2L file annotating calibration As the Cadillac example suggests, the monitoring element constants. of a defeat device does not need to be perfect, so long as Authenticity. As with function sheets, we did not obtain A2L 1More precisely, the US Code of Federal Regulations defines a defeat device files used in this work from Bosch or the car maker, and as “an auxiliary emission control device (AECD) that reduces the effectiveness so cannot guarantee their authenticity with absolute certainty. of the emission control system under conditions which may reasonably be expected to be encountered in normal vehicle operation and use, unless: Each A2L file is paired with a specific firmware image; (1) Such conditions are substantially included in the Federal emission test we confirmed their match before using the A2L to extract procedure; (2) The need for the AECD is justified in terms of protecting the values from the image. We used A2L to identify variables and vehicle against damage or accident; (3) The AECD does not go beyond the requirements of engine starting; or (4) The AECD applies only for emergency constants in code extracted from the firmware. Examining the vehicles . . . ” (40 CFR § 86.1803-01). European regulations follow a very context in which a value thus served as a kind of sanity check. similar definition.

5 Min Max Unit Signal Description and temperature match the aforementioned boundaries, the −50 140 °C InjCrv tClntEngNs mp Coolant temperature function proceeds with the actual cycle checking. Otherwise, −50 140 °C FuelT t Fuel temperature the engine stays in the same mode. The effect of this is that −50 140 °C Oil tSwmp Oil temperature 795 — hPa EnvP p Atmospheric pressure the acoustic condition can only be set if coolant temperature, true StSys stStrt Engine starting fuel temperature, oil temperature, and atmospheric pressure are within the prescribed limits when the car starts . If any of TABLE I: Initial conditions activating the acoustic condition in the EDC17C54 firmware. parameters taken from firmware part number 03L906012F. If all the four parameters is outside the required range, an ongoing conditions hold, the set signal to the outer (topmost) flip-flop in Figure 2 is emissions test is ruled out and the acoustic condition is never asserted. activated. However, we note that these conditions are easily satisfied in both testing and real-world scenarios. If the acoustic condition is set at startup, it may be canceled its error is one-sided. Like the Cadillac device, the defeat by meeting several conditions that rule out a test. We call devices we found assume that the vehicle is under test unless these the deactivating conditions. If any of these conditions some internal or external variable allows it to rule out an are met, the inner flip-flop is set . The output of the inner ongoing test. Then, when the monitoring element signals that flip-flop asserts the reset signal of the outer flip-flop, setting the observed variables are not consistent with any known test the acoustic condition variable stNsCharCor to zero. There cycle, the vehicle can switch to an operating regime favored by are four deactivating conditions any one of which, if true, the manufacturer for real driving rather than the clean regime sets the inner flip-flop that in turn sets stNsCharCor to zero, necessary to pass the emission test. indicating the vehicle is in normal driving mode. In the remainder of this section, we describe the defeat Deactivating conditions. There are four deactivating con- devices used by Volkswagen and Fiat to circumvent emission ditions . The first deactivates the acoustic condition if testing and their effect on vehicle behavior. Our description is the engine has started and a configurable time period based on function sheets for the ECU, reverse engineering of InjCrv tiNsAppVal C has elapsed since the accelera- the firmware, and publicly available information, notably the tor pedal position first exceeded a configurable threshold Complaint filed by the State of New York against Volkswagen InjCrv rNsAppVal C. The second deactivates the acoustic and its US subsidiaries [15]. condition if the engine revolution counter exceeds a configurable threshold InjCrv ctNsStrtExtd C. The third de- A. The Volkswagen Device: Test Detection activation condition, if the acoustic condition is inhibited, is The Volkswagen defeat device is a continually evolving never triggered. family of devices. All instances are organized around a single Until about May 2007, there were only three deactiva- condition monitoring block that determines if the vehicle tion conditions, as described above. Of the firmware im- is undergoing testing and points throughout emission-related ages available to us, the fourth condition first appears in a ECU modules where the result of this determination can affect firmware image dated May 2007 for EDC17CP04 P 617. It the behavior of the module. The monitoring element of the starts by computing a time and distance measurement. The Volkswagen defeat device is encapsulated in a function block time measurement, call it t, is computed by measuring the that computes the status of the kundenspezifische Akustikbe- time since the vehicle first exceeded a configurable velocity dingung, which translates to “customer-specific acoustic con- InjCrv vThres C. The distance measurement is the dis- dition.” (Here, customer refers to the automaker, namely, tance in the current driving cycle, call it d. Volkswagen.) The outcome of the computation is represented Test cycle curves. The acoustic condition logic computes a by the signal/variable InjCrv stNsCharCor (stNsCharCor pair of points dlower and dupper using two linearly interpolated for short). This signal is then used at many points in the curves. These curves, which define a function of t using a ECU to alter the behavior of the engine. Figure 2 shows the small number of points, are configurable by the manufacturer. logic block responsible for computing the acoustic condition. In this case, there are seven pairs of curves, giving seven pairs (The Figure is taken from the function reference sheet created of values dlower and dupper computed for the current value t. by Bosch.) The value stNsCharCor = 0 means that the If d is ever less than dlower or greater than dupper, the flip- ECU considers itself to be in normal driving mode, while flop corresponding to the pair of curves is set and remains set stNsCharCor = 1 indicates testing (emmissions-compliant) indefinitely . mode. The output of this flip-flop indicates that the vehicle has Activating conditions. The state of the acoustic condition is strayed outside the prescribed time-distance profile defined by stored in the top flip-flop in the figure . The set signal to the the pair of curves. Hence, the curves describe an upper and flip-flop is true if all of a set of five conditions are true. These lower bound on the covered distance. The flip-flop allows the conditions are shown in Table I. Note that the last condition, logic to remember this, and at any given time, the state of engine starting, is only true when the engine is starting and is the flip-flops indicate whether the vehicle has so far stayed false during normal operations. If the engine runs in normal within the prescribed time-distance profile defined by the pair mode (i. e., has not recently been started), has exceeded a of curves. If all seven flip-flops are set, then the vehicle has velocity of, e. g., 9.5 km/h at some point, and pressure strayed outside the profile of each of the curves at least once

6 InjCrv_CoPiIRlsOpRng 2.5.0;3 3102/8771

Abbildung 1997 Freigabestruktur der Akustikbedingung [injcrv_copiirlsoprng_3]InjCr v _ t Ns Clnt Thr esMin_ C I njCr v _ t Ns Clnt Thr esMax_CCEng Ds T _ t I njCr v _ t Ns F lThr esMin_ C I njCr v _ t Ns FThr l esMax_CFuelT_ t I njCr v _ t Ns OilThr esMin_ C I njCr v _ t Ns OilThr esMax_COil_tSwmpInjCrv_pNsEnvThres_CEnvP_pStSys_stStrtAPP_ r I njCr v _ r Ns AppV a_CInj l Cr v _ t iNs AppVa l_C EpmCr s _ c t Re v St r t Ex tInj dCrv_ctNsRevStrtExtd_CInjCr v _ s t Ns Cha r CorVehV_ vI njCr v _ v T hr e s _Inj C Cr v _Ns l 1Up_ CUR I njCr v _Ns l 1Dwn_ CUR I njCr v _Ns l 2Up_ CUR I njCr v _Ns l 3Up_ CURI njCr v _Ns l 4Up_ CUR I njCr v _Ns l 5Up_ CUR I njCr v _Ns l 2Dwn_ CUR I njCr v _Ns l 3Dwn_ CUR I njCr v _Ns l 4Dwn_ CUR ASMod_ lSumVehAct I njCr v _ s wt Ns Re s e t On_ CI njCr v _ s t Ns Re s e t .0I njCr v _ s t Ns Re s e t1 .InjCr v _ s t Ns Re s e t .2InjCr v _ s t Ns Re s e t .3I njCr v _ s t Ns Re s e t .4InjCr v _ s t Ns Re s e t .5I njCr v _ s t Ns T iFr z_ mpInjCr v _ tNs i Run I NJ CRV_ RST NSCHARCOR_ SY ST SY S_ ST RDONE I njCr v _Ns l 5Dwn_ CUR I njCr v _Ns l 6Up_ CURI njCr v _Ns l 6Dwn_ CUR I njCr v _ s t Ns Re s e t6Inj . Cr v _Ns l 7Up_ CUR I njCr v _ s t Ns Re s e t .7I njCr v _Ns l 7Dwn_ CUR CoEng _ s t COENG_ RUNNI NG I njCr v _ t iNor malRedSt r t St opSwsVW _ bSt opAct v STSYS_ STRTSTSP_ SYCoEng_ t iNor malRed EngDa_ t FldI njCr v _ nu mEngTempSelNs _ C I njCr v _ t Clnt EngNs_ mp

& A < X B P 1 = s < l A 1 T h X e s M a x P < P & A < X B P 1 = s < l A 1 T h X e s M i A P < P E A g D a P 1 F & d

& A < X B P 1 < l A 1 E A g = s P m p A < X < B

& A < X B P A u m E A g T e m p S e l = s P < P " & A < X B P 1 = s F l T h X e s M a x P < P & A < X B P 1 = s F l T h X e s M i A P < P F u e l T P 1 A < X < B S T S P P S Y & A < X B P 1 = s O i l T h X e s M a x P < ! P & A < X B P s 1 = s < h a X < o X & A < X B P 1 = s O i l T h X e s M i A P < & O i l P 1 S w m p A < X < B S T S Y S P S T R T E A B P P p S 1 S y s P s 1 S 1 X 1 & A < X B P p = s E A B T h X e s P < P

S T S Y S P S T R T

S 1 S y s P s 1 S 1 X 1 & = J < R V P R S T = S < H A R < O R P S Y

& 0 F A L S E S 1 S y s P s 1 S 1 X 1 S w s V W P b S 1 o p A c 1 B & A < X B P 1 i = s A p p V a l P < S T S Y S P S T R D O = E [ 0 ] P A P P P X & $ & A < X B P X = s A p p V a l P < P T i m e X E p m < X s P c 1 R e B S 1 X 1 E x 1 d #

& A < X B P c 1 = s R e B S 1 X 1 E x 1 d P < > 1 P = F & d P & A < X B = s < h a X < o X . 5 = = 0

P % & A < X B P s 1 = s R e s e 1 . 1 => 1 & A < X B P l = s 1 U p P < U R P

V e h V P B & A < X B P s 1 = s T i F X z P m p & A < X B P s w 1 = s R e s e 1 O A P < & A < X B P B T h X e s P < P & A < X B P l = s 1 D w A P < U R P S T S P P S Y P 0

< o E A g P 1 i = o X m a l R e d & A < X B P s 1 = s R e s e 1 . 2 => 1 & A < X B P l = s 2 U p P < U R < o E A g P s 1 P & A < X B P 1 i = s R u A & A < X B P 1 i = o X m a l R e d S 1 X 1 S 1 o p < O E = G P R U = = & = G T i m e X & A < X B P l = s 2 D w A P < U R

P B e i K L 1 5 - E i A i A i 1 i a l i s i e X e A , f a l l s d i e s A i c h 1 o h A e h i A b e i b e i m S 1 e u e X g e X ä 1 e h o c h l a u f e X f o l g 1 & A < X B P s 1 = s R e s e 1 . 3 > 1 & A < X B P l = s 3 U p P < U R = P

& A < X B P s 1 = s R e s e 1 . 0 A S M o d P l S u m V e h A c 1 k m & A < X B P l = s 3 D w A P < U R

P 1 0 0 0 &

P & A < X B P s 1 = s R e s e 1 . 4 => 1 & A < X B P l = s 4 U p P < U R P

& A < X B P l = s 4 D w A P < U R P Fig. 2: Acoustic condition activation logic from function sheet EDC17C54 P 874 for, e. g., VW Passat, dated December& A 2009.< X B P s 1 = s R e s Thee 1 . 5 portion shaded light blue disables the so-called “customer-speciﬁc acoustic condition” if the distance traveled as a function of time=> falls1 outside of all 7 possible test cycle speed & A < X B P l = s 5 U p P < U R proﬁles. The highlighted portion does not appear in function sheets prior to EDC17C04 P 617,P dated May 2007. Copyright Robert Bosch GmbH. Diagram cut at fourth test curve, continues up to seven below. Blue shading and numbers through added by authors.

& A < X B P l = s 5 D w A P < U R P

& A < X B P s 1 = s R e s e 1 . 6 since start. If this happens, the acoustic condition is canceled. dlower and dupper as defined=> 1 by curves is shaded. If the com- & A < X B P l = s 6 U p P < U R In the firmware we examined, these curves are used to puted timeP and distance value (t, d) ever enters this gray area, define the precise time-distance profile of known emission the test is considered to be ruled out, and the corresponding & A < X B P l = s 6 D w A P < U R tests. In general, we note that the number of profiles has been flip-flop isP set. In addition to the boundaries, we have plotted increasing with time. As shown in Table II, the number of the test cycles of known emission& A tests < X B P s 1 = s R e givens e 1 . 7 in Table IV. Test => 1 & A < X B P l = s 7 U p P < U R curves checked has increased from 0 in EDC17CP04 P 531 cycles matchingP the profile are shown using heavy lines; all to 7 in EDC17CP44 P 859. others using light lines. As our results show, several of the Figure 3 shows several curve pairs found in the firmware configured& A < X B P l = s 7 D boundariesw A P < U R match a known test cycle quite closely. of an EDC17C54 ECU (software part number 03L906012, In particular, profile 1 matches the FTP-75 test cycle to within revision 7444; remaining curves found in Figure 14 in the 4.2 km and profile 5 the HWFET test cycle to within 16.1 km Appendix). The area outside of the upper and lower boundaries (not fully shown in the figure).

12.08.2009 | M1754VQC874 M5F13;2 | InjCrv_CoPiIRlsOpRng | 3.91 (2.3a) | © Alle Rechte bei Robert Bosch GmbH, auch für den Fall von Schutzrechtsanmeldungen. Jede Verfügungsbefugnis, wie Kopier- und Weitergaberecht, bei uns. 7 80187214, proﬁle 1 80187214, proﬁle 7 10 10 FTP-75 EUDC 9 9 EUDCL 8 8

7 7

6 6

5 5

km (total) 4 km (total) 4

3 3

2 2

1 1

0 0 0 200 400 600 800 1000 1200 1400 1600 1800 0 200 400 600 800 1000 1200 1400 1600 1800 seconds seconds 80187214, proﬁle 8 80187214, proﬁle 9 10 10 N N FTP-75 NEDC 9 9 CADC-RURAL ECE-15 8 IM240 8 JP10 WLTP-1 7 7 WLTP-2 6 6 WLTP-3 RTS-95 5 5 J1015 km (total) 4 km (total) 4 CADC-URBAN

3 3 LA92

2 2

1 1

0 0 0 200 400 600 800 1000 1200 1400 1600 1800 0 200 400 600 800 1000 1200 1400 1600 1800 seconds seconds Fig. 3: Selection of curve checks testing against various emissions test cycles in the ﬁrmware for a VW Passat, released 12/2014 (EDC17C54, software part number 03L906012, revision 7444). The area in which the software reports the driving proﬁle to match is colored white. As evident from the graphs, this area tends to follow a test cycle closely. The legend lists the known matching test cycles. ⊗ indicates an additional steering wheel check. Figure 14 in the Appendix depicts the remaining curves.

Steering wheel checks. Starting 2009, the EDC firmware used Unfortunately, we could not obtain a function sheet containing in Volkswagen automobiles increased the number of profiles this improved acoustic condition. The following code is our check from 7 to 10. As noted, the profiles shown in Figure 3 reconstruction of the logic used to determine if a steering were extracted from an EDC17C54 firmware image, VW part wheel angle deviation should cancel the acoustic condition. number 03L906012, that has 10 profiles, four of which are if (-20 /* deg */ < steeringWheelAngle && shown in the figure. (The acoustic condition illustrated in steeringWheelAngle < 20 /* deg */) { Figure 2, from an older EDC17C54 function sheet, shows only lastCheckTime = 0; 7 profiles.) cancelCondition = false; } else { Note that profiles 8 and 9 are considerably less precise than if (lastCheckTime < 1000000 /* microsec */) { lastCheckTime = lastCheckTime + dT; profiles 1 and 7. In fact, profile 9 matches a total of 10 known cancelCondition = false; emissions test cycles. In addition to checking the time-distance } else relation shown in Figure 3, profiles 8, 9, and 10 also included cancelCondition = true; } a steering wheel angle check: in addition to deviating from a prescribed time-distance profile, the flip-flop corresponding In the updated firmware, the signal cancelCondition to profiles 8, 9, and 10 would be reset if the steering wheel computed as above is applied as a third input to the ≥ 1 gates angle deviated by more than 20° from the neutral position. that lead into the flip-flops corresponding to each profile.

8 InjCrv_PiIAddCor 2.3.0;0 3155/8771

Abbildung 2034 InjCrv_PiIQntAddCorEOM [injcrv_piiaddcor_1]InjCr v _ nu mEngTempSelPiI1Qnt_C InjCr v _ nu mEngTempSelPiI2Qnt_CInjCr v _ t Eng PiI1Qnt_mpI njCr v _ t Eng PiI2Qnt_mpEngDa_ t Fld s t P i I R l s A c t

s t P r s

n u m E O M Berechnung zusatzlicher (kundenspeziﬁscher) Korrekturen fur i d x E O M = I N J C R V _ E O M 0 “ ¨ ¨ P P i i % die Voreinspritzungen” (Calculation of additional (customer- I n i C r v _ s t N s C h a r C o r speciﬁc) corrections for the pilot injections.). S T S Y S _ S T R T D O N E P C. The Volkswagen Device: Effect on EGR

q C o r As noted earlier, Exhaust Gas Recirculation (EGR) is a very I n j C r v _ s t I n j C h a r A c t V a l . I N J C R V _ P I I 2 = = 1 I n i C r v _ q N s P i I 1 A d d C o r 2 _ C effective means of reducing NOx levels in the exhaust gas.

P I n i C r v _ q N s P i I 1 A d d C o r 1 _ C Unfortunately, the beneﬁcial effect on NOx has the opposite P effect on particulate matter: decreasing NOx emissions by E p m _ n E n g P increasing the amount of exhaust gas recirculated increases I N J S Y S _ L E A D P A R S E T the amount of soot in the exhaust. This, in turn, increases I n j C r v _ q N s P i I 1 A d d C o r 2 _ M A P P i i 1 load on the Diesel Particulate Filter (DPF) used to reduce E p m _ n E n g P P i i 2 soot emissions. The acoustic condition can also be used to I N J S Y S _ L E A D P A R S E T q C o r

P i i 3 alter the amount of exhaust gas recirculated (see Figure 11 I n j C r v _ q N s P i I 1 A d d C o r 1 _ M A P q C o r in the Appendix). The logic block shown in the ﬁgure is

q C o r used to compute mDesVal1Cor, a correction value to the total I n i C r v _ q N s P i I 2 A d d C o r _ C desired air mass. The correction may be applied additively or multiplicatively, based on a conﬁgurable parameter, to the base amount to arrive at the desired air mass value (this calculation

E p m _ n E n g P is not shown in the ﬁgure).

I N J S Y S _ L E A D P A R S E T D. The Fiat 500X Device I n j C r v _ q N s P i I 2 A d d C o r _ M A P q C o r The Volkswagen emission scandal brought attention not

Fig.I n 4:j C r v Acoustic_ d q P i I 1 S t r t R m p . conditionN e g _ C (signals l o p e p InjCrvo s stNsCharCor) used to modify only to Volkswagen itself, but also to other automakers of the desired injection quantity corrections l o p e n e g qCor. From the EDC17C54 P 874 diesel vehicles. Among them was Fiat Chrysler Automobiles functionC o E n g _ sheet.s t < = C O E CopyrightN G _ S T S T A R T ( 0 x Robert0 2 ) Bosch GmbH. I n j C r v _ s t S t r t . I N J C R V _ Q P I I 1 S T R T = = 1 & (FCA), which on February 2, 2016 issued a press release I n j C r v _ s t I n j C h a r A c t V a l . I N J C R V _ P I I 2 = = 1 stating: “FCA diesel vehicles do not have a mechanism to IfE p them _ n E n g sophisticatedP test cycle detection logic encoded above either detect that they are undergoing a bench test in a I n j C r v _ t E n g P i I 1 Q n t _ m p laboratory or to activate a function to operate emission controls sets the acoustic condition to one, a numbers w p o s ofp a r a behaviorm M N q S e t changes take placeI n j C r v _ q P i I 1 B ina s 1 S t ther t _ M A P vehicle. These changesx a are ef- only under laboratory testing. [...] [W]hen tested following P y x b p o s fected by using the value of the acoustic conditiona c t i v e variable the only testing cycle prescribed by European law (NEDC) T 0 i s w stNsCharCor to switch between conﬁgurable variables or [FCA diesel vehicles] perform within the regulatory limits and I n j C r v _ q P i I 1 B a s 2 S t r t _ M A P parameters,q C o r allowing the vehicle to operate with one set of comply with the relevant regulatory requirements.” [11]. On I n j C r v _ d q P i I 2 S t r t R m p . P o s _ C calibration values in the normal driving mode andP i i % using February 9, 2016, a week after FCA issued the press release, it I n j C r v _ d q P i I 2 S t r t R m p . N e g _ C s l o p e p o s s l o p e n e g another set in testing mode, as if two distinct personalitiesP i i 1 was accused by German environmental protection organization C o E n g _ s t < = C O E N G _ S T S T A R T ( 0 x 0 2 ) P i i 2 Deutsche Umwelthilfe (DUH) of exceeding emission limits on tookI n j C turnsr v _ s t S t r t . I N J controllingC R V _ Q P I I 2 S T R T = = 1 the vehicle.& Next, we describe the two contrasting personalities that emerge depending on the state their Fiat 500X cross-over SUV equipped with a 2-liter Fiat E p m _ n E n g P of the acoustic condition. s w p o s p a r a m MultiJet II diesel engine. DUH used a chassis dynamometer I n j C r v _ t E n g P i I 2 Q n t _ m p x a y x b p o s for testing. As of this writing, FCA has not acknowledged that a c t i v e B. Theq C o r VolkswagenI n j C r v _ q P i I Device:2 B a s S t r t _ M A P Effect on InjectionT 0 i s w its car has a defeat device.

Asq M a describedx in Section II-A, the operation of a diesel Like other vehicles in this study, the diesel engine of the Fiat engineq B a s is controlled through fuel injection timing. The start 500X usesq B a thes Bosch EDC17 ECU. Its exhaust after-treatment and duration of injections not only affects engine power output system includes an NOx Storage Catalyst (NSC) and a Diesel E n g D a _ t F I d E n g D a _ t F I d but also exhaust emissions.I n j C r v _ t E Basedn g P i I 1 Q n t _ m p on its naming and first use,I n j C r v _Particulatet E n g P i I 2 Q n t _ m p Filter (DPF). To investigate the claim, we obtained the acoustic condition was introduced to alter engine injection a Fiat 500X function sheet (EDC17C69 P 1264) and firmware behavior [15]. We identified several points in the firmware we image (55265162). We examined both for the presence of the I n j C r v _ n u m E n g T e m p S e l P i 1 Q n t _ C I n j C r v _ n u m E n g T e m p S e l P i 2 Q n t _ C analyzedP manually where the acoustic conditionP can modify Volkswagen defeat device, but found neither mention of the fuel injection behavior. Here, we describe how the acoustic acoustic condition in the function sheet nor any evidence of condition can be used to adjust the quantity of injection. curve-checking logic in the firmware image. Figure 4 shows how the fuel injection quantity (additive) However, we found that Fiat 500X contained what amounts correction (qCor) is modified by the acoustic condition. If to a defeat device in the logic governing NSC regeneration. the acoustic condition is true (under test), qCor is modi- Unlike the Volkswagen defeat device, the FCA mechanism fied by adding a constant (InjCrv qNsPiI1AddCor{1,2} C relies on time only, reducing the frequency of NSC regener- or 12.08.2009InjCrv | M1754VQC874qNsPiI2AddCor M5F13;2 | InjCrv_PiIAddCorC). Otherwise, | 3.91qCor (2.3a) | ©is Alle mod- Rechte beiations Robert Bosch 26 minutes GmbH, auch 40 für secondsden Fall von after Schutzrechtsanmeldunge engine start.n.Recall Jede that Verfügungsbefugnis, wie Kopier- und Weitergaberecht, bei uns. ified by adding a value computed based on engine speed the primary role of the NSC (Section II-A) is to reduce NOx (Epm nEng). The function sheet describes this logic block as emissions by trapping NO2 in the catalyst during the loading

9 NSCRgn_RlsLogic 14.1.0;0 7917/12547

L Fuel Consumption in current driving cycle FlSys_volFlConsDrvCyc is less than or equal to the threshold NSCRgn_volFlConsMaxHmlg_C

L Engine Temperature (selected from the temperature ﬁeld EngDa_tFld using the calibration constant NSCRgn_numEngTempRls_C) or Coolant Temperature CEngDsT_t is between the thresholds NSCRgn_tMinDNOxHmlg_C and NSCRgn_tMaxDNOxHmlg_C. Which of the temperature is selected depends on the calibration parameter NSCRgn_swtTempDNOxHmlg_C

L Time since last DeNOx event NSCRgn_tiNoNSCRgn is above or equal to the threshold NSCRgn_tiNoNSCRgnHmlg_C.

This condition will be ignored for the next DNOx event (NSCRgn_stTiNoNSCRgnHmlg_mp set to False) if the engine speed Epm_nEng falls below the threshold NSCRgn_nEngMinHmlg_C. If a regeneration of the NSC catalyst is ﬁnished and hence the next "NoNSCRegeneration state" starts (NSCRgn_stNSC.25 becomes True) the condition will be reactivated for the following DNOx event (_swtTiNoNSCHmlg is set to True).

In addition, the following conditions have to be fulﬁlled always to set the status of NSCRgn_stRlsDNOxHmlgAct_mp:

L DINH_stFId.FId_NSCRgnDNOxHmlg is released

L Number of DNOx events in current driving cycle NSCRgn_ctRgnSnceEngStrt_mp is below or equal to the threshold NSCRgn_cntrRgnMax- Hmlg_C. For calculation of the number of NSC regenerations in the current driving cycle, the total number of regenerations NSCMon_ctRgn is stored in the measuring point NSCRgn_ctRgnEngStrt_mp during ECU initialization. In order to calculate the current number NSCRgn_ct- RgnSnceEngStrt_mp, this value is subtracted from the total number.

The release status for a DNOx-regeneration during homologation cycle could be delayed by the time NSCRgn_tiDlyRlsDNOxHmlg_C.

Fig. 5: NOx regeneration release logic combining the start and release signals from the homologation and real driving logic to compute the single regeneration release signal stRlsDNOx. Demand and release conditions are computed separatelyHint forIf one the of homologation the four independent and real conditions driving logic is fulfilled,. The the output status of for the the DNOx release is always set (until the number of regenerations is Kind of Request block is non-zero if either of the homologation or real driving signalsreached is ortrue FId is inhibited).. The final To release avoid signal permanentstRlsDNOx DNOx regenerationsis only asserted the demand status in FC NSCRgn_Dem has to be set accordingly. if either the homologation or real driving release signals is true. Blue numbers through added by authors. From function sheet EDC17C69 P 1264 for Fiat 500X. Copyright Robert Bosch GmbH. Figure 5445 NSCRgn_RlsLogic/NSCRgnRlsLogic/RegenerationReleaseLogic/ReleaseLogicDNOx/DNOx_during_Homologation/RlsRunngTi [NSCRgn_RlsLo- gic.NSCRgnRlsLogic.RegenerationReleaseLogic.ReleaseLogicDNOx.DNOx_during_Homologation.RlsRunngTi] phase (lasting from 30 to 300 seconds) and purging it during NSCRgn_stTiCoEngHmlg_mp the regeneration phase (lasting 2 to 10 seconds). Regeneration tiSnceFrstRunngRed reduces fuel economy and increases the load on the DPF. By stTiCoEngHmlg NSCRgn_tiCoEngMaxHmlg_C reducing the frequency of NSC regeneration, a manufacturer can improve fuel economy and increase DPF service life, at Fig. 6: The stTiCoEngHmlg signal logic required to set stDNOxHmlg, allowingFigure 5446 NOx NSCRgn_RlsLogic/NSCRgnRlsLogic/RegenerationReleaseLogic/ReleaseLogicDNOx/DNOx_during_Homologation/RlsVolFlregeneration to proceed under the “homologation” sched- [NSCRgn_RlsLogic.- the cost of increased NOx emissions. ule. In theNSCRgnRlsLogic.RegenerationReleaseLogic.ReleaseLogicDNOx.DNOx_during_Homologation.RlsVolFl] 55265162 Fiat 500X firmware image we examined, In the Fiat 500X ECU, the logic controlling NSC regenera- NSCRgn tiCoEngMaxHmlg C is set to 1600 seconds. Copyright Robert Bosch GmbH. tion is divided into demand logic and release logic. The former volFlConsDrvCyc NSCRgn_stVolFlConsHmlg_mp determines when NSC regeneration should take place, while stvolFlConsHmlg the latter imposes constraints on when regeneration is allowed NSCRgn_volFlConsMaxHmlg_C to start. For regeneration to start, the demand logic must re- with the homologation demand signal, and likewise the real drivingFigure 5447 signal NSCRgn_RlsLogic/NSCRgnRlsLogic/RegenerationReleaseLogic/ReleaseLogicDNOx/DNOx_during_Homologation/RlsDNOxEve demand and release signals (marked in [NSCRgn_Rls- quest regeneration, asserting the NSCRgn stDNOxStrt signal Logic.NSCRgnRlsLogic.RegenerationReleaseLogic.ReleaseLogicDNOx.DNOx_during_Homologation.RlsDNOxEve] while the release signal NSCRgn stRlsDNOx must be asserted Figure 5). The homologation release signal is delayed by stHmlgOrRDDNOx NSCRgn tiDlyRlsDNOxHmlg C, which is set toS 300 seconds by the release logic. (DNOx refers to NSC regeneration, which 2 out in the 55265162 firmware image. The resultingR release signalNSCRgn_stRgnRnngHmlg_mp purges stored NOx from the catalyst.) In the EDC17C69 func- NSCRgn_tiWaitNoNSCRgnHmlg_C SrvB_RSFF_4 tion sheet we examined, both the demand and release logic was out ofNSCRGN_STNSC_NONSCRGN_BP the block is asserted if either the homologation or the real driving signal is true. duplicated into two parallel blocks. The first pair of demand stNSC NSCRgn_stWaitNoNSCRgnHmlg_mp and release blocks applies to a “homologation cycle” while The logic controlling the homologationTurnOnDelay_2 regeneration release the second pair to “real driving.” (Homologation refers to the signal is shown in Figure 12,compute and the corresponding logic CounterEnabled compute process or act of granting approval by an official body, for block for real driving in Figure 13 in the Appendix. The NSCRgn_ctRgnHmlg example, of a vehicle for sale in a particular jurisdiction. The important feature of the homologation release block is that reset terms “homologation” and “real driving” are taken from the all conditionsNSCRGN_END_SENS_BP defined by the blocks shown in the figure must true Edge_Rising_2 EDC17C69 function sheet.) Names of signals and logic blocks be met, because their outputs are AND-combined to produce used in the homologation logic contain Hmlg in their name, the output signal stDNOxHmlg. In particular, this means that NSCRGN_END_LOAD_BP while those used in the real driving logic contain Rd in the their the stTiCoEngHmlg output of the first sub-block must be stDNOxEveHmlg name. The demand logic for the homologation and real driving truestDem . The bottom of Figure 12 shows how this signal is NSCRgn_ctRgnMaxHmlg_C blocks are very similar, using the total estimated NOx load, computed: stTiCoEngHmlgNSCRGN_END_TIME_BP is set if the running time since S catalyst temperature, and other variables to determine when to engine start, tiSnceFrstRunngRed, is less than orout equal to NSCRgn_stDNOxEveHmlg_mp R NSCRgn_stRgnEndHmlg_mp trigger regeneration. The homologation and real driving logic, the constant NSCRgn tiCoEngMaxHmlg C. InSrvB_RSFF_5 the Fiat 500X however, uses different calibration parameters, allowing the firmwaretiDNOx image we examined, this constant was calibrated to manufacturer to supply completely different models for the 1600 seconds.NSCRgn_tiDNOxThreshHmlgRd_C Thus, the homologation regeneration release test cycle and real driving. signal stDNOxHmlg will be inhibited if the engine has been Both homologation and real driving logic blocks can request running longer than 1600 seconds. In addition, stDNOxHmlg a regeneration. Similarly, the release signal is also controlled also requires that the total driving cycle fuel consumption be by two parallel logic blocks. Figure 5 shows how the signals at2013-10-21 most NSCRgn | P1264_Fiat_DSvolFlConsMaxHmlg B05A_DOCUMENTATION;0 | NSCRgn_RlsLogicC, which is configured | 4.1.3b (2.13.2) | © Robert Bosch GmbH reserves all rights even in the event of industrial are joined. The homologation release signal is AND-combined toproperty 1.3 litersrights. We in reserve our firmware all rights of disposal image. such as copying and passing on to third parties.

10 This means that regeneration requested by the homologation static analysis enables us to obtain high code coverage by demand block will only be allowed to start a regeneration analyzing each function individually. Our analysis framework during the first 1600 seconds (26 minutes 40 seconds) of called CURVEDIFF is based on the IDA Pro 6.9 [13] dis- engine operation. After that, only NSC regeneration requested assembler, which includes support for the Infineon TriCore by the “real driving” logic will be allowed to start regeneration. processor used in Bosch’s EDC17 ECU. The framework is We note that this coincides with the runtime of standardized fully automated and takes a binary firmware image as input. emissions test cycles. When analyzing a firmware image, we perform the following The logic blocks described above include several switches steps: that may disable this dual path behavior. In the Fiat 500X 1) Generate and pre-process the IDA database, firmware image we examined, we found that both paths were 2) Build core structures and lift to static single assignment enabled (NSCRgn swt{Hmlg,Rd}HmlgActv C = true). The (SSA) form, homologation release delay NSCRgn tiDlyRlsDNOxHmlg C 3) Analyze curve function invocations, was set to 300 seconds, which limited the frequency of 4) Match curve checks against test cycles. homologation-requested regeneration to once every five min- In the following sections, we describe each step in more detail utes. We also examined the demand logic for homologation and provide information about implementation details. and real driving. C. Preliminaries V. DETECTING DEFEAT DEVICES The curve function SrvX IpoCurveS16 is a vital part of Based on the insights obtained in our case studies, we the defeat device used by Volkswagen. It is also a core function designed a static analysis tool that helps us to identify a defeat provided by the operating system itself and thus present in all device in a given firmware image. We implemented a prototype firmware images using the same OS. Further, we found that of this approach in a tool called CURVEDIFF for EDC17 ECUs it is widely used throughout the code of a firmware image. that enables us to track the evolution and behavior of such Basically, it returns the y coordinate for a given x coordinate a device across a large number of firmware images. In the on curve c, i. e., y ← SrvX IpoCurveS16(c, x). Since c following, we discuss design considerations and the general might be represented by a few data points only, the function workflow together with implementation details. interpolates linearly. Matching the current driving profile against predefined A. Design Considerations emissions test cycles is performed by posing two curve queries Our method aims to automatically identify potential defeat using SrvX IpoCurveS16: one yields the upper boundary on devices which actively try to detect an ongoing emissions test y corresponding to the given x value, whereas the other yields based on the car’s driving profile during the test cycle. More the lower boundary. Specifically, the boundaries fit a known specifically, we try to identify code regions in a given firmware test cycle that the real driving profile (seconds since engine image that attempt to determine if the car currently follows one startup x and covered distance y) is checked against. of the standardized test cycles and whose behavior influence the operation of the engine. We thus focus on the type of defeat D. Pre-Processing devices implemented by Volkswagen since they represent more For our analysis, in order to resolve memory accesses, we sophisticated defeat devices compared to the time-based ones need to obtain the small data regions (for global variables, implemented by FCA. via TriCore’s system global register a0) and literal data Our design decision to focus on test cycle detection is due to regions (for read-only data, via register a1) as well as the two important factors. First, this approach requires relatively function vector table (accessed via register a9), which stores little previous domain knowledge about firmware specifics and data associated with a certain function. The system global is thus rather unlikely to be subject to syntactical changes in registers are architecture and OS dependent and initialized the checking logic. In turn, this also means that we do not during startup, as all functions operate on them to access have to rely on additional data such as .a2l files, which may the specific memory regions. Further, we need to obtain the be hard to obtain for a given firmware image (even though address of the curve function, which can be easily detected by it would significantly simplify the analysis). Second, this matching on parts of the function semantics (namely, linear approach provides higher means of non-repudiation: Because interpolation of two curve points) and verifying the result using we do not rely on accurately determining ECU variables but its call graph. Since this function is not customer-dependent try to generically detect matches against well-known emissions but provided by the OS, it does not change significantly. test cycles, the fact that the software actively checks against Note that there are a few things we need to consider. the latter is hard to refute in general. As the curve function may be wrapped, we need to detect such instances to avoid having to perform inter-procedural B. General Workflow analyses later. In practice, wrappers can easily be detected We use static code analysis to implement our approach using the function’s call graph. In addition, we need to take because we cannot easily execute a given ECU firmware image peculiarities of the architecture into account: TriCore supports in an emulator to perform a dynamic analysis. Furthermore, scratch pad RAM (SPRAM for short), which mirrors parts

11 of the ﬁrmware’s code in faster memory. As this is done on phi d11_5 [d11_1 d11_4 d11_4 d11_4] startup (i. e., at runtime), we need to extract the mapping of d11_5 d11_5 d11_5 d11_5 d11_5 d11_5 d11_5 d11_5 mirrored regions, as we otherwise might miss calls targeting mov16 d4_17 d11_5 80187510 mov16 d4_5 d11_5 801875d8 mov16 d4_10 d11_5 80187688 mov16 d4_15 d11_5 80187544 mov16 d4_6 d11_5 d4_5 d4_10 d4_15 this memory area. 8018751c call32 re_5 #800b64f0 a4_2 d4_5 801875f0 call32 re_10 #800b64f0 a4_7 d4_10 80187694 call32 re_15 #800b64f0 a4_12 d4_15

E. Lifting to Static Single Assignment Form and Optimization Fig. 7: Excerpt of a data-flow graph used to verify property P-1. Curve calls can be grouped by the origin of input coordinate x (passed via register d4, In order to facilitate a robust static analysis suitable for originating from register d11). our task, we operate on an intermediate language (IL) in Static Single Assignment (SSA) form. SSA was introduced 801876be ld32.a a15_101 [a9_0]#9a4 by Cytron et al. in 1991 [6] and describes the property of an a15_101 a15_101 IL in which there is only one single definition for each variable 801876ca lea a4_13 [a15_101]#368 801876d4 lea a4_14 [a15_101]#3a6 and each definition dominates its uses. This, in turn, enables the design of efficient data-flow analysis algorithms. a4_13 a4_14 The TriCore assembly language is expressive enough to 801876ce call32 re_16 #800b64f0 a4_13 d4_16 801876de call32 re_17 #800b64f0 a4_14 d4_17 diminish the need for a full-fledged IL, e. g., side effects are Fig. 8: Example for data-flow graph for verifying property P-2. Both calls to rare and nearly all data flow is explicit. Hence, rather than the curve function are passed a different target curve via register a4. developing a new IL from scratch, we modify the assembly representation slightly in order to conform with requirements assumed when transforming to SSA form. More precisely, observation allows us to identify several important properties for instructions containing an operand that is both read and that must hold for two related curve queries: written, we duplicate the operand such that use and definition P-1 Both curve queries in a related check have to take the are properly distinguished. Similarly, for instructions defining same variable as query point x (parameter d4). This more than one variable, we add one single definition (a tem- requirement follows from the fact that both curves use porary register), and insert helper instructions that extract the the same axis. Concretely, x corresponds to the time since correct definition from the temporary register, and store them engine start. into the target variable. For example, calls may, amongst P-2 Both curve queries have to operate on distinct curves (pa- others, return results in both registers a2 and d2. As SSA rameter a4). This is because both curves encode multiple form does not allow multiple definitions for one instructions, possible driving profiles and allow for some deviation we introduce the temporary register re that stores the return from the exact test cycles due to potential imprecisions values of the call. Right after the call instruction, we add during the emission testing. artificial cconv.w instructions that read from re and store P-3 The results ylow, yhigh (register d2) of both curves have the corresponding part of the return value into a2 and d2, to be related in the sense that they implement a range respectively. Further, we encode other particularities of the check on the actual y value (i. e., the distance driven since TriCore calling convention explicitly. For example, we add engine start). uses of parameter-passing registers a4 and d4 to calls and, Properties P-1 and P-2. Effectively, property P-1 allows us to in a similar vein, uses of a2 and d2 to return instructions. We group several calls to the curve function together, based on the transform the resulting assembly into pruned SSA form [5] value provided for parameter x. In order to achieve this, for using liveness analysis. Finally, in order to coalesce memory each call, we backtrack register d4 and build a data-flow graph, access via system global registers a0, a1, and a9, we optimize where nodes are instructions and edges connect a variable’s each function using constant propagation. (necessarily unique) definition and its uses. An example for the resulting graph can be seen in Figure 7. Evidently, all F. Relating Curve Queries curve calls take d115 as parameter x. Similarly, we can Having transformed all functions into an intermediate rep- backtrack register a4 in order to find out the actual curves resentation, each function is analyzed separately in order to the functions operate on. Figure 8 visualizes this approach. construct a list of candidates potentially checking against Note that both leave nodes are connected via a15101, which emissions test cycles. To this end, we extract all invocations is the function vector entry holding all data associated with the of the curve function and try to group them into pairs of two, current function. However, both calls still operate on different where each call queries either the upper or lower boundary for curves with offsets 0x368 and 0x3a6, respectively. a given data point. This allows us to programmatically extract Property P-3. Property P-3 effectively states that the resulting the curves defining both boundaries and match them to well- ys of two distinct curve calls are related if they end up in the known cycles in a later step. We define two such calls to the same “meaningful” expression; an expression is meaningful, curve function as being related. for example, if it implements an interval check by comparing Section V-C explained how two calls to the curve function a given value with upper and lower boundaries as specified by SrvX IpoCurveS16 are made in order to match the current the curves. driving profile against predefined emissions test cycles. This In order to check P-3, we begin by building a forest

12 of data-flow graphs by tracking forwards the return values 11 matched of all curve calls that lie in the same group, according to 10 9 unmatched property P-2. Note that in the data-flow graphs, not all uses invalidated of an instruction are considered. Each connected component 8 then either corresponds to the data-flow graph arising from one 7 6 single curve call or it connects data-flow graphs of multiple 5 curve calls together. While the first case does not provide any #Profiles 4 useful information, the latter case tells us that both curve calls 3 are in fact related. Even though this fact already is useful as-is, 2 we can further inspect how two calls are related. 1 Intuitively, the type of relation between two curve calls 0 0 20 40 60 80 100 120 140 160 180 200 220 240 260 280 300 320 340 360 380 400 420 is described by the node where the data flows for each #Images return value meet. We call these nodes (forward) join nodes. Fig. 9: Coverage of profiles in all firmware images in which a defeat device They can be computed by calculating the lowest common has been found. Matched profiles are highlighted using backward diagonal ancestor (LCA) [2] of the vertex-induced subgraph of every lines, unmatched ones use forward diagonal lines and invalidated curves are shaded gray. possible pair of curve calls. Figure 10 in the Appendix depicts a part of the (single) connected component that reveals the relations of all curve calls in the acoustic function. This form of two-dimensional data points, containing information statement implements an interval check that could further be about the elapsed time in seconds and the speed at this point confirmed by, e. g., symbolically executing the path up to the (given either in mph or km/h). In order to actually match test join node. Similarly, we can define (backward) join nodes as cycles to the boundaries extracted from the firmware images, the LCAs in the reverse data-flow graph (more precisely, in the both representations need to be normalized first. For the latter, subgraphs induced by all pairs of leafs). Figure 10 contains an we scale the y axis by factor 0.1 to obtain the distance in example for a backward join node, the phi node defining d93. kilometers, and the x axis by 6.25 to obtain the engine run- Unsurprisingly, this definition equals to the distance covered time since startup in seconds (corresponding to unit TimeRed so far. in the A2L file). As the test curves provide speed instead of the In order to cover cases where, e. g., the lower boundary covered distance, we integrate them and convert from mph to check is control-dependent on the upper boundary check (i. e., km/h, if applicable. Finally, to match a curve, each data point might not be executed based on the result of the other check) has to lie in the interval as defined by c> and c⊥, respectively. but not directly data-dependent, we enrich the data-flow graphs Still, some checks cut off the driving profile near the end of by control-dependency edges, i. e., build a reduced program a particular test cycle, where the emissions effects would most dependency graph. The introduced concepts, however, apply likely not be picked up by an ongoing emissions test any more. to this extension as well. The corresponding test cycle would not match by comparing all its data points due to the premature mode switch. To G. Matching Test Cycles account for this, we do not check the interval for the last Given two related curve calls, we can extract the curves 10% of a given test cycle. they operate on by backtracking the parameter register a4. Thus, we obtain a curve representing the upper boundary VI.EVALUATION of matched driving profiles c> and the lower boundary c⊥. Based on the prototype implementation of CURVEDIFF, Roughly speaking, a specific driving profile is matched if its we performed a larger study of Volkswagen firmware images data points lie within said boundaries. to investigate which of them contain a defeat device. In the Note that we can perform a sanity check of the extracted following, we present the evaluation results together with some curves before processing them further. Namely, we want a highlights we found. curve to be monotonically increasing because the covered dis- We analyzed 963 firmware images and configured the tance obviously cannot decrease. This requirement is relaxed analysis system with a timeout of seven minutes to avoid long- for the last data points of a boundary, as there are cases where running analysis tasks. 924 images were successfully analyzed c> drops below c⊥ to effectively reject all driving profiles according to the steps outlined in the previous section, while after this point. In a similar vein, we can detect what we call 20 tasks timed out and 19 tasks failed to be processed by invalidated checks. These are characterized by having all y IDA. In total, we found that 406 (44%) of the analyzed images values set to a constant value (0x7fff for c⊥ and 0 for c> in contained a defeat device, out of which 333 contained at least the firmware images we analyzed) such that the check rejects one active (i. e., non-invalidated) profile. any driving profile. Using this method, the manufacturer can Performance. The static analysis is fully automated and the parameterize a profile check such that it is not actually used. fastest analysis task finished after 55 seconds, while several The reference test cycles as used for emissions testing tasks also timed out (see above). The geometric mean for the are available either free of charge [20] or tied to a small analysis of all successful tasks is 105 seconds, hence we can subscription fee [7]. In most cases, the cycles are given in the analyze a given image on average in less than two minutes.

13 TABLE II: Acoustic condition logic and affected systems, based on function sheets. The Model column shows the ECU model (prefix EDC omitted). The where multiple model names were returned (due to varying Version column shows the ECU version for which the function sheet was model naming schemes in different regions), we chose the generated. The Date column gives the date given in the function sheet. Column European name, as most firmware images check for European N shows the number of profiles checked by the acoustic condition or “—” if the acoustic condition logic block was not included in the function sheet. emissions test cycles. In cases where multiple firmware images The Affected Subsystems column shows the subsystems where the acoustic in a month matched the same model, we denoted the number condition was referenced, extracted from the variable cross-reference table in of images analyzed for a specific model in parentheses. Finally, the function sheet. for all the images released in the same month, we took the Model Version Date N Affected Subsystems union of test cycles they check for to give an impression of 16CP P 397 A.V.0 2005-06-24 0 InjCrv, Rail the number and variety of matched cycles. Figure 9 depicts 17CP04 P 531 2.F.0 2005-10-28 0 InjCrv our coverage in terms of identified test cycles. For firmware 16CP P 397 A.V.9 2006-03-02 0 InjCrv, Rail images with 5 profiles, we were able to match a test cycle 17CP04 P 617 3.K.0 2006-11-06 0 InjCrv to each profile. However, for later images checking 5 and 7 17CP04 P 617 3.N.0 2006-12-22 0 InjCrv profiles, respectively, we were unable to find a matching test 17CP24 P 628 3.K.1 2007-03-29 —  cycle for some of the profiles.  17CP24 P 628 3.U.0 2007-05-02 —  Effects on EGR. Based on the results in Table III, we 17CP24 P 703 3.V.5 2007-07-12 —  InjCrv 17CP04 P 617 3.U.0 2007-05-14 5 automatically identified a lower bound of firmware images in  17CP14 P 531 3.U.0 2007-05-24 5  which the acoustic condition affects the AirCtl subsystem,  17CP14 P 617 3.U.5 2007-08-30 5 responsible for calculating the amount of recirculated exhaust 17CP24 P 628 3.W.5 2007-09-18 — AirCtl, InjCrv 17CP14 P 714 3.U.A 2007-10-12 5 InjCrv gas (EGR). We did not use A2L files for this, as we do not 17CP24 P 703 3.W.A 2007-11-05 — AirCtl, InjCrv have matching files for all firmware images. We found that in 17CP24 P 628 3.W.G 2008-02-12 5 AirCtl, PFlt, InjCrv at least 268 images (66%), the acoustic condition can affect 17CP24 P 703 3.W.G 2008-02-14 5 AirCtl, PFlt, InjCrv EGR. Based on the parameters we extracted, we can confirm 17CP24 P 628 3.W.H 2008-03-04 5 AirCtl, PFlt, InjCrv 17CP14 P 804 4.F.0 2008-03-26 5 InjCrv, Rail that in 247 (92%) of these images, the acoustic condition 17CP24 P 703 3.W.K 2008-04-23 5 AirCtl, PFlt, InjCrv actually influences the choice of parameters. Note that the 17CP24 P 628 3.W.L 2008-05-17 5 AirCtl, SCRFFC, PFlt, AirCtl detection can be improved upon as well as extended to InjCrv 17CP24 P 859 4.F.0 2008-05-30 5 AirCtl, PFlt, InjCrv, Rail other subsystems as listed in Table II to fully confirm further 17CP24 P 628 3.W.M 2008-06-27 5 AirCtl, SCRFFC, PFlt, defeat devices in Table III. InjCrv We also manually analyzed some of the defeat devices detected 17CP44 P 804 4.P.0 2008-08-05 — AFS, AirCtl, ASMod, InjCrv, PCR, Rail by CURVEDIFF to verify our results, and in the following we 17CP24 P 859 4.P.0 2008-09-18 — AFS, AirCtl, ASMod, InjCrv, highlight some of the findings. PCR, PFlt, Rail Steering wheel check. We found that the 2014’s EDC17C54 17CP44 P 930 4.P.5 2008-11-13 — AFS, AirCtl, ASMod, InjCrv, PCR, PFlt, PFltPOp, Rail P1169 firmware image with part number 03L906012DE and  AFS, AirCtl, ASMod, revision 8401 has started checking the steering wheel angle 17CP44 P 804 5.A.0 2009-01-22 7  InjCrv, InjSys, in addition to the time-distance profiles, as described in 17CP44 P 804 5.A.5 2009-02-04 7  PCR, PFltPOp, Section IV-A. An automatic scan for the steering wheel check Rail, SmkLim yielded three more images, namely 03L906012, revision 7444  AFS, AirCtl, ASMod, (depicted in Figure 3); 03L906012DD, revision 8400; and 17CP44 P 859 5.A.0 2009-03-16 7  InjCrv, InjSys, 03L906012BP, revision 7445. The images seemingly have 17CP44 P 859 5.F.5 2009-07-13 7  PCR, PFlt, PFltPOp, Rail, SmkLim been released on December 3, 2014, 22:55 and are used in VW Passat cars according to an online database. This refinement of the defeat device is noteworthy given that at that point in Compared to an analysis with a chassis dynamometer, such an time, the CARB had already started to investigate emission approach is at least two orders of magnitude faster. abnormalities in Volkswagen cars [15] (cf. facts 140, 141). Results. Table III shows the results of our analysis. Results As evident from Table III, these images are responsible for above the double line contain firmware from the dump ob- the largest set of test cycle matches across nearly 400 images, tained from the chiptuning scene (years 2009 and 2010). Dates further highlighting the necessity of the check. Other firmware and software part numbers are taken from the street release images released the same month (for Audi A4 and A6) do not certification next to the firmware images. Results below the contain this additional logic and only match a subset of the double line are based on firmware obtained via the erWin listed test cycles. portal, which provides official firmware images for car shops (years 2012 to 2016). Dates are taken from the firmware’s VII.DISCUSSION time stamp. For both data sources, the models have been Our empirical evaluation results demonstrate that our ap- matched by querying an online database for spare parts, which proach to detect Volkswagen-style defeat devices is viable yields metadata for a given part number (in this case, the part across a large number of firmware images. Nevertheless, there numbers specify the ECU). This mapping may not be 100% are certain open challenges and potential limitations of our accurate, as disclaimed by said sites as well. For part numbers approach that we discuss in the following.

14 TABLE III: Results for 363 of 406 firmware images in which CURVEDIFF detected a potential Volkswagen-style defeat device. For firmwares not listed in this table either the release date or the model are unknown. The number in parentheses depicts the number of firmware images analyzed for this model. The lower part of the table, below the double line, shows the result based on erWin data; the upper part is drawn from a chip tuning dump. Matched emissions test cycles are listed as the union of matched cycles in all firmware images in that row. The last column shows whether firmware images in this row were found to contain additional steering wheel checks that guard individual curves. The affected models in that row are printed in bold. Note that model data in this table is retrieved from external (non-VW) sources. Further conditions may affect the defeat device’s operation.

Rls. Date Models (number of images) Matched Cycles (upper bound) St.W. 2009-01 Golf, Passat (2) ECE-15, EUDC(L), NEDC 2009-07 A3 ECE-15, FTP-75, HWFET, LA92, NEDC, SC03, US06 2009-08 Passat Blue Motion ECE-15, EUDC(L), NEDC 2009-09 Golf (2), Passat (3) ECE-15, EUDC(L), NEDC 2009-10 Golf+, Passat ECE-15, EUDC(L), NEDC 2009-11 A3 (8), Golf Blue Motion, Golf (2), Passat ECE-15, EUDC(L), NEDC 2009-12 A3 (5), Golf Variant (2), Golf+ (2), Golf (7), Jetta (3), Passat (4) ECE-15, EUDC(L), FTP-75, HWFET, LA92, NEDC, SC03, US06 2010-01 Jetta, Passat (2) ECE-15, EUDC(L), NEDC 2010-03 A3 (2), Golf (3), Jetta, Passat (3), Q5 (4) ECE-15, EUDC(L), FTP-75, HWFET, LA92, NEDC, SC03, US06 2010-04 Jetta (2), Passat, Passat Coupe (4), Q5 ECE-15, EUDC(L), NEDC

2012-05 A3 (19), A4, A6, Alhambra (4), Altea, Eos (2), Golf, Ibiza (4), Leon, ECE-15, EUDC(L), FTP-75, HWFET, LA92, NEDC, SC03, Octavia (6), Q5 (2), Superb (2), TT, Tiguan, Yeti (4) US06 2012-06 Amarok (8), CC, Eos (2), Golf (2), Jetta (2), Octavia (3), Q5 (2), ECE-15, EUDC(L), NEDC Sharan (7), Tiguan, Touran (2) 2012-07 A1 (3), Alhambra (4), Caddy (2), Sharan (8) ECE-15, EUDC(L), NEDC 2012-09 Golf (2), Passat, Yeti (6) ECE-15, EUDC(L), FTP-75, HWFET, LA92, NEDC, SC03, US06 2012-10 A3, Alhambra (2), Tiguan, Yeti ECE-15, EUDC(L), FTP-75, HWFET, LA92, NEDC, SC03, US06 2012-12 Eos (2), Golf Cabriolet, Tiguan (7), Touran, Yeti ECE-15, NEDC 2013-01 Leon, Passat ECE-15, EUDC(L), FTP-75, HWFET, LA92, NEDC, SC03, US06 2013-04 Amarok (6) (deactivated) 2013-05 Amarok (4) ECE-15, EUDC(L), NEDC 2013-06 Amarok (5), Superb (3), Tiguan ECE-15, EUDC(L), NEDC 2013-07 Octavia ECE-15, EUDC(L), NEDC 2013-08 Yeti (3) ECE-15, NEDC 2013-11 Superb (3) ECE-15, EUDC(L), NEDC 2013-12 Superb (2), Yeti (4) ECE-15, EUDC(L), NEDC 2014-01 Caddy (4) ECE-15, NEDC 2014-03 Amarok (16), Eos, Tiguan, Yeti ECE-15, EUDC(L), NEDC 2014-04 Q5, Superb (2) ECE-15, EUDC(L), NEDC 2014-06 Amarok (6), Tiguan (4) ECE-15, EUDC(L), NEDC 2014-09 Alhambra ECE-15, EUDC(L), NEDC 2014-10 Sharan ECE-15, EUDC(L), NEDC 2014-12 A4 (3), A6, Passat (4) CADC-RURAL, CADC-URBAN, ECE-15, EUDC(L), FTP- 75, HWFET, IM240, J1015, JP10, LA92, NEDC, RTS-95, SC03, US06, WLTP-1, WLTP-2, WLTP-3 2015-01 Superb ECE-15, NEDC 2015-02 A3 (3) ECE-15, FTP-75, HWFET, LA92, NEDC, SC03, US06 2015-03 Alhambra (2) ECE-15, EUDC(L), NEDC 2015-05 Alhambra (6), Sharan (6) ECE-15, EUDC(L), NEDC 2015-07 Q3 (2) ECE-15, NEDC 2015-10 Altea (2), Yeti (3) ECE-15, EUDC(L), NEDC 2015-11 Superb ECE-15, EUDC(L), NEDC 2016-02 Altea ECE-15, NEDC 2016-03 A4, Exeo (4) ECE-15, NEDC 2016-04 A6, Exeo, Q3 ECE-15, NEDC 2016-06 Altea (3), CC (3), Jetta, Leon (2), Superb, Tiguan (2) ECE-15, EUDC(L), NEDC 2016-07 Amarok, CC, Golf, Superb ECE-15, NEDC 2016-08 CC (3), Golf Cabriolet, Golf (2), Passat (2), Scirocco, Touran (3) ECE-15, EUDC(L), NEDC 2016-09 CC (14), Octavia (2), Passat (2), Tiguan (7) ECE-15, EUDC(L), NEDC 2016-10 Eos ECE-15, NEDC

15 Generally speaking, there are two approaches to distinguish in the Bosch EDC17 ECU to circumvent US emission tests. regular street driving conditions from those (rather special) The first family of defeat devices was used by Volkswagen and conditions exhibited during emission tests: active and passive lies at the heart of the Volkswagen diesel emissions scandal. detection. Active detection techniques take characteristics of The second device appears in the diesel Fiat 500X automobile the car during emission tests into account and hence are able sold in Europe, and has not beed documented previously. We to target specific tests. Most notably, the Volkswagen defeat also presented and evaluated an automated approach to detect device covered in this paper is able to detect an ongoing defeat devices in a given firmware image based on the insights emission test based on the car’s driving profile and comparing we obtained from manually analyzing the Volkswagen defeat it to well-known test curves. Our approach is based on this device. insight and we propose a curve-agnostic method to detect that the firmware attempts to match a certain driving profile. ACKNOWLEDGMENTS CURVEDIFF can detect such defeat devices and we found Part of this work was supported by the European Research many instance of such devices. However, a car manufacturer Council (ERC) under the European Union’s Horizon 2020 could also implement other active evasion approaches, for research and innovation programme (grant agreement No example by matching on the profile of related parameters such 640110 – BASTION). This work was funded in part by the as speed or torque; another concrete example being the defeat National Science Foundation through grant NSF-1646493. device found in the Opel Zafira [9]. On the other hand, passive detection techniques cover test- REFERENCES agnostic methods that do not actively observe vehicle specifics [1] Association for Standardisation of Automation and Measuring Systems to detect an ongoing emission test, but rather target general (ASAM e.V.). ASAM MCD-2 MC. https://wiki.asam.net/ display/STANDARDS/ASAM+MCD-2+MC. peculiarities of those tests. For example, emission tests are [2] Michael A. Bender, Mart´ın Farach-Colton, Giridhar Pemmasani, Steven comparably short, which opens up the possibility to simply Skiena, and Pavel Sumazin. Lowest Common Ancestors in Trees and stay in a compliant mode for as long as the average emission Directed Acyclic Graphs. In Journal of Algorithms, 2005. test is carried out and switch to a more harmful emissions [3] Robert J. Blaszczak. EPA Technical Bulletin: Nitrogen Oxides (NOx) – Why and How They are Controlled. https://www3.epa.gov/ policy afterwards. The Fiat defeat device we discussed earlier ttncatc1/cica/other7_e.html, 1999. belongs to this category. In principle, an ECU can leverage [4] Robert N. Charette. This Car Runs on Code. IEEE Spectrum, 46(3), all available sensors in an attempt to fingerprint the testing 2009. [5] Jong-Deok Choi, Ron Cytron, and Jeanne Ferrante. Automatic Con- environment, for example by measuring the temperature or the struction of Sparse Data Flow Evaluation Graphs. In ACM Symposium ambient pressure since both are also standardized. In addition on Principles of Programming Languages (POPL), 1991. to software-based methods, hardware-based approaches such [6] Ron Cytron, Jeanne Ferrante, Barry K. Rosen, Mark N. Wegman, and F. Kenneth Zadeck. Efficiently Computing Static Single Assignment as over-inflating tires for dynamometer tests also fall into Form and the Control Dependence Graph. In ACM Transactions on this category. Our coverage of such passive defeat devices is Programming Languages and Systems (TOPLAS), 1991. limited since we focus on curve-based defeat devices. This is [7] DieselNet. Emission Test Cycles. https://www.dieselnet.com/ standards/cycles. mostly due to the fact that the latter approach provides higher [8] Christof Ebert and Capers Jones. Embedded Software: Facts, Figures, means of confidentiality. Still, tracking the data flow in the and Future. Computer, 42(4), 2009. code and analyzing whether certain sensor conditions influence [9] Felix Domke. Software Defined Emissions, 33C3. https://media. ccc.de/v/33c3-7904-software_defined_emissions. the Exhaust Gas Recirculation (EGR) or other subsystems [10] Felix Domke and Daniel Lange. The exhaust emissions scandal related to emission control might enable the detection of such (“Dieselgate”), 32C3. https://media.ccc.de/v/32c3-7331-the_ passive devices. As part of future work, we plan to study the exhaust_emissions_scandal_dieselgate. [11] Fiat Chrysler Automobiles. FCA on Real Driving Emissions. https:// viability of such an approach and evaluate if we can detect www.fcagroup.com/en-US/media_center/fca_press_release/ Fiat’s defeat device in an automated manner. 2016/february/Pages/fca_on_real_driving_emissions.aspx, We implemented our approach in a tool called CURVEDIFF. 2016. [12] Ulrich Flaig, Wilhelm Polach, and Gerhard Ziegler. Common Rail Given that we perform an intra-procedural analysis, we might System (CR-System) for Passenger Car DI Diesel Engines; Experiences miss certain ways how a defeat device can be implemented with Applications for Series Production Projects. In SAE Technical and an inter-procedural analysis could enhance the soundness Paper. SAE International, 1999. [13] Hex-Rays SA. Product Page for the Interactive Disassembler. https: of our implementation. Furthermore, our analysis can be //www.hex-rays.com/products/ida. extended to take more primitive building blocks such as timers [14] Laura Myers. GM Forced to Recall Cadilacs with Emission ‘Defeat and multiplexers into account to deepen the knowledge about Device’. http://www.apnewsarchive.com/1995/GM-Forced- to-Recall-Cadillacs-With-Emission-Defeat-Device-/id- the relation of various components in the detection logic. 4b030c7601a14dcc8208fcc1d1bd30cc, 1995. [15] New York State Office of the Attorney General. NY A.G. Schneiderman, VIII.CONCLUSION Massachusetts A.G. Healey, Maryland A.G. Frosh Announce Suits Against Volkswagen, Audi And Porsche Alleging They Knowingly As software control becomes a pervasive feature of complex Sold Over 53,000 Illegally Polluting Cars And Suvs, Violating State systems, regulators in the automotive domain (as well as many Environmental Laws. http://www.ag.ny.gov/press-release/ny- others) will be faced with certifying software systems whose ag-schneiderman-massachusetts-ag-healey-maryland-ag- frosh-announce-suits-against, 2016. manufacturers have an immense financial incentive to cheat. [16] Robert Bosch GmbH. Diesel Engine Management. John Wiley & Sons In this paper, we described two families of defeat devices used Ltd., fourth edition, 2005.

16 801875f0 call32 re_10 #800b64f0 a4_7 d4_10 80187600 call32 re_11 #800b64f0 a4_8 d4_11 8018755c call32 re_6 #800b64f0 a4_3 d4_6 8018756c call32 re_7 #800b64f0 a4_4 d4_7 8018750c call32 re_4 #800b64f0 a4_1 d4_4 8018751c call32 re_5 #800b64f0 a4_2 d4_5 801875a6 call32 re_8 #800b64f0 a4_5 d4_8 801875b6 call32 re_9 #800b64f0 a4_6 d4_9 8018763a call32 re_12 #800b64f0 a4_9 d4_12 8018764a call32 re_13 #800b64f0 a4_10 d4_13 80187694 call32 re_15 #800b64f0 a4_12 d4_15 80187684 call32 re_14 #800b64f0 a4_11 d4_14 801876de call32 re_17 #800b64f0 a4_14 d4_17 801876ce call32 re_16 #800b64f0 a4_13 d4_16 8018788a call32 re_23 #800b64f0 a4_20 d4_23 8018787a call32 re_22 #800b64f0 a4_19 d4_22 801877fc call32 re_21 #800b64f0 a4_18 d4_21 801877ec call32 re_20 #800b64f0 a4_17 d4_20 8018776e call32 re_19 #800b64f0 a4_16 d4_19 8018775e call32 re_18 #800b64f0 a4_15 d4_18 re_10 re_11 re_6 re_7 re_4 re_5 re_8 re_9 re_12 re_13 re_15 re_14 re_17 re_16 re_23 re_22 re_21 re_20 re_19 re_18

801875f0 cconv.w d2_21 re_10 80187600 cconv.w d2_22 re_11 8018755c cconv.w d2_11 re_6 8018756c cconv.w d2_12 re_7 8018750c cconv.w d2_6 re_4 8018751c cconv.w d2_7 re_5 801875a6 cconv.w d2_16 re_8 801875b6 cconv.w d2_17 re_9 8018763a cconv.w d2_26 re_12 8018764a cconv.w d2_27 re_13 phi d9_3 [d9_1 d9_2 d9_2 d9_2] 80187694 cconv.w d2_32 re_15 80187684 cconv.w d2_31 re_14 801876de cconv.w d2_37 re_17 801876ce cconv.w d2_36 re_16 8018788a cconv.w d2_54 re_23 8018787a cconv.w d2_53 re_22 801877fc cconv.w d2_48 re_21 801877ec cconv.w d2_47 re_20 8018776e cconv.w d2_42 re_19 8018775e cconv.w d2_41 re_18 d2_21 d2_22 d9_3 d2_11 d2_12 d9_3 d2_6 d2_7 d9_3 d2_16 d2_17 d9_3 d2_26 d2_27 d9_3 d9_3 d2_32 d9_3 d2_31 d2_37 d9_3 d2_36 d2_54 d9_3 d2_53 d2_48 d9_3 d2_47 d2_42 d2_41

801875fa mov16 d15_96 d2_21 80187604 ge d2_23 d2_22 d9_3 80187566 mov16 d15_78 d2_11 d9_3 80187570 ge d2_13 d2_12 d9_3 80187516 mov16 d15_71 d2_6 d9_3 80187526 ge d2_8 d2_7 d9_3 801875b0 mov16 d15_87 d2_16 d9_3 801875ba ge d2_18 d2_17 d9_3 80187644 mov16 d15_105 d2_26 d9_3 8018764e ge d2_28 d2_27 d9_3 d9_3 80187698 ge d2_33 d2_32 d9_3 d9_3 d9_3 8018768e mov16 d15_114 d2_31 801876e2 ge d2_38 d2_37 d9_3 d9_3 801876d8 mov16 d15_123 d2_36 8018788e ge d2_55 d2_54 d9_3 d9_3 80187884 mov16 d15_177 d2_53 80187800 ge d2_49 d2_48 d9_3 d9_3 801877f6 mov16 d15_159 d2_47 80187772 ge d2_43 d2_42 d9_3 80187768 mov16 d15_141 d2_41 d15_96 d2_23 d15_78 d2_13 d15_71 d2_8 d15_87 d2_18 d15_105 d2_28 d2_33 d15_114 d2_38 d15_123 d2_55 d15_177 d2_49 d15_159 d2_43 d15_141

8018760c and.ge d2_24 d2_23 d9_3 d15_96 80187578 and.ge d2_14 d2_13 d9_3 d15_78 8018752e and.ge d2_9 d2_8 d9_3 d15_71 801875c2 and.ge d2_19 d2_18 d9_3 d15_87 80187656 and.ge d2_29 d2_28 d9_3 d15_105 801876a0 and.ge d2_34 d2_33 d9_3 d15_114 801876ea and.ge d2_39 d2_38 d9_3 d15_123 80187892 and.ge d2_56 d2_55 d9_3 d15_177 80187804 and.ge d2_50 d2_49 d9_3 d15_159 80187776 and.ge d2_44 d2_43 d9_3 d15_141 d2_24 d2_14 d2_9 d2_19 d2_29 d2_34 d2_39 d2_56 d2_50 d2_44

80187612 xor32 d2_25 d2_24 #1 8018757e xor32 d2_15 d2_14 #1 80187534 xor32 d2_10 d2_9 #1 801875c8 xor32 d2_20 d2_19 #1 8018765c xor32 d2_30 d2_29 #1 801876a6 xor32 d2_35 d2_34 #1 801876f0 xor32 d2_40 d2_39 #1 phi d8_20 [d8_17 d8_19] 80187898 xor32 d2_57 d2_56 #1 phi d8_16 [d8_13 d8_15] 8018780a xor32 d2_51 d2_50 #1 phi d8_12 [d8_9 d8_11] 8018777c xor32 d2_45 d2_44 #1 d2_25 d2_15 d2_10 d2_20 d2_30 d2_35 d2_40 d8_20 d2_57 d8_16 d2_51 d8_12 d2_45

8018761c jz16 d2_25 #80187622 80187588 jz16 d2_15 #8018758e 8018753e jz16 d2_10 #80187544 801875d2 jz16 d2_20 #801875d8 80187666 jz16 d2_30 #8018766c 801876b0 jz16 d2_35 #801876b6 801876fa jz16 d2_40 #80187700 8018789c or16 d2_58 d2_57 d8_20 8018780e or16 d2_52 d2_51 d8_16 80187780 or16 d2_46 d2_45 d8_12

d2_58 d2_52 d2_46 Fig. 10: A part of a connected component in the data-flow forest of the defeat device. It can be seen how the boundaries obtained via two calls to the SrvX IpoCurveS16 (at 0x800b64f0) are compared against the covered distance (in d93). Specifically, following the two leftmost curve calls (at 0x8018763a 801878a4 jz16 d2_58 #801878aa 80187816 jz16 d2_52 #8018781c 80187788 jz16 d2_46 #8018778e and 0x8018764a), we end up with the forward join node at 0x80187656 (and.ge d2, d2, d9, d15), implementing the interval check. Similarly, the φ node defining d93 is a backward join node, whose definition equals to the distance covered so far. Continuous lines represent data flow of the labeled variable, whereas dotted lines show control dependencies.

TABLE IV: Overview of various test cycles used for emissions testing. The first segment details tests following US EPA and CARB legislation, the second APPENDIX segment is relevant to EU law, and the last segment shows international /begin MEASUREMENT standards. Information follows [7], [20]. InjCrv stNsCharCor "Status der Akustikbedingung" Abbreviation Full Name UBYTE EPA IM-240 Inspection and Maintenance OneToOne FTP-75, EPA-75 Federal Test Procedure 1 EPA HWFET Highway Fuel Economy Driving Schedule 100 SFTP SC03 Speed Correction Driving Schedule, SC03 SFTP 0 .00 CARB LA92 “Unified” Dynamometer Driving Schedule, Unified 255 .0 Cycle FORMAT "%5.1" CADC-RURAL Common Artemis Driving Cycles, Rural Road Cycle ECU_ADDRESS 0xC0000CDD CADC-URBAN Common Artemis Driving Cycles, Urban Cycle / end MEASUREMENT UN/ECE 15 ECE Elementary Urban Cycle UN/EUDC ECE Extra-Urban Driving Cycle /begin CHARACTERISTIC UN/EUDCL ECE Extra-Urban Driving Cycle for Low-Powered AirCtl numInjChar CA Vehicles "Abgasstrategie fÃ r AirCtl und VswCtl" NEDC New European Driving Cycle MAP WLTP Worldwide Harmonized Light Vehicles Test Proce- 0 x801C5A34 dure Map_Xu8Yu8Wu8 255 .0 OneToOne 0 .00 255 .0 [17] The Telegraph. Diesel emissions scandal: Fiat under investigation. http://www.telegraph.co.uk/cars/news/diesel- FORMAT "%5.1" emissions-scandal-fiat-under-investigation, 2016. EXTENDED_LIMITS 0.00 255.0 [18] United States Environmental Protection Agency. Notice of Vio- lation. https://www.epa.gov/sites/production/files/2015- /begin AXIS_DESCR 10/documents/vw-nov-caa-09-18-15.pdf, 2015. STD_AXIS [19] US Code of Federal Regulations. 40 CFR §86. InjCrv_stNsCharCor [20] US Environmental Protection Agency (EPA). Dynamometer OneToOne Drive Schedules. https://www.epa.gov/vehicle-and-fuel- ... emissions-testing/dynamometer-drive-schedules. [21] Volkswagen of America, Inc. Self Study Program 826803: 2.0 Liter TDI Listing 1: Excerpt from an A2L file, depicting metadata given for Common Rail BIN5 ULEV Engine. http://www.natef.org/natef/ the acoustic condition InjCrv stNsCharCor as well as the array media/natefmedia/vw\%20files/2-0-tdi-ssp.pdf, 2008. AirCtl numInjChar CA. In the latter case, it is evident how the x axis [22] WirtschaftsWoche Online. Kommt der zweite Abgasskandal aus Italien? is indexed by the acoustic condition. Akin to regular symbol files, the http://www.wiwo.de/unternehmen/auto/fiat-500x-doblo- ECU ADDRRESS entry identifies the address of the variable in the firmware und-jeep-renegade-kommt-der-zweite-abgasskandal-aus- image. italien/14483066.html, 2016.

17 AirCtl_DesValCalc 2.7.0;3 816/8771

Korrekturen für den Basiswert - Block VarDesVal1Cor (Inl3) [VarDesVal1Cor]

Abbildung 540 [airctl_desvalcalc_21]AirCtl_stI njSel AirCtl_mDe s Ba s PiI1HiAltd_MAP Env P_ pAirCtl_trqDesValAirCtl_mDe s I n t Mnf DsCor _ CURAirCtl_mDe s Ba s PiI3HiAltd_MAP AirCtl_mDe s Ba s PiI1_MAP AirCtl_facEnvPresCorPiI1_CURAirCtl_mDe s V a l1_ mpAirCtl_mDe s Ba s PiIHiAltd_mpAirCtl_facEnvPresCorPiI3_CURAirCtl_qDesValAirCtl_mDe s Ba s PiI_mpAirCtl_facEnvPresCorPiI_mpAirCtl_qMonDesBas_ mpASMod_ t I nt Mnf DsAirCtl_mDe s Ba s PiI3_MAP AirCtl_mDe s Ba s PiI2_MAP AirCtl_MinTr mVal_C AirCtl_mDe s V a1Cor l _ mpAirCtl_facEnvPresCorPiI2_CURAirCtl_TrmVal_mpAirCtl_MaxTr mVal_C AirCtl_numPiI3_CAirCtl_numPos I njCha r I njCr v _ s t I njCha r Ac t V aAi lrCtl_stDesSelInjCha r _ CAirCtl_numPiI1_CAirCtl_numInjCha r _ CA I njCr v _ s t Ns Cha r CorAirCtl_numDe s Ba s MAP AirCtl_numInjCha r _ mpAirCtl_numPiI2_CAirCtl_tiDe s I n jCha r Chng Dly_C AirCtl_stDesI njCha r Chng _ mp

!"#$%&'(%6-(,-&)*+$J4#'$. !"#$%&'%"6-()*+$J4#$J*H6&7'$. !"#$%&'(%6-()*+$J4#$J*H'=L. )*+,7('X-%)*+$J4#!P% G-&47Q"=- ("H*4& 59% 6% )*+$#:'(%)*+$J4#!P%84& ,#:';"%W"(-!S6. 6-&4784&9-. ,#:'Q#*REE6&7. GQ.

6-&4784&9-. !"#$%&'*9=6-(;4(3!/. /")0./")1./")2..34"*../5)0../5)1../5)2 /5("%"5*.2...... >...... >...... >...... 2...... >...... >...... > /5("%"5*.1...... >...... >...... 2...... 2...... >...... >...... > 0 /5("%"5*.0...... >...... 2...... 2...... 2...... >...... >...... > /5("%"5*.?...... 2...... 2...... 2...... 2...... >...... >...... > )*+$#:'(%S($J4#$5#. /5("%"5*.@...... >...... >...... >...... 2...... 2...... >...... > ,#:'KGH-;"L5&. /5("%"5*.A...... >...... >...... 2...... 2...... 2...... >...... > 1 /5("%"5*.B...... >...... 2...... 2...... 2...... 2...... >...... > /5("%"5*.C...... 2...... 2...... 2...... 2...... 2...... >...... > !"#$%&'*9=)*+$J4#'$!.YS$. ,#:'KGH-;"L5&. /5("%"5*.D...... >...... >...... >...... 2...... 2...... 2...... > 2 /5("%"5*.2>.....>...... >...... 2...... 2...... 2...... 2...... > /5("%"5*.22.....>...... 2...... 2...... 2...... 2...... 2...... > ,#:'KGH-;"L5&. > /5("%"5*.21.....2...... 2...... 2...... 2...... 2...... 2...... > /5("%"5*.20.....>...... >...... >...... 2...... 2...... 2...... 2 !"#$%&'*9=/5()*+$J4#. !"#$%&'*9=)*+$J4#'=L. !"#$%&'(%)*+,-&. /5("%"5*.2?.....>...... >...... 2...... 2...... 2...... 2...... 2 !"#$%&'*9=/")2'$. /5("%"5*.2@.....>...... 2...... 2...... 2...... 2...... 2...... 2 *9=)*+$J4# /5("%"5*.2A.....2...... 2...... 2...... 2...... 2...... 2...... 2 /5("%"5*.2B.....2...... >...... 2...... 2...... >...... >...... > !"#$%&'*9=/")1'$. /5("%"5*.2C.....2...... >...... >...... 2...... >...... >...... > /5("%"5*.2D...... 6-E49&% !"#$%&'*9=/")0'$.

!"#$%&'=6-(84&2'=L. =6-(84&2 !"#$%&'=6-(;4(/")F"!&%G'=L.

%#4*("%"5*'E"&%-#"*H !"#$%&'=6-(;4(/")2F"!&%G'3!/. (%$J*H (%$J*H =6-(;4(I&% !"#$%&'*K*H>. !"#$%&'=6-(;4(/")'=L. =6-(;4( !"#$%&'=6-(;4(/")2'3!/.

K*:/'L. !"#$%&'E4PK*:/#-($5#/")'=L. !"#$%&'E4PK*:/#-($5#/")2'$NO. !"#$%&'=6-(;4(/")F"!&%G'=L.

!)O$Q<',KQ/R)SQ$!<$'QOT;!,K6',U. !"#$%&'=6-(;4(/")1F"!&%G'3!/.

!"#$%&'=6-(;4(/")'=L. !"#$%&'=6-(;4(/")1'3!/.

!"#$%&'E4PK*:/#-($5#/")'=L. !"#$%&'E4PK*:/#-($5#/")1'$NO. !"#$%&'=6-(;4(/")F"!&%G'=L.

!"#$%&'M35*6-(;4('=L. !"#$%&'=6-(;4(/")0F"!&%G'3!/. !"#$%&'M6-(84&. !"#$%&'=6-(;4(/")'=L. !"#$%&'%#M6-(84&. !"#$%&'=6-(;4(/")0'3!/.

!)O$Q<'36K,KK/$RO',U. !"#$%&'E4PK*:/#-($5#/")'=L. !"#$%&'E4PK*:/#-($5#/")0'$NO.

!"#$%&'=6-(84&2$5#'=L. !,35G'%)*%3*E6(. !"#$%&'=6-()*%3*E6($5#'$NO. =6-(84&2$5# !"#$%&'34VQ#=84&'$.

!"#$%&'3"*Q#=84&'$. !"#$%&'Q#=84&'=L.

KK/OR3'84&9-. ,#:;'<"="% Fig. 11: Acoustic condition (signal InjCrv stNsCharCor) used to modify the desired air mass correction mDesVal1Cor, which modiﬁes the desired air massMitunter from whichtreten the die amount Wechsel of airder recirculated Einspritzstrategie is computed. für nurAirCtl wenigenumInjChar AbtastschritteCA is auf. a two-dimensional In diesem Fall array. braucht The die acoustic Luftmassenregelung condition is used togar select nicht eitherangepasst row. From zu werden. the EDC17C54 Deshalb P wird 874 function die Umschaltung sheet. Shading des addedLuftmassensollwertes by the authors. Copyright über die Robert einstellbare Bosch GmbH. Zeitdauer AirCtl_tiDesInjCharChng- Dly_C noch zusätzlich verzögert.

Die Einspritzcharakteristik liegt als Statusbotschaft vor, in der jeder aktiven Vor-, Haupt- und Nacheinspritzung ein Bit zugeordnet ist. Abhängig von den Werten AirCtl_stInjSel und InjCrv_stNsCharCor,überdieMatrixAirCtl_numInjChar_CA,wirddasKennfeldAirCtl_m- DesBasPiI1_MAP / AirCtl_mDesBasPiI2_ MAP / AirCtl_mDesBasPiI3_MAP oder mDesVal1 verwendet und die zugehörigen Messpunkte AirCtl_mDesBasPiIHiAltd_mp / AirCtl_mDesBasPiI_mp / AirCtl_facEnvPresCorPiI_mp beschrieben. Damit die Steuerung in Air- Ctl_CtlValCalc und VswCtl gleichzeitig dazu angepasst werden kann, wird der Wert von AirCtl_stInjSel mit der Schnittstelle AirCt- l_stInjSel weitergeleitet. Um Einspritzmengen, auf die man nicht unterschiedlich reagieren will, ausblenden zu können, wird die Einspritzcha- rakteristik mit der Maske AirCtl_stDesSelInjChar_C noch zusätzlich verknüpft.

Abhängig von der Einspritzcharakteristik kann applikative über AirCtl_numPiI1_C - AirCtl_numPiI3_C die Schalterstellung für die Motor- temperaturkorrektur des Luftmassensollwertes vorgegeben werden. Der Wert von AirCtl_numPosInjChar wird die verwendete kennfelder (0 bis 3) zeigen. 18 Tabelle 479 Anzahl der Voreinspritzungen

Einspritzcharakteristik ( AirCtl_numDesBasMAP) numInjChar / AirCtl_numInjChar_mp

12.08.2009 | M1754VQC874 M5F13;2 | AirCtl_DesValCalc | 3.91 (2.3a) | © Alle Rechte bei Robert Bosch GmbH, auch für den Fall von Schutzrechtsanmeldungen. Jede Verfügungsbefugnis, wie Kopier- und Weitergaberecht, bei uns. NSCRgn_RlsLogic 14.1.0;0 7916/12547

For the regeneration of the NOx storage catalyst to be effective, the air mass deviation must lie within a deﬁned range. The DeNOx regeneration abortion due to an air mass deviation from the target value takes place as follows:

The static air mass deviation AirCtl_rGovDvtNrmAirStat or dynamic air mass deviation AirCtl_rGovDvtNrmAirDyn which can be selected by NSCRgn_swtRGovDvtNrmAirIntr_C should not lie within the time limits of the curves NSCRgn_rMADTDNOxMin_CUR and NSCRgn_r- MADTDNOxMax_CUR depending on DeNOx time NSCRgn_tiDNOx. Furthermore, the condition that a DeNOx regeneration is pending at all must be met. This is ensured via a query with the mask NSCRgn_stDNOxMsk_C from the status word of the operating-modes coordinator CoEOM_- stOpModeAct. The measuring point NSCRgn_stDNOxActv_mp displays the status of a DNOx regeneration. If NSCRgn_stIntrMADDNOx_mp= TRUE, the DeNOx regeneration is aborted.

Activation conditions to trigger the DeNOx event during homologation cycle

Figure 5444 NSCRgn_RlsLogic/NSCRgnRlsLogic/RegenerationReleaseLogic/ReleaseLogicDNOx/DNOx_during_Homologation [NSCRgn_RlsLogic.NSCRgn- RlsLogic.RegenerationReleaseLogic.ReleaseLogicDNOx.DNOx_during_Homologation]

tiSnceFrstRunngRed CoEng_tiSnceFrstRunngRed stTiCoEngHmlg

RlsRunngTi

volFlConsDrvCyc FlSys_volFlConsDrvCyc stvolFlConsHmlg

RlsVolFl

stHmlgOrRDDNOx stHmlgOrRDDNOx NSCRgn_stNSC stNSC NSCRgn_stDem stDem stDNOxEveHmlg NSCRgn_tiDNOx tiDNOx RlsDNOxEve NSCRgn_tEngRls1_mp tEng

EngDa_tFld stEngTHmlg

NSCRgn_numEngTempRls1_C RlsEngT

tClnt

EngDa_tFld stCltTHmlg

RlsClntT NSCRgn_numClntTempRls_C stNSC Epm_nEng nEng stTiNoNSCRgnHmlg stDNOxHmlg NSCRgn_tiNoNSCRgn tiNoNSCRgn Fig. 12: Part of the NOx regeneration release logic “during homologation cycle” from function sheet EDC17C69 P 1264 for Fiat 500X. The homologation releaseNSCRgn_RlsLogic signal requires multiple 14.1.0;0 signals to be asserted, including stTiCoEngHmlgRlsTiNoNSCRgn(Section IV-D). It is only asserted if engineNSCRgn_stDNOxHmlg_mp running time does7921/12547 not exceed NSCRgn tiCoEngMaxHmlg C, set to 1600 seconds in the 55265162 Fiat 500X ﬁrmware image. Copyright Robert Bosch GmbH. NSCRgn_tEngRls2_mp nEng tEng stRlsnEngHmlg EngDa_tFld RlsNEng FigureNSCRgn_numEngTempRls2_C 5456 NSCRgn_RlsLogic/NSCRgnRlsLogic/RegenerationReleaseLogic/ReleaseLogicDNOx/DNOx_during_real_driving [NSCRgn_RlsLogic.NSCRgnRls- Logic.RegenerationReleaseLogic.ReleaseLogicDNOx.DNOx_during_real_driving] VehV_v v stHmlgOrRDDNOx tEng S 0 stRlsvHmlgout R NSCRgn_stRgnRnngRd_mp NSCRgn_tiWaitNoNSCRgnRd_C RlsVehVSrvB_RSFF_4 NSCRGN_STNSC_NONSCRGN_BP compute qSetUnBal InjCtl_qSetUnBal nEng NSCRgn_stNSC stRlsInjQntyHmlg NSCRgn_stWaitNoNSCRgnRd_mp TurnOnDelay_2tEng CounterEnabled RlsInjQnty compute tAir NSCRgn_ctRgnRd NSCRGN_END_SENS_BP AirSys_tFld stAirTHmlg reset true NSCRgn_numAirTempRls_C RlsAirT Edge_Rising_2 NSCRGN_END_LOAD_BP tStrt EngDa_tStrt NSCRgn_stDem stDNOxStrtTHmlg NSCRGN_END_TIME_BP RlstStrt stDNOxRd

S NSCRgn_ctRgnMaxRd_C The DNOx-regeneration during homologation cycle is triggered if one of the followingout four conditions is fullﬁlled: R NSCRgn_stRgnEndRd_mp SrvB_RSFF_6 L Engine Running Time in current driving cycle CoEng_tiSnceFrstRunngRed is less than or equal to the threshold NSCRgn_tiCoEngMax-NSCRgn_stDNOxEveRd_mp Hmlg_C NSCRgn_tiDNOx

NSCRgn_tiDNOxThresh1Rd_C

2013-10-21 | P1264_Fiat_DSNSCRgn_tiDNOxThreshHmlgRd_C B05A_DOCUMENTATION;0 | NSCRgn_RlsLogic | 4.1.3b (2.13.2) | © Robert Bosch GmbH reserves all rights even in the event of industrial Fig.property 13: Part rights. of Wethe reserve NOx regeneration all rights of releasedisposal logic such “during as copyingreal anddriving” passing from on to function third parties. sheet EDC17C69 P 1264 for Fiat 500X. First element controls release based on engine running time. A parallel logic block controls release “during real driving.” Copyright Robert Bosch GmbH.

NSCRgn_swtHmlgMon_C false DSM_DFCType DSM_GetCheckStatus DSM_GetSFCTst 19 DFC_id DFC_NSCSlip2SplyRat SFC_id

Figure 5457 NSCRgn_RlsLogic/NSCRgnRlsLogic/RegenerationReleaseLogic/ReleaseLogicDNOx/Kind_Of_Request [NSCRgn_RlsLogic.NSCRgnRlsLogic.Re- generationReleaseLogic.ReleaseLogicDNOx.Kind_Of_Request]

stDNOxRqHmlg 2 NSCRgn_stHmlgOrRdDNOx

0 NSCRgn_stHmlgOrRdDNOx

stDNOxRqRd 1 NSCRgn_stHmlgOrRdDNOx

stHmlgOrRdDNOX NSCRgn_stHmlgOrRdDNOx

Calculation of the DeNOx regeneration release status word and the DeNOx regeneration abortion status word [St- WdRlsLogicDNOx]

The bit words for the regeneration release NSCRgn_stRlsDNOxWd_mp and for the long NSCRgn_stIntrLonDNOxWd_mp as well as for the short NSCRgn_stIntrShrtDNOxWd_mpDeNOx regeneration abortion, are formed depending on the individual regeneration release and abort conditions, which are included as status bits. The result of the evaluation of the bit words is represented in NSCRgn_stRlsLogic.0 und NSCRgn_stRlsLogic.16, NSCRgn_stRlsLogic.17, and NSCRgn_stRlsLogic.18. Using the two masks NSCRgn_stIntrShrtDNOxMsk2_C and NSCRgn_stIntrLonDNOxMsk2_C it is also possible to deﬁne whether a DeNOx regeneration is to be aborted directly, i.e. stepwise, or via the ramp function. Additionally, it is also possible to determine the operating mode and the sublevels, where a ramp-shaped abortion is to be

2013-10-21 | P1264_Fiat_DS B05A_DOCUMENTATION;0 | NSCRgn_RlsLogic | 4.1.3b (2.13.2) | © Robert Bosch GmbH reserves all rights even in the event of industrial property rights. We reserve all rights of disposal such as copying and passing on to third parties. 80187214, proﬁle 2 80187214, proﬁle 3 10 10 LA92 US06 9 9

8 8

7 7

6 6

5 5

km (total) 4 km (total) 4

3 3

2 2

1 1

0 0 0 200 400 600 800 1000 1200 1400 1600 1800 0 200 400 600 800 1000 1200 1400 1600 1800 seconds seconds 80187214, proﬁle 4 80187214, proﬁle 5 10 10 SC03 HWFET 9 9

8 8

7 7

6 6

5 5

km (total) 4 km (total) 4

3 3

2 2

1 1

0 0 0 200 400 600 800 1000 1200 1400 1600 1800 0 200 400 600 800 1000 1200 1400 1600 1800 seconds seconds 80187214, proﬁle 6 80187214, proﬁle 10 10 10 N ECE-15 CADC-RURAL 9 9 SC03 8 8

7 7

6 6

5 5

km (total) 4 km (total) 4

3 3

2 2

1 1

0 0 0 200 400 600 800 1000 1200 1400 1600 1800 0 200 400 600 800 1000 1200 1400 1600 1800 seconds seconds Fig. 14: Remaining curve checks testing against various emissions test cycles in the ﬁrmware for a VW Passat, released 12/2014 (EDC17C54, software part number 03L906012, revision 7444), completing Figure 3. The area in which the software reports the driving proﬁle to match is colored white. The legend lists the known matching test cycles, ⊗ indicates an additional steering wheel check.