Hello, everyone, welcome to the Hack Chat! I'm Dan, I'll be moderating today along with Dusan for Matthew Alt as we talk about reverse engineering in all its many forms!
@wrongbaud - Did I see you online already? I think I did...
Hi everyone!
\o
Hi Dule!
Yup!
Hello Dan!
Hey Dan
Hey there, welcome aboard!
Drat these fat fingers...
Anyway, welcome - I think most of us know a little about you, but maybe you can fill us in on your background a bit?
@Dan Maloney Normally I blame autocorrect
"It's a poor craftsman what blames his tools," as AvE would say ;-)
Sure! My name is Matt Alt (@wrongbaud) - I am a reverse engineer who focuses on embedded systems. My RE journey began at an ECU tuning shop in college where my job was to reverse engineer various automotive controllers. You can find some examples of my work on my personal blog: https://wrongbaud.github.io and my consulting blog: https://voidstarsec.com/blog
If you are interested in learning more about reverse engineering, check out our Hackaday course that we put together here: https://hackaday.io/course/172292-introduction-to-reverse-engineering-with-ghidra
A few things before we kick off - I won't answer any questions regarding "hacking" facebook, instagram or other social media sites. I am happy to talk firmware extraction and analysis, low level interfaces, glitching, assembly languages and everything in between!
Excellent point -- we often get those requests here, sometimes mid-chat.
Funny you mention ECU hacking -- a friend recently had an emergency situation while driving where the car shut down because he needed to back up fast. He'd love a hack to prevent the anti-collision sensors from shutting the damn car off.
Not asking for specific help, mind you -- just thought it would be an interesting case to talk about.
Definitely, I worked in the space from 2012-2016 and we mostly focused on engine controllers, our end goal was usually to reflash the engine controller with modified software for performance benefits.
I imagine that we are going to see a lot of cool security research in the coming years with these "assistance" features, they seem like a good target
What do you think about the future of reverse engineering given the increasing role of security tech (secure boot, measured software, encrypted firmware etc.)? Is it same old same old or a qualitative change?
I think that there is always going to be low hanging fruit for people to learn with, but for more hardened targets I imagine we are going to see a lot more in the realm of fault injection techniques
I assume when you hacked the ECUs you downloaded the code and found the fuel maps, tweaked them, and flashed it back? I doubt you were reinventing the wheel . . . no pun intended.
wrt ECUs do you have to glitch the MCU, to be able to extract the firmware?
How significant were the performance benefits vs the time spent engineering it?
Correct, remapping, occasionally removing features that were considered detrimental for race times or instrumenting them further
RE: Glitching ECUs, it depends on the specific MCU in use, sometimes yes, sometimes no
How can I turn off the feature that shuts the damn car off every time I'm at a red light?
@Mark J Hughes - I flippin' hate that! You're just a sitting duck if something happens!
RE: Performance benefits, it would depend a lot on the car, for a turbocharged car sometimes we could squeeze anywhere between 25-50HP, for NA vehicles it was most about changing things like throttle response, etc to make the car drive more aggressively
Here is a review of what the company is doing now: https://www.onlyrevo.com/blog/evo-magazine-revo-golf-r-stage-1-review/
On hybrids, it doesn't affect reaction time---electric drive is always-on, right? I got used to the ICU starting at random times.
@Dan Maloney I know! There's a button I can press to shut it off -- but it resets every time. I know there's some CANbus command I can issue -- but then I have to plug in. And let's face it -- If I can't be bothered to press a little button, I'm not creating a custom CAN bus interface.
small world
BTW, do you know if hybrids have 2 separate ECUs or one for both engines?
I don't, I'm not very familiar with hybrid vehicle ECUs
@charliex do you currently work in the tuning industry? I've been out of it for some time now!
Don't want to get hung up on ECUs, but a question about logistics: If you're glitching an ECU, do you do it on the car? Or can you pull it out and glitch it on the bench?
@wrongbaud started doing RE work of ECUs in about 2005 for lotus/EFI, then did lambo/ferrari, tricores/bosch, genesis and so on, wrote tuning software, and a lot of dyno tuning work too! :) I stopped doing it around 2011 since I just got burned out with it, but I know revo, did a lot of stuff via turboxs/jermaine if you know him. Still do some occasionally to help out or interesting stuff but yeah not so much,
Hello. Any tips as far as how-tos, books, etc. on reverse engineering RF signals? I'd like to give my neighbor's weather station a shot. Those things are expensive to buy!
Very cool! They are a great group of folks, I started with them when STASIS was still around - they had an office at a racetrack in West Virginia near my college
@murrij I'm not extremely well versed in the space and have limited experience, but this lecture helped me a ton:
@murrij -- Funny, the next Hack Chat (Oct 12) will be about RF hacking!
yeah we did some work with them, always fun to work with talented folks. Anyway, don't want to derail :)
Are you liking Ghidra over IDA Pro? I haven't really switched
@wrongbaud Thank you. Black Hills Security is good people. I hadn't seen that presentation.
@Dan Maloney Thank you. I'll be there for that Hack Chat.
Definitely - there are some things that I prefer IDA for, but for flat memory maps, bespoke processors and scripting I really like Ghidra
PCode emulation is extremely powerful as well, and since all processor modules are written in SLEIGH you can emulate _almost_ anything with a little elbow grease ;)
yeah I tried it a few times last year, but it was a little clunky, seems like it's really coming along. Just stuck on the devil you know. I might give it another try
You should! Like anything I don't think there is a right or wrong answer, I use a combination of both, but I prefer Ghidra for embedded stuff and IDA for Windows stuff/C++
I have a blog post here about PCode emulation where I use it to brute force all of the possible passwords for a Game Boy Advance game: https://wrongbaud.github.io/posts/kong-vs-ghidra/
yeah, I usually use the Lauterbach ICE since it's pretty much what OEMs use, but it's also clunky. And he keeps playing around with the licensing :)
GBAs are great, make awesome tuning tools too!
Very nice! I have actually never used those tools before on any automotive targets, how much is the license for those tools if you don't mind me asking?
I always buy my Lauterbach units off eBay and they're licensed to the hardware, you can use their sim/emulation software for free though if you're not doing hw ICE. There is always some Silicon Valley company going out of business, and of course with any new startup they rush out and buy all the best gear.. some of the stuff we do is mil so they just pay for it, so we get nice bits thru them
trace32 etc
otoh they're about 12K
I remembered looking at them once and having a customer laugh at the price tag, never thought to check ebay for them though, that is a good idea
yeah there are loads on there too, just looked
but the software is free to download and run, so it's only when you do the hardware ICE obv, then it's eBay for all your RE needs
For folks that are looking to get started in the RE space, OpenSecurityTraining is an excellent place to start:
From there you can branch out to things like our Ghidra course we have here and other CTFs/wargames
FYI, I'll post a transcript right after the Chat in case you need to refer back to links, etc.
Joe Grand teaches courses too.
I used to think that if I was good enough at Reverse Engineering, I could take any device and use it for a different purpose, as long as it had the right peripherals. It seems it is way more complicated than that.
yeah I'm looking at the Spotify Car Thing, they just arrived
@Nathan Harvey And time consuming. You're missing time consuming
There are a lot of great paid courses available, Joe Grand (http://www.grandideastudio.com/hardware-hacking-training/), Joe Fitzpatrick (https://securinghardware.com) and myself (https://voidstarsec.com/training) are some examples for folks who want to learn more about hardware hacking and have a budget
@Nathan Harvey I think it depends heavily on the device you're looking at
@wrongbaud I hope you all charge a lot of money.
You spent a lot of time and effort developing those skillsets.
Colin O'Flynn (NewAE) as well, if you're into hardware hackery, he just brought out a co-authored book a few months ago too.
What tools exist to help in reverse engineering today that weren't around 5 years ago?
I think that the prices are all about the same, I'm launching a remote self directed version of mine next year and have 5 public remote offerings per year. It's cheaper than the standard conference training price.
RE: Tools - Ghidra is a huge one, there have also been a lot of advances in fault injection tooling and resources via things like the ChipWhisperer that make that kind of work much more approachable
@Mark J Hughes absolutely, I wasted so much time before, only to find out I had the wrong board entirely.
I'd pay a lot to avoid bricking my car!
Besides, every time I have the car serviced, the dealer "upgrades" the software.
which would probably wipe out any changes
yeah, a lot of folks have the "do not flash" OBD-II cover
lol mine isn't covered at all
which of course the dealer tries to say means no warranty, but then you roll out the Magnuson-Moss Act
best to buy ECUs off eBay to tinker with if it's an interest
need a sensor emulation suite...
you'd be surprised how little external hardware older ECUs need to run, and they have a lot of little test devices that simulate the basics that are cheap and cheerful
Depending on the ECU sometimes you just need +12V and a little CAN traffic to get them working
start with a pinout?
yeah, find one that's well understood, Subaru/Fords etc
I expose my total ignorance
also there is this, which is super fun: https://github.com/ange-yaghi/engine-sim
entirely different, there's also the Arduino ECU platform that has sim inputs too, it'll teach you the basics of how engine tuning works
and like how not to tune til the engine detonates, which makes me cringe every time I see a tuner do that on road/track or dyno.
amazing. thanks, I'll stop with the noob basics...
@wrongbaud will check out Ghidra again then, thanks for the recommend
It's about time to wrap up now, so I'll just say thanks to Matt for his time today and to everyone else too for the discussion. Thanks all!
Hey folks, I've got to run to another meeting but I'll be checking back here for any other questions that people have, feel free to DM me on here or reach out via twitter if anyone has other questions
And like I said, transcript coming up.
thanks !!
great timing!
Thanks Matt!
Thanks folks, have a good rest of your day!
Thanks everyone!
@djl don't worry about starter questions, we all have to start somewhere and we were all new to something sometime, and still are.. ask away. That's the thing about RE work, it never stops being something new to learn