Discovering Invisible Electronic Tampering

Post on 03-Jul-2018


Overview
1. Drew Tech
2. What is Tampering
3. Common methods of tampering
4. Exploring the OBD2 Simulator
5. Detecting Simulators
6. Flash Reprogramming
7. Summary

Drew Technologies Background
• Located in Ann Arbor, Michigan
• Focused on vehicle networks, OBD2, and ECU communications since 1994
• Reprogramming tools for OEM engineering, end of line, car dealerships, and repair shops for the past 15 years
• Core focus on vehicle communications
• Involved with developing many SAE standards

What is Tampering?
§ Tampering allows shops and vehicle owners to circumvent OBD emissions testing
§ Prior to OBD systems, an emissions test station could circumvent an inspection by running a clean vehicle on the dyno and tailpipe tester
§ Many programs are now moving to OBD testing because of cost, time savings, and simplicity
§ Most electronic and OBD tampering is currently invisible to IM programs
§ Before IM programs start mining data to detect tampering, we need to understand more about how electronic tampering can occur so we know what data to look for

Types of Electronic Tampering

Method: ECU Reflash
• Owner or repair shop reprograms the ECU with a different calibration
• In most cases, this is done to increase performance, towing, or fuel economy
• Some aftermarket calibrations are emissions approved (CARB EO), others are not
Detection level: In most cases invisible if the reflash utilizes the same CVN

Method: Modified sensors
• Catalytic converter delete
• MAF sensor “resistor mod” changes the reported air temp by 10-50 degrees
• IMRC deletes
• EGR delete
Detection level: Can be detected in some cases by having a technician verify electronic readings

Method: Inline “OBD2 Simulator” device
• Cheat on inspection
• Could be used by test stations for clean pipe
Detection level: Depends on the sophistication of the simulator

OBD2 Simulator Challenge
Design an advanced tampering device, then learn how to detect it

Mechanical Design
• Y cable or inline device
• Can be enabled or disabled via BUS message (i.e. 3 horn beeps in under 1 sec)
• Can be hidden in the dash with a standard J1962 mount

Device hardware
• Two independent sets of OBD2 protocols
• One protocol set to talk to the vehicle
• One protocol set to talk to the test equipment

OBD2 Simulator - Continued

Capture vehicle specific info
• Which OBD2 protocols are present
• How many ECUs are present and all details of each ECU (addresses, etc.)
• Which J1979 modes and PIDs are supported by each ECU
• VIN of the vehicle
• All CALIDs and CVNs for each ECU
• How each ECU responds to improper requests

Records a clean configuration
• User can drive their car in a clean configuration and save all data
• User can load a saved configuration from another person who has a similar year, make, model, and engine vehicle

Error Handling
• User can pick what is simulated and what is passed thru
• Device can be configured to let all unknown requests pass thru while simulating known requests
• Some OBD2 networks like J1850VPW, J1850PWM and CAN have background messages that are not related to OBD2 requests. The user may configure the device to pass these messages through or to block them
• Device can respond to unknown requests in the same way the ECU does

OBD2 Simulator - Continued

User Configurable
• Pick which DTCs to report
• Pick which PIDs to report
• User assignable remapping and scaling functions, e.g. change speed from 0-100 to 0-70
• Multiple data items can be combined to maintain plausible relationships between items like RPM and vehicle speed
• Monitoring and modification of non-OBD2 messages observed on the OBD2 network
• The device also contains a feature that continually turns the check engine light (MIL) off by periodically sending the J1979 mode 0x04 command to the vehicle. By rapidly turning the MIL off it will appear to not be illuminated. This feature can be enabled or disabled by the user
• Configure VIN
• Configure CVN

Advanced Features
• Allows the user to wire up analog sensors and make a non-OBD2 engine act like an OBD2 system
• Allows users to save their configuration and share it with others
• Tampering device captures all requests from the IM station, allowing it to learn how the IM software is profiling the vehicle

Detecting our simulator

Physical Check
• Look under the dash and attempt to locate the device (doesn’t work if the IM station is cheating)

Vehicle Timings
• Perform repeated requests for a list of data from the ECU
• Capture message timings and store results by YMME
• Compare message timings for the tested vehicle vs. a database of all similar vehicles
• A simulator that is modifying messages on the fly will not be able to keep up with expected vehicle timings all of the time
• There will also be a variation in message timing between data items that are passed thru the simulator to the vehicle and items the simulator is providing directly

Enhanced Modes
• Use enhanced scantool modes not known by most hacks
• For example, if the vehicle is a Ford, try Rapid Packet mode
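The timing checks described above, worked through as an added example that is not part of the presentation or of Drew Technologies' software. It assumes the IM tool records the round-trip latency of each J1979 request and that a per-YMME baseline of clean-vehicle latencies exists; the YMME key, the PIDs, the baseline and both captures are constructed. The first check flags PIDs whose mean latency is far from the baseline; the second looks for the two timing populations (simulator-answered vs. passed-through) that the slide mentions.

```python
"""Timing-based OBD2 simulator detection.  Added illustration, not code from
the presentation.  Assumes the IM tool can record the round-trip latency of
every J1979 request and that a baseline of clean-vehicle latencies exists for
the same year/make/model/engine (YMME).  All values below are constructed."""
from statistics import mean, pstdev

# Constructed baseline: per-PID (mean, std-dev) of response latency in ms,
# built from many clean vehicles of one YMME.
BASELINE_MS = {
    "2019/ACME/SEDAN/2.0L": {
        "010C": (8.0, 1.0),   # engine RPM
        "010D": (8.5, 1.0),   # vehicle speed
        "010F": (9.0, 1.2),   # intake air temperature
        "0121": (10.0, 1.5),  # distance travelled with MIL on
    }
}

# Constructed capture from a vehicle with an inline simulator: RPM and speed
# are answered from the simulator's saved clean configuration (fast), while
# IAT and distance are relayed to the real ECU (extra hop, slow).
SIMULATED_CAPTURE = {
    "010C": [2.1, 2.0, 2.2, 1.9, 2.0],
    "010D": [2.0, 2.1, 2.0, 2.2, 2.1],
    "010F": [12.0, 12.5, 11.8, 12.2, 12.1],
    "0121": [13.0, 12.8, 13.1, 12.9, 13.2],
}

# Constructed capture from a clean vehicle of the same YMME.
CLEAN_CAPTURE = {
    "010C": [8.0, 8.2, 7.9],
    "010D": [8.4, 8.6, 8.5],
    "010F": [9.1, 8.9, 9.0],
    "0121": [10.2, 9.8, 10.0],
}

def pid_stats(capture):
    """Per-PID (mean, population std-dev) of the observed latencies."""
    return {pid: (mean(v), pstdev(v)) for pid, v in capture.items()}

def flag_timing_anomalies(ymme, capture, z_limit=3.0):
    """Compare each PID's mean latency with the YMME baseline.  Returns
    [(pid, observed_mean_ms, z_score)] for PIDs at least z_limit std-devs
    away from the baseline in either direction."""
    base = BASELINE_MS[ymme]
    flagged = []
    for pid, (obs_mean, _) in pid_stats(capture).items():
        if pid not in base:
            continue                      # no reference for this PID
        b_mean, b_sd = base[pid]
        z = (obs_mean - b_mean) / b_sd
        if abs(z) >= z_limit:
            flagged.append((pid, round(obs_mean, 2), round(z, 2)))
    return flagged

def split_by_latency(capture, gap_ms=3.0):
    """Look for the two timing populations the presentation describes:
    items the simulator answers itself versus items it passes through to
    the ECU.  Sorts the per-PID means and reports the largest gap between
    neighbours; a gap above gap_ms splits the PIDs into a fast and a slow
    group.  Returns (gap_ms, fast_pids, slow_pids)."""
    means = sorted((m, pid) for pid, (m, _) in pid_stats(capture).items())
    best_gap, split_at = 0.0, None
    for (m1, _), (m2, _) in zip(means, means[1:]):
        if m2 - m1 > best_gap:
            best_gap, split_at = m2 - m1, m2
    if best_gap <= gap_ms:
        return best_gap, [], [pid for _, pid in means]
    fast = [pid for m, pid in means if m < split_at]
    slow = [pid for m, pid in means if m >= split_at]
    return best_gap, fast, slow

if __name__ == "__main__":
    ymme = "2019/ACME/SEDAN/2.0L"
    for name, cap in (("simulator", SIMULATED_CAPTURE), ("clean", CLEAN_CAPTURE)):
        print(name, flag_timing_anomalies(ymme, cap), split_by_latency(cap))
```

In the constructed simulator capture only the two locally answered PIDs cross the z-score threshold, while the relayed PIDs sit just inside it; the latency-split check still separates the two groups, which is why both checks are worth running together on a real capture.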

Tampering with Sensors

Sometimes car owners or performance shops modify the vehicle’s electronics or emissions parts to improve performance

Tampering: EGR delete
Detection: Locate the EGR and verify that it is still connected

Tampering: Add a resistor to the IAT to register a lower air temperature and increase timing
Detection: Read the air temperature from IAT1 and have the technician compare it to the shop temperature. There is no reason it should be colder under the hood than in the shop.

Tampering: Replace rear O2 sensors with non-working ones that output a good signal to the ECU
Detection: Log the rear O2 data and compare it with similar data from a known good vehicle to look for variations
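The IAT and rear O2 checks from the table above, as an added example rather than code from the presentation. The tolerance, the flatness ratio, both vehicle readings and the known-good O2 trace are constructed assumptions; an IM program would take the known-good trace from its own YMME database.

```python
"""Sensor-plausibility checks for the tampering cases above.  Added example,
not code from the presentation; thresholds, readings and the known-good
trace are constructed assumptions."""
from statistics import mean, pstdev

# Constructed rear O2 voltage trace from a known-good vehicle of the same YMME.
KNOWN_GOOD_REAR_O2_V = [0.60, 0.65, 0.70, 0.62, 0.55, 0.68, 0.72, 0.58]

# Constructed readings: one vehicle with a resistor on the IAT and a dummy
# rear O2 sensor, one clean vehicle.
TAMPERED_READING = {
    "shop_c": 22.0,
    "iat_c": 12.0,
    "rear_o2_v": [0.65, 0.65, 0.66, 0.65, 0.65, 0.66, 0.65, 0.65],
}
CLEAN_READING = {
    "shop_c": 22.0,
    "iat_c": 24.5,
    "rear_o2_v": [0.58, 0.66, 0.71, 0.60, 0.54, 0.69, 0.73, 0.57],
}

def check_iat(iat_c, shop_c, tolerance_c=3.0):
    """Under-hood intake air should not read colder than the shop the car is
    sitting in.  tolerance_c allows for sensor accuracy and a car just driven
    in from outside.  Returns True when the reading is plausible."""
    return iat_c >= shop_c - tolerance_c

def check_rear_o2(samples_v, known_good_v, min_ratio=0.25):
    """A substitute sensor that feeds the ECU a fixed 'good' voltage produces a
    far flatter trace than a real downstream sensor.  Compares the spread of
    the logged trace with the spread of a known-good trace and flags it when
    it is below min_ratio of the reference."""
    obs_sd, ref_sd = pstdev(samples_v), pstdev(known_good_v)
    return {
        "plausible": obs_sd >= ref_sd * min_ratio,
        "observed_sd_v": round(obs_sd, 4),
        "reference_sd_v": round(ref_sd, 4),
        "observed_mean_v": round(mean(samples_v), 3),
    }

def run_checks(reading, known_good_o2_v=KNOWN_GOOD_REAR_O2_V):
    """Run every check on one vehicle and return the list of findings."""
    findings = []
    if not check_iat(reading["iat_c"], reading["shop_c"]):
        findings.append("IAT reads colder than the shop ambient temperature")
    if not check_rear_o2(reading["rear_o2_v"], known_good_o2_v)["plausible"]:
        findings.append("rear O2 trace is unnaturally flat compared with known-good vehicle")
    return findings

if __name__ == "__main__":
    print("tampered:", run_checks(TAMPERED_READING))
    print("clean:   ", run_checks(CLEAN_READING))
```

The O2 check deliberately compares spread rather than absolute voltage, because a dummy sensor is built to sit at a voltage the ECU accepts; what it cannot easily fake is the natural movement of a real downstream sensor.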

ECU Reflashing
• Over 1,000,000 flash programmers in the aftermarket
• Most are for small performance gains and probably do not have a substantial impact on emissions
• Some of these programmers even have CARB EO
• Turbo, supercharged, and diesel vehicles can have a greater impact because of the potential for increased boost and emission delete equipment

The following changes can be made in ECU software
• Disable emission equipment in the software (e.g. turn EGR off, but leave hardware intact)
• Disable the check engine light and all trouble codes
• Disable monitors or change the criteria under which monitors report ready
• Fake CVNs after a calibration has been modified

ECU Reflashing

How can we detect reprogramming?

Method 1: Binary Image compare
- Download the binary image from the ECU and compare it to the stock image
- By comparing the images, we know with 100% certainty if the ECU has an aftermarket calibration
- This method would require industry collaboration. Currently all OEMs support ECU upload using SAE J2534, but none support ECU download.

Method 2: Flash Counter validation
- Most ECUs have flash counters
- Some OEMs keep track of every time a vehicle is flashed
- When present in the ECU software, the IM software could read the flash counter and compare it to what the OEM expected the flash count to be

Both of these methods would require working with the OEMs. The scope of this could be narrowed by make/model to vehicles that are most likely to have reprogramming that has a negative impact on emissions
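Both detection methods above, as an added example that is not code from the presentation. The stock image, the CALID/CVN pair and the OEM record are constructed; in practice the image hash and expected flash count would come from the OEM, which is the industry collaboration the slide calls for. The constructed scenario also shows the point made earlier in the deck: a reflash that keeps the original CVN passes the CVN comparison and is only caught by the image compare or the counter.

```python
"""Reflash detection: the binary image compare (Method 1) and flash counter
validation (Method 2) described above.  Added example, not code from the
presentation; the stock image, CALID/CVN and OEM record are constructed."""
import hashlib

# Constructed stock calibration image (1 KiB) and the OEM-supplied record an
# IM program would need for this calibration.
STOCK_IMAGE = bytes(range(256)) * 4
OEM_RECORD = {
    "calid": "ACME-CAL-0001",
    "cvn": "1A2B3C4D",
    "image_sha256": hashlib.sha256(STOCK_IMAGE).hexdigest(),
    "expected_flash_count": 2,   # factory flash plus one dealer update
}

def check_calibration(calid, cvn, image, flash_count, record=OEM_RECORD):
    """Validate what the ECU reports (CALID, CVN, flash counter) and what it
    actually contains (the downloaded image) against the OEM record.
    Returns a list of findings; an empty list means nothing looked wrong."""
    findings = []
    # CVN check alone: a reflash that keeps the original CVN passes this.
    if calid != record["calid"] or cvn.upper() != record["cvn"]:
        findings.append("reported CALID/CVN does not match OEM record")
    # Method 1: compare the full image, not just the reported checksum.
    if hashlib.sha256(image).hexdigest() != record["image_sha256"]:
        findings.append("ECU image differs from the stock calibration")
    # Method 2: more flashes than the OEM knows about.
    if flash_count > record["expected_flash_count"]:
        findings.append(
            f"flash counter {flash_count} exceeds OEM expected "
            f"{record['expected_flash_count']}")
    return findings

def reflashed_with_same_cvn():
    """Constructed scenario: one byte of the calibration changed, reported CVN
    unchanged, ECU flashed once more than the OEM record shows."""
    modified = bytearray(STOCK_IMAGE)
    modified[0x10] ^= 0xFF
    return check_calibration("ACME-CAL-0001", "1a2b3c4d", bytes(modified), 3)

if __name__ == "__main__":
    print("stock:     ", check_calibration("ACME-CAL-0001", "1A2B3C4D", STOCK_IMAGE, 2))
    print("reflashed: ", reflashed_with_same_cvn())
```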

Final Thoughts
• Visual check is the easiest “first step”
• ECU simulators are probably the highest risk for clean pipe testing
• Detecting ECU simulators requires collecting and analyzing what is happening at the message and timing level
• As ECU simulators advance, the IM test software will need to adapt