[{"data":1,"prerenderedAt":619},["Reactive",2],{"kb-chapters":3,"kb-doc:/knowledge-base/existing-research/ev-charging/":169},[4,11,17,23,29,35,41,47,53,59,65,71,77,83,89,96,102,108,114,120,126,132,138,144,151,157,163],{"_path":5,"title":6,"description":7,"part":8,"_file":9,"chapterNumber":10},"/knowledge-base/networks/introduction","Introduction","Overview of the communication networks used in modern vehicles, from LIN to Automotive Ethernet.","Vehicle Networks & Protocols","7.knowledge-base/1.networks/1.introduction.md",1,{"_path":12,"title":13,"description":14,"part":8,"_file":15,"chapterNumber":16},"/knowledge-base/networks/vehicle-documentation","Vehicle Documentation","Where to find manufacturer wiring diagrams, J2534 passthrough devices, and the different types of diagrams that are useful when researching a vehicle.","7.knowledge-base/1.networks/2.vehicle-documentation.md",2,{"_path":18,"title":19,"description":20,"part":8,"_file":21,"chapterNumber":22},"/knowledge-base/networks/lin-bus","Local Interconnect Network (LIN)","Local Interconnect Network — a single-wire low-speed bus used as a low-cost alternative to CAN for non-critical body electronics.","7.knowledge-base/1.networks/3.lin-bus.md",3,{"_path":24,"title":25,"description":26,"part":8,"_file":27,"chapterNumber":28},"/knowledge-base/networks/controller-area-network","Controller Area Network (CAN)","ISO 11898 — the differential bus that became the backbone of automotive networking. 
Frames, bit timing, errors, CAN FD, message contents, and practical attacks.","7.knowledge-base/1.networks/4.controller-area-network.md",4,{"_path":30,"title":31,"description":32,"part":8,"_file":33,"chapterNumber":34},"/knowledge-base/networks/secure-onboard-communication","Secure Onboard Communication (SecOC)","AUTOSAR's standard for cryptographic message authentication on in-vehicle networks — freshness values, MAC computation and key management.","7.knowledge-base/1.networks/5.secure-onboard-communication.md",5,{"_path":36,"title":37,"description":38,"part":8,"_file":39,"chapterNumber":40},"/knowledge-base/networks/flexray","FlexRay","Time-triggered, deterministic automotive bus standardized as ISO 17458, designed for higher speeds and drive-by-wire systems.","7.knowledge-base/1.networks/6.flexray.md",6,{"_path":42,"title":43,"description":44,"part":8,"_file":45,"chapterNumber":46},"/knowledge-base/networks/automotive-ethernet","Automotive Ethernet","Automotive variants of Ethernet — 100BASE-T1, 1000BASE-T1, and 10BASE-T1S — built around single twisted-pair cabling and strict EMC requirements.","7.knowledge-base/1.networks/7.automotive-ethernet.md",7,{"_path":48,"title":6,"description":49,"part":50,"_file":51,"chapterNumber":52},"/knowledge-base/diagnostics/introduction","Overview of automotive diagnostic protocols — ISO-TP, OBD-II, UDS, CCP and XCP — and how they layer on top of CAN.","Diagnostic Protocols","7.knowledge-base/2.diagnostics/1.introduction.md",8,{"_path":54,"title":55,"description":56,"part":50,"_file":57,"chapterNumber":58},"/knowledge-base/diagnostics/iso-tp","ISO 15765-2 (ISO-TP)","ISO 15765-2 transport layer for sending diagnostic payloads larger than 8 bytes over CAN — single, first, consecutive and flow-control frames.","7.knowledge-base/2.diagnostics/2.iso-tp.md",9,{"_path":60,"title":61,"description":62,"part":50,"_file":63,"chapterNumber":64},"/knowledge-base/diagnostics/vw-tp20","VW Transport Protocol 2.0 (TP 2.0)","Volkswagen's 
pre-ISO-TP transport layer for KWP2000 over CAN — channel setup, parameter negotiation, and the data exchange counter scheme.","7.knowledge-base/2.diagnostics/3.vw-tp20.md",10,{"_path":66,"title":67,"description":68,"part":50,"_file":69,"chapterNumber":70},"/knowledge-base/diagnostics/obd-ii","On-board diagnostics (OBD-II)","On-Board Diagnostics II — the J1962 connector, signal protocols, service IDs, parameter IDs, and DTC encoding.","7.knowledge-base/2.diagnostics/4.obd-ii.md",11,{"_path":72,"title":73,"description":74,"part":50,"_file":75,"chapterNumber":76},"/knowledge-base/diagnostics/uds","Unified Diagnostic Services (UDS)","ISO 14229-1 — the modern diagnostic protocol for sessions, Read/Write DID, Security Access, Routine Control and firmware Request Download / Upload.","7.knowledge-base/2.diagnostics/6.uds.md",12,{"_path":78,"title":79,"description":80,"part":50,"_file":81,"chapterNumber":82},"/knowledge-base/diagnostics/ccp","CAN Calibration Protocol (CCP)","A low-level debug/calibration protocol over CAN — Command Receive Object, Data Transfer Object, and the commands used to read and write ECU memory.","7.knowledge-base/2.diagnostics/7.ccp.md",13,{"_path":84,"title":85,"description":86,"part":50,"_file":87,"chapterNumber":88},"/knowledge-base/diagnostics/xcp","Universal Measurement and Calibration Protocol (XCP)","ASAM XCP — successor to CCP supporting CAN, CAN FD, FlexRay, and Ethernet, with synchronous data acquisition, stimulation, and calibration.","7.knowledge-base/2.diagnostics/8.xcp.md",14,{"_path":90,"title":91,"description":92,"part":93,"_file":94,"chapterNumber":95},"/knowledge-base/reverse-engineering/ecu-flashing","ECU Flashing","How a control unit is reprogrammed over the wire with UDS, walked through step by step, why the sequence is staged the way it is, and how the SecurityAccess seed/key gate works, from weak proprietary LFSR ciphers to the Volkswagen SA2 script.","Reverse 
Engineering","7.knowledge-base/3.reverse-engineering/1.ecu-flashing.md",15,{"_path":97,"title":98,"description":99,"part":93,"_file":100,"chapterNumber":101},"/knowledge-base/reverse-engineering/oem-update-files","OEM Update Files","Where to find official ECU firmware, why OEMs ship it, and how the major manufacturer update container formats (VW FRF/ODX, Toyota CUW, Ford VBF, BMW psdzdata, Tesla BHX) are structured, decrypted, and unpacked.","7.knowledge-base/3.reverse-engineering/2.oem-update-files.md",16,{"_path":103,"title":6,"description":104,"part":105,"_file":106,"chapterNumber":107},"/knowledge-base/existing-research/introduction","Landmark papers from 2010 to 2016 that defined automotive security research and demonstrated the first complete remote exploit chain against a production vehicle.","Existing Research","7.knowledge-base/4.existing-research/1.introduction.md",17,{"_path":109,"title":110,"description":111,"part":105,"_file":112,"chapterNumber":113},"/knowledge-base/existing-research/engine-control-units","Engine Control Units","Public reverse-engineering work on engine ECUs, focusing on bri3d's documented exploit chains for the Volkswagen Group Simos 18 ECU and its Infineon TriCore TC1791 processor.","7.knowledge-base/4.existing-research/2.engine-control-units.md",18,{"_path":115,"title":116,"description":117,"part":105,"_file":118,"chapterNumber":119},"/knowledge-base/existing-research/ev-charging","EV Charging","Research covering two distinct attack surfaces introduced by electric vehicle charging, the HomePlug Green PHY powerline data layer used by the Combined Charging System, and the AC charger as a peer device with its own firmware and bidirectional communications.","7.knowledge-base/4.existing-research/3.ev-charging.md",19,{"_path":121,"title":122,"description":123,"part":105,"_file":124,"chapterNumber":125},"/knowledge-base/existing-research/fault-injection","Fault Injection","Published fault injection research relevant to automotive 
microcontrollers, covering voltage glitching, EMFI, debug access, and secure-boot bypasses on Renesas, Infineon, NXP/Freescale, and Tesla compute platforms.","7.knowledge-base/4.existing-research/4.fault-injection.md",20,{"_path":127,"title":128,"description":129,"part":105,"_file":130,"chapterNumber":131},"/knowledge-base/existing-research/infotainment-telematics","Infotainment & Telematics","Sixteen published research entries covering remote exploitation of infotainment and telematics systems across Tesla, BMW, Mercedes-Benz, Volkswagen Group, and Nissan vehicles, plus a cross-industry web API survey.","7.knowledge-base/4.existing-research/5.infotainment-telematics.md",21,{"_path":133,"title":134,"description":135,"part":105,"_file":136,"chapterNumber":137},"/knowledge-base/existing-research/sensors-and-radios","Other Wireless Attack Surfaces","Research covering wireless attack surfaces beyond the primary CAN and telematics interfaces, including tire pressure sensors and DAB radio receivers, both of which accept untrusted RF input and have historically performed no authentication or input validation.","7.knowledge-base/4.existing-research/6.sensors-and-radios.md",22,{"_path":139,"title":140,"description":141,"part":105,"_file":142,"chapterNumber":143},"/knowledge-base/existing-research/remote-keyless-entry","Remote Keyless Entry and Immobilisers","Research on cryptographic attacks against passive keyless entry systems, transponder-based immobilisers, rolling-code RKE, and the CAN-injection theft chain.","7.knowledge-base/4.existing-research/7.remote-keyless-entry.md",23,{"_path":145,"title":146,"description":147,"part":148,"_file":149,"chapterNumber":150},"/knowledge-base/tools/can-adapters","CAN Adapters","USB-to-CAN adapters — comma.ai red panda and PEAK-System PCAN — and the standard DB-9 pinout for 
CAN.","Tools","7.knowledge-base/5.tools/1.can-adapters.md",24,{"_path":152,"title":153,"description":154,"part":148,"_file":155,"chapterNumber":156},"/knowledge-base/tools/can-analysis","CAN Analysis","Tools for analysing and reverse-engineering CAN traffic — comma.ai cabana, SavvyCAN, VehicleSpy, and Wireshark.","7.knowledge-base/5.tools/2.can-analysis.md",25,{"_path":158,"title":159,"description":160,"part":148,"_file":161,"chapterNumber":162},"/knowledge-base/tools/scripting","Scripting","Python libraries and CLI tools for talking to a CAN bus — comma.ai panda, SocketCAN can-utils, python-can, and Scapy with ISO-TP and UDS examples.","7.knowledge-base/5.tools/3.scripting.md",26,{"_path":164,"title":165,"description":166,"part":148,"_file":167,"chapterNumber":168},"/knowledge-base/tools/dbc-files","DBC Files","The DBC file format used to describe the contents of CAN messages — nodes, messages, signals, comments, and value tables.","7.knowledge-base/5.tools/4.dbc-files.md",27,{"_path":115,"_dir":170,"_draft":171,"_partial":171,"_locale":172,"title":116,"description":117,"part":105,"references":173,"body":224,"_type":615,"_id":616,"_source":617,"_file":118,"_extension":618},"existing-research",false,"",[174,181,188,194,201,208,213,219],{"id":175,"authors":176,"title":177,"publisher":178,"year":179,"url":180},"dudek-homeplugav","Dudek, Sébastien","HomePlugAV PLC: Practical Attacks and Backdooring","NoSuchCon 2014 (NSC2014); August 2015 paper",2015,"https://penthertz.com/resources/NSC2014-HomePlugAV_attacks-Sebastien_Dudek.pdf",{"id":182,"authors":183,"title":184,"publisher":185,"year":186,"url":187},"dudek-v2g-injector","Dudek, Sébastien; Delaunay, Jean-Christophe; Fargues, Vincent","V2G Injector: Whispering to Cars and Charging Units Through the Power-Line","SSTIC 
2019",2019,"https://www.sstic.org/2019/presentation/v2g_injector_playing_with_electric_cars_and_charging_stations_via_powerline/",{"id":189,"authors":190,"title":191,"publisher":192,"year":186,"url":193},"baker-2019","Baker, Martinovic","Losing the Car Keys: Wireless PHY-Layer Insecurity in EV Charging","USENIX Security Symposium 2019","https://www.usenix.org/conference/usenixsecurity19/presentation/baker",{"id":195,"authors":196,"title":197,"publisher":198,"year":199,"url":200},"brokenwire-2023","Köhler, Baker, Strohmeier, Martinovic","Brokenwire: Wireless Disruption of CCS Electric Vehicle Charging","NDSS Symposium 2023",2023,"https://www.ndss-symposium.org/ndss-paper/brokenwire-wireless-disruption-of-ccs-electric-vehicle-charging/",{"id":202,"authors":203,"title":204,"publisher":205,"year":206,"url":207},"current-affairs-2025","Szakály, Köhler, Martinovic","Current Affairs: A Security Measurement Study of CCS EV Charging Deployments","USENIX Security Symposium 2025",2025,"https://www.usenix.org/conference/usenixsecurity25/presentation/szakaly",{"id":209,"authors":203,"title":210,"publisher":211,"year":206,"url":212},"pibuster-2025","Short: PIBuster — Exploiting a Common Misconfiguration in CCS EV Chargers","USENIX Symposium on Vehicle Security and Privacy (VehicleSec) 2025","https://www.usenix.org/conference/vehiclesec25/presentation/szakaly",{"id":214,"authors":215,"title":216,"publisher":217,"year":206,"url":218},"synacktiv-part1-2025","David Berard (Synacktiv)","Exploiting the Tesla Wall Connector from its Charge Port Connector","Synacktiv blog","https://www.synacktiv.com/en/publications/exploiting-the-tesla-wall-connector-from-its-charge-port-connector",{"id":220,"authors":215,"title":221,"publisher":217,"year":222,"url":223},"synacktiv-part2-2026","Exploiting the Tesla Wall Connector from its Charge Port Connector — Part 2: Bypassing the 
Anti-Downgrade",2026,"https://www.synacktiv.com/en/publications/exploiting-the-tesla-wall-connector-from-its-charge-port-connector-part-2-bypassing",{"type":225,"children":226,"toc":600},"root",[227,235,241,248,254,269,274,279,291,307,312,322,327,332,341,346,358,363,368,373,381,386,398,403,408,413,421,429,434,446,451,456,461,467,479,484,489,497,503,508,520,525,530,538,544,555,569,582,590,596],{"type":228,"tag":229,"props":230,"children":232},"element","h1",{"id":231},"ev-charging",[233],{"type":234,"value":116},"text",{"type":228,"tag":236,"props":237,"children":238},"p",{},[239],{"type":234,"value":240},"Electric vehicles introduce two attack surfaces absent from conventional cars. DC fast-charging via the Combined Charging System (CCS) runs an IP stack over the Control Pilot wire using HomePlug Green PHY (HPGP) powerline communication, and the physical-layer design leaks that signal wirelessly. Smart AC chargers such as the Tesla Wall Connector carry independent firmware, network stacks, and bidirectional protocol communication with the vehicle. 
The Oxford group (Martinovic, Baker, Köhler, Szakály) has systematically documented the CCS PHY side from 2019 through 2025; Synacktiv researcher David Berard produced a two-part Wall Connector analysis in 2025 and 2026.",{"type":228,"tag":242,"props":243,"children":245},"h2",{"id":244},"ccs-plc-layer-and-phy",[246],{"type":234,"value":247},"CCS PLC Layer and PHY",{"type":228,"tag":249,"props":250,"children":252},"h3",{"id":251},"homeplugav-plc-practical-attacks-and-backdooring",[253],{"type":234,"value":177},{"type":228,"tag":236,"props":255,"children":256},{},[257,263,265],{"type":228,"tag":258,"props":259,"children":260},"em",{},[261],{"type":234,"value":262},"Dudek (Synacktiv), NoSuchCon 2014",{"type":234,"value":264}," ",{"type":228,"tag":266,"props":267,"children":268},"citation",{"id":175},[],{"type":228,"tag":236,"props":270,"children":271},{},[272],{"type":234,"value":273},"Background for the EV-charging research below. HomePlugAV is the OFDM-over-mains powerline standard whose HomePlug Green PHY variant is reused inside CCS charging. Dudek showed that the Network Membership Key (NMK) used to encrypt traffic is exposed in cleartext over the local Ethernet interface during pairing, that the Direct Access Key passphrase used to set the NMK is a deterministic function of the device MAC for Qualcomm Atheros parts, and that the same management channel exposes arbitrary memory read and write on the PLC modem. 
The Qualcomm QCA7000 modem family later appears in most CCS stations surveyed by Szakály et al.",{"type":228,"tag":249,"props":275,"children":277},{"id":276},"v2g-injector-whispering-to-cars-and-charging-units-through-the-power-line",[278],{"type":234,"value":184},{"type":228,"tag":236,"props":280,"children":281},{},[282,287,288],{"type":228,"tag":258,"props":283,"children":284},{},[285],{"type":234,"value":286},"Dudek, Delaunay, Fargues (Synacktiv), SSTIC 2019",{"type":234,"value":264},{"type":228,"tag":266,"props":289,"children":290},{"id":182},[],{"type":228,"tag":236,"props":292,"children":293},{},[294,296,305],{"type":234,"value":295},"V2G Injector is the first open-source tool for packet capture and injection on the HomePlug Green PHY layer used by CCS electric vehicle charging. Before this work, no publicly available equipment could interface with V2G powerline traffic; commercial analysis tools cost thousands of euros and captured only a limited packet count. The tool is open source at ",{"type":228,"tag":297,"props":298,"children":302},"a",{"href":299,"rel":300},"https://github.com/FlUxIuS/V2GInjector",[301],"nofollow",[303],{"type":234,"value":304},"github.com/FlUxIuS/V2GInjector",{"type":234,"value":306},".",{"type":228,"tag":236,"props":308,"children":309},{},[310],{"type":234,"value":311},"The hardware setup centres on a Devolo HomePlug GP development kit based on the Qualcomm QCA7000 modem, acquired for approximately 200 euros, with the QCA7000's SPI/Ethernet interface exposed so custom firmware and Scapy layers can control it directly. 
The team implemented missing Scapy protocol layers for HPGP, the SECC Discovery Protocol, and V2GTP, and built a fuzzy EXI decoder that tries multiple XML Schema grammars to recover V2G message content without context state.",{"type":228,"tag":236,"props":313,"children":314},{},[315,317,320],{"type":234,"value":316},"Building on the HomePlugAV NMK-sniffing technique from Dudek's 2014 work ",{"type":228,"tag":266,"props":318,"children":319},{"id":175},[],{"type":234,"value":321},", the paper shows that a device in PEV mode can passively receive the CM_SLAC_MATCH.CNF from any nearby EVSE and extract the NMK in cleartext, because SLAC management messages are broadcast unencrypted over the powerline.",{"type":228,"tag":236,"props":323,"children":324},{},[325],{"type":234,"value":326},"Once inside the AV Logical Network (AVLN), injection is possible either via ICMPv6 neighbour spoofing or by racing the SECC procedure, sending a crafted SECC response that redirects the vehicle's traffic to an attacker-controlled IPv6 endpoint.",{"type":228,"tag":236,"props":328,"children":329},{},[330],{"type":234,"value":331},"The paper also identifies a weakness in the SDP SecurityProtocol field that can downgrade the session from TLS to cleartext. V2G Injector set the stage for the Oxford group's academic follow-on, with Baker 2019 citing the SLAC NMK-capture approach and building a purpose-built SDR receiver around the same fundamental flaw.",{"type":228,"tag":236,"props":333,"children":334},{},[335],{"type":228,"tag":336,"props":337,"children":340},"img",{"alt":338,"src":339},"Devolo dLAN Green PHY eval board (EU II), the HomePlug Green PHY development kit based on the Qualcomm QCA7000 modem used by V2G Injector. 
Product photo: Codico.","/images/knowledge-base/existing-research/ev-charging/dudek-v2g-injector-2019-1.jpg",[],{"type":228,"tag":249,"props":342,"children":344},{"id":343},"losing-the-car-keys-wireless-phy-layer-insecurity-in-ev-charging",[345],{"type":234,"value":191},{"type":228,"tag":236,"props":347,"children":348},{},[349,354,355],{"type":228,"tag":258,"props":350,"children":351},{},[352],{"type":234,"value":353},"Baker, Martinovic, USENIX Security 2019",{"type":234,"value":264},{"type":228,"tag":266,"props":356,"children":357},{"id":189},[],{"type":228,"tag":236,"props":359,"children":360},{},[361],{"type":234,"value":362},"The first complete picture of the wireless side-channel in CCS. HomePlug Green PHY delivers an IP stack over the Control Pilot and Protective Earth lines; unlike a CAN square wave, an OFDM waveform is nearly unchanged when it couples from the cable to air, making passive interception practical with off-the-shelf SDR hardware.",{"type":228,"tag":236,"props":364,"children":365},{},[366],{"type":234,"value":367},"The CCS session opens with the SLAC handshake, in which the vehicle sends sounding messages and the charger reports attenuation to prove physical connection. At the end of SLAC, the charger transmits the Network Membership Key (NMK) to the vehicle in the CM_SLAC_MATCH.CNF message, in plaintext, with no confidentiality option. An attacker who captures this exchange can join the HPGP network and decrypt all subsequent MAC-layer traffic.",{"type":228,"tag":236,"props":369,"children":370},{},[371],{"type":234,"value":372},"The authors built the first wireless eavesdropping tool for HomePlug GreenPHY, covering the full software receiver path from frame detection through OFDM demodulation, turbo-code FEC, and CRC validation. Over 54 sessions at public chargers with three production EVs, it recovered 91.8% of packets with valid CRC32 checksums from an adjacent parking bay 4.2 m away. No TLS was observed in any session. 
Long-term vehicle identifiers appeared in 76% of sessions, enabling user tracking and, where AutoCharge billing is deployed, free charging on another account. The paper proposed an optional ECDH step in the SLAC handshake as a confidentiality fallback.",{"type":228,"tag":236,"props":374,"children":375},{},[376],{"type":228,"tag":336,"props":377,"children":380},{"alt":378,"src":379},"Field eavesdropping setups: (Figure 7) capturing from the adjacent parking bay with the antenna more than 4 metres from the charging cable, and (Figure 8) sitting between two simultaneously charging vehicles to capture NMK key establishment for both. Figure from Baker, Martinovic, 2019 (Losing the Car Keys).","/images/knowledge-base/existing-research/ev-charging/baker-1.png",[],{"type":228,"tag":249,"props":382,"children":384},{"id":383},"brokenwire-wireless-disruption-of-ccs-electric-vehicle-charging",[385],{"type":234,"value":197},{"type":228,"tag":236,"props":387,"children":388},{},[389,394,395],{"type":228,"tag":258,"props":390,"children":391},{},[392],{"type":234,"value":393},"Köhler, Baker, Strohmeier, Martinovic, NDSS 2023",{"type":234,"value":264},{"type":228,"tag":266,"props":396,"children":397},{"id":195},[],{"type":228,"tag":236,"props":399,"children":400},{},[401],{"type":234,"value":402},"The same PHY properties exploited for passive eavesdropping also support an active disruption attack.",{"type":228,"tag":236,"props":404,"children":405},{},[406],{"type":234,"value":407},"HPGP mandates Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA): any node that detects an ongoing transmission backs off. Brokenwire exploits this by transmitting a continuous stream of HPGP preamble symbols. Both ends of the charging session see a permanently busy channel and cannot transmit; after roughly two seconds the ISO 15118 message timeout expires and the session aborts. 
The standard then requires manual intervention (unplug and replug) before a new session can begin.",{"type":228,"tag":236,"props":409,"children":410},{},[411],{"type":234,"value":412},"The attack requires a 1 W amplifier, a commodity LimeSDR tuned to 17 MHz, and a 7 m dipole antenna, totalling under $1,000. This outperforms broadband noise jamming by three orders of magnitude because it exploits the protocol's own CSMA/CA logic rather than trying to overwhelm HPGP's noise resistance. Real-world testing covered eight vehicles and twenty chargers across several European public deployments, succeeding in every tested combination, with maximum effective range of 47 m. Because the exploited behaviour is required by HomePlug Green PHY, DIN 70121, and ISO 15118, every conforming implementation is vulnerable, including fleet vehicles, electric buses, and ferries relying on overnight CCS charging.",{"type":228,"tag":236,"props":414,"children":415},{},[416],{"type":228,"tag":336,"props":417,"children":420},{"alt":418,"src":419},"Five attack scenarios tested in the real-world evaluation, from single-vehicle drive-by disruption (Scenario 1) to multi-vehicle fleet denial from across the street (Scenario 5), with the attacker remaining inside their own vehicle. Figure from Köhler et al., 2023 (Brokenwire).","/images/knowledge-base/existing-research/ev-charging/brokenwire-2.png",[],{"type":228,"tag":236,"props":422,"children":423},{},[424],{"type":228,"tag":336,"props":425,"children":428},{"alt":426,"src":427},"Aerial distance measurement for Scenario 5, showing the 47.39 m range between the attacker vehicle and the target charging bay across a street intersection. 
Figure from Köhler et al., 2023 (Brokenwire).","/images/knowledge-base/existing-research/ev-charging/brokenwire-1.png",[],{"type":228,"tag":249,"props":430,"children":432},{"id":431},"current-affairs-a-security-measurement-study-of-ccs-ev-charging-deployments",[433],{"type":234,"value":204},{"type":228,"tag":236,"props":435,"children":436},{},[437,442,443],{"type":228,"tag":258,"props":438,"children":439},{},[440],{"type":234,"value":441},"Szakály, Köhler, Martinovic, USENIX Security 2025",{"type":234,"value":264},{"type":228,"tag":266,"props":444,"children":445},{"id":202},[],{"type":228,"tag":236,"props":447,"children":448},{},[449],{"type":234,"value":450},"This paper answers the practical follow-up question: given documented CCS security problems since 2019, how many deployed chargers have actually fixed them?",{"type":228,"tag":236,"props":452,"children":453},{},[454],{"type":234,"value":455},"The team built an EV emulator that steps through the full CCS sequence (CP/PE signalling, SLAC, SDP, TLS negotiation, V2G protocol negotiation) with relay-controlled automatic reconnection, enabling unattended data collection at scale. The dataset covers 325 chargers from 26 manufacturers across four European countries, manufactured between 2013 and mid-2023. 88% implement no TLS whatsoever. ISO 15118-2 support (optional TLS) reached only 47% overall; no charger had deployed ISO 15118-20, which mandates mutual TLS.",{"type":228,"tag":236,"props":457,"children":458},{},[459],{"type":234,"value":460},"Separately, 78% of chargers used the Qualcomm QCA7000 modem, and most ran firmware from 2013 to 2015, none dated after the 2022 Brokenwire disclosure. 
In some manufacturer implementations the NMK could be derived directly from the publicly broadcast Network Identifier.",{"type":228,"tag":249,"props":462,"children":464},{"id":463},"short-pibuster-exploiting-a-common-misconfiguration-in-ccs-ev-chargers",[465],{"type":234,"value":466},"Short: PIBuster - Exploiting a Common Misconfiguration in CCS EV Chargers",{"type":228,"tag":236,"props":468,"children":469},{},[470,475,476],{"type":228,"tag":258,"props":471,"children":472},{},[473],{"type":234,"value":474},"Szakály, Köhler, Martinovic, USENIX VehicleSec 2025",{"type":234,"value":264},{"type":228,"tag":266,"props":477,"children":478},{"id":209},[],{"type":228,"tag":236,"props":480,"children":481},{},[482],{"type":234,"value":483},"Presented at VehicleSec 2025, this short paper operationalises a finding from \"Current Affairs\": the Qualcomm HPGP modem in CCS chargers stores all configuration in a binary Parameter Information Block (PIB), and many chargers leave the PIB remotely readable and writable over the PLC interface.",{"type":228,"tag":236,"props":485,"children":486},{},[487],{"type":234,"value":488},"Through binary analysis and controlled experiments the researchers established that a single byte at offset 0x1F8C controls remote PIB access. When it is zero (the apparent factory default), any device that has completed SLAC can overwrite the modem's entire configuration. Testing at 69 CCS connectors at California public stations found 41 with the vulnerable setting. Writable fields include the NMK, the SLAC mode byte, and the SPI interface enable bit; disabling SPI severs the only connection between the PLC modem and the charger's host processor, producing a persistent denial of service recoverable only by hardware replacement. 
Qualcomm acknowledged the issue, issued a CVE, and committed to flipping the default in future firmware.",{"type":228,"tag":236,"props":490,"children":491},{},[492],{"type":228,"tag":336,"props":493,"children":496},{"alt":494,"src":495},"PIB binary layout showing the first 0x80 bytes with colour-coded fields: MAC address, HFID manufacturer string, NMK, and security control byte at 0x1F8C. Figure from Szakály et al., 2025 (PIBuster).","/images/knowledge-base/existing-research/ev-charging/pibuster-1.png",[],{"type":228,"tag":242,"props":498,"children":500},{"id":499},"level-1-and-2-chargers",[501],{"type":234,"value":502},"Level 1 and 2 Chargers",{"type":228,"tag":249,"props":504,"children":506},{"id":505},"exploiting-the-tesla-wall-connector-from-its-charge-port-connector",[507],{"type":234,"value":216},{"type":228,"tag":236,"props":509,"children":510},{},[511,516,517],{"type":228,"tag":258,"props":512,"children":513},{},[514],{"type":234,"value":515},"Berard (Synacktiv), Pwn2Own Automotive 2025",{"type":234,"value":264},{"type":228,"tag":266,"props":518,"children":519},{"id":214},[],{"type":228,"tag":236,"props":521,"children":522},{},[523],{"type":234,"value":524},"This Pwn2Own Automotive 2025 entry targets the charging cable as the entry point. The Tesla Wall Connector Gen 3 uses a Marvell 88MW300 (ARM Cortex-M4) on an AW-CU300 connectivity card and an STM32 co-processor for relay control; it does not use HPGP. After standard CP/PE signalling, the charger switches to a proprietary Single-Wire CAN (SWCAN) protocol at 33.3 kbps on the Control Pilot line, a detail identified by oscilloscope inspection with no public documentation.",{"type":228,"tag":236,"props":526,"children":527},{},[528],{"type":234,"value":529},"The AW-CU300 firmware exposes a full UDS stack over SWCAN via CAN ID 0x604. Security access at level 5 requires only XORing each byte of the 16-byte challenge with 0x35. 
A debug firmware build (0.8.58), sourced from a 2020 Tesla infotainment dump, adds two features absent from release: a UDS ReadDataByIdentifier command that returns the Wi-Fi PSK, and a TCP debug shell over the charger's setup AP. At the time of the competition, no anti-downgrade check blocked uploading older images via the standard 0x34/0x36/0x37 sequence. Synacktiv downgraded to 0.8.58 over SWCAN (~15 minutes at 33.3 kbps), read the PSK via UDS, connected to the AP, and reached the debug shell. Code execution followed from a global buffer overflow in the shell's argument parser: a 17th argument overwrites the adjacent function-pointer table in a region mapped RWX. Tesla patched by adding anti-downgrade protection.",{"type":228,"tag":236,"props":531,"children":532},{},[533],{"type":228,"tag":336,"props":534,"children":537},{"alt":535,"src":536},"Single-Wire CAN protocol exchange captured on the Control Pilot line during a Tesla Wall Connector session. Figure from Berard (Synacktiv), 2025 (Exploiting the Tesla Wall Connector).","/images/knowledge-base/existing-research/ev-charging/synacktiv-part1-1.png",[],{"type":228,"tag":249,"props":539,"children":541},{"id":540},"exploiting-the-tesla-wall-connector-from-its-charge-port-connector-part-2-bypassing-the-anti-downgrade",[542],{"type":234,"value":543},"Exploiting the Tesla Wall Connector from its Charge Port Connector - Part 2: Bypassing the Anti-Downgrade",{"type":228,"tag":236,"props":545,"children":546},{},[547,551,552],{"type":228,"tag":258,"props":548,"children":549},{},[550],{"type":234,"value":515},{"type":234,"value":264},{"type":228,"tag":266,"props":553,"children":554},{"id":220},[],{"type":228,"tag":236,"props":556,"children":557},{},[558,560,567],{"type":234,"value":559},"Tesla's patch introduced a ratchet integer in each firmware image; routine 0x201 
(",{"type":228,"tag":561,"props":562,"children":564},"code",{"className":563},[],[565],{"type":234,"value":566},"switch_to_new_firmware",{"type":234,"value":568},") reads the current ratchet from persistent storage and rejects any image with a lower value.",{"type":228,"tag":236,"props":570,"children":571},{},[572,574,580],{"type":234,"value":573},"The bypass exploits an ordering bug between two routines. Routine 0x201 commits the partition layout and bumps the generation counter of the validated slot; the bootloader picks the slot with the highest counter and checks CRC and RSA signature, but not the ratchet. Routine 0xFF00 (",{"type":228,"tag":561,"props":575,"children":577},{"className":576},[],[578],{"type":234,"value":579},"prepare_passive_slot",{"type":234,"value":581},") selects the physical slot to erase using a boot flag set once at startup and never updated mid-session. The sequence: (1) upload a current signed image and call 0x201, passing the ratchet check and setting that slot's generation counter to highest; (2) call 0xFF00 without rebooting so the same physical slot is selected as passive and erased; (3) upload old firmware 0.8.58 into the now-empty slot; (4) call 0x202 to reboot, bypassing 0x201 entirely. The bootloader finds the slot with the highest counter, verifies the legitimately signed old image, and executes it. Two firmware transfers raise the total attack time to around 30 minutes. Tesla issued a fix after disclosure.",{"type":228,"tag":236,"props":583,"children":584},{},[585],{"type":228,"tag":336,"props":586,"children":589},{"alt":587,"src":588},"Main board of the Tesla Wall Connector Gen 3 showing the AW-CU300 connectivity card (Marvell 88MW300, ARM Cortex-M4), the STM32 co-processor, and the absent Qualcomm PLC chipset footprint. 
Figure from Berard (Synacktiv), 2025 (Exploiting the Tesla Wall Connector).","/images/knowledge-base/existing-research/ev-charging/synacktiv-part2-1.png",[],{"type":228,"tag":242,"props":591,"children":593},{"id":592},"references",[594],{"type":234,"value":595},"References",{"type":228,"tag":597,"props":598,"children":599},"chapter-references",{},[],{"title":172,"searchDepth":16,"depth":16,"links":601},[602,610,614],{"id":244,"depth":16,"text":247,"children":603},[604,605,606,607,608,609],{"id":251,"depth":22,"text":177},{"id":276,"depth":22,"text":184},{"id":343,"depth":22,"text":191},{"id":383,"depth":22,"text":197},{"id":431,"depth":22,"text":204},{"id":463,"depth":22,"text":466},{"id":499,"depth":16,"text":502,"children":611},[612,613],{"id":505,"depth":22,"text":216},{"id":540,"depth":22,"text":543},{"id":592,"depth":16,"text":595},"markdown","content:7.knowledge-base:4.existing-research:3.ev-charging.md","content","md",1779543672138]