[{"data":1,"prerenderedAt":420},["Reactive",2],{"kb-chapters":3,"kb-doc:/knowledge-base/existing-research/sensors-and-radios/":169},[4,11,17,23,29,35,41,47,53,59,65,71,77,83,89,96,102,108,114,120,126,132,138,144,151,157,163],{"_path":5,"title":6,"description":7,"part":8,"_file":9,"chapterNumber":10},"/knowledge-base/networks/introduction","Introduction","Overview of the communication networks used in modern vehicles, from LIN to Automotive Ethernet.","Vehicle Networks & Protocols","7.knowledge-base/1.networks/1.introduction.md",1,{"_path":12,"title":13,"description":14,"part":8,"_file":15,"chapterNumber":16},"/knowledge-base/networks/vehicle-documentation","Vehicle Documentation","Where to find manufacturer wiring diagrams, J2534 passthrough devices, and the different types of diagrams that are useful when researching a vehicle.","7.knowledge-base/1.networks/2.vehicle-documentation.md",2,{"_path":18,"title":19,"description":20,"part":8,"_file":21,"chapterNumber":22},"/knowledge-base/networks/lin-bus","Local Interconnect Network (LIN)","Local Interconnect Network — a single-wire low-speed bus used as a low-cost alternative to CAN for non-critical body electronics.","7.knowledge-base/1.networks/3.lin-bus.md",3,{"_path":24,"title":25,"description":26,"part":8,"_file":27,"chapterNumber":28},"/knowledge-base/networks/controller-area-network","Controller Area Network (CAN)","ISO 11898 — the differential bus that became the backbone of automotive networking. 
Frames, bit timing, errors, CAN FD, message contents, and practical attacks.","7.knowledge-base/1.networks/4.controller-area-network.md",4,{"_path":30,"title":31,"description":32,"part":8,"_file":33,"chapterNumber":34},"/knowledge-base/networks/secure-onboard-communication","Secure Onboard Communication (SecOC)","AUTOSAR's standard for cryptographic message authentication on in-vehicle networks — freshness values, MAC computation and key management.","7.knowledge-base/1.networks/5.secure-onboard-communication.md",5,{"_path":36,"title":37,"description":38,"part":8,"_file":39,"chapterNumber":40},"/knowledge-base/networks/flexray","FlexRay","Time-triggered, deterministic automotive bus standardized as ISO 17458, designed for higher speeds and drive-by-wire systems.","7.knowledge-base/1.networks/6.flexray.md",6,{"_path":42,"title":43,"description":44,"part":8,"_file":45,"chapterNumber":46},"/knowledge-base/networks/automotive-ethernet","Automotive Ethernet","Automotive variants of Ethernet — 100BASE-T1, 1000BASE-T1, and 10BASE-T1S — built around single twisted-pair cabling and strict EMC requirements.","7.knowledge-base/1.networks/7.automotive-ethernet.md",7,{"_path":48,"title":6,"description":49,"part":50,"_file":51,"chapterNumber":52},"/knowledge-base/diagnostics/introduction","Overview of automotive diagnostic protocols — ISO-TP, OBD-II, UDS, CCP and XCP — and how they layer on top of CAN.","Diagnostic Protocols","7.knowledge-base/2.diagnostics/1.introduction.md",8,{"_path":54,"title":55,"description":56,"part":50,"_file":57,"chapterNumber":58},"/knowledge-base/diagnostics/iso-tp","ISO 15765-2 (ISO-TP)","ISO 15765-2 transport layer for sending diagnostic payloads larger than 8 bytes over CAN — single, first, consecutive and flow-control frames.","7.knowledge-base/2.diagnostics/2.iso-tp.md",9,{"_path":60,"title":61,"description":62,"part":50,"_file":63,"chapterNumber":64},"/knowledge-base/diagnostics/vw-tp20","VW Transport Protocol 2.0 (TP 2.0)","Volkswagen's 
pre-ISO-TP transport layer for KWP2000 over CAN — channel setup, parameter negotiation, and the data exchange counter scheme.","7.knowledge-base/2.diagnostics/3.vw-tp20.md",10,{"_path":66,"title":67,"description":68,"part":50,"_file":69,"chapterNumber":70},"/knowledge-base/diagnostics/obd-ii","On-board diagnostics (OBD-II)","On-Board Diagnostics II — the J1962 connector, signal protocols, service IDs, parameter IDs, and DTC encoding.","7.knowledge-base/2.diagnostics/4.obd-ii.md",11,{"_path":72,"title":73,"description":74,"part":50,"_file":75,"chapterNumber":76},"/knowledge-base/diagnostics/uds","Unified Diagnostic Services (UDS)","ISO 14229-1 — the modern diagnostic protocol for sessions, Read/Write DID, Security Access, Routine Control and firmware Request Download / Upload.","7.knowledge-base/2.diagnostics/6.uds.md",12,{"_path":78,"title":79,"description":80,"part":50,"_file":81,"chapterNumber":82},"/knowledge-base/diagnostics/ccp","CAN Calibration Protocol (CCP)","A low-level debug/calibration protocol over CAN — Command Receive Object, Data Transfer Object, and the commands used to read and write ECU memory.","7.knowledge-base/2.diagnostics/7.ccp.md",13,{"_path":84,"title":85,"description":86,"part":50,"_file":87,"chapterNumber":88},"/knowledge-base/diagnostics/xcp","Universal Measurement and Calibration Protocol (XCP)","ASAM XCP — successor to CCP supporting CAN, CAN FD, FlexRay, and Ethernet, with synchronous data acquisition, stimulation, and calibration.","7.knowledge-base/2.diagnostics/8.xcp.md",14,{"_path":90,"title":91,"description":92,"part":93,"_file":94,"chapterNumber":95},"/knowledge-base/reverse-engineering/ecu-flashing","ECU Flashing","How a control unit is reprogrammed over the wire with UDS, walked through step by step, why the sequence is staged the way it is, and how the SecurityAccess seed/key gate works, from weak proprietary LFSR ciphers to the Volkswagen SA2 script.","Reverse 
Engineering","7.knowledge-base/3.reverse-engineering/1.ecu-flashing.md",15,{"_path":97,"title":98,"description":99,"part":93,"_file":100,"chapterNumber":101},"/knowledge-base/reverse-engineering/oem-update-files","OEM Update Files","Where to find official ECU firmware, why OEMs ship it, and how the major manufacturer update container formats (VW FRF/ODX, Toyota CUW, Ford VBF, BMW psdzdata, Tesla BHX) are structured, decrypted, and unpacked.","7.knowledge-base/3.reverse-engineering/2.oem-update-files.md",16,{"_path":103,"title":6,"description":104,"part":105,"_file":106,"chapterNumber":107},"/knowledge-base/existing-research/introduction","Landmark papers from 2010 to 2016 that defined automotive security research and demonstrated the first complete remote exploit chain against a production vehicle.","Existing Research","7.knowledge-base/4.existing-research/1.introduction.md",17,{"_path":109,"title":110,"description":111,"part":105,"_file":112,"chapterNumber":113},"/knowledge-base/existing-research/engine-control-units","Engine Control Units","Public reverse-engineering work on engine ECUs, focusing on bri3d's documented exploit chains for the Volkswagen Group Simos 18 ECU and its Infineon TriCore TC1791 processor.","7.knowledge-base/4.existing-research/2.engine-control-units.md",18,{"_path":115,"title":116,"description":117,"part":105,"_file":118,"chapterNumber":119},"/knowledge-base/existing-research/ev-charging","EV Charging","Research covering two distinct attack surfaces introduced by electric vehicle charging, the HomePlug Green PHY powerline data layer used by the Combined Charging System, and the AC charger as a peer device with its own firmware and bidirectional communications.","7.knowledge-base/4.existing-research/3.ev-charging.md",19,{"_path":121,"title":122,"description":123,"part":105,"_file":124,"chapterNumber":125},"/knowledge-base/existing-research/fault-injection","Fault Injection","Published fault injection research relevant to automotive 
microcontrollers, covering voltage glitching, EMFI, debug access, and secure-boot bypasses on Renesas, Infineon, NXP/Freescale, and Tesla compute platforms.","7.knowledge-base/4.existing-research/4.fault-injection.md",20,{"_path":127,"title":128,"description":129,"part":105,"_file":130,"chapterNumber":131},"/knowledge-base/existing-research/infotainment-telematics","Infotainment & Telematics","Sixteen published research entries covering remote exploitation of infotainment and telematics systems across Tesla, BMW, Mercedes-Benz, Volkswagen Group, and Nissan vehicles, plus a cross-industry web API survey.","7.knowledge-base/4.existing-research/5.infotainment-telematics.md",21,{"_path":133,"title":134,"description":135,"part":105,"_file":136,"chapterNumber":137},"/knowledge-base/existing-research/sensors-and-radios","Other Wireless Attack Surfaces","Research covering wireless attack surfaces beyond the primary CAN and telematics interfaces, including tire pressure sensors and DAB radio receivers, both of which accept untrusted RF input and have historically performed no authentication or input validation.","7.knowledge-base/4.existing-research/6.sensors-and-radios.md",22,{"_path":139,"title":140,"description":141,"part":105,"_file":142,"chapterNumber":143},"/knowledge-base/existing-research/remote-keyless-entry","Remote Keyless Entry and Immobilisers","Research on cryptographic attacks against passive keyless entry systems, transponder-based immobilisers, rolling-code RKE, and the CAN-injection theft chain.","7.knowledge-base/4.existing-research/7.remote-keyless-entry.md",23,{"_path":145,"title":146,"description":147,"part":148,"_file":149,"chapterNumber":150},"/knowledge-base/tools/can-adapters","CAN Adapters","USB-to-CAN adapters — comma.ai red panda and PEAK-System PCAN — and the standard DB-9 pinout for 
CAN.","Tools","7.knowledge-base/5.tools/1.can-adapters.md",24,{"_path":152,"title":153,"description":154,"part":148,"_file":155,"chapterNumber":156},"/knowledge-base/tools/can-analysis","CAN Analysis","Tools for analysing and reverse-engineering CAN traffic — comma.ai cabana, SavvyCAN, VehicleSpy, and Wireshark.","7.knowledge-base/5.tools/2.can-analysis.md",25,{"_path":158,"title":159,"description":160,"part":148,"_file":161,"chapterNumber":162},"/knowledge-base/tools/scripting","Scripting","Python libraries and CLI tools for talking to a CAN bus — comma.ai panda, SocketCAN can-utils, python-can, and Scapy with ISO-TP and UDS examples.","7.knowledge-base/5.tools/3.scripting.md",26,{"_path":164,"title":165,"description":166,"part":148,"_file":167,"chapterNumber":168},"/knowledge-base/tools/dbc-files","DBC Files","The DBC file format used to describe the contents of CAN messages — nodes, messages, signals, comments, and value tables.","7.knowledge-base/5.tools/4.dbc-files.md",27,{"_path":133,"_dir":170,"_draft":171,"_partial":171,"_locale":172,"title":134,"description":135,"part":105,"references":173,"body":195,"_type":416,"_id":417,"_source":418,"_file":136,"_extension":419},"existing-research",false,"",[174,181,188],{"id":175,"authors":176,"title":177,"publisher":178,"year":179,"url":180},"rouf-tpms","Rouf, Miller, Mustafa, Taylor, Oh, Xu, Gruteser, Trappe, Seskar","Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study","USENIX Security Symposium 2010",2010,"https://www.usenix.org/legacy/event/sec10/tech/full_papers/Rouf.pdf",{"id":182,"authors":183,"title":184,"publisher":185,"year":186,"url":187},"davis-dab","Andy Davis (NCC Group)","Broadcasting Your Attack: Security Testing DAB Radio in Cars","TROOPERS 2015 / Black Hat USA 
2015",2015,"https://www.nccgroup.com/globalassets/our-research/uk/whitepapers/2015/broadcasting-your-attack-security-testing-dab-radio-in-cars.pdf",{"id":189,"authors":190,"title":191,"publisher":192,"year":193,"url":194},"tpms-2024","Berard, Imbert, Dehors","0-Click RCE on Tesla Model 3 Through TPMS Sensors","Hexacon 2024 / Pwn2Own Vancouver 2024",2024,"https://www.synacktiv.com/sites/default/files/2024-10/hexacon_0_click_rce_on_tesla_model_3_through_tpms_sensors_light.pdf",{"type":196,"children":197,"toc":406},"root",[198,206,212,219,226,241,246,251,256,261,270,275,287,292,337,345,351,356,368,373,378,383,388,396,402],{"type":199,"tag":200,"props":201,"children":203},"element","h1",{"id":202},"other-wireless-attack-surfaces",[204],{"type":205,"value":134},"text",{"type":199,"tag":207,"props":208,"children":209},"p",{},[210],{"type":205,"value":211},"Tire pressure sensors and in-car DAB radios share a property that makes them attractive attack surfaces: both accept untrusted RF input from the environment and feed parsed data into ECUs or head units with no authentication. 
Research on each has produced practical, wireless, drive-by attacks well before any defensive countermeasures were in place.",{"type":199,"tag":213,"props":214,"children":216},"h2",{"id":215},"tire-pressure-monitoring-systems-tpms",[217],{"type":205,"value":218},"Tire Pressure Monitoring Systems (TPMS)",{"type":199,"tag":220,"props":221,"children":223},"h3",{"id":222},"security-and-privacy-vulnerabilities-of-in-car-wireless-networks-a-tpms-case-study",[224],{"type":205,"value":225},"Security and Privacy Vulnerabilities of In-Car Wireless Networks: A TPMS Case Study",{"type":199,"tag":207,"props":227,"children":228},{},[229,235,237],{"type":199,"tag":230,"props":231,"children":232},"em",{},[233],{"type":205,"value":234},"Rouf, Miller, Mustafa, Taylor, Oh, Xu, Gruteser, Trappe, Seskar, USENIX Security 2010",{"type":205,"value":236}," ",{"type":199,"tag":238,"props":239,"children":240},"citation",{"id":175},[],{"type":199,"tag":207,"props":242,"children":243},{},[244],{"type":205,"value":245},"One of the first papers to demonstrate a practical wireless attack against a federally mandated, already-deployed automotive system. NHTSA had required TPMS fitment on all US vehicles sold after 2008, so the vulnerable surface was already at scale when the research appeared.",{"type":199,"tag":207,"props":247,"children":248},{},[249],{"type":205,"value":250},"The team selected two representative sensors (TPS-A and TPS-B) covering high US market share. Both broadcast Manchester-encoded frames in the 315/433 MHz ISM band. Using a USRP with a TVRX daughterboard, GNU Radio, and a commodity ATEQ VT55 trigger tool, they captured I/Q recordings, varied temperature and pressure in a controlled setting, and correlated the resulting bit patterns with sensor IDs printed on each unit. 
The recovered packet layout included a 28 or 32-bit sensor ID, pressure, temperature, flag bits, and a CRC; neither sensor used encryption or a message authentication code.",{"type":199,"tag":207,"props":252,"children":253},{},[254],{"type":205,"value":255},"Two consequences follow. First, static sensor IDs enable passive vehicle tracking: a roadside receiver with a low-noise amplifier can read sensor broadcasts at up to 40 meters, with no line of sight required. Second, the ECU accepts any packet with a matching sensor ID, so spoofed frames trigger real warnings. The team drove a second vehicle alongside the target on Interstate I-26 and triggered both the low-pressure and general-warning lights on the dashboard. One extended spoofing run permanently corrupted the target TPMS ECU, requiring dealer replacement.",{"type":199,"tag":207,"props":257,"children":258},{},[259],{"type":205,"value":260},"The authors proposed ID re-randomisation on tire changes; that recommendation remains largely unimplemented in production. The Synacktiv 2024 entry below shows what TPMS spoofing can become when combined with a vulnerable parser stack in a downstream ECU.",{"type":199,"tag":207,"props":262,"children":263},{},[264],{"type":199,"tag":265,"props":266,"children":269},"img",{"alt":267,"src":268},"Dashboard snapshots during the spoofing demonstration: left front tire shown at 0 PSI with the low-pressure warning illuminated (a), and the general warning light triggered approximately two seconds later (b). 
Figure from Rouf et al., 2010 (Security and Privacy Vulnerabilities of In-Car Wireless Networks).","/images/knowledge-base/existing-research/sensors-and-radios/rouf-tpms-2.png",[],{"type":199,"tag":220,"props":271,"children":273},{"id":272},"_0-click-rce-on-tesla-model-3-through-tpms-sensors",[274],{"type":205,"value":191},{"type":199,"tag":207,"props":276,"children":277},{},[278,283,284],{"type":199,"tag":230,"props":279,"children":280},{},[281],{"type":205,"value":282},"Berard, Imbert, Dehors (Synacktiv), Hexacon 2024",{"type":205,"value":236},{"type":199,"tag":238,"props":285,"children":286},{"id":189},[],{"type":199,"tag":207,"props":288,"children":289},{},[290],{"type":205,"value":291},"This Pwn2Own Vancouver 2024 entry uses forged BLE TPMS advertisements processed by the Tesla VCSEC ECU (PowerPC SPC56, FreeRTOS, VLE mode) as its entry point; the primary impact is arbitrary CAN write on the vehicle bus.",{"type":199,"tag":207,"props":293,"children":294},{},[295,297,304,306,312,314,320,322,327,329,335],{"type":205,"value":296},"VCSEC supports a sensor enrollment flow that activates when the car has been moving for 90 seconds at over 25 km/h and a previously enrolled sensor is absent. 
An integer overflow in the X.509 certificate reassembly function provides the bug: ",{"type":199,"tag":298,"props":299,"children":301},"code",{"className":300},[],[302],{"type":205,"value":303},"startIndex",{"type":205,"value":305}," is a ",{"type":199,"tag":298,"props":307,"children":309},{"className":308},[],[310],{"type":205,"value":311},"uint32_t",{"type":205,"value":313},", and the bound check ",{"type":199,"tag":298,"props":315,"children":317},{"className":316},[],[318],{"type":205,"value":319},"(startIndex + data_size) \u003C= 512",{"type":205,"value":321}," overflows when ",{"type":199,"tag":298,"props":323,"children":325},{"className":324},[],[326],{"type":205,"value":303},{"type":205,"value":328}," is near ",{"type":199,"tag":298,"props":330,"children":332},{"className":331},[],[333],{"type":205,"value":334},"UINT32_MAX",{"type":205,"value":336},", writing out of bounds into global memory before the 512-byte certificate buffer. A struct pointer containing a function pointer sits immediately before that buffer; overwriting it and triggering certificate validation redirects execution to shellcode, with no ASLR, CFI, or stack canaries on this target. Two ESP32 modules implement the attack: one races VCSEC to the real sensor to prevent enrollment, the second simulates a sensor that VCSEC then adopts and delivers the malformed certificate.",{"type":199,"tag":207,"props":338,"children":339},{},[340],{"type":199,"tag":265,"props":341,"children":344},{"alt":342,"src":343},"BLE attack chain for the TPMS exploit: the Racer ESP32 blocks VCSEC from enrolling the real sensor, forcing VCSEC into auto-learn mode where it connects to the Simulator ESP32 and triggers the certificate reassembly overflow. 
Figure from Berard, Imbert, Dehors, 2024 (TPMS Hexacon 2024).","/images/knowledge-base/existing-research/sensors-and-radios/synacktiv-tpms-2024-1.png",[],{"type":199,"tag":213,"props":346,"children":348},{"id":347},"digital-audio-broadcasting-dab",[349],{"type":205,"value":350},"Digital Audio Broadcasting (DAB)",{"type":199,"tag":220,"props":352,"children":354},{"id":353},"broadcasting-your-attack-security-testing-dab-radio-in-cars",[355],{"type":205,"value":184},{"type":199,"tag":207,"props":357,"children":358},{},[359,364,365],{"type":199,"tag":230,"props":360,"children":361},{},[362],{"type":205,"value":363},"Andy Davis (NCC Group), TROOPERS 2015 / Black Hat USA 2015",{"type":205,"value":236},{"type":199,"tag":238,"props":366,"children":367},{"id":182},[],{"type":199,"tag":207,"props":369,"children":370},{},[371],{"type":205,"value":372},"Factory-fitted DAB radios are standard on most new vehicles, and the head unit processing broadcast data typically connects to the CAN bus. Because DAB is a broadcast medium, a single attacker transmission reaches every receiver in range simultaneously.",{"type":199,"tag":207,"props":374,"children":375},{},[376],{"type":205,"value":377},"DAB carries multiple data layers above the audio, each a distinct parsing surface. The Fast Information Channel (FIC) delivers ensemble and service metadata as Fast Information Groups (FIGs). The Multimedia Object Transfer (MOT) protocol carries JPEG and PNG slideshow images rendered on the head unit display. Programme Associated Data (PAD) carries Dynamic Label Segment (DLS) text displayed as station or track information. 
FIG 0/6 service linking records and FIG 0/22 transmitter databases are fetched over the air and stored locally, with fixed-size allocation in some implementations.",{"type":199,"tag":207,"props":379,"children":380},{},[381],{"type":205,"value":382},"Davis built a custom DAB transmitter from OpenDigitalRadio components and a USRP B200, then extended it into a fuzzer covering every protocol layer without touching the radio modulation. Testing against in-vehicle head units from multiple manufacturers produced code execution via a malformed JPEG or PNG through MOT, format-string conditions in DLS and ensemble label fields, SQL injection candidates where ensemble metadata is stored in a local database, and buffer overflow candidates in FIG database parsers. In some architectures, D-Bus interfaces on the head unit were bound to all network interfaces and exposed CAN access, enabling ADAS feature manipulation after gaining code execution.",{"type":199,"tag":207,"props":384,"children":385},{},[386],{"type":205,"value":387},"A single low-power transmitter on an unused DAB frequency can reach every compatible receiver driving through the coverage area, with no per-vehicle targeting required.",{"type":199,"tag":207,"props":389,"children":390},{},[391],{"type":199,"tag":265,"props":392,"children":395},{"alt":393,"src":394},"DAB attack surface diagram listing the protocol layers and media types that form the receiver's parsing exposure: FIG data within the ETI stream, MOT, DLS labels, and media formats including images and video. 
Figure from Andy Davis (NCC Group), 2015 (Broadcasting Your Attack).","/images/knowledge-base/existing-research/sensors-and-radios/davis-dab-1.png",[],{"type":199,"tag":213,"props":397,"children":399},{"id":398},"references",[400],{"type":205,"value":401},"References",{"type":199,"tag":403,"props":404,"children":405},"chapter-references",{},[],{"title":172,"searchDepth":16,"depth":16,"links":407},[408,412,415],{"id":215,"depth":16,"text":218,"children":409},[410,411],{"id":222,"depth":22,"text":225},{"id":272,"depth":22,"text":191},{"id":347,"depth":16,"text":350,"children":413},[414],{"id":353,"depth":22,"text":184},{"id":398,"depth":16,"text":401},"markdown","content:7.knowledge-base:4.existing-research:6.sensors-and-radios.md","content","md",1779543672144]