Training

We provide a three-day hands-on training; see details below. Please contact us for more information.

Private offerings

This training can be offered privately for groups of five or more. Training is given on-site at your company location, so you don't have to worry about traveling. Trainings can be tailored to your wishes. Prices start at €3000 per student for a three-day course.

Public offerings

Currently there are no public offerings for 2023. This page will be updated when new public courses become available. To stay up to date with any public trainings, you can sign up to our mailing list.

What to expect | Key learning objectives:

Interested in opening up a car hacker's toolbox and applying these tools and techniques hands-on? Then this training is the best fit for you!

In this course, the participant will become familiar with the theory and practice around numerous techniques in automotive security. This allows the participant to see what’s in a car hacker’s toolbox, and how to mitigate possible security vulnerabilities.

The trainee will learn how to leverage open source tools to perform an analysis of various aspects of the modern car. Everything from attacks on the physical layer and diagnostic protocols to the reverse engineering of firmware will be covered.

Various simulated networks and real Electronic Control Units (ECUs) will be available to practice on. Based on experience level, different ECUs and challenges will be available. A USB to CAN adapter will be provided, to be brought home by the participant to apply their new skills on their own targets.

Training overview:

  • Attacks on the communication networks found in cars, such as spoofing, DOS and MITM and their mitigations.
  • Overview of diagnostic protocols such as UDS and CCP/XCP and their security features.
  • Various methods to obtain firmware files, and how these files can be protected.
  • Reverse engineering of automotive firmware. Learn how to quickly identify the relevant part of an ECU's firmware.

Detailed training description:

Day 1 - Introduction

Day 1 of the training will be used to become familiar with the standards used for the communication between Electronic Control Units (ECUs) in a vehicle. Attacks on the physical and link layers will be discussed, along with their possible detection and mitigation.

In the second part of the day, we will look at hardware used to interact with the vehicle’s network, and implement our first attack.

Theory:

  • Introduction to a typical modern car network layout and gateways found within.
  • Physical and link layer standards such as CAN, CAN-FD, LIN, FlexRay and Automotive Ethernet.
  • Hardware attacks on these networks and possible mitigation strategies.
  • Diagnostic protocols such as OBD-II, KWP2000 (ISO 14230-3), Unified Diagnostic Services (UDS, ISO 14229-1) and CAN Calibration Protocol (CCP/XCP).
  • Real-world examples of CAN traffic including integrity checks such as counters and checksums.
  • Recent developments in cryptography for automotive networks (SecOC).
  • Hardware used to interact with the vehicle’s network.

Hands-On:

  • Introduction to analyzing CAN traffic using Wireshark and cabana.
  • Find signals on CAN bus and create a DBC file.
  • Connect to a CAN bus using your computer, and perform an attack on the physical layer (DOS or MITM).
  • Reverse engineer a checksum algorithm and spoof a message.

Day 2 - Hardware and tool development

On the second day of the training, we will dive into the actual hardware of a car and its ECUs. You’ll learn how to find the schematics of a certain car, and identify the best points to connect to the different networks. We will look at software provided to repair shops by the manufacturer. Different firmware update files and their protections will be discussed. We will also look at the inside of an ECU and ways to extract its firmware.

In the second part of the day, we will focus on writing scripts to find and interact with the different diagnostics protocols supported by the ECU. Software libraries to quickly build these tools are discussed. A software attack on an actual ECU will be performed to brute force the authentication and extract the firmware over CAN.

Theory:

  • Where to find schematics and how to interpret them; a look at available OEM software for repair shops.
  • Extract firmware from manufacturer update file.
  • Discuss different micro-controller architectures commonly used in ECUs.
  • PCB reverse engineering; extracting firmware from an ECU using a debug probe.
  • Fault injection attacks against automotive micro-controllers.
  • Software libraries to write own scripts to interact with the CAN bus.

Hands-On:

  • Perform a DOS attack on a real CAN bus.
  • Implement a scanner to identify available UDS endpoints.
  • Perform a brute force attack for the UDS Security Access endpoint.
  • Find and communicate with possible CCP/XCP endpoints.
  • Choose your own adventure: extract firmware using a method of your choosing (update file, CAN logs, JTAG/debug probe, UDS or CCP/XCP).

Day 3 - Reverse engineering and obtaining code execution

We will conclude the training by reverse engineering the firmware that was obtained on day 2. During the theory session, a quick introduction to Ghidra will be given. An ECU firmware file consists of up to millions of lines of code which would take a long time to fully reverse engineer. Tips and tricks will be taught to quickly identify parts of the firmware that are of interest. Then, we will modify the firmware, and flash it back to the ECU in order to obtain execution of our custom code.

Theory:

  • Introduction to Ghidra.
  • Identify processor architecture and load firmware into Ghidra.
  • Apply memory map and find relevant base/register addresses.
  • Common patterns used in automotive firmware.
  • UDS update/flashing procedures.
  • Firmware integrity checks: checksums and secure boot.

Hands-On:

  • Reverse engineer the security access algorithm.
  • Reverse engineer the flashing procedure.
  • Apply modifications to the firmware, ensure signature checks pass.
  • Write your own tool to flash the modified firmware onto the ECU.

Who should attend? | Target Audience:

  • Security researchers interested in automotive
  • Engineers interested in developing aftermarket automotive products
  • Automotive engineers/suppliers
  • Hackers interested in learning more about their own car

What to bring? | Hardware:

  • Laptop with Wi-Fi and at least two USB-A ports (or USB-C to USB-A adapter).
  • Laptop with Linux (Ubuntu 20.04 or newer), macOS (Ventura) or Windows (10 or newer).
  • VirtualBox or VMware to run the provided virtual machine. USB pass-through required.

What to bring? | Knowledge:

  • Basic programming knowledge (Python or Rust)
  • Experience with Linux
  • Basic reverse engineering knowledge preferred, but not mandatory

Resources provided at the training:

  • Each trainee will get a chance to work on multiple real ECUs.
  • A test bench simulating a complete vehicle’s network, used to practice different diagnostics protocols.
  • A virtual machine with all the tools needed during the training.
  • A USB to CAN adapter which can be taken home after the training.
  • Handout/lecture slides, to be taken home.

About the trainer

Willem Melching (https://twitter.com/PD0WM) is an independent security researcher. He has over 5 years of experience working on automotive security and reverse engineering. During his time at comma.ai he worked on providing open source tools to help the community reverse and interact with a wide variety of cars. Check out his blog (https://blog.willemmelching.nl/) for recent work.