
[Applause] Hello everybody, can you hear me okay? All right, thanks for coming. This is Saving My Car by Hacking It. Say hello, Joanne. Whoa. As you've no doubt gathered from that title, this talk is different from the other talks. A lot of the other talks here today, most talks, are by experts in their field discussing or debating a topic in the industry, where we're going and why, that kind of thing. This talk, though, is about a guy stumbling around trying to fix something he most certainly does not understand. So there are two goals of this talk. One is to entertain you with the insane effort that went into fixing my car, and the other is to hopefully motivate or inspire you to go to insane lengths to accomplish something, because in my experience, you know, the crazier it is, and the crazier people tell you that you are to attempt it, the better off you'll be if you just go ahead and do it.

So let me just ask, show of hands, how many people in here know anything at all about car hacking? Darn, because you probably know more than me, because I knew absolutely nothing when I started this. So I apologize in advance if I say anything stupid; I just messed around to see what I could figure out. So by the end of this talk you might say I might be able to... I still don't know anything, as you'll see. I'd never seen a talk on car hacking before and never done any reading on it, nothing. I just jumped in over my head and started trying to hack this thing from square one.

So let's get this out of the way: do not hack your car, at least not the car that you actually drive. I mean, I cannot stress that enough. We have to keep in mind here that we are potentially messing with the code that decides whether the car is going to respond to your turn of the steering wheel or applying the brakes or pressing on the gas pedal. I mean, if you flip the wrong bit in the firmware, then something like that could flip, you know, in your car, and you're now in a ditch. So don't be crazy, please be careful.

So, having said that, meet the manual transmission 1997 Chevrolet Cavalier. This guy has been a part of my life for the better part of three hundred and fifteen thousand miles, and it's all on the original clutch, believe it or not. But one day I got in to take off somewhere and it just would not start. Now let me just say, when it comes to cars I know basically nothing. I know how to start a car, but... that's a random picture I got off the internet, that is not actually my car, but it is a '97. So I know how to start a car, I know how to drive a car, I know to put gas in a car, I can put oil in a car, but am I an expert on repairing cars? Not at all, not in the slightest. So before I could even begin to understand why the car wouldn't start, I had to do a lot of reading to understand the basics of how the car runs, because every car is different.

So here's what I came up with as an overview of the basic components of this car. In the steering column, behind the steering wheel, you have two components physically locked into each other: the ignition lock cylinder, which is the green box, and the ignition switch, which is the blue box. So the first thing that happens is you put your key in the ignition lock cylinder, and then when you turn the key you're physically rotating the key inside the ignition lock cylinder, which is also locked into the ignition switch, so when you turn the key you're also turning that ignition switch. And the ignition switch has a sort of kill switch, which is the clutch safety switch, the red box in the picture, and assuming the clutch pedal is depressed, which activates the clutch safety switch, the turning of the ignition switch supplies power from the battery to everywhere it needs to go for the car to start, which is why you have to have the clutch pressed in on a manual transmission before it'll start.

So the engine turning over is not the end of the story; there's still the anti-theft system to deal with, and on this car it's something called the Passlock security system. Essentially, if the engine is running but the computer can't detect that the car was started legitimately with the original key, then it disables the fuel injectors, which causes the car to die. And since the ignition switch physically turning and supplying battery power to the right places is what makes the car start, all you have to do is detach that ignition switch, take a screwdriver in there and physically turn it the same way you turn the key, and it will fire right up. That's the good way to steal a car, by the way, if you know it doesn't have a security system. But so the Passlock system needs to prevent that from working somehow, and the way it does that is it starts with the ignition lock cylinder, which is the green box, and inside there is a resistor of a certain resistance, which is different from car to car, and that resistance is known by the instrument panel cluster, which is the yellow box. And when you physically turn the cylinder it applies that certain resistance to a wire connected to the instrument panel cluster, so when you turn the key a signal is sent to that instrument panel cluster and then it knows whether that resistance is correct, and if and only if the resistance is correct it sends a password, whatever that is, over to the PCM, also known as the powertrain control module, or the main computer. And if the engine is started but the PCM hasn't received that password from the instrument panel cluster, then it makes the decision to disable the fuel injectors, and then it illuminates the check engine and security lights on the cluster, and then it sets the trouble code: security system disabled the car.

So an awful lot of stuff has to be working correctly in order for the PCM to have what it needs to not disable the fuel injectors. So you've got the ignition lock cylinder, the instrument panel and the wiring that connects all those to each other, that's... sorry, good.
Not that I'm aware of.
Well, there is actually a relearn procedure that you can do, and that relearn procedure is what tells the instrument cluster to start paying attention to that new resistance. So you actually can, and I'll get into that, you can actually bypass it by just putting any resistor in there.
Yeah, you scare me, because you know a lot more than I do. But so the ignition lock cylinder, the instrument panel, the wiring that connects those to each other and the PCM all have to be correct or the car can't start. So what's wrong with my car? Well, the engine does turn over, and then a second later it dies, and the security warning light on the instrument panel cluster lights up. So something in this whole chain of the Passlock system is not functioning as it should. So naturally, start replacing parts and see what happens.

The first thing I thought was that the ignition lock cylinder might be bad, so I looked up various guides online on how to bypass the Passlock system, and people do that by putting their own resistor on that instrument panel cluster, or on the wire that leads to it, and then they trigger that relearn procedure so that it'll accept that new resistor value, which is how all remote start kits work. And by the way, that relearn procedure takes 30 minutes; that's intentional, so if someone were trying to steal the car they've got to wait 30 minutes where they're going to steal it, so that's why they do that. So I did that, and it didn't help. So then I decided to buy a brand new ignition lock cylinder and put that in; still no. So then I thought maybe the ignition switch is bad, which is kind of a long shot, but I tried putting one in, and that also didn't help. Then I thought maybe the clutch safety switch had gone bad, so I checked with a multimeter to make sure the clutch pedal was properly making that switch connection, which it was. So if you look under, behind the clutch pedal, you can see a switch in there, and there are wires that come out of it, so just check to make sure it's good all the way up to the ignition switch.

So then I thought maybe the computer had somehow gone bad, and maybe the pins on it had corroded or something. I mean, who knows, anything could be causing it to not send that password from the instrument cluster to the computer. But there is a problem with replacing that component, and that is that your VIN number, your vehicle identification number, which is unique to your car, is stored in the PCM, and not only that, but the password that flies around between the instrument cluster and the PCM is generated from the VIN number. So the PCM and instrument panel cluster are kind of married to each other, you know, so if you replace one of them it needs to have the matching VIN number in it or you'll cause exactly these problems. So fortunately you can buy replacement PCMs on eBay, and the seller will preflash it for you with the VIN number that you specify. So I did that, I bought one off eBay, slapped it in the car, and it still didn't work.

So just to recap: replaced the ignition lock cylinder, replaced the ignition switch, replaced the computer itself, and still nothing. So that just leaves the instrument panel cluster, and it is prohibitively expensive to get a new one with the right VIN number in it. I don't even want to think about it. This is not practical; like I said, don't do this. So this is just... yeah, exactly. So it's either the instrument cluster, which is way too expensive to replace, or it's the wiring that connects all these components together. Now there are dozens upon dozens upon dozens of wires connecting all this stuff together, and usually when there's a loose connection somewhere people just give up and junk the whole car; these bad connections are almost impossible to track down, and even worse, I have no idea how to do that. So I returned all these replacement parts, so I hadn't actually spent any money at that point except for the PCM from eBay, and tried to think about what to do next.

So at this point I have a spare PCM that only works with my car's VIN number, and I know that the PCM disables the fuel injectors whenever it detects an unauthorized engine start, meaning it didn't get that password from the instrument panel cluster. And I also know that the PCM contains firmware that implements this detection, and I know the dealership updates firmware all the time. So if that's the case, what's to stop us from modifying the firmware and removing that check? That's when I started reading about a community of people called tuners, who modify the firmware in their cars' computers to tweak engine performance and other stuff, just to generally get the most out of their cars. They also actually disable the security system in the firmware so that they can take the engine and the computer and transplant it into the body of another car and it'll keep working, which is exactly what I want to do. I wanted to disable that feature entirely, so that the computer doesn't care what's going on outside of it as long as the engine turns over and runs. So there you go, sounds like a project. All I want to do is just do what they do; if they can do it, so can I.

So the next question I had to ask myself is, how do other people disable this check? Well, according to the internet, people tune their cars by loading up the firmware image in an application called, oddly enough, TunerPro, a free application, then they load what's called an XDF file, or a definition file, which defines the memory addresses for configuration flags for all sorts of things, including of course the enabling and disabling of that anti-theft functionality. So then all they have to do is tell TunerPro, hey, turn this off, and it knows which bits or bytes to change from that XDF file, and then it saves the firmware image back out and the tuners write that firmware image back to the car. Sounds easy, right? Well, it depends on the kind of car you have. Most tuners and car dealerships will update the firmware through the OBD2 diagnostic port under the steering column, which is on every car manufactured after 1996, which is good for us because we have a '97 that we're trying to deal with. Unfortunately, though, each car manufacturer uses different protocols and different tools to actually connect to and use that diagnostic port. For example, General Motors, which is what we have to deal with for our car, has a specific device called a Tech 2 scan tool, which is kind of a fancy code reader that you plug into the OBD2 port, which of course is capable of more than just reading diagnostic codes; it can upload and download firmware in the PCM. There's one problem with this thing, though, and that is that it is ridiculously expensive. This thing runs anywhere from a few hundred, if you want the cheap Chinese clone, to several thousand dollars. Which, you know, fine, maybe the protocol that it uses is documented somewhere online, so maybe we can just implement it ourselves with something else. So I do some Googling, and no, that's not the case. In fact it uses some sort of proprietary obfuscated algorithm, so you've got to unlock the PCM before you can read from or write to it. GM really doesn't want you doing yourself what this thing does, unfortunately. So even worse, it seems there's no XDF file for our particular car, so we're going to have to find these memory addresses ourselves.

So now what do we do? Well, first things first, we need to get at the firmware, and if we can't simply plug in and read or write the firmware, we're going to have to get physical. So I unplug and remove the PCM from the car and unscrew the top cover, and this is what I see. I'm not a hardware guy, so I can only make educated guesses as to what's going on inside this thing, but one thing I do know is that at the bottom are the connectors for attaching the PCM to the car; on the left and right sides appear to be some kind of heat sinks or something; and then in the middle is a whole mess of chips and circuitry, and the square chip just to the left of center near the top looks to be the most complicated one. It's got the most pins, and I'd be willing to bet, more than likely, that that is probably the main processor of this thing. And I've taken apart enough things to know that's probably what it is; it's probably the brain of this whole thing, and the majority of these smaller chips probably serve some specific purpose, something that the main processor wouldn't have time to do itself, like handle the communication over the OBD2 diagnostic port.

So the big question here is, where is the firmware stored? Based on what little information I can gather, it's probably stored in one of two places. One, it's stored inside that square custom chip, which means we're screwed, because we'll never figure out what it does or what all those pins do; or it's stored in a separate standard memory chip. So what do we do? We start Googling every number we find printed on every chip on this board, and when we do, one in particular stands out, which is that rectangular chip, you probably know, that rectangular chip at the top, which is a flash memory chip capable of holding five hundred and twelve kilobytes of data, and for an embedded device like this that's a fairly significant chunk of memory, more than enough to hold the code that controls this thing. So it's fairly safe to say this is probably the thing that we want.

So now that we've identified the memory chip we want to dump, how do we dump it? Well, even though I'm not a hardware guy, I have physically extracted chips like this before, so I happen to already have an old Willem EEPROM programmer, in this picture here, which is capable of reading from and writing to all sorts of memory chips through adapters that you plug into that big green rectangular connector. But of course I don't have the adapter for this particular chip, so I had to wait for one to get here from China. But six to eight weeks later, eventually, it got here, and I had everything I needed to physically desolder the chip and drop it into this nice adapter, plug the adapter into the programmer, hook it up to an old piece of crap PC (you see, this still has a parallel port, which this thing uses) and dump it. Right? Well, the problem is this adapter sucks. The whole programmer sucks, to be honest; it's something right out of the late '90s, and I realize the irony of that, since I'm trying to fix a car from the late '90s, but that's neither here nor there. The reason the adapter sucks is that the zero insertion force socket isn't capable of making good contact with the pins on the sides of the chip, and because of that I just can't get a good, reliable, consistent dump of the chip. So I have no choice but to remove the zero insertion force socket and solder the flash chip right onto the adapter, like I did in that picture there. Once I did this, though, I was able to consistently dump the entire 512 kilobytes of that chip.

So, yeah, thankfully Google has come to the rescue and presented me with a series of forum posts that tell me how to interpret this firmware dump. These seven- or eight-year-old posts are pretty much the only hope I could find on the subject, so I had to decipher this one guy's notes and just do the best I could. Apparently the processor in this PCM and others of its era is a Motorola, it's called a Motorola 68020, which uses the CPU32 instruction set. And here's where I lucked out, because I just so happen to have a history with the Motorola 68000 since high school. As you know, as Iris mentioned, I've been messing with BASIC and assembly programming on Texas Instruments graphing calculators, some of which have Motorola 68k CPUs, and I enjoy collecting and tinkering with old game consoles, which is good because the Sega Genesis just so happens to have a Motorola 68k CPU, and like you said, I did that talk a couple of years ago about dumping that ROM. So I am no stranger to this processor, or so I think; we'll find out.

So anyway, it sure would be nice to be able to confirm in some way that this file really was dumped correctly and this really is Motorola 68000 code being executed by this PCM. Well, one thing I do know about the Motorola 68k is that there should be a vector table at the beginning of memory. And what is a vector table? It's a table of addresses that the Motorola 68k CPU uses in response to certain events. For example, when the CPU first gets power, it has to start executing from somewhere, right? So it figures out where to do that by looking at memory address 4, which holds what is called the reset vector, because that's where the address to start executing code from on reset is stored. So if I look at that address, what I see is 0 0 0 0 4 0 0 4. OK, so if I fire up a disassembler, IDA Pro, look at address 4004 and tell it to start analyzing code there, I get total garbage, which is strange. So what to do about that? So we start looking for human-readable strings. So I do a quick scan and I find just a couple of strings, and one of them appeared to be a 17-character VIN number, except it's not quite. Remember, the actual VIN number, and this is just an example, it isn't really my real number, looks like what's on the slide there. So I stared at this for a minute until I realized that if you swap every two characters, or bytes, in the actual VIN number, you get the resulting string in the file. So it turns out that the file is all jumbled up, and I found out later this is called byte-swapped, because every two bytes are actually swapped; that's how they're actually physically stored on the chip. But that's not what we want; we want to see how it's actually being executed by the processor. So we whip up a little script to swap every two bytes in the file and write it back out, and now we have the file we really want. So if we go back to looking at address 4, we don't see 4004, we see 0440. So if we go there in IDA Pro and start analyzing, we see an explosion of readable code; in fact you see beautiful graphs of how cleanly this file is disassembled. It's almost scary how clean it is, which is a rare thing.

So that's great, we have a complete firmware dump, it disassembles cleanly in IDA Pro. Now what do we do? At this point this all just appears as five hundred and twelve kilobytes of pure nonsense, because it would take years to properly and truly understand all this code. So let's remember our goal, which is to
disable the check on whether we've received a password or not from the instrument panel cluster the problem is we have absolutely no idea where and the firmware that check is and it doesn't seem to exist the next as I mentioned there doesn't seem to be exist in xdf file for our 97 cavalier but and this is the key maybe one does exist for a similar car so if we know the memory just we want to change in somebody else's firmware image maybe that will give us clues to finding the memory address in our own image so after doing lots and lots and lots and lots of googling the closest firmware much I could find which had a matching xdf ah
was the 2001 Pontiac trans-am so if you load up this firmware image 90 a pro along with corresponding xdf file we hopefully can get it to tell us what controls this any theft feature when I do I notice the particular setting called option byte for C vehicle theft deterrent which sounds promising and it gives me the memory address of 185 CC so if I fire up ID a pro and go against that 2001 panic Trans Am image and go to that memory address it puts me in the middle of a bunch of bytes that are referenced all over the place in the code it turns out - this area is some sort of configuration area which controls all
the features of the cars computer all the flags all the things that control what the firm was going to do are all stored in there so if I were to change that bite and tuner Pro and save the firmer it will update two things one it'll update that option by it at 25 CC and it'll also update a checksum word or 2 bytes that protects the configuration area from corruption or tampering so to turn off the iniative system all we have to do is flip a bit update the check zones right those changes back to the car and voila we're done sounds simple so all we have to do is find the same code that uses that byte
I didn't that transitions didn't work I was going to show one modified so it's not refining five designs at all it's always who's financing code that uses that byte from the 2001 Pontiac trans-am image in our own 97 cavalier firmware image so the code being displayed here is just one of several places where the any theft flag is used according to a pro but this code in particular in particular is the only time where there's a small subroutine that looks at the value of that flag and then returns it to something else and this subroutine gets called all over the place way too many places to track down but that just tells us that it's an
important flag so theoretically now all we have to do is find similar looking code to this and our own firmware image and give me one know what's change so we simply look in our own firmware for these exact instructions except the references to that memory just that FF ba v5 and see if we can find it and did we find it no so of course that's a really simplistic check so let's try to be a little bit smarter let's look for any comparison to bit 2 of a particular bike anywhere anything did we find it no of course not so we look for the just those SME and neg instructions against register D 0 and then handy anytime where that's
happening and being handed with something else do we find it no so let's look for those instructions next to each other anywhere in the firmware image do we find it no so there are plenty of eeeh Slee there are plenty of reasons why the code would be a little different you've got compiler optimizations and all kinds of things that's fine we just have to get more creative I thought it would be really simple to simply look for the same or similar code pattern in our own form or inventions we'd have no trouble finding it but apparently not so that begs the question these tuner Pro xdf definition files have to get created by somebody right so how do they find all these
memory addresses that they're interested in so they can build these xdf files well according to the foreign posts I found they look for a particular piece of functionality and firmware and this functionality they look for is the code that handles all the scan tool requests and schedules just another name for an obd2 code reader which is the device you plug into the port under your steering wheel and read diagnostic codes one of your check engine lights on so the computer here the PCM here it's what's responsible for receiving the commands from that code reader device it it generates a response and then sends it back over the obdd du port to your code reader tool so that means it's somewhere
in this five or enfold kilobyte mess is all the code handles all these requests and more importantly these tools are capable you know as I said receiving boards as those codes they can upload and download firmware but they can also retrieve all sorts of real-time engine information telling you exactly what the computer is doing and how well it's doing it and most importantly it also can return the anti-theft system status and in order for us to do that it has to look at our options flag to determine whether it's even enabled so that means if we can understand this obd2 communication code we can find our way to the option flag in the 2001 Pontiac
trans-am firmware and if we can navigate our way to the flag from there then we can just apply that same logic to our firmware and then find it that way so how do we find the code to handle these requests well if we consult our PCM hacking 101 guide we start by looking for the code that actually interacts with the obd2 port so how does the motorola 60th the youth with that obd2 port or any hardware it uses something called memory mapped i/o which is that basically means that the hardware is wired in such a way that when you read from a right to a particular memory address you accessing bytes in the firmware on the
+4 in RAM you're manipulating actual hardware so now in any given device there is usually a range of address space dedicated just interacting with Hardware not always but usually and we know it has to be outside the range of where the firmware exists and we know it has to be outside the range where the RAM exists now we know how big the firmware is and since we disassembled so cleanly we know it starts out at address 0 but that's where we started disassembling it so that means the firmware goes from address 0 all the way up to 7 ffff and we also know from poking around in the disassembly that the RAM starts at FF zeroes or 0 but we
don't know how big it is or we don't know where it is now this is kind of nutty but I was in a hurry so basically what you can do is just use ID a pro to export ASM file which contains all the all the code for it all the instructions decoded and then use regular expressions to rip out the memory address is accessed by certain instructions and to just sort that list of memory addresses which will tell us every memory address to get access in this firmware maybe not everything but the vast majority of it so when we do that we discover that Ram axes accesses only go up to a certain point and then
things start getting weird so we start we start looking at memory at the value that the memory dresses beyond that we start seeing loops on the value contained at those certain memory addresses which you know it wouldn't make sense to keep reading the same area over and over in a loop unless expecting something to change unless that address represents a piece of hardware that can change externally so when you see code like that you know you're dealing with memory mapped i/o so we don't have a complete memory map just yet but we know where the hardware accesses are likely to be so consulting our forum guys again we learned that one of these chips on
the PCM circuit board is responsible for handling all the obd2 port communication and by that I don't mean it generates the request or the responses I mean it deals with the work of interpreting the raw signals from the obd2 port spins and translating that into a series of bytes going back and forth between the firmware and whatever device you have plugged in to the ot2 port so all it does is till the firmware Hey something sent 5 bytes to us here they are just tell me what you want me to send back and the firmware deals with the logic of actually figuring out what those bytes will be and this shift has a name it's
called the MC 68 HD 58 data-link controller and lucky for us there is documentation out there on the internet for us to look at about this chip it's fairly comprehensive occupation about anything and everything you ever wanted to know about how to interact with this controller and it even tells us the hardware registers meaning the memory mapped i/o that the firmware uses to communicate with it tells us everything but the actual number the actual memory address that the firmware is using to interact with it which is going to be up to us to figure out so after you printing out that documentation for the chip and some sleepless nights reading it I figured out that some bytes in the firmware must
be writing to certain registers otherwise the chip can work the chip has to be initialized by writing certain values to it so that has to exist somewhere in the firmware so I started hunting down where these rights were in the firmware and sure enough I found them starting at address FFF 6 0 0 so that is the start of the range that you can read from and write to to manipulate the data link controller chip so now that we found the code that receives a command I always look for references to that address by the way we'll find code that deals with it so now that we've found the code that receives the command from and obd2 code reader it should be
really easy to read the disassembly and get from there to the code that accesses our options like well know according to our forum guide apparently it isn't that simple the firmware actually buffers these requests and RAM and then it DQ's them from that buffer later on when it's able to get to it and then after it's acted on that request and calculated a response for it it buffers that for whenever the firmware is able to get around to sending it back to the device it's plugged into the obd2 port so basically you have something of a kind of a multi-threaded environment going on here for lack of a better term which makes perfect sense I mean the computer has to
focus on keeping the engine running smoothly you can't get tied up with requests on how well the engine is performing it's got to focus on the engine so it makes sense but that makes it a freaking nightmare to try and disassemble you just can't I mean the forum guide does its best to explain it but unfortunately it's information doesn't apply a hundred percent to our firmware and it's just too difficult to extrapolate what we need in order to find it so it's just too darn complicated to disassemble and get anywhere so we're just screwed all right well your growth starts getting really nutty if heat by the way if you read the abstract for this talk that is a
reference to descending into madness welcome to the madness if we can't read the disassembly of the code and understand it then our only option is to execute and debug it so how in the world do we do that apparently there are people out there that actually do this they pull the PCM out of the car and put it on a workbench and attach a bunch of equipment to it and debug the code in real time to see what it's doing but I have absolutely no clue how to do that I mean we don't have the pin outs for the PCM so even if we did know what we were doing we wouldn't know how to interface
with this specific PCM so we don't know anything about the hardware we don't know anything about the software all we know is the CPU it's running in the basics of a memory map for it well that's one thing we do have going for it is at least an extremely similar if it's a CPU extremely similar to others with other well-known ones which is guaranteed to have dozens of emulators out there for it for Sega Genesis and other things so all we need the firmware to do is just is boot just well enough that we can send these scam tool requests to it and see what code gets executed when we do that it doesn't actually have to keep an engine running
we just need to see how to get from point A, which is the data link controller code, to point B, which is the memory access of that option flag. So this is an absolutely insane idea, which is of course why we're going to do it. So if we're going to seriously consider this, we have to think about what language we're going to do this in. Now, I live, breathe and dream C# for my day job, so that is firmly ingrained into my brain. So if we're really going to do this, I'm going to have to hack the crap out of an existing emulator. I need to be able to gut hardware access code, to be
able to add it right back, and to gut it again and add it back with great efficiency. I need to be able to do it quickly. So what I want to do is find a Motorola 68000 emulator in C#, and you'd think that wouldn't exist, but believe it or not, thank goodness, it actually does. There is actually an old Capcom arcade system called the CPS1, or Capcom Play System 1; I don't know if you've heard of that. I hadn't; I had to google it. And if you ever played Street Fighter 2 in an arcade, you may very well have played this thing, or you have used it. Somebody actually went to the trouble and created an emulator
in C# for this thing, with a full-featured debugger. It could play the games with smooth video and sound, and you can get it right now on CodeProject. We really lucked out, because this thing not only emulates the Motorola 68000, it emulates the Zilog Z80 CPU, because it used that as a sound processor. So all we have to do is hack the crap out of this emulator: totally gut all the video-related code and display hardware, all the timers and other stuff unique to the CPS1, and just trash it. So I spent a not insignificant amount of time refactoring this application until it was just the Motorola 68000
CPU core, with the ability to extend it with details about our PCM hardware. So now that I have this Motorola 68k emulator in C#, it's time to get it to boot the 2001 Pontiac Trans Am image, "boot" for lack of a better word. So I fire it up and I find that it immediately encounters an illegal instruction, and I can't say I'm very surprised; we're insane that we're even trying this. But let's take a look at that memory address in IDA Pro and see what's going on. And when I look at that address, I saw something I didn't expect to see: I see a TBLU instruction. What in the world is that? I have no idea,
never seen it before, I've never seen it in any Sega Genesis disassembly that I've ever dealt with, but IDA Pro knew how to display it to me, so that tells me it's not actually an illegal instruction; somebody somewhere knows what this is. So I go hunt down the Motorola 68332 user manual and look up the TBLU instruction. Now, I won't get into the weeds on this, but basically this instruction performs a table lookup and calculates a value based on precisely how far into the table you go; it utilizes both whole and fractional components. It's kind of nutty that an instruction like that exists, but so why in the world would a
CPU need an instruction that does this? It's actually really useful in exactly this type of automotive application, because it lets the PCM store complex tables of engine information and it can quickly derive a precise value when communicating with various pieces of hardware, so you don't have to store massive tables; you can just store approximations of the data and it can figure it out from there. It's all very fascinating, but we don't care; we just want the emulator to not crash. So we put a halfway-decent implementation of that instruction into the C# emulator, based on my poor understanding of what it does, and just move on, which was painful. But getting into the weeds on Motorola 68000 decoding enabled me to fix all sorts of
bugs that were in the CPS1 emulator, which weren't a problem for the games it was emulating but were a big problem for me. So even though I wasn't starting from scratch, there's still a lot of opcode decoding stuff that I had to figure out. So now that we're past the instructions that the emulator didn't yet have support for, we're on to the next problem: the emulator is running, no crashes or anything, but now it's stuck in an infinite loop. Hopefully you can see that, but it basically keeps testing bit 7 of the memory address FFFC1F over and over and over, and it keeps on doing this until that bit is set. The
problem is that bit's never set, because we're emulating RAM at that address and we're just assuming that it's 0, because we don't know what else to put there. So the bit is reset, and when it goes to check to see if it's set, it's obviously never set, so it gets stuck in an infinite loop. Normally this code would make no sense, since there doesn't appear to be anything that would make that value change, but since FFFC1F is within the range that we think is memory-mapped I/O, this probably represents some hardware register. What that code does, I have no idea; why we're waiting on bit 7 here, I have no idea. But now that we have an
emulator where we control every aspect of what it's doing, we don't have to care one bit, pun intended there. So we fix this by tweaking the emulator to always say the bit is set when this memory address is accessed, and then we just happily move on. Well, to be accurate, we do this a few dozen more times with other addresses and then we happily move on. So now we've gotten to the point that the firmware has entered what we believe is its main loop, and we're ready to begin adding code that emulates the behavior of the data link controller chip. Since we now know what memory addresses represent the hardware registers of the data link controller, we
simply add code that pretends there is no scan tool request to receive until we start clicking buttons on our own to simulate a request. So we have our emulator all set up so we can just type in two bytes that make up a scan tool request, hit a button, and it will prepare it for the firmware to receive it and then act on it, generate a response and send it back to us. So I click the button to do that and nothing happens. So we have another problem to solve. I scratched my head on this one for a long time, but then I finally remembered something from that PCM Hacking 101 guide. It says the routines that handle
OBD messages, or scan tool requests, are executed by main scheduling routines. But "schedule" is kind of a funny word to use here, so I started thinking: if the processing of messages is on a schedule, then that implies some sort of hardware timer, a crystal timer to be exact, and that means the firmware must be keeping track of the number of ticks that pass over time, and the only way Motorola 68k code can be notified of something is if it's being interrupted, and we know that's done through the vector tables. So if we check the vector table, where the handlers for all interrupts are defined, we find a routine that looks very suspicious. This routine, whenever a specific
interrupt fires, will set a flag to 1 and then it increments a counter, a very large counter, by one. As it turns out, this counter is checked within the main loop, so this is actually the number of ticks since the firmware booted, and the scan tool request handling only fires when a certain number of ticks have occurred. So all we have to do is simulate the triggering of this interrupt periodically, say every few milliseconds, and it'll work the way it's supposed to. We don't know or care what the real number of milliseconds is; we just need it to be kind of close. So when we do this, we find that the firmware
suddenly starts sending our simulated data link controller responses back to us. So now, finally, we have an emulator for this car computer, and we can simulate scan tool requests by sending them to it and get the responses back from it. So now that we've finally gotten to that point, we just simply write some code to brute-force through all the possible scan tool requests and then just set a breakpoint on the code that accesses our option flag, so the emulator just sits there and spins its wheels forever until it gets to the point where it's going to access the flag that we know controls the anti-theft status, and then we'll know what we're supposed to be sending to it
in order to get to that. So many hours or days later, we have it. So now that we have an actual request to look at, we can just do some googling and see what this is, and this is known as mode 22, which is where GM stuffs their non-standard scan tool request stuff, stuff that changes potentially over time and across models even within GM. So request 1102 seems to return our option flag, among other things. So now that we found this scan tool request in the 2001 Pontiac Trans Am image, we can execute our own firmware image and send the same request to it. So once we see where the code accesses it, we find the memory address of the option flag for our '97
Cavalier image, modify that byte appropriately, recalculate the checksum, fix that, reflash the chip in our programmer, resolder it back into the PCM, reassemble it, reattach it to the car, hop in, turn the key and see what happens. So you think it worked? Yeah... this is all one... I just think I know where the addresses... this is all one of them. So, yeah, no, no, it doesn't work. Of course I was met with failure. So why was this? Who knows. There are a whole bunch of reasons why it didn't work; the most plausible explanations are that, one, I just screwed it up, I just screwed up the desoldering and resoldering. I mean, I flashed it, and chips
only have so much... they can only take so much abuse; you can only desolder and resolder them so many times. Or two, we discovered that the anti-theft status is returned by a non-standard scan tool request, which is why my googling for a standard one didn't turn up any results. So since we know it's non-standard, that request might just do something different between the two versions. It probably doesn't bode well that the two firmwares are so different that I couldn't find any code patterns between the two of them, so that could be it. I mean, this Cavalier came out in 1997, when OBD2 was pretty much brand new, so it's entirely possible that the firmware in
it is older than when GM thought to even put that request in the firmware. And then three, it's always possible I just screwed up the checksum calculation. Who knows. So what do we do now? Give up, buy a new car. You know, we did our best; what are you going to do? So in conclusion, if I hadn't bought a new car and could do it over again, I would study that firmware image I dumped and find out exactly how to reflash it over OBD2. I think it's ridiculous that the knowledge of how to do that might only rest in the hands of a few people; we really need to crack that open. But so,
you know, if I did, I would have been free to try reflashing over and over again until I was sure that I got it right. I mean, when you have to desolder and resolder a chip half a dozen times for one attempt, the potential for catastrophe is just really high. So anyway, if you take anything away from this, I hope you take away this: if you're faced with a problem and you want to solve it and you come up with a really crazy thought, like writing an emulator for your car computer so you can disable the anti-theft status, don't be afraid to try it. You might be surprised; it just might actually work, and you might actually get
something out of it. It might not have worked for me this time, but it has in the past, more often than not; this philosophy has worked for me very well, and we got a functioning car computer emulator out of it. So it may not have succeeded, but I did succeed in finding a way to get to the information that I wanted by creating that emulator, and that is a victory in itself. But anyway, if the idea seems crazy to you, or more importantly if somebody's told you that your idea is crazy, then you definitely need to try it. Why? Because no one else is going to try it. Those types of niche projects where, you know, it can
work but everyone's telling you not to bother, that's your time to shine, because one, you won't have any competition, and two, you might actually succeed; it might actually work. And another thing: if everyone's complaint about your idea is that somebody will just do it a simpler way, so why bother? Well, I can just tell you it's not about what you do, it's how you go about doing it. I mean, if you succeed, it doesn't matter if somebody beat you to it or knows more than you do. I mean, if nothing else, it got me a speaking spot up here in front of you guys, so that makes it worth it. So thanks again for listening. If you want to contact me, my
information is on the screen there or online. Have a nice day. [Applause] Also, questions? Anybody?

Lots and lots of googling. There is the 0411 PCM, which... that is, and I couldn't find any evidence that that's what mine is, but it looks pretty darn similar, and when I started disassembling, I actually had to disassemble a whole bunch of different ones, that one included, but as I was looking I started seeing the same I/O ranges, like that one that controls the data link controller chip. When I start finding firmware that uses exactly the same addresses, it's probably the same circuit board or close to the same hardware, and plus I couldn't just... I
just couldn't get any closer than 1997 and 2001. Nope, I still have it actually; it's online, it's in my graveyard of stuff, so I can come back to it someday. Yeah.
Yeah, if you've ever looked at an emulator for a game console, like a Sega Genesis emulator, there's all kinds... it's really a mess. Every emulator codebase I've ever looked at is a mess, always a mess. But it always has to have a processor core; it has to simulate all of the individual instructions, and then it also has to access, obviously, RAM and external chips, external memory and that kind of thing. But it also has to access hardware that's unique or different to every device that it's in, so, you know, the Sega Genesis for example, because it's a game system, there's always a lot of
display processing, a lot of display hardware and that kind of stuff in it. I don't care about any of that, so if I saw anything even closely related to that, I just ripped it out, deleted it, because it's always more fun to delete code than to add it. So I just found everything I thought I needed to do and more, and just ripped it out, and then you start fixing bugs from there. So a lot of trial and error. How long? Too much, probably months.
Yes, that I mentioned being able to reflash the firmware over the OBD2 port. It really, really bothers me that you have to go spend thousands of dollars just to buy a thing that does this, and just for GM cars. For whatever other car you have, there are much easier ways to do this: you can just build a little cable, solder it together, put it in there, hook it up to your computer and there you go. But GM, you can't do that, and that's ridiculous. We should be better about that. So if I were going to revisit it, I would do that, I
would find a way to make that work so that way I wouldn't... what's that? Yeah, there are lots of products out there, but they're all also really expensive, and so it just really should be free and open source, I think. So, exactly, yeah. The car to me... I don't care; I mean, I'm emotionally attached to this one, which is why I was trying so hard to fix it, but other than that I'd just go get a car; it doesn't matter. So, anyone else?
In TunerPro, you... TunerPro is all about that. You specify an XDF file and a firmware image, and then it goes and makes the changes for you, so if you want to know what it's doing, just go make a change and see what it changed. You just do a diff between the binary file that it generated versus the one I had originally, and when you do that you see there are two things that change: one is that flag and two is a checksum. That plus a bunch of googling about what other people do, you find just all sorts of checksums and no cryptographic signatures or anything like that. It's not protected in any way, because why
would you need to do that, especially in 1997? But so that it looks like...
[Applause]
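The three emulator tricks the talk describes (forcing the polled status bit so the firmware leaves its spin loop, injecting the timer interrupt that drives the scheduler's tick counter, and watchpointing the option flag while brute-forcing requests), as an added example in C. This is not the speaker's C# emulator: the "firmware", the scheduler period and every address except FFFC1F are constructed stand-ins.

```c
/* Constructed stand-in for the harness described in the talk. The toy
 * firmware below exists only so the harness has something to drive; it is
 * not the PCM image and its addresses (other than FFFC1F) are invented. */
#include <stdint.h>
#include <stdbool.h>

#define POLL_ADDR          0xFFFC1Fu  /* bit 7 polled by the firmware (from the talk) */
#define OPTION_FLAG        0x00F012u  /* hypothetical option-flag address */
#define RAM_MASK           0xFFFFu
#define TICKS_PER_DISPATCH 4          /* hypothetical scheduler period */

static uint8_t  ram[RAM_MASK + 1];
static uint32_t tick_count;    /* counter the IRQ handler increments */
static uint16_t pending_req;   /* constructed DLC register: request waiting */
static bool     req_pending;
static bool     flag_hit;      /* watchpoint: option flag was read */

/* Bus read with two hooks: the MMIO override and the watchpoint. */
uint8_t bus_read(uint32_t addr) {
    if (addr == POLL_ADDR) return 0x80;        /* always report bit 7 set */
    if (addr == OPTION_FLAG) flag_hit = true;  /* "breakpoint" on the flag */
    return ram[addr & RAM_MASK];
}

/* Simulated timer interrupt handler: bumps the tick counter. */
void tick_irq(void) { tick_count++; }

/* Toy request handler: only one (invented) mode/PID pair reads the flag. */
static void handle_request(uint16_t req) {
    uint8_t mode = (uint8_t)(req >> 8), pid = (uint8_t)(req & 0xFF);
    if (mode == 0x22 && pid == 0x7E)           /* hypothetical PID */
        (void)bus_read(OPTION_FLAG);
}

/* Toy main loop: spins on the poll address, dispatches only on schedule. */
void firmware_main_loop(unsigned steps) {
    for (unsigned i = 0; i < steps; i++) {
        while (!(bus_read(POLL_ADDR) & 0x80)) {}  /* would hang without the hook */
        tick_irq();                                /* periodic interrupt injection */
        if (req_pending && tick_count % TICKS_PER_DISPATCH == 0) {
            handle_request(pending_req);
            req_pending = false;
        }
    }
}

/* Brute force: feed every 16-bit request until the watchpoint fires.
 * Returns the request that touched the flag, or -1 if none did. */
int find_flag_request(void) {
    for (uint32_t req = 0; req <= 0xFFFF; req++) {
        tick_count = 0; flag_hit = false;
        pending_req = (uint16_t)req; req_pending = true;
        firmware_main_loop(TICKS_PER_DISPATCH * 2);  /* long enough to dispatch once */
        if (flag_hit) return (int)req;
    }
    return -1;
}
```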