Dieselgate: an analysis of VW's cheating firmware

[Read the post]

1 Like

I know it means 32nd but every time I read “thirty second” I think the video will last 30 seconds. This is made worse by the actual length of the video, I mean, this stuff really fascinates me but an hour+ long talk by hackers about the software in a car, that is really long… Ok, I guess I’ll give it a go :smile:

3 Likes

Is there a text version of this anywhere? An hour long video is far too long for something like this in my opinion, I’m not that bored :wink:

2 Likes

I’d rather have a condensed, edited version of around 30mins. I watched like the first 2 minutes and decided I just didn’t want to sit through the whole hour, even though I genuinely think that the talk is interesting.

1 Like

While we’re making requests, please replace the teaser “They also reveal that they’ve discovered other cars that use VW’s techniques to cheat on tests” with a list of the cars they discovered.

2 Likes

Just finished. The teaser is 100% wrong - they didn’t identify any other cars that use the techniques. They did point out that BMW (back in 2000) used a similar cheat on a motorcycle (which as far as I know isn’t a car) - was caught right away (within a year) and it wasn’t a huge issue.

The talk itself is fascinating. In a nutshell:

  • ECU of the car has 2 emissions modes that it uses - because the more complex and emissions efficient model doesn’t work in some operating ranges of the engine a simpler model is available to allow ‘some’ emissions reduction.
  • The two models are set up with a flag that essentially makes it impossible for the car to use the more complex model
  • There is an additional check that watches the driving cycle and actually will use the complex model if it matches one of three driving curves (which match the testing methods)
  • On a dyno watching the variables in real time you can see the amount of ‘ad-blue’ (urea) injected into the exhaust and the model the car is using - when following a testing cycle you can see large amounts of ‘ad-blue’ injected and as soon as you exit the cycle it switches models and almost none is added.
  • Because of how cars operate it’s possible that cars in different markets have different code and/or variables that affect these operations - the test was done on a German market diesel.

There is also quite a bit of talk about the number of people involved, and the way VW handles development, attempting to show that there is no way this was a rogue engineer. A statement was made at one point that the company that supplied the software to VW (Bosch) indicated that they informed VW of its illegality - however I’ll be honest the point was murky and I didn’t see anything to back that up.

11 Likes
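
The behaviour summarised in the post above, viewed from the measuring side (an added example, not part of the thread or the talk): an audit over a dyno log that checks whether urea dosing collapses at the moment the speed trace leaves a reference test curve. The curve, tolerance, threshold and log values are all constructed for illustration and do not come from any real test cycle or vehicle.

```python
# Added illustration: an auditor's check over a dyno log, not code from the talk.
# All numbers below are constructed; the reference curve is NOT a real test cycle.
from statistics import mean

def reference_speed(t):
    """Hypothetical test-cycle curve: ramp to 50 km/h over 20 s, then hold."""
    return min(50.0, 2.5 * t)

def on_cycle_flags(log, tol_kmh=3.0):
    """Per sample: has the trace stayed within tol of the curve since t=0?"""
    flags, still_on = [], True
    for t, speed, _dosing in log:
        still_on = still_on and abs(speed - reference_speed(t)) <= tol_kmh
        flags.append(still_on)
    return flags

def audit(log, ratio_threshold=5.0):
    """Compare mean urea dosing while on the curve against after leaving it."""
    flags = on_cycle_flags(log)
    on = [d for (_, _, d), f in zip(log, flags) if f]
    off = [d for (_, _, d), f in zip(log, flags) if not f]
    if not on or not off:
        # The trace never left (or never followed) the curve: nothing to compare.
        return {"exit_time": None, "ratio": None, "suspicious": False}
    exit_time = next(t for (t, _, _), f in zip(log, flags) if not f)
    ratio = mean(on) / max(mean(off), 1e-9)
    return {"exit_time": exit_time, "ratio": ratio,
            "suspicious": ratio >= ratio_threshold}

def make_log(leave_at, dosing_on, dosing_off):
    """Constructed log of (time_s, speed_kmh, dosing_mg_s), one sample per 2 s."""
    log = []
    for t in range(0, 60, 2):
        off = leave_at is not None and t >= leave_at
        speed = reference_speed(t) + (15.0 if off else 0.5)
        log.append((t, speed, dosing_off if off else dosing_on))
    return log

if __name__ == "__main__":
    print(audit(make_log(30, 40.0, 2.0)))    # dosing collapses on leaving the curve
    print(audit(make_log(30, 40.0, 38.0)))   # dosing roughly unchanged
    print(audit(make_log(None, 40.0, 2.0)))  # never leaves: nothing to compare
```

The ratio is only a screening heuristic: a dosing change that lines up with the curve exit is a reason to look at which model the ECU reports, not proof on its own.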

Wait, I thought the DMCA made this exact kind of analysis a felony?

4 Likes

From the talk I don’t believe they ever de-encrypted anything - the security here is based on the software being on a proprietary chip. He did use an exploit to be able to copy the software off the flash - but depending on what he did it may or may not have violated the DMCA.

*edit DMCA - stupid acronym.

1 Like

excellent presentation - very worthwhile - if you don’t have time for the whole thing, just watch the second guy (dark shirt) - he’s a systematic and careful engineer, puzzling out these illogical parameters - the applause when he overlays the two graphs was thoroughly deserved - VW is so screwed

2 Likes

Be really careful when hacking the program. I used the console on my Volkswagen (with whatever-German-for-the-tilde-key is) and, instead of God Mode, accidentally enabled infinite emissions. Global Warming is my fault. My apologies.

6 Likes

Skip to the 35 minute mark… the 1st half is more about regulations, how engineering works, etc.

I was under the impression that the VWs affected in the US didn’t use urea injection. This was one of the main reasons this engine was being tested in the first place…

The best CCC talks are infectious. One moment you’re minding your own business, and the next, you’re digging out your hexeditor, your disassembler, and your debugger and deciding that clauses such as

“You must not reverse engineer, decompile, or disassemble the Software.”

are essentially meaningless.

Woohoo. Now I have a Python library that makes this program so much more useful.

3 Likes

It’s on YouTube, which offers variable speed playback. Running talks at 125 or 150% is often helpful. 200% tends to be way too fast so no 30 min version for you.

“Illegal” doesn’t mean “impossible”, nor “shouldn’t be done”.

1 Like

I laughed at this…

5 Likes

may I suggest the video speed controller extension? You can process language faster than people can speak it.

1 Like

I’m not sure if that’s true but the DMCA only applies in America anyway.

2 Likes

I’m streaming the talks on a second monitor while working.

in Germany it’s the UrhG, here probably 69e (decompilation is allowed to achieve interoperability) and 95e (breaking copy-protection is verboten [if I remember correctly a court said that CSS is an “effective technological measures to protect a work”])

decompiling the firmware was not really done for interop reasons and using a HW 0-day is not really a copy-protection but lawyers are flexible and creative :slightly_smiling:

1 Like

Second monitors are great for this sort of thing. Even though I have an iMac 5K, the extra bit of screen space is still useful as a place to dump data that’s of secondary importance.