Dieselgate: an analysis of VW's cheating firmware


#1

[Read the post]


#2

I know it means 32nd but every time I read “thirty second” I think the video will last 30 seconds. This is made worse by the actual length of the video, I mean, this stuff really fascinates me but an hour+ long talk by hackers about the software in a car, that is really long… Ok, I guess I’ll give it a go :smile:


#3

Is there a text version of this anywhere? An hour-long video is far too long for something like this in my opinion, I’m not that bored :wink:


#4

I’d rather have a condensed, edited version of around 30 mins. I watched like the first 2 minutes and decided I just didn’t want to sit through the whole hour, even though I genuinely think that the talk is interesting.


#5

While we’re making requests, please replace the teaser “They also reveal that they’ve discovered other cars that use VW’s techniques to cheat on tests” with a list of the cars they discovered.


#6

Just finished. The teaser is 100% wrong - they didn’t identify any other cars that use the techniques. They did point out that BMW (back in 2000) used a similar cheat on a motorcycle (which as far as I know isn’t a car) - was caught right away (within a year) and it wasn’t a huge issue.

The talk itself is fascinating. In a nutshell:

  • ECU of the car has 2 emissions modes that it uses - because the more complex and emissions efficient model doesn’t work in some operating ranges of the engine a simpler model is available to allow ‘some’ emissions reduction.
  • The two models are set up with a flag that essentially makes it impossible for the car to use the more complex model
  • There is an additional check that watches the driving cycle and actually will use the complex model if it matches one of three driving curves (which match the testing methods)
  • On a dyno watching the variables in real time you can see the amount of ‘ad-blue’ (urea) injected into the exhaust and the model the car is using - when following a testing cycle you can see large amounts of ‘ad-blue’ injected and as soon as you exit the cycle it switches models and almost none is added.
  • Because of how cars operate it’s possible that cars in different markets have different code and/or variables that affect these operations - the test was done on a German market diesel.

There is also quite a bit of talk about the number of people involved, and the way VW handles development, attempting to show that there is no way this was a rogue engineer. A statement was made at one point that the company that supplied the software to VW (Bosch) indicated that they informed VW of its illegality - however I’ll be honest the point was murky and I didn’t see anything to back that up.
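
Added example, not part of the thread or the talk: an audit of a dyno log for the behaviour summarised in #6, where AdBlue dosing and the active model change at the moment the car leaves a test curve. The reference curve, tolerance, ratio limit, log format and every value in it are constructed assumptions.

```python
from statistics import mean

# Constructed reference curve: target speed (km/h) per log step. Not a real test cycle.
REFERENCE = [0, 15, 15, 0, 32, 32, 0, 50, 50, 35, 0, 0]
TOLERANCE_KMH = 2.0   # assumed width of the corridor around the curve
RATIO_LIMIT = 3.0     # assumed: on-cycle dosing this many times off-cycle is a finding

# Constructed dyno log: (step, speed_kmh, adblue_mg_per_s, active_model)
LOG = [
    (0, 0.0, 0.0, "complex"), (1, 14.6, 21.0, "complex"), (2, 15.3, 24.0, "complex"),
    (3, 0.4, 8.0, "complex"), (4, 31.5, 30.0, "complex"), (5, 32.2, 33.0, "complex"),
    (6, 9.0, 2.0, "simple"),   # driver leaves the curve here (reference says 0 km/h)
    (7, 50.0, 1.5, "simple"), (8, 50.0, 1.0, "simple"), (9, 35.0, 1.5, "simple"),
]


def cycle_exit_step(log, reference=REFERENCE, tol=TOLERANCE_KMH):
    """First step whose speed leaves the corridor; None if the whole log stays in."""
    for step, speed, _dose, _model in log:
        if step >= len(reference) or abs(speed - reference[step]) > tol:
            return step
    return None


def audit(log, ratio_limit=RATIO_LIMIT):
    """Compare dosing before and after the exit and locate the model switch."""
    exit_step = cycle_exit_step(log)
    on = [d for s, _v, d, _m in log if exit_step is None or s < exit_step]
    off = [d for s, _v, d, _m in log if exit_step is not None and s >= exit_step]
    # Step at which the active model first differs from the previous sample.
    switch = next((s for (s, _, _, m), (_, _, _, prev) in zip(log[1:], log)
                   if m != prev), None)
    on_mean = mean(on) if on else 0.0
    off_mean = mean(off) if off else 0.0
    # Finding: dosing collapses off-cycle AND the switch lines up with the exit.
    finding = bool(off) and on_mean > ratio_limit * max(off_mean, 1e-9) \
        and switch == exit_step
    return {"exit_step": exit_step, "model_switch_step": switch,
            "on_cycle_mean": on_mean, "off_cycle_mean": off_mean,
            "finding": finding}


if __name__ == "__main__":
    print(audit(LOG))
```

Dosing also varies with engine load, so a real comparison would be made at matched operating points; the check here only ties the drop in dosing to the cycle exit.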


#7

Wait, I thought the DMCA made this exact kind of analysis a felony?


#8

From the talk I don’t believe they ever de-encrypted anything - the security here is based on the software being on a proprietary chip. He did use an exploit to be able to copy the software off the flash - but depending on what he did it may or may not have violated the DMCA.

*edit DMCA - stupid acronym.


#9

excellent presentation - very worthwhile - if you don’t have time for the whole thing, just watch the second guy (dark shirt) - he’s a systematic and careful engineer, puzzling out these illogical parameters - the applause when he overlays the two graphs was thoroughly deserved - VW is so screwed


#10

Be really careful when hacking the program. I used the console on my Volkswagen (with whatever-German-for-the-tilde-key is) and, instead of God Mode, accidentally enabled infinite emissions. Global Warming is my fault. My apologies.


#11

Skip to the 35 minute mark… the 1st half is more about regulations, how engineering works, etc.


#12

I was under the impression that the VWs affected in the US didn’t use urea injection. This was one of the main reasons this engine was being tested in the first place…


#13

The best CCC talks are infectious. One moment you’re minding your own business, and the next, you’re digging out your hexeditor, your disassembler, and your debugger and deciding that clauses such as

“You must not reverse engineer, decompile, or disassemble the Software.”

are essentially meaningless.

Woohoo. Now I have a Python library that makes this program so much more useful.


#14

It’s on youtube, which offers variable speed playback. Running talks at 125 or 150% is often helpful. 200% tends to be way too fast so no 30 min version for you.

“Illegal” doesn’t mean “impossible”, nor “shouldn’t be done”.


#15

I laughed at this…


#16

May I suggest the video speed controller extension? You can process language faster than people can speak it.


#17

I’m not sure if that’s true but the DMCA only applies in America anyway.


#18

I’m streaming the talks on a second monitor while working.


#19

in Germany it’s the UrhG, here probably 69e (decompilation is allowed to achieve interoperability) and 95e (breaking copy-protection is verboten [if I remember correctly a court said that CSS is an “effective technological measures to protect a work”])

decompiling the firmware was not really done for interop reasons and using a HW 0-day is not really a copy-protection but lawyers are flexible and creative :slightly_smiling:


#20

Second monitors are great for this sort of thing. Even though I have an iMac 5K, the extra bit of screen space is still useful as a place to dump data that’s of secondary importance.