Remote exploitation of an unaltered passenger vehicle (part 2)

Source: Internet
Author: User


0x01 Complete exploitation chain

So far we have covered many separate pieces of how to remotely exploit this Jeep and similar vehicles. That information is enough to exploit the vulnerabilities on its own, but we want to summarize how the chain of vulnerabilities fits together from start to finish.

Identify a target

You need the IP address of the vehicle. You can pick one at random, or write a worm that attacks every vehicle it can reach. If you know the VIN or GPS coordinates of a specific car, you can scan the IP ranges where vehicles are known to reside, based on its location, until you find one that reports the matching VIN or GPS position. Because devices on the Sprint network are very slow, making this practical requires many devices scanning in parallel, possibly a few hundred.

Exploit the OMAP chip in the head unit

Once you have the IP address of a vulnerable vehicle, you can run code on it through the D-Bus service's execute method. The easiest approach is to upload an SSH public key and configuration files and then start the SSH service. At that point you can SSH into the target vehicle and run commands from a remote terminal.

Control the Uconnect system

If all you want is to control the radio, the HVAC, read the GPS position, or carry out other attacks that do not involve CAN, the LUA scripts mentioned earlier are sufficient. In fact, most of this functionality can be achieved over D-Bus without executing any code at all, simply by calling the D-Bus services the head unit already exposes. If you want to control other parts of the car, read on.

Flash modified firmware onto the V850

Prepare a modified V850 firmware and flash it onto the V850 as described earlier. This requires a reboot of the system and may alert the driver that something is going on. If this step goes wrong, the head unit is bricked and has to be replaced.

Perform physical actions over the network

With the modified firmware in place, the OMAP chip instructs the V850 chip to send the appropriate CAN messages, which physically affect the vehicle. Working out which messages to send requires research similar to that of the 2013 paper.

Cyber physical internals

Now that we have remote code execution, we want to send CAN messages. To figure out which messages to send, we need to find out what is unique about the messages the Jeep Cherokee uses. This involves a lot of trial and error, reverse engineering mechanics' tools, and reverse engineering ECU firmware. This section covers those tasks.

Mechanics' tools

As in all security research, having the right tools makes the work far more productive. Not surprisingly, for this Jeep we need the tools mechanics use. These tools talk to the ECUs at a low level over CAN, and they contain the security access keys and diagnostic test functions an attacker is interested in.

However, we found that the FCA tool is not a standard J2534 pass-through device plus software, but a dedicated software/hardware system sold by wiTECH for over $6700.00 (about RMB 42513.51), plus a Tech Authority subscription of more than $1800 per year.

Figure: wiTECH price quote

Although some research can be done without diagnostic equipment, many active tests and ECU unlocks require analyzing these mechanics' tools. After a few weeks of selling blood, we finally bought the system needed to diagnose this Jeep Cherokee (and other Fiat-Chrysler vehicles).

Overview

The wiTECH tool is very easy to use and appears to be well designed. You can look at every aspect of the car, and even view a graph of the Jeep's network architecture, something we had been unable to find before using the wiTECH device.

Figure: wiTECH's view of the 2014 Jeep Cherokee

wiTECH differs from the other diagnostic software we have looked at in that it is written in Java rather than C/C++. That makes reverse engineering easier, thanks to the friendly names and the ability to decompile the bytecode back into Java source.

Figure: important wiTECH files

One thing the vendor did to hinder decompilation is string obfuscation, which appears to have been generated by the Allatori obfuscator. As shown below, searching the Java code for output strings yields nothing useful, because the strings are "encrypted" in the class files and only "decrypted" at run time.

Figure: string obfuscation in wiTECH

When we first analyzed the Java bytecode, we found the simplest approach was to import the required wiTECH JARs into our own Java application and decrypt the strings by calling the library's own functions. The decrypted string printed below reads "flash engine is invalidated".

Figure: de-obfuscated text printed from Eclipse

Security Access

The wiTECH device is useful for gathering information about active tests, such as the CAN messages used to start the wipers, but the most interesting part is analyzing the software to understand its security access algorithm, which is used to "unlock" an ECU for reprogramming or other privileged operations.

Once again, unlike any diagnostic software we had studied before, wiTECH does not appear to contain any actual code that generates a key from the seed used to unlock an ECU. Eventually, in the directory 'jcanflash/Chrysler/dcx/securityunlock/', we found that several unlock functions are called depending on the type of ECU being reprogrammed.

At the end of the static analysis we found some code in '/ngst/com/dcx/NGST/vehicle/services/security/SecurityUnlockManagerImp.java'; the following line is from that location:

localObject = new ScriptedSecurityAlgorithm(new EncryptedSecurityUnlock(((ScriptedSecurityMetaData)paramSecurityLevelMetaData).getScript()));

However, after examining 'EncryptedSecurityUnlock', we did not find
