Electronic Tampering


Overview
1. Drew Tech
2. What is Tampering
3. Common methods of tampering
4. Exploring the OBD2 Simulator
5. Detecting Simulators
6. Flash Reprogramming
7. Summary

Drew Technologies Background
- Located in Ann Arbor, Michigan
- Focused on vehicle networks, OBD2, and ECU communications since 1994
- Reprogramming tools for OEM engineering, end of line, car dealerships, and repair shops for the past 15 years
- Core focus on vehicle communications
- Involved with developing many SAE standards

What is Tampering?
- Tampering allows shops and vehicle owners to circumvent OBD emissions testing
- Prior to OBD systems, an emissions test station could circumvent an inspection by running a clean vehicle on the dyno and tailpipe tester
- Many programs are now moving to OBD testing because of cost, time savings, and simplicity
- Most electronic and OBD tampering is currently invisible to IM programs
- Before IM programs start mining data to detect tampering, we need to understand more about how electronic tampering can occur so we know what data to look for

Types of Electronic Tampering

Method: Inline "OBD2 Simulator" device
- Cheat on inspection
- Could be used by test stations for clean pipe
Detection Level: Depends on the sophistication of the simulator

Method: Modified sensors
- Catalytic converter delete
- MAF sensor "resistor mod" change reported air temp by degrees
- IMRC deletes
- EGR delete
Detection Level: Can be detected in some cases by having technician verify electronic readings

Method: ECU Reflash
- Owner or repair shop reprograms the ECU with a different calibration
- In most cases, this is done to increase performance, towing, or fuel economy
- Some aftermarket calibrations are emissions approved (CARB EO), others are not
Detection Level: In most cases, invisible if the reflash utilizes the same CVN

OBD2 Simulator Challenge

Mechanical Design
- Y cable or inline device
- Can be enabled or disabled via BUS message (i.e. 3 horn beeps < 1 sec)
- Can be hidden in the dash with standard J1962 mount

Device hardware
- Two independent sets of OBD2 protocols
  - One protocol set to talk to the vehicle
  - One protocol set to talk to the test equipment

Design an advanced tampering device, then learn how to detect it

OBD2 Simulator - Continued

Capture vehicle specific info
- Which OBD2 protocols are present
- How many ECUs are present and all details of each ECU (addresses, etc.)
- Which J1979 modes and PIDs are supported by each ECU
- VIN of the vehicle
- All CALIDs and CVNs for each ECU
- How each ECU responds to improper requests

Records a clean configuration
- User can drive their car in a clean configuration and save all data
- User can access saved configurations from another person that has a similar year, make, model, and engine vehicle

Error Handling
- User can pick what is simulated and what is passed thru
- Device can be configured to let all unknown requests pass thru while simulating known requests
- Some OBD2 networks like J1850VPW, J1850PWM and CAN have background messages that are not related to OBD2 requests. The user may configure the device to pass these messages through or it may be configured to block them
- Device can respond to unknown requests in the same way the ECU does

OBD2 Simulator - Continued

User Configurable
- Pick which DTCs to report
- Pick which PIDs to report
- User assignable remapping and scaling functions, i.e. change speed from to 0-70
- Multiple data items can be combined to maintain plausible relationships between items like RPM and vehicle speed
- Monitoring and modification of non-OBD2 messages observed on the OBD2 network
- The device also contains a feature that continually turns the check engine light, or MIL, off by periodically sending the J1979 mode 0x04 command to the vehicle. By rapidly turning the MIL off it will appear to not be illuminated. This feature can be enabled or disabled by the user
- Configure VIN
- Configure CVN

Advanced Features
- Allows user to wire up analog sensors and make a non-OBD2 engine act like an OBD2 system
- Allows users to save their configuration and share it with others
- Tampering device captures all requests from IM station, allowing it to learn how the IM software is profiling the vehicle

Detecting our simulator

Physical Check
- Look under dash, attempt to locate (doesn't work if IM station is cheating)

Vehicle Timings
- Perform repeated requests for a list of data from the ECU
- Capture message timings and store results by YMME
- Compare message timings for tested vehicle vs database of all similar vehicles
- A simulator that is modifying messages on the fly will not be able to keep up with expected vehicle timings all of the time
- There will also be a variation in message timing for data items that are passed thru the simulator to the vehicle versus items the simulator is providing directly

Enhanced Modes
- Use enhanced scantool modes not known by most hacks
- For example, if the vehicle is a Ford, try Rapid Packet mode
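A sketch of the "Vehicle Timings" comparison, added here as an example and not taken from the presentation or from Drew Technologies software. It assumes the IM software already holds a per-PID latency baseline (median and MAD) for the vehicle's YMME group; the baseline, thresholds and captures below are constructed.

```python
from statistics import median

# Constructed baseline for one YMME group: per-PID response latency in ms as
# (median, MAD), assumed to come from earlier tests of similar vehicles.
BASELINE = {
    "0x05": (19.0, 2.0),
    "0x0C": (18.0, 1.5),
    "0x0D": (18.5, 1.5),
    "0x0F": (19.0, 2.0),
}


def robust_z(samples, base_median, base_mad):
    """Distance of this vehicle's median latency from the baseline, in robust sigmas."""
    return (median(samples) - base_median) / (1.4826 * base_mad)


def assess(capture, baseline=BASELINE, z_limit=3.5, split_limit=3.0):
    """capture maps PID -> latencies (ms) from repeated requests for that PID."""
    scores = {pid: robust_z(s, *baseline[pid])
              for pid, s in capture.items() if pid in baseline}
    # PIDs whose timing is far from what similar vehicles show.
    outliers = sorted(pid for pid, z in scores.items() if abs(z) > z_limit)
    # Items answered by an inline device and items passed thru to the ECU
    # shift by different amounts, so their scores spread apart.
    spread = max(scores.values()) - min(scores.values()) if scores else 0.0
    split = spread > split_limit
    return {"outliers": outliers, "split": split,
            "suspect": bool(outliers) or split}


# Constructed captures (ms), five repeated requests per PID.
CLEAN = {
    "0x05": [19.5, 18.7, 19.2, 20.1, 19.0],
    "0x0C": [17.5, 18.2, 18.0, 19.0, 17.8],
    "0x0D": [18.0, 18.9, 18.4, 19.1, 18.6],
    "0x0F": [18.8, 19.4, 19.1, 18.6, 19.9],
}
SUSPECT = {
    "0x05": [24.0, 23.5, 24.4, 24.1, 23.9],
    "0x0C": [6.1, 5.9, 6.0, 6.2, 6.0],
    "0x0D": [6.0, 6.1, 5.8, 6.3, 6.0],
    "0x0F": [23.8, 24.2, 24.0, 24.5, 23.7],
}

if __name__ == "__main__":
    print(assess(CLEAN))
    print(assess(SUSPECT))
```

The split check matters even when no single PID crosses the outlier limit, because it looks at how PIDs on the same vehicle differ from one another rather than from the fleet.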

Tampering with Sensors

Sometimes car owners or performance shops modify the vehicle's electronics or emissions parts to improve performance

Tampering: Add resistor to IAT to register lower air temperature and increase timing
Detection: Read the air temperature from IAT1 and have the technician compare it to the shop temperature. There is no reason it should be colder under the hood than in the shop.

Tampering: EGR Delete
Detection: Locate EGR and verify that it is still connected

Tampering: Replace rear O2 sensors with non-working ones that output good signal to the ECU
Detection: Log the rear O2 data and compare it with similar data from a known good vehicle to look for variations

ECU Reflashing
- Over 1,000,000 flash programmers in the aftermarket
- Most are for small performance gains and probably do not have a substantial impact on emissions
- Some of these programmers even have CARB EO
- Turbo, Supercharged, and Diesel vehicles can have a greater impact because of potential for increased boost and emission delete equipment
- The following changes can be made in ECU software:
  - disable emission equipment in the software (i.e. turn EGR off, but leave hardware intact)
  - disable the check engine light and all trouble codes
  - disable monitors or change criteria in which monitors report ready
  - fake CVNs after a calibration has been modified

ECU Reflashing

How can we detect reprogramming?

Method 1: Binary Image compare
- Download the binary image from the ECU and compare it to the stock image
- By comparing the images, we know with 100% certainty if the ECU has an aftermarket calibration
- This method would require industry collaboration. Currently all OEMs support ECU upload using SAE J2534, but none support ECU download.

Method 2: Flash Counter validation
- Most ECUs have flash counters
- Some OEMs keep track of every time a vehicle is flashed
- When present in the ECU software, the IM software could read the flash counter
- Compare it to what the OEM expected the flash count to be

Both of these methods would require working with the OEMs. The scope of this could be narrowed by make/model to vehicles that are most likely to have reprogramming that has a negative impact on emissions
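The two methods combined into one inspection-side check, added here as an example and not part of the presentation. It shows the case the slides warn about, where a modified calibration still reports the stock CVN. The stock image, the OEM reference record, and the field names are all constructed assumptions, since the slide notes this data would need OEM collaboration.

```python
import hashlib

# Constructed stand-in for an OEM stock image and reference record. Per the
# slide, obtaining these would require OEM collaboration; all values are made up.
STOCK_IMAGE = bytes(range(256)) * 4
OEM_REFERENCE = {
    "calid": "CAL-EXAMPLE-01",
    "cvn": "1A2B3C4D",
    "image_sha256": hashlib.sha256(STOCK_IMAGE).hexdigest(),
    "expected_flash_count": 2,
}


def changed_ranges(stock, image):
    """Byte ranges (start, end-exclusive) where image differs from stock."""
    ranges, start = [], None
    length = max(len(stock), len(image))
    for i in range(length):
        same = i < len(stock) and i < len(image) and stock[i] == image[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, length))
    return ranges


def check_ecu(reported, image, ref=OEM_REFERENCE):
    """Return the list of checks that failed for one inspected ECU."""
    findings = []
    if (reported["calid"], reported["cvn"]) != (ref["calid"], ref["cvn"]):
        findings.append("calid_cvn_mismatch")
    if hashlib.sha256(image).hexdigest() != ref["image_sha256"]:
        findings.append("image_differs")           # Method 1
    if reported["flash_count"] != ref["expected_flash_count"]:
        findings.append("flash_count_unexpected")  # Method 2
    return findings


# Constructed case: bytes 100..107 altered while the stock CVN is still reported.
MODIFIED_IMAGE = STOCK_IMAGE[:100] + bytes(8) + STOCK_IMAGE[108:]
REPORTED = {"calid": "CAL-EXAMPLE-01", "cvn": "1A2B3C4D", "flash_count": 3}

if __name__ == "__main__":
    print(check_ecu(REPORTED, MODIFIED_IMAGE))
    print(changed_ranges(STOCK_IMAGE, MODIFIED_IMAGE))
```

In the constructed case the CALID/CVN comparison passes, and only the image hash and flash counter flag the ECU.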

Final Thoughts
- Visual Check is the easiest "first step"
- ECU Simulators are probably the highest risk for clean pipe testing
- Detecting ECU simulators requires collecting and analyzing what is happening at the message and timing level
- As ECU simulators advance, the IM test software will need to adapt