Hacking a mileage manipulator CAN bus filter device

I have read an article on Hackaday about the teardown of a dashboard mileage manipulator dongle. A “CAN bus filter” device was found in a vehicle, connected to the back of its instrument cluster. When it was removed and the original connections were restored, the odometer immediately showed 40 000 kilometers more than before. The author did a quick teardown and analysis of the device, but because it was supposed to be locked (according to the article), the firmware was not extracted, leaving the big question unanswered:
What does it do and how does it do it?

Mileage manipulation is illegal in many countries and one could easily go to jail for continuing to do it. Still, this is quite a common practice on the used car market, and mileage manipulator devices can easily be purchased by anyone. The main purpose of these “greyish” tools is to mislead and fool buyers. Considering this, I was happy to extend my “to be hacked” list with them, and I also wanted to see how they work and whether there is anything to do against the “attack”. Everything was set for a cool project combining car hacking, hardware hacking and reverse engineering. Due to the nature of the topic, I expect readers with less relevant technical knowledge as well, so I tried to provide a bit more detail and explanation, to make sure everyone can follow along.

These boards can be found on eBay for $15-25, e.g. by searching for “18 in 1 Universal CAN Filter”. Several sellers offer them under different fantasy names and with some variance in their supported vehicle lists. I decided to order two types of CAN filters from two different sellers. They had the same functionality, but their PCBs looked a bit different. Both CAN filter devices support a bunch of car models from two major German OEMs (just look at the description on the eBay product pages). After one makes the mileage manipulation, this device will prevent the odometer’s sync and increase, by manipulating the relevant communication. For easier reference, I am calling them the #blue CAN filter and the #green CAN filter in the following sections.


Reverse Engineering & Hacking Hardware Training at Hacktivity2019

“Hacktivity is the biggest event of its kind in Central & Eastern Europe. About 1000 visitors are coming from all around the globe every year to learn more about the latest trends of cybersecurity, get inspired by people with similar interest and develop themselves via comprehensive workshops and training sessions”.

For many years, this hacker conference has been a stable point in the year for me, as a visitor or sometimes as a presenter. This year was special, because instead of presenting and giving a talk I decided to go there with a training.

Hardware hacking is a topic that, for some reason, is not addressed that much in our region by professionals. As this is both a hobby and a profession for me, I was happy to provide the Reverse Engineering & Hacking Hardware training to people who wanted to step into this area.


eMMC data recovery from damaged smartphone

Recently I received a request to check data recovery possibilities for a damaged Sony Xperia Z5 Premium smartphone. The phone was dropped and it stopped working. No screen, no charging, no communication on any interface, no sign of life; it was nothing more than a brick. Well, a brick with tons of useful data on it, without any cloud synchronisation or offline backup. Needless to say how important it was for the owner to get his priceless information back from the device.

Some damage identification and recovery probes had already been conducted by other professional parties, and even a new screen was ordered and tried, but none of the activities provided any promising result. After the failed attempts the owner almost gave up hope, but fortunately we had a common acquaintance, and this is how I came into the picture. Due to the previous investigations the phone arrived to me partially dismantled, without a battery and with some metal shields already removed.


PCB UV exposure scanner

In the past years I always had some DIY electronics-related projects, which I tried to make somehow at home. For prototyping, breadboards are fine, but as soon as you have to take the next steps to create stable and final hardware, you should work with PCBs. I am not counting pre-made prototype PCBs, which have their structured and distributed pads and traces across the board. These are not so good for SMD parts; moreover, the overall look with them will most probably be simply disgusting, not professional.

So, if you would like to work with your own nicely designed PCBs, then you can choose from several PCB manufacturers who support hobbyists with low-cost, low-quantity PCB production. However, for early prototyping there are some issues with them:

  • You have to wait 1-2 weeks or even more before you get your boards, or you should pay much more for fast production/delivery.
  • HW development is pretty much the same as SW development. In case of a complex project, there is a big chance of having some issues with your first (and second, and third…) board. So you have to pay for every variant and wait much longer for the production/delivery.

If you make PCBs often, it is definitely worth creating your own “PCB fab” at home, to be able to prototype your own PCBs quickly. Then, if it is still necessary, you can order the final version from a professional manufacturer.

I am not a big fan of toner transfer and other alternative methods, and as I used to make projects at school with photoresist PCBs, I decided to create a UV exposure “tool” for this purpose.

Plenty of DIY PCB UV exposure tool building posts are available on the internet, with totally different approaches. I also designed my own, to fulfill my needs: it should be relatively small and portable, and the hacking/modding should be fun. 🙂 Flatbed scanners looked like a possibly good target. Compared to most of the other scanner mods, which use LED arrays or fluorescent tubes across the whole scanner bed area, my plan was to use the scanner carriage with only a few LEDs and control its movement (and brightness) under the given PCB.

After a quick search on the local second-hand portal I found a nice old Mustek 1200CP for about 4 EUR. I made the investment 🙂 and started the work.
