Hardware Reverse Engineering 101#
Introduction to JTAG#
JTAG (Joint Test Action Group) is a standard interface used to test and debug integrated circuits, including microprocessors, microcontrollers, and other digital devices. While JTAG was originally designed for testing and debugging purposes, it has also become a potential attack vector for hardware attacks.
One reason JTAG can be exploited for hardware attacks is that it provides low-level access to a device’s circuitry, including its memory, registers, and other internal components. This access can be used by attackers to extract sensitive data, modify firmware, or inject malicious code into a device.
Additionally, JTAG can be used to bypass other security measures, such as secure boot or encryption, by allowing an attacker to directly access a device’s memory and modify its contents. This can enable the attacker to gain privileged access and execute arbitrary code on the device.
Overall, JTAG can be a powerful tool for attackers looking to exploit hardware vulnerabilities. As such, it is important for hardware designers and security professionals to understand the potential risks and implement appropriate security measures to protect against JTAG-based attacks.
At First Glance#
Power Supply Circuitry#
The power supply circuitry is usually identifiable by the large capacitors or inductors.
Most ECU don’t use linear regulators, instead, they use DC-DC buck regulators.
Often, the power regulation is managed by the system basis chip.
It is important to know the location of the power circuitry to find the pins where to connect power to the PCB, in case you bought an ECU from eBay and you don’t have the schematics or the rest of the car to connect to it.
Transformers of different kinds are easily visible on the PCB. Finding transformers used in communications is useful to trace which pins the relative interfaces must be connected to.
The most common type of transformer you’ll find on an ECU is the Common-mode choke, a 4-pin transformer with an equal number of turns on the two sides. It is used for rejecting noise in protocols with differential signals, such as CAN, FlexRay, and Automotive Ethernet.
Sometimes you’ll also find normal Ethernet transformers on the PCB. These are not automotive Ethernet, but instead standard IEEE 802.3 Ethernet, usually found connected to the OBD connector.
Identifying Integrated Circuits (IC)#
Search Google for the printed part number, and try all the printed strings individually.
If the part number of a Microcontroller (MCU) is not printed, you might be able to find one of the printed strings on an errata and figure out the part that way.
Some automotive components are customized by car manufacturers, and no public data sheet is available. Typically, this is the case for MCUs and System Basis Chips.
One easy way to find transceivers is to follow the traces connected to the common-mode chokes, the two traces of a differential signal are kept close together.
CAN transceivers translate between the logic level CAN signals (RX, TX) to the differential signal on the bus (High, Low)?
Some common CAN transceivers:
Microchip MCP2551: 8-pin High-Speed CAN Transceiver found in many old ECUs and Arduino/Raspberry Pi CAN shields. Up to 1Mbps baud rate.
TJA1441: CAN FD (Flexible Data rate) transceiver, supports baud rates up to 5 Mbps. The pinout is the same as the MCP2551.
NXP TJA1059: Twp CAN transceivers in the same 14-pin package, found in most German ECUs.
Transceivers for other protocols commonly found in cars:
Automotive Ethernet: identical to Ethernet on the MAC layer, but with a different physical interface with only 2 wires for increased reliability. Speeds up to 1000 Mbps in either half-duplex or full-duplex, depending on the configuration.
FlexRay: differential protocol meant to replace CAN, in reality, it just complements it in applications where some extra speed is required. Speed is up to 10 Mbps.
LIN: single line bus protocol, usually used by simple sensors and actuators. Extremely similar to UART on the logic-level side. Speed is around 20 Kbps.
SWCAN: single wire, slower version of CAN, found mostly in GM cars. Speed is usually 33.3 Kbps. A special SWCAN transceiver can send 12V spikes to wake up ECUs. Other than that, a normal CAN transceiver can be used for communicating SWCAN (CAN Low is connected to the ground signal, and CAN High is connected to the bus).
NAND flash memories are sometimes found on some modern ECUs to store the firmware for some Systems on Chip (SoC). Typically, this is done in high-power processors which run multi-user operating systems such as Android or QNX. These are easy to dump by soldering some wires to the board and using the SDIO protocol.
EEPROM memories offer less storage but more write cycles and reliability than NAND flash memories. These are typically used for storing configurations of ECUs or logging data (also the odometer value). Sometimes it is fun to fuzz the data in the EEPROM to see how the ECU reacts.
System Basis Chips (SBC)#
SBCs offer a variety of features useful in the automotive industry packaged in a single chip.
Power management (DC-DC regulation, Voltage regulation for low power domain, multiple power domains…)
LIN, CAN transceivers
Hardware-Watchdog (Reset the MCU if it is behaving incorrectly)
Sometimes they are off-the-shelf components such as TLE9461ES, other times they are custom ASICs made to customer specifications.