

Car Hacker's Handbook - MichaelAza
http://opengarages.org/handbook/

======
alexggordon
Looks like the website is having some trouble with all the HN traffic.
Rehosted the ebook downloads on GDrive to save him some traffic. I'll remove
them when the post leaves the HN front page.

Just FYI, this book literally teaches you how to identify security
vulnerabilities in modern cars and exploit them.

You can purchase it from Amazon here[0], or download the book for free in
EPUB[1] or PDF[2].

[0] http://www.amazon.com/2014-Hackers-Manual-Craig-Smith/dp/0990490106/ref=sr_1_1?ie=UTF8&qid=1405445024&sr=8-1&keywords=2014+car+hacker%27s+manual

[1] https://drive.google.com/file/d/0Bzxo-UKxFmN-bDlNSi1IT1JLdHM/view?usp=sharing

[2] https://drive.google.com/file/d/0Bzxo-UKxFmN-WFVjcEVVX3B5azg/view?usp=sharing

~~~
alexggordon
I've now removed these file mirrors!

------
akallio9000
This is especially heinous given that car manufacturers are trying to keep you
from repairing your own car, claiming that the computer systems are
copyrighted.

http://www.theverge.com/2015/4/24/8490359/general-motors-eff-copyright-fight-dmca

~~~
kw71
Here in the USA the carmakers are bound by law to not act in a way that
prevents you from repairing your own car.

The article that you cited does not seem to advance the argument in your
comment, even though it opens with a story of a company getting sued for
actual copyright infringement. (Ford has not sued the "ForSCAN" team.)

The carmakers are bound by law to implement the OBD2 application with an
acceptable OBD2 PHY. They are also bound by law to provide their dealer system
for flash-programming and for operations that cannot be carried out using the
OBD2 application. Anyone can obtain a J2534 gateway to use these tools, and
anyone can obtain access to these tools.

This is necessary to resolve antitrust issues and because a broken car is a
potential emissions problem.

The carmakers have not stopped third-party diagnostic providers from reverse
engineering the carmakers' tools to develop their own tools for sale.
Autoenginuity, Launch X431, Snap-On are examples of companies that do this and
who have no connections to the vehicle manufacturer supply chain the way that
Bosch, Actia, and Continental do.

~~~
njloof
Ok, but go ahead and try to DIY your Tesla.

~~~
fnordfnordfnord
Have you heard of the Stretchla?
http://insideevs.com/video-update-diy-stretchla-project-tesla-model-s-to-underpin-stretched-volkswagen-vanagon-body-battery-evaluation-and-removal/

~~~
qbrass
http://cafeelectric.com/stretchla/

“Due to the salvage status of your Model S, I have been instructed to cease
providing you with parts. Tesla is very concerned about vehicles with salvaged
titles being improperly repaired. Going forward, all salvaged vehicles must be
inspected by us or our approved body shop, Precision Auto Body. If declared a
candidate for proper repair, reconstruction must be completed by a Tesla-
Certified Body Shop.”

~~~
fnordfnordfnord
Yeah, looks like he's still stalled.

------
titomc
I worked for one of those car manufacturers on the telematics unit, like
putting specific frames on the CAN bus to make the car do remote operations
like start/stop engine and also read values from ECUs for DTC codes. We used
to teraterm into the unit with a serial cable & a trivial password. The
security measure we had during that time was that "we do not give cables to
customers so that they can't teraterm into the telematics unit". It might have
changed now with the recent CAN bus hacks.

~~~
kw71
Ha, Harman tried that with a recent project of theirs that is in serial
production now for a big carmaker. I identified the strange connector and
asked for a free sample of it, from there it took me ten minutes to disable
the firewall and enable SSH access from the ethernet.

~~~
titomc
I didn't want to give specifics of the hardware. Now that you know, yes, it's
Harman with QNX on Chryslers. Now you need to figure out the remote execution
codes to put on the CAN bus frames :). There is a catch though: without the
original car keys, you can't move the car, or can you?

In other news, access to the terminal is now based on an "authentication
key"; root access is not enough. For development purposes, Harman provides
these keys and they expire after a certain period of time. I am not sure those
"fixed" telematic models are out there on the market currently.

~~~
kw71
I attacked a Harman QNX device done for a different carmaker. When I got
access to the serial console I was able to look deeper. I found a script to
take down the firewall, and that a series of canbus messages will run the
script to enable this debug or development mode (very easy with one of the
carmaker's leaked engineering tools), so now we know how to break into the
device without taking the car apart to gain access to the connector.

The box is really cool, it would be neat to develop our own applets, but
mostly people are only interested in changing the splash screen. We found some
really neat things about it too, for instance if a second device appears on
the ethernet it can be a 'slave' to the first one and access its media.

We have seen demonstrations of the keyless cars from this automaker being
started and driven without the actual rfid-key device. Someone apparently used
some hardware to bruteforce the private key of the security controller so that
the authorised rfid-key information can be read and modified. This is
apparently becoming a problem in Europe where a car thief can simply drive
east for a while and be out of reach of the law.

------
gandalfu
Site overwhelmed. Archive links to the site, pdf and epub from 2015:

https://web.archive.org/web/20150628210322/http://opengarages.org/handbook/

https://web.archive.org/web/20150525100844/http://opengarages.org/handbook/2014_car_hackers_handbook_compressed.pdf

https://web.archive.org/web/20150628210322/http://opengarages.org/handbook/2014_car_hackers_handbook.epub

------
AceJohnny2
Some very interesting stuff in there... that's bound to make some
manufacturers very unhappy. I remember a couple years ago when some Tesla
forum geeks got access to the Linux system running the infotainment dashboard
of the model ... and got a nice (seriously) message from Tesla engineers to
the amount of "good job... but please stop there".

Many folks have mentioned how the Tesla Model S at least is more of a
supercomputing cluster on wheels than a car with some ECUs. I don't know how
armored their CAN bus(es) are, but I'm sure the "Attacking ECUs and other
embedded systems" is giving some safety engineers white hair.

(of course, everything I've said about Tesla is just about equally applicable
to other high-end vehicles. It's just that Tesla are a bit more connected to
the traditional software world)

~~~
shiggerino
> I'm sure the "Attacking ECUs and other embedded systems" is giving some
> safety engineers white hairs.

If the systems were properly documented for the owners I seriously doubt there
would be a problem. Give people a USB stick with docs, sources and signing
keys and those who can make sense of them are probably smart enough to hack
responsibly.

~~~
kw71
No way. The carmaker cannot guarantee emissions, safety or its operation if
tampering is permitted. I think they should stop at voiding the warranty,
though, and not move on to making threats or legal actions.

~~~
jandrese
If someone can make a Tesla Roadster fail emissions with a software patch I
will be impressed.

~~~
HeyLaughingBoy
Brake non-driving wheels and apply power to at least one drive wheel. Result:
lots of smoke!

------
csours
Looks awesome, hope this will be updated for V2X (Vehicle to Vehicle and
Vehicle to Infrastructure) / DSRC / Wave

I would have bought the Kindle e-book for sure - Does Amazon allow
pay-what-you-want?

------
TaylorGood
On the end-user side, this is a big leap towards maintenance transparency:
https://www.automatic.com + being tethered to
YourMechanic is brilliant.

