Guillaume Heilles
Emma Benoit

Practical Car Hacking

11th - 12th September 2018 | 2 Days


Trainers

Guillaume Heilles & Emma Benoit

Abstract

In the last few years, we have seen many new attacks on cars, but this environment is still hard to get into mainly because the tools are different from classical reversing or hacking tools.

In this training, the car hacking tools will be presented along with many practical sessions to make sure the attendees will be able to redo the attacks later on. We will provide the necessary CAN tools and perform the attacks on real cars. We will also cover the basic theory about the CAN bus, so that the attendees can understand what is going on.

*Special gift: attendees will be given a CAN transceiver / controller and an OBD cable so that they can replay the attacks with any microcontroller as soon as they get back. They will need to bring a microcontroller board of their choice to the training to connect to their free CAN transceiver / controller. Any SPI-enabled microcontroller should be compatible, but the faster the better! The microcontroller may or may not have a CAN interface; we will handle both cases.


Course Outline

  • Introduction to Car Hacking
    • Overview of this training
  • Locating the CAN bus
    • What is the OBD-2 port, locating it
    • Finding a CAN bus right on the ECUs inside the car
    • Practice: using a diagnostic device
  • CAN bus overview
    • Architecture of a car: multiple CAN busses
    • The gateway, a CAN firewall
    • Electrical implementation of the CAN bus
    • OSI Layer architecture
    • CAN messages: understanding the format
    • ISO-TP
    • UDS
    • Practice: Reading the Vehicle Identification Number, reading the DTCs, clearing the DTCs
  • Architecture of an ECU
    • Hardware: identifying the main components
    • Software
      • Autosar: what is it, where does it come from? Presentation of its architecture
      • The security modes of an ECU
        • Normal
        • Security session
        • Factory session
    • Practice session: understanding an ECU's PCB
  • Breaking into security sessions
    • Brute force
    • Side channel attacks
    • Reverse engineering
      • of the ECU's firmware
      • of a diagnostic software
    • Practice session: write a brute-forcer
  • Discovery of CAN messages for your car
    • Understanding UDS standard messages
    • Discovering proprietary messages
    • Practice session: capturing CAN messages from a professional diagnostic device
  • Replay attacks
    • Replaying CAN messages
    • Practice session: open the doors of your car
  • CAN spoofing
    • Is there a message integrity?
    • What are message counters
    • Practice session: modify the speedometer
  • CAN fuzzing
    • Disclaimer
    • Analyzing captured messages
    • Custom fuzzer
    • Practice session: fuzzing a specific ECU
  • ECU reprogramming
    • Dumping the firmware
      • JTAG, UART, SWD, ICSP, SPI
      • Flash resoldering
    • Quick analysis of a firmware
    • Reprogramming the firmware
    • Practice session: dumping a firmware
  • ECU firmware reverse engineering
    • Architecture of a legacy firmware
    • Architecture of an Autosar firmware
    • Finding the right entry points
    • Practice session: reversing a firmware
  • Open-source tools and references
    • Candump
    • Canmonitor
    • Where to find other tools
  • Other busses
    • LIN
    • FlexRay
    • Ethernet
    • WiFi
    • USB
    • 3G

Who should attend

  • Security researchers
  • Car equipment designers
  • Hackers interested in cars

Prerequisite knowledge

  • Basic knowledge of programming (C, python)
  • Basic knowledge of Linux
  • Basic knowledge of firmware reversing is a plus, but not required

Hardware / Software Requirements

  • Laptop with WiFi
  • SSH client
  • A reverse engineering software is a plus
  • A smartphone with Torque Free installed

Bio

Guillaume Heilles is a security engineer at Quarkslab. He is mainly focused on hardware attacks on IoT devices, but also on reverse engineering and exploitation. He presented the hardware CTF at Hardwear.io in 2017 and a talk on "How to drift with any car" at the 34th CCC in 2017.

Emma Benoit is a hardware hacker and security researcher at Quarkslab. She graduated with an MSc in computer science in 2014. She learned about reverse engineering through the Blackhoodie workshop before discovering a passion for hardware hacking.

She gave talks with a focus on hardware and helped to run the hardware CTF at Nullcon in 2018. She likes exotic architectures, (de)soldering stuff, dumping memories and (de)constructing PCBs.