Hands-On Car Hacking


Trainer: Willem Melching

Date: 28th to 30th May 2024

Time: 9:00am to 5:00pm PDT

Venue: Santa Clara Marriott

Training Level: Intermediate to Advanced


Training Objectives:

Interested in opening up a car hacker's toolbox and applying these tools and techniques hands-on? Then this training is the best fit for you!

In this course, the participant will become familiar with the theory and practice around numerous techniques in automotive security. This allows the participant to see what is in a car hacker's toolbox, and how to mitigate possible security vulnerabilities. We will cover a variety of attacks on communication networks found in cars, such as spoofing, DoS and MITM.

The trainee will learn how to leverage open source tools to analyze various aspects of the modern car. Everything from attacks on the physical layer and diagnostic protocols to the reverse engineering of firmware will be covered. The trainee will also learn how to quickly build custom tools to interact with any custom protocol they might encounter.

We will look at a variety of diagnostic protocols used to talk to ECUs and extract their firmware, such as UDS, CCP and XCP. Other methods of obtaining firmware, such as extracting proprietary update files, JTAG and fault injection, will be shown.

Various simulated networks and real Electronic Control Units (ECUs) will be available to practice on. Based on experience level, different ECUs and challenges will be available.


What to Expect? | Key Learning Objectives:

  • Learn how a vehicle is designed, so you understand how to attack it
  • Understand standard diagnostic protocols used to communicate with most ECUs
  • Extract and reverse engineer firmware from ECUs
  • Learn how to write your own scripts to interact with a vehicle's networks

Training Detailed Description:

Day 1 - Vehicle Networks and Tools

Day 1 of the training will be used to become familiar with the standards used for the communication between Electronic Control Units (ECUs) in a vehicle. Attacks on the physical and link layer will be discussed, and their possible detection and mitigation.

In the second part of the day, we will look at hardware used to interact with the vehicle's network, and implement our first attack.

Theory:

  • Introduction to a typical modern car network layout and gateways found within.
  • Physical and link layer standards such as CAN, CAN-FD, LIN, FlexRay and Automotive Ethernet.
  • Where to find schematics and how to interpret them, and a look at the OEM software available to repair shops.
  • Hardware attacks on these networks and possible mitigation strategies.
  • Real-world examples of CAN traffic, including integrity checks such as counters and checksums.
  • Recent developments in cryptography for automotive networks (SecOC).
  • Hardware used to interact with the vehicle's network.

Hands-On:

  • Introduction to analyzing CAN traffic using Wireshark and cabana.
  • Find signals on CAN bus and create a DBC file.
  • Connect to a CAN bus using your computer, and perform an attack on the physical layer.
  • Reverse engineer a checksum algorithm and spoof a message.

Day 2 - Diagnostic Protocols and Hardware

On the second day of the training, we will dive into the actual hardware of a car and its ECUs. You'll learn how to find the schematics of a certain car, and identify the best points to connect to the different networks. We will look at the software provided to repair shops by the manufacturer.

Theory:

  • Diagnostic protocols such as OBD-II, KWP2000 (ISO 14230-3), Unified Diagnostic Services (UDS, ISO 14229-1) and the CAN Calibration Protocol (CCP/XCP).
  • Discuss different microcontroller architectures commonly used in ECUs.
  • PCB reverse engineering, and extracting firmware from an ECU using a debug probe.
  • Fault injection attacks against automotive microcontrollers.

Hands-On:

  • Implement a scanner to identify available UDS endpoints.
  • Find and communicate with CCP/XCP endpoints.
  • Communicate using Diagnostics over IP (DoIP).
  • Extract ECU firmware using various methods.

Day 3 - Reverse Engineering

Different firmware update files and their protections will be discussed. We will also look at the inside of an ECU and ways to extract its firmware. A quick introduction to Ghidra will be given.

An ECU firmware file can consist of millions of lines of code, which would take a long time to fully reverse engineer. Tips and tricks will be taught to quickly identify the parts of the firmware that are of interest. After reverse engineering the security access algorithm, we can flash the firmware back to the ECU.

Theory:

  • Extract firmware from a manufacturer update file.
  • UDS update/flashing procedures.
  • Fault injection techniques.
  • Introduction to Ghidra.
  • Identify the processor architecture and load firmware into Ghidra.
  • Common patterns used in automotive firmware.
  • Firmware integrity checks: checksums and secure boot.

Hands-On:

  • Reverse engineer an ECU's security access algorithm.
  • Write your own tool to flash the firmware onto an ECU.

Who Should Attend? | Target Audience:

  • Security researchers interested in automotive
  • Engineers interested in developing aftermarket automotive products
  • Automotive engineers/suppliers
  • Hackers interested in learning more about their own car

What to Bring? | Software and Hardware Requirements:

All hands-on exercises will be done on a Raspberry Pi running Jupyter Notebooks.

Required hardware:

  • Laptop with a functional Ethernet port. If your laptop does not have a built-in Ethernet port, make sure to bring your own USB adapter.
  • Latest version of Ghidra installed (including the required Java JDK)
  • Windows/macOS/Linux are all fine

What to Bring? | Prerequisite Knowledge and Skills:

  • Familiarity with basic Python scripting
  • Some experience with microcontrollers and protocols like UART
  • Experience with Linux
  • Basic reverse engineering knowledge preferred, but not mandatory

Resources Provided at the Training | Deliverables:

Participants will be provided with a syllabus that contains the information covered during the course, which can serve as a reference during the hands-on exercises or at home. The hands-on exercises are based on a Jupyter notebook; solutions will be provided at the end of the course.


ABOUT THE TRAINERS

Willem Melching is an independent security researcher. He has over 5 years of experience working on automotive security and reverse engineering. During his time at comma.ai he worked on reverse engineering cars to allow drive-by-wire control from a third-party system. As head of openpilot he led the development of an open source driver assist/lane keeping system.

Twitter: https://twitter.com/PD0WM

Blog: https://icanhack.nl/blog/

Podcasts: unnamedre, https://unnamedre.com/episode/54