White Paper
The firmware executed by components found in a car provides a starting point for adversaries to obtain confidential information and discover potential vulnerabilities. However, the process of reverse-engineering a specific component is a complex and time-consuming task.
In this paper, we discuss several techniques we used to increase the efficiency of reverse-engineering the firmware of an instrument cluster. Using this example target, we demonstrate that it is easy to implement an emulator which runs the target's firmware without the original hardware and which models many of the target's essential components, such as the EEPROM, display controller, and CAN bus.
Our implementation allows standard Linux tooling to be used to send CAN messages to the target. Using this emulator, we efficiently understood the target's functionality, recovered secrets (for example, UDS keys), and performed fuzzing to identify vulnerabilities.
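As an added illustration (not code from the paper or its emulator), this sketch shows how an emulated ECU's CAN side can be exposed to ordinary Linux tooling: a minimal single-frame UDS responder for the emulated cluster, plus a SocketCAN bridge so that cansend/candump on a vcan interface reach it. The CAN IDs, the fixed seed and the seed-to-key transform are constructed assumptions.

```python
import socket
import struct

# Constructed assumptions: request/response CAN IDs and SocketCAN frame layout.
REQ_ID, RESP_ID = 0x7E0, 0x7E8
CAN_FRAME_FMT = "<IB3x8s"     # struct can_frame: id, dlc, 3 pad bytes, 8 data bytes
CAN_ID_MASK = 0x1FFFFFFF      # strip EFF/RTR/ERR flag bits from can_id

# Emulator state: active session, last seed handed out, unlock flag.
_state = {"session": 0x01, "seed": None, "unlocked": False}

def _key_for(seed: bytes) -> bytes:
    # Constructed stand-in for the ECU's seed->key transform. In a real
    # emulator this is the firmware's own routine, observed rather than guessed.
    return bytes(((b ^ 0x5A) + 1) & 0xFF for b in seed)

def handle_uds(payload: bytes) -> bytes:
    """Handle one ISO-TP single-frame UDS request; return the 8-byte response payload."""
    n = payload[0] & 0x0F if payload else 0
    if not payload or (payload[0] >> 4) != 0 or n == 0 or n != len(payload) - 1:
        return b""                                   # malformed single frame: dropped
    req = payload[1:1 + n]
    sid = req[0]
    if sid == 0x3E and req[1:] == b"\x00":           # TesterPresent
        body = b"\x7E\x00"
    elif sid == 0x10 and len(req) == 2:              # DiagnosticSessionControl
        _state["session"] = req[1]
        body = b"\x50" + req[1:2] + b"\x00\x32\x01\xF4"
    elif sid == 0x27 and len(req) == 2 and req[1] == 0x01:   # SecurityAccess requestSeed
        _state["seed"] = b"\x12\x34\x56\x78"         # constructed fixed seed
        body = b"\x67\x01" + _state["seed"]
    elif sid == 0x27 and len(req) == 6 and req[1] == 0x02:   # SecurityAccess sendKey
        if _state["seed"] and req[2:] == _key_for(_state["seed"]):
            _state["unlocked"] = True
            body = b"\x67\x02"
        else:
            body = b"\x7F\x27\x35"                   # NRC invalidKey
    else:
        body = b"\x7F" + bytes([sid]) + b"\x11"      # NRC serviceNotSupported
    return bytes([len(body)]) + body.ljust(7, b"\x00")

def pack_frame(can_id: int, data: bytes) -> bytes:
    return struct.pack(CAN_FRAME_FMT, can_id, len(data), data.ljust(8, b"\x00"))

def unpack_frame(raw: bytes):
    can_id, dlc, data = struct.unpack(CAN_FRAME_FMT, raw)
    return can_id & CAN_ID_MASK, data[:dlc]

def serve(ifname: str = "vcan0") -> None:
    """Bridge the responder to a SocketCAN interface (Linux only, e.g. a vcan)."""
    with socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW) as s:
        s.bind((ifname,))
        while True:
            can_id, data = unpack_frame(s.recv(16))
            if can_id == REQ_ID and (resp := handle_uds(data)):
                s.send(pack_frame(RESP_ID, resp))
```

With `ip link add vcan0 type vcan && ip link set up vcan0` and `serve()` running, `cansend vcan0 7E0#023E00` yields a `7E8#027E00...` reply visible in `candump vcan0`.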