A Tbox, also called a TCU (telematics control unit), is the unit in the car responsible for network access. You can think of it as a small operating system plus a SIM card. The Tbox is the intermediary for communication between the car and the TSP (the car manufacturer's telematics management platform).
Common Tbox functions include collecting vehicle information and uploading it to the TSP, which then pushes messages to your mailbox or mobile app. Likewise, when you start the engine or open a door remotely through the app, the TSP converts your operation into a command and sends it to the Tbox, which parses the command and executes the corresponding operation.
The Tbox is therefore a very sensitive and important device, and the most important entry point for remote, contactless attacks.
Tboxes come in two kinds: pre-installed and after-market. Pre-installed means the unit was fitted at the factory; the manufacturer prepares it in advance and it is included when you buy the vehicle. After-market units are sold by vendors who retrofit vehicles that have no networking function so that the vehicles can be monitored and managed. The Loulan box for Audi is a common example on the market, alongside various other car boxes; those who are interested can look them up themselves.
Everyone knows that although a car is produced by a particular manufacturer, most of the equipment and software in it is not made by the car manufacturer itself; the parts are bought from suppliers. Suppliers that deliver directly to the car manufacturer are called tier 1 (tier1) suppliers, and a tier1 in turn buys different modules for assembly. A Tbox can be understood as a product made by the manufacturer's tier1, but Tbox manufacturers also have their own suppliers, for example for the software system and for hardware production. Some large tier1s handle most of the chain themselves and only buy in a few external modules.
Information gathering
As in regular penetration testing, some information gathering is needed first.
Our target is an electric vehicle. The first step is to collect information such as the Tbox model. Collecting information about a car is much like collecting it for a penetration test; here are some of the methods and sources I often use:
1. Original manufacturer information, including but not limited to various management software, for example Volvo's VIDA or Volkswagen's ODIS. It will contain some important information.
2. Car forums. Many hands-on owners post information there, and sometimes it helps us a lot, for example Wi-Fi details.
3. Security forums.
4. Repair shops.
5. Official websites. Some manufacturers let owners update the system themselves, and the official website provides firmware downloads for both the head unit and the Tbox.
One of the barriers to getting into car research is that you need the target equipment, but that does not mean you need a whole car.
You may not know where to start with procuring equipment, but it is not that difficult. On Amazon, for example, you can find plenty of Tbox listings.
However, I do not recommend buying a brand-new device. An old device has been running for a while, so it contains useful logs and usage traces that help greatly when analysing the system and its applications. It is therefore better to buy so-called scrap parts. Many scrap parts also come with their wiring harnesses, so the seller has at least marked the USB and power lines for you, which makes later checks easier. Most importantly, the price is right and it saves money.
The target device we got had been in use for a while. You can power it up with a 12V supply bought separately.
Attack analysis of a Tbox is similar to attack analysis of a whole vehicle, but because we need to analyse first and then look for vulnerabilities, some non-remote, non-contactless aspects are also included in the laboratory setting. Take the Tbox's USB interface: even with physical access to the car you have to remove the glove box to reach the Tbox, so in a whole-vehicle attack-surface review we generally do not count the Tbox's USB port as an attack point. In the laboratory our goal is to break the Tbox, so USB is included as an attack point.
Through analysis, the attack points of our Tbox are roughly as follows:
Tbox attack points:
1. Wi-Fi
2. USB
3. GSM/4G
Some Tboxes also have a Bluetooth module used as a phone-based Bluetooth key. My Tbox does not have this function.
For analysing this kind of IoT device, there are roughly three approaches:
1. Get a shell on the live device first, then debug and analyse it.
2. Find a way to obtain the system firmware directly, reconstruct the file system, and analyse it statically.
3. Desolder the device's storage chip and read it out.
But since updating the Tbox in a car is a low-frequency operation, approach 2 is basically useless. Approach 3 costs money and requires some hardware skills. So we go straight for approach 1.
Power up the Tbox and you will find a Wi-Fi network with a name like tbox-xxxxxxxx. Connect to it with the password 1234567890 and you will automatically get an IP address starting with 192. 1234567890 is the default password in the common hostapd setup, and most units never change it.
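A shared, well-known hostapd passphrase is the kind of finding an OEM or tier1 can catch before a unit ships. The following audit script is an added example (not code from the Tbox or from the original post) that parses a hostapd.conf and flags the weak settings described above; the sample configuration, SSID and passphrase list are constructed for the demonstration.

```python
import re

# Constructed sample hostapd.conf modelled on the Tbox access point described above.
# Only the "tbox-" SSID prefix and the 1234567890 passphrase come from the write-up;
# every other value is an assumption.
SAMPLE_HOSTAPD_CONF = """\
interface=wlan0
driver=nl80211
ssid=tbox-12345678
hw_mode=g
channel=6
wpa=2
wpa_passphrase=1234567890
wpa_key_mgmt=WPA-PSK
"""

# Passphrases seen shipped as defaults on embedded access points (constructed list).
DEFAULT_PASSPHRASES = {"1234567890", "12345678", "password"}


def parse_hostapd(text):
    """Parse key=value lines of a hostapd.conf into a dict; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(conf):
    """Return a list of findings for settings that leave the Tbox AP exposed."""
    findings = []
    passphrase = conf.get("wpa_passphrase", "")
    if conf.get("wpa", "0") not in ("2", "3"):
        findings.append("wpa: WPA2 (wpa=2) or WPA3 (wpa=3) not enforced")
    if not passphrase:
        findings.append("wpa_passphrase: missing (open network or external key material)")
    elif passphrase in DEFAULT_PASSPHRASES:
        findings.append("wpa_passphrase: well-known default value in use")
    elif len(passphrase) < 12 or passphrase.isdigit():
        findings.append("wpa_passphrase: short or all-digit passphrase")
    # TKIP as the pairwise cipher is deprecated; CCMP should be the only option.
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if re.search(r"\bTKIP\b", conf.get(key, "")):
            findings.append(f"{key}: TKIP allowed")
    return findings
```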
Once on the Tbox subnet, you can do routine port scanning. Several common ports are open, such as 23, 53 and 3490. The system is identified as linux/oelinux.
23 and 53 need no introduction; 3490 may be less familiar.
3490 is the TCP port opened by an open-source application called dlt, short for Diagnostic Log and Trace, a project under GENIVI. It is used for system diagnosis, mainly for collecting and organising application and system logs, similar to syslog. The project is hosted on GitHub.
53 is dnsmasq 2.8.x, so I did not look at it further; the newer versions have no remotely exploitable vulnerabilities.
Connecting directly to port 23 with telnet shows the login banner:
From it, it can be judged that a Qualcomm MDM96xx chipset is used.
The earlier scan identified the system as oelinux, so we tried the default oelinux root password, oelinux123, and it worked.
Once inside the system you can continue testing.
On some devices, such as the Loulan box, USB access also lands you on an internal subnet, and telnet works there as well.
There are quite a few services in oelinux, and we will not analyse them one by one here. Normally an unfamiliar system should be analysed from boot, so that you can work out which services are the core ones, which ones get started, and what they do.
ls / shows an app directory in the root, containing binaries and configuration files with names starting with ds, such as DSxxxx. ps shows that some of the running services also live in this directory, so it can be concluded that this is the Tbox's main service directory: the business implementation that the tier1 is responsible for, such as remote vehicle control.
Under app/log there are many log files. Among them, tspConnect.log contains the logs of command processing for commands issued by the server. This is the advantage of a used device that I mentioned earlier.
The main business logic is not complicated (after several hours of analysis):
1. tspConnect interacts with the TSP and receives instructions from the server. It parses each instruction and performs the corresponding operation; when it encounters a vehicle-control instruction, it sends a broadcast.
2. The dsvCom service listens for that broadcast and translates it into a specific CAN signal.
3. The CAN signal is passed to the mcuCom service, which puts it on the CAN bus.
4. The door is opened or closed, and the result is sent back to the TSP.
So the entry point of this remote-control business logic is tspConnect. The log contains some information, but it covers the unpacking stage, which helps us reconstruct the command-unpacking process; the specific details still require reversing tspConnect.
Before doing that, one thing needs to be confirmed: whether this transmission is encrypted, and whether we can reconstruct the encryption logic.
Recovering the encryption process
A tcpdump compiled for ARM was copied onto the Tbox and ran without trouble.
Note: capturing the original business traffic is not really possible here, because we have a standalone device that is not part of the original production service chain. But we can forge a TSP by changing the DNS resolution address; once the test-environment network is connected, packets can be captured and analysed.
From tspConnect.log it can be seen that the transmitted data is fixed-length, which suggests it may be a combination of data in some format with a fixed data length.
Packet capture confirms that the transport itself is not encrypted: it is a plain socket. So what remains is to reverse the packet-parsing logic in tspConnect, clear up the logic, and then TSP instructions can be forged.
The process of analysing tspConnect in IDA is omitted here.
Finally, the command format was recovered.
The data content is encrypted with AES. Where is the key? You have probably guessed: in tspConnect.
After analysis and confirmation, the key is generated from the VIN (frame number). Although it is computed dynamically each time, the resulting key is actually the same every time. Combined with tspConnect.log, we can now fully reconstruct the process of issuing vehicle-control commands.
We did not run a full GSM hijacking test here, because we did not have ready-made hijacking tools. Instead we modified the hosts file and used a Python script to fake a TSP server. When the Tbox connected, the fake server issued a vehicle-control command; tspConnect.log showed that our command was parsed successfully, meaning remote unlocking had been achieved.
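The design recovered above has two weaknesses that made the fake TSP work: the AES key is derived from the VIN, a value printed on the vehicle, and nothing in a command ties it to a point in time, so a captured or re-issued command is indistinguishable from a fresh one. The sketch below is an added example (not the Tbox's or the TSP's own code) of the two properties the command channel lacked: a per-vehicle key provisioned rather than derived from a public identifier, and a monotonic counter that makes the Tbox reject replays. It uses HMAC-SHA256 from the standard library in place of the page's AES format; the key, VIN and field names are constructed.

```python
import hashlib
import hmac
import json
import secrets

TAG_LEN = 32  # bytes of HMAC-SHA256 appended to every command

# Constructed per-vehicle key: generated at provisioning and stored on both the TSP and the
# Tbox, instead of being computed from the VIN as in the design analysed above.
VEHICLE_KEY = secrets.token_bytes(32)


def tsp_build_command(key, vin, counter, action):
    """TSP side: serialise a vehicle-control command and bind it to a VIN and a counter."""
    body = json.dumps({"vin": vin, "ctr": counter, "cmd": action}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class TboxCommandVerifier:
    """Tbox side: accept a command only if its tag verifies and its counter is strictly newer."""

    def __init__(self, key, vin):
        self.key = key
        self.vin = vin
        self.last_counter = 0  # highest counter accepted so far (persist this in real firmware)

    def verify(self, message):
        """Return the command string on success, or None if the message must be dropped."""
        if len(message) <= TAG_LEN:
            return None
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or corrupted message: wrong key or altered body
        fields = json.loads(body)
        if fields.get("vin") != self.vin:
            return None  # valid tag but addressed to another vehicle
        if not isinstance(fields.get("ctr"), int) or fields["ctr"] <= self.last_counter:
            return None  # replay of an earlier (or the same) command
        self.last_counter = fields["ctr"]
        return fields["cmd"]
```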
There are other areas we have not started on, such as the business logic of the mobile app.
The actual analysis involved far more than the part described above; the whole process still took a lot of time.