Willem Melching

@mietekHiding It’s using PyMuPDF under the hood

@PD0WM nice. datasheet tables are the worst — multi-column layouts and rotated headers break every generic PDF parser I've tried. what are you using under the hood, pdfplumber?

I built an MCP server so Claude can properly read PDF datasheets. Not just pdf-to-text, but proper table of contents, search and viewing pages as both text and image. This way it can properly see diagrams and tables. Check it out: github.com/I-CAN-hack/pdf…

@FlUxIuS Don't forget this research into ID code glitching! jerinsunny.github.io/blogs/2024/02/… Also check out Renesas update TN-RH8-B0463A/E, which allows "Prohibition of [...] programmer" and "ID authentication" at the same time. I've seen this in the field, and requires two glitches to bypass.

5 years of RH850 fault injection research in one post 🧵 From a DIY RP2040 + hot-glued N-FETs to a €40 Pico Glitcher v3 bypassing Renesas ID Code protection. Just got my Pico Glitcher v3 and the timing couldn't be better 👇 🔗 community.penthertz.com/t/the-evolutio… #FaultInjection #Automotive #RH850 #Renesas #HardwareSecurity #ECU #Pico

Just released version 0.3.0 of the automotive crate with Vector support and some bug fixes! Check it out: docs.rs/automotive/0.3…

This blog post ended up being a bit more industry-focused than I would have liked, but I wanted to do the research because I was curious what the adoption of bug bounty programs looked like in automotive! hakstuff.net/blog/car-hacki…

@Mankaran32 They have it on their website as “standard” assembly: jlcpcb.com/partdetail/Ras… But for a production run I would probably just put an RP2354A directly on the PCB.

@PD0WM Does jlc do this type of pcba? Borad over board

I created a small PCB that simulates an EV charger connection (IEC 61851) by generating the required ±12V PWM signals. Let me know if this is something you would like to buy from my store!

@Mankaran32 Yes, for sake of prototyping speed this is all hand soldered. If I would sell the boards I would have JLC do PCBA.

@PD0WM Wow. Do you hand solder the picos?

@jbx81 The goal of the project is to also support PPC-VLE, RH850 and maybe some other weird architectures. Those are unfortunately not supported by QEMU. It’s also a fun exercise to write the emulator from scratch, and hopefully it will have some more benefits down the road.

@PD0WM Have you tried the QEMU cpu? I did a small instrumentation framework in rust using Unicorn and wasn't super bad, I think it is not under the latest Tricore ISA because that should be closed.

I'm 2 weeks into writing a custom emulator for some automotive fuzzing experiments. The designers of the Tricore ISA thought it necessary to define four variants of “reg ≥ imm9 → XOR into LSB of reg.” Who asked for this nonsense?

Inspired by @FraktalCyber's Laser Fault Injection rig, I got an xTool F1. I probably need to use some HNO3 to take off the last bit of packaging. The chips no longer work if I go too far, and the die also looks visually damaged.

Congratulations to @_stephandb_ for being the first to solve all the challenges! He also provided an excellent write-up: icanhack.nl/ctf_writeup.pdf. The CTF will stay up for a few more weeks, so don't worry if you haven't been able to finish all the challenges yet.

@NDagestad My bad! Added the attachment a couple hours ago.

I created a small automotive themed CTF! The first person to solve all the challenges will get a free CAN Bus Throwing Star. Check it out at ctf-teaser.icanhack.nl

@loosenedspirit Just get one of those yellow "E-NET" cables for that. They are compatible with all DoIP Option 1 pinouts, and contain the resistor. amazon.nl/OBD2-kabel-F-s…

@PD0WM that's missing one feature i'd buy in a heartbeat. bmw enables an ethernet port in the obd2 port if you bridge 8 & 16 with a 510ohm 1/4w resistor

I have opened a hardware shop! Check it out at shop.icanhack.nl The first product is the CAN Bus Throwing star, an easy to use converter to connect to all things CAN bus. Let me know what other products you’d like to see next!

@_MG_ You can also try dumping over CAN using UDS $23 (Read memory by address), XCP or CCP. However then you still need to figure out the flashing protocol to get the firmware onto the other EPS.

@_MG_ I have looked at quite a few EPSes, but not Mazda. RH850, PPC and Tricore can all be dumped with inexpensive tools. Besides proprietary JTAG there is usually a UART/CAN bootloader. However, from what I’ve heard they contain a per unit calibration. That might not be compatible.

Auto hackers: has anyone dumped/replaced the firmware on the EPS (power steering motor) in a Mazda? I’m curious if it’s even possible. If so, what tooling is needed. It’s pretty expensive to even start trying, so I’d like to figure out what progress others have made before I start. I haven’t been able to find any info though. My immediate desire is pretty simple: dump the firmware on the EPS from a CX5 made in 2022 or later, then load it onto a pre 2022 EPS.

@rce_trent They quietly changed the chipset inside, so it no longer works for reading in-circuit.

@PD0WM Question why replace rdf5k if it works?

Did anyone find a worthy replacement of the Transcend RDF5K to read EMMC In-Circuit in 1 bit mode without spending $$$? Bought a bunch of cheap SD card readers from Amazon to test with, but none show up as mmcblk.