Imagine you are driving your car on a highway, suddenly when you tried to increase the speed, your throttle doesn’t respond as you thought it would and then you realized the Engine warning light on the dashboard, what happens at that moment is that your vehicle has experienced some fault and it has stored the information regarding that fault and trigger the Engine Warning light also known as ‘Malfunction Indicator Lamp’.
So this diagnostic-related problem is handled by the vehicle primary ECU and PCM (Powertrain Control Module) unit, a PCM can be made up of several ECU’s. So in this article, we are going to understand what is DTC and how to read and Erase DTCs, and specifically how an attacker with malicious intent can target vehicle DTC.
DIAGNOSTIC TROUBLE CODES
The PCM unit stores the fault codes as the diagnostic trouble code (DTC). Faults are classified as either hard faults or soft faults. This broad classification depends upon the persistence of the faults, soft faults are generally intermittent issues, whereas hard faults required a mechanic or expert intervention to go away.
These fault codes are stored in different places, the memory-based DTC is stored in PCM’s RAM, which means they are temporary and will be deleted once the power from the battery is lost, more important DTCs stored in a place that can survive a power failure.
DETERMINING HARD FAULT AND SOFT FAULT
To determine Whether a fault is hard or soft, a mechanic clears the DTC and simply drives the vehicle, if the fault reappears then it is classified as a hard fault, a soft fault could simply be caused by a loose gas cap.
FOUR CLASSES OF FAULT
- Class A: It signals the gross emission failure and will light the MIL(Malfunction Indicator Lamp) right away.
- Class B: These faults don’t affect the vehicle emission system and store the first time they are triggered as a pending fault. The PCM waits to record several of the same faults before triggering the MIL.
- Class C: These faults often trigger the “service engine soon” message and will hardly trigger the MIL.
- Class D: They don’t trigger the MIL at all.
FREEZE FRAME DATA
All the relevant engine and component information is stored by PCM as a snapshot, during the storage of DTC. Some vehicle systems store only high-priority snapshots while other store multiple ones. These snapshots are known as ‘Freeze Frame Data’. These freeze frames are typically recorded about five seconds after DTC is triggered.
This snapshot includes:
- Engine Load
- Engine temperature
- Fuel trim
- Vehicle speed
- Manifold air pressure/mass airflow (MAP/MAF) values
- DTC Involved
- Operating Mode (open/close loop)
DTC is a five-character alphanumeric code. For instance code, P0477 represents exhaust pressure control value low.
The below image will showcase the functionality and components of each code.
READING AND ERASING DTCs
Devices used for reading and scanning DTC are quite expensive, they cost around $3000. For a cheap option, one can get an ELM327 device for around $10. These are the dongles that require additional software.
DTCs are designed in such a way that, they erase automatically when the faults don’t appear during conditions similar to when the faults were first found.
Generally, the MIL lights are turned off and DTCs get erased, when PCM finds no faults after three checks. The soft faults can be erased using a scanning tool or by disconnecting the battery, whereas hard or permanent DTCs are stored in NVRAM and only get erased once the PCM finds the faultless condition.
NOTE: The reason behind this is to prevent mechanics from manually turning off the MIL and clearing the DTCs, while the problem is still persistent.
POSSIBLE ATTACK ON DTC
So an attacker may target vehicle DTC and freeze frame data to hide malicious activity and intent.
For an instance, let us assume an attacker wants to target a vehicle and he develops an exploit for that, to succeed and remove his traces he needs to take advantage of only a brief temporary condition when the DTC is triggered because of the exploit. A vehicle freeze frame data will most likely miss the event as there are delays in recording, and the captured snapshots are designed in such a way that they rarely show any information regarding what causes the anomaly, that is whether the DTC was triggered maliciously or not.
While fuzzing vehicle system, an attacker might be interested in the fired DTC and the component that was affected. This is usually the research phase of an attack, where the attacker tries to understand which component gets hit due to randomly generated packets.
An attacker can access and fuzz the manufacturer-specific PIDs, simply by flashing the firmware or using mod 0x08. This could result in breaking into those proprietary interfaces that are initially designed to keep as a secret by the manufacturer.