Symbol Recovery for Engine Control Unit Firmware

Allgemein

Betreuer: Moritz Contag

Beginn: as soon as possible

Dauer: 6 months

Weitere Details: [A2L] [Infineon TriCore] [32c3 Talk]

Beschreibung

Similar to .map or .pdb files that hold symbol information such as variable names for common computer programs on, e.g., Windows and Linux, .a2l files are used to the same effect in the automotive industry. These files contain descriptive names for internal variables of the firmware as well as units and conversion formulas, amongst others. As such, they significantly aid in reverse engineering of the firmware itself, as they give the necessary context for the various computations. The format is standardized as ASAM MCD-2 MC and used widely by various vendors. More interesting applications enabled by knowledge of internal symbols are, e.g., the analysis of defeat devices as implemented in the recent emissions cheating scandal.

However, just as regular .pdb files, .a2l files are not easily available for every firmware. We focus on the scenario in which an older firmware image and the corresponding .a2l file is available to the reverse engineer, who tries to map the known symbols to a newer firmware image.

This thesis aims to yield a prototype capable of porting symbols of an older firmware version to a newer one for which no matching .a2l file is available. To this end, the student should implement and evaluate methods that fingerprint the context in which a variable is used in the older firmware image and use these to re-discover the variable in the newer image with high confidence.

Tasks that are to be solved include:

  • Familiarizing with .a2l files and the Infineon TriCore processor/assembly,
  • Researching the analyses used for fingerprinting the variable's context (e.g., control-flow and data-flow analysis, data structure reconstruction),
  • Developing novel methods to fingerprint a variable's context,
  • Automating the fingerprinting and symbol recovery phase, and
  • Evaluating the prototype on a wide range of ECU firmware images.

Voraussetzungen

The student is expected to be comfortable in reading assembly code as well as programming in a language suited for the task (e.g., C/C++, Python). Knowledge of IDA Pro is a plus.