V2GEvil
Goals of this talk
Chapter 1
Introduction to Vehicle Cyber Security
The State of Automotive Cyber Security
Introduction to EV
[Figure: EV block diagram. Labels: EVCC, ECU 1..n, BMS, CAN, IMD, HV-Bat, V, A, V]
Chapter 2
Charging
Charging Basics I
Charging Basics II
Charging Basics III
Charging Basics III - AC Type 2
[Figure: connector pinout. Pins: CP, PP, AC Neutral, AC Phase 1, AC Phase 2, AC Phase 3, PE]
Charging Basics III - CCS Type 2
[Figure: connector pinout. Pins: CP, PP, PE, DC+, DC-]
Charging Basics IV
[Figure: EV and EVSE. Labels: Communication, DC + -, Charging Power, ECU, Electronics, Onboard Charger]
Charging communication I
Charging communication II
Charging communication III
Chapter 3
Low Level Communication
Low Level Communication I
Voltage          State    Description
+12V             State A  No coupler engagement, no EV is connected to EVSE.
+9V (1kHz PWM)   State B  Coupler engagement detected (EV is connected to the EVSE), but EV not ready for charging. EVSE does not supply energy.
+6V (1kHz PWM)   State C  EV is connected and ready for charging. EVSE supplies energy.
+3V (1kHz PWM)   State D  EV is connected and ready for charging. EVSE supplies energy. Ventilation is required.
0V               State E  Short of CP to PE on the EVSE, no power supply.
-12V             State F  Charging station is not available.
Low Level Communication II
Duty Cycle               Description
Duty cycle > 97%         Charging is not allowed.
96% < duty cycle ≤ 97%   Maximum current consumption for AC charging is 80 A.
85% < duty cycle ≤ 96%   Available current = (duty cycle - 64) * 2A.
10% ≤ duty cycle ≤ 85%   Available current = duty cycle * 0.6A.
8% ≤ duty cycle < 10%    Maximum current consumption for AC charging is 6 A.
7% < duty cycle < 8%     Charging is not allowed.
3% ≤ duty cycle ≤ 7%     Force use of high-level communication protocol (ISO 15118 or DIN 70121). If pilot function wire is used for digital communication, then the duty cycle 5 % shall be used.
Duty cycle < 3%          Charging is not allowed.
Low Level Communication III
Chapter 4
High Level Communication
High Level Communication I
High Level Communication II
ISO 15118 I
ISO 15118 vs IEC 61851
Application layer messages (V2G message)
SDP (SECC Discovery Proto.)
EXI
V2GTP
UDP, TCP, TLS
IP
HomePlug GreenPHY
PWM Resistive Signaling
ISO 15118 II
ISO 15118 III
V2G Comm. Flow
[Figure: communication flow. Labels: IEC 61851, V2GTP messages]
V2GTP Message - PDU
V2GTP Message - header
Header fields: Protocol Version, Inverse Protocol Version, Payload Type, Payload Length
V2G PDU Payload Types
V2G Comm. Flow - SDP
SDP Request: Security, Transport Proto.
SDP request
0x9000
Security
• 0x00 == TLS
• 0x10 == No TLS
• Rest == Reserved
Transport Protocol
• 0x00 == TCP
• 0x10 == Reserved for UDP
• Rest == Reserved
V2G Comm. Flow - SDP
SDP Request: Security, Transport Proto.
SDP Response: IP address, Port, Security, Transport Proto.
SDP response
0x9001
Fields: IPv6 Address, Port, Security, Transport Proto.
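The V2GTP header and SDP request/response layouts from the slides above, as an added Python example that is not part of the original talk or of V2GEvil: a strict parser plus a check that the SDP response did not drop TLS when the request asked for it. Field widths and the 0x01/0xFE version pair are assumptions taken from ISO 15118-2, and the sample frames are constructed.

```python
import ipaddress
import struct

# Assumption: field widths and the 0x01/0xFE version pair follow ISO 15118-2;
# the slides name the fields but not their sizes.
V2GTP_HEADER = struct.Struct(">BBHI")  # version, inverse version, payload type, length
SDP_REQ, SDP_RES = 0x9000, 0x9001
SECURITY = {0x00: "TLS", 0x10: "No TLS"}
TRANSPORT = {0x00: "TCP", 0x10: "Reserved for UDP"}


def parse_v2gtp(frame: bytes):
    """Validate the 8-byte V2GTP header and return (payload_type, payload)."""
    if len(frame) < V2GTP_HEADER.size:
        raise ValueError("frame shorter than V2GTP header")
    version, inverse, ptype, length = V2GTP_HEADER.unpack_from(frame)
    if version != 0x01 or inverse != (version ^ 0xFF):
        raise ValueError("bad protocol version / inverse version pair")
    payload = frame[V2GTP_HEADER.size:]
    if len(payload) != length:
        raise ValueError("payload length field does not match frame size")
    return ptype, payload


def parse_sdp(frame: bytes) -> dict:
    """Decode an SDP request (2 bytes) or SDP response (20 bytes) payload."""
    ptype, payload = parse_v2gtp(frame)
    if ptype == SDP_REQ and len(payload) == 2:
        sec, proto = payload
        msg = {"type": "request"}
    elif ptype == SDP_RES and len(payload) == 20:
        addr, port, sec, proto = struct.unpack(">16sHBB", payload)
        msg = {"type": "response", "ip": str(ipaddress.IPv6Address(addr)), "port": port}
    else:
        raise ValueError("not a well-formed SDP message")
    # Any code other than the two listed per field is reserved on the slide.
    msg["security"] = SECURITY.get(sec, "Reserved")
    msg["transport"] = TRANSPORT.get(proto, "Reserved")
    return msg


def security_downgraded(request: dict, response: dict) -> bool:
    """True when the request asked for TLS but the response selects anything else."""
    return request["security"] == "TLS" and response["security"] != "TLS"


# Constructed sample frames (not captured traffic).
REQ = bytes.fromhex("01fe9000" "00000002" "0000")
RES = bytes.fromhex("01fe9001" "00000014" "fe80000000000000021122fffe334455" "c350" "1000")
```

Running `security_downgraded(parse_sdp(REQ), parse_sdp(RES))` on the constructed pair returns `True`, the condition an EVCC-side monitor would log or reject.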
V2G Comm. Flow - SDP
SDP Request: Security, Transport Proto.
SDP Response: IP address, Port, Security, Transport Proto.
V2G EXI messages
EXI encoded V2G Message
EXI encoded V2G Message concept
[Figure: EXI encoding and decoding between EVCC and SECC. Labels: Shared Knowledge (ISO 15118), Schema-Informed EXI Grammars, Data Structures, EXI Structure Coding, Content Coding, DOM, XML doc.]
EXI encoded V2G Message Example
Plain XML representation of a SessionSetupRes
EXI data stream representation of the SessionSetupRes
80 98 02 0C 0C 4C 8C CD 0D 4D 8D D1 E0 00 39 19 49 04 C8 CD 14 D0 D5 08 DC E1 0C 80
V2G application layer protocol handshake
[Figure: exchange of supportedAppProtocolReq and supportedAppProtocolRes. Left-hand labels: AppProtocol, ProtocolNamespace, VersionNumberMajor, VersionNumberMinor, SchemaID, Priority. Right-hand labels: SchemaID, Priority.]
V2G application layer messages
Chapter 5
Testing Environment
V2G Board Setup I
dLAN® Green PHY Module
V2G Board Setup II
V2G Board Setup III
V2G Testing Environment
Chapter 6
V2GEvil Intro
V2GEvil - Architecture
V2GEvil - Functionality I
V2GEvil - Functionality II
V2GEvil - Functionality III
V2GEvil - Functionality IV
Chapter 6
DEMO TIME
V2GEvil Sniffer
Sniffer module I
Sniffer module II
V2GEvil Enumerator
Enumerator module
V2GEvil Fuzzer
Fuzzer module
Chapter 7
The End
Further enhancements
Conclusion
To be released after DEFCON32
Thank You For Your Attention
Pavel Khunt, Thomas Sermpinis