A pair of German hackers gave a talk at 32C3 last week regarding the Bosch ECUs used in VW’s TDI models equipped with AdBlue. Being a software engineer by trade, I was interested in their findings and how they did it, so I sat down last night and watched the 65-minute presentation.
The first half of the talk is a bit dry, as it is a crash course in cost-benefit analysis in the automotive market, but it still provides some useful information behind why this ever happened at VW. The real action is the second half of the lecture.
The second presenter, Felix, bought a spare Bosch ECU [intended to be used for an EA189 motor] from eBay, and used a firmware bug to dump the raw binary, which he then parsed with a disassembler. He found documentation online that helped him figure out how the ECU’s variables correlated with memory addresses reverse engineered from the binary. Once he had an idea as to how the cheat was working, he was able to verify it with real-world tests on his own cheater-TDI equipped VW.
The interesting part of the talk is the description of how the Bosch ECU works:
- The ECU contains a simulated model of the engine.
- It is almost completely data driven, with very little logic flow. Change a variable (one of 20,000 that can be changed), and the ECU calculates the altered output immediately.
- With regard to emissions, the ECU controls AdBlue dosage used during Selective Catalytic Reduction. It turns out that AdBlue dosage requires precise calculation: too little and you don’t burn off much NOx, too much and your exhaust is mostly ammonia. The trick is to maximize NOx burn-off while minimizing ammonia leakage.
- In order to calculate AdBlue dosage, the ECU has two dosage models calculated side by side at all times: a main model which is to be used most of the time, and an alternate model for the edge conditions that the main model cannot account for. At any given point, the ECU will choose which model to use based on various inputs.
- So what are those various inputs? Felix tracked it down to a table that represented distance traveled over a given period of time. There are three tables, each with an upper and lower bound. When compared with EU emissions test procedures (travel at x km/h for y minutes, etc.), Felix found that when the curves for the test procedure are integrated over time (giving him a graph of distance travelled), the resulting curve fits exactly between the upper and lower bounds for inputs required to trigger the regular dosage model.
The alternate dosage model uses almost no AdBlue at all, and was being triggered most of the time, except when the calculated distance-over-time input fell within the narrowly defined upper and lower bounds.
Felix verified this in the real world: when he stuck to the bounds of the emissions test, the AdBlue injection signal behaved as it should, but when he went out of bounds, AdBlue injection dropped to zero and stayed there.
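The corridor check described above can be reproduced when auditing a logged speed trace. The sketch below is an added example, not code from the talk or from the ECU firmware. It assumes a single corridor rather than the three tables mentioned, models the "dropped to zero and stayed there" behaviour as a latch, and uses constructed numbers and hypothetical function names throughout.

```python
# Added illustration, not firmware code: every number below is constructed.

def cumulative_distance(speeds_kmh, dt_s=1.0):
    """Integrate a speed trace (km/h, one sample every dt_s) into metres."""
    total, out = 0.0, []
    for v in speeds_kmh:
        total += v / 3.6 * dt_s
        out.append(total)
    return out

def interp(curve, t):
    """Linearly interpolate a bound given as sorted (time_s, distance_m) points."""
    if t <= curve[0][0]:
        return curve[0][1]
    for (t0, d0), (t1, d1) in zip(curve, curve[1:]):
        if t <= t1:
            return d0 + (d1 - d0) * (t - t0) / (t1 - t0)
    return curve[-1][1]

def first_exit(speeds_kmh, lower, upper, dt_s=1.0):
    """Time (s) at which the trace first leaves the corridor, or None."""
    for i, d in enumerate(cumulative_distance(speeds_kmh, dt_s)):
        t = (i + 1) * dt_s
        if not interp(lower, t) <= d <= interp(upper, t):
            return t
    return None

def model_per_sample(speeds_kmh, lower, upper, dt_s=1.0):
    """Per-sample model label; leaving the corridor latches the alternate model."""
    exit_t = first_exit(speeds_kmh, lower, upper, dt_s)
    n = len(speeds_kmh)
    if exit_t is None:
        return ["main"] * n
    k = round(exit_t / dt_s) - 1  # index of the first out-of-bounds sample
    return ["main"] * k + ["alternate"] * (n - k)

# Constructed test cycle: 10 s idle, 20 s at 36 km/h, 10 s idle (200 m total).
LOWER = [(0, -25), (10, -25), (30, 175), (40, 175)]
UPPER = [(0, 25), (10, 25), (30, 225), (40, 225)]
ON_CYCLE = [0] * 10 + [36] * 20 + [0] * 10
OFF_CYCLE = [0] * 10 + [36] * 10 + [72] * 20  # speeds up after 20 s

if __name__ == "__main__":
    print("on-cycle exit:", first_exit(ON_CYCLE, LOWER, UPPER))
    print("off-cycle exit:", first_exit(OFF_CYCLE, LOWER, UPPER))
```

Overlaying the per-sample label on a logged AdBlue injection signal shows whether dosing tracks the corridor rather than engine conditions.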
So this means that it was very easy for VW to circumvent any emissions test it was subjected to. Just change a few variables to account for the distance traveled during a very strictly defined testing procedure, and its cars will look squeaky clean.
Since this is only related to AdBlue-equipped cars (like my 2015 GSW TDI), the 2009-2014 models likely use an entirely different cheat, but one likely still based on tweaking the model of the engine located in the ECU.