In a previous blog, we took a look at the ChargePoint Home Flex EV charger – one of the targets in the upcoming Pwn2Own Automotive contest. In this post, dive in with even greater detail on all of the EV Chargers targeted in the upcoming Pwn2Own Automotive competition. This isn’t meant to be a detailed exploitation guide. However, we hope these high-resolution images will inspire some of the research we hope to see on display in Tokyo.
在之前的博客中,我们介绍了 ChargePoint Home Flex EV 充电器——即将到来的 Pwn2Own Automotive 竞赛的目标之一。在这篇文章中,将更详细地介绍即将到来的 Pwn2Own 汽车竞赛中针对的所有电动汽车充电器。这并不是详细的漏洞利用指南。然而,我们希望这些高分辨率图像能够激发我们希望在东京展出的一些研究。
This post provides detailed imagery of the target EV chargers we are including in the upcoming Pwn2Own Automotive contest. Our intention is to help contestants understand the component hardware included in the EV chargers for the competition. But first, a safety reminder:
这篇文章提供了我们在即将到来的 Pwn2Own 汽车竞赛中包含的目标电动汽车充电器的详细图像。我们的目的是帮助参赛者了解比赛的电动汽车充电器中包含的组件硬件。但首先,安全提醒:
EV Chargers contain high voltages. Use extreme caution when working with them. Never touch interior components when powered on. If you are unable to determine the safe vs unsafe regions within the device, seek qualified assistance before proceeding. An open enclosure can be a deadly enclosure. Modifications to charging devices should not be made if there is an intent to ever plug the device into a vehicle or use the charging cable power or signal conductors as part of the experimentation. If there is such an intent, the EV charger should not be modified, and the appropriate connections should be made per the manufacturer’s instructions.
电动汽车充电器包含高电压。使用它们时要格外小心。 切勿在通电时触摸内部组件。 如果您无法确定设备中的安全与不安全区域,请在继续操作之前寻求合格的帮助。 开放式外壳可能是致命的外壳。如果打算将充电设备插入车辆或使用充电电缆电源或信号导体作为实验的一部分,则不应对充电设备进行修改。如果有这样的意图,则不应修改 EV 充电器,并应按照制造商的说明进行适当的连接。
With that out of the way, let’s move on to the images.
说完这些,让我们继续讨论图像。
Autel Maxi EV Charger Autel Maxi EV 充电器
The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the Autel Maxi EV Charger.
以下列表总结了趋势科技研究部已确定为 Autel Maxi EV 充电器中值得注意的组件和/或潜在攻击面的组件。
· ST Micro STM32F407ZGT6
· ST Micro STM32F407ZGT6
· Renergy RN830(B) · 瑞能RN830(B)
· Barrot BR8051A01 bluetooth radio
· Barrot BR8051A01蓝牙收音机
· Quectel EC25-AFX · 移远通信EC25-AFX
· GigaDevices GD32F407
· 兆易创新GD32F407
· Espressif ESP32-WROOM-32D
· 乐鑫 ESP32-WROOM-32D
· Winbond 128Mbit Flash device
· 华邦 128Mbit 闪存设备
· ISSI IS62WV10248EALL/BLL
· ISSI IS62WV10248EALL/BLL
The Autel Maxi comprises multiple boards. One board is dedicated to the display, one board is a metrology board for power measurement and distribution, one is a mobile communication module board, and, finally, there’s a CPU board.
Autel Maxi 由多块板组成。一块板子专用于显示器,一块板子是用于功率测量和分配的计量板,一块是移动通信模块板,最后是一块CPU板。
ChargePoint Home Flex ChargePoint 家庭 Flex
The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the ChargePoint Home Flex EV charger.
以下列表总结了趋势科技研究部已确定为 ChargePoint Home Flex EV 充电器中值得注意的组件和/或潜在攻击面的组件。
· Atmel AT91SAM9N12
· Atmel AT91SAM9N12
· Micron MT47H64M16NF-25E IT:M – 1GB DRAM
· 美光 MT47H64M16NF-25E IT:M – 1GB DRAM
· Micron MT29F4G08ABBDAH4-IT:D – 4GB NAND flash
· 美光 MT29F4G08ABBDAH4-IT:D – 4GB NAND 闪存
· Inventek ISM43340 Wi-Fi Bluetooth SIP Module
· Inventek ISM43340 Wi-Fi 蓝牙 SIP 模块
The ChargePoint Home Flex comprises two circuit boards within the device housing. Those boards are the metrology board and the CPU board. The CPU board hosts an Atmel ARM CPU, a Wi-Fi radio, and a Bluetooth LE radio. The CPU board is labeled CPH-50 CPU on the PCB silkscreen markings. Also, the unpopulated debug header labeled CN1 exposes the JTAG debugging interface of the Atmel AT91SAM9N12.
ChargePoint Home Flex 在设备外壳内包含两块电路板。这些板是计量板和 CPU 板。CPU 板包含一个 Atmel ARM CPU、一个 Wi-Fi 无线电和一个蓝牙 LE 无线电。CPU板在PCB丝印标记上标有CPH-50 CPU。此外,标记为 CN1 的未填充调试标头公开了 Atmel AT91SAM9N12的 JTAG 调试接口。
The metrology board hosts an MSP430 microcontroller. It terminates the power connection from the power supply. It also terminates the charging cable that end users connect to the electric vehicle. The metrology board also provides power to the CPU board via a stacked PCB connector on the upper right of the metrology board. The metrology board is labeled with the identifier Panda AC 50 on the PCB silk screen markings.
计量板包含一个 MSP430 微控制器。它终止与电源的电源连接。它还终止了最终用户连接到电动汽车的充电电缆。计量板还通过计量板右上方的堆叠 PCB 连接器为 CPU 板供电。测量板在PCB丝印标记上标有标识符Panda AC 50。
Emporia Smart Home EV Charger
Emporia 智能家居电动汽车充电器
The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the Emporia Smart Home EV charger.
以下列表总结了趋势科技研究部已确定为 Emporia 智能家居 EV 充电器中值得注意的组件和/或潜在攻击面的组件。
· Espressif ESP32-WROVER-IB
· 乐鑫 ESP32-WROVER-IB
· TI MSP430F6736A · TI MSP430F6736A
The device is built around the Espressif ESP32-WROVER-IB Wi-Fi and Bluetooth module. It is marked on the board as U1. The serial interface of the ESP32 is connected to the vias located directly next to the module labeled H3-H10. Identifying the pinout is an exercise for the reader.
该设备围绕乐鑫 ESP32-WROVER-IB Wi-Fi 和蓝牙模块构建。它在板上标记为 U1。ESP32 的串行接口连接到标有 H3-H10 的模块旁边的过孔。识别引脚排列是读者的一项练习。
The Emporia Smart Home EV charger uses a TI MSP430F6736A microcontroller for the metrology function.
Emporia 智能家居 EV 充电器使用 TI MSP430F6736A 微控制器来实现计量功能。
Enel X Way Juicebox 40 EV Charger
Enel X Way Juicebox 40 EV 充电器
The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the Enel X Way Juicebox EV charger.
以下列表总结了趋势科技研究部在 Enel X Way Juicebox EV 充电器中确定为值得注意的组件和/或潜在攻击面的组件。
· Silicon Labs WGM160PX22KGA3
· Silicon Labs WGM160PX22KGA3
· Silicon Labs MGM13S SiP Module
· Silicon Labs MGM13S SiP 模块
· Atmel ATmega328P · Atmel ATmega328P
· Atmel M90E36A Metering IC
· Atmel M90E36A计量 IC
The following image shows an overview of most of the main PCB. The Silicon Labs WGM160PX22KGA3 is toward the top-left of the following image and is marked U3. The Silicon Labs MGM13S SiP Module is toward the lower left of the following image and is labeled U11. The Atmel ATmega328P is located left-of-center in the following image and is labeled U14.
下图显示了大多数主 PCB 的概述。Silicon Labs WGM160PX22KGA3位于下图的左上角,标记为 U3。Silicon Labs MGM13S SiP 模块位于下图的左下角,标记为 U11。Atmel ATmega328P 位于下图中的中心左侧,标记为 U14。
The following image shows the right-hand side of the board. This is where the Atmel M90E36A Metering IC is located. It is located on the right-hand side of the board and is marked U25.
下图显示了电路板的右侧。这就是 Atmel M90E36A Metering IC 所在的位置。它位于棋盘的右侧,标记为 U25。
Phoenix Contact CHARX SEC 3100
菲尼克斯电气 CHARX SEC 3100
The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the Phoenix Contact CHARX SEC 3100 EV charge controller.
以下列表总结了趋势科技研究部在菲尼克斯电气 CHARX SEC 3100 EV 充电控制器中确定为值得注意的组件和/或潜在攻击面的组件。
· NXP MCIMX6G2CVM05AB – i.MX 6UltraLite Processor
· NXP MCIMX6G2CVM05AB – i.MX 6UltraLite 处理器
· Infineon OPTIGATM TPM SLB 9670 TPM2.0
· 英飞凌 OPTIGATM TPM SLB 9670 TPM2.0
· Micron MT41K256M16TW-107 IT:P – 4gb DDR3 memory module
· 美光 MT41K256M16TW-107 IT:P – 4GB DDR3 内存模块
· Micron MTFC8GAKAJCN-4M IT – 64 Gbit MMC NAND flash
· 美光 MTFC8GAKAJCN-4M IT – 64 Gbit MMC NAND 闪存
· Sierra Wireless RC7620-1
· Sierra 无线 RC7620-1
· STM32F303 Arm microcontroller
· STM32F303 Arm 微控制器
The Phoenix Contact CHARX SEC 3100 is an EV charging controller. The device is typically mounted on a DIN rail. The enclosure contains two PCBs interconnected via a bus at the rear of the enclosure. In this document, we refer to one PCB as the CPU Board, and the other as the Metrology Board.
菲尼克斯电气CHARX SEC 3100是一款电动汽车充电控制器。该器件通常安装在DIN导轨上。机柜包含两个 PCB,通过机柜后部的总线互连。在本文档中,我们将一个 PCB 称为 CPU 板,另一个称为计量板。
The CPU Board hosts the NXP MCIMX6G2CVM05AB ARM Cortex A7 CPU along with its associated DDR3 and NAND flash components. Additionally, the CPU Board comprises two Ethernet interfaces, one USB C interface, a micro SD card reader, a micro SIM card slot, and a Sierra Wireless RC7620 cellular modem.
CPU板托管恩智浦MCIMX6G2CVM05AB ARM Cortex A7 CPU及其相关的DDR3和NAND闪存组件。此外,CPU 板包括两个以太网接口、一个 USB C 接口、一个 micro SD 读卡器、一个 micro SIM 卡插槽和一个 Sierra Wireless RC7620 蜂窝调制解调器。
The Phoenix Contact CHARX SEC 3100 runs Linux, and the manufacturer provides access via a preexisting user account on the system.
菲尼克斯电气的CHARX SEC 3100运行Linux,制造商通过系统上预先存在的用户帐户提供访问权限。
The Metrology Board hosts the STM32F303 Arm microcontroller.
计量委员会托管 STM32F303 Arm 微控制器。
Ubiquity EV Station 无处不在的电动汽车站
The following list summarizes the components Trend Micro research has identified as notable components and/or potential attack surfaces in the Ubiquity EV Station.
以下列表总结了趋势科技研究确定为 Ubiquity EV Station 中值得注意的组件和/或潜在攻击面的组件。
· Qualcomm APQ8053 SoC
· 高通APQ8053 SoC
· Nuvoton M482LGCAE (ARM)
· 新唐M482LGCAE (ARM)
· Samsung KMQX60013A-B419 DRAM / NAND
· 三星 KMQX60013A-B419 DRAM / NAND
· Realtek RTL8153-BI Ethernet controller
· Realtek RTL8153-BI 以太网控制器
· Qualcomm WCN3680B (Wi-Fi)
· 高通WCN3680B (Wi-Fi)
· NXP PN71501 (NFC)
· 恩智浦PN71501 (NFC)
· TI USB 4 Port Hub – TUSB2046BI
· TI USB 4 端口集线器 – TUSB2046BI
· Qualcomm PMI8952 (PMIC)
· 高通PMI8952 (PMIC)
· Qualcomm PM8953 (PMIC)
· 高通PM8953 (PMIC)
· UART DEBUG port · UART 调试端口
· USB C port · USB C 端口
The following is an overview image of the main CPU board of the Ubiquity EV Station. The board has several collections of highly integrated components, each isolated inside its own dedicated footprint on the board. Each of these areas of the PCB appears to be dedicated to discrete functionality, such as CPU with RAM and flash, Wi-Fi, NFC, Ethernet, USB, and display.
以下是 Ubiquity EV Station 主 CPU 板的概览图。该板具有多个高度集成的组件集合,每个组件都隔离在电路板上自己的专用封装内。PCB 的每个区域似乎都专用于分立功能,例如带 RAM 和闪存的 CPU、Wi-Fi、NFC、以太网、USB 和显示器。
In the center of the board sits the Qualcom APQ8053 and Samsung KMQX60013A-B419 combination DRAM and NAND controller. These represent the primary application processor for the device, along with the RAM and flash storage for the device. They are marked U5 on the PCB silkscreen.
电路板中央是高通APQ8053和三星KMQX60013A-B419组合DRAM和NAND控制器。它们代表设备的主要应用处理器,以及设备的 RAM 和闪存。它们在 PCB 丝印上标记为 U5。
Just beneath this section of the PCB lie three connectors. A connector marked JDB2 and UART DEBUG emits boot messages from the Ubiquity EV Station upon boot. In the center is a USB C connector marked J20. To the right is a two-pin connector marked J28. The functionality of this connector is not yet understood.
在PCB的这一部分正下方有三个连接器。标记为 JDB2 和 UART DEBUG 的连接器在启动时从 Ubiquity EV Station 发出启动消息。中间是一个标有 J20 的 USB C 连接器。右边是一个标有 J28 的两针连接器。此连接器的功能尚不清楚。
In the top center of the following image is an unpopulated component marked U20. It’s possible this is an unpopulated footprint for a cellular communication module.
下图的顶部中心是一个标记为 U20 的未填充组件。这可能是蜂窝通信模块的未填充占用空间。
The following image shows the Qualcomm CPU and associated RAM and NAND flash chip inside the Ubiquity EV Station:
下图显示了 Ubiquity EV Station 内的 Qualcomm CPU 以及相关的 RAM 和 NAND 闪存芯片:
In the following image, the PCB shows a stencil marked “J23.” Trend Micro researchers endeavored to discover where this header is connected. They surmised it might be possible that the vias in J23 might be connected to a debug interface on the board. Upon further inspection, they determined the vias on J23 are connected to the unpopulated device marked U20.
在下图中,PCB 显示了标有“J23”的模板。趋势科技研究人员努力发现此标头的连接位置。他们推测,J23中的过孔可能连接到电路板上的调试接口。经过进一步检查,他们确定 J23 上的过孔连接到标记为 U20 的未填充设备。
Conclusion 结论
We hope this imagery will inspire you to take a deeper look at the EV chargers to be targeted at Pwn2Own Automotive. Time is running out to register, with the deadline being January 18, 2024. As always, we recommend using basic electrical safety handling procedures whenever working with electrical devices. Potentially lethal voltages will be present within the unit, especially when powered from a 230VAC source. We hope to see both you and your exploits in Tokyo.
我们希望这张图片能激发您更深入地了解针对 Pwn2Own Automotive 的电动汽车充电器。注册时间不多了,截止日期为 2024 年 1 月 18 日。与往常一样,我们建议在使用电气设备时使用基本的电气安全处理程序。潜在的致命电压tages 将存在于设备内,尤其是当由 230VAC 电源供电时。我们希望在东京看到你和你的功绩。
Until then, stay tuned to this blog for attack surface reviews and how-to guides for other devices, and if you’re curious, you can see all the devices included in the contest. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.
在此之前,请继续关注此博客,了解其他设备的攻击面评论和操作指南,如果您好奇,您可以查看比赛中包含的所有设备。在此之前,请在 Twitter、Mastodon、LinkedIn 或 Instagram 上关注该团队,了解最新的漏洞利用技术和安全补丁。
原文始发于Todd Manning:A DETAILED LOOK AT PWN2OWN AUTOMOTIVE EV CHARGER HARDWARE
转载请注明:A DETAILED LOOK AT PWN2OWN AUTOMOTIVE EV CHARGER HARDWARE | CTF导航