Happy Little Accidents: The Overvoltage Glitch that almost broke the Mercedes-Benz Immobilizer

The presentation revolves around the Mercedes-Benz immobilizer ECU—a fortress of custom silicon, locked debug ports, and layers of cryptographic defenses, all engineered to protect one of the vehicle's core security features. All initial attempts to bypass the locked JTAG interface proved futile; every known trick was met with hardware-level protections and tightly sealed fuse bits. The usual “quick hacks” were dead on arrival.

The next steps were to meticulously map the PCB, identify hidden test points, and probe the microcontroller for any telltale signs of vulnerability. After countless hours and false starts, a subtle glitch opportunity in the system’s startup phase was finally discovered—just enough to coax the ECU into briefly enabling JTAG. Though the immobilizer’s functionality remained disabled in this glitched state, it allowed the extraction of precious fragments of firmware data, offering glimpses into Mercedes-Benz’ robust anti-tamper measures and the internal workings of its Hardware Security Module (HSM).

Upon discovery of this vulnerability, Mercedes-Benz was promptly informed and immediately began analyzing the findings to understand their impact.

This talk guides you step-by-step through the technical journey: from reverse-engineering the proprietary PCB to executing a carefully timed voltage glitch on the MCU. Along the way, we’ll explore the advanced mitigation strategies—voltage and clock monitors, sealed fuse bits, and active memory protection—that elevated this immobilizer’s resilience. By sharing successes, dead ends, and the engineering lessons learned, we aim to highlight why, even with partial breakthroughs, Mercedes-Benz’ immobilizer truly earns its reputation as a “Best-in-Class” security device. Attendees will leave with a deeper understanding of the complexities behind hardware glitching, secure MCU architectures, and the layered defenses that protect today’s automotive systems.

Agenda

  1. Automotive OEM Insights
  2. Hardware Analysis and Reverse Engineering
  3. Mitigation 1: Custom BGA Pinout
  4. MCU Analysis and Vulnerability Identification
  5. Mitigation 2: Custom MCU for Mercedes
  6. Glitching and Firmware Extraction
  7. Firmware Analysis
  8. Mitigation 3: Scrambled Peripheral Memory
  9. Reverse Engineering via JTAG
  10. Flash Memory and Security-Relevant Peripherals
  11. Attempting Persistent Backdoor via Flash Memory
  12. Mitigation 4: Hardware W^X via HSM
  13. Deep Dive into the Security Architecture
  14. Analysis of Mercedes-Benz Findings
  15. Conclusions & Key Takeaways

About the Speakers