Thursday, May 26, 2011

Disabling vehicle Event Data Recorders

NOTE: This is a discussion of the technology used for event data recorders (EDRs), and is not specific to any vehicle.

Doing any modifications to an EDR may void your product warranty. It may also affect your insurance (higher rates). And it could lead to prosecution if it is found to be vandalized or disabled when "the authorities" want access to it.

Some people in the United States still have this silly notion that citizens are supposed to be free from illegal search or seizure, free from constant governmental monitoring, and free to carry out their lives without some electronic bogeyman constantly spying on them and monitoring their every move, ready to "squeal" at a moment's notice.

Since the exact details of what is or isn't recorded is not required to be specified anywhere, there really is no way to know what all is being recorded with EDR's.

What with in-car integrated cellphone capabilities like OnStar, there really is nothing to prevent vehicle EDR's from also including a digitized audio recording of everything going on inside your vehicle several minutes prior to the crash, so that too can be part of the EDR "crash analysis" information.

So, if you want to put an end to this monitoring of your private activities and damn the consequences, then this is where your search will need to start.

1. Flash Memory

Flash memory cells wear out after thousands of writes. For an Event Data Recorder (EDR) to constantly track your vehicle's status, the information must be constantly updated.

Just updating the vehicle status info once a second (never know when a crash may occur), means that over the course of 10,000 miles at an average of 50 mph, that is 200 hrs of driving, or 720,000 seconds. That right there will damage most any flash memory cells used repeatedly.

However, flash could work if the EDR manufacturer is willing to buy high capacity memory chips and implement wear-leveling. This way although cells will progressively wear out and become unreliable, the damage will be distributed across millions of individual cells over time.

Assume an average of 4096 bytes of event data recorded per second. If 1 gigabyte of flash is available, then it takes 262,144 writes to record data to all cells a single time, in round-robin fashion. For the above 10,000 mile example, all cells would only have been used 3 times with 1 gig of flash storage. If the car were to last up to 300,000 miles, all cells would only have been written 90 times in the vehicle's lifetime.

Increasing the data written to 40 kilobytes per second still only means 900 writes to all cells in 300,000 miles for 1 gigabyte of flash. (Hmm, making a live audio recording of the vehicle cabin doesn't look too difficult to achieve.)

If your vehicle uses flash in its EDR, your only real options are to disable or destroy the memory chips. But the system probably has a way to detect a malfunctioning EDR memory unit since it is an essential part of the recording mechanism.

2. Static RAM

Static RAM is a very low-power memory that can be written an unlimited number of times, and can be powered by a tiny trickle of voltage.

As with flash memory, the system probably has a way to detect a malfunctioning or missing static EDR memory, and will report a "check engine" error code.

If the EDR uses static-RAM, then it most likely contains a small power source to keep data alive, in the event that the main battery is disconnected (like in an accident).

3. Lithium clock/memory batteries

Lithium batteries in home computers have a typical lifespan of about five years before they must be replaced and your computer's clock stops working. Since these batteries need to be replaced periodically, the dealer probably knows where the battery is and how to replace it.

If you were to remove the battery, the EDR would still function, but if the main battery terminals are disconnected, the EDR is instantly erased. Note, removing the battery may show up as a "Check Engine" error code, since that is how dealers would know to replace it.

4. Supercapacitors

An alternate way of retaining data is with a supercapacitor. This is a special high capacity device, which stores energy from the car battery and can be used as an emergency power source for computer memory if power is disconnected.

Supercapacitors effectively have an unlimited lifespan because they recharge almost instantly when power is applied to the device, and power is almost always available in a vehicle with a good battery.

Temporarily clearing the supercap can probably be accomplished by disconnecting the cables to your car battery, and then touching the two power cables together for about a minute. This will discharge any supercaps in the circuit, though it won't do anything if there is a diode in the supercap circuit to prevent draining this way.

The alternate method is to find the supercap and remove it from your vehicle (probably mounted on a circuit board right next to the EDR's memory). The EDR will still function normally with the car battery connected, but data will be instantly lost if the battery cables are disconnected.

5. Dummy / Modified EDR's

This is an advanced hacking project for a digital electronics expert. Basically you have to build a device or circuit which pretends to be an EDR but just discards all data sent to it.

Someone with sufficient knowledge of digital memory could also simply cut off the write signal wire on the memory chip(s) on the EDR circuit board, so that the system tries to send data into it, and nothing happens.

Also, the error monitoring could itself be hacked, so that the EDR cannot report there is a problem to the engine computer. Any request for system status is replied with "Oh yeah everything is fine over here!" while it continues to not store anything.

All of this is difficult to do without detailed knowledge of how the standard EDR or its bus signalling works, and none of this information is going to be available from the vehicle manufacturers.

1 comment:

  1. couldnt u just apply excess voltage to it and fry it without leaving a trace of tamper