#39c3 Hacking washing machines
#Hacking #washingmachines

Almost everyone has a household appliance at home, whether it's a washing machine, dishwasher, or dryer. Despite their ubiquity, little is publicly documented about how these devices actually work or how their internal components communicate. This talk takes a closer look at proprietary bus systems, hidden diagnostic interfaces, and approaches to cloud-less integration of appliances from two well-known manufacturers into modern home automation systems.

Modern home appliances may seem simple from the outside, but inside they contain complex electronic systems, proprietary communication protocols, and diagnostic interfaces rarely documented outside the manufacturer. In this talk, we'll explore the challenges of reverse-engineering these systems: from analyzing appliance control boards and internal communication buses to decompiling and modifying firmware to better understand device functionality.

We'll also look at the security mechanisms designed to protect diagnostic access and firmware readout, and how these protections can be bypassed to enable deeper insight into device operation. Finally, this talk will demonstrate how the results of this research can be used to integrate even legacy home appliances into popular home automation platforms.

This session combines examples and insights from the reverse-engineering of B/S/H/ and Miele household appliances.

Licensed to the public under http://creativecommons.org/licenses/by/4.0

#39C3 #PowerCycles #WashingMachineHacking #ReverseEngineering #HardwareHacking #EmbeddedSystems #IOTSecurity #SmartHomeHacking #Firmware #Exploit #RightToRepair #ElectronicWaste #Sustainability #ApplianceHacking #CyberSecurity #Hacking #WhiteHat #CCC #ChaosComputerClub #Microcontroller #CircuitBoard #Debug #TechAnalysis #OpenHardware #SmartAppliance #SecurityResearch #HardwareSecurity #InternetOfThings #Connectivity #LogicAnalyzer #IndustrialDesign #HackerCulture #HomeAutomation #DigitalSovereignty


39c3-2405-eng-deu-por-Hacking_washing_machines_sd

Transcript
00:00 Thank you for the nice introduction and welcome to our talk about washing machines and other
00:26 household appliances. Just to be clear, when we say household appliances we are
00:32 not just talking about washing machines, we mean dryers, dishwashers, ovens,
00:37 microwaves, coffee machines and all these things. Millions of these appliances are
00:43 sold every year and almost everybody has one of them at home, but at least to
00:49 our knowledge nobody has done research on these machines, and that's exactly what
00:56 we want to change today. To do research on these machines in many cases you need to
01:04 open them up. That's actually pretty easy, you just undo two screws at the top and
01:10 slide the cover off. It's very similar to opening a PC case, but once you look
01:17 inside it's quite different. Here on the front side you see the display module
01:25 and on the right side you see what's called the power module, and then there are
01:31 quite a lot of cables and of course a lot of mechanical parts as well. But now that
01:39 you can see this we want to point out our first warning: these devices contain high
01:45 voltages everywhere, usually without isolation. Sometimes there are low-voltage cables, but
01:53 even those may or may not be galvanically isolated from earth. So if you are working on
02:00 these machines you must take proper safety precautions like using optical probes or isolating
02:08 transformers and the like, and one thing you should never do is connect your computer directly to such an
02:14 appliance. Very important, you will kill yourself. The second thing that's also
02:25 very different from working with a PC case is that household devices usually
02:30 have water in them, they generate heat and steam, they shake and they vibrate and
02:36 they have rotating parts. And here in this short movie Severin shows in a truly brave experiment
02:47 what happens if you disable all the security bits in the firmware, so you can
02:54 definitely flood your house. Credits to Severin for this truly brave experiment.
03:05 And the third warning, and that's the last warning but probably the most important warning: household
03:14 appliances are usually actively used by family members. Reverse engineering these machines can temporarily make them
03:23 unusable and that can lead to serious problems with your family, I can tell you from my own experience.
03:33 So it's definitely a good idea to start with some spare parts taken from broken devices. This is what I call my first lab setup,
03:44 a very professional lab setup as you see, and in the end I ended up with something like this. I call it a dishwasher in a box, that's all the important non-mechanical parts of a dishwasher, all the cabling and the power module, and I will tell you more about it later.
04:06 So after this warning we can have fun with the details, and Severin starts with the Miele research.
04:17 Well, thank you Haju. So I did some research on Miele appliances, and this research started with a very old washing machine from my parents which suddenly
04:36 stopped working after 20 years of operation. Now after doing some regular maintenance on that machine it seemingly started to work again, but the machine would always stop before the final spin cycle, which is very annoying.
04:48 Now I did some online research and I found out that there's a little sensor inside this machine which measures the water level, and if this sensor gives false readings the machine won't start spinning.
05:00 Now a potential fix for this problem is to calibrate the sensor, but unfortunately calibration cannot be done through the integrated service menu of this machine, it requires a special software from Miele which is known as the Miele Diagnostic Utility, or MDU for short.
05:18 Now this is a proprietary tool which requires a license from Miele and can only be used by service technicians.
05:24 Now I found this nice screenshot in a forum post, so let's take a closer look at what this software can do.
05:31 So we can see in this screenshot we are connected to a washing machine with a certain software ID and we have access to a bunch of different properties.
05:39 So for example we can take a look at the sensor values of the machine like the water level, temperature, motor speed and also the set points for these values.
05:48 We have access to the operational state, the relay state of the machine, the program settings, and we are also able to make corrections to the built-in washing programs, in addition to being able to calibrate the internal sensors of this machine.
06:07 Now how does the MDU actually work? Well, we obviously need some kind of diagnostic port on the appliance side, but as we've already heard in the introduction
06:17 the electronics inside these machines are often not galvanically isolated from mains voltage. But Miele has a solution for this which they call the optical interface,
06:28 and in fact it can be found on the front panel of this washing machine, right here next to the inlet fault indicator.
06:36 Now this is actually a bidirectional optical port.
06:40 Now this optical interface
06:47 is not specific to washing machines,
06:51 in fact it's present on almost all Miele appliances since 1996.
06:55 So you have this on dishwashers, on dryers, on stoves, on kitchen hoods, on fridges
07:01 and, as I recently learned, even on wine cabinets, for some reason.
07:05 Now on older appliances it's quite easy to find because it's most often next to a small program correction or PC label.
07:15 On newer appliances, as you can see, it's oftentimes very hard to find.
07:19 Now this interface is not only used for customer service but also during device development at Miele
07:25 and during end-of-line testing in manufacturing.
07:28 Now to communicate with this interface you need some special hardware for service technicians,
07:34 and this hardware consists of this interface box which connects to your PC using USB
07:39 and a head unit which is attached to the front panel of your machine with a little suction cup mechanism,
07:46 and right next to that suction cup you can see an optical transceiver.
07:49 Now little is known about this optical interface if you do some online research,
07:55 so I decided, well, let's see if we can hack this optical interface.
08:00 Now because working on real appliances is pretty dangerous
08:03 I decided to go on eBay and buy myself a control board from an early 2000s Miele washing machine.
08:09 Now the cool thing about this specific board is that the power electronics are actually separate,
08:14 which means it's pretty safe to work with,
08:16 and we also have some technical documentation available for these older boards,
08:20 so the connector pinouts for example can be found online.
08:25 Now the main components of this board are a Miele-branded microcontroller
08:29 which actually turns out to be made by Mitsubishi,
08:32 and it has an instruction set very similar to the famous 6502
08:37 or its successor, the 65C02.
08:39 Now normally I would just go ahead, dump the flash memory and start reverse engineering from here,
08:45 but unfortunately it turns out this chip is from the 1980s
08:49 and it contains a mask ROM instead of flash,
08:52 which means to get access to this mask ROM we would have to physically take this chip apart,
08:57 which I didn't want to do,
08:58 so we have to continue without access to the firmware.
09:01 Now the optical interface,
09:04 you can see that one in the bottom right corner
09:07 right next to one of the regular indicator LEDs.
09:10 You can see it looks a bit different because it contains not only a red LED
09:15 but also an infrared receiver in the same package.
09:19 Now this optical interface then communicates with the microcontroller using UART,
09:25 but unfortunately nothing is sent on this interface on its own,
09:30 so we cannot really figure out the baud rate,
09:33 we don't know what kind of protocol it uses,
09:35 and nobody, as far as I know, has ever attempted to reverse engineer it yet.
09:39 So I started doing some research again
09:42 and I found a project that was initially completely unrelated to this.
09:47 It's about Miele@home,
09:49 which is the official solution for remote appliance control for Miele,
09:53 and it works by using this communication module
09:57 that you can attach to your appliance,
09:59 and it communicates with UART.
10:01 Now this Miele@home thing was reverse engineered by a guy called Michael Schorze
10:07 and he posted about his findings online,
10:10 and it turns out the protocol used by Miele@home
10:14 generally looks like this:
10:16 so you have very simple five-byte frames
10:19 with a command byte, two parameters, a length and a checksum,
10:23 and the UART is configured for 2400 baud with no parity.
10:28 So I thought, well, this sounds like something that might have been developed in the 1990s,
10:33 and it might even be the diagnostic protocol we are looking at.
10:36 So I decided to just send this frame that we saw here to our DPW board
10:42 and unfortunately got no response.
10:44 Now I played around with the UART settings a bit
10:48 and found out that it actually requires even parity,
10:51 and then we actually get a response from the board
10:54 which includes the software ID.
10:56 So now we know how the frames are generally structured,
11:00 we can just try out every single command that is available to us
11:04 and see if we get a response from the board.
11:07 Now we already saw the command hex 11,
11:10 which queries the software ID,
11:12 and the interesting thing is this command 20
11:15 can only be sent after we queried the software ID,
11:19 so it might be used to unlock further diagnostic commands,
11:23 just like in automotive diagnostic protocols,
11:27 for example you have like a security key that you have to enter
11:31 before you get access to all the different kinds of diagnostic commands.
11:36 So command 20 is for unlocking the interface,
11:39 command 10 is to lock the interface,
11:43 but apparently we need to find some kind of specific set of parameters
11:48 to actually be able to unlock the interface.
11:51 But since we don't have access to the firmware,
11:54 let's see if we can find some kind of side channel on this microcontroller.
11:58 Now it turns out this microcontroller has some extra pins
12:02 for the so-called microprocessor mode with external memory,
12:06 and these pins are unused in our case,
12:09 but they're still active,
12:11 and one of these pins is especially interesting,
12:13 that's the sync pin,
12:15 which is always high when the microcontroller fetches an instruction from its internal ROM,
12:20 and figuring out the exact instructions that the microprocessor is running
12:24 would be pretty hard,
12:26 but we might be able to use this for a timing attack.
12:30 So let's see what the sync trace looks like
12:33 if we send a valid diagnostic command
12:35 and if we send an unknown diagnostic command,
12:38 and as we can see the length of this response is completely different.
12:44 Now the unlock command on the firmware side
12:48 is probably implemented something like this.
12:51 So we are dealing with an 8-bit microcontroller,
12:54 which means these two parameters are checked sequentially,
12:58 and if the first value is guessed correctly
13:01 the execution time of this subroutine will change,
13:05 and we are able to measure the execution time difference
13:08 by taking a look at the sync pin.
13:10 Now another advantage of this timing attack
13:13 is that we only need at most 512 iterations
13:17 to find the secret key.
13:19 So this is exactly what I did.
13:22 I wrote a quick Python script
13:24 which just tries out every single value for the first parameter,
13:27 and as we can see the response we get on the sync trace
13:31 is in almost all cases identical,
13:34 but there's one case where it is slightly longer,
13:37 and this is exactly the kind of parameter value that we are looking for.
13:42 Now we can repeat the same procedure for the second parameter,
13:45 and once we do this we have the correct parameter values
13:49 to unlock the diagnostic interface.
13:52 Now I decided to call this specific set of parameters
13:56 the diagnostic key.
13:58 If we unlock the interface
14:00 we suddenly have access to two more commands,
14:03 one of these is used to read from EEPROM
14:05 and the other one is used to read from memory,
14:07 and both of these accept a 16-bit address.
14:11 Now it turns out this read memory command
14:14 is not only limited to reading from RAM,
14:17 but we also have access to the mask ROM,
14:20 which means we are able to dump the full firmware from the device,
14:23 which is exactly what I did.
14:25 I just hooked up a USB UART adapter,
14:28 as you can see the interface is flashing,
14:30 and in around 30 minutes we are able to dump the full firmware from the device.
14:34 Now that we have the firmware we can take a look at the full command set of the diagnostic protocol,
14:49 because it turns out there is not only one security level
14:52 but actually two levels,
14:54 and we can unlock the second level using another unlock command with a different key.
14:59 Now this gives us access to another set of commands
15:02 that can for example be used to write to memory or EEPROM,
15:06 we can jump to arbitrary subroutines,
15:08 we can put the device into an infinite loop using the hold command
15:12 and we can increase the baud rate,
15:14 so this interface basically gives us full debug capabilities.
15:20 Now that we tried this on a control board
15:24 let's see if this also works on a real appliance.
15:27 Now to do this we need some kind of optical communication adapter,
15:31 which is relatively easy to build:
15:33 we need an ESP32,
15:35 a special optical transceiver from OSRAM
15:37 and two resistors wired up like this,
15:40 and then you end up with something like this,
15:43 which costs less than 10 euros to make.
15:45 Now we can stick this adapter to a washing machine,
15:49 this is the one that we saw in the beginning,
15:52 and the first step is now to find out the diagnostic keys for this device,
15:56 because it turns out these keys are not identical,
15:59 they are in fact model specific,
16:02 but since we know how the protocol works
16:04 we can use a simple brute force search
16:06 and we get two keys in like 30 minutes.
16:10 Now let's see if we can also dump the firmware,
16:13 but well, unfortunately the reading process always stops at a certain address
16:18 which turns out to be exactly where the firmware section starts,
16:22 so the firmware basically has a ROM readout protection built in.
16:27 Now it's pretty easy to bypass this ROM readout protection,
16:31 because we essentially have read, write and execute access to memory
16:36 with the diagnostic protocol,
16:39 which means we can just write our own dump subroutine,
16:42 and it works like this:
16:43 so we hold the firmware execution,
16:46 we write the subroutine into an unused part of the RAM
16:49 and then we just jump to the subroutine,
16:52 and what the subroutine does,
16:54 it just goes through memory
16:55 and just writes out the memory contents to UART,
16:58 and UART is connected to the optical interface,
17:01 and we get a full firmware dump.
17:03 Now let's take a look at how this ROM readout protection is actually implemented.
17:15 It's pretty simple,
17:17 it just checks the read address if you send a read command,
17:20 but as we can see,
17:22 before doing that there's a flag that can be set,
17:25 the protection disabled flag,
17:27 and if we set the first bit of that
17:29 this readout protection is completely disabled,
17:32 so we can just dump the memory the usual way.
17:35 Now let's take a look at a different example,
17:40 this time a Miele dishwasher.
17:43 Let's see if we can find the diagnostic keys.
17:46 There they are.
17:47 Now I decided to put these diagnostic keys in decimal form on this slide.
17:53 Now does any one of you know what these two values might be in hexadecimal format?
17:58 Like, any guess?
18:01 So the first value turns out to be hex 1234
18:08 and the second value is 5678.
18:20 So yeah, really creative.
18:22 Okay, next step, dumping memory.
18:25 Same as before, ROM protection
18:27 can be disabled again by setting this flag to the value 2.
18:33 Now I decided to turn this research into an open source diagnostic tool for Miele appliances
18:40 which I call FreeMDU.
18:42 Now FreeMDU is basically a collection of different tools,
18:46 so we have a protocol library,
18:48 a terminal UI application
18:50 and some experimental smart home integration for Miele appliances.
18:54 Now this FreeMDU library is basically just a simple implementation of the diagnostic protocol
18:59 with simple appliance wrappers for the different washing machine models.
19:05 Now if we want to read these diagnostic properties
19:09 like the program phase, water level, temperature and so on,
19:12 we basically need a memory map to know where these properties are stored in memory,
19:17 because these memory locations are different for different models of Miele devices,
19:24 and using this library we can build ourselves a very simple terminal UI application.
19:30 It's cross-platform
19:32 and it essentially provides almost the exact same functionality as the official MDU software,
19:38 so we can take a look at the sensor state, the failure information, operating state,
19:44 and we are also able to trigger actions on these devices,
19:47 so for example we can start washing programs,
19:50 we can set program options,
19:52 but please be careful here,
19:54 because for example if you set program options
19:57 the machine does not perform any validation on these options,
20:00 so you could for example choose the drain program
20:04 and enable the water plus option,
20:06 which makes no sense at all, but it's possible,
20:09 but please don't try this.
20:11 I also wrote an experimental smart home integration with an ESP32,
20:27 which is also pretty simple to use,
20:29 it requires no configuration at all
20:32 because it supports Home Assistant's auto-discovery protocol,
20:36 and you can simply integrate your washing machine
20:39 or your dishwasher into Home Assistant.
20:41 You have access to all the operational state of the machine
20:45 and you can also trigger actions like starting the washing program on these machines.
20:51 So now we only have a few final questions left.
20:54 Like, we haven't talked about how program corrections work yet.
20:58 I would appreciate some help on that,
21:00 I'm still working on that,
21:01 but if any one of you is interested in that
21:03 please contact me.
21:05 Now what about more recent appliances?
21:07 Well, unfortunately it turns out they use a new diagnostic protocol,
21:11 but they still have the optical interface,
21:13 and this new protocol uses a challenge-response authentication
21:19 with XOR and a static key that is identical for every Miele appliance out there,
21:25 which seems kind of pointless to me, but I digress.
21:29 Now, final question:
21:31 did I actually manage to calibrate the water level sensor
21:35 on my parents' washing machine?
21:37 Well, the answer is no,
21:39 but the washing machine is working again for some reason.
21:41 Thank you.
21:53 So Harjo is going to tell you a bit more about BSH devices now.
21:57 Thanks Severin for your great insights.
22:01 As you said, I've been focusing on BSH devices.
22:08 BSH is one of the biggest producers of household appliances worldwide,
22:13 but many people might not immediately recognize the name
22:17 because BSH is better known through its brand names:
22:21 Bosch, Siemens, Gaggenau, Neff and many others.
22:25 When I first started digging into these devices
22:29 I came across a patent describing how the individual modules inside an appliance
22:35 communicate over a bus system called D-BUS or D-BUS2,
22:41 but because it's a proprietary bus there's no public documentation available anywhere.
22:49 So once you know that there's a D-BUS or D-BUS2 somewhere inside the machine
22:56 the question is where is it exactly.
22:59 Here you see the power module extracted from a dishwasher,
23:03 and at first you are basically lost: lots of colourful wires,
23:07 different connector types and absolutely no labels or anything else that could help you.
23:15 It turns out that the connectors in household appliances are usually so-called RAST connectors.
23:23 This type of connector is used by pretty much every appliance manufacturer, at least in Europe,
23:29 and D-BUS connectors are often three- or four-pin RAST connectors,
23:35 but beware, not every three- or four-pin RAST connector is a D-BUS connector,
23:41 it's more like a higher chance.
23:45 A very helpful tip is to look at the slots on the main board,
23:49 they usually have coding lugs,
23:51 and if you see two or three slots with the same coding side by side
23:56 that's a strong hint that it could be a D-BUS,
23:59 because with the bus it generally doesn't matter which slot you plug into.
24:07 But there's no strict rule, you always have to double check.
24:11 And the D-BUS connector has at least three wires,
24:15 that's ground, data and bus voltage,
24:17 but the order is important: on the power boards
24:20 the sequence is ground, data and bus voltage,
24:23 but on all the connectors of connected sensors or control components
24:27 it's reversed, that's bus voltage, data and ground.
24:30 And the bus voltage is 9 volts in washing machines
24:34 and 13.5 volts in dishwashers and dryers,
24:37 and the data pin carries a 5 volt signal,
24:40 and when you know all this you can verify quite reliably
24:45 whether you are dealing with the D-BUS or some other random cabling.
24:52 So now let's take a look at what the D-BUS is actually used for inside household appliances,
25:02 for example in a washing machine.
25:04 At least the control board is connected to the D-BUS
25:07 as well as the user interface,
25:09 that's probably how BSH started introducing the D-BUS
25:13 in the early 2000s,
25:16 but over the years they added more components:
25:18 first the unbalance sensor,
25:20 then in newer machines the motor controller,
25:22 and in the latest generation even the WiFi connection module.
25:27 And for dishwashers it looks quite similar,
25:30 again the control board and the user interface on the D-BUS,
25:34 but also the timeline module,
25:36 that's a little projector that shines the remaining time onto the floor,
25:41 and of course the WiFi connection module as well.
25:46 It is quite important to mention that many components are not on the D-BUS,
25:51 things like the door sensor or the heating elements, the pumps and the valves
25:55 are still wired in a more traditional way directly to the power board.
26:02 To make the flow of D-BUS messages a little bit easier to understand
26:07 let's walk through a simple example.
26:10 Imagine a washing machine where we only look at two components,
26:13 the user interface panel and the power module,
26:16 and when you press the temperature button on the user interface
26:20 the panel sends a frame to the power module.
26:23 This frame contains a command, here it is 1004,
26:27 which translates to something like set temperature,
26:30 and it has an argument of 4 which corresponds to 60 degrees in this case.
26:37 Then the power module processes this frame,
26:40 recalculates things like the new total program time
26:43 and sends back updated information to the control panel.
26:47 The response is a packet with command 1600
26:51 and the argument is hex 60 which represents 1 hour and 36 minutes.
27:01 Of course you can also manually send these things, like you can see here,
27:08 on the bus and the display will just display it.
27:12 The second example this time involves the power module and the unbalance sensor.
27:22 The unbalance sensor is really important for a washing machine.
27:26 If your clothes aren't evenly distributed in the drum
27:30 and it spins at 1000 RPM the whole machine could start hopping around the room.
27:37 You surely do not want that to happen.
27:40 So when the power module starts spinning the drum
27:43 it first sends a frame to the unbalance sensor,
27:46 which this time has command 4002,
27:49 which is something like start measurement,
27:51 and one of the arguments is 19 hex,
27:54 which is like 25 seconds measurement duration,
27:58 and then the unbalance sensor receives this frame
28:01 and immediately starts to measure the drum's behavior.
28:04 It sends back the results with command 4010,
28:08 which contains three signed integers representing the directions
28:13 and the magnitude of the unbalance,
28:16 and if the unbalance is too high
28:18 the drum speed is reduced
28:20 and the laundry is redistributed using a clever algorithm.
28:24 So to sum it up, here are some commands we have observed:
28:29 to the washing control unit
28:32 something like set temperature,
28:34 set wash program, set spin speed
28:36 and options like wrinkle free or pre-wash,
28:39 which are encoded as feature bits,
28:42 and then from the control unit to the display
28:45 to set the remaining wash time
28:48 or the door status and program status and other things,
28:52 and then also the commands I showed you before
28:56 between the unbalance sensor and the control unit.
29:00 But how is data actually transmitted on the D-BUS?
29:04 The D-BUS is a multi-master serial bus
29:07 that operates at 9600 baud
29:10 and uses standard UART data framing,
29:13 and each frame follows a simple structure:
29:16 it starts with a length byte,
29:18 then an address byte,
29:20 in the upper nibble
29:22 it encodes the target device address
29:25 and in the lower nibble
29:27 it encodes the subsystem within the target,
29:30 and then a variable number of data bytes follows,
29:35 and in the end we have a two-byte checksum.
29:38 And when you dig a bit deeper into these frames
29:44 you will notice that the first two bytes of the message
29:48 have a special meaning,
29:49 I call it the command word,
29:51 and it basically defines what actions the target
29:54 should perform when it receives this frame.
29:57 So to sum it up,
29:59 this frame here
30:01 can be translated to: process command 4002
30:05 on subsystem 7 of node 4 with a payload of 1780-90,
30:10 and when the destination node successfully receives this frame
30:15 from the D-BUS
30:16 it acknowledges this frame
30:19 by sending back a single acknowledgement byte,
30:23 which is calculated with the destination address
30:28 in the upper nibble,
30:29 and in the lower nibble
30:31 it's always the letter A,
30:32 which probably just stands for acknowledgement, I think.
30:35 So once you know all this
30:39 it's tempting to sniff the bus
30:43 and feed the data into your home automation system
30:46 without any cloud involvement,
30:49 but of course you need some hardware for that.
30:52 So I started with this something,
30:55 which is just an ESP chip and a simple DC-DC converter.
30:59 It works, but it's not recommended to use.
31:03 And then I started with a second generation thing
31:08 which added an open-drain level shifter,
31:11 that has the advantage of allowing proper bus writing as well,
31:16 but it's still ugly and experimental.
31:19 So obviously, as you can see, I'm not an electrical engineer,
31:24 so if you have PCB design skills
31:26 please help me to build a better thing here.
31:30 And on the software side
31:34 I built an ESPHome extension
31:37 that's really easy to use.
31:39 You simply define a set of sensors
31:43 that react to specific destination addresses
31:46 and commands on the bus,
31:48 and in this example you can see
31:52 how the x-axis value of the unbalance sensor
31:55 is assigned to a sensor value in Home Assistant.
32:00 So this is what it looks like in the end:
32:03 you get all the standard information,
32:06 but you also get diagnostic details
32:09 you normally wouldn't see on the control panel,
32:12 for example the unbalance sensor readings
32:16 or which internal program module
32:19 is currently handling the washing program,
32:21 and on newer washing machines
32:23 you can even see the exact drum rotation speed in real time.
32:38 So to sum it up,
32:40 if you want to integrate your own appliance
32:42 into your home automation
32:44 there is one key rule:
32:46 each appliance type
32:47 has its own set of D-BUS commands.
32:49 So dishwashers, microwaves, fridges, wine coolers, coffee machines,
32:54 they all seem to use the D-BUS,
32:56 but the commands and the arguments
32:58 and the request-response logic
33:01 vary strongly.
33:03 I think that every department at BSH
33:09 has its own creative way to craft new commands
33:12 for the devices they build,
33:14 but I don't know,
33:16 when you look at the bus it seems so.
33:19 But fortunately some users have contributed their findings
33:24 from appliances they own,
33:26 and feel free to add more to my GitHub repo if you want.
33:32 So,
33:35 we have done the home automation thing,
33:37 but what's next?
33:39 So one user noticed
33:42 that the power board of a dishwasher
33:44 has a six-pin header in the lower left corner
33:47 that's worth investigating,
33:49 and it turns out to be an ST-Link connector
33:52 which you can hook up using a cheap ST-Link dongle,
33:57 and even better, the MCU isn't RDP protected,
34:03 so with OpenOCD you can just dump the firmware,
34:07 you can step through the code,
34:08 it's more like working with a dev board,
34:10 it's pretty good from a reverse engineering side.
34:14 And if you have the firmware at hand
34:18 you will notice some tables
34:22 that match exactly the D-BUS commands you observed on the D-BUS,
34:28 and the bytes that follow
34:31 look very much like internal firmware addresses,
34:35 and
34:37 it turns out that these lists are part of a way bigger structure,
34:42 and this structure is describing the subsystems
34:46 and all the incoming and outgoing commands.
34:49 I'll just link to them,
34:52 and if you write a simple script
34:55 you can build a full list of all subsystems
35:00 for an appliance
35:01 including every incoming and outgoing command
35:04 and the argument length
35:06 and the handler functions they map to,
35:08 and so if you're using a disassembler
35:11 you can then just quickly jump to the exact location
35:15 you want to analyze,
35:16 and that's of course
35:19 from a reverse engineering perspective
35:22 very nice as well.
35:24 And when you go to the list of subsystems
35:30 you will notice the subsystem zero,
35:33 which behaves slightly differently from the others,
35:37 as its commands are usually never seen on the D-BUS,
35:42 so you definitely have to look at
35:46 this subsystem zero.
35:51 You notice that two commands,
35:54 F000 and F001,
35:57 use the same handler function,
35:59 and F200 and F201 as well,
36:04 so it's probably best to reverse engineer them first,
36:09 and if you look at the decompiled function
36:14 you will see that the first function accepts a 16-bit address
36:21 at argument bytes 2 and 3,
36:23 while the second command accepts a 32-bit address
36:28 at bytes 2 to 5,
36:30 and the rest of the function is essentially the same for both commands,
36:35 and if you decompile the rest of the function
36:41 it reveals something quite useful:
36:44 these commands allow you to read and write all memory locations on the module
36:49 directly over the D-BUS,
36:51 regardless of whether the MCU is RDP protected or something else,
36:55 and writing directly to the MCU memory is also nice,
37:02 and you can do things like this as well.
37:08 And the nice thing is
37:11 subsystem zero is available on all the components
37:16 in all devices I've seen so far,
37:19 so it's quite easy to connect to the D-BUS
37:26 and dump all the firmware from all components
37:29 you can find in all the machines.
37:32 So let's try this,
37:36 try to dump the firmware of the timeline module.
37:40 As I said in the beginning,
37:42 that's a little projector in dishwashers
37:44 that shines the remaining program time onto the floor,
37:50 and that's probably a perfect candidate for firmware dumping,
37:55 and the first step is always to explore the firmware
38:01 with a simple visual inspection.
38:05 I use a fantastic tool for this
38:07 which is called BingslView,
38:09 and if you load the binary with a pixel width of 8
38:16 you will immediately spot the font used to project the remaining time
38:20it's on the right side there
38:22if you increase the width a little bit more
38:25you see a Siemens logo
38:27a little bit more a Gaggenau logo
38:30and then you think on the left side
38:33there might be some graphic but the width is not right again
38:37now you have to increase it a little bit more
38:41that could be a graphic
38:43ah, ok
38:45I think they have fun working at
39:03must be fun working at BSH
39:05so the challenge for you is
39:10find the dbus command to project these graphics onto the floor
39:14I didn't manage so far
39:16if you know how to do it
39:19please contact me
39:20so we have the home automation
39:25we have the firmware dump
39:26what's next
39:28of course BSH also offers a cloud service for its product
39:33it's called Home Connect
39:36and this service is implemented
39:38via a communication module
39:42inside the machine
39:43it's a small black box
39:45that connects to the two worlds
39:47it connects on the dbus on the other
39:50on one side
39:51and to the wifi network on the other side
39:53and just to say to you
39:58for the BSH cloud
39:59there's an official developer API
40:01which is really great
40:02I suggest you have a look at it
40:05but since we are at the CCC
40:08we want to know if there's some kind of unofficial API
40:12for the comm module as well
40:15so this communication module
40:19it uses the dbus address of B
40:25and it communicates with the power module at address A
40:29and maybe you noticed the control module usually has address 1
40:37but especially for the comm module they added a second dbus address A
40:45just for the communication with the comm module
40:48and then the control module maintains a parameter list
40:56that stores all the possible settings and status values
41:00and that means that the comm module of course does not need to sniff the bus
41:06it just asks the control module at address A
41:09to send the parameter table
41:12and then it knows the overall status of the appliance
41:18there's also a set of commands for that
41:20it allows the control module to export the table structure
41:24and it values to the comm module
41:26and in addition there are many other commands
41:29that lets the comm module read or modify individual values via the cloud
41:35after observing all this I ended up writing a dbus stack
41:44I call it open dbus that handles the entire handshake with the comm module
41:49and this way the module happily thinks that it's talking to a dishwasher rather to an ESP32
41:57and it connects itself to the cloud
41:59and here you see the full handshake
42:04and in the end you see the comm module is correctly initialized
42:09and I will probably publish the stack tomorrow
42:12so
42:23so now we have the home automation the firmware dumps the comm module
42:26the open dbus stack
42:27but in the end we have the question
42:29when Savarin and I met
42:31why are we doing all these things
42:36and then the idea came up
42:40Miele is a great company with great products
42:44and BSH is a great company with great products
42:48but they are competitors
42:51but wouldn't it be great
42:53but wouldn't it be great
42:54if these two wonderful companies
42:56joined forces
42:58and formed an even stronger
43:00laugh filled corporation
43:06so we decided to kick off this wonderful corporation
43:09we took a Miele washing machine
43:12we added Savarin 3MDU protocol library
43:15then we built an AMBCL
43:22that's an advanced
43:33that's an advanced Miele BSH compatibility layer
43:37and we call it advanced
43:39because it was completely generated by AI
43:42and not biased too
43:45and on the top of that
43:46we added the open dbus stack
43:48plus the comm one module
43:50and then the BSH home connect app
44:02so we have two words connected
44:07so if you open the BSH app
44:10you see correctly
44:16the Miele device there
44:18unfortunately
44:20if I send Miele as a vendor string
44:24to the comm module
44:25the app crashes
44:27I think
44:28no it does not crash
44:31it just does not work
44:32I think
44:34BSH does not know
44:37of this new corporation yet
44:39because
44:41we just invented it yesterday
44:43when
44:44on our train ride to Hamburg
44:46but
44:49it's possible to start
44:51the machine
44:52the Miele machine
44:53via this app
44:54and
44:55it chose the correct
44:57serial number
44:58from Savarin Sport
44:59Miele
45:01BSH
45:03now Miele does not have
45:05the concept of an FD number
45:07so we had to fill in some
45:09default value there
45:10I hope you recognize it
45:12and
45:13yeah we cannot change
45:15the model number
45:17because then the app also stops working
45:20because it cannot load the manuals
45:22and other description
45:23so
45:25I hope Miele and BSH will connect together
45:28and
45:29then they will create an update for the app
45:32so
45:33thank you so much
45:34all right
45:49all right
45:51thank you for this amazing talk
45:53we now have a few minutes for questions
45:55and they're already
45:56here we go
45:57so
45:58microphone number two
45:59let's take it
46:00so
46:01I've reverse-engineered the CMN's
46:03home connect app
46:05to be able to produce a
46:06local only
46:07an offline
46:08home connect module
46:10and
46:11in doing so
46:12the one part
46:13I wasn't able to figure out
46:14was how the pre-shared key
46:16is generated
46:17that
46:18my
46:19Python library requires
46:20that you
46:21use Frida to extract it
46:22from the app
46:23I'm wondering if you
46:25in
46:26reverse-engineering
46:27the
46:28the connect module
46:29if you
46:30found where those keys
46:31are generated
46:32and how they are
46:33how they're maintained
46:35sorry I
46:38did not get it from
46:40acoustic
46:41perfect
46:42maybe you can
46:43yes sorry
46:44can you repeat the question
46:45very briefly
46:46did you find
46:48where the keys
46:49the pre-shared keys
46:51are used
46:53for communication
46:54between the
46:55the home connect app
46:56the home connect app
46:57and the
46:58the
46:59the
47:00Wi-Fi module
47:01maybe we have to talk about this later
47:06the only thing I can
47:07tell you
47:08the
47:09comm module has
47:10every comm module has
47:11an own set of
47:13own keys
47:14which could
47:15use it uses to connect to the cloud
47:17which is from a security perspective
47:20a really good decision I think
47:22maybe we can talk about this later
47:26because
47:27I
47:28I didn't understand you from
47:29just from acoustic
47:31sorry
47:32we'll talk later about it
47:33I've
47:34reverse-engineered
47:35the
47:36the
47:37home connect app side of it
47:38ah
47:39so we should
47:40we should talk about how to
47:41connect that
47:42yeah
47:43very yeah
47:44okay we're gonna continue with a question from the internet
47:45it
47:46the internet wants to know
47:52with all the knowledge you got about the software
47:55can you use this to modify the programs to define your own washing programs to
48:01adapt the wine cooler's temperature depending on the weather station outside
48:06yeah so that should be possible theoretically but like so for me I only looked at older
48:16Miele washing machines and and dishwashers so these have like very limited possibilities in terms of
48:24of making changes to to the washing programs so but I think that would be possible yeah
48:30all right microphone number four please second hi thanks for the talk so did you report to BSH customer support about their app not working with your Miele
48:44actually we got contacted by BSH and meet both by Miele and BSH when they read about this talk and we had to
48:58we had a really good talk with them they were quite open no pressure or anything they just wanted to know if everything is safe and I'm pretty sure that they are watching this talk and maybe they can do an update for the app yes
49:17another question from the internet yes another person on the internet was worried about planned obsolescence on those devices and whether you can use your knowledge on the hardware as well as the software to fix those kind of issues before they occur
49:44so I'm not sure like about what specific planned obsolescence things you're asking about but
49:55I guess on the Miele side I haven't discovered anything that that points it to that direction based on the look I had at the firmware so
50:04yeah
50:11right microphone number one yes with the MDU protocol can you start cycles on washing machines they are not supposed to support like if you have a cheap washer it may not support some cycles but can you start them manually using the diagnostic interface
50:27I guess that might be possible because the firmware images are not different they like different devices use the same kind of firmware but they have certain features toggled off or on the base based on the device model so
50:50yeah I guess it should be possible to mod your washing machine to execute some kind of washing program that is not officially supported
51:00yeah
51:05all right we have about five more minutes to go but given that there oh there's one on mic four now
51:12thank you for the talk how long did the whole research take take you how much time did you spend on the research
51:21so maybe you want to answer first
51:24I think I started roughly one year ago
51:28but I just do it for fun in my spare time it's for just for recreation
51:35and I think I started like flight of five to six weeks in a row and then maybe five or six months doing nothing because the weather was good and then
51:51yeah
51:53yeah so for me I started working on this in May I think this year but I spent like a lot of time working on this
52:02so yeah
52:05all right microphone number three
52:07maybe I can answer the questions the gentleman over there had about how the app gets a key
52:15as far as I know
52:17it at one time connects via TLS
52:21then exchanges the key and the initiation value
52:26and then it uses this for proprietary crypto directly connect to the device
52:31so
52:33all right
52:36I haven't seen any proprietary crypto on the com module
52:41it's all standard and I think good stuff
52:45it's only used between
52:46it's only used between the app and the module in local mode
52:51all right
52:52all right
52:53I did not do research on that
52:54yeah
52:55I'm sorry I would like to continue with microphone number three
52:58please
52:59yes
53:00were the temperatures pre-configured
53:03as in you'd have like 40, 60, 90
53:06and if so were you able to change those values
53:10so that you could run it at you know 120 degrees or something similar
53:14so for Miele devices there's like a table hard coded in firmware where those temperatures are stored for the specific washing programs
53:28so I guess it should be possible to change the set point value for the temperature control
53:35so that it heats up to I don't know 120 degrees
53:39I think that should be possible yeah
53:41I think for BSH at least with the standard debus commands it's not possible
53:47but since you can write directly into memory you can perhaps do anything just turn on the heater or the motor wire GPIO
53:56I did not try it
53:59all right microphone number six
54:04hey
54:05is it possible to upload a custom melody for the program finish song
54:11I don't know I haven't seen I haven't done research on this
54:27yeah
54:28thank you
54:29I actually wanted to upload a custom picture to the timeline projector to have some funny pictures for the kids on the floor
54:37but yeah that's work to do
54:41so maybe next congress we can talk about funny pictures and sounds and stuff like that
54:48yeah
54:49would be definitely an update
54:51all right and then there is an
54:54there's another quick question from the internet
54:59yes the internet got a final question which is how many washing machines were harmed or saved in the process of this research
55:10yeah you have to be a bit careful with that if you are visiting friends and you tell them can I open your washing machine or dishwasher
55:20that's usually not amused by this question
55:25so I only worked with the machines we have at home and also the things we found on the curb from broken devices
55:35but would be interesting to have access to more of the modules and more of the machines
55:41because that's always a problem to get to the hardware for research
55:46it's it's big and heavy and
55:49yeah
55:52all right we have one minute
55:54number two
55:56did you find any evidence of plant obsolescence in the firmware
56:02devices
56:04no
56:05no
56:06no
56:07no
56:08okay
56:09from what I've seen
56:10I can only say for BSH it's
56:13good engineering on the hardware and on the software side
56:18I would buy them again
56:21yeah
56:23all right and I think with that that's it
56:29no more questions from here or the internet
56:31let's thank our great speakers again
56:34Gavin