Identifying hacked devices from DDD files #64

Open
rimutaka opened this issue Jul 31, 2021 · 0 comments

rimutaka commented Jul 31, 2021

I was approached by someone claiming to be a tachograph calibrator. He was wondering if it is possible to identify hacked devices by looking at the DDD files, probably by spotting some anomalies. I thought this may be of interest to others, so I am re-posting it here with his permission.

Original email thread

Hello, I saw your post on GitHub about a tachograph reader and I would like to ask you about something. First of all, I have little to no experience in the world of coding, software engineering and such. My line of work is tachograph calibration, so I work in a tachograph workshop. Based on your program I guess you have a general idea of what a tachograph is and what it does, and that people tried successfully to "beat the system" and come up with ways to make the tachograph record rest while the driver is actually driving. In the past this was done by manipulating the tachograph speed sensor (KITAS sensor) in all sorts of ways, but this method is now very old and can be easily detected; for example, I am now able to detect about 80%-90% of these.
The latest method of manipulation is directly into the tachograph's software. What they do is somehow modify the software so that when you enter a pin code by pressing a specific sequence of buttons on the tachograph and then pressing simultaneously two buttons at once, the display will blink and the tachograph will record rest even if you are driving. Obviously, to someone who doesn't know anything about software this method is close to impossible to find. I found a few patterns that might indicate that the device is manipulated or not, but it's not 100% sure.
What I would like to ask you is if maybe you know of a way to find this manipulation, or any information at all that might help me get to the end of this. I have been trying to find a way to detect these for more than 1 year now, since I basically found out they exist, but with my little experience in this field I was not able to advance very far. I have a couple of pieces of information that I gathered in my search for this that might help someone with experience in this field find a way to do this... Word of mouth goes that someone who worked in software engineering was able to find a way to do this, even find out what the pin code was, and they say he was able to even delete it from the tachograph altogether, but I can't find a way to find that person.

Any information at all about this subject, will help.

PS: I have one of these tachographs but I don't know the pin code; someone decided to stop using it and gave it to me.
...
From what I've seen there are two stages of this manipulation, at least for VDO tachographs. First of all you need to enter the pin code, and then to activate it you need to press the OK button and left arrow at the same time; the screen will flash and the tacho will stop recording. The guy who installed the hack would always tell the users that after entering the pin code to never press any other key or do anything other than press those two keys when they wanted to stop the tacho. What many drivers would do is enter the pin code and leave it in this state for a long time, do printouts and fiddle with it. When they do this the tachograph will report error 25 on the screen and !15 on the events printout: Data memory error. Because of a DTCO 1381 data memory error, data security is no longer guaranteed. This is a clue that might lead someone to believe there is software or firmware manipulation, but it's not 100% sure.
What I discovered recently is that for VDO tachographs the manufacturer provides some firmware upgrades; for example, a VDO tachograph version 2.0 can be upgraded to version 2.1 or 2.2. What a hacker would do is use this "door" to upload their own firmware with the hack...

Anyways, I only have two questions: do you think it's possible to find this manipulation from the DDD files, or, I'm guessing, you somehow need to read the firmware and compare it to an original one?
...
This is all the data that I managed to download from it. The tachograph is no longer in use; when the error !15 appeared on the printout he came to do inspection and we changed the tacho, because in our country we are not allowed to do tacho inspection with error !15 on the events printout. From what I've seen on the printouts, the "hack" I believe was done somewhere between 22.12.2018 and 11.01.2019 (that is when a high period of current interruption was done, and after that on 11.01.2019 he registered the truck on himself and did tacho calibration, and then the error 15 appeared on 09.08.2019).

I'm really curious if you can find something. Thanks for taking your time and looking at this; if you need any compensation please let me know what I can do for you.

Sample DDD: https://drive.google.com/file/d/1eICK9xpMTULKSyvZ7sud4dbQ3ZMIAk5E/view?usp=sharing

It is not known how widespread the problem is and the best course of action is probably to talk to the manufacturers.

He can be reached on suvalf at gmail
