In an astonishing display of technical prowess and investigative hacking, a team comprising Redford, q3k, and MrTick embarked on a journey to unravel the mysteries behind the DRM in Polish trains. This saga began in 2016 when Kon, a local Polish train operator, purchased 11 Impuls trains. As these trains accumulated mileage, reaching the 1 million kilometer mark necessitated significant maintenance. This is where the story takes an intriguing turn, leading to the discovery of a DRM system that prevented trains from starting after servicing, which attracted widespread attention and media coverage in Poland. The team's journey involved reverse engineering, technical analysis, and a race against time to unlock the trains and bring this issue to light. Here is how they did it, step by step, unraveling the mystery behind the locked trains and exposing a potentially unethical DRM practice by the manufacturer.
The Mystery Unfolds
The saga began when SPS, an independent train workshop in Poland, won a tender to service these trains. However, post-maintenance, the trains refused to start. The issue was not isolated to SPS alone; another workshop servicing trains for a different operator faced the same predicament. This pattern raised suspicions about the manufacturer's involvement. As the problem gained media attention, the manufacturer asserted interference with the security system without elaborating, leaving more questions than answers.
The Hackers Step In
In a desperate bid for answers, SPS turned to the internet, searching for 'Polish hackers,' which led them to Redford and his team. With access to the trains and their service and maintenance documentation, the team dove into the technical depths of the trains' systems. Their exploration revealed a complex network involving PLCs (Programmable Logic Controllers), power converters, compressors, inverters, and an intricate CAN (Controller Area Network) system facilitating communication between these components.
Cracking the DRM
The team discovered that the inverter, a crucial component for the train's movement, received different messages from the PLC in locked trains than in operational ones. Instead of a command to run, the inverter was being told not to run, with the requested power set to zero. This anomaly pointed them towards the PLC, the brain behind the operation and the probable culprit.
Delving into PLCs
PLCs are essentially industrial computers that control the train's functions, programmed not in conventional programming languages but in the languages defined by a specialized standard, IEC 61131-3. Through meticulous analysis, the team discovered that the PLC was indeed at the heart of the DRM system. By reverse engineering the software running on the PLC and comparing the software of locked and operational trains, they identified specific bits in the PLC's nonvolatile memory that, when flipped, would unlock the trains.
Unraveling the Lock Mechanisms
The team identified several mechanisms that could lock the trains, including tampering with the secondary compressor operation, an idle timer that locked trains if they didn't move for a certain period, and geofencing that locked trains if they remained within specific geographic locations. They also noted that each train had a unique set of these lock mechanisms, making the unlocking process more complex.
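The comparison described above, in which memory images of locked and operational trains are compared to find the bits that encode lock state, is a standard differential-analysis step. The following is an added illustration, not code from the team or the talk: it diffs two constructed non-volatile memory dumps bit by bit, and then keeps only the bits that change in the same direction across several train pairs, since a bit that differs in only one train is more likely per-unit configuration than a shared lock flag. The dumps, offsets and bit positions are made-up sample data.

```python
from typing import List, Tuple

# Constructed sample dumps (16 bytes each). Offsets and values are invented
# for illustration and do not correspond to any real controller layout.
OPERATIONAL_1 = bytes.fromhex("00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff")
LOCKED_1      = bytes.fromhex("00 11 22 33 44 5d 66 77 88 99 aa bb c8 dd ee ff")
OPERATIONAL_2 = bytes.fromhex("10 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff")
LOCKED_2      = bytes.fromhex("10 11 22 33 44 5d 66 77 88 99 aa bb cc dd ee 7f")

Diff = Tuple[int, int, int, int]  # (byte_offset, bit_index, reference_bit, sample_bit)


def diff_bits(reference: bytes, sample: bytes) -> List[Diff]:
    """Return every bit that differs between two dumps of equal length.

    bit_index 0 is the least-significant bit of the byte. Dumps of different
    length are not comparable images, so that case is rejected outright.
    """
    if len(reference) != len(sample):
        raise ValueError(f"dump length mismatch: {len(reference)} vs {len(sample)}")
    diffs: List[Diff] = []
    for offset, (r, s) in enumerate(zip(reference, sample)):
        changed = r ^ s                       # bits that differ in this byte
        while changed:
            bit = (changed & -changed).bit_length() - 1   # lowest set bit
            diffs.append((offset, bit, (r >> bit) & 1, (s >> bit) & 1))
            changed &= changed - 1                         # clear that bit
    return diffs


def consistent_diffs(pairs: List[Tuple[bytes, bytes]]) -> List[Diff]:
    """Bits that differ the same way in every (operational, locked) pair."""
    common = None
    for reference, sample in pairs:
        current = set(diff_bits(reference, sample))
        common = current if common is None else common & current
    return sorted(common or set())


if __name__ == "__main__":
    for entry in diff_bits(OPERATIONAL_1, LOCKED_1):
        print("train 1 differs at byte %d bit %d: %d -> %d" % entry)
    shared = consistent_diffs([(OPERATIONAL_1, LOCKED_1), (OPERATIONAL_2, LOCKED_2)])
    print("candidate lock bits shared by both trains:", shared)
```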
The Unlocking
After identifying the bits responsible for the lock, the team successfully unlocked the first train, a major breakthrough. However, they aimed to understand the mechanisms fully before declaring victory. This involved dissecting the code further to comprehend the conditions triggering the locks and the technical rationale behind each lock mechanism.
The Aftermath and Ethical Considerations
The team's findings raised serious questions about the ethical implications of such DRM practices in critical infrastructure like public transportation. They highlighted the potential safety risks and the undue power it grants manufacturers over public transport operators. Following their investigation, the team prepared to release a comprehensive technical report and engaged with legal and regulatory bodies to address the issue.
This remarkable journey through the intricacies of train systems and DRM not only showcased the hackers' technical skills but also underscored the importance of transparency, ethical practices, and the right to repair in the increasingly digital and interconnected world of public infrastructure.
For more details on the technical aspects and the team's full presentation, you can watch their talk here.