Quarkslab's blog - OSINThttp://blog.quarkslab.com/2026-04-09T00:00:00+02:00Tearing down a car telematic unit (and finding an accident on Facebook)2026-04-09T00:00:00+02:002026-04-09T00:00:00+02:00Romain Marchandtag:blog.quarkslab.com,2026-04-09:/tearing-down-a-car-telematic-unit-and-finding-an-accident-on-facebook.html<p>From hardware analysis to OSINT: how we retrieved information about a BYD car crash by analyzing the TCU embedded memory.</p><h2 id="introduction">Introduction</h2> <p>Modern cars are highly connected electronic systems. Over the last decade, vehicles have seen a rapid increase in connectivity, with multiple ECUs communicating internally but also with external networks. Telematic units (TCUs) play a key role in this evolution, enabling cellular communication and emergency calls (eCall).</p> <p>This rise in connectivity has been accompanied by changes in vehicle electronic architectures, moving from simple, isolated ECUs to complex, centralized or domain-based architectures. Such changes also introduce new security and privacy requirements. European regulations like UNECE R155 and R156 now push manufacturers to implement secure systems that can be updated remotely Over-The-Air updates (OTA) to address vulnerabilities and ensure safety compliance.</p> <p>In this blog, we explain how we analyzed a TCU from a Chinese manufacturer (BYD), extracted its firmware, explored its stored data, and combined it with publicly available information. This story highlights how modern connected vehicles generate rich datasets and how combining embedded forensics with Open Source Intelligence (OSINT) can reveal unexpected insights.</p> <h2 id="device-acquisition">Device acquisition</h2> <p>Acquiring a TCU can be done in several ways:</p> <ul> <li>Directly from the car manufacturer or Tier 1 suppliers;</li> <li>From a salvage yard, which requires patience, technical skills, and proper tools;</li> <li>From online second-hand marketplaces, which are often the most efficient.</li> </ul> <p>For this investigation, we selected a TCU from a BYD vehicle, a Chinese manufacturer. Some Chinese vehicles have raised security concerns; for instance, Poland has banned certain models from its military bases.</p> <p>The device was obtained second-hand, providing an opportunity to explore its firmware, configuration, and logs, and to understand how these units operate in real-world conditions.</p> <h2 id="teardown">Teardown</h2> <p>We were interested in analyzing a BYD Seal telematic unit, which is composed with the following main components :</p> <ul> <li>S32K144U MCU (for CAN communication)</li> <li>Flairmicro FLC-MCM63XG composed with:<ul> <li>Qualcomm MDM9628 from the Snapdragon X5 LTE Modem series: Modem CPU + Application CPU</li> <li>Micron MCP MT29AZ5A3CHHTB: Nand flash + LPDRAM</li> </ul> </li> </ul> <p><a href="resources/2026-04-09_tearing-down-a-car-telematics-unit-and-finding-an-accident-on-facebook/TCU_main_components.png"> <img class="align-center" src="resources/2026-04-09_tearing-down-a-car-telematics-unit-and-finding-an-accident-on-facebook/TCU_main_components.png" width="80%"/> </a></p> <h5 align="center"><i>TCU Main Components</i></h5> <p><br/></p> <p>In such a device, the system on chip usually stores a Linux-based filesystem which manages core functions. It often relies on a multiple chip package (MCP) memory, combining RAM and ROM in a single package. We decided to perform a chip off of the Micron MCP in order to obtain the full filesystem and to look for any interesting forensic data.</p> <h2 id="dumping-the-flash">Dumping the flash</h2> <p>We removed the MCP memory chip from the board and dumped its content externally. As we did not have any adapter to handle the specific BGA 162package of the MCP memory, we used the <a href="https://www.embeddedcomputers.net/products/FlashcatUSB_Mach1/">Flashcat USB Mach1</a> along with a custom made adapter.</p> <p>Without a dedicated NAND adapter, we used micro-soldering to attach thin wires directly to the chip&rsquo;s pads. In this approach, we only connected to the essential NAND signals, such as CE, ALE, CLE, WE, RE, and I/O lines, which are sufficient to interface with the memory and perform a full dump.</p> <p>Handling the micro-wires is delicate, and soldering them onto the landing pad matrix is particularly challenging due to their small size and fragility. </p> <p><a href="resources/2026-04-09_tearing-down-a-car-telematics-unit-and-finding-an-accident-on-facebook/TCU-MCP_process_dumping.png"> <img class="align-center" src="resources/2026-04-09_tearing-down-a-car-telematics-unit-and-finding-an-accident-on-facebook/TCU-MCP_process_dumping.png" width="80%"/> </a></p> <h5 align="center"><i>MCP Dump processing</i></h5> <p><br/></p> <p>Once the micro-wiring was completed, the chip was connected to the reader. Multiple read attempts were performed to ensure data consistency, which is especially important when working with NAND memory. After verification, we obtained a complete and reliable dump of the flash memory, ready for further analysis.</p> <h2 id="data-analysis">Data analysis</h2> <h3 id="binary-reconstruction">Binary reconstruction</h3> <p>Before looking at partitions or filesystems, we need to handle the raw NAND dump correctly. NAND memory is not just a sequence of bytes, it&rsquo;s organized in pages, each containing data blocks and OOB (Out-Of-Band) metadata. On Qualcomm platforms, the OOB contains:</p> <ul> <li>ECC (BCH) for error detection and correction;</li> <li>Padding (always 0xFF);</li> <li>Additionally, each page ends with extra 0xFF bytes to ensure block alignment and maintain the page size.</li> </ul> <p>A single page layout can be represented as:</p> <div class="text-center font-monospace fs-6"> <span class="text-primary">[Data block]</span> <span class="text-danger">|Padding|</span> <span class="text-primary">[Data block]</span> <span class="text-warning">|ECC]</span> <span> </span> <span class="text-primary">[Data block]</span> <span class="text-danger">|Padding|</span> <span class="text-primary">[Data block]</span> <span class="text-warning">|ECC]</span> ... <span class="text-danger">[Padding 0xFF]</span> </div> <p>The ECC is used to correct errors in each data block, while the padding must be ignored during extraction. Handling both correctly is essential: without ECC correction and padding removal, the extracted binary would be corrupted or unusable.</p> <p>Our reconstruction process consists of:</p> <ul> <li>Identifying the data block layout;</li> <li>Correcting each data block using its ECC;</li> <li>Extracting only the data portions, ignoring the padding.</li> </ul> <p>This produces a linear binary that matches what the system actually reads, ready for partition analysis and filesystem extraction.</p> <p><a href="resources/2026-04-09_tearing-down-a-car-telematics-unit-and-finding-an-accident-on-facebook/TCU-MCP_dump_reconstrution.png"> <img class="align-center" src="resources/2026-04-09_tearing-down-a-car-telematics-unit-and-finding-an-accident-on-facebook/TCU-MCP_dump_reconstrution.png" width="80%"/> </a></p> <h5 align="center"><i>From binary to complete file system</i></h5> <p><br/></p> <p>From there, we could identify the Qualcomm Partition Table:</p> <div class="highlight"><pre><span></span><code>$<span class="w"> </span>python3<span class="w"> </span>parser_qualcomm.py<span class="w"> </span> SMEM<span class="w"> </span>table<span class="w"> </span>find<span class="w"> </span>at<span class="w"> </span>offset<span class="w"> </span>0x00281000<span class="w"> </span><span class="nv">version</span><span class="o">=</span><span class="m">4</span><span class="w"> </span><span class="nv">numparts</span><span class="o">=</span><span class="m">16</span> Name<span class="w"> </span>Offset<span class="o">(</span>blocs<span class="o">)</span><span class="w"> </span>Offset<span class="o">(</span>bytes<span class="o">)</span><span class="w"> </span>Size<span class="o">(</span>blocs<span class="o">)</span><span class="w"> </span>SIze<span class="o">(</span>bytes<span class="o">)</span> ------------------------------------------------------------------------------------------ <span class="m">0</span>:0:SBL<span class="w"> </span><span class="m">0</span><span class="w"> </span>blocs<span class="w"> </span>0x00000000<span class="w"> </span><span class="m">10</span><span class="w"> </span>blocs<span class="w"> </span>0x00280000 <span class="m">0</span>:0:MIBIB<span class="w"> </span><span class="m">10</span><span class="w"> </span>blocs<span class="w"> </span>0x00280000<span class="w"> </span><span class="m">10</span><span class="w"> </span>blocs<span class="w"> </span>0x00280000 <span class="m">0</span>:0:EFSG<span class="w"> </span><span class="m">20</span><span class="w"> </span>blocs<span class="w"> </span>0x00500000<span class="w"> </span><span class="m">48</span><span class="w"> </span>blocs<span class="w"> </span>0x00c00000 <span class="m">0</span>:0:EFS2<span class="w"> </span><span class="m">68</span><span class="w"> </span>blocs<span class="w"> </span>0x01100000<span class="w"> </span><span class="m">48</span><span class="w"> </span>blocs<span class="w"> </span>0x00c00000 <span class="m">0</span>:0:TZ<span class="w"> </span><span class="m">116</span><span class="w"> </span>blocs<span class="w"> </span>0x01d00000<span class="w"> </span><span class="m">4</span><span class="w"> </span>blocs<span class="w"> </span>0x00100000 <span class="m">0</span>:0:RPM<span class="w"> </span><span class="m">120</span><span class="w"> </span>blocs<span class="w"> </span>0x01e00000<span class="w"> </span><span class="m">2</span><span class="w"> </span>blocs<span class="w"> </span>0x00080000 <span class="m">0</span>:0:aboot<span class="w"> </span><span class="m">122</span><span class="w"> </span>blocs<span class="w"> </span>0x01e80000<span class="w"> </span><span class="m">3</span><span class="w"> </span>blocs<span class="w"> </span>0x000c0000 <span class="m">0</span>:0:boot<span class="w"> </span><span class="m">125</span><span class="w"> </span>blocs<span class="w"> </span>0x01f40000<span class="w"> </span><span class="m">32</span><span class="w"> </span>blocs<span class="w"> </span>0x00800000 <span class="m">0</span>:0:boot1<span class="w"> </span><span class="m">157</span><span class="w"> </span>blocs<span class="w"> </span>0x02740000<span class="w"> </span><span class="m">32</span><span class="w"> </span>blocs<span class="w"> </span>0x00800000 <span class="m">0</span>:0:SCRUB<span class="w"> </span><span class="m">189</span><span class="w"> </span>blocs<span class="w"> </span>0x02f40000<span class="w"> </span><span class="m">48</span><span class="w"> </span>blocs<span class="w"> </span>0x00c00000 <span class="m">0</span>:0:modem<span class="w"> </span><span class="m">237</span><span class="w"> </span>blocs<span class="w"> </span>0x03b40000<span class="w"> </span><span class="m">403</span><span class="w"> </span>blocs<span class="w"> </span>0x064c0000 <span class="m">0</span>:0:misc<span class="w"> </span><span class="m">640</span><span class="w"> </span>blocs<span class="w"> </span>0x0a000000<span class="w"> </span><span class="m">6</span><span class="w"> </span>blocs<span class="w"> </span>0x00180000 <span class="m">0</span>:0:fota<span class="w"> </span><span class="m">646</span><span class="w"> </span>blocs<span class="w"> </span>0x0a180000<span class="w"> </span><span class="m">6</span><span class="w"> </span>blocs<span class="w"> </span>0x00180000 <span class="m">0</span>:0:sec<span class="w"> </span><span class="m">652</span><span class="w"> </span>blocs<span class="w"> </span>0x0a300000<span class="w"> </span><span class="m">2</span><span class="w"> </span>blocs<span class="w"> </span>0x00080000 <span class="m">0</span>:0:custapp<span class="w"> </span><span class="m">654</span><span class="w"> </span>blocs<span class="w"> </span>0x0a380000<span class="w"> </span><span class="m">257</span><span class="w"> </span>blocs<span class="w"> </span>0x04040000 <span class="m">0</span>:0:system<span class="w"> </span><span class="m">911</span><span class="w"> </span>blocs<span class="w"> </span>0x0e3c0000<span class="w"> </span><span class="m">1137</span><span class="w"> </span>blocs<span class="w"> </span>0x11c40000 ------------------------------------------------------------------------------------------ TOTAL<span class="w"> </span><span class="m">2048</span><span class="w"> </span>blocs<span class="w"> </span><span class="o">(</span><span class="m">512</span><span class="w"> </span>MB<span class="o">)</span><span class="w"> </span>&checkmark;<span class="w"> </span><span class="o">=</span><span class="w"> </span>TOTAL_BLOCKS </code></pre></div> <p>Using <code>binwalk</code>, we determined that the UBI erase count header at 0x3B40000 marked the beginning of the modem partition. Extracting it was straightforward with <code>dd</code>:</p> <div class="highlight"><pre><span></span><code>$<span class="w"> </span>dd<span class="w"> </span><span class="k">if</span><span class="o">=</span>nand_nand.bin<span class="w"> </span><span class="nv">of</span><span class="o">=</span>nand.ubi<span class="w"> </span><span class="nv">bs</span><span class="o">=</span><span class="m">62128128</span><span class="w"> </span><span class="nv">skip</span><span class="o">=</span><span class="m">1</span> <span class="m">7</span>+1<span class="w">&nbsp;</span>enregistrements<span class="w"> </span>lus <span class="m">7</span>+1<span class="w">&nbsp;</span>enregistrements<span class="w"> </span>&eacute;crits <span class="m">474742784</span><span class="w">&nbsp;</span>octets<span class="w"> </span><span class="o">(</span><span class="m">475</span><span class="w"> </span>MB,<span class="w"> </span><span class="m">453</span><span class="w"> </span>MiB<span class="o">)</span><span class="w"> </span>copi&eacute;s,<span class="w"> </span><span class="m">0</span>,3833<span class="w"> </span>s,<span class="w"> </span><span class="m">1</span>,2<span class="w"> </span>GB/s </code></pre></div> <p>From there, the ubireader tool allowed us to obtain the full filesystem for the <code>modem</code>, <code>custapp</code>, and <code>system</code> partitions:</p> <div class="highlight"><pre><span></span><code>$<span class="w"> </span>ubireader_extract_files<span class="w"> </span>-iw<span class="w"> </span>nand.ubi<span class="w"> </span>-o<span class="w"> </span>extracted_FFS_Nand/ .... $<span class="w"> </span>tree<span class="w"> </span>extracted_FFS_Nand/ .... <span class="m">555</span><span class="w"> </span>directories,<span class="w"> </span><span class="m">5444</span><span class="w"> </span>files </code></pre></div> <p>With the files extracted, we could focus our attention on the root filesystem (rootfs) and user space (usrfs) to look for interesting or hidden artifacts.</p> <p>This stage marked the start of digging deeper into the TCU&rsquo;s internals, where logs, configuration files, and traces of user activity could reveal interesting information.</p> <h3 id="file-system-analysis">File system analysis</h3> <p>We first analyzed the configuration files to better understand the boot process and identify potential security issues.</p> <p>This initial review quickly revealed several obvious sensitive elements, including:</p> <ul> <li>Wi-Fi credentials stored in cleartext</li> </ul> <div class="highlight"><pre><span></span><code>c$<span class="w"> </span>cat<span class="w"> </span>conf_fix/network.conf<span class="w"> </span> ... <span class="nv">APSSID</span><span class="o">=</span>q*******_wifi <span class="nv">APKEY</span><span class="o">=</span><span class="m">8</span>******1 </code></pre></div> <ul> <li>User access available without authentication:</li> </ul> <div class="highlight"><pre><span></span><code>$<span class="w"> </span>cat<span class="w"> </span>passwd<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>guest<span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span>cat<span class="w"> </span>shadow<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>guest guest:x:2000:2000:default<span class="w"> </span>guest:/home/guest:/bin/sh guest:*:19461:0:99999:7::: </code></pre></div> <ul> <li>Root password is stored as a SHA-256 hash. While this makes it hard to recover, its presence on the device shows that privileged credentials are accessible:</li> </ul> <div class="highlight"><pre><span></span><code>$<span class="w"> </span>cat<span class="w"> </span>shadow<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>root root:<span class="nv">$5$D0nfIV</span>.JMhXbvCNa<span class="nv">$n8lsXs</span>***************17RWXvjrVHMDjVTKMdSpDA:19461:0:99999:7::: </code></pre></div> <ul> <li>Configuration steps enabling services such as ADB, TCP, and Telnet</li> </ul> <div class="highlight"><pre><span></span><code>$<span class="w"> </span>cat<span class="w"> </span>conf_fix/ex_interface.conf<span class="w"> </span> <span class="nv">EX_LTE</span><span class="o">=</span><span class="m">1</span> <span class="nv">EX_TBOX</span><span class="o">=</span><span class="m">0</span> <span class="nv">FTPD_IFEN</span><span class="o">=</span><span class="m">0</span> <span class="nv">TELNETD_IFEN</span><span class="o">=</span><span class="m">0</span> <span class="nv">ADB_IFEN</span><span class="o">=</span><span class="m">0</span> </code></pre></div> <p>We then shifted our focus to forensic data, by exploring all available log files. Among them, GNSS logs quickly stood out as particularly valuable.</p> <h3 id="forensic-analysis">Forensic analysis</h3> <p>By parsing the GNSS logs, we reconstructed the full life of the vehicle from its production in a factory in China, through its operational life in the United Kingdom, to its final dismantling in Poland. Every movement and stop along the way is captured in the logs, giving a complete picture of the vehicle's journey.</p> <p>We extracted precise GPS positions over time:</p> <div class="highlight"><pre><span></span><code>$<span class="w"> </span>cat<span class="w"> </span>fmc_gnss_srv.nmea.log<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span><span class="m">2025</span>-05-24_16:26 <span class="m">2025</span>-05-24_16:26:00<span class="w"> </span>Nmea:250524162558,<span class="o">(</span><span class="m">1</span>,2<span class="o">)</span>,<span class="o">(</span><span class="m">5</span>*******,1******,85<span class="o">)</span>,<span class="o">(</span><span class="m">23170</span>,0<span class="o">)</span>,<span class="o">(</span><span class="m">13</span>,10<span class="o">)</span>,<span class="o">(</span><span class="m">8</span>,5,6<span class="o">)[</span><span class="m">0</span><span class="o">]</span> <span class="m">2025</span>-05-24_16:26:00<span class="w"> </span>Sv1/4:<span class="o">{</span><span class="m">1</span>,28,135,30,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">3</span>,52,74,43,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">4</span>,68,154,29,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">6</span>,37,303,31,1<span class="o">}</span> <span class="m">2025</span>-05-24_16:26:00<span class="w"> </span>Sv2/4:<span class="o">{</span><span class="m">9</span>,39,203,33,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">11</span>,5,307,29,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">12</span>,2,327,22,0<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">17</span>,33,227,39,1<span class="o">}</span> <span class="m">2025</span>-05-24_16:26:00<span class="w"> </span>Sv3/4:<span class="o">{</span><span class="m">19</span>,41,261,40,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">28</span>,12,32,41,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">31</span>,23,57,41,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">2</span>,2,137,0,0<span class="o">}</span> <span class="m">2025</span>-05-24_16:26:00<span class="w"> </span>Sv4/4:<span class="o">{</span><span class="m">25</span>,0,358,0,0<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">0</span>,0,0,0,0<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">0</span>,0,0,0,0<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">0</span>,0,0,0,0<span class="o">}</span> <span class="m">2025</span>-05-24_16:26:01<span class="w"> </span>Nmea:250524162559,<span class="o">(</span><span class="m">1</span>,2<span class="o">)</span>,<span class="o">(</span><span class="m">5</span>*******,1******,85<span class="o">)</span>,<span class="o">(</span><span class="m">23170</span>,92<span class="o">)</span>,<span class="o">(</span><span class="m">13</span>,10<span class="o">)</span>,<span class="o">(</span><span class="m">8</span>,5,6<span class="o">)[</span><span class="m">0</span><span class="o">]</span> <span class="m">2025</span>-05-24_16:26:01<span class="w"> </span>Sv1/4:<span class="o">{</span><span class="m">1</span>,28,135,31,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">3</span>,52,74,45,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">4</span>,68,154,33,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">6</span>,37,303,43,1<span class="o">}</span> <span class="m">2025</span>-05-24_16:26:01<span class="w"> </span>Sv2/4:<span class="o">{</span><span class="m">9</span>,39,203,34,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">11</span>,5,307,35,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">12</span>,2,327,30,0<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">17</span>,33,227,39,1<span class="o">}</span> <span class="m">2025</span>-05-24_16:26:01<span class="w"> </span>Sv3/4:<span class="o">{</span><span class="m">19</span>,41,261,38,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">28</span>,12,32,40,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">31</span>,23,57,41,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">2</span>,2,137,0,0<span class="o">}</span> <span class="m">2025</span>-05-24_16:26:01<span class="w"> </span>Sv4/4:<span class="o">{</span><span class="m">25</span>,0,358,0,0<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">0</span>,0,0,0,0<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">0</span>,0,0,0,0<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">0</span>,0,0,0,0<span class="o">}</span> <span class="m">2025</span>-05-24_16:26:02<span class="w"> </span>Nmea:250524162600,<span class="o">(</span><span class="m">1</span>,2<span class="o">)</span>,<span class="o">(</span><span class="m">5</span>*******,1******,84<span class="o">)</span>,<span class="o">(</span><span class="m">23170</span>,0<span class="o">)</span>,<span class="o">(</span><span class="m">13</span>,10<span class="o">)</span>,<span class="o">(</span><span class="m">8</span>,5,6<span class="o">)[</span><span class="m">0</span><span class="o">]</span> <span class="m">2025</span>-05-24_16:26:02<span class="w"> </span>Sv1/4:<span class="o">{</span><span class="m">1</span>,28,135,33,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">3</span>,52,74,44,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">4</span>,68,154,35,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">6</span>,37,303,46,1<span class="o">}</span> <span class="m">2025</span>-05-24_16:26:02<span class="w"> </span>Sv2/4:<span class="o">{</span><span class="m">9</span>,39,203,33,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">11</span>,5,307,40,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">12</span>,2,327,30,0<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">17</span>,33,227,40,1<span class="o">}</span> <span class="m">2025</span>-05-24_16:26:02<span class="w"> </span>Sv3/4:<span class="o">{</span><span class="m">19</span>,41,261,41,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">28</span>,12,32,43,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">31</span>,23,57,41,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">2</span>,2,137,0,0<span class="o">}</span> <span class="m">2025</span>-05-24_16:26:02<span class="w"> </span>Sv4/4:<span class="o">{</span><span class="m">25</span>,0,358,0,0<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">0</span>,0,0,0,0<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">0</span>,0,0,0,0<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">0</span>,0,0,0,0<span class="o">}</span> <span class="m">2025</span>-05-24_16:26:03<span class="w"> </span>Nmea:250524162601,<span class="o">(</span><span class="m">1</span>,2<span class="o">)</span>,<span class="o">(</span><span class="m">5</span>*******,1******,84<span class="o">)</span>,<span class="o">(</span><span class="m">23170</span>,0<span class="o">)</span>,<span class="o">(</span><span class="m">13</span>,10<span class="o">)</span>,<span class="o">(</span><span class="m">8</span>,5,6<span class="o">)[</span><span class="m">0</span><span class="o">]</span> <span class="m">2025</span>-05-24_16:26:03<span class="w"> </span>Sv1/4:<span class="o">{</span><span class="m">1</span>,28,135,32,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">3</span>,52,74,44,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">4</span>,68,154,35,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">6</span>,37,303,44,1<span class="o">}</span> <span class="m">2025</span>-05-24_16:26:03<span class="w"> </span>Sv2/4:<span class="o">{</span><span class="m">9</span>,39,203,35,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">11</span>,5,307,42,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">12</span>,2,327,31,0<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">17</span>,33,227,42,1<span class="o">}</span> <span class="m">2025</span>-05-24_16:26:03<span class="w"> </span>Sv3/4:<span class="o">{</span><span class="m">19</span>,41,261,42,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">28</span>,12,32,39,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">31</span>,23,57,43,1<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">2</span>,2,137,0,0<span class="o">}</span> <span class="m">2025</span>-05-24_16:26:03<span class="w"> </span>Sv4/4:<span class="o">{</span><span class="m">25</span>,0,358,0,0<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">0</span>,0,0,0,0<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">0</span>,0,0,0,0<span class="o">}</span><span class="p">;</span><span class="o">{</span><span class="m">0</span>,0,0,0,0<span class="o">}</span> </code></pre></div> <p><a href="resources/2026-04-09_tearing-down-a-car-telematics-unit-and-finding-an-accident-on-facebook/TCU_mapping.png"> <img class="align-center" src="resources/2026-04-09_tearing-down-a-car-telematics-unit-and-finding-an-accident-on-facebook/TCU_mapping.png" width="80%"/> </a></p> <h5 align="center"><i>Vehicle journey highlighting UK activity</i></h5> <p><br/></p> <p>Mapping these coordinates highlights the vehicle's full journey across countries. While most movements follow expected routes, during its time in the UK we observed a cluster of GPS points at a single location, standing out from the usual travel patterns. This anomaly suggested a significant event in the vehicle&rsquo;s lifecycle.</p> <p>To investigate further, we performed a simple OSINT search using the <a href="https://www.google.com/search?client=ubuntu-sn&amp;channel=fs&amp;q=car+accident+sturry+road+24%2F05%2F2025">location and date</a>. This led us to a public Facebook post showing a car accident at the exact same location and date. The images and context perfectly matched the GNSS data, explaining why multiple GPS points were recorded at the same position.</p> <p><a href="resources/2026-04-09_tearing-down-a-car-telematics-unit-and-finding-an-accident-on-facebook/TCU-OSINT.png"> <img class="align-center" src="resources/2026-04-09_tearing-down-a-car-telematics-unit-and-finding-an-accident-on-facebook/TCU-OSINT.png" width="80%"/> </a></p> <h5 align="center"><i>Forensic data to real car accident</i></h5> <p><br/></p> <h2 id="conclusion_1">Conclusion</h2> <p>What started as a simple hardware check, a firmware dump, and a first security review quickly became a full forensic and cybersecurity investigation.</p> <p>The telematics unit was more than a device, it was a data archive. Even after a vehicle is sold, damaged, or dismantled, logs and system events can remain accessible.</p> <p>By combining forensic analysis and reverse engineering, raw technical data became real-world insights. GPS logs allowed us to reconstruct the vehicle&rsquo;s journey and link it to a real accident. At the same time, reviewing configuration files and system logs highlighted security weaknesses.</p> <p>Lessons Learned:</p> <ul> <li>Sensitive data can remain in ECUs after accidents or resale;</li> <li>Reverse engineering + OSINT can uncover real-world events;</li> <li>Embedded automotive systems often have overlooked security issues.</li> </ul> <p>This work reflects what Quarkslab does in automotive and embedded security. We help companies investigate devices, extract forensic evidence, and assess system security:</p> <ul> <li><strong>Need forensic analysis on automotive or embedded systems? Contact us.</strong></li> <li><strong>Want to improve the cybersecurity of your automotive products? We support you from investigation and analysis to full technical assessment.</strong></li> </ul>