Check out the Saleae FlexRay decoder plugin I wrote this weekend. I was debugging a tricky bug, so it was time to build some proper tooling. Unfortunately, the previous plugin by @robbederks wasn't compatible with Logic 2. github.com/I-CAN-hack/flexra… also includes prebuilt files.
I built an MCP server so Claude can properly read PDF datasheets. Not just pdf-to-text, but proper table of contents, search and viewing pages as both text and image. This way it can properly see diagrams and tables. Check it out: github.com/I-CAN-hack/pdf-mc…
This blog post ended up being a bit more industry-focused than I would have liked, but I wanted to do the research because I was curious what the adoption of bug bounty programs looked like in automotive!
hakstuff.net/blog/car-hackin…
I created a small PCB that simulates an EV charger connection (IEC 61851) by generating the required ±12V PWM signals. Let me know if this is something you would like to buy from my store!
I'm 2 weeks into writing a custom emulator for some automotive fuzzing experiments. The designers of the TriCore ISA thought it necessary to define four variants of “reg ≥ imm9 → XOR into LSB of reg.” Who asked for this nonsense?
Image alt text: Calculate the logical XOR of D[c][0] and the Boolean result of the GE or GE.U operation on the contents of data register D[a] and either data register D[b] (instruction format RR) or const9 (instruction format RC). Put the result in D[c][0]. All other bits in D[c] are unchanged. D[a] and D[b] are treated as 32-bit signed (XOR.GE) or unsigned (XOR.GE.U) integers. The value const9 is sign-extended (XOR.GE) or zero-extended (XOR.GE.U).
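The four variants from the instruction description above, written as emulator handlers in C. This is an added example, not code from the author's emulator; the function names are hypothetical, registers are modelled as plain `uint32_t` values, and no opcode decoding is attempted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Sign-extend the 9-bit immediate of the RC format to 32 bits. */
static int32_t sext9(uint32_t const9) {
    return (int32_t)((const9 & 0x1FF) ^ 0x100) - 0x100;
}

/* D[c][0] ^= ge; bits 31..1 of D[c] are left unchanged. */
static uint32_t xor_into_lsb(uint32_t dc, bool ge) {
    return dc ^ (ge ? 1u : 0u);
}

/* XOR.GE, RR format: D[a] and D[b] compared as signed integers. */
uint32_t xor_ge_rr(uint32_t dc, uint32_t da, uint32_t db) {
    return xor_into_lsb(dc, (int32_t)da >= (int32_t)db);
}

/* XOR.GE.U, RR format: D[a] and D[b] compared as unsigned integers. */
uint32_t xor_ge_u_rr(uint32_t dc, uint32_t da, uint32_t db) {
    return xor_into_lsb(dc, da >= db);
}

/* XOR.GE, RC format: const9 is sign-extended, compare is signed. */
uint32_t xor_ge_rc(uint32_t dc, uint32_t da, uint32_t const9) {
    return xor_into_lsb(dc, (int32_t)da >= sext9(const9));
}

/* XOR.GE.U, RC format: const9 is zero-extended, compare is unsigned. */
uint32_t xor_ge_u_rc(uint32_t dc, uint32_t da, uint32_t const9) {
    return xor_into_lsb(dc, da >= (const9 & 0x1FF));
}

int main(void) {
    /* Constructed operands: the same bit patterns give different results
       depending on signedness and on how const9 is extended. */
    printf("XOR.GE   RC: %08x\n", (unsigned)xor_ge_rc(0xABCD0000u, 5, 0x1FF));
    printf("XOR.GE.U RC: %08x\n", (unsigned)xor_ge_u_rc(0xABCD0000u, 5, 0x1FF));
    printf("XOR.GE   RR: %08x\n", (unsigned)xor_ge_rr(1, 0xFFFFFFFFu, 0));
    printf("XOR.GE.U RR: %08x\n", (unsigned)xor_ge_u_rr(1, 0xFFFFFFFFu, 0));
    return 0;
}
```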
Inspired by @FraktalCyber's Laser Fault Injection rig, I got an xTool F1. I probably need to use some HNO3 to take off the last bit of packaging. The chips no longer work if I go too far, and the die also looks visually damaged.
Congratulations to @_stephandb_ for being the first to solve all the challenges! He also provided an excellent write-up: icanhack.nl/ctf_writeup.pdf.
The CTF will stay up for a few more weeks, so don't worry if you haven't been able to finish all the challenges yet.
I created a small automotive-themed CTF! The first person to solve all the challenges will get a free CAN Bus Throwing Star. Check it out at ctf-teaser.icanhack.nl
I have opened a hardware shop! Check it out at shop.icanhack.nl/. The first product is the CAN Bus Throwing Star, an easy-to-use converter to connect to all things CAN bus. Let me know what other products you’d like to see next!
Did anyone find a worthy replacement for the Transcend RDF5K to read eMMC in-circuit in 1-bit mode without spending $$$? Bought a bunch of cheap SD card readers from Amazon to test with, but none show up as mmcblk.
So far the Hama (B001SLCC7Y), Kiwibird (B01B0YFWO8) and Mogood (B0CB43XHNS) at least show the user partition as a standard sdX device.
The Hama is based on an Alcor AU6479 (058f:6459); the Kiwibird/Mogood are based on a Genesys GL823K (05e3:0751).
So you want to build some shellcode for an ECU? I made a collection of Dockerfiles to set up gcc for V850, PowerPC-VLE and TriCore.
It compiles binutils and gcc based on the GPL sources/patches from the proprietary compilers such as S32DS and HighTec C.
github.com/I-CAN-hack/automo…
Check out my new blog, coauthored with @js0n37. Learn how we unlocked Renesas RH850 security by breaking 16-byte ID code authentication using Voltage Glitching to extract firmware on Automotive ECUs.
Read the full article here: lnkd.in/d3zqKE6a #AutomotiveSecurity
In 2022 we found vulnerabilities in dormakaba Saflok hotel locks. Reading one RFID card enables us to forge a pair of cards that open any door in that hotel! Dormakaba is currently working with its customers to fix the 3 million affected locks. wired.com/story/saflok-hotel…
New blog post is out! Extracting the SecOC keys used for securing the CAN Bus on the 2021 RAV4 Prime. icanhack.nl/blog/secoc-key-e…
Research started all the way in 2022, but took many evenings of reverse engineering to get code execution.
PoC: github.com/I-CAN-hack/secoc