This document details the prototype AcCCS system used in the Electric Vehicle Infrastructure Lab (EVIL) at Idaho National Laboratory. This system was created with the intent of being an inexpensive and flexible platform to enable cybersecurity research into the CCS communications as well as the network security implemented in Electric Vehicle Supply Equipment (EVSE) and Electric Vehicles (EVs).
One of the design goals was to use as many off the shelf components as possible and leverage other open source projects that are also working in this space. The AcCCS project is thus a collection of various other projects compiled into one place to provide a flexible platform to test EVSE and EVs.
All of the AcCCS hardware is mounted to a backing plate inside a plastic enclosure. This allows for easy transportation and connectivity. The intention is to contain all of the communications gear inside the enclosure and then use a research laptop to connect to the Raspberry Pi using SSH. All of the communications are then generated by the Raspberry Pi and sent to/from the Devolo boards via USB Ethernet interfaces (one for PEV, one for EVSE).
A full list of the hardware components is found in the README file.
To emulate an EVSE, it is necessary to generate a +/-12vdc Pulse-Width Modulated signal for the embedded HomePlug GreenPHY CCS communications. We were unable to locate an off the shelf component to generate this signal, so we created a custom circuit board to accomplish this task.
This is the full schematic of the PWM signal generation:
And this is an image of the board layout we used to print the custom circuit board (PCB) to generate the PWM:
The schematic and the board layout files were generated using KiCad, and the project files are located in the resources folder of the AcCCS project. The PCB were printed by a regional company Circuitboard.com.
SPECIAL NOTE: This PWM circuit board is capable of simulating the EVSE cordset being removed and replugged by simulating pressing the button on the handle. If this functionality is desired, you will need (1) a modified EVSE cordset in which you remove the 150 Ohm resistor tied to the button, and (2) populate the R12 pad on the circuit board with a 150 Ohm resistor. If you are using an unmodified EVSE cordset and will manually unplug and replug the cordset to reset the EVSE to EV connection, leave R12 unpopulated.
The enclosure wiring follows this pattern:
- +12vdc (blue)
- -12vdc (magenta)
- +5vdc (red)
- Power ground (black)
- Signal ground (black)
- Signals (green)
The Raspberry Pi in the AcCCS enclosure has three network interfaces. The built-in interface (eth0) is used for communications with a research laptop. This interface is connected to a RJ-45 connector on the side of the enclosure. One USB network interface (eth1) is used to connect to the EVSE Devolo board, and a second USB interface (eth2) is used to connect to the PEV Devolo board.
Settings on the Raspberry Pi were updated to enable a few features. This is done using raspi-config. Predictable network names was enabled as well as the I2C interface.
The eth0 interface is configured with a static IPv4 address 10.10.10.10. The eth1 and eth2 interfaces are not directly configured as Raspbian defaults to a configuration of DHCP for IPv4 and Link-Local for IPv6.
The Raspbian OS was configured to assign the eth1 and eth2 interface names to the USB network interfaces using the MAC address of the interface. There are several ways to make this assignment in Linux, but what we found to work most consistently was to create a couple of files in /etc/systemd/network/.
#/etc/systemd/network/09-eth1.link
[Match]
MACAddress=11:22:33:44:55:66 # Update with your MAC
[Link]
Name=eth1
#/etc/systemd/network/10-eth2.link
[Match]
MACAddress=11:22:33:44:55:66 # Update with your MAC
[Link]
Name=eth2
Note: Even after using several methods to configure a MAC address to match an interface name (e.g. eth1), we found Raspbian still seems to chose the name based on which USB port the interface is plugged into. This is very odd behavior and we have not yet determined the cause or a solution.
A single AcCCS enclosure can be used to emulate an EVSE and/or EV by connecting the enclosure to a proper EVSE charge cable or vehicle inlet port. We use BNC connectors on the side of the AcCCS enclosure to make these connections. HUGE Safety Note: Make sure you isolate and thoroughly insulate the DC power cables on the inlet port and EVSE cordset as the vehicle or EVSE may present HIGH voltage at any time. You have been warned.
The Raspberry Pi communicates with the PWM circuit board using I2C. Ensure I2C is enabled in raspi-config, and then check the board connection using i2c-detect.
~$ sudo i2cdetect -y 1
0 1 2 3 4 5 6 7 8 9 a b c d e f
00: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: 20 -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
........
The PWM circuit board should appear at the I2C address 0x20 as shown above.
The EVSE cordset we are using is a CCS Type 1 cord from Phoenix Contact: (https://www.mouser.com/ProductDetail/Phoenix-Contact/1236563?qs=Jslch3jnSjl2upE49erPRA%3D%3D)
The EV inlet port is also CCS Type 1 from Phoenix Contact: (https://www.mouser.com/ProductDetail/Phoenix-Contact/1210900?qs=T94vaHKWudRqtRNWYLAGvg%3D%3D)
BNC connectors were added to the cordset and inlet port so that they are easily connected to the AcCCS enclosure.
NOTE: If you want the PWM circuit to automatically disconnect and reconnect the EVSE emulator from a target EV, you will need to modify the cordset and the PWM circuit. This functionality may be desired if you are performing long NMap scans of a target EV and the EV frequently resets the network connection. See the SPECIAL NOTE found in the PWM Generation Circuit section.
Connect a research laptop to the RJ-45 connector on the side of the AcCCS enclosure. Configure the network interface on the research laptop to use a static IP address in the 10.10.10.0/24 address space. Just don't use the same address you used for the static IP address on the Raspberry Pi. You do not need to change any of the IPv6 settings on the research laptop.
Connect to the Raspberry Pi using SSH.
user@laptop:~$ ssh [email protected]
[email protected] password:
pi@raspberry:~$
You can now emulate either an EVSE or an EV by running the proper script found in the AcCCS source code. For example:
pi@raspberry:~$ cd src/AcCCS/
pi@raspberry:~/src/AcCCS/$ sudo python3 EVSE.py
The emulators are run using sudo because of the need to generate and send raw Ethernet packets.
You can monitor all of the traffic between the Raspberry Pi and the EVSE or EV Devolo boards by using the SSH capture capabilities of Wireshark.
On the research laptop, configure Wireshark to connect to the Raspberry Pi in the AcCCS enclosure and sniff the network traffic to/from the EVSE (eth1) or to/from the EV (eth2).
The emulator scripts EVSE.py and PEV.py include some basic functionality for port scanning the EVSE SECC or the EV EVCC. This option can be selected as a command-line argument. Results of the port scan are displayed along with the progress of the scan.
Unfortunately the only method we have readily available to encode/decode the XML communications between the EV and EVSE is by reusing the Java webserver from the V2Gdecoder project. We patched the jar file to fix a few bugs we found in the latest release, and it is included in the java_decoder folder along with a couple of schema folders.
The primary CCS schema we are using is DIN Spec 70121. This has been the most stable schema, and it is also accepted by most every EV and EVSE. We also included a copy of ISO 15118-2:2010 in the schemas folder if you chose to use it instead. We are not currently trying to exercise all of the latest protocol features, but rather using the old DIN spec to simply establish a network connection so that we can perform other cyber activities (e.g. port scanning).
- V2GInjector
- CODICO Devolo dLAN Green Phy Eval Boards
- Green Phy Module SDK
- QCA700 Configuration
- OpenEVSE project
- V2Gdecoder
- RISE-V2G
- HomePlugPWN