I am a man in flip-flops, a long-term automotive electronics engineer in the magic city.
As usual, I will share a piece of text I like to avoid becoming an engineer with high knowledge but low culture:
After taking a shower on the weekend and changing into a new outfit, I went out but didn’t know where to go or who to find, wandering aimlessly. Perhaps this is the deepest loneliness of adulthood!Old friends don’t know my current situation, and new friends don’t know my past. My current situation shouldn’t be known by old friends, and my past shouldn’t be told to new friends. No matter how many people you meet, there is no one quite like me.
Time has unknowingly brought us to a new year. 2025 begins a new busy period. As an adult, I also don’t know where to spend my soul, so typing some words alone serves as a record of this time.

1. Background Information
Today, I will detail various cybersecurity techniques applied to microcontroller units (MCUs). Although automotive MCUs are typically not directly connected to the internet via wired or wireless networks, once hackers successfully breach the vehicle’s wireless communication systems (such as Wi-Fi, Bluetooth, etc.), they may access and control the MCU through the Controller Area Network (CAN), posing a serious threat to vehicle safety. Therefore, deploying cybersecurity measures on MCUs is particularly necessary and urgent.
Among these, secure boot technology is a crucial security measure that primarily checks and ensures the integrity and reliability of the Bootloader. As the first step in system startup, the Bootloader is responsible for loading and verifying the subsequent software code. If the Bootloader is tampered with, the entire system’s security will be at risk. Through secure boot technology, we can strictly verify the Bootloader at the beginning of the system startup. If any anomalies or signs of tampering are detected, the system startup will be immediately halted, effectively preventing the intrusion and execution of malicious software.
The following is a schematic diagram that vividly illustrates how specific mechanisms are used to detect and prevent tampering with the Bootloader, ensuring that the MCU is in a secure and controllable state from the very start.

When the MCU is powered on, its built-in CSE module (Cryptographic Services Engine) immediately comes into play, securely reading the bootloader program code from the Code Flash storage area. This process is a key initial step of the secure boot mechanism, aimed at ensuring that the system is protected from the outset.
Next, the CSE module uses a pre-stored boot key, combined with the advanced AES-128 encryption algorithm, to carefully calculate a MAC (Message Authentication Code) value for the read bootloader. This MAC value acts as the bootloader’s “digital fingerprint,” unique and unforgeable, serving as an important basis for verifying the integrity and authenticity of the bootloader.
The CSE module performs a crucial comparison: it carefully compares the just-calculated MAC value with the MAC value pre-stored in the CSE dedicated register. This MAC value stored in the register was written and locked during the initial flashing or updating of the bootloader, serving as a benchmark for subsequent verification.
If the comparison shows that the two MAC values are identical, congratulations, the secure boot authentication is successful! At this point, the system will set a data bit indicating successful secure boot and unlock it to allow the execution of subsequent programs. As indicated by the black arrow in the diagram, once the secure boot authentication passes, the MCU will immediately begin executing the bootloader program, laying a solid foundation for the normal operation of the system.
This series of precise and rigorous operations forms a solid defense line for the MCU’s secure boot, effectively resisting potential security threats and ensuring that the system is in a secure and controllable state from the very start.
2. Secure Communication
The following diagram vividly presents how to effectively prevent the sending of illegal messages, ensuring communication security. In the diagram, the left side represents the main ECU (Electronic Control Unit), and the right side represents the sensor ECU, which together build a communication bridge through the CAN (Controller Area Network).
When the communication process starts, the CSE module of the main ECU first generates a random number, which serves as a temporary key for this communication, and then sends it to the sensor ECU. This step lays the foundation for subsequent encrypted communication, ensuring the uniqueness and unpredictability of each communication.
Upon receiving the random number, the sensor ECU reads the real-time values from the sensor and inputs the sensor values, the random number received from the main ECU, and the pre-shared key #x into the AES-128 encryption algorithm for encryption processing. AES-128, as a widely recognized symmetric encryption algorithm, ensures the confidentiality and integrity of messages during transmission.
After encryption, the sensor ECU sends the encrypted message back to the main ECU. The CSE module of the main ECU, upon receiving the encrypted message, uses the same key #x to decrypt the message, restoring the original sensor values and random number.
To verify the legitimacy of the message, the main ECU compares the decrypted random number with the random number it initially sent to the sensor ECU. If the two random numbers are identical, the main ECU can be confident that the message originated from a legitimate sensor ECU and has not been tampered with during transmission, thus considering the message legitimate. Conversely, if the random numbers do not match, the main ECU will determine that the message is illegal and immediately discard it to ensure the system’s security and stability.
This series of precise and rigorous operations forms a solid barrier for secure communication between MCUs, effectively resisting the intrusion and tampering of illegal messages, providing strong assurance for the reliable operation of intelligent systems.
3. Component Protection
In automotive electronic systems, the ECU (Electronic Control Unit) is a core component, and its uniqueness directly affects the safety and stable operation of the entire system. Once the ECU is replaced or tampered with, its inherent unique ID or encryption key may undergo unpredictable changes, posing a serious threat to system security. The following will analyze how this risk is precisely identified and effectively controlled through a specific example.

At the beginning of the communication process, the main ECU randomly generates a unique random number and sends it to the ECU to be tested. This random number serves as a temporary key for this identity verification, laying a secure foundation for subsequent encrypted communication.
Upon receiving the random number, the ECU immediately combines it with its unique ID and uses the pre-shared key #x to encrypt the combined data using advanced encryption algorithms. After encryption, the ECU sends the encrypted message back to the main ECU, awaiting further verification.
Upon receiving the encrypted message, the main ECU uses the same key #x to decrypt the message, restoring the original random number and ID. The main ECU then performs two critical comparisons: first, it checks whether the decrypted random number matches the random number it initially sent; second, it verifies whether the decrypted ID matches the locally stored ECU ID.
If both comparison results are consistent, the main ECU can be confident that the ECU’s identity is legitimate and has not been tampered with, allowing the system to continue operating normally. Conversely, if either comparison result shows a discrepancy, the main ECU will immediately determine that the ECU may have been illegally replaced or tampered with and will trigger corresponding security response mechanisms, such as limiting its functionality, issuing alerts, or notifying maintenance personnel, to ensure the overall security and stability of the system are not compromised.
This precise and rigorous component protection mechanism acts as an indestructible security barrier for automotive electronic systems, effectively resisting the risks of illegal replacement and tampering, safeguarding the safety of intelligent mobility.

