Rooting Your Ride: Jailbreaking A Subaru QNX

A modern car still drives in the same way as the one you would have bought thirty years ago, it still has a steering wheel and all the other controls. What has changed in the cabin lies mostly beneath the dash, where enough computing power to launch several Moon shots takes care of everything from air-conditioning to entertainment. As you might expect these systems attract the curiosity of security researchers, and through their work we gain an insight into their operation.

[Scott Gayou] has a Subaru, a car that has an all-in-one entertainment system head unit that is typical of what you’d find across a host of manufacturers. His account of jailbreaking it is a lengthy essay and a fascinating read for anyone. He starts with a serial port, then an SSH prompt for a root password, and a bit of searching to find it was made by Harman and that it runs the closed-source realtime OS QNX. From there he finds an official Subaru update, from which he can slowly peel away the layers and deduce the security mechanism. The write-up lays bare his techniques, for example at one point isolating the ARM assembler for a particular function and transplanting it bodily into his own code for investigation.

Eventually he could penetrate the filesystem of the update, and from there he could find that while the root user had a password there were two other accounts that while heavily locked down, had none. The discovery came that files on USB drives plugged into the system were given user-level execute permissions, at which point under the locked-down user he could execute arbitrary code from USB drives. He could then create and modify copies of the device’s filesystem which he could flash onto it, and thus place a modified password validation function into it and gain root access.

Some Hackaday readers will be accomplished in security work such as this, but many of us are hardware specialists for whom it remains something of a dark art. A comprehensive and accessible write-up such as this one is therefore invaluable, because it gives us an insight into the techniques used and perhaps more importantly, into some of the security pitfalls a hardware engineer might unwittingly introduce into their creations.

QNX is a real-time operating system with a long history of appearances in industrial and automotive applications. Readers with long memories may recall their demo floppies from the 1990s which packed a fully functional GUI, Internet connectivity, and modern (for the time) web browser onto a single 1.44Mb floppy disk. We’ve talked about it in the past in a little detail, as when someone made a desktop OS using it.

17 thoughts on “Rooting Your Ride: Jailbreaking A Subaru QNX

  1. How can the 2 other accounts be “heavily locked down” and not have passwords?
    (I am curious, it seems like that could only happen in some deep passageway of the NSA, where you’d need to go through a multitude of checkpoints first.)

    1. He means that the users don’t have many privileges on the system. The article states:

      “Unfortunately, nearly ever [sic] binary is locked down to the root user. We can only navigate around via cd and dump directory contents with echo *.”

      He couldn’t even run ‘ls’ from that user.

  2. Can someone do this for the Toyota Entune suite. From my digging on an update package I know that it is a QNX shell, but they’ve got it locked out so unless you’ve got a key that works against whatever is in the radio, it won’t take an upgrade. I also couldn’t dig into the main program screens, only files for images and such.

    My goal is to customize the app screen, I use maybe 3 and they’re all over the place.

    1. I would also be interested in carplay android auto, the newer lexus cars offer this and it doesn’t seem like the hardware changed much. I find entune to be useless and I would love to use my phone instead.

  3. You can find a lot of dead newer Subaru headunits for experiemtns. Subaru backlogged for headunit replacements. For whatever reason Outback headunits fail more than from other models. Possibly for overheating reason.

  4. The ‘dumb’ issue we have is the display will ‘un-blank’ for no reason in our Crosstrek. We rarely use the module, so like to keep the display turned off. Be nice to have a ‘simple’ radio and cd player and plenty of handy USB ports would be nice… All this built in infotainment/big brother ‘features’ is just silly…. In my opinion!

    Thanks for the article. We never did use QNX in our business. I recall we did check into it back when, … But never used it.

  5. Makes me wonder if the best option is to buy the car with the basic “dumb” radio, then replace it with a made to fit unit from China running Android? Then you can hack and update the map… do whatever. Just no integration with the car.

    1. I have Ford Sync 1 in my Taurus SHO with the 8″ nav screen. I’ve contemplated this more than once. I could complain for days about sometimes it connects to my phone and plays fine, sometimes it connects but all volume is mute. Integrating an amp/subwoofer was a nightmare due to not having the ports that a $100 JBL headunit has. And then the stereo’s DSP is horrible. I can never get the right sound from the 12 factory speakers or the sub. And I won’t even talk about the outdated nav or lack of Android Auto.

      If I could make a Nexus 7 tablet fit in the hole and integrate with the rest of the car I would.

    2. My 2017 Toyota Aqua came with a dumb radio, as in no external coms and no integration into the rest of the car. It receives commands from buttons on the steering wheel, but it can’t change anything else. It’s got bluetooth for your phone, but no cellular junk that can disable your ECU.
      It’s good enough for me, but if I don’t like it I can just yank the thing and put in something else, still without loosing any functionality from the controls on the steering wheel.
      I don’t see why anyone would want anything else, having a head unit that’s outdated the day it rolls off the factory as an integral part of your cars operation seems utterly idiotic to me.

  6. QNX is microkernel RTOS that is entirely proprietary. It’s not even remotely UNIX/POSIX but they made a compatibility layer for it which is a wreck. I would suggest making some Linux or BSD drivers and nuking QNX completely.

Leave a Reply to Josh Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.