Two images side by side. One shows a laptop opened to a map view with a vehicle model showing a vehicle's location. A transparent overlay shows various blue-ish buttons for sending commands to the vehicle. The image on the right is of the interior of a Nissan Leaf. Visible are the very edge of the steering wheel, the center dash including the infotainment display, vents, and shifter, and part of the right side of the dash. Passenger and driver legs are just barely visible at the bottom of the image.

Hack Turns Nissan Leaf Into Giant RC Car

As cars increasingly become computers on wheels, the attack surface for digital malfeasance increases. The [PCAutomotive] group shared their exploit for turning the 2020 Nissan Leaf into a 1600 kg RC car at Black Hat Asia 2025.

Starting with some scavenged infotainment systems and wiring harnesses, the group built test benches able to tear into vulnerabilities in the system. An exploit was found in the infotainment system’s Bluetooth implementation, and they used this to gain access to the rest of the system. By jamming the 2.4 GHz spectrum, the attacker can nudge the driver to open the Bluetooth connection menu on the vehicle to see why their phone isn’t connecting. If this menu is open, pairing can be completed without further user interaction.

Once the attacker gains access, they can control many vehicle functions, such as steering, braking, windshield wipers, and mirrors. It also allows remote monitoring of the vehicle through GPS and recording audio in the cabin. The vulnerabilities were all disclosed to Nissan before public release, so be sure to keep your infotainment system up-to-date!

If this feels familiar, we featured a similar hack on Tesla infotainment systems. If you’d like to hack your Leaf for the better, we’ve also covered how to fix some of the vehicle’s charging flaws, but we can’t help you with the loss of app support for early models.


Game boy with custom cartridge mounted on car dashboard

A Game Boy Speedometer, Just Because You Can

From a practical standpoint, [John] may be correct that his recent creation is the “world’s worst digital dash”, but we’re still oddly enamored with the idea of using a Nintendo Game Boy as a digital speedometer. Pulling it off meant interfacing the handheld with the vehicle’s CAN bus system, so whether you’re into retro gaming or car hacking, this project has something to offer.

Showing real-time vehicle speed on the Game Boy sounds like it should be relatively easy, but the iconic game system wasn’t exactly built for such a task. Its 2 MHz CPU and 160×144 pixel dot-matrix screen were every kid’s dream in 1989, but using it as a car dashboard is pushing it. To bridge that gap, [John] designed two custom circuit boards. One interfaces with the Game Boy, intercepting its memory requests and feeding it data from a microcontroller. The other processes the CAN bus signals, translating speed information into a form the Game Boy can display. [John] used inexpensive tools and software to read the CAN bus data, and used GBDK-2020 to write the software in C. His video goes into great detail on how to do this.

Months of work have gone into decoding the Game Boy’s data bus and creating a schematic for the interface board. The trick was making the Game Boy think it was loading a game while it was actually displaying incoming speed data. The screen’s low resolution and slow refresh rate rendered it barely readable in a moving vehicle. But [John]’s goal wasn’t practicality; it was just proving it could be done.

Want to dive deep into the Game Boy? Have you seen the Ultimate Game Boy talk?


Extracting SecOC Keys From A 2021 Toyota RAV4 Prime

With the recently introduced SecOC (Secure Onboard Communication) standard, car manufacturers seek to make the CAN bus networks that form the backbone of modern day cars more secure. This standard adds a MAC (message authentication code) to the CAN messages, which can be used to validate that these messages come from a genuine part of the car, and not from a car thief or some third-party peripheral.

To check that it isn’t possible to circumvent SecOC, [Willem Melching] and [Greg Hogan] got their hands on the power steering (EPS) unit of a Toyota RAV4 Prime, one of the first cars to implement this new security standard.

The 2021 Toyota RAV4 Prime's power steering unit on the examination bench. (Credit: Willem Melching)

As noted by [Willem], the ultimate goal is to be able to run the open source driver assistance system openpilot on these SecOC-enabled cars, which would require either breaking SecOC, or following the official method of ‘rekeying’ the SecOC gateway.

After dumping the firmware of the EPS Renesas RH850/P1M-E MCU via voltage fault injection, the AES-based encryption routines were identified, but no easy exploits were found in the main application. This left the bootloader as the next target.

Ultimately they managed to reverse-engineer the bootloader to determine how the update procedure works, which enabled them to upload shellcode. This shellcode then enabled them to extract the SecOC keys from RAM and send these over the CAN bus. With these keys, any device can generate CAN messages with valid SecOC MACs, effectively defeating the authentication SecOC is meant to provide. Naturally, there are many caveats with this discovery.


A gray 3d-printed box with RV-bridge embossed on it, and a connector-terminated bundle of wires coming out of it.

RV-Bridge Takes HomeKit To The Open Road

In the world of proprietary protocol darkness, it’s comforting to see that the RV realm (Recreational Vehicle, also known as a motorhome) has mostly settled on RV-C, an open protocol that lets various devices and systems inside an RV talk to each other over CAN. The undeniable openness of RV-C is surprising, but we haven’t seen many hobbyists tinker with it — yet.

Now, [Randy Ubillos] sets an example — his gift to us is an ESP32 firmware called RV-Bridge and it lets you control your RV’s RV-C network from HomeKit. After all, your motorhome could benefit from home automation, too!

The RV-C network in [Randy]’s family RV already had a factory-provided front-end and an iOS app, but naturally, it had a limited set of features. Having looked around online he found that both RV-C and HomeKit had open libraries for them, and set out to join these worlds together.

Now he’s released the first revision of RV-Bridge, fully-featured enough for comfortable day-to-day use, and with a setup guide for those who want to try it out! When it comes to hardware, you’ll want an ESP32 board with CAN support — [Randy] has found a perfect board for sale, and made it even more fitting by designing a 3D printed case for RV use; as usual, files are on GitHub!

Making your stock RV more comfy through hacker methods is exactly what we expect to grace our tips line! The RV projects we’ve seen so far are also outstandingly cool, yet of a different kind: things like building your own RVs out of something not meant to be an RV, whether it’s an abandoned airliner, a school bus, or a jet engine! Oh, and if your hackerspace owns an RV, you can always convert it to something else, be it a mobile hackerspace or a spaceship simulator.

This ESP32 CAN!

Since modern cars use the CAN bus for so many of their functions, it’s unsurprising that it’s a frequent object of interest for those in our community. Some people go no further than commercial plug-in analysers, while others build their own CAN devices. This is what [Magnus Thomé] has done, with his RejsaCAN microcontroller board.

It’s a small PCB with an onboard CAN interface from an ESP32-S3 and a car-friendly power supply circuit, and perhaps most importantly, it has an auto-shutdown feature to prevent battery drain. Software-wise it’s a blank piece of paper for the user to roll their own application, but since the ESP32 is supported by the Arduino ecosystem, there are libraries that make talking CAN as easy as it can be.

[Magnus] has a list of potential applications for the board, many of which take advantage of the ESP’s wireless capabilities. So far, [Magnus] has hooked it up to an LCD display, but we can see so many other useful things coming out powered by something like this.

You haven’t tried playing with your car’s CAN bus yet? Maybe you should read this to whet your appetite.

UART Can’t? Arduino CANSerial Can!

[Jacob Geigle] had a problem. A GPS unit and a Bluetooth-to-serial were tying up all the hardware UARTs on an AVR Arduino project. “Software serial”, I hear you say. But what if I told you [Jacob] already had the board in question sending out data over CAN bus?

[Jacob]’s sweet hack creates an arbitrary number of CAN “devices” inside the Arduino code, and can treat each one of them as its own serial data channel. The “N” in CAN stands for network, after all. The trick is to create a device ID for each desired CANSerial interface, which is done in his library using the usual Arduino setup step. A buffer takes care of storing all the different channels until they can be pushed out over the hardware CAN peripheral. On the big-computer side of things, some software listens for the different “device” enumeration IDs and assigns each a virtual serial port.

While this was a hack born of necessity, we can see it as a clever opportunity to segregate information coming from the microcontroller into different streams. Maybe a debug channel, a command channel, and a data channel? They’re virtual devices, so go nuts!

While we usually see CANbus in its native habitat – inside your car – it’s also cool to think of the uses we could put it to. For instance, controlling a 3D printer. Need a CAN refresher? We’ve got just the ticket.

[Bus photo: Malta Bus; The terminus, Valletta by John Haslam. Can photo: Paint Cans by Daniel R. Blume. Horrible visual pun: I’m afraid that’s on us. You try finding images for CANbus code!]

Hacking A Proper Dash Into The Tesla Model 3

The Tesla Model 3 and Model Y are popular electric vehicles that dispense with some of the usual provisions you’d expect in a typical car. Namely, there’s no dash cluster in front of the driver; instead, all information is solely displayed on the center console screen. [Nick Nguyen] wasn’t a fan of this setup, and decided to hack together a dash cluster of his own. 

The CANdash works in a simple fashion, snooping the Tesla’s CAN bus for all the information relevant to the vehicle’s operation. It’s capable of displaying everything from speed to the remaining range in the battery, while also allowing the user to keep an eye on things like coolant temperatures and whether the Tesla Autopilot system is currently available.

The build relies on a CANserver, an ESP32-based device specifically built for hooking up to the CAN bus on Tesla vehicles and sharing the data externally. The data can then be piped wirelessly to an Android phone running CANdash to display all the desired information. With the help of an aftermarket dash clip or a 3D printed custom mount, the phone can then be placed behind the steering wheel to display data in the usual location.

It’s a simple, straightforward hack that gives Tesla owners a useful feature that they’re otherwise missing from the factory. The US automaker’s cars are proving to be fertile ground for hackers and DIYers, with one man recently saving thousands on a battery swap with a simple mod. Video after the break.
