[greenluigi1] bought a Hyundai Ioniq car, and then, to our astonishment, absolutely demolished the Linux-based head unit firmware. By that, we mean that he bypassed all of the firmware update authentication mechanisms, reverse-engineered the firmware updates, and created subversive update files that gave him a root shell on his own unit. Then, he reverse-engineered the app framework running the dash and created his own app. Not just for show – after hooking into the APIs available to the dash and accessible through header files, he was able to monitor car state from his app, and even lock/unlock doors. In the end, the dash got completely conquered – and he even wrote a tutorial showing how anyone can compile their own apps for the Hyundai Ioniq D-Audio 2V dash.
In this series of write-ups [greenluigi1] put together for us, he walks us through the entire hacking process — and they’re a real treat to read. He covers a wide variety of things: breaking encryption of .zip files, reprogramming eFused MAC addresses on USB-Ethernet dongles, locating keys for encrypted firmware files, carefully placing backdoors into a Linux system, fighting cryptic C++ compilation errors and flag combinations while cross-compiling software for the head unit, making plugins for proprietary undocumented frameworks, and many other reverse-engineering aspects that we encounter when domesticating consumer hardware.
This marks a hacker’s victory over yet another computer in our life that we aren’t meant to modify, and a meticulously documented victory at that — helping each one of us fight back against “unmodifiable” gadgets like these. After reading these tutorials, you’ll leave with a good few new techniques under your belt. We’ve covered head unit hacks like these before, for instance, for Subaru and Nissan, and each time it was a journey to behold.
When a government decides to take a look at your particular field of experimentation, it’s not necessarily a cause for rejoicing, as British motor vehicle enthusiasts are finding out through a UK Government consultation. Titled “Future of transport regulatory review: modernising vehicle standards”, the document explains that it is part of the process of re-adopting under UK law areas which have previously been governed by the European Union. Of particular interest is the section “Tackling tampering”, which promises a new set of offences for “tampering with a system, part or component of a vehicle intended or adapted to be used on a road”.
They go into detail as to the nature of the offences, which seem to relate to the production of devices designed to negate the safety or environmental features of the car. They’re at pains to say that they have no wish to target the legitimate car modification world, for example in motorsport or restoration, but it’s easy to see how a car hacker might inadvertently fall foul of any new rules. It’s worried the enthusiasts enough that a petition has been launched on the UK parliamentary petition site, making the point that the existing yearly MOT roadworthiness test should fulfill the function of taking any illegal vehicles off the road.
We’re always wary when governments wander into our purview, and given where this is being written it’s fair to say that British governments have had their fair share of ill-considered laws in their time. But before we call doom upon the future of car hacking for Brits, it’s worth remarking that they don’t always make a mess in this arena. The rules for the Individual Vehicle Approval test for putting a home-built car on the road are far from a bureaucratic nightmare for example, instead being a relatively sensible primer in building a safe motor vehicle.
So we’d suggest not panicking just yet, but perhaps any British readers might like to respond appropriately to the consultation and the petition in the interests of nudging them in the right direction.
[Voltlog] has been hacking away at the CAN bus console of his VW Golf for quite some time now. Presumably, for his projects, the available CAN bus interface boards are lacking in some way, either technically or on price. So [Voltlog] designed his own wireless CAN bus hacking and development module called the ESP32 CanLite (see the video below the break). The board was tailored to meet the needs of his project and he claims it is not a universal tool. Nevertheless we think many folks will find the features he selected for this module will be a good fit for their projects as well.
In his introduction of the design, he walks through the various design decisions he faced. As the project name suggests, he’s using the ESP32 as the main controller due to its wireless radios and built-in CAN controller. The board is powered from the car’s +12V supply, so it uses a wide-input-range (4 to 40 V) switching regulator. One feature he added was the ability to switch automotive accessories using the ST VN750PC, a nifty high-side driver in an SO-8 package with integrated safety provisions.
The project is published as open source and the files can be pulled from his GitHub repository. We noticed the debug connector labeled VOLTLINK on the schematic, and found his description of this custom interface interesting. Basically, he was not satisfied with the quality and performance of the various USB-to-serial adapters on the market and decided to make his own. Could this be a common theme among [Voltlog]’s projects?
A word of warning if you want to build the ESP32 CanLite yourself. While [Voltlog] had intentionally selected parts that were common and easy to purchase when the project began, several key chips have since become nearly impossible to obtain due to the global parts shortage (the board is even out of stock on his Tindie page).
As cars have become more sophisticated electronically, understanding the CAN bus that forms the backbone of automotive digital systems has become more and more important for hacking cars. Inexpensive microcontroller CAN interfaces have made obtaining the raw CAN bus traffic trivial, but interpreting that traffic can be pretty challenging. In order to more easily visualize CAN traffic, [TJ Bruno] has developed CanoPy, a Python tool for visualizing CAN messages in real time.
A basic PC CAN interface simply dumps the bus’s message traffic into the terminal, while more sophisticated tools organize messages by the address of their intended recipients. Both of these approaches digitally lift the hood and let you examine what your car is thinking, but the wall-of-numbers approach makes finding the patterns that hold the keys to reverse engineering difficult. Automatically plotting the data with CanoPy makes finding correlations much easier, after which the text-based tools can be used to focus on a few specific addresses.
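To make the "wall of numbers" problem concrete, here is an added example (not CanoPy's own code) of the first pass a tool like it has to do before anything can be plotted: parse candump-style log lines, group frames by arbitration ID, and work out which payload bytes ever change, since a byte that is constant across hundreds of frames is rarely the signal you are looking for. The log lines are constructed for the example and are not traffic from any real vehicle; the candump text format is the one written by `candump -l`.

```python
import re
from collections import defaultdict

# Constructed sample in candump log format "(timestamp) iface ID#DATA".
# The IDs and payloads are invented for this example, not captured from a car.
SAMPLE_LOG = """\
(1700000000.000000) can0 0C9#0000001A00000000
(1700000000.010000) can0 1A0#4200
(1700000000.020000) can0 0C9#0000001E00000000
(1700000000.030000) can0 1A0#4200
(1700000000.040000) can0 0C9#0000002300000000
(1700000000.050000) can0 2B5#FFFFFFFF
(1700000000.060000) can0 0C9#0000002800000000
(1700000000.070000) can0 1A0#4200
"""

LINE_RE = re.compile(
    r"^\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_candump(text):
    """Return a list of (timestamp, arbitration_id, payload_bytes) tuples.

    Lines that do not match the candump format (blank lines, comments) are skipped.
    """
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def summarize(frames):
    """Per arbitration ID: frame count, per-byte (min, max) and which byte positions change.

    Bytes whose value never changes are usually padding or constants; the ones that
    do change are the candidates worth plotting against what the car was doing.
    """
    by_id = defaultdict(list)
    for _ts, can_id, data in frames:
        by_id[can_id].append(data)

    summary = {}
    for can_id, payloads in by_id.items():
        dlc = max(len(p) for p in payloads)
        # Column i holds byte i of every frame that was long enough to have it.
        columns = [[p[i] for p in payloads if i < len(p)] for i in range(dlc)]
        summary[can_id] = {
            "count": len(payloads),
            "changing_bytes": [i for i, col in enumerate(columns) if len(set(col)) > 1],
            "ranges": [(min(col), max(col)) for col in columns],
        }
    return summary


def series(frames, can_id, byte_index):
    """Time series of one byte of one ID: the (t, value) pairs a plotter would draw."""
    return [
        (ts, data[byte_index])
        for ts, cid, data in frames
        if cid == can_id and byte_index < len(data)
    ]


if __name__ == "__main__":
    frames = parse_candump(SAMPLE_LOG)
    for can_id, info in sorted(summarize(frames).items()):
        print(f"0x{can_id:03X}: {info['count']} frames, changing bytes {info['changing_bytes']}")
    print("0x0C9 byte 3 over time:", series(frames, 0x0C9, 3))
```

Running this on the sample shows ID 0x0C9 with byte 3 climbing while everything else on the bus stays flat, which is exactly the kind of candidate you would then plot over time and compare against speed, RPM or a pedal position.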
[Florian] and his engineering team at Munich-based bmc::labs have developed a clever set of prototyping boards for vehicle hacking and rapid product development, collectively called the bmc::board or bmc::mini. These stackable development boards were initially designed for in-house use. The team took a general-purpose approach to the design so the boards could be used across a wide range of projects, and they should be useful to anyone in the field. [Florian] decided to release the boards to the community as open source, certified by OSHWA (Open Source Hardware Association).
There are four boards currently defined, with several more in the works:
mini::base — Main microcontroller board, STM32F103-based
mini::out — I/O board with CAN bus, JTAG, etc.
mini::grid — RF board providing GPS and GSM capability
mini::pit — local wireless connectivity, WiFi and Bluetooth, and 2nd CAN bus
At 54 x 42.5 mm, these boards are pretty small; a form factor they describe as “exactly half a credit card”. We like the Wurth WR-MM family of stacking connectors they are using, and the symmetrical pinout means you can rotate the cards as needed. But at first glance, these thru-hole connectors seem to limit the stack to just two boards, although maybe they plan to move to an SMT flavor of the connector in future designs, permitting taller stacks.
If you’re into vehicle electronics and/or vehicle hacking, definitely take a look at these. You can check out [Florian]’s bmc::board Hackaday.io project page and the team’s GitHub repository for more details. Here’s another project by team member [Sebastian] using one of the future bmc::bike modules to eavesdrop on ECU communications, where he sensibly advises the reader “First, pull over and get off the bike. Never hack a two-wheeled vehicle while riding it!”.
Nestled in a custom laser-cut housing is a touch screen LCD module that connects directly to the GPIO header of a Pi Zero. Combined with some Python code, this provides a very slick multipurpose interface for pretty much anything [Ryan] wants. Right now he’s got it hooked up to a GPS receiver so he can figure out things like speed and acceleration, but the only real limit on what this little drop-in upgrade can do is how much code you want to sit down and write.
[Ryan] says he’s also working on some code to better integrate the Pi into the vehicle’s systems by way of a Bluetooth OBD2 adapter. In the most basic application that would allow you to throw various bits of engine data up on the screen, but on more modern cars, you could potentially tap into the CAN bus and bend it to your will.
While the physical size and shape of this particular modification is clearly focused on this model and year of BMW, the general concepts could be applied to any car on the road. [Ryan] has recently started a GitHub repository for the project and hopes to connect with others who are interested in adding a little modern convenience to their classic rides.
Now for those of us who are more interested in how this whole process works, [ea] was kind enough to provide a very detailed account of how the exploit was discovered. Starting with getting a spare Linux-powered head unit out of a crashed Xterra to experiment with, the write-up takes the reader through each discovery and privilege escalation that ultimately leads to the development of a non-invasive hack that doesn’t require the user to pull their whole dashboard apart to run.
The early stages of the process will look familiar to anyone who’s messed with embedded Linux hacking. The first step was to locate the board’s serial port and connect it to the computer. From there, [ea] was able to change the kernel parameters in the bootloader to spawn an interactive shell. To make things a little easier, the boot scripts were then modified so the system would start up an SSH server accessible over a USB Ethernet adapter. With full access to the system, the search for exploits could begin.
After some poking, [ea] discovered the script designed to mount USB storage devices had a potential flaw in it. The script was written in such a way that the filesystem label of the device would be used to create the mount point, but there were no checks in place to prevent a directory traversal attack. By crafting a label that read ../../usr/bin/ and placing a Bash script on the drive, it’s possible to run arbitrary commands on the head unit. The provided script permanently adds SSHd to the startup process, so when the system reboots, you’ll be able to log in and explore.
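The flaw described above is an ordinary path traversal, and it is worth seeing what the missing check looks like. The following is an added example, not the head unit's actual mount script, that puts the unchecked path construction beside a hardened version. The mount root `/media/usb` is a hypothetical placeholder (the article does not give the real one); the hardened variant allow-lists the label characters and then, as defence in depth, confirms the resulting path still lies under the mount root after normalization.

```python
import os
import re

# Hypothetical mount root for this example; the real path on the head unit is not given.
MOUNT_BASE = "/media/usb"


def unsafe_mount_point(label: str) -> str:
    """Mirror the flaw: the filesystem label is joined into the path with no validation.

    A label containing '..' walks out of MOUNT_BASE, which is how the article's
    '../../usr/bin/' label ends up pointing a mount at a system directory.
    """
    return os.path.normpath(os.path.join(MOUNT_BASE, label))


# Labels must start with an alphanumeric and contain only a small safe set of
# characters. This excludes '/', '\\', '.' and '..' outright.
LABEL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,31}$")


def safe_mount_point(label: str) -> str:
    """Return a mount point under MOUNT_BASE or raise ValueError for a hostile label."""
    if label in (".", "..") or not LABEL_RE.match(label):
        raise ValueError(f"rejected filesystem label: {label!r}")
    candidate = os.path.normpath(os.path.join(MOUNT_BASE, label))
    # Defence in depth: even if the allow-list were loosened later, refuse any
    # path whose normalized form has escaped the mount root.
    if os.path.commonpath([MOUNT_BASE, candidate]) != MOUNT_BASE:
        raise ValueError(f"label escapes mount root: {label!r}")
    return candidate


def is_label_safe(label: str) -> bool:
    """Boolean wrapper around safe_mount_point, handy for logging rejected devices."""
    try:
        safe_mount_point(label)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed labels: one benign, one shaped like the article's hostile label.
    for lbl in ("MYDRIVE", "../../usr/bin/"):
        print(f"{lbl!r:18} unsafe -> {unsafe_mount_point(lbl)}  safe? {is_label_safe(lbl)}")
```

The same pattern applies to any script that turns device-supplied metadata (labels, serial numbers, device names) into a filesystem path: validate against an allow-list first, then verify the final normalized path is where you expect it. Rejected labels can simply fall back to a generated name such as the device's UUID, so legitimate sticks with odd labels still mount.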
So what does [ea] want to do with this new-found exploit? It looks like the goal is to eventually come up with some custom programs that extend the functionality of the in-dash Linux system. As it seems like these “infotainment” systems are now an inescapable feature of modern automobiles, we’re certainly excited to see projects that aim to keep them under the consumer’s control.