A black PCB with a cellular modem board piggy backed on top. It has a micro-USB and DB-type connector on the end facing the camera.

Open Vehicle Monitoring System Is The Window To Your EV’s Soul

Electric cars have more widgets than ever, but manufacturers would rather you don’t have direct access to them. The Open Vehicle Monitoring System intends to change that for the user. [via Transport Evolved]

As car manufacturers hoover up user data and require subscriptions for basic features, it can be a frustrating time to make such a big purchase. Begun in 2011, OVMS now interfaces with over a dozen different EVs and gives you access to (or helps you reverse engineer) all the data you could want from your vehicle. Depending on the vehicle, any number of functions can be accessed including remote climate start or cell-level battery statistics.

The hardware connects to your car’s OBDII port and uses an ESP32 microcontroller connected to a  SIMCOM SIM7600G modem (including GPS) to provide support for 3 CAN buses as well as Wi-Fi and Bluetooth connections. This can be particularly useful for remote access to data for vehicles that can no longer phone home via their originally included cellular modems as older networks shut down.

Do you wish EVs weren’t so complicated? Read our Minimal Motoring Manifesto.

Keeping A Mazda’s Radio On After The Engine Shuts Off

Have you ever pulled into a car park with your favorite song blaring, only to lament the fact that the music cut out when you stopped the engine? Some modern cars are smart enough to keep the radio on until you open the door. [ssh16] decided to hack that very functionality into their Mazda MX-5.

The device uses a microcontroller to read the CAN bus of the vehicle. The microcontroller also has the ability to keep the vehicle’s ACC (accessory) relay energized at will. Thus, when the engine is turned off, the microcontroller keeps the ACC relay on, maintaining power to the stereo and infotainment system. Then, after ten minutes, or when it receives a CAN message that the driver’s door has been opened, it cuts power to the relay, shutting the accessories off. It’s a simple build, but one that [ssh16] executed cleanly. By putting the microcontroller on a neat PCB with a harness that can clip into the stock Mazda one, it’s possible to install the hack without needing to cut any wires. Plus, with a small modification, it was even possible to use the same hack with a Mazda CX-5.

Whether you’re jamming out to a cool song, or you just want to finish a phone call over Bluetooth, it’s a nifty feature to have in a vehicle. We’ve seen some other neat infotainment hacks before, too. Video after the break.

Continue reading “Keeping A Mazda’s Radio On After The Engine Shuts Off”

Jailbreaking Tesla Infotainment Systems

With newer cars being computers on wheels, some manufacturers are using software to put features behind a paywall or thwarting DIY repairs. Industrious hackers security researchers have taken it upon themselves to set these features free by hacking a Tesla infotainment system. (via Electrek)

The researchers from TU Berlin found that by using a voltage fault injection attack against the AMD Secure Processor (ASP) at the heart of current Tesla models, they could run arbitrary code on the infotainment system. The hack opens up the double-edged sword of an attacker gaining access to encrypted PII or a shadetree mechanic “extracting a TPM-protected attestation key Tesla uses to authenticate the car. This enables migrating a car’s identity to another car computer without Tesla’s help whatsoever, easing certain repairing efforts.” We can see this being handy for certain other unsanctioned hacks as well.

The attack is purported as being “unpatchable” and giving root access that survives reboots and updates of the system. Since AMD is a vendor to multiple vehicle companies, the question arises as to how widely applicable this hack is to other vehicles suffering from AaaS (Automotive as a Service).

Longing for a modern drivetrain with the simplicity of yesteryear? Read our Minimal Motoring Manifesto.

Get MOST Into Your Pi

When looking the modify a passenger vehicle, the Controller Area Network (CAN) bus is a pretty easy target. In modern vehicles it has access to most of the on-board systems — everything from the climate control to the instrument cluster and often even the throttle, braking, and steering systems. With as versatile as the CAN bus is, though, it’s not the right tool for every job. There’s also the Media Oriented Systems Transport (MOST) bus which is increasingly found in automotive systems to handle multimedia such as streaming music to the stereo. To access that system you’ll need to approach it slightly differently as [Rhys] demonstrates.

[Rhys] has been working on replacing the dated head unit in his Jaguar, and began by investigating the CAN bus. He got almost everything working with replacement hardware except the stereo, which is where the MOST bus comes into play. It provides a much higher bandwidth than the CAN bus can accommodate but with almost no documentation it was difficult to interact with at first. With the help of a Raspberry Pi and a lot of testing he is able to get the stereo working again with a much more modern-looking touchscreen for control. It is also able to do things like change CDs in the car’s CD player, gather song information from the CD to display on the panel, and can perform other functions of the infotainment center.

For more detailed information on the MOST bus, [Rhys] also maintains a website where he puts his discoveries and other information he finds about this system. Unfortunately car stereo systems in modern vehicles can get pretty complicated these days, but adapting car stereos in older vehicles to modern technology carries some interesting challenges as well.

Continue reading “Get MOST Into Your Pi”

Hyundai Is Doomed: Porting The 1993 Classic To A Hyundai Head Unit

In the natural order of the world, porting DOOM to any newly unlocked computing system is an absolute given. This a rule which [greenluigi1] understands all too well, leading to presumably the first Hyundai to be equipped with this all-time classic on its infotainment system. This follows hot on the trail of re-hacking said infotainment system and a gaggle of basic apps being developed for and run on said head unit (being the part of the infotainment system on the front dashboard). Although it is a Linux-based system, this doesn’t mean that you can just recompile DOOM for it, mostly because of the rather proprietary system environment.

To make life easy, [greenluigi1] picked doomgeneric as the version to port. The main selling point of this project is that it only requires the developer to implement five functions to support a new platform, which then ‘just’ left figuring out how to do this on a head unit. Two of these (DG_SleepMs() and DG_GetTicksMS()) could be copied verbatim from the X11/xlib port, but the remaining three required a bit of sleuthing.

Where things go sideways is with keeping the head unit’s Helix window manager happy, and stick to the limited ways a GUI application can be launched, including the way arguments are passed. For the PoC, it was decided to just hardcode these arguments and only register the game with Helix using an .appconf configuration file. When it came to drawing pretty graphics on the screen, this was decidedly easier since the system uses Qt5 and thus offers the usual ways to draw to a QPixmap, which in this case maps to the framebuffer.

After a few playful sessions with the head unit’s watchdog timer, [greenluigi1] found himself staring at a blank screen, despite everything appearing to work. This turned out to be due to the alpha channel value of 0 that was being set by default, along with the need for an explicit refresh of the QPixmap. Up popped DOOM, which left just the implementation of the controls.

In order to start the game, you have to literally buckle up, and the steering wheel plus media control buttons are your inputs, which makes for a creative way to play, and perhaps wear some bald spots onto your tires if you’re not careful. If you’d like to give it a shot on your own ride, you can get the project files on GitHub.

Continue reading “Hyundai Is Doomed: Porting The 1993 Classic To A Hyundai Head Unit”

Photo of the head unit , with "Hacked by greenluigi1" in the center of the UI

Hacking A Hyundai Ioniq’s Infotainment System Again After Security Fixes

These days modern cars are nothing if not a grouping of networked software held together by bits of hardware. This is reflected not only in the rapidly increasing number of ECUs, but also infotainment systems and all-glass cockpits. For better or worse, this offers many exciting hacking possibilities, which [greenluigi1] was more than happy to explore with their new 2021 Hyundai Ioniq SEL last year. Naturally, Hyundai then proceeded to ‘fix’ these vulnerabilities, offering the exciting chance to test the Hyundai engineers’ homework, and proceed to bypass it again.

When we last left off in [greenluigi1]’s adventures, the Hyundai D-Audio 2V Linux-based infotainment system (formally called in-vehicle entertainment, or IVI) in question had been convinced to run custom applications after a fair bit of effort to get root access via the Engineering Menu and some firmware image hacking. Joyous hacking and exploration of the car’s CAN network and RPC messaging system ensued. Then Hyundai released a new firmware image, after months of silence and all old firmware images pulled from the download page.

In this new firmware image, big changes were visible right off the bat, with two different ZIP files instead of the single one from before. One of these ZIP files also couldn’t be decrypted any more with the old key. Unfortunately for Hyundai, the curse of backwards compatibility with older IVIs meant that the ZIP targeting headunits running the older firmware also contained the key for the new ZIP file.

Other changes included some further obfuscation to this key and the public key used for firmware hash verification, which also involved using a Micom RPC call via the CAN bus to obtain some vehicle specific information. Unfortunately, this is where Hyundai’s engineers seemed to have stopped copying reference code samples, and used a unique RSA private key to sign firmware images with. Fortunately, they did not bother to check whether the updater actually always verifies the signature, allowing for unsigned code to be installed.

All in all, a fascinating bit of reverse-engineering and sheer stubborn persistence, just so that the IVI that’s in your car can run the applications which you developed. We’re looking forward to the next installments in this series as the ball is once again firmly in Hyundai’s court.

Hackaday Links Column Banner

Hackaday Links: March 19, 2023

We get results! Well, sort of. You may recall that in this space last week we discussed Ford’s plans to exclude AM reception on the infotainment systems of certain of their cars starting in 2024. We decried the decision, not for the loss of the sweet, sweet content that AM stations tend to carry — although we always enjoyed “Traffic on the 8s” back in our dismal days of daily commuting — but rather as a safety concern, because AM radio can reach almost the entire US population with emergency information using just 75 stations. To our way of thinking, this makes AM radio critical infrastructure, and eliminating it from motor vehicles is likely to have unintended consequences. Now it seems like there’s some agreement with that position, as former administrators of FEMA (Federal Emergency Management Administration; and no, not FEDRA) have gotten together to warn about the dangers of deleting AM from cars. Manufacturers seem to be leaning into the excuse that EVs emit a lot of radio frequency interference, rendering static-sensitive AM receivers less useful than other, more profitable less susceptible modes, like digital satellite radio. That seems like a red herring to us, but then again, the most advanced infotainment option in any car we’ve ever owned is a CD player, so it’s hard for us to judge.

Continue reading “Hackaday Links: March 19, 2023”