We get results! Well, sort of. You may recall that in this space last week we discussed Ford’s plans to exclude AM reception on the infotainment systems of certain of their cars starting in 2024. We decried the decision, not for the loss of the sweet, sweet content that AM stations tend to carry — although we always enjoyed “Traffic on the 8s” back in our dismal days of daily commuting — but rather as a safety concern, because AM radio can reach almost the entire US population with emergency information using just 75 stations. To our way of thinking, this makes AM radio critical infrastructure, and eliminating it from motor vehicles is likely to have unintended consequences. Now it seems like there’s some agreement with that position, as former administrators of FEMA (Federal Emergency Management Administration; and no, not FEDRA) have gotten together to warn about the dangers of deleting AM from cars. Manufacturers seem to be leaning into the excuse that EVs emit a lot of radio frequency interference, rendering static-sensitive AM receivers less useful than other, more profitable less susceptible modes, like digital satellite radio. That seems like a red herring to us, but then again, the most advanced infotainment option in any car we’ve ever owned is a CD player, so it’s hard for us to judge.
With a long history of nearly universal hate for their products, you’d think printer manufacturers would by now have found ways to back off from the policies that only seem to keep aggravating customers. But rather than make it a financially wiser decision to throw out a printer and buy a new one than to buy new ink cartridges or toners, manufacturers keep coming up with new and devious ways to piss customers off. Case in point: Hewlett-Packard now seems to be bricking printers with third-party ink cartridges. Reports from users say that a new error message has popped up on screens of printers with non-HP cartridges installed warning that further use of the printer has been blocked. Previously, printers just warned about potential quality issues from non-HP consumables, but now they’re essentially bricked until you cough up the money for legit HP cartridges. Users who have contacted HP support say that they were told the change occurred because of a recent firmware update sent to the printer, so that’s comforting.
Well, we guess it had to happen eventually — Ford is putting plans in place to make its vehicles capable of self-repossession. At least it seems so from a patent application that was published last week, which reads like something written by someone who fancies themselves an evil genius but is just really, really annoying. Like most patent applications, it covers a lot of ground; aside from the obvious capability of a self-driving car to drive itself back to the dealership, Ford lists a number of steps that its proposed system could take before or instead of driving the car away from someone who’s behind on payments.
Examples include selective disabling conveniences in the vehicle, like the HVAC or infotainment systems, or even locking the doors and effectively bricking the vehicle. Ford graciously makes allowance for using the repossessed vehicle in an emergency, and makes mention of using cameras in the vehicle and a “neural network” to verify that the locked-out user is indeed having, say, a medical emergency. What could possibly go wrong?
[greenluigi1] bought a Hyundai Ioniq car, and then, to our astonishment, absolutely demolished the Linux-based head unit firmware. By that, we mean that he bypassed all of the firmware update authentication mechanisms, reverse-engineered the firmware updates, and created subversive update files that gave him a root shell on his own unit. Then, he reverse-engineered the app framework running the dash and created his own app. Not just for show – after hooking into the APIs available to the dash and accessible through header files, he was able to monitor car state from his app, and even lock/unlock doors. In the end, the dash got completely conquered – and he even wrote a tutorial showing how anyone can compile their own apps for the Hyundai Ionic D-Audio 2V dash.
In this series of write-ups [greenluigi1] put together for us, he walks us through the entire hacking process — and they’re a real treat to read. He covers a wide variety of things: breaking encryption of .zip files, reprogramming efused MAC addresses on USB-Ethernet dongles, locating keys for encrypted firmware files, carefully placing backdoors into a Linux system, fighting cryptic C++ compilation errors and flag combinations while cross-compiling the software for the head unit, making plugins for proprietary undocumented frameworks; and many other reverse-engineering aspects that we will encounter when domesticating consumer hardware.
This marks a hacker’s victory over yet another computer in our life that we aren’t meant to modify, and a meticulously documented victory at that — helping each one of us fight back against “unmodifiable” gadgets like these. After reading these tutorials, you’ll leave with a good few new techniques under your belt. We’ve covered head units hacks like these before, for instance, for Subaru and Nissan, and each time it was a journey to behold.
Now for those of us who are a more interested in how this whole process works, [ea] was kind of enough to provide a very detailed account of how the exploit was discovered. Starting with getting a spare Linux-powered head unit out of a crashed Xterra to experiment with, the write-up takes the reader through each discovery and privilege escalation that ultimately leads to the development of a non-invasive hack that doesn’t require the user to pull their whole dashboard apart to run.
The early stages of the process will look familiar to anyone who’s messed with embedded Linux hacking. The first step was to locate the board’s serial port and connect it to the computer. From there, [ea] was able to change the kernel parameters in the bootloader to spawn an interactive shell. To make things a little easier, the boot scripts were then modified so the system would start up an SSH server accessible over a USB Ethernet adapter. With full access to the system, the search for exploits could begin.
After some poking, [ea] discovered the script designed to mount USB storage devices had a potential flaw in it. The script was written in such a way that the filesystem label of the device would be used to create the mount point, but there were no checks in place to prevent a directory traversal attack. By crafting a label that read ../../usr/bin/ and placing a Bash script on the drive, it’s possible to run arbitrary commands on the head unit. The provided script permanently adds SSHd to the startup process, so when the system reboots, you’ll be able to log in and explore.
So what does [ea] want to do with this new-found exploit? It looks like the goal is to eventually come up with some custom programs that extend the functionality of the in-dash Linux system. As it seems like these “infotainment” systems are now an inescapable feature of modern automobiles, we’re certainly excited to see projects that aim to keep them under the consumer’s control.
Part of the fun of watching action movies is imagining yourself as the main character, always going on exciting adventures and, of course, being accompanied by the perfect soundtrack to score the excitement and drama of your life. While having an orchestra follow you around might not always be practical, [P1kachu] at least figured out how to get some musical orchestration to sync up with how he drives his car, Fast-and-Furious style.
The idea is pretty straightforward: when [P1kachu] drives his car calmly and slowly, the music that the infotainment system plays is cool and reserved. But when he drops the hammer, the music changes to something more aggressive and in line with the new driving style. While first iterations of his project used the CAN bus, he moved to Japan and bought an old Subaru that doesn’t have CAN. The new project works on something similar called Subaru Select Monitor v1 (SSM1), but still gets the job done pretty well.
The hardware uses an Asus Tinkerboard and a Raspberry Pi with the 7″ screen, and a shield that can interface with CAN (and later with SSM1). The new music is selected by sensing pedal position, allowing him to more easily trigger the aggressive mode that his previous iterations did. Those were done using vehicle speed as a trigger, which proved to be ineffective at producing the desired results. Of course, there are many other things that you can do with CAN bus besides switching up the music in your car.
Pioneer’s flagship AVIC line of in-car multimedia systems is compatible with both Android Auto and Apple Car Play, and offers all manner of multimedia features to the driver of today. What’s more, these in-dash wonders have spawned their own community, dedicated to hacking the units. The ultimate infotainment hack is to develop custom ROMs for these devices.
What this means is that owners of Pioneer AVIC units will eventually be able to flash a custom ROM onto their in-car device, allowing it to operate more like any other generic Android tablet on the market. The potential is there for installing custom applications, extra hardware (such as OBD II readers), or pretty much anything else you can do with an Android device.
The hack involves a whole lot of delicate steps, beginning with using a USB stick with a special image to boot the device into a test mode. This allows the internal SD card to be backed up, then overwritten with a new image itself.
Mostly, the hack has been used to allow map files to be updated on the internal SD card — inability to update maps has been a long festering thorn in the side of in-dash navigation systems. Users have been customizing this to suit their requirements, also adding speed camera locations and other features. But overall this hack is a great example of hacking something to get full control over the things you own. At the least, this will allow drivers to ditch the phones suction-cupped to the windshield and run common apps like Waze, Uber, and Lyft directly on the infotainment screen (assuming you can rig up an Internet connection).