[greenluigi1] bought a Hyundai Ioniq car, and then, to our astonishment, absolutely demolished the Linux-based head unit firmware. By that, we mean that he bypassed all of the firmware update authentication mechanisms, reverse-engineered the firmware updates, and created subversive update files that gave him a root shell on his own unit. Then, he reverse-engineered the app framework running the dash and created his own app. Not just for show – after hooking into the APIs available to the dash and accessible through header files, he was able to monitor car state from his app, and even lock/unlock doors. In the end, the dash got completely conquered – and he even wrote a tutorial showing how anyone can compile their own apps for the Hyundai Ioniq D-Audio 2V dash.
In this series of write-ups [greenluigi1] put together for us, he walks us through the entire hacking process — and they’re a real treat to read. He covers a wide variety of things: breaking encryption of .zip files, reprogramming efused MAC addresses on USB-Ethernet dongles, locating keys for encrypted firmware files, carefully placing backdoors into a Linux system, fighting cryptic C++ compilation errors and flag combinations while cross-compiling the software for the head unit, making plugins for proprietary undocumented frameworks; and many other reverse-engineering aspects that we will encounter when domesticating consumer hardware.
This marks a hacker’s victory over yet another computer in our life that we aren’t meant to modify, and a meticulously documented victory at that — helping each one of us fight back against “unmodifiable” gadgets like these. After reading these tutorials, you’ll leave with a good few new techniques under your belt. We’ve covered head unit hacks like these before, for instance, for Subaru and Nissan, and each time it was a journey to behold.
Now for those of us who are more interested in how this whole process works, [ea] was kind enough to provide a very detailed account of how the exploit was discovered. Starting with getting a spare Linux-powered head unit out of a crashed Xterra to experiment with, the write-up takes the reader through each discovery and privilege escalation that ultimately leads to the development of a non-invasive hack that doesn’t require the user to pull their whole dashboard apart to run.
The early stages of the process will look familiar to anyone who’s messed with embedded Linux hacking. The first step was to locate the board’s serial port and connect it to the computer. From there, [ea] was able to change the kernel parameters in the bootloader to spawn an interactive shell. To make things a little easier, the boot scripts were then modified so the system would start up an SSH server accessible over a USB Ethernet adapter. With full access to the system, the search for exploits could begin.
After some poking, [ea] discovered the script designed to mount USB storage devices had a potential flaw in it. The script was written in such a way that the filesystem label of the device would be used to create the mount point, but there were no checks in place to prevent a directory traversal attack. By crafting a label that read ../../usr/bin/ and placing a Bash script on the drive, it’s possible to run arbitrary commands on the head unit. The provided script permanently adds SSHd to the startup process, so when the system reboots, you’ll be able to log in and explore.
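The flaw described above, as an added example (not the head unit's actual script or [ea]'s code): a mount-point builder that trusts the filesystem label, next to one that allowlists label characters and checks where the path resolves. `MOUNT_BASE` and all function names are assumptions.

```shell
#!/bin/sh
# Added illustration. MOUNT_BASE and all function names are assumptions,
# not taken from the head unit's firmware.
MOUNT_BASE="/media/usb"

# Pattern described above: the label is appended to the base path unchecked.
unsafe_mount_point() {
    printf '%s/%s\n' "$MOUNT_BASE" "$1"
}

# Hardened: map every byte outside a small allowlist to "_", so the label
# can never contribute "/" or "." to the path; empty labels get a fixed name.
safe_mount_point() {
    clean=$(printf '%s' "$1" | LC_ALL=C tr -c 'A-Za-z0-9_-' '_')
    [ -n "$clean" ] || clean="unnamed"
    printf '%s/%s\n' "$MOUNT_BASE" "$clean"
}

# Lexically resolve "." and ".." to show where a path really lands.
normalize_path() {
    out=""
    old_ifs=$IFS; IFS=/
    set -f                      # no globbing while splitting on "/"
    for part in $1; do
        case "$part" in
            ''|.) ;;
            ..)   out=${out%/*} ;;
            *)    out="$out/$part" ;;
        esac
    done
    set +f; IFS=$old_ifs
    printf '%s\n' "${out:-/}"
}

# Defence in depth: refuse any mount point that resolves outside MOUNT_BASE.
is_inside_base() {
    case "$(normalize_path "$1")" in
        "$MOUNT_BASE"/?*) return 0 ;;
        *)                return 1 ;;
    esac
}

# Constructed sample labels: the one quoted in the article and a benign one.
for label in '../../usr/bin/' 'MUSIC'; do
    printf '%-16s unsafe -> %-10s safe -> %s\n' "$label" \
        "$(normalize_path "$(unsafe_mount_point "$label")")" \
        "$(safe_mount_point "$label")"
done
```

A mount script would call `safe_mount_point` to build the directory and still run `is_inside_base` on the result before mounting, so a later change to the allowlist cannot silently reopen the traversal.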
So what does [ea] want to do with this new-found exploit? It looks like the goal is to eventually come up with some custom programs that extend the functionality of the in-dash Linux system. As it seems like these “infotainment” systems are now an inescapable feature of modern automobiles, we’re certainly excited to see projects that aim to keep them under the consumer’s control.
Part of the fun of watching action movies is imagining yourself as the main character, always going on exciting adventures and, of course, being accompanied by the perfect soundtrack to score the excitement and drama of your life. While having an orchestra follow you around might not always be practical, [P1kachu] at least figured out how to get some musical orchestration to sync up with how he drives his car, Fast-and-Furious style.
The idea is pretty straightforward: when [P1kachu] drives his car calmly and slowly, the music that the infotainment system plays is cool and reserved. But when he drops the hammer, the music changes to something more aggressive and in line with the new driving style. While first iterations of his project used the CAN bus, he moved to Japan and bought an old Subaru that doesn’t have CAN. The new project works on something similar called Subaru Select Monitor v1 (SSM1), but still gets the job done pretty well.
The hardware uses an Asus Tinkerboard and a Raspberry Pi with the 7″ screen, and a shield that can interface with CAN (and later with SSM1). The new music is selected by sensing pedal position, allowing him to more easily trigger the aggressive mode than his previous iterations did. Those were done using vehicle speed as a trigger, which proved to be ineffective at producing the desired results. Of course, there are many other things that you can do with CAN bus besides switching up the music in your car.
Pioneer’s flagship AVIC line of in-car multimedia systems is compatible with both Android Auto and Apple CarPlay, and offers all manner of multimedia features to the driver of today. What’s more, these in-dash wonders have spawned their own community, dedicated to hacking the units. The ultimate infotainment hack is to develop custom ROMs for these devices.
What this means is that owners of Pioneer AVIC units will eventually be able to flash a custom ROM onto their in-car device, allowing it to operate more like any other generic Android tablet on the market. The potential is there for installing custom applications, extra hardware (such as OBD II readers), or pretty much anything else you can do with an Android device.
The hack involves a whole lot of delicate steps, beginning with using a USB stick with a special image to boot the device into a test mode. This allows the internal SD card to be backed up, then overwritten with a new image itself.
Mostly, the hack has been used to allow map files to be updated on the internal SD card — inability to update maps has been a long-festering thorn in the side of in-dash navigation systems. Users have been customizing this to suit their requirements, also adding speed camera locations and other features. But overall this hack is a great example of hacking something to get full control over the things you own. At the least, this will allow drivers to ditch the phones suction-cupped to the windshield and run common apps like Waze, Uber, and Lyft directly on the infotainment screen (assuming you can rig up an Internet connection).
You’d figure a luxury car like a Jaguar would have a high-end infotainment system. [RichTatham]’s Jag did, but the trouble was that it was a high-end system when a cassette deck and trunk-mounted CD changer were big deals. So naturally, he saw this as a great reason to modernize the system by grafting a netbook into the Jag’s dash. The results are fantastic!
Even though the Jag’s original system didn’t have much left that made it into the final project — the navigation system, CD changer, phone and even the amps ended up on the scrap heap — at least the dashboard instrument cluster proved to be very amenable to his mods. By substituting a climate control cluster from another model into his car, he was able to free up tons of space for the netbook’s 8″ display. A custom bezel and some clever brackets completed the head-end of the new system, and the look is as close to a factory install as you’re likely to find in an aftermarket mod. With the netbook stashed in the bay vacated by the OEM system, a GPS dongle, and a USB sound card connected to a 5.1 amp using the original speakers, this Jag is ready to bump. We bet that the system sounds as good as it looks, and with the added functionality of a Windows PC to boot.