Hyundai Is Doomed: Porting The 1993 Classic To A Hyundai Head Unit

In the natural order of the world, porting DOOM to any newly unlocked computing system is an absolute given. This a rule which [greenluigi1] understands all too well, leading to presumably the first Hyundai to be equipped with this all-time classic on its infotainment system. This follows hot on the trail of re-hacking said infotainment system and a gaggle of basic apps being developed for and run on said head unit (being the part of the infotainment system on the front dashboard). Although it is a Linux-based system, this doesn’t mean that you can just recompile DOOM for it, mostly because of the rather proprietary system environment.

To make life easy, [greenluigi1] picked doomgeneric as the version to port. The main selling point of this project is that it only requires the developer to implement five functions to support a new platform, which then ‘just’ left figuring out how to do this on a head unit. Two of these (DG_SleepMs() and DG_GetTicksMS()) could be copied verbatim from the X11/xlib port, but the remaining three required a bit of sleuthing.

Where things go sideways is with keeping the head unit’s Helix window manager happy, and stick to the limited ways a GUI application can be launched, including the way arguments are passed. For the PoC, it was decided to just hardcode these arguments and only register the game with Helix using an .appconf configuration file. When it came to drawing pretty graphics on the screen, this was decidedly easier since the system uses Qt5 and thus offers the usual ways to draw to a QPixmap, which in this case maps to the framebuffer.

After a few playful sessions with the head unit’s watchdog timer, [greenluigi1] found himself staring at a blank screen, despite everything appearing to work. This turned out to be due to the alpha channel value of 0 that was being set by default, along with the need for an explicit refresh of the QPixmap. Up popped DOOM, which left just the implementation of the controls.

In order to start the game, you have to literally buckle up, and the steering wheel plus media control buttons are your inputs, which makes for a creative way to play, and perhaps wear some bald spots onto your tires if you’re not careful. If you’d like to give it a shot on your own ride, you can get the project files on GitHub.

Continue reading “Hyundai Is Doomed: Porting The 1993 Classic To A Hyundai Head Unit”

Photo of the head unit , with "Hacked by greenluigi1" in the center of the UI

Hacking A Hyundai Ioniq’s Infotainment System Again After Security Fixes

These days modern cars are nothing if not a grouping of networked software held together by bits of hardware. This is reflected not only in the rapidly increasing number of ECUs, but also infotainment systems and all-glass cockpits. For better or worse, this offers many exciting hacking possibilities, which [greenluigi1] was more than happy to explore with their new 2021 Hyundai Ioniq SEL last year. Naturally, Hyundai then proceeded to ‘fix’ these vulnerabilities, offering the exciting chance to test the Hyundai engineers’ homework, and proceed to bypass it again.

When we last left off in [greenluigi1]’s adventures, the Hyundai D-Audio 2V Linux-based infotainment system (formally called in-vehicle entertainment, or IVI) in question had been convinced to run custom applications after a fair bit of effort to get root access via the Engineering Menu and some firmware image hacking. Joyous hacking and exploration of the car’s CAN network and RPC messaging system ensued. Then Hyundai released a new firmware image, after months of silence and all old firmware images pulled from the download page.

In this new firmware image, big changes were visible right off the bat, with two different ZIP files instead of the single one from before. One of these ZIP files also couldn’t be decrypted any more with the old key. Unfortunately for Hyundai, the curse of backwards compatibility with older IVIs meant that the ZIP targeting headunits running the older firmware also contained the key for the new ZIP file.

Other changes included some further obfuscation to this key and the public key used for firmware hash verification, which also involved using a Micom RPC call via the CAN bus to obtain some vehicle specific information. Unfortunately, this is where Hyundai’s engineers seemed to have stopped copying reference code samples, and used a unique RSA private key to sign firmware images with. Fortunately, they did not bother to check whether the updater actually always verifies the signature, allowing for unsigned code to be installed.

All in all, a fascinating bit of reverse-engineering and sheer stubborn persistence, just so that the IVI that’s in your car can run the applications which you developed. We’re looking forward to the next installments in this series as the ball is once again firmly in Hyundai’s court.

Hackaday Links Column Banner

Hackaday Links: March 19, 2023

We get results! Well, sort of. You may recall that in this space last week we discussed Ford’s plans to exclude AM reception on the infotainment systems of certain of their cars starting in 2024. We decried the decision, not for the loss of the sweet, sweet content that AM stations tend to carry — although we always enjoyed “Traffic on the 8s” back in our dismal days of daily commuting — but rather as a safety concern, because AM radio can reach almost the entire US population with emergency information using just 75 stations. To our way of thinking, this makes AM radio critical infrastructure, and eliminating it from motor vehicles is likely to have unintended consequences. Now it seems like there’s some agreement with that position, as former administrators of FEMA (Federal Emergency Management Administration; and no, not FEDRA) have gotten together to warn about the dangers of deleting AM from cars. Manufacturers seem to be leaning into the excuse that EVs emit a lot of radio frequency interference, rendering static-sensitive AM receivers less useful than other, more profitable less susceptible modes, like digital satellite radio. That seems like a red herring to us, but then again, the most advanced infotainment option in any car we’ve ever owned is a CD player, so it’s hard for us to judge.

Continue reading “Hackaday Links: March 19, 2023”

Hackaday Links Column Banner

Hackaday Links: March 12, 2023

With a long history of nearly universal hate for their products, you’d think printer manufacturers would by now have found ways to back off from the policies that only seem to keep aggravating customers. But rather than make it a financially wiser decision to throw out a printer and buy a new one than to buy new ink cartridges or toners, manufacturers keep coming up with new and devious ways to piss customers off. Case in point: Hewlett-Packard now seems to be bricking printers with third-party ink cartridges. Reports from users say that a new error message has popped up on screens of printers with non-HP cartridges installed warning that further use of the printer has been blocked. Previously, printers just warned about potential quality issues from non-HP consumables, but now they’re essentially bricked until you cough up the money for legit HP cartridges. Users who have contacted HP support say that they were told the change occurred because of a recent firmware update sent to the printer, so that’s comforting.

Continue reading “Hackaday Links: March 12, 2023”

Hackaday Links Column Banner

Hackaday Links: March 5, 2023

Well, we guess it had to happen eventually — Ford is putting plans in place to make its vehicles capable of self-repossession. At least it seems so from a patent application that was published last week, which reads like something written by someone who fancies themselves an evil genius but is just really, really annoying. Like most patent applications, it covers a lot of ground; aside from the obvious capability of a self-driving car to drive itself back to the dealership, Ford lists a number of steps that its proposed system could take before or instead of driving the car away from someone who’s behind on payments.

Examples include selective disabling conveniences in the vehicle, like the HVAC or infotainment systems, or even locking the doors and effectively bricking the vehicle. Ford graciously makes allowance for using the repossessed vehicle in an emergency, and makes mention of using cameras in the vehicle and a “neural network” to verify that the locked-out user is indeed having, say, a medical emergency. What could possibly go wrong?

Continue reading “Hackaday Links: March 5, 2023”

Photo of the head unit , with "Hacked by greenluigi1" in the center of the UI

Hacker Liberates Hyundai Head Unit, Writes Custom Apps

[greenluigi1] bought a Hyundai Ioniq car, and then, to our astonishment, absolutely demolished the Linux-based head unit firmware. By that, we mean that he bypassed all of the firmware update authentication mechanisms, reverse-engineered the firmware updates, and created subversive update files that gave him a root shell on his own unit. Then, he reverse-engineered the app framework running the dash and created his own app. Not just for show – after hooking into the APIs available to the dash and accessible through header files, he was able to monitor car state from his app, and even lock/unlock doors. In the end, the dash got completely conquered – and he even wrote a tutorial showing how anyone can compile their own apps for the Hyundai Ionic D-Audio 2V dash.

In this series of write-ups [greenluigi1] put together for us, he walks us through the entire hacking process — and they’re a real treat to read. He covers a wide variety of things: breaking encryption of .zip files, reprogramming efused MAC addresses on USB-Ethernet dongles, locating keys for encrypted firmware files, carefully placing backdoors into a Linux system, fighting cryptic C++ compilation errors and flag combinations while cross-compiling the software for the head unit, making plugins for proprietary undocumented frameworks; and many other reverse-engineering aspects that we will encounter when domesticating consumer hardware.

This marks a hacker’s victory over yet another computer in our life that we aren’t meant to modify, and a meticulously documented victory at that — helping each one of us fight back against “unmodifiable” gadgets like these. After reading these tutorials, you’ll leave with a good few new techniques under your belt. We’ve covered head units hacks like these before, for instance, for Subaru and Nissan, and each time it was a journey to behold.

Nissan Gives Up Root Shell Thanks To Hacked USB Drive

For the impatient Nissan owners who may be joining us from Google, a hacker by the name of [ea] has figured out how to get a root shell on the Bosch LCN2kai head unit of their 2015 Xterra, and it looks like the process should be the same for other vehicles in the Nissan family such as the Rogue, Sentra, Altima, and Frontier. If you want to play along at home, all you have to do is write the provided image to a USB flash drive and insert it.

Now for those of us who are a more interested in how this whole process works, [ea] was kind of enough to provide a very detailed account of how the exploit was discovered. Starting with getting a spare Linux-powered head unit out of a crashed Xterra to experiment with, the write-up takes the reader through each discovery and privilege escalation that ultimately leads to the development of a non-invasive hack that doesn’t require the user to pull their whole dashboard apart to run.

The early stages of the process will look familiar to anyone who’s messed with embedded Linux hacking. The first step was to locate the board’s serial port and connect it to the computer. From there, [ea] was able to change the kernel parameters in the bootloader to spawn an interactive shell. To make things a little easier, the boot scripts were then modified so the system would start up an SSH server accessible over a USB Ethernet adapter. With full access to the system, the search for exploits could begin.

A simple script on the flash drive enables the SSH server.

After some poking, [ea] discovered the script designed to mount USB storage devices had a potential flaw in it. The script was written in such a way that the filesystem label of the device would be used to create the mount point, but there were no checks in place to prevent a directory traversal attack. By crafting a label that read ../../usr/bin/ and placing a Bash script on the drive, it’s possible to run arbitrary commands on the head unit. The provided script permanently adds SSHd to the startup process, so when the system reboots, you’ll be able to log in and explore.

So what does [ea] want to do with this new-found exploit? It looks like the goal is to eventually come up with some custom programs that extend the functionality of the in-dash Linux system. As it seems like these “infotainment” systems are now an inescapable feature of modern automobiles, we’re certainly excited to see projects that aim to keep them under the consumer’s control.