Rooting Your Ride: Jailbreaking A Subaru QNX

A modern car still drives in the same way as the one you would have bought thirty years ago: it still has a steering wheel and all the other controls. What has changed in the cabin lies mostly beneath the dash, where enough computing power to launch several Moon shots takes care of everything from air-conditioning to entertainment. As you might expect, these systems attract the curiosity of security researchers, and through their work we gain an insight into their operation.

[Scott Gayou] has a Subaru, a car that has an all-in-one entertainment system head unit that is typical of what you’d find across a host of manufacturers. His account of jailbreaking it is a lengthy essay and a fascinating read for anyone. He starts with a serial port, then an SSH prompt for a root password, and a bit of searching to find it was made by Harman and that it runs the closed-source realtime OS QNX. From there he finds an official Subaru update, from which he can slowly peel away the layers and deduce the security mechanism. The write-up lays bare his techniques, for example at one point isolating the ARM assembler for a particular function and transplanting it bodily into his own code for investigation.

Eventually he could penetrate the filesystem of the update, and from there he found that while the root user had a password, there were two other accounts that, while heavily locked down, had none. He then discovered that files on USB drives plugged into the system were given user-level execute permissions, at which point, under one of the locked-down users, he could execute arbitrary code from a USB drive. He could then create and modify copies of the device's filesystem and flash them onto it, placing a modified password validation function into it and thereby gaining root access.

Some Hackaday readers will be accomplished in security work such as this, but many of us are hardware specialists for whom it remains something of a dark art. A comprehensive and accessible write-up such as this one is therefore invaluable, because it gives us an insight into the techniques used and perhaps more importantly, into some of the security pitfalls a hardware engineer might unwittingly introduce into their creations.

QNX is a real-time operating system with a long history of appearances in industrial and automotive applications. Readers with long memories may recall their demo floppies from the 1990s which packed a fully functional GUI, Internet connectivity, and modern (for the time) web browser onto a single 1.44Mb floppy disk. We’ve talked about it in the past in a little detail, as when someone made a desktop OS using it.

A DIY Interface for Subaru Select Monitor 1

Hacking A 20 Year Old Subaru

While cars are slowly becoming completely computer-controlled, road vehicles have been relying on computers since the 1970s. The first automotive use of computers was in engine control units (ECUs), which came along as fuel injection systems started to replace carburetors.

[P1kachu]'s 1997 Subaru Impreza STi, like most cars of this vintage, uses an ECU and provides a diagnostic connector for external communications. [P1kachu]'s Subaru hacking project includes building a diagnostic interface device, dumping the ECU's firmware, and reverse engineering the binary to understand and disable the speed limiter. If this looks familiar, it's because we just covered the infotainment hacks in this car on Saturday. But the information he added about the communications protocols is definitely worth another look.

This era of Subaru uses a non-standard diagnostics protocol called SSM1, which is essentially a 5 volt TTL serial line running at 1953 bits per second. The custom interface consists of a Teensy and a 3.3V to 5V level shifter. Once connected, commands can be sent directly to the ECU. Fortunately, the protocol has been quite well documented in the past. By issuing the “Read data from ECU address” command repeatedly, the full firmware can be dumped.

[P1kachu] goes on to locate the various engine tuning maps and discover the inner workings of the speed limiter. With cars getting more computerized, it’s nice to see folks are still able to tune their rides, even if it means using Teensys instead of wrenches.

Adaptive Infotainment Plays Tunes To Match Your Dangerous Driving

Part of the fun of watching action movies is imagining yourself as the main character, always going on exciting adventures and, of course, being accompanied by the perfect soundtrack to score the excitement and drama of your life. While having an orchestra follow you around might not always be practical, [P1kachu] at least figured out how to get some musical orchestration to sync up with how he drives his car, Fast-and-Furious style.

The idea is pretty straightforward: when [P1kachu] drives his car calmly and slowly, the music that the infotainment system plays is cool and reserved. But when he drops the hammer, the music changes to something more aggressive and in line with the new driving style. While the first iterations of his project used the CAN bus, he moved to Japan and bought an old Subaru that doesn't have CAN. The new project works on something similar called Subaru Select Monitor v1 (SSM1), but still gets the job done pretty well.

The hardware uses an Asus Tinkerboard and a Raspberry Pi with the 7″ screen, and a shield that can interface with CAN (and later with SSM1). The new music is selected by sensing pedal position, allowing him to trigger the aggressive mode more easily than his previous iterations did. Those were done using vehicle speed as a trigger, which proved to be ineffective at producing the desired results. Of course, there are many other things that you can do with CAN bus besides switching up the music in your car.


3D Printed Dashboard CB Mount Is Convoy Ready

Some may be surprised to hear that CB radio is alive and well in the 21st century. From disaster response to operating in areas without reliable communication infrastructure, there are plenty of reasons people are still reaching for their radio and not their smartphone. Unfortunately, modern automotive interior design doesn’t have such an enlightened view. It’s hard enough to get decent cup holders in some cars, let alone a spot to hang your microphone.

When presented with this problem in his Subaru Forester, [Alex Loizou] did what any modern hacker would: he 3D printed a mount that snaps into the stock dash. No drilling was required to attach his radio mount; it simply replaces a decorative trim piece that wasn't doing anything anyway. Obviously this particular mount would only really work on the same year and make of vehicle as [Alex] has, but this is a good demonstration of how 3D printing can be used to adapt to existing hardware.

As is often the case when trying to print something to match perfectly with an existing object, there was a fair amount of trial and error required. It took a few attempts before [Alex] got the proper shape, and things weren’t made any easier by the fact he was doing his designing in TinkerCAD. While we appreciate the fact that TinkerCAD provides a web-based CAD tool that is easy enough for anyone to use, using a parametric design tool like OpenSCAD is generally preferred when you need to make slight adjustments to your model.

Software limitations aside, [Alex] managed to come up with a mount that not only holds his CB microphone, but also his handheld transmitter, all while looking about as close to stock hardware as something like this could. We especially like that he switched to a darker filament color for his final version to blend it into the dash's color scheme a bit better.

If your radio interest is a little full-fat for CB, take a look at what keeps ham radio alive and well in 2017, and if you’re a radio amateur with a hankering for the CB days we’ve got you covered.

Exploiting Weak Crypto On Car Key Fobs

[tomwimmenhove] has found a vulnerability in the cryptographic algorithm that is used by certain Subaru key fobs and he has open-sourced the software that drives this exploit. All you need to open your Subaru is a RasPi and a DVB-T dongle, so you could complain that sharing this software equates to giving out master keys to potential car thieves. On the other hand, this only works for a limited number of older models from a single manufacturer — it’s lacking in compatibility and affordability when compared to the proverbial brick.

This hack is much more useful as a case study than a brick is, however, and [tomwimmenhove]'s work points out some bad design on the manufacturer's side and as such can help you to avoid these kinds of mistakes. The problem of predictable keys got great treatment in the comments of our post about an encryption scheme for devices low in power and memory, for instance.

Those of you interested in digital signal processing may also want to take a look at his code, where he implements filtering, demodulation and decoding of the key fob’s signal. The transmission side is handled by rpitx and attacks against unencrypted communications with this kind of setup have been shown here before. There’s a lot going on here that’s much more interesting than stealing cars.

[Via Bleeping Computer]


Homemade Subaru Head Unit Is Hidden Masterpiece

The Subaru BRZ (also produced for Toyota as the GT86) is a snappy sportster, but [megahercas6]'s old US version had many navigation and entertainment system features which weren't useful or wouldn't work in his native Lithuania. He could have swapped out the built-in screen for a large 4G Android tablet/phone, but there's limited adventure in that. Instead, he went ahead and built his own homemade navigation system by designing and integrating a whole bunch of hardware modules, resulting in one "hack" of an upgrade.

The system is built around a Lenovo 4G phone-tablet running Android and supporting GPS, GLONASS as well as the Chinese BeiDou satellite navigation systems. He removed the original daughter board handling the USB OTG connection on the tablet, and replaced it with his own version so he could connect it to his external USB board via a flat ribbon cable. The USB board contains a Cypress 4-port USB hub. One port is used as the USB HID device to allow external buttons for system control: Power, Volume Up/Down, Fwd/Rev, Play/Pause, and Phone Answer/Hangup. The second port is used as a regular USB input to allow connecting external devices such as flash drives. The third one goes to a reversing camera while the fourth port goes to a USB DAC.

The USB DAC is another hardware board by itself and also includes a Bluetooth module which integrates his phone's audio and control functions with the on-board system. There's also an audio mixer which allows him to use the phone audio without having to miss out on the navigation prompts from the tablet. Both boards also contain several peripheral circuits such as amplifiers and DC power supplies. Audio to the speakers is routed through six LM3886-based power amplifier boards, and the GPS module receives its own special low-noise amplifier board to ensure extremely strong reception at all times. That's a total of ten boards custom built for this project. He's also managed to source all the original harness connectors, so his system is literally a snap-in replacement. The final assembly looks pretty dashing.

For some strange reason, the Lenovo tablet uses 4.35V as the "fully charged" value for its LiPo instead of the more common 4.20V, so even with the whole system connected to a hefty 12V lead-acid battery from which he's deriving the 4.20V charging voltage for the tablet, it still complains about "low battery", and he's looking for advice on how he can resolve that issue short of blowing up the LiPo by using the higher charge voltage. Besides that, he's (obviously) a kickass hardware designer but a little bit rusty on the software and programming side of things, for which he's looking for input from the community. His introductory video is almost 30 minutes long, but the shorter demo video after the break shows the system after installation in his car. He's posted all of his Altium hardware source files on the project page, but until he shares PDF versions, it would be difficult for most of us to look at his work.


Adapting The Nexus 7 For A Double DIN Car Dashboard Opening

It turns out that the Nexus 7 Android tablet is the perfect size to fit in a double DIN opening. DIN is the form factor of a single CD head unit for an automobile. Many models have room for a double DIN, which is defined as 4″ high by 7″ wide. Once [Meta James] figured out that the dashboard bezel for his Subaru framed the Nexus 7 perfectly, he set out to fabricate the mounting system for an in-dash tablet installation.

Unlike a lot of these dashboard tablet installs, [James] didn't need any Bondo, sanding, or painting to get things to look right. As we mentioned, the bezel is a perfect fit, so his alterations are hidden behind the tablet itself. He removed the stock head unit and ordered a DIN adapter kit to get the black bracket plate seen above. He built an acrylic box the same size as a double DIN head unit, then mounted the plates to the sides and a Nexus 7 case to the front. This holds the tablet in firmly, lets him mount the entire assembly using the factory mounting points, and leaves plenty of room for the cabling that connects the device to the car. Since he already had a hands-free phone system, he just uses that to amplify the audio fed to it via Bluetooth.

[via Reddit]