I really appreciate that the author took the time to put a summary near the end:
> I used a Raspberry Pi in USB gadget mode to simulate an Android device connected to the head unit. The head unit thinks it's accepting a navigation maps update from the "phone", but because the update protocol allows for arbitrary file changes, I can issue commands to modify a specific file and inject a call to a bash script that gets run as root.
Could you have used ssh? It might have been as easy as using nftp to upload a new /root/.ssh/authorized_keys file. Or not, depending on how they have ssh configured.
> The core OS appears to be from GENIVI/COVESA (GitHub: GENIVI/COVESA). I'm not familiar with these systems at all. They have a fair bit of open-source stuff that will probably explore in the future.
In a prior role I got to engage on a number of GENIVI projects. GENIVI was/is a consortium of Auto makers and 1st-tier companies that determine standards for automotive IVI (In-Vehicle Infotainment). I got to work on some demonstration projects that were proof-of-concept for the standards. IIRC, we were implementing them on the Automotive-Grade Linux distribution. It was a really exciting time. I legitimately thought that there might be a future for a standard (or at least a couple of standard) infotainment systems.
Fun stuff. FWIW, I sort of thought of GENIVI as the European standards group, whereas AGL seemed largely funded and driven by the Asian Automakers. But that's my narrow viewpoint.
I found the Automotive Grade Linux booth at CES last month and indeed, they had a bunch of infotainment demos set up, along with at least four Raspberry Pis running demos or displays out in the open.
I also had a talk with a couple people at the booth, for example Igalia works upstream with Vulkan and Chromium a bunch. Would love to see more Linux on the dashboard in the future, some cars have pretty substantial chips powering their infotainment systems these days. Could be nice to add that as a node to a homelab Kubernetes cluster when it's parked idle in the garage :)
Good job! DLT logs are pretty standard in the infotainment industry, the format specification is openly available. I recommend you to download DLTViewer from GitHub and open the log files (if they are not encrypted). You may find good stuff there!
Author here. Yes, there is some good stuff in the logs, I found the Wi-Fi password there, that was useful. At the time I used some VSCode plugin to read the .dlt files (they are not encrypted), but later I did find that dlt-viewer on COVESA's GitHub.
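As an added example (not code from the post's author, from COVESA, or from the DLT Viewer project), here is a small Python parser for DLT storage files of the kind mentioned above, followed by a scan that flags messages which appear to log credentials, since that is exactly the sort of thing the Wi-Fi password find shows can end up in infotainment logs. The field layout follows the public DLT specification as I read it (16-byte storage header, standard header with HTYP flag bits, optional extended header, verbose payload with per-argument type info); only string, integer and raw arguments are decoded, and the sample file is constructed inline rather than captured from a real head unit.

```python
"""Minimal DLT (Diagnostic Log and Trace) storage-file parser plus a secret scan.

Added example, not code from the linked post or from COVESA. Layout follows the
public DLT spec as understood by the author of this example: storage header,
standard header (HTYP flags), optional extended header, verbose payload.
"""
import re
import struct
from dataclasses import dataclass, field

# Standard-header HTYP flag bits (DLT spec).
UEH, MSBF, WEID, WSID, WTMS = 0x01, 0x02, 0x04, 0x08, 0x10
# Verbose type-info bits we decode; TYLE encodes integer width.
TYLE_MASK, SINT, UINT, STRG, RAWD = 0x0F, 0x20, 0x40, 0x200, 0x400
TYLE_BYTES = {1: 1, 2: 2, 3: 4, 4: 8}


@dataclass
class DltMessage:
    seconds: int          # storage-header timestamp (seconds since epoch)
    ecu: str
    apid: str
    ctid: str
    args: list = field(default_factory=list)

    def text(self) -> str:
        return " ".join(str(a) for a in self.args)


def _ascii(b: bytes) -> str:
    return b.rstrip(b"\0").decode("ascii", "replace")


def _parse_args(payload: bytes, noar: int, big_endian: bool) -> list:
    """Decode NOAR verbose arguments; endianness follows the MSBF flag."""
    end = ">" if big_endian else "<"
    args, pos = [], 0
    for _ in range(noar):
        (tinfo,) = struct.unpack_from(end + "I", payload, pos)
        pos += 4
        if tinfo & (STRG | RAWD):
            (n,) = struct.unpack_from(end + "H", payload, pos)
            pos += 2
            data = payload[pos:pos + n]
            pos += n
            args.append(data.rstrip(b"\0").decode("utf-8", "replace")
                        if tinfo & STRG else data.hex())
        elif tinfo & (SINT | UINT):
            size = TYLE_BYTES[tinfo & TYLE_MASK]
            code = {1: "b", 2: "h", 4: "i", 8: "q"}[size]
            if tinfo & UINT:
                code = code.upper()
            (value,) = struct.unpack_from(end + code, payload, pos)
            pos += size
            args.append(value)
        else:
            raise ValueError(f"unsupported type info 0x{tinfo:x}")
    return args


def parse_dlt(data: bytes) -> list:
    """Parse a whole DLT storage file into DltMessage objects."""
    msgs, pos = [], 0
    while pos < len(data):
        if data[pos:pos + 4] != b"DLT\x01":
            raise ValueError(f"bad storage header at offset {pos}")
        secs, _usecs = struct.unpack_from("<Ii", data, pos + 4)
        ecu = _ascii(data[pos + 12:pos + 16])
        pos += 16
        # Standard header: HTYP, message counter, length (always big-endian).
        htyp, _mcnt, length = struct.unpack_from(">BBH", data, pos)
        msg_start = pos
        pos += 4
        if htyp & WEID:
            ecu = _ascii(data[pos:pos + 4])
            pos += 4
        if htyp & WSID:
            pos += 4                         # session id, not needed here
        if htyp & WTMS:
            pos += 4                         # relative timestamp, not needed
        apid = ctid = ""
        noar, verbose = 0, False
        if htyp & UEH:                       # extended header present
            msin, noar = data[pos], data[pos + 1]
            apid, ctid = _ascii(data[pos + 2:pos + 6]), _ascii(data[pos + 6:pos + 10])
            verbose = bool(msin & 0x01)
            pos += 10
        payload = data[pos:msg_start + length]
        pos = msg_start + length
        args = _parse_args(payload, noar, bool(htyp & MSBF)) if verbose else [payload.hex()]
        msgs.append(DltMessage(secs, ecu, apid, ctid, args))
    return msgs


# Detection: log lines that look like they carry a credential.
SECRET_RE = re.compile(r"(passw(or)?d|psk|passphrase|secret|token)\s*[:=]", re.I)


def find_secret_leaks(msgs: list) -> list:
    return [(m.apid, m.ctid, m.text()) for m in msgs if SECRET_RE.search(m.text())]


# --- constructed sample file (not a real capture) ---
def _build_message(secs, ecu, apid, ctid, args, big_endian=False) -> bytes:
    end = ">" if big_endian else "<"
    payload = b""
    for a in args:
        if isinstance(a, str):
            s = a.encode("utf-8") + b"\0"
            payload += struct.pack(end + "IH", STRG | 0x8000, len(s)) + s  # UTF-8 string
        else:
            payload += struct.pack(end + "II", UINT | 3, a)               # 32-bit unsigned
    ext = struct.pack("BB4s4s", 0x41, len(args), apid.encode(), ctid.encode())  # VERB, log info
    htyp = UEH | WEID | (1 << 5) | (MSBF if big_endian else 0)           # version 1
    length = 4 + 4 + len(ext) + len(payload)
    std = struct.pack(">BBH4s", htyp, 0, length, ecu.encode())
    storage = b"DLT\x01" + struct.pack("<Ii", secs, 0) + ecu.encode().ljust(4, b"\0")
    return storage + std + ext + payload


SAMPLE = b"".join([
    _build_message(1700000000, "ECU1", "WIFI", "CONN", ["connecting to ssid=HomeNet psk=hunter2"]),
    _build_message(1700000001, "ECU1", "NAV", "UPDT", ["maps update from phone, files:", 12]),
    _build_message(1700000002, "ECU1", "PWR", "IGN", ["ignition on, uptime_s:", 300], big_endian=True),
])

if __name__ == "__main__":
    for apid, ctid, text in find_secret_leaks(parse_dlt(SAMPLE)):
        print(f"possible credential in {apid}/{ctid}: {text}")
```

Pointing `parse_dlt` at the bytes of a real `.dlt` file and running `find_secret_leaks` over the result gives a quick audit of what an infotainment stack writes to its own logs; anything the scan flags is a candidate for redaction at the logging call site.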
Awesome post! When will we be able to operate our car without it spying on us? Will we eventually be able to turn off the "phoning home" function/part?
The hard part about this is nobody is willing to experiment with their $30k+ vehicle and risk bricking it. If you want a car that doesn’t spy on you, you’re gonna have to look back a decade or so.
If you wait long enough, the problem will fix itself.
My 2012 Nissan Leaf is equipped with a 3G cellular modem (upgraded from the 2G that it originally shipped with). Since the providers all shut down their 3G networks, it's been effectively offline.
Thankfully, the telematics module is separate on most vehicles. You can pull the power from the module with no consequences on most vehicles. If you don't like what happens when you remove power from that module, plug it back in. On some cars you may have to start the car up to 6 times before any errors show up (if at all). This is because some cars only do a full scan of the vehicle bus every so many starts.
Fairly recent Hondas and Acura base infotainment systems have needless >1 second Bluetooth audio lag. I wish someone with the knowledge would do something similar for these.
Don't all cars have this? I've driven lots of different cars from all kinds of manufacturers and they all have Bluetooth lag, sucks if you want to watch YouTube just sitting in the car waiting for something.
Too bad that we have to hack our car to customize it.
We can reinstall computers very easily and choose the OS we like. But we cannot do the same with our car.
Old cars, you can modify everything: grab your tools, and you can do what you want.
Modern cars are too closed; you are too dependent on what the factory allows you to do.
Modern cars are also too complex, with too many gadgets.
Please keep it simple, it is a car, not an entertainment device.
I think it's good to separate the drivetrain from the infotainment in these discussions. Hacking the infotainment is a world of difference in a Tesla where you have basically software impacting driving a lot; the Tesla doesn't deliver all the power, it's too much. There have been people who have gotten service mode access and disabled traction control etc.; many wrecks have resulted from spinouts.
On the other hand, the infotainment can be rebooted even while driving. The drive train is much more protected and controlled, for a reason.
Interesting read! I got a Toyota bus and the infotainment system sucks. As someone else wrote here, Bluetooth support is deadly slow and as soon as you stop the car the system will also shut down. It’s like someone created this system without considering real life scenarios, like being on a phone call, listening to a podcast or just listening to music.
But since you can also interact with the car, like turning on and off drive assistant systems, I would not dare to hack my car. How about insurance, when there is an accident?
>> How about insurance, when there is an accident?
The insurance company would need to demonstrate that you've had an accident because of your modification. Just them being present doesn't invalidate anything.
However, in the real world, you can bet that they would try - you'd probably win in the court of law, but it's a risk.
That was really interesting, using so much more energy (16x) than usual. They've really tuned their power delivery to deliver good range so we don't constantly race around. And a Tesla still has that great instant torque even with that.
Note that this is just for the infotainment head unit, sort of your wall thermostat, not the "entire car". A car is like a lunchbox, there is in fact no "core".
Author here. Yes, gadget mode is nice. I was kind of lucky that the serial port "function" worked (not without that small kernel patch). But if they had implemented AOA properly on the head unit, it wouldn't be so easy (they allow a device already in AOA mode, without the "handshake"). I would have to write more kernel code or use Google's "accessory" gadget implementation.
Well, in most sane countries "surprise bills" are illegal.
If I bring my car for maintenance and we agree on checking brake fluid and air filters, they cannot decide "Oh, the profiles of the tires are off, we'll change them". No one would need to pay them for this, as it was not agreed upon and is therefore not part of a contract.
So your case makes no sense at all.
Except that perhaps you live in an insane country, or are not well versed in basic contract law :-)
If I'm hacking something I own, it's also highly likely that I am capable of fixing it and doing any needed maintenance. Part of the hacker mindset is not letting the fear of voiding a warranty stop you from truly owning the product you paid for.
What would the bill be for? "Changing stuff you own"? When did we wholly give ourselves up to the idea that the manufacturer owns the stuff we bought, and they can penalize us for messing with their things?
Surprise bill for at best "the checksum didn't match so we gave ourselves another paid workorder to investigate the filesystem of your headunit"?
It's more likely that you get it back with new software (and all your modifications wiped), because as part of the routine maintenance some blue-collar technician connects a USB dongle and blindly upgrades the firmware.
Unless of course, the modification is so popular that searching for it becomes part of the vendor's routine maintenance protocol...
Complete nonsense. The fact I disabled OnStar on my vehicles, for example, is an interesting point of conversation only when I bring them in for an oil change. They happily show me the diagnostic codes it produces and could not care less about it, nor could I.
otikik|2 years ago
goncalomb|2 years ago
Inspired by another post here on HN: https://news.ycombinator.com/item?id=32447650
mlrtime|2 years ago
https://github.com/Mr-MIBonk/M.I.B._More-Incredible-Bash
mdp2021|2 years ago
In more parts posted in distant times, the last of which (one year after that post) is -
the author (greenluigi1) made Doom work on the Hyundai (Ioniq SEL).
https://programmingwithstyle.com/posts/myhackedcarisdoomed/
https://www.youtube.com/watch?v=snKx3k5Qfm0
dn3500|2 years ago
yetanotherone24|2 years ago
sircastor|2 years ago
geerlingguy|2 years ago
fmntf|2 years ago
goncalomb|2 years ago
bloomingeek|2 years ago
Slurpuff|2 years ago
ThinkingGuy|2 years ago
nextlevelwizard|2 years ago
batch12|2 years ago
bonestamp2|2 years ago
speedgoose|2 years ago
enthdegree|2 years ago
gambiting|2 years ago
w3news|2 years ago
NotSammyHagar|2 years ago
ulf-77723|2 years ago
gambiting|2 years ago
OptCohTomo|2 years ago
NotSammyHagar|2 years ago
numpad0|2 years ago
2rsf|2 years ago
fragmede|2 years ago
goncalomb|2 years ago
MaxikCZ|2 years ago
Just info: on my Android phone with Firefox the scrolling is atrociously slow (more than 1 sec lag during every scroll)
nmeofthestate|2 years ago
jvdvegt|2 years ago
anonymousd3vil|2 years ago
a_gnostic|2 years ago
bpoyner|2 years ago
pvaldes|2 years ago
holgerschurig|2 years ago
0xEF|2 years ago
stavros|2 years ago
rickdeckard|2 years ago
nextlevelwizard|2 years ago
seagulls|2 years ago