I really appreciate that the author took the time to put a summary near the end:
> I used a Raspberry Pi in USB gadget mode to simulate an Android device connected to the head unit. The head unit thinks it's accepting a navigation maps update from the "phone", but because the update protocol allows for arbitrary file changes, I can issue commands to modify a specific file and inject a call to a bash script that gets run as root.
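The quoted summary comes down to one design flaw: the update handler writes wherever the "phone" tells it to. As an added example (not code from the post or from the head unit), here is the shape of a confined handler in Python: the manifest is authenticated before anything touches disk, every relative name must resolve inside the maps directory, each file's digest must match the manifest, and only then are files written atomically. The manifest layout, the install root and the HMAC key are assumptions for this demo; a real unit would verify a public-key signature over the manifest instead of an HMAC.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Assumptions (not from the post): the package is a JSON manifest listing relative file names with
# SHA-256 digests, the manifest is authenticated before any write, and every file lands under one root.
MANIFEST_KEY = b"demo-only-key"  # stand-in for the vendor's signing key; real units verify a public-key signature


class UpdateRejected(Exception):
    pass


def verify_manifest(manifest_bytes: bytes, tag: bytes, key: bytes = MANIFEST_KEY) -> dict:
    """Accept the manifest only if its authentication tag checks out (HMAC here as a signature stand-in)."""
    expected = hmac.new(key, manifest_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise UpdateRejected("manifest authentication failed")
    return json.loads(manifest_bytes)


def resolve_update_target(root: str, relative_name: str) -> str:
    """Map a package file name onto the install root, refusing anything that would land outside it."""
    if not relative_name or "\x00" in relative_name or relative_name.startswith(("/", "\\")):
        raise UpdateRejected(f"malformed or absolute path: {relative_name!r}")
    root_real = os.path.realpath(root)
    # realpath also resolves symlinks on the way, so a planted link under root cannot redirect the write
    target = os.path.realpath(os.path.join(root_real, relative_name))
    if os.path.commonpath([root_real, target]) != root_real:
        raise UpdateRejected(f"path escapes install root: {relative_name!r}")
    return target


def apply_update(root: str, manifest: dict, files: dict) -> list:
    """Write every manifest entry whose bytes match the listed digest; any rejection aborts before the first write."""
    plan = []
    for name, digest in manifest["files"].items():
        data = files.get(name)
        if data is None:
            raise UpdateRejected(f"manifest entry without content: {name!r}")
        if hashlib.sha256(data).hexdigest() != digest:
            raise UpdateRejected(f"digest mismatch for {name!r}")
        plan.append((resolve_update_target(root, name), data))
    for name in files:
        if name not in manifest["files"]:
            raise UpdateRejected(f"file not listed in manifest: {name!r}")
    written = []
    for target, data in plan:
        os.makedirs(os.path.dirname(target), exist_ok=True)
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(target))
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, target)  # atomic swap so a half-written tile never becomes visible
        written.append(target)
    return written


def _signed(manifest: dict):
    body = json.dumps(manifest, sort_keys=True).encode()
    return body, hmac.new(MANIFEST_KEY, body, hashlib.sha256).digest()


def demo() -> dict:
    """Run constructed good and bad packages through the checks and report which outcome each produced."""
    root = tempfile.mkdtemp(prefix="maps-")
    tile = b"constructed map tile bytes"
    good, good_tag = _signed({"files": {"tiles/eu/region1.bin": hashlib.sha256(tile).hexdigest()}})
    results = {}
    written = apply_update(root, verify_manifest(good, good_tag), {"tiles/eu/region1.bin": tile})
    with open(written[0], "rb") as fh:
        results["good_installed"] = fh.read() == tile

    bad_cases = [
        ("traversal_rejected", {"files": {"../../outside/not-a-map.bin": hashlib.sha256(tile).hexdigest()}}, tile),
        ("digest_mismatch_rejected", {"files": {"tiles/eu/region2.bin": hashlib.sha256(tile).hexdigest()}}, tile + b"x"),
    ]
    for label, manifest, payload in bad_cases:
        body, tag = _signed(manifest)
        try:
            apply_update(root, verify_manifest(body, tag), {next(iter(manifest["files"])): payload})
            results[label] = False
        except UpdateRejected:
            results[label] = True

    try:
        verify_manifest(good, b"\x00" * 32)  # tampered tag: must be refused before the manifest is even parsed
        results["bad_manifest_rejected"] = False
    except UpdateRejected:
        results["bad_manifest_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering matters as much as the individual checks: path confinement and digests are validated for the whole package before the first byte is written, so a package that is half good and half bad leaves the maps directory untouched.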
Could you have used ssh? It might have been as easy as using nftp to upload a new /root/.ssh/authorized_keys file. Or not, depending on how they have ssh configured.
Author here. I talk a little bit about SSH at the end: if I had been successful in breaking the root password and if sshd is configured for root access (I'm not sure), I could have just used that. Otherwise, for me to change authorized_keys or some other file to run some code as root, it's the same work.
> The core OS appears to be from GENIVI/COVESA (GitHub: GENIVI/COVESA). I'm not familiar with these systems at all. They have a fair bit of open-source stuff that I will probably explore in the future.
In a prior role I got to engage on a number of GENIVI projects. GENIVI was/is a consortium of automakers and 1st-tier companies that determine standards for automotive IVI (In-Vehicle Infotainment). I got to work on some demonstration projects that were proof-of-concept for the standards. IIRC, we were implementing them on the Automotive Grade Linux distribution. It was a really exciting time. I legitimately thought that there might be a future for a standard (or at least a couple of standards) infotainment system.
Fun stuff. FWIW, I sort of thought of GENIVI as the European standards group, whereas AGL seemed largely funded and driven by the Asian Automakers. But that's my narrow viewpoint.
I found the Automotive Grade Linux booth at CES last month and indeed, they had a bunch of infotainment demos set up, along with at least four Raspberry Pis running demos or displays out in the open.
I also had a talk with a couple of people at the booth; for example, Igalia works upstream on Vulkan and Chromium a bunch. Would love to see more Linux on the dashboard in the future, some cars have pretty substantial chips powering their infotainment systems these days. Could be nice to add that as a node to a homelab Kubernetes cluster when it's parked idle in the garage :)
Good job! DLT logs are pretty standard in the infotainment industry, and the format specification is openly available. I recommend downloading DLTViewer from GitHub and opening the log files (if they are not encrypted). You may find good stuff there!
Author here. Yes, there is some good stuff in the logs, I found the Wi-Fi password there, that was useful. At the time I used some VSCode plugin to read the .dlt files (they are not encrypted), but later I did find that dlt-viewer on COVESA's GitHub.
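Since DLT files come up twice here (the openly specified format, and a Wi-Fi password turning up in one), here is an added Python example, not from the post and not COVESA's tooling, that walks a .dlt storage file using the v1 framing from the public spec and flags log lines that look like credentials. The three records are constructed inline to exercise it; the key-name list in SECRET_RE is a starting point for a secrets-in-logs check, not an exhaustive one.

```python
import re
import struct
from dataclasses import dataclass

# DLT v1 storage-file framing (COVESA/GENIVI DLT protocol); only the fields this scanner needs.
DLT_STORAGE_MAGIC = b"DLT\x01"
HTYP_UEH, HTYP_MSBF, HTYP_WEID, HTYP_WSID, HTYP_WTMS = 0x01, 0x02, 0x04, 0x08, 0x10
HTYP_VERSION1 = 0x20
TYPE_STRG, TYPE_RAWD = 0x00000200, 0x00000400  # verbose-mode argument type-info bits

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# Heuristic for credentials that leaked into log text; the key names are a constructed starting list.
SECRET_RE = re.compile(r"(?i)\b(pass(?:word|phrase)?|psk|secret|token|api[_-]?key)\b\s*[:=]\s*(\S+)")


@dataclass
class DltMessage:
    ecu: str
    apid: str
    ctid: str
    verbose: bool
    big_endian: bool
    payload: bytes


def _id4(s: str) -> bytes:
    return s.encode("ascii").ljust(4, b"\x00")


def _dec(b: bytes) -> str:
    return b.rstrip(b"\x00").decode("ascii", "replace")


def build_verbose_string_message(ecu: str, apid: str, ctid: str, text: str) -> bytes:
    """Encode one storage-file record carrying a single verbose STRG argument (used only to build the sample)."""
    data = text.encode("ascii") + b"\x00"
    payload = struct.pack("<IH", TYPE_STRG, len(data)) + data       # little-endian payload because MSBF is clear
    ext = struct.pack("<BB4s4s", 0x41, 1, _id4(apid), _id4(ctid))  # MSIN: VERB=1, MSTP=log, MTIN=info; NOAR=1
    htyp = HTYP_VERSION1 | HTYP_UEH | HTYP_WEID
    length = 8 + len(ext) + len(payload)                            # LEN covers std header (4 + ECU id), ext, payload
    std = struct.pack(">BBH", htyp, 0, length) + _id4(ecu)
    storage = DLT_STORAGE_MAGIC + struct.pack("<Ii", 1_700_000_000, 0) + _id4(ecu)
    return storage + std + ext + payload


def parse_dlt_file(blob: bytes):
    """Walk a .dlt storage file record by record, returning header fields plus the raw payload of each message."""
    msgs, off = [], 0
    while off < len(blob):
        if blob[off:off + 4] != DLT_STORAGE_MAGIC:
            raise ValueError(f"bad storage header at offset {off}")
        storage_ecu = blob[off + 12:off + 16]
        off += 16
        htyp, _mcnt, length = struct.unpack_from(">BBH", blob, off)
        msg = blob[off:off + length]
        if len(msg) != length:
            raise ValueError(f"truncated message at offset {off}")
        pos, ecu = 4, storage_ecu
        if htyp & HTYP_WEID:
            ecu, pos = msg[pos:pos + 4], pos + 4
        if htyp & HTYP_WSID:
            pos += 4
        if htyp & HTYP_WTMS:
            pos += 4
        apid = ctid = b""
        verbose = False
        if htyp & HTYP_UEH:
            verbose = bool(msg[pos] & 0x01)
            apid, ctid = msg[pos + 2:pos + 6], msg[pos + 6:pos + 10]
            pos += 10
        msgs.append(DltMessage(_dec(ecu), _dec(apid), _dec(ctid), verbose, bool(htyp & HTYP_MSBF), msg[pos:]))
        off += length
    return msgs


def decode_strings(msg: DltMessage):
    """Pull text out of a payload: STRG/RAWD verbose arguments when present, otherwise a printable-byte scan."""
    if not msg.verbose:
        return [s.decode("ascii") for s in PRINTABLE.findall(msg.payload)]
    order = ">" if msg.big_endian else "<"
    out, pos = [], 0
    while pos + 4 <= len(msg.payload):
        (tinfo,) = struct.unpack_from(order + "I", msg.payload, pos)
        if not tinfo & (TYPE_STRG | TYPE_RAWD):
            # other argument types (ints, floats, ...) are not decoded here; fall back to a raw scan of the rest
            out.extend(s.decode("ascii") for s in PRINTABLE.findall(msg.payload[pos:]))
            break
        (n,) = struct.unpack_from(order + "H", msg.payload, pos + 4)
        out.append(_dec(msg.payload[pos + 6:pos + 6 + n]))
        pos += 6 + n
    return out


def find_secrets(msgs):
    """Return (apid, ctid, key, value) for every log line that looks like it carries a credential."""
    hits = []
    for m in msgs:
        for text in decode_strings(m):
            for key, value in SECRET_RE.findall(text):
                hits.append((m.apid, m.ctid, key.lower(), value))
    return hits


# Constructed sample: three records mimicking a head unit's Wi-Fi stack logging its own configuration.
SAMPLE_DLT = b"".join([
    build_verbose_string_message("HU01", "WLAN", "CONN", "wlan0: associating with ssid=CarHotspot"),
    build_verbose_string_message("HU01", "WLAN", "CFG", "hostapd config: ssid=CarHotspot password=ExamplePsk-1234"),
    build_verbose_string_message("HU01", "NAVI", "MAPS", "map update service started"),
])

if __name__ == "__main__":
    for apid, ctid, key, value in find_secrets(parse_dlt_file(SAMPLE_DLT)):
        print(f"[{apid}/{ctid}] {key}={value}")
```

Run over a real capture, the APID/CTID pair in each hit tells you which component is logging credentials, which is the thing to fix upstream; scrubbing the log files after the fact only helps the units you have in hand.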
Awesome post! When will we be able to operate our car without it spying on us? Will we eventually be able to turn off the "phoning home" function/part?
The hard part about this is that nobody is willing to experiment with their $30k+ vehicle and risk bricking it. If you want a car that doesn't spy on you, you're gonna have to look back a decade or so.
If you'd like to experiment with bricking the head unit on your new car you can shop around and find a totaled specimen.
If all you need is a working head unit you should be able to get that for <$1000.
It's still an investment, but nowhere near $30k.
The real reason nobody bothers with this is that it's just the infotainment, and if you really want a custom one you can just buy a new head unit, or glue a tablet where the existing one resides.
You won't get access to the engine electronics, emissions controls etc. Those are all other dedicated computers.
Context of the parent was buying a spare OEM unit from a junkyard for experimenting.
Third party can be a money pit also. Like a volume knob that controls the factory amp via canbus rather than the fixed output level head unit. And the amp is conveniently not close to the head unit. And, mentioned elsewhere, but additional stuff for steering wheel controls, car data that the OEM head unit displayed (mpg, trip meter, etc).
You can just turn off the LTE modem inside a Tesla via a breaker. Original ones had a 3G modem; they were eventually replaced with an LTE one. Spying is under your control, at least overall. The insidious thing is that there are so many useful things in the Tesla UI that you want to use it. I have experimented with disabling the modem, but it was just so useful to have maps and current, accurate traffic that I quickly put it back. Also using voice commands to play music. There's just nothing as good on the phone.
There is potential for someone to make an iPad app that did all these things and connected to, say, your phone's hotspot so you could control everything. Soon you would be remaking Android Auto though. I think there's no market for a "you control your privacy" type thing.
> Reminder that those who bought it, voted for it.
I truly loathe this argument. I've seen it for cars, seen it for laptops, seen it for mobile devices. For years. People like you really think not purchasing the bad will fix stuff like this?
Purchasing decisions let you pick between competitors. That is all. You can't pick the open-source car that does not exist, unless you want to start your own car company just to build one. If you don't buy any car at all, then you simply don't exist to them, and they don't care about you.
Nobody is going to quit locking down their software just because a rounding error doesn't like it that way. They don't do it because they need people's votes, they do it because the company simply wants the software locked down, they don't care what customers think about it. Even if nobody bought the car, and everybody told them directly to offer open access, they'd probably still refuse to provide it, until and unless something like a regulation is passed that mandates it.
Cars aren't spying on you because people are voting for the spying. Nobody who buys the car is voting for it to spy on them, unless I guess their hypothetical dystopian future insurance gives them a bonus/discount for allowing them to view the data from the vehicle and they're actually okay with that.
Just look, you have a limited number of choices. You can "vote" for anything that is currently on the market. That is all the choice you have. If you want a car from the current market, you're going to have to pick one to vote for. Odds are they're all going to have some sort of surveillance-state bullshit, or the ones that don't have it are just going to be less-nice vehicles in general.
Similar to how, before Framework, everyone concerned about open-source system firmware was most likely rocking a speedy 2004 ThinkPad with a couple gigabytes of RAM. They were unable to simply vote for an actually fast, modern machine, as all of them had proprietary blobs doing who-knows-what. So someone had to come out and actually build one, and now we have Framework.
I believe that for phones, we might have Purism sometime in the 2030s, once they work out the most basic issues with their software stack, probably caused by trying to use existing Linux userland.
For cars... I haven't heard anything yet. Nobody's come out and built an open-source car company yet. So we're currently in the phase where you simply can't vote for an open-source car. Now, do you still need a car anyway? Then I guess you vote in favor of a locked-down vehicle. Even if you're not actually trying to vote, and you just need a car right now.
So that's why I hate this argument. Just because you bought a car doesn't mean you should be on the hook for "voting" for every feature the car has. You voted for the car. Doesn't mean it's perfect.
> People like you really think not purchasing the bad will fix stuff like this?
Well yes, certainly. A market exists because it has buyers - without them, it withers. And a market exists because there is a need, that producers will ride. «if nobody bought the car», they would not produce it.
> If you don't buy any car at all, then you simply don't exist to them
So you misunderstood the proposed idea. It is not the individual that changes the market: a critical mass does. But the responsibility is individual.
> Cars aren't spying on you because people are voting for the spying
The statement is, "if people did not accept it it would not happen, and by financing it they accept it".
> If you want a car from the current market
If the «current market» only contained traps ("and you will give us rights to your grandson" etc.), why would one «want [an item] from the current market».
> Odds are they're all going to have some sort of surveillance-state bullshit, or the ones that don't have it are just going to be less-nice vehicles in general
This makes it sound like "some people will trade decency for items that they see as nicer". That is plain sinister.
> before Framework
There is a difference between suboptimal products - "optimal is not available yet" - and unacceptable products - "this service comes with jus primae noctis".
> do you still need a car anyway? Then I guess you vote in favor of a locked-down vehicle
Let us hope you won't, and find other solutions. But the problem is not about open-source: it is about reliability, security and privacy.
> for "voting" for every feature the car has. You voted for the car
By financing and simply purchasing a product you endorsed it, and with it all its implications. You are responsible. Sweatshop shoes? Responsible. You are given a faculty of awareness and an obligation to use it. Some implications are good, some are minor, some are immoral, some are bringers of dire social consequences.
There is plenty of blame to go around. From corporate owners, through captured regulators to end users. Between all those parties I think the ones that have to choose between grades of shit are the least to blame. This does not absolve consumers, but it does put into question the framing you presented.
> this does not absolve consumers, but it does put into question the framing you presented
Allow me: it extends the framework presented (we could also mention faults in other parties, were we not addressing one specific part), but I do not see how it would «put it into question». As you say, it «does not absolve consumers».
«There is plenty of blame», which does not absolve John. And John gives signals that he is holding resistance against seeing it...
> This makes it sound like "some people will trade decency for items that they see as nicer". That is plain sinister.
I don't see how it's sinister at all to say that. I hate Windows, but I use it because I no longer have access to macOS, and nothing works on Linux. Am I sinister for "voting" for Windows even though it lacks decency? It is currently the least bad option for me, that is all. The value in having a working computer is greater than the value in perpetually stressing myself out over whether things are free and libre or not.
Ensuring the absolute purity of my personal supply chain is too much of a pathetic chore for me to want to care about. I really, really do not care if that nice Tesla I may buy in 10 years tracks my every move, receives random OTA updates, makes me pay a subscription fee to use the hardware that's already installed in the vehicle, and so on. What if I just wanted a nice EV and nobody else does it right?? What am I going to do, buy a Rivian instead?
> Nobody who buys the car is voting for it to spy on them, unless I guess their hypothetical dystopian future insurance gives them a bonus/discount for allowing them to view the data from the vehicle and they're actually okay with that.
Also, almost nobody cares that their car manufacturer can track their car’s location. They already accept that they have a mobile device on them that tracks them everywhere, and at least the mobile networks plus government knows where they are.
And they also use electronic payments everywhere with “loyalty” discounts so all the banks/payment networks know where they are, and so do merchants.
At least Progressive has an option for a device that connects to the OBD2 port. But either way, the system of discounts in exchange for more accurate driving data already exists. It is just a matter of a business deal working out between the automakers and the insurance company to have it built in.
Although, I do not see it as necessary. Cars with cameras will automatically start having lower insurance premiums, and so you will see people opt to buy cars with cameras (eliminating the inconvenience of having to install a dash cam by yourself).
If you wait long enough, the problem will fix itself.
My 2012 Nissan Leaf is equipped with a 3G cellular modem (upgraded from the 2G that it originally shipped with). Since the providers all shut down their 3G networks, it's been effectively offline.
You can just turn off the breaker for the modem, why don't people just do that? Yes, you can remove the thing, but you can experiment today by doing that first step. There are Tesla hackers, like this person https://twitter.com/greentheonly. They decompile the OS releases and look for new but disabled features.
Telematics units could be separate from IVI, could be hanging off elsewhere or could be independently procured and added at multiple different floors within a car company.
I envision a fun game for modern, tech-inclined car owners:
1. Turn the car on;
2. Scan the RF spectrum with SDR hooked up to a directional antenna, until you see something resembling digital TX in the waterfall graph. Note the frequency.
3. Dial in your microwave gun to that frequency, bathe the car in sweet sweet RF watts.
4. Confirm with SDR the signal is no longer there.
5. Repeat until you're reasonably confident you fried every transceiver that shouldn't be there.
(6. If the car doesn't start anymore, ask manufacturer for refund and suggest putting current protection circuits behind their radios.)
--
More seriously though, step 2 might be useful to locate more antennas to snip. Like a fox hunt, but in your garage.
Thankfully, the telematics module is separate on most vehicles. You can pull the power from the module with no consequences on most vehicles. If you don't like what happens when you remove power from that module, plug it back in. On some cars you may have to start the car up to 6 times before any errors show up (if at all). This is because some cars only do a full scan of the vehicle bus every so many starts.
That does not seem too different from having a visible, readable ID plate - the information spread is "individual at that reader at that time" (though yes, if unneeded it should not be there).
The issue is more with recordings and with the principle of sending data around beyond the ID - and especially with the contract that would make such activity accepted.
Fairly recent Hondas and Acura base infotainment systems have needless >1 second Bluetooth audio lag. I wish someone with the knowledge would do something similar for these.
Don't all cars have this? I've driven lots of different cars from all kinds of manufacturers and they all have Bluetooth lag, sucks if you want to watch YouTube just sitting in the car waiting for something.
I blame this on crappy drivers. A lot of modern Infotainment systems are running Linux of some variety, and the very easiest thing to do to get technology support is to grab the open source proof-of-concept Bluetooth driver, plug it in, and call it good.
As a firmware developer who has also done client-side Bluetooth development on Android, iOS, Windows, and Linux, I can tell you with 100% confidence that this just isn't the case. BlueZ is the best Bluetooth driver on any major platform, and it's not even close. The Windows one crashes constantly, and the iOS one has arbitrary nonstandard limitations and it tries to be clever by initiating pairing when you don't tell it to. BlueZ is the only one that actually implements the by-the-book Bluetooth spec, and does it without randomly exploding.
No, the reason Hondas and Acuras have it is specifically because of (if I understand it correctly) a bug in the car’s Bluetooth handshake that sends audio streams as data. Someone found this by doing a Wireshark capture connecting a laptop’s Bluetooth to the car.
I have little hope for a fix. It seems likely that it's easier to just replace the entire controller that drives the audio and screen, and that sounds really, really hard.
Too bad that we have to hack our car to customize it.
We can reinstall computers very easily and choose the OS we like. But we cannot do the same with our car.
With old cars you could modify everything: grab your tools and do what you want.
Modern cars are too closed; you depend too much on what the factory allows you to do.
Modern cars are also too complex, with too many gadgets.
Please keep it simple: it is a car, not an entertainment device.
I think it's good to separate the drivetrain from the infotainment in these discussions. Hacking the infotainment is a world of difference in a Tesla, where you have software impacting driving a lot; the Tesla doesn't deliver all the power, it's too much. There have been people who have gotten service mode access and disabled traction control etc., and many wrecks resulted from spinouts.
On the other hand, the infotainment can be rebooted even while driving. The drive train is much more protected and controlled, for a reason.
Interesting read! I got a Toyota bus and the infotainment system sucks. As someone else wrote here, Bluetooth support is deadly slow and as soon as you stop the car the system will also shut down. It’s like someone created this system without considering real life scenarios, like being on a phone call, listening to a podcast or just listening to music.
But since you can also interact with the car, like turning on and off drive assistant systems, I would not dare to hack my car. How about insurance, when there is an accident?
>> How about insurance, when there is an accident?
The insurance company would need to demonstrate that you've had an accident because of your modification. Just them being present doesn't invalidate anything.
However, in the real world, you can bet that they would try - you'd probably win in the court of law, but it's a risk.
Do you really think any insurance "expert" would look for that?
From my experience, unless the car has some kind of self-driving stuff, they just have a mechanic check the state of the car to see if it is totalled or can be repaired. Unless there are wires going out of the car there is no reason they would even check the OS of the dashboard console[1].
[1] I refuse to use the word infotainment, it is so inappropriate.
They don't need to look for a hack, just its trace.
If the accident is at all serious, both insurance companies will routinely buy the info that model sends to the maker by default, in particular speed and location info.
If the info is suspiciously absent (because somebody hacked their car to stop sending it), the insurance companies will go into red-alert mode and find a way to get themselves out of the problem.
Sent info can be used against you, but it could also help your insurance company win the case. It is not always black or white. The main goal of insurance companies will be to protect themselves, but the secondary goal will be to protect you, the client, from potentially serious legal consequences. If both insurance companies are the same, they could team up against the vehicle with less clear data.
>> Do you really think any insurance "expert" would look for that?
"Probably not". Probably is the key word here. I've seen insurance companies go to absolutely ridiculous lengths to deny a claim, so I honestly wouldn't put anything past them.
That was really interesting, using so much more energy (16x) than usual. They've really tuned their power delivery to deliver good range so we don't constantly race around. And a Tesla still has that great instant torque even with that.
Note that this is just for the infotainment head unit, sort of your wall thermostat, not the "entire car". A car is like a lunchbox, there is in fact no "core".
Author here. Yes, gadget mode is nice. I was kind of lucky that the serial port "function" worked (not without that small kernel patch). But if they had implemented AOA properly on the head unit, it wouldn't be so easy (they allow a device already in AOA mode, without the "handshake"). I would have to write more kernel code or use Google's "accessory" gadget implementation.
Well, in most sane countries "surprise bills" are illegal.
If I bring my car for maintenance and we agree on checking brake fluid and air filters, they cannot decide "Oh, the profiles of the tires are off, we'll change them". No one would need to pay them for this, as it was not agreed upon and is therefore not part of a contract.
So your case makes no sense at all.
Except that perhaps you live in an insane country, or are not well versed in basic contract law :-)
If I'm hacking something I own, it's also highly likely that I am capable of fixing it and doing any needed maintenance. Part of the hacker mindset is not letting the fear of voiding a warranty stop you from truly owning the product you paid for.
No. It doesn't matter. You can hack something you own as much as you want, and you're paying the manufacturer to do maintenance on it. If you want then to change the brakes, whether your infotainment system is hacked or not is exactly none of their business.
Hacking a linux box using USB tricks and maintaining the mechanics of a car - probably not a huge skills overlap there. But I doubt he's going to be in trouble when getting the car serviced. If he is worried he could roll back any changes before sending it in.
What would the bill be for? "Changing stuff you own"? When did we wholly give ourselves up to the idea that the manufacturer owns the stuff we bought, and they can penalize us for messing with their things?
They will see malware in the ECU. If a system is compromised by "obvious malware", other systems could be too. If there is a possible danger to your physical integrity, any sensible worker will worry and take action, especially before it evolves into a legal danger for them.
They will not hesitate to change the Electronic Control module and maybe the BSI also, just to be sure that your car doesn't fail at the worst moment and kill you. This could start at 1500 euro or much more depending on the brand. They will not understand your "right" to run Doom in your car.
Think also that currently some secondary car systems in many brands can be deactivated online, without creating a situation of danger for you, but making your driving experience really miserable if they want.
If you modify your car with an aftermarket part, and take it to the shop, they aren't going to yank out your aftermarket parts because they're "worried about liability." They're going to leave it there, because it's your car, not theirs. It's not their job to stupid-proof your vehicle, it's their job to fix it.
They will bill for the time lost chasing md5sums at least. You need to understand that cars are a bunch of computers now; but a laptop is not expected to kill you, and a car can. The risks associated with messing with the car are much higher.
And if you think that, let's say, "BMW" will hesitate a second to block your car heating online in the middle of winter, think again. I have seen it before. Even if you could hack it, reconfiguring the system again is not always easy or obvious without some knowledge of what values you need to enter.
You're confusing how things are with how they should be, though. I'm legally liable for any modifications I made to the car, so the manufacturer or repair garage should leave my property well alone.
It's not up to the car's maker to in any way interfere with or dictate the way I use my car.
Surprise bill for at best "the checksum didn't match so we gave ourselves another paid workorder to investigate the filesystem of your headunit"?
It's more likely that you get it back with a new software (and all your modifications wiped), because as part of the routine maintenance some blue-collar technician connects a USB-dongle and blindly upgrades the firmware.
Unless of course the modification is so popular that searching for it becomes part of the vendor's routine maintenance protocol...
Such as guarantees, recalls, offers, campaigns, financing, leasing, standard maintenance, buying original parts, upgrading software, downloading GPS maps, resetting the AdBlue, refilling your particle filter liquid, changing belts, buying extra power for some time...
I think that the term is pretty self-explanatory. Every kind of support that the customer could request from the brand after the sale. Some of these things can be provided by anybody, others only by the brand.
Most of these can be provided by any car shop (usually a lot cheaper than the manufacturer) and you don’t need to involve the manufacturer and rest are not things any normal person cares about.
But not all. I have never met a single car owner who spent solid money on their new car and then declined the maker's guarantee, but your definition of "normal people" may differ from mine.
Thinnest of fucking arguments. Sure, if there is a mechanical fault you get your shit replaced, but are you really arguing that you shouldn't hack your infotainment for the off chance that your car has a manufacturing defect?
You definitely do not need to go to the manufacturer for an oil change. If you can't change your car's oil yourself you can go to literally any car shop to get it changed pretty cheaply.
Complete nonsense. The fact I disabled OnStar on my vehicles, for example, is an interesting point of conversation only when I bring them in for an oil change. They happily show me the diagnostic codes it produces and could not care less about it, nor could I.
The idea of "hacking" cars feels great until you realize that these cars are driving on the same road as you.
Hobbyist car hackers are a group filled with overconfidence, and overconfidence can easily lead to a hell of a lot of pain and a million ways to shoot yourself in the face. Because electronic sensors tend to be connected with other sensors, which are connected with many other unsuspected things, and those last things can be more important than they seem.