I Hacked My Car Guides: Creating Custom Firmware (programmingwithstyle.com)
140 points by zdw on July 19, 2022 | hide | past | favorite | 49 comments


On a related note, factory-installed Toyota display systems can sometimes be locked and require an "ERC" code to unlock. The display in my recently imported car was in Japanese and seemed to be stuck, as none of the buttons or rear camera worked. I learned from Google Translate that it was in some kind of anti-theft lock mode, and after going down the rabbit hole I found out that I could access a secret menu by holding radio power and turning the headlights on and off three times, which revealed a screen displaying the display's serial number and asking for an "ERC" code.

It turns out some fine Internet people have written C# (https://github.com/alexeyfadeev/erc-calculator) and Python (https://github.com/Berks/python_erc) packages to generate these codes. Was really cool to figure this out without having to pay some shady site in Bitcoins! The display is still in Japanese, but at least I can use Bluetooth and the rear camera! Hope that helps someone.


My Dacia makes it easy for me :). If you reboot the infotainment system with a USB drive formatted with FAT it will run any commands in the `autorun_bavn/autorun.sh` file with root permissions.

Some people are unlocking more maps in the navigation system by patching files which tell the infotainment application what options you purchased.


Have you tried the new electric dacia? Wondering if one can just up the torque since it's electric. Would be dangerous, but curious how much faster it can get.


For this to be even remotely possible, the infotainment unit would have to have direct access to the CAN bus, which is certainly not the case (at least I hope). Most probably, the car exposes some features through an API to the infotainment unit, but that would not include any direct control over the car's driving operations.


I would expect the radio to have access to a CAN bus. The same diagnostics tool that uses CAN to read your engine should also be able to read the radio, and the infotainment should have all the ability to display all DTCs and what they mean.

I would expect all controllers with safety critical functions are carefully firewalled so that you cannot do bad things via CAN.


It depends on what you mean by critical I guess. comma.ai and OpenPilot use CAN to perform steering, acceleration and braking (I think).

https://github.com/commaai/openpilot/blob/master/selfdrive/c...


There are usually several CAN buses in the car. Entertainment (also includes power window buttons, etc. I guess) and power-train, with a gateway in between those if some of the PT-CAN messages are needed on the entertainment side.
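
The gateway described in that comment is where the "firewalling" of the earlier replies actually happens. The following is an added example, not code from any OEM, from opendbc or from the blog post: a minimal allow-list gateway that mirrors a few powertrain messages onto the body/infotainment bus read-only, never forwards anything in the other direction, rejects malformed frames and rate-limits each mirrored ID. The bus names, the arbitration IDs (0x1A0, 0x2C0, 0x3E8, 0x0E4) and the traffic are constructed; real IDs differ per vehicle and are not published.

```python
"""Allow-list CAN gateway between a powertrain bus and a body/infotainment bus.

Added example for the discussion above; not code from any OEM, opendbc or
the blog post. Bus names, arbitration IDs and the traffic are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

PT_BUS = "PT-CAN"      # engine, transmission, ABS, steering
BODY_BUS = "BODY-CAN"  # radio/infotainment, window switches, lighting


@dataclass(frozen=True)
class Frame:
    ts: float     # seconds, from the bus interface timestamp
    arb_id: int   # 11-bit standard identifier
    data: bytes   # 0..8 bytes (classic CAN)


# Hypothetical IDs. Only these PT-CAN messages are mirrored to the body bus,
# read-only; nothing from the body bus is ever forwarded into PT-CAN.
PT_TO_BODY_ALLOW = {
    0x1A0: "vehicle speed",
    0x2C0: "fuel level",
    0x3E8: "diagnostic response",
}


class Gateway:
    def __init__(self, allow=PT_TO_BODY_ALLOW, max_per_sec=50):
        self.allow = allow
        self.max_per_sec = max_per_sec
        self._recent = defaultdict(deque)   # arb_id -> timestamps in last second
        self.forwarded = 0
        self.dropped = []                   # (reason, frame) for logging / IDS

    def _drop(self, reason, frame):
        self.dropped.append((reason, frame))
        return None

    def route(self, src_bus, frame):
        """Return the destination bus for a frame, or None if it is dropped."""
        if src_bus != PT_BUS:
            # Body-side nodes (head unit included) can never write into
            # PT-CAN, whatever ID they put on the wire.
            return self._drop("body->pt forbidden", frame)
        if not 0 <= frame.arb_id <= 0x7FF or len(frame.data) > 8:
            return self._drop("malformed", frame)
        if frame.arb_id not in self.allow:
            return self._drop("not allow-listed", frame)
        # Per-ID rate limit: a node flooding an allowed ID cannot saturate
        # the body bus through the gateway.
        window = self._recent[frame.arb_id]
        while window and frame.ts - window[0] >= 1.0:
            window.popleft()
        if len(window) >= self.max_per_sec:
            return self._drop("rate limit", frame)
        window.append(frame.ts)
        self.forwarded += 1
        return BODY_BUS


def run_demo():
    """Constructed traffic: legitimate PT data, a head-unit injection, a flood."""
    gw = Gateway(max_per_sec=5)
    results = {}
    results["speed"] = gw.route(PT_BUS, Frame(0.0, 0x1A0, b"\x64\x00"))
    # Head unit tries to push a steering-looking frame toward PT-CAN.
    results["inject"] = gw.route(BODY_BUS, Frame(0.1, 0x0E4, b"\x7f\xff\x00\x00"))
    # Unlisted PT message (e.g. brake pressure) stays on PT-CAN.
    results["unlisted"] = gw.route(PT_BUS, Frame(0.2, 0x0E4, b"\x00" * 8))
    # A 9-byte payload is not classic CAN.
    results["malformed"] = gw.route(PT_BUS, Frame(0.3, 0x2C0, b"\x00" * 9))
    # Flood: 8 fuel-level frames within one second, limit is 5.
    results["flood"] = [gw.route(PT_BUS, Frame(0.4 + i * 0.01, 0x2C0, b"\x40"))
                        for i in range(8)]
    # Once the one-second window has passed the ID is accepted again.
    results["after_window"] = gw.route(PT_BUS, Frame(2.0, 0x2C0, b"\x40"))
    return gw, results


if __name__ == "__main__":
    gw, res = run_demo()
    print(res)
    for reason, frame in gw.dropped:
        print(f"dropped {frame.arb_id:#05x} at ts={frame.ts}: {reason}")
```

The point of the direction rule is that it does not matter which ID the head unit spoofs: a compromised infotainment image can only ever read what the gateway mirrors. Production gateways additionally check message counters and CRC bytes carried inside the payload, which this example leaves out.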


Which Dacia is this if I may ask?


A 2021 Sandero


Application development looks remarkably doable: https://programmingwithstyle.com/posts/howihackedmycarpart3/

I don't know how powerful the chip in the car is but I can see someone building quite a competent open source navigation system through Qt and some car APIs, assuming you can get some kind of map storage solution working


My experience (datapoint 1, working on ecocar in college a decade ago) was that they are exceedingly defensive revealing info about the CAN message format. It would likely require reverse engineering the protocol in order to make any apps that actually interface with the car somehow. Making a fully standalone app would be possible, but limited in usefulness.


That depends on what you want to do. OBDII diagnostics is mandated by law and so not hard to do across all cars. It is minimal information, but enough for most things. If you want anything else it is different for each car (not just each manufacturer; sometimes the same car model will have more than one variant).

The information you need isn't impossible to get: the manufacturers make this available to third party scan tools, but they assume anyone wanting this information considers paying $100,000 a nominal cost and won't question it. In a previous job (I left in 2010) I had access to this information, but we still spent a lot of time reverse engineering things because the documents were too often wrong.


See:

* DBC file: a proprietary format that describes the data over a CAN bus: http://socialledge.com/sjsu/index.php/DBC_Format

* OpenDBC: democratize access to car decoder rings: https://github.com/commaai/opendbc
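
The "decoder ring" the two links above describe is a DBC file: `BO_` lines name a message (CAN ID, name, DLC, sender) and the indented `SG_` lines give each signal's start bit, length, byte order (`@1` Intel/little-endian, `@0` Motorola/big-endian), signedness, factor and offset. As an added example (not opendbc's parser or anything from the thread), here is a minimal parser for those two line types plus a decoder that turns a raw frame into physical values. The DBC text, the message and signal names and the frame are constructed; multiplexed signals and attribute lines are ignored.

```python
"""Minimal DBC parser and CAN frame decoder (BO_/SG_ lines only).

Added example, not opendbc's or the thread's code. The DBC text, names and
the sample frame are constructed. Multiplexed signals (SG_ name M/m0 :) and
attribute lines are ignored.
"""
import re
from dataclasses import dataclass

SAMPLE_DBC = """\
VERSION ""

BO_ 256 ENGINE_DATA: 8 ECM
 SG_ ENGINE_SPEED : 0|16@1+ (0.25,0) [0|16383.75] "rpm" Vector__XXX
 SG_ COOLANT_TEMP : 16|8@1+ (1,-40) [-40|215] "degC" Vector__XXX
 SG_ THROTTLE_DELTA : 24|8@1- (0.5,0) [-64|63.5] "%" Vector__XXX
 SG_ VEHICLE_SPEED : 39|8@0+ (1,0) [0|255] "km/h" Vector__XXX
"""

_BO = re.compile(r"^BO_ (\d+) (\w+): (\d+) (\w+)")
_SG = re.compile(
    r'^\s*SG_ (\w+) : (\d+)\|(\d+)@([01])([+-]) \(([^,]+),([^)]+)\) \[[^\]]*\] "([^"]*)"'
)


@dataclass(frozen=True)
class Signal:
    name: str
    start: int
    length: int
    little_endian: bool   # @1 = Intel, @0 = Motorola
    signed: bool
    factor: float
    offset: float
    unit: str


@dataclass
class Message:
    can_id: int
    name: str
    dlc: int
    sender: str
    signals: list


def parse_dbc(text):
    """Return {can_id: Message}. Extended IDs carry bit 31 set in the file."""
    messages, current = {}, None
    for line in text.splitlines():
        m = _BO.match(line)
        if m:
            current = Message(int(m.group(1)) & 0x1FFFFFFF, m.group(2),
                              int(m.group(3)), m.group(4), [])
            messages[current.can_id] = current
            continue
        s = _SG.match(line)
        if s and current is not None:
            current.signals.append(Signal(
                s.group(1), int(s.group(2)), int(s.group(3)),
                s.group(4) == "1", s.group(5) == "-",
                float(s.group(6)), float(s.group(7)), s.group(8)))
    return messages


def _raw(data, sig):
    nbits = 8 * len(data)
    if sig.little_endian:
        if sig.start + sig.length > nbits:
            raise ValueError(f"{sig.name} exceeds frame")
        raw = int.from_bytes(data, "little") >> sig.start
    else:
        # Motorola: the DBC start bit is the MSB in "sawtooth" numbering
        # (bit 7 of byte n is its MSB). Convert to a position counted from
        # the MSB of byte 0 and shift the big-endian integer accordingly.
        msb_pos = (sig.start // 8) * 8 + (7 - sig.start % 8)
        if msb_pos + sig.length > nbits:
            raise ValueError(f"{sig.name} exceeds frame")
        raw = int.from_bytes(data, "big") >> (nbits - (msb_pos + sig.length))
    raw &= (1 << sig.length) - 1
    if sig.signed and raw & (1 << (sig.length - 1)):
        raw -= 1 << sig.length      # two's complement
    return raw


def decode(messages, can_id, data):
    """Decode one frame into {signal_name: physical_value}."""
    msg = messages.get(can_id)
    if msg is None:
        raise KeyError(f"no BO_ for id {can_id:#x}")
    if len(data) != msg.dlc:
        raise ValueError(f"{msg.name}: DLC {len(data)} != {msg.dlc}")
    return {s.name: _raw(data, s) * s.factor + s.offset for s in msg.signals}


if __name__ == "__main__":
    db = parse_dbc(SAMPLE_DBC)
    # constructed frame: 3000 rpm, 90 degC, -3 %, 100 km/h
    print(decode(db, 0x100, bytes.fromhex("e02e82fa64000000")))
```

The Motorola conversion is where most home-grown decoders go wrong: the start bit in a DBC is the most significant bit of the signal in sawtooth numbering, not its least significant bit, so a signal at `39|8@0` is exactly byte 4. Rejecting frames whose length does not match the declared DLC matters too, since a short frame would otherwise silently decode garbage.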


OBDII is only required for engine diagnostics, no? I've heard that Tesla cars don't have them, for example.


It depends what country you're in. In my country, the Tesla does have an OBD II port, because it's a requirement for cars sold here. I don't believe that's the case in the US, although those have a CAN port.


It is only required for emissions diagnostics. Which is a small subset of total engine diagnostics, though the most common things to go wrong on an engine affect emissions so for practical purposes it is engine.


Quite a few people have already done this for the Ford Sync3 infotainment systems which are based on QNX6. You only need to connect a SD reader to the eMMC module on the daughterboard and mount the disk and install ssh. There are a few jigs around which you can buy to make this easier. The root password takes about 30 minutes with hashcat if you have an old model with broken signature checking so you can install a custom update package and install a ssh server that way (you do not need disk access for the digest, updates will get you there).

Depending on where you live, this might be illegal though.


Where would you look to determine this?


> These values are actually the first AES 128bit CBC example key/iv listed in the NIST document SP800-38A.

I'd love to have a better insight into how exactly this happens. Not that it sounds like it would have been much of an issue even if properly generated keys and IVs were used.
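
Because the key and IV in question are printed in a public NIST document, anyone auditing a firmware image can simply look for them. The following is an added example, not the blog author's tooling nor any OEM's code: it scans a blob for the AES-128/192/256 example keys and the CBC example IV from SP 800-38A, Appendix F, and additionally flags 16-byte windows that are constant or a plain +1/-1 byte run (the kind of "key" copied from a tutorial). The firmware blob is constructed here so that it contains two of those values.

```python
"""Scan a firmware image for published AES example keys and trivial key patterns.

Added example prompted by the comment above; not the blog author's tooling
or any OEM's code. Known values are the AES example keys and the CBC IV
from NIST SP 800-38A, Appendix F. The sample blob is constructed.
"""

KNOWN_VECTORS = {
    "NIST SP 800-38A AES-128 example key":
        bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"),
    "NIST SP 800-38A AES-192 example key":
        bytes.fromhex("8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b"),
    "NIST SP 800-38A AES-256 example key":
        bytes.fromhex("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"),
    "NIST SP 800-38A CBC example IV (00..0f)":
        bytes.fromhex("000102030405060708090a0b0c0d0e0f"),
}


def _trivial_step(w):
    """Return 0, 1 or 255 if w is constant or a +1/-1 byte run, else None."""
    step = (w[1] - w[0]) % 256
    if step not in (0, 1, 255):
        return None
    if all((w[i + 1] - w[i]) % 256 == step for i in range(len(w) - 1)):
        return step
    return None


def scan(blob, window=16):
    """Return sorted (offset, length, label) findings for a firmware blob."""
    findings, covered = [], set()
    # 1. exact matches against published test-vector material
    for label, value in KNOWN_VECTORS.items():
        pos = blob.find(value)
        while pos != -1:
            findings.append((pos, len(value), label))
            covered.update(range(pos, pos + len(value)))
            pos = blob.find(value, pos + 1)
    # 2. heuristic: constant or sequential runs at least one window long,
    #    reported once per run and skipping bytes already matched above
    i = 0
    while i + window <= len(blob):
        if i in covered:
            i += 1
            continue
        step = _trivial_step(blob[i:i + window])
        if step is None:
            i += 1
            continue
        j = i + window
        while j < len(blob) and (blob[j] - blob[j - 1]) % 256 == step:
            j += 1
        findings.append((i, j - i, "trivial pattern (constant or +/-1 byte run)"))
        i = j
    return sorted(findings)


def build_sample_firmware():
    """Constructed blob: pseudo-random filler with the NIST key, the NIST IV
    and a run of zero padding embedded at known offsets."""
    blob = bytearray((i * 73 + 41) % 256 for i in range(512))
    blob[64:80] = KNOWN_VECTORS["NIST SP 800-38A AES-128 example key"]
    blob[200:216] = KNOWN_VECTORS["NIST SP 800-38A CBC example IV (00..0f)"]
    blob[300:332] = b"\x00" * 32
    return bytes(blob)


if __name__ == "__main__":
    for offset, length, label in scan(build_sample_firmware()):
        print(f"{offset:#08x} +{length:<3d} {label}")
```

A hit on a known vector is conclusive on its own; a hit from the heuristic only says "look here", since zero padding and counters produce the same pattern. When a candidate key is found, the natural next step is to try it against the image's encrypted payload, which is what the blog post's author did by hand.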


At the end of the day, lack of competent security leadership at Hyundai. In my work with other auto OEM's, there is some kind of security officer assigned to a vehicle model or platform that specifies requirements and that requires formal attestations for things like private key material, SSL cipher suites, process isolation and so forth.

At the other OEM's I have worked with, private key material lives on an HSM controlled by the OEM and all signing/encryption is done by the OEM for production builds.

If they are using example keys from NIST and private keys from published tutorials, then I would not be surprised if they are also using defaults for TLS - for example: allowing TLS 1.0, allowing TLS 1.1, allowing weak cipher suites, etc.


My bet is either subcontracting the development to a lowest-bidder with no understanding of the concepts behind the code they're writing, or malicious compliance by an engineer that sees no reason to prevent people from installing custom firmware on their own car but still needed something that "looked" secure to get approved by management.


I wonder how you can confirm you don't have jailbroken firmware when buying a second hand vehicle.


For some reason, PCs and iPhones are the only class of devices that allow full system reimaging. Not even most Android devices have facilitations for that.


What is TeamWin TWRP? What is ODIN?


> What is TeamWin TWRP? What is ODIN?

They're great tools that are available for a tiny fraction of devices, usually only after jumping through hoops, thus failing to invalidate the claim

>> Not even most Android devices have facilitations for that.

(Emphasis mine)


Back when HTC existed you had to fill out a form with the manufacturer for an unlock before you could use anything like that.


Or wait for tools that could unlock your bootloader. Revolutionary S-OFF anyone?


If you have to wait 6 months for someone to just suddenly show up and tell you to short TP12 to TP21 within 12 seconds from starting a patched leaked tool on your PC, that just doesn't count on so many levels.


It wasn't like that for the HTC Desire at least, back in 2011 when I rooted mine I simply ran the Revolutionary utility and it was unlocked.


And that's not distributed via any of their official channels. That's a hack.

Edit: my intention was there is no official way of doing it, and conveniently forgot to say so in my original comment. That was unfair on my side, sorry.


"Attachment: [Official][Stock][Leaked]FFR31_b11_r2134_9K432_RedBoot_12.345_20250917.bin.7z (96 MB)" doesn't count.


I feel like I'd actually value the blog author's car _more_ after the modifications. Well, at the moment it would be either neutral or slightly positive (the author has demonstrated what's possible), but if any extra functionality were added, I'd be a happy camper.


The author's car (where you presumably have some assurance the firmware on the device is what is claimed)? Sure.

A random car from a 2nd hand car lot with a mystery custom firmware? Oh hellllllll no.

This only adds value if you assume there are no bad actors. I'd bet $100 that if this becomes common, 2nd hand car lots will sell access to install creepy tracking firmware on all cars that pass through their hands.


I agree I'd like to be made aware of any such changes made by previous owners, but I pretty much consider the makers of the OEM software as bad actors at this point.


> A random car from a 2nd hand car lot with a mystery custom firmware? Oh hellllllll no.

Just like any random car can have a $100 GPS tracker or spy microphone hidden which you won't locate without dismantling the entire car.

If someone wants to spy or be nefarious with a car I can think of many easier & cheaper ways than making custom firmware for the radio.


You often connect your phone to this system though, via cable or Bluetooth, so I can see a pretty simple attack vector here to enable being way more nefarious than just GPS tracking…


What's stopping me from uploading custom firmware that:

exfiltrates private information like contacts, SMS,etc..

sends premium rate SMS's/spam contacts

trackers

bitcoin miners

virus

adverts

etc...


Always wanted to do this on my wife's Kia. But the head unit is so slow and the touchscreens die after only a few years so I've got a box of 3 of these bad oems and finally installed an after market unit.


It makes the car illegal, doesn't it?

I don't speak about the vendor's warranty, I'm speaking about the road code.

As far as I know, many countries forbid meddling with brakes, lights, the engine exhaust system and other systems related to road safety.

I understand that the infotainment system is not the brakes, but still - many modern cars allow you to set up ABS and traction control modes via the same interface, for example.


On a lot of cars the infotainment system explicitly doesn't do that because of the security implications. Our 2021 has a lot of non-critical settings in the touchscreen display, and all of the road behavior settings are set on the screen behind the wheel and configured with the arrow keys on the wheel.


Depends on the make. For my 2013 Volvo I can adjust some of the driving assistant configs (e.g. disable blind spot information) and switch the light to left-hand traffic. This won't explode the car, but might be enough control for some malware to cause an accident.


What are "car guides?"


I've always wondered if a car is still insurable after one loads custom firmware.


He's not loading custom firmware on the car - the title is clickbait. In fact, there is no "car" when it comes to firmware - there's no central computer that controls the "car".

There are separate modules that do well-defined tasks and only a few of them would ever be relevant in an insurance/accident scenario (engine/transmission controller, power steering and maybe ABS).

What he's done here is equivalent to installing an aftermarket head unit, something people have been doing for decades. But even editing firmware (or rather the data tables in there - also called "maps") from more "spicy" controllers such as the engine management controller is routinely done by auto tuning shops and in practice the worst that happens is blowing up your engine by pushing it beyond its limits.


After-market head units don't seem to have access to the same data as this factory-installed one. Can after-market head units read gas tank levels, battery voltage, door lock statuses (and lock/unlock doors with commands), and probably interface with the climate control system, too?


The challenge with doing this with an aftermarket headunit is that you need to cover a meaningful number of different vehicles in order for the feature to be useful to your customer base.

With that said, yes, if you happen to have a suitably common vehicle (e.g. Ford F150).


Nothing prevents them from having access - it’s just a matter of reverse-engineering the messages transiting on the various CAN buses the radio has access to.

Zenec for example makes units that are able to display & control HVAC and parking radar on VAG Group (Volkswagen/Audi/Seat/Skoda) vehicles, pulling the data from the CAN bus.

In the authors case he’s reusing existing manufacturer-provided libraries that handle CAN message parsing but there’s no reason you couldn’t do it from scratch with enough effort.


yes... but insurance might be void when you have an accident, if this is discovered (I'd hope it will only matter if there is an electronic problem impacting the accident).


This means you have a (void) insurance contract, but the car isn't insured.



