Hyundai Head Unit Hacking · random hacks
In the previous post I've shown how to crack the official firmware for Hyundai Tucson 2020 and reverse engineer it. At the end I was thinking that I can simply modify the update package, zip it again with the same password and push it to the car. But it turned out it isn't that simple.
The update package is signed with an RSA key which corresponds to the daudio.x509.pem certificate and this signature is checked during the update. This is part of the Android OTA update process which is used for updating the firmware of the whole unit (not just the car navigation).
Unlike the RSA key for Ioniq 2021, this key can't be found online (at least I haven't found it).
How can we get access to the head unit in this case? I was thinking of either of these two options:
- find an exploitable bug in one of the applications
- find an exploitable bug in the Linux kernel; the head unit is running Linux 3.1.10, so this looked feasible
I had no luck with both of them. Fortunately, I found some new information which allowed me to root the head unit.
New findings
First of all, I realized that Hyundai is shipping the same firmware to a lot of cars.
My car had the so called “Standard-class Gen5 navigation” which looks like this:
They call it “navigation” but it's basically the firmware of the whole head unit.
The same firmware is shipped on different Hyundai, KIA and Genesis models manufactured in the 2018-2021 timeframe.
The head unit is running on a Telechips TCC893X SoC and its SDK has been leaked on the internet.
There is a secret recovery mechanism which is triggered by holding the POWER button (left knob) and the MAP button upon start:
I tried it on my Hyundai Tucson 2020 and I got this nice error on the car screen:
Apparently the recovery mechanism is looking for some encrypted files on the USB drive.
A simple grep for these strings leads to the lk.rom file from the update package which I've been ignoring until now.
Let's load it in Ghidra and see what's going on.
Reversing lk.rom
LK stands for “little kernel”, a small open-source kernel which is used in many embedded platforms.
The head unit loads lk.rom at address 0x82000000. After setting the correct start address in Ghidra, we can easily identify the printf functions which print a lot of useful debug information.
Tracing the message "[DEBUG] U-Boot Recovery Button pushed .... \n" leads to:
Looks like the recovery mechanism is part of u-boot and its entry point is the function at 0x820589a8:
Using the debug message at line 14, we can easily infer that this function copies the u-boot code to 0x80000000 and starts it.
PTR_DAT_82058a38 is the start address of u-boot and PTR_DAT_82058a3c is the end address:
Using these addresses, we can “extract” the u-boot code from lk.rom with the following command:
$ dd if=lk.rom skip=$((0x1055c)) count=$((0x57894-0x1055c)) bs=1 of=uboot.rom
And then analyze uboot.rom as a separate binary with start address 0x80000000 in Ghidra.
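The address arithmetic behind that dd command, as an added example that is not code from the post: it assumes lk.rom is loaded flat at 0x82000000 and that the two pointers hold 0x8201055c and 0x82057894 (which is what skip=0x1055c and count=0x57894-0x1055c imply), checks that the region lies inside the file before carving it, and confirms the carved blob contains the security_force/ strings the recovery code looks for.

```python
# Assumed values (not stated directly in the post): lk.rom is loaded flat at
# 0x82000000, and the start/end pointers hold 0x8201055c / 0x82057894, which is
# what skip=0x1055c and count=0x57894-0x1055c in the post's dd command imply.
LK_LOAD_BASE = 0x82000000
UBOOT_START_VA = 0x8201055C
UBOOT_END_VA = 0x82057894
RECOVERY_MARKER = b"security_force/"  # path prefix the recovery code greps for

def va_to_offset(va, load_base=LK_LOAD_BASE):
    """Translate an address in the loaded image into a file offset."""
    if va < load_base:
        raise ValueError(f"{va:#x} lies below the load base {load_base:#x}")
    return va - load_base

def dd_params(start_va=UBOOT_START_VA, end_va=UBOOT_END_VA, load_base=LK_LOAD_BASE):
    """Return the (skip, count) pair the equivalent bs=1 dd command uses."""
    skip = va_to_offset(start_va, load_base)
    count = va_to_offset(end_va, load_base) - skip
    if count <= 0:
        raise ValueError("end address must lie above the start address")
    return skip, count

def carve(image, start_va=UBOOT_START_VA, end_va=UBOOT_END_VA, load_base=LK_LOAD_BASE):
    """Cut [start_va, end_va) out of the flat image, refusing truncated input."""
    skip, count = dd_params(start_va, end_va, load_base)
    if skip + count > len(image):
        raise ValueError(f"image is {len(image):#x} bytes, region ends at {skip + count:#x}")
    return image[skip:skip + count]

def looks_like_recovery_code(blob, marker=RECOVERY_MARKER):
    """Sanity check: the carved u-boot should contain the recovery path strings."""
    return marker in blob

def make_sample_lk(uboot_blob, start_va=UBOOT_START_VA, end_va=UBOOT_END_VA):
    """Constructed stand-in for lk.rom: filler, the blob padded to region size, a tail."""
    skip, count = dd_params(start_va, end_va)
    if len(uboot_blob) > count:
        raise ValueError("sample blob does not fit in the u-boot region")
    region = uboot_blob.ljust(count, b"\xff")
    return b"\x00" * skip + region + b"\x00" * 0x100

if __name__ == "__main__":
    sample = make_sample_lk(b"U-Boot demo " + RECOVERY_MARKER + b"file_info\x00")
    skip, count = dd_params()
    print(f"dd if=lk.rom skip={skip:#x} count={count:#x} bs=1 of=uboot.rom")
    blob = carve(sample)
    print(f"carved {len(blob):#x} bytes, recovery strings present: {looks_like_recovery_code(blob)}")
```

To run it against a real dump, replace the constructed sample with `open("lk.rom", "rb").read()` and write the carved bytes out as uboot.rom.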
Reversing uboot.rom (part of lk.rom)
There are again many debug strings which help a lot to understand what's going on.
The recovery mechanism is looking for the following files on the USB drive:
security_force/encrypt_lk.rom
security_force/encrypt_boot.img
security_force/encrypt_system.img
security_force/encrypt_recovery.img
security_force/encrypt_splash.img
security_force/encrypt_partition.dat
There is also security_force/file_info which contains the name, size and CRC32 checksum for each of the above files.
These files (except encrypt_partition.dat) correspond to the files we have found in the update package:
They must be encrypted with AES-128-CBC using key=”)1Zorxo^fAhGlh$#” and IV=”aoAkfwk+#1.6G{dE”.
Only system.ext4 must be converted to a sparse image before the encryption.
Patching system.ext4
Assuming that we can flash whatever we want with the recovery mechanism, what would be the minimal patch for the official firmware which will give us some kind of access to the head unit? While looking for exploitable bugs in the stock applications, I found a hidden menu in the Engineering Mode which allows ADB:
The boolean flag mDispAdb can be switched by tapping 5 times in the bottom right corner of the third page of “Module Information”.
However, if ADB_HIDE_FEATURE is present this flag is ignored and visibility is always set to 8 which means GONE.
The ADB_HIDE feature is set by default as we can see in system.ext4:
$ cat /tmp/car/etc/permissions/com.hkmc.software.engineermode.adb_hide.xml
<permissions>
    <feature name="com.hkmc.software.engineermode.adb_hide" />
</permissions>
Well, let's delete this feature, create a recovery package and push it to the car. Long story short, that worked!
With this simple change we have successfully enabled ADB on Kia Stinger 2020 and connected to it over USB!
Getting root shell
Now that we have an ADB shell, how do we become root? Turns out there is a convenient setuid binary called “amossu” in the stock firmware:
$ ls -la bin/amossu
-rwsr-sr-x 1 root root 37216 Oct 6 08:29 bin/amossu
It simply does (decompiled logic, written out as a complete program):
#include <unistd.h>
int main(int argc, char **argv) {
    setgid(0);  /* become the root group */
    setuid(0);  /* become root */
    execv("/system/bin/sh", argv);  /* replace the process with a shell, passing argv through */
    return 1;  /* only reached if execv fails */
}
I've released a small tool and instructions on how to create custom firmware for cars with Gen5 navigation.
You can find it here.
So far we have successfully verified the whole process on Kia Stinger 2020 (thanks to Ali Al-Rawi).
Last ideas
I hope this hack will allow creating some interesting mods for Gen5 cars.
For example, I'd love to see an app which records the video stream from the car's camera and saves it on a USB stick.
Of course, the ultimate goal remains running Doom on the head unit's screen 🙂
If you have any comments or feedback, you can leave them on Github.