Hyundai Head Unit Hacking · random hacks

2023-01-17 16:21:43

In the previous post I've shown how to hack the official firmware for Hyundai Tucson 2020
and reverse engineer it. At the end I was thinking that I can simply modify the update package,
zip it again with the same password and push it to the car. But it turned out it isn't that simple.
The update package is signed with an RSA key which corresponds to the daudio.x509.pem certificate
and this signature is checked during the update. This is part of the Android OTA update process
which is used for updating the firmware of the whole unit (not just the car navigation).
Unlike the RSA key for Ioniq 2021,
this key can't be found online (at least I haven't found it).
How do we get access to the head unit in this case? I was thinking of either of these two options:

  • find an exploitable bug in one of the applications
  • find an exploitable bug in the Linux kernel; the head unit is running Linux 3.1.10, so this looked feasible

I had no luck with either of them. Fortunately, I found some new information which allowed me to root the head unit.

New findings

First of all, I noticed that Hyundai is shipping the same firmware to a lot of cars.
My car had the so called "Standard-class Gen5 navigation" which looks like this:

They call it "navigation" but it's basically the firmware of the whole head unit.
The same firmware is shipped on different Hyundai, KIA and Genesis models manufactured in the 2018-2021 timeframe.

The head unit is running on a Telechips TCC893X SoC
and its SDK has been leaked on the internet.
There is a secret recovery mechanism which is triggered by holding the POWER button (left knob) and the MAP button on start:

I tried it on my Hyundai Tucson 2020 and I got this nice error on the car screen:

Apparently the recovery mechanism is looking for some encrypted files on the USB drive.
A simple grep for these strings leads to the lk.rom file from the update package which I've been ignoring until now.
Let's load it in Ghidra and see what's going on.

Reversing lk.rom

LK stands for "little kernel", a small open-source kernel which is used in many embedded platforms.
The head unit loads lk.rom at address 0x82000000. After setting the correct start address in Ghidra, we can
easily identify printf functions which print a lot of useful debug information.
Tracing the message "[DEBUG] U-Boot Recovery Button pushed .... \n" leads to:

Looks like the recovery mechanism is part of u-boot and its entry point is the function at 0x820589a8:

Using the debug message at line 14, we can easily infer that this function copies the u-boot code to 0x80000000 and starts it.
PTR_DAT_82058a38 is the start address of u-boot and PTR_DAT_82058a3c is the end address:

Using these addresses, we can "extract" the u-boot code from lk.rom with the following command:

$ dd if=lk.rom skip=$((0x1055c)) count=$((0x57894-0x1055c)) bs=1 of=uboot.rom

And then analyze uboot.rom as a separate binary with start address 0x80000000 in Ghidra.

Reversing uboot.rom (part of lk.rom)

There are again many debug strings which help a lot to understand what's going on.
The recovery mechanism is looking for the following files on the USB drive:

  • security_force/encrypt_lk.rom
  • security_force/encrypt_boot.img
  • security_force/encrypt_system.img
  • security_force/encrypt_recovery.img
  • security_force/encrypt_splash.img
  • security_force/encrypt_partition.dat

There is also security_force/file_info which contains the name, size and CRC32 checksum for each of the above files.
These files (except encrypt_partition.dat) correspond to the files we have found in the update package:


They must be encrypted with AES-128-CBC using key=")1Zorxo^fAhGlh$#" and IV="aoAkfwk+#1.6G{dE".
Only system.ext4 must be converted to a sparse image before the encryption.

Patching system.ext4

Assuming that we can flash whatever we want with the recovery mechanism, what would be the minimal patch for the official firmware
which will give us some kind of access to the head unit? While looking for exploitable bugs in the stock applications, I found
a hidden menu in the Engineering Mode which allows ADB:

The boolean flag mDispAdb can be toggled by tapping 5 times in the bottom right corner of the third page of "Module Info".
However, if ADB_HIDE_FEATURE is present this flag is ignored and visibility is always set to 8 which means GONE.
The ADB_HIDE feature is set by default as we can see in system.ext4:

$ cat /tmp/car/etc/permissions/com.hkmc.software.engineermode.adb_hide.xml
<permissions>
    <feature name="com.hkmc.software.engineermode.adb_hide" />
</permissions>

Well, let's delete this feature, create a recovery package and push it to the car. Long story short, that worked!
With this simple change we have successfully enabled ADB on Kia Stinger 2020 and connected to it over USB!

Getting root shell

Now that we have an ADB shell, how do we become root? Turns out there is a convenient setuid binary called "amossu" in the stock firmware:

$ ls -la bin/amossu
-rwsr-sr-x 1 root root 37216 Oct  6 08:29 bin/amossu

It simply does:

setgid(0);                       /* switch to group root */
setuid(0);                       /* switch to user root */
execv("/system/bin/sh",__argv);  /* then hand over to a shell, passing the caller's argv through */

I've released a small tool and instructions on how to create custom firmware for cars with Gen5 navigation.
You can find it here.
So far we have successfully verified the whole process on Kia Stinger 2020 (thanks to Ali Al-Rawi).
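The two image-level facts this post relies on, the feature gate in etc/permissions and a setuid-root shell wrapper, are exactly what a firmware reviewer should inventory before and after any modification. The following audit script is an added example (not part of the original post or the released tool); it assumes system.ext4 has been mounted or extracted under a directory such as /tmp/car and walks that tree for setuid/setgid files and declared features.

```python
import os
import stat
import sys
import xml.etree.ElementTree as ET
from typing import NamedTuple

class PrivBinary(NamedTuple):
    path: str
    mode: int  # full st_mode; a -rwsr-sr-x regular file is 0o106755
    uid: int
    gid: int

def is_privileged_mode(mode: int) -> bool:
    """True for a regular file carrying the setuid and/or setgid bit."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))

def find_privileged(root: str) -> list:
    """List setuid/setgid regular files under root (amossu shows as 0o106755, uid 0)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # judge symlinks by their own mode, never follow
            if is_privileged_mode(st.st_mode):
                found.append(PrivBinary(path, st.st_mode, st.st_uid, st.st_gid))
    return sorted(found)

def features_from_xml(text: str) -> list:
    """Return the <feature name=...> entries declared in one permissions XML."""
    return [f.get("name") for f in ET.fromstring(text).iter("feature")]

def declared_features(root: str) -> dict:
    """Map each feature in etc/permissions/*.xml to the file declaring it."""
    # Gates like com.hkmc.software.engineermode.adb_hide live here; diff stock vs. modified.
    perm_dir = os.path.join(root, "etc", "permissions")
    feats = {}
    if os.path.isdir(perm_dir):
        for name in sorted(os.listdir(perm_dir)):
            if name.endswith(".xml"):
                with open(os.path.join(perm_dir, name), encoding="utf-8") as fh:
                    for feat in features_from_xml(fh.read()):
                        feats[feat] = name
    return feats

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/tmp/car"  # assumed mount point
    for b in find_privileged(root):
        print(f"{b.mode:o} uid={b.uid} gid={b.gid} {b.path}")
    for feat, src in declared_features(root).items():
        print(f"feature {feat} ({src})")
```

Running it against a stock image and again against a patched one makes the removed adb_hide gate and every setuid-root binary visible in one diff.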

Final thoughts

I hope this hack will allow creating some interesting mods for Gen5 cars.
For example, I'd love to see an app which records a video stream from the car's camera and saves it on a USB stick.
Of course, the ultimate goal remains running Doom on the head unit screen :)

If you have any comments or feedback, you can leave them on Github.
