Hyundai head unit hacking

BSides Sofia · 2023 · 34:46 · Published 2023-03
Speaker: Radoslav Gerganov
Category: Technical · Style: Talk

Transcript [en]

Hello everyone, I'm Rado. In this presentation I will tell you about some hacks for some car models, Hyundai and not only. I will briefly introduce myself in two words. This is the second time I present at BSides. I work as a programmer at VMware, where I deal with confidential computing. I make the disclaimer again that I am not talking about these things on behalf of VMware; I did everything in my free time. Almost everything is open source on GitHub. So, in the past there was only one radio in cars, with two buttons, one to change the frequency and the other to turn the volume up and down. In current cars there is something like this picture, a display with buttons. And in fact this thing, apart from letting us listen to the radio, has many other features. There is navigation, we can watch multimedia, there are lots of connections like Bluetooth, Wi-Fi and USB, and in general it is a computer that runs some kind of software. In some cars, for example Tesla, besides letting you watch multimedia, it can also drive the car. I will talk about Hyundai, I will not talk about Tesla. In this same week there is a very popular competition called Pwn2Own, and the reward for someone who hacks the Tesla is 600,000 USD. So the stakes are big. Most car manufacturers use the same software for most of their car models. What I will talk about has the marketing name Standard Gen5 Navigation, and this software is used not only in Hyundai but also in KIA and Genesis models, which I had not even heard of until then. These are cars produced in the period 2017-2020. I don't know exactly how many; I couldn't find any public data, but I think it's about a million cars. I will show you how to modify this software, install your own and, in a word, hack them.
Last year there was a very interesting series of blog posts by greenluigi1 titled "How I hacked my car", in which he talks about how he managed to build his own applications and run them on a 2021 Hyundai Ioniq. I won't retell everything that was published, but the idea was that the software installed on the head unit used keys for encryption and signing that are publicly known, let's say, because they are examples. For example, there is an AES key for encryption which is given on a website as an example key. There is an RSA key which is actually a copy-paste: they took the key from a tutorial on how to sign with RSA and OpenSSL. On the whole, an epic fail. Then I wanted to try whether these things work on my car, which is a 2020 Hyundai Tucson. It turned out that they don't work, and they don't work because it uses the previous generation of the software, whose internal name is D-Audio, while the 2021 car has a newer version, D-Audio 2V. So I decided to try to do on my car the things that greenluigi1 had published. The first target was the so-called Engineering Mode. What does this mean? These are hidden debug settings in the head unit which are intended for diagnostics. There you can see various logs from the applications, and on the whole they give a lot of information, so it is an interesting vector for further exploitation of the head unit. There were some codes on the internet that didn't work for me, and after that I decided to try to reverse engineer the software that runs on it. The way to install software updates on these cars is with the Navigation Updater, which lets you download the next version of the software, save it on a flash drive and install it in the car.
Here they call it Navigation Updater, but this is not just the navigation, this is the whole firmware that runs on the head unit, this computer in the car, which includes the bootloader, the operating system and all the applications. Yes, and they are all bundled into one flash image. In this Navigation Updater we can see which software version each model has; for mine it is Gen5W Navigation. After I downloaded an update I started looking at what is inside it. It is 20-something gigabytes, because there is navigation for the whole of Europe. The interesting part is that there is a file in the main directory, a listing of the files with some checksums, and very quickly we see that the most interesting file is called update-package.zip. When we try to open it, here it is: update-package.zip is encrypted and it has two ZIPs inside. One is called otacerts.zip and probably has some certificates; it is small. The other ZIP file is update.zip, which is bigger, 227 MB. And now, how does the encryption of ZIP files work? The password we use to encrypt a zip file is used to generate a pseudo-random stream. This stream is XORed with the plaintext and we get the ciphertext. The key derivation from the password generates 96 bits, which are used to initialize the stream. If we have them, we can generate the stream. In 2005 a paper was published with a relatively effective attack: if we know part of the plaintext, we can decrypt the zip effectively. It is enough to have at least 12 bytes of plaintext, and it has a complexity of about 2^40, which is feasible on current machines. And the tool I used is a program called bkcrack. It is on GitHub, an open-source implementation of this attack by Biham and Kocher. For it, 12 bytes of plaintext are required, of which at least 8 must be contiguous.
And the other important thing is that the zip files inside update-package.zip, the zip entries in update-package.zip, are not compressed, because there is no particular sense in compressing already compressed files, which makes the attack relatively easier. Now we need 12 bytes of plaintext from this zip. What would be a good candidate for plaintext? Every entry in a zip file has a so-called local file header. I have pulled it out here. It starts with 4 bytes of magic, which are fixed, then there is a 2-byte version, then there are some flags that say whether the entry is encrypted or not and some other things. Then comes the compression method, and finally we have the time and date of last modification, when the entry was last changed. From this table it is clear that at least 10 bytes can be easily identified. The first 4 are fixed, the others have slight variations. We can get 10 bytes very quickly, and 2 remain. For those 2 remaining bytes we can use either the time or the date of this zip entry. The time is recorded in DOS format, in which the seconds are divided by two, and we have about 43,200 possibilities for these two bytes if we brute-force the time. For the date, if we assume that the file is, for example, from the last five years, we get fewer possibilities, around 1,800, so it is better to brute-force the date. However, after we get these 12 bytes, one run of the attack takes about half an hour on a really good machine. And what I actually noticed here: if we pay attention to this update package, both ZIPs have the date April 21st, 2022, and what is the chance that, for example, otacerts.zip has a zip entry that is also from April 21st, 2022? And so we launch this invocation that does the cracking.
With -C we give the file, with -c we give the entry, then we give the plaintext, and with -x we indicate that at offset 12 there are the bytes 95 54, which is April 21, 2022 encoded in hex. In short, this thing works and extracts the keys for this zip file. Not the password, but the keys that are derived from this password. With these keys we can unarchive the zip file and see what is in the other two zip files, which are no longer encrypted. In otacerts.zip there is an X.509 certificate. In update.zip there is an Android image; you can see that it is actually an Android image. In boot there is a kernel and a ramdisk. About lk.rom we will talk in a bit. Recovery, splash, and system.ext4, which is the whole file system of the device. And once we have the whole system file and can look at it, we can easily reverse the applications, which are Android applications. We can mount this system.ext4 on Linux; it's quite simple. All applications are in the app directory. And now, for example, if we want to reverse the engineering mode, we see that there is an engineering mode odex. Odex files are optimized bytecode for Android applications, and there is a tool called baksmali which can be used to decompile the odex to .smali, and with the jadx decompiler we can see Java code, if it is not obfuscated. And it turned out that it is not obfuscated, that is, it is quite straightforward. With a simple grep we find the function getKeyString. What does it do? It takes the current date, the last digit of the year, does a switch, and for each digit there is a resource that says what the passcode is. Last year, 2022, ended in 2, so the code was 2702. This year it ends in 3, so the code is 2603. Now it is everywhere, but when I was googling at the time I didn't find these things anywhere. And in the same way we can find out what the password of the ZIP is.
Because the bkcrack tool gives us these 96 bits with which the keystream is initialized, and we can unarchive with them. But for the password itself we can reverse the application that performs this update on the car. It's the SWUpdate app. Again with some simple greps we get to the image file copy and getPassword, and this getPassword, I don't have a screenshot of it, but it really concatenates some of the system properties, does SHA-512 on them twice, takes some substring, and that is the password. That is, the whole process of updating the head unit depends on an encrypted zip with a fixed password. As it turned out later, these system properties do not change, so every next update has the same password. At least so far, all the updates I've seen have one password per model. The password differs between the different models, since they have different properties and accordingly different passwords. And now, what are the next steps? For the moment, we can reverse all future updates. There is no mechanism with which they can do something about it. These are encrypted ZIPs; there is nothing that can easily be changed, so nothing stops us from understanding how any new thing works. And the next question is how we can actually get some access to the system, how we can take it over. And it turned out that this file is signed with an RSA key, which is there in the META-INF directory. At first I was confused; I thought it was enough to change the zip file, archive it with the same password and install it. But it's not that way. It uses the Android OTA mechanism, which is Over-the-Air update, and which expects signed artifacts. So it's not that simple, and unlike the next version of the software, this key is not leaked. At least I haven't found it. The RSA key with which the update is signed is not leaked. And here I started thinking about some kind of exploit that I could use to get a shell or some kind of access. I had different ideas.
First I thought about USB exploits, because it is a relatively old Linux, kernel 3.10, and there are various USB exploits. For example, with BadUSB you can make a small USB device which, when you plug it in, triggers some use-after-free things, but these are very complex things, and the essence is that, unlike the next version, greenluigi1's 2021 one, here we don't have a kernel leak. For most of these kernel attacks we need a kernel leak, like an address leak. The other options were to find a bug in the standard applications, because we can reverse them, or to find one in third-party libraries, but none of these things worked and I was completely stuck. Until, a little before the end of last year, new information appeared: that these cars have some kind of secret recovery mechanism. And also there is information about the hardware, namely about the head unit, which uses some kind of system-on-chip from Telechips. And for this system-on-chip there is an SDK, which is leaked on some torrents. And this secret recovery mechanism, I tested it right away. It is triggered in the following way: there is a power button and a map button, and you turn on the ignition. If the car is already started, a reset is triggered to restart the head unit. It is different for different models. On my car it happens with power and map; on some others it is usually a different combination of two buttons. Something like this comes up. So here is a message about an error, a bootloader, something about USB, "Security Force" and some interesting strings, which, when I grepped for them in the unpacked update.zip, turned out to come from lk.rom, which I had previously ignored. LK means Little Kernel, and this is a small kernel that is used on embedded platforms. Its task is to initialize the hardware and to start the standard bootloader.
But the interesting thing here was that when I loaded this ROM in Ghidra and tried to reverse it and searched for these strings, they were not referenced anywhere. For example, this "Security Force" and "Clip Partition Data". And from these it became clear that this ROM loads at 8200 in memory, and there is a U-Boot that is running, but when we follow the start of the U-Boot we see that this lk.rom contains a U-Boot inside itself, which is a very popular bootloader. And there is this copy function; this function copies the U-Boot to an address a little higher in memory, in the 4th gigabyte, copies it there and then executes the code from there. That is, the U-Boot starts with a load address of 8000. And this was actually the key: if we carve the U-Boot out, since we know its offset in lk.rom, extract it and load it at the correct address, then Ghidra becomes much more straightforward for decompiling and reversing. And all the strings come up; I managed to see for each of the strings where it is referenced and what it is used for. Long story short, encryption is done with AES-128, and all these files that you saw in update.zip, with this recovery mechanism we can flash them and save them to the head unit's flash without any other checks happening. Yes, and now we have a mechanism with which we can change the firmware, which can do whatever we want. And now the question is what the minimum patch is with which we can get some kind of access. And while I was in this engineering mode, I saw that there is a hidden ADB setting. ADB is the Android Debug Bridge. This is a tool with which we can open a shell, upload files, and on the whole a debug tool for Android devices. Actually it exists, but it is only allowed in debug builds. In short, this array is checked, which does this if hasSystemFeature("adbhide"). So it is hidden by default. And how can we enable it?
We can do it by editing the file system: these features come from a file in /etc/permissions. By default it is enabled; there is this single line, the feature adbhide, and we just delete it. We mounted system.ext4, edited the file and removed the adbhide feature, unmounted it, encrypted it with this key, deployed it, and it's not clear what happened. My car was and still is under warranty, and I don't want to put these things on my car, although I'm sure that everything will work. But before that I had already published some of the things I'm telling you about on the Internet. And some people on Twitter wrote various things; they were already testing and trying them. And one such fearless person said that he would try it. Super! It was about a Kia Stinger 2020. We made a USB drive with the modified encrypted files, installed them, and in engineering mode ADB USB and ADB TCP appeared, which can't be enabled otherwise. So from here, when you click on ADB USB enabled, you can plug a laptop into the head unit and you can get a shell. Which is not a root shell but a shell like on a phone. So this shell is with some kind of regular user. And now the next question was how to get a root shell. Given that we have control over the system file and we can actually flash what we want, of course it is not a problem to put some binary of ours which is setuid. It turned out that there are already such binaries. So in the bin directory I found a very suspicious binary, amosu. I don't know what it is related to; it's super small, super suspicious, and Ghidra shows that it does setgid 0, setuid 0 and launches /bin/sh, which is exactly... And actually, pay attention, it is setuid, that is, it can be launched by any user and we get a root shell directly. I've put all of these things in my blog and in the end I've made a small tool that automates all of this.
A Python script which, when you give it this file from the update package, can encrypt it and prepare a Security Force USB drive with which you can flash your car. And what can we do with all these things? Like anything, it can be used for good and bad purposes. So, bad purposes: something that doesn't require any skill set is that this head unit can be bricked very easily. If you just put some corrupted ROM in through the USB, it bricks very fast. For example, a car can easily be bricked with a small USB drive. And more dedicated people can do any kind of spyware, because the head unit has GPS, there is a microphone, so I think you can record without any problem what is being said in the car, you can record where it goes and all kinds of events. And especially rental cars seem vulnerable to me, because you can rent a car, install something and then collect some data. In Sofia there is a very popular car-sharing service, I will not say which, with which there are many cars that are vulnerable. And the last thing to think about is that you can connect your phone with Android Auto or an iPhone. I think it's possible to do some kind of phishing, because the user has the idea that what the car is showing him is okay; to exploit the trust that users have towards the software that runs in the car. And the other, better-intentioned goals are to develop some third-party applications to run on it. On my project on GitHub people gave different ideas. We can make an application that records from the cameras on the car and make a dashcam, maybe some codes, we can launch large language models, which is the latest hype. But actually, what I want to do, and the first thing people want to answer about every piece of hardware that gets exploited, is: will it run DOOM? DOOM has been ported to a huge number of hardware devices: stoves, refrigerators, calculators, pregnancy tests, Twitter, in general anything with some kind of portable code.
And this is something that I hope one day I will have time to do. Thank you for your attention.
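As an added example (my code, not the speaker's tool and not bkcrack itself), here is a small Python model of the two things the talk's zip-cracking step relies on: the ZipCrypto stream cipher whose 96-bit internal state bkcrack recovers, and the known-plaintext setup built from the inner zip's local file header, including the date bytes 95 54 passed with -x at offset 12. The container and entry names and the bkcrack flags are as the talk gives them; the version, flag and method field values in header_prefix are typical guesses rather than values read from the real update, and the password and entry contents are constructed.

```python
"""Added example: ZipCrypto (PKWARE traditional encryption, APPNOTE.TXT 6.1)
plus the known-plaintext setup from the talk. Not the speaker's code."""
import struct
from datetime import date

TALK_DATE = date(2022, 4, 21)   # modification date seen on both ZIP entries

# CRC-32 table used by the ZipCrypto key schedule (reflected polynomial).
_CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    _CRC_TABLE.append(c)


def _crc32_step(crc: int, b: int) -> int:
    return _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """Cipher state is three 32-bit keys: the 96 bits the talk refers to."""

    INITIAL_KEYS = (0x12345678, 0x23456789, 0x34567890)

    def __init__(self, keys):
        self.k0, self.k1, self.k2 = keys

    @classmethod
    def from_password(cls, password: bytes) -> "ZipCrypto":
        z = cls(cls.INITIAL_KEYS)
        for b in password:      # key derivation: run the password through the state update
            z._update(b)
        return z

    def keys(self):
        return (self.k0, self.k1, self.k2)

    def _update(self, b: int) -> None:
        self.k0 = _crc32_step(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_step(self.k2, self.k1 >> 24)

    def _stream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self._stream_byte())
            self._update(p)     # the state advances with the plaintext byte
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self._stream_byte()
            out.append(p)
            self._update(p)
        return bytes(out)


def decrypt_with_internal_keys(ciphertext: bytes, keys) -> bytes:
    """What bkcrack's output enables: decrypt from the 96-bit state, no password."""
    return ZipCrypto(keys).decrypt(ciphertext)


def dos_date(d: date) -> bytes:
    """MS-DOS date (year-1980 : 7 bits, month : 4, day : 5), little-endian,
    stored at offset 12 of a local file header."""
    return struct.pack("<H", ((d.year - 1980) << 9) | (d.month << 5) | d.day)


def dos_time(hour: int, minute: int, second: int) -> bytes:
    """MS-DOS time at offset 10; seconds are stored divided by two."""
    return struct.pack("<H", (hour << 11) | (minute << 5) | (second // 2))


DOS_TIME_CANDIDATES = 24 * 60 * 30      # every representable time of day


def dos_date_candidates(last: date, years: int = 5) -> int:
    """Number of dates to try if the entry is at most `years` old."""
    return (last - last.replace(year=last.year - years)).days + 1


def header_prefix(version: int = 20, flags: int = 0, method: int = 8) -> bytes:
    """The 10 easily guessed bytes: signature, version needed, flags, method
    (field values are assumptions, not read from the real update)."""
    return b"PK\x03\x04" + struct.pack("<HHH", version, flags, method)


def bkcrack_command(container: str, entry: str, plain_file: str, mod_date: date):
    """The invocation from the talk: 10 bytes from a plaintext file, plus the
    2-byte date supplied with -x at offset 12."""
    return ["bkcrack", "-C", container, "-c", entry, "-p", plain_file,
            "-x", "12", dos_date(mod_date).hex()]


def demo():
    """Constructed round trip: stored entry data beginning with an inner zip's
    local file header, encrypted with ZipCrypto behind the usual 12-byte
    encryption header, then recovered from the keys alone."""
    inner = header_prefix() + dos_time(15, 27, 46) + dos_date(TALK_DATE) + b"\0" * 16
    cipher = ZipCrypto.from_password(b"constructed-example-password")
    recovered_keys = cipher.keys()              # what bkcrack would print
    ciphertext = cipher.encrypt(b"\xAA" * 12 + inner)
    plain = decrypt_with_internal_keys(ciphertext, recovered_keys)[12:]
    return plain == inner, recovered_keys
```

demo() encrypts under a password, throws the password away, and decrypts using only the three 32-bit keys, which is why bkcrack never needs the password to open update-package.zip. bkcrack's offsets count from the first data byte after the 12-byte encryption header, so the header bytes sit at negative offsets and the date lands at offset 12, as in the talk.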
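A second added example (again mine, not from the talk): the ADB-hiding feature the talk removes lives in one of the XML files under /etc/permissions, which Android's PackageManager reads to answer hasSystemFeature(). The sample file below is constructed in that format; only the feature name adbhide comes from the talk, and the real file name on the head unit is not given there. The code shows the check the app performs and the edit that flips it.

```python
"""Added example: the /etc/permissions feature edit described in the talk,
against a constructed sample file (not the real one from the head unit)."""
import xml.etree.ElementTree as ET

# Constructed sample in the layout of Android's /etc/permissions/*.xml files.
# Only "adbhide" is from the talk; the other entries are placeholders.
SAMPLE_PERMISSIONS_XML = """<?xml version="1.0" encoding="utf-8"?>
<permissions>
    <feature name="android.hardware.bluetooth" />
    <feature name="adbhide" />
    <feature name="android.hardware.usb.host" />
</permissions>
"""


def feature_names(xml_text: str) -> list:
    return [f.get("name") for f in ET.fromstring(xml_text).findall("feature")]


def has_system_feature(xml_text: str, name: str) -> bool:
    """Mirror of the hasSystemFeature() check: true when a matching
    <feature name="..."/> entry exists in the permissions file."""
    return name in feature_names(xml_text)


def remove_feature(xml_text: str, name: str) -> str:
    """Return the permissions XML with every <feature name=name/> removed;
    this is the one-line edit made on the mounted system.ext4."""
    root = ET.fromstring(xml_text)
    for feature in root.findall("feature"):
        if feature.get("name") == name:
            root.remove(feature)
    return ET.tostring(root, encoding="unicode")


def adb_hidden(xml_text: str) -> bool:
    """The head unit hides the ADB toggles exactly when the feature is present."""
    return has_system_feature(xml_text, "adbhide")
```

Removing the element leaves the other features untouched, so the patched file parses and behaves as before apart from the ADB USB and ADB TCP toggles becoming visible in engineering mode.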