[RightToMod-2021] Hacking Infotainment

Trez Trez at mazdatweaks.com
Sun Dec 13 09:54:14 PST 2020


Hi EFF,

Have I got a story for you!  I am Trevor aka Trezdog44, a hacker from 
So. Cal, 5 year EFF member and developer of the open source software 
MZD-AIO-TI <http://mazdatweaks.com>: The Mazda Connect Infotainment 
System All In One Tweaks Installer.  Feel free to use my name and any 
part of this story because I am very proud of what I have done with the 
help of a global community of talented hackers with one desire: to be 
able to modify and "tweak" the software that we use every day in our 
vehicles.  This is going to be long so strap in because it all starts in 
2014 before I even came into the scene...

Every Mazda model from 2014-2019 comes with the same infotainment 
system, the Mazda Connect 
<https://www.mazda.com/en/innovation/technology/connect/> system.  This 
system is basically Linux with a frame-less Opera full screen window 
running an intricate web app that controls Music, Navigation, and phone 
calling and texting functions.  It comes with certain limitations like 
when the car is driving (Speed > 0) the touchscreen is completely 
disabled forcing the user to use the control knob to control the system. 
This is what started it all because that was not OK for many users, so 
some hackers got together in forums and found a way to disable this 
"feature" and before long an exploit was found that would allow 
arbitrary code to run on the system essentially opening it up for any 
modification that a community of hackers could think of!  This drove 
someone to create a program that would give users a list of "tweaks" 
they could install including new user-made apps like a video player app, 
speedometer app and a community-made reverse-engineered version of 
Android Auto <https://github.com/gartnera/headunit/>.

Fast forward, 2016 held a personal milestone in my life, my first brand 
new car!  I researched a lot and decided on a Mazda 3 because I 
discovered that the infotainment system was hackable and I love that!  
That day I started messing with the tweaks and talked to the developer 
in Germany but he wasn't really a hacker, he was just a guy who liked 
computers winging it, so when I told him I wanted to rebuild the GUI and 
make the app more usable for everyday users he was happy to hand it off 
to me.  So I started building off his code with about 20 available 
tweaks to start and built it to include over 50, many of which I 
developed myself.  At first the exploit we used would allow modification 
to be done by anyone who wanted to do them with just a USB stick and the 
MZD-AIO app but then we started gaining notice from Mazda and some 
framed what we were doing as a dangerous security threat 
<https://github.com/shipcod3/mazda_getInfo>. This is what started the 
push-back.

Early on in the development of MZD-AIO on 02/17/2017 I (and a few 
others) experienced a DMCA Takedown 
<https://github.com/Trevelopment/MZD-AIO-TI> by NNG 
<https://github.com/github/dmca/blob/master/2017/2017-03-06-NNG.md> the 
company that makes the navigation software that they sell for a 
ridiculous price as an add-on to the system.   I took out all the 
tweaks having to do with navigation and moved on but it opened my eyes 
to the importance of what I was doing.  Mazda never contacted me or 
anything like that but from then on I felt their presence in the forums 
and shadows watching me and calculating what my next move would be.

Over the last 4 years several articles 
<https://www.bleepingcomputer.com/news/security/you-can-hack-some-mazda-cars-with-a-usb-flash-drive/> 
name me personally as the developer of MZD-AIO but none of them ever 
mention it being used in a harmful way.  In fact, I still frequently get 
emails from people thanking me for greatly improving their driving 
experience with sometimes as little as just being able to change the 
background to the Video Player 
<https://github.com/Trevelopment/Mazda-Videoplayer> app that I greatly 
improved over the years (so their kids can watch a movie while they are 
driving).  First the exploit we used was removed in v59.00.502 of the 
firmware but that didn't stop us at all.  With the help of one of my 
good hacker friends from Thailand, only days before we had just found an 
autorun file that ran on every boot and was not erased or replaced in 
the update process.  I quickly put out an update and warning message 
urging users to install the "Autorun and Recovery" tweak that would 
spark recovery back to the open system we knew and loved and allow the 
installation of tweaks after the update to the newest FW.  For those who 
already updated there had to be a little more drastic measures taken so 
we turned to an exploit we had known about for years but didn't have to 
use, connecting directly to the serial port 
<https://mazdatweaks.com/serial/>.  This would become the method that 
anyone who purchased the car with FW > 59.00.502 would have to use to 
modify their system but it requires a good amount of technical 
knowledge, skill and confidence to pull off.

With each update of the FW they tried to close the exploits but given 
that they would take approximately 4-6 months to release, the global 
hackers and I would find new exploits within days causing their 
developers to scramble back and attempt to stop us again.  Eventually 
they made a FW that is un-hackable but it took them 4 years and by then 
the community was tired, not to mention a new Infotainment system was 
released by Mazda (MZD Connect II?) for 2020 models killing the 
motivation to continue with this project.  I still maintain and answer 
questions from users every day but will probably only make 1 more update 
at the most to the MZD-AIO app.

Let me know if you need any additional information since it is 
impossible to include everything in this one email but I tried to touch 
on all the most important points.

Thanks for reading, I hope you liked my story and it helps EFF in the 
fight for digital freedom!

-- 
Peace out,
~ ŦⓇḝź