[RightToMod-2021] Hacking Infotainment
Trez
Trez at mazdatweaks.com
Sun Dec 13 09:54:14 PST 2020
Hi EFF,
Have I got a story for you! I am Trevor aka Trezdog44, a hacker from
So. Cal, 5 year EFF member and developer of the open source software
MZD-AIO-TI <http://mazdatweaks.com>: The Mazda Connect Infotainment
System All In One Tweaks Installer. Feel free to use my name and any
part of this story because I am very proud of what I have done with the
help of a global community of talented hackers with one desire: to be
able to modify and "tweak" the software that we use every day in our
vehicles. This is going to be long so strap in because it all starts in
2014 before I even came into the scene...
Every Mazda model from 2014-2019 comes with the same infotainment
system, the Mazda Connect
<https://www.mazda.com/en/innovation/technology/connect/> system. This
system is basically Linux with a frame-less Opera full screen window
running an intricate web app that controls Music, Navigation, and phone
calling and texting functions. It comes with certain limitations like
when the car is driving (Speed > 0) the touchscreen is completely
disabled forcing the user to use the control knob to control the system.
This is what started it all because that was not OK for many users, so
some hackers got together in forums and found a way to disable this
"feature" and before long an exploit was found that would allow
arbitrary code to run on the system essentially opening it up for any
modification that a community of hackers could think of! This drove
someone to create a program that would give users a list of "tweaks"
they could install including new user-made apps like a video player app,
speedometer app and a community-made reverse-engineered version of
Android Auto <https://github.com/gartnera/headunit/>.
Fast forward, 2016 held a personal milestone in my life, my first brand
new car! I researched a lot and decided on a Mazda 3 because I
discovered that the infotainment system was hackable and I love that!
That day I started messing with the tweaks and talked to the developer
in Germany but he wasn't really a hacker, he was just a guy who liked
computers winging it, so when I told him I wanted to rebuild the GUI and
make the app more usable for everyday users he was happy to hand it off
to me. So I started building off his code with about 20 available
tweaks to start and built it to include over 50, many of which I
developed myself. At first the exploit we used would allow modification
to be done by anyone who wanted to do them with just a USB stick and the
MZD-AIO app but then we started gaining notice from Mazda and some
framed what we were doing as a dangerous security threat
<https://github.com/shipcod3/mazda_getInfo>. This is what started the
push-back.
Early on in the development of MZD-AIO on 02/17/2017 I (and a few
others) experienced a DMCA Takedown
<https://github.com/Trevelopment/MZD-AIO-TI> by NNG
<https://github.com/github/dmca/blob/master/2017/2017-03-06-NNG.md> the
company that makes the navigation software that they sell for a
ridiculous price as an add-on to the system.  I took out all the
tweaks having to do with navigation and moved on but it opened my eyes
to the importance of what I was doing. Mazda never contacted me or
anything like that but from then on I felt their presence in the forums
and shadows watching me and calculating what my next move would be.
Over the last 4 years several articles
<https://www.bleepingcomputer.com/news/security/you-can-hack-some-mazda-cars-with-a-usb-flash-drive/>
name me personally as the developer of MZD-AIO but none of them ever
mention it being used in a harmful way. In fact, I still frequently get
emails from people thanking me for greatly improving their driving
experience with sometimes as little as just being able to change the
background to the Video Player
<https://github.com/Trevelopment/Mazda-Videoplayer> app that I greatly
improved over the years (so their kids can watch a movie while they are
driving). First the exploit we used was removed in v59.00.502 of the
firmware but that didn't stop us at all. With the help of one of my
good hacker friends from Thailand, only days before we had just found an
autorun file that ran on every boot and was not erased or replaced in
the update process. I quickly put out an update and warning message
urging users to install the "Autorun and Recovery" tweak that would
spark recovery back to the open system we knew and loved and allow the
installation of tweaks after the update to the newest FW. For those who
already updated there had to be a little more drastic measures taken so
we turned to an exploit we had known about for years but didn't have to
use, connecting directly to the serial port
<https://mazdatweaks.com/serial/>. This would become the method that
anyone who purchased the car with FW > 59.00.502 would have to use to
modify their system but it requires a good amount of technical
knowledge, skill and confidence to pull off.
With each update of the FW they tried to close the exploits but given
that they would take approximately 4-6 months to release, the global
hackers and I would find new exploits within days causing their
developers to scramble back and attempt to stop us again. Eventually
they made a FW that is un-hackable but it took them 4 years and by then
the community was tired, not to mention a new Infotainment system was
released by Mazda (MZD Connect II?) for 2020 models killing the
motivation to continue with this project. I still maintain and answer
questions from users every day but will probably only make 1 more update
at the most to the MZD-AIO app.
Let me know if you need any additional information since it is
impossible to include everything in this one email but I tried to touch
on all the most important points.
Thanks for reading, I hope you liked my story and it helps EFF in the
fight for digital freedom!
--
Peace out,
~ ŦⓇḝź