[RightToMod-2021] Hacking Infotainment

kit kit at eff.org
Sun Dec 13 16:07:13 PST 2020 

Thanks so much, Trez! If you do ever hear from Mazda, please don't 
hesitate to reach out. Sounds like a great project!

On 2020-12-13 09:54, Trez wrote:
> Hi EFF,
> 
> Have I got a story for you!  I am Trevor aka Trezdog44, a hacker from
> So. Cal, 5 year EFF member and developer of the open source software
> MZD-AIO-TI [1]: The Mazda Connect Infotainment System All In One
> Tweaks Installer.  Feel free to use my name and any part of this story
> because I am very proud of what I have done with the help of a global
> community of talented hackers with one desire: to be able to modify
> and "tweak" the software that we use every day in our vehicles.  This
> is going to be long so strap in because it all starts in 2014 before I
> even came into the scene...
> 
> Every Mazda model from 2014-2019 comes with the same infotainment
> system, the Mazda Connect [2] system.  This system is basically Linux
> with a frame-less Opera full screen window running an intricate web
> app that controls Music, Navigation, and phone calling and texting
> functions.  It comes with certain limitations like when the car is
> driving (Speed > 0) the touchscreen is completely disabled forcing the
> user to use the control knob to control the system.  This is what
> started it all because that was not OK for many users, so some hackers
> got together in forums and found a way to disable this "feature" and
> before long an exploit was found that would allow arbitrary code to
> run on the system essentially opening it up for any modification that
> a community of hackers could think of!  This drove someone to create a
> program that would give users a list of "tweaks" they could install
> including new user-made apps like a video player app, speedometer app
> and a community-made reverse-engineered version of Android Auto [3].
> 
> Fast forward, 2016 held a personal milestone in my life, my first
> brand new car!  I researched a lot and decided on a Mazda 3 because I
> discovered that the infotainment system was hackable and I love that!
> That day I started messing with the tweaks and talked to the developer
> in Germany but he wasn't really a hacker, he was just a guy who liked
> computers winging it, so when I told him I wanted to rebuild the GUI
> and make the app more usable for everyday users he was happy to hand
> it off to me.  So I started building off his code with about 20
> available tweaks to start and built it to include over 50 many of
> which I developed myself.  At first the exploit we used would allow
> modification to be done by anyone who wanted to do them with just a
> USB stick and the MZD-AIO app but then we started gaining notice from
> Mazda and some framed what we were doing as a dangerous security
> threat [4]. This is what started the push-back.
> 
> Early on in the development of MZD-AIO on 02/17/2017 I (and a few
> others) experienced a DMCA Takedown [5] by NNG [6] the company that
> makes the navigation software that they sell for a ridiculous price as
> an add on the the system.   I took out all the tweaks having to do
> with navigation and moved on but it opened my eyes to the importance
> of what I was doing.  Mazda never contacted me or anything like that
> but from then on I felt their presence in the forums and shadows
> watching me and calculating what my next move would be.
> 
> Over the last 4 years several articles [7] name me personally as the
> developer of MZD-AIO but none of them ever mention it being used in a
> harmful way.  In fact, I still frequently get emails from people
> thanking me for greatly improving their driving experience with
> sometimes as little as just being able to change the background to the
> Video Player [8] app that I greatly improved over the years (so their
> kids can watch a movie while they are driving).  First the exploit we
> used was removed in v59.00.502 of the firmware but that didn't stop us
> at all.  With the help of one of my good hacker friends from Thailand,
> only days before we had just found an autorun file that ran on every
> boot and was not erased or replaced in the update process.  I quickly
> put out an update and warning message urging users to install the
> "Autorun and Recovery" tweak that would spark recovery back to the
> open system we knew and loved and allow the installation of tweaks
> after the update to the newest FW.  For those who already updated
> there had to be a little more drastic measures taken so we turned to
> an exploit we had known about for years but didn't have to use,
> connecting directly to the serial port [9].  This would become the
> method that anyone who purchased the car with FW > 59.00.502 would
> have to use to modify their system but it requires a good amount of
> technical knowledge, skill and confidence to pull off.
> 
> With each update of the FW they tried to close the exploits but given
> that they would take approximately 4-6 months to release, the global
> hackers and I would find new exploits within days causing their
> developers to scramble back and attempt to stop us again.  Eventually
> they made a FW that is un-hackable but it took them 4 years and by
> then the community was tired, not to mention a new Infotainment system
> was released by Mazda (MZD Connect II?) for 2020 models killing the
> motivation to continue with this project.  I still maintain and answer
> questions from users every day but will probably only make 1 more
> update at the most to the MZD-AIO app.
> 
> Let me know if you need any additional information since it is
> impossible to include everything in this one email but I tried to
> touch on all the most important points.
> 
> Thanks for reading, I hope you liked my story and it helps EFF in the
> fight for digital freedom!
> --
> Peace out,
> ~ ŦⓇḝź
> -------------------------
> 
> 
> Links:
> ------
> [1] http://mazdatweaks.com
> [2] https://www.mazda.com/en/innovation/technology/connect/
> [3] https://github.com/gartnera/headunit/
> [4] https://github.com/shipcod3/mazda_getInfo
> [5] https://github.com/Trevelopment/MZD-AIO-TI
> [6] https://github.com/github/dmca/blob/master/2017/2017-03-06-NNG.md
> [7]
> https://www.bleepingcomputer.com/news/security/you-can-hack-some-mazda-cars-with-a-usb-flash-drive/
> [8] https://github.com/Trevelopment/Mazda-Videoplayer
> [9] https://mazdatweaks.com/serial/
> _______________________________________________
> Righttomod-2021 mailing list
> Righttomod-2021 at lists.eff.org
> https://lists.eff.org/mailman/listinfo/righttomod-2021

More information about the Righttomod-2021 mailing list