librick To update 10th-gen Honda Civics, Honda ships updates on
specially-formatted USB drives. They're essentially
Android 4.2.2rc1-era recovery packages with some
Honda-added version checks (which can be spoofed). The
packages are signed with the publicly-known AOSP test key,
so with physical access to the front USB port you can sign
and flash your own package for arbitrary code execution on
the headunit. This doesn't require root/su. I've run it
end-to-end on my own 2021 Civic and separately confirmed
an official EU update file carries the AOSP test-key
signature. Tooling and writeup in the post.
|
> vel0city A number of other cars' infotainment systems are also
based on AOSP. I remember downloading updates for my
Hyundai which were also essentially Android images.
|
> > hparadiz The head units themselves are very dated and
simply could not run recent versions of Android. I
have a 2020 and I'm always eyeing up the aftermarket
units which are all better in every way.
|
BobbyTables2 I've heard product managers proudly proclaim their
firmware was signed using the corporate internal signing
service (good). Of course, the question explicitly being
asked (related to internal mandate) was if the firmware
was signed - not if the firmware update process actually
checked the signature (it certainly did not).
|
> mschulkind I'm surprised someone named BobbyTables2 wouldn't go
straight for the proper way to check email PGP
signatures...
|
hnav Wonder how good the rest of the security is. The head unit
is likely hooked up to a CAN gateway, can it call into
telematics? Maybe find some novel way to abuse CarPlay/AA
to call home.
|
hankbond Seeing more and more projects eschew code docs with the
idea that "well architected code can be queried by LLMs"
and stick to more functional runbook style docs. It really
is unlikely that at any given point all of the docs of a
project are up to date with the code. I'm generally aligned
with this, but it is predicated on the whole "well
architected" code part.
|
> jmalicki I'd rather see unit tests as documentation. The test
can show intended use, show interesting corner cases,
and I know it is up to date because it is constantly
running and passing. I think that is a huge underrated
benefit of adding a lot more testing. If I think a
developer is going to ask a question of how something
works, or about a corner case, isn't that deserving of
a test, so they can just see proof of the answer to
their question immediately rather than trying to
re-derive it?
|
> > hankbond You know what, you are right on the money with
that. I think if you expand to include
functional/smoke/e2e tests, that covers pretty
much everything documentation is supposed to
be. Just by running them you can measure if they
are in or out of sync with the code (well, if they
were written correctly).
|
> > EPWN3D LLMs are great at writing unit tests.
|
t1234s Could you use this to get a version of LineageOS running
on it?
|
> baby_souffle Yes, but it'll still be using their kernel so not all
functionality from LineageOS might work.
|
> rootsudo Yeah jealous he even got to name an attack surface.
Damn.
|
bri3d Hyundai head units at one point used an RSA key you got by
googling "RSA key" (no joke:
https://programmingwithstyle.com/posts/howihackedmycar/ ),
an honestly even more amazing mistake since it required
effort rather than just a default.
|