How I Hacked my Car Guides: Creating Custom Firmware

Notice 注意 ⌗

Note: As of 2022/10/25 the information in this series is slightly outdated. See Part 5 for more up to date information.
注意:截至 2022 年 10 月 25 日,本系列中的信息略有过时。有关更多最新信息,请参阅第 5 部分。

I take no responsibility for any damages due to the information or steps provided on this site. The content is for educational purposes only.

You modify your own car’s firmware at your own risk.

None of this process is approved by Hyundai, Kia, or Hyundai Mobis.

Background 背景 ⌗

If you want to see how I got this far, check out the rest of my “How I Hacked my Car” series.

Creating Custom Firmware
创建自定义固件 ⌗

The non-navigation D-Audio 2V head units found in Hyundai and Kia vehicles run a fairly barebones version of Linux. Through my research and reverse engineering, I’ve been able to figure out the firmware update process down to a point where custom firmware can be developed for these systems.
现代和起亚汽车中的非导航 D-Audio 2V 主机运行相当准系统的 Linux 版本。通过我的研究和逆向工程,我已经能够弄清楚固件更新过程,可以为这些系统开发自定义固件。

In order for you to create your own firmware modifications, you need to verify a couple of things.

  1. Your vehicle’s head unit is running D-Audio. Specifically Display Audio Gen2V. In order to verify that your head unit is running the correct version, compare the images on Hyundai’s Site.
    您车辆的主机正在运行 D-Audio。特别是显示音频 Gen2V。为了验证您的主机是否运行正确的版本,请比较现代网站上的图像。

  2. A firmware update for your vehicle’s head unit should be available. The updates for Hyundai vehicles can be found here and the updates for Kia vehichle can be found here. Updates for D-Audio 2 system can be found under “Display Audio Software Update”.
    车辆主机的固件更新应该可用。现代汽车的更新可以在这里找到,起亚汽车的更新可以在这里找到。D-Audio 2 系统的更新可以在“显示音频软件更新”下找到。
    How I Hacked my Car Guides: Creating Custom Firmware

  3. Access to a Linux computer.
    访问 Linux 计算机。

You then need to download the firmware update for your vehicle which can be found under the update sites above. The update file should be a zip file which contains another zip file which is named “enc_system_package_{version}.zip”. Extract this inner zip file onto a Linux computer.
然后,您需要下载车辆的固件更新,该更新可在上面的更新站点下找到。更新文件应为包含另一个名为“enc_system_package_{version}.zip”的 zip 文件的 zip 文件。将此内部 zip 文件解压缩到 Linux 计算机上。

I have created a set of scripts which help automate the extraction and modification of these updates.

Download these scripts and extract them into an empty folder and copy your firmware file into the same folder.

The folder should look like this:
How I Hacked my Car Guides: Creating Custom Firmware

Modifying Settings (Optional)

Now the file can be optionally edited if you want to change what folders the scripts use. The directories will be automatically created so there is no need to make them yourself.How I Hacked my Car Guides: Creating Custom FirmwareThe available settings are as follows:
现在,如果要更改脚本使用的文件夹,可以选择编辑 文件。目录将自动创建,因此无需自己创建。可用设置如下:

    • The location of the text file which contains the ZIP password for the firmware update.
      包含固件更新的 ZIP 密码的文本文件的位置。
    • The location of the text file which contains the AES key which is used to unencrypt the encrypted files.
      包含用于解密加密文件的 AES 密钥的文本文件的位置。
    • The location of the text file which contains the AES IV which is used to unencrypt the encrypted files.
      包含用于解密加密文件的 AES IV 的文本文件的位置。
  • RSA_PRIVATE_SIGNING_KEY_FILE=keys/rsa_private.pri
    • The location of the RSA private key used to sign the firmware update.
      用于对固件更新进行签名的 RSA 私钥的位置。
    • The directory to mount the system image to.
    • The directory which holds the firmware files while they are being edited.
    • The directory which contains the Zip Password and encryption/signing files.
      包含 Zip 密码和加密/签名文件的目录。

All of the file locations in the settings file should be relative to the file.
设置文件中的所有文件位置都应相对于 文件。

Setup the Environment
设置环境 ⌗

Now run “./”, this will create the folders and file specified in the file.
现在运行“./”,这将创建 文件中指定的文件夹和文件。

After this file is run your setup should look something like this:
How I Hacked my Car Guides: Creating Custom Firmware

Now the keys in the KEY_DIR directory have to be filled. When entering these values make sure there is only one line in the file and that the file contains no extra spaces.
现在必须填写 KEY_DIR 目录中的键。输入这些值时,请确保文件中只有一行,并且文件不包含多余的空格。

  • zipPassword.txt should contain: “ahqltmTkrhk2018@@” (Without Quotes)

    • This password was found by going to Hyundai Mobis’s Open Sources site, downloading the “D-Audio2V R1” file from any vehicle that has itHow I Hacked my Car Guides: Creating Custom FirmwareThen extracting the “” zip and reading from the “scripts/” file where the “zip” command is being used with the “-P” (password) argument
      这个密码是通过访问现代摩比斯的开源网站,从任何拥有它的车辆下载“D-Audio2V R1”文件,然后提取“”zip并从“scripts/”文件中读取的,其中“zip”命令与“-P”(密码)参数一起使用
      How I Hacked my Car Guides: Creating Custom Firmware
  • aes_key.txt should contain: “2b7e151628aed2a6abf7158809cf4f3c”
  • aes_iv.txt should contain: “000102030405060708090a0b0c0d0e0f”

    • These values are from the same “” file that the zip was from, they can be found in the generate_aes128_encryption function.
      这些值来自 zip 所在的同一“”文件,可以在 generate_aes128_encryption 函数中找到它们。
    • These values are actually the first AES 128bit CBC example key/iv listed in the NIST document SP800-38A.
      这些值实际上是 NIST 文档 SP800-38A 中列出的第一个 AES 128 位 CBC 示例密钥/iv。
      How I Hacked my Car Guides: Creating Custom Firmware
  • rsa_private.pri can be downloaded here
    rsa_private.pri 可以在这里下载

    • I got this by decompiling and reverse engineering the updateAgent application from my head unit’s recovery image, then searching the public key on Google.
    • The public/private key Hyundai Mobis used is a very common test key :/ and can be found in many places

Extracting the Update
提取更新 ⌗

Once all of the keys and passwords are filled in the update file can be extracted by running ./ {Path to your update file}.
填写完所有密钥和密码后,可以通过运行 ./ {Path to your update file} 来提取更新文件。
How I Hacked my Car Guides: Creating Custom Firmware

This script will: 此脚本将:

  1. Clean up the UPDATE_EXTRACT_TEMP_DIR if it isn’t cleaned already.
  2. Extract the update file using the zip password file.
    使用 zip 密码文件提取更新文件。
  3. Mount the system.img file to the SYSTEM_IMAGE_MOUNT_DIR (This requires sudo/Entering your password)
    将 system.img 文件挂载到SYSTEM_IMAGE_MOUNT_DIR(这需要 sudo/输入密码)

Modifying the Firmware
修改固件 ⌗

Now the system image is mounted (By default to the system_image directory) and can be modified to your heart’s desire.
现在系统映像已挂载(默认为 system_image 目录),可以根据您的喜好进行修改。

You can see the backdoors I added to my system in Part 2
您可以在第 2 部分中看到我添加到系统中的后门

ADB Backdoor 亚行后门 ⌗

Another easy backdoor that can be added is enabling the adbd (Android Debug Bridge Daemon) TCP server by adding it as a systemd service. The Android Debug Bridge is a common way to debug android devices and allows for pulling and pushing files to the device as well was launching interactive shells. A version of the Android Debug Bridge Daemon is located on these non-Android head units and was probably used for debugging during development.
另一个可以添加的简单后门是通过将 adbd(Android 调试桥接守护进程)TCP 服务器添加为 systemd 服务来启用它。Android 调试桥是调试 Android 设备的常用方法,允许将文件拉取和推送到设备以及启动交互式 shell。Android Debug Bridge Daemon 的一个版本位于这些非 Android 主机上,可能在开发过程中用于调试。

To enable the Android Debug Bridge you can download this zip file and extract it to where your file is located. Then you can simply run: “sudo ./”.
要启用 Android 调试桥,您可以下载此 zip 文件并将其解压缩到 文件所在的位置。然后你可以简单地运行:“sudo ./”。

Note: The script requires sudo to access the systemd path inside the mounted system image. The added service will run the ADB server on port 5555 on the head unit on startup which can be connected to using Google’s adb command line utility while on the head unit’s network.
注意:该脚本需要 sudo 才能访问已挂载系统映像中的 systemd 路径。添加的服务将在启动时在主机上的端口 5555 上运行 ADB 服务器,该服务器可以在主机网络上使用 Google 的 adb 命令行实用程序连接到该端口。
How I Hacked my Car Guides: Creating Custom Firmware

For information on how to use the ADB backdoor once it is installed check out the Additional Information about ADB section.
有关如何在安装 ADB 后门后使用它的信息,请查看有关 ADB 的其他信息部分。

Compiling the Firmware
编译固件 ⌗

Once you have modified your system image, you can compile it using the ./ script
修改系统映像后,可以使用 ./ 脚本对其进行编译
How I Hacked my Car Guides: Creating Custom Firmware

This script can take a little bit to run due to the hashing involved. The script goes through the following steps:

  1. Runs sync to verify changes are saved to the mounted system image.
  2. Unmounts the system image.
  3. Calculates the new update file list for the update and generates a new hash for the modified system.img file.
    计算更新的新更新文件列表,并为修改后的 system.img 文件生成新的哈希。
  4. Signs the update file list with the RSA private key.
    使用 RSA 私钥对更新文件列表进行签名。
  5. Generates the update zip file.
    生成更新 zip 文件。

The file created will be named “” since I was too lazy to make it actually name correctly.

All you have to do is rename the created zip file to have the same name as the original firmware update zip and put it in the root of a FAT formatted flash drive.
您所要做的就是将创建的 zip 文件重命名为与原始固件更新 zip 同名,并将其放在 FAT 格式闪存驱动器的根目录中。

Then the flash drive can be inserted into your car and the normal installation steps can be followed.

Note: The update process can take a while.

Then Bingo! Your modified firmware has been installed in your car.

Additional Information about ADB
关于亚行的其他信息 ⌗

Once the ADBD TCP server service is running on your head unit you can connect to it.
一旦ADBD TCP服务器服务在主机上运行,您就可以连接到它。

In order to connect to it you must have a computer on your head unit’s network. There are a two ways to do this:

  • If your head unit has a Wi-Fi hotspot, connect to the W-Fi
    如果您的主机有 Wi-Fi 热点,请连接到 W-Fi
  • If your head unit has wireless Android Auto/Apple CarPlay you can dump the Wi-Fi password by following these steps:
    如果您的主机具有无线 Android Auto/Apple CarPlay,您可以按照以下步骤转储 Wi-Fi 密码:

    • Insert a flash drive into the head unit’s usb port.
      将闪存驱动器插入主机的 USB 端口。
    • Go into the Setup screen on the head unit
      How I Hacked my Car Guides: Creating Custom Firmware
    • How I Hacked my Car Guides: Creating Custom Firmware
    • Then Go into the Wi-Fi Settings and press the “Generate New Wi-Fi Passkey” button
      How I Hacked my Car Guides: Creating Custom Firmware
    • Dump the logs by either holding the physical “Radio” button down for 30 seconds or from the USB Settings in the Engineering Mode. In both cases a popup will appear which will allow you to copy the log to the USB drive.
      通过按住物理“无线电”按钮 30 秒或从工程模式下的 USB 设置转储日志。在这两种情况下,都会出现一个弹出窗口,允许您将日志复制到 USB 驱动器。
    • Extract the logs from the USB Drive and extract them.
      从 USB 驱动器中提取日志并提取它们。
    • Open the Logcat file and search for the term “passphrase” the log entry will look like:
      打开 Logcat 文件并搜索术语“密码”,日志条目将如下所示:
      How I Hacked my Car Guides: Creating Custom Firmware
    • Use the password to connect to the Wi-Fi
      使用密码连接到 Wi-Fi
  • Use an RTL8152/8153 usb to ethernet adapter to connect to the head unit
    使用 RTL8152/8153 USB 转以太网适配器连接到主机

    • The driver for RTL8152/8153 ethernet adapters is preinstalled. Adapters with USB hubs will not work. This adapter worked for me.
      预装了 RTL8152/8153 以太网适配器的驱动程序。带有 USB 集线器的适配器将无法工作。这个适配器对我有用。
    • Your computer will not be assigned an IPv4 address, so you will have to use a tool like Wireshark to find the head unit’s link-local IPv6 address.
      您的计算机不会被分配 IPv4 地址,因此您必须使用 Wireshark 等工具来查找主机的链路本地 IPv6 地址。

Once you are connected: Download the adb command line tool and connect to the head unit by running this:
连接后:下载 adb 命令行工具并通过运行以下命令连接到主机:

adb connect

If you are using the ethernet adapter you have to replace the with the head unit’s IPv6 address.
如果您使用的是以太网适配器,则必须将 替换为主机的 IPv6 地址。

Then you can launch a shell by using the command:
然后,您可以使用以下命令启动 shell:

原文始发于Programming With Style:How I Hacked my Car Guides: Creating Custom Firmware

版权声明:admin 发表于 2024年6月9日 上午9:46。
转载请注明:How I Hacked my Car Guides: Creating Custom Firmware | CTF导航