
Hacking the Infotainment system, WIP thread (it runs Linux)

Discussion in 'Prime Accessories and Modifications' started by zorrobyte, Apr 5, 2019.

  1. zorrobyte

    zorrobyte New Member

    Joined:
    Apr 4, 2019
    21
    22
    0
    Location:
    Indiana
    Vehicle:
    2019 Prius Prime
    Model:
    Plug-in Advanced
    The only thing I dislike about my new Prime is the infotainment system. I'd post links, but I can't yet (any mods around? *wink*)

    From my research, it seems at least the 11" system runs Automotive Grade Linux which is nice, because the full source code is available, including UI examples, etc. Toyota is likely running an ARM CPU which would use your standard ext3/4 file storage.

    As the source code is available, finding exploits to reprogram via USB or something rather down the line would be much easier. For now, I bet you there's a JTAG connector somewhere on the board. At the least, the flash chips could be desoldered and installed in a chipreader to read/modify the filesystem.

    I don't have the full details and I'm hesitant to rip apart my brand new Prime to start reverse engineering, but what I can promise you is that I have experience with microcontrollers and reverse engineering. Maybe we can do more research as a community, pair up, get a gofundme or something together and buy a spare infotainment system to begin penetrating.

    --------
    The AGL Unified Code Base (UCB) is a Linux distribution built from the ground up through a joint effort by automakers and suppliers to deliver a modern in-vehicle infotainment and connected car experience for consumers.

    The goal of the UCB infotainment platform is to provide 70-80% of the starting point for a production project. This enables automakers and suppliers to focus their resources on customizing the other 20-30% to meet their unique product needs.

    Key features include:

    • AGL Application Framework
    • ConnMan network management for pairing multiple devices
    • Vehicle bus messaging with built-in security to prevent unwanted intrusions
    • Audio routing and mixing
    • Multiple display capability (front and rear seat)
    • IP Network Manager with WiFi and LTE
    • Linux Security Module
    • Linux-based distribution using Yocto Project
    • Device Profiles for Telematics, Instrument Cluster
    • Speech Recognition APIs
    The latest release, UCB 6.0 (Funky Flounder), is available for download here.


    ------
    EDIT, Lol.. Why is this underpowered ARM device $6k from Toyota? Looks like we need to find some wrecked Primes!

    Has there been anyone here that has taken their Infotainment apart and taken photos? It'd be a good starting point.

     
    #1 zorrobyte, Apr 5, 2019
    Last edited: Apr 6, 2019
  2. will the engineer

    will the engineer Active Member

    Joined:
    Feb 13, 2019
    238
    119
    0
    Location:
    LA
    Vehicle:
    2019 Prius Prime
    Model:
    Plug-in Advanced
    You're doing God's work!

    There was a thread here that linked to a PDF that has instructions for dismantling the dashboard.


  7. zorrobyte

    Did some more research.

    While Mazda's implementation is based on Linux, it doesn't seem to be AGL like Toyota is using. There's also a pretty tight security model, but it all comes down to what Toyota has implemented. Heck, there are even hardware security features of AGL to guard against physical attacks:

    "The board must store hardcoded cryptographic keys in order to verify among others the integrity of the bootloader. Manufacturers can use HSM and SHE to enhance the security of their board."

    AGL Developer Site - Introduction -
     
  8. bisco

    bisco cookie crumbler

    Joined:
    May 11, 2005
    110,132
    50,049
    0
    Location:
    boston
    Vehicle:
    2012 Prius Plug-in
    Model:
    Plug-in Base
    Yep, labor of love. Toyota does not want you in there.
     
  9. thefranchise713

    thefranchise713 Junior Member

    Joined:
    Mar 11, 2019
    75
    52
    0
    Location:
    Buffalo, NY
    Vehicle:
    2018 Prius Prime
    Model:
    Prime Advanced
    This would be fantastic if pulled off... good luck!
     
  10. zorrobyte

    I found the wiring diagrams for the Prius Prime:
    Toyota Prius PHV (Plug-in Hybrid Vehicle) / ZVW52L, ZVW52R (EM32E1E) Wiring Diagram | Free Download

    I found that our "infotainment" systems in the Prime do a heck of a lot more than just act as a radio. There are parking assist and other systems that wire into it. I'd go so far as to say that if you bricked your infotainment system, you'd lose important functionality in your car, or it wouldn't even run at all.

    With the media hype over the last several years of people "hacking" cars, and the very real possibility of a remote/physical attack to do something like hold down an accelerator, disable the brakes, or steer a car into something - it makes sense that Toyota, and AGL have things buttoned down to the extreme. Considering the radio has a CAN bus interface, the radio could be exploited to control the vehicle.

    I'm afraid that I'm going to have to pause research for now into exploiting the Prime's infotainment system publicly for the time being. If I get something wrong, it could have real-world safety consequences that I cannot afford to be liable for. Even if I were to do everything right, enabling the Wifi AP or exposing a root level shell over Bluetooth; someone could exploit this into the future, or a Toyota Entune update could brick your entire car. At the least, someone could use whatever exploits I find to brick/attack any car that uses AGL (which is several models).

    In the meantime, pick up a Qi wireless charging dock for your Prime and use it instead.
    Amazon Link

    I really like mine, I mounted it so my phone is just left of the HUD and I control it with raise to speak Apple Watch Siri activation or steering wheel input!

    Even if Toyota never updates existing Prime models, there will be a revision of the car to have it eventually. Yes, it'd be super shitty if Toyota didn't update previous models, and yes I know they've fecked owners of another car; but at the least, maybe swapping out the infotainment system could be a good avenue if you have deep pockets, if and when that time came.
     
  11. Salamander_King

    Salamander_King Senior Member

    Joined:
    Nov 8, 2015
    10,985
    8,886
    0
    Location:
    New England
    Vehicle:
    Other Hybrid
    Model:
    N/A
    I guess, security and convenience, they are mutually exclusive. Thanks for trying, although I'm one of the Prime owners who can live without any of that infotainment system. My request would be to totally bypass the 11.6 LED display and still have the car function normally.
     
  12. zorrobyte

    I'm afraid that removal of the infotainment system would at the least disable Park Assist, possibly your gauge clusters, HUD, HVAC. If you have that much hate for it, you could use a mounting method to install an Android tablet on top of the factory display and run Android Auto as a standalone app.

    Heck, it wasn't 15 years ago and I was building a laptop mount for my car out of pipe to run Microsoft MapPoint WITHOUT turn by turn navigation because I couldn't afford a GPS receiver. I used it for a year to deliver pizza. We really are spoiled asses in the scope of things, aren't we?


    Brings back memories :)
     
  13. Salamander_King

    I never liked the touch screen. I have no need for Android Auto or CarPlay, for I do not even use a smartphone with data enabled most of the time. So far, I have managed to keep the 11.6 inch display off 99% of the time and still be able to control HVAC and Audio and charge schedule just with wheel buttons and MID. I use standalone Garmin for NAV with lifetime free map update, so I don't need in car NAV either. But still, from time to time, I have to turn on the display for various reasons.
     
  14. thefranchise713

    Don't give up too easily. Are you sure that it's actually controlling those functions, or is it just a gateway module?

    In my last car, three modules served as bridges between HS1, HS2 and MS CAN buses. The infotainment system was one of them.
     
  15. will the engineer

    "If I get something wrong, it could have real-world safety consequences that I cannot afford to be liable for"

    Don't worry, all jailbreaking or hacking comes with a risk. Just make sure the user HAS to check a box before proceeding. Super simple. If they click yes, they lose the right to lawsuits.


    But I don't believe we can force you to do anything
     
    #15 will the engineer, Apr 7, 2019
    Last edited: Apr 7, 2019
  16. zorrobyte

    There's some interest ramping up in the Comma.ai Discord in #toyota-prius. I think if anyone has a shot over the mid term, it's us ;)
     
  17. lllars

    lllars Junior Member

    Joined:
    Mar 26, 2019
    32
    14
    0
    Location:
    Southern Vermont
    Vehicle:
    2018 Prius Prime
    Model:
    Prime Plus
    Did you come across anything in your research about the 7" screen used in the plus models? It seems like a different beast. No HVAC, no parking assist, probably a different flavor of Linux. It must still have some connection to the CAN bus though, given that it can show energy usage info. It also is used for the backup camera.

    There's an update file available for it (.kwi extension). I wonder if that could be modified in any way. I looked into it a bit with a hex editor and tried to figure out how to extract it, but gave up pretty quick.
     
  18. will the engineer

    My dude!

    I have joined

    IDK what I can contribute but I can add emoji to everyone's comment
     
  19. alinica2001

    alinica2001 Member

    Joined:
    Jan 14, 2008
    94
    38
    0
    Location:
    Romania
    Vehicle:
    2017 Prius Prime
    Model:
    Prime Advanced
    Hello,
    Is there any progress on this? Did anyone manage to improve the existing 11" screen unit?
     
  20. root1one

    root1one New Member

    Joined:
    Jun 15, 2021
    1
    0
    0
    Location:
    Canada
    Vehicle:
    2018 Prius Prime
    Model:
    Technology
    I'm not sure if many have seen this yet. It's the source code for the FOSS software on both the gen 1 (2017-2019) head units and the gen 2 (2020+) head units. Now, this isn't the entire OS but it definitely confirms the suspicions that both units are running AGL. It also gives us the versions of each piece of FOSS software running on them. This is a critical step in identifying a way into the system to sideload Apple CarPlay or AA. If we can do that, I don't think we need to worry about code signing and encrypted boot images. @zorrobyte, are you interested in revisiting this? I'm willing to help.
    Since I can't post links yet, if you search "denso prius prime open source" in Google you'll get the hit.
    There's another thread on here which also links to the source code, but the OP was approaching this from rewriting the entire UI, which is a huge feat. If we could sideload AA and Apple CarPlay it would be much easier than bypassing potential hardware security modules.


    I'm very interested in enabling Apple CarPlay on my 2018 Prime at the very least.