Is it possible to jailbreak the infotainment system?

astonius
It seems all but certain the Rivian infotainment is built using QNX with an Android Automotive layer. That said, I wonder if it could be jailbroken to allow for homebrew applications. I used to jailbreak phones and game consoles, but I never really understood how the developers discovered the vulnerabilities that gave them root access to the underlying kernel. Does anyone here know how we might approach finding similar exploits in the Rivian infotainment system? I am a software dev by profession, but I have zero experience in this particular realm.
MNLightning
> It seems all but certain the Rivian infotainment is built using QNX with an Android Automotive layer. That said, I wonder if it could be jailbroken to allow for homebrew applications. I used to jailbreak phones and game consoles, but I never really understood how the developers discovered the vulnerabilities that gave them root access to the underlying kernel. Does anyone here know how we might approach finding similar exploits in the Rivian infotainment system? I am a software dev by profession, but I have zero experience in this particular realm.

I vote for this to become a sticky
 

Sgt Beavis
I’m sure it can. It’s just a matter of someone taking the initiative.

Of course, that also means you're voiding a substantial part of the warranty.
 
astonius
> I'm sure it can. It's just a matter of someone taking the initiative.
>
> Of course, that also means you're voiding a substantial part of the warranty.

I’d assume the guidance is similar to any hardware modification for warranty voiding wherein the manufacturer has to prove the modification caused an issue.
 

miasm
Not just voiding the warranty, but also taking on substantial liability. If there's a wreck or something goes wrong, and there's absolutely any suspicion that the jailbreak, and/or mods caused it, then all of your insurance companies are going to hang you out to dry and refuse to pay out or cover anything and you'll end up having to go to court to prove the counter and hire professional witnesses, etc.

Go ahead and jailbreak a phone, router, whatever, but a car is a whole 'nother level I won't get into. Too many low-probability, high-impact risks in doing so, imho.
 

astonius
> Not just voiding the warranty, but also taking on substantial liability. If there's a wreck or something goes wrong, and there's absolutely any suspicion that the jailbreak, and/or mods caused it, then all of your insurance companies are going to hang you out to dry and refuse to pay out or cover anything and you'll end up having to go to court to prove the counter and hire professional witnesses, etc.
>
> Go ahead and jailbreak a phone, router, whatever, but a car is a whole 'nother level I won't get into. Too many low-probability, high-impact risks in doing so, imho.

This fear is overblown, IMO. First of all, they would need to prove your mods caused the vehicle to become unsafe. Secondly, I’m purely talking about the infotainment portions of the vehicle, not the safety and drive components (which has been done on Teslas, btw). I understand they are interconnected, but the scope of what I would want to do is purely limited to infotainment.
 

miasm
> This fear is overblown, IMO. First of all, they would need to prove your mods caused the vehicle to become unsafe. Secondly, I'm purely talking about the infotainment portions of the vehicle, not the safety and drive components (which has been done on Teslas, btw). I understand they are interconnected, but the scope of what I would want to do is purely limited to infotainment.

Easy to say, but a mod causing the interface between info and vehicle to lock up or clog or whatever or display the wrong info (or just even delay the showing of the correct info) etc would be very very easy for a professional witness to theorize as a potential issue on the insurance side, and then at $500/hr you'd have to pay someone to say the opposite in court.

It's easy to show that the bigger tires didn't cause the fuel pump to go out early, much less so with software, imho.
 

Taycanfrank
Good luck getting your Rivian serviced if you do this. Also tend to agree with the above, there's a difference between adding a physical modification to a vehicle and bypassing security features to mess with software.
It's a bad idea.
 

godfodder0901
> if you don't agree, move on or ignore the thread folks. Your personal objections won't prevent others from exploring the option, me or otherwise.

Agree. I'm fairly certain that I would only do this if there were no longer official support for the vehicle, but I fully support others who work to open the system up. The potential positives for the community more than outweigh the potential drawbacks.
 

sevengroove
> if you don't agree, move on or ignore the thread folks. Your personal objections won't prevent others from exploring the option, me or otherwise.

Just edit your OP to change "homebrew applications" to "CarPlay/AA" and you'll get the answers you need.

I also used to jailbreak and root all my phones and used xda-developers.com as my resource for everything. Doubt they will have Rivian-specific info though.
 

lostpacket
> It seems all but certain the Rivian infotainment is built using QNX with an Android Automotive layer. That said, I wonder if it could be jailbroken to allow for homebrew applications. I used to jailbreak phones and game consoles, but I never really understood how the developers discovered the vulnerabilities that gave them root access to the underlying kernel. Does anyone here know how we might approach finding similar exploits in the Rivian infotainment system? I am a software dev by profession, but I have zero experience in this particular realm.

I've wondered this as well. In theory if you can get developer mode enabled on the Android layer you can enable adb (Android debug bridge) where Android will accept commands from the adb command line tool on a desktop/laptop and one of those commands is to install and run Android applications.

Getting full Linux root permissions would be another approach but phone companies can lock the boot loader to prevent this.

If we could get adb I don't think root is really needed but I'm not sure how to get either at the moment.

To enable developer mode on an Android phone you go to settings > about phone > click "build number" 10 times.

I don't have a truck yet, are there any screens that look like the equivalent to an about phone screen?

[Attached screenshot: Screenshot_20220716-114312]
 
astonius
> I don't have a truck yet, are there any screens that look like the equivalent to an about phone screen?
>
> [Attached screenshot: Screenshot_20220716-114312.png]

None that are immediately accessible. The only evidence of Android has been from network traffic and app OAuth requests (e.g. "Spotify for Android Automotive" would like to access your account).
 

miasm
So now that I've put my warnings out there about this being a quite bad idea (while Tesla has had some success doing this safely, you can't assume that all internal car systems for all cars are as simple. I've helped create jailbreaks for some tractors for example, and the scary shit that happened there absolutely positively keeps me from doing it to a car that I'm putting on the road).

But, here's the first steps:

Hook up to the network and get to sniffing some traffic. Boot up, shut down, etc. Might find some good stuff, but likely not. Just get some data so that you can delineate what packets are normal/typical, versus ones that aren't so that you can hunt better.

Then, take the instructions that came out last week or whenever on how to enter that advanced diagnostics menu. That had a password, and some scary warnings, so it probably kicks you up a privilege level or two. Capture those comms, and you might have something. I'd also watch to see if maybe some traffic via WiFi gets fired off when you do that; I know for sure my systems phone home and log whenever someone enters an advanced diagnostics menu or escalate privileges. You might need to blackhole some Rivian domains to keep from getting flagged, that is unless it requires an auth response from the mothership, which could be an issue.

Then watch those packets for advanced diagnostics and start decoding them, matching data bits with display info, and figuring out what's in them, are they request/response, or streamed, what fields are being used, can I maybe request an ID up or down and get some new or other data. What's the difference between get and set commands, etc and just keep going.

But please if you're editing stuff, don't drive this on the interstate or a busy road right off. Get some confidence first that something unexpectedly wonky isn't happening. Things can get sideways quick if you're not dead sure what you're setting and why (and given the comments so far in this chain, it doesn't appear that anyone has significant expertise in doing this, so take it simple and slow and easy!!).
 

electruck
Disclaimer - what I'm about to say is not passing judgement or trying to sway intentions, I'm just providing food for thought.

Personally, I would encourage folks to explore with hopes that the end result is Rivian taking advantage of the lessons learned to tighten up vehicle security.

As for the risks involved (aside from the performance and stability concerns already raised), any user modification to any of the vehicle's software/network capabilities increases the risk of the introduction of new attack vectors that may not exist from the factory. This could in turn allow access to an attacker and lateral movement from infotainment into other systems depending on how good Rivian's segmentation is. This could result in a wide variety of attacks including, but certainly not limited to, access to the vehicle and its contents, remote control of the vehicle (including steering, braking, acceleration), the vehicle being disabled and held for ransom, etc. But wait, the possibilities are not limited to what someone can do to just your vehicle. If one vehicle is compromised, it may be possible to infect Rivian's servers and take down the entire Rivian fleet. While unlikely, when operating with a security mindset, you must assume things will happen and work to limit the blast radius.

Anyway, if you're going to tinker, please do keep security in mind.