Is it possible to jailbreak the infotainment system?

MNLightning

Well-Known Member
Joined
Jun 16, 2021
Threads
19
Messages
327
Reaction score
370
Location
Minnesota
Vehicles
Yes I have Vehicles
Some really goofy comments about safety. It would be very odd if hacking the infotainment system module would affect drivability and safety. We have been modifying ICE engine parameters without touching the BCM for years. It’s an assumption that there are parallels.

electruck

Well-Known Member
Joined
Oct 6, 2019
Threads
74
Messages
4,168
Reaction score
7,743
Location
Dallas, TX
Vehicles
2023 Rivian R1S
> Some really goofy comments about safety. It would be very odd if hacking the infotainment system module would affect drivability and safety. We have been modifying ICE engine parameters without touching the BCM for years. It’s an assumption that there are parallels.
I'm not sure why you think that's such a stretch. I can easily imagine some bad code saturating the Ethernet backbone preventing transmission of vital sensor data, control signals, or just general communication between systems beyond infotainment.
 

MNLightning

> I'm not sure why you think that's such a stretch. I can easily imagine some bad code saturating the Ethernet backbone preventing transmission of vital sensor data, control signals, or just general communication between systems beyond infotainment.
Entirely possible when referring to the "bad code" as the hack, and just like you I haven't seen the code so it's a SWAG at best at this point. And I just think less of the risk than you and some others obviously do. That said I did damage a couple of ICE engines on the dyno when we first started trying to figure out the LS1 tables (22 years ago lol). But our tools for snooping were very primitive then in comparison.
 

electruck

> Entirely possible when referring to the "bad code" as the hack, and just like you I haven't seen the code so it's a SWAG at best at this point. And I just think less of the risk than you and some others obviously do. That said I did damage a couple of ICE engines on the dyno when we first started trying to figure out the LS1 tables (22 years ago lol). But our tools for snooping were very primitive then in comparison.
"Good code" can easily turn into "bad code" when you have no understanding of what things could possibly go wrong. And I haven't made any statements as to the likelihood of anything bad happening, just raising awareness of the possibilities. Evaluation of risk vs reward is a personal decision.

I will share that, over the course of my career, I've witnessed more than a few so-called perfect storms. Just because something is unlikely doesn't mean it won't happen.
 

flush

Well-Known Member
Joined
Apr 13, 2022
Threads
3
Messages
78
Reaction score
90
Location
Bellevue, WA
Vehicles
R1S LE El Cap
Occupation
tech
> This fear is overblown, IMO. First of all, they would need to prove your mods caused the vehicle to become unsafe. Secondly, I’m purely talking about the infotainment portions of the vehicle, not the safety and drive components (which has been done on Teslas, btw). I understand they are interconnected, but the scope of what I would want to do is purely limited to infotainment.
Who's to say that your mods did not impair the technical and safety performance of the vehicle and caused an accident? With fatalities? Do you have the financial stamina to withstand years of litigation and expert testimonials?

Just mount an iPad and get your entertainment fix there.
 

atebit

Well-Known Member
First Name
Bob
Joined
May 3, 2022
Threads
49
Messages
1,448
Reaction score
1,692
Location
PA
Vehicles
R1T, Porsche Boxster
Clubs
 
Not saying that you should/should not do this, but IIRC we agreed to not “reverse engineer” the software in one of the purchase docs we signed before delivery.
 

flush

> Some really goofy comments about safety. It would be very odd if hacking the infotainment system module would affect drivability and safety. We have been modifying ICE engine parameters without touching the BCM for years. It’s an assumption that there are parallels.
It's highly probable that the systems are separate, with QNX for RTOS requirements and AAOS for other functions.

However, have you seen Android on other platforms? Mobile, TV, etc.? How stable and reliable are those platforms? What about apps on those respective platforms?
How reliable is Android Automotive in other vehicles? (Polestar comes to mind)
Can you sideload or install apps at will?

Like any car manufacturer, Rivian is highly motivated to maintain and secure their systems. Go ahead, brick your shiny new truck.
 

MNLightning

> "Good code" can easily turn into "bad code" when you have no understanding of what things could possibly go wrong. And I haven't made any statements as to the likelihood of anything bad happening, just raising awareness of the possibilities. Evaluation of risk vs reward is a personal decision.
>
> I will share that, over the course of my career, I've witnessed more than a few so-called perfect storms. Just because something is unlikely doesn't mean it won't happen.
Lightning can strike you too
> Who's to say that your mods did not impair the technical and safety performance of the vehicle and caused an accident? With fatalities? Do you have the financial stamina to withstand years of litigation and expert testimonials?
>
> Just mount an iPad and get your entertainment fix there.
I think "Who's to say" is full of Unicorn and Fairy Farts... Geez some of you guys go all Karen on this stuff. If the way it comes from the factory is what you want I'm not knocking it, glad you're happy. Some people just like to mess with it for whatever reason, and it doesn't have to get to oh, oh, my what about fatalities or litigation lol. I own the truck and all that comes with it.
 

miasm

Well-Known Member
Joined
May 18, 2022
Threads
2
Messages
121
Reaction score
142
Location
ABQ, NM
Vehicles
R1T
> Some really goofy comments about safety. It would be very odd if hacking the infotainment system module would affect drivability and safety. We have been modifying ICE engine parameters without touching the BCM for years. It’s an assumption that there are parallels.
In BimmerCode, they ended up taking out a number of features and "expert mode" from their infotainment hacking unit specifically because you could end up making the car unsafe to drive. This isn't theoretical. Most hack/tune programs specifically don't implement / lock out some features for safety. Since we're talking about starting to make this from scratch, well, we're definitely going to hit those landmines in the discovery process. But everyone that wants to call me a Karen, I told you how to get started. Go do it. I'm just not going to do it for you. Y'all seem to be experts at this, so go knock it out, go decode those function calls and reverse engineer the setup. It's honestly not super hard, so go knock it out since you know so much.


It's not uncommon to hurt an engine or temporarily brick the system while creating the new tune parameters. Often they're just altering a couple of set points in a known code base. But finding those setpoints and parameter locations in a brand new code base is often a bit risky. We're not looking at just loading some custom parameters into a tune chip. With some shit code with escalated privileges you can put quite a few vehicles into dangerous territory. Even if it is just the infotainment. Make the user think they're in reverse when they're not, for example, because you futzed something and the display doesn't update or shows the wrong values. Infotainment generally controls the locks and actuators, also. Maybe you accidentally open the hood while driving because you forgot to put that check in, and you're smashing low-level commands that don't have the proper guard code because they're not meant to be even developer-facing for internal Rivian employees, but that's the code entry point you found as used, and so on.

Also, I think infotainment and vehicle functions ride on the same network (obviously segregated), but that doesn't mean you can't saturate a switch and cause issues on the vehicle side, or request parameters from it too often/quickly, starting it and making the RTOS not meet timing and put the vehicle into emergency safety mode or something. Shit happens, from experience, lol


Like I said, I've jailbroken various vehicles before, and it's not all fun and games. We've had some scary and expensive situations. Just because often things have been simplified down for the end user enough to just load a chip, or run a script and it works 99.999% of the time, doesn't mean that the creation of those chips and scripts and tools is some error-free safe joyride. Quite the opposite oftentimes until you get enough familiarity with the system.
 

AdamUCF

Well-Known Member
First Name
Adam
Joined
Apr 3, 2022
Threads
13
Messages
302
Reaction score
437
Location
Orlando, FL
Vehicles
June 2022 R1T
> So now that I've put my warnings out there about this being a quite bad idea (while Tesla has had some success doing this safely, you can't assume that all internal car systems for all cars are as simple. I've helped create jailbreaks for some tractors for example, and the scary shit that happened there absolutely positively keeps me from doing it to a car that I'm putting on the road).
>
> But, here's the first steps:
>
> Hook up to the network and get to sniffing some traffic. Boot up, shut down, etc. Might find some good stuff, but likely not. Just get some data so that you can delineate what packets are normal/typical, versus ones that aren't so that you can hunt better.
>
> Then, take the instructions that came out last week or whenever on how to enter that advanced diagnostics menu. That had a password, and some scary warnings, so it probably kicks you up a privilege level or two. Capture those comms, and you might have something. I'd also watch to see if maybe some traffic via WiFi gets fired off when you do that; I know for sure my systems phone home and log whenever someone enters an advanced diagnostics menu or escalates privileges. You might need to blackhole some Rivian domains to keep from getting flagged, that is unless it requires an auth response from the mothership, which could be an issue.
>
> Then watch those packets for advanced diagnostics and start decoding them, matching data bits with display info, and figuring out what's in them, are they request/response, or streamed, what fields are being used, can I maybe request an ID up or down and get some new or other data. What's the difference between get and set commands, etc and just keep going.
>
> But please if you're editing stuff, don't drive this on the interstate or a busy road right off. Get some confidence first that something unexpectedly wonky isn't happening. Things can get sideways quick if you're not dead sure what you're setting and why (and given the comments so far in this chain, it doesn't appear that anyone has significant expertise in doing this, so take it simple and slow and easy!!).
I've done most of this. The problem is almost everything is TLS outside the truck so you can't feasibly "decode" it. The diagnostic menu doesn't seem to trigger additional network traffic. At this point the attack surface seems pretty narrow.
 

miasm

> I've done most of this. The problem is almost everything is TLS outside the truck so you can't feasibly "decode" it. The diagnostic menu doesn't seem to trigger additional network traffic. At this point the attack surface seems pretty narrow.

That's just external network data, no? Glad to see it doesn't call home when the advanced menu is entered. But you were never going to get into the truck's internal network via your in-home WiFi.

I'm talking an OBD-II to Ethernet adapter and watching traffic on the truck's internal network, which of course entering in that menu would have to cause traffic so that it can populate that screen.
 

Arky

Well-Known Member
Joined
Oct 6, 2021
Threads
5
Messages
294
Reaction score
366
Location
Colorado
Vehicles
Subaru WRX STI
> I’d assume the guidance is similar to any hardware modification for warranty voiding wherein the manufacturer has to prove the modification caused an issue.
It's not quite that simple.

You make the modification, and apply for a warranty fix. They deny you, you have to sue them for performance to compel them to take an action, which they might fight you on. At the end of it it might cost you more to get your car serviced 'under warranty' than it would to just get a new car.

Any carmaker would be obviously interested in establishing the precedent here that modifying the computer is cause to deny a claim, and they're willing to pay more than you for that.
 

AdamUCF

> That's just external network data, no? Glad to see it doesn't call home when the advanced menu is entered. But you were never going to get into the truck's internal network via your in-home WiFi.
>
> I'm talking an OBD-II to Ethernet adapter and watching traffic on the truck's internal network, which of course entering in that menu would have to cause traffic so that it can populate that screen.
Yes and yes. I took your "hook up to the network" and mention of WiFi to assume you meant external network. The fact that they're using Ethernet instead of CAN might make that easier but that's not something I've at all looked into yet.
 

miasm

> Yes and yes. I took your "hook up to the network" and mention of WiFi to assume you meant external network. The fact that they're using Ethernet instead of CAN might make that easier but that's not something I've at all looked into yet.
It very well may be CAN on the inside (I dunno, haven't sniffed traffic), just the computer side facing piece is usually Ethernet/wifi/Bluetooth for easy connection to a laptop or diagnostics computer.