Is it possible to jailbreak the infotainment system?

AdamUCF:

> It very well may be CAN on the inside (I dunno, haven't sniffed traffic), just the computer side facing piece is usually Ethernet/wifi/Bluetooth for easy connection to a laptop or diagnostics computer.
Rivian has indicated that the internal networking is Ethernet. Though someone on another forum has done some digging and also apparently found signs of CAN. Perhaps Rivian intended on going all Ethernet but couldn't quite get there for certain components.
svet-am (Embedded Systems Engineer):
I have experience in this field and while I agree that it's likely QNX with some kind of user experience on top, I think it's more than that. Most of the OEMs I know of are actually using QNX on top of the QNX hypervisor to keep the non-safety components isolated from the safety-critical components. So, jailbreaking this will likely involve not just jailbreaking the QNX hypervisor first and then _also_ jailbreaking the user experience side.
 

AdamUCF:

> I have experience in this field and while I agree that it's likely QNX with some kind of user experience on top, I think it's more than that. Most of the OEMs I know of are actually using QNX on top of the QNX hypervisor to keep the non-safety components isolated from the safety-critical components. So, jailbreaking this will likely involve not just jailbreaking the QNX hypervisor first and then _also_ jailbreaking the user experience side.
Fairly certain the infotainment is Android (Automotive?) running in a Hypervisor on top of QNX. I'm really only interested in getting into the Android infotainment. I'd rather not mess with the actual vehicle control systems but being able to add custom software to the infotainment screen is extremely intriguing.
 

svet-am (Embedded Systems Engineer):

> Fairly certain the infotainment is Android (Automotive?) running in a Hypervisor on top of QNX. I'm really only interested in getting into the Android infotainment. I'd rather not mess with the actual vehicle control systems but being able to add custom software to the infotainment screen is extremely intriguing.
There is only one vendor using Android Automotive at the moment and that's Volvo/Polestar. If Rivian was using it, they'd be making a big deal about it the way Volvo is (since it is part of the Google OEM licensing thing to co-brand).

QNX userspace is 100% capable of delivering the UI experience Rivian has. I know first-hand that Unity has been ported to QNX (that's what Rivian is using for the UI).

What are you picking up on that makes you think it's not QNX and is instead some stealth version of Android? Don't forget that QNX has long had the Android app compatibility mode. It debuted on the Z10 BlackBerry handset.
 

CommodoreAmiga:

> There is only one vendor using Android Automotive at the moment and that's Volvo/Polestar. If Rivian was using it, they'd be making a big deal about it the way Volvo is (since it is part of the Google OEM licensing thing to co-brand).
>
> QNX userspace is 100% capable of delivering the UI experience Rivian has. I know first-hand that Unity has been ported to QNX (that's what Rivian is using for the UI).
>
> What are you picking up on that makes you think it's not QNX and is instead some stealth version of Android? Don't forget that QNX has long had the Android app compatibility mode. It debuted on the Z10 BlackBerry handset.

There are other auto companies on Android Automotive. GM is using it on new models, for example. Volvo wasn't even the first to implement CarPlay on Android Automotive.
 

lostpacket (Software Engineer):

> There is only one vendor using Android Automotive at the moment and that's Volvo/Polestar. If Rivian was using it, they'd be making a big deal about it the way Volvo is (since it is part of the Google OEM licensing thing to co-brand).
>
> QNX userspace is 100% capable of delivering the UI experience Rivian has. I know first-hand that Unity has been ported to QNX (that's what Rivian is using for the UI).
>
> What are you picking up on that makes you think it's not QNX and is instead some stealth version of Android? Don't forget that QNX has long had the Android app compatibility mode. It debuted on the Z10 BlackBerry handset.
As @CommodoreAmiga said there are a bunch of others. There are two kinds of AAOS, one with Google services (that Polestar and Volvo are using), and another without.

Wikipedia has a big list of who is using each: https://en.wikipedia.org/wiki/Android_Automotive

For sure Rivian is using it; we've confirmed this through user agent strings from network requests the truck is making and OAuth prompts that specifically mention Android.
 

MNLightning:

> In BimmerCode, they ended up taking out a number of features and "expert mode" from their infotainment hacking unit specifically because you could end up making the car unsafe to drive. This isn't theoretical. Most hack/tune programs specifically don't implement / lock out some features for safety. Since we're talking about starting to make this from scratch, well, we're definitely going to hit those landmines in the discovery process. But everyone that wants to call me a Karen, I told you how to get started. Go do it. I'm just not going to do it for you. Y'all seem to be experts at this, so go knock it out, go decode those function calls and reverse engineer the setup. It's honestly not super hard, so go knock it out since you know so much.
>
> It's not uncommon to hurt an engine or temporarily brick the system while creating the new tune parameters. Often they're just altering a couple of set points in a known code base. But finding those setpoints and parameter locations in a brand new code base is often a bit risky. We're not looking at just loading some custom parameters into a tune chip. With some shit code with escalated privileges you can put quite a few vehicles into dangerous territory. Even if it is just the infotainment. Make the user think they're in reverse when they're not, for example, because you futzed something and the display doesn't update or shows the wrong values. Infotainment generally controls the locks and actuators, also. Maybe you accidentally open the hood while driving because you forgot to put that check in, and you're smashing low-level commands that don't have the proper guard code because they're not meant to be even developer-facing for internal Rivian employees, but that's the code entry point you found as used, and so on.
>
> Also, I think infotainment and vehicle functions ride on the same network (obviously segregated), but that doesn't mean you can't saturate a switch and cause issues on the vehicle side, or request parameters from it too often/quickly, starving it and making the RTOS not meet timing and put the vehicle into emergency safety mode or something. Shit happens, from experience, lol
>
> Like I said, I've jailbroken various vehicles before, and it's not all fun and games. We've had some scary and expensive situations. Just because often things have been simplified down for the end user enough to just load a chip, or run a script and it works 99.999% of the time, doesn't mean that the creation of those chips and scripts and tools is some error-free safe joyride. Quite the opposite oftentimes until you get enough familiarity with the system.

Says the guy with an overclocked GPU and CPU? :clap:. And I don't think you are being serious when you say you know how to do it either. Because it is hard and very, very time consuming even with the tools currently available. Add to that, that you need the hardware from the truck and a truck. I also didn't catch anywhere in the thread where anyone was asking you to volunteer.

To each his own and I don't fault you for being the cautious type. But my life experience is that I've only heard of some of the dramatic situations you project as "probable" and have experienced bricking several ECMs and hurt a few motors along the way. And that's what makes it fun. Like the guys in the link below who are probably up for charges for what? Vehicles going into reverse on the highway, hood flying open when changing radio stations,


https://electrek.co/2020/06/10/tesla-hacker-unlocks-performance-upgrade-acceleration-boost/
 

C.R. Rivian:

> It seems all but certain the Rivian infotainment is built using QNX with an Android Automotive layer. That said, I wonder if it could be jailbroken to allow for homebrew applications. I used to jailbreak phones and game consoles, but I never really understood how the developers discovered the vulnerabilities that gave them root access to the underlying kernel. Does anyone here know how we might approach finding similar exploits in the Rivian infotainment system? I am a software dev by profession, but I have zero experience in this particular realm.
Other than the joy of the challenge, why exactly do you want to do this, particularly in light of the announced updates forthcoming?
 

C.R. Rivian:

> I'm the guy that won't shut up about CarPlay.
Boy howdy, I have a couple relatives in the legal profession, one who works at a pretty senior level in tech. I know they would advise against taking on the risk.

Beyond the legal risk, are you comfortable doing something that, through distraction, misdirection, or unanticipated interaction with the rest of the system might cause harm to yourself or others?

I've never used CarPlay so maybe I just don't know what I'm missing...
 

astonius (OP):

> Boy howdy, I have a couple relatives in the legal profession, one who works at a pretty senior level in tech. I know they would advise against taking on the risk.
>
> Beyond the legal risk, are you comfortable doing something that, through distraction, misdirection, or unanticipated interaction with the rest of the system might cause harm to yourself or others?
>
> I've never used CarPlay so maybe I just don't know what I'm missing...
I suspect if Rivian is smart they have isolated the infotainment elements well enough from the safety and drive components of the system, for their own benefit. Rivian themselves wouldn’t want Spotify or navigation crashing to cause the truck to become unsafe. Couple that with the fact CarPlay is the one thing preventing me from being happy with my purchase, and yes, I am completely fine with assuming this risk.
 

C.R. Rivian:

> I suspect if Rivian is smart they have isolated the infotainment elements well enough from the safety and drive components of the system, for their own benefit. Rivian themselves wouldn't want Spotify or navigation crashing to cause the truck to become unsafe. Couple that with the fact CarPlay is the one thing preventing me from being happy with my purchase, and yes, I am completely fine with assuming this risk.

For the 'unCarPlayed' among us (maybe I am the only one), what's the big deal? Not saying it isn't, just don't know...

The other thing is, even if Rivian is smart and has isolated the system, maybe one not thoroughly familiar might miss a step...easy enough to do. Look at how often systems have unanticipated bugs and security holes. Even if initial efforts are successful, with OTA updates, patching might be a forever job.
 
astonius (OP):

> For the 'unCarPlayed' among us (maybe I am the only one), what's the big deal? Not saying it isn't, just don't know...
It’s been covered ad-nauseam in other threads. It provides access to apps and services which are already installed, signed in, and synchronized on your phone within your infotainment. Way more functional than Rivian’s current offering. Rivian will never compete with the breadth of app and service offerings CarPlay offers. It’s a “one-and-done” solution. The convenience of having everything powered from the phone also means you don’t have to setup different vehicles with your accounts and preferences. Your phone, which is already with you, powers it all.
 

AdamUCF:

> There is only one vendor using Android Automotive at the moment and that's Volvo/Polestar. If Rivian was using it, they'd be making a big deal about it the way Volvo is (since it is part of the Google OEM licensing thing to co-brand).
>
> QNX userspace is 100% capable of delivering the UI experience Rivian has. I know first-hand that Unity has been ported to QNX (that's what Rivian is using for the UI).
>
> What are you picking up on that makes you think it's not QNX and is instead some stealth version of Android? Don't forget that QNX has long had the Android app compatibility mode. It debuted on the Z10 BlackBerry handset.
They could easily be basing it on clean AOSP but I think it's the non-GAS version of Android Automotive.

See discussion in this thread as well as the network captures I've done over in this thread.
 

svet-am (Embedded Systems Engineer):
With some of the replies, especially the one linking to the Android Automotive Wikipedia page, it's obvious I have some more research to do. Do we have it confirmed from those OEMs that they are using it, or is it just that Wikipedia page as the source of the information?