Second Generation 2015 Ultimate Nav Research

PMCErnie

Wake me when you get to the part about rolling back the odometer to zero and launching paintball missiles at passing traffic offenders.
 

fireguy0306

As a fellow nerd, I truly appreciate the amount of work that went into this so far. I am also quite impressed. This is awesome.
 

emulamer

Yeah, the way the masses are getting whipped up into a frenzy, it seems like somebody's probably going to pass some law that says "you're a terrorist if you attempt to do anything inter-computer-ey on your own car that you bought regardless of intent."

The guys with the Jeep essentially did what I'm hoping to achieve with this car; they just unfortunately turned it into "fear porn" for the masses to get publicity.

I can't find a direct source that says it explicitly, but it is almost certain that they had physical access to the car and flashed a modified firmware while physically connected and that this is NOT a remote vulnerability. If you can gain physical access to the car's hardware, you can alter it; it is just a question of difficulty. If it also has the hardware to connect to the internet, then yeah, you can reprogram it to do things on the internet.
 

emulamer

Oh, also made a little more progress.

TL;DR: I got into full engineering mode and learned more about the way the software communicates internally (and it's in a way that warrants further investigation).

To be able to better interact with the running system, I switched to the meego user and used a script I found at http://ubuntuforums.org/showthread.php?t=1059023 (with a slight modification to include some of the DHAVN processes to the list of ones to look at) to find and set the session bus to the ssh session. For fully interacting with the xwindows session I also had to export XAUTHORITY=/home/meego/.Xauthority and export DISPLAY=:0. This lets me hook into the same dbus session, which let me use dbus-monitor to inspect the dbus messages going across the bus. Also, very helpfully, python and dbus-python are on this system, so I was able to launch the "dealer mode" by watching and recreating messages through dbus. By looking at the way the engineering app was invoked combined with some very rudimentary disassembly of the executable, I found that an additional command line argument is appended to lock it down into the dealer mode instead of engineering mode. I removed the extra argument and launched the command, and engineering mode popped up, along with an icon to switch to FULL engineering mode! The password was 0428 for that. Some neat stuff in there, but very sadly the button for ibox under dynamics did not work, and I was really hoping to be able to get over to the android side of things where the cell modem and wifi interface are.

Over the MOST bus between the android and meego platforms there is an IP network established which connects the two. I haven't dug in too far yet, but initial looks at the parts of the two systems indicate that android is mapping some part of the file system over ssh using sshfs. Next, I'm going to look into this more, maybe also look further at the dbus messages and interfaces that the MOST bus manager service provides to the system.
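
The session-discovery step described in the post above, as an added example that is not emulamer's script or the one from the linked thread: it reads `/proc/<pid>/environ` of a process owned by the same user to recover `DBUS_SESSION_BUS_ADDRESS`, `DISPLAY` and `XAUTHORITY`, which is why a D-Bus session bus gives no isolation between processes of one user. The process name `DHAVN_Example`, the bus address and all helper names are constructed for illustration.

```python
import os
import tempfile

WANTED = ("DBUS_SESSION_BUS_ADDRESS", "DISPLAY", "XAUTHORITY")

def parse_environ(raw):
    """Parse the NUL-separated KEY=VALUE records of /proc/<pid>/environ."""
    env = {}
    for record in raw.split(b"\0"):
        key, sep, value = record.partition(b"=")
        if sep and key:  # skip empty records and entries without '='
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def find_session_env(name_prefixes, uid=None, proc_root="/proc"):
    """Session variables of the lowest-PID matching process owned by uid."""
    uid = os.getuid() if uid is None else uid
    for pid in sorted(int(d) for d in os.listdir(proc_root) if d.isdigit()):
        base = os.path.join(proc_root, str(pid))
        try:
            if os.stat(base).st_uid != uid:
                continue
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            if not comm.startswith(tuple(name_prefixes)):
                continue
            with open(os.path.join(base, "environ"), "rb") as fh:
                env = parse_environ(fh.read())
        except OSError:  # process exited, or environ is not readable
            continue
        if "DBUS_SESSION_BUS_ADDRESS" in env:
            return {k: env[k] for k in WANTED if k in env}
    return None

def make_fake_proc(root, procs):
    """Build a constructed /proc-like tree from {pid: (comm, environ_bytes)}."""
    for pid, (comm, environ) in procs.items():
        os.makedirs(os.path.join(root, str(pid)))
        with open(os.path.join(root, str(pid), "comm"), "w") as fh:
            fh.write(comm + "\n")
        with open(os.path.join(root, str(pid), "environ"), "wb") as fh:
            fh.write(environ)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        make_fake_proc(root, {  # constructed sample data, not from a head unit
            101: ("sshd", b"HOME=/home/meego\0"),
            202: ("DHAVN_Example", b"DISPLAY=:0\0DBUS_SESSION_BUS_ADDRESS="
                                   b"unix:abstract=/tmp/dbus-EXAMPLE\0"),
        })
        print(find_session_env(["DHAVN"], proc_root=root))
```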
 

RN2X

Not a clue what you are saying but it is cool nonetheless.
 

OneFunGenesis

As a long-time Ubuntu user, I think it's pretty cool that ssh is being used in the bus. Hmmmm...
This makes total sense as Android is built on Linux shells and therefore should be able to be explored like a Linux environment. That is why (I am assuming) Hyundai built their system on a Linux shell.

Awesome work getting in there! Can't wait for more updates!
 

FLGen

Any recent updates?
 

tallLeRoy

Hi Emulamer,

Great work. Have you seen anywhere to lower the voice response microphone sensitivity?
Mine pegs when the air conditioning blower is above rest. I did not see the setting in the Dealer menus, but maybe I did not recognize the abbreviation / acronym.

Sounds like great fun.
 

r_spec

There is an easier way to get to the engineering mode (within the UI). It only takes a few seconds to gain full access but it's pretty impressive that OP managed to get the passcodes.

FYI, the 8" unit does not require any PIN.
The 9.2" unit requires multiple PINs: PINs for "Simple" Engineering Mode and "Full" Engineering Mode, respectively.

TBH, there really isn't anything that you can change (or worth modifying)...
 

bkpatel

Hate to be that guy, but any updates? I am just wanting to get some more cool stuff out of my car. Also, if anyone knows of anybody who has cracked the ECU to do a retune, please let me know.
 