2004 to 2016 Mazda 3 Forum and Mazdaspeed 3 Forums banner

1 - 20 of 6442 Posts

·
Registered
Joined
·
215 Posts
MOD EDIT 8/12/15:

INDEX FOR THE INFOTAINMENT PROECT can be found here:

http://mazda3revolution.com/forums/2014-mazda-3-skyactiv-audio-electronics/104730-index-infotainment-project.html

ONLY USE IT AS A REFERENCE. ALL QUESTIONS AND COMMENTS REGARDING THE INFOTAINMENT PROJECT SHOULD BE POSTED HERE.

----------------------------------------

So, the Infotainment system is great, but it has me thinking how much greater it could be. There's so much potential wasted right now, and I would like to untap some of that.

The original post: http://mazda3revolution.com/forums/2014-mazda-3-skyactiv-discussion/39650-infotainment-system-software-components.html.
This got me thinking. This is obviously a linux-based OS running on an ARM chip. This was seen on this post as well: http://mazda3revolution.com/forums/2014-mazda-3-skyactiv-audio-electronics/54722-accessing-infotainment-diagnostics-menu.html

I'm a software engineer, but don't have any experience dealing with low-level linux based systems. I would love to be able to either install custom, modified linux operating systems in the car or just be able to alter parts of the system to enable hidden or disabled parts of the system.

For instance, every european market has the ability to buy connected services (live traffic, weather, etc), and the Japanese market even can play DVD's and watch live TV!

This may at least give us the ability to upgrade our own systems without visiting the dealer, or use other applications through our phones such as Waze.

What I think may help here is getting the update code dump. This would be solved easiest if someone knows a dealer that can get the update software on a USB stick. If someone could upload that somewhere, we could then start analyzing the update procedure and the software and hopefully fine some way to hijack onto that process.
 

·
Registered
Joined
·
70 Posts
This is perfect. I was about to start a thread asking where/how I would begin installing after market stereo to replace the infotainment (because I want CarPlay THAT bad), but I know its damn near impossible.

I'm a System Administrator, but not smart enough to edit something even as simple as low-level linux code, but I'd like to contribute or help in any way for those that are!
 

·
Registered
Joined
·
41 Posts
Subscribed ! :) Wanting to find out more too.

Dumb question... but anyone wanna try plugging a USB keyboard and see if any Linux shortcut keys would bring out the system console/kernel/terminal ?

Not sure how sensitive those Linux OS would pick up PnP keyboards :)
 

·
Registered
Joined
·
153 Posts
Subscribed ! :) Wanting to find out more too.

Dumb question... but anyone wanna try plugging a USB keyboard and see if any Linux shortcut keys would bring out the system console/kernel/terminal ?

Not sure how sensitive those Linux OS would pick up PnP keyboards :)
I tried, didn't seem to be recognized by the kernel. Which shortcut keys did you wanted to try?
 

·
Registered
Joined
·
14 Posts
I tried, didn't seem to be recognized by the kernel. Which shortcut keys did you wanted to try?
Try these combos Ctrl+Alt+F1 , F2, F3, F4, F5, F6 and if any of these work than you should see a "comand promt" and than you can press Clrl+Alt+F7 than you should be back at youre user interface if this had no effect for the lulz of it try to press Alt+Ctl+Delete and see if it reboots than we know that the keybord is recognized;)
 

·
Registered
Joined
·
215 Posts
Discussion Starter #6
Through the software components post, there are people that have figured out that, via wifi, openssh is available. The problem is that nobody knows the root password. There is one person that did try to brute-force it with a dictionary attack, but after 10k tries or so gave up.

Maybe that may be a way to go about this too? That is, if someone has connections to find out that password or knows flaws in openssh to force a way in?
 

·
Registered
Joined
·
14 Posts
From what i can dig up about i without having the car in my hands i can see that it runs with a Freescale i.MX 6Q Processor an a Linux 3.0.35 Kernel.

If someone wants to try to ssh to the car, Useing the user "root" and som combos of the 4-8 last digits of there VIN#(That wil make the pwd a "unique" for that car and "known").
If there is no sucsess with that than try different usernames as fx. Mazda, mazda, M3, m3, Japan, japan and so on.:wink:

I can't wait to get a hold on my M3 when it arrives in Aug.
 

·
Registered
Joined
·
107 Posts
Without physical security there is no security

Through the software components post, there are people that have figured out that, via wifi, openssh is available. The problem is that nobody knows the root password. There is one person that did try to brute-force it with a dictionary attack, but after 10k tries or so gave up.

Maybe that may be a way to go about this too? That is, if someone has connections to find out that password or knows flaws in openssh to force a way in?
But I'm not willing to tear into the system, when dealers have the binary. I've patched binaries before, but only Intel op codes.
 

·
Registered
Joined
·
153 Posts
Try these combos Ctrl+Alt+F1 , F2, F3, F4, F5, F6 and if any of these work than you should see a "comand promt" and than you can press Clrl+Alt+F7 than you should be back at youre user interface if this had no effect for the lulz of it try to press Alt+Ctl+Delete and see if it reboots than we know that the keybord is recognized;)
Tried, still no effect.
 

·
Registered
Joined
·
153 Posts
From what i can dig up about i without having the car in my hands i can see that it runs with a Freescale i.MX 6Q Processor an a Linux 3.0.35 Kernel.

If someone wants to try to ssh to the car, Useing the user "root" and som combos of the 4-8 last digits of there VIN#(That wil make the pwd a "unique" for that car and "known").
If there is no sucsess with that than try different usernames as fx. Mazda, mazda, M3, m3, Japan, japan and so on.:wink:

I can't wait to get a hold on my M3 when it arrives in Aug.
Try all lucky guesses you want, afraid it is not that simple: my SSH string has no obvious relation with my VIN.
 

·
Registered
Joined
·
14 Posts
Try all lucky guesses you want, afraid it is not that simple: my SSH string has no obvious relation with my VIN.
Well as a "normal" safety measure root will not be allowed to login via. SSH. I can see that it is OpenSSH 5.9p1 that the system uses and it has some vulnerabilities that we can exploit:cheesy: But that said i'm happy that it was not just root 1234, That would have been a security issue since the system is deeply integrated in the car. When you have you'er keybord connected can you toggle the num lock led on the keybord?
 

·
Registered
Joined
·
215 Posts
Discussion Starter #12
Pages 9804+ of the service manual are potentially interesting if a future goal may include bypassing the CMU instead of trying to hack into the firmware. They cleverly made the TAU handle all of the audio processing (which I assume is also why you can hear audio from the radio before the system is booted), with command messages being passed between the TAU and the CMU to facilitate user interaction. Much of it is done via a serial connection.
 

·
... Is Watching.
Joined
·
384 Posts
Pages 9804+ of the service manual are potentially interesting if a future goal may include bypassing the CMU instead of trying to hack into the firmware. They cleverly made the TAU handle all of the audio processing (which I assume is also why you can hear audio from the radio before the system is booted), with command messages being passed between the TAU and the CMU to facilitate user interaction. Much of it is done via a serial connection.
Dude, why do all the hard work when the guys over at OpenCar are creating a platform for Devs to make real use of the cars hardware and stuff with apps/web applets via HTML5. You should really check them out ;)
 

·
Registered
Joined
·
39 Posts
Dude, why do all the hard work when the guys over at OpenCar are creating a platform for Devs to make real use of the cars hardware and stuff with apps/web applets via HTML5. You should really check them out ;)
Yeah, here are two articles about Mazda and OpenCar from back in January

Mazda and OpenCar Launch New Automotive App Platform at CES - Motor Trend WOT

OpenCar Launches First Connected Car App Platform to Support Both Developers and Integrators | Business Wire
 

·
Registered
Joined
·
215 Posts
Discussion Starter #16
I'm hoping that they release the opencar stuff on the 14, but I'm a little dubious. Car manufacturers arnt known for really supporting software much after the fact.

With that said, I'm more just trying to get a good of the options here and any quick wins people may get, such as if they have mechanic buddies that can get a hold of the firmware updates. I won't go so far as starting to figure out an override system or something until the 15 comes out at the least
 

·
Registered
Joined
·
16 Posts
Well as a "normal" safety measure root will not be allowed to login via. SSH. I can see that it is OpenSSH 5.9p1 that the system uses and it has some vulnerabilities that we can exploit:cheesy: But that said i'm happy that it was not just root 1234, That would have been a security issue since the system is deeply integrated in the car. When you have you'er keybord connected can you toggle the num lock led on the keybord?

You were able to get an SSH daemon running on yours? I've been checking mine for listening services and have come up empty. I'm determined to pop a shell on this sucker too.

Even getting a simple local shell would be helpful, then you could spawn a netcat instance for remote connectivity. But I'd love to take a peak at the shadow file. I do network penetration testing for a living.

I was holding out hope for a keyboard working too considering that HID device support is typically pretty low level, but it didn't even appear power was being sent to it when I tried the USB ports. Maybe a jtag or serial interface somewhere?
 

·
Registered
Joined
·
39 Posts
You were able to get an SSH daemon running on yours? I've been checking mine for listening services and have come up empty. I'm determined to pop a shell on this sucker too.

Even getting a simple local shell would be helpful, then you could spawn a netcat instance for remote connectivity. But I'd love to take a peak at the shadow file. I do network penetration testing for a living.

I was holding out hope for a keyboard working too considering that HID device support is typically pretty low level, but it didn't even appear power was being sent to it when I tried the USB ports. Maybe a jtag or serial interface somewhere?
Awesome work guys! I really hope you're successful at cracking the system.
 

·
Registered
Joined
·
14 Posts
You were able to get an SSH daemon running on yours? I've been checking mine for listening services and have come up empty. I'm determined to pop a shell on this sucker too.

Even getting a simple local shell would be helpful, then you could spawn a netcat instance for remote connectivity. But I'd love to take a peak at the shadow file. I do network penetration testing for a living.

I was holding out hope for a keyboard working too considering that HID device support is typically pretty low level, but it didn't even appear power was being sent to it when I tried the USB ports. Maybe a jtag or serial interface somewhere?
Well i haven't got my M3 yet, But should arrive in August (about 6 months waiting time in Denmark:devil:) But @PoP has had an SSH connection with the car.

The touch screen is uses a Microchip AR1010 or AR1100 chip a far as i can see from some documentation. This touch screen controller uses UART.
So what i know so far is the system consists of
CPU= Freescale i.MX6Q
Linux Kernel 3.0.35 for the i.MX6Q
Openssh 5.9p1
Wifi= TI WL127x or WL128x
Sound= ALSA
Display server protocol= Wayland
 
1 - 20 of 6442 Posts
About this Discussion
6.4K Replies
1K Participants
int3rnist
2004 to 2016 Mazda 3 Forum and Mazdaspeed 3 Forums
Come discuss all things Mazda 3 from the Mazda GT hatchback to Mazdaspeed, sedan and sport.
Full Forum Listing
Top