
Car Hacker's Handbook (2016) - rbanffy
http://opengarages.org/handbook/
======
computator
I would love it if somebody would make a guide to create a "privacy car":
disabling OnStar, shutting off all telematics that manufacturers put into the
navigation and infotainment systems, changing or disabling the serial numbers
in the tire-pressure monitoring system, and similar things. I imagine that
this would need to be model-specific, but I'm amenable to choosing a new car
based on the availability of a privacy hack, the same as developers who choose
their computers/phones/routers based on availability of firmware replacement
and known jailbreaks.

~~~
bonestamp2
I agree that would be cool, although with 2018+ cars this is going to get very
difficult. Manufacturers are starting to encrypt bus traffic and add firewalls
that will prevent unauthorized communication between certain ECUs and from the
J1962 connector (aka "OBDII Port").

I work for an auto supplier that supplies vehicle communication software, so I
can confirm first hand that some 2018 vehicles currently on sale already have
these firewalls:

[http://www.bosch-mobility-solutions.com/en/products-and-serv...](http://www.bosch-mobility-solutions.com/en/products-and-services/passenger-cars-and-light-commercial-vehicles/connectivity-solutions/central-gateway-cgw/)

~~~
StillBored
Which is to keep the evil hackers out, but has the additional benefit that
they can have a captive market for a $100 part that would normally be $1. The
aftermarket suppliers are locked out of the market because they don't have the
private keys to handshake on the bus.

(happily keeping my late 90's car running, although my most recent car
literally has gone 100k miles with _NOTHING_ but oil, tires and brake pads).
It's now at its first service interval and I'm wondering if I should just trade
it in before anything breaks.

~~~
sooper
Something which is already being seen in the farming market:
[https://motherboard.vice.com/en_us/article/xykkkd/why-americ...](https://motherboard.vice.com/en_us/article/xykkkd/why-american-farmers-are-hacking-their-tractors-with-ukrainian-firmware)

~~~
bonestamp2
Yes, the John Deere situation will likely drive change in the automotive world
too. There is already a pretty strong "right to repair" law in MA, and it will
likely inform the laws that are written in other states or maybe even at a
federal level. All automakers have to conform to the MA law already, but I'm
not sure if that law applies to farming/John Deere as well.

------
louthy
I would love it if I didn't have to click Accept on the touch-screen in my car
every time I start it up. I shouldn't have to accept the terms and conditions
every time - I already have agreed to abide by local laws - it's my driving
license.

Anybody know if it's possible to get into these systems and do a bit of
tinkering? I guess my question is more: as someone who isn't really prepared
to spend weeks looking for buffer overrun exploits, is there usually a quick
("mechanic's view") backdoor to these things that's accessible with a bit of
cunning?

~~~
computator
> _have to click Accept on the touch-screen in my car every time I start it
> up_

Wow, that's just horrible. Even Windows doesn't make you accept Terms and
Conditions every time you reboot. May I ask what car you have?

~~~
louthy
Maserati Ghibli (2017) - the parent company is Fiat/Chrysler and they seem to
have a re-skinned Chrysler infotainment system. Which isn't too bad once you
get past the annoying warning. It doesn't stop me driving, just stops quick
access to things you want to set when you get in the car.

------
pantulis
This is a great primer on car hacking, but in my opinion it focuses a lot on
the "physical layer". My bet would be that the future is going to be based in
things like what Comma.ai is building upon what the book describes.

~~~
TeMPOraL
Wait. People keep mentioning Comma.AI. Didn't they die, after failing to go
all Uber on transportation safety, followed by the founder throwing a tantrum?

~~~
donclark
They are still around developing electronics or products for specific models
of autos. Is their goal to provide a low-end device that will do automatic
driving (at what level)? [https://comma.ai/](https://comma.ai/) Edit: spelling

~~~
asteli
it looks like they're targeting the hobbyist market -- the couple hundred
people worldwide who want to roll their own self-driving car.

------
synthmeat
Can anyone recommend a particular maker and/or model which are, from their own
experience, _hackable_ in the sense of the book?

~~~
ingenieroariel
Ford Fusion Titanium Plus 2017, better if you get the Hybrid version. (This
one I own)

Chevy Bolt/Volt. (This would be my first choice if I lived in the US)

Toyota Prius. (This would be my second choice if I lived in the US)

Honda Civic. (This one has a lot of information out there thanks to Comma AI)

~~~
chrisper
Are your choices based on hackability or something else?

~~~
ingenieroariel
The hackability comes with the car doing most of its internal communication
via a CAN bus and having enough electrical power to power your custom
electronics.

Apart from that, the car needs to have Steering by wire, Gas/Brake by wire and
Shift by wire. Lane Keep Assist and Adaptive Cruise Control in those models
mean that the car can be ordered to steer or accelerate via the CAN bus
without additional actuators.

I have been learning about that topic for about a year and a half and the
reason I recommend those specific models is because I have seen autonomous
driving companies pick those specific ones _without_ official support from the
manufacturer.

~~~
dima586
Steering by wire --> none of the cars you listed have steer by wire. Nissan is
the only OEM who has steer by wire in production. Brake by wire --> does not
exist at all.

~~~
ingenieroariel
You are right in the formal sense, none of those cars officially have by-wire
functionality but in order to have LKAS, Park Assist and ACC work they need to
support steering via CAN bus messages and braking via CAN bus messages. I used
by-wire in an informal sense. Disclaimer, I have never worked in the car
industry, that's why my terminology is a bit loose.

~~~
ShirsenduK
ingenieroariel is being humble here. He is one of the first (if not the first)
to do this with the Ford Fusion.

[https://github.com/commaai/openpilot/issues/1](https://github.com/commaai/openpilot/issues/1)

~~~
ingenieroariel
Work on the Lincoln MKZ / Ford Fusion was made popular thanks to Dataspeed /
Autonomoustuff, they open sourced a ROS module but most of their magic is
proprietary / secret. It's expensive but a lot of startups use it.

The work that you point to is what we now know "openly", and yeah, there are
only a few of us and I am one of the first sharing their findings on that
specific model. There are a ton of people who know what we yet don't know but
they don't/can't share it publicly.

------
walshemj
Not sure if you can still do it but years ago at my first job one of my
coworkers (with a BSC and MSC in mech eng) got the full workshop manual for
his partner's car so he could work on it.

I assume that he also did that for his Mustang which had been prepped for drag
racing (the top class that is legal to drive on the road)

~~~
StillBored
I've purchased (actual) shop manuals for my cars a couple times. The first
time was for a mustang. They are better than the chilton style manuals but
barely. I used to joke that the mustang manual was the most detailed choose
your own adventure guide I'd seen. Because that is what they are for, they are
a guide to diagnosing and replacing whatever part/module happens to be
malfunctioning. Which is why the first page was something like "Customer is
complaining of" followed by a long list of generic things, and the page to
turn to to start diagnosing the problem. The sections on
interpreting/diagnosing MIL codes are really where they shine, but the
sections on repairing things are frequently "use special service tool
$TOOLNUMBER" to remove part A from part B whereas these days 10 mins on
youtube frequently will have a shade tree mechanic way to get around the
problem without spending $100 on some tool you will only use once.

So, you shouldn't imagine that the shop manuals detail the protocol between
differing components or whatever. While they frequently will have complete
wiring diagrams (with pinouts) between modules, I have yet to see schematics
for any of the modules, even when disassembling them shows that they are
little more than a few passive components and a relay, motor, etc. That is
where the real savings/knowledge come in anyway, it's rebuilding the $300
dealer only door lock with a $.50 motor from the electronics supply house that
has brushes that won't wear out in 5 years. Or swapping a good film cap for an
electrolytic in some part that costs hundreds of dollars.

Basically generic problem solving skills make using those manuals needless. I
have them for my late 90's car I keep around but I haven't opened them in
probably 10 years. I don't own any manuals for the more recent ones. I drive
toyotas now and they simply don't break regularly enough to need purchasing
manuals. I can usually quickly diagnose if I'm going to be able to repair the
problem myself in a couple hours at which point I proceed to do it, or just
take it to the dealer/wherever.

~~~
dfox
I had obtained shop manuals for every car I ever owned. Almost always I only
used them to find out how to disassemble something. Somewhat interesting
observation that before model year 1995 or something like that the shop
manuals generally included detailed mechanical drawings of various custom
tools and jigs (detailed enough that you could conceivably manufacture the
thing with dremel and lathe), since then you only get order numbers.

~~~
StillBored
Probably earlier than that. I purchased the mustang set in the early 90's for
a late 80's mustang. It definitely had a lot of special service tools usage.

(fox body, had no idea when I sold it for $500 in the late 90's they would be
considered so cool today).

------
punnerud
Already been posted 5 times before, one with enough votes to hit the
frontpage:
[https://news.ycombinator.com/from?site=opengarages.org](https://news.ycombinator.com/from?site=opengarages.org)

------
mandeepj
some may find this CAN Simulator useful -
[https://stackoverflow.com/questions/35607115/virtual-can-bus...](https://stackoverflow.com/questions/35607115/virtual-can-bus-simulator)

------
icantdrive55
I bought this book, and he graciously provides it online.

It's put together well. I just haven't read it thoroughly, but it's a keeper.

I just opened the book, and happened to see a motherboard. It was a VW board,
and I saw this,

"In their paper, the researchers analyzed the algorithm and reported on the
vulnerabilities they found, though the actual exploit was apparently not
trivial and there were much easier ways to steal a car with a Megamos system.
Nevertheless, the research was placed under a gag order, and the findings
weren’t made public. Unfortunately, the problem with Megamos still exists, and
it’s still insecure—the gag order simply prevents vehicle owners from
determining their risk because the research isn’t publicly available. This is
a prime example of how the auto industry should not respond to security
research."

1\. Ironic the board is made by VW.

2\. We need to see all that information.

3\. This was just a paper of a few security bugs.

4\. My point is I don't want to be tied to a Dealership for the life of "my"
vehicle when it gets sick.. I don't want to pay $220/hr to Reflash "my"
vehicle.

5\. And there will be those that get this post here, but I know the general
public just cares about looks, and cup holders. As a kid, I knew most people
didn't care about double overhead cams, etc.

6\. A vehicle is a huge purchase for most of us. We shouldn't be locked out
of anything we own. Can trust wireless attacker with the information; don't
use wireless technology in your Vehicle.

7\. I really wish Toyota would start manufacturing late 70-80's, simple trucks,
and cars again. We want simplicity. Or, many of us want Simplicity.

8\. Rant over. Key in off position, and in pocket. Can't lose it--a
replacement key is $350. I just don't get it. But then again I'm very unhappy
lately. I sometimes think I need to attach the Jumper cables to my temples,
and get a little shock. Amperage is not enough, or too high. Don't want to
know.

~~~
NegativeLatency
The chicken tax
([https://en.wikipedia.org/wiki/Chicken_tax](https://en.wikipedia.org/wiki/Chicken_tax))
is part of why there are no small simple trucks in the US.

I recently got back from a trip to Mexico, and I saw all kinds of new small
simple trucks. Nissan's small truck (not sure of the name) and the Toyota
Hilux seemed to be the most popular. There were all different kinds of bed
attachments people were using.

------
baxtr
_The world needs more hackers, and the world definitely needs more car
hackers. Vehicle technology is trending toward more complexity and more
connectivity. Combined, these trends will require a greater focus on
automotive security and more talented individuals to provide this focus._

Looking at recent “terror attacks”, where cars/trucks were used: it is
plausible to think that terrorists could pull an organized attack using a
coordinated fleet of hacked cars/trucks. Kind of scary...

~~~
rypskar
Seems like you are confusing what technical people call a hacker with what
journalists call a hacker. The hacker used here is a person who tinkers and
makes changes, what journalists call a hacker is called cracker in that
context. A car hack will be to make it work more the way you want it to, a car
crack will be to take control and damage it or others with it

------
WillReplyfFood
The problem here is the market distorting the incentives to the point that
car-manufacturers have an interest that thieves create artificial demand backed
by insurance money. Which the insurers then transfer to the consumer, a
circle that amounts to a hidden price raise for cars via insurance, and
contains nothing of value for the user of the product.

