For the upcoming Pwn2Own Automotive contest, a total of four in-vehicle infotainment (IVI) head units have been selected as targets. One of these is the double DIN Kenwood DMX958XR. This unit offers a variety of functionality, such as wired and wireless Android Auto and Apple CarPlay, as well as USB media playback, wireless mirroring, and more.
This blog post presents internal photos of the DMX958XR boards and highlights each of the interesting components. A hidden debugging interface is also detailed which can be leveraged to obtain a root shell.
Internals
The DMX958XR is a compact unit that contains multiple interconnected boards. Fortunately, the most interesting board is at the top of the unit and can be easily accessed by removing a few screws and metal plates.
The topside of the main board contains a video processing IC, PMIC, NAND flash, and two DDR3 SDRAMs.
Carefully flipping the main board over reveals the SoC, radio module, eMMC, and more RAM. Be careful not to tear the ribbon cable that is attached to the underside of the board!
In the center of Figure 2 is a Murata radio module that handles Wi-Fi and Bluetooth operations. Searching around for the exact model number that is etched onto the shielding does not return much information, but the FCC documents for the DMX958XR state that this is the Murata LBEE6ZZ1WD-334. This module has no public datasheet available and isn’t listed on Murata’s site.
To the right of the radio module is the Telechips TCC8974 SoC, which is marketed as an “IVI and Cluster solution” that supports running Android, Linux, and QNX. The TCC8974 uses a 32-bit ARM core and has multimedia hardware acceleration capabilities. Off to the right of the SoC is the supporting SDRAM and eMMC that the TCC8974 requires.
For completeness, annotated photos of the other boards are provided below. These boards serve varying purposes, such as GPS and audio.
Debug Connector
Eagle-eyed readers may have noticed a suspicious-looking edge connector shown in Figure 1 that is slightly off to the right of the NAND flash. This exposes a Linux login prompt over UART at 115200bps. Logging in with the correct credentials will spawn a root shell.
Summary
Hopefully, this blog post provides enough information to kickstart vulnerability research against the DMX958XR. Keep an eye out for future posts that cover the threat landscape of the DMX958XR.
We are looking forward to Automotive Pwn2Own, again to be held in January 2025 at the Automotive World conference in Tokyo. We will see if IVI vendors have improved their product security. Do not wait until the last minute to ask questions or register! We hope to see you there.
You can find me on Twitter at @ByteInsight, and follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.
For the upcoming Pwn2Own Automotive contest, a total of four in-vehicle infotainment (IVI) head units have been selected as targets. One of these is the double DIN Kenwood DMX958XR. This unit offers a variety of functionality, such as wired and wireless Android Auto and Apple CarPlay, as well as USB media playback, wireless mirroring, and more.
This blog post presents internal photos of the DMX958XR boards and highlights each of the interesting components. A hidden debugging interface is also detailed which can be leveraged to obtain a root shell.
Internals
The DMX958XR is a compact unit that contains multiple interconnected boards. Fortunately, the most interesting board is at the top of the unit and can be easily accessed by removing a few screws and metal plates.
The topside of the main board contains a video processing IC, PMIC, NAND flash, and two DDR3 SDRAMs.
Carefully flipping the main board over reveals the SoC, radio module, eMMC, and more RAM. Be careful not to tear the ribbon cable that is attached to the underside of the board!
In the center of Figure 2 is a Murata radio module that handles Wi-Fi and Bluetooth operations. Searching around for the exact model number that is etched onto the shielding does not return much information, but the FCC documents for the DMX958XR state that this is the Murata LBEE6ZZ1WD-334. This module has no public datasheet available and isn’t listed on Murata’s site.
To the right of the radio module is the Telechips TCC8974 SoC, which is marketed as an “IVI and Cluster solution” that supports running Android, Linux, and QNX. The TCC8974 uses a 32-bit ARM core and has multimedia hardware acceleration capabilities. Off to the right of the SoC is the supporting SDRAM and eMMC that the TCC8974 requires.
For completeness, annotated photos of the other boards are provided below. These boards serve varying purposes, such as GPS and audio.
Debug Connector
Eagle-eyed readers may have noticed a suspicious-looking edge connector shown in Figure 1 that is slightly off to the right of the NAND flash. This exposes a Linux login prompt over UART at 115200bps. Logging in with the correct credentials will spawn a root shell.
Summary
Hopefully, this blog post provides enough information to kickstart vulnerability research against the DMX958XR. Keep an eye out for future posts that cover the threat landscape of the DMX958XR.
We are looking forward to Automotive Pwn2Own, again to be held in January 2025 at the Automotive World conference in Tokyo. We will see if IVI vendors have improved their product security. Do not wait until the last minute to ask questions or register! We hope to see you there.
You can find me on Twitter at @ByteInsight, and follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.