Hacking My Mazda Infotainment - MZD-AIO and CASDK
How Does the 2014-2019 Mazda Connect Infotainment Work?
The infotainment system in my 2015 Mazda 3 is incredibly strange. The entire infotainment "operating system" that you see is nothing more than the Opera web browser showing regular old HTML, JS, and CSS web pages. As strange as this solution is, this offers amazing possibilities that most other car infotainment systems don't allow for. Unlike my old Audi running QNX or something equally strange, the Mazda runs a regular version of Linux with a very normal web browser. In fact, it has become even easier to work with in recent years, due to the abundance of Arm-based phones and laptops, just like the Arm CPU in the Mazda Infotainment.
The infotainment system was made by a company called Johnson Controls International, or JCI, rather than being made in-house by Mazda. JCI left a lot of development and debugging features even in the final versions of the OS that went out to consumer cars.
A Brief History of Hacking the Mazda Infotainment
JCI left a "test screen" (partly visible in the top image) in the infotainment system that could be accessed through either a button combination, or tapping and holding on the clock on the touchscreen in a certain page of the settings app. The test screen consisted of a keypad and small black display on the right side of the screen. Punching in a number and hitting enter would do some debug task.
However, even beyond this secret menu, there was a secret menu in this secret menu. If rather than typing in a number, you held the "DEL" key for about 20 seconds, it would unlock "JCI TEST MODE", which would allow you to type in the number "11" and see the menu shown in the top image of this post. This was where all the fun stuff was. You could enable the Wi-Fi Access Point (which had been disabled in software long ago in North American models), you could enable the touchscreen while driving, and you could access a terminal with root access! You would need to plug in a keyboard to use the terminal, but it allowed for many possibilities, including running scripts from the USB ports! The Mazda had been successfully jailbroken.
Shortly after, Mazda realized people were accessing this menu, and disabled the JCI TEST MODE delete key shortcut. You could still enter the menu with the keypad and black display, but all the fun options were gone. With no terminal, you couldn't make any meaningful changes to the infotainment. However, if you were willing to remove the headunit from the dashboard, you could connect a serial cable and have the same effect.
After that, Mazda noticed again and disabled the serial console. It looked like all hacking possibility was lost. However, remember how the infotainment system was just a web browser? This meant that the infotainment system was open to all the web browser tricks that were available back in 2014 or so when this infotainment was developed. If you used the Bluetooth connection from your phone to play a very specific MP3 file developed by SergSlim, the Mazda would execute code embedded in that file when it showed the song name on the screen. This worked by including HTML and JavaScript in the song title metadata, which would get executed when the car displayed it on-screen. This JavaScript code would enable the JCI TEST MODE, which hasn't been used for exploiting the Mazda Infotainment since the very beginning.
As Mazda has stopped updating this infotainment system when they released their newest version in their 2019 cars, this exploit should remain available.
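The song-title injection described above is a failure to treat track metadata as plain text before it reaches the browser-based UI. The following is an added example, not Mazda's or JCI's code and not from the original post: it contrasts a renderer that concatenates metadata into markup with one that sanitizes it first. The `track.title` field, the markup, and the sample titles are assumptions constructed for illustration.

```javascript
// Added example (not Mazda/JCI code). Field names and markup are hypothetical.

// Vulnerable pattern: the title is concatenated straight into markup, so any
// tags in the metadata become part of the page once assigned to innerHTML.
function renderUnsafe(track) {
  return '<div class="title">' + track.title + '</div>';
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Treat a metadata field as plain text: coerce to string, drop control
// characters, cap the length, then escape for an HTML text context.
// Truncation happens before escaping so an entity is never cut in half.
function cleanField(value, maxLen = 128) {
  const text = String(value ?? '').replace(/[\u0000-\u001f\u007f]/g, '');
  return escapeHtml(text.slice(0, maxLen));
}

// Hardened pattern. In a real DOM, assigning element.textContent = title
// achieves the same result without building markup strings at all.
function renderSafe(track) {
  return '<div class="title">' + cleanField(track.title) + '</div>';
}

// Detection helper: flag fields that look like markup so they can be logged
// or rejected. Heuristic only; escaping remains the actual control.
function looksLikeMarkup(value) {
  return /<\s*\/?\s*[a-z!][^>]*>/i.test(String(value ?? ''));
}

// Constructed sample inputs (not taken from any real file).
const benign = { title: 'AC/DC - Rock & Roll' };
const hostile = { title: '<script>/* placeholder */</script>Song' };

console.log(renderUnsafe(hostile)); // tag survives intact
console.log(renderSafe(hostile));   // tag is shown as literal text
console.log(renderSafe(benign), looksLikeMarkup(hostile.title));
```
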
What Can We Do With This?
We have root access to the Mazda! Theoretically anything. More realistically though, there are some more steps to be done. We need to disable the Watchdog service, which is designed to reboot the infotainment automatically if it notices any errors. This is generally good, but if you are messing with the infotainment system, this will easily cause a boot loop. The car will notice you've edited a file, reboot, notice that file again, reboot again, etc. You can also enable SSH for easier modification, change the root password from one unique to your car to something you know, and enable running tweaks from USB.
Tweaks?
During the heyday of the Mazda hacking, a site called MazdaTweaks was made, including all sorts of fun scripts, tricks, and most importantly: documentation! You could do simple quality-of-life stuff, like removing the warnings on startup of the car, reordering the audio sources so that the car defaults to what YOU want instead of FM radio every time, and more. You can add custom apps, including a speedometer and video player. You can make your own apps using an SDK called CASDK!
CASDK?
CASDK is a "micro framework" for building infotainment apps. It handles all of the low-level stuff like reading data from the car, adding apps to the infotainment's built-in app list, etc. It allows you to make an app with simple JavaScript, CSS and jQuery, and put it on the infotainment! A handful of apps have been put online, including games like Tetris, a dashboard app including speed, fuel level, and temperature, and a whole diagnostic menu letting you read ALL of the data from your car.
I've been learning how to build apps with this, and learning its limitations. I built a silly fuel economy app using only the most obscure units as a joke with my friends, including miles per gallon, but also football fields per barrel of gasoline, or earth radii per Olympic pool of gasoline, or even a unit my friend made up, "bigs" used per furlong.
I tried to build a 0-60 acceleration timer, but as the CASDK apps only get new data from the car about once per second, automatically starting and stopping the timer had such a delay that it would often miss you beginning to drive or hitting 60. A friend of mine is building an app that will use your GPS to always point at the nearest Starbucks or McDonalds. I'm currently building a lap timer/cannonball timer app, complete with a timer (of course), current speed, average speed, RPM, and more. My apps (including WIP ones) can be found on my GitHub here.
What Are My Next Plans?
Running Doom. No, really. I worked for about a month trying to accomplish this on my last car, the Audi A4, but with the combination of the QNX operating system and a RISC-V CPU, the hardware and software were too weird to work with, and beyond that there was a real lack of documentation. However, Linux and Arm on the Mazda? I know both of those! I have an Arm Raspberry Pi running Linux I could use to compile with, plus my Arm64 MacBook that might be useful too.
I previously tried getting Doom to run in the web browser through hosting it on my website, but the browser was too old and had a ton of TLS and SSL errors, making it unable to load my site. While I could likely resolve those, it turns out a version of Opera that old can't run JSdos like I was trying to use anyway. I've tried compiling Doom for Arm Linux and had some struggles, so I've temporarily dropped that, but I could go back to that if need be.
My current plan is Java. Why? There's a build of Java that I have verified does run on my car. There is also a Java version of Doom that I have verified does run on my computer. I have yet to put two and two together, as last time I worked on my car I wound up draining the car battery by sitting with the infotainment on for too long. That was a bit of an embarrassing thing to explain to my friends. "Heyyy, I killed my car battery by trying to run Doom on my car. Can you come jump start me?".
Hopefully later this summer when I'm back in Seattle and have access to a garage with a car charger, I'll be able to get that working. If I do, rest assured I'll post it here immediately.
Gotta love Starbucks/McDonalds units.
real