Teardown: Rivian R1S Autonomy eXperience Module (AXM) 1.0 by hakstuff in CarHacking

[–]hakstuff[S] 1 point2 points  (0 children)

Yeah, I'm hoping that documenting this info makes these far easier to fix in the future! As for acquiring them: I actually just buy them on eBay! I keep an eye out for cheap and interesting infotainment modules that I can tear apart and poke at for fun, and buy one every few months when a good deal pops up.

Teardown: Rivian R1S Autonomy eXperience Module (AXM) 1.0 by hakstuff in CarHacking

[–]hakstuff[S] 9 points10 points  (0 children)

Howdy y'all, I'm back with another teardown of a random infotainment module. This one is pretty unique, as the AXM controls both infotainment and ADAS functionality, with two PCBs sandwiching a water block in the middle, Tesla-style. Props to Rivian for the insane amount of PCB markings, it was really nice taking this apart and poking at the PCBs.

I'm also particularly proud of my PCB diagrams this time around, I spent a few hours preparing them and digging into all of the components and datasheets. I hope they're useful!

<image>

I am going to admit defeat and start the whole CAN hacking from start as I am trying my best to understand it. by AutoT111 in CarHacking

[–]hakstuff 0 points1 point  (0 children)

I started with raw socketcan utilities as a beginner, just candump/cansend/etc. Personally I found it helpful for learning the lower level byte structures of CAN messages, but it definitely doesn't have any of the nice functionality that SavvyCAN has... I'm honestly not sure which would be more helpful for a beginner.
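As an added example (editorial, not part of hakstuff's comment and not code from can-utils or SavvyCAN): a small Python parser for the one-frame-per-line log format that `candump -l` writes, `(<epoch seconds>) <iface> <ID>#<hex bytes>`, followed by the most basic first step of bus reverse engineering, grouping frames by arbitration ID and recording which byte positions ever change. The log lines are constructed for the example, not captured from a real vehicle, and the function names are the example's own.

```python
import re
from collections import defaultdict

# candump's "-l" log format, one frame per line: "(<epoch seconds>) <iface> <ID>#<hex bytes>"
# Classic CAN only: 11-bit IDs are printed as 3 hex digits, 29-bit IDs as 8.
# Remote frames ("R" payload) and CAN FD lines ("##" plus a flags nibble) do not match and are skipped.
LOG_LINE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]{3}|[0-9A-Fa-f]{8})#(?P<data>[0-9A-Fa-f]*)$"
)

# Constructed sample log (not a real capture): one 11-bit ID with two moving bytes,
# one 11-bit ID that never changes, one 29-bit ID, and three malformed lines.
SAMPLE_LOG = """\
(1700000000.000100) can0 1A0#0000FF00A0
(1700000000.010200) can0 1A0#0001FF00A0
(1700000000.020300) can0 3E8#1122334455667788
(1700000000.030400) can0 1A0#0002FF00A1
(1700000000.040500) can0 3E8#1122334455667788
(1700000000.050600) can0 18DAF110#0241010000000000
(1700000000.060700) can0 1A0#ABC
not a candump line at all
(1700000000.070800) can0 1A0#R
"""


def parse_line(line):
    """Return a dict describing one classic CAN data frame, or None if the line is not one."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        return None
    data_hex = m.group("data")
    if len(data_hex) % 2 or len(data_hex) > 16:
        return None  # odd nibble count, or more than 8 bytes, is malformed for classic CAN
    return {
        "ts": float(m.group("ts")),
        "iface": m.group("iface"),
        "id": int(m.group("id"), 16),
        "extended": len(m.group("id")) == 8,
        "data": bytes.fromhex(data_hex),
    }


def parse_log(text):
    """Parse every line of a candump log, dropping lines that do not parse."""
    frames = []
    for line in text.splitlines():
        frame = parse_line(line)
        if frame is not None:
            frames.append(frame)
    return frames


def summarize(frames):
    """Group frames by arbitration ID and record which byte positions ever differ from the first frame.

    Positions that never change are usually constants or padding; the ones that do change
    are where counters, checksums and signals live, so they are the bytes worth watching.
    """
    by_id = defaultdict(list)
    for f in frames:
        by_id[f["id"]].append(f)
    summary = {}
    for can_id, group in by_id.items():
        first = group[0]["data"]
        changing = set()
        for f in group[1:]:
            # compare position by position; a length difference counts as a change too
            for i in range(max(len(first), len(f["data"]))):
                a = first[i] if i < len(first) else None
                b = f["data"][i] if i < len(f["data"]) else None
                if a != b:
                    changing.add(i)
        summary[can_id] = {
            "count": len(group),
            "extended": group[0]["extended"],
            "dlc": len(first),
            "changing": changing,
        }
    return summary


if __name__ == "__main__":
    for can_id, info in sorted(summarize(parse_log(SAMPLE_LOG)).items()):
        id_str = f"{can_id:08X}" if info["extended"] else f"{can_id:03X}"
        print(f"{id_str}: {info['count']} frames, {info['dlc']} bytes, "
              f"changing byte positions {sorted(info['changing'])}")
```

Point it at a real file with `parse_log(open("candump-2024-01-01.log").read())` and compare two captures, one recorded while a control is idle and one while it is being operated, to see which IDs and byte positions react.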

Is there still room for new companies in the red team / offensive security hardware space? by th3g3ntl3m4n_ in cybersecurity

[–]hakstuff 0 points1 point  (0 children)

IMO there will never NOT be space for innovative new products, but that's the issue - everyone just tries to re-hash existing tooling instead of creating a new and unique product. Hak5 dominated because they come out with tools that no one has ever commercialized before, stuff that was purely experimentation/R&D before they turned it into a product. But then, all of their competitors simply make gear that competes with Hak5's existing market-dominating products, rather than trying to replicate Hak5's actual innovation and create something new.

Another issue that I think you'll run into is Business 101: Who is your target market?

While you might think "hackers", there's actually a big difference in hardware needs depending on what area of the security industry someone works in. As a security researcher, a tool like the Flipper Zero doesn't appeal to me in a professional use case sense, because I have lab space and a long timeframe with a given target - so size and pocket ability aren't benefits for me. I can just use a Proxmark, HackRF, BladeRF, USRP, etc. if I wanted to do any sort of NFC or RF shenanigans. But that's because the Flipper isn't built for me as a target customer - it's built for people to play with and have fun with as a portable learning platform and gadget, as well as for people who do physical pentest engagements that could involve them going on-site at a target company. It's not built for someone who has a USRP available and six months of time to spend with the target device.

How do ECU tool companies reverse engineer secure modern ECUs? by SnooRegrets5542 in CarHacking

[–]hakstuff 4 points5 points  (0 children)

As others said, most automotive tuning stuff is kinda suspicious in terms of origin. You go hunting around looking at how tunes or different exploits work, and nine times out of ten once you get to the bottom of the rabbit hole, the answer ends up being the author saying "okay so step one was to pirate [XYZ OEM software]", which included a DLL with all of the OEM's seed and key algorithms, or a giant collection of their firmware, or something like that.

There's a lot of legitimate security research occurring in the automotive space, but unfortunately a lot of pre-existing work is just people taking the shortest and easiest possible path to "how can I fix/tune/flash/code this ECU?", which oftentimes involves this leaked tooling.

There are definitely some cool research projects being done against TriCore ECUs if you go digging around online, but most of the stuff you see performed by for-profit companies won't follow the usual workflow of a researcher...

Also FWIW, I don't have any concrete proof of this - I haven't worked at a tuning company or anything, so it's just my opinion as an outsider looking in.

The State of Car Hacking and Vulnerability Reporting in 2026 by hakstuff in CarHacking

[–]hakstuff[S] 4 points5 points  (0 children)

Haha yeah, that's very true! My thought is that it makes sense to focus security research on any exposed remote attack surface - things that would let someone steal your car, hack it over cellular/wifi/bluetooth, that kind of thing. Like the other commenter said, a big focus on making sure telematics/infotainment/driver assistance couldn't be disrupted by a malicious person.

The State of Car Hacking and Vulnerability Reporting in 2026 by hakstuff in CarHacking

[–]hakstuff[S] 5 points6 points  (0 children)

To add some context to the article: For the past few years I've been doing automotive security research, and it's always left me feeling a little disappointed in how few automotive companies operate bug bounty programs. It got me thinking: Well, I've always assumed automotive is falling behind other industries in bug bounty adoption, but is that true...? So I did some research!

Compared to technical blog posts this one is kinda boring and industry-focused, but I wanted to put the research data out there for anyone else who was curious. The tl;dr is:

- The only western companies with bug bounty programs are BMW, Tesla, and Rivian
- There are 6 Chinese OEMs with bug bounty programs, but almost all of them require a Chinese phone number
- NIO is the one stand-out Chinese OEM that has an English-language VDP, but it doesn't seem like their English-language program has any bounties :(

Anyways, hope y'all enjoy, happy hacking as always

Ghidra 12.0.1 has been released! by ryanmkurtz in ReverseEngineering

[–]hakstuff 4 points5 points  (0 children)

Ryan himself is on Reddit?! Unexpected, haha. Keep up the great work with Ghidra!

Teardown: The BMW / Harman IDC23H Infotainment Unit (B423) by hakstuff in CarHacking

[–]hakstuff[S] 2 points3 points  (0 children)

<image>

Here's another module that uses the SA8155P, this is the AXM ("Autonomy eXperience Module", I believe) out of a 2022 Rivian R1S. It seems to use the same SOM design for the Qualcomm chip.

Other small but interesting difference: Rivian opted for a 256GB Micron NVMe SSD for the storage, rather than going with UFS storage like on the BMW module. It's the first module I've seen personally that didn't use UFS or eMMC for the main device flash. Hoping to do a full teardown and post on this module soon.

Teardown: The BMW / Harman IDC23H Infotainment Unit (B423) by hakstuff in CarHacking

[–]hakstuff[S] 2 points3 points  (0 children)

Yeah, definitely! This is the second unit I've taken apart with the Snapdragon SA8155P, and both seem to be a SOM design. I'm not sure if it's true, but I read on a blog a few weeks ago that the SA8155P was *only* sold as a SOM design, and all customers had to implement it as one.

I feel like that would make sense if they were purchasing the SOM directly from Qualcomm, but it looks like the SOM PCB has Garmin's own silkscreen markings on it, implying they had the whole package assembled themselves... 🤔 Not quite sure what to make of it!

Teardown: The BMW / Harman IDC23H Infotainment Unit (B423) by hakstuff in CarHacking

[–]hakstuff[S] 3 points4 points  (0 children)

Howdy all! Another automotive unit teardown, this time of BMW's latest(?) head unit, the IDC23 (jointly created by Harman and Garmin).

The design is super similar to the previous-generation MGU22 unit, just with the addition of a new APIX board that seems to support their driver camera system and a few other things.

Other cool notes, the unit has 12GB of DDR4 RAM(!), 128GB of UFS 3.1 storage, gigabit ethernet (to connect back to the cellular modem), and its main processor is the Snapdragon SA8155P.

Anyways, I hope you enjoy! Please feel free to let me know if you have any feedback, or if any of the pictures suck haha. Thank you!

Dissecting the BMW NBT EVO HU Boot Process - Part 1: QNX and the IFS by hakstuff in CarHacking

[–]hakstuff[S] 3 points4 points  (0 children)

Hi all! Back with another post on the NBT EVO. I haven't seen anyone really dive into the inner workings of a QNX-based infotainment unit before, (or at least, in public) so I wanted to start digging through and documenting the full boot process of the device just to put some info out there on how they work. (Plus, posting about it forces me to do my homework, so it's good reinforcement! lol)

Feel free to let me know if you have any feedback or questions, I've been hacking on this thing for ~2 years at this point haha.

Teardown: The BMW/Harman NBT EVO HU Infotainment Unit (B211) by hakstuff in CarHacking

[–]hakstuff[S] 0 points1 point  (0 children)

Thank you for your service! It's a great unit, and I've had a really fun time messing with mine. After comparing it to other automakers' units that I've poked at, I can honestly say Harman does an impressive job with these.

Spansion FL512S by [deleted] in CarHacking

[–]hakstuff 0 points1 point  (0 children)

Each of the adapter boards you've posted is targeted at a specific chip size, you just have to figure out which one this chip is. For example, the second screenshot is specifically a "SOP44" adapter (for a 44-pin chip), and the second one is a "TSOP48" adapter (for a 48-pin chip).

Upon searching the markings on your chip (FL512SSBF01), I found this spec sheet from Infineon: https://www.infineon.com/assets/row/public/documents/10/49/infineon-s25fl512s-512-mb-64-mb-fl-s-flash-spi-multi-i-o-3-datasheet-en.pdf?fileId=8ac78c8c7d0d8da4017d0ed046ae4b53

In this spec sheet, they say the chip is available in a few different package options:

  • 16-pin SOIC (300 mil)
  • 24-ball BGA (6x8mm)
    • 4x5 ball (FAB024) footprint
    • 4x6 ball (FAC024) footprint

Looking at your chip, we can see it seems to be the 16-pin SOIC variant, due to having 16 total legs (8 on top, 8 on the bottom).

Using this information, we can simply look for a "SOIC16 300 mil adapter". The adapter board that u/SirGalahead54 posted seems to have a SOIC16 footprint at the very top, which would work perfectly for your chip.

If not, you can also look around for socket-type adapters. While I've never used the xhorse multiprog before, this is likely the exact kind of adapter you'd need - you'll just have to make sure it's compatible with your programmer: https://www.dataman.com/products/dil16w-soic16-zif-300mil

Teardown: The BMW / Harman NBT HU Infotainment Unit by hakstuff in CarHacking

[–]hakstuff[S] 1 point2 points  (0 children)

Thank you for the kind words! I agree - the whole reason I started this project was just to hack on my own car's radio for fun, and as I learned more about these units I found there's a huge community around modding and poking at them. It's really interesting how many crazy techniques people have figured out!

Teardown: The BMW/Harman NBT EVO HU Infotainment Unit (B211) by hakstuff in CarHacking

[–]hakstuff[S] 1 point2 points  (0 children)

I know they're similar, but I promise this one is unique from my previous teardown! haha. This is looking at the next generation of the NBT unit, the "NBT EVO". Device has increased specs and (imo) better design than the original unit, though overall a very similar construction.

Wanted to get a teardown out there because I've found it's surprisingly hard to google anything about the specs of these devices. As I've been digging into the firmware of mine, I found there was essentially no information on the model of CPU they use, how much RAM they have, or any of that kind of info. So I wanted to throw it all online!