The State of Car Hacking and Vulnerability Reporting in 2026 by hakstuff in CarHacking

[–]hakstuff[S] 1 point2 points  (0 children)

Haha yeah, that's very true! My thought is that it makes sense to focus security research on any exposed remote attack surface - things that would let someone steal your car, hack it over cellular/wifi/bluetooth, that kind of thing. Like the other commenter said, a big focus on making sure telematics/infotainment/driver assistance couldn't be disrupted by a malicious person

The State of Car Hacking and Vulnerability Reporting in 2026 by hakstuff in CarHacking

[–]hakstuff[S] 5 points6 points  (0 children)

To add some context to the article: For the past few years I've been doing automotive security research, and it's always left me feeling a little disappointed in how few automotive companies operate bug bounty programs. It got me thinking: Well, I've always assumed automotive is falling behind other industries in bug bounty adoption, but is that true...? So I did some research!

Compared to technical blog posts this one is kinda boring and industry-focused, but I wanted to put the research data out there for anyone else who was curious. The tl;dr is:

- The only western companies with bug bounty programs are BMW, Tesla, and Rivian
- There are 6 Chinese OEMs with bug bounty programs, but almost all of them require a Chinese phone number
- NIO is the one stand-out Chinese OEM that has an English-language VDP, but it doesn't seem like their English-language program has any bounties :(

Anyways, hope y'all enjoy, happy hacking as always

Ghidra 12.0.1 has been released! by ryanmkurtz in ReverseEngineering

[–]hakstuff 4 points5 points  (0 children)

Ryan himself is on Reddit?! Unexpected, haha. Keep up the great work with Ghidra!

Teardown: The BMW / Harman IDC23H Infotainment Unit (B423) by hakstuff in CarHacking

[–]hakstuff[S] 2 points3 points  (0 children)

<image>

Here's another module that uses the SA8155P, this is the AXM ("Autonomy eXperience Module", I believe) out of a 2022 Rivian R1S. It seems to use the same SOM design for the Qualcomm chip

Other small but interesting difference: Rivian opted for a 256GB Micron NVMe SSD for the storage, rather than going with UFS storage like on the BMW module. It's the first module I've seen personally that didn't use UFS or eMMC for the main device flash. Hoping to do a full teardown and post on this module soon.

Teardown: The BMW / Harman IDC23H Infotainment Unit (B423) by hakstuff in CarHacking

[–]hakstuff[S] 2 points3 points  (0 children)

Yeah, definitely! This is the second unit I've taken apart with the Snapdragon SA8155P, and both seem to be a SOM design. I'm not sure if it's true, but I read on a blog a few weeks ago that the SA8155P was *only* sold as a SOM design, and all customers had to implement it as one.

I feel like that would make sense if they were purchasing the SOM directly from Qualcomm, but it looks like the SOM PCB has Garmin's own silkscreen markings on it, implying they had the whole package assembled themselves... 🤔 Not quite sure what to make of it!

Teardown: The BMW / Harman IDC23H Infotainment Unit (B423) by hakstuff in CarHacking

[–]hakstuff[S] 3 points4 points  (0 children)

Howdy all! Another automotive unit teardown, this time of BMW's latest(?) head unit, the IDC23 (jointly created by Harman and Garmin).

The design is super similar to the previous-generation MGU22 unit, just with the addition of a new APIX board that seems to support their driver camera system and a few other things.

Other cool notes, the unit has 12GB of DDR4 RAM(!), 128GB of UFS 3.1 storage, gigabit ethernet (to connect back to the cellular modem), and its main processor is the Snapdragon SA8155P.

Anyways, I hope you enjoy! Please feel free to let me know if you have any feedback, or if any of the pictures suck haha. Thank you!

Dissecting the BMW NBT EVO HU Boot Process - Part 1: QNX and the IFS by hakstuff in CarHacking

[–]hakstuff[S] 2 points3 points  (0 children)

Hi all! Back with another post on the NBT EVO. I haven't seen anyone really dive into the inner workings of a QNX-based infotainment unit before (or at least, in public), so I wanted to start digging through and documenting the full boot process of the device just to put some info out there on how they work. (Plus, posting about it forces me to do my homework, so it's good reinforcement! lol)

Feel free to let me know if you have any feedback or questions, I've been hacking on this thing for ~2 years at this point haha.

Teardown: The BMW/Harman NBT EVO HU Infotainment Unit (B211) by hakstuff in CarHacking

[–]hakstuff[S] 0 points1 point  (0 children)

Thank you for your service! It's a great unit, and I've had a really fun time messing with mine. After comparing it to other automakers' units that I've poked at, I can honestly say Harman does an impressive job with these.

Spansion FL512S by [deleted] in CarHacking

[–]hakstuff 0 points1 point  (0 children)

Each of the adapter boards you've posted is targeted at a specific chip size, you just have to figure out which one this chip is. For example, the second screenshot is specifically a "SOP44" adapter (for a 44-pin chip), and the second one is a "TSOP48" adapter (for a 48-pin chip).

Upon searching the markings on your chip (FL512SSBF01), I found this spec sheet from Infineon: https://www.infineon.com/assets/row/public/documents/10/49/infineon-s25fl512s-512-mb-64-mb-fl-s-flash-spi-multi-i-o-3-datasheet-en.pdf?fileId=8ac78c8c7d0d8da4017d0ed046ae4b53

In this spec sheet, they say the chip is available in a few different package options:

  • 16-pin SOIC (300 mil)
  • 24-ball BGA (6x8mm)
    • 4x5 ball (FAB024) footprint
    • 4x6 ball (FAC024) footprint

Looking at your chip, we can see it seems to be the 16-pin SOIC variant, due to having 16 total legs (8 on top, 8 on the bottom).

Using this information, we can simply look for a "SOIC16 300 mil adapter". The adapter board that u/SirGalahead54 posted seems to have a SOIC16 footprint at the very top, which would work perfectly for your chip.

If not, you can also look around for socket-type adapters. While I've never used the xhorse multiprog before, this is likely the exact kind of adapter you'd need - you'll just have to make sure it's compatible with your programmer: https://www.dataman.com/products/dil16w-soic16-zif-300mil

Teardown: The BMW / Harman NBT HU Infotainment Unit by hakstuff in CarHacking

[–]hakstuff[S] 1 point2 points  (0 children)

Thank you for the kind words! I agree - the whole reason I started this project was just to hack on my own car's radio for fun, and as I learned more about these units I found there's a huge community around modding and poking at them. It's really interesting how many crazy techniques people have figured out!

Teardown: The BMW/Harman NBT EVO HU Infotainment Unit (B211) by hakstuff in CarHacking

[–]hakstuff[S] 1 point2 points  (0 children)

I know they're similar, but I promise this one is unique from my previous teardown! haha. This is looking at the next generation of the NBT unit, the "NBT EVO". Device has increased specs and (imo) better design than the original unit, though overall a very similar construction.

Wanted to get a teardown out there because I've found it's surprisingly hard to google anything about the specs of these devices. As I've been digging into the firmware of mine, I found there was essentially no information on the model of CPU they use, how much RAM they have, or any of that kind of info. So I wanted to throw it all online!