We break Android. Russification of Chinese cars

Previously, I was engaged in servicing Tesla electric vehicles, and in my free time I developed my startup with robots. I tried my best to popularize Tesla, here are a couple of articles on how to fix it yourself. Working at the Tesla service center was fun and exciting. Over the course of my career, I have become a local expert in servicing these innovative vehicles.

We carried out regular maintenance, diagnostics and repairs on the vehicles to ensure they were running in perfect working order. This included checking electrical systems, batteries, electronics and other critical components. One of the special aspects of the work was updating the software of Tesla electric vehicles. Tesla regularly released updates that included new features and improvements, which made me happy as a user, but saddened me as a developer, closing all the holes.

Working in servicing Tesla electric vehicles gave me the opportunity to immerse myself in the world of the latest technologies and the advanced electric vehicle industry. I am sure that my experience with Tesla electric vehicles has given me valuable knowledge and skills that I can use in the future.

Tesla was the sole leader in innovative solutions in the auto industry, but this could not last forever.

The reality of car imports in the Russian Federation and the car boom in China

The vector of changes in external factors influencing the structure of imports in the Russian Federation and the vector of the boom in the development of the auto industry in China have come together at just the right time. According to various sources, up to 90% of new cars are imported into our country from the Middle Kingdom this year.

I was lucky enough to get acquainted with Chinese cars before it became a trend, and without hesitation, I sold all my Teslas. And it happened when I had the whole SEXY series from St. Ilona.

Android on Chinese cars

In Tesla, all the software is proprietary, there are binaries inside and you can’t really get around to it. Yes, I changed the configuration to make the car faster, generated maps for navigation. Activated full FSD autopilot. But it is impossible to significantly change the appearance of the software or add applications/functions.

In Chinese cars everything is completely different. Media systems run on Android. This provides enormous opportunities for customization. When I started doing this, I couldn’t find structured information, but it’s understandable. They are trying to close all known holes. First I Russified my Chinese car Zeekr, then a friend asked me. As a result, I started working in the Provolta team.

Hardware hacking tools

I’ll tell you about a set of tools that can make your way easier if you’re planning to customize Android. I don’t claim that my methods are the only ones, it’s just my way. First of all, I unsolder the memory and read all the partitions. At the same time, calling all the points for further work without desoldering.

What partitions are physically in Android memory?

There is a post on Habré about sections. The Android disk contains various partitions that include both system and user data. Below are some of the main partitions that you can find on an Android disk, although from machine to machine, or rather depending on the media unit, the partitions will vary:

1. System Partition: This partition contains the Android operating system, including all the main files and settings. Important components such as the operating system kernel, system applications, libraries, and settings are located here.

2. Data Partition: This partition stores user data, including installed applications, user settings, contacts, messages, media files and other personal information. This section also contains cache files and temporary files created by applications during their operation.

3. Cache Partition: This partition stores temporary files and application cache data. Cache files are used to access applications faster and save temporary data. Periodically clearing this partition can help free up disk space and improve device performance.

4. Recovery Partition: This partition contains important files and tools to recover your Android system in case of problems or crashes. The recovery partition allows you to install official operating system updates or reset the device to factory settings.

5. Boot Partition: This partition contains the Android operating system bootloader, which is responsible for the process of booting the device and starting the operating system. Files for system recovery and updating are also stored here.

It is important to note that the structure and names of sections may vary slightly depending on the device manufacturer and version of the Android operating system. The above sections are the main ones and are present on most Android devices.

MITM attack and access via internal network

Modern cars use the standard 1000BASE-T1 (802.3bp). Using the appropriate media converter and replacing the corresponding address in the car subnet, you can gain access to internal components, including ADB.

The OBD standard also includes LAN. The usual 100 Mbit and there is a lot of interesting things there. Using nmap we find the IP on the network. Next are the open ports. Using sniffers and Wireshark we read and analyze packets.

Hacking Software Tools

Once you have received the complete eMMC image, you can begin development. A little about how booting occurs on a Qualcomm processor: The built-in Qualcomm ROM bootloader (pbl – primary bootloader) loads the sbl1 (secondary bootloader) partition. sbl1 loads tz (trust zone), then aboot (android boot, little kernel, lk). Aboot in turn loads boot, recovery or fota.

If we want to change the system, but at the same time for everything to load, we need to remove the integrity check and signature verification; for this we need to patch boot. This can be done manually, but there is a tool called magisk.

Magisk is a powerful tool for managing root access on Android devices. It offers the user the ability to gain root privileges on their Android device and control various aspects of the system without changing core files and partitions. Magisk is especially popular among Android enthusiasts who want to customize and enhance their devices.

Instead of simply providing full access to system files like traditional root access does, Magisk is designed to bypass security checks associated with online banking apps and other apps that may not work on rooted devices due to security concerns.

Magisk also allows users to install modules, which are additional features and modifications to the device. These can be modules for theming, improving performance, customizing the user interface, and much more. Users can download and install modules from the Magisk Manager repository, which is included in the Magisk tool.

We load the modified boot, check the download and begin to change the system to suit ourselves. Custom ROMs that offer deeper and broader Android customization. Custom ROMs not only change the appearance of the device, but also add additional functions and settings that may not be in the official firmware.

There is a good post about how to use apktool and how to directly translate applications; I don’t see the point in repeating it.

FOTA

The next step towards mastery is to conquer FOTA – firmware over the air. As a rule, all firmware comes from the server with a signature and size to verify integrity. The problem is that we cannot get the private signature from the system.

Public signature is a cryptographic mechanism that is used for authentication and data integrity verification. When creating a public signature, a pair of cryptographic keys is used: a private key and a public key. The private key is secret and is stored only by the owner of the key, while the public key is distributed publicly. Signing data with a private key creates a digital signature, which can then be verified using the corresponding public key. If the signature verification is successful, it provides confidence that the data has not been changed and that the signature was made by the owner of the private key.

A private signature is, in contrast to a public signature, an authorization and authentication mechanism that uses a private key to create the signature rather than a public key. A private signature is used in systems or protocols where it is important to verify the authorship and identity of the sender, but does not require recipients to be able to verify the signature. An example would be a system in which the sender creates a private signature to prove that a certain message was created or processed by him, but does not necessarily provide a public key for verification.

We can modify the OTA packet check once, replace the server address with our own, and the machine will receive all further updates from our server.

For modification:

-Connect the machine to the Network with Wireshark configured;

-Find which IP machine to knock on to receive updates;

-In the dump we find through HEX the given address and the package that requests updates;

-We decompile the code and modify it, putting it back together.

Difficulty finding information on a topic

There is little information on this topic on the Internet. Zero-day vulnerabilities are especially valued, but even the basic principles and tools of security are not discussed, let’s fix that.

You can use various tools to extract APK (Android application packages) files. Here are some popular tools for extracting APK:

1. APKTool: APKTool is a command line tool that allows you to extract and build APK files. It allows you to analyze and modify resources, manifests, classes and other components of the APK. APKTool supports decompilation and recompilation of APK files.

2. JADX: JADX is a tool for decompiling and analyzing Android application code. It has the ability to extract Java source code from APK files, allowing users to view, analyze, and debug application source code and resources.

3. Androguard: Androguard is a powerful tool for analyzing Android applications. It can be used to extract and analyze APK files, extracting information about classes, methods, resources and other application components. Androguard also has static analysis capabilities and search for application vulnerabilities.

4. APK Editor Studio is a GUI for APKTool. It simplifies the process of extracting and recompiling APK files by providing an intuitive and user-friendly user interface to perform these operations. Apktool Studio also provides some additional features such as automatic APKTool updates and Git integration.

Apart from the tools listed above, there are other tools and programs that you can use to extract and analyze APK files depending on your needs and preferences.

Instead of output

If you are developing in this direction or planning and you are interested in real tasks write meI can provide hardware for testing or help with advice, I do this not only out of pure natural altruism, but also because it’s easier to study together.

Thank you for your attention. Vyacheslav Golitsyn, Provolta employee.