A simple script on the flash drive enables the SSH server.Īfter some poking, discovered the script designed to mount USB storage devices had a potential flaw in it. With full access to the system, the search for exploits could begin.
To make things a little easier, the boot scripts were then modified so the system would start up an SSH server accessible over a USB Ethernet adapter. From there, was able to change the kernel parameters in the bootloader to spawn an interactive shell. The first step was to locate the board’s serial port and connect it to the computer. The early stages of the process will look familiar to anyone who’s messed with embedded Linux hacking. Starting with getting a spare Linux-powered head unit out of a crashed Xterra to experiment with, the write-up takes the reader through each discovery and privilege escalation that ultimately leads to the development of a non-invasive hack that doesn’t require the user to pull their whole dashboard apart to run. Now for those of us who are a more interested in how this whole process works, was kind of enough to provide a very detailed account of how the exploit was discovered.
If you want to play along at home, all you have to do is write the provided image to a USB flash drive and insert it.
For the impatient Nissan owners who may be joining us from Google, a hacker by the name of has figured out how to get a root shell on the Bosch LCN2kai head unit of their 2015 Xterra, and it looks like the process should be the same for other vehicles in the Nissan family such as the Rogue, Sentra, Altima, and Frontier.