Hyundai IVI system firmware turned out to be authenticated with the key from the OpenSSL manual

The owner of a Hyundai Ioniq SEL has published a series of articles on how he managed to update the firmware used in the infotainment system (IVI) based on the D-Audio2V operating system used in Hyundai and Kia vehicles. It turned out that all the data needed for decryption and verification is publicly available on the Internet, and only a few Google searches were needed to find it.

The firmware update offered by the manufacturer for the IVI system was delivered in a password-encrypted zip file, and the firmware contents themselves were encrypted with the AES-CBC algorithm and digitally signed with RSA keys. The password for the zip archive and the AES key for decrypting the updateboot.img image were found in the linux_envsetup.sh script, which was openly included in the system_package package of open components of the D-Audio2V OS distributed on the website of the IVI system manufacturer.

However, to modify the firmware, the private key used for the digital signature was still missing. Notably, the Google search engine helped to find the RSA key. The researcher searched for the previously found AES key and discovered that it is not unique and is mentioned in the NIST document SP800-38A. Reasoning that the RSA key had been borrowed in a similar way, the researcher found the public key in the code accompanying the firmware and searched for it in Google. The query showed that this public key is mentioned in an example from the OpenSSL tutorial, which also lists the private key.
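
A release-gate check for the key reuse described above, as an added example that is not code from the researcher's articles or from the vendor: it flags hex constants in a source or script file that equal the example AES keys printed in NIST SP 800-38A (Appendix F). The sample file content and its variable names are constructed for illustration.

```python
import re

# Example keys printed in NIST SP 800-38A, Appendix F (public test vectors).
KNOWN_PUBLIC_KEYS = {
    "2b7e151628aed2a6abf7158809cf4f3c":
        "NIST SP 800-38A AES-128 example key",
    "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b":
        "NIST SP 800-38A AES-192 example key",
    "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4":
        "NIST SP 800-38A AES-256 example key",
}

# 16 or more hex bytes, written contiguously (2b7e...), as a C array
# (0x2b, 0x7e, ...), or colon/space separated (2b:7e:...), possibly multi-line.
HEX_RUN = re.compile(r"(?:(?:0[xX])?[0-9a-fA-F]{2}[\s,:]*){16,}")


def normalize(run):
    """Strip 0x prefixes and separators, leaving lowercase contiguous hex."""
    return re.sub(r"0[xX]|[\s,:]", "", run).lower()


def scan(text):
    """Return (line_number, label) for every published key found in text."""
    findings = []
    for match in HEX_RUN.finditer(text):
        candidate = normalize(match.group(0))
        for key, label in KNOWN_PUBLIC_KEYS.items():
            if key in candidate:  # substring: also catches key||iv blobs
                line = text.count("\n", 0, match.start()) + 1
                findings.append((line, label))
    return findings


# Constructed sample resembling a build environment script and a C source file.
SAMPLE = """\
# constructed sample, not taken from any real firmware package
export UPDATE_AES_KEY=2B7E151628AED2A6ABF7158809CF4F3C
static const unsigned char image_key[] = {
  0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
  0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7, 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4 };
export OTHER_KEY=9f1c4e7a2b8d3f60517ac2e4b6d8f0a1
"""

if __name__ == "__main__":
    for line, label in scan(SAMPLE):
        print(f"line {line}: {label}")
```

The same denylist approach extends to asymmetric keys by comparing fingerprints of embedded public keys against keys published in documentation and tutorials.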

Having obtained the necessary keys, the researcher was able to make changes to the firmware and add a backdoor that allows remote connection to the command shell of the IVI device's system environment, as well as integrate additional applications into the firmware.

Source: opennet.ru
