Navigation DVD hacking

March 27th, 2009

My car has a built-in navigation system with a couple of really annoying nanny features. It wants me to read an inane legal disclaimer and hit “I Agree” on the touch screen every time the car starts, and it won’t let me select new destinations, or dial a phone number, while driving. This is obviously not what customers want; it’s what car manufacturers put in to avoid being sued, and I dislike it.

So I thought I’d look into it, and see if it can be hacked in some way or another. I didn’t succeed, unfortunately, and it’s not really worth spending a huge amount of time on, but I thought I’d at least document what I did find out.

The DVD has a regular ISO9660 filesystem on it. On the file system are a bunch of .KWI files, and a directory called IDX. KWI stands for KIWI, an open standard that describes the format of map media for car navigation systems. The standard is managed by a consortium called Kiwi-W, originally made up of Japanese car manufacturers but which now has a wider membership. The standard describing the KIWI file format(s) can be found here.

A couple of things to note:

  • The map, routing and POI data on the DVD is not encrypted. You can just run strings on the files and watch place names and such fly by.
  • The firmware for the navigation system is also on the DVD, in the LOADING.KWI file.

Every KWI file on the DVD has its own binary format; other than a set of defined data types, they don’t really have much structure in common. The names are standard, however. Since we’re looking for the code that implements the nanny features, the LOADING.KWI file is what we need: that’s where all the code is. It’s essentially a container format, much like a ZIP file. It contains a series of modules with some metadata thrown in. I’ve written a tool (see below) to view or extract the modules from a LOADING.KWI file. This is what’s in my DVD’s LOADING.KWI file:

number of systems found: 1
System 1
    Manufacturer ID: 0f 56 a3 00 3c 3c 8a 00 07 00 01 66
    Number of modules in this system: 5
    Module 1:
	Name: V206
	Version: 100J
	Category: Program
	Valid from: 2006-07-17
	Address: 0x800
	Size: 15.2 MB

    Module 2:
	Name: V214
	Version: 100K
	Category: Program
	Valid from: 2006-07-17
	Address: 0xF3F000
	Size: 15.7 MB

    Module 3:
	Name: V308
	Version: 100E
	Category: Program
	Valid from: 2006-06-09
	Address: 0x1EE9000
	Size: 20.5 MB

    Module 4:
	Name: V309
	Version: 100E
	Category: Program
	Valid from: 2006-06-09
	Address: 0x336D000
	Size: 20.4 MB

    Module 5:
	Name: V312
	Version: 100E
	Category: Program
	Valid from: 2006-06-08
	Address: 0x47DC800
	Size: 18.9 MB

The manufacturer ID shown consists of a number of fields that describe the location, in latitude and longitude, of the navigation DVD manufacturer’s HQ. The ninth byte shown, 07, means they’re on the 7th floor of the building at that location. You can’t make this stuff up.

Anyway, if we look at a hexdump of the start of the first module, called V206, this is what we see:

00000000   2E 4C 44 52  0D 0A 56 32  30 36 31 30  30 4A 0D 0A  .LDR..V206100J..
00000010   4A 75 6C 20  31 34 20 32  30 30 36 00  00 00 0D 0A  Jul 14 2006.....
00000020   32 30 3A 33  35 3A 31 37  00 00 00 00  00 00 0D 0A  20:35:17........
00000030   41 49 53 49  4E 20 41 57  20 63 6F 2E  4C 54 44 00  AISIN AW co.LTD.
00000040   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................

So this is some kind of header, and Aisin AW Co Ltd. is clearly the bunch on the 7th floor that made this navigation DVD. They’re also a leading member of the Kiwi-W consortium. The modules contain other interesting stuff: there are icons in there, in regular BMP format. I extracted some (you can find them by looking for the letters BM — 42 4d in hex — in the modules). They were icons I’ve seen on the navigation display.
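Here is a small Python script, added as an example and not part of the kiwi tool, that reads the header fields visible in that dump and carves BMP icons out of a module with a few sanity checks on the BMP file header rather than just grepping for BM. The header layout it assumes (CRLF-separated, NUL-padded text fields, with the first four characters of the second field being the module name and the rest the version, as the tool output above suggests) is inferred from the dump, not taken from the KIWI spec. The module it runs on is constructed: the 64 header bytes from the dump, some filler, a decoy BM that fails validation, and one tiny icon.

```python
"""
Read the '.LDR' text header of a LOADING.KWI program module and carve embedded
BMP icons.  Added example, not the kiwi tool.  Header layout (CRLF-separated,
NUL-padded fields; "V206100J" split 4+4 into name and version) is inferred
from the dump and the tool output, not from the KIWI spec.
"""
import struct


def parse_ldr_header(blob, max_len=256):
    """Return the text fields of a module header that starts with '.LDR'."""
    if not blob.startswith(b".LDR\r\n"):
        raise ValueError("not an .LDR module header")
    # The fields are followed by NUL bytes: stop at the first all-zero
    # 16-byte row (the fifth row of the dump).
    end = min(len(blob), max_len)
    for off in range(0, end, 16):
        if blob[off:off + 16] == b"\0" * 16:
            end = off
            break
    fields = [f.strip(b"\0").decode("ascii", "replace")
              for f in blob[:end].split(b"\r\n")]
    fields = [f for f in fields if f]
    if len(fields) < 5:
        raise ValueError("truncated .LDR header: %r" % fields)
    magic, name_ver, build_date, build_time, vendor = fields[:5]
    return {"magic": magic, "name": name_ver[:4], "version": name_ver[4:],
            "build_date": build_date, "build_time": build_time, "vendor": vendor}


BMP_FILE_HEADER = struct.Struct("<2sIHHI")   # "BM", file size, reserved x2, pixel offset
DIB_HEADER_SIZES = {12, 40, 52, 56, 64, 108, 124}


def bmp_at(blob, off):
    """Validate a BMP file header at `off`; return its metadata or None.
    "BM" also turns up in code and text, so require a known DIB header size,
    zero reserved words and declared sizes that fit inside the blob."""
    if off + 26 > len(blob):
        return None
    sig, size, res1, res2, pix_off = BMP_FILE_HEADER.unpack_from(blob, off)
    dib_size, = struct.unpack_from("<I", blob, off + 14)
    if sig != b"BM" or res1 or res2 or dib_size not in DIB_HEADER_SIZES:
        return None
    if size < 14 + dib_size or off + size > len(blob):
        return None
    if not (14 + dib_size <= pix_off < size):
        return None
    if dib_size == 12:      # BITMAPCOREHEADER: 16-bit width/height
        width, height = struct.unpack_from("<HH", blob, off + 18)
    else:                   # BITMAPINFOHEADER and later: 32-bit, negative height = top-down
        width, height = struct.unpack_from("<ii", blob, off + 18)
    if width <= 0 or height == 0 or width > 4096 or abs(height) > 4096:
        return None
    return {"offset": off, "size": size, "width": width,
            "height": abs(height), "dib_size": dib_size}


def carve_bmps(blob):
    """Every plausible BMP in the blob, non-overlapping, in file order."""
    found, pos = [], blob.find(b"BM")
    while pos != -1:
        info = bmp_at(blob, pos)
        if info:
            found.append(info)
            pos = blob.find(b"BM", pos + info["size"])
        else:
            pos = blob.find(b"BM", pos + 1)
    return found


def extract_bmps(blob):
    """Raw bytes of each carved BMP, ready to be written out as .bmp files."""
    return [blob[i["offset"]:i["offset"] + i["size"]] for i in carve_bmps(blob)]


def make_bmp(width, height, bgr):
    """Build a minimal 24-bit BMP; used only to construct the sample below."""
    row = (width * 3 + 3) & ~3                    # rows are padded to 4 bytes
    pixels = (bytes(bgr) * width + b"\0" * (row - width * 3)) * height
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                       len(pixels), 2835, 2835, 0, 0)
    hdr = BMP_FILE_HEADER.pack(b"BM", 14 + len(info) + len(pixels), 0, 0, 14 + len(info))
    return hdr + info + pixels


# Constructed sample module (not real firmware): the 64 header bytes from the
# dump above, filler, a decoy "BM" that fails validation, and one 2x2 icon.
LDR_HEADER = (b".LDR\r\nV206100J\r\n"
              b"Jul 14 2006\0\0\0\r\n"
              b"20:35:17\0\0\0\0\0\0\r\n"
              b"AISIN AW co.LTD\0")
SAMPLE_ICON = make_bmp(2, 2, (0x40, 0x80, 0xC0))
DECOY = b"BM" + b"\xff" * 24
SAMPLE_MODULE = (LDR_HEADER + b"\0" * 16 + b"\x90" * 100
                 + DECOY + b"\0" * 20 + SAMPLE_ICON + b"\0" * 32)
ICON_OFFSET = len(LDR_HEADER) + 16 + 100 + len(DECOY) + 20

if __name__ == "__main__":
    print(parse_ldr_header(SAMPLE_MODULE))
    for n, icon in enumerate(carve_bmps(SAMPLE_MODULE)):
        print("icon %d at 0x%X: %dx%d, %d bytes" % (n, icon["offset"],
              icon["width"], icon["height"], icon["size"]))
```

To use it on a real module, read the file extracted by the kiwi tool into `blob`, call `parse_ldr_header` on it and write each element of `extract_bmps(blob)` to its own .bmp file. The size limits in `bmp_at` are a heuristic for a car display; raise them if you are carving something else.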

Some of the code in there was apparently compiled with symbols. There is also lots of text to be found: debug output, various strings — and then there’s this:

00891070   67 61 E7 E3  6F 2E 00 00  44 72 69 76  65 20 73 61  ga..o...Drive sa
00891080   66 65 6C 79  20 61 6E 64  20 6F 62 65  79 20 74 72  fely and obey tr
00891090   61 66 66 69  63 20 72 75  6C 65 73 2E  0A 57 61 74  affic rules..Wat
008910A0   63 68 69 6E  67 20 74 68  69 73 20 73  63 72 65 65  ching this scree
008910B0   6E 20 77 68  69 6C 65 20  76 65 68 69  63 6C 65 20  n while vehicle
008910C0   69 73 0A 69  6E 20 6D 6F  74 69 6F 6E  20 63 61 6E  is.in motion can
008910D0   20 6C 65 61  64 20 74 6F  20 61 20 73  65 72 69 6F   lead to a serio
008910E0   75 73 20 61  63 63 69 64  65 6E 74 2E  0A 4D 61 6B  us accident..Mak
008910F0   65 20 73 65  6C 65 63 74  69 6F 6E 73  20 6F 6E 6C  e selections onl
00891100   79 20 77 68  69 6C 65 20  73 74 6F 70  70 65 64 2E  y while stopped.

That’s the disclaimer, all right. The “I Agree” bit is there as well. So the recipe for finding the code that puts up the button and waits for the user to hit it is: note down where in the file that string is, look for code that references that location, and NOP the check out.

Alas, it’s not that simple in this case: the module itself is clearly in some format I don’t know. It may well be an executable format, like ELF, or it may be a container format containing several executables and a bunch of icons. I’m not even sure what CPU the navigation system uses, so randomly looking for references isn’t going to do much good.
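Without a known load address you can still get somewhere, provided the code uses absolute 32-bit pointers: every pointer to a string is the (unknown) base plus that string’s file offset, so the base that makes the most distinct strings resolve is the likely load address, and once you have it the words equal to base plus the disclaimer’s file offset (0x891078 in the dump above) are the references you want. The Python below, added here as an illustration and not part of the kiwi tool, does exactly that on a constructed module with a made-up base of 0x8C100000; it assumes the base is page aligned and tries both byte orders. The caveat: if the CPU reaches its strings PC-relative (as a lot of RISC code does) there are no absolute pointers to find, and this comes up empty.

```python
"""
Guess the load address of a module of unknown format and CPU from the strings
it contains, then list the words that reference one particular string.
Added example, not the kiwi tool.  Assumes absolute 32-bit pointers and a
page-aligned load base; PC-relative code leaves no absolute pointers to find.
"""
import re
import struct
from collections import defaultdict


def find_strings(blob, min_len=6):
    """{offset: bytes} of NUL-terminated printable ASCII runs (what `strings` prints)."""
    pat = re.compile(rb"[\x20-\x7e\n]{%d,}\x00" % min_len)
    return {m.start(): m.group()[:-1] for m in pat.finditer(blob)}


def candidate_bases(blob, string_offsets, endian="<", align=0x1000, stride=4):
    """For every candidate base, count how many distinct known strings some
    32-bit word in the blob would point at if the module were loaded there.
    A base aligned to `align` can only make word value v point at string s
    when v and s agree in their low bits, so index strings by those bits
    instead of trying every (word, string) pair."""
    mask = align - 1
    by_low = defaultdict(list)
    for s in string_offsets:
        by_low[s & mask].append(s)
    referenced = defaultdict(set)          # base -> set of string offsets hit
    fmt = endian + "I"
    for off in range(0, len(blob) - 3, stride):
        v, = struct.unpack_from(fmt, blob, off)
        for s in by_low.get(v & mask, ()):
            if v >= s:
                referenced[v - s].add(s)
    return {base: len(strs) for base, strs in referenced.items()}


def best_base(blob, string_offsets, align=0x1000, stride=4):
    """Try both byte orders; return (base, endian, distinct strings referenced)."""
    best = (None, None, 0)
    for endian in ("<", ">"):
        for base, n in candidate_bases(blob, string_offsets, endian, align, stride).items():
            if n > best[2]:
                best = (base, endian, n)
    return best


def find_references(blob, target_offset, base, endian, stride=4):
    """File offsets of 32-bit words equal to base + target_offset."""
    want = struct.pack(endian + "I", base + target_offset)
    return [off for off in range(0, len(blob) - 3, stride) if blob[off:off + 4] == want]


# --- constructed sample module (not real firmware) ---------------------------
SAMPLE_BASE = 0x8C100000       # hypothetical, page-aligned load address
STRING_REGION, CODE_REGION = 0x100, 0x400
SAMPLE_STRINGS = [b"Drive safely and obey traffic rules.", b"I Agree",
                  b"Route calculation failed.", b"Destination set.",
                  b"Reading map data..."]


def build_sample():
    """Returns (blob, {string: file offset}).  The code region holds little-endian
    absolute pointers to four strings, two noise words, a pointer to a non-string
    address and one big-endian pointer as a wrong-byte-order decoy."""
    blob = bytearray(0x500)
    offsets, pos = {}, STRING_REGION
    for s in SAMPLE_STRINGS:
        offsets[s] = pos
        blob[pos:pos + len(s) + 1] = s + b"\0"
        pos += len(s) + 1

    def ptr(s):
        return SAMPLE_BASE + offsets[s]

    words = [ptr(SAMPLE_STRINGS[0]), 0x12345678, ptr(SAMPLE_STRINGS[1]),
             0xDEADBEEF, ptr(SAMPLE_STRINGS[2]), ptr(SAMPLE_STRINGS[0]),
             0x00000000, ptr(SAMPLE_STRINGS[4]), SAMPLE_BASE + 0x2000]
    struct.pack_into("<%dI" % len(words), blob, CODE_REGION, *words)
    struct.pack_into(">I", blob, CODE_REGION + 4 * len(words), ptr(SAMPLE_STRINGS[3]))
    return bytes(blob), offsets


SAMPLE_MODULE, SAMPLE_OFFSETS = build_sample()


def locate_disclaimer_refs(blob=SAMPLE_MODULE, needle=b"Drive safely"):
    """The recipe from the post: find the string, then the words pointing at it."""
    strings = find_strings(blob)
    base, endian, n = best_base(blob, strings)
    target = next(off for off, s in strings.items() if s.startswith(needle))
    return base, endian, n, find_references(blob, target, base, endian)


if __name__ == "__main__":
    base, endian, n, refs = locate_disclaimer_refs()
    print("base 0x%08X (%s-endian, %d strings agree), references at %s"
          % (base, "little" if endian == "<" else "big", n, [hex(r) for r in refs]))
```

On a real 15 MB module, feed `best_base` a few hundred long, distinctive strings rather than everything `find_strings` returns, and expect the winning base to be backed by dozens of strings, not a handful; a winner with two or three agreeing strings is noise. If literal pools might be unaligned, rerun with `stride=1`.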

I don’t really have any more time to spend on this, and I really don’t want to rip the navigation unit out of the car to look at what CPU is on the motherboard. If anyone has more information, let me know. The car is a Lexus IS 220d, but other Toyota/Lexus models are likely to have the same unit.

The tool I wrote to view/extract modules from the LOADING.KWI file is called “kiwi”, and can be downloaded here. You’ll need Python on your system.