DH.J
🗺️

💻 Research

How to HKMC Gen5W Firmware Decryption?

How to HKMC Gen5W Firmware Decryption?

Donghyeon Jeong··105 min read

Overview

Last year, a tool was released that allowed users to extract HKMC(Hyundai KIA Motors Group) Gen5W firmware. (@galaxy4public)

https://github.com/galaxy4public/hkmcavn-tools

This tool is made to work with the firmware of Head Unit products designed by LGE.

Available Target

- (AU) 2022-23 Sportage

- (AU) 2021-23 IONIQ5

- …

Download Navigation Updater

- https://oem-setup.map-care.com/update_program_download/nau_client/crossplatform/install/NavigationUpdaterInstaller_011.exe

image

Settings for Navigation Updater

By selecting the Hyundai or KIA brand from the main screen and entering a non-member login, you can view the settings screen below.

Settings for Navigation updater

Go back to the screen and select the type of car and the year that you would like to download.

[Figure 3] Settings for Vehicle Model

Select OK on the previous screen to advance to the next screen, where you can specify the path to download the firmware file.

This path can be set by you and can be any path that identify your location.

[Figure 4] Settings for Download Location

Once the path is selected, a /Nau directory is created and the selected firmware is downloaded into the directory.

The download time is approximately 1-3 minutes, but may vary depending on the network speed in your country.

[Figure 5] Downloading Firmware

Identifying firmware

When the firmware download is complete, a directory called Nau will be created in the path you specify, and within that directory will be a subdirectory

image
[Figure 6, 7] Downloaded Firmware

To verify that this firmware is encrypted, we used the binwalk tool and specified the file HU/firmware/update.tar.gz

The binwalk tool allows you to try entropy analysis and file system extraction, and the entropy analysis shows that it has a high entropy. so we can assume that this file is encrypted or compressed in some way.

Also, since it cannot be extracted normally via file system extraction, we know that the downloaded firmware file is encrypted.

[Figure 8] update.tar.gz
[Figure 9] Analysis File Entropy

Decryption & Extraction

This chapter targets the HKMC vehicle head unit developed by LGE. It uses the hkmcavn-tools decryption tool.

Code Analysis #1

Decryption functions are called in this order

perform_test → update_progress → read_in_chunks → process_block


metadata = perform_test(file)   # this extracts and populates IV
	if isinstance(metadata, int) and metadata != 0:
	    print(f'\r{file} is either unencrypted or damaged (use -v -t to see the details)')
	    return
file_size = metadata['size']
iv = bytes.fromhex(metadata['iv'])
param = ''

Code Analysis #2

python

# update_progress()
"""
This function was presumably created to simply check the current progress.
"""

def update_progress(file, size, block):
    count = 0
    while size > count * block:
        count += 1
        percent = (count * block * 100) / size
        # out block is bigger than actual data read
        percent = min(percent, 100.0)
        print_v(f'\r{file} .. {percent:3.0f}%', end='')
        yield percent
    yield 100   # this assures that we never run out of data for the progress

Code Analysis #3

python

# read_in_chunks()
"""
Reads and returns a chunk of the specified file object, chunk_size (default: 4*1024).
"""

def read_in_chunks(file_object, chunk_size=4*1024, limit = -1):
    """Lazy function (generator) to read a file piece by piece.
    Default chunk size: 1MB."""
    ptr = 0
    while True:
        data = file_object.read(chunk_size)
        if not data:
            #print(f'end of file, read {ptr} chunks of {chunk_size} with limit set to {limit}')
            break
        ptr = ptr + 1
        if limit > 0 and len(data) > limit - (ptr-1)*chunk_size:
            #print_v('processing truncated block')
            #print(f'read {ptr-1} chunks of {chunk_size} + {len(data)} with limit set to {limit}')
            #print(f'giving out {limit - (ptr-1)*chunk_size}')
            yield data[:limit - (ptr-1)*chunk_size]
            break
        yield data

Code Analysis #4

python

# process_block()
"""
Here we write the decrypted firmware file to the specified path using the process_block() function.
"""

1: file_out.write(process_block(mode, block, cipher, param))

2: def process_block(mode, block, cipher, param):
    return mode(block, cipher, param)

Decrypted Firmware

After unpacking the linux file system image, called mango_rootfs we can see the structure of the Linux file system(ext4), which shows that the decryption of the firmware has gone well.

You should now be able to do a reverse engineering analysis of the decrypted firmware.

[Figure 10] Decrypted HKMC Firmware

References

- https://github.com/galaxy4public/hkmcavn-tools

  • Automotive
  • Tools