Vulnerabilities in the bootloader made it possible to bypass the trust chain and get root access
Spotify discontinued its “Car Thing” accessory – a touchscreen control panel for playing Spotify content in the car – a few months ago. Although the device did get some extra features like hands-free calling before it was discontinued, Car Thing won’t be of much use over time, as the operating system is very limited. While we criticize planned obsolescence practices, we must commend the group of developers who have now been able to root the Spotify Car Thing and open up more possibilities for aftermarket development.
Together with security researcher Frédéric Basse, Nolen Johnson (also known as XDA-recognized developer npjohnson) has created the Car Thing Chain of Trust bypass. Under the hood, the little Spotify gadget is powered by the weak Amlogic S905D2 SoC, which turns out to be an excellent attack vector due to its inherent USB burning mode. Basse and Johnson have both exploited Amlogic-based hardware before, so bypassing Car Thing's boot security measures through loopholes left by the SoC maker became somewhat trivial for the two developers.
To achieve this feat, the researchers had to open the outer casing, revealing a handful of mounting points intended for patching or repair. Then, they combined some smart Amlogic USB mode commands and a modified USB connection parameter to end up with persistent ADB (root) access. Fortunately, rooting the device yourself is relatively easy, as the developers have turned everything into a set of easy-to-use scripts. All you need is a Car Thing without any USB password, a USB cable, a computer running Linux with the libusb-dev package installed, and the scripts to unlock superuser privileges.
Whether the effort is worth it is ultimately up to you, but the potential modding opportunities may be worth exploring if you have an old Spotify Car Thing lying around and want to make some modifications. Notably, the device (codenamed “superbird”) comes with around 500MB of RAM, which means that porting any modern version of Android would be a very difficult task.
You can find a full summary of the root guide, along with installation instructions and download links, in Nolen Johnson's write-up linked below.
Source: Nolen Johnson