Show HN: Control your Hyundai car with Python

github.com

98 points by synchronizing 4 years ago · 59 comments

jdmoreira 4 years ago

I worked for a modern car rental company where you just need to download an app to drive a car. The tech was super interesting, there are vendors that sell a box with both gsm and ble interfaces and the cars are fitted with these.

You can send messages through ble or their cloud api / gsm. The app needed to first acquire a token to successfully establish a ble connection.

I'm not saying you can't buffer overflow through ble messages but at least the authentication was solid.

  • dubswithus 4 years ago

    Zipcar? Or do they use Bluetooth?

    • grepfru_it 4 years ago

      Zipcar was hilariously easy to bypass/override with physical access. I had access to a local Volvo for almost 3 years until I stopped checking. I never drove the car because of gps and the proliferation of cameras, but I would store random things in the trunk when I was passing by the area

    • jdmoreira 4 years ago

      No, not Zipcar

synchronizing (OP) 4 years ago

I built this for a cron script that queries my car's odometer and then queries CarFax to log my car's price over time on YNAB[1], but it has many uses.

Been thinking - lately - to perhaps also use this package with Google Home, but haven't gotten around to it. Might come in handy for fellow Hyundai owners.

[1] https://www.youneedabudget.com

anshumankmr 4 years ago

Thank god we have normal cars as I have never understood the appeal of a smart car since everything a smart car can do can be done with a halfway decent smartphone.

* by smart car, I am not talking about self driving cars, I am talking about the gimmick of running some Android and iOS apps on one's car

  • mdp2021 4 years ago

    > Thank god we have normal cars

    A disconnected car is a requirement by any parameter of sanity given considerations of security including privacy, within a basic right of rejection of absurdity: but for how long will the "privilege" of avoiding lunacy be granted?

    In Europe already one has to have law-mandated (in terms of shipment) hardware modules removed (the "e-call"). For how long will non-connected cars be available on the market? It is even possible that some rogue legislating body will decide that some connected feature should be mandated...

    • the_biot 4 years ago

      The tragedy is that while it's no doubt possible to remove (or disable) all that tracking junk you don't want from your car, we're still carrying around phones that more often than not are full of tracking crap. And they're even extra useful in cars, since the car's navigation and entertainment systems tend to be crap compared to what phones have.

      • mdp2021 4 years ago

        You can hack and customize a "phone" minicomputer, and I believe you can still find pure cellular telephones with basic OS in case you prefer to keep telephony and personal assistant separate; I am not informed that you can do the same with cars, and I very surely do not want an internet connected door, fridge, vehicle, wife to begin with.

        The more reliable it has to be, the least possibly connected you want it.

        I am not sure it is so possible to remove or disable the «junk you don't want from your car». Already for the mentioned 'e-call', that law mandated that it has to be installed and cannot be removed by the user - only by the manufacturer. And you will very probably have to struggle to get that done ("We cannot" // "Yes you must" etc). I suppose those vehicles will have a high degree of integration - you cannot just remove pieces.

        • dzhiurgis 4 years ago

          If you do any sort of that you are instantly marking yourself as suspect

          • mdp2021 4 years ago

            First of all: why should there be any doubt that one is strictly, radically unavailable for lunacies, abuse and undignified conditions. This should be very public, because the opposite is having the abuse proliferate.

            Secondly: you may have given one State authority over some conditional monitoring, but we have not allowed any such power to any private party.

    • fragmede 4 years ago

      You're too late. You can't get a non-connected car since about 2016.

      • Nextgrid 4 years ago

        How do these cars handle network outages? It’s not too hard to cause a permanent network outage by removing/damaging the wireless interface.

      • the_biot 4 years ago

        In every country the world over? Do you have a source for that?

        • fragmede 4 years ago

          I don't follow the low end car market outside the US. It's entirely possible that developing countries still have "dumb" cars available, but due to their lack of adherence to US federal safety standards, importing one might as well be impossible for a normal consumer (aka anyone short of Jay Leno).

          As far as a cite, here's an article that claims 2006 was the tipping point, so even earlier than I remember.

          • TedDoesntTalk 4 years ago

            I have a 2017 Hyundai Santa Fe. It has a cellular radio built-in to “phone home”. It is not a high-end car.

      • mdp2021 4 years ago

        Well, then having a post-2016 car is ruled out (I am not completely sure about this piece of info though: I will check, there may be exceptions, e.g. vans).

        The issue will be about being able to use pre-2016 cars until civilization re-emerges.

        • rad_gruchalski 4 years ago

          They will price those cars out by putting very high taxes on gasoline. If synthetics ever catch up, maybe that's the only way to go forward. Right now, synthetics are like €8/€9 per liter (*) to manufacture, not sure if it's possible to buy them.

          (*) According to overheard info from Toyota presenting the technology at the N24 race.

      • anshumankmr 4 years ago

        It isn't necessarily the case everywhere.

  • aaronbrethorst 4 years ago

    Built in navigation in cars is garbage. So is the built in music app. Letting me play what’s on my iPhone is leaps and bounds better than what a car manufacturer can give me.

  • kyriakos 4 years ago

    I use Android Auto all the time. Having Google Maps on the car's dashboard is very useful.

    • GenerocUsername 4 years ago

      Still requires manufacturers to implement correctly which I found my 2022 Subaru Android auto is locked in landscape so it's essentially half-screen... No way to fix

      • kyriakos 4 years ago

        I think that's generally an issue with android auto corrected in the latest version. Essentially android auto has a fixed aspect ratio so only part of the screen real estate is used unless it fits exactly. Latest version is supposed to allow fluid layout.

minedwiz 4 years ago

Suddenly feeling glad that I park my car in a garage with no mobile reception.

icy 4 years ago

Can someone ELI5 how this works? I understand it's sending requests to some API on some server, but what I don't get is how the car receives these commands. What does the entire end-to-end network look like?

  • Nextgrid 4 years ago

    The same way your typical shitty IoT device works. There’s an internet-connected module that receives messages from the cloud and then emits the equivalent messages onto the CAN bus or some other bus connected to the BCM or whatever you want to control remotely.

  • jdmoreira 4 years ago

    A lot of new cars are sold with a gsm module that you don't control

badrabbit 4 years ago

If you get phished or something, can attackers use this to turn off the car while driving? Or something less harmful like keep it on while you're at work and drain gas.

  • V__ 4 years ago

    Maybe. There was a vulnerability [1] with BlueLink and that could have been an attack vector, but the article mentions:

    > The attack can’t be done at scale, because the local network that the vehicle owner is using would have to be infiltrated by the attacker.

    Wikipedia says BlueLink uses Bluetooth [2]. So I'm not sure what connection is actually used, but if it's Bluetooth/local wifi and there are no further security bugs, then it would be unlikely that someone else could connect to the car in the first place.

    [1] https://www.tomshardware.com/news/hyundai-blue-link-vulnerab...

    [2] https://en.wikipedia.org/wiki/Hyundai_Blue_Link

    • synchronizing (OP) 4 years ago

      I can't speak on older BlueLink cars (article is from 2017), but my 2021 Elantra has GSM built-in and the commands are sent/received through the web - no bluetooth at all.

      • V__ 4 years ago

        That sucks. Do you know if there is an option to limit it to wifi?

        • synchronizing (OP) 4 years ago

          I've gone through every configuration menu the car has and I've personally never seen the option to modify that.

    • badrabbit 4 years ago

      Makes sense. I thought it was done over the internet when I saw login().

srvmshr 4 years ago

It reminds me of the slightly funny incident when my brother's boss got stuck midway on the road to his destination, because his Fisker Karma was having a firmware update.

  • jacquesm 4 years ago

    I looked at a company in this space and was quite surprised they never thought to check whether the vehicle was in motion during OTA updates. So much for risk assessment...

  • mdp2021 4 years ago

    He should have sued.

aaronbrethorst 4 years ago

Anyone happen to know if Kia's UVO is based on Hyundai's Bluelink? I'd love to build a more user-friendly iOS app for controlling my Niro EV than Kia Connect :P

  • marsokod 4 years ago

    It is exactly the same. You have many modules for Home Assistant (through HACS, none is an official module yet) that will use a similar setup.

    I use it mostly to track and keep a record of my Niro status.

steve_mcdougall 4 years ago

Ooooooo what I really hate about this is that a remote API is called to do this.

It would be considerably less terrifying if this was just canbus messages.

BIG YIKES

redeux 4 years ago

Having looked into this myself recently, why would I use this project over bluelinky?

https://github.com/Hacksore/bluelinky

  • tyingq 4 years ago

    I see some differences. The python one can enumerate all cars in the account, the node.js one doesn't have that....you have to specify a VIN. Python one has figured out how to enable specific seat heaters at start, node.js one says "Not sure?", etc.

  • mrweasel 4 years ago

    Because you really want a Python API?

  • jmartin2683 4 years ago

    Because you’re using Python?

dzhiurgis 4 years ago

I haven’t studied these much but if your car doesn’t have Bluelink there are things like autopi and probably some others.

hodgesrm 4 years ago

If you had to pick a single title to summarize the Hacker News ethos, this would be it.

captainkrtek 4 years ago

This is cool (and terrifying)! :-)

  • abdouls 4 years ago

    Absolutely haha!

    I remember being excited when I could remotely control the lights on my table from school (fun little arduino/rpie + led project).

    Now we remotely control cars with REST... Indeed cool and terrifying!

lostmsu 4 years ago

To save you a click: this is not about being able to drive the car.

throw457 4 years ago

Hackernews: connected closed proprietary Tesla good. Also hackernews: connected open api Hyundai bad.

  • blowski 4 years ago

    Hackernews: A community made up of many people with a wide variety of opinions.

    • throw457 4 years ago

      Nah… if you are not lucky enough to be in a discussion early it’s just one side of the hivemind jerking it and the other side stfu because no one wants to get downvote abused :)

      • blowski 4 years ago

        Typically, when people get downvoted, the downvotes are for the tone of the comment - ad hominem attacks, extremist conspiracy theories with lack of supporting data, unwilling to see different perspectives. But the downvoted then blame this mystical "hivemind" as the cause of their downvotes, rather than try to improve their style of engagement.

        • the_only_law 4 years ago

          Tbf, I agree with you that a lot of downvote whining is a lazy attempt to save a bad argument, but regarding this:

          > Typically, when people get downvoted, the downvotes are for the tone of the comment - ad hominem attacks

          Downvotes and their purpose have come up a few times, and generally the consensus seems to be that downvote=disagree is 100% legitimate, citing some quote by PG. And if you go to certain threads (highly political ones), it's not uncommon to see some of the more reasonable comments greyed out if they even remotely challenge the zeitgeist of the current thread inhabitants.

          This also works the other way around. You can be a complete dick and violate half the guidelines and end up highly upvoted if enough people agree with you. I know because it's happened to me.

klogvl 4 years ago

Blinkenlights with Python! I wonder when we'll see "Crash your Tesla with Python". So far, Musk seems to disallow the untyped language based on modifiable nested dictionaries and weird name spaces.
