UConnect Disable Cell Modem


Author: David Zimmer
Date: 06.21.19 - 5:53am



So the UConnect infotainment unit in my car has a built in cell modem.

I find this creepy. The vendor includes this feature for several reasons:
  • OTA - over the air updates for the unit itself (and maybe CAN device reflashing?)
  • UConnect Access subscription service which includes:
    • remote vehicle start
    • remote lock or unlock
    • locate your vehicle in a crowded parking lot
    • vehicle health report
    • driver rating
    • SOS (911) and assist buttons on rear view to dial out for help
The driver rating feature is worth including a clip from the company webpage:

"Drive Rating is a usage-based insurance program that provides eligible connected vehicle owners with an opportunity to receive feedback on their driving habits and possible car insurance discounts based on specific driving criteria. If enrolled, your driving data, such as speed, hard braking, fast acceleration and GPS coordinates are collected for 90 days."

Soo bottom line is we dont have control over our car anymore. It can be remotely controlled, located, tracked, taken (repo), and mined for diagnostic data and/or profile your driving by design.

Furthermore the cell modem will be making connections all the time to cell towers leaving a map of everywhere you drive in the cell phone tower logs similar to your cell phone, except you can not control it.

Finally, an embedded computer system in your car, with 0 tools to monitor it, which can take in remote data from the internet, and is hooked to your cars vital systems and include access to a microphone is always on in a private space where you have frank conversations with friends and family.

What could go wrong?

I find this a ridiculous feature set and nothing that I want to be a part of. I rely on this machine to operate safely without the chance of being manipulated remotely.

I do not accept having tools for spying, monitoring, remote vulnerabilities and location tracking features being built into my car. That is not what I paid for at all.

Now dont get me wrong, no one cares about me, but things like this being forced on the masses who are blind to its side effects is unacceptable and it will be abused.

Job boards for reverse engineers are full of posts looking for people who work embedded security and develop exploits for systems just like this. These car units are prime targets. Why is an iPhone exploit worth $100,000 ? because it gives select people access to your intimate details and thus power over you and your life.

This has bothered me for my last 3 vehicles, so finally I took the plunge and went inside the head unit and removed the modem.

If you are a journalist, judge, lawyer, senator, CEO limiting your exposure to un-detectable and un-auditable intrusion is just a fact of modern life. Essentially anyone who holds sensitive information which could be profited off of or who could be vulnerable to leverage should be thinking about these things these days.

See video below on how to remove the cell modem built into your car





The chip these use it is a Qualcomm 4G Sierra Wireless AirPrime card

Carrier: AT&T
Model: AR7552, hardware integration guide
MFG PN: 1103493
CUSTOMER PN: N5HZZ0000195
IC: 2417C-AR7552
FCC ID: N7NAR7552








If you are interested in privacy the following links will also be of interest:

Unfortunately in our current environment we have no reason to trust. Expectation of privacy has been severely eroded and in truth is almost non-existent.

"Anything viewable in public has no expectation of privacy" has been whimsically extended to justify blanked recording, and profiling of..well everyone. How is it not stalking to build an intimate map of everywhere a person goes and to know all kinds of things about them.

I havent even mentioned web tracking yet which in truth is the most intimate of them all.




Comments: (14)

On 09.26.19 - 6:49am Dave wrote:
I kind of bet the manufacturer keeps all of these cell modems paid and active for their own telematics and remote update capabilities. It would be freaking poetic to interface with these modems from your own microcontroller and have free cell service for all of your projects. )

On 12.23.19 - 9:04am Dave wrote:
So the Sierra Wireless card uses the Qualcomm MDM9615 chip same as used in the iPhone. I have not been able to find any hardware spec sheets on it yet. A youtube user has reported that cars with NAV lose GPS capabilities with the modem unplugged. This makes sense as the GPS chip looks to be embedded in the modem. Some research on these modems has been done. Check out page 25 of this pdf https//fahrplan.events.ccc.de/congress/2016/Fahrplan/system/event_attachments/attachments/000/003/151/original/Dissecting_modern_283G_4G29_cellular_modems.pdf

On 01.13.20 - 7:12pm Allen wrote:
I am very encouraged to find out that yanking the cell modem out of a youconnekt system is possible. Thank you sincerely for putting this information out there. Protecting your data these days is mindblowingly complicated. all I would like is decency, privacy, and control over the hardware I own. just wish more people shared the same sentiment. Million thanks again. This is very useful.

On 12.07.20 - 2:12am William Shaw wrote:
I have a 2019 Dodge Scatpack and receive emails from the dealer where I bought it, Nashville TN telling me how many miles are on my vehicle and when my next oil change is due, if my tire pressure is low. I paid cash for my vehicle and hate the fact they know my car is in my garage 100 miles away from Nashville! Do you know a easy way I can disable the tracking of my vehicle other that what you did I am not as savvy as you? Thanks

On 12.07.20 - 2:13am Dave wrote:
dzzie dzzie 6 minutes ago Wow that’s super intrusive ! I am kinda glad they did that though to reveal that it’s actually being used to spy on people and raise awareness. Unfortunately unplugging the antennas was not enough. I had to physically unplug the modem. If you show this video to a local stereo shop I am sure they can do it. If not just have them remove the head unit for you and bring a pc repair guy who could remove the modem. It sucks it has come to this! And this setup could be used for way more to screw us. I would not be surprised if govt used these cell modem records to track people or if they weren’t able to turn the on star microphone on remotely to listen fir high value targets. We are essentially treated like cattle by our rulers these days.

On 12.07.20 - 2:16am Dave wrote:
One of the youtube viewers found the manual for the airprime ar7558 modem

On 12.17.20 - 7:49pm Dustin wrote:
Does anyone know if all the Uconnect 8.4 systems have this cell modem in the same location? We want to upgrade to a newer Ram 3500 but are RF sensitive and can’t drive a vehicle that is constantly or intermittently transmitting.

On 02.05.21 - 3:54pm mikeSk wrote:
Great job on this. I want to disable the 4G on the 2021 Jeep I just bought. Wouldnt it have been just as effective to remove the other end of the cellular antenna, assuming its accessible? I would assume its on the roof. I dont relish the thought of digging into a brand-new dashboard on a $50k vehicle. I am starting a writeup of my experience here

On 03.17.21 - 2:43pm Dave wrote:
Cars transmit location on a near real time basis and the data is sold to data brokers who want to use it for military intel.

Ulysses can provide our clients with the ability to remotely geolocate vehicles in nearly every country except for North Korea and Cuba on a near real time basis

Currently, we can access over 15 billion vehicle locations

Aggregator companies also purchase or obtain this data, repackage it, and then sell that data

vehicle location data is transmitted on a constant and near real time basis while the vehicle is operating

Ulysses has "existing access to bulk commercial telematics data."

We believe that this one attribute will dramatically enhance military intelligence and operational capabilities

Who the fuck ever thought this would even be a little bit ok? Data transmitted on a near constant real time basis... worse than even I suspected...

On 04.01.21 - 9:25am Jim wrote:
Do you know if the GPS still worked? Or did removing the cell modem just remove the tracking and 4g?

On 04.01.21 - 12:50pm Dave wrote:
I believe users reported that they have to use their phone with Apple car play or android auto for gps now. I don’t have built in gps but phone integration still works fine. Built in maps get out of date and dealer won’t update so I ditched built in

On 05.31.21 - 1:17pm Amauri wrote:
Thanks for this info. Im also bothered by the fact that I have no choice about this intrusion into my privacy, and after searching all over the web I found this page. I have a 2018 Ram 2500 and was able to easily remove the cell modem from my UConnect 8.4 All original functions still work perfectly including XM Sirius and Android Auto. I realize that Google tracks my where abouts, but at least I have the option of turning off my phone. Thanks and best regards

On 10.03.21 - 6:32pm Alfred wrote:
This GPS is embedded into the dash of the 7 inch vehicles. At least on 2021 model vehicles of Jeep line. This is a non-gps optioned vehicle as well. No reason to have gps embedded. I did not find an LTE module though. I am sure there may be one but have not located it yet. https//www.u-blox.com/en/product/ubx-m8030-series Ill let you know how the removal process goes. Contact me and I will share pictures.

On 10.18.21 - 10:44am Avarice wrote:
I removed the chip from a 2019 scat pack charger and it worked extremely well. The modules extremely easy to separate from the head unit within. Once you remove the six bolts or screws rather from the rear of the head unit it then just separates as each circuit board just unplug from one another. extremely easy job to do.

 
Leave Comment:
Name:
Email: (not shown)
Message: (Required)
Math Question: 5 + 54 = ? followed by the letter: Q 



Twitter
RSS
About Me
More Blogs
Main Site
Posts: (year)
2021 (4)
     VB6 Hijacking
     rtcTypeName
     VB6 Gosub
     VB App object
2020 (8)
     AutoIT versions
     IDA JScript 2
     Using VB6 Obj files from C
     Vb6 PCode Internals
     Vb6 Runtime ForLoop Disasm
     VB6 Pcode - For Loops
     Yara Corrupt Imports
     Yara Undefined values
2019 (12)
     Yara WorkBench
     SafeArrayGetVartype
     vbdec dbg updates
     vb6 PCode NOP
     vb6 API and call backs
     how pcode works Pt1
     PrintFile
     ImpAdCallNonVirt
     Reversing PCode Args
     VB6 PCode Disassembly
     VB6 PCode Debugger
     UConnect Disable Cell Modem
2017 (5)
     IDA python over IPC
     dns wildcard blocking
     64bit IDA Plugins
     anterior lines
     misc news/updates
2016 (4)
     KANAL Mod
     Decoders again
     CDO.Message Breakpoints
     SysAnalyzer Updates
2015 (6)
     SysAnalyzer and Site Updates
     crazy decoder
     ida js w/dbg
     flash patching #2
     JS Graphing
     packet reassembly
2014 (5)
     Delphi IDA Plugin
     scdbg IDA integration
     API Hash Database
     Winmerge plugin
     IDACompare Updates
2013 (9)
     Guest Post @ hexblog
     TCP Stream Reassembly
     SysAnalyzer Updates
     Apilogger Video
     Shellcode2Exe trainer
     scdbg updates
     IDA Javascript w/IDE
     Rop Analysis II
     scdbg vrs ROP
2012 (13)
     flash patching
     x64 Hooks
     micro hook
     jmp api+5 *2
     SysAnalyzer Updates
     InjDll runtime config
     C# Asm/Dsm Library
     Shellcode Hook Detection
     Updates II
     findDll
     Java Hacking
     Windows 8
     Win7 x64
2011 (19)
     Graphing ideas
     .Net Hacking
     Old iDefense Releases
     BootLoaders
     hll shellcode
     ActionScript Tips
     -patch fu
     scdbg ordinal lookup
     scdbg -api mode
     Peb Module Lists
     scdbg vrs Process Injection
     GetProcAddress Scanner
     scdbg fopen mode
     scdbg findsc mode
     scdbg MemMonitor
     demo shellcodes
     scdbg download
     api hashs redux
     Api hash gen
2010 (11)
     Retro XSS Chat Codes
     Exe as DLL
     Olly Plugins
     Debugging Explorer
     Attach to hidden process
     JS Refactoring
     Asm and Shellcode in CSharp
     Fancy Return Address
     PDF Stream Dumper
     Malcode Call API by Hash
     WinDbg Cheat Sheet
2009 (1)
     GPG Automation