Forensic analysis of a JVC KD-HDR receiver
I sought to discover what things of forensic interest can be extracted from a JVC KD-HDR50 automobile receiver. As the device has multiple inputs and a persistent storage mechanism, there should be useful data that can be obtained.
The JVC KD-HDR50 is an aftermarket model to replace stock manufacturer automobile units. It features FM/AM HD Radio, an auxiliary 1/8” audio input, Compact Disc player, and an USB 2.0 interface. The HD Radio features include a display that supports Program Service Data from participating stations. While a song is playing, the artist and song title is displayed. If you would like a copy of the song, this model has iTunes tagging. While the song is playing, press the “Tag” button on the faceplate, and PSD for the song is saved onto some sort of persistent storage mechanism. The PSD can be saved for up to 60 songs (Instructions, 2008). The next time an iPod or iPhone is connected, the PSD tags are transferred to the device. From the device, they will be transferred the next time a sync is performed via iTunes for later purchase through the iTunes Store. The USB port supports many types of iPods, iPhones, digital audio players, flash drives, and portable hard drives. Limitations are such that the FAT (32/16/12) family of file systems must be used; other formats are not supported (Instructions, 2008). Optional modules are available that enable Bluetooth, Sirius and XM Satellite radio, as well as a CD changer and a docking interface for iPods/iPhones (Instructions, 2008). For security purposes, it has a detachable faceplate. It also has an infrared remote control unit.
-USB 2.0 for iPods, iPhones, and digital audio players; FAT 32/16/12 formatted flash drives and hard drives
-1/8” audio cable
-Compact Disc, including Audio CDs and Data CDs with MP3 or WMA files on them
-Infrared remote control
After reviewing my options, the best hopes for success were the USB port or removing the dashboard unit from the car. Each method would require some additional preparation; I had no type of USB cable that would connect a computer to the USB port on the faceplate, and the “long handles” (also referred to as keys) to install/remove the dashboard unit were no longer in the box, as the installer had kept them. I acquired two different types of male to male USB cords, with one of them being a Windows Easy Transfer Cable. I also revisited the installer of the audio system. I explained to them the situation, and they gave me a replacement set of keys. However, since this unit is at least 4 years old, JVC has since changed the design of their keys. The technician advised me that the replacement set, JVC’s current keys, might be too short for my older model. The cables and the keys are pictured below.
On my first attempt at data acquisition, I booted up my Mac Book Pro laptop. I first tried the male to male cord. There was no response from the radio unit or the laptop. I tried both of the USB ports on the laptop, but got the same result.
Next, I tried the Easy Transfer Cable. This time, the radio responded, but eventually gave the message, “Can’t Play Device.” I got no visible output on the Mac in the finder, disk utility, or from the command line with the dmesg command. The red light on the cable did indicate there was a successful connection, however. I repeated the process of trying both USB ports on the laptop as before, but this was not successful. I also tried to see if the order of the connection made a difference, trying first to the radio, then the laptop. This made no difference.
Since the Easy Transfer Cable was designed with Windows in mind, I thought I might have better luck using boot discs on the Mac Book Pro. The next attempt was some bootable flash drives. My machine, an early 2008 model, doesn’t support booting from a flash drive, so these attempts were unfruitful.
I next tried bootable CDs and DVDs. I had some success with an Ultimate Boot CD, a boot disk containing a host of utilities and a robust set of drivers. I used the Linux-based utility Parted Magic to attempt to identify and connect to the JVC unit. I got an unusual result of a MAC address for the cable, as it showed up under network connections; I have not seen this cable perform in this manner for Windows. Ultimately, the results were the same as before: no usable connection between devices.
Next, I tried a boot disk of Kali Linux. From this point on, the Mac Book Pro refused to cooperate. The optical drive on the laptop is extremely sensitive, and it would not recognize a 64 bit DVD that worked fine on other machines. After burning another copy of the 64 bit version as well as a 32 bit version, I attempted to boot from each of the DVDs. I never got past the first screen of Kali Linux, as the Apple machine hung on the splash screen.
I tried another bootable CD called Clonezilla, an open source imaging software that runs on Linux. It also has a robust set of drivers, as it has never failed to identify a disk drive when I have used it. On the first attempt to use it, the laptop read the disk, but ejected it before booting from it. For the second attempt, the disk loaded to a certain point, then the machine crashed and completely shut down.
I tried one last boot disk: a Windows 7 Ultimate 64 bit DVD. This only resulted in a blinking cursor. At this point, I was out of options for boot disks as they kept failing.
My other option at this point was to pull the dashboard unit out. As noted previously, I had a set of incorrect keys for my particular model. Nevertheless, I made an attempt to pull the unit out of the dashboard. This consisted of inserting the handles into the left and right sides of the dashboard unit, catching them on the receiver, and then pulling outwards. After giving a good pull, the key inserted on the right hand side gave way, leaving a noticeable dent in the unit. For fear of further damaging the unit, I decided to abandon this method.
One of the issues faced was the lack of information about the device. There are no indications of what kind of memory it has, the type of operating system, internal diagrams, etc. There is nothing available online indicating any previous research for this device. Things such as jailbreaks, buffer overflows, or other software vulnerabilities do not exist.
Another difficulty faced was the limited amount of resources at my disposal. I was basically reduced to a Mac Book Pro Laptop and several USB cables to try to penetrate the USB interface. Apple is limited with its driver support in a manner such as this, and trying to work from a bootable flash drive or CD/DVD is problematic at best. I might have had better results with access to different machines or operating systems. Also, the nature of working in a car that must have the key in the ignition limits physical access to things like power outlets, desktop machines, and stable network connections.
Yet another issue was trying to remove the dashboard unit. The installation manual instructions were vague, the original set of keys was missing, the replacement ones didn’t work, and concern of damaging the usefulness of my radio kept that option to a single attempt (Installation Manual, 2008).
Although I was unsuccessful in my attempts to extract data from the car unit, there are several areas that should be pursued for further research. If one were to successfully remove the dashboard unit and disassemble it, there could be an opportunity for imaging from an interface inside the unit. There could also be the possibilities for techniques like Chip-Off or JTAG extraction. Since I do not own the Bluetooth module, this was an area I could not explore, but it is one that could prove fruitful provided the module can still be purchased. One other option is via the infrared receiver; there may be a way into the device through this input.
Victor Company of Japan, Limited. (2008.) KD-AHD59/KD-HDR50 instructions. Retrieved from: http://resources.jvc.com/Resources/00/01/14/LVT1942-001A.pdf
Victor Company of Japan, Limited. (2008.) KD-AH59/KD-HDR50 installation/connection manual. Retrieved from: http://resources.jvc.com/Resources/00/01/14/94.PDF