At long last, a true jailbreak technique for John Deere tractors exists. On Saturday, a hacker known as Sick Codes took the stage at the DefCon hacking conference in Las Vegas and broke into a John Deere tractor console. The first order of business? Running a farmer-themed version of Doom.
While running Doom is cool in a “for the memes” sort of way, Sick Codes’ hacking of John Deere systems represents a milestone in the “right to repair” race. Right-to-repair is the concept that owners and independent repair professionals should have access to everything needed to fix a piece of equipment, such as a mobile phone, a tractor, or a car. If you’re a car enthusiast, you should be interested in right-to-repair as it’s a principle that offers you the choice of an independent specialist over a dealer, and allows you to fix your own vehicles. Ongoing efforts are being made to turn right to repair into law, and I really hope they succeed.
So that’s right-to-repair in a nutshell, but you may be wondering what tractors have to do with cars. Well, embedded systems are present on just about every new car, and the nature of end-user license agreements means that you don’t actually own the embedded systems in your modern car. Preposterous, right? The same thing that’s happening to John Deere owners could eventually happen to car owners, which seems absolutely insane. If you own a car, you should own 100 percent of it, no matter what BMW thinks. Because John Deere holds that its customers don’t own 100 percent of their tractors and merely license John Deere’s embedded software, the company has previously severely restricted who can repair John Deere products, to the point of costing farmers days of downtime while waiting for authorized repair professionals. So what justification does John Deere have for restricting access to repair tools? Well, John Deere made a statement to the Des Moines Register in March that doesn’t seem to hold up to scrutiny.
But the company added that it “does not support the right to modify embedded software due to risks associated with the safe operation of the equipment, emissions compliance and engine performance.” The company said less than 2% of required repairs involve those components.
That’s an incredibly small number of repairs involving emissions and safety equipment, and it’s important to note that these are genuine repairs. Farmers are looking to fix their tractors and restore factory functionality, but they don’t have full access to repair tools like diagnostic equipment. Sick Codes’ jailbreak attempts to correct that.
There is one caveat to getting into John Deere tractors: Wired reports that Sick Codes’ method requires modifying the touchscreen console’s circuit board. However, a bench procedure might not be the end of the world depending on where customers are located. Tractors used for agricultural purposes in climates that experience four full seasons may see enough idle time in the winter to justify a few days of downtime. In addition, farmers far from John Deere dealerships could justify the modification’s downtime based on how long it would take to simply get a tractor to and from a servicing center.
However, once the exploit is installed, farmers can pull up a terminal and gain access to what Wired reports to be more than 1.5 GB of logs. If you’ve ever had your car tuned remotely or attempted more advanced diagnostics on a modern car, you’ll know how valuable data logs are. Everything from fuel trims to ambient air temperature can be saved and analyzed, perfect for picking up unusual issues and narrowing down culprits from a simple code scan. In addition, this isn’t just some sort of diagnostics mode. Sick Codes’ method allows root access to the console. Speaking with Wired, Sick Codes seems to feel that this exploit is one that could actually last.
He’s unsure how comprehensively the company can patch the flaws without implementing full disk encryption, an addition that would mean a significant system overhaul in new tractor designs and likely wouldn’t be deployed in existing equipment.
Here’s to hoping that this method won’t be patched out soon, especially since it was time-consuming to develop. Sick Codes told Wired that the process took months of trial and error using multiple John Deere consoles. Sick Codes focused on the popular 2630 and 4240 display models, found in a wide variety of John Deere tractors. It’s worth noting that these consoles can be seriously pricey, with used 2630 systems clocking in around the $10,000 mark.
Sick Codes has jailbroken a John Deere, and this is just the beginning. Turns out our entire food system is built on outdated, unpatched Linux and Windows CE hardware with LTE modems. pic.twitter.com/OLDBckluxr
— Kyle Wiens (@kwiens) August 14, 2022
Kyle Wiens, CEO of iFixit, was at DefCon and reports that John Deere’s systems run on a hideous mash of unpatched Linux and Windows CE hardware. Shitty Windows CE implementations aren’t exactly uncommon – the first generation of BMW’s iDrive used Windows CE – but they have all the security of the average Master Lock. Windows CE as an operating system reached end-of-life in 2018, meaning that years have passed without official support on the OS. Without regular updates, end-of-life operating systems rely on the same philosophy of security through obscurity as any cheap padlock, and things can only remain obscure for so long.
Tech journalist, author, and activist Cory Doctorow was also at DefCon and reports not only that John Deere misuses open source software contrary to license agreements, but also some shocking issues with John Deere’s information security.
Sickcodes discovered all kinds of security worst-practices in John Deere’s security – even in the parts of its security that were intended to secure the company’s profits from its own customers’ best interests. For example, at one point Sickcodes put the control unit into maintenance mode by repeatedly rebooting it, so that it refused to allow him to do anything until he brought it to a dealer. He discovered that all it took to convince the computer that he was a dealer was to create an empty text file on its hard-drive whose filename was something like “IAmADealer.txt” (I didn’t write down the exact filename, alas, but that’s not far off!).
Pretty absurd, though unsurprising given that John Deere has been staunchly anti-right-to-repair, parading around what seems like monopolistic greed under a thin paper mask of “security.” Politico reports that John Deere has gone so far as to restrict access to emissions system diagnostics, prompting a suit that claimed John Deere was in violation of the Clean Air Act. Restricting repair access only hurts farmers, which in turn hurts the public, as downtime can affect food supply. John Deere is slowly making some tools available, albeit not in a way that anyone can actually own. According to John Deere, access to technical manuals is on a license basis, which brings up concerning questions of down-the-road support.
I’m glad to see hackers sticking it to the man by offering solutions to make vehicle owners’ lives easier, even if these solutions aren’t necessarily the most law-abiding things out there. Would Sick Codes’ method of getting into a John Deere console violate the end-user license agreement? Most likely, but legality doesn’t always equal morality.
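The dealer check Cory Doctorow describes above, where an empty file on disk was enough to convince the console it was at a dealer, is an authorization decision based on nothing but file presence. As an added example (not John Deere's code and not from Sick Codes' talk), here is that pattern beside a check that requires an unexpired token bound to the unit's serial number; the file names, token format, key and serials are all hypothetical.

```python
import hashlib
import hmac
import os
import tempfile
import time

# Hypothetical names: the real marker filename is not given in the article,
# and the key and serial numbers below are constructed for this example.
MARKER, TOKEN = "dealer_mode.txt", "dealer_token.txt"

def weak_is_dealer(root):
    # Flawed pattern: anyone who can create a file on the disk is a "dealer".
    return os.path.exists(os.path.join(root, MARKER))

def issue_token(key, serial, expires):
    # Issuer side: bind the grant to one unit and an expiry time.
    msg = f"{serial}|{expires}".encode()
    return f"{serial}|{expires}|{hmac.new(key, msg, hashlib.sha256).hexdigest()}"

def strong_is_dealer(root, key, serial, now=None):
    # Device side: accept only an unexpired token issued for this serial.
    now = time.time() if now is None else now
    try:
        with open(os.path.join(root, TOKEN), encoding="ascii") as fh:
            tok_serial, expires, tag = fh.read().strip().split("|")
        expires = int(expires)
    except (OSError, ValueError):
        return False  # a missing, empty or malformed file grants nothing
    expected = hmac.new(key, f"{tok_serial}|{expires}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time tag comparison, then the binding and lifetime checks.
    return (hmac.compare_digest(tag, expected)
            and tok_serial == serial and expires > now)

def demo():
    # HMAC keeps this example inside the standard library; a device without
    # protected key storage should verify a public-key signature instead.
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as root:
        def check(token_text, now=1000):
            with open(os.path.join(root, TOKEN), "w", encoding="ascii") as fh:
                fh.write(token_text)
            return strong_is_dealer(root, key, "SN-0001", now)
        open(os.path.join(root, MARKER), "w").close()  # the empty marker file
        return (weak_is_dealer(root),                          # marker present
                check(""),                                     # empty token file
                check(issue_token(key, "SN-0002", 2000)),      # other unit's token
                check(issue_token(key, "SN-0001", 2000)),      # valid token
                check(issue_token(key, "SN-0001", 2000), 3000))  # expired token
```

`demo()` returns one boolean per case: the marker file alone satisfies the weak check, while the stronger check rejects an empty file, another unit's token and an expired token.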