Your Rights Online

Right To Repair Battle Heats Up With Rooting of John Deere Equipment (wired.com)

Long-time Slashdot reader drinkypoo writes: John Deere, current and historic American producer of farming equipment, has long been maligned for their DRM-based lockdowns of said equipment which can make it impossible for farmers to perform their own service. Now a new security bypass has been discovered for some of their equipment, which has revealed that it is in general based on outdated versions of Linux and Windows CE.

Carried out by Sick Codes, the complete attack involves attaching hardware to the PCB inside a touchscreen controller, and ultimately produces a root terminal.

In the bargain and as a result, the question is being raised about JD's GPL compliance.

Sick Codes isn't sure how John Deere can eliminate this vulnerability (beyond overhauling designs to add full disk encryption to future models). But Wired also notes that "At the same time, though, vulnerabilities like the ones that Sick Codes found help farmers do what they need to do with their own equipment."

Although the first thing Sick Codes did was get the tractor running a farm-themed version of Doom.

  • by fahrbot-bot ( 874524 ) on Sunday August 14, 2022 @06:08PM (#62789624)

    Although the first thing Sick Codes did was get the tractor running a farm-themed version of Doom.

    I'm guessing the game centers around fighting bank loan-officers, giant agribusinesses like John Deere and Monsanto and, sure, bugs -- lots of bugs.

  • by wakeboarder ( 2695839 ) on Sunday August 14, 2022 @06:08PM (#62789626)
    On your tractor, then you should be able to, this is America
  • by gweihir ( 88907 ) on Sunday August 14, 2022 @06:09PM (#62789630)

    I think that calls for a burning at the stake. Them ignoring the GPL is criminal commercial copyright infringement, nothing else.

    • I think that calls for a burning at the stake. Them ignoring the GPL is criminal commercial copyright infringement, nothing else.

      Considering they could have likely used a BSD licensed OS in the affected hardware I would look at it as criminal incompetence. Deere IP Devs are clowns for missing that. Copyright infringement? That crap has been going on for a long time and the OSS just sit on their hands. Besides, is there any really exciting code to be had in there? Ooow, plays Doom. BFD. Burning is pretty harsh, maybe spill hot sauce on their ties.

      • by HiThere ( 15173 )

        The actual punishment SHOULD be a fine of several million dollars, and additionally quadruple damages awarded to the composers.

        • The actual punishment SHOULD be a fine of several million dollars, and additionally quadruple damages awarded to the composers.

          "Willard, pay the man from petty cash will you? And see if you can find out what this gee pee ell is, and whether we can assert patent rights over it".

        • by msauve ( 701917 )
          The actual punishment should be what's stated. Linux - GPL2 - a violation will "automatically terminate your rights under this License"

          That's it. You lose all rights to use the Linux kernel, now and forever.
      • "Ooow, plays Doom. BFD." It's spelled BFG.
    • by Richard_at_work ( 517087 ) on Sunday August 14, 2022 @09:43PM (#62790048)

      They include wording in the EULA which definitely complies with GPLv2, and probably complies with GPLv3 (depending on other factors) - there is a written offer for the source code in there.

      https://www.deere.com/assets/p... [deere.com]

      • by HiThere ( 15173 )

        You've got to do more than make an offer. You either need to distribute the source with the compiled code or make the source code publicly available for anyone to download. It was complex enough that I always distributed the source with the application. (I had no objection to making the source publicly available, but I didn't/don't have a web page.)

        IIRC, there's another way to satisfy the conditions, but it's not enough to just make an offer.

        • by sconeu ( 64226 )

          Noope, it's legit. See GPL v2, section 3.b

          3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

          a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

          • by HiThere ( 15173 )

            Mmm. It was probably that we didn't want to do version tracking for each specific version released for 3 years.

        • It's a common misconception that they need to make the source code freely available to anyone. They only need to make it available to those to whom they distribute the binaries and there is no obligation to post it on a public webserver instead of either hiding it behind a customer account login or having it only available upon request.

          • It's a common misconception that they need to make the source code freely available to anyone. They only need to make it available to those to whom they distribute the binaries

            Depends on how they offer the source code and the exact license it falls under.
            For GPL v2, if they distribute the source with the binaries they only have to give it to people they distributed the binaries to (section 3(a)). If they simply pass on raw unmodified binaries noncommercially they can just forward the offer from where the

      • > They include wording in the EULA which definitely complies with GPLv2, and probably complies with GPLv3 (depending on other factors) - there is a written offer for the source code in there

        A snippet from the EULA:

        If the Third Party Software contains copyrighted software that is licensed under the GPL/LGPL or other copyleft licenses, copies of those licenses are included in the Third Party Notices. You may obtain the complete corresponding source code for such Third Party Software from us for a per
      • They include wording in the EULA which definitely complies with GPLv2, and probably complies with GPLv3 (depending on other factors) - there is a written offer for the source code in there.

        https://www.deere.com/assets/p... [deere.com]

        Maybe I am a bit tired today due to a veeeery unnecessary stupid discussion with a doctor of my wife, but where do you see anything in the linked pdf that is compatible with the GPL in any version?

        "You may not reproduce, prepare derivative works, disclose, publish.... reverse engineer, decompile" and the list goes on and on. My interpretation of the GPL is a different one.

  • by OzPeter ( 195038 ) on Sunday August 14, 2022 @06:20PM (#62789662)

    Of the games they could have chosen, why aren't they playing Farmville??!?!

    ---

    Yeah, I know running Doom is a sort of rite of passage for low powered equipment.

  • "Your tractor's firmware has been updated! This patch includes: full disk encryption to protect YOU from cyberterrorism!"

    i'm kidding of course. in reality, they'll remotely disable your tractor and force you to come in to get it upgraded and re-enabled. i doubt they could just slipstream FDE into the current architecture.

  • by sphealey ( 2855 ) on Sunday August 14, 2022 @06:29PM (#62789684)

    Just a reminder that uncertified modifications to Federally-mandated emissions controls are a Federal crime, first sale doctrine or no. As several coal-rolling chippers have found to their dismay.

    • by MacMann ( 7518492 ) on Sunday August 14, 2022 @07:20PM (#62789828)

      It's these mandated controls that allowed John Deere to restrict right-to-repair in the first place. If US farmers are slowly seeing their tractors come to a stop because of a lack of parts out of China then this becomes a matter of national security. Russia exploited European emission standard to get them addicted to Russian natural gas, it is not beyond the realm of possibilities for China to make a similar move to keep the USA out of a battle over territory.

      This isn't an argument to dispense with government oversight on environmental protection. It is an argument for legislators to consider the broader implications of the laws they create. There's a balance to be found here. It's not like farmers go tinkering with a working tractor to "roll coal" at every opportunity. Don't make it a crime for a farmer just trying to keep food on their table, and food on your table.

      I agree that its a good idea to punish fools stinking up the place for the grins and giggles. Just don't cast such a wide net that it's putting farmers trying to do their jobs in handcuffs. Or allowing tractor manufacturers to lock-in farmers to giving them more money after the first sale.

      If there's a choice between seeing fewer tractor pull competitors "rolling coal", or seeing more farmers left out standing in their field with a dead tractor, then maybe the "rolling coal" option is the lesser evil here.

      • by PPH ( 736903 )

        I suspect that what farmers will do is to bypass the DEF failure limp home mode. A pump or sensor fails and the catalytic reduction system stops working. Or China cuts back on its DEF exports. EPA requires that engines shut down or switch to a "limp mode". Even though the engine will work just fine without the system.

        Oh the horrors of a tractor spewing out NO2 all over their fields instead of buying fertilizer from ADM.

        • The real irony is that the engines, when properly tuned for the use case, actually run cleaner and waste less fuel when the DEF and DPF systems are removed. The DEF and DPF systems are so restricted that you need much higher charge pipe pressures coming off the turbo just to move the same amount of air through the engine at any given RPM. More air needs more fuel (in addition to the extra fuel injected to burn the carbon out of the DPF).

          I've seen some semi trucks get 30-40% INCREASES in fuel economy wit

      • It's these mandated controls that allowed John Deere to restrict right-to-repair in the first place.

        Horseshit (or cowshit depending on the farm). That is only the excuse John Deere and car companies are using to lock down systems. Nowhere does the law require this kind of lock down nor does it overlap with the right to repair. In fact it is the *tampering* which is illegal and the manufacturers are not held liable for the tampering of their customers (see also: Coal rolling).

    • That only means that the law is crap and needs to be changed. Nothing else.

    • Just a reminder that uncertified modifications to Federally-mandated emissions controls are a Federal crime

      Yes officer. :-)

  • by MacMann ( 7518492 ) on Sunday August 14, 2022 @06:56PM (#62789770)

    Farmers in Ukraine are having difficulty getting things in and out of the country because of Putin's army breaking things. Instructions on bypassing John Deere's artificial limits for repairs will help relieve some of their supply problems going forward. It's already difficult to produce food when Russian tanks are burning down farmhouses and grain silos, then driving through the fields with their tanks and trucks once they are done killing people and breaking things. Not being able to start a tractor because the computer didn't get the right code after a repair only makes things worse.

    I recall reading somewhere that US military vehicles don't have engine electronics, or catalytic converters on the exhaust. It is clear why they do this, it simplifies the repairs. No doubt protection against EMP played into this choice of leaving out the electronics. I've seen diesel tractors pull started before because the electrical system was shot, no doubt the US military has a process written down on how to start a diesel truck in a similar manner and for a similar reason. These pull started tractors were built in the 1980s or earlier, this might not work on tractors that are overloaded with electronics.

    (By "pull start" I mean pulled by another tractor with a heavy chain to turn over the engine from the turning of the wheels. The fuel pumps are mechanical in these tractors and there's no spark plugs, diesel engines use compression ignition. At some point diesel tractors started to use electric fuel pumps more often, as did diesel cars and trucks. Not always a bad thing since electric fuel pumps can simplify repairs in their own way.)

    Before people get all upset about the US military destroying the environment by their choices of engines they need to realize that the military still has strict guidelines on fuel economy and emissions. Fuel is a precious commodity in war, they aren't going to waste it. Having your war fighters get sick from the engine exhaust would not be helping matters either. There's also enough tree huggers in the US Senate that to get funding for these military vehicles that someone is keeping an eye on what's what. The US Navy burns a lot of fuel oil in their ships, and they burn fuel far cleaner than any commercial cargo ship. The US Navy isn't using "bunker fuel", the high sulfur stuff that needs to be heated before it can be pumped into the engines, they use high grade diesel fuel. If the fit hits the shan then they can dump in crude oil straight out of the ground into the fuel tanks of these ships and keep going. Not great for the engines but it is better than sitting in port. There's no computer from John Deere stopping them. The Navy used to have more nuclear powered ships, they didn't emit any exhaust. That ended when some senators decided nuclear power was worse than global warming. Well, how's that choice looking now? I say we should revisit that decision.

    How do senators feel about farmers in the USA needing circuits made in China to keep their tractors running? Maybe they should look into this. Russia and China aren't exactly the best of friends, Russia might start killing people and breaking things in China too. Putin just might be crazy enough to do it. This is a national security issue. In another "total war" situation like World War Two there's no parts coming in from overseas. We are on our own. This doesn't mean nothing should be imported, only that if we can't import anything then we can keep the nation fed and produce enough fuel for our military.

    • by DRJlaw ( 946416 ) on Sunday August 14, 2022 @07:37PM (#62789854)

      The Navy used to have more nuclear powered ships, they didn't emit any exhaust. That ended when some senators decided nuclear power was worse than global warming. Well, how's that choice looking now? I say we should revisit that decision.

      It's looking just fine because your explanation is bullshit [wikipedia.org]. The U.S. Navy uses nuclear where there is a need for nuclear - aircraft carriers (power/speed, jet fuel storage, and up until recently steam catapults) and submarines (power/speed and submersion endurance). The U.S. Navy got rid of nuclear cruisers because they were damn expensive and there was no pressing need for them versus gas turbine powered vessels that could burn a wide range of hydrocarbon fuels if the need arose, were less expensive, and required fewer crew to operate.

      • In other words you are saying Congress decided that nuclear power was worse than global warming. Because nuclear power costs more. Was the cost savings really worth the added CO2 emissions? That's what it comes down to on choosing global warming over nuclear power.

        Nuclear power costs money, and so does most any other effort to lower CO2 emissions. Congress chose the short term cost savings of nuclear power over the long term cost additions of global warming. You want to tell me that we shouldn't spend

        • Re: (Score:2, Insightful)

          by DRJlaw ( 946416 )

          In other words you are saying Congress decided that nuclear power was worse than global warming.

          No, that's what you're saying. Incorrectly.

          The decision to retire the Virginia class and all earlier-commissioned nuclear cruisers was made in the early 1990s, when virtually nobody sitting in Congress had even spared a brain cell to think about global warming, much less decide that nuclear power was "worse than global warming."

          Congress chose the short term cost savings of nuclear power over the long term cost ad

          • The first global warming bill was introduced in 1986 by then Senator and now President Biden. I can't find the text of the bill on the Congress website because at the time posting bills online was not yet common practice. I thought I'd get a search going and see what comes up from it later. Maybe someone reading this can find it before I do.

            I did a look for alien invasion bills and found some of those going back to 1798. So, that's been an issue for much longer. Was there something specific you wanted

            • by DRJlaw ( 946416 )

              The first global warming bill was introduced in 1986 by then Senator and now President Biden. I can't find the text of the bill on the Congress website because at the time posting bills online was not yet common practice. I thought I'd get a search going and see what comes up from it later. Maybe someone reading this can find it before I do.

              That's nice, but your claim is that Congress expressly considered and traded off between nuclear power and global warming in failing to refuel the existing nuclear cruis

        • No, but I'll come out and say something: You have really poor reading comprehension.

    • by caseih ( 160668 )

      Having tractors with these monitors in them I was very confused by the article and the summary. I don't think Wired understands what the monitors do and how they are integrated. In short this won't help Ukrainian farmers fix their equipment, nor will it help the Russian thieves who stole tractors and had John Deere subsequently disable them.

    • The best way to protect nature in a war is to make sure it's a short one. No matter the exhaust of your tank, if more CO gas means the tank can end the war sooner, it's better for the environment.

      • The best way to protect nature in a war is to make sure it's a short one. No matter the exhaust of your tank, if more CO gas means the tank can end the war sooner, it's better for the environment.

        I could replace "John Deere tractor" for "tank" in that sentence and have it still make sense.

        John Deere tractors build the highways to move material quickly and efficiently to the battlefield. Concerns over the movement of materials vital to winning a war is why the original interstate highway funds came out of defense spending. There's people dying and a war dragging on if trucks carrying food rations and ammunition are stuck in the mud outside Oklahoma City. If there's another war then we are going to

        • When you go to war, hit hard, hit fast, hit decisive. Don't try to make a war "humane" by using "soft" tools. The most humane you can get in a war is to get in, throw what you have against the enemy and end it quickly.

          That's the most humane a war can get for the civilian population. Anything that makes a war an hour shorter saves lives.

    • What you call "pull start" is what any manual transmission car can do. It isn't great for the engine, clutch, or transmission, but it has gotten me going more than a time or two and it was a way of life for friends of mine in the 70s and 80s.

      • What you call "pull start" is what any manual transmission car can do.

        I doubt a modern car could do that if the engine control unit doesn't like it. That's kind of the point. John Deere is rendering hardware useless because of their software. Can't pull start a tractor if the computer won't power up the electric fuel pump. Maybe this can bypass a busted starter but it's not helpful if the problem is a computer is between you and the fuel pump, and how many other devices in the way of making the tractor run. There's likely software running anti-lock brakes in these John D

        • Ignition switch must be in 'on/running' position. Not flipped all the way over to drive the starter.

    • The "total war" scenario is something that the government needs to step in, and demand that all devices have a "master key", in some fashion, where DRM can be completely removed by a party other than the company that made it. Everything from EGR/DEF/DPF firmware to locking down tractors, even to game consoles, there needs to be a method where, in case of something happening, all these digital defunctioning can be yanked to ensure stuff can continue to run, even if links to China are completely cut off.

      Or e

  • by caseih ( 160668 ) on Sunday August 14, 2022 @07:31PM (#62789852)

    Nor am I sure how this helps us. On most of Deere's tractors the monitor is not required for the tractor to function. Certainly the engine does not rely on it. It doesn't have anything to do with the various ECMs, sensors, nor the problem with payload files. The monitor serves a few purposes. On recent tractors it does integrate all the cab functions into one display including air conditioning, the am/fm radio, and autosteer. It might include some diagnostic reporting. If you watch any youtube farmers you'll see many of them remove the John Deere monitor and GPS globe from their tractors and store them in a locked building over winter to prevent theft. The tractor itself runs just fine without the monitor plugged in.

    Years ago there was talk about using iPads as displays in John Deere tractors. Would have been a great leap forward in usability. But this was back about the time Apple was considering using ZFS in MacOS. Just like how Jobs canceled ZFS simply because Sun spilled the beans, I think Jobs may have canceled the John Deere partnership because Deere spilled the beans on the iPad idea. Other brands are now using Android to power their monitors, which would be a great idea for Deere as well. Instead we're stuck with rather old hardware.

    I can get "root" on my 2630 Greenstar displays quite easily, without any hardware hacking. I discovered years ago if I plug in a USB keyboard and mouse, if I press ALT-F4 I can close the window of the John Deere software which subsequently causes a crash and leaves me with a glorious 20 year old Windows CE interface screen complete with start menu, file browser, and command prompt. Not sure what you'd do with that, frankly. I suppose someone could hack the autosteer binary somehow. But there's no point to that. You can already add autosteer systems and monitors from any brand (for example Ag Leader) to your tractor in place of the John Deere one, and utilize the built-in hardware such as the steering valve, the activate button, steering angle sensor, and the steering wheel sensor.

    In fact some farmers are putting their own open-source AgOpenGPS steering system on tractors including John Deere.

    None of this addresses the right to repair. Wake me up when they've figured out how to replace the ECUs in Deeres (such as the armrest controller, hydraulic SCV controller) with repair-able, third-party replacements.

    • by caseih ( 160668 ) on Sunday August 14, 2022 @07:51PM (#62789868)

      In true Slashdot fashion, I read the article after posting. After reading the article, I'm very confused as to what Sick Codes thinks he is accomplishing, particularly with the 2630 monitor. Getting administrator access on the 2630 is easy like I said, but I fail to see anything useful you'd do with that. I suppose you could enable some paid features on the auto steer system, such as enabling certain kinds of paths, but there's really not much there that's not on by default. RTK is not a function of the 2630, but rather the receiver itself, and it's already possible to replace a John Deere receiver with one based on a ZED-F9P RTK receiver. The 2630 is based on 20 year old technology and OS. The 4240 is much newer but still primitive compared to the latest iPad.

      Certainly hacking the 2630 will not do anything to circumvent machinery lockouts, and I'm very skeptical hacking the 4240 would either, although it might. The Russians who stole Ukrainian tractors probably hope so.

      But not much to see here, I'm afraid. At least if someone was hoping for something useful to come out of it, in terms of right to repair.

      • by kwiens ( 604321 )
        His research was only on the 4240, which he gained root access to. Right now, that access requires hardware disassembly. Making it practical for farmers without disassembly will require additional research. What, specifically, would you like to see done to a 4240 to make it useful for farmers maintaining their equipment?
        • by caseih ( 160668 )

          Given that the issues we have are with the payload files in the ECUs, I don't see the 4240 being of much help there. But I suppose if the 4240 had a nice database of error codes in it, and give me full readouts on all the CAN messages when something does go wrong that would be useful. But I don't see how someone hacking on a 4240 does that. The diagnostic stuff is something only Deere can provide us. If a third party could do it well, we don't need to use the 4240 for that at all. A tablet plugged into

  • by hdyoung ( 5182939 ) on Sunday August 14, 2022 @08:29PM (#62789936)
    I fully support this, as long as rooting ALSO voids the warranty and fully negates company liability. When farmer jim turns himself into a pile of corncob-sized pieces because he tried to reach into the thresher mechanism without engaging all the safety lockouts, his widow and kids do NOT receive a payout and they bury him on their own dime.

    Right to repair? Yes. But that does NOT make companies liable for customer stupidity.
    • That should be a given.

      But in the end, the right to repair will eventually mean that the average garage without an adhesion contract to JD can fix your farm vehicle. Not that you'll do it yourself. You might be able to do minor stuff, but the big repairs will probably have to go to the garage anyway. Which is still fine, don't get me wrong, it's still leagues better than what we have today, but there will still be someone liable for it.

    • I fully support this, as long as rooting ALSO voids the warranty and fully negates company liability. When farmer jim turns himself into a pile of corncob-sized pieces because he tried to reach into the thresher mechanism without engaging all the safety lockouts, his widow and kids do NOT receive a payout and they bury him on their own dime. Right to repair? Yes. But that does NOT make companies liable for customer stupidity.

      Simple solution.

      https://en.wikipedia.org/wiki/... [wikipedia.org]

    • by sjames ( 1099 )

      I work on my own lawnmower every single year. Because I'm not an idiot, in spite of your general sense of gloom and doom I have never been injured worse than a bruised knuckle from a wrench slip.

      • Don't you know that millions of Americans bruise their knuckles every year? Research shows that if *you* bruise your knuckles, there is a very high probability that your children will also bruise their knuckles!

    • When farmer jim turns himself into a pile of corncob-sized pieces because he tried to reach into the thresher mechanism ...

      You have a point there. According to an economics presentation at work a few years ago, agriculture is the most dangerous industry, followed by construction. The international survey did not include military service as an industry sector. I think it might actually be safer to be a soldier than a farmer, especially when you can blow shit up using drones, from the safety of your office thousands of miles away.

      Though it might seem a bit odd that a tractor could require a computerised brain, I came across an in

    • I have seen this as one of the Four Horsemen against the right to repair:

      "People are not engineers and don't know anywhere near as much as the makers of the item."

      "People would just hurt themselves and sue."

      "IP needs to be protected by digital locks, and repairing stuff breaks those and risks IP being divulged."

      "The DMCA prevents this."

      People are not dumb, and we have the Magnuson-Moss Warranty Act for a reason. If someone disables a guard on their thresher and gets threshed, it is obvious it isn't the tra

    • as long as rooting ALSO voids the warranty

      I can get behind the customer stupidity liability piece, but no, fuck off with this concept of a warranty being void for rooting. Warranties exist to protect from manufacturing faults and the onus is on a company to prove the rooting action directly caused a failure and thus voided the warranty. Rooting itself is not a failure mechanism.

      This by the way is codified in the Magnuson–Moss Warranty Act.

      • I actually read a bit of the wiki page on that act. I didn't parse it word for word, but it seemed to completely focus on consumer protection. That's all good stuff I can get behind, but I didn't see anything about limiting company liability when customer misuses/abuses a product. If you point out the spot in that act, I'd appreciate it. My current take is that law is largely irrelevant to this discussion.

        You don't like the idea of warranty voiding when a customer roots a system? Fine by me, but that
        • I didn't see anything about limiting company liability when customer misuses/abuses a product.

          I can only speak to its application to cars, but the MMWA effect in that case is that the manufacturer can't void your warranty just because you did your own repair or modification. They have to prove that a specific repair or modification caused an issue to be able to reject fixing it under warranty, which is entirely reasonable IMHO.

          Millions of people sue Google.

          Google is no more responsible if you get infected with malware than Microsoft, Red Hat, or Apple. And they cannot void the warranty on hardware failure unless they can prove

        • but I didn't see anything about limiting company liability when customer misuses/abuses a product.

          Liability limits for companies isn't part of the warranty act, that's the only part I was commenting on, but the reality is standard waivers and T&C applied to products already limit liability to companies for unintended / modified use. You don't need new laws for that.

          8. The lawyers send Google the bill for the legal work.

          Large companies do not work like this. a) the lawyers are on staff. b) even the largest fee a lawyer could ever dream up is petty cash from admin assistant's desk draw at Google, c) competition is still a thing, otherwise what's to stop Go

  • Is there a youtube of this ?
    I just checked and nothing came up.

  • Can it be used to keep the equipment on the farm and not on the Dutch highway? Thank you.
  • Mine the crypto coin of your choice when you are now plowing or fertilizing or harvesting or doing other productive farm work!

    sarcasm

  • for the article, no longer existeth. epitome: 404. not found.
