At DEF CON 30 on Saturday, an Australian who goes by the handle “Sick Codes” showed off a way to fully take control of some John Deere farming machine electronics to run first-person shooter Doom.
With some rather-involved hacking and the help of a New Zealand-based maker of Doom mods identified as @Skelegant on Twitter, Sick Codes managed to get a corn-themed version of the 1993 classic computer game to run on a John Deere tractor display.
Sick Codes, in a phone interview with The Register, described his work as more of a jailbreak than an exploit.
The project took months to develop, according to Sick Codes. It involved a John Deere tractor 4240 touchscreen controller with an Arm-compatible NXP I.MX 6 CPU running Wind River Linux 8. There were also devices running Windows CE.
“The main bug is that nothing’s encrypted or checksummed properly or anything like that,” he explained, adding that patching isn’t practical. In other words, it’s possible to run arbitrary code on the equipment. The fix, he suggested, is simply building new devices with proper security.
Sick Codes presided over a related session at 2021’s DEF CON 29 in which he attributed his interest in exploring agricultural equipment to the fact that no one else was doing so.
But after disclosing a number of vulnerabilities, John Deere patched them, blocking people from customizing or fixing their hardware. And Sick Codes said he’d been approached by people upset about helping the company close the holes in its systems. “It’s like anti-right-to-repair sometimes, if you consider it from a different angle,” he explained.
So this year, he said, he decided to focus on hardware and show the fragility of the food supply chain.
Oh Deere
Kyle Wiens, CEO of repair website iFixit and a right-to-repair advocate, attended the presentation and recounted the experience in a Twitter thread.
“Sick Codes has jailbroken a John Deere, and this is just the beginning,” he wrote. “Turns out our entire food system is built on outdated, unpatched Linux and Windows CE hardware with LTE modems.”
Wiens suggested the tractor kit compromise will help make computerized agricultural equipment more accessible to those who use it.
“John Deere has repeatedly told regulators that farmers can’t be trusted to repair their own equipment,” Wiens said. “This foundational work will pave the path for farmers to retake control of the equipment that they own.”
And he also wondered aloud whether John Deere has complied with the terms of the GPL, now that it appears the company incorporates GPL code into its products without meeting its source code disclosure obligations.
Sick Codes confirmed that he believes John Deere failed to comply with its GPL obligations. “I’d love for them to come forward and explain how they are in compliance,” he said.
According to author and activist Cory Doctorow, organizations that undertake legal enforcement for open source licensing issues are now aware of John Deere’s alleged non-compliance.
John Deere has been a source of frustration for years among right-to-repair advocates, who object to the now-commonplace use of digital security controls to prevent product owners from repairing equipment they purchased. Recently, however, the right-to-repair legislation has made headway in various US states and has been endorsed by the Biden administration. The European Union and the UK have also shown more interest in protecting the repair rights of product buyers.
In January, two lawsuits were filed against John Deere, one in Illinois and the other in Alabama, over the company’s repair restrictions. The following month, US lawmakers in the House of Representatives and in the Senate introduced separate bills to guarantee the right to repair.
Then in March, two weeks after a dozen advocacy groups complained to the FTC about John Deere’s refusal to provide the software and technical data necessary to repair its equipment, the company said that it would make previously restricted technical resources available to customers and independent repair shops.
The Register asked John Deere to comment. We’ve not heard back. ®