Breaking Down the Attack Surface of the Kenwood DNR1007XR - Part One
• For the upcoming Pwn2Own Automotive contest, a total of 3 head units have been selected.
• One of these is the double DIN Kenwood DNR1007XR that offers a variety of functionality such as Android Auto, Apple CarPlay, USB media playback, wireless mirroring and more.
• This blog post presents photos of the DNR1007XR and highlights interesting internal components.
• A hidden debugging interface is also detailed, which can be leveraged to obtain a shell.
Figure 1: Kenwood DNR1007XR External
• Tucked away behind the screen is a full-sized SD card slot that can be accessed by tilting the screen downwards.
• The SD card is used to play audio/video files as well as to update map data.
Article Summaries:
- Summary
A new blog post details the attack surface of Kenwood’s double‑DIN DNR1007XR head unit, slated for the upcoming Pwn2Own Automotive contest. The article highlights external interfaces (an SD card slot behind the screen and a single USB port used for Android Auto, Apple CarPlay and media playback) that could be exploited. Internally, the unit houses a Dolphin+ TCC8034 SoC running Linux, an eMMC firmware chip, a serial flash chip, and a Murata Wi‑Fi/Bluetooth module. Crucially, a debug UART connector on the main board provides a Linux login prompt at 115200 bps, enabling shell access with the correct credentials. The post aims to spur vulnerability research ahead of the January 2026 contest.
- Breaking Down the Attack Surface of the Kenwood DNR1007XR - Part Two
The second Kenwood DNR1007XR blog post expands on the unit’s potential security weaknesses uncovered through reverse engineering. It catalogs the device’s main interfaces: USB 2.0, an SD card slot, Bluetooth 5, and software connections via Android Auto, Apple CarPlay, and Kenwood’s own apps. The USB port accepts a wide range of audio (MP3, AAC, FLAC, etc.) and video (MPEG, H.264, MKV, etc.) formats, while the SD card supports map updates and media playback. Bluetooth supports standard profiles (HFP, AVRCP, A2DP) and additional undocumented services (App0‑App3) that may expose further attack vectors. The post highlights parsing complexity and format handling as key research targets for vulnerability discovery.