🚗 BYD Dolphin Head Unit — Research & Reverse Engineering Reverse engineering, documentation, and tooling for the BYD Dolphin 25/26 infotainment system (DiLink 3, Android 10).
Everything here was discovered through ADB exploration, APK decompilation, and CAN bus probing — no proprietary documentation was used.
⚠️ Disclaimer: Unofficial, community-driven project — no affiliation with BYD.
Reverse engineering of BYD's internal Android services for educational and interoperability purposes only .
Use at your own risk — modifying vehicle software may void your warranty or violate BYD's terms of service.
The authors assume no liability for any damage to your vehicle, software, or data.
Property
Value
Platform
DiLink 3.0
Android
10 (API 29)
SoC
Qualcomm QCM6125 (SM6125 Trinket)
Architecture
ARM64, 8 cores
RAM
~3.5 GB
Kernel
4.14.117-perf
ADB
WiFi, port 5555
Head Unit IP
192.168.10.10 (car WiFi)
Firmware
13.1.32.2507250.1 (Jul 25 2025)
MCU
13.5.5.2505300.2
Bootloader
Unlocked (ro.boot.flash.locked=0)
Verified boot
Orange (unlocked)
Instrument Cluster
Separate Qt/QML system (Qt 5.15.10 / 6.5.5)
Tested on firmware 13.1.32.2507250.1. Older versions likely work. Newer firmware updates from BYD may change or break things — no guarantees.
New here? Start with the Sideloading Guide to install apps on your BYD — no root needed.
For custom apps built on this research, see byd-apps .
adb connect 192.168.10.10:5555
USB method — drop APKs in Third Party Apps XX folder (country code suffix), plug into carMaster password — BYD6125F (universal across DiLink 3)APK requirements — ARM64, targetSdk ≤ 33, minSdk ≤ 29Country-specific restrictions — Kazakhstan (14-app whitelist), India (Mappls only), Europe/Japan/Australia (online verification)
Feature
Details
AC temperature reading getTemprature(zone) — zone 1/2 = set temp, zone 4 = outside/ambient
Full AC control 40+ getter + SET methods (start/stop, temp, fan, wind mode) via permission bypass
AC remote control hasFeature("ACRemoteControl") = 1, supports 10–30min timer
Permission bypass BydPermissionContext (ContextWrapper) auto-grants BYDAUTO_* permissions client-side
CAN bus read/write Via ADB using app_process + reflection
75+ BYD packages With CAN bus access, 100+ custom BYDAUTO_* permissions
Engine simulator sound CAN-writable — UI shows 3 presets but MCU accepts 1–255
AVAS preset selection CAN-writable — UI shows 2 but MCU accepts 0–5+
AVAH test tones Play on AVAS external speaker using factory diagnostic signals (0x6E970010)
Content providers Expose vehicle data (battery, tyre pressure, maintenance, trip consumption)
Sideloading USB drive or ADB — see guide
Browser blob download bypass fetch→blob→anchor.click silently drops files (including APKs) to /sdcard/Download/ — no user gesture needed (Chromium 113 bug)
Feature
Status
Door lock status Main doors return INVALID (0), child lock readable. No dedicated setDoorLockStatus() — needs generic set() with unknown feature IDs
360 camera BYDAutoPanoramaDevice enforced server-side, bypass fails. AVMCamera/NormalCamera exist in bmmcamera.jar but not loadable by third-party apps
Feature
Reason
Custom AVAS audio (Boombox) MCU firmware blocks I2S → AVAS routing
AVAS volume control Hardcoded in MCU, no CAN signal changes it
Custom lock/power-on sounds MCU firmware rejects the commands
Horn Hardware relay, not software controllable
Boot animation Needs root to replace (/system/media/)
Cabin/inside temperature No API found — exhaustive probing confirmed unavailable
Root is optional — most features work without it. Rooting Guide
Capability
Details
Direct SPI access
/dev/spidev_ivi — bypass 128-byte Java API limit (up to 247-byte SPI records)
ALSA mixer controls
Potential AVAS audio routing via tinymix
MCU config reset
Direct SPI commands to reset MCU state
System partition write
Modify /system/media/ (boot animation), install system apps
Kernel symbols
/proc/kallsyms access, dmesg
KernelSU
Not viable — requires GKI kernel 5.10+, device runs 4.14.117 (non-GKI)
Key security-relevant discoveries for researchers:
Finding
Impact
Bootloader unlocked ro.boot.flash.locked=0, orange verified boot — Magisk root viable via fastboot
Permission bypass BydPermissionContext overrides enforceCallingOrSelfPermission() — auto-grants all BYDAUTO_* permissions. Works for AC, DoorLock, Bodywork. Fails for Panorama (server-side IPC check)
upgrade_server — no permission check Binder service accepts calls from UID 2000 (shell) with no SecurityException. Firmware updates could be triggered from adb shell with a valid signed package
COTA auth cracked HMAC-SHA256 with character-shifted secret key. Area resolution API confirmed working (HTTP 200)
Browser blob bypass Chromium 113: fetch()→blob→anchor.click bypasses BYD's download block from any web page — remote exploit, no ADB needed. 52MB APK verified
Port 7000 (CarPlay) carplayserv runs as root , listens on 0.0.0.0 — network-exposed attack surface
IDD-IDPS monitoring Intrusion detection on localhost:12406, monitors wlan0/rmnet interfaces. Three root-UID clients
SPI unprotected Packet format [featureId_BE:4][dataLen:1][data:dataLen] — no CRC, no HMAC
Most BYDAUTO permissions protectionLevel=normal — any app can request them at install time
App → BYDAutoManager → Binder → DiCarServer (UID 1000) → auto.default.so → /dev/spidev_ivi → MCU
SoC → I2S → MCU DSP → A2B bus → Amplifiers / AVAS speaker
BYD App → HTTPS → BYD Cloud → MQTT → cloudmanager (native) → CAN bus
Path
Method
COTA Cloud OTA — com.byd.cota (app config/resource updates)
FOTA Firmware OTA — requires mutual TLS with IMEI-derived certs
OTG USB update — looks for msm8953_64 path (legacy, despite QCM6125 SoC)
Car WiFi: 192.168.10.x
Head Unit: 192.168.10.10
ADB: port 5555
CarPlay: port 7000 (root, 0.0.0.0)
IDD-IDPS: port 12406 (localhost)
Doc
Description
📱 Sideloading Guide
Install apps via USB or ADB — no root needed
🔬 Sideloading Internals
Browser exploit chain, blob download bypass, AftermarketInstallTool reverse engineering, country-specific whitelisting
🔓 Rooting Guide
Magisk root via fastboot — A/B slot safety, recovery procedures
Doc
Description
🖥️ System Overview
Hardware, partitions, services, network topology, open ports
🔌 BYD Auto API
100+ BYDAUTO_* permissions, device types, handler classes, protobuf schemas
📊 Content Providers
CarStatusProvider URIs, schemas, consumption telemetry data format
Doc
Description
❄️ AC & Climate Control
Temperature zones, AC state getters/setters, encoding quirks, permission bypass code
🔊 Sound & Themes
Audio hardware topology, 200+ CAN signal IDs, AVAS/AVAH analysis, MCU probe results
📷 Camera System
Dual camera API architecture, 360 view system, permission enforcement analysis
🔄 OTA System
COTA/FOTA/OTG reverse engineering, upgrade_server vulnerability, COTA auth analysis
All scripts run on-device via app_process. Push and execute:
adb push scripts/BydAudioQuery.java /data/local/tmp/
adb shell " cd /data/local/tmp && app_process -Djava.class.path=. / BydAudioQuery read 0x1B10003D"
Script
Purpose
BydAudioQuery.javaCAN bus read/write tool — direct signal access
BydAudioRoutingTest.javaAudio routing tests (I2S, AVAS paths)
BydNavAudioTest.javaNavigation audio channel testing
BydDeviceScan.javaMulti-device signal scanner
SysMix.javaSystem audio mixer queries
Script
Purpose
BydAvasPlayer.javaAVAS melody player (frequency control)
AvasRoute.javaAVAS audio routing experiments
AvasVolume.java / AvasVolume2.javaAVAS volume control attempts
AvahFreq.javaAVAH frequency sweep testing
AvahBare.javaMinimal AVAH test tone trigger
AvahCombo.javaAVAH combination signal testing
AvahCycle.javaAVAH cyclic test patterns
AvahIsolate.javaAVAH signal isolation tests
AvahStop.javaAVAH signal stop/cleanup
Script
Purpose
BydMcuProbe.javaMCU security probe — feature scanning, extreme values
BydBufferProbe.javaMCU buffer overflow / boundary testing
BydSpiDirect.javaDirect SPI communication (requires root)
BydDebugProbe.javaDebug interface / hidden feature discovery
BydLockSoundMonitor.javaDoor lock sound event monitoring
Script
Purpose
BydNfcKeyProbe.javaNFC digital key CAN bus scanner
BydCotaProbe.javaCOTA cloud API probe — area resolution, auth testing
BydUpgradeProbe.javaupgrade_server Binder service probe
car-telemetry.pyCar data polling and logging (Python)
Script
Purpose
flags_extract.py / flags_extract_all.pyExtract Chromium flags from head unit browser
flags_descriptions.pyMap flag names to descriptions
flags_verify.py / flags_verify2.py / flags_verify3.py / flags_verify_final.pyVerify flag states and behaviors
flags_full_list.pyComplete flag enumeration
flags_probe_dom.pyDOM-based flag probing
docs/ Guides and deep-dive documentation
scripts/ On-device tools (CAN bus, MCU probes, AVAS, Chromium)
tools/
browser-exploit/ Browser sideloading research
index.html Main test page — blob download bypass PoC
autodownload.html Auto-download trigger test
install.html APK install flow test
pwa.html PWA install behavior test
cdp_capability_audit.py CDP protocol capability audit
cdp_download_test.py CDP download trigger tests
cdp_audit_results.json Full CDP audit results
serve_https.py Local HTTPS server for testing
sideload-test.apk Mock APK for install chain testing
data/
apks/ Extracted system APKs (DiCarServer, CarSetting)
audio-config/ Audio platform XML configs (I2S, mixer paths)
car-status/ CarStatusProvider data dumps
native-libs/ Native shared libraries (auto.default.so, libbydauto.so)
packages/ Package lists and service dumps
permissions/ BYDAUTO permission definitions
system-properties/ System property dumps and Android settings
chromium_flags_*.json Chromium flag analysis data
mcu-probe-*.txt MCU probe scan results
apk-analysis/ Vehicle type mappings (VehicleCarType.json, vehicleType.json)
Custom Android apps (Door Sound, etc.) live in byd-apps .
MIT