Hackers Reconstruct a Totaled Car’s Entire Travel History Using a Single Telematics Module

Modern vehicles built in the past two decades include on-board data recorders—digital equivalents of an airplane’s black box—that can store granular tracking data for a vehicle’s entire lifetime. Many of these systems remain unencrypted, allowing anyone with physical access to reconstruct every trip the car has ever made.

How a Single Telematics Module Revealed a Totaled Car’s Full Journey

White-hat hackers purchased a used telematics module from a wrecked BYD Seal, a sedan sold globally. Because the module was removed from a wrecked vehicle, it contained customer data spanning the car’s operational life. A new module would have no logged trips.

The hackers lacked the correct adapter to read the module’s memory. To extract data, they built a custom wiring harness to connect the module to a USB flash tool—similar to a tuner used to modify fuel maps in a modified car, but without relying on the OBD-II interface.

“From there, the ubireader tool allowed us to obtain the full filesystem for the modem, custapp and system partitions,” the hackers reported. “With the files extracted, we could focus our attention on the root filesystem (rootfs) and user space (usrfs) to look for interesting or hidden artifacts.”

Because the data was unencrypted, extracting and analyzing the files was straightforward. By parsing the GNSS logs, the team reconstructed the vehicle’s entire travel history:

• Production in a factory in China
• Operational life in the United Kingdom
• Final dismantling in Poland

The logs captured every movement and stop, providing a complete picture of the vehicle’s journey. This reconstruction required only the data on the chip and public OSINT tools—no specialized equipment or access to private databases.

What Is OSINT and How Did It Help?

OSINT (Open-Source Intelligence) refers to publicly available information that can be gathered without cost or special access. In this case, the hackers used OSINT tools to cross-reference GPS coordinates with real-world events, linking anomalous data points to specific locations and activities.

This two-step approach—extracting unencrypted data from the module and mapping coordinates using OSINT—demonstrated how easily a wrecked car’s full travel history can be reconstructed with minimal resources.