10 interesting stories served every morning and every evening.
Three years ago, I published my initial work to understand and reverse engineer my car, specifically the headunit of my 2021 Honda Civic.[1]
The initial response was incredibly encouraging. I’m writing to give a project update.
Keys to the Kingdom
The biggest progress has been made while mapping out the update process.
Honda supports updating the headunit via USB. There are a number of Honda-specific checks, but ultimately the USB drive contains a signed AOSP update file that gets staged and applied via Android recovery. The good news? They left the publicly-known AOSP test key in res/keys*, and, even though they modified the recovery binary, the verify_file signature logic matches stock AOSP.
So as long as you can properly format a USB drive and sign it with the publicly-known AOSP test key, you can install whatever you want to the headunit, without conventional root access (no need for su with setuid). This means that, as long as the headunit has power and an attacker has physical access to the front-most USB port, they have arbitrary code execution on the headunit via the update path.
This is an evil maid attack. Since it requires physical access to the cabin of the car rather than the hotel room, I call it an evil valet attack. Imagine a journalist drives to a hotel and leaves their car with the valet. The valet, who works for a three-letter agency, installs an update via USB. When the car is returned, the journalist doesn’t know the headunit has been modified. Since I want a cool vulnerability name, I’m calling this “EvilValet”.
This blog article is not intended as a technical writeup. If you want the gory details, see the technical docs.[2]
I’ve also published a new tool, ota-builder[3], that allows people to easily prepare update files that will be accepted by the headunit. While in its early days, it should be trivial to now build an update file that, for example, installs an su binary with setuid set (i.e., to root the device).
*I have strong reason to believe that all updates are signed with the publicly-known AOSP test key, but I don’t have access to every possible official update file, nor access to every headunit variant and its filesystem. My headunit has the AOSP test key in res/keys, though I’ve also installed HondaHack, so it’s possible that it injected the key into the keystore. However, I’ve also confirmed that MRC_EU_SW_v12_4.zip, a publicly-available EU software update file, is test key signed. This file was downloaded from a public forum[4] and was never modified by me. So it seems highly likely that all updates are signed with the AOSP test key. Contributors are welcome to help support or refute this hypothesis.
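A defender-side check for the condition this section describes, added here as an example and not taken from the original post or the author's tools: it parses a recovery image's res/keys file and reports any trusted key that appears on an auditor-supplied list of publicly known keys. It assumes the legacy AOSP text format for res/keys (RSA entries only); the function names, the modulus fingerprint scheme and the sample keys are constructed for illustration.

```python
import hashlib
import re

# One RSA entry in the legacy AOSP recovery res/keys text format (assumed here):
#   [vN ]{len,0xn0inv,{n[0],...},{rr[0],...}}  with 32-bit words, least significant first.
KEY_RE = re.compile(
    r"(?:v(?P<ver>\d+)\s+)?\{\s*(?P<len>\d+)\s*,\s*0x[0-9a-fA-F]+\s*,"
    r"\s*\{(?P<n>[^{}]*)\}\s*,\s*\{(?P<rr>[^{}]*)\}\s*\}"
)
# RSA key versions accepted by stock AOSP recovery: version -> (exponent, digest).
VERSIONS = {1: (3, "sha1"), 2: (65537, "sha1"), 3: (3, "sha256"), 4: (65537, "sha256")}


def parse_words(field):
    """Parse a comma-separated word list; negative literals wrap to unsigned 32-bit."""
    return [int(tok) & 0xFFFFFFFF for tok in field.split(",") if tok.strip()]


def parse_res_keys(text):
    """Return one dict per RSA key entry found in the text of a res/keys file."""
    keys = []
    for m in KEY_RE.finditer(text):
        version, length = int(m.group("ver") or 1), int(m.group("len"))
        try:
            n_words, rr_words = parse_words(m.group("n")), parse_words(m.group("rr"))
        except ValueError:
            n_words = rr_words = []
        sizes_ok = length > 0 and len(n_words) == len(rr_words) == length
        if version not in VERSIONS or not sizes_ok:
            keys.append({"version": version, "valid": False})
            continue
        modulus = sum(word << (32 * i) for i, word in enumerate(n_words))
        exponent, digest = VERSIONS[version]
        raw = modulus.to_bytes(length * 4, "big")
        keys.append({
            "version": version, "valid": True, "exponent": exponent, "digest": digest,
            "bits": modulus.bit_length(),
            # Ad-hoc fingerprint (SHA-256 of the big-endian modulus), not a cert hash.
            "fingerprint": hashlib.sha256(raw).hexdigest(),
        })
    return keys


def audit_res_keys(text, known_public):
    """Report entries that are malformed or whose modulus is on the known-public list.

    known_public maps fingerprint -> label and is built by the auditor by running
    parse_res_keys over keys that are published (for example a test-keys build).
    """
    findings = []
    for index, key in enumerate(parse_res_keys(text)):
        if not key["valid"]:
            findings.append((index, "malformed or unsupported entry"))
        elif key["fingerprint"] in known_public:
            findings.append((index, "publicly known key: " + known_public[key["fingerprint"]]))
    return findings


def constructed_entry(seed, version):
    """Build a syntactically valid 2048-bit entry (constructed sample, not a real key)."""
    stream = b"".join(hashlib.sha256(b"%d-%d" % (seed, i)).digest() for i in range(8))
    words = [int.from_bytes(stream[i:i + 4], "little") for i in range(0, 256, 4)]
    words[-1] |= 0x80000000  # top bit set so the modulus is exactly 2048 bits
    words[0] |= 1            # RSA moduli are odd
    body = ",".join(str(w) for w in words)
    prefix = "" if version == 1 else "v%d " % version
    # n0inv and rr are placeholders; the audit only looks at the modulus.
    return "%s{64,0x%08x,{%s},{%s}}" % (prefix, seed, body, body)


# Constructed res/keys content: a vendor-looking v2 key plus a v1 key that stands in
# for a published test key. Neither is a real key.
SAMPLE_RES_KEYS = ",".join([constructed_entry(1, 2), constructed_entry(2, 1)])
KNOWN_PUBLIC = {
    parse_res_keys(constructed_entry(2, 1))[0]["fingerprint"]: "stand-in published test key",
}

if __name__ == "__main__":
    for index, reason in audit_res_keys(SAMPLE_RES_KEYS, KNOWN_PUBLIC):
        print("res/keys entry %d: %s" % (index, reason))
```

Any finding of a publicly known key means the update path authenticates nothing, regardless of what other vendor checks wrap it.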
Building Tools
Beyond the update process, the most useful work has been on apk-rebuilder[5]. It has one very important job: take in a Honda Civic update file from the Internet, and produce a clean tree of output files that automates everything a reverse engineer would otherwise have to do manually, including:
Resolving resources
Reconstructing .smali code
Repacking APK files
Extracting the ramdisk
And more
This also serves an important role because we can’t publish actual Honda source code. We publish a function that takes in an update file (that we don’t host) and spits out Honda .smali code, image assets, etc. The resulting output follows a clear directory structure that can be referenced in documentation without actually uploading the sensitive files themselves.
Outstanding Work - A Call for Contributors
There are a few outstanding things that would be nice to have.
Known Versions
The update process is fragile and relies heavily on version numbers. This doesn’t limit the ability to run unsigned code, because the version numbers can be “spoofed” (see the technical docs). But in order to build an update file in the first place you need to know what versions your headunit expects. Further, any changes to the headunit software that don’t match my build could lead to unexpected behavior and recovery loops.
If you drive a 10th gen Honda Civic and are tech-savvy, I encourage you to contribute to the “Known Versions, Display Audio Software” section of the repo.[6]
If you’re feeling particularly brave, read through the ota-builder code and try and flash an update. But do so at your own risk; if your headunit differs from mine you could get stuck in a recovery loop and softbrick your device.
Toolchain
I have an experimental/work-in-progress toolchain on my local machine. It takes candidate .c code and compiles it for ARMv7, using the same compiler version and build flags as the original vendor binaries. This proved indispensable in my work to understand the update process. It makes heavy use of Docker. The current iteration is messy and largely specific to my workflow, but I’d like to publish a clean implementation.
Custom Themes
I explored this a bit while vibe-coding apk-renderer[7]. Custom themes are likely difficult to ship because they live in Mitsubishi’s fork of the AOSP framework, and the headunit apps are minified to expect hardcoded resource IDs. Any attempt to ship a custom theme would likely involve surgically editing the vendor framework (and writing a tool to do so automatically). None of this is trivial and probably isn’t worth the effort, but I welcome contributors.
Improve aidl-rebuilder
I started working on a tool to parse .smali files and generate/map out all AIDL interfaces on the headunit. This works but I haven’t reviewed it fully for accuracy. This opens up the door for custom apps such as virtual speedometers. Contributors welcome.
Thoughts on Documentation and LLMs
I’ve placed less emphasis on reference documentation and more on tooling. The idea is that if I can ship reliable, deterministic tools that map the headunit code to more digestible forms, then people can use LLMs to query those more digestible forms to answer whatever their specific questions are. This avoids having to maintain reference docs that can stray from the actual headunit code, because the headunit code is the source of truth.
For example, a user guide that explains how to connect to the headunit via ADB is still deemed useful. But a document explaining how some Java code works, when the Java code itself is available to an LLM, seems like a maintenance burden.
Wrapping up and Thanks
At this point, I’ve done most of the investigative work I intend to do on the headunit. This is one of those projects that I could toil endlessly on, but I’ll likely transition to other projects. That said, the repo is by no means abandoned. PRs are always welcome.
Special thanks to Tunas[8] for the memories, and to Hackaday[9] for covering my original work.
See everyone sometime down the road 🌱
Eric
[1] McDonald, E. (2023). “Honda Reverse Engineering”. Juniperspring. Retrieved June 13, 2026.
[2] McDonald, E. (n.d.). “Display Audio Update Files”. GitHub. Retrieved June 13, 2026.
[3] McDonald, E. (n.d.). “ota-builder”. GitHub. Retrieved June 13, 2026.
[4] felixlennart (September 22, 2022). “Install American firmware on European head unit”. 2016+ Honda Civic Forum (CivicX.com). Retrieved June 13, 2026.
[5] McDonald, E. (n.d.). “apk-rebuilder”. GitHub. Retrieved June 13, 2026.
[6] McDonald, E. (n.d.). “Known Versions, Display Audio Software”. GitHub. Retrieved June 13, 2026.
[7] McDonald, E. (n.d.). “apk-renderer”. GitHub. Retrieved June 13, 2026.
[8] Tunas. (n.d.). “Tunas1337”. GitHub. Retrieved June 13, 2026.
[9] Posch, M. (June 27, 2023). “Honda Headunit Reverse Engineering, And The Dismal State Of Infotainment Systems”. Hackaday. Retrieved June 13, 2026.
SQL to ER Diagram — free online ERD generator: convert a SQL schema (CREATE TABLE statements) into an interactive entity-relationship diagram in your browser. Turn SQL into a diagram instantly, no signup.
SQL to ER Diagram
SQL schema
Paste SQL, see the schema.
Drop your CREATE TABLE statements on the left. Drag tables, scroll to zoom, double-click to rename, export when done.
100% local — your schema never leaves your browser. No accounts, no uploads.
SQL to ER Diagram is a free, open-source tool that converts a SQL schema into an interactive entity-relationship diagram (ERD) right in your browser. Paste your CREATE TABLE statements and instantly visualize tables, columns, primary keys, foreign keys and relationships. Works with PostgreSQL, MySQL, SQLite and SQL Server. Drag tables, auto-arrange the layout, add notes, and export to PNG or SVG. Nothing is uploaded — your schema stays on your machine.
Frequently asked questions
How do I create an ER diagram from SQL?
Paste your SQL CREATE TABLE statements into the editor and SQL to ER Diagram instantly renders an interactive entity-relationship diagram. Drag tables to arrange them, then export as PNG or SVG.
Which SQL dialects are supported?
It parses standard CREATE TABLE and ALTER TABLE DDL and works with PostgreSQL, MySQL, SQLite and SQL Server syntax, including primary keys, foreign keys, unique and not-null constraints.
Is it free?
Yes. SQL to ER Diagram is completely free and open source, with no account or sign-up required.
Is my data private? Does my SQL get uploaded?
Everything runs locally in your browser. Your SQL schema is never uploaded to or stored on any server.
Can I export the diagram?
Yes. You can export a high-resolution PNG or a vector SVG, save the full project as a file, or copy a shareable link that encodes the diagram in the URL.
Do I need to install anything?
No installation needed. It runs entirely in your web browser on both desktop and mobile.
Last year around this time The New York Times Magazine ran an A.I. issue with an introduction titled “Everyone Is Using A.I. for Everything. Is That Bad?” It’s an edited transcript from the Hard Fork podcast, which I think assumes two things are true that are turning out to be false.
Once you’ve tried AI, you use it “for everything.” No, in fact most people who’ve tried it are just occasional AI users.
AI has gotten so good that despite any misgivings, “everyone is using A.I.” No, in fact large chunks of the population aren’t using AI at all.
(It isn’t really strictly defined in the article, but I’m taking AI to mean generative AI accessible via a chat interface.)
Take Gen Z, where AI awareness is the highest: in the last year, even though AI has supposedly gotten a lot better, Gen Z AI adoption has all but stalled, with a meaningful percentage of the Gen Z population still using AI rarely, if at all.
Here’s Gallup’s year-over-year (2025/2026) breakdown:
79/81% use AI at least rarely
41/42% are anxious about AI
32/31% use AI only monthly/every few months
22/31% are angry about AI
21/19% never use AI
This tracks with Microsoft’s new United States AI Diffusion site, based on “anonymized, aggregated Microsoft telemetry.” Their associated blog reports “more than 30 percent of the US working-age population is using AI [meaning about 70% isn’t], an increase of 3 percentage points from the end of 2025.” The underlying academic paper specifies that usage is defined as “engagement with major AI services including ChatGPT, Google Gemini, Anthropic Claude, Microsoft Copilot, and others….with at least 90 minutes of usage time in a given month.”
The Microsoft data is brand new, and it mirrors another usage study from Datos from last year, also based on real-world usage data. The Datos study found similarly that, as of last June, only 21% of desktop devices visited “AI Tools” 10 or more times a month, 62% visited 0 times, and the remaining 17% in between.
Back on the survey side, a recent Searchlight Institute study found “58% report using or trying AI, specifically tools like ChatGPT or Claude, divided evenly between fairly regular users (30% use at least a few times a month) [roughly matching the Microsoft/Datos data] and more infrequent users (29% have used AI, but only once a month or less).” And finally a new survey from The Argument finds “most Americans use AI once a week or less.”
All of this triangulates to AI use in America at approximately one third actively using AI, one third occasionally using AI, and one third never using AI, with some movement depending on how you define those terms. In any case, this split is a far cry from “everyone is using AI for everything”; it’s much closer to “some people are using AI for some things.” AI use also hasn’t shifted that much in the past six months to a year. In fact, the only thing that has substantially changed is that negative sentiment about AI has gone significantly up, for example Gallup’s Gen Z poll reporting anger about AI jumping about 40% relative year over year.
I think it is a reasonable conclusion to draw from all of this data that a significant percentage of the population is actively limiting their AI usage. The Searchlight study examines a big reason why: real concerns people have with AI. The top three concerns found are “AI will replace jobs and cause unemployment” (42%), “AI will violate people’s privacy” (35%), and “AI will spread misinformation and lies” (33%).
This sentiment also matches a strong desire for safety/privacy AI regulation. A solid majority thinks “the government should prioritize creating safety/privacy rules for AI, even if that means the U.S. develops AI more slowly than countries like China.”
Another big reason is skepticism about AI usefulness. Searchlight asked respondents about a range of technologies and to say “whether you believe the overall impact of each technology on society is positive or negative.” AI only has a +8% net positive rating right now, right next to +7% for social media, which were only greater than crypto at -17%. Meanwhile cell phones, the internet, and solar energy are at +68%, +67%, and +65%, respectively.
The Argument study broke this down further, asking about specific societal benefits from AI, finding broad skepticism and concluding “people aren’t really buying the bullish case for AI that CEOs and boosters alike are selling. In other words, the skepticism about AI’s effects is real and deep-running. And given how many people use it daily, this is not just an ill-informed set of opinions on something respondents have never seen before (like tariffs were before 2025).”
It is possible for people to have one view at a societal level and then act differently at an individual level, but that does not seem to be what we’re seeing here. The plurality occasional usage and large percentage of complete avoidance speak to the fact that a lot of people seemingly aren’t yet finding enough individual value net of their concerns to justify daily or even weekly usage. The gap in media narrative (that everyone is using AI for everything) relative to the reality (that some people are using AI for some things) perhaps reflects a bubble around early-adopting knowledge workers that includes much of the tech press (and me for that matter, though I’m trying really hard to stay connected to reality).
It’s a mistake for companies, pundits, and policy makers to ignore how people are really feeling and acting about AI. It’s not all sunshine and rainbows. It’s also clearly not binary (all use or no use), but instead a continuum of AI opinions and use, with a lot of people in the middle.
I think there is an apt analogy to be made here to preferences around meat consumption. Another thing that seems to be everywhere right now is protein. Telling us how important protein is in our diet is analogous to telling us how useful AI is for productivity. And, meat being a primary source of protein is analogous to AI chat tools being a primary source of generative AI. And yet here’s how Americans break down in terms of their meat consumption preferences, based on a handful of U.S. studies from this decade:
95% eat meat (Gallup, 2023)
70% report reducing red meat consumption (Rutgers, 2024)
30% eat (all) meat only rarely/occasionally (Gallup, 2020)
12% don’t eat red meat (Nature, 2026)
4% don’t eat any meat, that is, are vegetarian (Gallup, 2023)
1% don’t eat any animal products, that is, are vegan (Gallup, 2023)
That is, not everyone eats meat, a majority actively curbs their consumption of red meat, and a significant percentage don’t eat it at all. Different people have different (not mutually exclusive) reasons for limiting their meat consumption, including health, cost, environment, and ethics. Those are all also primary concerns for AI consumption!
The analogy also highlights market opportunities to appeal to people across the continuum, speaking to their feelings on AI and addressing their particular AI concerns. For example, we (at DuckDuckGo) make all AI features optional and one of those features, duck.ai, is a private chatbot alternative that helps address AI privacy concerns. To extend the analogy in this way, we’re a restaurant with a variety of options on the menu, from healthy meat dishes (private AI) to vegetarian (turn down AI) to vegan dishes (turn off AI), which most eaters across the spectrum can appreciate.
Does this mean about one third of the population is bound to use AI only rarely/occasionally forever? No. Unlike with meat, the AI technology landscape is changing so rapidly that it is very unclear where both AI products and regulations will end up. Product evolution could make AI more useful to the average person, and regulations could reduce concerns. However, we can say that, as of right now, a meaningful percentage of the population has tried the current state of AI and has decided to actively limit their use of it.
June 2026
(This is based on a talk I gave at the Oxford Union.)
Since this is apparently the future prime ministers’ club, I’m going
to tell you about something it would be good if more politicians
understood: I’m going to tell you how people become billionaires.
I hope this will be useful to you even if you don’t plan to go into
politics. Those of you who don’t become prime minister can become
billionaires instead.
The reason I know about this topic is that 21 years ago Jessica and
I started something called Y Combinator. If you haven’t heard of Y
Combinator, it’s a cross between an investment firm and a school
for startup founders. Since we started it in 2005 we’ve funded about
6500 companies.
Starting a successful startup is the most
common way to become a
billionaire, so in effect I’ve spent the last 21 years training
people to become billionaires. So far about 30 of them have, but
there are many more in the pipeline.
So you can imagine how astonished I was last month when an American
politician said that it was impossible to earn a billion dollars.
I felt like a skating coach hearing someone say that it’s impossible
to do a triple axel. Of course it’s possible. It’s hard, but it’s
possible.
She wasn’t saying, of course, that it’s impossible to become a
billionaire. Obviously that’s possible. Nor was she talking about
the distinction between income and capital gains. She wasn’t making
a point about accounting. What she meant was that it’s impossible
to get that rich without doing something bad — without cheating
in some way.
A couple days later I was talking to the founder of a startup I’d
funded. I began by asking, as I usually do when I meet a founder,
what her growth rate was. 93% last month, she said. I pointed out
that this meant her net worth was also growing at 93% a month. She
was getting richer at a stupendously rapid rate. And yet she hadn’t
been doing anything bad. The reason her startup was growing so fast
was simply that users loved what she’d built. So she could feel
from her own experience how wrong that politician was. She wasn’t
exploiting anyone. Exactly the opposite in fact. The reason her
startup was growing so fast was that she and her cofounder had been
working their asses off to make their users happy, and as a result
the users had been telling their friends. And that gets you exponential
growth.
Later that day I was talking about her case online, and someone
replied that having a few million and growing at 93% a month was
radically different from being a billionaire.
I suspect many people would agree with this statement. But it turns
out not merely to be false, but false in a very illuminating way.
So I would like you all to do me a favor please. I would like you
to take out your phones and calculate a number. I know this may
seem contrived, but I promise it will be useful for you. I’m going
to have you do the most common kind of calculation I do as an
investor, and the experience will bring home to you what startups
are all about.
If we interpret his statement in the most conservative way and
assume that a few means 2, her company has to grow 500x for her to
become a billionaire. So we are going to calculate how many months
of 93% growth it takes for something to grow 500x.
To do this we want to calculate the log base 1.93 of 500. The easiest
way to do that is to go to Google search, which lets you do
calculations right in the search box. So go to Google search and
type log(500, 1.93). If you typed that right, the answer you get
is about 9.45.
That is how many months of 93% growth it takes to become a billionaire,
starting from 2 million. A couple million and 93% growth are not,
in fact, radically different from a billion. They’re nine and a
half months apart.
Now you see why, when I meet a founder, the first thing I ask about
is their growth rate.
But I don’t want anyone to accuse me of using unrealistic numbers,
so let’s take a more conservative growth rate. Let’s see what happens
at 15% a month. That’s not rare at all. I constantly encounter
startups growing at 15% a month.
If your revenues grow at 15% a month, how much more will you be
making 5 years from now? To calculate that, we need to find 1.15
to the 60th power (since 5 years is 60 months). So go to Google
again and this time type 1.15^60. The answer should be about 4384.
Meaning in 5 years your startup will be making 4384 times as much.
If you’re currently making ten thousand a month, in five years
you’ll be making about 44 million a month, or 526 million a year.
And at that point, if you own as much of the company as founders
typically do, you will be a billionaire.
In the real world, growth rates tend to slow down a bit. A very
successful startup will probably be growing faster than 15% a month
in year 1 and slower than 15% a month in year 4. But you end up in
about the same place. If you start a startup in your early twenties,
it’s definitely possible to be a billionaire by the time you’re
thirty. Hard, but possible.
I wanted you to feel this by doing the calculation yourselves,
because now you understand one of the reasons people start startups.
Exponential growth is like magic. It generates outcomes that seem
impossible. And that’s why some politicians distrust it. They don’t
understand the math of exponential growth, so when they see people
becoming what seems to them impossibly rich, they assume they must
have cheated.
But now you at least understand, from having done the math yourselves,
that you don’t have to cheat to become a billionaire. You’ve seen
for yourselves that there are only two numbers in the calculation,
the growth rate and how long it continues. If it’s impossible to
make a billion dollars without cheating, which of those two numbers
is impossible? It’s certainly not impossible to grow at 15% a month
ReactOS, the open-source operating system working toward binary compatibility with Microsoft Windows programs and drivers, has reached a new milestone: the classic game Half-Life can now be played on this open-source platform.
ReactOS has been in development for 28 years now, and today its developers noted on X that it can run the Windows version of Half-Life. Some years ago there were reports of Half-Life at least initializing under ReactOS; going by today’s X coverage, this appears to be the first report of the game successfully running on ReactOS and being playable in-game.
Granted, these days you can run Half-Life on Linux, and it works well on other platforms via Wine, but it’s fun seeing Half-Life now running on ReactOS as it continues persevering in its quest for Windows binary compatibility.
ReactOS user “Zombiedeth” got Half-Life running on a Dell OptiPlex system with a Core i5 2400 Sandy Bridge processor and NVIDIA GeForce 8400GS graphics.
Details on X for those interested.