Add support to dump the shadow file #2

Open
jannikuhl opened this issue Mar 30, 2020 · 124 comments
Labels
enhancement New feature or request

Comments

@jannikuhl

Have you already had success reading the shadow file?

I am currently trying to access the MIB via Telnet. I can connect, but I don't have the root password.

Unfortunately I can't contact you anywhere. If you are interested in exchanging information I would be happy if you send me an email to jannik.uhlmann(at)icloud.com.

I am currently working on reverse engineering the FEC/SWaP system of Technisat.

@mattcabb mattcabb added the enhancement New feature or request label May 3, 2020
@mattcabb
Owner

mattcabb commented May 3, 2020

Nothing yet. Due to lockdown I had to put most things on hold for now. Hope to get back to the hack soon.

@flipidus
flipidus commented May 6, 2020

> Have you already had success reading the shadow file?
>
> I am currently trying to access the MIB via Telnet. I can connect, but I don't have the root password.
>
> Unfortunately I can't contact you anywhere. If you are interested in exchanging information I would be happy if you send me an email to jannik.uhlmann(at)icloud.com.
>
> I am currently working on reverse engineering the FEC/SWaP system of Technisat.

Hello Jannik,

I am also trying to get inside the MIB2STD and I'm building a testing station at home. I am also interested in exchanging some information about this topic. I heard there is also a serial connection in the quadlock connector, but I don't know if this is only on a HIGH device or also on a STD device. What tools do you use exactly to establish a telnet connection?

Best regards

@jannikuhl
Author

> > Have you already had success reading the shadow file?
> >
> > I am currently trying to access the MIB via Telnet. I can connect, but I don't have the root password.
> >
> > Unfortunately I can't contact you anywhere. If you are interested in exchanging information I would be happy if you send me an email to jannik.uhlmann(at)icloud.com.
> >
> > I am currently working on reverse engineering the FEC/SWaP system of Technisat.
>
> Hello Jannik,
>
> I am also trying to get inside the MIB2STD and I'm building a testing station at home. I am also interested in exchanging some information about this topic. I heard there is also a serial connection in the quadlock connector, but I don't know if this is only on a HIGH device or also on a STD device. What tools do you use exactly to establish a telnet connection?
>
> Best regards

The MIB2STD does not have Telnet enabled by default and currently the only way to enable it is writing on the bench. Either by soldering or using (what I prefer) BDM. You need to add the following line to the file /fs/hd1-qnx6/tsd/bin/system/startup

```
echo ser1 "/bin/login -f root" qansi-m on > /tmp/ttys
/sbin/tinit -f /tmp/ttys &
```

I never heard about a serial connection on the quadlock, do you have any sources?
It is also possible to inject patched binary files as a software update.

@mattcabb
Owner

mattcabb commented May 6, 2020

Found this in test mode.
[image: debug]

"Serial" might be related to the quadlock (B:J5_TX, B:J5_RX)
[image: mib2_wiring_b2edb871d27541030fbdd66275bc7a87993b16c3]

@flipidus
flipidus commented May 6, 2020

> Found this in test mode.
> [image: debug]
>
> "Serial" might be related to the quadlock (B:J5_TX, B:J5_RX)
> [image: mib2_wiring_b2edb871d27541030fbdd66275bc7a87993b16c3]

Yes, that's the serial connection I heard about after a longer googling about that stuff. But this pinout in your picture is from a label on a MIB2 HIGH device, so I don't know if there is also a serial connection on a MIB2 STD device on these pins 3 and 9. I also read that you need pin 7 for the serial connection for the GND.

Do you know what the pins 11 "ESO C3_TX" and 12 "ESO C3_RX" are on the A part of the Quadlock connector?

@jannikuhl
Author

Where have you found that setting? It looks like mine doesn't have that.
What units exactly do you guys have?

I have a Skoda Technisat MST2Nav unit.

We have to be careful because the MIB2STD unit with the same part number is manufactured by two different manufacturers (Technisat and Delphi). So maybe we have to split the toolbox since they both work very differently.

I think the pinout is from a Porsche PCM 4.0 which is manufactured by Harman/Becker. These are both very different units.

@flipidus
flipidus commented May 6, 2020

> Where have you found that setting? It looks like mine doesn't have that.
> What units exactly do you guys have?
>
> I have a Skoda Technisat MST2Nav unit.
>
> We have to be careful because the MIB2STD unit with the same part number is manufactured by two different manufacturers (Technisat and Delphi). So maybe we have to split the toolbox since they both work very differently.
>
> I think the pinout is from a Porsche PCM 4.0 which is manufactured by Harman/Becker. These are both very different units.

You need to activate the developing mode (Entwicklermodus) on the MIB; it can be done with VCDS or OBDeleven. After that you need to hold the MENU button for a couple of seconds and you are in the Service Mode. Now, after enabling the developing mode, you should see a function called "Test mode" there, and there you have these Trace Functions.

Yes, the Delphi units are different. I also heard that they are not so good for retrofitting and unlocking.

The MIB2 HIGH units are also from Harman. So maybe they have the same Quadlock pinout as the Porsche units.

@jannikuhl
Author

Found it, thanks. I was always looking in the green menu.

Porsche PCM and MIB2 HIGH are nearly the same. Both from Harman and can be patched the same way. So I think the pinout is also the same.

I'm currently not up-to-date: Is it possible to upload custom green menus already?
Anyone tried it the same way it works on MIB2 high?

@Vavulinalex

Hello. I want to study the mib2std Technisat file system. I tried connecting via uart. Unsuccessfully. Technisat does not have a sequential shell. I want to try using telnet. Can you tell me what BDM is? I want to activate telnet.

@jannikuhl
Author

You're right, Technisat does not have a serial shell. What you need to do is to read the EMMC chip, activate telnet and flash the whole system back to the chip, as described in this guide: https://forum.xda-developers.com/general/connected-car/success-to-hack-technisat-mib2-t3584185

BDM can be used instead of soldering. You need BDM probes to connect directly to the circuit board. Here are some pictures:

https://contestimg.wish.com/api/webimage/5dc6806fe362821086a79e51-0-large?cache_buster=66a2ba98886f0bf85989036c6d6fd5c8

https://www.dhresource.com/0x0s/f2-albu-g9-M00-38-BB-rBVaWFwHnM-AICmuAAFDktohDAA328.jpg

@Vavulinalex

Thanks. If necessary, I can share the instructions for mib2 High. There are root passwords for different firmware and instructions on how to work with fec/swap

@yox2019
yox2019 commented Jun 17, 2020

How did you activate telnet? ... inetd?

@yox2019
yox2019 commented Jun 17, 2020

... /etc/system/enum/devices/net ;)

```
device(usb, ven=2001,dev=3c05) # D-Link DUB-E100 big version
device(usb, ven=2001,dev=1a02) # D-Link DUB-E100 small version
device(usb, ven=0b95,dev=772b) # Edimax EU-4208 small version
device(usb, ven=0b95,dev=7720) # Edimax EU-4207 big version
device(usb, ven=0b95,dev=1780) # DELOCK 61969 USB 2.0 Gigabit LAN Adapter
waitfor(/dev/socket)
driver (mount -Tio-pkt -o "verbose,phy_check,busnum=$(busno),devnum=$(devno)" devnp-asix.so)
start/wait(if_up -p ax0)
start(ifconfig ax0 192.168.1.4)
requires(inetd,)
requires(qconn,)

device(usb)
echo("No match found for device ven=$(ven), dev=$(dev), class=$(class), busno=$(busno), devno=$(devno), cfg=$(cfg), iface=$(iface), msven=$(msven), mscomp=$(mscomp), mssubcomp=$(mssubcomp)" )
```

@flipidus

> device(usb, ven=2001,dev=3c05) # D-Link DUB-E100 big version
> device(usb, ven=2001,dev=1a02) # D-Link DUB-E100 small version
> device(usb, ven=0b95,dev=772b) # Edimax EU-4208 small version
> device(usb, ven=0b95,dev=7720) # Edimax EU-4207 big version
> device(usb, ven=0b95,dev=1780) # DELOCK 61969 USB 2.0 Gigabit LAN Adapter

Are these the working USB to LAN interface adapters for MIB2 STD/HIGH?

@yox2019
yox2019 commented Jun 18, 2020

> > device(usb, ven=2001,dev=3c05) # D-Link DUB-E100 big version
> > device(usb, ven=2001,dev=1a02) # D-Link DUB-E100 small version
> > device(usb, ven=0b95,dev=772b) # Edimax EU-4208 small version
> > device(usb, ven=0b95,dev=7720) # Edimax EU-4207 big version
> > device(usb, ven=0b95,dev=1780) # DELOCK 61969 USB 2.0 Gigabit LAN Adapter
>
> Are these the working USB to LAN interface adapters for MIB2 STD/HIGH?

... it's from a PQ unit, you have to try it on MIB2 STD/HIGH, I have any to test ;)
... do you have a telnet connection with a "login" prompt?

@flipidus

Okay, then I will look forward to buying one of these USB to LAN adapters and then I can check if I can get a telnet prompt. Are there some special subnet and static IP address settings I need to set for this network adapter? I don't think the MIB2 will host a DHCP

@jannikuhl
Author

You need to enable it in the green menu. Then you can connect with D-Link. You can read off the required network settings in the green menu.

@yox2019
yox2019 commented Jun 19, 2020

> You need to enable it in the green menu. Then you can connect with D-Link. You can read off the required network settings in the green menu.

I am able to connect via D-Link (192.168.1.4), but only on a few ports; then I can see logs, but the connection on port 23 is refused. There is another network, 10.X.x.x. Did you get the "login" prompt on 192.... or 10...?

@flipidus

Okay, thanks for the information, I will look in the GEM for those IP settings, and I ordered a D-Link DUB-E100 USB to LAN adapter, the smaller black version.

@jannikuhl
Author

You need to connect to port 23 and need the following adapter settings:

  • IP: 192.168.1.100
  • Subnet: 255.255.255.0

By the way, does anyone have experience recovering Delphi units? I bricked mine today with an invalid SWaP File.

@yox2019
yox2019 commented Jun 20, 2020

> You need to connect to port 23 and need the following adapter settings:
>
>   • IP: 192.168.1.100
>   • Subnet: 255.255.255.0

... sorry for the question, are these the D-Link settings or the ethernet card in the computer?

@yox2019
yox2019 commented Jun 20, 2020

> By the way, does anyone have experience recovering Delphi units? I bricked mine today with an invalid SWaP File.

... you have to find the way to put this unit in "emergency mode" then reflash it with software already installed

@jannikuhl
Author

On the ethernet card of the PC.

I don't think it will go into emergency mode as it is in a constant boot loop.

@yox2019
yox2019 commented Jun 20, 2020

> On the ethernet card of the PC.

Thanks, and you log in on the address displayed in the green menu, e.g. in my unit 192.168.1.4?

> I don't think it will go into emergency mode as it is in a constant boot loop.

It doesn't matter, you can always turn on emergency mode, even if the unit is working properly, you just need to know how...

@jannikuhl
Author

Yes, exactly. Login is root and there is no password, just press enter.

@yox2019 Do you know how to enter emergency mode? It seems to be the last chance for this unit before it needs soldering.

@yox2019
yox2019 commented Jun 21, 2020

> Yes, exactly. Login is root and there is no password, just press enter.

... THX, I will try, but I'm afraid in the PQ unit it won't work

> @yox2019 Do you know how to enter emergency mode? It seems to be the last chance for this unit before it needs soldering.

... no, unfortunately, but I think it has to be similar to Technisat; anyway, you need a terminal connection usb/uart and putty to be able to put this unit in emergency mode

@jannikuhl
Author

Are you talking about Technisat or Delphi?
UART only works on Delphi and Harman units. Technisat does not have any serial port open; you need to read the eMMC, e.g. using BDM. There is currently no other option. PQ is Technisat.

@flipidus

You have ZR devices from Technisat (Preh) / Delphi / Harman and PQ devices from Technisat. I think the ZR devices from Technisat are handled the same as the PQ devices. I'm waiting for this USB to LAN adapter from eBay, so I can also test the Telnet function on my Preh device.

I heard the Delphi devices are not so hacking-friendly, but I cannot prove if this is true.

I have a productive Technisat/Preh MIB2 in my car and a test device from Technisat (without navigation) for testing purposes. But for my test desk I still need some wiring stuff to connect the MIB2 with the ABT (single wires, HSD cable, plugs, etc...)

Does anyone know how the component protection is going ON when you use a MIB2 without CAN communication? Running time? Boot counter?

@EvoSems

EvoSems commented Dec 5, 2020

Having a problem with security on a polo gti 6C. With VCDS security code is S12345

I tried S12345 as well as 20103
But get error Key Refused RC 35 Key Incorrect.

I’ve tried this on 2 MIB units on the same car.

I am a little new to VCP. my process is as follows. (Let me know if this is correct.)

Load Program.
Select More. Manual. 5F Start
Select SE26X (defaults to my Car I guess?)
Select EOL VW
SEC.Access.
Enter Login either S12345/20103
Get error.

@fikaa73
fikaa73 commented Dec 8, 2020

> Having a problem with security on a polo gti 6C. With VCDS security code is S12345
>
> I tried S12345 as well as 20103
> But get error Key Refused RC 35 Key Incorrect.
>
> I’ve tried this on 2 MIB units on the same car.
>
> I am a little new to VCP. my process is as follows. (Let me know if this is correct.)
>
> Load Program.
> Select More. Manual. 5F Start
> Select SE26X (defaults to my Car I guess?)
> Select EOL VW
> SEC.Access.
> Enter Login either S12345/20103
> Get error.

Did you try first security access then eol?

@mattcabb
Owner

mattcabb commented Dec 8, 2020

Security Access S12345 is just for VCDS. It doesn't send the code to the 5F unit. Instead it changes VCDS diagnostic session to EOL developer mode.
If you are using VCDS then use SA S12345. If you have VCP or OBDeleven then just change diagnostic session.

@EvoSems

EvoSems commented Dec 8, 2020

Oh I am using VCP.
I will try security access first tonight. But I have tried this a few times now. And it seems it doesn’t accept the key. Then I am locked out for maybe 30 mins before trying again.

Maybe I am doing the process wrong. I can’t seem to find any videos on using the vcp interface yet. So I’m a bit trial and error each time.

I’m assuming once the code is entered correct I can open EOL. If I select it now. Nothing happens.

Thanks for the guidance chaps.

@fikaa73
fikaa73 commented Dec 20, 2020

@shadowswan check this out
[image: C7CC1301-7F1C-4EFF-9925-D9935C62DE92]

@shadowswan
shadowswan commented Dec 20, 2020

That’s the wrong place, will look tomorrow, but it’s something like transmit code: you put the code in and then you run the release, which is the one you are in there.

EDIT:

It's under adaptation and is ‘transfer of release code for a swap function’. Paste the code in there and then go back to the one you had and change it to active.

@mattcabb
Owner

@shadowswan so the procedure for OBDeleven is:
5F > Change service > EOL
5F > Adaptation > Transfer of release code for a SWaP Function > paste_the_code > save
5F > Basic Settings > Release of SWaP function > paste_the_code > set status to active
Reboot, long press MENU, check if code is valid.

Is that correct?

@shadowswan

Almost, for the release of swap function you just change it to active and save that.

Obviously the swap file and the swdownload need to have been patched first for it to accept it

@mattcabb
Owner

@shadowswan system.swap needs to be patched to ignore the signature.
Why does system.swdownload need to be patched as well?

@shadowswan

shadowswan commented Dec 21, 2020

Sorry you are correct I was thinking of software update too.

@fikaa73 is it working now?

@fikaa73
fikaa73 commented Dec 21, 2020

@shadowswan I don't have hands on my car now, but will look for it tomorrow. That one makes sense, I'm looking just now for VCP instructions and that's the correct sequence of steps. Hope it will work :)
SWaP needs to be patched because this is a forced way to push SWaP codes, just like you would do with VCP. If you take a look, SWaP from the generator is the same for every car, it just differs for VCRN and VIN, but I think some other part should be different, like signature or something.
In basic settings, "Release swap function" has placeholder 00-FF, are you sure I just run it without any value?

@mattcabb thank you for looking into this too, and explaining how patches work :)
Thank you guys very much, I will inform you what I have done.

@shadowswan

> @shadowswan I don't have hands on my car now, but will look for it tomorrow. That one makes sense, I'm looking just now for VCP instructions and that's the correct sequence of steps. Hope it will work :)
> SWaP needs to be patched because this is a forced way to push SWaP codes, just like you would do with VCP. If you take a look, SWaP from the generator is the same for every car, it just differs for VCRN and VIN, but I think some other part should be different, like signature or something.
> In basic settings, "Release swap function" has placeholder 00-FF, are you sure I just run it without any value?

VCP instructions are in the mega folder which I think you had?

It’s been a while since I’ve done the OBD11 but 99% that you just leave it in place and choose active.

@fikaa73
fikaa73 commented Dec 21, 2020

> > @shadowswan I don't have hands on my car now, but will look for it tomorrow. That one makes sense, I'm looking just now for VCP instructions and that's the correct sequence of steps. Hope it will work :)
> > SWaP needs to be patched because this is a forced way to push SWaP codes, just like you would do with VCP. If you take a look, SWaP from the generator is the same for every car, it just differs for VCRN and VIN, but I think some other part should be different, like signature or something.
> > In basic settings, "Release swap function" has placeholder 00-FF, are you sure I just run it without any value?
>
> VCP instructions are in the mega folder which I think you had?
>
> It’s been a while since I’ve done the OBD11 but 99% that you just leave it in place and choose active.

Yep, it was in front of me the whole time, just like when I was looking for signed_exception_list.txt for 10 days and accidentally discovered I had it in the CP_OFF folder the whole time 😂 I'm really surprising myself sometimes..
Can't wait to get in the car to try it

@shadowswan

@fikaa73 enjoy!

@EvoSems
EvoSems commented Jan 3, 2021

> Security Access S12345 is just for VCDS. It doesn't send the code to the 5F unit. Instead it changes VCDS diagnostic session to EOL developer mode.
> If you are using VCDS then use SA S12345. If you have VCP or OBDeleven then just change diagnostic session.

Guys I'm having such a headache with VCP. I have installed it on many a laptop now and it just doesn't seem to function as the solution guide shows.

I've tried this on my Caddy 2013 and Polo GTI 2016. The options are just greyed out. I can find no real guide on how to use VCP so everything is just trial and error.

I load the VCP. I connect to the car (car running/car ignition on). I select More, type 5F manually, and it opens up the 5F panel. Now this screen is just wrong from any guide I see. The adaption button is greyed out, for one. I can select EOL from the drop down; it says changed session, but nothing happens and nothing changes. I have tried every sequence I can think of to get this functioning but nothing. None of the menus are populated with options etc.

Sec Access just plain refuses any login.

I am literally going mad trying to figure this out.

"ASAM nOK"? I have a feeling this may be related but I cannot find any info on how to fix or understand this issue.

Any help would be much appreciated.

All I want to do is enable performance monitor.

HNY

[image: IMG_0851]

@alexprojectGH

> Here is not really the place for all these questions, VCRN can be found in the enabled codes menu by selecting one of the codes.
> Have you got the mega link? You can find it easily online on mhh or CT forums and it answers all of this.
>
>   • I don't have third option in menu where FEC codes should be, only update and hmi tails. And yeah, I got mega links, updated my unit, patched swap.
>   • I ask so many questions because I really don't want to mess up anything, and also that info will 100% be useful for someone else.
>   • I'm stuck with signed_exception_list.txt and what's content of that file
>   • @mattcabb can you give me usable example of signed_exception_list.txt please?
>
> Edit: Passing signed_exception_list.txt with just signatures and no FEC codes activates all codes available. Problem solved, CarPlay activated

@fikaa73 Did you unlock the CarPlay? Can you help do that?

@fikaa73

fikaa73 commented Jan 17, 2021 via email

@alexprojectGH

Hi, yes, give me your email please

My email: [email protected]

Kind regards,
Filip Vukotić
FIST
20/106i


From: alexprojectGH [email protected]
Sent: Sunday, January 17, 2021 6:44:38 PM
To: mattcabb/mib2std-toolbox [email protected]
Cc: fikaa73 [email protected]; Mention [email protected]
Subject: Re: [mattcabb/mib2std-toolbox] Add support to dump the shadow file (#2)

> Here is not really the place for all these questions, VCRN can be found in the enabled codes menu by selecting one of the codes.
> Have you got the mega link? You can find it easily online on mhh or CT forums and it answers all of this.
>
>   • I don't have third option in menu where FEC codes should be, only update and hmi tails. And yeah, I got mega links, updated my unit, patched swap.
>   • I ask so many questions because I really don't want to mess up anything, and also that info will 100% be useful for someone else.
>   • I'm stuck with signed_exception_list.txt and what's content of that file
>   • @mattcabb can you give me usable example of signed_exception_list.txt please?
>
> Edit: Passing signed_exception_list.txt with just signatures and no FEC codes activates all codes available. Problem solved, CarPlay activated

@fikaa73 Did you unlock the CarPlay? Can you help do that?



@jado810301

Hello

What do I need to create the Swap codes??? Can anyone teach me or give me the right direction to find it?? I would like to upload this using ODIS, for Delphi modules.... thanks

@fikaa73
fikaa73 commented Feb 8, 2021

> Hello
>
> What do I need to create the Swap codes??? Can anyone teach me or give me the right direction to find it?? I would like to upload this using ODIS, for Delphi modules.... thanks

I think Delphi uses a modified feccontainer to activate FECs, but correct me if I'm wrong.
You need to extract it from the unit, edit it on a PC using whatthefec and upload it again.

@cuilh1016

@dnoermann Hello, my unit HW is 0359. According to what you said, I have modified these two places. The IP of my computer is set to 192.168.1.100, and the green menu is also opened with ODIS. However, telnet can't connect to my computer. Where else do I need to set or modify? Thank you very much
[image: pf conf]
[image: start]

@dnoermann

@cuilh1016 You need to modify startup to start telnetd

```
on -p 25 waitfor /net/J5
sleep 0.5

echo /net/J5/dev/ser1 "/bin/login -f root" qansi-m on > /tmp/ttys
/sbin/tinit -f /tmp/ttys &
/usr/sbin/telnetd -debug 23 &
```
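
A defender's check for the startup and enum lines quoted in this thread, as an added example that is not part of the thread or of the toolbox project: it scans a startup script or enum rules file taken from a firmware image for lines that open unauthenticated remote access. The rule names, the `audit` function and the sample text are assumptions made for this example; the sample lines are constructed from the ones quoted above.

```python
import re
from dataclasses import dataclass

# Rule names and patterns are choices made for this example, derived from the
# lines quoted in the thread; they are not an official or complete rule set.
RULES = [
    # "login -f" skips authentication: the session is handed out as root.
    ("forced-root-login", re.compile(r"\blogin\s+(?:-\S+\s+)*-f\s+root\b")),
    # tinit spawning terminals from a ttys file that lives in writable /tmp.
    ("tinit-from-tmp", re.compile(r"\btinit\s+.*-f\s+/tmp/")),
    # A telnet daemon started at boot (cleartext protocol).
    ("telnetd-started", re.compile(r"(?:^|[\s/])telnetd\b")),
    # Enum rules that bring up inetd or qconn when a USB NIC is attached.
    ("enum-requires-inetd", re.compile(r"\brequires\(\s*inetd\b")),
    ("enum-requires-qconn", re.compile(r"\brequires\(\s*qconn\b")),
]


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line number in the audited file
    rule: str      # name of the rule that matched
    text: str      # the active part of the line (comments removed)


def audit(text):
    """Return a Finding for every active (non-comment) line matching a rule."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Drop shell-style comments so disabled lines are not reported.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, rule, line))
    return findings


# Constructed sample: a startup script containing the lines quoted in the thread.
SAMPLE_STARTUP = """\
#!/bin/sh
# constructed sample for this example
slogger &
on -p 25 waitfor /net/J5
sleep 0.5
echo /net/J5/dev/ser1 "/bin/login -f root" qansi-m on > /tmp/ttys
/sbin/tinit -f /tmp/ttys &
/usr/sbin/telnetd -debug 23 &
# /usr/sbin/telnetd (commented out, must not be flagged)
"""

# Constructed sample: an excerpt of the enum rules quoted in the thread.
SAMPLE_ENUM = """\
device(usb, ven=2001,dev=3c05) # D-Link DUB-E100 big version
start(ifconfig ax0 192.168.1.4)
requires(inetd,)
requires(qconn,)
"""

if __name__ == "__main__":
    for name, sample in (("startup", SAMPLE_STARTUP), ("enum", SAMPLE_ENUM)):
        for f in audit(sample):
            print(f"{name}:{f.line_no}: {f.rule}: {f.text}")
```
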

@osiak809

part, my MIB2 unit stood on the update screen, does anyone have an idea to enter safe mode without a UART adapter
[image: received_4343329822379522]

@osiak809

I have obd eleven, but when I try to enter software updates in the basic settings, it pops up that the boundary conditions have not been met

@cvjensen

> On the ethernet card of the PC.
>
> I don't think it will go into emergency mode as it is in a constant boot loop.

Did you find a solution for this constantly looping device? I also have a ZR/Technisat that is looping.

@osiak809

Yes

@osiak809

I bought a USB UART and installed the firmware via emergency mode

@cvjensen

> I bought a USB UART and installed the firmware via emergency mode

Do you remember which MIB version you had?

@osiak809

0245T I installed version 467 and wifi threw me I wanted to install the wifi driver and that's why it stopped and I had to go back to 245T

@cvjensen

> 0245T I installed version 467 and wifi threw me I wanted to install the wifi driver and that's why it stopped and I had to go back to 245T

Can you remember which pins you used and which USB device for the serial connection?
I'm having a little trouble with some strange-looking outputs even though I've set the baud rate to 115200.
