-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support to dump the shadow file #2
Comments
Nothing yet. Due to lockdown I had to put most of things on hold for now. Hope to get back to the hack soon. |
Hello Jannik, im am also trying to get inside the MIB2STD and im building a testing station at home. I am also interested in exchanging some information about this topic. I heard there is also a serial connection in the quadlock connector but i dont know if this is only on a HIGH device or also on a STD device. What tools you use exactly to establish a telnet connection? Best regards |
The MIB2STD does not have Telnet enabled by default and currently the only way to enable it is writing on the bench. Either by soldering or using (what I prefer) BDM. You need to add the following line to the file /fs/hd1-qnx6/tsd/bin/system/startup I never heard about a serial connection on the quadlock, do you have any sources? |
Where have you found that setting? It looks like mine doesn't have that. I have a Skoda Technisat MST2Nav unit. We have to be careful because the MIB2STD unit with the same partnumber is manufactured by two different manufacturers (Technisat and Delphi). So maybe we have to split the toolbox since they both work very different. I think the pinout is from a Porsche PCM 4.0 which is manufactured by Harman/Becker. These are both very different units. |
you need to activate the developing mode (Entlicklermodus) on the MIB, it can be done with VCDS or OBDeleven. After that you need to hold the MENU Button a couple of seconds and you are in the Service Mode. Now after enabling the developing mode you need to see there a function called "Test mode" and there you have this Trace Functions Yes the Delphi Units are different. I also heard that they are not so good for retrofitting and unlocking. the MIB2 HIGH Units are also from Harman. So maybe they have the same Quadlock Pinout like the Porsche Units. |
Found it, thanks. I was always looking in the green menu. Porsche PCM and MIB2 HIGH are nearly the same. Both from Harman and can be patched the same way. So I think the pinout is also the same. I'm currently not up-to-date: Is it possible to upload custom green menus already? |
Hello. I want to study the mib2std Technisat file system. I tried connecting via uart. Unsuccessfully. Technisat does not have a sequential shell. I want to try using telnet. Can you tell me what BDM is? I want to activate telnet. |
You're right, Technisat does not have a serial shell. What you need to do is to read the EMMC chip, activate telnet and flash the whole system back to the chip. As described in this this guide: https://forum.xda-developers.com/general/connected-car/success-to-hack-technisat-mib2-t3584185 BDM can be used instead of soldering. You need BDM probes to connect directly to the circuit board. Here some pictures: https://www.dhresource.com/0x0s/f2-albu-g9-M00-38-BB-rBVaWFwHnM-AICmuAAFDktohDAA328.jpg |
Thanks. If necessary, I can share the instructions for mib2 High. There are root passwords for different firmware and instructions on how to work with fec/swap |
How did yoy active telnet ? ... inetd ? |
... /etc/system/enum/devices/net ;) device(usb, ven=2001,dev=3c05) # D-Link DUB-E100 big version device(usb) |
Are these the working USB to LAN Interface Adapter for MIB2 STD/HIGH? |
... its from PQ unit you have to try it on MIB2 STD/HIGH I have any to test ;) |
Okay, then i will look forward to buy one of these USB to LAN Adapters and then i can check if i can get a telnet promt. are there some special subnet and ip adress static settings i need to set for this network adapter? i dont think the MIB2 will host a DHCP |
You need to enable it in the green menu. Then you can connect with D-Link. You can read off the required network settings in the green menu. |
I am able to connect via D-Link (192.168.1.4) but only on few ports then I can see logs but connection on port 23 is refused, there is another network 10.X.x.x did you get "login" promt on 192.... or 10... ? |
Okay, thanks for the information, i will look in the GEM for that IP Settings and i ordered a D-Link DUB-E100 USB to LAN adapter, the smaller black version. |
You need to connect to port 23 and need the following adapter settings:
By the way, does anyone have experience recovering Delphi units? I bricked mine today with a invalid SWaP File. |
... sorry for the question are the D-Link settings or the ethernet card in the computer? |
... you have to find the way tu put this unit in "emrgency mode" then reflash it with software already installed |
On the ethernet card of the PC. I don't think it will go into emergency mode as it is in a constant boot loop. |
Thanks, and you login on address displayed in green menu e.g in my unit 192.168.1.4 ?
it doesn't matter, you can always turn on emergency mode, even if the unit is working properly, you just need to know how... |
Yes, exactly. Login is root and there is no password, just press enter. @yox2019 Do you know how to enter emergency mode? It seems to be the last chance for this unit before it needs soldering. |
... no, unfortunately but I think it have to be similar as Technisat any way you need terminal connection usb/uart and putty to be able put this unit in emergency mode |
Do you talk about Technisat or Delphi? |
you have ZR devices from Techniat (Preh) / Delphi / Harman and PQ devices from Technisat. I think the ZR devices from Technisat are to handle the same as the PQ devices. Im waiting for this USB to LAN Adapter from ebay, so i can also test the Telnet function on my Preh device i heard the Delphi Devices are not so hacking-friendly but i cannot proove if this is true. i have a productive Technisat/Preh MIB2 in my Car and a test-device from technisat (without Navigation) for testing purposes. but for my test desk i still need som wiring stuff to connect the MIB2 with the ABT (single wires, HSD cable, plugs, etc...) does anyone know how the component protection is going ON, when you use a MIB2 without CAN communication? Running time? Boot counter? |
Having a problem with security on a polo gti 6C. With VCDS security code is S12345 I tried S12345 as well as 20103 I’ve tried this on 2 MIB units on the same car. I am a little new to VCP. my process is as follows. (Let me know if this is correct.) Load Program. |
Did you try first security access then eol? |
Security Access S12345 is just for VCDS. It doesn't send the code to the 5F unit. Instead it changes VCDS diagnostic session to |
Oh I am using VCP. Maybe I am doing the process wrong. I can’t seem to find any videos on using the vcp interface yet. So I’m a bit trial and error each time. I’m assuming once the code is entered correct I can open EOL. If I select it now. Nothing happens. Thanks for the guidance chaps. |
@shadowswan check this out |
That’s the wrong place, will look tomorrow but it’s something like transmit code, you put the code in and then You run the release which is the one you are in there EDIT: its under adaptation and is ‘transfer of release code for a swap function’ paste code in there and then go back to the one you had and change it to active. |
@shadowswan so the procedure for OBDeleven is: Is that correct? |
Almost, for the release of swap function you just change it to active and save that. Obviously the swap file and the swdownload need to have been patched first for it to accept it |
@shadowswan system.swap needs to be patched to ignore the signature. |
Sorry you are correct I was thinking of software update too. @fikaa73 is it working now? |
@shadowswan I don't have hands on my car now, but will look for it tomorrow. That one makes sense, I'm looking just now for VCP instructions and that's correct sequence of steps. Hope it will work :) @mattcabb thank you for looking into this too, and explaining how patches work :) |
VCP instructions are in the mega folder which I think you had? It’s been a while since I’ve done the OBD11 but 99% that you just leave it place and choose active. |
Yep, was in front of me whole time, just like when I was looking for signed_exception_list.txt for 10 days and accidentally discovered I had it in CP_OFF folder whole time 😂 I'm really surprising myself sometimes.. |
@fikaa73 enjoy! |
Guys I'm having such a headache with VCP. I have installed it on many a laptop now and it just doesn't seem to function as the solution guide shows. I've tried this on my caddy 2013 and polo gti 2016. the options are just greyed out. I can find no real guide on how to use vcp so everything is just trial and error. I load the VCP. I connect to car. (car running/car ignition on) I select more. type manually 5F and it opens up the 5F panel. now this screen is just wrong from any guide I see. the adaption button is greyed out for one.I can select EOL from the drop down it says changed session. but nothing happens and nothing changes. I have tried every sequence I can think of to get this functioning but nothing. none of the menus are populated with options etc. Sec Access. just plain refuses any login. I am literally going mad trying to figure this out. "ASAM nOK" ? I have a feeling this maybe related but I cannot find any info how to fix or understand this issue. any help would be much appreciated. all I want to do is enable performance monitor. HNY |
@fikaa73 Did you unlock the CarPlay? Can you help do that? |
Hi, yes, give me your email please
Srdačan pozdrav,
Filip Vukotić
FIST
20/106i
…________________________________
From: alexprojectGH <[email protected]>
Sent: Sunday, January 17, 2021 6:44:38 PM
To: mattcabb/mib2std-toolbox <[email protected]>
Cc: fikaa73 <[email protected]>; Mention <[email protected]>
Subject: Re: [mattcabb/mib2std-toolbox] Add support to dump the shadow file (#2)
Here is not really the place for all these questions, VCRN can be found in the enabled codes menu by selecting one of the codes.
Have you got the mega link? You can find it easily online on mhh or CT forums and it answers all of this.
* I don't have third option in menu where FEC codes should be, only update and hmi tails. And yeah, I got mega links, updated my unit, patched swap.
* I ask so many questions because I really don't want to mess up anything, and also that info will 100% be useful for someone else.
* I'm stuck with signed_exception_list.txt and what's content of that file
* @mattcabb<https://github.com/mattcabb> can you give me usable example of signed_exception_list.txt please?
Edit:Passing signed_exception_list.txt with just signatures and no FEC codes activates all codes available. Problem solved, CarPlay activated
@fikaa73<https://github.com/fikaa73> Did you unlock the CarPlay? Can you help do that?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#2 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ARHQPTF4C2H7UBXJPXBTJ5DS2MOYNANCNFSM4LW5EU2A>.
|
My email: [email protected]
|
Hello What do i need to create the Swap codes??? do anyone teach me or give a right direction to find it?? I would like to upload thios using ODIS, fpor Delphi modules.... thanks |
I think delphi uses modified feccontainer to activate fecs, but correct me if i'm wrong |
@dnoermann hello,my unit HW is 0359. According to what you said, I have modified these two places. The IP of my computer is set to 192.168.1.100, and green menu is also opened with ODIS. However, telnet can't connect to my computer. Where else do I need to set or modify? Thank you very much |
@cuilh1016 You need to modify startup to start telnetd on -p 25 waitfor /net/J5 echo /net/J5/dev/ser1 "/bin/login -f root" qansi-m on > /tmp/ttys |
I have obd eleven, but when I try to enter software updates in the basic settings, it pops up that the boundary conditions have not been met |
Did you find a solution on this constant looping device ? I also have a ZR/Technisat that are looping. |
Yes |
i bought a usb UART and installed the firmware via emergency mode |
Do you remember which MIB version you had? |
0245T I installed version 467 and wifi threw me I wanted to install the wifi driver and that's why it stopped and I had to go back to 245T |
Can you remember which pins you used and which usb device for the serial connection? |
Have you already had success reading the shadow file?
I am currently trying to access the MIB via Telnet. I can connect, but I don't have the root password.
Unfortunately I can't contact you anywhere. If you are interested in exchanging information I would be happy if you send me an email to jannik.uhlmann(at)icloud.com.
I am currently working on reverse engineering the FEC/SWaP system of Technisat.
The text was updated successfully, but these errors were encountered: