Open Forever-Young opened 3 years ago
Afaik they secured 367 pretty well so there is no solution to gain access ATM. But there are no new features in comparison to 352, afaik. Just stay on 352! Sent you links via pm!
I'll try with 70.00.352B.
Meanwhile, I unzipped several versions I have.
56.00.513B, 70.00.352B, 70.00.367A - all those have a step `passwdupdate` with the logic:

70x:

```sh
# passwd needs updating everytime
cp /tmp/passwd /tmp/configtmp/passwd
```

but 56x:

```sh
if grep '^root:' /config-mfg/passwd ; then
    # passwd needs updating
    cp /tmp/passwd /tmp/configtmp/passwd
fi
```

version 55x didn't have `passwdupdate` (at least NA one, I don't have EU 55x)

56x has `cmu` and `user` in passwd file (which is being copied during the install)

70x only has `cmu` user

`cmu` hashes are all the same (56/70)

`user` hash is much simpler, without the salt part, so I guess it's the `jci` one.

Today, before the update (being on 56), I could log in as `user`, and `root` with pw `jci`, didn't try the `cmu` user.

I guess we could "lost" the password for `root` even before 70, but password updating script was faulty.

Also, 70x updates have `neutralizeid7` script:
```sh
LAST_MESSAGE='"ID7_Recovery_Scripts" is not found.'
TARGET_DIR="/mnt/data_persist/dev/bin"
CONF_FILE="autorun"
if [ -e "${TARGET_DIR}/${CONF_FILE}" ]; then
    echo '"ID7_Recovery_Scripts" is found, so that getting them disabled...'
    LAST_MESSAGE="completed."
fi
if [ -d ${TARGET_DIR} ] ; then
    cd ${TARGET_DIR}
    ${DEBUG} rm -rf 00-*
    ${DEBUG} rm -rf 01-*
    ${DEBUG} rm -f adb
    ${DEBUG} rm -f 99-*.autorun
    ${DEBUG} rm -f ${CONF_FILE}
fi
echo ${LAST_MESSAGE}
echo ls -al ${TARGET_DIR} ; ls -al ${TARGET_DIR}
exit 0
```
Regarding the ability to run commands during the update (I'm not sure if I would have it if I downgrade 367 -> 352), not sure where this is being specified (in install package).

I started john the ripper on that `cmu` hash, not sure if it has any sense.

from the console

```
Loaded 1 password hash (sha256crypt, crypt(3) $5$ [SHA256 128/128 SSE4.1 4x])
...
0g 0:00:39:37 3/3 0g/s 995.1p/s 995.1c/s 995.1C/s dwars2
```

I guess it means 995 passwords per second? (on macbook)
GPU (on some big AWS server) I guess would help, but I'm not sure if I'm using john in the right way.

Ah, and XX does password recovery (to `jci` I guess) among other things..

Seeing neutralizeid7 script contents and contents of `/mnt/data_persist/dev/bin` (headunit, websocketd)

I have a question (for ID7 solution author?) - `autorun` is a required name?
Is it being run somewhere in the firmware by absolute path (`/dev/bin/autorun` or something)? If not, maybe moving to `sbin` would help).
Or hooking to those 2 binaries in `dev/bin` - replacing with a script, starting `autorun` (renamed) and then starting real binary.
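An added example, not part of the original comments or of the firmware: a small audit helper that classifies the password field of a passwd-format file by crypt(3) scheme, the distinction drawn above between the `$5$` (sha256crypt) hash and the shorter one. The sample entries, salts and hashes are constructed placeholders; if the shorter hash is a traditional 13-character DES crypt value, its salt is carried as the first two characters.

```python
import re

# crypt(3) modular-format ids handled here; anything else is reported as "unknown".
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional DES crypt: 2-char salt + 11-char hash
WEAK = {"empty", "descrypt", "md5crypt"}

def classify_hash(field):
    """Return (scheme, salt) for the password field of one passwd/shadow entry."""
    if field == "":
        return ("empty", None)            # no password required at all
    if field == "x":
        return ("shadowed", None)         # real hash lives in the shadow file
    if field[0] in "*!":
        return ("locked", None)           # password login disabled
    if field.startswith("$"):
        parts = field.split("$")          # ['', id, ('rounds=N',) salt, hash]
        scheme = SCHEMES.get(parts[1], "unknown")
        rest = [p for p in parts[2:] if not p.startswith("rounds=")]
        salt = rest[0] if scheme != "unknown" and len(rest) == 2 else None
        return (scheme, salt)
    if DES_RE.match(field):
        return ("descrypt", field[:2])    # the salt is the first two characters
    return ("unknown", None)

def audit_passwd(text):
    """Classify every entry of a passwd-format file and flag weak schemes."""
    findings = []
    for line in text.splitlines():
        cols = line.strip().split(":")
        if len(cols) < 2 or cols[0].startswith("#"):
            continue
        scheme, salt = classify_hash(cols[1])
        findings.append({"user": cols[0], "scheme": scheme,
                         "salt": salt, "weak": scheme in WEAK})
    return findings

# Constructed sample entries (placeholder salts and hashes, not values from any firmware).
SAMPLE_PASSWD = "\n".join([
    "cmu:$5$rounds=5000$ExampleSalt$" + "B" * 43 + ":1000:1000::/home/cmu:/bin/sh",
    "user:abCDEFGHIJKLM:1001:1001::/home/user:/bin/sh",
    "svc:*:2:2::/:/bin/false",
])

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f)
```

Traditional DES crypt also uses only the first eight characters of the password, which is why it is flagged as weak here alongside md5crypt and empty fields.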
I'm 75 and over the hill for developing but in my yoof it was common to gain unofficial access to Garmin Aviation Map updates. We used a hex editor to change a flag (licensed or not) and then needed to re-adjust the checksum value in the file header before saving..

It strikes me that we have password access to .up files and can decompress them. The 1.7Gb for a firmware update is just too large to get one's head around but what about the gracenote update files? They have permission to execute and if some extra payload was added to the gracenote.up - checksum recalculated and set - it might be possible to return a serial connection.

There is an execute.ini file that seems ripe for tampering:-

```ini
[Settings]

[Instructions]
Count = 4
1 = Execute,"echo ========== Start deleting Gracenote related files =========="
2 = Execute,"rm -rf /tmp/media.db"
3 = Execute,"rm -rf /data/media.db"
4 = Execute,"rm -rf /data/natp/persistence/usbaudio_*"
```
@A-nglea but now it uses signatures to check the authenticity of the update..
Ok, I'll get my coat.
On Thu, 7 Oct 2021, 12:28 Anton Novosyolov, @.***> wrote:
> @A-nglea but now it uses signatures to check the authenticity of the update..
@bmos emailed to you
Hi, I just tried to install it for the first time, seems I'm also on 70.00.367 EU already. Can't login. @Forever-Young have you figured out a way to login?
Or is there a way to downgrade to 352B?
@acidicX yeah, I just downgraded. I can email you the link
Got it, thank you :)
@Forever-Young do you maybe also have the manual on how to downgrade? Or is it just copy to a FAT32 USB drive and plug it in?
The same manual as upgrade, do you have it?
On Sat, Nov 13, 2021, 7:44 PM Carsten @.***> wrote:
> @Forever-Young do you maybe also have the manual on how to downgrade? Or is it just copy to a FAT32 USB drive and plug it in?
@Forever-Young sadly not, no
thanks again :)
Hi gents! Do you think - is it possible to unpack the firmware, chroot into it, just set new password for cmu user and pack it again? And then go ahead with setup?
Updates are signed, so unless somebody would have a secret key to resign it, no, it's not possible. Or, patch the library that is doing the update to skip signature check..
On Mon, Nov 15, 2021 at 2:40 PM Andrii Holovan @.***> wrote:
> Hi gents! Do you think - is it possible to unpack the firmware, chroot into it, just set new password for cmu user and pack it again? And then go ahead with setup?
Hi everyone,
I have updated the CMU to 70.00.367 EU and am also interested in how to solve the issue mentioned above.
The `user` and `cmu` don't work with the pswd `jci`. In this case, the only way is to be downgraded to firmware 70.00.352B.
So, if somebody has a link for the mentioned firmware and a checksum, let me know, please.
Thanks a lot in advance!
@Nav1gatore send me an email
> @Nav1gatore send me an email
@Forever-Young just have sent
Hmm, I didn't get anything around that time. @.***
On Sun, Nov 28, 2021, 1:43 AM Nav1gatore @.***> wrote:
> @Nav1gatore send me an email
> @Forever-Young just have sent
Ok, I managed to find one. But I've got trouble with the install. So, I need advice on how to resolve the "Install Not Successful". I started the downgrade from FW 70.00.367 to 70.00.352 and used the same instruction as for FW...367. When the update had almost finished, at 99%, I got a screen with the message Install Not Successful: System failure.
So, the system keeps trying to finish the update process and does that in a permanent cycle without success.
Also, I was connected through the serial port and used the PuTTY console. The log, attached below, has some errors like this:
Jan 1 00:00:20 reflash_app: [000.00:00:20.643624670], REFLASH, 230, reflash_app, 230, Warn, reflash_ul.c, REFLASH_UL_WriteLog 496, Failed to flush the reflash log file "/mnt/data_persist/reflash/reflash.log", error = 28 (No space left on device)!
putty_log.txt
Also, a small video here about how it looks
Has somebody an idea how to resolve that issue or might be smd had the similar problem and knows how to fix it?
Thanks to all in advance!
So, the issue is fixed.
If briefly, it was necessary to clear the dumps folder using the next command:
# rm -rf ./tmp/mnt/data_persist/log/dumps/*
and then the update/downgrade process continued. All in all, the CMU wrote the message "Version 70.00.352 software install was successful".
By the next step the ID7_Recovery_XX scripts had been installed
# cp -r /mnt/sd*/XX/* /mnt/data_persist/dev/bin/
# chmod +x /mnt/data_persist/dev/bin/autorun
# /mnt/data_persist/dev/bin/autorun
So, the tweaks install, the SSH works! The AndroidAuto (AA) is possible to install but it doesn't start after the connection of mobile. It's probably closed or well-secured for FW 70.00.XXX. If somebody knows how to launch the AA using the mentioned FW, let me know, please.
@Nav1gatore - did you ever find a fix for getting AA on version 70.00.352 EU N ? Or any recommendations?
> @Nav1gatore - did you ever find a fix for getting AA on version 70.00.352 EU N ? Or any recommendations?
I tried to do that half year ago, but I didn't manage to find a fix for that time. So, probably, it could be available now.
Hi, my car was delivered with .352 installed (2019 model), running the files in XX won't work unfortunately. Seems I need to downgrade (or better said, re-install) 70.00.352 EU version. However, I can't find this anywhere (the ones for sale are either .367 or the 74.xx versions). Does anyone have a backup? Many thanks
@jwronken sent you an invite with a download link for 70.00.352 EU!
@konwin many many thanks!! Really appreciated
Hi all, same problem here. I am on version .367 and need to downgrade to 70.00.352 EU version. Can anyone provide this version? Many thanks
@farghc I bought the USB hub and didn't need to do the serial faff (Though installing the hub is still a bit of a faff...). The description on this AliExpress post contains a link to download the firmware too, which I've used in the past: https://a.aliexpress.com/_EJjvyOl
@alexhermon thank you very much. As I understand, I need to downgrade to 70.00.352 for using AIO Tweaks. The Version provided by AliExpress post (70.00.367) is already installed.
Can someone send me a 352 version compressed (shared password protected)? I can't find this version anywhere anymore.
> Can someone send me a 352 version compressed (shared password protected)? I can't find this version anywhere anymore.
If you see my profile email, please write me.
Hello

Before upgrading to 70, I checked the serial connection, and I could login using user/jci and root/jci

Using https://mazdatweaks.com/id7/ manual, I started upgrading to 70.00.367

Assuming:
means after the update but not restarting
I tried that, but console at that point only shows that system is awaiting restart

After the restart, only login is available, but `jci` password doesn't work anymore. Is there any other way to gain access (besides downgrading to 355 or whatever, right now I can only find firmware files for 100 and 367)?