Trevelopment / MZD-AIO

Desktop app for AIO
https://mazdatweaks.com

Serial solution doesn't work for 70.00.367 EU #135

Open Forever-Young opened 3 years ago

Forever-Young commented 3 years ago

Hello. Before upgrading to 70, I checked the serial connection, and I could log in using user/jci and root/jci. Using the https://mazdatweaks.com/id7/ manual, I started upgrading to 70.00.367. Assuming:

When the update is finished the text will stop completely. After the update is complete, copy & paste this command:

means after the update but not restarting

I tried that, but the console at that point only shows that the system is awaiting restart. After the restart, only login is available, but the jci password doesn't work anymore.

Is there any other way to gain access (besides downgrading to 355 or whatever, right now I can only find firmware files for 100 and 367)?

konwin commented 3 years ago

Afaik they secured 367 pretty well so there is no solution to gain access ATM. But there are no new features in comparison to 352, afaik. Just stay on 352! Sent you links via pm!

Forever-Young commented 3 years ago

I'll try with 70.00.352B.

Meanwhile, I unzipped several versions I have.

56.00.513B, 70.00.352B, 70.00.367A - all those have a step passwdupdate with the logic:

70x

# passwd needs updating everytime
cp /tmp/passwd /tmp/configtmp/passwd

but 56x:

if grep '^root:' /config-mfg/passwd ; then
    # passwd needs updating
    cp /tmp/passwd /tmp/configtmp/passwd
fi

version 55x didn't have passwdupdate (at least NA one, I don't have EU 55x)

56x has cmu and user in passwd file (which is being copied during the install)

70x only has cmu user

cmu hashes are all the same (56/70)

user hash is much simpler, without the salt part, so I guess it's the jci one.

Today, before the update (being on 56), I could log in as user, and root with pw jci, didn't try the cmu user.

I guess we could have "lost" the password for root even before 70, but the password updating script was faulty.

Also, 70x updates have a neutralizeid7 script:

LAST_MESSAGE='"ID7_Recovery_Scripts" is not found.'
TARGET_DIR="/mnt/data_persist/dev/bin"
CONF_FILE="autorun"

if [ -e "${TARGET_DIR}/${CONF_FILE}" ]; then
    echo '"ID7_Recovery_Scripts" is found, so that getting them disabled...'
    LAST_MESSAGE="completed."
fi

if [ -d ${TARGET_DIR} ] ; then
    cd ${TARGET_DIR}
    ${DEBUG} rm -rf 00-*
    ${DEBUG} rm -rf 01-*
    ${DEBUG} rm -f adb
    ${DEBUG} rm -f 99-*.autorun
    ${DEBUG} rm -f ${CONF_FILE}
fi

echo ${LAST_MESSAGE}
echo ls -al ${TARGET_DIR} ; ls -al ${TARGET_DIR}

exit 0

Regarding the ability to run commands during the update (I'm not sure if I would have it if I downgrade 367 -> 352), not sure where this is being specified (in install package).
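
To see which crypt(3) scheme each account in an extracted passwd file uses, as compared by hand above, here is an added example (not from the firmware or the MZD-AIO project). The sample entries, uids and hash strings are constructed, and treating the shorter `user` hash as traditional DES crypt is an assumption the thread does not confirm.

```python
import re

# crypt(3) modular-format ids -> (scheme, weak by current standards)
MODULAR = {
    "1": ("md5crypt", True),
    "5": ("sha256crypt", False),
    "6": ("sha512crypt", False),
    "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False),
    "y": ("yescrypt", False),
}
# Traditional DES crypt has no "$" fields: 2 salt chars + 11 hash chars.
DESCRYPT = re.compile(r"[./0-9A-Za-z]{13}")

def classify(field):
    """Return (scheme, weak) for the password field of a passwd/shadow line."""
    if field == "":
        return ("empty", True)            # login without a password
    if field == "x":
        return ("shadowed", False)        # hash lives in /etc/shadow
    if field[0] in "*!":
        return ("locked", False)          # no password login possible
    if field.startswith("$"):
        ident = field.split("$")[1]
        return MODULAR.get(ident, ("unknown-modular", True))
    if DESCRYPT.fullmatch(field):
        return ("descrypt", True)         # 8-char limit, 12-bit salt
    return ("unrecognised", True)

def audit(passwd_text):
    """Map each account name to (scheme, weak, uid)."""
    report = {}
    for line in passwd_text.splitlines():
        cols = line.strip().split(":")
        if len(cols) < 3 or cols[0].startswith("#"):
            continue
        report[cols[0]] = classify(cols[1]) + (cols[2],)
    return report

# Constructed sample: names, uids and hash strings are placeholders,
# not values taken from any firmware image.
SAMPLE = """\
cmu:$5$constructedsalt$PLACEHOLDERNOTAREALHASH:0:0::/:/bin/sh
user:ab0123456789.:1000:1000::/home/user:/bin/sh
daemon:*:1:1::/:/bin/false
"""

if __name__ == "__main__":
    for name, (scheme, weak, uid) in audit(SAMPLE).items():
        print(f"{name:8} uid={uid:5} {scheme:12} {'WEAK' if weak else 'ok'}")
```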

Forever-Young commented 3 years ago

I started john the ripper on that cmu hash, not sure if it makes any sense.

from the console

Loaded 1 password hash (sha256crypt, crypt(3) $5$ [SHA256 128/128 SSE4.1 4x])
...
0g 0:00:39:37  3/3 0g/s 995.1p/s 995.1c/s 995.1C/s dwars2

I guess it means 995 passwords per second? (on macbook)

GPU (on some big AWS server) I guess would help, but I'm not sure if I'm using john in the right way.

Forever-Young commented 3 years ago

Ah, and XX does password recovery (to jci I guess) among other things..

Forever-Young commented 3 years ago

Seeing neutralizeid7 script contents and contents of /mnt/data_persist/dev/bin (headunit, websocketd)

I have a question (for ID7 solution author?) - autorun is a required name?

Is it being run somewhere in the firmware by absolute path (/dev/bin/autorun or something)? If not, maybe moving to sbin would help.

Or hooking to those 2 binaries in dev/bin - replacing with a script, starting autorun (renamed) and then starting real binary.

A-nglea commented 3 years ago

I'm 75 and over the hill for developing but in my yoof it was common to gain unofficial access to Garmin Aviation Map updates. We used a hex editor to change a flag (licensed or not) and then needed to re-adjust the checksum value in the file header before saving..

It strikes me that we have password access to .up files and can decompress them. The 1.7Gb for a firmware update is just too large to get one's head around but what about the gracenote update files? They have permission to execute and if some extra payload was added to the gracenote.up - checksum recalculated and set - it might be possible to return a serial connection.

There is an execute.ini file that seems ripe for tampering:

[Settings]

[Instructions]
Count = 4
1 = Execute,"echo ========== Start deleting Gracenote related files =========="
2 = Execute,"rm -rf /tmp/media.db"
3 = Execute,"rm -rf /data/media.db"
4 = Execute,"rm -rf /data/natp/persistence/usbaudio_*"

Forever-Young commented 3 years ago

@A-nglea but now it uses signatures to check the authenticity of the update..
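
Why recomputing a checksum no longer helps once updates are signed, as an added example (not code from the firmware or the MZD-AIO project): the constructed `execute.ini`, the demo key and all function names are assumptions, and HMAC stands in for the vendor's asymmetric signature, whose scheme the thread does not state.

```python
import configparser, hashlib, hmac, zlib

# Constructed stand-in for an execute.ini like the one quoted above.
EXECUTE_INI = b'''[Settings]

[Instructions]
Count = 2
1 = Execute,"echo start"
2 = Execute,"rm -rf /tmp/media.db"
'''

VENDOR_KEY = b"constructed-demo-key"  # hypothetical; never present in a real update

def package(body, key):
    """Vendor side: attach an unkeyed checksum and a keyed authenticity tag."""
    return {"body": body,
            "crc32": zlib.crc32(body),
            "tag": hmac.new(key, body, hashlib.sha256).digest()}

def checksum_ok(pkg):
    # Integrity only: anyone can recompute this value after editing the body.
    return zlib.crc32(pkg["body"]) == pkg["crc32"]

def tag_ok(pkg, key):
    expected = hmac.new(key, pkg["body"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkg["tag"])

def instructions(pkg, key):
    """Installer side: parse Execute lines only after the tag verifies."""
    if not tag_ok(pkg, key):
        raise ValueError("update rejected: authenticity check failed")
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(pkg["body"].decode())
    sec = cp["Instructions"]
    return [sec[str(i)].split(",", 1)[1].strip('"')
            for i in range(1, sec.getint("Count") + 1)]

def modified_copy(pkg):
    """Body edited and checksum recomputed without the key; the tag cannot be redone."""
    body = pkg["body"].replace(b"Count = 2", b"Count = 3") + b'3 = Execute,"echo extra"\n'
    return {"body": body, "crc32": zlib.crc32(body), "tag": pkg["tag"]}

if __name__ == "__main__":
    good = package(EXECUTE_INI, VENDOR_KEY)
    bad = modified_copy(good)
    print(instructions(good, VENDOR_KEY))
    print("checksum passes:", checksum_ok(bad), "| tag passes:", tag_ok(bad, VENDOR_KEY))
```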

A-nglea commented 3 years ago

Ok, I'll get my coat.


Forever-Young commented 3 years ago

@bmos emailed to you

acidicX commented 3 years ago

Hi, I just tried to install it for the first time, seems I'm also on 70.00.367 EU already. Can't login. @Forever-Young have you figured out a way to login?

Or is there a way to downgrade to 352B?

Forever-Young commented 3 years ago

@acidicX yeah, I just downgraded. I can email you the link

acidicX commented 3 years ago

Got it, thank you :)

acidicX commented 3 years ago

@Forever-Young do you maybe also have the manual on how to downgrade? Or is it just copy to a FAT32 USB drive and plug it in?

Forever-Young commented 3 years ago

The same manual as upgrade, do you have it?


acidicX commented 3 years ago

@Forever-Young sadly not, no

acidicX commented 3 years ago

thanks again :)

aholovan commented 3 years ago

Hi gents! Do you think - is it possible to unpack the firmware, chroot into it, just set new password for cmu user and pack it again? And then go ahead with setup?

Forever-Young commented 3 years ago

Updates are signed, so unless somebody would have a secret key to resign it, no, it's not possible. Or, patch the library that is doing the update to skip signature check..


Nav1gatore commented 3 years ago

Hi everyone, I have updated the CMU to 70.00.367 EU and am also interested in how to solve the issue mentioned above. The user and cmu logins don't work with the password jci. In this case, the only way is to downgrade to firmware 70.00.352B. So, if somebody has a link for the mentioned firmware and a checksum, let me know, please. Thanks a lot in advance!

Forever-Young commented 3 years ago

@Nav1gatore send me an email

Nav1gatore commented 3 years ago

@Nav1gatore send me an email

@Forever-Young just have sent

Forever-Young commented 3 years ago

Hmm, I didn't get anything around that time. @.***


Nav1gatore commented 2 years ago

Ok, I managed to find one. But I've got trouble with the install, so I need advice on how to resolve the "Install Not Successful" error. I started the downgrade from FW 70.00.367 to 70.00.352 and used the same instructions as for FW...367. When the update had almost finished, at 99%, I got a screen with the message: Install Not Successful: System failure.

So, the system keeps trying to finish the update process in a permanent cycle without success. Also, I was connected through the serial port and used the PuTTY console. The log, attached below, has some errors like this:

Jan 1 00:00:20 reflash_app: [000.00:00:20.643624670], REFLASH, 230, reflash_app, 230, Warn, reflash_ul.c, REFLASH_UL_WriteLog 496, Failed to flush the reflash log file "/mnt/data_persist/reflash/reflash.log", error = 28 (No space left on device)!

putty_log.txt

Also, a small video here about how it looks.

Does somebody have an idea how to resolve that issue, or has somebody had a similar problem and knows how to fix it? Thanks to all in advance!

Nav1gatore commented 2 years ago

So, the issue is fixed. Briefly, it was necessary to clear the dumps folder using the following command:

# rm -rf ./tmp/mnt/data_persist/log/dumps/*

and then the update/downgrade process continued. All in all, the CMU wrote the message "Version 70.00.352 software install was successful".

As the next step, the ID7_Recovery_XX scripts were installed:

# cp -r /mnt/sd*/XX/* /mnt/data_persist/dev/bin/
# chmod +x /mnt/data_persist/dev/bin/autorun
# /mnt/data_persist/dev/bin/autorun

So, the tweaks install, the SSH works! Android Auto (AA) can be installed, but it doesn't start after connecting the mobile. It's probably closed or well-secured for FW 70.00.XXX. If somebody knows how to launch AA using the mentioned FW, let me know, please.

alexhermon commented 2 years ago

@Nav1gatore - did you ever find a fix for getting AA on version 70.00.352 EU N ? Or any recommendations?

Nav1gatore commented 2 years ago

@Nav1gatore - did you ever find a fix for getting AA on version 70.00.352 EU N ? Or any recommendations?

I tried to do that half year ago, but I didn't manage to find a fix for that time. So, probably, it could be available now.

jwronken commented 1 year ago

Hi, my car was delivered with .352 installed (2019 model), running the files in XX won't work unfortunately. Seems I need to downgrade (or better said, re-install) 70.00.352 EU version. However, I can't find this anywhere (the ones for sale are either .367 or the 74.xx versions). Does anyone have a backup? Many thanks

konwin commented 1 year ago

@jwronken sent you an invite with a download link for 70.00.352 EU!

jwronken commented 1 year ago

@konwin many many thanks!! Really appreciated

farghc commented 7 months ago

Hi all, same problem here. I am on version .367 and need to downgrade to 70.00.352 EU version. Can anyone provide this version? Many thanks

alexhermon commented 7 months ago

@farghc I bought the USB hub and didn't need to do the serial faff (Though installing the hub is still a bit of a faff...). The description on this AliExpress post contains a link to download the firmware too, which I've used in the past: https://a.aliexpress.com/_EJjvyOl

farghc commented 7 months ago

@alexhermon thank you very much. As I understand, I need to downgrade to 70.00.352 for using AIO Tweaks. The version provided by the AliExpress post (70.00.367) is already installed.

Visnitz commented 4 months ago

Can someone send me a 352 version compressed (shared password protected)? I can't find this version anywhere anymore.

Forever-Young commented 4 months ago

Can someone send me a 352 version compressed (shared password protected)? I can't find this version anywhere anymore.

If you see my profile email, please write me.