Serial solution doesn't work for 70.00.367 EU

[Forever-Young]

Hello Before upgrading to 70, I checked the serial connection, and I could login using user/jci and root/jci Using https://mazdatweaks.com/id7/ manual, I started upgrading to 70.00.367 Assuming:

When the update is finished the text will stop completely. After the update is complete, copy & paste this command:

means after the update but not restarting

I tried that, but console at that point only shows that system is awaiting restart After the restart, only login is available, but jci password doesn't work anymore.

Is there any other way to gain access (besides downgrading to 355 or whatever, right now I can only find firmware files for 100 and 367)?

[konwin]

Afaik they secured 367 pretty well so there is no sollution to gain access ATM. But there are no new features in comparison to 352, afaik. Just stay on 352! Sent you links via pm!

[Forever-Young]

I'll try with 70.00.352B.

Meanwhile, I unzipped several versions I have.

56.00.513B, 70.00.352B, 70.00.367A - all those have a step passwdupdate with the logic:

70x

# passwd needs updating everytime
cp /tmp/passwd /tmp/configtmp/passwd

but 56x:

if grep '^root:' /config-mfg/passwd ; then
    # passwd needs updating
    cp /tmp/passwd /tmp/configtmp/passwd

version 55x didn't have passwdupdate (at least NA one, I don't have EU 55x)

56x has cmu and user in passwd file (which is being copied during the install)

70x only has cmu user

cmu hashes are all the same (56/70)

user hash is much simpler, without the salt part, so I guess it's the jci one.

Today, before the update (being on 56), I could log in as user, and root with pw jci, didn't try the cmu user.

I guess we could "lost" the password for root even before 70, but password updating script was faulty.

Also, 70x updates has neutralizeid7 script:

LAST_MESSAGE='"ID7_Recovery_Scripts" is not found.'
TARGET_DIR="/mnt/data_persist/dev/bin"
CONF_FILE="autorun"

if [ -e "${TARGET_DIR}/${CONF_FILE}" ]; then
    echo '"ID7_Recovery_Scripts" is found, so that getting them disabled...'
    LAST_MESSAGE="completed."
fi

if [ -d ${TARGET_DIR} ] ; then
    cd ${TARGET_DIR}
    ${DEBUG} rm -rf 00-*
    ${DEBUG} rm -rf 01-*
    ${DEBUG} rm -f adb
    ${DEBUG} rm -f 99-*.autorun
    ${DEBUG} rm -f ${CONF_FILE}
fi

echo ${LAST_MESSAGE}
echo ls -al ${TARGET_DIR} ; ls -al ${TARGET_DIR}

exit 0

Regarding the ability to run commands during the update (I'm not sure if I would have it if I downgrade 367 -> 352), not sure where this is being specified (in install package).

[Forever-Young]

I started john the ripper on that cmu hash, not sure if it has any sense.

from the console

Loaded 1 password hash (sha256crypt, crypt(3) $5$ [SHA256 128/128 SSE4.1 4x])
...
0g 0:00:39:37  3/3 0g/s 995.1p/s 995.1c/s 995.1C/s dwars2

I guess it means 995 passwords per seconds? (on macbook)

GPU (on some big AWS server) I guess would help, but I'm not sure if I'm using john in the right way.

[Forever-Young]

Ah, and XX does password recovery (to jci I guess) among other things..

[Forever-Young]

Seeing neutralizeid7 script contents and contents of /mnt/data_persist/dev/bin (headunit, websocketd)

I have a question (for ID7 solution author?) - autorun is a required name?

Is it being run somewhere in the firmware by absolute path (/dev/bin/autorun or something)? If not, maybe moving to sbin would help).

Or hooking to those 2 binaries in dev/bin - replacing with a script, starting autorun (renamed) and then starting real binary.

[A-nglea]

I'm 75 and over the hill for developing but in my yoof it was common to gain unofficial access to Garmin Aviation Map updates. We used a hex editor to change a flag (licensed or not) and then needed to re-adjust the checksum value in the file header before saving..

It strikes me that we have password access to .up files and can decompress them. The 1.7Gb for a firmware update is just too large to get ones head around but what about the gracenote update files? They have permission to execute and if some extra payload was added to the gracenote.up - checksum recalculated and set - it might be possible to return a serial connection.

There is an execute.ini file that seem ripe for tampering:- [Settings]

[Instructions] Count = 4 1 = Execute,"echo ========== Start deleting Gracenote related files ==========" 2 = Execute,"rm -rf /tmp/media.db" 3 = Execute,"rm -rf /data/media.db" 4 = Execute,"rm -rf /data/natp/persistence/usbaudio_*"

[Forever-Young]

@A-nglea but now it uses signatures to check the authenticity of the update..

[A-nglea]

Ok, I'll get my coat.

On Thu, 7 Oct 2021, 12:28 Anton Novosyolov, @.***> wrote:

@A-nglea https://github.com/A-nglea but now it uses signatures to check the authenticity of the update..

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/Trevelopment/MZD-AIO/issues/135#issuecomment-937703482, or unsubscribe https://github.com/notifications/unsubscribe-auth/ANIE6OZTAIHLK3LKVKDCJQTUFV75LANCNFSM5EJGPF7A . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

[Forever-Young]

@bmos emailed to you

[acidicX]

Hi, I just tried to install it for the first time, seems I'm also on 70.00.367 EU already. Can't login. @Forever-Young have you figured out a way to login?

Or is there a way to downgrade to 352B?

[Forever-Young]

@acidicX yeah, I just downgraded. I can email you the link

[acidicX]

Got it, thank you :)

[acidicX]

@Forever-Young do you maybe also have the manual on how to downgrade? Or is it just copy to a FAT32 USB drive and plug it in?

[Forever-Young]

The same manual as upgrade, do you have it?

On Sat, Nov 13, 2021, 7:44 PM Carsten @.***> wrote:

@Forever-Young https://github.com/Forever-Young do you maybe also have the manual on how to downgrade? Or is it just copy to a FAT32 USB drive and plug it in?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/Trevelopment/MZD-AIO/issues/135#issuecomment-968097467, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAF7GVAD7EB3TAIU3S242M3UL2IX5ANCNFSM5EJGPF7A .

[acidicX]

@Forever-Young sadly not, no

[acidicX]

thanks again :)

[aholovan]

Hi gents! Do you think - is it possible to unpack the firmware, chroot into it, just set new password for cmu user and pack it again? And then go ahead with setup?

[Forever-Young]

Updates are signed, so unless somebody would have a secret key to resign it, no, it's not possible. Or, patch the library that is doing the update to skip signature check..

On Mon, Nov 15, 2021 at 2:40 PM Andrii Holovan @.***> wrote:

Hi gents! Do you think - is it possible to unpack the firmware, chroot into it, just set new password for cmu user and pack it again? And then go ahead with setup?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/Trevelopment/MZD-AIO/issues/135#issuecomment-968824736, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAF7GVBYGCFKUIPOX2QWW7DUMDWQ7ANCNFSM5EJGPF7A .

[Nav1gatore]

Hi everyone, I have made an update the CMU to 70.00.367 EU and also interested how to solve that issue mentioned above? The user and cmu doesn't work with the pswd jci. In this case, the only way is to be downgraded to firmware 70.00.352B. So, if somebody has a link for the mentioned firmware and a checksum, let me know, please. Thanks a lot in advance!

[Forever-Young]

@Nav1gatore send me an email

[Nav1gatore]

@Nav1gatore send me an email

@Forever-Young just have sent

[Forever-Young]

Hmm, I didn't get anything around that time. @.***

On Sun, Nov 28, 2021, 1:43 AM Nav1gatore @.***> wrote:

@Nav1gatore https://github.com/Nav1gatore send me an email

@Forever-Young https://github.com/Forever-Young just have sent

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/Trevelopment/MZD-AIO/issues/135#issuecomment-980801627, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAF7GVC55DNIYOWLDQ3YYRTUOFNKJANCNFSM5EJGPF7A .

[Nav1gatore]

Ok, I managed to find one. But I've got a trouble with install. So, need an advice how to resolve the "Install Not Successful". I started the downgrade from FW 70.00.367 to 70.00.352 and used the same instruction as for FW...367. When the update had almost been finished, at the point 99%, I got the screen with the message like that Install Not Successful: System failure.

So, the system is trying to get a finish of the update process and doing that in a permanent cycle without success. Also, I was connected through the serial port and used the putty's console. The log, attached bellow, has some errors like that Jan 1 00:00:20 reflash_app: [000.00:00:20.643624670], REFLASH, 230, reflash_app, 230, Warn, reflash_ul.c, REFLASH_UL_WriteLog 496, Failed to flush the reflash log file "/mnt/data_persist/reflash/reflash.log", error = 28 (No space left on device)! putty_log.txt Also, a small video here about how it looks Has somebody an idea how to resolve that issue or might be smd had the similar problem and knows how to fix it? Thanks to all in advance!

[Nav1gatore]

So, the issue is fixed. If briefly, it was necessary to clear the dumps folder using the next command: # rm -rf ./tmp/mnt/data_persist/log/dumps/* and than the update/downgrade process had been continued. All in all, the CMU wrote the message "Version 70.00.352 software install was successful".

By the next step the ID7_Recovery_XX scripts had been installed # cp -r /mnt/sd*/XX/* /mnt/data_persist/dev/bin/ # chmod +x /mnt/data_persist/dev/bin/autorun # /mnt/data_persist/dev/bin/autorun

So, the tweaks installs, the SSH works! The AndroidAuto (AA) is possible to install but it doesn't start after the connection of mobile. It's probably closed or well-secured for FW 70.00.XXX If somebody knows how to lunch the AA using the mentioned FW, let me know, please.

[alexhermon]

@Nav1gatore - did you ever find a fix for getting AA on version 70.00.352 EU N ? Or any recommendations?

[Nav1gatore]

@Nav1gatore - did you ever find a fix for getting AA on version 70.00.352 EU N ? Or any recommendations?

I tried to do that half year ago, but I didn't manage to find a fix for that time. So, probably, it could be available now.

[jwronken]

Hi, my car was delivered with .352 installed (2019 model), running the files in XX won't work unfortunately. Seems I need to downgrade (or better said, re-install) 70.00.352 EU version. However, I can't find this anywhere (the one's for sale are either .367 or the 74.xx versions). Does anyone have a backup? Many thanks

[konwin]

@jwronken sent you an invite with a download link for 70.00.352 EU!

[jwronken]

@konwin many many thanks!! Really appreciated

[farghc]

Hi all, same problem here. I am on version .367 and need to downgrade to 70.00.352 EU version. Can anyone provide this version? Many thanks

[alexhermon]

@farghc I bought the USB hub and didn't need to do the serial faff (Though installing the hub is still a bit of a faff...). The description on this AliExpress post contains a link to download the firmware too, which I've used in the past: https://a.aliexpress.com/_EJjvyOl

[farghc]

@alexhermon thank you very much. As i understand, i need to downgrade to 70.00.352 for using AIO Tweaks. The Version provided by AliExpress post (70.00.367) is already installed.

[Visnitz]

Can someone send me a 352 version compressed (shared password protected)? I can't find this version anywhere anymore.

[Forever-Young]

Can someone send me a 352 version compressed (shared password protected)? I can't find this version anywhere anymore.

If you see my profile email, please write me.