Merge with MIB2-high toolbox?

[jilleb]

Hello :-) Great work, looking forward to this toolbox!!

Maybe we can merge our toolboxes, so we can have shared things like scripts/tweaks and such. It's possible to support multiple platforms with a single POI update distribution, like this:

|   metainfo2.txt
|
\---personalpoi
    +---MIB2DE
    |       metainfo2.txt
    |
    +---mib2high
    |   |   metainfo2.txt
    |   |
    |   \---personalpoi
    |       +---infofile
    |       |   \---0
    |       |       \---default
    |       |               Update.txt
    |       |
    |       \---package
    |           \---0
    |               \---default
    |                   |   bitmaps.xml
    |                   |   categories.pc
    |                   |   hashes.txt
    |                   |   lang_map.xml
    |                   |   poidata.db
    |                   |   strings_de-DE.xml
    |                   |   versions.xml
    |                   |
    |                   \---bitmaps
    |                           000_image.png
    |                           001_image.png
    |
    \---mib2tsd
        |   metainfo2.txt
        |
        \---personalpoi
            +---InfoFile
            |   \---1
            |       \---default
            |               Update.txt
            |
            \---ppoidb
                \---1
                    \---default
                        |   hashes.txt
                        |   poidata.db3
                        |
                        \---icon
                                000_image.png
                                001_image.png

with metainfo like this:

#################################################################################
#   
# This is the description file for the Software Update of Volkswagen components
#
#################################################################################

[common]
Vendor = "Volkswagen"
Variant = "FM?-H-*-*-*"
Variant2 = "17206"
Variant3 = "17207"
Variant4 = "37206"
Variant5 = "37207"
Variant6 = "47203"
Variant7 = "47204"
Variant8 = "17216"
Variant9 = "17217"
Variant10 = "37212"
Variant11 = "37213"
Variant12 = "47208"
Variant13 = "47209"
Variant14 = "17212"
Variant15 = "37208"
Variant16 = "47205"
Variant17 = "17222"
Variant18 = "47210"
Variant19 = "17210"
Variant20 = "17220"
Variant21 = "17245"
Variant22 = "17246"
Region = "Europe"
Region2 = "RoW"
Region3 = "USA"
MetafileChecksum = "232d798444ca274875adedd35900893b7a40c9e5"

[common_Release_1]
Name = "MIB 2 High Personal POI"
Path = "./PersonalPOI/MIB2HIGH"
Variant = "FM?-H-*-*-*"
Region = "Europe"
Region2 = "RoW"
Region3 = "USA"

[common_Release_2]
Name = "MIB 2 Standard Delphi Personal POI"
Path = "./PersonalPOI/MIB2DE"
Variant = "17245"
Variant2 = "17246"
Region = "Europe"
Region2 = "RoW"
Region3 = "USA"

[common_Release_3]
Name = "MIB 2 Standard TechniSat Personal POI"
Path = "./PersonalPOI/MIB2TSD"
Variant = "17206"
Variant2 = "17207"
Variant3 = "37206"
Variant4 = "37207"
Variant5 = "47203"
Variant6 = "47204"
Variant7 = "17216"
Variant8 = "17217"
Variant9 = "37212"
Variant10 = "37213"
Variant11 = "47208"
Variant12 = "47209"
Variant13 = "17212"
Variant14 = "37208"
Variant15 = "47205"
Variant16 = "17222"
Variant17 = "47210"
Variant18 = "17210"
Variant19 = "17220"
Region = "Europe"
Region2 = "RoW"
Region3 = "USA"

[Signature]
signature1 = "a7bb1ea31cb4da113c0f0bd0babbc453"
signature2 = "0c2b0b4458fbd1f21170f628a497bf16"
signature3 = "d9b0f37aa7fef5ef831cc979880aecff"
signature4 = "3d34c739cb000899483e35e8a0f15dba"
signature5 = "f0a9f4755a11f8d2ad40f20f73b2b0f8"
signature6 = "c0da8da8b39caad53ca0cbb9c2728688"
signature7 = "ec0580833f887f16e5f80ebb6dfa8bba"
signature8 = "0190b4953a7cfc91d4efc2b017f6e20a"

[mattcabb]

Hi, Sure! Seams like a great idea!

I'm just starting to figure out how to safely access filesystem of my MIB2Std. And since I don't have recovery tools for it yet - it's baby steps really.

You are far more experienced coder/hacker than I am. I'm not even sure which Variant number relates to 5F unit in my car. I believe that you also have better access to test devices (though MQB-C&R) and testers (though community around your toolbox).

By all means - if you see any value in what I have created, please use it as if it was your own. I'll be more than happy to see mib2-toolbox to be merged with mib2std-toolbox.

[jilleb]

❤️

Did you find a succesful way to install the custom .esd on the unit through the POI update?

On MIB2-high there are a few vulnerabilities that make it possible:

• POI update allows writing of ANY file onto the unit, by using the payload feature. However, they cannot be a script, because the copied file will not be executable (and there's no way to do chmod 777 during SWDL)
• leftovers from the development team: there's a script that imports files from a folder on SD, and does CHMOD 777 to each of the copied files.
• Green Engineering Menu can point to scripts in older folders than just the engdefs/scripts folder, which allows us to run anything that has been copied by the leftover script :-)

And then, on MIB1 High there was a vulnerability that allowed us to escape the POI folders by path traversal, with ../../ as path names for files. 😆 That was fixed on MIB2High, but not sure if it's still there on the STD ones.

[mattcabb]

No success yet...

BTW, have you seen this line? # VMOPTIONS="$VMOPTIONS -Dde.vw.mib.asl.internal.exlap.overrideSWaP" Not sure if it's interesting at all but the overrideSWaP got me excited 😃

[jilleb]

hmm that is looking interesting!! :-)

[hxigor]

For Technisat StdNav units there's a backdoor through onlineservices update. Works the same way as Jille's payload in MHI2 Toolbox. With some tweaking this could be a solution to enter these units. Unfortunately works only on nav units, doesn't work on StdPlus units.

[big-i-m]

Any new news on this

[Wolfillo]

I offer myself to test on a MIB STD2 5QA 035 846 A if there's a chance

[big-i-m]

No success yet...

BTW, have you seen this line? # VMOPTIONS="$VMOPTIONS -Dde.vw.mib.asl.internal.exlap.overrideSWaP" Not sure if it's interesting at all but the overrideSWaP got me excited

Any luck with this

[mattcabb]

No success yet... BTW, have you seen this line? # VMOPTIONS="$VMOPTIONS -Dde.vw.mib.asl.internal.exlap.overrideSWaP" Not sure if it's interesting at all but the overrideSWaP got me excited

Any luck with this

Not exactly. I believe that there are two ways of forcing MIB to accept FECs.

1. Replace FecContainer.fec with custom one and patch MIBRoot to skip signature validation of the file.
2. Insert _/tsd/etc/slist/signed_exceptionlist.txt and patch tsd.mibstd2.system.swap to skip signature validation of the file. For MIB2HIGH the file is /HBpersistence/FEC/Exceptionlist.txt

AFAIK the second method is using a mechanism developed to test SWaP features without valid FECs. Features will work but in hidden menu SWaP codes will remain not present at all.

[fikaa73]

No success yet... BTW, have you seen this line? # VMOPTIONS="$VMOPTIONS -Dde.vw.mib.asl.internal.exlap.overrideSWaP" Not sure if it's interesting at all but the overrideSWaP got me excited

Any luck with this

Not exactly. I believe that there are two ways of forcing MIB to accept FECs.

1. Replace FecContainer.fec with custom one and patch MIBRoot to skip signature validation of the file.
2. Insert _/tsd/etc/slist/signed_exceptionlist.txt and patch tsd.mibstd2.system.swap to skip signature validation of the file. For MIB2HIGH the file is /HBpersistence/FEC/Exceptionlist.txt

AFAIK the second method is using a mechanism developed to test SWaP features without valid FECs. Features will work but in hidden menu SWaP codes will remain not present at all.

What's file contents of signed_exception_list.txt?