Open jannikuhl opened 4 years ago
Nothing yet. Due to lockdown I had to put most of things on hold for now. Hope to get back to the hack soon.
Have you already had success reading the shadow file?
I am currently trying to access the MIB via Telnet. I can connect, but I don't have the root password.
Unfortunately I can't contact you anywhere. If you are interested in exchanging information I would be happy if you send me an email to jannik.uhlmann(at)icloud.com.
I am currently working on reverse engineering the FEC/SWaP system of Technisat.
Hello Jannik,
I'm also trying to get inside the MIB2STD and I'm building a testing station at home. I am also interested in exchanging some information about this topic. I heard there is also a serial connection in the quadlock connector, but I don't know if this is only on a HIGH device or also on a STD device. What tools do you use exactly to establish a telnet connection?
Best regards
The MIB2STD does not have Telnet enabled by default and currently the only way to enable it is writing on the bench. Either by soldering or using (what I prefer) BDM. You need to add the following lines to the file /fs/hd1-qnx6/tsd/bin/system/startup
echo ser1 "/bin/login -f root" qansi-m on > /tmp/ttys
/sbin/tinit -f /tmp/ttys &
I never heard about a serial connection on the quadlock, do you have any sources? It is also possible to inject patched binary files as a software update.
Found this in test mode.
"Serial" might be related to the quadlock (B:J5_TX, B:J5_RX)
Yes, that's the serial connection I heard about after a longer googling session about that stuff. But this pin-out in your picture is from a label on a MIB2 HIGH device, so I don't know if there is also a serial connection on a MIB2 STD device on these pins 3 and 9. I also read that you need pin 7 for the serial connection, for the GND.
Do you know what the Pins 11 "ESO C3_TX" and 12 "ESO C3_RX" are on the A Part of the Quadlock Connector?
Where have you found that setting? It looks like mine doesn't have that. What units do you guys have exactly?
I have a Skoda Technisat MST2Nav unit.
We have to be careful because the MIB2STD unit with the same part number is manufactured by two different manufacturers (Technisat and Delphi). So maybe we have to split the toolbox since they both work very differently.
I think the pinout is from a Porsche PCM 4.0 which is manufactured by Harman/Becker. These are both very different units.
You need to activate the developer mode (Entwicklermodus) on the MIB; it can be done with VCDS or OBDeleven. After that you need to hold the MENU button for a couple of seconds and you are in the Service Mode. Now, after enabling the developer mode, you should see there a function called "Test mode", and there you have these Trace functions.
Yes the Delphi Units are different. I also heard that they are not so good for retrofitting and unlocking.
The MIB2 HIGH units are also from Harman. So maybe they have the same quadlock pinout as the Porsche units.
Found it, thanks. I was always looking in the green menu.
Porsche PCM and MIB2 HIGH are nearly the same. Both from Harman and can be patched the same way. So I think the pinout is also the same.
I'm currently not up-to-date: Is it possible to upload custom green menus already? Anyone tried it the same way it works on MIB2 high?
Hello. I want to study the mib2std Technisat file system. I tried connecting via UART. Unsuccessfully. Technisat does not have a serial shell. I want to try using telnet. Can you tell me what BDM is? I want to activate telnet.
You're right, Technisat does not have a serial shell. What you need to do is to read the eMMC chip, activate telnet and flash the whole system back to the chip. As described in this guide: https://forum.xda-developers.com/general/connected-car/success-to-hack-technisat-mib2-t3584185
BDM can be used instead of soldering. You need BDM probes to connect directly to the circuit board. Here some pictures:
https://www.dhresource.com/0x0s/f2-albu-g9-M00-38-BB-rBVaWFwHnM-AICmuAAFDktohDAA328.jpg
Thanks. If necessary, I can share the instructions for mib2 High. There are root passwords for different firmware and instructions on how to work with fec/swap
How did you activate telnet? ... inetd?
... /etc/system/enum/devices/net ;)
device(usb, ven=2001,dev=3c05) # D-Link DUB-E100 big version
device(usb, ven=2001,dev=1a02) # D-Link DUB-E100 small version
device(usb, ven=0b95,dev=772b) # Edimax EU-4208 small version
device(usb, ven=0b95,dev=7720) # Edimax EU-4207 big version
device(usb, ven=0b95,dev=1780) # DELOCK 61969 USB 2.0 Gigabit LAN Adapter
    waitfor(/dev/socket)
    driver (mount -Tio-pkt -o "verbose,phy_check,busnum=$(busno),devnum=$(devno)" devnp-asix.so)
    start/wait(if_up -p ax0)
    start(ifconfig ax0 192.168.1.4)
    requires(inetd,)
    requires(qconn,)
device(usb)
    echo("No match found for device ven=$(ven), dev=$(dev), class=$(class), busno=$(busno), devno=$(devno), cfg=$(cfg), iface=$(iface), msven=$(msven), mscomp=$(mscomp), mssubcomp=$(mssubcomp)" )
device(usb, ven=2001,dev=3c05) # D-Link DUB-E100 big version device(usb, ven=2001,dev=1a02) # D-Link DUB-E100 small version device(usb, ven=0b95,dev=772b) # Edimax EU-4208 small version device(usb, ven=0b95,dev=7720) # Edimax EU-4207 big version device(usb, ven=0b95,dev=1780) # DELOCK 61969 USB 2.0 Gigabit LAN Adapter
Are these the working USB to LAN Interface Adapter for MIB2 STD/HIGH?
... it's from a PQ unit, you have to try it on MIB2 STD/HIGH, I haven't any to test ;) ... do you have a telnet connection with a "login" prompt?
Okay, then I will look forward to buying one of these USB to LAN adapters and then I can check if I can get a telnet prompt. Are there some special subnet and static IP address settings I need to set for this network adapter? I don't think the MIB2 will host a DHCP server.
You need to enable it in the green menu. Then you can connect with D-Link. You can read off the required network settings in the green menu.
I am able to connect via D-Link (192.168.1.4), but only on a few ports; then I can see logs, but the connection on port 23 is refused. There is another network, 10.x.x.x. Did you get the "login" prompt on 192.... or 10...?
Okay, thanks for the information. I will look in the GEM for those IP settings, and I ordered a D-Link DUB-E100 USB to LAN adapter, the smaller black version.
You need to connect to port 23 and need the following adapter settings:
- IP: 192.168.1.100
- Subnet: 255.255.255.0
... sorry for the question, are these the D-Link settings or the ethernet card in the computer?
By the way, does anyone have experience recovering Delphi units? I bricked mine today with an invalid SWaP file.
... you have to find the way to put this unit in "emergency mode", then reflash it with the software already installed
On the ethernet card of the PC.
I don't think it will go into emergency mode as it is in a constant boot loop.
Thanks, and you login on address displayed in green menu e.g in my unit 192.168.1.4 ?
it doesn't matter, you can always turn on emergency mode, even if the unit is working properly, you just need to know how...
Yes, exactly. Login is root and there is no password, just press enter.
@yox2019 Do you know how to enter emergency mode? It seems to be the last chance for this unit before it needs soldering.
... THX, I will try, but I'm afraid in the PQ unit it won't work
... no, unfortunately, but I think it has to be similar to Technisat. Anyway, you need a terminal connection (USB/UART) and PuTTY to be able to put this unit in emergency mode
Do you talk about Technisat or Delphi? uart does only work on Delphi and Harman units. Technisat does not have any serial port open, you need to read the emmc, e.g. using BDM. There is currently no other option. PQ is Technisat.
You have ZR devices from Technisat (Preh) / Delphi / Harman and PQ devices from Technisat. I think the ZR devices from Technisat are to be handled the same as the PQ devices. I'm waiting for this USB to LAN adapter from ebay, so I can also test the telnet function on my Preh device.
I heard the Delphi devices are not so hacking-friendly, but I cannot prove if this is true.
I have a productive Technisat/Preh MIB2 in my car and a test device from Technisat (without navigation) for testing purposes. But for my test desk I still need some wiring stuff to connect the MIB2 with the ABT (single wires, HSD cable, plugs, etc...)
Does anyone know how component protection gets turned ON when you use a MIB2 without CAN communication? Running time? Boot counter?
It doesn't work like I thought, and that's why:
start(ifconfig ax0 192.168.1.4)
requires(inetd,)
requires(qconn,)
I'm talking about Technisat PQ unit ;)
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.05.09 13:07:04 =~=~=~=~=~=~=~=~=~=~=~=
-Welcome to TechniBoot-
SVN Rev: 490068 - Jun 18 2015 / 16:46:28
Variant: PQ stdNav 2GB LPDDR3
CAAM: CAAM_CSTA 0x00000202 - trusted Mode
CAAM: init -> ok
CAAM: open already instantiation ring 0!
CAAM: open ok
Image verified
CAAM: clock 0x00018D00
type=00000004, cksum=00009803, address=10800000, length=002EE9CC
type=00000006, cksum=00000006, address=10800000, length=00000000
iMX6.QNX.LoadImage.ready: 0x13107EAD
Enabling only 2 CPUs
L2 cache enabled
CPU0: L1 Icache: 1024x32
CPU0: L1 Dcache: 1024x32 WB
CPU0: VFP-d32 FPSID=41033094
CPU0: NEON MVFR0=10110222 MVFR1=01111111
CPU0: 412fc09a: Cortex A9 MPCore rev 10 996MHz
Board version: PQ/6 v12
Detected i.MX6 Dual/Quad, revision TO1.5
device(usb, ven=2001,dev=1a02) # D-Link DUB-E100 small version device(usb, ven=0b95,dev=1780) # DELOCK 61969 USB 2.0 Gigabit LAN Adapter
I got these two adapters and tried to get a LAN connection between my notebook and the MIB2 STD ZR (VW, Preh, H41, SW0478).
I was in the debug settings in the GEM and there are IP addresses listed, but I was not able to get a connection. The last IP address in the list was not readable completely and only appeared when the USB to LAN adapter was connected, and the MIB2 was not pingable.
Maybe somebody has some hints?
Thanks
You cannot connect to a Technisat (ZR) MIB2 with these adapters. You need to read the eMMC and enable Telnet, as I have described above.
Do you have an emmc Pinout ?
what do you mean "enable telnet"? I am able to read emmc but as I asked before how do you think "enable telnet"?
You don't understand anything. You have already been told several times. To use telnet, you must first activate the shell.
https://forum.xda-developers.com/general/connected-car/success-to-hack-technisat-mib2-t3584185 Read the first post
In this XDA Forum Post, it is described how to activate a SERIAL shell. Serial and Telnet is not the same.
Until you have either a serial connection or a telnet connection.
You are wrong. I understand, and I repeat it again: even if you get a shell, you will not be able to log in via telnet, at least in the Technisat PQ unit.
I won't argue with you. Try again, but you are not going in the right direction. Telnet will work. This is evidenced by the facts.
- jannikuhl wrote about this at the very beginning.
- I communicated with a hacker. He said it was free. This solution works. And offered a paid solution (500 euro). Software package
... oo yes;))) How about I have a unit with an unlocked console and telnet does not work? ;) Do you want "shadow" file and "passwd"?
Here you are:
passwd:
root:x:0:0:Superuser:/:/bin/sh
ftp::0:0:FTP User:/:/bin/sh
mdnsd:x:16:7:mdnsd:/nonexistent:/bin/false
shadow:
root:UGCfzJmLNga36:98:0:0
... and now give me the telnet port where I can use my login and password ;)))
I repeat again, if you do not edit the firewall properly, you will not log in via telnet
... aha, "pf.conf", if you know what it is ;)
ext_wlan_if=wlan0
ext_ppp_if=ppp0
set block-policy drop
set skip on lo0
set reassemble yes
scrub in all
nat on $ext_ppp_if from !($ext_ppp_if) to any -> ($ext_ppp_if)
block in from 127.0.0.0/8 to any
block in proto { tcp, udp } from any to 224.0.0.0/4 port !=1900
block in all
pass in quick on tsd_imx60 all
pass in quick on tsd_j50 all
pass in quick on lo all
pass out quick all keep state
pass in quick on ax proto tcp from any to any port 15001 keep stat
anchor port_rules
load anchor port_rules from "/tsd/var/networking/port_rules.conf"
... you want telnet? You can only log in to port 15361 and see "flying logs" ;)))
pf_testmode.conf:
set block-policy drop
set skip on lo0
pass in quick proto icmp from any to any
pass in quick on ncm all
pass in quick on tsd_imx60 all
pass in quick on tsd_j50 all
pass in quick on lo all
pass out quick all keep state
pass in proto { udp , tcp } from any to any port 15361 keep state
pass in quick proto { tcp, udp } from any to any port 1234 keep state
... maybe there will be someone who can correctly set up a firewall? ;)))
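The pf ruleset quoted above is what decides whether a connection from the bench PC ever reaches a listener on the unit, so it is worth checking it the way pf itself does rather than by eye. The evaluator below is an added example (not code from the toolbox or from the unit) that applies pf's ordering rules to a subset of the normal-mode pf.conf; it assumes "on ax" is meant to cover ax0 and uses the bench addresses given earlier in the thread (PC 192.168.1.100, unit 192.168.1.4).

```python
"""Simplified pf rule evaluator for the pf.conf quoted in the thread. pf scans rules in
order: the last match wins, a matching "quick" rule ends evaluation, no match passes."""
import ipaddress
# Constructed subset of the normal-mode pf.conf above (set/nat/anchor lines are not rules).
NORMAL_PF = """
block in proto { tcp, udp } from any to 224.0.0.0/4 port !=1900
block in all
pass out quick all keep state
pass in quick on ax proto tcp from any to any port 15001 keep state
"""
KEYS = {"on": "iface", "from": "src", "to": "dst"}   # keyword -> rule field

def parse_rule(line):
    """Return a rule dict for a pass/block line, None for any other line."""
    t = line.split()
    if not t or t[0] not in ("pass", "block"):
        return None
    r = {"action": t[0], "dir": None, "quick": False, "iface": None,
         "protos": None, "src": "any", "dst": "any", "port": None, "neg": False}
    i = 1
    while i < len(t):
        if t[i] in ("in", "out"): r["dir"] = t[i]
        elif t[i] == "quick": r["quick"] = True
        elif t[i] in KEYS:                        # on IFACE / from ADDR / to ADDR
            i += 1
            r[KEYS[t[i - 1]]] = t[i]
        elif t[i] == "proto":                     # proto tcp  or  proto { tcp, udp }
            i += 1
            j = t.index("}", i) if t[i] == "{" else i
            r["protos"] = [p.strip(",") for p in t[i:j + 1] if p.strip(",{}")]
            i = j
        elif t[i] == "port":                      # port N  or  port !=N
            i += 1
            r["neg"], r["port"] = t[i].startswith("!="), int(t[i].lstrip("!="))
        i += 1                                    # "all", "keep", "state" need no handling
    return r

def matches(r, pkt):
    """Does rule r apply to pkt? "on ax" is read as a prefix covering ax0 (assumption)."""
    if r["dir"] and r["dir"] != pkt["dir"]: return False
    if r["iface"] and not pkt["iface"].startswith(r["iface"]): return False
    if r["protos"] and pkt["proto"] not in r["protos"]: return False
    for addr, spec in ((pkt["src"], r["src"]), (pkt["dst"], r["dst"])):
        if spec != "any" and ipaddress.ip_address(addr) not in ipaddress.ip_network(spec):
            return False
    return r["port"] is None or (pkt["dport"] == r["port"]) != r["neg"]

def verdict(conf, pkt):
    """Apply pf's ordering rules to one packet and return "pass" or "block"."""
    result = "pass"                               # pf passes what no rule matches
    for line in conf.splitlines():
        r = parse_rule(line.strip())
        if r and matches(r, pkt):
            result = r["action"]
            if r["quick"]: break
    return result

def inbound_tcp(conf, dport, iface="ax0"):
    # Verdict for a TCP SYN from the bench PC (192.168.1.100) to the unit (192.168.1.4).
    return verdict(conf, {"dir": "in", "iface": iface, "proto": "tcp", "dport": dport,
                          "src": "192.168.1.100", "dst": "192.168.1.4"})
```

Running inbound_tcp(NORMAL_PF, 23) gives "block" and inbound_tcp(NORMAL_PF, 15001) gives "pass", which is exactly the "port 23 refused, a few ports show logs" behaviour reported above: the firewall, not the missing password, is what answers first.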
Does anyone know how to read the eMMC of a Delphi unit, or even better how to push it into emergency mode? My unit no longer allows Telnet and reboots several times.
Do you have this info for Delphi devices also? I need it to give it a try...
look there: ␡
Technisat? Of course ❌
Who deletes my links? Do you feel sorry for that? Guys write in PM
I'm deleting them. I want this repo to stay clean.
Hi
Loving this informative thread. I'm currently trying to also hack CarPlay and unlock CP in these units. As I understand it, the eMMC dumping is only to read the eMMC to run QNX virtually, to then edit code to include a telnet console...... It seems easy, and there are pinouts on the Porsche/XDA thread above (via megaupload). And for the bricked unit it also has pinouts for shorting pins in the units and driving into emergency mode. Mattcabb, is it okay to share the megaupload link?
Delete if not allowed
Harman (edited)
✂️
Technisat ✂️ Delphi ✂️
Harman link is not working, asks for an encryption key
They have already been deleted previously by him. It's fairly straightforward to unlock CP now, and I assume that a lot of the techniques in these exploits could be used to run this toolbox. It's well documented now how to dump the files from the device on both Technisat and Delphi.
Yes I know but there’s pinouts for dumping emmc without removing