mattcabb / mib2std-toolbox

Trying to hack VW Discover Media / Composition Media MIB2 infotainment

Add support to dump the shadow file #2

Open jannikuhl opened 4 years ago

jannikuhl commented 4 years ago

Have you already had success reading the shadow file?

I am currently trying to access the MIB via Telnet. I can connect, but I don't have the root password.

Unfortunately I can't contact you anywhere. If you are interested in exchanging information I would be happy if you send me an email to jannik.uhlmann(at)icloud.com.

I am currently working on reverse engineering the FEC/SWaP system of Technisat.

mattcabb commented 4 years ago

Nothing yet. Due to lockdown I had to put most things on hold for now. Hope to get back to the hack soon.

flipidus commented 4 years ago

Have you already had success reading the shadow file?

I am currently trying to access the MIB via Telnet. I can connect, but I don't have the root password.

Unfortunately I can't contact you anywhere. If you are interested in exchanging information I would be happy if you send me an email to jannik.uhlmann(at)icloud.com.

I am currently working on reverse engineering the FEC/SWaP system of Technisat.

Hello Jannik,

I am also trying to get inside the MIB2STD and I'm building a testing station at home. I am also interested in exchanging some information about this topic. I heard there is also a serial connection in the quadlock connector, but I don't know if this is only on a HIGH device or also on a STD device. What tools exactly do you use to establish a telnet connection?

Best regards

jannikuhl commented 4 years ago

Have you already had success reading the shadow file? I am currently trying to access the MIB via Telnet. I can connect, but I don't have the root password. Unfortunately I can't contact you anywhere. If you are interested in exchanging information I would be happy if you send me an email to jannik.uhlmann(at)icloud.com. I am currently working on reverse engineering the FEC/SWaP system of Technisat.

Hello Jannik,

I am also trying to get inside the MIB2STD and I'm building a testing station at home. I am also interested in exchanging some information about this topic. I heard there is also a serial connection in the quadlock connector, but I don't know if this is only on a HIGH device or also on a STD device. What tools exactly do you use to establish a telnet connection?

Best regards

The MIB2STD does not have Telnet enabled by default and currently the only way to enable it is writing on the bench, either by soldering or using (what I prefer) BDM. You need to add the following lines to the file /fs/hd1-qnx6/tsd/bin/system/startup:

echo ser1 "/bin/login -f root" qansi-m on > /tmp/ttys
/sbin/tinit -f /tmp/ttys &

I never heard about a serial connection on the quadlock, do you have any sources? It is also possible to inject patched binary files as a software update.

mattcabb commented 4 years ago

Found this in test mode (image: debug).

"Serial" might be related to the quadlock (B:J5_TX, B:J5_RX) (image: mib2_wiring).

flipidus commented 4 years ago

Found this in test mode (image: debug).

"Serial" might be related to the quadlock (B:J5_TX, B:J5_RX) (image: mib2_wiring).

Yes, that's the serial connection I heard about after some longer googling about that stuff. But this pin-out in your picture is from a label on a MIB2 HIGH device, so I don't know if there is also a serial connection on a MIB2 STD device on these pins 3 and 9. I also read that you need pin 7 as GND for the serial connection.

Do you know what the pins 11 "ESO C3_TX" and 12 "ESO C3_RX" on the A part of the quadlock connector are?

jannikuhl commented 4 years ago

Where have you found that setting? It looks like mine doesn't have that. What units exactly do you guys have?

I have a Skoda Technisat MST2Nav unit.

We have to be careful because the MIB2STD unit with the same part number is manufactured by two different manufacturers (Technisat and Delphi). So maybe we have to split the toolbox since they both work very differently.

I think the pinout is from a Porsche PCM 4.0 which is manufactured by Harman/Becker. These are both very different units.

flipidus commented 4 years ago

Where have you found that setting? It looks like mine doesn't have that. What units exactly do you guys have?

I have a Skoda Technisat MST2Nav unit.

We have to be careful because the MIB2STD unit with the same part number is manufactured by two different manufacturers (Technisat and Delphi). So maybe we have to split the toolbox since they both work very differently.

I think the pinout is from a Porsche PCM 4.0 which is manufactured by Harman/Becker. These are both very different units.

You need to activate the developer mode (Entwicklermodus) on the MIB; it can be done with VCDS or OBDeleven. After that you need to hold the MENU button for a couple of seconds and you are in the Service Mode. After enabling the developer mode you should see a function called "Test mode" there, and there you have these trace functions.

Yes, the Delphi units are different. I also heard that they are not so good for retrofitting and unlocking.

The MIB2 HIGH units are also from Harman, so maybe they have the same quadlock pinout as the Porsche units.

jannikuhl commented 4 years ago

Found it, thanks. I was always looking in the green menu.

Porsche PCM and MIB2 HIGH are nearly the same. Both from Harman and can be patched the same way. So I think the pinout is also the same.

I'm currently not up-to-date: Is it possible to upload custom green menus already? Anyone tried it the same way it works on MIB2 high?

Vavulinalex commented 4 years ago

Hello. I want to study the mib2std Technisat file system. I tried connecting via UART. Unsuccessfully. Technisat does not have a serial shell. I want to try using telnet. Can you tell me what BDM is? I want to activate telnet.

jannikuhl commented 4 years ago

You're right, Technisat does not have a serial shell. What you need to do is to read the eMMC chip, activate telnet and flash the whole system back to the chip. As described in this guide: https://forum.xda-developers.com/general/connected-car/success-to-hack-technisat-mib2-t3584185

BDM can be used instead of soldering. You need BDM probes to connect directly to the circuit board. Here some pictures:

https://contestimg.wish.com/api/webimage/5dc6806fe362821086a79e51-0-large?cache_buster=66a2ba98886f0bf85989036c6d6fd5c8

https://www.dhresource.com/0x0s/f2-albu-g9-M00-38-BB-rBVaWFwHnM-AICmuAAFDktohDAA328.jpg

Vavulinalex commented 4 years ago

Thanks. If necessary, I can share the instructions for mib2 High. There are root passwords for different firmware and instructions on how to work with fec/swap

yox2019 commented 4 years ago

How did you activate telnet? ... inetd?

yox2019 commented 4 years ago

... /etc/system/enum/devices/net ;)

device(usb, ven=2001,dev=3c05)  # D-Link DUB-E100 big version
device(usb, ven=2001,dev=1a02)  # D-Link DUB-E100 small version
device(usb, ven=0b95,dev=772b)  # Edimax EU-4208 small version
device(usb, ven=0b95,dev=7720)  # Edimax EU-4207 big version
device(usb, ven=0b95,dev=1780)  # DELOCK 61969 USB 2.0 Gigabit LAN Adapter
    waitfor(/dev/socket)
    driver (mount -Tio-pkt -o "verbose,phy_check,busnum=$(busno),devnum=$(devno)" devnp-asix.so)
    start/wait(if_up -p ax0)
    start(ifconfig ax0 192.168.1.4)
    requires(inetd,)
    requires(qconn,)

device(usb)
    echo("No match found for device ven=$(ven), dev=$(dev), class=$(class), busno=$(busno), devno=$(devno), cfg=$(cfg), iface=$(iface), msven=$(msven), mscomp=$(mscomp), mssubcomp=$(mssubcomp)" )

flipidus commented 4 years ago

device(usb, ven=2001,dev=3c05)  # D-Link DUB-E100 big version
device(usb, ven=2001,dev=1a02)  # D-Link DUB-E100 small version
device(usb, ven=0b95,dev=772b)  # Edimax EU-4208 small version
device(usb, ven=0b95,dev=7720)  # Edimax EU-4207 big version
device(usb, ven=0b95,dev=1780)  # DELOCK 61969 USB 2.0 Gigabit LAN Adapter

Are these the working USB to LAN Interface Adapter for MIB2 STD/HIGH?

yox2019 commented 4 years ago

device(usb, ven=2001,dev=3c05)  # D-Link DUB-E100 big version
device(usb, ven=2001,dev=1a02)  # D-Link DUB-E100 small version
device(usb, ven=0b95,dev=772b)  # Edimax EU-4208 small version
device(usb, ven=0b95,dev=7720)  # Edimax EU-4207 big version
device(usb, ven=0b95,dev=1780)  # DELOCK 61969 USB 2.0 Gigabit LAN Adapter

Are these the working USB to LAN Interface Adapter for MIB2 STD/HIGH?

... it's from a PQ unit; you have to try it on MIB2 STD/HIGH, I don't have any to test ;) ... do you have a telnet connection with a "login" prompt?

flipidus commented 4 years ago

Okay, then I will look forward to buying one of these USB to LAN adapters and then I can check if I can get a telnet prompt. Are there some special static subnet and IP address settings I need to set for this network adapter? I don't think the MIB2 will host a DHCP.

jannikuhl commented 4 years ago

You need to enable it in the green menu. Then you can connect with D-Link. You can read off the required network settings in the green menu.

yox2019 commented 4 years ago

You need to enable it in the green menu. Then you can connect with D-Link. You can read off the required network settings in the green menu.

I am able to connect via D-Link (192.168.1.4) but only on a few ports; then I can see logs, but the connection on port 23 is refused. There is another network 10.X.x.x. Did you get the "login" prompt on 192.... or 10...?

flipidus commented 4 years ago

Okay, thanks for the information. I will look in the GEM for those IP settings, and I ordered a D-Link DUB-E100 USB to LAN adapter, the smaller black version.

jannikuhl commented 4 years ago

You need to connect to port 23 and need the following adapter settings:

  • IP: 192.168.1.100
  • Subnet: 255.255.255.0

By the way, does anyone have experience recovering Delphi units? I bricked mine today with an invalid SWaP file.

yox2019 commented 4 years ago

You need to connect to port 23 and need the following adapter settings:

  • IP: 192.168.1.100
  • Subnet: 255.255.255.0

... sorry for the question, are these the D-Link settings or those of the ethernet card in the computer?

yox2019 commented 4 years ago

By the way, does anyone have experience recovering Delphi units? I bricked mine today with an invalid SWaP file.

... you have to find the way to put this unit in "emergency mode", then reflash it with the software already installed.

jannikuhl commented 4 years ago

On the ethernet card of the PC.

I don't think it will go into emergency mode as it is in a constant boot loop.

yox2019 commented 4 years ago

On the ethernet card of the PC.

Thanks, and you log in on the address displayed in the green menu, e.g. in my unit 192.168.1.4?

I don't think it will go into emergency mode as it is in a constant boot loop.

It doesn't matter, you can always turn on emergency mode, even if the unit is working properly, you just need to know how...

jannikuhl commented 4 years ago

Yes, exactly. Login is root and there is no password, just press enter.

@yox2019 Do you know how to enter emergency mode? It seems to be the last chance for this unit before it needs soldering.

yox2019 commented 4 years ago

Yes, exactly. Login is root and there is no password, just press enter. ... THX, I will try, but I'm afraid in a PQ unit it won't work.

@yox2019 Do you know how to enter emergency mode? It seems to be the last chance for this unit before it needs soldering.

... no, unfortunately, but I think it has to be similar to Technisat. Anyway, you need a terminal connection (USB/UART) and PuTTY to be able to put this unit in emergency mode.

jannikuhl commented 4 years ago

Are you talking about Technisat or Delphi? UART only works on Delphi and Harman units. Technisat does not have any serial port open; you need to read the eMMC, e.g. using BDM. There is currently no other option. PQ is Technisat.

flipidus commented 4 years ago

You have ZR devices from Technisat (Preh) / Delphi / Harman and PQ devices from Technisat. I think the ZR devices from Technisat are to be handled the same as the PQ devices. I'm waiting for this USB to LAN adapter from eBay, so I can also test the Telnet function on my Preh device.

I heard the Delphi devices are not so hacking-friendly, but I cannot prove if this is true.

I have a productive Technisat/Preh MIB2 in my car and a test device from Technisat (without navigation) for testing purposes. But for my test desk I still need some wiring stuff to connect the MIB2 with the ABT (single wires, HSD cable, plugs, etc...).

Does anyone know how the component protection is switched ON when you use a MIB2 without CAN communication? Running time? Boot counter?

yox2019 commented 4 years ago

Yes, exactly. Login is root and there is no password, just press enter.

it doesn't work like I thought and that's why:

start(ifconfig ax0 192.168.1.4)
requires(inetd,)
requires(qconn,)

I'm talking about Technisat PQ unit ;)

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.05.09 13:07:04 =~=~=~=~=~=~=~=~=~=~=~=

-Welcome to TechniBoot-
SVN Rev: 490068 - Jun 18 2015 / 16:46:28
Variant: PQ stdNav 2GB LPDDR3
CAAM: CAAM_CSTA 0x00000202 - trusted Mode
CAAM: init -> ok
CAAM: open already instantiation ring 0!
CAAM: open ok
Image verified
CAAM: clock 0x00018D00
type=00000004, cksum=00009803, address=10800000, length=002EE9CC
type=00000006, cksum=00000006, address=10800000, length=00000000

iMX6.QNX.LoadImage.ready: 0x13107EAD
Enabling only 2 CPUs
L2 cache enabled
CPU0: L1 Icache: 1024x32
CPU0: L1 Dcache: 1024x32 WB
CPU0: VFP-d32 FPSID=41033094
CPU0: NEON MVFR0=10110222 MVFR1=01111111
CPU0: 412fc09a: Cortex A9 MPCore rev 10 996MHz
Board version: PQ/6 v12

Detected i.MX6 Dual/Quad, revision TO1.5

flipidus commented 4 years ago

device(usb, ven=2001,dev=1a02)  # D-Link DUB-E100 small version
device(usb, ven=0b95,dev=1780)  # DELOCK 61969 USB 2.0 Gigabit LAN Adapter

I got these two adapters and tried to get a LAN connection between my notebook and the MIB2 STD ZR (VW, Preh, H41, SW0478).

I was in the debug settings in the GEM and there are IP addresses listed, but I was not able to get a connection. The last IP address in the list was not completely readable and only appeared when the USB to LAN adapter was connected, and the MIB2 was not pingable.

Maybe somebody has some hints?

Thanks

jannikuhl commented 4 years ago

You cannot connect to a Technisat (ZR) MIB2 with these adapters. You need to read the eMMC and enable Telnet, as I have described above.

Vavulinalex commented 4 years ago

Do you have an eMMC pinout? (photos: IMG_20200629_213102, IMG_20200629_212326)

yox2019 commented 4 years ago

You cannot connect to a Technisat (ZR) MIB2 with these adapters. You need to read the eMMC and enable Telnet, as I have described above.

What do you mean by "enable telnet"? I am able to read the eMMC, but as I asked before, what do you think "enable telnet" means?

Vavulinalex commented 4 years ago

You cannot connect to a Technisat (ZR) MIB2 with these adapters. You need to read the eMMC and enable Telnet, as I have described above.

What do you mean by "enable telnet"? I can read the eMMC, but as I already asked, what do you think "enable telnet" means?

You don't understand anything. You have already been told several times. To use telnet, you must first activate the shell.

https://forum.xda-developers.com/general/connected-car/success-to-hack-technisat-mib2-t3584185 Read the first post

flipidus commented 4 years ago

You cannot connect to a Technisat (ZR) MIB2 with these adapters. You need to read the eMMC and enable Telnet, as I have described above.

What do you mean by "enable telnet"? I can read the eMMC, but as I already asked, what do you think "enable telnet" means?

You don't understand anything. You have already been told several times. To use telnet, you must first activate the shell.

https://forum.xda-developers.com/general/connected-car/success-to-hack-technisat-mib2-t3584185 Read the first post

In this XDA forum post it is described how to activate a SERIAL shell. Serial and Telnet are not the same.

Vavulinalex commented 4 years ago

You cannot connect to a Technisat (ZR) MIB2 with these adapters. You need to read the eMMC and enable Telnet, as I have described above.

What do you mean by "enable telnet"? I can read the eMMC; what do you think "enable telnet" means?

You don't understand anything. You have already been told several times. To use telnet, you must first activate the shell. https://forum.xda-developers.com/general/connected-car/success-to-hack-technisat-mib2-t3584185 Read the first post.

In this XDA forum post it is described how to activate a SERIAL shell. Serial and Telnet are not the same thing.

Until you have either a serial connection or a telnet connection.

yox2019 commented 4 years ago

You cannot connect to a Technisat (ZR) MIB2 with these adapters. You need to read the eMMC and enable Telnet, as I have described above.

What do you mean by "enable telnet"? I can read the eMMC, but as I already asked, what do you think "enable telnet" means?

You don't understand anything. You have already been told several times. To use telnet, you must first activate the shell.

https://forum.xda-developers.com/general/connected-car/success-to-hack-technisat-mib2-t3584185 Read the first post

You are wrong. I understand, and I repeat it again: even if you get a shell, you will not be able to log in via telnet, at least in the Technisat PQ unit.

Vavulinalex commented 4 years ago

You cannot connect to a Technisat (ZR) MIB2 with these adapters. You need to read the eMMC and enable Telnet, as I have described above.

What do you mean by "enable telnet"? I can read the eMMC; what do you think "enable telnet" means?

You don't understand anything. You have already been told several times. To use telnet, you must first activate the shell. https://forum.xda-developers.com/general/connected-car/success-to-hack-technisat-mib2-t3584185 Read the first post.

You are wrong. I understand, and I repeat it again: even if you get a shell, you will not be able to log in via telnet, at least in the Technisat PQ unit.

I won't argue with you. Try again, but you are not going in the right direction. Telnet will work. This is evidenced by the facts.

  1. jannikuhl wrote about this at the very beginning.
  2. I communicated with a hacker. He said it was free. This solution works. And he offered a paid solution (500 euro): a software package.

yox2019 commented 4 years ago

You cannot connect to a Technisat (ZR) MIB2 with these adapters. You need to read the eMMC and enable Telnet, as I have described above.

What do you mean by "enable telnet"? I can read the eMMC; what do you think "enable telnet" means?

You don't understand anything. You have already been told several times. To use telnet, you must first activate the shell. https://forum.xda-developers.com/general/connected-car/success-to-hack-technisat-mib2-t3584185 Read the first post.

You are wrong. I understand, and I repeat it again: even if you get a shell, you will not be able to log in via telnet, at least in the Technisat PQ unit.

I won't argue with you. Try again, but you are not going in the right direction. Telnet will work. This is evidenced by the facts.

  1. jannikuhl wrote about this at the very beginning.
  2. I communicated with a hacker. He said it was free. This solution works. And he offered a paid solution (500 euro): a software package.

... oh yes ;))) How about this: I have a unit with an unlocked console and telnet does not work ;) Do you want the "shadow" file and "passwd"?

Here you are, passwd:

root:x:0:0:Superuser:/:/bin/sh
ftp::0:0:FTP User:/:/bin/sh
mdnsd:x:16:7:mdnsd:/nonexistent:/bin/false

shadow:

root:UGCfzJmLNga36:98:0:0

... and now give me the telnet port where I can use my login and password ;)))

I repeat again: if you do not edit the firewall properly, you will not log in via telnet.

... aha, "pf.conf", if you know what it is ;)

ext_wlan_if=wlan0
ext_ppp_if=ppp0

set block-policy drop
set skip on lo0
set reassemble yes
scrub in all

nat on $ext_ppp_if from !($ext_ppp_if) to any -> ($ext_ppp_if)

block in from 127.0.0.0/8 to any

# block multicasts IPv4 (224.0.0.0 to 239.255.255.255) except port 1900
block in proto { tcp, udp } from any to 224.0.0.0/4 port !=1900

block in all
pass in quick on tsd_imx60 all
pass in quick on tsd_j50 all
pass in quick on lo all
pass out quick all keep state

# HMI Logging
pass in quick on ax proto tcp from any to any port 15001 keep stat

anchor port_rules
load anchor port_rules from "/tsd/var/networking/port_rules.conf"

... you want telnet? You can only log in to port 15361 and see "flying logs" ;)))

pf_testmode.conf:

set block-policy drop
set skip on lo0

set fingerprints "/etc/pf.os"

block in all

pass in quick proto icmp from any to any
pass in quick on ncm all
pass in quick on tsd_imx60 all
pass in quick on tsd_j50 all
pass in quick on lo all
pass out quick all keep state

pass in proto { udp , tcp } from any to any port 15361 keep state

# Test interface
pass in quick proto { tcp, udp } from any to any port 1234 keep state

... maybe there will be someone who can set up a firewall correctly? ;)))
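As an added illustration (not code from this thread or from the toolbox), the rule sets quoted above fed through a minimal pf-style evaluator, which shows why a connection to port 23 on the ax adapter is refused under both configs while 15001 (and, in test mode, 15361) gets through. The treatment of "on ax" as covering ax0, and the PC/unit addresses 192.168.1.100 and 192.168.1.4, are assumptions taken from the thread.

```python
"""Tiny evaluator for the pf(4) filter rules quoted in the thread. pf semantics:
a packet passes when no rule matches, otherwise the LAST matching rule decides,
except that a matching rule marked 'quick' ends evaluation at once."""
import ipaddress

# Constructed copies of the quoted filter rules (set/scrub/nat/anchor lines are
# not filter rules; the port_rules.conf include is not on the page, so not modelled).
PF_CONF = """
block in from 127.0.0.0/8 to any
block in proto { tcp, udp } from any to 224.0.0.0/4 port !=1900
block in all
pass in quick on tsd_imx60 all
pass out quick all keep state
pass in quick on ax proto tcp from any to any port 15001 keep state
"""
PF_TESTMODE_CONF = """
block in all
pass in quick proto icmp from any to any
pass in quick on ncm all
pass in quick on tsd_imx60 all
pass out quick all keep state
pass in proto { udp , tcp } from any to any port 15361 keep state
pass in quick proto { tcp, udp } from any to any port 1234 keep state
"""

def parse_rule(line):
    """Turn one filter rule into a dict of match criteria."""
    toks = line.replace("{", " { ").replace("}", " } ").replace(",", " ").split()
    rule = {"action": toks[0], "dir": toks[1], "quick": "quick" in toks, "iface": None,
            "proto": None, "src": None, "dst": None, "port": None, "port_neg": False}
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok == "on":
            rule["iface"], i = toks[i + 1], i + 2
        elif tok == "proto":  # single protocol or a { a, b } list
            end = toks.index("}", i) if toks[i + 1] == "{" else i + 1
            rule["proto"], i = set(toks[i + 1:end + 1]) - {"{", "}"}, end + 1
        elif tok in ("from", "to"):
            if toks[i + 1] != "any":
                rule["src" if tok == "from" else "dst"] = ipaddress.ip_network(toks[i + 1])
            i += 2
        elif tok == "port":  # 'port N' or 'port !=N'
            rule["port_neg"] = toks[i + 1].startswith("!=")
            rule["port"], i = int(toks[i + 1].lstrip("!=")), i + 2
        else:
            i += 1  # 'quick', 'all', 'keep', 'state' carry no match criteria
    return rule

def matches(rule, pkt):
    """'on ax' is taken to cover ax0 as well, as a pf interface group would."""
    if rule["dir"] != pkt["dir"] or (rule["proto"] and pkt["proto"] not in rule["proto"]):
        return False
    if rule["iface"] and rule["iface"] not in (pkt["iface"], pkt["iface"].rstrip("0123456789")):
        return False
    for key in ("src", "dst"):
        if rule[key] and ipaddress.ip_address(pkt[key]) not in rule[key]:
            return False
    # a port criterion holds when equality and negation disagree (port N vs port !=N)
    return rule["port"] is None or (pkt["port"] == rule["port"]) != rule["port_neg"]

def verdict(conf, iface, proto, port=None, direction="in"):
    """'pass' or 'block' for a packet between PC 192.168.1.100 and unit 192.168.1.4."""
    pkt = {"dir": direction, "iface": iface, "proto": proto, "port": port,
           "src": "192.168.1.100", "dst": "192.168.1.4"}
    result = "pass"  # pf passes a packet that matches no rule at all
    for rule in (parse_rule(l) for l in conf.strip().splitlines()):
        if matches(rule, pkt):
            result = rule["action"]
            if rule["quick"]:
                break  # 'quick': stop here, later rules cannot override
    return result
```

Note that the test-mode rule for 15361 carries no "quick" yet still wins over "block in all", because pf takes the last matching rule; that is the same mechanism by which "block in all" defeats port 23.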

jannikuhl commented 4 years ago

Does anyone know how to read the eMMC of a Delphi unit, or even better how to push it into emergency mode? My unit no longer allows Telnet and reboots several times.

cfectus commented 3 years ago

Thanks. If necessary, I can share the instructions for mib2 High. There are root passwords for different firmware and instructions on how to work with fec/swap

Do you have this info for Delphi devices also? I need it to give it a try...

Vavulinalex commented 3 years ago

Thanks. If necessary, I can share the instructions for mib2 High. There are root passwords for different firmware and instructions on how to work with fec/swap

Do you have this info for Delphi devices also? I need it to give it a try... look there: ␡

Vavulinalex commented 3 years ago

Technisat? Of course ❌

Vavulinalex commented 3 years ago

Who deletes my links? Do you feel sorry for that? Guys write in PM

mattcabb commented 3 years ago

I'm deleting them. I want this repo to stay clean.

ianidor commented 3 years ago

Hi

Loving this informative thread. I'm currently trying to also hack CarPlay and unlock CP in these units. As I understand it, the eMMC dumping is only to read the eMMC to run QNX virtually, to then edit code to include a telnet console... It seems easy and there are pinouts on the Porsche/xda thread above (via Mega upload). And for the bricked unit it also has pinouts for shorting pins in the units and driving into emergency mode. Mattcabb, is it okay to share the Mega upload link?

ianidor commented 3 years ago

Delete if not allowed

Harman (edited)

✂️

Technisat ✂️ Delphi ✂️

flipidus commented 3 years ago

Delete if not allowed

✂️

Harman link is not working, it asks for an encryption key.

shadowswan commented 3 years ago

They have already been deleted previously by him. It's fairly straightforward to unlock CP now and I assume that a lot of the techniques in these exploits could be used to run this toolbox. It's well documented now how to dump the files from the device on both Technisat and Delphi.

ianidor commented 3 years ago

Yes, I know, but there are pinouts for dumping the eMMC without removing it.