search

nisargjhaveri / WirelessAndroidAutoDongle

Use Wireless Android Auto with a car that supports only wired Android Auto using a Raspberry Pi.
MIT License
729 stars 84 forks source link

Firmware from Chinese AndriodAuto (and Carplay) Dongle #213

Open hkfuertes opened 3 weeks ago

hkfuertes commented 3 weeks ago

@nisargjhaveri Just letting you know I was able to download the OTA update of one of this cheap Chinese android auto wireless adapter from aliexpres onto my machine. I just unsquashed it and I'm going over it looking for something interesting... but my decompilation skills aren't that good.

Here is the script (taken from the update page of the dongle) to download. You have 2 models to download (change the version and custom fields at the begining of the script):

<script>
    //Version is figured out via `queryDeviceVersion` whith out any Version.

    // One ...
    // const Version = "se_202409241744"
    // const PlatForm = "v851se";
    // const Custom = "jiuchangxin";

    // Another ...
    const Version = "se_202409241804"
    const PlatForm = "v851se";
    const Custom = "luruibao";

    window.download = () => {
        url = "http://120.79.59.57:8080/device-web/upgrade/downLoad";
        var xhr = false;
        try {
            var param = {};
            param["version"] = Version;
            param["platform"] = PlatForm;
            param["custom"] = Custom;

            console.log(param)

            xhr = new XMLHttpRequest();
            xhr.responseType = "blob";
            xhr.open('POST', url, true);
            xhr.setRequestHeader('Content-Type', 'application/json');
            xhr.addEventListener("progress", function (event) {
                if (event.lengthComputable) {
                    var percentage = Math.round((event.loaded * 50) / event.total);
                    console.log(`Downloaded ${percentage}%`);
                }
            }, false);

            xhr.onreadystatechange = function () {
                if (xhr.status === 500) {
                    alert("Server internal error.");
                    window.stop();
                }
                if (xhr.readyState === 4) {
                    if (xhr.status === 200) {
                        console.log(xhr.response);
                        var blob = xhr.response;
                        if (blob) {
                            var dk = document.createElement('a');
                            dk.href = window.URL.createObjectURL(blob)
                            dk.download = Version;
                            document.body.appendChild(dk);
                            dk.click();
                        };
                    } else {
                        alert('download file fail');
                    }
                }
            };

            xhr.send(JSON.stringify(param));
        } catch (failed) {
            xhr = false;
            //alert("Server internal error.");
        }
    }

    window.queryDeviceVersion = () => {
        try {
            request = new XMLHttpRequest();
        } catch (failed) {
            request = false;
        }

        if (!request)
            alert("Error initializing XMLHttpRequest!");

        var url = "http://120.79.59.57:8080/device-web/upgrade/queryDeviceVersion";
        request.open("POST", url, true);
        request.setRequestHeader('Content-Type', 'application/json');
        request.onreadystatechange = function () {
            if (request.readyState == 4) {
                if (request.status == 200) {
                    var response = request.responseText;
                    var myJSON = JSON.parse(response);

                    console.log(response);
                }
            }
        }

        var param = {};
        //param["version"] = Version;
        param["platform"] = PlatForm;
        param["custom"] = Custom;
        request.send(JSON.stringify(param));
    }

</script>
hkfuertes commented 3 weeks ago

Save it onto an html, open it on a browser and just use download(); and queryDeviceVersion(); from the developer tools.

hkfuertes commented 3 weeks ago

For what I have figured out already, it uses an AllWinner SoC (maybe this could bring more boards to this project) and its based of Tina Linux: https://home.xyhcloud.com:1443/tina-v85x/tina-v85x (which is an iteration over OpenWRT... so... buildroot)

hkfuertes commented 3 weeks ago

... The magic might be happening in /usr/bin/sdsdk and /usr/bin/sdDongle which seems to be the CarPlay part of the dongle. In the rc.init I don't see any android auto "starter script" only the carplay (actually, sdsdk when loading bluetooth), but somehow the dongle knows that the connected device is an android device and changes to android auto mode...

I don't know how to continue... maybe is usefull for someone :)

hkfuertes commented 3 weeks ago

I have 3 dongles. 2 of them are equal, the script above retrieves the firmware, but the third is different, with a different folder structure. You can get it here: https://cpbox-abroad.oss-us-west-1.aliyuncs.com/2921/version.json https://cpbox-abroad.oss-us-west-1.aliyuncs.com/2921/update.img

In this case is just only the app, without any usb gadget config, but again I don't know what to do with gHidra to make it useful...