
Could this be used to flash virtual cockpit?

Open OneB1t opened this issue 2 years ago • 54 comments

I'm looking for some way to cross-flash 5NA920790B into 5G1920790B/5G1920791B. Will this project eventually be a way to achieve this?

OneB1t avatar Sep 27 '21 19:09 OneB1t

Not sure. Each control module requires its own reverse engineering effort.

Quickly looking at an ODX for these units:

  • Flashing most control units using a stock, signed FRF is pretty easy. This unit seems to use the normal FlashJobUDS layer so it may be possible to flash an FRF with some enhancements to the flasher project in flash_uds.py. I do see some unimplemented signature blocks in there which we currently do not send with the tester - I would need to look and see if these need to be sent or not.

  • I have no way of knowing whether the control unit will allow cross-flashing or what will happen if it is attempted, as I don't own one. The data in the ODX seems to be encrypted so it would take some reverse engineering effort to pull it apart and find out what is going on that way, too.

In short:

  • No current support.
  • It would probably be possible to add FRF flashing support for this control unit with small to moderate effort, although without owning the module I can't be too sure.
  • I can't tell you whether or not the unit will allow a cross flash as-is without more information. Can this be done with ODIS Engineering or VCP?
  • If it doesn't allow a cross flash as-is, I can't tell you how hard it would be to patch it to allow a cross-flash as this would be its own reverse engineering effort.

bri3d avatar Sep 27 '21 19:09 bri3d

Thanks for the info. I just ordered that cluster and it will be my winter project to make it work in my car somehow :) so I'm looking for more information on how to hack it.

Unfortunately there is nearly nothing about it anywhere :-( so when it arrives I will take it apart and try to find some more info based on the chips used.

I have a feeling that it will be possible to cross-flash with ODIS, as there is some guy on a forum who had a version for the e-Golf and made 5G1920795, and somehow he cross-flashed to 5G1920791.

https://www.golfmk7.com/forums/index.php?threads/mk7-5-digital-cockpit-retrofit.348993/page-14

OneB1t avatar Sep 27 '21 19:09 OneB1t

I want to unpack the ODX file to get the binary so I can poke at it with Ghidra or some other tool.

And I'm stuck on the following part (image). This part inside the ODX has the following compression/encryption: <ENCRYPT-COMPRESS-METHOD TYPE="A_BYTEFIELD">AA</ENCRYPT-COMPRESS-METHOD>. Where should I get the AES key and IV? Are they also somewhere inside the ODX, or is the only way to obtain them from the firmware binary? SA2 I can see inside the ODX, so that I can reuse.

OneB1t avatar Oct 04 '21 06:10 OneB1t

The ENCRYPT-COMPRESS-METHOD in these Virtual Cockpit ODX files is actually 1A.

There is no guaranteed consistency for encrypt/compress methods across control units. It's simply an identifier which is sent with the RequestDownload message to the control unit to let it know what data to expect.

So, there is no way to say for sure that the encryption is AES, or what it is at all.

You have a few options here:

  • Open up a control unit and see if an unencrypted firmware can be extracted physically (debug interface, ROM chip, serial interface, etc.).
  • Hunt through internal / engineering file leaks ("map packs," seedy forums, etc.) to see if an unencrypted ODX file or some kind of engineering firmware dump exists in one.
  • Enter a programming session and test if RequestUpload was left in UDS for the control unit (unlikely, have not seen it implemented for years).
  • Extract the encrypted/compressed ODX data (edit the python script to write out the dataBinary directly) and attempt some form of statistical cryptanalysis on the encrypted/compressed data. This is made a lot harder with compression, but for example on old control units which just used an XOR key, the key could be recovered this way.

bri3d avatar Oct 04 '21 14:10 bri3d
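As an added example (not code from the VW_Flash project or from bri3d), the last option above worked through: a small Python script that pulls the ENCRYPT-COMPRESS-METHOD id and the DATA blob out of a constructed ODX-style fragment, measures byte entropy to judge whether the blob looks compressed/encrypted, and recovers a repeating XOR key by per-column frequency, the old-control-unit case mentioned above. The XML layout, the 4-byte key and the "firmware" bytes are all constructed assumptions, not taken from any real ODX.

```python
import math
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed ODX-style fragment (not a real VW ODX): method id plus hex DATA blob.
ODX_TEMPLATE = ('<FLASHDATA><ENCRYPT-COMPRESS-METHOD TYPE="A_BYTEFIELD">1A'
                '</ENCRYPT-COMPRESS-METHOD><DATA>{hexdata}</DATA></FLASHDATA>')
KEY = b"\x5a\xc3\x7e\x11"  # constructed 4-byte repeating XOR key for the demo

def extract_datablock(odx_text):
    """Return (ENCRYPT-COMPRESS-METHOD id, raw bytes) from an ODX-style fragment."""
    root = ET.fromstring(odx_text)
    method = root.findtext("ENCRYPT-COMPRESS-METHOD").strip()
    return method, bytes.fromhex(root.findtext("DATA").strip())

def shannon_entropy(data):
    """Bits per byte: near 8.0 for encrypted/compressed data, well below for raw firmware."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def xor_repeating(data, key):
    """Apply a repeating-key XOR (symmetric, so it both scrambles and restores)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_repeating_xor_key(data, key_len, fill=0x00):
    """Per key position, the most common ciphertext byte is assumed to be
    fill XOR key[i]; firmware images are dominated by 0x00/0xFF padding."""
    return bytes(Counter(data[i::key_len]).most_common(1)[0][0] ^ fill
                 for i in range(key_len))

def demo():
    # Constructed "firmware": mostly zero padding, a byte table and a marker string.
    plain = b"\x00" * 3000 + bytes(range(256)) * 4 + b"VC-FW-IMAGE"
    odx = ODX_TEMPLATE.format(hexdata=xor_repeating(plain, KEY).hex())
    method, blob = extract_datablock(odx)
    key = recover_repeating_xor_key(blob, len(KEY))
    return {"method": method, "plain_entropy": shannon_entropy(plain),
            "blob_entropy": shannon_entropy(blob), "key": key,
            "recovered_ok": xor_repeating(blob, key) == plain}

if __name__ == "__main__":
    r = demo()
    print(f"method {r['method']}, entropy plain={r['plain_entropy']:.2f} "
          f"blob={r['blob_entropy']:.2f}, key={r['key'].hex()}, ok={r['recovered_ok']}")
```

A real encrypted or compressed blob would sit near 8 bits per byte and the column statistics would be flat, which is exactly why the compression step makes this approach much harder.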

I think there is a NAND flash 29F4G08ABADA inside the cluster. Today I split it open; this is how it looks (image).

Does it make sense to try to read/write it directly? Or will there be some other catch :-/

OneB1t avatar Oct 05 '21 00:10 OneB1t

Odds of the NAND being encrypted are pretty low I think. Dumping it would definitely be a great start.

bri3d avatar Oct 07 '21 14:10 bri3d

OK, is it better to unsolder it and use some NAND flash reader, or has somebody managed to wire this "onboard"?

I'm thinking of something like 1 spare chip to mess with and this programmer https://www.aliexpress.com/item/1005001633255146.html

When I manage to dump it, is it possible to run it inside QEMU somehow to mess with it in real time?

It looked to me like it runs a kinda similar OS to what is running on the MIB2/MIB2.5 platform :-)

What tools should I obtain for this job? Hot air gun, some masking tape, tweezers, TSOP48 flasher, flux (what type is best in order to put it back? :-D)

Something else important?

Also, when ODIS is flashing firmware, is there some part where I can sniff for the unpacked raw binary (maybe after a CAN->serial converter), or is it decrypted on the cluster itself?

EDIT: Or is there some sort of "NAND emulator" I can use as a replacement for that chip, so I can flash it via USB and keep it "onboard"?

EDIT2: What is the purpose of the 8-pin "debugging interface" which is accessible on the back side of the cluster?

OneB1t avatar Oct 07 '21 14:10 OneB1t

Reading TSOP flash chips is pretty standard. Your list is fine to start, although to put it back you probably want solder paste instead of just flux.

For solder/desolder you could also use ChipQuik instead of hot air if you want. Or, look into a TSOP clip like 360clip.

> Also, when ODIS is flashing firmware, is there some part where I can sniff for the unpacked raw binary (maybe after a CAN->serial converter), or is it decrypted on the cluster itself?

No, the encryption/decryption is done in the cluster itself, this is the fundamental protection method in most newer control modules - ODIS just reads the ODX and does what it says, the encryption and compression is performed in the control module.

> EDIT2: What is the purpose of the 8-pin "debugging interface" which is accessible on the back side of the cluster?

With respect to both the debug interface and QEMU, maybe; you'll need to figure out what the CPU is (V850?) and go from there.

bri3d avatar Oct 08 '21 17:10 bri3d

I think that CPU is V850Ev2 (D70F3539A).

That 360-Clip looks promising :-) I will try to use it as it can make the process much faster in case I need to flash a backup.

EDIT: there are actually 2 V850 devices

  1. D70F3526 -> probably used for CAN communication and mileage and CP handling

  2. D70F3539A -> handling the display. So my question is how these 2 devices communicate? Is there some UART between them or is it something more advanced?

As I would expect that I can probably hijack the communication between them in order to deal with the CP issue (it will probably still throw an error on CAN but who cares :-D) and also maybe modify the mileage.

This topology was probably used because VW already had everything for the D70F3526 and they did not want to reimplement it again for the D70F3539A.

That is also probably the reason why ODIS flashing is so slow, as it goes through the D70F3526 and then into the D70F3539A, and it is much faster when it's flashed from the MIB unit, as then it goes directly to the D70F3539A NAND via the MOST connection.

OneB1t avatar Oct 08 '21 17:10 OneB1t

OK, so I managed to dump that NAND flash, but it does not look very useful as there are no strings which I can use to make navigation in Ghidra easier.

Is there some working tutorial I can use to run it in QEMU, for example?

OneB1t avatar Mar 10 '22 14:03 OneB1t

Hello. Has someone maybe successfully flashed the virtual cockpit via MIB2?

markis90210 avatar May 16 '22 20:05 markis90210

There is update firmware for the infotainment SD card on MIB Solution: https://mibsolution.one/

Also, what is the cheapest way to obtain an "MQB test rig"?

OneB1t avatar May 16 '22 21:05 OneB1t

> There is update firmware for the infotainment SD card on MIB Solution: https://mibsolution.one/
>
> Also, what is the cheapest way to obtain an "MQB test rig"?

Make it. A few wires, connectors, a gateway, a few displays (depends on the unit), and a few keyboards. Also a USB port. EDIT: Or better, buy it: € 85,01 6% Off | For VW SKODA SEAT MQB Audi A3 8V CAR MIB 2 PRO Display Screen Radio Unit Test Code Tools https://a.aliexpress.com/_mMZyA66

markis90210 avatar May 17 '22 10:05 markis90210

But this is probably not enough, as it will also require a working key + immo in order to flash firmware into the cluster, right?

To just wake the cluster up I can probably use just an Arduino + CAN shield.

But I'm interested in a "minimum viable rig" to flash the VC on the bench.

OneB1t avatar May 17 '22 10:05 OneB1t

> But this is probably not enough, as it will also require a working key + immo in order to flash firmware into the cluster, right?
>
> To just wake the cluster up I can probably use just an Arduino + CAN shield.
>
> But I'm interested in a "minimum viable rig" to flash the VC on the bench.

Can we communicate via messages? Skype, WhatsApp, Viber, Telegram?

markis90210 avatar May 17 '22 10:05 markis90210

Sure we can. Check xda-devs ;-) Write to you on Skype :)

markis90210 avatar May 17 '22 11:05 markis90210

Did you already have some progress with cross-flashing the virtual cockpit? I am a mechanical engineer and want to learn this kind of interesting programming, especially because I do many "programmings" (ODIS) in these VAG cars. I heard about modified/patched firmwares for the virtual cockpits which are being used to cross-flash / turn CP off etc.

heeyroen752 avatar Nov 09 '22 22:11 heeyroen752

Hello. Unfortunately no progress.

markis90210 avatar Nov 10 '22 07:11 markis90210

Unfortunately there is not much research going on for these devices. Mine is still waiting on the desk for more public information :-)

OneB1t avatar Nov 10 '22 15:11 OneB1t

But now it is hard times, because dealers do not accept adapting used virtual cockpits, so I think smart people will start searching for ways to adapt it without a dealer, and of course will find the way. I sent one cluster to people who unlock the processor, to make it possible to change the mileage. I was thinking that after unlocking it would be possible to read the processor, but unfortunately no. They unlock something only for mileage correction. And I see that they unsolder the whole processor, not connect by the processor pins.

markis90210 avatar Nov 10 '22 21:11 markis90210

I can read that NAND flash but it is either encrypted or something weird is going on there. Without some internal knowledge this will be a tough challenge. It's interesting that some company is able to mess with the odometer now, maybe there is still hope :-)

OneB1t avatar Nov 10 '22 22:11 OneB1t

So what I know is the data for mileage, sport layout, CP and some others are being locked if the dash is over 100 km. This data is being unlocked in 2 ways: 1. by unlocking the flash and 2. by your hacked firmware. Same way they hack the MIB2 system. I even read that some people have this solution by just sending CAN commands. I found some kind of patched firmware but have not used it yet as I don't know what the background/information is and what it does.

heeyroen752 avatar Nov 10 '22 22:11 heeyroen752

Can you share this hacked firmware? ODX files are encrypted and probably signed, but maybe we can see what they did in order to get around these limitations :-)

https://www.youtube.com/watch?v=k25l225FfBo

It must be clever to use a ramdisk to not "break" the internal storage, but I think it can be achieved.

OneB1t avatar Nov 11 '22 07:11 OneB1t

What firmware are you talking about?

markis90210 avatar Nov 11 '22 07:11 markis90210

Yes, of course I can share it. How can I share it with you? Do you have Telegram or something? The file is not ODX. It is updated by SD through MIB2 (MOST).

heeyroen752 avatar Nov 11 '22 08:11 heeyroen752

Maybe upload it to mibsolution? ;) https://mibsolution.one/ There are multiple firmware updates for MOST at https://mibsolution.one/#/1/9/VC-AID%20Updates so if you have a modified one maybe we can compare them :-)

OneB1t avatar Nov 11 '22 08:11 OneB1t

OK, I will try this afternoon. The only thing is I don't think everyone in the mibsolution admin group will be pleased. Some don't want solutions to be public, as you can also see in their Telegram group.

heeyroen752 avatar Nov 11 '22 08:11 heeyroen752

I don't think that flashing firmware should be some "underground operation". On many other platforms (phones, PCs or even my dust cleaner) it is a routine operation. But for some reason in the automobile industry you need to be some sort of shaman....

OneB1t avatar Nov 11 '22 08:11 OneB1t

https://drive.google.com/file/d/1SN4dpzfOhfeUcmpOY3xjDinIQkIeHk3h/view

heeyroen752 avatar Nov 11 '22 11:11 heeyroen752

Do you also have an unmodified version of this "update"?

OneB1t avatar Nov 14 '22 12:11 OneB1t