Add support to dump the shadow file

[jannikuhl]

Have you already had success reading the shadow file?

I am currently trying to access the MIB via Telnet. I can connect, but I don't have the root password.

Unfortunately I can't contact you anywhere. If you are interested in exchanging information I would be happy if you send me an email to jannik.uhlmann(at)icloud.com.

I am currently working on reverse engineering the FEC/SWaP system of Technisat.

[mattcabb]

Nothing yet. Due to lockdown I had to put most of things on hold for now. Hope to get back to the hack soon.

[flipidus]

Have you already had success reading the shadow file?

I am currently trying to access the MIB via Telnet. I can connect, but I don't have the root password.

Unfortunately I can't contact you anywhere. If you are interested in exchanging information I would be happy if you send me an email to jannik.uhlmann(at)icloud.com.

I am currently working on reverse engineering the FEC/SWaP system of Technisat.

Hello Jannik,

im am also trying to get inside the MIB2STD and im building a testing station at home. I am also interested in exchanging some information about this topic. I heard there is also a serial connection in the quadlock connector but i dont know if this is only on a HIGH device or also on a STD device. What tools you use exactly to establish a telnet connection?

Best regards

[jannikuhl]

Have you already had success reading the shadow file? I am currently trying to access the MIB via Telnet. I can connect, but I don't have the root password. Unfortunately I can't contact you anywhere. If you are interested in exchanging information I would be happy if you send me an email to jannik.uhlmann(at)icloud.com. I am currently working on reverse engineering the FEC/SWaP system of Technisat.

Hello Jannik,

im am also trying to get inside the MIB2STD and im building a testing station at home. I am also interested in exchanging some information about this topic. I heard there is also a serial connection in the quadlock connector but i dont know if this is only on a HIGH device or also on a STD device. What tools you use exactly to establish a telnet connection?

Best regards

The MIB2STD does not have Telnet enabled by default and currently the only way to enable it is writing on the bench. Either by soldering or using (what I prefer) BDM. You need to add the following line to the file /fs/hd1-qnx6/tsd/bin/system/startup echo ser1 "/bin/login -f root" qansi-m on > /tmp/ttys/sbin/tinit -f /tmp/ttys &

I never heard about a serial connection on the quadlock, do you have any sources? It is also possible to inject patched binary files as a software update.

[mattcabb]

Found this in test mode.

"Serial" might be related to the quadlock (B:J5_TX, B:J5_RX)

[flipidus]

Found this in test mode.

"Serial" might be related to the quadlock (B:J5_TX, B:J5_RX)

yes thats the serial connection i heard about it after a longer googeling about that stuff. But this PIN-Out in your picture is from a Label on a MIB2 HIGH Device, so i dont know if there is also a Serial Connection on a MIB2 STD device on this Pins 3 and 9. i also readed that you need pin 7 for the serial connection for the GND.

Do you know what the Pins 11 "ESO C3_TX" and 12 "ESO C3_RX" are on the A Part of the Quadlock Connector?

[jannikuhl]

Where have you found that setting? It looks like mine doesn't have that. What units are you guys exactly have?

I have a Skoda Technisat MST2Nav unit.

We have to be careful because the MIB2STD unit with the same partnumber is manufactured by two different manufacturers (Technisat and Delphi). So maybe we have to split the toolbox since they both work very different.

I think the pinout is from a Porsche PCM 4.0 which is manufactured by Harman/Becker. These are both very different units.

[flipidus]

Where have you found that setting? It looks like mine doesn't have that. What units are you guys exactly have?

I have a Skoda Technisat MST2Nav unit.

We have to be careful because the MIB2STD unit with the same partnumber is manufactured by two different manufacturers (Technisat and Delphi). So maybe we have to split the toolbox since they both work very different.

I think the pinout is from a Porsche PCM 4.0 which is manufactured by Harman/Becker. These are both very different units.

you need to activate the developing mode (Entlicklermodus) on the MIB, it can be done with VCDS or OBDeleven. After that you need to hold the MENU Button a couple of seconds and you are in the Service Mode. Now after enabling the developing mode you need to see there a function called "Test mode" and there you have this Trace Functions

Yes the Delphi Units are different. I also heard that they are not so good for retrofitting and unlocking.

the MIB2 HIGH Units are also from Harman. So maybe they have the same Quadlock Pinout like the Porsche Units.

[jannikuhl]

Found it, thanks. I was always looking in the green menu.

Porsche PCM and MIB2 HIGH are nearly the same. Both from Harman and can be patched the same way. So I think the pinout is also the same.

I'm currently not up-to-date: Is it possible to upload custom green menus already? Anyone tried it the same way it works on MIB2 high?

[Vavulinalex]

Hello. I want to study the mib2std Technisat file system. I tried connecting via uart. Unsuccessfully. Technisat does not have a sequential shell. I want to try using telnet. Can you tell me what BDM is? I want to activate telnet.

[jannikuhl]

You're right, Technisat does not have a serial shell. What you need to do is to read the EMMC chip, activate telnet and flash the whole system back to the chip. As described in this this guide: https://forum.xda-developers.com/general/connected-car/success-to-hack-technisat-mib2-t3584185

BDM can be used instead of soldering. You need BDM probes to connect directly to the circuit board. Here some pictures:

https://contestimg.wish.com/api/webimage/5dc6806fe362821086a79e51-0-large?cache_buster=66a2ba98886f0bf85989036c6d6fd5c8

https://www.dhresource.com/0x0s/f2-albu-g9-M00-38-BB-rBVaWFwHnM-AICmuAAFDktohDAA328.jpg

[Vavulinalex]

Thanks. If necessary, I can share the instructions for mib2 High. There are root passwords for different firmware and instructions on how to work with fec/swap

[yox2019]

How did yoy active telnet ? ... inetd ?

[yox2019]

... /etc/system/enum/devices/net ;)

device(usb, ven=2001,dev=3c05) # D-Link DUB-E100 big version device(usb, ven=2001,dev=1a02) # D-Link DUB-E100 small version device(usb, ven=0b95,dev=772b) # Edimax EU-4208 small version device(usb, ven=0b95,dev=7720) # Edimax EU-4207 big version device(usb, ven=0b95,dev=1780) # DELOCK 61969 USB 2.0 Gigabit LAN Adapter waitfor(/dev/socket) driver (mount -Tio-pkt -o "verbose,phy_check,busnum=$(busno),devnum=$(devno)" devnp-asix.so) start/wait(if_up -p ax0) start(ifconfig ax0 192.168.1.4) requires(inetd,) requires(qconn,)

device(usb) echo("No match found for device ven=$(ven), dev=$(dev), class=$(class), busno=$(busno), devno=$(devno), cfg=$(cfg), iface=$(iface), msven=$(msven), mscomp=$(mscomp), mssubcomp=$(mssubcomp)" )

[flipidus]

device(usb, ven=2001,dev=3c05) # D-Link DUB-E100 big version device(usb, ven=2001,dev=1a02) # D-Link DUB-E100 small version device(usb, ven=0b95,dev=772b) # Edimax EU-4208 small version device(usb, ven=0b95,dev=7720) # Edimax EU-4207 big version device(usb, ven=0b95,dev=1780) # DELOCK 61969 USB 2.0 Gigabit LAN Adapter

Are these the working USB to LAN Interface Adapter for MIB2 STD/HIGH?

[yox2019]

device(usb, ven=2001,dev=3c05) # D-Link DUB-E100 big version device(usb, ven=2001,dev=1a02) # D-Link DUB-E100 small version device(usb, ven=0b95,dev=772b) # Edimax EU-4208 small version device(usb, ven=0b95,dev=7720) # Edimax EU-4207 big version device(usb, ven=0b95,dev=1780) # DELOCK 61969 USB 2.0 Gigabit LAN Adapter

Are these the working USB to LAN Interface Adapter for MIB2 STD/HIGH?

... its from PQ unit you have to try it on MIB2 STD/HIGH I have any to test ;) ... have you telnet connection with "login" promt ?

[flipidus]

Okay, then i will look forward to buy one of these USB to LAN Adapters and then i can check if i can get a telnet promt. are there some special subnet and ip adress static settings i need to set for this network adapter? i dont think the MIB2 will host a DHCP

[jannikuhl]

You need to enable it in the green menu. Then you can connect with D-Link. You can read off the required network settings in the green menu.

[yox2019]

You need to enable it in the green menu. Then you can connect with D-Link. You can read off the required network settings in the green menu.

I am able to connect via D-Link (192.168.1.4) but only on few ports then I can see logs but connection on port 23 is refused, there is another network 10.X.x.x did you get "login" promt on 192.... or 10... ?

[flipidus]

Okay, thanks for the information, i will look in the GEM for that IP Settings and i ordered a D-Link DUB-E100 USB to LAN adapter, the smaller black version.

[jannikuhl]

You need to connect to port 23 and need the following adapter settings:

• IP: 192.168.1.100
• Subnet: 255.255.255.0

By the way, does anyone have experience recovering Delphi units? I bricked mine today with a invalid SWaP File.

[yox2019]

You need to connect to port 23 and need the following adapter settings:

• IP: 192.168.1.100
• Subnet: 255.255.255.0

... sorry for the question are the D-Link settings or the ethernet card in the computer?

[yox2019]

By the way, does anyone have experience recovering Delphi units? I bricked mine today with a invalid SWaP File.

... you have to find the way tu put this unit in "emrgency mode" then reflash it with software already installed

[jannikuhl]

On the ethernet card of the PC.

I don't think it will go into emergency mode as it is in a constant boot loop.

[yox2019]

On the ethernet card of the PC.

Thanks, and you login on address displayed in green menu e.g in my unit 192.168.1.4 ?

I don't think it will go into emergency mode as it is in a constant boot loop.

it doesn't matter, you can always turn on emergency mode, even if the unit is working properly, you just need to know how...

[jannikuhl]

Yes, exactly. Login is root and there is no password, just press enter.

@yox2019 Do you know how to enter emergency mode? It seems to be the last chance for this unit before it needs soldering.

[yox2019]

Yes, exactly. Login is root and there is no password, just press enter. ... THX I will try but I afraid in PQ unit it won't working

@yox2019 Do you know how to enter emergency mode? It seems to be the last chance for this unit before it needs soldering.

... no, unfortunately but I think it have to be similar as Technisat any way you need terminal connection usb/uart and putty to be able put this unit in emergency mode

[jannikuhl]

Do you talk about Technisat or Delphi? uart does only work on Delphi and Harman units. Technisat does not have any serial port open, you need to read the emmc, e.g. using BDM. There is currently no other option. PQ is Technisat.

[flipidus]

you have ZR devices from Techniat (Preh) / Delphi / Harman and PQ devices from Technisat. I think the ZR devices from Technisat are to handle the same as the PQ devices. Im waiting for this USB to LAN Adapter from ebay, so i can also test the Telnet function on my Preh device

i heard the Delphi Devices are not so hacking-friendly but i cannot proove if this is true.

i have a productive Technisat/Preh MIB2 in my Car and a test-device from technisat (without Navigation) for testing purposes. but for my test desk i still need som wiring stuff to connect the MIB2 with the ABT (single wires, HSD cable, plugs, etc...)

does anyone know how the component protection is going ON, when you use a MIB2 without CAN communication? Running time? Boot counter?

[yox2019]

Yes, exactly. Login is root and there is no password, just press enter.

it doesn't work like I thought and that's why: start(ifconfig ax0 192.168.1.4) requires(inetd,) requires(qconn,)

I'm talking about Technisat PQ unit ;)

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.05.09 13:07:04 =~=~=~=~=~=~=~=~=~=~=~=

[41m-Welcome to TechniBoot-[0m SVN Rev: 490068 - Jun 18 2015 / 16:46:28 Variant: PQ stdNav 2GB LPDDR3 CAAM: CAAM_CSTA 0x00000202 - trusted Mode CAAM: init -> ok CAAM: open already instantiation ring 0! CAAM: open ok Image verified CAAM: clock 0x00018D00 type=00000004, cksum=00009803, address=10800000, length=002EE9CC type=00000006, cksum=00000006, address=10800000, length=00000000

iMX6.QNX.LoadImage.ready: 0x13107EAD Enabling only 2 CPUs L2 cache enabled CPU0: L1 Icache: 1024x32 CPU0: L1 Dcache: 1024x32 WB CPU0: VFP-d32 FPSID=41033094 CPU0: NEON MVFR0=10110222 MVFR1=01111111 CPU0: 412fc09a: Cortex A9 MPCore rev 10 996MHz Board version: PQ/6 v12

Detected i.MX6 Dual/Quad, revision TO1.5

[flipidus]

device(usb, ven=2001,dev=1a02) # D-Link DUB-E100 small version device(usb, ven=0b95,dev=1780) # DELOCK 61969 USB 2.0 Gigabit LAN Adapter

i got this two adapters and try to get a LAN Connection between my notebook and the MIB2 STD ZR (VW, Preh, H41, SW0478)

i was in the debug settings in the GEM and there are IP adresses listed but i was not able to get a connection, the last IP adress in the list was not readable completely and only appeard when the USB to LAN Adapter was connected and the MIB2 was not pingable.

Maybe somebody have some hints?

Thanks