
Firmware from Chinese Android Auto (and CarPlay) Dongle

Open hkfuertes opened this issue 1 year ago • 37 comments

@nisargjhaveri Just letting you know I was able to download the OTA update of one of these cheap Chinese Android Auto wireless adapters from AliExpress onto my machine. I just unsquashed it and I'm going over it looking for something interesting... but my decompilation skills aren't that good.

Here is the script (taken from the update page of the dongle) to download it. There are two models to download (change the Version and Custom fields at the beginning of the script):

```html
<script>
    // Version is figured out via `queryDeviceVersion` without any Version.

    // One ...
    // const Version = "se_202409241744"
    // const PlatForm = "v851se";
    // const Custom = "jiuchangxin";

    // Another ...
    const Version = "se_202409241804";
    const PlatForm = "v851se";
    const Custom = "luruibao";

    // Vendor update server, plain HTTP (no TLS, nothing verified on the client side).
    const BaseUrl = "http://120.79.59.57:8080/device-web/upgrade/";

    window.download = () => {
        var url = BaseUrl + "downLoad";
        var xhr = false;
        try {
            var param = {};
            param["version"] = Version;
            param["platform"] = PlatForm;
            param["custom"] = Custom;

            console.log(param);

            xhr = new XMLHttpRequest();
            xhr.responseType = "blob";
            xhr.open('POST', url, true);
            xhr.setRequestHeader('Content-Type', 'application/json');
            xhr.addEventListener("progress", function (event) {
                if (event.lengthComputable) {
                    var percentage = Math.round((event.loaded * 100) / event.total);
                    console.log(`Downloaded ${percentage}%`);
                }
            }, false);

            xhr.onreadystatechange = function () {
                // Only look at the status once the request has completed.
                if (xhr.readyState !== 4) return;
                if (xhr.status === 500) {
                    alert("Server internal error.");
                    return;
                }
                if (xhr.status === 200) {
                    var blob = xhr.response;
                    if (blob) {
                        // Hand the blob to the browser as a file download named after the version.
                        var dk = document.createElement('a');
                        dk.href = window.URL.createObjectURL(blob);
                        dk.download = Version;
                        document.body.appendChild(dk);
                        dk.click();
                    }
                } else {
                    alert('download file fail');
                }
            };

            xhr.send(JSON.stringify(param));
        } catch (failed) {
            xhr = false;
            console.error(failed);
        }
    };

    window.queryDeviceVersion = () => {
        var request;
        try {
            request = new XMLHttpRequest();
        } catch (failed) {
            request = false;
        }

        if (!request) {
            alert("Error initializing XMLHttpRequest!");
            return;
        }

        var url = BaseUrl + "queryDeviceVersion";
        request.open("POST", url, true);
        request.setRequestHeader('Content-Type', 'application/json');
        request.onreadystatechange = function () {
            if (request.readyState === 4 && request.status === 200) {
                // The reply is JSON listing the versions available for this platform/custom.
                var myJSON = JSON.parse(request.responseText);
                console.log(myJSON);
            }
        };

        var param = {};
        // Version is intentionally omitted here: the server answers with what is available.
        param["platform"] = PlatForm;
        param["custom"] = Custom;
        request.send(JSON.stringify(param));
    };
</script>
```

hkfuertes avatar Oct 25 '24 16:10 hkfuertes

Save it into an HTML file, open it in a browser and just call download(); and queryDeviceVersion(); from the developer tools.

hkfuertes avatar Oct 25 '24 16:10 hkfuertes
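The same two calls from the command line, as an added example (not the vendor's update page and not part of this project), with an integrity check on what comes back. It assumes that the server accepts the same JSON body over urllib that it accepts over XMLHttpRequest, and that the `md5Encryption` field of the queryDeviceVersion reply is the MD5 of the file the downLoad endpoint serves; both are my assumptions. The sample reply is shaped after the one posted later in this thread for platform AX1800, with a second, older entry constructed so that the "newest" selection is exercised.

```python
"""Command-line equivalent of the dongle update page's two XHR calls, plus an
MD5 check on the downloaded image.  Added example, not the vendor's code."""
import hashlib
import json
import urllib.request

BASE_URL = "http://120.79.59.57:8080/device-web/upgrade/"  # from the update page script

# Reply shape as posted later in this thread for AX1800 / luruibao; second entry constructed.
SAMPLE_REPLY = json.dumps({
    "success": True,
    "data": [
        {"id": 982, "fileName": "ax_202509041025", "version": "ax_202509041025",
         "md5Encryption": "937fc62fcb18c8f77d99943678c7ff36", "custom": "luruibao",
         "platform": "AX1800", "createTime": 1757931016000},
        {"id": 900, "fileName": "ax_000000000000", "version": "ax_000000000000",  # constructed
         "md5Encryption": "0" * 32, "custom": "luruibao",
         "platform": "AX1800", "createTime": 1700000000000},
    ],
    "errorCode": "200",
    "errorMessage": None,
})


def build_payload(platform, custom, version=""):
    """Body for both endpoints; queryDeviceVersion is sent with an empty version."""
    return {"version": version, "platform": platform, "custom": custom}


def parse_version_list(reply_text):
    """Return (version, md5, createTime) tuples from a queryDeviceVersion reply."""
    reply = json.loads(reply_text)
    if not reply.get("success") or reply.get("errorCode") != "200":
        raise RuntimeError("server reported failure: %r" % reply.get("errorMessage"))
    out = []
    for entry in reply.get("data") or []:
        md5 = (entry.get("md5Encryption") or "").lower()
        if len(md5) != 32 or any(c not in "0123456789abcdef" for c in md5):
            raise ValueError("entry %r has no usable md5" % entry.get("version"))
        out.append((entry["version"], md5, int(entry.get("createTime") or 0)))
    return out


def newest(entries):
    """Pick the most recently created entry."""
    return max(entries, key=lambda e: e[2])


def md5_matches(data, expected_hex):
    """True when the downloaded bytes hash to the value the server advertised (assumed meaning)."""
    return hashlib.md5(data).hexdigest() == expected_hex.lower()


def post_json(endpoint, payload, timeout=30):
    """POST JSON to BASE_URL + endpoint and return the raw response bytes (network; not run on import)."""
    req = urllib.request.Request(
        BASE_URL + endpoint,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def fetch_and_verify(platform, custom):
    """Query available versions, download the newest and refuse to keep a mismatching image."""
    reply = post_json("queryDeviceVersion", build_payload(platform, custom)).decode()
    version, md5, _ = newest(parse_version_list(reply))
    image = post_json("downLoad", build_payload(platform, custom, version))
    if not md5_matches(image, md5):
        raise RuntimeError("MD5 mismatch for %s: refusing to save" % version)
    with open(version, "wb") as f:
        f.write(image)
    return version, len(image)


if __name__ == "__main__":
    print(fetch_and_verify("v851se", "luruibao"))
```

The MD5 only catches a truncated or corrupted download: it comes over the same plain-HTTP channel as the image itself, so it says nothing about who produced the file.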

From what I have figured out already, it uses an Allwinner SoC (maybe this could bring more boards to this project) and it's based on Tina Linux: https://home.xyhcloud.com:1443/tina-v85x/tina-v85x (which is an iteration over OpenWrt... so... buildroot)

hkfuertes avatar Oct 25 '24 16:10 hkfuertes

... The magic might be happening in /usr/bin/sdsdk and /usr/bin/sdDongle, which seem to be the CarPlay part of the dongle. In rc.init I don't see any Android Auto "starter script", only the CarPlay one (actually, sdsdk when loading Bluetooth), but somehow the dongle knows that the connected device is an Android device and switches to Android Auto mode...

I don't know how to continue... maybe it's useful for someone :)

hkfuertes avatar Oct 25 '24 17:10 hkfuertes

I have 3 dongles. 2 of them are identical, and the script above retrieves their firmware, but the third is different, with a different folder structure. You can get it here: https://cpbox-abroad.oss-us-west-1.aliyuncs.com/2921/version.json https://cpbox-abroad.oss-us-west-1.aliyuncs.com/2921/update.img

In this case it's just the app, without any USB gadget config, but again I don't know what to do with Ghidra to make it useful...

hkfuertes avatar Oct 25 '24 18:10 hkfuertes

> I have 3 dongles. 2 of them are identical, and the script above retrieves their firmware, but the third is different, with a different folder structure. You can get it here: https://cpbox-abroad.oss-us-west-1.aliyuncs.com/2921/version.json https://cpbox-abroad.oss-us-west-1.aliyuncs.com/2921/update.img
>
> In this case it's just the app, without any USB gadget config, but again I don't know what to do with Ghidra to make it useful...

How were you able to unsquash the img file? I have tried with no success.

USAvery avatar Feb 26 '25 22:02 USAvery

Another device, if anyone is interested:

```js
const PlatForm = "v851s";
const Custom = "suding";
```

un4saken avatar Mar 14 '25 20:03 un4saken

Guys, is the firmware in those devices able to enable "Developer mode" like in AAWireless? I am asking because we're trying to change the name to enable this feature.

Edit: nvm now, we managed to make it :)

manio avatar Apr 01 '25 17:04 manio

I have ported a new version for my device, which had been abandoned after some time by then.

It's on my repository.

It's a CarPlay + Android Auto implementation, but CarPlay requires a chip present in Apple devices for auth. It is easy to solder onto the board, though.

Android Auto will soon demand a cert file to be connected to newer Android Auto versions.

MITM mode is just the initial implementation.

So I will port it when needed for my device that doesn't have it 😉

Hope it helps someone!

jwagnervaz avatar Sep 25 '25 05:09 jwagnervaz

> Guys, is the firmware in those devices able to enable "Developer mode" like in AAWireless? I am asking because we're trying to change the name to enable this feature.
>
> Edit: nvm now, we managed to make it :)

How were you able to change names?

gator8125 avatar Oct 23 '25 04:10 gator8125

> How were you able to change names?

via MITM feature

manio avatar Oct 23 '25 04:10 manio

I have another one from AliExpress (https://www.aliexpress.com/item/1005009708341434.html). Managed to get an adb shell and then uploaded a telnet binary.

```
Linux CarPlayBox 4.9.191 #1203 PREEMPT Thu Jul 31 03:53:52 UTC 2025 armv7l GNU/Linux

DISTRIB_ID='tina.masnuo.20250728.121733'
DISTRIB_RELEASE='Neptune'
DISTRIB_REVISION='5C1C9C53'
DISTRIB_TARGET='v851s-perf2/generic v2.1'
DISTRIB_DESCRIPTION='tina.masnuo.20250728.121733 4.0.0'
DISTRIB_TAINTS='no-all mklibs busybox'
```

```
./adb shell cat /proc/cpuinfo
processor       : 0
model name      : ARMv7 Processor rev 5 (v7l)
BogoMIPS        : 48.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc07
CPU revision    : 5

Hardware        : sun8iw21
Revision        : 0000
Serial          : 0000000000000000
```

gxcreator avatar Oct 25 '25 21:10 gxcreator

```
sudo sunxi-fel list
USB device 001:003   Allwinner V853    62c05e00:8c404820:01055b28:209a205a
```

gxcreator avatar Oct 26 '25 00:10 gxcreator

Reading flash using xfel in FEL mode:

```
xfel.exe spinor read 0x00000000 16777216 spinor_dump.bin
```

Partition map:

```
0x000000000000-0x000000060000 : "uboot"
0x000000060000-0x0000002a0000 : "boot"
0x0000002a0000-0x000000730000 : "rootfs"
0x000000730000-0x0000007b0000 : "rootfs_data"
0x0000007b0000-0x0000007d0000 : "env"
0x0000007d0000-0x0000007e0000 : "private"
0x0000007e0000-0x000000ea0000 : "app"
0x000000ea0000-0x000001000000 : "UDISK"
```

Mountpoints:

```
/dev/root on /rom type squashfs (ro,relatime)
devtmpfs on /dev type devtmpfs (rw,relatime,size=30128k,nr_inodes=7532,mode=755)
/proc on /proc type proc (rw,relatime)
tmpfs on /tmp type tmpfs (rw,relatime)
sys on /sys type sysfs (rw,relatime)
/dev/by-name/rootfs_data on /overlay type jffs2 (rw,relatime)
overlayfs:/overlay on / type overlay (rw,noatime,lowerdir=/,upperdir=/overlay/upper,workdir=/overlay/workdir)
/dev/by-name/app on /mnt/app type squashfs (ro,relatime)
tmpfs on /run type tmpfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
/dev/mtdblock7 on /mnt/UDISK type jffs2 (rw,relatime)
tmpfs on /data type tmpfs (rw,relatime)
none on /sys/kernel/config type configfs (rw,relatime)
adb on /dev/usb-ffs/adb type functionfs (rw,relatime)
```

gxcreator avatar Oct 26 '25 02:10 gxcreator
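Splitting the 16 MiB xfel dump along the partition map above, as an added example (not part of the gxcreator/aa-smartbox-re tools): the map text and the flash size are copied from the post; the `identify` magics are the standard squashfs and JFFS2 ones, which the mountpoint list says to expect for rootfs/app and rootfs_data/UDISK. The map is validated for gaps and overlaps before anything is carved, because a map copied by hand is the usual reason a carved rootfs fails to unsquash.

```python
"""Carve the partitions of a raw SPI-NOR dump (as read with `xfel spinor read`)
using the kernel partition map quoted from the thread.  Added example."""
import os
import re

PARTITION_MAP = """\
0x000000000000-0x000000060000 : "uboot"
0x000000060000-0x0000002a0000 : "boot"
0x0000002a0000-0x000000730000 : "rootfs"
0x000000730000-0x0000007b0000 : "rootfs_data"
0x0000007b0000-0x0000007d0000 : "env"
0x0000007d0000-0x0000007e0000 : "private"
0x0000007e0000-0x000000ea0000 : "app"
0x000000ea0000-0x000001000000 : "UDISK"
"""

FLASH_SIZE = 16777216  # bytes, the length passed to xfel above

_LINE = re.compile(r'^\s*0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)\s*:\s*"([^"]+)"\s*$')


def parse_map(text):
    """Return a list of (name, start, size) from 'start-end : "name"' lines."""
    parts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparseable partition line: %r" % line)
        start, end, name = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
        if end <= start:
            raise ValueError("partition %s has non-positive size" % name)
        parts.append((name, start, end - start))
    return parts


def check_map(parts, flash_size=FLASH_SIZE):
    """Verify the map is contiguous, in order and covers the whole flash."""
    expected = 0
    for name, start, size in parts:
        if start != expected:
            raise ValueError("gap or overlap before %s: expected 0x%x, got 0x%x" % (name, expected, start))
        expected = start + size
    if expected != flash_size:
        raise ValueError("map covers 0x%x bytes, flash is 0x%x" % (expected, flash_size))
    return True


def carve(dump, parts):
    """Slice each partition out of the dump bytes; returns {name: bytes}."""
    if len(dump) < parts[-1][1] + parts[-1][2]:
        raise ValueError("dump shorter than the partition map")
    return {name: dump[start:start + size] for name, start, size in parts}


def identify(blob):
    """Cheap type guess by magic, to confirm the map lines up with the dump."""
    if blob[:4] == b"hsqs":
        return "squashfs"
    if blob[:2] in (b"\x19\x85", b"\x85\x19"):  # JFFS2 0x1985 in either byte order
        return "jffs2"
    return "unknown"


def carve_file(dump_path, out_dir="."):
    """Write every partition of the dump file to <out_dir>/<name>.bin; returns {name: type}."""
    parts = parse_map(PARTITION_MAP)
    check_map(parts)
    with open(dump_path, "rb") as f:
        dump = f.read()
    types = {}
    for name, blob in carve(dump, parts).items():
        with open(os.path.join(out_dir, name + ".bin"), "wb") as out:
            out.write(blob)
        types[name] = identify(blob)
    return types


if __name__ == "__main__":
    import sys
    print(carve_file(sys.argv[1] if len(sys.argv) > 1 else "spinor_dump.bin"))
```

`rootfs.bin` and `app.bin` should report as squashfs and feed straight into unsquashfs; `rootfs_data.bin` and `UDISK.bin` are the writable JFFS2 overlays, which is where a vendor's or a previous owner's runtime changes would live.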

@gxcreator I bought the same device as yours, can you share the fw dump here? So I don't have to open mine?

jwagnervaz avatar Oct 26 '25 04:10 jwagnervaz

> @gxcreator I bought the same device as yours, can you share the fw dump here? So I don't have to open mine?

Extracted FS: extracted_flash.tar.gz

Raw dump: https://disk.yandex.ru/d/r_pLJkF2_ohssw

gxcreator avatar Oct 26 '25 10:10 gxcreator

By the way, you don't need to open the device to gain root access:

  1. Install adb drivers
  2. Connect the device to a USB port
  3. There will be a few seconds when adb is exposed to the host
  4. Quickly push a statically built telnet binary:
     ```
     adb push .\mini_telnetd-static-build\mini_telnetd /bin/
     adb shell "chmod +x /bin/mini_telnetd && echo '/bin/mini_telnetd -l /bin/ash&' >> /etc/init.d/rc.final"
     ```
  5. Wait 5 sec and reconnect the dongle to USB to reboot
  6. Connect to the wifi created by the dongle
  7. telnet 192.168.5.1
  8. Done! Note that this exposes a root shell without a password; connect and edit the last line of /etc/init.d/rc.final to disable it.

compiled binary: https://disk.yandex.ru/d/Q2Ks76EriMz1ZQ

gxcreator avatar Oct 26 '25 10:10 gxcreator
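The last step above leaves a passwordless root shell listening on the dongle's wifi. As an added example (not from the gxcreator repo), here is a small audit over an extracted init script that flags such lines and produces the "disabled" copy the step suggests. The only facts taken from the post are the rc.final path and the mini_telnetd line it appends; the sample script and the other daemon names are my constructed assumptions of what a dongle like this might launch.

```python
"""Audit an init script for lines that start an unauthenticated network shell
and produce a cleaned copy.  Added example; sample content is constructed."""
import re

RC_FINAL = "/etc/init.d/rc.final"  # file the root-access recipe above appends to

# Constructed sample of what rc.final could look like after step 4 above.
SAMPLE_RC_FINAL = """\
#!/bin/sh
# vendor boot tail (constructed)
/usr/bin/sdsdk &
/bin/mini_telnetd -l /bin/ash&
"""

# A telnet daemon handed a shell with -l never asks for a login.
UNAUTH_SHELL = re.compile(r'\b(mini_telnetd|telnetd|utelnetd)\b.*-l\s+/bin/(ash|sh|bash)\b')
# Anything else that opens a remote way in is worth a look even if it authenticates.
REMOTE_SERVICE = re.compile(r'\b(mini_telnetd|telnetd|utelnetd|dropbear|sshd|adbd)\b')


def audit(text):
    """Return [(lineno, severity, line)] for lines that launch a remote service."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if UNAUTH_SHELL.search(stripped):
            findings.append((n, "critical", stripped))  # root shell, no password
        elif REMOTE_SERVICE.search(stripped):
            findings.append((n, "review", stripped))
    return findings


def disable_unauth_shell(text):
    """Comment out (rather than delete) the passwordless-shell lines so the change stays visible."""
    out = []
    for line in text.splitlines():
        if not line.lstrip().startswith("#") and UNAUTH_SHELL.search(line):
            out.append("# disabled: " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def audit_file(path=RC_FINAL):
    """Audit a file pulled off the device (e.g. with adb pull) and return its findings."""
    with open(path) as f:
        return audit(f.read())


if __name__ == "__main__":
    for finding in audit(SAMPLE_RC_FINAL):
        print("%d [%s] %s" % finding)
    print(disable_unauth_shell(SAMPLE_RC_FINAL))
```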

Added more info and tools to my repo here: https://github.com/gxcreator/aa-smartbox-re

gxcreator avatar Oct 26 '25 12:10 gxcreator

i got one of these recently and it curiously has a mipsel SoC. haven't been able to get a root shell yet, as the only way in i've managed to find would be to upload modified firmware to it (but i don't want to brick it atm), and it doesn't have adb enabled (i think? i've plugged it into my pc when i initially got it and didn't get anything). saving just in case:

```json
{"version":"","platform":"AX1800","custom":"luruibao"}
```

```json
{
  "success": true,
  "data": [
    {
      "id": 982,
      "fileName": "ax_202509041025",
      "updateDate": 1757959816000,
      "name": null,
      "version": "ax_202509041025",
      "md5Encryption": "937fc62fcb18c8f77d99943678c7ff36",
      "custom": "luruibao",
      "url": null,
      "platform": "AX1800",
      "files": null,
      "createTime": 1757931016000,
      "isNew": null
    }
  ],
  "errorCode": "200",
  "errorMessage": null
}
```

breakgimme avatar Oct 29 '25 02:10 breakgimme

@breakgimme Could you get the stock fw image?

gxcreator avatar Oct 29 '25 08:10 gxcreator

@gxcreator sure, here's the update image downloaded: https://r2.piwo.rocks/ax_202509041025

to extract the squashfs:

```
dd if=ax_202509041025 of=root.sqfs bs=1 skip=3219520 count=11437887
```

my device shipped with this exact version already so i don't have anything lower

breakgimme avatar Oct 29 '25 12:10 breakgimme
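How a skip/count pair like the one above is derived for an arbitrary update container, as an added example (not breakgimme's or the vendor's tooling): scan for the squashfs magic, sanity-check the v4 superblock fields around it and take `bytes_used` from the superblock as the image length. The test container is constructed inline; the specific offset and size for ax_202509041025 are not assumed to come from this method.

```python
"""Locate squashfs v4 images inside an update file and emit the equivalent dd
command.  Added example; the container used for testing is constructed."""
import struct

SQUASHFS_MAGIC = b"hsqs"   # 0x73717368 little-endian
SUPERBLOCK_LEN = 96        # squashfs v4 superblock size
# magic, inode_count, mod_time, block_size, frag_count, compressor, block_log,
# flags, id_count, version_major, version_minor, root_inode, bytes_used
_SB = struct.Struct("<IIIIIHHHHHHQQ")


def parse_superblock(buf, off):
    """Return (bytes_used, block_size, (major, minor)) for a sane v4 superblock at off, else None."""
    if buf[off:off + 4] != SQUASHFS_MAGIC or len(buf) < off + SUPERBLOCK_LEN:
        return None
    (_magic, _inodes, _mtime, block_size, _frags, compressor, block_log,
     _flags, _ids, major, minor, _root, bytes_used) = _SB.unpack_from(buf, off)
    if major != 4 or not (1 <= compressor <= 6):          # gzip .. zstd
        return None
    if block_size != (1 << block_log) or not (4096 <= block_size <= 1048576):
        return None
    if bytes_used == 0 or off + bytes_used > len(buf):     # image must fit in the container
        return None
    return bytes_used, block_size, (major, minor)


def find_squashfs(buf):
    """Scan for every plausible superblock; returns a list of (offset, bytes_used)."""
    found = []
    pos = buf.find(SQUASHFS_MAGIC)
    while pos != -1:
        sb = parse_superblock(buf, pos)
        if sb:
            found.append((pos, sb[0]))
        pos = buf.find(SQUASHFS_MAGIC, pos + 1)
    return found


def dd_command(image_name, offset, size, out_name="root.sqfs"):
    """Equivalent dd invocation; bs=1 keeps skip/count in bytes, as in the thread."""
    return "dd if=%s of=%s bs=1 skip=%d count=%d" % (image_name, out_name, offset, size)


def make_test_image(prefix_len=4096, body_len=8192):
    """Constructed container: padding, then a v4 superblock claiming body_len bytes in use."""
    sb = _SB.pack(0x73717368, 3, 0, 131072, 0, 1, 17, 0, 1, 4, 0, 0, body_len)
    sb = sb.ljust(SUPERBLOCK_LEN, b"\0")
    return b"\xff" * prefix_len + sb + b"\0" * (body_len - len(sb)) + b"\xff" * 64


def carve(image_path, out_path="root.sqfs"):
    """Write the first squashfs found in image_path to out_path; returns (offset, size)."""
    with open(image_path, "rb") as f:
        data = f.read()
    hits = find_squashfs(data)
    if not hits:
        raise SystemExit("no squashfs superblock found")
    off, size = hits[0]
    with open(out_path, "wb") as out:
        out.write(data[off:off + size])
    return off, size


if __name__ == "__main__":
    import sys
    off, size = carve(sys.argv[1])
    print(dd_command(sys.argv[1], off, size))
```

Because `bytes_used` is what the filesystem itself claims, the carved file is exactly what unsquashfs expects; an image padded to a block boundary inside the container simply leaves the padding behind.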

@breakgimme Seems to be an Ingenic X1600E CPU + aic8800D80 WLAN combo

gxcreator avatar Oct 29 '25 18:10 gxcreator

> How were you able to change names?
>
> via MITM feature

All I want to do is change the name on a system that has the Allwinner 851s. But I'm either not tech savvy or having PC issues.

I read your MITM write-up; it looked like it was for a radio va dongle?

> Added more info and tools to my repo here: https://github.com/gxcreator/aa-smartbox-re

I read yours as well; for whatever reason I can't see any file systems from my PC. I've been able to get it loosely recognized in FEL mode but that's it.

gator8125 avatar Oct 29 '25 18:10 gator8125

(two screenshots, not captured)

gator8125 avatar Oct 29 '25 19:10 gator8125

@breakgimme seems like an easy exploit btw

```js
xmlhttp.open("GET", "/cgi-bin/submition.cgi?filename=" + program_filename + "&", true);
```

gxcreator avatar Oct 29 '25 19:10 gxcreator

> All I want to do is change the name on a system that has the Allwinner 851s. But I'm either not tech savvy or having PC issues.

For this you need to hack this yourself. I was talking about my aa-proxy project, which serves the firmware for SBCs like Raspberry or Radxa, not for Chinese dongles with Android.

manio avatar Oct 29 '25 19:10 manio

@gxcreator oh nice, didn't notice that, although I think I might have tried doing something like this and had issues? Might have been just my skill issue, though. My setup for "reverse engineering" was me just poking around with grep and strings while sitting awkwardly with my laptop in my relatively small car. Might just go grab the device to check whether that will work.

breakgimme avatar Oct 29 '25 19:10 breakgimme

> For this you need to hack this yourself. I was talking about my aa-proxy project, which serves the firmware for SBCs like Raspberry or Radxa, not for Chinese dongles with Android.

At least the V851S ones mostly run plain Linux (Tina Linux from the Allwinner SDK). I am waiting for another V851S dongle with UART pins exposed to try to build a custom image and then try to port some FOSS AA proxy implementation. It is possible to do even with the default Linux image - but a custom one would be the cleaner way, since we'd also cut the crap from all these different dongle vendors at once.

gxcreator avatar Oct 29 '25 19:10 gxcreator

> For this you need to hack this yourself. I was talking about my aa-proxy project, which serves the firmware for SBCs like Raspberry or Radxa, not for Chinese dongles with Android.

> At least the V851S ones mostly run plain Linux (Tina Linux from the Allwinner SDK). I am waiting for another V851S dongle with UART pins exposed to try to build a custom image and then try to port some FOSS AA proxy implementation. It is possible to do even with the default Linux image - but a custom one would be the cleaner way, since we'd also cut the crap from all these different dongle vendors at once.

I have a handful of different dongles to pull information from, including different firmware versions of the same dongle. I also have some identical ones that simply use different broadcast names. I was hoping to be able to do a search-and-find and locate those items in the dumps.

gator8125 avatar Oct 29 '25 19:10 gator8125

@gator8125 do you want to change the wifi network name, or?

gxcreator avatar Oct 29 '25 19:10 gxcreator

> @gator8125 do you want to change the wifi network name, or?

Ideally both broadcast names

gator8125 avatar Oct 29 '25 19:10 gator8125