File system support #8

Open
shtry opened this issue Feb 27, 2021 · 16 comments


shtry commented Feb 27, 2021

Hi.

"ext2" doesn't seem to work on my unit.

So, is there a different approach? For example, a file system?

My system vfat works.

And ntfs is mounted in a state that can only be read.

Thank you.

Owner

ea commented Feb 27, 2021

What unit is this?

In principle, the exploit could work with FAT partitions as well; the only problem is that files on FAT partitions won't be executable on Linux, so even if mount dir traversal is still exploitable, you'd need a different way of getting code execution.

I'm sure it's doable, but requires some creativity.

Just as a side note, even though ext2 is supported on lcn2kai by Linux, it doesn't look like it's supported by other apps. As in, media player won't be able to detect and play media from an ext2 mounted flash drive.

Author

shtry commented Mar 1, 2021

Hi @ea

Thank you for your kind reply.

I'm using a Subaru unit.

I'm testing to see if your knowledge can be used in my Subaru unit!

I'll update you if there's any news.

shtry closed this as completed Mar 1, 2021
@raburton
Contributor

Just to add to this (I know it's closed, but useful info), if you mount a fat32 partition on my head unit all the files are marked as executable! However, a fat32 filesystem label is too short to contain ../../usr/bin and anyway it mounts using the fat32 serial number.
Tried isofs (but still on usb stick not an actual cd) and the ..'s get replaced with __'s in the mount point name, so it either goes through a different mount script, or the name is sanitised before being passed.

@balrog-kun

So just to document my findings so far and some possible ideas, I tried the methods documented in this project on my 2013 Qashqai J10 (versions E607, hw 034) which I believe may be using LCN1, not 2. First I'm not sure it's even recognizing my ASIX AX88772B-based NICs as no lights come up other than momentarily (but they don't when I plug them into the PC either...) and I can't ping 172.17.0.1 or see anything on wireshark -- I might be doing something wrong though.

Like in this issue report, my head unit isn't recognizing ext2 filesystems, neither does it work with isofs or ntfs... I could only get it to read a vfat filesystem. Now if anyone wants to try vfat or iso or ntfs on their model, here are a few things they can try -- they didn't work for me but they may be good ideas:

  • if, like with vfat, the filesystem label is limited to 11 characters, try using ../../usr as the filesystem label and storing the script as bin/logger inside the FS. /bin/sh in theory shouldn't be linking against anything in /usr/lib so it should still be able to run the script.
  • to work around the disallowed characters, I created the FS with xx_xx_usr in the label and then replaced the two instances of the label with ../../usr with a hexeditor. The blkid command properly reads the label as ../../usr so I suppose UDEV should also set the env variables to that value. In any case the headunit didn't tell me my FS was unsupported and instead showed me the MP3s on it.
  • for both vfat and NTFS you can actually set the serial number to all zeros and that causes the UUID to be empty according to blkid, so hopefully it also works this way for UDEV. For mkfs.vfat you just pass -i 0, for NTFS you need to use a hexeditor.
  • with ext2 you can try all of usr/bin, ../usr/bin, ../../usr/bin, ../../../usr/bin (no luck in my case but who knew).
  • try making the filesystem on an msdos primary partition rather than on the whole block device.
  • with tune2fs -l you can check if the mount count has increased for the ext2 FS so even if the script didn't get executed, you'd know if it got mounted in the first place (probably doesn't work for read-only though..).

If all else fails I'm going to try upgrading to one of the Dxxx firmwares (current is Exxx) and see if that helps, or just extract the headunit (which I've done before and managed to put it back in intact) and add the serial connection.
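
The label and serial-number variations in the comment above all depend on a mount script that builds its mount point from values stored on the medium. As an added example (not code from this repository or from the head unit firmware), here is one way such a script can validate those values before use; `MOUNT_ROOT`, `safe_component` and `mount_point_for` are hypothetical names, and the three arguments stand for udev's `ID_FS_LABEL`, `ID_FS_UUID` and the kernel device name.

```shell
#!/bin/sh
# Added example, not the head unit's real mount script.
# MOUNT_ROOT and both function names are assumptions made for this sketch.
MOUNT_ROOT=/media

# Print $1 as one safe path component, or fail if it cannot be one.
safe_component() {
    name=$1
    case $name in
        ''|.|..) return 1 ;;   # empty (e.g. zeroed serial) or a dot entry
        */*)     return 1 ;;   # a slash would make it a multi-component path
    esac
    # Allow-list: every byte outside A-Za-z0-9._- becomes '_'.
    clean=$(printf '%s' "$name" | LC_ALL=C tr -c 'A-Za-z0-9._-' '_')
    case $clean in
        .*) return 1 ;;        # no hidden or dot-leading names
    esac
    printf '%s\n' "$clean"
}

# mount_point_for LABEL UUID DEVNAME
# The arguments stand for udev's ID_FS_LABEL, ID_FS_UUID and the kernel name.
mount_point_for() {
    for candidate in "$1" "$2"; do
        if comp=$(safe_component "$candidate"); then
            printf '%s/%s\n' "$MOUNT_ROOT" "$comp"
            return 0
        fi
    done
    # Neither on-media value is usable: fall back to the kernel device
    # name (sdb1, ...), which the medium does not control.
    comp=$(safe_component "${3##*/}") || return 1
    printf '%s/%s\n' "$MOUNT_ROOT" "$comp"
}

# Constructed inputs modelled on the labels discussed in this thread.
mount_point_for '../../usr/bin' '1234-ABCD' sdb1   # label rejected, UUID used
mount_point_for '../../usr' '' sdb1                # both rejected, device name used
mount_point_for 'MUSIC 01' '' sdb1                 # harmless label, space replaced
```

Rejecting any value that contains a slash, rather than rewriting it, keeps two different labels from collapsing into the same directory name.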

Owner

ea commented Dec 6, 2021

> with tune2fs -l you can check if the mount count has increased for the ext2 FS so even if the script didn't get executed, you'd know if it got mounted in the first place (probably doesn't work for read-only though..).

Oh that's an excellent idea! I'll add that to the testing procedure. Thanks!
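
The mount-count check discussed above, as an added example that is not part of this repository: it reads the same counter `tune2fs -l` reports directly from the superblock of a raw device or image, for machines without e2fsprogs. The function names and the sample image are constructed for illustration; a read-only mount does not rewrite the superblock, so an unchanged counter does not rule out a read-only mount.

```shell
#!/bin/sh
# Added example: read the ext2 mount counter straight from a raw image.
# The primary superblock starts at byte 1024; s_mnt_count is a
# little-endian u16 at offset 52 and s_magic (0xEF53) one at offset 56.

# read_le16 FILE OFFSET: print the little-endian u16 stored at OFFSET.
read_le16() {
    set -- $(od -An -tu1 -j "$2" -N 2 "$1")
    [ "$#" -eq 2 ] || return 1      # file too short
    echo $(( $1 + $2 * 256 ))
}

# ext2_mount_count FILE: print s_mnt_count, fail if the magic is missing.
ext2_mount_count() {
    magic=$(read_le16 "$1" 1080) || return 1
    [ "$magic" -eq 61267 ] || { echo "no ext2 magic in $1" >&2; return 1; }
    read_le16 "$1" 1076
}

# mounted_between BEFORE AFTER: succeed if the counter advanced.
mounted_between() {
    [ "$2" -gt "$1" ]
}

# Constructed sample: a 2 KiB zero image carrying only those two fields.
make_sample() {   # make_sample FILE COUNT (0-255)
    dd if=/dev/zero of="$1" bs=1024 count=2 2>/dev/null
    printf "\\$(printf '%03o' "$2")" |
        dd of="$1" bs=1 seek=1076 conv=notrunc 2>/dev/null
    printf '\123\357' | dd of="$1" bs=1 seek=1080 conv=notrunc 2>/dev/null
}

img=$(mktemp)
make_sample "$img" 4; before=$(ext2_mount_count "$img")
make_sample "$img" 5; after=$(ext2_mount_count "$img")
mounted_between "$before" "$after" && echo "mounted: $before -> $after"
rm -f "$img"
```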

ea reopened this Dec 6, 2021
@balrog-kun

FTR the LCN1 uses a different SoC, an OMAP5948, something made by TI specifically for Bosch headunits, according to the internets. So none of the LCN2 tricks are likely to work on it, and neither are the Dxxx software updates. The hardware's probably based on a TI reference design and the software on a TI reference software so there may be little in common with the NEC stuff.

Now I found one pad that seems to send about the right amount of data for a boot log at 115200kbps but it's not text when I read it as standard UART. It may be a non-standard baudrate or it could be inverted, I need to try logging the rising and falling edges with timestamps on an ESP32 and hopefully I'll see something. There's another solder pad that sends less data, could be SPI or something else.

So in any case this whole thing isn't going to have much in common with this repo but if you don't mind I'll comment here when I have updates to keep a record of it.

And BTW I had a browser tab open from back when I bought the car, it's a qashqaiforums.co.uk thread about LCN2KAI reverse engineering, the people involved seem to have given up but there are some insights about the triton OS etc.

Owner

ea commented Dec 8, 2021

Cool, that forum thread is interesting. I haven't come across it before. Could you post a link to this repository there if you have an account?


duncho1 commented Dec 8, 2021

Hi ea,
Please send me a link and I will upload the firmware I have (D302, D503, D605). I am one of the 3 guys who tried to break in.
Duncho

@balrog-kun

Bad news for anyone hoping to do anything fun with LCN1 head units: they don't seem to run Linux. Personally I'm giving up on it but leaving some notes here for future reference. Feel free to close the issue since I think this was the only active topic.

The OMAP1 chip series (which OMAP5948 is part of) is pretty old and while it has good upstream Linux support it's also in a lot of non-Linux devices like Palm PDAs from around year 2000.

I've gone through every solder pad on the LCN1 main board (Nissan Connect 1 from J10 car) and marked what I found. All in all there's one UART serial output and a few pins that output something but are not UART.

[image: pins]

00 is the UART Tx at 57.6kbps and it outputs this (twice) in early startup and nothing else:

*******************
** ADR2-Software **
** Version 4.00  **
*******************
 > ADR-Main-Loop activ 

There doesn't seem to be a corresponding Rx pin or it has no local echo. It may connect to the main CPU or some other chip. Doesn't seem to go to any buffer or passive element. The main CPU is BGA so I can't trace it to a specific pin. There are some references to ADR2 on the web but nothing that fits, although one is an automotive crash recorder product and another is a key fob reader demo by Texas Instruments (who also makes the OMAP CPUs).

Other pins output some data during boot, after boot, during and after, and one also after power loss is detected. These may be I2C, SPI, CANbus, etc., I didn't bother checking, but most seem to just output short positive pulses.


IglooBY commented Apr 18, 2023

Good afternoon. I found your information on the net on Bosch radios. I have a Nissan Qashqai and a radio tape recorder LCN2KAI (photo below), but with firmware D605. Tell me, is it possible to somehow use your knowledge and ask for help from you? The fact is that every time you start the car engine, a license agreement appears on the screen and you must press the "Accept" button on the screen in order to start navigation. I can assume that this setting may be somewhere in some configuration file and it could be turned off? Thank you very much in advance for your help.

[two attached images]

Owner

ea commented Apr 21, 2023

I have seen some region-specific strings and settings here and there while reversing the software, but nothing that would obviously and easily get you to skip that particular nag screen. I am not sure where and how the region is controlled but that might be one way of changing it.


IglooBY commented Apr 22, 2023

> I have seen some region-specific strings and settings here and there while reversing the software, but nothing that would obviously and easily get you to skip that particular nag screen. I am not sure where and how the region is controlled but that might be one way of changing it.

I unpacked the D605 firmware and studied its files a little. Found that the message about the license agreement is displayed in the file prochmi_out.out. I also tried reversing it in IDA Pro, but I could not find a place where this message is specifically displayed and the "Accept" button is expected to be pressed. I really hoped that I would find some configuration file where the message can be disabled through the parameter. Didn't find anything either.


RWayne93 commented Nov 2, 2024

I got a Sentra 2014 SR with this head unit and I don't think ext2 file system is supported on my system as well since it doesn't reboot after trying the flash drive


IglooBY commented Nov 3, 2024 via email

Owner

ea commented Nov 4, 2024

> I got a Sentra 2014 SR with this head unit and I don't think ext2 file system is supported on my system as well since it doesn't reboot after trying the flash drive

Can you tell me the hardware and software version of your system?
Also, how exactly did you prepare the flash drive?

Cheers,
ea


RWayne93 commented Nov 10, 2024

> > I got a Sentra 2014 SR with this head unit and I don't think ext2 file system is supported on my system as well since it doesn't reboot after trying the flash drive
>
> Can you tell me the hardware and software version of your system?
>
> Also, how exactly did you prepare the flash drive?
>
> Cheers,
>
> ea

I am not sure because I also can't get the secret menu to appear; picture added for reference.

I flashed the drive with dd using the provided test script.

[image]
