Compare with MMI is completely different

to examine the console port of the MIB is not the problem ... the root passphrase behind is the real goal :-(

For me, signature and port definitions are problems

In that way, you're right. But the HB and elektrobit guys are much better this time ... They locked the backdoors ;-)

The same problems... Even the signature that necessary to run the copie_scr ...

The same problems... Even the signature that necessary to run the copie_scr ...

Yeah,yeah After this sign, maybe everything all right

After I unpack the APP is also not found any way to bypass signatures，Need a programmer to do a thing - to bypass signatures

Although I don't know how to use the pictures in the interface, but it looks like the entrance is a convenient maintenance

I guess they are used for MMX and V850 debugging interface

Manufacturers need this interface is reserved to rework certain machines

Should you want to make a good match tool to connect them



Can someone do some connectors to sales? I need to

So sad that requires a password！！！！:confusion:

How did you connect? Which pins?

closepIPL: A024 (C2 sample) ver.12144A [built 2012-04-05 15:31:38 2445784+]
CPU: PG2.1, 600/570/400 MHz (ARM/DSP/DDR)
RAM: 128 MB
Flash: 64 MB (GL-N type)
IOC boot mode: N3S.
[fastboot2: ARM=8540000/2 +8BE0000 DSP=BD00000]
*** WARNING: Enabling DSP access to the entire RAM!
Startup: PL_qnx_startup-jacinto5-v7_Dev_MibJ5_13061A, built 2013/02/04_07-49-16_UTC
Board: 0000a024.000000c2
Command: -x 0x87000000,0x01000000 -C 880,0 -wb
RAM: 128 MB
FLASH: 64 MB @0x08000000
Allocing from 87000000 for 01000000
dsp_mem_count= 00000001
DSP: loader c674x_ipl_T04 (Sep 20 2011 15:35:39), args @81ee7400 (512)
Added GPIO-callouts
Setting GPIO 0
Setting GPIO0_FAL to 00001000
Setting GPIO0_RIS to 00000004
Setting GPIO 2
Setting GPIO2_INTSET0 to 00004000
Setting GPIO2_INTSET1 to 00010000
VFPv3: fpsid=410330c3
coproc_attach(10): replacing fe087140 with fe0869e0
coproc_attach(11): replacing fe087140 with fe0869e0
Welcome - Harman/Becker Audi MIB - Build SOP2-Trunk_rcc_d1-13103B
QNX rcc 6.5.0 2011/11/22-16:57:17EST MiB-RCC armle
# TraceSettings for MIB Default
MID: loading persistent data from /var/opt/sys/diagpers.txt.
[t(p) usr/apps/MMX2RCCEarlyApp 65566 13 11 1028014]
Agentstarter Event 0, Details 0
[t(p) usr/apps/MIBRoot 98339 3 10 7800d330]


IOC version App: 1226
IOC version Bolo: U127
IOC Variant:= BOLOTYPE_MIB1_MQB + APPLTYPE_MIB1_MQB
[MSG]@6887 (98339.0): OOcS: getHardwareSample: hwSample = 0x28
[MSG]@6888 (98339.0): OOcS: getHardwareVariant: IocVariant = 0x11
[MSG]@6890 (98339.0): OOcS: IOCBoloMode: 0, if true SYSTEM-ON will be triggered...
[MSG]@6892 (98339.0): OOcS: Upd. newSystemState: 106
Engineering mode not active for this module 0x286f058c (key --> 0xf)
Engineering mode not active for this module 0x286f058c (key --> 0xf)
Engineering mode not active for this module 0x1e (key --> 0x0)
[MSG]@7189 (98339.0): OOcS: Upd. newSystemState: 14
CameraStateValue = 0, state = 2
[t(p) bin/AudioProcess 188434 8 10 103822c]
[MSG]@8227 (98339.0): OOcS: Upd. newSystemState: 121
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) bin/io-pkt-v4 57364 2 21 7803d7a0]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
Unable to access /dev/shmem/AudioFadedIn
average erase count = 492.26
totally erased = 3507.38 MB
eso fw RCC: >FRAMEWORK_VERSION=5.3.7 MIB1SOP2 I41 CI13 G1.23<
eso fw MMX: >Framework = 5.8.2 MIB1MAIN I49 CI17<
multicored [000000016.761]:version 4.6.k_special, verbosity 1 (supported 4), scope 0x00000001, console: /dev/ser1 (fd=3), FILE_LOGGING, TESTCONTROL, DYNAMIC_LOAD
multicored [000000016.765]:using 750 buffers of size 1460 (total 1095000 bytes)
multicored [000000016.782]:going quiet
mib_ioc_update is running
copy_script is running
[t(p) usr/apps/dev-irc 282673 1 10 12e794]
[t(p) bin/io-pkt-v4 57364 2 11 17615c]
[t(c) usr/apps/MIBRoot 98339 83 11 1037cf8]
Password:[MSG]@21232 (98339.0): OOcS: Upd. newSystemState: 14
[t(p) usr/bin/grep 307256 1 10 1057a0]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) usr/apps/MIBRoot 98339 83 11 7800cdf4]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
Engineering mode not active for this module 0x286f058c (key --> 0xf)
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
Engineering mode not active for this module 0x25 (key --> 0x250006)
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) bin/dev-i2c 57357 8 10 103318c]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) bin/dev-tuner-amfm 147499 8 20 101cca8]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) bin/dev-tuner-amfm 147499 9 10 1014538]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) bin/dev-tuner-amfm 147499 9 10 19a00c]
[t(p) bin/io-pkt-v4 57364 2 21 140394]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
showtimes-jacinto5: PL_qnx_showtimes_11242A, built 2011/06/14_13-32-41_UTC
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe0875c0]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]


Login incorrect
login: [t(p) bin/dev-tuner-amfm 147499 9 10 7808b898]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]


login: [t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) bin/dev-tuner-amfm 147499 9 10 105af58]
root
Password:[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]


Login incorrect
login: [t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) bin/dev-tuner-amfm 147499 9 10 1051a0c]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]
[t(p) bin/io-pkt-v4 57364 2 21 1450b8]
[t(p) proc/boot/procnto-j5-instr 1 1 0 fe08e830]







What's behind all the same, don't know how to break this cycle, enter the command

Thats what I told you. You need the root PW for this way to enter the console... An other way was to push a new passwd and shadow into mashine by FW update... But they have signatures on it.
w/o the private keys, it´s sooo difficult!

Maybe Sergei they know how to solve this problem?

In " A6 4G MIB " someone in this thread gives a public key, it looks like from the inside out copies of the host

http://turbo-quattro.com/showthread.php?19874-Audi-A6-4G-MIB-Head-Unit-HIGH/page2 28#



Maybe someone will know the people inside the host plant, get some information?

Hello,

Anyone knows "where " to find the keys we all need ? I have a few systems with root acces so i should be able to get out this key if i know where it is found, eg, what folder .

Regards,

The public key can only be found in the firmware

Does anyone know the serial port Login Password decode it?

This file do? （shadow_rcc） ，it`s in the ETC


我想有人肯定早已经知道密码了，我� �要加油！

I'm sure someone's already knew the password, I have to go!