
View full version: autorun script VW Discover Pro



okmer
05.04.2016, 17:06
In Discover Pro firmware 388 it is possible to execute a script named autorun placed on a USB stick:
from etc/mcd.conf:

[AUTORUN]
Callout = FNAME_MATCH
Argument = /autorun
Match Rule = INSERTED
Fail Rule = SW_UPDATE

However, autorun is only executed when there is a matching signature in a file called autorun.sig.

I think autorun.sig must contain a SHA1 hash of autorun, but that autorun is scrambled similarly to copie_scr.sh in the Audi MIB, though not exactly the same.
The check is performed in the ELF file autorunner; when autorun is loaded it will show the png files below:

Here is a piece of pseudocode from autorunner:

DataFileBytes = ReadDataFile(hDataFile);
if ( DataFileBytes )
{
  SignatureFileBytes = ReadSignatureFile(hSignatureFile);
  SignatureFileBytesVar = SignatureFileBytes;
  if ( SignatureFileBytes )
  {
    SignatureFileBytesOffset3 = SignatureFileBytes[3];
    if ( HashFileSha1(DataFileBytes[3], DataFileBytes[2], &Sha1Hash) == 1 )
    {
      fwrite("[autorunner] Failed to calculate SHA1 hash", 1u, 0x2Au, (FILE *)&Stderr);
      fputc(10, (FILE *)&Stderr);
      fflush((FILE *)&Stderr);
    }
    else if ( sub_102D9C(
                (int)&Sha1Hash,
                SignatureFileBytesOffset3,
                0x106B78,
                (unsigned __int8 *)&dword_106B68[36]) )

It takes a normal SHA1 hash of the file, but then sub_102D9C does something I don't understand.
dword_106B68 is a large array:

LOAD:00106B68 dword_106B68 DCD 0x9302130, 0xE2B0506, 0x51A0203, 0x140400, 0x23014CDA
LOAD:00106B68 DCD 0x577F385A, 0x7F74C77E, 0x5A4225EE, 0x5F0D17E6, 0x44F768D3
LOAD:00106B68 DCD 0xACA00C32, 0x9DA05E8C, 0xA2DCE67, 0x697DCA67, 0xF460E8AA
LOAD:00106B68 DCD 0x351ADB6A, 0x5A8B1317, 0x6AAB4480, 0x79977987, 0xCFB62FC5
LOAD:00106B68 DCD 0xF271641E, 0x6FCFFFDB, 0x125781C5, 0x4C0B99EB, 0xD606FCFC
LOAD:00106B68 DCD 0xF19D2E10, 0xDE167181, 0xA9C480F0, 0x6B1C99E4, 0x7549E0C0
LOAD:00106B68 DCD 0xC07CE5CC, 0xABFE4E9E, 0xF8078B03, 0x4F390997, 0x2A5CA779
LOAD:00106B68 DCD 0x27B2E66F, 0x10001

Here is the code from sub_102D9C:

signed int __fastcall sub_102D9C(int a1, int a2, int a3, unsigned __int8 *a4)
{
  int v4; // r4@1
  signed int v5; // r3@2
  int v6; // r3@4
  signed int v7; // r2@4
  char *v8; // r2@6
  int v9; // r3@6
  signed int v10; // r3@9
  char v12[128]; // [sp+0h] [bp-110h]@1
  char v13; // [sp+80h] [bp-90h]@2
  char v14; // [sp+81h] [bp-8Fh]@2
  char v15; // [sp+DCh] [bp-34h]@4
  char v16; // [sp+100h] [bp-10h]@5

  v4 = a1;
  // a2 = signature bytes, a3 = 128-byte modulus at 0x106B78, exponent = 3 bytes at a4 (0x010001); result in v12
  if ( !sub_103B88(a2, a3, a4[2] | (*a4 << 16) | (a4[1] << 8), (int)v12) )
  {
    v13 = 0;                  // expected block, byte 0..1: 00 01
    v14 = 1;
    v5 = 2;
    do
      *(&v13 + v5++) = -1;    // bytes 2..91: 0xFF padding
    while ( v5 != 92 );
    v6 = 0;
    v15 = 0;                  // byte 92: 00 separator
    v7 = 93;
    do
    {
      *(&v16 + v7 - 128) = *(_BYTE *)(v6 + 0x106B68);  // bytes 93..107: 15 bytes from start of table
      v7 = (unsigned __int16)(v7 + 1);
      ++v6;
    }
    while ( v6 != 15 );
    v8 = &v13;
    v9 = 0;
    do
      (v8++)[108] = *(_BYTE *)(v4 + v9++);  // bytes 108..127: the 20-byte SHA1 hash (a1)
    while ( v9 != 20 );
    if ( v13 == v12[0] )      // compare all 128 bytes against the sub_103B88 output
    {
      v10 = 1;
      while ( *(&v13 + v10) == v12[v10] )
      {
        if ( ++v10 == 128 )
          return 1;
      }
    }
  }
  return 0;
}

signed int __fastcall sub_103B88(int a1, int a2, unsigned int a3, int a4)
{
  int v4; // r12@1
  int v6; // [sp+0h] [bp-88h]@2
  char v7; // [sp+7Ch] [bp-Ch]@3
  char v8; // [sp+7Dh] [bp-Bh]@3
  char v9; // [sp+7Eh] [bp-Ah]@3
  char v10; // [sp+7Fh] [bp-9h]@3

  v4 = 0;
  do
    *((_BYTE *)&v6 + v4++) = 0;
  while ( v4 != 124 );
  v9 = BYTE1(a3);
  v10 = a3;
  v8 = a3 >> 16;
  v7 = BYTE3(a3);
  return sub_1037E4(a1, a2, (int)&v6, a4);
}


I'm looking for the calculation of the hash in autorun.sig so that it will match; maybe someone has an idea or has seen this before?

PS: I also found a challenge/response system in the unit that allows root access via telnet without a password, but I need to tackle this one first...

zerbino
05.04.2016, 23:05
This reminds me of something.. :D

audijiJQ
06.04.2016, 15:39
You will discover great things

okmer
16.04.2016, 16:42
*bump* Anyone with ideas? I have useful information to trade if that helps, for instance how the public keys are created and can possibly be replaced by your own private/public keys.

ZippeR
23.04.2016, 08:52
Old firmwares, such as 200, don't need a signature :)

okmer
09.05.2016, 11:56
Yes, on firmware <= 200 you can run an encoded script (if the green menu is enabled). This is the replacement for firmware >200, and AFAIK a downgrade is not possible...

Tschako
09.05.2016, 12:45
The MIB for Audi with FW release P01048 and lower accepts the encoded scripts directory.
Release P1531 can sometimes be downgraded; it depends on the hardware version of the unit.
Newer HW is not supported by P1048 and lower versions... Here we need an idea or a password. ;-)

Both are welcome!

audijiJQ
12.05.2016, 06:25
:(
I activated the MMX Emergency

echo "Emergency Flash Utility will start on next boot."
echo
echo "If the emergency update doesn't start please check that"
echo "the SD card also contains the 'update***.dat'-files."
echo "These files are provided with every build in the file"
echo "UPD_NORMAL_<VERSION_NAME>.zip"

But how to do the update.dat? Or exit EMG?

I reflashed RCC-fs0 successfully, but it's NOK


/net/mmx/dev
bpf mcd pci sda0 tap0 ttyp5
bpf0 mem pipe sda0t11 tap1 ttyp6
cam0 mnand0 profiler sem tap2 ttyp7
cd0 name ptyp0 ser1 tap3 tun0
console netmgr ptyp1 shmem text tun1
crypto null ptyp2 slog tty tun2
dbgmem nvgpio ptyp3 socket ttyp0 tun3
fs0 nvos ptyp4 stderr ttyp1 tymem
hd0 nvrm ptyp5 stdin ttyp2 zero
hd0t77 nvsku ptyp6 stdout ttyp3
io-usb nvtmon ptyp7 tap ttyp4

MMX fs0 and mnand0 partition unknown

malec
20.09.2016, 14:29
For FW K1540
MMX root pass: WyQYeuyS
RCC emergency mode pass: harman_f

Regards!

Scrat
07.11.2016, 10:38
@okmer

I've been looking into this myself, as I would like to be able to execute scripts from the SD card on my Audi MIB2.
Have you seen the last fname match in mcd.conf: mib_mmx_ultimate_challenge.txt? Any idea what that does?


[AUTORUN]
Callout = FNAME_MATCH
Argument = /autorun
Match Rule = INSERTED
Fail Rule = SW_UPDATE


[SW_UPDATE]
Callout = FNAME_MATCH
Argument = /metainfo2.txt
Match Rule = INSERTED
Fail Rule = CHALLENGE


[CHALLENGE]
Callout = FNAME_MATCH
Argument = /mib_mmx_ultimate_challenge.txt
Match Rule = INSERTED
Fail Rule = INSERTED

Scrat
29.11.2016, 17:45
@Okmer
You need to take all bytes starting from offset 0x106B78; this means skipping 0x10 bytes (16 bytes = 4 dwords) from the start of that memory block.

Result:
sub_102D9C(a1,a2,a3,a4)

where

byte[] a3 = 0x23014CDA, 0x577F385A, 0x7F74C77E, 0x5A4225EE, 0x5F0D17E6, 0x44F768D3, 0xACA00C32, 0x9DA05E8C, 0xA2DCE67, 0x697DCA67, 0xF460E8AA, 0x351ADB6A, 0x5A8B1317, 0x6AAB4480, 0x79977987, 0xCFB62FC5, 0xF271641E, 0x6FCFFFDB, 0x125781C5, 0x4C0B99EB, 0xD606FCFC, 0xF19D2E10, 0xDE167181, 0xA9C480F0, 0x6B1C99E4, 0x7549E0C0, 0xC07CE5CC, 0xABFE4E9E, 0xF8078B03, 0x4F390997, ...

byte a4 = 0x10001
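Putting okmer's decompilation and Scrat's offset together, what sub_102D9C checks is an RSA-1024 signature with PKCS#1 v1.5 padding over SHA-1: the 15 bytes copied to offsets 93..107 are the standard SHA-1 DigestInfo prefix, the 128 bytes at 0x106B78 are the public modulus and the 3 bytes at dword_106B68[36] are the exponent 65537, which is why no hash calculation alone can produce a matching autorun.sig. The Python below is an added example, not code from the thread or from the unit; it rebuilds the buffer exactly as the decompiled loops do and, since only the public half is in the binary, demonstrates a verification against a throwaway key generated on the spot. Big-endian byte order for the modulus and signature is an inference (the exponent is placed at the end of the 128-byte buffer in sub_103B88, and read that way the modulus is odd and exactly 1024 bits), and the demo key and sample script are constructed.

```python
import hashlib
import random

# The dword table okmer dumped from autorunner at 0x106B68 (LOAD:00106B68), as posted.
AUTORUNNER_TABLE = [
    0x9302130, 0xE2B0506, 0x51A0203, 0x140400, 0x23014CDA, 0x577F385A, 0x7F74C77E,
    0x5A4225EE, 0x5F0D17E6, 0x44F768D3, 0xACA00C32, 0x9DA05E8C, 0xA2DCE67, 0x697DCA67,
    0xF460E8AA, 0x351ADB6A, 0x5A8B1317, 0x6AAB4480, 0x79977987, 0xCFB62FC5, 0xF271641E,
    0x6FCFFFDB, 0x125781C5, 0x4C0B99EB, 0xD606FCFC, 0xF19D2E10, 0xDE167181, 0xA9C480F0,
    0x6B1C99E4, 0x7549E0C0, 0xC07CE5CC, 0xABFE4E9E, 0xF8078B03, 0x4F390997, 0x2A5CA779,
    0x27B2E66F, 0x10001,
]
TABLE = b"".join(d.to_bytes(4, "little") for d in AUTORUNNER_TABLE)  # ARM: little-endian dwords
DIGEST_PREFIX = TABLE[0:15]  # bytes the v7 loop copies to offsets 93..107 (SHA-1 DigestInfo)
MODULUS = int.from_bytes(TABLE[16:144], "big")  # 128 bytes from 0x106B78; big-endian assumed
EXPONENT = TABLE[146] | (TABLE[144] << 16) | (TABLE[145] << 8)  # a4[2] | (*a4 << 16) | (a4[1] << 8)

def expected_block(sha1_digest: bytes) -> bytes:
    """The 128-byte buffer sub_102D9C fills: 00 01, 90 bytes of FF, 00, DigestInfo prefix, hash."""
    return b"\x00\x01" + b"\xff" * 90 + b"\x00" + DIGEST_PREFIX + sha1_digest

def verify_autorun(data: bytes, sig: bytes, n: int = MODULUS, e: int = EXPONENT) -> bool:
    """Public-key operation on autorun.sig (what sub_103B88 hands to sub_1037E4), then the compare loop."""
    if len(sig) != 128:
        return False
    decrypted = pow(int.from_bytes(sig, "big"), e, n).to_bytes(128, "big")
    return decrypted == expected_block(hashlib.sha1(data).digest())

def _demo_prime(bits: int) -> int:
    """Random probable prime (Fermat test, a few bases); only for the throwaway demo key below."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, cand - 1, cand) == 1 for a in (2, 3, 5, 7, 11)):
            return cand

def demo_sign(data: bytes) -> tuple:
    """(signature, modulus) under a fresh throwaway 1024-bit key; a real autorun.sig needs the private key of MODULUS."""
    while True:
        p, q = _demo_prime(512), _demo_prime(512)
        n, phi = p * q, (p - 1) * (q - 1)
        if n.bit_length() == 1024 and phi % EXPONENT:  # 65537 is prime, so this is gcd(e, phi) == 1
            break
    em = int.from_bytes(expected_block(hashlib.sha1(data).digest()), "big")
    return pow(em, pow(EXPONENT, -1, phi), n).to_bytes(128, "big"), n

if __name__ == "__main__":
    script = b"#!/bin/sh\necho demo\n"  # constructed sample autorun content
    sig, n = demo_sign(script)
    print(verify_autorun(script, sig, n), verify_autorun(script, sig))  # True False
```

The second call shows the same signature failing against the modulus from the binary, which is the situation of any autorun.sig not produced with the unit's private key.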