PDA

Просмотр полной версии : Audi Connect data tethering on MIB2



Scrat
07.11.2016, 10:51
I'm trying to activate Audi Connect with usb data tethering on my A6 model 2017 with a MIB2 unit that does not have a simcard slot.
This was perfectly possible on the MMI3G+, as a lot of people on this forum know http://forums.audipassion.com/public/style_emoticons/default/icon6.gif, but the procedure has completely changed since audi's upgrade to the MIB2 platform.
I have already been successful in enabling all the Audi Connect functions and menu options.

These settings are no longer in the green menu:

Control unit: 5F Information Control Unit 1


<Long coding>
byte_15_Phone_NAD, On (OBDEleven)


<Adaptation>
IDE02122-Developer mode,Activated (OBDEleven)
IDE03471-ENG06575-Vehicle configuration-UOTA,On
IDE03471-ENG117848-Vehicle configuration-gracenote_online_coverarts,On
IDE03471-ENG117849-Vehicle configuration-gracenote_online_other,On
IDE03471-ENG117843-Vehicle configuration-my_audi,On
IDE03471-ENG117845-Vehicle configuration-online_dictation,On
IDE03471-ENG127495-Vehicle configuration-online_media,On
IDE03471-ENG117840-Vehicle configuration-online_navigation,On
IDE03471-ENG117837-Vehicle configuration-online_POI,On
IDE03471-ENG117838-Vehicle configuration-online_POI_voice,On
IDE03471-ENG117839-Vehicle configuration-online_portal_browser_services,On
IDE03471-ENG117841-Vehicle configuration-online_street_view,On


I've discovered that on the MIB2 the only supported ethernet device is the D-Link DUB-E100 (Revision B1 or C1).
On the MMI3GP you could also use any other usb dongle based on the ASIX chipset, but not anymore.



#D-Link DUB-E100 USB Dongle
device(usb, ven=2001,dev=3c05)
device(usb, ven=2001,dev=1a02)



Also, after inserting this device a script called extnet.sh is started:


start ( /etc/scripts/extnet.sh )


This script will automatically route all internet traffic and diagnostics to the ip of the ethernet dongle, but it will only do this if a marker file named 'dataoverdlink' is present:


if [[ -e /var/dataoverdlink ]]; then
# Set default route for debugging and data
/mnt/app/armle/sbin/route add default 172.16.250.248
echo "extnet.sh: /var/dataoverdlink was found -> Use $IFACE for internet traffic and debugging"


Does anyone have an idea how i can execute a script on my unit ?

ezdevelop
08.11.2016, 08:17
/var/dataoverdlink is an empty file, just as a mark.You have to telnet & login to the main unit via USB ethernet.
touch /var/dataoverdlink reboot for activation!"

Scrat
08.11.2016, 11:07
You are right, for the debugging interface (en0) there are different firewall rules in pf.conf, so i should be able to access the unit over telnet



################################################## ##############################
### Tranalation rules (NAT/redirection)
################################################## ##############################
## port redirections for RCC access
rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 123 -> $rcc_if port 23
rdr pass on $dbg_if proto {tcp,udp} from any to ($dbg_if) port 445 -> $rcc_if
rdr pass on $dbg_if proto {tcp,udp} from any to ($dbg_if) port 851 -> $rcc_if
rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 7718 -> $rcc_if port 7618
rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 7725 -> $rcc_if port 7625
rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 7727 -> $rcc_if port 7627
rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 7877 -> $rcc_if port 7777
rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 7800 -> $rcc_if
rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 8100 -> $rcc_if port 8000
rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 18193 -> $rcc_if
rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 57005 -> $rcc_if


i'll just need to get the root password. Does anyone know a faster way than john ?

malec
08.11.2016, 16:20
Hi!

Here is some sort of disassembled code. I hope you understand it is almost impossible to crack.

Scrat
08.11.2016, 18:02
So there is a socket server called 'challenge' on port 22111 that will temporarily replace the root and user passwords with blanks by executing


pathmgr_symlink("/etc/nopasswd", "/etc/passwd")

I had previously noticed that nopasswd file in the system image, now i know what it is for.

The bad news is that it requires a response (in mib_mmx_ultimate_response.txt) to a challenge file that it writes the first time an sdcard with that file is inserted (mib_mmx_ultimate_challenge.txt),
This response hash is verified using the public key on the unit in /ifs/challenge.pub, so i call this a dead end.

I guess i will just try to retrieve the root password from the system image hash, but that is going to take a while.

malec
08.11.2016, 18:32
For much faster way to get the pass for that HASH, look for GPU hash cracking.

zerbino
09.11.2016, 00:07
Find hash forum and buy decoding for 15-20eu.

Scrat
18.11.2016, 21:32
I can confirm that the DLink DUB-E100 Revision D1 also works on an audi MIB2 unit.
Apparently it has the same usb VID/PID as revision C1.

52918

ezdevelop
19.11.2016, 06:51
I can confirm that the DLink DUB-E100 Revision D1 also works on an audi MIB2 unit.
Apparently it has the same usb VID/PID as revision C1.

52918

That's right, MIB2 only support DUB-E100

Scrat
03.02.2017, 11:52
Could you take a look in the green menu under:
production/mmx_prod/onlineservices_prod

What is the value for OnlineState ?

I'm beginning to think that it'll be necessary to spoof the VIN..

edgaro
19.02.2017, 12:52
anyone knows if US unit with us phone module will work in EU ? or module GSM SIM bust be replaced on EU. in 3G+ work on 2G but its diff gsm then in mib

Tschako
19.02.2017, 17:39
Hi, the GSM Modules are differend for US and EU. You can update the US module to the EU software, but there was no support for G3 given.

For full UMTS G3 Speed, you have to change the GSM Module in the GSM group of the unit. There is an other thread here in the forum, we discussed tis isue in detail...
Use search function.

edgaro
20.02.2017, 21:27
I think u talk abaout 3G+ , im wondering if somebody know abaout MIB LTE GSM module

Tschako
20.02.2017, 21:49
Yes, I think there is a way to run LTE Module in MMI3GP. The problem seems not in the AT command set of the modules.
But the rest of the unit maybe to slow for an efficient data throughput like LTE...

edgaro
21.02.2017, 10:45
i think u still dont get me. i have a7 mib 2 usa and wondering if sim will work in EU or GSM module must be replaced

Tschako
23.02.2017, 18:05
Yes, sorry, I misunderstood. But the core message is quite the same for the MIB family. They use differend models of GSM modules in the case due to certification and RF requirements...

Scrat
10.03.2017, 12:10
@Congo

Can you give this a try ?
/bin/touch /tmp/ppp_connected

edgaro
13.03.2017, 23:36
i will buy gsm module from mib 2 EU

Scrat
14.03.2017, 15:59
@edgaro
in theory you could even use the usb development modules, see here in "usblauncher.lua":

-- Huawei ME909Tu/Au-120
device(0x12d1, 0x1573) {
configuration(2) {
interface(0) {
driver"/etc/scripts/huawei.sh attached normal_mode vid=$(vendor_id),did=$(product_id),busno=$(busno), devno=$(devno) -opath=$(USB_PATH),busnum=$(busno),devnum=$(devno)";
removal"/etc/scripts/huawei.sh removed normal_mode vid=$(vendor_id),did=$(product_id),busno=$(busno), devno=$(devno) -opath=$(USB_PATH),busnum=$(busno),devnum=$(devno)";
};
};


configuration(1) {
interface(0) {
driver"/etc/scripts/huawei.sh attached swdl_mode vid=$(vendor_id),did=$(product_id),busno=$(busno), devno=$(devno) -opath=$(USB_PATH),busnum=$(busno),devnum=$(devno)";
removal"/etc/scripts/huawei.sh removed swdl_mode vid=$(vendor_id),did=$(product_id),busno=$(busno), devno=$(devno) -opath=$(USB_PATH),busnum=$(busno),devnum=$(devno)";
};
};
};

-- Cinterion AH6A (3G)

device(0x1e2d, 0x0055) {
interface(0) {
driver"/etc/scripts/ah6a.sh path=$(USB_PATH),vid=$(vendor_id),did=$(product_id ),busno=$(busno),devno=$(devno),ign_remove,module= wireless_modules";
removal"/etc/scripts/ah6a_removed.sh";
};
-- Don't try matching any generic rules for the other interfaces
interface(1,127) {
Ignore;
};
};


-- Cinterion ALS1/ALS6 (4G)
device(0x1e2d, 0x0060) {
interface(0) {
driver"/etc/scripts/als6.sh path=$(USB_PATH),vid=$(vendor_id),did=$(product_id ),busno=$(busno),devno=$(devno),ign_remove,module= wireless_modules -opath=$(USB_PATH),busnum=$(busno),devnum=$(devno), classid=0xff,subclassid=0xff /lib/dll/devnp-ecmplus.so /dev/serecm0";
removal"/etc/scripts/als6_removed.sh";
};
-- Don't try matching any generic rules for the other interfaces
interface(1,127) {
Ignore;
};
};

malec
14.03.2017, 16:17
@scrat

This is not for development purpose. The LTE modem is actually connected through a USB port. I don't think you will find LTE USB stick with cinterion modem inside.

From MMX Delphi unit log:

SLF: 00:00:10.509 5 12 100 USB-1.1:0: vid=1e2d, did=0060: Launch /etc/scripts/cintlte.sh path=/dev/io-usb/io-usb,vid=0x1e2d,did=0x60,busno=0x1,devno=0x1,ign_re move,module=wireless_modules -opath=/dev/io-usb/io-usb,busnum=0x1,devnum=0x1,classid=0xff,subclassid= 0xff /lib/dll/devnp-ecmplus.so /dev/serecm0

Scrat
14.03.2017, 16:21
I know that the original model is connected through a usb port, and i'm not talking about a usb 'stick', but there are developer modules from cinterion that could be used (sold directly by Gemalto):
https://webstore.gemalto.com/INTERSHOP/web/WFS/GEMALTO-B2CCORP-Site/en_US/-/EUR/ViewProduct-Start?SKU=A1898898A&CatalogID=M2M&CategoryName=M2M

Edit: I would like to point out that this is untested.

Scrat
14.03.2017, 16:25
But really, i don't think that any of this is necessary. There are drivers for using the WLAN in client mode present in the MIB2 firmware, and the connection manager has code to support and configure it.
You can even see this in the green engineering menu, there is an extra adapter interface called mlan0 (mobile lan).

I'm still figuring out how to enable the option, but it's a lot of work.

edgaro
11.04.2017, 10:45
Anyone knows if ER host send data for US vins ? for traffic

aleka
27.08.2017, 21:41
Please, help me create "dataoverdlink" file in VAR folder. I have connect to VW MIB2 with D-Link dub-e100, have ping 172.16.250.248, green menu is active. I want route internet traffic to the ip of the ethernet dongle. I try create update file, consisting metainfo2.txt file and VAR folder with empty "dataoverdlink" file, but it don't work. Can anybody help me to correct metainfo2.txt file?

################################################## ###########################
#
# This is the description file for the Software Update of Audi components
#
################################################## ###########################

[common]
MetafileChecksum = "561d435951f1b40fccac912eb5cd2219ca40ab19"
skipSaveTrainName = "true"
vendor = "AUDI"
region = "Europe"
variant = "FMU-*-*-EU-AU*"
variant2 = "FMU-*-*-EU-VW*"
variant3 = "FM2-*-*-EU-VW-*"
variant4 = "FM2-*-*-EU-AU-*"
variant5 = "FM2-*-*-EU-PO*"
variant6 = "FM2-*-*-EU-PO-*"
variant7 = "FM2-H-*-EU-SK-MQB"
variant8 = "FMQ-*-*-EU-AU-MLE"
variant9 = "*-*-*-EU-AU-*"
release = "2012/2013"
skipMetaChecksum = "true"
skipFileCopyChecksum = "true"
UserSWDL = "true"

[var]
VendorInfo = "DLINK"
DeviceDescription = "Network adapter"

[var\]
FileName = "dataoverdlink"
FileSize = "0"
CheckSum = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
Version = "1"
AppName = "Dataoverdlink"

andrius
07.09.2017, 13:31
How did you make it ping? :) i have connected same device, i see device is active and recognized by mib, but no PING pass other that IP :) many thanks for info :)

aleka
07.09.2017, 22:34
How did you make it ping? :) i have connected same device, i see device is active and recognized by mib, but no PING pass other that IP :) many thanks for info :)

I have setting IP adress in Windows 7 LAN connection to fixed 172.16.250.247 /255.255.0.0, then open CMD.EXE and write " ping 172.16.250.247 ". Or in windows telnet write " open 172.16.250.248 23 ", it give back request of login and password, which i don't know.

walawa75
18.02.2018, 14:32
Hello all,

Is someone succeeded to enable this feature ? I tried to connect with telnet but without the root password, I can't do anything. How to get it please ? And how to activate the tethering ?

Thank you

TheRavenOo
17.09.2018, 16:20
Hello,

I got my hands on an 8V1035035C mib2 with sw index 1326. does anyone know the root password from this or have the firmware files?

Thanks

Deezell
10.10.2018, 13:37
Hello. I am new to this forum. I am writing in English. I have a car that is the same as the original poster, Scrat. I have been searching many threads to find out how to connect data into the USB port, and enable Google maps and Audi connect. My car has MIB system. It has no AMI port. Control module 5F is different. I have used OBD eleven to enable red engineering menu and Green engineering/developer menu. I then found the correct buttons to open them on this site, post #1.

https://cartechnology.co.uk/showthread.php?tid=34635

On this site they discuss the hashed password. One post gives the password from the hash. This is in post #26. he states:

"RE: Green Menu MIB2 Audi A6/A7 + Red Menu ( update )Sorry ,I did not see this replay
My english is terrible
the password is
xxGvoFcxCZZmM = H0ga6uyk
I do not know how to upload picture in reply post.
I use odis -e with 5054 can change map region."

I am hoping this password might help someone who has more knowledge that I have. I hope that someone here will succeed in connecting data into Audi A6 MIB MMI, facelift car from 2015 on.

Absetup
06.02.2019, 17:21
pls i need password for this unit
5G0 035 043C 0290
MHIG_EU_VW_P1054

Absetup
06.02.2019, 17:22
pls i need password for this unit
5G0 035 043C 0290
MHIG_EU_VW_P1054