autorun script VW Discover Pro

    In Discover Pro firmware 388 it is possible to execute a script named autorun placed on USB stick:
    from etc/mcd.conf:
    Код:
    [AUTORUN]
    Callout     = FNAME_MATCH
    Argument    = /autorun
    Match Rule  = INSERTED
    Fail Rule   = SW_UPDATE
    However autorun is only executed when there is a matching signature in file called autorun.sig.

    I think autorun.sig must have sha1 hash of autorun but that autorun is scrambled similar to copie_scr.sh in audi MIB but not exactly the same.
    The check is performed in the ELF file autorunner; when autorun is loaded it shows the PNG files below:
    fail.png, success.png, wait.png

    Here is a piece of pseudo code from autorunner:
    Код:
          // Excerpt of the autorunner check as posted (decompiler output). The listing stops
          // inside the else-if condition, so the accept/reject branches are not visible here.
          // NOTE(review): the ReadDataFile/ReadSignatureFile results are indexed like arrays;
          // slots [3] and [2] are presumably a data pointer and a length - confirm.
          DataFileBytes = ReadDataFile(hDataFile);
          if ( DataFileBytes )
          {
            SignatureFileBytes = ReadSignatureFile(hSignatureFile);
            SignatureFileBytesVar = SignatureFileBytes;
            if ( SignatureFileBytes )
            {
              // Slot [3] of the signature-file record is what is handed to sub_102D9C as a2.
              SignatureFileBytesOffset3 = SignatureFileBytes[3];
              // A return value of 1 from HashFileSha1 is treated as failure.
              if ( HashFileSha1(DataFileBytes[3], DataFileBytes[2], &Sha1Hash) == 1 )
              {
                // 0x2A = 42 is the length of the message; fputc(10) appends the newline.
                fwrite("[autorunner] Failed to calculate SHA1 hash", 1u, 0x2Au, (FILE *)&Stderr);
                fputc(10, (FILE *)&Stderr);
                fflush((FILE *)&Stderr);
              }
              // Arguments: the SHA-1 digest, the signature-file data, address 0x106B78
              // (dword_106B68 + 0x10) and the address of dword_106B68[36] (0x10001).
              // sub_102D9C as listed on this page compares a 128-byte block derived from the
              // signature data with 00 01 FF.. 00 | 15-byte prefix | digest. NOTE(review): that
              // is consistent with an RSA PKCS#1 v1.5 signature check, in which case autorun.sig
              // holds a signature made with a private key, not a plain or scrambled hash.
              else if ( sub_102D9C(
                          (int)&Sha1Hash,
                          SignatureFileBytesOffset3,
                          0x106B78,
                          (unsigned __int8 *)&dword_106B68[36]) )
    It takes a normal sha1hash of file but then sub_102D9C does something I don't understand.
    dword_106b68 is a large array:
    Код:
    ; Layout as used by sub_102D9C and its caller on this page (byte values assume the
    ; dwords are stored little-endian):
    ;   +0x00, 15 bytes : 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 - the ASN.1 DigestInfo
    ;                     prefix for SHA-1 used in PKCS#1 v1.5 signatures; the 16th byte is 00.
    ;   +0x10 (0x106B78): 32 dwords = 128 bytes, passed as a3; presumably a 1024-bit RSA
    ;                     modulus (byte order not confirmed from the listing).
    ;   index 36 (last) : 0x10001 = 65537, read as three bytes by sub_102D9C; presumably the
    ;                     RSA public exponent.
    LOAD:00106B68 dword_106B68    DCD 0x9302130, 0xE2B0506, 0x51A0203, 0x140400, 0x23014CDA
    LOAD:00106B68                 DCD 0x577F385A, 0x7F74C77E, 0x5A4225EE, 0x5F0D17E6, 0x44F768D3
    LOAD:00106B68                 DCD 0xACA00C32, 0x9DA05E8C, 0xA2DCE67, 0x697DCA67, 0xF460E8AA
    LOAD:00106B68                 DCD 0x351ADB6A, 0x5A8B1317, 0x6AAB4480, 0x79977987, 0xCFB62FC5
    LOAD:00106B68                 DCD 0xF271641E, 0x6FCFFFDB, 0x125781C5, 0x4C0B99EB, 0xD606FCFC
    LOAD:00106B68                 DCD 0xF19D2E10, 0xDE167181, 0xA9C480F0, 0x6B1C99E4, 0x7549E0C0
    LOAD:00106B68                 DCD 0xC07CE5CC, 0xABFE4E9E, 0xF8078B03, 0x4F390997, 0x2A5CA779
    LOAD:00106B68                 DCD 0x27B2E66F, 0x10001
    here is code from sub_102D9C:
    Код:
    /*
     * Checks a signature block against a SHA-1 digest (decompiler output; names are
     * auto-generated and the closing brace is missing from the posted listing).
     *
     * a1: address of the digest; 20 bytes are copied from it.
     * a2, a3: forwarded unchanged to sub_103B88. In the posted caller a2 is the
     *         signature-file data and a3 is 0x106B78 (dword_106B68 + 0x10).
     * a4: three bytes combined big-endian into one integer; the caller passes
     *     &dword_106B68[36], i.e. 0x10001.
     * Returns 1 when all 128 bytes match, 0 otherwise (including a non-zero result
     * from sub_103B88).
     *
     * By their stack offsets v13, v14, v15 and v16 are not independent variables:
     * v13 (sp+0x80) is byte 0 of a 128-byte expected block that ends just before
     * v16 (sp+0x100). The block is built as
     *     00 01 | FF x 90 | 00 | 15 bytes from 0x106B68 | 20-byte digest
     * which is the EMSA-PKCS1-v1_5 encoding for a 128-byte (1024-bit) RSA modulus.
     * NOTE(review): this is presumably an RSA signature verification, with v12
     * receiving signature^exponent mod modulus from sub_1037E4 (not shown). If so, a
     * valid autorun.sig can only be produced with the matching private key.
     * NOTE(review): comparing the whole encoded block, rather than parsing the padding,
     * is the strict form of this check; 1024-bit RSA with SHA-1 is below current
     * recommendations for code signing.
     */
    signed int __fastcall sub_102D9C(int a1, int a2, int a3, unsigned __int8 *a4)
    {
      int v4; // r4@1
      signed int v5; // r3@2
      int v6; // r3@4
      signed int v7; // r2@4
      char *v8; // r2@6
      int v9; // r3@6
      signed int v10; // r3@9
      char v12[128]; // [sp+0h] [bp-110h]@1
      char v13; // [sp+80h] [bp-90h]@2
      char v14; // [sp+81h] [bp-8Fh]@2
      char v15; // [sp+DCh] [bp-34h]@4
      char v16; // [sp+100h] [bp-10h]@5
    
    
      v4 = a1;
      // The third argument is a4[0..2] read as a big-endian 24-bit value; v12 is the
      // 128-byte output buffer. A zero return is treated as success.
      if ( !sub_103B88(a2, a3, a4[2] | (*a4 << 16) | (a4[1] << 8), (int)v12) )
      {
        // Bytes 0 and 1 of the expected block: 00 01.
        v13 = 0;
        v14 = 1;
        v5 = 2;
        // Bytes 2..91: ninety 0xFF padding bytes (-1 stored in a char).
        do
          *(&v13 + v5++) = -1;
        while ( v5 != 92 );
        v6 = 0;
        // v15 sits at sp+0xDC, i.e. byte 92 of the block: the 00 separator.
        v15 = 0;
        v7 = 93;
        // Bytes 93..107: &v16 - 128 equals &v13, so this copies the first 15 bytes of
        // dword_106B68 (0x106B68) behind the separator.
        do
        {
          *(&v16 + v7 - 128) = *(_BYTE *)(v6 + 0x106B68);
          v7 = (unsigned __int16)(v7 + 1);
          ++v6;
        }
        while ( v6 != 15 );
        v8 = &v13;
        v9 = 0;
        // Bytes 108..127: the 20 digest bytes read from a1.
        do
          (v8++)[108] = *(_BYTE *)(v4 + v9++);
        while ( v9 != 20 );
        // Byte-by-byte comparison of the expected block with v12; every one of the
        // 128 bytes has to match for the function to return 1.
        if ( v13 == v12[0] )
        {
          v10 = 1;
          while ( *(&v13 + v10) == v12[v10] )
          {
            if ( ++v10 == 128 )
              return 1;
          }
        }
      }
      return 0;
    
    /*
     * Widens the integer a3 into a 128-byte big-endian buffer and forwards it, together
     * with a1, a2 and the output address a4, to sub_1037E4 (decompiler output).
     *
     * By their stack offsets v6 (sp+0) and v7..v10 (sp+0x7C..sp+0x7F) form one 128-byte
     * buffer: 124 zero bytes followed by the four bytes of a3, most significant first.
     * With the value passed by sub_102D9C (0x10001) that is 00 .. 00 00 01 00 01.
     * Returns whatever sub_1037E4 returns; sub_102D9C treats 0 as success.
     * NOTE(review): sub_1037E4 is not shown; presumably a modular exponentiation with
     * a1 as base, a2 as modulus and this buffer as exponent - confirm.
     */
    signed int __fastcall sub_103B88(int a1, int a2, unsigned int a3, int a4)
    {
      int v4; // r12@1
      int v6; // [sp+0h] [bp-88h]@2
      char v7; // [sp+7Ch] [bp-Ch]@3
      char v8; // [sp+7Dh] [bp-Bh]@3
      char v9; // [sp+7Eh] [bp-Ah]@3
      char v10; // [sp+7Fh] [bp-9h]@3
    
    
      v4 = 0;
      // Zero bytes 0..123 of the buffer that starts at v6.
      do
        *((_BYTE *)&v6 + v4++) = 0;
      while ( v4 != 124 );
      // Store a3 big-endian in the last four bytes: v7 (highest byte), v8, v9, v10 (lowest).
      v9 = BYTE1(a3);
      v10 = a3;
      v8 = a3 >> 16;
      v7 = BYTE3(a3);
      return sub_1037E4(a1, a2, (int)&v6, a4);
    }
    I'm looking for calculation of hash in autorun.sig so that it will match, maybe someone has an idea or has seen this before?

    PS: I also found a challenge/response system in unit that allows root access via telnet without password but need to tackle this one first...
    Последний раз редактировалось okmer; 05.04.2016 в 20:25.

 

 
