autorun script VW Discover Pro
  1. #1

    По умолчанию autorun script VW Discover Pro

    In Discover Pro firmware 388 it is possible to execute a script named autorun placed on a USB stick:
    from etc/mcd.conf:
    Код:
    [AUTORUN]
    Callout     = FNAME_MATCH
    Argument    = /autorun
    Match Rule  = INSERTED
    Fail Rule   = SW_UPDATE
    However, autorun is only executed when there is a matching signature in a file called autorun.sig.

    I think autorun.sig must contain the SHA-1 hash of autorun, but that autorun is scrambled similarly to copie_scr.sh in the Audi MIB — not exactly the same, though.
    The check is performed in the ELF file autorunner; when autorun is loaded it shows the PNG files below:
    fail.pngsuccess.pngwait.png

    Here is a piece of pseudo code from autorunner:
    Код:
          DataFileBytes = ReadDataFile(hDataFile);
          if ( DataFileBytes )
          {
            SignatureFileBytes = ReadSignatureFile(hSignatureFile);
            SignatureFileBytesVar = SignatureFileBytes;
            if ( SignatureFileBytes )
            {
              SignatureFileBytesOffset3 = SignatureFileBytes[3];
              if ( HashFileSha1(DataFileBytes[3], DataFileBytes[2], &Sha1Hash) == 1 )
              {
                fwrite("[autorunner] Failed to calculate SHA1 hash", 1u, 0x2Au, (FILE *)&Stderr);
                fputc(10, (FILE *)&Stderr);
                fflush((FILE *)&Stderr);
              }
              else if ( sub_102D9C(
                          (int)&Sha1Hash,
                          SignatureFileBytesOffset3,
                          0x106B78,
                          (unsigned __int8 *)&dword_106B68[36]) )
    It takes a normal SHA-1 hash of the file, but then sub_102D9C does something I don't understand.
    dword_106b68 is a large array:
    Код:
    LOAD:00106B68 dword_106B68    DCD 0x9302130, 0xE2B0506, 0x51A0203, 0x140400, 0x23014CDA
    LOAD:00106B68                 DCD 0x577F385A, 0x7F74C77E, 0x5A4225EE, 0x5F0D17E6, 0x44F768D3
    LOAD:00106B68                 DCD 0xACA00C32, 0x9DA05E8C, 0xA2DCE67, 0x697DCA67, 0xF460E8AA
    LOAD:00106B68                 DCD 0x351ADB6A, 0x5A8B1317, 0x6AAB4480, 0x79977987, 0xCFB62FC5
    LOAD:00106B68                 DCD 0xF271641E, 0x6FCFFFDB, 0x125781C5, 0x4C0B99EB, 0xD606FCFC
    LOAD:00106B68                 DCD 0xF19D2E10, 0xDE167181, 0xA9C480F0, 0x6B1C99E4, 0x7549E0C0
    LOAD:00106B68                 DCD 0xC07CE5CC, 0xABFE4E9E, 0xF8078B03, 0x4F390997, 0x2A5CA779
    LOAD:00106B68                 DCD 0x27B2E66F, 0x10001
    here is code from sub_102D9C:
    Код:
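    /*
     * sub_102D9C -- decompiler (IDA) output from the "autorunner" ELF.
     *
     * Checks the signature bytes in a2 against the 20-byte SHA-1 digest in a1.
     * It asks sub_103B88 to produce 128 bytes in v12 and then builds, on the
     * stack starting at v13, the block it expects those 128 bytes to equal:
     *
     *   off 0..1     : 00 01
     *   off 2..91    : FF x 90                 (padding string)
     *   off 92       : 00
     *   off 93..107  : 15 bytes read from 0x106B68; the little-endian dwords
     *                  listed for dword_106B68 give 30 21 30 09 06 05 2B 0E
     *                  03 02 1A 05 00 04 14, which is byte-for-byte the DER
     *                  DigestInfo prefix for SHA-1 (RFC 3447 section 9.2)
     *   off 108..127 : the 20-byte digest from a1
     *
     * That is exactly an EMSA-PKCS1-v1_5 encoded message for a 128-byte
     * (1024-bit) modulus, so this routine is the comparison half of an RSA
     * PKCS#1 v1.5 signature verification.
     *
     * Parameters
     *   a1  pointer to the SHA-1 digest of the data file (the caller passes
     *       &Sha1Hash); 20 bytes are copied from it.
     *   a2  pointer to the signature bytes (the caller passes the bytes read
     *       from the signature file); handed to sub_103B88 unchanged.
     *   a3  0x106B78 at the call site, i.e. the table at 0x106B68 plus 16
     *       bytes; presumably the 128-byte big-endian modulus -- TODO confirm
     *       against sub_1037E4.
     *   a4  pointer to three bytes decoded big-endian into the public
     *       exponent (a4[0]<<16 | a4[1]<<8 | a4[2]); the caller passes
     *       &dword_106B68[36], whose bytes 01 00 01 give 0x10001 = 65537.
     *
     * Returns 1 when sub_103B88 returns 0 and all 128 bytes in v12 equal the
     * block above; 0 in every other case.
     *
     * Security notes: the expected block embeds the digest of the data file,
     * so the check can only pass when sub_103B88 maps the signature onto
     * precisely that block, which is what a signature made with the private
     * key of the embedded modulus does; no property of the hash by itself
     * satisfies it.  The compare loop exits at the first mismatch, but both
     * operands are derived from public data, so the timing difference leaks
     * no secret.  SHA-1 with a 1024-bit modulus is below current
     * recommendations (SHA-256 and >= 2048-bit keys are the norm today).
     *
     * Fix applied to the listing: the function's closing brace was missing,
     * which would make sub_103B88 below appear nested inside this body.
     */
    signed int __fastcall sub_102D9C(int a1, int a2, int a3, unsigned __int8 *a4)
    {
      int v4; // r4@1
      signed int v5; // r3@2
      int v6; // r3@4
      signed int v7; // r2@4
      char *v8; // r2@6
      int v9; // r3@6
      signed int v10; // r3@9
      char v12[128]; // [sp+0h] [bp-110h]@1   -- output of sub_103B88
      char v13; // [sp+80h] [bp-90h]@2        -- start of the 128-byte expected block
      char v14; // [sp+81h] [bp-8Fh]@2        -- expected block offset 1
      char v15; // [sp+DCh] [bp-34h]@4        -- expected block offset 0x5C = 92
      char v16; // [sp+100h] [bp-10h]@5       -- one past the expected block (offset 128)
    
    
      v4 = a1;
      /* exponent = a4[0..2] big-endian; v12 receives sub_103B88's 128-byte result.
       * NOTE(review): only a zero return is treated as success. */
      if ( !sub_103B88(a2, a3, a4[2] | (*a4 << 16) | (a4[1] << 8), (int)v12) )
      {
        /* offsets 0 and 1: 00 01 */
        v13 = 0;
        v14 = 1;
        v5 = 2;
        /* offsets 2..91: 0xFF padding (90 bytes) */
        do
          *(&v13 + v5++) = -1;
        while ( v5 != 92 );
        v6 = 0;
        v15 = 0;  /* offset 92: 00 separator */
        v7 = 93;
        /* offsets 93..107: 15 bytes of the SHA-1 DigestInfo prefix at 0x106B68.
         * &v16 + v7 - 128 == &v13 + v7, i.e. this relies on the decompiler's
         * stack layout (v13 at sp+0x80, v16 at sp+0x100) -- keep the
         * declarations as they are. */
        do
        {
          *(&v16 + v7 - 128) = *(_BYTE *)(v6 + 0x106B68);
          v7 = (unsigned __int16)(v7 + 1);
          ++v6;
        }
        while ( v6 != 15 );
        v8 = &v13;
        v9 = 0;
        /* offsets 108..127: the 20-byte digest from a1 */
        do
          (v8++)[108] = *(_BYTE *)(v4 + v9++);
        while ( v9 != 20 );
        /* byte-wise compare of expected block and sub_103B88 output; any
         * mismatch falls through to return 0 */
        if ( v13 == v12[0] )
        {
          v10 = 1;
          while ( *(&v13 + v10) == v12[v10] )
          {
            if ( ++v10 == 128 )
              return 1;
          }
        }
      }
      return 0;
    }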
    
    /*
     * sub_103B88 -- decompiler (IDA) output from the "autorunner" ELF.
     *
     * Helper called by sub_102D9C.  Builds a 128-byte buffer on the stack that
     * is zero everywhere except its last four bytes, which hold a3 in
     * big-endian order (v7 = bits 31..24 at offset 124, v8 = bits 23..16 at
     * 125, v9 = bits 15..8 at 126, v10 = bits 7..0 at 127); in other words,
     * a3 widened to a 128-byte big-endian integer.  It then hands that buffer
     * to sub_1037E4 together with the untouched a1, a2 and a4.
     *
     * NOTE(review): the zero-fill loop writes 124 bytes through &v6 and the
     * four chars v7..v10 are expected to sit directly after it at sp+0x7C..
     * sp+0x7F.  That is a property of the decompiled stack frame, not of the
     * C declarations, so the declarations must not be "tidied up".
     *
     * Parameters
     *   a1  passed through; at the only call site this is the signature bytes.
     *   a2  passed through; at the call site this is 0x106B78, presumably
     *       the 128-byte modulus -- TODO confirm against sub_1037E4.
     *   a3  the exponent decoded by the caller (0x10001 in the call seen in
     *       sub_102D9C).
     *   a4  passed through; the caller's 128-byte output buffer v12.
     *
     * Returns whatever sub_1037E4 returns; sub_102D9C treats 0 as success.
     * sub_1037E4 is not in this listing.  Given its inputs (signature,
     * 128-byte constant, 128-byte big-endian exponent, 128-byte output) it
     * is presumably the RSA public operation sig^e mod n -- TODO confirm.
     */
    signed int __fastcall sub_103B88(int a1, int a2, unsigned int a3, int a4)
    {
      int v4; // r12@1
      int v6; // [sp+0h] [bp-88h]@2     -- start of the 128-byte exponent buffer
      char v7; // [sp+7Ch] [bp-Ch]@3    -- offset 124: a3 bits 31..24
      char v8; // [sp+7Dh] [bp-Bh]@3    -- offset 125: a3 bits 23..16
      char v9; // [sp+7Eh] [bp-Ah]@3    -- offset 126: a3 bits 15..8
      char v10; // [sp+7Fh] [bp-9h]@3   -- offset 127: a3 bits 7..0
    
    
      v4 = 0;
      /* zero the first 124 bytes of the buffer */
      do
        *((_BYTE *)&v6 + v4++) = 0;
      while ( v4 != 124 );
      /* store a3 big-endian in the last four bytes */
      v9 = BYTE1(a3);
      v10 = a3;
      v8 = a3 >> 16;
      v7 = BYTE3(a3);
      /* a4 receives 128 bytes that sub_102D9C then compares */
      return sub_1037E4(a1, a2, (int)&v6, a4);
    }
    I'm looking for how the hash in autorun.sig is calculated so that it will match; maybe someone has an idea or has seen this before?

    PS: I also found a challenge/response system in unit that allows root access via telnet without password but need to tackle this one first...
    Последний раз редактировалось okmer; 05.04.2016 в 20:25.

  2. #2

    По умолчанию

    Чета мне это напоминает..

  3. #3

    По умолчанию

    You will discover great things
    Чтобы узнать от вас

  4. #4

    По умолчанию

    *bump* Anyone with ideas? Have useful information to trade if that helps, for instance how the public keys are created and can possibly replaced by own private/public keys

  5. #5

    По умолчанию

    Old firmware versions, such as 200, don't need a signature.

  6. #6

    По умолчанию

    Yes on firmware <= 200 you can run an encoded script (if green menu is enabled). This is the replacement for firmware >200 and AFAIK a downgrade is not possible...

  7. #7

    По умолчанию

    The Audi MIB with FW release P01048 or lower accepts encoded scripts directly.
    Release P1531 can sometimes be downgraded; it depends on the hardware version of the unit.
    Newer HW is not supported by P1048 and lower versions... Here we need an idea or the password. ;-)

    Both are welcome!

  8. #8

    По умолчанию


    I activation the MMX Emergency
    echo "Emergency Flash Utility will start on next boot."echo
    echo "If the emergency update doesn't start please check that"
    echo "the SD card also contains the 'update***.dat'-files."
    echo "These files are provided with every build in the file"
    echo "UPD_NORMAL_<VERSION_NAME>.zip"
    But how TODO the update.dat ? or exit EMG

    I reflash RCC-fs0 successfully ,but it`s NOK

    /net/mmx/devbpf mcd pci sda0 tap0 ttyp5
    bpf0 mem pipe sda0t11 tap1 ttyp6
    cam0 mnand0 profiler sem tap2 ttyp7
    cd0 name ptyp0 ser1 tap3 tun0
    console netmgr ptyp1 shmem text tun1
    crypto null ptyp2 slog tty tun2
    dbgmem nvgpio ptyp3 socket ttyp0 tun3
    fs0 nvos ptyp4 stderr ttyp1 tymem
    hd0 nvrm ptyp5 stdin ttyp2 zero
    hd0t77 nvsku ptyp6 stdout ttyp3
    io-usb nvtmon ptyp7 tap ttyp4
    MMX fs0 and mnand0 partition unknown
    Чтобы узнать от вас

  9. #9

    По умолчанию

    For FW K1540
    MMX root pass: WyQYeuyS
    RCC emergency mode pass: harman_f

    Regards!

  10. #10

    По умолчанию

    @okmer

    I've been looking into this myself, as I would like to be able to execute scripts from the SD card on my Audi MIB2.
    Have you seen the last fname match in mcd.conf: mib_mmx_ultimate_challenge.txt ? Any idea what that does ?


    [AUTORUN]
    Callout = FNAME_MATCH
    Argument = /autorun
    Match Rule = INSERTED
    Fail Rule = SW_UPDATE


    [SW_UPDATE]
    Callout = FNAME_MATCH
    Argument = /metainfo2.txt
    Match Rule = INSERTED
    Fail Rule = CHALLENGE


    [CHALLENGE]
    Callout = FNAME_MATCH
    Argument = /mib_mmx_ultimate_challenge.txt
    Match Rule = INSERTED
    Fail Rule = INSERTED

  11. #11

    По умолчанию

    @Okmer
    You need to take all bytes starting from offset 0x106B78; this means skipping 0x10 bytes (16 bytes = 4 dwords) from the start of that memory block.

    Result:
    sub_102D9C(a1,a2,a3,a4)

    where

    byte[] a3 = 0x23014CDA, 0x577F385A, 0x7F74C77E, 0x5A4225EE, 0x5F0D17E6, 0x44F768D3, 0xACA00C32, 0x9DA05E8C, 0xA2DCE67, 0x697DCA67, 0xF460E8AA, 0x351ADB6A, 0x5A8B1317, 0x6AAB4480, 0x79977987, 0xCFB62FC5, 0xF271641E, 0x6FCFFFDB, 0x125781C5, 0x4C0B99EB, 0xD606FCFC, 0xF19D2E10, 0xDE167181, 0xA9C480F0, 0x6B1C99E4, 0x7549E0C0, 0xC07CE5CC, 0xABFE4E9E, 0xF8078B03, 0x4F390997, ...

    byte a4 = 0x10001

 

 
