autorun script VW Discover Pro


Topic review: autorun script VW Discover Pro

Scrat » Tue Nov 29, 2016 5:45 pm

@Okmer
You need to take all bytes starting from offset 0x106B78, which means skipping 0x10 bytes (16 bytes = 4 dwords) from the start of that memory block.

Result:
sub_102D9C(a1,a2,a3,a4)

where

byte[] a3 = 0x23014CDA, 0x577F385A, 0x7F74C77E, 0x5A4225EE, 0x5F0D17E6, 0x44F768D3, 0xACA00C32, 0x9DA05E8C, 0xA2DCE67, 0x697DCA67, 0xF460E8AA, 0x351ADB6A, 0x5A8B1317, 0x6AAB4480, 0x79977987, 0xCFB62FC5, 0xF271641E, 0x6FCFFFDB, 0x125781C5, 0x4C0B99EB, 0xD606FCFC, 0xF19D2E10, 0xDE167181, 0xA9C480F0, 0x6B1C99E4, 0x7549E0C0, 0xC07CE5CC, 0xABFE4E9E, 0xF8078B03, 0x4F390997, ...

byte a4 = 0x10001

Scrat » Mon Nov 07, 2016 10:38 am

@okmer

I've been looking into this myself, as I would like to be able to execute scripts from the SD card on my Audi MIB2.
Have you seen the last fname match in mcd.conf, mib_mmx_ultimate_challenge.txt? Any idea what that does?


[AUTORUN]
Callout = FNAME_MATCH
Argument = /autorun
Match Rule = INSERTED
Fail Rule = SW_UPDATE


[SW_UPDATE]
Callout = FNAME_MATCH
Argument = /metainfo2.txt
Match Rule = INSERTED
Fail Rule = CHALLENGE


[CHALLENGE]
Callout = FNAME_MATCH
Argument = /mib_mmx_ultimate_challenge.txt
Match Rule = INSERTED
Fail Rule = INSERTED
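
Added example, not from the thread or from the unit's software: a small evaluator for the FNAME_MATCH chain quoted above, to make the precedence of the three rules explicit (an /autorun file is tested before /metainfo2.txt, which is tested before the challenge file). It assumes mcd semantics in which a callout that succeeds continues with "Match Rule" and one that fails continues with "Fail Rule", that INSERTED (not defined in the snippet) is the terminal event, and that FNAME_MATCH succeeds when the named path exists on the inserted medium. The function names and the sets of file names are this example's own.

```python
import configparser

# The three sections quoted above, verbatim, embedded as constructed input.
MCD_CONF = """\
[AUTORUN]
Callout = FNAME_MATCH
Argument = /autorun
Match Rule = INSERTED
Fail Rule = SW_UPDATE

[SW_UPDATE]
Callout = FNAME_MATCH
Argument = /metainfo2.txt
Match Rule = INSERTED
Fail Rule = CHALLENGE

[CHALLENGE]
Callout = FNAME_MATCH
Argument = /mib_mmx_ultimate_challenge.txt
Match Rule = INSERTED
Fail Rule = INSERTED
"""


def load_rules(text):
    """Parse the INI-style rule sections into {rule_name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep "Match Rule" / "Fail Rule" as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def fname_match(argument, files):
    """Assumed FNAME_MATCH behaviour: the path exists relative to the medium root."""
    return argument in files


def evaluate(rules, start, files):
    """Walk the chain from `start`: success -> Match Rule, failure -> Fail Rule.
    A name with no section (INSERTED here) ends the walk.  Returns
    (rule whose callout matched, or None; list of rules visited in order)."""
    visited, matched, rule = [], None, start
    while rule in rules and rule not in visited:      # stop on terminal or loop
        visited.append(rule)
        section = rules[rule]
        if section.get("Callout") != "FNAME_MATCH":    # only callout in the snippet
            break
        if fname_match(section["Argument"], files):
            matched, rule = rule, section["Match Rule"]
        else:
            rule = section["Fail Rule"]
    return matched, visited


if __name__ == "__main__":
    rules = load_rules(MCD_CONF)
    for medium in ({"/autorun", "/autorun.sig"}, {"/metainfo2.txt"},
                   {"/mib_mmx_ultimate_challenge.txt"}, {"/music.mp3"}):
        print(sorted(medium), "->", evaluate(rules, "AUTORUN", medium))
```

Because AUTORUN is evaluated first, a medium carrying both /autorun and /metainfo2.txt never reaches the SW_UPDATE rule; the update path is only taken when no /autorun is present.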

malec » Tue Sep 20, 2016 2:29 pm

For FW K1540
MMX root pass: WyQYeuyS
RCC emergency mode pass: harman_f

Regards!

audijiJQ » Thu May 12, 2016 6:25 am

:(
I activated the MMX Emergency:
echo "Emergency Flash Utility will start on next boot."
echo
echo "If the emergency update doesn't start please check that"
echo "the SD card also contains the 'update***.dat'-files."
echo "These files are provided with every build in the file"
echo "UPD_NORMAL_<VERSION_NAME>.zip"
But how to do the update.dat? Or exit EMG?

I reflashed RCC-fs0 successfully, but it's NOK.
Contents of /net/mmx/dev:
bpf      mcd      pci       sda0     tap0   ttyp5
bpf0     mem      pipe      sda0t11  tap1   ttyp6
cam0     mnand0   profiler  sem      tap2   ttyp7
cd0      name     ptyp0     ser1     tap3   tun0
console  netmgr   ptyp1     shmem    text   tun1
crypto   null     ptyp2     slog     tty    tun2
dbgmem   nvgpio   ptyp3     socket   ttyp0  tun3
fs0      nvos     ptyp4     stderr   ttyp1  tymem
hd0      nvrm     ptyp5     stdin    ttyp2  zero
hd0t77   nvsku    ptyp6     stdout   ttyp3
io-usb   nvtmon   ptyp7     tap      ttyp4
MMX fs0 and mnand0 partition unknown

Tschako » Mon May 09, 2016 12:45 pm

The MIB for Audi with FW release P01048 and lower accepts encoded scripts directly.
Release P1531 can sometimes be downgraded; it depends on the hardware version of the unit.
Newer HW is not supported by p1048 and lower versions ... Here we need an idea or a password. ;-)

Both are welcome!

okmer » Mon May 09, 2016 11:56 am

Yes on firmware <= 200 you can run an encoded script (if green menu is enabled). This is the replacement for firmware >200 and AFAIK a downgrade is not possible...

ZippeR » Sat Apr 23, 2016 8:52 am

Old firmwares, such as 200, don't need signing :)

okmer » Sat Apr 16, 2016 4:42 pm

*bump* Anyone with ideas? I have useful information to trade if that helps, for instance how the public keys are created and can possibly be replaced by your own private/public keys.

audijiJQ » Wed Apr 06, 2016 3:39 pm

You will discover great things

zerbino » Tue Apr 05, 2016 11:05 pm

This reminds me of something.. :D


okmer » Tue Apr 05, 2016 5:06 pm

In Discover Pro firmware 388 it is possible to execute a script named autorun placed on a USB stick:
from etc/mcd.conf:

Code: Select all

[AUTORUN]
Callout     = FNAME_MATCH
Argument    = /autorun
Match Rule  = INSERTED
Fail Rule   = SW_UPDATE
However, autorun is only executed when there is a matching signature in a file called autorun.sig.

I think autorun.sig must contain a SHA-1 hash of autorun, but that autorun is scrambled, similar to copie_scr.sh in the Audi MIB but not exactly the same.
The check is performed in the ELF file autorunner; when autorun is loaded it will show the PNG files below:
success.png
Here is a piece of pseudo code from autorunner:

Code: Select all

      DataFileBytes = ReadDataFile(hDataFile);                    // autorun
      if ( DataFileBytes )
      {
        SignatureFileBytes = ReadSignatureFile(hSignatureFile);   // autorun.sig
        SignatureFileBytesVar = SignatureFileBytes;
        if ( SignatureFileBytes )
        {
          SignatureFileBytesOffset3 = SignatureFileBytes[3];      // pointer to the signature bytes
          // plain SHA-1 over the autorun contents (data pointer and length as passed)
          if ( HashFileSha1(DataFileBytes[3], DataFileBytes[2], &Sha1Hash) == 1 )
          {
            fwrite("[autorunner] Failed to calculate SHA1 hash", 1u, 0x2Au, (FILE *)&Stderr);
            fputc(10, (FILE *)&Stderr);
            fflush((FILE *)&Stderr);
          }
          // a1 = 20-byte hash, a2 = signature bytes,
          // a3 = 0x106B78 (dword_106B68 + 0x10), a4 = &dword_106B68[36] (the dword 0x10001)
          else if ( sub_102D9C(
                      (int)&Sha1Hash,
                      SignatureFileBytesOffset3,
                      0x106B78,
                      (unsigned __int8 *)&dword_106B68[36]) )
It takes a normal SHA-1 hash of the file, but then sub_102D9C does something I don't understand.
dword_106B68 is a large array:

Code: Select all

LOAD:00106B68 dword_106B68    DCD 0x9302130, 0xE2B0506, 0x51A0203, 0x140400, 0x23014CDA
LOAD:00106B68                 DCD 0x577F385A, 0x7F74C77E, 0x5A4225EE, 0x5F0D17E6, 0x44F768D3
LOAD:00106B68                 DCD 0xACA00C32, 0x9DA05E8C, 0xA2DCE67, 0x697DCA67, 0xF460E8AA
LOAD:00106B68                 DCD 0x351ADB6A, 0x5A8B1317, 0x6AAB4480, 0x79977987, 0xCFB62FC5
LOAD:00106B68                 DCD 0xF271641E, 0x6FCFFFDB, 0x125781C5, 0x4C0B99EB, 0xD606FCFC
LOAD:00106B68                 DCD 0xF19D2E10, 0xDE167181, 0xA9C480F0, 0x6B1C99E4, 0x7549E0C0
LOAD:00106B68                 DCD 0xC07CE5CC, 0xABFE4E9E, 0xF8078B03, 0x4F390997, 0x2A5CA779
LOAD:00106B68                 DCD 0x27B2E66F, 0x10001
Here is the code from sub_102D9C:

Code: Select all

// a1: 20-byte SHA-1 of autorun, a2: contents of autorun.sig,
// a3: 0x106B78 (dword_106B68 + 0x10), a4: &dword_106B68[36] (bytes 01 00 01 00)
signed int __fastcall sub_102D9C(int a1, int a2, int a3, unsigned __int8 *a4)
{
  int v4; // r4@1
  signed int v5; // r3@2
  int v6; // r3@4
  signed int v7; // r2@4
  char *v8; // r2@6
  int v9; // r3@6
  signed int v10; // r3@9
  char v12[128]; // [sp+0h] [bp-110h]@1   128-byte result written by sub_103B88
  char v13; // [sp+80h] [bp-90h]@2       byte 0 of a second 128-byte block built below
  char v14; // [sp+81h] [bp-8Fh]@2       byte 1 of that block
  char v15; // [sp+DCh] [bp-34h]@4       byte 92 of that block
  char v16; // [sp+100h] [bp-10h]@5      one past byte 127 of that block


  v4 = a1;
  // a4[2] | a4[0]<<16 | a4[1]<<8 reads the bytes 01 00 01 00 back as 0x10001
  if ( !sub_103B88(a2, a3, a4[2] | (*a4 << 16) | (a4[1] << 8), (int)v12) )
  {
    v13 = 0;                              // byte 0   = 0x00
    v14 = 1;                              // byte 1   = 0x01
    v5 = 2;
    do                                    // bytes 2..91 = 0xFF (90 bytes)
      *(&v13 + v5++) = -1;
    while ( v5 != 92 );
    v6 = 0;
    v15 = 0;                              // byte 92  = 0x00
    v7 = 93;
    do                                    // bytes 93..107 = the first 15 bytes at 0x106B68:
    {                                     // 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14
      *(&v16 + v7 - 128) = *(_BYTE *)(v6 + 0x106B68);
      v7 = (unsigned __int16)(v7 + 1);
      ++v6;
    }
    while ( v6 != 15 );
    v8 = &v13;
    v9 = 0;
    do                                    // bytes 108..127 = the 20-byte SHA-1 from a1
      (v8++)[108] = *(_BYTE *)(v4 + v9++);
    while ( v9 != 20 );
    // success only if all 128 bytes of the block equal the 128 bytes sub_103B88 produced
    if ( v13 == v12[0] )
    {
      v10 = 1;
      while ( *(&v13 + v10) == v12[v10] )
      {
        if ( ++v10 == 128 )
          return 1;
      }
    }
  }
  return 0;
}

// a1: signature bytes, a2: pointer to the 128 bytes at 0x106B78,
// a3: the exponent value, a4: 128-byte output buffer (v12 above)
signed int __fastcall sub_103B88(int a1, int a2, unsigned int a3, int a4)
{
  int v4; // r12@1
  int v6; // [sp+0h] [bp-88h]@2         124 zero bytes ...
  char v7; // [sp+7Ch] [bp-Ch]@3        ... followed by the exponent as 4 big-endian bytes,
  char v8; // [sp+7Dh] [bp-Bh]@3        i.e. a 128-byte big-endian exponent
  char v9; // [sp+7Eh] [bp-Ah]@3
  char v10; // [sp+7Fh] [bp-9h]@3


  v4 = 0;
  do
    *((_BYTE *)&v6 + v4++) = 0;
  while ( v4 != 124 );
  v9 = BYTE1(a3);
  v10 = a3;
  v8 = a3 >> 16;
  v7 = BYTE3(a3);
  // sub_1037E4(signature, 128-byte block at 0x106B78, 128-byte exponent, output); not shown here
  return sub_1037E4(a1, a2, (int)&v6, a4);
}
I'm looking for the calculation of the hash in autorun.sig so that it will match; maybe someone has an idea or has seen this before?

PS: I also found a challenge/response system in the unit that allows root access via telnet without a password, but I need to tackle this one first...
Attachments
fail.png
wait.png
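
Added example, not code from the thread or from autorunner: a Python re-implementation of the check that the decompiled sub_102D9C performs, reading the constants out of dword_106B68 as listed in the post above (and at the offsets Scrat gives in the later reply: 15 bytes at +0, 128 bytes at +0x10 = 0x106B78, the dword 0x10001 at index 36). It assumes that sub_103B88/sub_1037E4 compute sig^e mod n; the function names, the throw-away demo key and the sample script are this example's own, because the private key matching the embedded modulus is not on the page.

```python
import hashlib
import random
import struct

# dword_106B68 exactly as listed in the autorunner disassembly above (37 dwords).
DWORD_106B68 = [
    0x9302130, 0xE2B0506, 0x51A0203, 0x140400, 0x23014CDA,
    0x577F385A, 0x7F74C77E, 0x5A4225EE, 0x5F0D17E6, 0x44F768D3,
    0xACA00C32, 0x9DA05E8C, 0xA2DCE67, 0x697DCA67, 0xF460E8AA,
    0x351ADB6A, 0x5A8B1317, 0x6AAB4480, 0x79977987, 0xCFB62FC5,
    0xF271641E, 0x6FCFFFDB, 0x125781C5, 0x4C0B99EB, 0xD606FCFC,
    0xF19D2E10, 0xDE167181, 0xA9C480F0, 0x6B1C99E4, 0x7549E0C0,
    0xC07CE5CC, 0xABFE4E9E, 0xF8078B03, 0x4F390997, 0x2A5CA779,
    0x27B2E66F, 0x10001,
]
# The unit is a little-endian ARM target, so this is the byte image at 0x106B68.
MEM_106B68 = struct.pack("<%dI" % len(DWORD_106B68), *DWORD_106B68)

# PKCS#1 v1.5 DigestInfo prefix for SHA-1 (RFC 3447, section 9.2, note 1).
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def embedded_public_key(mem=MEM_106B68):
    """Slice the image the way autorunner addresses it: 15 bytes at +0 (copied
    into the block), 128 bytes at +0x10 (= 0x106B78, passed as a3) and the
    exponent dword at +0x90 (= &dword_106B68[36], passed as a4)."""
    prefix = mem[0:15]
    n = int.from_bytes(mem[0x10:0x10 + 128], "big")
    a4 = mem[0x90:0x94]
    e = a4[2] | (a4[0] << 16) | (a4[1] << 8)   # same expression as in sub_102D9C
    return n, e, prefix


def expected_block(digest, prefix=SHA1_DIGESTINFO):
    """The 128-byte block sub_102D9C builds on its stack:
    00 01 FF*90 00 <15-byte DigestInfo> <20-byte SHA-1> (PKCS#1 v1.5 type 1)."""
    em = bytearray(128)
    em[0], em[1] = 0x00, 0x01
    em[2:92] = b"\xff" * 90
    em[92] = 0x00
    em[93:108] = prefix
    em[108:128] = digest
    return bytes(em)


def verify_autorun(data, sig, n, e):
    """What sub_102D9C decides: sig^e mod n (assumed to be what sub_103B88 /
    sub_1037E4 compute) must equal expected_block byte for byte.  The length
    and range checks on sig are added here; the fragment does not show them."""
    if len(sig) != 128:
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(128, "big")
    return recovered == expected_block(hashlib.sha1(data).digest())


def check_embedded_constants():
    """Sanity checks on the posted constants: the prefix is the SHA-1 DigestInfo,
    e == 65537, and the 128 bytes at 0x106B78 read as a 1024-bit odd integer."""
    n, e, prefix = embedded_public_key()
    return prefix == SHA1_DIGESTINFO, e, n.bit_length(), n & 1


# --- demo signer with a throw-away key (the unit's private key is unknown) ---

def _probable_prime(c, rng, rounds=32):
    """Miller-Rabin; witnesses come from rng so the demo key is reproducible."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if c % p == 0:
            return c == p
    d, r = c - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, c - 1), d, c)
        if x in (1, c - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, c)
            if x == c - 1:
                break
        else:
            return False
    return True


def demo_keypair(seed=2016, e=65537):
    """Deterministic RSA-1024 key for the demo only; not the key in autorunner."""
    rng = random.Random(seed)

    def prime():
        while True:
            c = rng.getrandbits(512) | (1 << 511) | 1
            if c % e != 1 and _probable_prime(c, rng):   # keeps gcd(e, p-1) == 1
                return c

    p, q = prime(), prime()
    d = pow(e, -1, (p - 1) * (q - 1))
    return p * q, e, d


def sign_autorun(data, n, d):
    """Produce an autorun.sig that verify_autorun accepts for the matching (n, e)."""
    em = int.from_bytes(expected_block(hashlib.sha1(data).digest()), "big")
    return pow(em, d, n).to_bytes(128, "big")


if __name__ == "__main__":
    n, e, d = demo_keypair()
    script = b"#!/bin/sh\necho hello from autorun\n"   # constructed sample script
    sig = sign_autorun(script, n, d)
    print(check_embedded_constants(), verify_autorun(script, sig, n, e),
          verify_autorun(script + b"#", sig, n, e))
```

check_embedded_constants() returns (True, 65537, 1024, 1) for the constants as posted: the 15 copied bytes are the standard SHA-1 DigestInfo, the dword at index 36 is the public exponent 65537, and the 128 bytes at 0x106B78 are a 1024-bit odd number, which is what an RSA modulus looks like. If that reading is right, autorun.sig is a 1024-bit PKCS#1 v1.5 signature over the SHA-1 of autorun, so a matching signature needs the private key for that modulus (or a different modulus in autorunner), and a hash of a scrambled autorun would not help.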
