Audi Connect data tethering on MIB2
Добро пожаловать на Turbo Quattro.
Страница 1 из 2 12 ПоследняяПоследняя
Показано с 1 по 20 из 31
  1. #1
    Пользователь
    Регистрация
    16.10.2016
    Сообщений
    33

    По умолчанию Audi Connect data tethering on MIB2

    I'm trying to activate Audi Connect with usb data tethering on my A6 model 2017 with a MIB2 unit that does not have a simcard slot.
    This was perfectly possible on the MMI3G+, as a lot of people on this forum know , but the procedure has completely changed since audi's upgrade to the MIB2 platform.
    I have already been successful in enabling all the Audi Connect functions and menu options.

    These settings are no longer in the green menu:

    Control unit: 5F Information Control Unit 1


    <Long coding>
    byte_15_Phone_NAD, On (OBDEleven)


    <Adaptation>
    IDE02122-Developer mode,Activated (OBDEleven)
    IDE03471-ENG06575-Vehicle configuration-UOTA,On
    IDE03471-ENG117848-Vehicle configuration-gracenote_online_coverarts,On
    IDE03471-ENG117849-Vehicle configuration-gracenote_online_other,On
    IDE03471-ENG117843-Vehicle configuration-my_audi,On
    IDE03471-ENG117845-Vehicle configuration-online_dictation,On
    IDE03471-ENG127495-Vehicle configuration-online_media,On
    IDE03471-ENG117840-Vehicle configuration-online_navigation,On
    IDE03471-ENG117837-Vehicle configuration-online_POI,On
    IDE03471-ENG117838-Vehicle configuration-online_POI_voice,On
    IDE03471-ENG117839-Vehicle configuration-online_portal_browser_services,On
    IDE03471-ENG117841-Vehicle configuration-online_street_view,On


    I've discovered that on the MIB2 the only supported ethernet device is the D-Link DUB-E100 (Revision B1 or C1).
    On the MMI3GP you could also use any other usb dongle based on the ASIX chipset, but not anymore.

    Код:
    #D-Link DUB-E100 USB Dongle
    device(usb, ven=2001,dev=3c05)
    device(usb, ven=2001,dev=1a02)

    Also, after inserting this device a script called extnet.sh is started:
    Код:
                    start ( /etc/scripts/extnet.sh )
    This script will automatically route all internet traffic and diagnostics to the ip of the ethernet dongle, but it will only do this if a marker file named 'dataoverdlink' is present:
    Код:
        if [[ -e /var/dataoverdlink ]]; then
            # Set default route for debugging and data
            /mnt/app/armle/sbin/route add default 172.16.250.248
            echo "extnet.sh: /var/dataoverdlink was found -> Use $IFACE for internet traffic and debugging"
    Does anyone have an idea how i can execute a script on my unit ?
    Последний раз редактировалось Scrat; 08.11.2016 в 14:03.

  2. #2

    По умолчанию

    /var/dataoverdlink is an empty file, just as a mark.You have to telnet & login to the main unit via USB ethernet.
    Код:
    touch /var/dataoverdlink
    reboot for activation!"
    Последний раз редактировалось ezdevelop; 08.11.2016 в 09:23.

  3. #3
    Пользователь
    Регистрация
    16.10.2016
    Сообщений
    33

    По умолчанию

    You are right, for the debugging interface (en0) there are different firewall rules in pf.conf, so i should be able to access the unit over telnet

    Код:
    ################################################################################
    ### Tranalation rules (NAT/redirection)
    ################################################################################
    ## port redirections for RCC access
    rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 123 -> $rcc_if port 23
    rdr pass on $dbg_if proto {tcp,udp} from any to ($dbg_if) port 445 -> $rcc_if
    rdr pass on $dbg_if proto {tcp,udp} from any to ($dbg_if) port 851 -> $rcc_if
    rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 7718 -> $rcc_if port 7618
    rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 7725 -> $rcc_if port 7625
    rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 7727 -> $rcc_if port 7627
    rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 7877 -> $rcc_if port 7777
    rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 7800 -> $rcc_if
    rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 8100 -> $rcc_if port 8000
    rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 18193 -> $rcc_if
    rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 57005 -> $rcc_if
    i'll just need to get the root password. Does anyone know a faster way than john ?
    Последний раз редактировалось Scrat; 08.12.2016 в 14:09.

  4. #4
    Новичок
    Регистрация
    04.07.2016
    Адрес
    Germany
    Сообщений
    13

    По умолчанию

    Hi!

    Here is some sort of disassembled code. I hope you understand it is almost impossible to crack.
    Вложения Вложения

  5. #5
    Пользователь
    Регистрация
    16.10.2016
    Сообщений
    33

    По умолчанию

    So there is a socket server called 'challenge' on port 22111 that will temporarily replace the root and user passwords with blanks by executing
    Код:
    pathmgr_symlink("/etc/nopasswd", "/etc/passwd")
    I had previously noticed that nopasswd file in the system image, now i know what it is for.

    The bad news is that it requires a response (in mib_mmx_ultimate_response.txt) to a challenge file that it writes the first time an sdcard with that file is inserted (mib_mmx_ultimate_challenge.txt),
    This response hash is verified using the public key on the unit in /ifs/challenge.pub, so i call this a dead end.

    I guess i will just try to retrieve the root password from the system image hash, but that is going to take a while.

  6. #6
    Новичок
    Регистрация
    04.07.2016
    Адрес
    Germany
    Сообщений
    13

    По умолчанию

    For much faster way to get the pass for that HASH, look for GPU hash cracking.

  7. #7
    Местный Аватар для zerbino
    Регистрация
    10.12.2013
    Адрес
    Moscow
    Сообщений
    256

    По умолчанию

    Find hash forum and buy decoding for 15-20eu.

  8. #8
    Пользователь
    Регистрация
    16.10.2016
    Сообщений
    33

    По умолчанию

    I can confirm that the DLink DUB-E100 Revision D1 also works on an audi MIB2 unit.
    Apparently it has the same usb VID/PID as revision C1.

    Neutrino Engineering Shell.png
    Последний раз редактировалось Scrat; 18.11.2016 в 21:37.

  9. #9

    По умолчанию

    Цитата Сообщение от Scrat Посмотреть сообщение
    I can confirm that the DLink DUB-E100 Revision D1 also works on an audi MIB2 unit.
    Apparently it has the same usb VID/PID as revision C1.

    Neutrino Engineering Shell.png
    That's right, MIB2 only support DUB-E100

  10. #10
    Пользователь
    Регистрация
    16.10.2016
    Сообщений
    33

    По умолчанию

    Could you take a look in the green menu under:
    production/mmx_prod/onlineservices_prod

    What is the value for OnlineState ?

    I'm beginning to think that it'll be necessary to spoof the VIN..

  11. #11
    Пользователь
    Регистрация
    19.04.2014
    Сообщений
    55

    По умолчанию

    anyone knows if US unit with us phone module will work in EU ? or module GSM SIM bust be replaced on EU. in 3G+ work on 2G but its diff gsm then in mib

  12. #12

    По умолчанию

    Hi, the GSM Modules are differend for US and EU. You can update the US module to the EU software, but there was no support for G3 given.

    For full UMTS G3 Speed, you have to change the GSM Module in the GSM group of the unit. There is an other thread here in the forum, we discussed tis isue in detail...
    Use search function.

  13. #13
    Пользователь
    Регистрация
    19.04.2014
    Сообщений
    55

    По умолчанию

    I think u talk abaout 3G+ , im wondering if somebody know abaout MIB LTE GSM module

  14. #14

    По умолчанию

    Yes, I think there is a way to run LTE Module in MMI3GP. The problem seems not in the AT command set of the modules.
    But the rest of the unit maybe to slow for an efficient data throughput like LTE...

  15. #15
    Пользователь
    Регистрация
    19.04.2014
    Сообщений
    55

    По умолчанию

    i think u still dont get me. i have a7 mib 2 usa and wondering if sim will work in EU or GSM module must be replaced

  16. #16

    По умолчанию

    Yes, sorry, I misunderstood. But the core message is quite the same for the MIB family. They use differend models of GSM modules in the case due to certification and RF requirements...

  17. #17
    Пользователь
    Регистрация
    16.10.2016
    Сообщений
    33

    По умолчанию

    @Congo

    Can you give this a try ?
    /bin/touch /tmp/ppp_connected

  18. #18
    Пользователь
    Регистрация
    19.04.2014
    Сообщений
    55

    По умолчанию

    i will buy gsm module from mib 2 EU
    Последний раз редактировалось edgaro; 13.03.2017 в 23:44.

  19. #19
    Пользователь
    Регистрация
    16.10.2016
    Сообщений
    33

    По умолчанию

    @edgaro
    in theory you could even use the usb development modules, see here in "usblauncher.lua":

    -- Huawei ME909Tu/Au-120
    device(0x12d1, 0x1573) {
    configuration(2) {
    interface(0) {
    driver"/etc/scripts/huawei.sh attached normal_mode vid=$(vendor_id),did=$(product_id),busno=$(busno), devno=$(devno) -opath=$(USB_PATH),busnum=$(busno),devnum=$(devno)" ;
    removal"/etc/scripts/huawei.sh removed normal_mode vid=$(vendor_id),did=$(product_id),busno=$(busno), devno=$(devno) -opath=$(USB_PATH),busnum=$(busno),devnum=$(devno)" ;
    };
    };


    configuration(1) {
    interface(0) {
    driver"/etc/scripts/huawei.sh attached swdl_mode vid=$(vendor_id),did=$(product_id),busno=$(busno), devno=$(devno) -opath=$(USB_PATH),busnum=$(busno),devnum=$(devno)" ;
    removal"/etc/scripts/huawei.sh removed swdl_mode vid=$(vendor_id),did=$(product_id),busno=$(busno), devno=$(devno) -opath=$(USB_PATH),busnum=$(busno),devnum=$(devno)" ;
    };
    };
    };

    -- Cinterion AH6A (3G)

    device(0x1e2d, 0x0055) {
    interface(0) {
    driver"/etc/scripts/ah6a.sh path=$(USB_PATH),vid=$(vendor_id),did=$(product_id ),busno=$(busno),devno=$(devno),ign_remove,module= wireless_modules";
    removal"/etc/scripts/ah6a_removed.sh";
    };
    -- Don't try matching any generic rules for the other interfaces
    interface(1,127) {
    Ignore;
    };
    };


    -- Cinterion ALS1/ALS6 (4G)
    device(0x1e2d, 0x0060) {
    interface(0) {
    driver"/etc/scripts/als6.sh path=$(USB_PATH),vid=$(vendor_id),did=$(product_id ),busno=$(busno),devno=$(devno),ign_remove,module= wireless_modules -opath=$(USB_PATH),busnum=$(busno),devnum=$(devno), classid=0xff,subclassid=0xff /lib/dll/devnp-ecmplus.so /dev/serecm0";
    removal"/etc/scripts/als6_removed.sh";
    };
    -- Don't try matching any generic rules for the other interfaces
    interface(1,127) {
    Ignore;
    };
    };

  20. #20
    Новичок
    Регистрация
    04.07.2016
    Адрес
    Germany
    Сообщений
    13

    По умолчанию

    @scrat

    This is not for development purpose. The LTE modem is actually connected through a USB port. I don't think you will find LTE USB stick with cinterion modem inside.

    From MMX Delphi unit log:

    SLF: 00:00:10.509 5 12 100 USB-1.1:0: vid=1e2d, did=0060: Launch /etc/scripts/cintlte.sh path=/dev/io-usb/io-usb,vid=0x1e2d,did=0x60,busno=0x1,devno=0x1,ign_re move,module=wireless_modules -opath=/dev/io-usb/io-usb,busnum=0x1,devnum=0x1,classid=0xff,subclassid= 0xff /lib/dll/devnp-ecmplus.so /dev/serecm0

 

 

Ваши права

  • Вы не можете создавать новые темы
  • Вы не можете отвечать в темах
  • Вы не можете прикреплять вложения
  • Вы не можете редактировать свои сообщения
  •  
Back to top