Audi Connect data tethering on MIB2

Scrat · Пн ноя 07, 2016 10:51 am

I'm trying to activate Audi Connect with usb data tethering on my A6 model 2017 with a MIB2 unit that does not have a simcard slot.
This was perfectly possible on the MMI3G+, as a lot of people on this forum know

, but the procedure has completely changed since audi's upgrade to the MIB2 platform.
I have already been successful in enabling all the Audi Connect functions and menu options.

These settings are no longer in the green menu:

Control unit: 5F Information Control Unit 1

<Long coding>
byte_15_Phone_NAD, On (OBDEleven)

<Adaptation>
IDE02122-Developer mode,Activated (OBDEleven)
IDE03471-ENG06575-Vehicle configuration-UOTA,On
IDE03471-ENG117848-Vehicle configuration-gracenote_online_coverarts,On
IDE03471-ENG117849-Vehicle configuration-gracenote_online_other,On
IDE03471-ENG117843-Vehicle configuration-my_audi,On
IDE03471-ENG117845-Vehicle configuration-online_dictation,On
IDE03471-ENG127495-Vehicle configuration-online_media,On
IDE03471-ENG117840-Vehicle configuration-online_navigation,On
IDE03471-ENG117837-Vehicle configuration-online_POI,On
IDE03471-ENG117838-Vehicle configuration-online_POI_voice,On
IDE03471-ENG117839-Vehicle configuration-online_portal_browser_services,On
IDE03471-ENG117841-Vehicle configuration-online_street_view,On

I've discovered that on the MIB2 the only supported ethernet device is the D-Link DUB-E100 (Revision B1 or C1).
On the MMI3GP you could also use any other usb dongle based on the ASIX chipset, but not anymore.

Код: Выделить всё

#D-Link DUB-E100 USB Dongle
device(usb, ven=2001,dev=3c05)
device(usb, ven=2001,dev=1a02)

Also, after inserting this device a script called extnet.sh is started:

Код: Выделить всё

                start ( /etc/scripts/extnet.sh )

This script will automatically route all internet traffic and diagnostics to the ip of the ethernet dongle, but it will only do this if a marker file named 'dataoverdlink' is present:

Код: Выделить всё

    if [[ -e /var/dataoverdlink ]]; then
        # Set default route for debugging and data
        /mnt/app/armle/sbin/route add default 172.16.250.248
        echo "extnet.sh: /var/dataoverdlink was found -> Use $IFACE for internet traffic and debugging"

Does anyone have an idea how i can execute a script on my unit ?

ezdevelop · Вт ноя 08, 2016 8:17 am

/var/dataoverdlink is an empty file, just as a mark.You have to telnet & login to the main unit via USB ethernet.

Код: Выделить всё

touch /var/dataoverdlink

reboot for activation!"

Scrat · Вт ноя 08, 2016 11:07 am

You are right, for the debugging interface (en0) there are different firewall rules in pf.conf, so i should be able to access the unit over telnet

Код: Выделить всё

################################################################################
### Tranalation rules (NAT/redirection)
################################################################################
## port redirections for RCC access
rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 123 -> $rcc_if port 23
rdr pass on $dbg_if proto {tcp,udp} from any to ($dbg_if) port 445 -> $rcc_if
rdr pass on $dbg_if proto {tcp,udp} from any to ($dbg_if) port 851 -> $rcc_if
rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 7718 -> $rcc_if port 7618
rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 7725 -> $rcc_if port 7625
rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 7727 -> $rcc_if port 7627
rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 7877 -> $rcc_if port 7777
rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 7800 -> $rcc_if
rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 8100 -> $rcc_if port 8000
rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 18193 -> $rcc_if
rdr pass on $dbg_if proto tcp from any to ($dbg_if) port 57005 -> $rcc_if

i'll just need to get the root password. Does anyone know a faster way than john ?

malec · Вт ноя 08, 2016 4:20 pm

Hi!

Here is some sort of disassembled code. I hope you understand it is almost impossible to crack.

Scrat · Вт ноя 08, 2016 6:02 pm

So there is a socket server called 'challenge' on port 22111 that will temporarily replace the root and user passwords with blanks by executing

Код: Выделить всё

pathmgr_symlink("/etc/nopasswd", "/etc/passwd")

I had previously noticed that nopasswd file in the system image, now i know what it is for.

The bad news is that it requires a response (in mib_mmx_ultimate_response.txt) to a challenge file that it writes the first time an sdcard with that file is inserted (mib_mmx_ultimate_challenge.txt),
This response hash is verified using the public key on the unit in /ifs/challenge.pub, so i call this a dead end.

I guess i will just try to retrieve the root password from the system image hash, but that is going to take a while.

malec · Вт ноя 08, 2016 6:32 pm

For much faster way to get the pass for that HASH, look for GPU hash cracking.

zerbino · Ср ноя 09, 2016 12:07 am

Find hash forum and buy decoding for 15-20eu.

Scrat · Пт ноя 18, 2016 9:32 pm

I can confirm that the DLink DUB-E100 Revision D1 also works on an audi MIB2 unit.
Apparently it has the same usb VID/PID as revision C1.

Вложение Neutrino Engineering Shell.png больше недоступно

ezdevelop · Сб ноя 19, 2016 6:51 am

Scrat писал(а):I can confirm that the DLink DUB-E100 Revision D1 also works on an audi MIB2 unit.
Apparently it has the same usb VID/PID as revision C1.

[ATTACH=CONFIG]52918[/ATTACH]

That's right, MIB2 only support DUB-E100

congo · Вт янв 17, 2017 11:09 pm

This is working on MIB2 also but ...
If you try to use online destinations then you get "the telephone module must be initialised completely before you can use the online destinations"

congo · Пт фев 03, 2017 11:34 am

One question,
on MIB1 GE became active as well as the online services but for some reason they do not want to use the connection over dlink.
I've looked the fw rules and the problem is not there ...
Any idea, and is that unit capable of such services.

Scrat · Пт фев 03, 2017 11:52 am

Could you take a look in the green menu under:
production/mmx_prod/onlineservices_prod

What is the value for OnlineState ?

I'm beginning to think that it'll be necessary to spoof the VIN..

congo · Пт фев 03, 2017 10:50 pm

On MIB1 there is only "Active Backend" and it's Live now.
I've used the esd from MIB2 and i saw that online state it's blocked

But the VIN is funny one -> BAUOTA6A6C4F37407 and that's not the VIN in the MIB nor the one in the FSC file.
I cant find that VIN anywhere ... i will continue to search

In MIB2 the vin is the right one.

edgaro · Вс фев 19, 2017 12:52 pm

anyone knows if US unit with us phone module will work in EU ? or module GSM SIM bust be replaced on EU. in 3G+ work on 2G but its diff gsm then in mib

Tschako · Вс фев 19, 2017 5:39 pm

Hi, the GSM Modules are differend for US and EU. You can update the US module to the EU software, but there was no support for G3 given.

For full UMTS G3 Speed, you have to change the GSM Module in the GSM group of the unit. There is an other thread here in the forum, we discussed tis isue in detail...
Use search function.

edgaro · Пн фев 20, 2017 9:27 pm

I think u talk abaout 3G+ , im wondering if somebody know abaout MIB LTE GSM module

Tschako · Пн фев 20, 2017 9:49 pm

Yes, I think there is a way to run LTE Module in MMI3GP. The problem seems not in the AT command set of the modules.
But the rest of the unit maybe to slow for an efficient data throughput like LTE...

edgaro · Вт фев 21, 2017 10:45 am

i think u still dont get me. i have a7 mib 2 usa and wondering if sim will work in EU or GSM module must be replaced

Tschako · Чт фев 23, 2017 6:05 pm

Yes, sorry, I misunderstood. But the core message is quite the same for the MIB family. They use differend models of GSM modules in the case due to certification and RF requirements...

Scrat · Пт мар 10, 2017 12:10 pm

@Congo

Can you give this a try ?
/bin/touch /tmp/ppp_connected