
File system support

Open shtry opened this issue 4 years ago • 16 comments

Hi.

"ext2" doesn't seem to work on my unit.

So, is there a different approach? For example, a file system?

My system vfat works.

And ntfs is mounted in a state that can only be read.

Thank you.

shtry avatar Feb 27 '21 06:02 shtry

What unit is this ?

In principle, the exploit could work with FAT partitions as well; the only problem is that files on FAT partitions won't be executable on Linux, so even if mount dir traversal is still exploitable, you'd need a different way of getting code execution.

I'm sure it's doable, but requires some creativity.

Just as a side note, even though ext2 is supported on lcn2kai by Linux, it doesn't look like it's supported by other apps. As in, the media player won't be able to detect and play media from an ext2 mounted flash drive.

ea avatar Feb 27 '21 19:02 ea

Hi @ea

Thank you for your kind reply.

I'm using Subaru unit.

I'm testing to see if your knowledge can be used in my Subaru unit!

I'll update you if there's any news.

shtry avatar Mar 01 '21 07:03 shtry

Just to add to this (I know it's closed, but useful info), if you mount a fat32 partition on my head unit all the files are marked as executable! However, a fat32 filesystem label is too short to contain ../../usr/bin and anyway it mounts using the fat32 serial number. Tried isofs (but still on usb stick not an actual cd) and the ..'s get replaced with __'s in the mount point name, so it either goes through a different mount script, or the name is sanitised before being passed.

raburton avatar May 12 '21 13:05 raburton

So just to document my findings so far and some possible ideas, I tried the methods documented in this project on my 2013 Qashqai J10 (versions E607, hw 034) which I believe may be using LCN1, not 2. First I'm not sure it's even recognizing my ASIX AX88772B-based NICs as no lights come up other than momentarily (but they don't when I plug them into the PC either...) and I can't ping 172.17.0.1 or see anything on wireshark -- I might be doing something wrong though.

Like in this issue report, my head unit isn't recognizing ext2 filesystems, neither does it work with isofs or ntfs... I could only get it to read a vfat filesystem. Now if anyone wants to try vfat or iso or ntfs on their model, here are a few things they can try -- they didn't work for me but they may be good ideas:

  • if, like with vfat, the filesystem label is limited to 11 characters, try using ../../usr as the filesystem label and storing the script as bin/logger inside the FS. /bin/sh in theory shouldn't be linking against anything in /usr/lib so it should still be able to run the script.
  • to work around the disallowed characters, I created the FS with xx_xx_usr in the label and then replaced the two instances of the label with ../../usr with a hexeditor. The blkid command properly reads the label as ../../usr so I suppose UDEV should also set the env variables to that value. In any case the headunit didn't tell me my FS was unsupported and instead showed me the MP3s on it.
  • for both vfat and NTFS you can actually set the serial number to all zeros and that causes the UUID to be empty according to blkid, so hopefully it also works this way for UDEV. For mkfs.vfat you just pass -i 0, for NTFS you need to use a hexeditor.
  • with ext2 you can try all of usr/bin, ../usr/bin, ../../usr/bin, ../../../usr/bin (no luck in my case but who knew).
  • try making the filesystem on an msdos primary partition rather than on the whole block device.
  • with tune2fs -l you can check if the mount count has increased for the ext2 FS so even if the script didn't get executed, you'd know if it got mounted in the first place (probably doesn't work for read-only though..).

If all else fails I'm going to try upgrading to one of the Dxxx firmwares (current is Exxx) and see if that helps, or just extract the headunit (which I've done before and managed to put it back in intact) and add the serial connection.

balrog-kun avatar Dec 04 '21 21:12 balrog-kun
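The findings above all hinge on what the unit's mount script does with the filesystem label and UUID that udev hands it. As an added illustration (not the head unit's own script, which is not on this page), here is how a mount helper can validate those values so that a label such as `../../usr` or an empty UUID (serial number all zeros) can never steer the mount point outside the media directory; the variable names and the `/media` base are assumptions.

```shell
#!/bin/sh
# Added example: pick a safe mount point name from the udev-supplied label and UUID.
# Assumed inputs: ID_FS_LABEL-style label ($1), ID_FS_UUID-style uuid ($2), base dir ($3).

# Return 0 if the value is usable as a single directory name, 1 otherwise.
label_is_safe() {
    lbl=$1
    [ -n "$lbl" ] || return 1                 # empty label/UUID (e.g. serial 0) is unusable
    case "$lbl" in
        */*|*..*|.) return 1 ;;                # path separators and dot-dot never allowed
        *[!A-Za-z0-9_.-]*) return 1 ;;         # conservative character set only
    esac
    return 0
}

# Prefer a validated label, fall back to a validated UUID, else a fixed name.
# The result is always exactly one directory level below $base.
mount_point_for() {
    lbl=$1; uuid=$2; base=${3:-/media}
    if label_is_safe "$lbl"; then
        name=$lbl
    elif label_is_safe "$uuid"; then
        name=$uuid
    else
        name=usb0
    fi
    printf '%s/%s\n' "$base" "$name"
}

# Constructed sample values: the traversal label from the thread, a normal label,
# and the hex-edited placeholder label with an empty UUID.
mount_point_for '../../usr' '0000-0000'
mount_point_for 'MUSIC' 'ABCD-1234'
mount_point_for 'xx_xx_usr' ''
```

With this check the `../../usr` label is rejected outright rather than rewritten to `__`, so no hand-edited label or UUID reaches the mount path.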

> with tune2fs -l you can check if the mount count has increased for the ext2 FS so even if the script didn't get executed, you'd know if it got mounted in the first place (probably doesn't work for read-only though..).

Oh that's an excellent idea! I'll add that to the testing procedure. Thanks!

ea avatar Dec 06 '21 20:12 ea

FTR the LCN1 uses a different SoC, an OMAP5948, something made by TI specifically for Bosch headunits, according to the internets. So none of the LCN2 tricks are likely to work on it, and neither are the Dxxx software updates. The hardware's probably based on a TI reference design and the software on TI reference software, so there may be little in common with the NEC stuff.

Now I found one pad that seems to send about the right amount of data for a boot log at 115200kbps but it's not text when I read it as standard UART. It may be a non-standard baudrate or it could be inverted, I need to try logging the rising and falling edges with timestamps on an ESP32 and hopefully I'll see something. There's another solder pad that sends less data, could be SPI or something else.

So in any case this whole thing isn't going to have much in common with this repo but if you don't mind I'll comment here when I have updates to keep a record of it.

And BTW I had a browser tab open from back when I bought the car, it's a qashqaiforums.co.uk thread about LCN2KAI reverse engineering, the people involved seem to have given up but there are some insights about the triton OS etc.

balrog-kun avatar Dec 08 '21 00:12 balrog-kun

Cool, that forum thread is interesting. I haven't come across it before. Could you post a link to this repository there if you have an account?

ea avatar Dec 08 '21 15:12 ea

Hi ea, please send me a link and I will upload the firmware I have (D302, D503, D605). I am one of the 3 guys who tried to break in. Duncho

duncho1 avatar Dec 08 '21 15:12 duncho1

Bad news for anyone hoping to do anything fun with LCN1 head units: they don't seem to run Linux. Personally I'm giving up on it but leaving some notes here for future reference. Feel free to close the issue since I think this was the only active topic.

The OMAP1 chip series (which OMAP5948 is part of) is pretty old and while it has good upstream Linux support it's also in a lot of non-Linux devices like Palm PDAs from around year 2000.

I've gone through every solder pad on the LCN1 main board (Nissan Connect 1 from J10 car) and marked what I found. All in all there's one UART serial output and a few pins that output something but are not UART.


00 is the UART Tx at 57.6kbps and it outputs this (twice) in early startup and nothing else:

*******************
** ADR2-Software **
** Version 4.00  **
*******************
 > ADR-Main-Loop activ 

There doesn't seem to be a corresponding Rx pin or it has no local echo. It may connect to the main CPU or some other chip. Doesn't seem to go to any buffer or passive element. The main CPU is BGA so I can't trace it to a specific pin. There are some references to ADR2 on the web but nothing that fits, although one is an automotive crash recorder product and another is a key fob reader demo by Texas Instruments (who also makes the OMAP CPUs).

Other pins output some data during boot, after boot, during and after, and one also after power loss is detected. These may be I2C, SPI, CANbus, etc., I didn't bother checking, but most seem to just output short positive pulses.

balrog-kun avatar Jan 08 '22 15:01 balrog-kun

Good afternoon. I found your information on the net on Bosch radios. I have a Nissan Qashqai and a radio tape recorder LCN2KAI (photo below), but with firmware D605. Tell me, is it possible to somehow use your knowledge and ask for help from you? The fact is that every time you start the car engine, a license agreement appears on the screen and you must press the "Accept" button on the screen in order to start navigation. I can assume that this setting may be somewhere in some configuration file and it could be turned off? Thank you very much in advance for your help.

IglooBY avatar Apr 18 '23 15:04 IglooBY

I have seen some region-specific strings and settings here and there while reversing the software, but nothing that would obviously and easily get you to skip that particular nag screen. I am not sure where and how the region is controlled but that might be one way of changing it.

ea avatar Apr 21 '23 15:04 ea

> I have seen some region-specific strings and settings here and there while reversing the software, but nothing that would obviously and easily get you to skip that particular nag screen. I am not sure where and how the region is controlled but that might be one way of changing it.

I unpacked the D605 firmware and studied its files a little. Found that the message about the license agreement is displayed in the file prochmi_out.out. I also tried reversing it in IDA Pro, but I could not find the place where this message is specifically displayed and the "Accept" button is expected to be pressed. I really hoped that I would find some configuration file where the message can be disabled through a parameter. Didn't find anything either.

IglooBY avatar Apr 22 '23 15:04 IglooBY