uConnect 15.26.1 is buggy; I want to downgrade. - Page 15 - Jeep Garage - Jeep Forum

#169
10-17-2015, 11:22 AM
Roadkill
Quote:
Originally Posted by 14SummitHemi
IMHO, with the smartphones and apps requiring location services, etc it is impossible to not be "on the grid" realistically. I'm over it, whatta ya gonna do?
The difference, of course, is that your smartphone isn't a life-critical system (if it is You're Doing It Wrong). If a hacker obtains access & control via a poorly designed attack surface on your smartphone *maybe* you'll lose some money in your accounts or something. On a life-critical system like a vehicle or a pacemaker the outcome can be quite different. Some systems simply should never be connected to a network and should be properly air-gapped. I know there is no way the current firmware "fixes" the underlying problem with the Jeep/uConnect attack surface, because any true fix would require hardware modification on the Jeep.

Also, FWIW, I use XPrivacy on my Android device to control access to location services (and spoof my location) for apps. I can always power off my smartphone and/or drop it in a small Faraday cage if I ever wanted to go off grid. As we've discovered thanks to RR, this aircard on our Jeeps is channeling seemingly chthonic powers to register on the cellular network despite stubbing out the antenna.

#170
10-18-2015, 01:44 AM
Rocketrancher

Quote:
Originally Posted by Roadkill
...channeling seemingly chthonic powers...
Confessing I had to look that one up.
Good fit!

#171
10-18-2015, 07:21 AM
Roadkill
I spent a lot of time yesterday investigating modifying the uConnect firmware. It's feasible, thanks to the published exploits that illustrate what a horrible design this system has from a security perspective (it's all based on "security through obscurity"). Oddly, while the Harman firmware is used on both FCA and Toyota vehicles, the FCA approach doesn't use cryptographic signatures to validate the system updates.

Taking a look at uConnect, one finds that it's been assembled by an "amateur hour" grade dev team. Smartphones have *far* better security protecting their firmware bootstrap and operation. In fact, the primary reason I didn't jump right in with slamming in a modded uConnect firmware image is that I am so appalled by what I have seen that I'm not at all confident that this system won't get bricked by a minor perturbation of firmware. I mean, the update check process is triggered at the *end* of main boot, so any derailment before then would probably result in a permanent bootloop.

I came up with about four or five different potential approaches to disable the cellular link through the firmware; however, I'll have to advance cautiously to avoid causing the implosion of this ramshackle heap of firmware that is called uConnect.

I'll probably just get a DLink USB WiFi stick and plug it in. Because, you know, during boot the uConnect firmware looks for one of those to enable. Then you can telnet/ssh/invoke RPCs to control your vehicle with jailbroken uConnect. Or, if you have an earlier revision of firmware then you can just connect to inetd over cellular or WiFi link without authentication and run arbitrary shell commands as root via an intentionally built in feature. *That* is what they shipped, apparently without concern. All star team you've got there, Harman/FCA.

On the plus side, maybe eventually I'll be able to get the "default to on" seat ventilation I have always wanted. Heh.

#172
10-18-2015, 10:47 PM
Rocketrancher

Quote:
Originally Posted by Roadkill
I spent a lot of time yesterday investigating modifying the uConnect firmware. It's feasible, thanks to the published exploits that illustrate what a horrible design this system has from a security perspective (it's all based on "security through obscurity"). Oddly, while the Harman firmware is used on both FCA and Toyota vehicles, the FCA approach doesn't use cryptographic signatures to validate the system updates
.
.
.
I came up with about four or five different potential approaches to disable the cellular link through the firmware; however, I'll have to advance cautiously to avoid causing the implosion of this ramshackle heap of firmware that is called uConnect.
That's an exciting plan, RK.
Thanks for engaging in a battle of wits with what seems to be an unarmed opponent (Harman development). I think Benz folks have rued the day Harman absorbed Becker although, in retrospect, they might have been made for each other. Interesting about the Toyota difference. Somewhere on my list is a desire to add a front cam to the JBL By #%@!! Harman unit in wife's Avalon. It seems they still use a single discrete to trigger the display instead of the network. Would also like to put a muzzle on EnTune, similarly not activated like the Jeep Access but wary of another DashRat, nonetheless.

Quote:
Originally Posted by Roadkill
I'll probably just get a DLink USB WiFi stick and plug it in. Because, you know, during boot the uConnect firmware looks for one of those to enable.
OMG...I didn't know that! I'd read in the whitepaper about using the built-in hotspot, but had written that off since Access was never activated. The other nite I was musing about tethering a terminal to the USB port in the media hub to see if anything was listening, but the wifi stick sounds heavenly. I used to keep a few in my desk at work; bound to be in a box round here somewhere... do they look for any particular model?

Quote:
Originally Posted by Roadkill
On the plus side, maybe eventually I'll be able to get the "default to on" seat ventilation I have always wanted. Heh.

If you start a WishList, please put me down for:
- initial Blower speed = Low, then ramp up after it decides the delta-T
- initial Display brightness = Low, then raise after it decides it's daytime.
The twisted b@$t@rd$ at Harman probably did it the other way on purpose to generate blizzards in the cabin and destroy our night vision.

#173
10-18-2015, 11:52 PM
Roadkill
Quote:
Originally Posted by Rocketrancher
Thanks for engaging in a battle of wits with what seems to be an unarmed opponent (Harman development).
Their ISO security relies on the equivalent of RFC 3514 (aka "the evil bit"). Seriously, if you flip a single byte in the ISO image then the firmware update validation is disabled... again, by design.

It's nice that IOActive has done the initial workup of this firmware (their Remote Car Hacking whitepaper is a great read). However, this Harman/FCA uConnect security is all just sad. A fifth grader could bypass this stuff.

Quote:
do they look for any particular model?
I haven't delved into the binary .so library too much to see what precisely is compiled in for support. I did boot up a QNX neutrino VM to take a look at what was in the ifs-cmc (i.e. a standard IFS filesystem). Dumped that via the dumpifs utility and looked around.

That said, we can be pretty sure that a few models of USB ethernet adapter are supported. Others have already posted the ISO contents of these releases. For example, we can see from the code that the Cisco Linksys USB300M wired adapter is supported. I'm guessing a "typical" D-Link USB WiFi stick will work just fine. That said, I'd actually prefer wired access w/ a crossover cable than dealing with a remote WiFi adapter at first.

"Some" of this stuff may be patched in the latest revision, but it's trivial enough to load the previous, hackable versions and roll forward from there.

The swdl.bin file inside the ISO holds more juicy data & config; however, it is in Harman's nonstandard memifs/hicifs format, but it's not like that is encrypted either so it readily submits to strings scanning. The memifs2 binary extracted from the ISO will not run on my QNX VM (i.e. likely compiled for a different architecture). It seems they tried to "improve security" in the latest release (i.e. the recall version) by moving the boot shell script into this more obscure, less-easily-editable location. However, even in the latest revision the boot.sh file chain-invokes other shell scripts that are still accessible/editable in the ISO, leaving us back at a "what were they thinking?" conclusion.

It's amazing how people so clearly out of their depth can deliver a system that is blithely deployed on millions of vehicles and land contracts worth billions.

Just goes to show you... I hadn't even considered trying to mod the firmware in the past because I thought of how I would have secured the system with cryptographic signing and encrypted updates that would require JTAG'ing or bus fritzing to crack like the PS3 code signing cracks did. I mean, this is a life-critical system (by virtue of peering on the canbus buses), so of course it would be designed to be at least as secure as a video game system, right? Right?
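
The post above contrasts uConnect's update validation with cryptographically signed updates. As an added illustration (not code from this thread, Harman or FCA), the following shows a signed-manifest check that covers every file in an image, including chain-invoked scripts, and that nothing inside the image can switch off. Assumptions: HMAC stands in for a public-key signature so the example runs on the standard library alone, and the key, file contents and the `scripts/` paths are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for a public-key signature here; a real
# head unit would hold only a verification key in storage the update cannot rewrite.
VENDOR_KEY = b"constructed-demo-key"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> bytes:
    """Vendor side: canonical JSON mapping every path in the image to its digest."""
    return json.dumps({p: sha256_hex(d) for p, d in files.items()}, sort_keys=True).encode()

def sign(manifest: bytes, key: bytes) -> bytes:
    return hmac.new(key, manifest, hashlib.sha256).digest()

def verify_image(files: dict, manifest: bytes, tag: bytes, key: bytes) -> list:
    """Return the reasons to reject the image; an empty list means accept.

    Nothing read from the image can disable this check: there is no
    'skip validation' input, and the manifest is authenticated before parsing.
    """
    if not hmac.compare_digest(sign(manifest, key), tag):
        return ["manifest authentication failed"]
    expected = json.loads(manifest)
    problems = []
    for path in sorted(set(expected) | set(files)):
        if path not in expected:
            problems.append(f"unlisted file: {path}")
        elif path not in files:
            problems.append(f"missing file: {path}")
        elif not hmac.compare_digest(sha256_hex(files[path]), expected[path]):
            problems.append(f"modified file: {path}")
    return problems

def flip_bit(data: bytes, offset: int) -> bytes:
    return data[:offset] + bytes([data[offset] ^ 0x01]) + data[offset + 1:]

def demo() -> dict:
    # Constructed image contents. boot.sh and swdl.bin are names from the thread;
    # scripts/stage2.sh is a hypothetical chain-invoked script.
    image = {
        "boot.sh": b"#!/bin/sh\n. /scripts/stage2.sh\n",
        "scripts/stage2.sh": b"#!/bin/sh\necho stage2\n",
        "swdl.bin": b"\x00constructed payload\x01",
    }
    manifest = build_manifest(image)
    tag = sign(manifest, VENDOR_KEY)
    edited = dict(image)
    edited["scripts/stage2.sh"] = flip_bit(image["scripts/stage2.sh"], 10)
    added = dict(image)
    added["scripts/extra.sh"] = b"#!/bin/sh\n"
    return {
        "pristine": verify_image(image, manifest, tag, VENDOR_KEY),
        "one_bit_edit": verify_image(edited, manifest, tag, VENDOR_KEY),
        # Regenerating the manifest to match the edit fails without the key.
        "manifest_rewritten": verify_image(edited, build_manifest(edited), tag, VENDOR_KEY),
        "file_added": verify_image(added, manifest, tag, VENDOR_KEY),
    }

if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "accept")
```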

#174
10-21-2015, 01:07 PM
Rocketrancher
Lifted from a newsletter today.
If they're not careful, they will do more harm to end-users.
The last sentence about privacy policies amuses me. FCA/Uconnect has one; prob'ly the reason we converged here.


--House Committee Aims to Improve Automobile Cybersecurity
(October 15, 2015)
The US House Energy and Commerce Committee is discussing proposed
legislation that would make hacking automobiles illegal. The proposal
has raised concerns that such a provision would prevent flaws in cars'
computer code from being fixed in a timely fashion. The person who found
a vulnerability in GM's OnStar RemoteLink earlier this year told the
committee that they need to be careful with the language of the bill,
"because you will still have lots of bad guys who will continue to hack,
and there will not be any researchers exposing vulnerabilities." The
draft legislation would also impose a fine of US $5,000 a day for car
manufacturers that do not have privacy policies.

Congress aims to regulate car privacy, make hacks illegal | Computerworld
House committee seeks to outlaw car hacking - SC Magazine
https://www.washingtonpost.com/news/...rivacy-policy/
Committee Press Release:
Committee Releases Draft Proposal to Keep Families Safe on the Road | Energy & Commerce Committee
Discussion Draft of Proposed Bill:
http://docs.house.gov/meetings/IF/IF...dwaySafety.pdf

#175
10-31-2015, 11:40 PM
jeepgrandcherokeesal

I hope they don't make hacking illegal.

I agree. Despite our inconveniences, I feel like the world learned a lot about cyber-security here. That was only possible because those engineers at IOActive were motivated as white-hats to investigate. If it were illegal to hack, I believe they would have stopped for fear of being prosecuted. I feel rules like those proposed do nothing to save anyone. Rules stifle creativity, and keep honest people behind a picket fence. Besides, what kind of hacker would stop doing bad because Congress told them not to?

#176
11-01-2015, 12:12 AM
Roadkill
Quote:
Originally Posted by jeepgrandcherokeesal
Besides, what kind of hacker would stop doing bad because Congress told them not to?
Criminals gonna crim.

#177
11-01-2015, 06:50 PM
Rocketrancher

Hello everyone!

Here's the picture I promised awhile back, +1.
I was tidying-up the mid-dash from the camera install and removing a cord that I'd passed thru the upper corner of the bezel. I wanted to open Pandora's box again to study the SAW filters that are handling signals to, and within, the air card. I think we can see that they're using the satellite radio antenna for nav, too, with the aircard being the GPS receiver. Interesting that routes are defined for telematics and two cellphone flavors, and not too happy to see the TM center frequency so close to GPS.



Of course, after I closed it all up and reinstalled the box I realized that I should've turned over three more rocks: We already know about the modem, but three others' numbers were hidden under a blob of thermal compound. So, last week I had an opportunity and yanked it again, cleared the surfaces for one more photo shoot, and put it all back. The larger of the three, in the bottom section, is power management. The small two, in the right section, are yet TBD, but I kinda think that area handles RF power to the primary antenna along with antenna status. Speculation abounds, so if anyone has ideas, please chime-in



Meanwhile, I'm wondering where to go next. On the last install, I added foil shielding around and over the two stubs, tucking it into the bonding contacts. No diff. in the registration activity. Being as the main radio harness is just a bundle of wires, I'm wondering out loud if there is merit to consider shielding it.

...and saw another news item from last week that helps keep all of this stuff exciting:

U.S. says it's OK to hack cars and medical devices (sometimes) | Computerworld


RR


(edit: tried to save some space and include smaller thumbnails of the pics but, when clicked, they'd link to an ad-laden page with the image instead of just the image. bad dog. back to letting the forum handle the image linkage.)

#178
11-01-2015, 07:00 PM
Rocketrancher

Almost forgot: I got my new dipstick a week ago. Yay.

They nearly let me do an over-the-counter swap, but had a mechanic come around to verify outcome.
Drew a small crowd. No media, though.

#179
11-04-2015, 11:37 PM
Rocketrancher

It's a different perspective to look at the pictures instead of up-close to the boards, and it might've twisted my thinking a bit.

I went back to the block diagram in the product description and compared it to the aircard pics. The RF power section correlates and the diagram indicates that it is the only path for transmission. The primary antenna is the only way out; diversity and satellite antennas are receive-only.

Now for the fantasy:

Suppose the "1x" and "3G" indications on the screen are actually showing availability instead of registration? ...and the engineering screen is showing received signal strength (eg. the 105dBm) but not implying registration status?

Is it likely that the thing has been muzzled all along, sensing (and indicating) availability from the left side of the module, but not able to radiate from the right side to phone home?

I know the only updates to my jeep's mileage on MOC have been for a comp. oil change by dealer and my own DIY oil change entry a few weeks back. Others report periodic (telematic?) updates to their mileage, I think as a side-effect of activating Access. Perhaps someone with an Access activation could try the primary antenna termination to see if those updates are affected?

I think I'll next work on putting a probe in there to sniff for action around 1850 when I drive thru town, just to see if anything is really radiating from the stub.

#180
11-05-2015, 10:01 PM
michaelk

Quote:
Originally Posted by jeepgrandcherokeesal
I hope they don't make hacking illegal.

I agree. Despite our inconveniences, I feel like the world learned a lot about cyber-security here. That was only possible because those engineers at IOActive were motivated as white-hats to investigate. If it were illegal to hack, I believe they would have stopped for fear of being prosecuted. I feel rules like those proposed do nothing to save anyone. Rules stifle creativity, and keep honest people behind a picket fence. Besides, what kind of hacker would stop doing bad because Congress told them not to?
library of congress made it legal to hack your own for at least 3 years with DMCA exemption:
Library of Congress Says It's OK to Hack Your Car | WIRED

but if i recall you can only hack things related to the car and not to media related things- lol- like they're not all interconnected as proven by the uconnect hackers hijacking "the radio" to futz with the "car" side of things.