#25  03-26-2014, 04:58 PM  Hayseed_wk2 (Member, 2014 WK2)
Re: 8.4 UConnect Update - Deconstructed

> Originally posted by Roki303:
> One thing that I've seen is that 13.15.4 was built on 4/9. This release, 13.19, was built on 5/6. Seems like they are on a monthly release cycle.

That would explain a lot about this Uconnect if it were on a monthly cycle...
#26  07-24-2014, 12:37 PM  DravenGSX (Premium Member, 2014 3.6L WK2, Clermont, FL)

Good stuff here... Looking forward to seeing where this goes.

The QNX license guide (http://support7.qnx.com/download/dow...8.Feb20-14.pdf) references a QNX port of the Dalvik VM (Android) runtime environment in the car infotainment section.

Has anybody been able to identify if this is present in the UConnect builds?
#27  10-30-2014, 03:34 PM  johnsonnc (New Member)

> Originally posted by Joewert9:
> Hi, I am also VERY interested in modding the OS for the Uconnect. Personally I am not a QNX specialist, but I know a guy who is very familiar with this stuff.
> Question: did you have any success with telnet to break into the filesystem? Is it possible to change parameters or layouts?
> As far as I saw from the images I downloaded it should be very easy to mod the system, but at the moment I don't know how to connect to the system directly. You said via a USB interface from D-Link or Cisco?!? Which type? I think the Uconnect has a LOT of potential to expand its functionality (Internet, movies, ...) but somewhere we have to start... BTW, I have the Uconnect in a 2013 Fiat Freemont, which is the European version of the Dodge Journey. Hope to hear from you, let's stay in touch for HACKING this great device ;-)

No luck. Can't find a username or password.
Changing any UI elements looks like just uploading a new Adobe Flash file where appropriate. The USB interface (where you would plug in the flash drive) looks for a Cisco or D-Link Ethernet dongle. I don't have the specific models, but they are in one of the Lua scripts in the ISO update file. They are pretty basic and cheap to get. It has to be there when it is booted to start.

Basically, if someone can find the username and password for a sudo account on that SSH port you could do whatever you want with it. However, unless you have extensive Java, Flash, and Lua experience (oh, and know how to talk to the hardware without causing it to crash), you're probably going to be limited to modding what is there.

Personally, I would love to disable the damn Sprint cell/air card that does nothing for me except upload the vehicle location and engine data all the time to Chrysler. Oh, and by the way, if you haven't yet noticed, even if your vehicle is off, the system 'quietly' boots every so often and brings up that cell connection and checks in with Chrysler. All regardless of whether you pay the $20 a month for service.
#28  10-30-2014, 03:48 PM  lstowell (Premium Member, 2014 5.7L WK2, Colorado)

> Originally posted by johnsonnc:
> No luck. Can't find a username or password.
> Changing any UI elements looks like just uploading a new Adobe Flash file where appropriate. The USB interface (where you would plug in the flash drive) looks for a Cisco or D-Link Ethernet dongle. I don't have the specific models, but they are in one of the Lua scripts in the ISO update file. They are pretty basic and cheap to get. It has to be there when it is booted to start.
>
> Basically, if someone can find the username and password for a sudo account on that SSH port you could do whatever you want with it. However, unless you have extensive Java, Flash, and Lua experience (oh, and know how to talk to the hardware without causing it to crash), you're probably going to be limited to modding what is there.
>
> Personally, I would love to disable the damn Sprint cell/air card that does nothing for me except upload the vehicle location and engine data all the time to Chrysler. Oh, and by the way, if you haven't yet noticed, even if your vehicle is off, the system 'quietly' boots every so often and brings up that cell connection and checks in with Chrysler. All regardless of whether you pay the $20 a month for service.

Do you see a shell prompt at all?
Is it bash, or pbash?
Did you try root and a carriage return?
... or changeme.
#29  11-03-2014, 11:53 AM  DravenGSX (Premium Member, 2014 3.6L WK2, Clermont, FL)

> Originally posted by lstowell:
> Do you see a shell prompt at all?
> Is it bash, or pbash?
> Did you try root and a carriage return?
> ... or changeme.

Here is the rub with trying to telnet into the radio:

(this is in boot.sh) --

# start packet filtering early enough to prevent telnet access
# even if user has DHCP server on connected PC
# starts enabled and reads config from default /etc/pf.conf
qon mount -T io-pkt lsm-pf-v4.so

One of the first things that the radio does during boot is to turn on a firewall that drops telnet, so even with your Cisco or DLink USB ethernet adapter, you won't be able to connect without first flashing a firmware that does not enable the firewall.
#30  11-17-2014, 08:29 AM  johnsonnc (New Member)

> Originally posted by DravenGSX:
> Here is the rub with trying to telnet into the radio:
>
> (this is in boot.sh) --
>
>     # start packet filtering early enough to prevent telnet access
>     # even if user has DHCP server on connected PC
>     # starts enabled and reads config from default /etc/pf.conf
>     qon mount -T io-pkt lsm-pf-v4.so
>
> One of the first things that the radio does during boot is to turn on a firewall that drops telnet, so even with your Cisco or DLink USB ethernet adapter, you won't be able to connect without first flashing a firmware that does not enable the firewall.

So the Cisco USB300M is the dongle that I have, and it does work.
Both telnet and SSH present a prompt. The telnet one does have some QNX identification as a prompt message. SSH is just a username/password prompt.
I am guessing that the firewall is broken, or the Lua script kills it later after it detects the dongle?? Or it may have been changed in more recent versions?? (I have to admit I haven't poked around with the last two or three releases.)

That being said, the Lua scripts are rather nutty because they mount/remount/umount a lot of different partitions all over the place. I haven't bothered to unravel that mess. Point is, it seems pretty sloppy for an embedded vehicle system, so I wouldn't put it past them to have some of the same "patterns" regarding their services like firewalls.

Why kill telnet with just a firewall? Why not kill the whole service?
Why did they leave SSH open?
I get killing it from the AirCard interface, but killing it on the local interface?

The QNX debug port is open (800, I think). Why not firewall that? (This strikes me as the biggest hole to exploit, BTW, but it doesn't seem to respond.)
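The two posts above disagree on whether telnet over the USB Ethernet dongle is dropped by pf or answers with a prompt, and the way to settle that is to look at which of the three TCP outcomes you get: a completed handshake means a listener with no drop rule in the way, an immediate reset means nothing is listening, and silence until the timeout means a drop rule or a dead link. The script below is an added example written for this thread; it is not from either post, from Chrysler/Harman or from the radio's firmware. The target address is an assumption (use whatever the radio has on the dongle link), the banners it classifies are the standard SSH identification string and the telnet IAC byte, and TCP 8000 is probed alongside the post's "800" because 8000 is the default port of the QNX qconn target agent. The self-test at the bottom talks only to a loopback listener with a constructed banner.

```python
import socket
import sys
import threading

# Ports discussed in the thread. The post says the QNX debug port is "800, I think";
# the qconn target agent's default is TCP 8000, so both are probed.
PORTS = {"telnet": 23, "ssh": 22, "debug-as-posted": 800, "qconn-default": 8000}


def classify_banner(banner: bytes) -> str:
    """Guess the service from whatever it volunteers right after connect."""
    if banner.startswith(b"SSH-"):          # RFC 4253 identification string
        return "ssh"
    if banner[:1] == b"\xff":               # telnet IAC: option negotiation comes first
        return "telnet"
    if b"QNX" in banner:                    # login banner that names the OS (as the post describes)
        return "qnx-login-banner"
    if not banner:
        return "silent"                     # open, but the server expects us to speak first
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> dict:
    """One TCP connect, mapped to the outcomes that matter for the firewall question:
    open     -> handshake completed, a service is listening and no drop rule is in the way
    closed   -> RST came back, nothing listens on that port
    filtered -> no answer before the timeout: a pf drop rule or no link at all
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return {"port": port, "state": "filtered", "banner": b"", "service": None}
    except ConnectionRefusedError:
        s.close()
        return {"port": port, "state": "closed", "banner": b"", "service": None}
    except OSError as exc:                  # no route, host unreachable, etc.
        s.close()
        return {"port": port, "state": "error", "banner": b"", "service": str(exc)}
    try:
        banner = s.recv(256)                # grab whatever the service says first, if anything
    except (socket.timeout, OSError):
        banner = b""
    finally:
        s.close()
    return {"port": port, "state": "open", "banner": banner, "service": classify_banner(banner)}


def probe_all(host: str, ports=PORTS, timeout: float = 3.0) -> dict:
    return {name: probe(host, port, timeout) for name, port in ports.items()}


def local_selftest() -> dict:
    """Exercise probe() against a loopback listener that sends a constructed
    SSH-style banner, then against the same port once nothing listens on it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        conn.sendall(b"SSH-2.0-constructed_banner\r\n")   # constructed, not a real radio banner
        conn.close()

    t = threading.Thread(target=serve_once, daemon=True)
    t.start()
    open_result = probe("127.0.0.1", port)
    t.join(3.0)
    srv.close()
    closed_result = probe("127.0.0.1", port)   # port is free now: kernel answers with RST
    return {"open": open_result, "closed": closed_result}


if __name__ == "__main__":
    # Usage: python probe_radio.py <address of the radio on the dongle link>
    # The default address is an assumption, not something the thread states.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    for name, r in probe_all(target).items():
        print(f"{name:16s} tcp/{r['port']:<5d} {r['state']:9s} {r['service'] or '':18s} {r['banner'][:40]!r}")
```

Read the result per port, not per host: "telnet filtered, ssh open" would confirm the pf rule the boot.sh comment describes; "telnet open with a QNX banner" would confirm the later post instead. A port that is "open" but "silent" is not evidence of anything beyond a listener; qconn in particular is a binary protocol that does not greet, so silence on 8000 says only that something accepted the connection.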
#31  12-03-2014, 01:02 PM  DravenGSX (Premium Member, 2014 3.6L WK2, Clermont, FL)

> Originally posted by johnsonnc:
> So the Cisco USB300M is the dongle that I have, and it does work.
> Both telnet and SSH present a prompt. The telnet one does have some QNX identification as a prompt message. SSH is just a username/password prompt.
> I am guessing that the firewall is broken, or the Lua script kills it later after it detects the dongle?? Or it may have been changed in more recent versions?? (I have to admit I haven't poked around with the last two or three releases.)
>
> That being said, the Lua scripts are rather nutty because they mount/remount/umount a lot of different partitions all over the place. I haven't bothered to unravel that mess. Point is, it seems pretty sloppy for an embedded vehicle system, so I wouldn't put it past them to have some of the same "patterns" regarding their services like firewalls.
>
> Why kill telnet with just a firewall? Why not kill the whole service?
> Why did they leave SSH open?
> I get killing it from the AirCard interface, but killing it on the local interface?
>
> The QNX debug port is open (800, I think). Why not firewall that? (This strikes me as the biggest hole to exploit, BTW, but it doesn't seem to respond.)

Ok, this makes sense. The more that I think about it, the boot.sh script that is in the ISO is the boot script to initiate the upgrade (hence the mount/remount/umount of partitions and the extraction of file systems). The entire filesystem is compiled (need the QNX SDK to open it). What we're able to see appear to be temp files.

It looks like the answer is in getting into the unit via telnet or SSH. What about adding a script that creates a user in the upgrade?
#32  12-03-2014, 01:42 PM  johnsonnc (New Member)

> Originally posted by DravenGSX:
> Ok, this makes sense. The more that I think about it, the boot.sh script that is in the ISO is the boot script to initiate the upgrade (hence the mount/remount/umount of partitions and the extraction of file systems). The entire filesystem is compiled (need the QNX SDK to open it). What we're able to see appear to be temp files.
>
> It looks like the answer is in getting into the unit via telnet or SSH. What about adding a script that creates a user in the upgrade?

No dice, at least from my perspective. The ISO that is loaded is checksummed with MD5 and then signed by Harman Kardon (or Chrysler). There is a hardware-level check that is done (part of the TI OMAP processor) by a certificate that is burned into the ROM/board. If the MD5 hash and signature don't line up it will refuse to upgrade. If you do add a script in there it won't pass the checksum check.

The only thing I can think of is to possibly inject a script into it during the update run itself. There are a lot of unknowns with that, including whether or not the USB port is even brought up during the update, whether the update has sudo rights after the main OS is reflashed, and then finding a way to execute the script once the ISO is mounted. The best place to start would be to see if the network is brought up when the update runs; if it is, then see what ports or services are open and whether access can be gained there.
#33  12-03-2014, 02:56 PM  Roadkill (Member)
If it's really just a signed MD5 for the image, then it would seem possible to make arbitrary changes and add a binary file elsewhere in the directory structure that brings the checksum back into balance. MD5 is considered old and busted for this very reason.

Something along these lines:
http://cryptography.hyperlink.cz/MD5_collisions.html

I'm just going off your comment so YMMV, e.g. if the MD5 is salted or encrypted such that we don't know the actual value to try to collide with. Or perhaps I misunderstood your comment and we don't have the certificate because it's embedded in the hardware so can't get the value of the public key, or whatever.
#34  12-03-2014, 04:28 PM  DravenGSX (Premium Member, 2014 3.6L WK2, Clermont, FL)

So, we know it's been done.

Is this the ISO check that you're talking about? /usr/share/scripts/update/installer/system_module_check.lua:

    local fname = string.format("%s/swdl.iso", os.getenv("USB_STICK") or "/fs/usb0")
    local FLAGPOS = 128

    local f = io.open(fname, "rb")
    if f then
        local r, e = f:seek("set", FLAGPOS)
        if r and (r == FLAGPOS) then
            local x = f:read(1)
            if x then
                if x == "S" then
                    print("system_module_check: skip ISO integrity check")
                else
                    -- Start full-ISO Authentication
                    local cmd = ""
                    local isoSigFile = "/tmp/isoSigHash"   -- this is the full signed-hash of the full-ISO
                    local isoHashFile = "/tmp/isoHash"     -- this is where we'll have openssl put the verified hash
                    local calcHashFile = "/tmp/calcHash"   -- this is where we'll store our own generated hash
                    local iso_path = string.format("%s/swdl.iso", os.getenv("USB_STICK") or "/fs/usb0")

                    -- Step 1: Extract the FULL-ISO signed-hash from the iso (skipping past the digest signature)
                    cmd = "inject -e -i "..iso_path.." -f "..isoSigFile.." -o 64 -s 64"
                    print(cmd)
                    os.execute(cmd)

.............. And it goes on and on. Just want to make sure I'm looking in the right place?
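The excerpt pins down exactly two things about the start of swdl.iso: the installer seeks to offset 128 and reads one byte, and a literal "S" there makes it print "skip ISO integrity check" and take the unauthenticated branch; otherwise it pulls 64 bytes from offset 64 (the `inject -e ... -o 64 -s 64` step) as the signed hash of the full ISO. The script below is an added example of mine, not code from the thread or from the Uconnect installer. It reproduces only those two visible steps, on a real file or on a constructed stand-in, and stops where the excerpt stops: it does not verify the signature, and it does not know which bytes the hash covers or whether the flag byte itself lies inside the signed region. The constructed images match those two offsets only; the rest of the real header layout is not on the page.

```python
FLAG_POS = 128     # f:seek("set", FLAGPOS); a literal "S" here means "skip ISO integrity check"
SIG_OFFSET = 64    # inject -e -i <iso> -f /tmp/isoSigHash -o 64 -s 64
SIG_LEN = 64


def header_decision(image: bytes) -> dict:
    """Take the branch system_module_check.lua takes on this image.

    Returns the path the installer would follow and, on the verify path, the
    64-byte blob the script hands to openssl as the signed hash. Nothing past
    that step is modelled, because nothing past it is in the excerpt.
    """
    if len(image) < FLAG_POS + 1:
        # f:read(1) would return nil; what the script does then is not shown
        return {"path": "no-flag-byte", "signed_hash": None}
    if image[FLAG_POS:FLAG_POS + 1] == b"S":
        return {"path": "skip", "signed_hash": None}
    return {"path": "verify", "signed_hash": image[SIG_OFFSET:SIG_OFFSET + SIG_LEN]}


def from_file(path: str) -> dict:
    """Run the decision on a real file, reading only the bytes the script reads."""
    with open(path, "rb") as f:
        head = f.read(FLAG_POS + 1)
    return header_decision(head)


def diff_offsets(a: bytes, b: bytes) -> set:
    """Byte offsets at which two images differ; a length difference shows up as every tail offset."""
    n = max(len(a), len(b))
    return {i for i in range(n) if a[i:i + 1] != b[i:i + 1]}


def constructed_image(flag: bytes, signed_hash: bytes, body: bytes) -> bytes:
    """Stand-in image (constructed, not a real swdl.iso) with the two fields
    placed at the offsets the script reads and zero bytes everywhere else."""
    if len(flag) != 1 or len(signed_hash) != SIG_LEN:
        raise ValueError("flag must be 1 byte and signed_hash %d bytes" % SIG_LEN)
    header = bytearray(FLAG_POS + 1)
    header[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = signed_hash
    header[FLAG_POS:FLAG_POS + 1] = flag
    return bytes(header) + body


if __name__ == "__main__":
    sig = bytes(range(SIG_LEN))          # placeholder bytes, not a real signed hash
    body = b"constructed payload"
    verify_img = constructed_image(b"\x00", sig, body)
    skip_img = constructed_image(b"S", sig, body)
    print("path with flag 0x00:", header_decision(verify_img)["path"])   # verify
    print("path with flag 'S': ", header_decision(skip_img)["path"])     # skip
    print("offsets that differ:", diff_offsets(verify_img, skip_img))    # {128}
```

The diff_offsets call is the check worth carrying over to the real installer: by the script's own logic a single byte at offset 128 decides whether the authentication branch runs at all, so the first thing to establish from the rest of system_module_check.lua (not from this excerpt, which does not show it) is whether that byte is covered by the signed hash. Point from_file at a copy of swdl.iso to see which branch a shipped image takes.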
#35  12-05-2014, 11:28 PM  logan_wk2 (Premium Member, 2015 3.6L WK2)

Does anyone know if the updates contain the full ROM or is it a patch?
#36  12-06-2014, 12:55 AM  seeingwhite (FFH)

> Originally posted by logan_wk2:
> Does anyone know if the updates contain the full ROM or is it a patch?

Should be the whole ROM.
Tags: uconnect, uconnect 13.19.0, uconnect 8.4an

All times are GMT -5.

Copyright 2012 - JeepGarage.Org, The Jeep Grand Cherokee Owners Community. JeepGarage.org is in no way associated with or endorsed by FCA US LLC. Chrysler, Dodge, Jeep, Ram, Mopar and SRT are registered trademarks of FCA US LLC.