
8.4 UConnect Update - Deconstructed

#1 ·
So, the new Uconnect update allowed for insight into the new 8.4 systems. Seems they are embedded Linux based (shocker) and have access to a lot of stuff. I was actually surprised that the upgrade wasn't encrypted in some form.

Things I found that were of interest:

SQLite3 databases containing SiriusXM data for weather, traffic, fuel, etc.

Splash screens for Ferrari, Lancia, Jeep, Dodge, etc.

Screen Calibration info. Makes me think there is a way to get into service/setup mode somehow.

There are files for an anti-theft keypad screen... Might turn out to be something like the Chevy concierge mode that locks out the phone book.

There is a REALLY strange video set to "Evanescence - My Immortal" with a bunch of accidents. Says Streetracing.ru and "Speeding. No one thinks big of you."

UI seems to be mostly on a standard web platform with HTML, Flash, etc.

Legwork is being done via Lua and shell scripts.

SiLabs seems to be the partner for the stereo tuner.

Seems some of the packages used are shared with Toyota's embedded OS.

Sierra Wireless devices are used for the 3G connectivity.

Partnership with airbiquity.com



I hope to get a stereo (once they are available) for testing. I think there is a lot of room for modding once rooted. I also fear there is a lot of room for exploitation. Might lead to a cool Black Hat talk...

Anyone else find anything else cool?

PS - cool Jeep and SRT files attached. Plus that strange video...
 

#3 · (Edited)
Funny, I noticed that too when looking at the update. I did open several of the files for editing. I have done editing with game files like this. I can't wait for someone to figure them out. I have a new radio being installed next week; I should go play with the files.
 
#6 ·
Yeah, told ya guys that video is creepy... If anyone is offended please let me know and I will remove it. It just made the interesting list b/c, well, you see why...

Thanks Willx for the new files, gonna take a look at those. I also hope to get some time to sit down and fully review the scripts and content to see what kind of mods can be done.

Just from the light review, the manifest files and scripts are not doing any serious validation. So it should be possible to swap in custom images and whatnot. Makes me wish they had a cert/hash check somewhere. Not that it is full-proof, but it helps make it fool-proof.

What I really want to do is get a full copy of the OS for a full review. From that, I am sure there are some bit flips that can do some cool stuff. The 8.4 systems are extremely integrated into the Jeep. To the point where, if it were removed, I am not even sure the Jeep would run properly.
 
#7 · (Edited)
There is a mode in the Jeep that allows it to run normally without a functioning system, or with a corrupted one. Same as factory ship mode. Now whether there is pass-through on the bus, dunno.

I don't think there is a problem with the video. It is encased in a public release that others received from Chrysler. I just think it is an interesting Easter egg. Someone in development was clearly concerned about distractions while driving and was making a point. Up to the MODS to decide though.
 
#11 ·
So some additional tidbits.

Updates seem to be rolled up; at the moment there is no need to run one and then the next.

Sierra AirCard seems to be running on the Sprint PCS network.

There is some code to do upgrade validation to verify it before executing. From what I can tell it isn't in use yet.

Sirius information on weather, destinations, movies, etc. seems to be set up independently for driver A vs. driver B.

So far, none of the code is obfuscated. Standard decompilers work just fine on the SWF and JAR files.

Lots of notes in the scripts.

I think most have already observed this, but the apps require a 3G connection.

I don't have solid proof yet, but there are some indications that sensor (diagnostic) information may be getting sent back to Chrysler. Time to put on my tinfoil hat.

Lots more interesting bits to explore. If I ever get the time and become brave enough to mod or at least explore it, I will drop something under the new Uconnect Premium Members Area.
 
#12 ·
Where is this Uconnect Premium Member area? My membership has already paid for itself by getting free tracking from Milous and the build sheet. Seems like the good stuff keeps on coming. Best couple of $$$ spent so far.
 
#18 ·
Ok, watched the video content and, well, the first couple in particular pretty much sucked the life out of me for the afternoon.

I live on a popular rush hour "short cut" and witness near misses daily due to texting or speeding, and have a 2 yr old who is in the take-off-and-run phase right now.

These are the types of PSAs that need to be on American TV, could care less who is offended!!
 
#19 ·
Here is what I have found out:

Definitely QNX (6.5.0?). Same OS that runs the new BlackBerrys.

The device looks for a D-Link and a Cisco network card when it boots. I forget the specific model, but I have confirmed they do work when plugged into the USB port.

The IP of the device is 192.168.65.1, I think.

When linked up there are a lot of open ports; most of them don't seem to do anything, but they do show as open. A couple are quite chatty. Mostly log stuff as far as I can tell.

The QConn exploit seems to be patched, so no dice there.
The device uses I2C and a BMC to communicate with the truck; however, the cluster display isn't dependent on it. In talking to one of the mechanics, I think that it does have the ability to write to the body control module. Basically there are codes they can put in that enable features in the vehicle itself.

QNX and the OMAP processor require the flash image to be signed and hashed before it will boot it or flash it, meaning anything that is done ROM-wise will require a tethered solution unless the private cert is found.

Also, from what I can tell the kernel, initrd, and the whole base OS (including /etc) are compressed in some weird binary format that's proprietary to QNX. If that can be decompressed, might get lucky with a user name and password. The telnet and SSH ports are open and are responding.

The only way I can see in is through the network, but I imagine that most things that may force root access or drop a shell would probably get caught by the strict watchdog they have. It's more advanced than the standard Linux watchdog. There is a specific reference to it in the Lua scripts; something about "petting the dog".
 
#22 ·
Strange about this video... but not really funny... but this is real life :(
 
#33 · (Edited)
If it's really just a signed MD5 for the image, then it would seem possible to make arbitrary changes and add a binary file elsewhere in the directory structure that brings the checksum back into balance. MD5 is considered old and busted for this very reason.

Something along these lines:
http://cryptography.hyperlink.cz/MD5_collisions.html

I'm just going off your comment so YMMV, e.g. if the MD5 is salted or encrypted such that we don't know the actual value to try to collide with. Or perhaps I misunderstood your comment and we don't have the certificate because it's embedded in the hardware so can't get the value of the public key, or whatever.
 
#34 ·
So, we know it's been done.

Is this the ISO check that you're talking about? /usr/share/scripts/update/installer/system_module_check.lua:
local fname = string.format("%s/swdl.iso", os.getenv("USB_STICK") or "/fs/usb0")
local FLAGPOS = 128

local f = io.open(fname, "rb")
if f then
    local r, e = f:seek("set", FLAGPOS)
    if r and (r == FLAGPOS) then
        local x = f:read(1)
        if x then
            if x == "S" then
                print("system_module_check: skip ISO integrity check")
            else
                -- Start full-ISO Authentication
                local cmd = ""
                local isoSigFile = "/tmp/isoSigHash"   -- this is the full signed-hash of the full-ISO
                local isoHashFile = "/tmp/isoHash"     -- this is where we'll have openssl put the verified hash
                local calcHashFile = "/tmp/calcHash"   -- this is where we'll store our own generated hash
                local iso_path = string.format("%s/swdl.iso", os.getenv("USB_STICK") or "/fs/usb0")

                -- Step 1: Extract the FULL-ISO signed-hash from the iso (skipping past the digest signature)
                cmd = "inject -e -i "..iso_path.." -f "..isoSigFile.." -o 64 -s 64"
                print(cmd)
                os.execute(cmd)

                -- (remainder of the script not included in the post)
            end
        end
    end
end

.............. And it goes on and on. Just want to make sure I'm looking in the right place?
 
#42 ·
Guys, you just had the solution right in front of your eyes :D

Open a hex editor, put an "S" at position 128 in the ISO, and it will skip the integrity check. So you can install modified ISOs.

It also has been published here, now, but you had it before...:

http://www.ioactive.com/pdfs/IOActive_Remote_Car_Hacking.pdf
 
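The gate quoted from system_module_check.lua in #34 and the "S at position 128" trick in #42 come down to one design flaw: a byte inside the untrusted image decides whether that image gets verified. The following is an added example, not code from this thread, from the Uconnect scripts or from the IOActive paper. It models the check in Python so the effect of the flag can be seen on constructed data, and puts a hardened variant beside it. The flag offset (128, value "S") and the signed-hash location (64 bytes at offset 64, from the quoted `inject ... -o 64 -s 64` command) are taken from the posted script; everything else is an assumption for illustration: the 256-byte header, the constructed device key, and the use of HMAC-SHA256 as a stand-in for the vendor's signed hash, since the post does not show what openssl is invoked with.

```python
"""Model of the swdl.iso integrity-check gate (added example, not the thread's code).

Real values from the quoted Lua: flag byte 'S' at offset 128, signed hash = 64 bytes
at offset 64. Assumed for illustration: 256-byte header, HMAC-SHA256 stand-in
signature, constructed device key.
"""
import hashlib
import hmac

FLAGPOS = 128                  # from the Lua: 'S' here means "skip ISO integrity check"
SIG_OFFSET, SIG_LEN = 64, 64   # from the Lua: "inject -e ... -o 64 -s 64"
HEADER_LEN = 256               # ASSUMPTION: header occupies the first 256 bytes

# ASSUMPTION: stand-in for the vendor's verification key; the real unit uses a
# signed hash checked with openssl and the key is not in the post.
DEVICE_KEY = b"constructed-device-key-not-real"


def _payload(iso: bytes) -> bytes:
    """Everything after the header is what the 'signature' is meant to protect."""
    return iso[HEADER_LEN:]


def sign_payload(payload: bytes) -> bytes:
    """Stand-in for the signed hash: HMAC-SHA256 over the payload, padded to SIG_LEN."""
    mac = hmac.new(DEVICE_KEY, payload, hashlib.sha256).digest()
    return mac.ljust(SIG_LEN, b"\0")


def build_iso(payload: bytes, skip_flag: bool = False) -> bytes:
    """Construct a sample image: zeroed header, stand-in signature at offset 64, optional 'S' flag."""
    header = bytearray(HEADER_LEN)
    header[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = sign_payload(payload)
    if skip_flag:
        header[FLAGPOS] = ord("S")
    return bytes(header) + payload


def set_skip_flag(iso: bytes) -> bytes:
    """The hex-editor step from #42: write 'S' at offset 128 of an existing image."""
    buf = bytearray(iso)
    buf[FLAGPOS] = ord("S")
    return bytes(buf)


def tamper(iso: bytes) -> bytes:
    """Swap in a modified payload (think custom splash image) without re-signing."""
    return iso[:HEADER_LEN] + _payload(iso).replace(b"Jeep.png", b"Hack.png")


def signature_valid(iso: bytes) -> bool:
    """Recompute the stand-in signature and compare it in constant time."""
    stored = iso[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    return hmac.compare_digest(stored, sign_payload(_payload(iso)))


def vulnerable_check(iso: bytes) -> str:
    """Mirrors the quoted Lua: attacker-controlled byte decides whether verification runs."""
    if iso[FLAGPOS:FLAGPOS + 1] == b"S":
        return "skipped"
    return "ok" if signature_valid(iso) else "reject"


def hardened_check(iso: bytes) -> str:
    """Same data, but no content of the untrusted image can turn verification off."""
    return "ok" if signature_valid(iso) else "reject"


def demo() -> dict:
    """Run the four cases a practitioner would try; returns the verdicts for inspection."""
    good = build_iso(b"swdl payload: /fs/images/Jeep.png ... (constructed sample)")
    modified = tamper(good)
    modified_with_flag = set_skip_flag(modified)
    return {
        "good/vulnerable": vulnerable_check(good),
        "modified/vulnerable": vulnerable_check(modified),
        "modified+S/vulnerable": vulnerable_check(modified_with_flag),
        "modified+S/hardened": hardened_check(modified_with_flag),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24s} -> {verdict}")
```

On a real image the hex-editor step in #42 is a single write of one byte at offset 128, e.g. `printf 'S' | dd of=swdl.iso bs=1 seek=128 conv=notrunc`; the model shows why that is enough: the modified image is rejected only as long as the installer actually runs the signature path, and the flag byte removes it from that path. The hardened variant verifies unconditionally and still rejects the same image with the flag set.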
#40 ·
What kind of problem are you having with the EFS file system? Mounting it? Or reading it after it has been mounted?

This article talks about mounting it:
foundry27 : Post
 
#46 ·
I think you are completely right and I'll test that soon. Here in Germany it is a little bit more complicated because we are using so-called "converted" units. The manufacturer of that software fixed one of these bugs very early and uses its own key material as far as I know. So I have to do a rollback to an official software release first to try to get a modified one running... But I'll do it and will report ;-)
 
#49 · (Edited)
So.. I'm always into looking around and tinkering with things...

And after reading many forums and sites on the uConnect exploits, published in the hacking PDFs, etc...

My Current system:
Aussie MY14 Laredo RJ3 uConnect
Firmware v15.26.1 - RJ4.
NAV activated with 3D Maps - tho the 2012Q2 maps are ancient.. glad I did not shell out $$$ to dealer for this.

I have so far managed to perform the following:

1. Load up an "edited" original ISO file and perform my own scripts/changes. Yes, this works on the latest firmwares, as the ISO "passes" validation and the system allows "downgrades" to run.

2. Dump the entire filesystem out to a USB stick for looking at; this also helped me do the actions below.

3. I have managed to successfully "convert" my RJ3 RW model Uconnect to other models, such as the RJ4 RW unit. You will see below why I wanted to "convert" it...

4. I've managed to get the update ISOs to install the "Uconnect Access" / Apps; however, they are pointless and do not work, as they need the Sierra Wireless device for internet access, and they are not activated unless you can connect to the Uconnect Store, which requires the internet connection. I have read, though, that you can buy a Linksys/D-Link USB-to-Ethernet dongle which gets enabled during bootup of the Uconnect.

5. Since I own a MY14 Laredo, my NAV was not activated (RJ3)... I have now activated my NAV and updated the MAPS using the RJ4 Maps Update ISO... and yes, I have 3D Maps. As for their reasons why they say the "activated" RJ3 NAVs "can't" get 3D maps, that is beyond stupid. I checked the filesystem free disk space using "df -h" and it had 4 GB of free disk space before I uploaded the RJ4 Map update disk; after checking it, that 4 GB dropped to only 3.3 GB free space. The only thing I can think is that possibly the NA or EU maps are much bigger in size and would not be able to fit; luckily for me the AU maps are only quite small, maybe 1 GB in total...

I am currently working on the following... most of which I am digging through the Update ISOs that I have managed to download.

1. Enable SRT App - I know Customtronix have this, so it must be able to be done... without paying bulk $$$ to CTX for a token / ISO file they've put together. No offence, kudos to them for working out how to make their own custom ISOs, but I'm not willing to pay 130 euros for unlocking the SRT app; their "jailbreak" doesn't even do NAV activation.

2. Enable DAB and get the antenna sorted - Seen the post in the forum about this. I did have the DAB button before I started all of this "hacking", not sure where I lost it, but I never really looked into it much. It did show up and stick around after factory reboots, and I could go into it but it wouldn't find the stations; as shown in the other thread, you need the antenna hooked up for it to function 100% on the Jeeps that get this DAB icon all the time.

3. Change the splash screen pic, bg images, and more... I assume this would be easy, but since this is really a low priority for me I've not really looked at changing these files. I assume it would be as simple as replacing the Jeep.png and splash files I have located with whatever I like. Will probably look at this soon.

Phew... what a post. Sorry to blab on a bit. Hope this info helps more people out; if they want to talk to me more about it, I'm willing to chat.
 