Source Code Here!

covfefe
Posts: 6
Joined: Sun Jul 23, 2017 10:19 am
Qashqai Model: Mk.3 Qashqai - J12 (2021+) New Model

Post by covfefe »

Nice to see that someone picked up where I stopped. Sorry I just disappeared... :oops:

I sadly gave up on LCN2kai in the meantime and just installed an aftermarket DAB tuner (Pure Highway 400) into AUX and an antenna splitter to drive both the factory and aftermarket tuners. Now the next project is to modify the Micra fog lights into fog+daytime running lights. That has nothing to do with this topic unfortunately.

FYI Amazon still has some DLink DUB-E100 USB Ethernet in stock. For the heck of it I bought one and will make a Wireshark dump of a cold boot once it arrives. Maybe it will help bring this project forward. Maybe not. Testing is the only way to know.

Before that I tried, as I wrote, a TP-Link UE300 Ethernet adapter, which the Linux kernel actually detected but the boot loader seemingly did not.

duncho is right that you must press the power button for some seconds to hard reboot; otherwise it seems to resume from stand-by mode. I would go so far as to guess that what happens is similar to Suspend to RAM stand-by in PCs.

Easy way to test that would be to yank the battery for a minute but I'm not sure if LCN2kai then asks for a radio code or if that is already hardcoded at the factory per unit. I need the car daily so I cannot risk screwing it up.

Sorry, I lack the more in-depth reversing skills for the hardware or assembler level. :(

But I will provide that Wireshark network dump...

If the bootloader is a dead end, running shellcode with a compromised media file or compromised speed camera data/POI file is probably the only feasible way in. Like I wrote before, it seems that to get SSH all you need is to run one simple command. :cry:

Load prochmi_out.out into IDA Pro and you get a huge disassembly mess but that may have the answers to everything.

PS: I googled for prochmi_out and found this old topic: hxxp://forum.opel-club.ru/topic/117726-proshivka-navi-500-v-navi-800/
It has some screenshots and maybe it is not so useful, but it looks like Bosch is recycling the code for other manufacturers?
Maybe these guys already know how to get access to more?

duncho
Posts: 1672
Joined: Sun Mar 23, 2014 9:45 pm

Post by duncho »

Thank you for the update on this. You can freely disconnect the battery / power supply for Connect. J11 no longer uses a radio code. Connect is verified via CAN-BUS with BCM and NATS.
It's a pity that no one else could help. I will try to approach the guy from the link you posted. However, I doubt he will be able to help without having Connect to play with.
Qashqai J11, 1.6 dCi CVT, ThermaClear

For latest news & tests Subscribe! to my Youtube channel
Order Stop/Start reversing & DRL dim/OFF modules!
covfefe
Posts: 6
Joined: Sun Jul 23, 2017 10:19 am
Qashqai Model: Mk.3 Qashqai - J12 (2021+) New Model

Post by covfefe »

Well the D-Link USB Ethernet adapter arrived.

The boot loader doesn't do anything with it unfortunately. No tftp or anything. Linux boots and detects it as before with the TP-Link adapter and tries to open a connection to my laptop on port 7000. Not sure why it does that. I will run a netcat soon and see what it spits out.

The forum won't let me upload Wireshark dumps, so if you want to see the network dump, download the "lcn2kai-k13.docx", change the file extension to .zip and then extract the capture file from the ZIP archive.
lcn2kai-k13.docx
duncho
Posts: 1672
Joined: Sun Mar 23, 2014 9:45 pm

Post by duncho »

What a pity that it didn't work. I sent a message to that guy whose link you posted on the forum last time, but haven't received his response yet.
Could it be that BOSCH uses some sort of listener and it tries to establish the connection on port 7000?

Is here anybody who has some connections to BOSCH? If so, please get in touch with us via PM.
Many thanks in advance!
Qashqai J11, 1.6 dCi CVT, ThermaClear

covfefe
Posts: 6
Joined: Sun Jul 23, 2017 10:19 am
Qashqai Model: Mk.3 Qashqai - J12 (2021+) New Model

Post by covfefe »

This is what happens on port 7000 after a reset (long-press power button):

00000000 01 0f 30 00 21 1f 04 64 00 fd 61 0e 8c c7 00 4e ..0.!..d ..a....N
00000010 01 03 00 00 ....
00000014 01 03 00 00 ....
00000018 01 03 00 00 ....
0000001C 01 03 00 00 ....
00000020 01 03 00 00 ....
00000024 01 03 00 00 ....
00000028 01 03 00 00 ....
0000002C 01 03 00 00 ....
00000030 01 03 00 00 ....

01 03 00 00 repeats forever, even after turning the ignition off completely (fun fact: USB always stays powered).

The data looks like this:

nc.PNG

Wireshark dump is attached again as before (rename .docx to .zip, extract ZIP, open dump file).

I'm kind of at a dead end here. :(
Anyone have any ideas?

Last thing I can think of is pulling the battery for a few minutes and checking what happens then. Maybe long-pressing power actually never goes through the boot loader at all.
lcn2kai-k13-tcp7000.docx
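Added example, not code from this thread or from Bosch/Nissan: a small Python helper that plays the netcat role on port 7000 and then splits the collected stream into the one-off 16-byte preamble and the repeating 4-byte frames, so the dump above and duncho's listener question can be looked at with one tool. Treating 16 and 4 bytes as the record boundaries is an assumption taken from the layout of the dump, and the embedded capture is constructed from the hex printed in the post.

```python
import socket
from dataclasses import dataclass, field
from typing import List, Tuple

# Record sizes are an assumption read off the netcat dump in the post
# (16 one-off bytes, then 4-byte frames); the protocol itself is undocumented.
PREAMBLE_LEN = 16
FRAME_LEN = 4
KEEPALIVE_FRAME = bytes.fromhex("01030000")

# Constructed from the hex in the post: first dump line, then nine 01 03 00 00 frames.
CAPTURED_STREAM = bytes.fromhex("010f3000211f046400fd610e8cc7004e") + KEEPALIVE_FRAME * 9


@dataclass
class StreamSummary:
    preamble: bytes
    keepalive_count: int
    other_frames: List[Tuple[int, bytes]] = field(default_factory=list)  # (offset, frame)
    trailing: bytes = b""  # incomplete frame left at the end of the capture


def split_stream(data: bytes) -> StreamSummary:
    """Split the raw port-7000 stream into preamble, keepalive frames and anything unusual."""
    preamble, body = data[:PREAMBLE_LEN], data[PREAMBLE_LEN:]
    whole = len(body) - len(body) % FRAME_LEN
    frames = [body[i:i + FRAME_LEN] for i in range(0, whole, FRAME_LEN)]
    summary = StreamSummary(preamble, 0, trailing=body[whole:])
    for idx, frame in enumerate(frames):
        if frame == KEEPALIVE_FRAME:
            summary.keepalive_count += 1
        else:  # anything that is not the known frame is worth a closer look
            summary.other_frames.append((PREAMBLE_LEN + idx * FRAME_LEN, frame))
    return summary


def listen_once(port: int = 7000, timeout: float = 10.0) -> bytes:
    """Accept one inbound connection (like netcat) and return what the peer sends
    until it has been silent for `timeout` seconds; feed the result to split_stream."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        conn, _ = srv.accept()
        conn.settimeout(timeout)
        chunks = []
        with conn:
            try:
                while chunk := conn.recv(4096):
                    chunks.append(chunk)
            except socket.timeout:
                pass
        return b"".join(chunks)
```

Run `split_stream(listen_once())` on the laptop the head unit connects to; `keepalive_count` growing while `other_frames` stays empty confirms the stream is only the repeating frame.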
duncho
Posts: 1672
Joined: Sun Mar 23, 2014 9:45 pm

Post by duncho »

What if you try to go to service menu and initiate the firmware update process? Would that make sense to try?
If you lock yourself in the car and wait 10-15 minutes, BCM will cut the power of almost everything, NC including. Then unlocking the car will power on again the radio. Have you tried that?
Qashqai J11, 1.6 dCi CVT, ThermaClear

covfefe
Posts: 6
Joined: Sun Jul 23, 2017 10:19 am
Qashqai Model: Mk.3 Qashqai - J12 (2021+) New Model

Post by covfefe »

FW update through service menu won't initiate with the USB Ethernet adapter connected (will not even boot into update mode), and a FW update USB stick connected and then swapping to USB Ethernet also does not work.

Tried a total cold boot with the lcn2kai without power (USB Ethernet dead with no link), but the first packets only come after Linux has booted.

So no luck.

Patching the FW image is also out of the question since it's apparently all digitally signed, unless someone is able to brute force the private keys.
Mad Maru
Posts: 92
Joined: Wed Jun 21, 2017 9:51 pm
Qashqai Model: Mk.2 Qashqai - J11 (2013–2017)

Post by Mad Maru »

Oq183


tripax
Posts: 3
Joined: Tue Jan 23, 2018 5:31 pm
Qashqai Model: Mk.3 Qashqai - J12 (2021+) New Model

Post by tripax »

Has anyone tried attaching a usb2serial adapter instead of a usb2ethernet? Maybe the boot process can be interrupted that way.
I will try in the future but haven't received my Nissan with LCN2kai NC3 yet.
duncho
Posts: 1672
Joined: Sun Mar 23, 2014 9:45 pm

Post by duncho »

I can provide you with the following firmware versions if it helps: D302, D502 and D554.
Qashqai J11, 1.6 dCi CVT, ThermaClear
