Hound
Posts: 1163
Joined: Tue May 19, 2015 12:37 am
Location: Deeside
Qashqai Model: Still looking for one....

Post by Hound »

Interesting stuff... unfortunately I don't have the first clue about Linux or any form of programming. :(
Used to have 2015 1.6dCi 130 Xtronic N-tec+ in Gun Metallic

covfefe
Posts: 6
Joined: Sun Jul 23, 2017 10:19 am
Qashqai Model: Mk.3 Qashqai - J12 (2021+) New Model

Post by covfefe »

It seems another way to get ssh would be to exploit the firmware to run this shell command:

    /etc/init.d/develop_env.sh enable

SSH access should then be permanently enabled until the firmware is reflashed.

There also seems to be a one-shot(?) development access by calling

    /etc/init.d/fastboot/development.sh start
which will start the SSH server.

But this does not help yet since I cannot figure out what the Linux kernel is actually running as its init process.

I really wonder how the Bosch guys did it. I do not think they would lock it down permanently and I pray there is some sort of key combination like long-press POWER + ???? to get it to boot into development mode. The one-shot mode seems too perfect for that.

At the moment maybe finding an exploit for the media stack that lets you run shellcode would be the easiest way to continue. It seems LCN2kai uses gstreamer 0.10 internally for media decoding. That might be a starting point for someone with more skills than me.

As I wrote before, the firmware is unencrypted, just signed to prevent modification. I should also have mentioned before that the firmware image I am working with was actually shared here:

viewtopic.php?f=29&t=4881#p48833

So a late but hearty thanks for that! ;)

I might update this post every now and then with some more info as I find it. Maybe in the future it will help someone else. Right now I am trying to figure out the boot loader, which also seems to be available in the firmware ZIP.

Though to be honest in terms of "time vs money" it is cheaper to just trash the LCN2kai and swap it with a used Pioneer AVIC to get my DAB radio. :roll: Would be a real shame though since otherwise LCN2kai is working just fine. :(

PS: What is the stance on reverse engineering here? I do not want to get the admins in trouble with Nissan or Bosch. :oops:


Edit:

So I found the boot loader. And it gets a lot more bizarre. It seems Linux is just a guest OS and another Bosch-proprietary OS is also running. I guess this is why there is a second IP (in my first post I wrote "There is a Bosch virtio driver compiled into the Linux kernel. It makes that available at 172.17.0.136."). Check the strings of "triton_dualos.bin.uimage".

And the boot loader has a network stack?! :shock:

Just looking at the strings in the bootloader... see for yourself https://pastebin.com/4b3zC1jj

Edit 2:

Supported network cards in the bootloader (from the pastebin above):

ASIX AX8817x USB 2.0 Ethernet
Netgear FA-120 USB Ethernet
DLink DUB-E100 USB Ethernet
Hawking UF200 USB Ethernet
ASIX AX88772 USB 2.0 Ethernet
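covfefe's point that the image is "unencrypted, just signed to prevent modification" is worth seeing in code. The following is an added example written for this thread, not code from the original post and not Bosch's or Nissan's verification routine: a generic RSA/SHA-256 image check of the kind a bootloader performs before it will boot a kernel. The key pair, the payload bytes and the function names are all constructed for the demo; the real key size, padding scheme and image layout used by the LCN2kai are not known from the thread.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-in for a firmware image. The real one is a ZIP of
// uImages; the check below does not care what the bytes are.
var sampleImage = []byte("constructed firmware payload: kernel, rootfs, init scripts ...")

// signImage is the vendor-side step: PKCS#1 v1.5 signature over SHA-256(image).
// The private key never leaves the vendor; only the public half is in the device.
func signImage(priv *rsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyImage is the device-side step a bootloader runs before booting:
// recompute the digest and check it against the signature with the public key
// it carries. Returns true only for an image that is byte-for-byte what the
// vendor signed. Note that nothing here needs the image to be encrypted.
func verifyImage(pub *rsa.PublicKey, image, sig []byte) bool {
	digest := sha256.Sum256(image)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// tamper flips a single bit in the middle of the image, which is all it takes
// for an edited rootfs script to invalidate the signature.
func tamper(image []byte) []byte {
	out := append([]byte(nil), image...)
	out[len(out)/2] ^= 0x01
	return out
}

// VerifyDemo generates a throwaway key pair (assumption: 2048-bit RSA), signs
// the sample image and reports whether the untouched and the tampered copies
// pass verification.
func VerifyDemo() (originalOK, tamperedOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	sig, err := signImage(priv, sampleImage)
	if err != nil {
		return false, false, err
	}
	pub := &priv.PublicKey
	return verifyImage(pub, sampleImage, sig), verifyImage(pub, tamper(sampleImage), sig), nil
}

func main() {
	ok, bad, err := VerifyDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, tampered verifies: %v\n", ok, bad)
}
```

The design point is where the public key lives: the check only means something if the key (or a hash of it) sits somewhere the firmware image itself cannot overwrite, such as the bootloader or a one-time-programmable region, which is why balrog's later observation that the RSA code is inside the bootloader rather than in the Linux image is the expected place for it.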
duncho
Posts: 1672
Joined: Sun Mar 23, 2014 9:45 pm
Contact:

Post by duncho »

Wow!!!! So much done in such a short time! I haven't received a response from Vasvi yet. I also sent him a link to your post so I believe he will reply or suggest someone here.
How did you find / get to bootloader mode?
Qashqai J11, 1.6 dCi CVT, ThermaClear

For latest news & tests Subscribe! to my Youtube channel
Order Stop/Start reversing & DRL dim/OFF modules!
vasvi
Posts: 4
Joined: Thu Apr 16, 2015 2:13 pm

Post by vasvi »

Hi, Covfefe and Duncho!
First of all I have to say that it is very interesting topic for me as I dream of one important FW modification.
Second of all - sorry for my English :)

1. I can do some HW modifications, and actually I have done some to make a line output, but unfortunately I do not understand programming at all.

2. My interest in FW modification is to make the sound linear without Pre-Equalization. NC has Pre-Equalization which cannot be switched off:
It is obvious that the rear channels are more linear; that is why I use them for the front loudspeakers and the rear channels for the sub-woofer. But in that case I lose HF and navigation audio guidance functionality!
What not to sacrifice for the sake of sound quality. :)
I guess there are three ways to make me happy: :)
a) Change the configuration setting from BASE to BOSE (in this case all equalisation is done in the external BOSE power amplifier),
b) Switch HF and navigation audio guidance functionality to the rear channels,
c) Switch Pre-Equalization off, but the fader and loudness functionalities have to be left as they are.

Photo of my NC HW is here, maybe it will help someone:
https://drive.google.com/open?id=0B86co ... ndWRzFlZTQ
chrisw99
Posts: 541
Joined: Mon Jul 11, 2016 10:42 am

Post by chrisw99 »

If we could modify the Connect code it brings up all kinds of possibilities, e.g.:

There is a function in there for detecting a valid SD card for the sat nav data. You could disable the check, so you could just copy the files from the latest sat nav card onto any old SD card.
Oct 2014 N-tec+, 1.2 dig-T
duncho
Posts: 1672
Joined: Sun Mar 23, 2014 9:45 pm
Contact:

Post by duncho »

chrisw99: no need for that one anymore, there is already a solution to clone the SD card with the latest MAPs on it. However, I agree that switching it off completely would allow us to also use other map sources which are updated on a weekly basis, instead of waiting for Nissan to release 1.5-year-old maps :)
Deleted User 759

Post by Deleted User 759 »

Reverse engineering to enable/add functionality to the HU: I think it is fine unless Rob (site owner) gets a cease and desist order.

Discussion regarding cloning SD cards .... iffy water on anybody's watch and probably best left to Dunco's above post..... publicly anyway ;)
duncho
Posts: 1672
Joined: Sun Mar 23, 2014 9:45 pm
Contact:

Post by duncho »

Nissan / BOSCH should make them more prone to illegal copying and cheaper, to be easily available to the masses. But as they care only for their own profits and give zero to no support, people were trying until they succeeded.

That is what I also said to a Nissan Sales CEE employee...
balrog
Posts: 6
Joined: Sun Oct 22, 2017 12:37 am
Qashqai Model: Mk.1 Qashqai Facelift - J10b (2010–2013)

Post by balrog »

Hi there,
So looking at what covfefe has uncovered so far and the uboot strings dump, I have some initial conclusions.

* a lot of it is standard uboot commands but at least the certificate verification stuff (impressive they'd do complete RSA certificate support in the bootloader) and the dualos stuff (whatever it is) are not in a standard u-boot and certainly not in a 2010 version... Maybe it's still a public tree somewhere living at bosch or montavista or wherever.

* looks like the USB recovery logic that is defined in all those macros there does not run by default unfortunately. On the other hand if covfefe has seen the device come up on IPv4 on the addresses defined in the u-boot config that'd mean that the TFTP stuff does run on every boot so perhaps you could boot custom stuff through TFTP without any other modifications? At least if your kernel was signed...

* I do wonder how come the satnav boots up in just those few seconds if they do dhcp, tftp, full linux boot and that triton_dualos thing on every boot.

* Looks like you could boot anything you wanted if you had access to the serial port. Looks like uboot configures the serial for 115200 and lets you interrupt the autoboot the normal way (send any character) so it might be possible to find the tx and rx pins and this might be the way to go. I might give it a go in a few weeks after I've resolved my other issues with the new Qashqai and all the other issues that forced me to actually get a car... Still downloading the D502 dump, it's going slow but thanks for the dumps you guys provided.
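balrog's reading of the u-boot strings (autoboot interruptible over serial at 115200, DHCP/TFTP in the boot path) is exactly the kind of thing a firmware hardening review checks in the saved U-Boot environment. Below is an added example written for this thread, not code from the original post and not from U-Boot, Bosch or the LCN2kai dump: it parses a raw U-Boot environment block (the format U-Boot itself uses: a little-endian CRC32 over the variable area followed by NUL-separated key=value pairs), verifies the CRC, and flags settings that leave the boot path open. The sample variables and addresses are constructed; the thread only has a strings dump, not an env partition, so whether the real unit stores its environment this way is an assumption. The "bootdelay=-2 means boot with no delay and no abort check" rule follows U-Boot's documented autoboot behaviour.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"strconv"
	"strings"
)

// Constructed sample environment, modelled on the settings discussed in the
// thread (serial console, DHCP/TFTP boot). None of these values come from the
// real dump; the IP addresses are documentation-range placeholders.
var sampleVars = []string{
	"baudrate=115200",
	"bootdelay=3",
	"bootcmd=dhcp; tftp 0x80000000 uImage; bootm 0x80000000",
	"ipaddr=192.0.2.10",
	"serverip=192.0.2.1",
	"verify=y",
}

// buildEnv lays out variables the way U-Boot stores them: 4-byte CRC32 over
// the whole variable area (padded with NULs to envSize), then "key=value\0"
// entries ending with an extra NUL.
func buildEnv(vars []string, envSize int) []byte {
	data := make([]byte, envSize-4)
	off := 0
	for _, kv := range vars {
		copy(data[off:], kv)
		off += len(kv) + 1 // keep one NUL as the entry terminator
	}
	blob := make([]byte, envSize)
	binary.LittleEndian.PutUint32(blob[:4], crc32.ChecksumIEEE(data))
	copy(blob[4:], data)
	return blob
}

// parseEnv checks the CRC first (U-Boot falls back to its compiled-in default
// environment when it fails) and then splits the entries into a map.
func parseEnv(blob []byte) (map[string]string, error) {
	if len(blob) < 5 {
		return nil, errors.New("blob too short to be a U-Boot environment")
	}
	want := binary.LittleEndian.Uint32(blob[:4])
	data := blob[4:]
	if crc32.ChecksumIEEE(data) != want {
		return nil, errors.New("environment CRC mismatch: corrupt, or not an env partition")
	}
	env := map[string]string{}
	for _, ent := range bytes.Split(data, []byte{0}) {
		if len(ent) == 0 {
			break // the double NUL ends the list; the rest is padding
		}
		k, v, ok := strings.Cut(string(ent), "=")
		if !ok {
			return nil, fmt.Errorf("malformed entry %q", ent)
		}
		env[k] = v
	}
	return env, nil
}

// audit reports settings that let the boot sequence be interrupted or that
// source a kernel from outside the signed image.
func audit(env map[string]string) []string {
	var findings []string
	if d, err := strconv.Atoi(env["bootdelay"]); err != nil || d != -2 {
		findings = append(findings, "bootdelay is not -2: autoboot can be aborted from the serial console")
	}
	cmd := strings.ToLower(env["bootcmd"])
	for _, src := range []string{"dhcp", "tftp", "usb"} {
		if strings.Contains(cmd, src) {
			findings = append(findings, "bootcmd loads from an external source: "+src)
		}
	}
	if env["ipaddr"] != "" || env["serverip"] != "" {
		findings = append(findings, "network boot addresses are configured (ipaddr/serverip)")
	}
	if env["verify"] == "n" {
		findings = append(findings, "verify=n: bootm image checksum verification is disabled")
	}
	return findings
}

// AuditDemo runs the audit over the sample environment and also shows that a
// single corrupted byte is caught by the CRC check.
func AuditDemo() (findings []string, tamperErr error, err error) {
	blob := buildEnv(sampleVars, 1024) // assumption: a 1 KiB env partition
	env, err := parseEnv(blob)
	if err != nil {
		return nil, nil, err
	}
	bad := append([]byte(nil), blob...)
	bad[20] ^= 0xff
	_, tamperErr = parseEnv(bad)
	return audit(env), tamperErr, nil
}

func main() {
	findings, tamperErr, err := AuditDemo()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println("finding:", f)
	}
	fmt.Println("tampered copy:", tamperErr)
}
```

Against the constructed sample this raises four findings (interruptible autoboot, DHCP and TFTP in bootcmd, network addresses set); the CRC is an integrity check only, so a unit that accepts an environment from writable flash still depends on the signature verification in the bootloader to refuse an image it did not sign.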
duncho
Posts: 1672
Joined: Sun Mar 23, 2014 9:45 pm
Contact:

Post by duncho »

My guess is that it doesn't boot and load the OS every time Connect is switched ON, but just recovers from hibernate / sleep.
A fresh boot-up can be done by pushing & holding the Connect ON button for a minimum of 4 sec, and then it takes as long as a regular OS boot.