Re: Source Code Here!

Posted: Fri Jan 26, 2018 8:32 am
by tripax
Most common entry points with the gstreamer libs seem removed or patched.
The flx decoder lib is present, so it may deserve some focus.

Re: Source Code Here!

Posted: Wed Mar 07, 2018 3:25 pm
by bitsnpcs
duncho wrote: Thu Jan 25, 2018 9:57 pm I can provide you with the following firmware versions if it helps: D302, D502 and D554.
Hi buddy, I have LCN1 (25915BH10C) and am desperate to find the firmware so I can update it myself rather than pay 108 quid to the dealer (joke). My unit is suffering from the random switch off but not off and drains the battery, a royal PITA.

So if you can help I would be hugely grateful.

Re: Source Code Here!

Posted: Wed Mar 07, 2018 3:56 pm
by tophat57
This is quite interesting, could it be used to hack the voice commands that seem to have been removed, unlocking the press to call button on the steering wheel for proper hands free calling with either a droid or Apple phone?

As for the idea of video playing, it's about as safe as facebooking your friends as was pointed out earlier, not that I use that feature anyway. But most cars these days have the screen locked out when the vehicle is moving, specifically to keep your attention on the road not the screen.

Re: Source Code Here!

Posted: Sun Apr 15, 2018 11:12 pm
by duncho
I found this link, seems that guy found a way to get in: https://github.com/gboudreau/nissan-connect-php

Re: Source Code Here!

Posted: Sun Nov 24, 2019 8:25 am
by thebiggreenie
How does this link in to the equation? https://oss.bosch-cm.com/nissan.html

Re: Source Code Here!

Posted: Fri Dec 20, 2019 7:19 pm
by TAPNET
Hello, my name's Tom and I actually have an X-Trail. I have been slowly pulling apart the firmware, which seems to be fairly wide open. I have started off with the latest firmware, D605. The first weakness is the flashing process using USB. Once the ZIP file has been extracted we can see several interesting files. I have started with container.iso.bin; removing the *.bin extension reveals a standard ISO file which can be mounted and read. There is code inside to bypass any further MD5 hash checks.

Script.lua has some interesting info inside it

Code:

if TBD_CHECK_MD5_IMPLEMENTED == 1  then
   -- Backdoor: If DisableMD5Failure.dnl is available an error in MD5 does not lead to a stop of the download!
       md5FileAvail = fileAvailable ("/dev/rfs" ..mediumPath.. "/DisableMD5Failure.dnl");
   -- ******************* Check md5sum ******************************************
       remoteExec("echo \"Check MD5SUM start... (all checked files are shown)\" >> /tmp/downloadPipe");
       printDisplay ("USB System-Download\nCheck MD5SUM start\n");
       -- remove CarriageReturns, octal 15:
       remoteExec("cat /ext/var/opt/bosch/static/system/*.md5 | tr -d \'\\15\' > /tmp/checksum1.md5");
       -- substitute path:
       remoteExec("sed s_/_/ext/_ </tmp/checksum1.md5 >/tmp/checksum2.md5");

       Md5Result = 1;
       -- For developers: Comment out the next line if md5sum shall not be done:
       Md5Result = remoteExec("md5sum -c /tmp/checksum2.md5 >> /tmp/downloadPipe", 3600);
	   if Md5Result == 0 then
          remoteExec("echo \"Check MD5SUM ERROR...\" >> /tmp/downloadPipe");
          printDisplay ("USB System-Download\nCheck MD5SUM ERROR\n");
          if md5FileAvail == 1 then
            remoteExec("echo \"DisableMD5Failure.dnl found: Do not break on MD5SUM ERROR...\" >> /tmp/downloadPipe");
            remoteExec("echo \"USB System Download (script.lua) DisableMD5Failure.dnl found: Do not break on MD5SUM ERROR...\" >> /dev/errmem");
          else		  
            _verifyFile("MD5SUM_ERROR", 0);
		  end
	   end

       if (SDS_REGION_NAR_DATA_AVAIL==1 or SDS_REGION_EUR_DATA_AVAIL==1 or SDS_REGION_GOM_DATA_AVAIL==1) then
         -- ******************* Check md5sum  for SDS data ************************************
         remoteExec("echo \"Check MD5SUM for " ..SDS_VariantString.. "\" >> /tmp/downloadPipe");
         printDisplay ("USB System-Download\nCheck MD5SUM for SDS\n");
         -- remove CarriageReturns, octal 15:
         -- remoteExec("cp /ext/var/opt/bosch/static/system/static.md5 /ext/var/opt/bosch/region_static/"); -- TBC remove! (use only for test)
         remoteExec("cat /ext/var/opt/bosch/region_static/*.md5 | tr -d \'\\15\' > /tmp/checksum1sds.md5");
         remoteExec("cat /ext/var/opt/bosch/dynamic/system/*.md5 | tr -d \'\\15\' >> /tmp/checksum1sds.md5");
         -- substitute path:
         remoteExec("sed s_/_/ext/_ </tmp/checksum1sds.md5 >/tmp/checksum2sds.md5");

         Md5SdsResult = 1;
         -- For developers: Comment out the next line if md5sum shall not be done:
         Md5SdsResult = remoteExec("md5sum -c /tmp/checksum2sds.md5 >> /tmp/downloadPipe", 3600);
	     if Md5SdsResult == 0 then
            remoteExec("echo \"Check MD5SUM ERROR...\" >> /tmp/downloadPipe");
            printDisplay ("USB System-Download\nCheck MD5SUM for SDS ERROR\n");
	        if md5FileAvail == 1 then
              remoteExec("echo \"DisableMD5Failure.dnl found: Do not break on MD5SUM ERROR...\" >> /tmp/downloadPipe");
              remoteExec("echo \"USB System Download (script.lua) DisableMD5Failure.dnl found: Do not break on MD5SUM ERROR...\" >> /dev/errmem");
            else		  
              _verifyFile("MD5SUM_ERROR", 0);
		    end
	     end
       end
	   
       remoteExec("echo \"Check MD5SUM end...\" >> /tmp/downloadPipe");
       printDisplay ("USB System-Download\nCheck MD5SUM end\n");
  if TBD_CREATE_DYNREPAIR == 1  then
   -- ***************************************************************************
   -- ******************* Backup dynamic partition ******************************
   --   remoteExec("echo \"DynBackup start...\" >> /tmp/downloadPipe");
   --   remoteExec("echo \"Create tar file dynrepair.tar...\" >> /tmp/downloadPipe");
   --   remoteExec("cd /ext");
   --   _remoteExec("tar cvf ./var/opt/bosch/static/system/dynrepair.tar ./var/opt/bosch/dynamic");
      --remoteExec("echo \"Create tar file dynrepair.tar.bz2...\" >> /tmp/downloadPipe");
      --_remoteExec("tar cjvf ./var/opt/bosch/static/system/dynrepair.tar.bz2 ./var/opt/bosch/dynamic");
   --   remoteExec("cd /");
   --   remoteExec("echo \"DynBackup end...\" >> /tmp/downloadPipe");
   -- ***************************************************************************
  end
end

There seem to be MD5 hashes stored inside plain text files. Surely you could modify those and get the new hash, save the file and reseal it back up in the ISO, and put the *.bin extension back on - or am I missing something here?
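
An added example, not part of the original post and not Bosch or Nissan code: it illustrates the general property the question above turns on, that a checksum list shipped beside the files detects corruption but not deliberate change, while a manifest carrying an authentication tag does, and that a marker file on the medium should never relax the check. The key, paths and payloads are constructed, HMAC stands in for the asymmetric signature a production updater would use, and nothing here describes what other checks the real unit performs.

```python
import hashlib
import hmac

# Assumption: a verification secret provisioned on the unit (constructed value).
DEVICE_KEY = b"constructed-demo-key"

def build_manifest(files):
    """md5sum-style text, one '<digest>  <path>' line per file (SHA-256 here)."""
    return "".join(f"{hashlib.sha256(data).hexdigest()}  {path}\n"
                   for path, data in sorted(files.items()))

def check_unkeyed(files, manifest):
    """Plain checksum-list check: believes whatever digests the manifest carries."""
    entries = {}
    for line in manifest.splitlines():
        digest, path = line.split("  ", 1)
        entries[path] = digest
    return set(entries) == set(files) and all(
        hmac.compare_digest(hashlib.sha256(files[p]).hexdigest(), d)
        for p, d in entries.items())

def tag_manifest(manifest, key):
    """Authentication tag over the whole manifest, computed at build time."""
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()

def check_authenticated(files, manifest, tag, key, override_present=False):
    """Fail closed: authenticate the manifest first, then check each file.
    override_present models a marker file on the update medium; it is
    deliberately ignored, because media contents must not weaken the check."""
    if not hmac.compare_digest(tag_manifest(manifest, key), tag):
        return False
    return check_unkeyed(files, manifest)

def demo():
    # Constructed payloads standing in for an update image.
    original = {"/ext/bin/app": b"vendor build", "/ext/etc/conf": b"mode=prod"}
    manifest = build_manifest(original)
    tag = tag_manifest(manifest, DEVICE_KEY)
    # A file differs from the release and the checksum list was regenerated.
    changed = dict(original, **{"/ext/bin/app": b"different build"})
    regenerated = build_manifest(changed)
    return {
        "unkeyed_original": check_unkeyed(original, manifest),
        "unkeyed_changed": check_unkeyed(changed, regenerated),
        "auth_original": check_authenticated(original, manifest, tag, DEVICE_KEY),
        "auth_changed": check_authenticated(changed, regenerated, tag, DEVICE_KEY),
        "auth_changed_override": check_authenticated(
            changed, regenerated, tag, DEVICE_KEY, override_present=True),
    }
```

Calling `demo()` shows the unkeyed check accepting both images while the authenticated check accepts only the original, with or without the override marker.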

Re: Source Code Here!

Posted: Fri Dec 20, 2019 9:57 pm
by tripax
My name's Tom too.

You're missing quite a lot of stuff unfortunately.
I've advanced much further and given up by now.
There are unexplored routes left though. You'd need solid reversing skill...

Re: Source Code Here!

Posted: Wed Dec 08, 2021 9:51 pm
by balrog
For anyone interested, there's now an active github repo at https://github.com/ea/bosch_headunit_root documenting what's probably the easiest way to root and log into the LCN2kai headunits. A lot of the internals are documented, I just found out about that project this week.

Re: Source Code Here!

Posted: Tue Dec 14, 2021 8:42 pm
by V6er
Just today remembered about this - came here to reread this topic and get myself an ethernet adapter... and despite it being an old topic - good, even fantastic!, news by @balrog!
I hope that all this ends with something meaningful to those interested!