Source Code Here!

ICE, Equipment, Options
tripax
Posts: 3
Joined: Tue Jan 23, 2018 5:31 pm
Qashqai Model: Mk.3 Qashqai - J12 (2021+) New Model

Post by tripax »

most common entry points with the gstreamer libs seem removed or patched
flx decoder lib is present so may deserve some focus

bitsnpcs
Posts: 15
Joined: Sat Dec 09, 2017 11:00 pm
Qashqai Model: Mk.1 Qashqai - J10 (2006–2013)

Post by bitsnpcs »

duncho wrote: Thu Jan 25, 2018 9:57 pm I can provide you with the following firmware versions if it helps: D302, D502 and D554.
Hi buddy, I have LCN1 (25915BH10C) and desperate to find the firmware so I can update myself rather than pay 108 quid to the dealer (joke) My unit is surrefing for the random switch off but not off and drains the battery a royal PITA

So if you can help I would be hugely grateful
tophat57
Posts: 78
Joined: Sat Dec 30, 2017 10:42 pm
Qashqai Model: Mk.2 Qashqai Facelift - J11b (2017–2021)

Post by tophat57 »

This is quite interesting, could it be used to hack the voice commands that seem to have been removed, unlocking the press to call button on the steering wheel for proper hands free calling with either a droid or Apple phone?

As for the idea of video playing, it's about as safe as facebooking your friends as was pointed out earlier, not that I use that feature anyway. But most cars these days have the screen locked out when the vehicle is moving, specifically to keep your attention on the road not the screen.
Facelift J11b N-connecta 1.6 x-tonic in vivid blue. And a dual accelerator for my dodgy foot..........
duncho
Posts: 1672
Joined: Sun Mar 23, 2014 9:45 pm
Contact:

Post by duncho »

I found this link, seems that guy found a way to get in: https://github.com/gboudreau/nissan-connect-php
Qashqai J11, 1.6 dCi CVT, ThermaClear

For latest news & tests Subscribe! to my Youtube channel
Order Stop/Start reversing & DRL dim/OFF modules!
thebiggreenie
Posts: 20
Joined: Wed Mar 06, 2019 6:37 am
Location: Kent, UK
Qashqai Model: Mk.1 Qashqai Facelift - J10b (2010–2013)

Post by thebiggreenie »

How does this link in to the equation? https://oss.bosch-cm.com/nissan.html
Image
TAPNET
Posts: 1
Joined: Fri Dec 20, 2019 7:06 pm
Qashqai Model: Mk.2 Qashqai - J11 (2013–2017)

Post by TAPNET »

Hello my names Tom and I actually have an X-Trail, I have been slowly pulling apart the firmware which seems to be fairly wide open, i have started off the the latest firmware D605 the first weakness is the flashing process using USB. Once the ZIP file has been extracted we can see several interesting files I have started with container.iso.bin, removing the *.bin extention reveals a standard ISO file which can be mounted and read there is code inside to bypass any further MD5 hash checks

Script.lua has some interesting info inside it

Code: Select all

if TBD_CHECK_MD5_IMPLEMENTED == 1  then
   -- Backdoor: If DisableMD5Failure.dnl is available an error in MD5 does not lead to a stop of the download!
       md5FileAvail = fileAvailable ("/dev/rfs" ..mediumPath.. "/DisableMD5Failure.dnl");
   -- ******************* Check md5sum ******************************************
       remoteExec("echo \"Check MD5SUM start... (all checked files are shown)\" >> /tmp/downloadPipe");
       printDisplay ("USB System-Download\nCheck MD5SUM start\n");
       -- remove CarriageReturns, octal 15:
       remoteExec("cat /ext/var/opt/bosch/static/system/*.md5 | tr -d \'\\15\' > /tmp/checksum1.md5");
       -- substitute path:
       remoteExec("sed s_/_/ext/_ </tmp/checksum1.md5 >/tmp/checksum2.md5");

       Md5Result = 1;
       -- For developers: Comment out the next line if md5sum shall not be done:
       Md5Result = remoteExec("md5sum -c /tmp/checksum2.md5 >> /tmp/downloadPipe", 3600);
	   if Md5Result == 0 then
          remoteExec("echo \"Check MD5SUM ERROR...\" >> /tmp/downloadPipe");
          printDisplay ("USB System-Download\nCheck MD5SUM ERROR\n");
          if md5FileAvail == 1 then
            remoteExec("echo \"DisableMD5Failure.dnl found: Do not break on MD5SUM ERROR...\" >> /tmp/downloadPipe");
            remoteExec("echo \"USB System Download (script.lua) DisableMD5Failure.dnl found: Do not break on MD5SUM ERROR...\" >> /dev/errmem");
          else		  
            _verifyFile("MD5SUM_ERROR", 0);
		  end
	   end

       if (SDS_REGION_NAR_DATA_AVAIL==1 or SDS_REGION_EUR_DATA_AVAIL==1 or SDS_REGION_GOM_DATA_AVAIL==1) then
         -- ******************* Check md5sum  for SDS data ************************************
         remoteExec("echo \"Check MD5SUM for " ..SDS_VariantString.. "\" >> /tmp/downloadPipe");
         printDisplay ("USB System-Download\nCheck MD5SUM for SDS\n");
         -- remove CarriageReturns, octal 15:
         -- remoteExec("cp /ext/var/opt/bosch/static/system/static.md5 /ext/var/opt/bosch/region_static/"); -- TBC remove! (use only for test)
         remoteExec("cat /ext/var/opt/bosch/region_static/*.md5 | tr -d \'\\15\' > /tmp/checksum1sds.md5");
         remoteExec("cat /ext/var/opt/bosch/dynamic/system/*.md5 | tr -d \'\\15\' >> /tmp/checksum1sds.md5");
         -- substitute path:
         remoteExec("sed s_/_/ext/_ </tmp/checksum1sds.md5 >/tmp/checksum2sds.md5");

         Md5SdsResult = 1;
         -- For developers: Comment out the next line if md5sum shall not be done:
         Md5SdsResult = remoteExec("md5sum -c /tmp/checksum2sds.md5 >> /tmp/downloadPipe", 3600);
	     if Md5SdsResult == 0 then
            remoteExec("echo \"Check MD5SUM ERROR...\" >> /tmp/downloadPipe");
            printDisplay ("USB System-Download\nCheck MD5SUM for SDS ERROR\n");
	        if md5FileAvail == 1 then
              remoteExec("echo \"DisableMD5Failure.dnl found: Do not break on MD5SUM ERROR...\" >> /tmp/downloadPipe");
              remoteExec("echo \"USB System Download (script.lua) DisableMD5Failure.dnl found: Do not break on MD5SUM ERROR...\" >> /dev/errmem");
            else		  
              _verifyFile("MD5SUM_ERROR", 0);
		    end
	     end
       end
	   
       remoteExec("echo \"Check MD5SUM end...\" >> /tmp/downloadPipe");
       printDisplay ("USB System-Download\nCheck MD5SUM end\n");
  if TBD_CREATE_DYNREPAIR == 1  then
   -- ***************************************************************************
   -- ******************* Backup dynamic partition ******************************
   --   remoteExec("echo \"DynBackup start...\" >> /tmp/downloadPipe");
   --   remoteExec("echo \"Create tar file dynrepair.tar...\" >> /tmp/downloadPipe");
   --   remoteExec("cd /ext");
   --   _remoteExec("tar cvf ./var/opt/bosch/static/system/dynrepair.tar ./var/opt/bosch/dynamic");
      --remoteExec("echo \"Create tar file dynrepair.tar.bz2...\" >> /tmp/downloadPipe");
      --_remoteExec("tar cjvf ./var/opt/bosch/static/system/dynrepair.tar.bz2 ./var/opt/bosch/dynamic");
   --   remoteExec("cd /");
   --   remoteExec("echo \"DynBackup end...\" >> /tmp/downloadPipe");
   -- ***************************************************************************
  end
end
There seems to be md5 hashes stored inside plain text files surely you could modify those and get the new hash save the file and reseal back up in the ISO put the *.bin extension back on - or am I missing something here?
tripax
Posts: 3
Joined: Tue Jan 23, 2018 5:31 pm
Qashqai Model: Mk.3 Qashqai - J12 (2021+) New Model

Post by tripax »

My name Tom too.

You're missing quite a lot of stuff unfortunately.
I've advanced much further and given up by now.
There are unexplored routes left though. You'd need solid reversing skill...
balrog
Posts: 6
Joined: Sun Oct 22, 2017 12:37 am
Qashqai Model: Mk.1 Qashqai Facelift - J10b (2010–2013)

Post by balrog »

For anyone interested, there's now an active github repo at https://github.com/ea/bosch_headunit_root documenting what's probably the easiest way to root and log into the LCN2kai headunits. A lot of the internals are documented, I just found out about that project this week.
V6er
Posts: 1
Joined: Tue Dec 14, 2021 8:39 pm
Qashqai Model: Still looking for one....

Post by V6er »

Just today remembered about this - came here to reread this topic and get myself ethernet adapter... and despite it being old topic - good, even fantastic!, news by @balrog!
I hope that all this ends with something meaningfull to those interested!
Post Reply