2004 to 2016 Mazda 3 Forum and Mazdaspeed 3 Forums banner

1 - 20 of 40 Posts

·
Registered
Joined
·
153 Posts
Discussion Starter #1 (Edited)
The Disable Car in Motion Sensor? thread prompted my curiosity...

I thought I would start this thread documenting findings on the IFS that might help h̶a̶c̶k̶i̶n̶g̶ understanding it.

You are welcome to add your own findings to make it more useful.

The OS version 20.00.007 disclaimers itemizes a handful of components t̶o̶ ̶p̶o̶t̶e̶n̶t̶i̶a̶l̶y̶ ̶e̶x̶p̶l̶o̶i̶t̶:
Code:
[CENTER]
This product includes MPEG Layer-3
audio decoding technology licensed
from Fraunhofer IIS and Thompson

Music recognition technology and
related data are provided by
Gracenote®, Gracenote®, Gracenote
logo and logotype, and the "Powered
by Gracenote" logo are either
registered trademarks or trademarks
of Gracenote, Inc. in the United States
and/or other countries. Portions of
the content is copyright© of
Gracenote's providers.

This product includes technology
owned by Microsoft and recipient is
not licensed to use or distribute such
technology without license from
Microsoft. This technology is
protected by certain intellectual
property rights of Microsoft. Use or
distribution of such technology
outside this product is prohibited
without a license from Microsoft.

This product includes fonts licensed
from Monotype Imaging Inc.

Heisei Kaku Gothic is copyright©
2006 Monotype Imaging Inc. and IBM
Corporation. All rights reserved. Heisei
Kaku Gothic was developed by
member companies of the Font
Development and Promotion
Comittee (FDPC) under the
Japanese Standards Association (JSA).
Unauthorized reproduction is
prohibited.

NYingHei is a trademark of Monotype
Imaging Inc. and may be registered in
certain jurisdictions.

OTS is a trademark of Monotype
Imaging Inc. and may be registered in
certain jurisdictions.

Tipperary is a trademark of Monotype
Imaging Inc. and may be registered in
certain jurisdictions.

When an SD™ memory card
provisioned for use with the
navigation feature has been installed,
this product uses map-related data
licensed from NAVTEQ and is
copyright© 2013 NAVTEQ. All rights
reserved. Additional end-user terms
may be found at MazdaEndUserAgreements-
Copyrights.com.

This product includes Nuance®
automated speech recognition and
text-to-speech technology. Use or
distribution of such technology
outside this product is prohibited
without a license from Nuance
Communications, Inc.

This product includes Opera™ Browser
from Opera Software ASA. Copyright
1995-2013 Opera Software ASA. All
rights reserved. Addidional disclosures
may be found at 
MazdaEndUserAgreements-
Copyrights.com.

This product includes Aviage® Acoustic
Processing Suite licensed from QNX®
Software Systems.© 1982-2013,
QNX Software Systems Limited. All
right reserved.

This product includes SQLite, a SQL
database engine. Additional
disclosures may be found at 
MazdaEndUserAgreements-
Copyrights.com.

This product contains free and/or
open source software subject to their
respective licenses. Additional details
may be found at 
MazdaEndUserAgreements-
Copyrights.com.[/CENTER]
Specifics here MazdaEndUserAgreements-Copyrights.com

I connected to the WiFi and ran a TCP Port scan (nmap -p 1-65535 -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 192.168.2.34)two ports showed in service (and I received a login prompt initiating an SSH connection):
Code:
Port       State    Service   Reason  Product   Version Extra info 
22  tcp    open     ssh       syn-ack OpenSSH   5.9     protocol 2.0  
53  tcp    closed   domain    reset

nmap also guessed the OS, or part of it, is is likely a Unix variant:
Code:
remote operating system guess
•used port 22/tcp (open) 
•used port 53/tcp (closed) 
•os match: Sun Solaris 9 or 10
•accuracy: 92%
•reference fingerprint line number: 34286
•os match: OpenWrt White Russian 0.9 (Linux 2.4.30)
•accuracy: 90%
•reference fingerprint line number: 16172
•os match: OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34)
•accuracy: 90%
•reference fingerprint line number: 17061
•os match: OpenWrt Kamikaze 7.09 (Linux 2.6.22)
•accuracy: 90%
•reference fingerprint line number: 22237
•os match: OpenBSD 4.3
•accuracy: 90%
•reference fingerprint line number: 30610
•os match: Sun Solaris 8 (SPARC)
•accuracy: 89%
•reference fingerprint line number: 34039
•os match: MikroTik RouterOS 3.0beta5
•accuracy: 88%
•reference fingerprint line number: 28109
•os match: Sun Solaris 7 (SPARC)
•accuracy: 87%
•reference fingerprint line number: 33934
•os match: Lexmark X644e printer
•accuracy: 87%
•reference fingerprint line number: 15566
•os match: Linux 2.6.24
•accuracy: 87%
•reference fingerprint line number: 20375
 

·
Registered
Joined
·
16 Posts
Nice work.

@ CES last week they were showing off something called Opencar, an SDK to interact with your vehicle. The demo vehicle was a Mazda 3. It looks like the SDK comes with a visualization environment to play around with your apps - not yet sure how you can push them to vehicle - likely Mazda will have some sort of audit, that we can hopefully bypass :).

In any case, I've requested access to the SDK and will share any other useful info as it arises.

OpenCar

Cheers,
Jon
 

·
Registered
Joined
·
153 Posts
Discussion Starter #3
Incremental update?

According to this « ...Mazda (manufacture) says that the dealer has to upgrade to v25 before upgrading to v27. » Hmmm, incremental update vs full system image upgrade will complicate analysis of the (yet to obtain) maintenance USB.
 

·
Registered
Joined
·
275 Posts
According to this « ...Mazda (manufacture) says that the dealer has to upgrade to v25 before upgrading to v27. » Hmmm, incremental update vs full system image upgrade will complicate analysis of the (yet to obtain) maintenance USB.
Hmm, that probably means they made a change to how updating works in the v25 code. I'm a software engineer, and when we have mandatory incremental upgrade steps, that is usually why. Also, these discussions make me nervous, as we've had to implement a lot of security features over the past year because of people doing this kind of stuff with our products. But we make money off software licenses, so it was probably bound to happen :p

Anyone know what's in the v27 code update? Just more bug fixes?
 

·
Registered
Joined
·
76 Posts
Pop you have my full support. I am also an software engineer, but when someone put in final product (car) all the HW prerequisites, and then ask for almost 1000$ (in Croatia where BDP per capita is more than 3 times lower than in USA) more for piece of SW and maps on SD card than I say, RIGHT, come on!?
 

·
Registered
Joined
·
153 Posts
Discussion Starter #7
ssh string

@anyone attempting to SSH to his car...

When I SSH to my car I receive a 17 characters string of numbers, before it prompts for a logonid and password.

In my case this string is 2417****2****8406 (some numbers masked to protect the innocent -- me). This string is constant for my car.

I'd like to know if your string 1) is also constant 2) the same as mine.
 

·
Registered
Joined
·
76 Posts
I will try it as soon as my car arrive from Hiroshima. In a meantime, for a start you can try to get root or maybe admin pass by using backTrack - Hydra...
 

·
Registered
Joined
·
76 Posts
@anyone attempting to SSH to his car...

When I SSH to my car I receive a 17 characters string of numbers, before it prompts for a logonid and password.

In my case this string is 2417****2****8406 (some numbers masked to protect the innocent -- me). This string is constant for my car.

I'd like to know if your string 1) is also constant 2) the same as mine.
Hi Pop,

I finally got a car, and managed to connect to it.

1) Mine number is also constant
2) But not as yours... :(

I have started hydra dictionary attack, and quit after 10k tries, as speed was around 7 tries/second. I think that this approach is not promising, and other better will be to clone someones original SD card, and then analyze the structure of it...
 

·
Registered
Joined
·
24 Posts
@anyone attempting to SSH to his car...

When I SSH to my car I receive a 17 characters string of numbers, before it prompts for a logonid and password.

In my case this string is 2417****2****8406 (some numbers masked to protect the innocent -- me). This string is constant for my car.

I'd like to know if your string 1) is also constant 2) the same as mine.
I wonder if the 17 character string is your VIN #?
 

·
Registered
Joined
·
76 Posts
You're right, it could be, but what is the purpose of it, and how it's used stays a mystery...

I gave up for a while to crack from inside, and rather go to see the content of SD card, and what could be done with it, but I need to wait for a month, to get a clone.
 

·
Registered
Joined
·
24 Posts
You're right, it could be, but what is the purpose of it, and how it's used stays a mystery...

I gave up for a while to crack from inside, and rather go to see the content of SD card, and what could be done with it, but I need to wait for a month, to get a clone.
The purpose might be to serve as an identifier. I can program my bash shell to show me any kind of messages after login. I'm pretty sure you can also configure the terminal session to show something as well. Maybe that number is there so that during maintenance they can be sure they are working on the correct vehicle ECU?
 

·
Registered
Joined
·
215 Posts
It would be interesting to find a way to use the Opera Browser when connected to the internet over Wi-Fi.
Having the Opera browser in there leads me to hope that well get the eventual Opencar SDK and related apps that come out of that initiative in our cars. Since the opencar press releases specifically name the 2014 m3's as being the first generation compatible with the tech, crossing fingers. If not, I'm sure some enterprising hacker will be able to take the firmware from the 15's and Flash it on to the 14's
 
1 - 20 of 40 Posts
Top