Nice work.

@ CES last week they were showing off something called Opencar, an SDK to interact with your vehicle. The demo vehicle was a Mazda 3. It looks like the SDK comes with a visualization environment to play around with your apps - not yet sure how you can push them to vehicle - likely Mazda will have some sort of audit, that we can hopefully bypass .

In any case, I've requested access to the SDK and will share any other useful info as it arises.

OpenCar

Cheers,
Jon

 

Incremental update?

According to this « ...Mazda (manufacture) says that the dealer has to upgrade to v25 before upgrading to v27. » Hmmm, incremental update vs full system image upgrade will complicate analysis of the (yet to obtain) maintenance USB.

 

According to this « ...Mazda (manufacture) says that the dealer has to upgrade to v25 before upgrading to v27. » Hmmm, incremental update vs full system image upgrade will complicate analysis of the (yet to obtain) maintenance USB.

Hmm, that probably means they made a change to how updating works in the v25 code. I'm a software engineer, and when we have mandatory incremental upgrade steps, that is usually why. Also, these discussions make me nervous, as we've had to implement a lot of security features over the past year because of people doing this kind of stuff with our products. But we make money off software licenses, so it was probably bound to happen

Anyone know what's in the v27 code update? Just more bug fixes?

 

Only a question of time before it spreads. I understand the poster needs avoiding trouble and fully respect his decision. But I think security by obscurity rarely works. Security is better improved by peer review. @silkice thanks for trying anyway.

 

Pop you have my full support. I am also an software engineer, but when someone put in final product (car) all the HW prerequisites, and then ask for almost 1000$ (in Croatia where BDP per capita is more than 3 times lower than in USA) more for piece of SW and maps on SD card than I say, RIGHT, come on!?

 

ssh string

@anyone attempting to SSH to his car...

When I SSH to my car I receive a 17 characters string of numbers, before it prompts for a logonid and password.

In my case this string is 2417****2****8406 (some numbers masked to protect the innocent -- me). This string is constant for my car.

I'd like to know if your string 1) is also constant 2) the same as mine.

 

@anyone attempting to SSH to his car...

When I SSH to my car I receive a 17 characters string of numbers, before it prompts for a logonid and password.

In my case this string is 2417****2****8406 (some numbers masked to protect the innocent -- me). This string is constant for my car.

I'd like to know if your string 1) is also constant 2) the same as mine.

Hi Pop,

I finally got a car, and managed to connect to it.

1) Mine number is also constant
2) But not as yours...

I have started hydra dictionary attack, and quit after 10k tries, as speed was around 7 tries/second. I think that this approach is not promising, and other better will be to clone someones original SD card, and then analyze the structure of it...

 

I will try it as soon as my car arrive from Hiroshima. In a meantime, for a start you can try to get root or maybe admin pass by using backTrack - Hydra...

 

No it's not. VIN starts with the letters, and here we have string of 17 numbers.

 

It could be a hashed or other converted string that corresponds to your VIN, especially if everyone has a different string.

 

You're right, it could be, but what is the purpose of it, and how it's used stays a mystery...

I gave up for a while to crack from inside, and rather go to see the content of SD card, and what could be done with it, but I need to wait for a month, to get a clone.

 

The purpose might be to serve as an identifier. I can program my bash shell to show me any kind of messages after login. I'm pretty sure you can also configure the terminal session to show something as well. Maybe that number is there so that during maintenance they can be sure they are working on the correct vehicle ECU?

 

Ok, but this identifier is shown before logging in, and it's not part of shell, right!?

 

What I'm saying is you can customize the shell message when you initiate a session (even before logging in - example: [ubuntu] Welcome message before Login prompt... is it possible? [Archive] - Ubuntu Forums).

 

Having the Opera browser in there leads me to hope that well get the eventual Opencar SDK and related apps that come out of that initiative in our cars. Since the opencar press releases specifically name the 2014 m3's as being the first generation compatible with the tech, crossing fingers. If not, I'm sure some enterprising hacker will be able to take the firmware from the 15's and Flash it on to the 14's

 

^
I concurr, same behaviour as you (I am on V20).

Don't know of an SSH exploit, as I mentioned in the OP the IFS SSH is at version 5.9.

Re-initiateing a new session after being disconnected and trying with the next password. I didn't try hard and not for long ... I can't really call it "brute force".

 

With older versions of ssh.. you could try a username, and if it was invalid your attempt was ended.. a valid one let you try several times.

Thanks for your clarification on the brute force.. thought i was missing something..

 

5.9 is fairly recent. Not most recent but not old either. My car doesn't get parked close enough to Wi-Fi, I was going to let ncrack run for a few hours :-(

 

Well, from what I can tell that number when you SSH into your infotainment system is the CMU Serial Number.. or at least most of that number, mine's missing a few digits at the end.. either getting cut off in the parsing of the banner by my SSH client or it's only partial as it represents a batch number or something.

If you want to verify for me it's what you're seeing as well, go to the diagnostic menu (Music+Favorites+MUTE for 3-5 seconds) and go to #59 (CMU Serial Number Readout).

For what it's worth, in the OS that banner is being generated when it reads out "/config-mfg/fgsn.dat" h34r:

 

Confirming. The first 15 characters of the SSH banner are the CMU serial as displayed by diagnostic #59. In my case, the last 2 characters are "06".

 

Version 31 Takes Away WiFi

Just took my 3 to get it upgraded to the latest firmware, it was version 31.000.300 I believe (I know 100% its version 31.xxx but cant remember the last portion 100% right now). Got home, and went to connect to WiFi to start looking for a way to crack this thing, but now there is no WiFi option. Looked under the old spot in settings>devices, and looked through every single men. Cant find it anywhere. Can anyone else on 31 confirm this? For those who find WiFI very important, and Im sure alot of you guys pursuing this are, id be cautious about version 31.

 

For anyone just following this thread, please check out http://mazda3revolution.com/forums/.../forums/2014-mazda-3-skyactiv-audio-electronics/57714-infotainment-project.html. We have successfully retrieved passwords and can get into the system via SSH (v30 <). So far we have shortened the warning dialog display time and enabled the touch screen over 10mph. We're still trying to get the system to enter a developer mode and accept our custom update packages.

 

The Disable Car in Motion Sensor? thread prompted my curiosity...

I thought I would start this thread documenting findings on the IFS that might help h̶a̶c̶k̶i̶n̶g̶ understanding it.

For anyone just following this thread, please check out http://mazda3revolution.com/forums/.../forums/2014-mazda-3-skyactiv-audio-electronics/57714-infotainment-project.html. We have successfully retrieved passwords and can get into the system via SSH (v30 <).
We're still trying to get the system to enter a developer mode and accept our custom update packages.

@PoP @Tinuviel

...so right now I'm really interested in trying to create a Virtual Copy of our Infotainment System using Virtual Box - for testing things in general and possibly seeing what sort of stuff the system is capable of as it is right now without changing too much - As well as maybe doing some simple app development with the help of the OpenCar SDK.

OpenCar InsideTrack > OpenCar Connect Overview
(already a member there, and have installed the OpenCar SDK to VirtualBox)

I've already done all the mods to my car... been fooling around with the v31 update file, but I'm trying to figure out some way to get the system running in VirtualBox, so I need some kind of bootable .iso file or something that the VirtualMachine can boot from foregoing the "exact" operating system .iso, maybe just something that can actually "Run" all the Java Script - If not, create some sort of partition for the Systems directory files and then Run all the scripts in my Browser...

I was given the idea that the Java Script was being run through the Opera Browser in someway since that's what the OpenCar SDK does (it opens a terminal, starts a server and then opens the operating system in Google Chrome)...

So I have a few questions, if anyone can help me out:

1. In a very broad sense, what would I need to "virtually" run the Infotainment OS?
(when the OpenCar SDK runs, it includes virtual buttons to press, and tons of other environmental changes that can be made)

2. Does anyone know the exact operating system underlying the whole thing?
(I saw mentions of Linux, and other stuff...)

3. Is there anyway that we could capture a complete disk image via SSH? and somehow use that to create a virtual copy?

If you are familiar with Virtual Box, choosing the OS (I chose other cause I wasn't sure):

To actually boot the system, I need a bootable disk image of some sort...

I was looking at the main_instructions.ini from the v31 Update file, instructions 2, 3, and 4:

2 = Execute, "bootstrap", "execute.ini", 7
# Something to do with booting or some continuous process or compiling the language

3 = ImageUpdate, "ibc1", "binary.ini", 3
# Copies zipped.dat files to some other location

4 = Execute, "linux1", "execute.ini", 6
# Flashes Linux Kernal if needed

Just trying to get an idea of what that has to do with the OS... I'm not too familiar so I only have the wiki definitions of what a "bootstrap" and a "kernel" are, but they seem to have something to do with the OS....

Anyway... maybe it's not possible but I still need to explore the SDK a bit and see if I can't run the infotainment system within there somehow.

Thanks for any help :smiley:

 

@Dimes2Dope your best bet to get this working is probably by grabbing the image right off the CMU. The packages you can download are installers, so you'd have to follow all the install instructions in the installer and re-create the filesystem. Even as such, you may be missing files, as the update packages may not have every file needed.

SSH in and copy the image out. It will probably take a long time to do the dump over WiFi though. I'm not really a linux versed guy though, so you'll have to research on how to do that. I found this link, it may give some insight: backup - Can I clone a root file system of a running server via ssh? - Super User.

And yes, the OS is a modified version of Linux. If you run a command you can even see the file system type and the distro it's based from. What that command is I don't remember though, sorry.

 

@Dimes2Dope, I don't think you'll get too far here. While the OS is a distro of linux, the architecture is not i386 or x86_64... it's ARM-based. These are low-powered CPUs that are commonly found in tablets, smartphones, and embedded systems like this one

I briefly looked at different ARM emulators that would be able to run the bootstrap app on an x86 system, but I didn't get too far.

You can get some info about a linux system by typing: uname -a

geoffcs@archer:~$ uname -a
Linux archer 3.13.0-35-generic #62-Ubuntu SMP Fri Aug 15 01:58:42 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux


But to get the distro specifics depends on the distro... on redhat, there's a file in /etc/redhat-release, ubuntu is in /etc/issue.net, etc.

 

You can get some info about a linux system by typing: uname -a

geoffcs@archer:~$ uname -a
Linux archer 3.13.0-35-generic #62-Ubuntu SMP Fri Aug 15 01:58:42 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux


But to get the distro specifics depends on the distro... on redhat, there's a file in /etc/redhat-release, ubuntu is in /etc/issue.net, etc.

Maybe you can point me in the right direction with these screenshots I took of the file structure:

Here is what you find in the "/etc" file from the root directory

This one is "/<root>" the top level you can view

Here is the "/tmp" folder

The "/jci" folder

"/bin"

"/sys"

Just thought I'd post these and see if anything catches your eye... obviously more research to do...

 

Something like this may work: https://code.google.com/p/armware/. Just research, I imagine there are solutions out there

 

@Dimes2Dope since you have winscp up and running, you can try dumping all files from infotainment system to an empty folder on your pc. From there you can play all you want without accidentally breaking something.

 

Yea... I was considering it.... the point is to actually be able to run the damn thing though....

And I don't know how to package it in a way that VirtualBox could boot from it.... not to mention they just reminded me that its running an Arm processor.... so virtual box might not work for it....

But some other emulator might.... I just want a damn little window on my desktop that does everything infotainment does so I can mess with it... lmao... and see if I can't get into that dev mode or access the web somehow... rofl.... :death:

 

Hello.

I'm interested in this thread but it seems so dead.

Well is it possible to emulate the frontend and backend mzd infotaiment in some system? VirtualBox, Raspberry pi, etc....

Thank you.