

Registered (2 Posts), Discussion Starter #1:
Here are the latest data retrieval files, this should work with fw 59.00.502.

Don't be like some other people and post these files on GitHub and claim to be a hacker showing vulnerabilities in the system. That's how we lose things.

https ://mega.nz/#!175CBZpA!DVdI0s_vpnpmKhC0mFFGEyk_PYmh3FL9lzUcxUs9a-0

remove space from url.
Same use, will need to be modified to execute scripts.
 

Registered (71 Posts):
Can someone with version 502 test these to see if they work exactly the same as the previous versions? The end result should be some data backup folders on your USB drive. I saw some posts where people say the USB drive does not even appear to be read in version 502.

If I had to guess, they probably changed the key used to sign the .up files. There is no reason the previous data retrieval files wouldn't work; it actually sideloads the dataRetrieval binary during the retrieval process. It doesn't use the local binary on the CMU. If the key was changed, there will be no way to use the old data retrieval files. It would also explain why the version 502 firmware cannot be downgraded. This would make the most sense, but I was thinking maybe they didn't change it. Instead they made an updated data retrieval that allows for downloading of additional data and just made it so the data retrieval must be initiated in some way (and the firmware downgrade is being stopped by some other versioning check). It's a shot in the dark, but something I want to verify.
 

Registered (35 Posts):
I have the 502 version on my car; how can I help?
 

Registered (71 Posts):
Put the files on a USB flash drive, formatted as FAT. Turn your car off and insert the USB drive in one of the open slots. Turn the car on and wait a few minutes. You may eventually see a dialog pop-up on screen. If you see the pop-up or your CMU restarts, then the process would have finished. If nothing happens after like 5 minutes, pull the drive. Check the contents to see if you have any new folders or files.
 

Registered (35 Posts):
I did everything as you said. Here is the folder that appeared. Here is the link to the rar //yadi.sk/d/MNNZ8r3z3KQG7N
 

Registered (71 Posts):
Thank you. The new data retrieval files worked. That is a bummer because it means they either changed the key used to sign the files or are doing some other version check.
 

Registered (35 Posts):
How do you think 502 can be hacked or downgraded?
 

Registered (184 Posts):
They moved the execution call for the script from the config file to inside the up file.

The new firmware is programmed to look for the data retrieval instructions inside the up file. The up files are still signed with the same signature.

So TLDR the config file is truly a config file now that just turns on or off options, before it allowed you to specify the script file.
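
As an added illustration of the design change described in the post above (this is not code from the thread, the CMU firmware, or any Mazda tool): a toy updater in two versions. In the legacy flow an unsigned config file names the script to execute, so whoever writes the USB stick chooses what runs; in the hardened flow the config only toggles options and the script travels inside the signed .up package, which is verified before anything is parsed or executed. The file names, the tag-then-JSON package layout, and the HMAC-SHA256 tag are all assumptions made for the example; the real firmware would presumably use an asymmetric signature so the device only holds a public key, and the thread does not document its actual format.

```python
"""Toy model of an unsigned-config updater beside a signed-package updater.

Everything here is constructed for illustration: the file names, the
package layout (tag || JSON payload) and the HMAC-based tag stand in for
whatever the real firmware does, which the thread does not document.
"""
import hashlib
import hmac
import json

TAG_LEN = 32  # HMAC-SHA256 tag length; assumed layout is tag followed by payload


class UpdateRejected(Exception):
    """Raised when a package fails verification; nothing from it is used."""


def sign_package(payload: dict, key: bytes) -> bytes:
    """Build a signed .up blob: HMAC-SHA256 tag followed by the JSON payload.

    HMAC is used only because it is in the standard library; a real updater
    would use an asymmetric signature so the device never holds a signing key.
    """
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body


def verify_package(blob: bytes, key: bytes) -> dict:
    """Check the tag over the raw bytes before parsing anything from them."""
    if len(blob) < TAG_LEN:
        raise UpdateRejected("package too short")
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise UpdateRejected("bad signature")
    return json.loads(body)


def parse_config(text: str) -> dict:
    """Parse simple key=value lines; comments and blank lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def run_script(name: str, source: str, log: list) -> None:
    """Stand-in for executing a shell script: record what would have run."""
    log.append((name, source))


def install_legacy(drive: dict) -> list:
    """Legacy flow: the unsigned config names the script, which runs unverified."""
    cfg = parse_config(drive["dataRetrieval_config.txt"].decode())
    script_name = cfg.get("script", "dataRetrieval.sh")
    log = []
    run_script(script_name, drive[script_name].decode(), log)
    return log


def install_hardened(drive: dict, key: bytes) -> list:
    """Hardened flow: config only toggles options; the script comes from the verified package."""
    cfg = parse_config(drive["dataRetrieval_config.txt"].decode())
    payload = verify_package(drive["dataRetrieval.up"], key)  # raises before any use
    log = []
    if cfg.get("backup", "on") == "on":
        run_script("embedded:" + payload["version"], payload["script"], log)
    return log


def is_accepted(drive: dict, key: bytes) -> bool:
    """True if the hardened installer would run anything from this drive."""
    try:
        install_hardened(drive, key)
        return True
    except UpdateRejected:
        return False


# Constructed sample data: a device-held key and a USB stick prepared by an attacker
KEY = b"device-held-key-for-illustration"
GOOD_PAYLOAD = {"version": "59.00.502", "script": "tar cf /mnt/usb/backup.tar /data"}


def attacker_drive() -> dict:
    """Config points at evil.sh; the genuine signed package is also present."""
    return {
        "dataRetrieval_config.txt": b"backup=on\nscript=evil.sh\n",
        "evil.sh": b"sh -c 'passwd root'",  # arbitrary command of the attacker's choosing
        "dataRetrieval.up": sign_package(GOOD_PAYLOAD, KEY),
    }


def tampered_drive() -> dict:
    """Same stick, but one bit of the signed payload has been flipped."""
    drive = attacker_drive()
    blob = bytearray(drive["dataRetrieval.up"])
    blob[-1] ^= 0x01
    drive["dataRetrieval.up"] = bytes(blob)
    return drive


if __name__ == "__main__":
    print("legacy ran:", install_legacy(attacker_drive()))
    print("hardened ran:", install_hardened(attacker_drive(), KEY))
    print("tampered accepted:", is_accepted(tampered_drive(), KEY))
```

The point is the order of operations in `install_hardened`: the tag is checked over the raw bytes before `json.loads` sees them, and the config can only switch the backup on or off; the `script=` line that the legacy flow obeyed is simply ignored.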
 

Registered (71 Posts):
I don't know. In previous versions it was really easy with the data retrieval. The data retrieval was changed with version 502 and the exploit was removed. I don't know of any way to do it right now with version 502 unless you had previously installed the autorun script or the SSH restore tweak. The autorun script allows you to run scripts off the SD card. The SSH restore tweak changed the admin password so you would be able to access the CMU via the serial console. At least one of these would have needed to have been installed prior to updating to version 502 though.

The CMU appears to be really locked down if neither of these were done. Finding a vulnerability in the update or data retrieval is possible but I'm just not sure where to start or how likely it is to find one. Getting the keys used for file signing or SSH access or knowing the admin password are the most straightforward ways. And it is unlikely we will get or find any of those.

There probably is a way to downgrade outside the update and data retrieval methods but it would involve reprogramming the NAND flash chip or the SPI NOR flash chip on the PCB. I don't know enough to say how to do this though.
 

Registered (35 Posts):
Access to the CMU can be obtained through the rear connector TTL (RX, TX, GND); doesn't that help? Look at the PDF; it's in Russian, but I think it will be clear. If necessary, I'll translate.
 


Linux Dude (65 Posts):
So, I'm just catching up to stuff. I hadn't realized so many awesome tweaks have been made until recently. I edited some of the UI myself back in 2014 to get the audio sources and stuff in the right order -- the "OG" stuff on the unmaintained website.

I was going to get all this stuff loaded on my car, but I took it to the dealer last week because the rear camera was acting up. I also had a recall on the infotainment system and a recall on the ECU that was required to register the car this year. Unfortunately they put me on the 502 firmware and I quickly realized the AIO stuff doesn't work :( Nor does SSH, as mentioned in previous threads. I had a late night a few nights ago probing around with a USB-Ethernet adapter. I wish they hadn't applied the infotainment sys recall :( I was on some old v2x version that I had updated to myself and it was working perfectly all these years.

So what's up with the serial console stuff? Is it that they've changed the credentials, so there's no way to get in with it?

How does the data retrieval stuff work? Is there any way to execute anything as a regular user on the system? On Android, I see companies like LG patching commonly used entry points to root, but still leaving the door wide open for exploits like Dirty COW. If only we had some sort of local user access, we could leverage some sort of privilege escalation bug.

I'm bummed I got the locked-down firmware, but I'd really like to help in any way I can. My background: Software eng / Linux user with 18 years of experience.
 

Registered (35 Posts):
Oh, I would really like it if you helped us)))
 

Linux Dude (65 Posts):
I am Russian too; I live in the USA.

I'm curious what xenosap1en means by saying it won't work.

I can procure some hardware and find some time to get serial console up for myself, but what's the deal exactly?
 

Linux Dude (65 Posts):
Check out the most recent posts in the "AIO - All-In-One tweaks" thread -- I can't link because my post count is too low, lol. Long time lurker, first time poster :)
 