Simos18_SBOOT
mib2-toolbox
Simos18_SBOOT | mib2-toolbox | |
---|---|---|
5 | 13 | |
84 | 557 | |
- | - | |
0.0 | 2.4 | |
about 2 years ago | 6 months ago | |
Python | Python | |
- | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Simos18_SBOOT
-
Can Injection: keyless car theft
I did find an older VW "emergency start" product that claims to only work with Bosch MED17 and MED9, and I suspect it's using a memory-access primitive (either UDS or CCP) to release the immobilizer.
It's trivial to disable an immobilizer in software by re-flashing the ECU, yes, but modern ECUs have two strong protections against this:
* Cryptographic signature checking against update/re-flash payloads (I've done extensive research on these on VW Continental ECUs - https://github.com/bri3d/VW_Flash )
and an even better and more obvious protection:
* The ECU application software won't descend into the re-flash software (Customer Bootloader) unless the immobilizer is free (a valid key is present).
This is a lot of what helps to reduce surface area from an "emergency start" style attack to an AKL attack - now that the Customer Bootloader won't start without the Immobilizer being unlocked, an attacker needs to remove the control unit to flash it with a Supplier Bootloader exploit ( https://github.com/bri3d/simos18_sboot ) or physical access (BDM/JTAG).
-
ECU resources
SIMOS18 SBOOT: https://github.com/bri3d/simos18_sboot Illustrates common security vulnerabilities in modern control units (inadequate RNG entropy, reset exploits). Illustrates common "SBOOT recovery mode break-in" / "TSW Mode" concept that many control units have.
-
Hyundai car software update private keys came from easily Googleable sample code
That's pretty cool! I wonder how properly they were really signed - there are _so many_ mistakes even in systems that at least don't use an example key off the Internet.
The most common ones I know of are:
* Out-of-bounds write issues allowing "signature was validated" flags to be overwritten in Flash memory, like https://github.com/jglim/UnsignedFlash
* State machine mistakes, like https://github.com/bri3d/VW_Flash/blob/master/docs/docs.md - allowing Flash to be written again after it was already written, without an erase first.
* Filesystem parsing mistakes, like those in a number of VW AG head units: https://github.com/jilleb/mib2-toolbox/issues/122
* The use of RSA with E=3 and inadequate padding validation, like https://words.filippo.io/bleichenbacher-06-signature-forgery... .
* Failure to understand the system boundaries, like in the second part of https://github.com/bri3d/simos18_sboot where "secret" data can be recovered by halting the system during a checksum process.
* Hardware fault injection issues, as used in https://fahrplan.events.ccc.de/congress/2015/Fahrplan/system... .
Fundamentally this is of course, a very hard problem, since in the "protect against firmware modification" case, the attacker has physical access. But, compared to the state of the art in mobile devices and game consoles, automotive stuff is still way behind.
-
Hacking a VW Golf Power Steering ECU
My writeups and JG Lim's cover three of the common mistakes in modern modules (supplier backdoor bugs in Simos supplier bootloader, state machine issues in Simos VW bootloader, and block buffer validity confusion / bounds check issues in Mercedes instrument cluster).
-
Simos18 Supplier Bootloader (SBOOT) Exploit: Reading Boot Passwords
I have glossed over all of the actual data details here for brevity. For details including exact messages (and code!), please visit https://github.com/bri3d/Simos18_SBOOT
mib2-toolbox
-
Hate Apple CarPlay & Waze
The free traffic info isn't bad. You can change which channels the unit subscribes to (see TMC channel research). I enabled all useful channels on my unit and it does show traffic quite accurately. Now in my country there are not really any detours possible, there's just one highway that connects to cities/villages together, so any detour doubles to triples the distance driven (and thus it's not worth it).
-
Two navigation sources - Is there any way to have navigation from Google/Apple maps AND the navigation from the MMI at the same time, rather than one or the other?
They are working on it over on the dark side. Lol. https://github.com/jilleb/mib2-toolbox
-
Updated infotainment images
In answer to OP's question: it's likely this person has used the MIB2High toolbox available on GitHub to customize images and startup screens for the unit.
-
Hyundai car software update private keys came from easily Googleable sample code
That's pretty cool! I wonder how properly they were really signed - there are _so many_ mistakes even in systems that at least don't use an example key off the Internet.
The most common ones I know of are:
* Out-of-bounds write issues allowing "signature was validated" flags to be overwritten in Flash memory, like https://github.com/jglim/UnsignedFlash
* State machine mistakes, like https://github.com/bri3d/VW_Flash/blob/master/docs/docs.md - allowing Flash to be written again after it was already written, without an erase first.
* Filesystem parsing mistakes, like those in a number of VW AG head units: https://github.com/jilleb/mib2-toolbox/issues/122
* The use of RSA with E=3 and inadequate padding validation, like https://words.filippo.io/bleichenbacher-06-signature-forgery... .
* Failure to understand the system boundaries, like in the second part of https://github.com/bri3d/simos18_sboot where "secret" data can be recovered by halting the system during a checksum process.
* Hardware fault injection issues, as used in https://fahrplan.events.ccc.de/congress/2015/Fahrplan/system... .
Fundamentally this is of course, a very hard problem, since in the "protect against firmware modification" case, the attacker has physical access. But, compared to the state of the art in mobile devices and game consoles, automotive stuff is still way behind.
- BMW Wants to Charge for Heated Seats. These Grey Market Hackers Will Fix That.
-
Coolwalk Vertical Rail
For split screen you need to do something with the MIB 2 toolbox from what I remember.
-
Getting into QNX embedded system
The big one, a vulnerabilities in the firmware update mechanism which allows installing customised firmware packs, scripts, tools, ssh etc: https://github.com/jilleb/mib2-toolbox/pull/125
-
The First Android Auto 7 Update Is Now Available for Download
You mean stuff like split screen? It's possible but it must be either coming from your vehicle's manufacturer or you have to mess with properties and/or toolboxes (such as MIB2 Toolbox) to get it.
-
Is there an update/upgrade for the 2017 S3 mmi?
As far as I know, there's a MIB toolbox and MIB2 Patches to unlock stuff.
-
Android auto fullscreen problem (seat arona)
Try the MIB 2 toolbox You can modify the aspect ratio and such
What are some alternatives?
ghidra_tc1791_registers
mqb-pm - Performance Monitor for VAG-group cars with Android Auto
VWsFriend - VW WeConnect visualization and control
volkswagen - :see_no_evil: Volkswagen detects when your tests are being run in a CI server, and makes them pass.
TC1791_CAN_BSL - CAN Bootstrap Loader (BSL) for Tricore AudoMAX (TC1791 and friends), including arbitrary read/write as well as compressed read functionality.
VW_Flash - Flashing tools for VW AG control units over UDS. Compression, encryption, RSA bypass, and checksums are supported for Simos18.1/6/10, DQ250-MQB, DQ381-MQB, and Haldex4Motion-Gen5-MQB.
IDDataLogger - A DataLogger for Volkwagen ID vehicles. Includes an iOS Widget. Works with VW ID.3 and ID.4 vehicles.
UnsignedFlash - Firmware signature bypass on the IC204
mib-std2-pq-zr-toolbox - Toolbox for MIB STD2 PQ/ZR Technisat/Preh units.
ME7Sum - Checksum/CRC checker/corrector for Motronic ME7.1 firmware images. Download binaries here: