Mondeo MK5 IPC

[leader]

Thanks for your post. It seems that you already has many experiences with MK5 IPC and QNX operating system.

I also unpacked the IFS of jade and the IFS2 filesystem (and ifs of bitmap also):

GS7T_ifs2.zip

GS7T_jade.zip

GS7T_bitmap.zip

I found some interesting information on them:

• On JADE there are some scripts which configure network and start service. i don't think that IPC can be accesed on network, maybe this is only for development:

Code: Select all

$ cat start_network
io-pkt-v4 -dsmc9118 ioport=0x02000000,irq=10,mac=662200021605,verbose=5 -p tcpip &
waitfor /dev/socket 4
waitfor /dev/io-net 4
waitfor /dev/io-net/en0 4
ifconfig en0 192.168.1.11
inetd &
qconn port=8000 &

and telnetd starts from inetd and it's located on ifs2:

Code: Select all

$ cat etc/inetd.conf
telnet stream tcp nowait root /proc/boot/telnetd in.telnetd

• There are also some scripts which mount network shares (from hostname "PC") and flash filesystem from there:

Code: Select all

$ cat reflash_all
if [ ! -e /dev/io-net/en0 ]; then
    start_network
fi
fs-nfs2 pc:/make /exec
/exec/flash_all

• And of curse there is password for root (and ftp user) also, here are the password hashes:

Code: Select all

ftp:KQkZ75liLIBxw:1210374309:0:0
root:TT53LygWqk3W.:1210378834:0:0

• I also identifed that HMI contains some uart references, so maybe IPC can be accessed on UART port

Code: Select all

$ strings hmi | grep uart
uart_printf_tx_ctrl
uart_printf_rx_sig_selected
uart_printf_tx_sig_selected
uart_printf_rx_ctrl
uart_printf_signal_table
uart_printf_tx_msg_selected
uart_printf_rx_msg_selected
t=%d : uart_value_printf string too long
t=%d : uart_text_printf string too long

On the left side on the PCB of the IPC there are GND, SIN, SOUT pins. I tested them with some baudrate but always received garbage data. Maybe someoneelse has success on it. For login I think we will need to hack the root password......

I also protected (and will protect in the future) my files with password and I will send on PM to peoples who really works on some of microhacker's project.

to be continued....

[paxtonix]

Thanks for your post. It seems that you already has many experiences with MK5 IPC and QNX operating system.

Thank you, but my knowledge is residual. for now I am at the stage of learning the structure of the system. QNX is more unix style , and my knowledge over unix is shit - to be honest
http://www.qnx.com/developers/docs/6.5.0/index.jsp

the examples listed are good, but to understand them you need to know the operating principle more closely.

All this software remind me times where you had Nokia phones with Symbian software - and the apps were written in .js.
I have to look for similarity but I think it might be coded like - Shell ( operating system ) and apps ( writen in JADE ).

because blackberry own QNX, this gateway with IP you talk about might be ,a port for comm's to and from IPC for developers.

I don't know that for sure - but IP Address is there for a reason

[DGAlexandru]

...
I don't know that for sure - but IP Address is there for a reason

You might be surprised of how lazy some software developers can be - it might be there because the developing & testing environment had such a connection and they didn't cleaned the code enough for final product / production version

[paxtonix]

...
I don't know that for sure - but IP Address is there for a reason

You might be surprised of how lazy some software developers can be - it might be there because the developing & testing environment had such a connection and they didn't cleaned the code enough for final product / production version

But it gives us a chance for a backdoor entry , right ?

one way or another - we need someone who nows .js good enough to help us understand.
Im wondering what is behind this IP address and how we can access it. even if developers left it behind because of not cleaning the code - so lets use it on our advantage.

There is a Guy on German mk5 forum who made some changes of graphic content, Nick: Chemikus - He already made some changes so inviting him to this board will be a good thing.

[leader]

All this software remind me times where you had Nokia phones with Symbian software - and the apps were written in .js.
I have to look for similarity but I think it might be coded like - Shell ( operating system ) and apps ( writen in JADE ).

The main application in the IPC is the HMI, it's written in C++, and it use Altia SDK for the GUI.
Where did you seen java code?
I unpacked the jade IFS filesystem from GS7T-14C026-BJE, the IFS2 ifs end efs filesystem from GS7T-14C088-AJE and the bitmap ifs filesystem from GS7T-14C088-BJE but I doen't found any java files on them. (You can check the content of these filesystem in the zip files posted in my previous post).

In the IPC there are atleast 2 other IFS filesystems (IFS1 and IFS3) which are not part of any VBF file. I think that we need a full flash dump to get thise filesystems also and analyse the firmware.

[leader]

]You might be surprised of how lazy some software developers can be - it might be there because the developing & testing environment had such a connection and they didn't cleaned the code enough for final product / production version

Yes and that uncleaned developer stuffs can be the base of hacks in many cases....

[leader]

one way or another - we need someone who nows .js good enough to help us understand.
Im wondering what is behind this IP address and how we can access it. even if developers left it behind because of not cleaning the code - so lets use it on our advantage.

Can you show to us a sample where did you found Java code? (Java or Javascript (js))?

There is a Guy on German mk5 forum who made some changes of graphic content, Nick: Chemikus - He already made some changes so inviting him to this board will be a good thing.

I also reserved the compression of the bitmaps in mk5 ipc and I'm able to replace the backgground images and same other GUI elements.
(And of course I'm able to repack the firmware also)
If someone would like to play with a custom theme than I'm ready to help in this...

[Stevebe]

I also reserved the compression of the bitmaps in mk5 ipc and I'm able to replace the backgground images and same other GUI elements.
(And of course I'm able to repack the firmware also)
If someone would like to play with a custom theme than I'm ready to help in this...

Yes a area I find very chalanging but not certain where to start,,

[paxtonix]

Can you show to us a sample where did you found Java code? (Java or Javascript (js))?

you did not understand me. I wrote about the fact that the entire QNX reminds me of a system from mobile phones on which you could install .js applications. At the beginning I thought that the JADE-based application itself would use .js scripts for operation.

After viewing the vbf content for IPC - you have that commentary

Code: Select all

 Description:	Pre-installation script for Jade SWDL of bitmap images file via CAN

I thought differently about the whole concept, by JADE as java Development framework ,just wrong interpretation from my side - sorry, im only human.

[leader]

After viewing the vbf content for IPC - you have that commentary

Code: Select all

 Description:	Pre-installation script for Jade SWDL of bitmap images file via CAN

Thats one is SHELL script (processed by /bin/sh), and not JAVA.
The preinstall script just maps the /dev/fs0 device to virtual address 0x10000000 and erase the area of filesystem which will be rewrite. In your example the IFS filesystem containing BITMAPS will be erased from address 0xE00000 (offset from virtual address 0x10000000) until address 0x2000000 (size: 0x1200000 bytes):

Code: Select all

flashctl -p/dev/fs0 -o 14m -l 18m -b 6 -e &

Finally the post script (in case of bitmaps bitmaps_post_download.sh) will be write the new filesystem image (bitmap.bin) into the /dev/fs0:

Code: Select all

dd if=/tmp/bitmaps.bin of=/dev/fs0 bs=128k seek=112

Reference for flasctl: flashctl