Re: Mondeo MK5 IPC

Posted: 23 Feb 2020, 17:30
by leader
Thanks for your post. It seems that you already have a lot of experience with the MK5 IPC and the QNX operating system.

I also unpacked the IFS of jade and the IFS2 filesystem (and the bitmap IFS too):
GS7T_ifs2.zip
GS7T_jade.zip
GS7T_bitmap.zip
I found some interesting information on them:
  • On JADE there are some scripts which configure the network and start services. I don't think that the IPC can be accessed over the network; maybe this is only for development:

Code:

$ cat start_network
io-pkt-v4 -dsmc9118 ioport=0x02000000,irq=10,mac=662200021605,verbose=5 -p tcpip &
waitfor /dev/socket 4
waitfor /dev/io-net 4
waitfor /dev/io-net/en0 4
ifconfig en0 192.168.1.11
inetd &
qconn port=8000 &
and telnetd is started from inetd and is located on ifs2:

Code:

$ cat etc/inetd.conf
telnet stream tcp nowait root /proc/boot/telnetd in.telnetd
  • There are also some scripts which mount network shares (from the hostname "PC") and flash the filesystem from there:

Code:

$ cat reflash_all
if [ ! -e /dev/io-net/en0 ]; then
    start_network
fi
fs-nfs2 pc:/make /exec
/exec/flash_all
  • And of course there is a password for root (and for the ftp user) too; here are the password hashes:

Code:

ftp:KQkZ75liLIBxw:1210374309:0:0
root:TT53LygWqk3W.:1210378834:0:0
  • I also identified that the HMI contains some uart references, so maybe the IPC can be accessed via a UART port:

Code:

$ strings hmi | grep uart
uart_printf_tx_ctrl
uart_printf_rx_sig_selected
uart_printf_tx_sig_selected
uart_printf_rx_ctrl
uart_printf_signal_table
uart_printf_tx_msg_selected
uart_printf_rx_msg_selected
t=%d : uart_value_printf string too long
t=%d : uart_text_printf string too long
On the left side of the IPC's PCB there are GND, SIN and SOUT pins. I tested them with several baud rates but always received garbage data. Maybe someone else will have success with it. For login I think we will need to hack the root password......

I also protected (and will protect in the future) my files with a password, and I will send it by PM to people who really work on some of microhacker's projects.

to be continued....
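The three files quoted in this post are exactly what an audit of an extracted IFS should flag as leftover development configuration. The following Python is an added example (not from the thread or the firmware) that parses an inetd.conf and a set of boot scripts and reports cleartext services running as root, the qconn debug agent and NFS mounts from a build host; the embedded file contents are abridged copies of the ones quoted above.

```python
import re

# Constructed, abridged copies of the files quoted in the post above, embedded so the check runs offline.
INETD_CONF = "telnet stream tcp nowait root /proc/boot/telnetd in.telnetd\n"
START_NETWORK = """io-pkt-v4 -dsmc9118 ioport=0x02000000,irq=10,mac=662200021605,verbose=5 -p tcpip &
ifconfig en0 192.168.1.11
inetd &
qconn port=8000 &
"""
REFLASH_ALL = """if [ ! -e /dev/io-net/en0 ]; then
    start_network
fi
fs-nfs2 pc:/make /exec
/exec/flash_all
"""
# inetd services that carry credentials in cleartext and have no place in a shipped ECU.
CLEARTEXT_SERVICES = {"telnet", "ftp", "shell", "login", "exec"}
# Commands in boot scripts that betray a development workflow left in the image.
DEV_TOOL_PATTERNS = {
    r"^\s*qconn\b": "qconn (QNX debug agent) gives remote process control over the network",
    r"^\s*fs-nfs2\b": "NFS mount of a host share: firmware is flashed from a developer PC",
    r"^\s*inetd\b": "inetd started at boot (review inetd.conf for enabled services)",
}

def parse_inetd_conf(text: str) -> list:
    """Parse inetd.conf lines into dicts: service, socktype, proto, wait, user, server, args."""
    keys = ("service", "socktype", "proto", "wait", "user", "server")
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 6:
            continue  # blank, comment or malformed line
        entries.append(dict(zip(keys, fields[:6]), args=" ".join(fields[6:])))
    return entries

def audit_inetd(text: str) -> list:
    """Flag cleartext services and report which account the handler runs under."""
    return [f"inetd.conf: {e['service']} enabled as {e['user']} via {e['server']}"
            for e in parse_inetd_conf(text) if e["service"] in CLEARTEXT_SERVICES]

def audit_scripts(scripts: dict) -> list:
    """Flag developer-only daemons and mounts in a {filename: contents} map of boot scripts."""
    return [f"{name}: {why}" for name, body in scripts.items()
            for line in body.splitlines()
            for pat, why in DEV_TOOL_PATTERNS.items() if re.search(pat, line)]

if __name__ == "__main__":
    scripts = {"start_network": START_NETWORK, "reflash_all": REFLASH_ALL}
    for finding in audit_inetd(INETD_CONF) + audit_scripts(scripts):
        print("FINDING:", finding)
```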

Re: Mondeo MK5 IPC

Posted: 23 Feb 2020, 23:05
by paxtonix
leader wrote: 23 Feb 2020, 17:30
Thanks for your post. It seems that you already have a lot of experience with the MK5 IPC and the QNX operating system.
Thank you, but my knowledge is residual. For now I am at the stage of learning the structure of the system. QNX is more Unix style, and my knowledge of Unix is shit - to be honest :oops:
http://www.qnx.com/developers/docs/6.5.0/index.jsp

The examples listed are good, but to understand them you need to know the operating principle more closely.

All this software reminds me of the times when you had Nokia phones with Symbian software - and the apps were written in .js.
I have to look for similarities, but I think it might be coded like this - Shell (operating system) and apps (written in JADE).

Because BlackBerry owns QNX, this gateway with the IP you talk about might be a port for comms to and from the IPC for developers.

I don't know that for sure - but the IP address is there for a reason.

Re: Mondeo MK5 IPC

Posted: 24 Feb 2020, 00:19
by DGAlexandru
paxtonix wrote: 23 Feb 2020, 23:05
...
I don't know that for sure - but the IP address is there for a reason.
You might be surprised at how lazy some software developers can be - it might be there because the development & testing environment had such a connection and they didn't clean up the code enough for the final product / production version :?

Re: Mondeo MK5 IPC

Posted: 24 Feb 2020, 14:25
by paxtonix
DGAlexandru wrote: 24 Feb 2020, 00:19
paxtonix wrote: 23 Feb 2020, 23:05
...
I don't know that for sure - but the IP address is there for a reason.
You might be surprised at how lazy some software developers can be - it might be there because the development & testing environment had such a connection and they didn't clean up the code enough for the final product / production version :?
But it gives us a chance for a backdoor entry, right?

One way or another - we need someone who knows .js well enough to help us understand.
I'm wondering what is behind this IP address and how we can access it. Even if the developers left it behind because they didn't clean up the code - let's use it to our advantage.

There is a guy on the German MK5 forum who made some changes to the graphic content, nick: Chemikus - he already made some changes, so inviting him to this board would be a good thing.

Re: Mondeo MK5 IPC

Posted: 24 Feb 2020, 20:31
by leader
paxtonix wrote: 23 Feb 2020, 23:05
All this software reminds me of the times when you had Nokia phones with Symbian software - and the apps were written in .js.
I have to look for similarities, but I think it might be coded like this - Shell (operating system) and apps (written in JADE).
The main application in the IPC is the HMI; it's written in C++ and uses the Altia SDK for the GUI.
Where did you see Java code?
I unpacked the jade IFS filesystem from GS7T-14C026-BJE, the IFS2 ifs and efs filesystems from GS7T-14C088-AJE and the bitmap ifs filesystem from GS7T-14C088-BJE, but I didn't find any Java files on them. (You can check the content of these filesystems in the zip files posted in my previous post.)

In the IPC there are at least 2 other IFS filesystems (IFS1 and IFS3) which are not part of any VBF file. I think that we need a full flash dump to get those filesystems too and analyse the firmware.

Re: Mondeo MK5 IPC

Posted: 24 Feb 2020, 20:33
by leader
DGAlexandru wrote: 24 Feb 2020, 00:19
You might be surprised at how lazy some software developers can be - it might be there because the development & testing environment had such a connection and they didn't clean up the code enough for the final product / production version :?
Yes, and that uncleaned developer stuff can be the basis of hacks in many cases....

Re: Mondeo MK5 IPC

Posted: 24 Feb 2020, 20:37
by leader
paxtonix wrote: 24 Feb 2020, 14:25
One way or another - we need someone who knows .js well enough to help us understand.
I'm wondering what is behind this IP address and how we can access it. Even if the developers left it behind because they didn't clean up the code - let's use it to our advantage.
Can you show us a sample of where you found Java code? (Java or JavaScript (js)?)
paxtonix wrote: 24 Feb 2020, 14:25
There is a guy on the German MK5 forum who made some changes to the graphic content, nick: Chemikus - he already made some changes, so inviting him to this board would be a good thing.
I also reversed the compression of the bitmaps in the MK5 IPC and I'm able to replace the background images and some other GUI elements.
(And of course I'm able to repack the firmware as well.)
If someone would like to play with a custom theme, then I'm ready to help with this...

Re: Mondeo MK5 IPC

Posted: 25 Feb 2020, 06:10
by Stevebe
leader wrote: 24 Feb 2020, 20:37

I also reversed the compression of the bitmaps in the MK5 IPC and I'm able to replace the background images and some other GUI elements.
(And of course I'm able to repack the firmware as well.)
If someone would like to play with a custom theme, then I'm ready to help with this...
Yes, an area I find very challenging, but not certain where to start...

Re: Mondeo MK5 IPC

Posted: 25 Feb 2020, 06:58
by paxtonix
leader wrote: 24 Feb 2020, 20:37
Can you show us a sample of where you found Java code? (Java or JavaScript (js)?)
You did not understand me. I wrote about the fact that the whole of QNX reminds me of a system from mobile phones on which you could install .js applications. At the beginning I thought that the JADE-based application itself would use .js scripts for operation.

After viewing the VBF content for the IPC - you have this comment:

Code:

 Description:	Pre-installation script for Jade SWDL of bitmap images file via CAN


I thought differently about the whole concept, taking JADE as a Java development framework; just a wrong interpretation on my side - sorry, I'm only human.

Re: Mondeo MK5 IPC

Posted: 25 Feb 2020, 08:11
by leader
paxtonix wrote: 25 Feb 2020, 06:58
After viewing the VBF content for the IPC - you have this comment:

Code:

 Description:	Pre-installation script for Jade SWDL of bitmap images file via CAN
That one is a SHELL script (processed by /bin/sh), and not JAVA.
The preinstall script just maps the /dev/fs0 device to virtual address 0x10000000 and erases the area of the filesystem which will be rewritten. In your example the IFS filesystem containing the BITMAPS will be erased from address 0xE00000 (offset from virtual address 0x10000000) up to address 0x2000000 (size: 0x1200000 bytes):

Code:

flashctl -p/dev/fs0 -o 14m -l 18m -b 6 -e &
Finally the post script (in the case of the bitmaps, bitmaps_post_download.sh) will write the new filesystem image (bitmaps.bin) into /dev/fs0:

Code:

dd if=/tmp/bitmaps.bin of=/dev/fs0 bs=128k seek=112
Reference for flashctl: flashctl
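The post's arithmetic (flashctl -o 14m -l 18m erases 0xE00000..0x2000000, and dd bs=128k seek=112 writes from 0xE00000) is the kind of consistency check worth automating before an image is flashed, since a write outside the erased window bricks the cluster. The Python below is an added example, not code from the thread or from the VBF scripts: it parses the two quoted commands, converts the k/m suffixes to bytes and confirms that the write starts at the erase offset and that an image of a given size (0x1200000, a constructed value equal to the whole window) fits inside it. Only -p, -o, -l and -e of flashctl are interpreted; -b is deliberately ignored.

```python
import re

# Commands quoted from the Jade pre/post-download scripts in the post above.
FLASHCTL_CMD = "flashctl -p/dev/fs0 -o 14m -l 18m -b 6 -e &"
DD_CMD = "dd if=/tmp/bitmaps.bin of=/dev/fs0 bs=128k seek=112"
_SUFFIX = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

def parse_size(token: str) -> int:
    """Parse a flashctl/dd size such as '14m', '128k', '0xE00000' or '4096'."""
    m = re.fullmatch(r"(0x[0-9a-fA-F]+|\d+)([kKmMgG]?)", token.strip())
    if not m:
        raise ValueError(f"unrecognised size: {token!r}")
    return int(m.group(1), 0) * _SUFFIX[m.group(2).lower()]

def parse_flashctl(cmd: str) -> dict:
    """Extract the erase window; only -p, -o, -l and -e are read, other options (e.g. -b) are ignored."""
    toks = cmd.replace("&", "").split()
    info = {"device": None, "start": 0, "length": None, "erase": False}
    for i, t in enumerate(toks):
        if t.startswith("-p"):
            info["device"] = t[2:] if len(t) > 2 else toks[i + 1]
        elif t == "-o":
            info["start"] = parse_size(toks[i + 1])
        elif t == "-l":
            info["length"] = parse_size(toks[i + 1])
        elif t == "-e":
            info["erase"] = True
    return info

def parse_dd(cmd: str) -> dict:
    """Return of/bs/seek plus offset = bs * seek, the first byte dd writes."""
    kv = dict(tok.split("=", 1) for tok in cmd.split()[1:] if "=" in tok)
    bs, seek = parse_size(kv.get("bs", "512")), int(kv.get("seek", "0"))
    return {"of": kv.get("of"), "bs": bs, "seek": seek, "offset": bs * seek}

def check_reflash(flashctl_cmd: str, dd_cmd: str, image_size: int) -> list:
    """List problems with the erase/write pair; empty means the image lands inside the erased window."""
    f, d = parse_flashctl(flashctl_cmd), parse_dd(dd_cmd)
    end = f["start"] + f["length"]
    problems = []
    if f["device"] != d["of"]:
        problems.append(f"device mismatch: erase {f['device']} but write {d['of']}")
    if d["offset"] != f["start"]:
        problems.append(f"write starts at {d['offset']:#x} but erase starts at {f['start']:#x}")
    if d["offset"] + image_size > end:
        problems.append(f"image ({image_size:#x} bytes) overruns erased window ending at {end:#x}")
    return problems

if __name__ == "__main__":
    print(check_reflash(FLASHCTL_CMD, DD_CMD, image_size=0x1200000) or "flash layout consistent")
```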