C63/C63S AMG

Dealer Mode

Old 01-30-2018, 06:50 AM
  #51  
Junior Member
 
Davesc63's Avatar
 
Join Date: Mar 2016
Location: Brisbane
Posts: 41
Received 12 Likes on 7 Posts
2010 C63, 2016 C63s, 2018 GLC63s
Originally Posted by Rakete99
My library works. Thanks mozy!
Congrats mate! - Welcome to an elite club :p
If anyone works out how to have live, direct CLI access I'd be keen to know how you achieve it.

I dumped the HDD to the SD card and went through files upon files. You can join the WLAN of the car but there are basic packet filter rules that prevent communication from different networks. I've toyed with the idea of modifying the files but my interest levels dropped.

A few proof snippets:
Originally Posted by QNX HU5
local_if = "lo0"
wlan_if = "uap0"
most_if = "mep0"
diag_if = "sta0"
diag_if2 = "en5"
kom_if = "kom0"
https_kom_port= "443"
broadcast = "255.255.255.255/32"
multicast = "224/4"
fuAddressMost = "192.168.222.2"
fuAddressMostAlias = "192.168.222.4"
huAddressMost = "192.168.222.1"
huAddressMostAlias = "192.168.222.3"
huWlanAddress = "192.168.220.1"
passAddress = "192.168.220.2"
huWlanAddressAlias = "192.168.220.3"
loAddress = "127.0.0.1"
wlannetwork = "192.168.220.0/24"
mostnetwork = "192.168.222.0/24"
wlanbroadcast = "192.168.220.255/32"

Originally Posted by QNX HU5
# This table contains the destination addresses that should not be
# reachable for incoming packets from WLAN clients which want to communicate
# with the Internet.
#
# Remark: This table should only be used in filter rules that are used for
# assuring that WLAN clients can reach the Internet (but nothing else).
# It is not appropriate for assuring that remote controls can reach the HU
# or for blocking the communication between WLAN clients.
#
$validForHUOnly table <UnallowedForWLANClients> const { $loAddress, $huWlanAddress, $huWlanAddressAlias, $mostnetwork } #only on HU
There are so many more rules but you get the idea. If you join the car's WLAN they only want you to get internet access and nothing else.
Telnet/23 runs on the HU but the packet filter rules don't allow a WLAN client to communicate on that port.
sshd/22 does not run at all on the HU

My next magic trick was to edit the shadow file to remove the root password if telnet became accessible, but again... lost interest in pursuing much more down this path.

The other cool 'nerd' thing I found was the PSK which made me giggle. If you understand what this is for hopefully you'll giggle too:
Originally Posted by QNX HU5
Ike, please send more tanks /Patton

Also, "cocoh" seems more interested in PM'ing me asking questions rather than proving they've done anything, so watch out
The following users liked this post:
Rakete99 (01-31-2018)
Old 01-30-2018, 07:10 AM
  #52  
Junior Member
 
cocoh's Avatar
 
Join Date: Apr 2008
Posts: 26
Received 1 Like on 1 Post
W203
I will post here soon some pictures with live system.. but I WILL NOT SHARE HOW I do it...
Old 01-30-2018, 05:39 PM
  #53  
MBWorld Fanatic!
 
auditoamg's Avatar
 
Join Date: Nov 2015
Posts: 1,095
Received 52 Likes on 49 Posts
C63s
Originally Posted by cocoh
I will post here soon some pictures with live system.. but I WILL NOT SHARE HOW I do it...
Helping each other.....
Way to go.
The following users liked this post:
Wexlax732 (02-08-2020)
Old 01-30-2018, 07:50 PM
  #54  
Newbie
 
scrapaholic's Avatar
 
Join Date: Oct 2017
Posts: 9
Received 2 Likes on 2 Posts
AMG C63s
+1. Golden rule that I teach my children. Treat people the way you want to be treated. Taking and not giving yields negative results all around? Karma
The following users liked this post:
Wexlax732 (02-08-2020)
Old 01-30-2018, 08:24 PM
  #55  
MBWorld Fanatic!
 
auditoamg's Avatar
 
Join Date: Nov 2015
Posts: 1,095
Received 52 Likes on 49 Posts
C63s
Originally Posted by scrapaholic
+1. Golden rule that I teach my children. Treat people the way you want to be treated. Taking and not giving yields negative results all around? Karma
+2
The following users liked this post:
Wexlax732 (02-08-2020)
Old 01-31-2018, 12:54 AM
  #56  
Junior Member
 
Davesc63's Avatar
 
Join Date: Mar 2016
Location: Brisbane
Posts: 41
Received 12 Likes on 7 Posts
2010 C63, 2016 C63s, 2018 GLC63s
Originally Posted by cocoh
I will post here soon some pictures with live system.. but I WILL NOT SHARE HOW I do it...
I figured you weren't going to share, nor did you have any actual valuable information to share, when you wouldn't answer my questions or write up a step-by-step on what you did.

It was even more suspect when after I shared my bash scripts, srm.cfg and modified Engineering Mode persistence files, you still didn't want to write something up... Always asking for whatsapp or skype... no, just no!

The next big red flag was asking me if I knew how to/could write you a bash script to copy the filesystem... lol Not something I'd expect to hear from someone who apparently knows how to obtain live CLI access to the QNX system.

Now I guess the final confirmation is this admission!! haha
The following 3 users liked this post by Davesc63:
FLC63s (07-05-2019), KJ (01-31-2018), Rakete99 (01-31-2018)
Old 01-31-2018, 10:30 AM
  #57  
MBWorld Fanatic!
 
AlexZTuned's Avatar
 
Join Date: Dec 2012
Location: Austin, TX
Posts: 1,537
Received 368 Likes on 262 Posts
2017 Porsche 911 C4
Originally Posted by cocoh
I will post here soon some pictures with live system.. but I WILL NOT SHARE HOW I do it...
Old 01-31-2018, 10:56 PM
  #58  
MBWorld Fanatic!
 
auditoamg's Avatar
 
Join Date: Nov 2015
Posts: 1,095
Received 52 Likes on 49 Posts
C63s
Originally Posted by AlexZTuned
Yup...
And it's been how long since the promised pictures?
Old 02-06-2018, 09:45 AM
  #59  
Junior Member
 
cocoh's Avatar
 
Join Date: Apr 2008
Posts: 26
Received 1 Like on 1 Post
W203
Hello guys..
@Davesc63.. Please check PM..
About pictures soon.. a little busy...
what you wish to see guys?

BR
Old 02-09-2018, 11:11 PM
  #60  
Member
 
vladimir.cdi's Avatar
 
Join Date: Sep 2013
Posts: 88
Likes: 0
Received 25 Likes on 18 Posts
E43AMG
Originally Posted by cocoh
Hello guys..
@Davesc63.. Please check PM..
About pictures soon.. a little busy...
what you wish to see guys?

BR
access to the file system of the HU via EtherNet/Wlan
Old 03-24-2018, 07:30 PM
  #61  
Newbie
 
Do Rin's Avatar
 
Join Date: Mar 2018
Posts: 3
Likes: 0
Received 1 Like on 1 Post
C117

I hope somebody reads me and I can survive this post.

I made some progress on my C117 and frankly I'm pretty much surprised. I can see/change many options I wouldn't expect I could, among all of them there is CarPlay and MirrorLink.

I could change the splash screen for the AMG one, even the driving type to AMG which means I have a different Dynamic Select menu - I've used for the very first time the Sport+ Drive's mode + the Sport ABS's mode.




Now I'm stuck with enabling CarPlay and MirrorLink - tomorrow I'll keep trying.

And the best, today I've done on a FB group for MB owners and a guy had the luck to activate MirrorLink and Dynamic Select successfully.
The following users liked this post:
NYCSoiL (03-24-2018)
Old 03-25-2018, 09:14 AM
  #62  
MBWorld Fanatic!
 
AlexZTuned's Avatar
 
Join Date: Dec 2012
Location: Austin, TX
Posts: 1,537
Received 368 Likes on 262 Posts
2017 Porsche 911 C4
Are you saying that it’s possible to enable CarPlay? And what exactly is different on the dynamic select options? I’m not sure I understand... ABS Sport? As in, a recalibrated ABS?
Old 03-25-2018, 09:40 AM
  #63  
Member
 
vladimir.cdi's Avatar
 
Join Date: Sep 2013
Posts: 88
Likes: 0
Received 25 Likes on 18 Posts
E43AMG
Originally Posted by AlexZTuned
Are you saying that it’s possible to enable CarPlay? And what exactly is different on the dynamic select options? I’m not sure I understand... ABS Sport? As in, a recalibrated ABS?
no, this is not possible even with StarDiagnose official way

for Cars with Audio20 production before 07/2017 CarPlay it is possible with OBD2 plug
for cars with Audio20 production after 07/2017 CarPlay it is not possible with OBD2 at all but possible with wiring harness temporary installed in between Audio20 and car, then removed after activation
do ebay search for "Mercedes CarPlay activation OBD" and you will find
The following 2 users liked this post by vladimir.cdi:
cocoh (03-29-2018), thadoggfatha (12-16-2018)
Old 07-09-2018, 01:46 AM
  #64  
Member
 
mozy's Avatar
 
Join Date: May 2015
Posts: 76
Likes: 0
Received 27 Likes on 7 Posts
C63P
Hey folks, been a while. I decided to check back in and see what's going on here. Good to hear more people still playing.
I saw some peeps seeking "live CLI access" (telnet/ssh/shell/etc), got bored last weekend and decided to try it out.

Shout out to Davesc63 for work he's put in! I'm sure he's already figured out what I'm posting here. Sorry I missed your PM's dude!


Sorry for the crap quality. But anyway, that's a video of some live stuff being done on the HU while connected to the in-car WiFi, described as such:
  1. Once again, using the previously discussed QNX library trick, I run a shell script when an SD card is inserted. More details below.
  2. This shell script disables the Packet Filter and
  3. Starts netcat on port 55559 which pipes data to and from /bin/ksh (netcat for QNX/i386 can be found here ftp://ftp.netbsd.org/pub/pkgsrc/pack...at-1.10nb3.tgz)
  4. Once in port 55559 I run "$(telnetd)" which.... starts the telnet daemon in the current session. Technically, we have a root shell here. Will explain more later.
  5. Login as the hmi user (l/p: hmi/hmi ... check /etc/passwd, short of root, all user passwords are the login name!)
  6. Run dispmsg to show a popup with some text.
  7. I then run the "Keyboard" program (already on the HU) to show that you can control the HU with your "remote" keyboard if you so desire. This one is a little wonky and sometimes freezes up like seen in the video so I had to kill it off. Sorry for the crap demo, I was trying stuff on the fly and didn't plan it too well. Let's just reiterate you can dictate the input on the HU from a remote keyboard.
  8. Finally, I start the famous graphics demo glxgears... 59FPS! Not bad!
Some finer points:
  • You'll still need to build/find/steal/etc the QNX library module to load the shell script (see below) on your SD card. You'll need to have the nc binary on the SD card to be copied over to the HU.
  • You might say "Why do you run telnetd and login as the HMI user when you seem to already have a root shell?" Well, something weird is going on with the tty when starting a netcat tunnel and piping ksh through it. I'm guessing some environment args aren't properly set or a virtual tty isn't allocated to ksh or something. I don't know QNX very well. I already have root via other methods (not "live" per se) so if I really need to get at a file or something, I can do it. The "hmi" user seems to have enough permissions for my needs and I don't quite feel like figuring out a cleaner way of starting a good root shell tunnel. Maybe if I get bored again.
Here's what you need in your shell script to accomplish the above (I use this as the basis for most my scripts):
#!/bin/ksh

HOME=/tmp/shell
PATH=/boot/bin:/bin:/opt/sys/bin:.
LD_LIBRARY_PATH=/boot/lib:/lib:/opt/sys/lib:/usr/lib:.

TMPDIR=/tmp/root
TERM=vt100
SHELL=/bin/sh
SYSNAME=nto
QNX_VERSION=qnx650
HOSTNAME=intel
PROCESSOR=x86
CPU_ARCH=x86
SAMPLE=C2
UNIT_TYPE=HU
CAR_SERIES=W205

export PATH LD_LIBRARY_PATH HOME TMPDIR TERM SHELL SYSNAME QNX_VERSION HOSTNAME PROCESSOR CPU_ARCH SAMPLE UNIT_TYPE CAR_SERIES DOOMWADDIR

dispmsg --timeout 3 --popup "Disabling PF..." &

# Disable the Packet Filter
pfctl -d

# Copy netcat to the HU and make executable
cp /fs/sdb0/nc /tmp/root/nc
chown root:root /tmp/root/nc
chmod 4755 /tmp/root/nc
chmod +x /tmp/root/nc

dispmsg --timeout 1 --popup "Launching nc..." &

# Start netcat and listen on the port, execute ksh and pipe to that port
/tmp/root/nc -l -p 55559 -e /bin/ksh &
There you go. If you can follow the explanation above the example shell script, you should be able to "telnet" into the HU with the hmi user while connected to the in-car WiFi. Not great, but it works 100% of the time.

Now, for some more fun stuff...
I figured out a way to get a telnet session without any apparently "difficult to come by" QNX libraries or funky shell scripts... sorry for the **** video. It really is hard to record and type with one hand. No jokes plz. Also I realized my IP address mistake but didn't want to re-record the video.


What's happening here is upon cold boot of the HU the system enumerates all attached USB devices and if it finds one whose chipset matches the expected pattern it will create a new non-routable network interface (typically "en5") with an IP of 192.168.168.168. The packet filtering system does not appear to account for this network interface so that's why you can get to telnet and various other open ports (nmap!). I deduced this info and repeatable process after scouring some system config files on the HU drive.

What you need:
  1. A USB Ethernet adapter with one of the following chipsets: RTL8150, Pegasus, ASIX (I have this chip, model# 88772 in an AirLink 101 USB 2.0 to Ethernet), SMSC, MCS7830
  2. Ethernet cable
  3. Laptop with an Ethernet port.
What you need to do:
  1. Turn on the HU or your car. "Reboot" your HU with the eject button trick and leave it off. OFF.
  2. Configure your laptop's eth port to have 192.168.192.167 as the IP address, e.g. on Linux: ip addr add 192.168.192.167/16 dev eth0 ; ip link set eth0 up
  3. Plug the USB Eth adapter into the 2nd USB port inside the armrest. I don't know why but the 1st port doesn't work right... would love someone to confirm/deny.
  4. Start pinging 192.168.192.168 from your laptop.
  5. Fire up the HU by pressing down on the "volume" button.
  6. Watch for ping replies. Once you see a reply continue.
  7. Telnet to port 2021 of 192.168.192.168. I derp'd in the video and was trying to connect to the wrong IP. Anyway, this is a port that has some neat "comms" debug output.
  8. Within a few seconds you should be able to telnet to 192.168.192.168 (obvs port 23) and login as usual (e.g. l/p == hmi/hmi)
The above steps are what I've seen in my experience and may not have to be followed to the exact step. But I've noticed, for some reason, that if you don't start the ping and connect to port 2021 (or any other open network port) before trying to telnet in, you'll get a message something to the effect of "no ports available" when you try to get to telnet. Something funky is going on with sockets at that point.
There's a lot more stuff that I've found but there's just not enough time in the day to play with and talk about all the neat and interesting stuff here. My initial goal many years back was to figure out how the COM/KOM and PASS units work (the thing that gets you online) but I've not been able to figure that out yet other than the fact that the embedded SIM for my car is a VZW Mobile2Mobile service.

Well, hope you enjoyed this as much as I did! And please, for the love of Chrysler, do NOT private message me asking how to update maps, recode your car for China/EU/JP/etc or how to do variant coding for things like blinkers. I have no idea how to do this.

Last edited by mozy; 07-09-2018 at 12:02 PM. Reason: detail on eth
The following 2 users liked this post by mozy:
imantr (07-06-2021), trigital (07-07-2019)
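Added example, not part of the thread or of the head unit's files: post #51 quotes pf macros that include diag_if2 = "en5", and post #64 reports that the packet filter does not appear to account for that interface. The Python sketch below audits a pf.conf-style ruleset for interfaces that exist on the box but fall outside every rule; the filter rules in the sample and the live interface list are constructed assumptions, and only the macro names and values come from post #51.

```python
import re

# Constructed sample: macro names/values are those quoted in post #51; the
# filter rules below them are invented for illustration (not the HU's rules).
SAMPLE_PF = """
local_if = "lo0"
wlan_if = "uap0"
most_if = "mep0"
diag_if2 = "en5"
wlannetwork = "192.168.220.0/24"
set skip on $local_if
pass in on $wlan_if from $wlannetwork to any
block in on $wlan_if proto tcp from any to any port 23
pass on $most_if all
"""

MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
MACRO_REF = re.compile(r"\$(\w+)")
ON_CLAUSE = re.compile(r"\bon\s+(\{[^}]*\}|\S+)")


def parse(text):
    """Split a pf.conf-style text into macros and macro-expanded rule lines."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        elif line:
            rules.append(MACRO_REF.sub(lambda r: macros.get(r.group(1), r.group(0)), line))
    return macros, rules


def ifaces_in(rule):
    """Interface names in the rule's 'on <if>' or 'on { a, b }' clause."""
    names = set()
    for clause in ON_CLAUSE.findall(rule):
        names.update(n for n in re.split(r"[\s,{}]+", clause) if n)
    return names


def audit(text, present_ifaces):
    """Classify each interface that exists on the box against the ruleset."""
    _, rules = parse(text)
    skipped, named, default_deny = set(), set(), False
    for rule in rules:
        words = rule.split()
        if words[:2] == ["set", "skip"]:
            skipped |= ifaces_in(rule)       # pf does no filtering at all here
        elif words[0] in ("block", "pass"):
            on = ifaces_in(rule)
            named |= on
            if words[0] == "block" and not on and "all" in words:
                default_deny = True          # interface-less "block ... all"
    # pf passes packets that match no rule, so without a default block an
    # interface that no rule names is wide open.
    fallback = "default-deny" if default_deny else "UNFILTERED"
    return {i: "skipped" if i in skipped else "filtered" if i in named else fallback
            for i in present_ifaces}


if __name__ == "__main__":
    live = ["lo0", "uap0", "mep0", "en5"]    # assumed interface list after boot
    print(audit(SAMPLE_PF, live))
    hardened = SAMPLE_PF.replace("pass in on", "block all\npass in on", 1)
    print(audit(hardened, live))
```

The second call shows that a default block all placed ahead of the per-interface rules changes the en5 result from UNFILTERED to default-deny, which is the property a hot-plugged interface needs.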
Old 07-09-2018, 04:22 AM
  #65  
Junior Member
 
Davesc63's Avatar
 
Join Date: Mar 2016
Location: Brisbane
Posts: 41
Received 12 Likes on 7 Posts
2010 C63, 2016 C63s, 2018 GLC63s
Originally Posted by mozy
Epic Post
This is just an epic post... but you are a very bad man!
I gave up on playing around with the PF files and I also had a go at the USB-to-Ethernet adapter however I didn't get too far. You've definitely filled in heaps of the gaps!

All I really wanted to do was unlock VIM via file modification and this live access may help get that done. I'm guessing it's pretty easy, if you've seen the encrypted files for DVDinMotion... there's a reason why you'd encrypt it... to safeguard your IP / hide how easy it is to rip people off $150+!
Old 07-09-2018, 11:22 AM
  #66  
Newbie
 
stealth98's Avatar
 
Join Date: Feb 2018
Posts: 1
Likes: 0
Received 0 Likes on 0 Posts
BMW
@mozy: great job.
Can someone send dispmsg via PM please. Thanks
Old 07-09-2018, 01:25 PM
  #67  
MBWorld Fanatic!
 
AlexZTuned's Avatar
 
Join Date: Dec 2012
Location: Austin, TX
Posts: 1,537
Received 368 Likes on 262 Posts
2017 Porsche 911 C4
So for the non-computer techs, are there any stand out features or benefits to accessing this? Enabling video while driving and that’s it so far?

I’d love to see some stuff around the car telemetrics (hp/torque gauges, g-force, throttle/brake position). Adjusting the hp/tq value display limits for folks that are tuned would be really cool. I know it’s been done with the M3/M4 guys.
Old 07-09-2018, 04:25 PM
  #68  
Member
 
mozy's Avatar
 
Join Date: May 2015
Posts: 76
Likes: 0
Received 27 Likes on 7 Posts
C63P
Originally Posted by Davesc63
This is just an epic post... but you are a very bad man!
Thanks for the compliment. I'm not sure I understand that last part, was it meant seriously or in jest? I'm confused...

Originally Posted by Davesc63
I gave up on playing around with the PF files and I also had a go at the USB-to-Ethernet adapter however I didn't get too far. You've definitely filled in heaps of the gaps!

All I really wanted to do was unlock VIM via file modification and this live access may help get that done. I'm guessing it's pretty easy, if you've seen the encrypted files for DVDinMotion... there's a reason why you'd encrypt it... to safeguard your IP / hide how easy it is to rip people off $150+!
I too am guessing unlocking VIM is possible with the access we have now... I know I've said this before but I'm only interested in the technical challenge here. I have no desire to figure out how to do VIM or worse yet profit from it. Yeah the companies providing the "service" are charging way too much but they gotta get paid for their R&D too... I guess.

Originally Posted by AlexZTuned
So for the non-computer techs, are there any stand out features or benefits to accessing this? Enabling video while driving and that’s it so far?

I’d love to see some stuff around the car telemetrics (hp/torque gauges, g-force, throttle/brake position). Adjusting the hp/tq value display limits for folks that are tuned would be really cool. I know it’s been done with the M3/M4 guys.
If by "this" you mean the internals of the Head Unit... no not really much benefit for most people. I mean it's just another computer in your car.
My car doesn't have the HP/TQ figure screen since it's a '15 but I'm guessing it might be possible to make adjustments to the numbers. Someone with a model year that has this display would need to try.

It would be super cool to see stuff like G's and throttle/brake but if it doesn't already exist from the factory it would be some miracle to come up with this. The HU does communicate with the CAN network so theoretically it might be possible but that's a challenge I'll leave to the uber-hackers out there.

Last edited by mozy; 07-09-2018 at 04:38 PM.
Old 07-09-2018, 06:41 PM
  #69  
KJ
Super Member
 
KJ's Avatar
 
Join Date: Nov 2009
Posts: 601
Received 113 Likes on 74 Posts
2020 GLE 53 AMG
Originally Posted by mozy
Thanks for the compliment. I'm not sure I understand that last part, was it meant seriously or in jest? I'm confused...
He meant Bad = Very Good
Old 07-10-2018, 06:06 AM
  #70  
Junior Member
 
Davesc63's Avatar
 
Join Date: Mar 2016
Location: Brisbane
Posts: 41
Received 12 Likes on 7 Posts
2010 C63, 2016 C63s, 2018 GLC63s
Originally Posted by mozy
Thanks for the compliment. I'm not sure I understand that last part, was it meant seriously or in jest? I'm confused...


Sorry... I meant you're a bad man because now I have the itch to set this all up and waste more time playing around with the headunit
Old 07-11-2018, 11:10 AM
  #71  
Junior Member
 
cocoh's Avatar
 
Join Date: Apr 2008
Posts: 26
Received 1 Like on 1 Post
W203
I will test this if works on newer firmware.. I know it's "a little" problem with newer flash (from 2017....). If you can post your firmware of your hu5?
Old 07-11-2018, 01:27 PM
  #72  
MBWorld Fanatic!
Thread Starter
 
cyberorth's Avatar
 
Join Date: Nov 2008
Location: SoCal
Posts: 1,624
Received 107 Likes on 75 Posts
2018 AMG GTR, 2017 GLS63, 2019 C63s
Originally Posted by Davesc63
Sorry... I meant you're a bad man because now I have the itch to set this all up and waste more time playing around with the headunit
you naughty naughty boy!
Old 07-11-2018, 02:56 PM
  #73  
Member
 
mozy's Avatar
 
Join Date: May 2015
Posts: 76
Likes: 0
Received 27 Likes on 7 Posts
C63P
Originally Posted by Davesc63
Sorry... I meant you're a bad man because now I have the itch to set this all up and waste more time playing around with the headunit
Oh haha, sorry about that! If you do get back into it, happy hunting!
Old 09-04-2018, 10:36 AM
  #74  
Newbie
 
iwillnotserve's Avatar
 
Join Date: Aug 2018
Location: Netherlands
Posts: 3
Likes: 0
Received 0 Likes on 0 Posts
Mercedes G63 AMG
I know I'm late to the party, but I've read everything with great interest. I'd like to execute a few commands as root, and as others before me have experienced: I can't get a QNX eval license (as to build the QNX library to load a shell script). Does anyone have the binary, and would he/she be willing to share it with me? I temporarily have access to an NTG 5.5 system, and would like to check if the same methods as presented above work. Otherwise I'll start trying to connect through a network adapter... Tia.
Old 09-11-2018, 01:30 AM
  #75  
Newbie
 
iwillnotserve's Avatar
 
Join Date: Aug 2018
Location: Netherlands
Posts: 3
Likes: 0
Received 0 Likes on 0 Posts
Mercedes G63 AMG
I've tested the tricks (shellscript execution, attaching a USB ASIX 88772B network adapter) to a NTG5.5 headunit of a S560 (production date of the car is June 2018), and both don't work on this more recent system. Also tried it on a G63 (2017), but I think that's a NTG4.5 system which also doesn't work.

