Dealer Mode
I'm just leaving this right here

Go to this screen (2016):
Attachment 336611
Push the COMAND wheel to the left for several seconds.
This happens:
Attachment 336612
Bye
- NULL
- .hash
- .dynsym
- .dynstr
- .rel.dyn
- .rel.plt
- .init
- .plt
- .text
- .fini
- .rodata
- .ARM.extab
- .ARM.exidx
- .eh_frame
- .init_array
- .fini_array
- .jcr
- .data.rel.ro
- .dynamic
- .got
- .data
- DBGips
- DBGmd
- .bss
- .comment
- .ARM.attributes
- .gnu_debuglink
- .shstrtab
- .symtab
- .strtab
Some sneak peek from .rodata
..\..\..\..\gui-ui\daimler\GUI_DaimlerSafeMode.cpp: 586
..\..\..\..\gui-ui\daimler\GUI_DaimlerSafeMode.cpp: 563
..\..\..\..\gui-ui\daimler\GUI_DaimlerSafeMode.cpp: 556
..
..
readNvmChecksum
writeNvmChecksum
GARMIN.NVM
GARMIN.NVM_BAK
GARMIN_NOR.NVM
GARMIN_NOR.NVM_BAK
NVM_CHECKSUM.txt
Entering writeNvmChecksum
Finished executing writeNvmChecksum() in %d msec
Entering readNvmChecksum
Checksum file does not exist
Finished executing readNvmChecksum() in %d msec
..\..\..\..\technologies\nonvol-manager\NVM_Checksum.cpp: 284
..\..\..\..\technologies\nonvol-manager\NVM_Checksum.cpp: 241
..\..\..\..\technologies\nonvol-manager\NVM_Checksum.cpp: 192
..\..\..\..\technologies\nonvol-manager\NVM_Checksum.cpp: 176
..\..\..\..\technologies\nonvol-manager\NVM_Checksum.cpp: 165
..\..\..\..\technologies\nonvol-manager\NVM_Checksum.cpp: 125
Entering nvm_pwrp_intf() =========
&sLock
ASR key pressed.
..\..\..\..\gui-ui\daimler\GUI_AppManager.cpp
GUI_Setting
ASR cannot be started - SD card is locked
..\..\..\..\gui-ui\daimler\GUI_AppManager.cpp
NdbComparator
::confirmWithBlockedPrompt aId=%d RESTRICTED.
..\..\..\..\gui-ui\daimler\GUI_DaimlerSafeMode.cpp
NDB_SEARCH
..
..
..
syc_ndb_wrapper
MAP_UNLOCK: exit NDB_get_card_id, SDCardUniqueID=%lu, card_id=%lu, success=%d
..\..\..\..\technologies\system-controller\SYC_NdbWrapper.cpp
syc_ndb_wrapper
If you have also NTG5*1 and you wanna have a look, start checking binutils and binwalk
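Seen from the vendor side, the section list and `.rodata` strings in the post above are what a release-hygiene check should catch before a binary ships: a leftover `.symtab`, `.strtab`, `.comment` or `.gnu_debuglink`, and `__FILE__`-style source paths. The sketch below is an added example, not part of the original post or any Harman/Daimler code; it handles little-endian ELF32 only, and `audit`, `sections`, `build_sample` and the sample image are constructed for illustration.

```python
import re
import struct

# Sections that should not survive into a release build (all appear in the list above).
LEAKY = {".symtab", ".strtab", ".comment", ".gnu_debuglink"}
# Relative source paths of the kind __FILE__ leaves behind in .rodata.
SRC_PATH = re.compile(rb"(?:\.\.[\\/])+[\w\\/.-]+\.(?:cpp|c|h)")

def sections(elf):
    """Return {name: file bytes} for each section of a little-endian ELF32 image."""
    if elf[:6] != b"\x7fELF\x01\x01":
        raise ValueError("not a little-endian ELF32 image")
    shoff, = struct.unpack_from("<I", elf, 0x20)
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x2E)
    hdrs = [struct.unpack_from("<10I", elf, shoff + i * shentsize) for i in range(shnum)]
    stroff = hdrs[shstrndx][4]          # sh_offset of the section-name string table
    out = {}
    for name_idx, sh_type, _, _, off, size, *_ in hdrs:
        start = stroff + name_idx
        name = elf[start:elf.index(b"\0", start)].decode()
        out[name] = b"" if sh_type == 8 else elf[off:off + size]  # 8 = SHT_NOBITS (.bss)
    return out

def audit(elf):
    """Return (leaky section names, source paths found in .rodata)."""
    secs = sections(elf)
    paths = {m.group().decode() for m in SRC_PATH.finditer(secs.get(".rodata", b""))}
    return sorted(LEAKY & secs.keys()), sorted(paths)

def build_sample():
    """Constructed four-section ELF32 image (not taken from any real firmware)."""
    rodata = b"..\\..\\nonvol-manager\\NVM_Checksum.cpp: 284\0Entering readNvmChecksum\0"
    names = b"\0.rodata\0.symtab\0.shstrtab\0"
    parts = [(b"", 0, b""), (b".rodata", 1, rodata), (b".symtab", 2, b"\0" * 16),
             (b".shstrtab", 3, names)]
    blob, hdrs = b"", []
    for name, sh_type, body in parts:
        name_idx = names.index(name + b"\0") if name else 0
        hdrs.append(struct.pack("<10I", name_idx, sh_type, 0, 0, 52 + len(blob),
                                len(body), 0, 0, 1, 0))
        blob += body
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", 3, 40, 1, 0, 0,
                       52 + len(blob), 0, 52, 0, 0, 40, len(hdrs), 3)
    return ehdr + blob + b"".join(hdrs)

if __name__ == "__main__":
    print(audit(build_sample()))
```

A build pipeline would fail the release when either returned list is non-empty.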
Let's see...
I have a 2014 S Klasse with MB Wifi so I won't need ethernet
Regards,
All I want is CarPlay and I am waiting for my VXDiag with DoIP to arrive to have a poke around even more!
About to dust off these old files and unlock engineering mode again

I talked to a Security Engineer at Harman and was informed they were made aware of this sometime in 2016 (before/after my post? I dunno, he wasn't specific on time frame).
He said they provided a patch to Daimler to remove anything srm-related very soon after and this thing's been disabled since. My car's been to the dealer a few times and I can still reproduce this so I don't know if they patch(ed) pre-2016 cars but if he's right anything after 2016 won't work with this 'hack'.
Looking forward to hearing what you find tho.
Did you guys ever achieve anything worthwhile with the access?
I just poked around a bunch of system files. Found the PSK for the VPN access to Daimler servers, found and modified firewall rules... but never achieved anything of real value - VIM / CarPlay
In the early days I, too, explored the FS for hours (mostly via offline dump to USB because: battery) and found the raccoon configs, VPN cert and other misc QNX junk. Won't go into more detail on the VPN stuff but yeah poking around the online portal(s) entertained me for a bit before I started getting nervous and backed off
I also think I broke something because I can't start Internet Radio directly anymore (lulz, oops). I don't think anyone's really found anything exciting/valuable? I'd need to rescan the thread.
You know, now that I think about it, I never really had a goal besides getting root and then set course for Engineering Mode when someone asked if it existed (I honestly didn't think it was possible via this method, but the Dealer Mode gave me hope). Once that was done I just did the usual exploring and bored myself out. I kind of wanted to get access to the cell module to explore the Mobile2Mobile connectivity (anyone curious how remote unlock really works?) but never got even close other than RE'ing the MB phone app for a bit. There's probably more fun stuff... who knows what other secrets lie beneath?
QNX_VERSION=650
QNX_VERSION=MOMENTICS_6_5_0




Here's the engineering menu.
Also I think I've found a way to do this exploit with just the srm file and a bash script. No qnx compiled library needed. But I am yet to try this.
I've got Video in motion activated if you want the files as a reference i'll pm them over.
Regards,
George.
Last edited by George_1992; Oct 4, 2021 at 10:21 AM.
What I want to know is how to adjust the Engine Data display. I've done this traditionally after Mercedes di*k with the car and load a software update, by going into Car, Start Learn Mode and waiting for it to say Success. But others can finely adjust it to display KW/HP/PS blah blah.
What does learn mode actually do? I saw it but didn't touch it because I don't know what it is and didn't want to ruin my tune etc
Also can't see an "on/off" for bluetooth tethering. I already have the feature.
Of interest to me, also nothing for VIM although there are a few settings (0x0, 0x1, 0x2) that switch the TV off immediately, at 3kph, or standard
As a bit of a geek, I'm ashamed to admit I had to turn to the internet to try and work out how to hook up my COMAND NTG5 to the web via my mobile phone. Alas, there's not a lot of information on it, so I'll attempt to rectify it, mainly because someone was reporting how easy BMW's system works and how complicated MB's solution is. Actually, once you know how, it's easy and it's more of a feature on the phone than COMAND's shortcomings.
Firstly, let me clarify a few bits (Go to the bit in red, to skip my mumblings):
Bluetooth
COMAND connects to your phone via Bluetooth (BT) - a wireless technology designed for transmitting data over short distances. Any BT device has one or more "Profiles" available, depending on what the device does. For example, a BT computer mouse or keyboard would have the Human Interface Device (HID) profile.
COMAND makes use of the following BT profiles:
1. Telephony
Make and receive calls: Hands-Free Profile (HFP).
Access telephone phone book: Phone Book Access Profile (PBA)
2. Audio (Media)
Play music stored on phone: Advanced Audio Distribution Profile (A2DP)
Navigate music tracks stored on your phone, using COMAND: Audio/Video Remote Control Profile (AVRCP)
3. Internet
Use your phone's data connection (tether) to browse the internet on the COMAND: Dial-Up Networking (DUN).
Most modern smart phones will have 1 & 2. Strangely, modern phones seem not to bother with DUN so much.
WiFi
WiFi is what most of us have in the home or use in a Starbucks to connect our "wireless" devices to the Internet. If you've ever had to call up your Internet Service Provider, they have probably referred to it as a Wireless Router, or you may have seen the BT adverts for their Home Hub. This is all most need to know, but the fact is that "WiFi", or to give it its proper name, Wireless Local Area Network (WLAN) is a fully fledged computer network. We need a router to connect our devices to the Internet, but the Internet and WiFi routers are separate entities. We can have a WiFi network without the Internet. Any device on the same WiFi network (negating security for a moment) can "talk" to each other.
Sometimes you see the term WiFi Hotspot. An interchangeable term, but often it denotes that the network is public, as in anyone can connect to it - unlike your home WiFi (I hope).
How does this relate to COMAND? By default, the COMAND creates a WiFi network, a wireless hotspot for your passengers' devices. It acts like your router at home. If you scan for WiFi networks in your car, you'll probably see something like MB-nnnnn-n. Although I haven't tried it, if you connected two devices to the car's WiFi network, the two devices should be able to communicate. If you look at the advanced settings of the WiFi connection, they will have a similar IP address, such as 192.168.1.n. If you had two sprogs, each with their own tablet, they could play a game together, the same as they might at home.
Internet Connectivity
So where does the Internet come in to all of this? Your phone can browse the Internet, but how does the COMAND? We let the COMAND share your phone's Internet connection in a similar way you may do this with a tablet, by enabling the "Personal Hotspot" feature on your phone. Your tablet then picks up a WiFi network created by your phone. This is known as "Tethering".
Ok, so now I have clarified a few bits (I hope), how do we hook up the Internet to the COMAND? To simplify things, put the WiFi connection part to one side for a moment. At this point we are only interested in connecting the phone to the COMAND via Bluetooth. We mentioned BT profiles earlier and the one that allows the COMAND to browse the Internet is the DUN BT profile, therefore your phone needs to support DUN.
So you've already "paired" your phone with COMAND, you know it supports DUN, but when you try and browse the Internet from COMAND, it shows as offline. The trick is to allow your phone to share its Internet Connection over Bluetooth. On an Android, this is done by:
1. Settings (Gear wheel)
2. More...
3. Bluetooth tethering = ON
(These settings may be slightly different for different versions of Android, but the key is to turn on Bluetooth tethering. Having never owned one of the white devices, I can't tell you if it will be similar or not).
Going back to WiFi, if you connect a device to the car's WiFi hotspot, it should have Internet Access too.
There is one caveat to all of this, your mobile phone provider has to allow tethering. I know EE does, and GiffGaff does (or at least, did) on all tariffs, apart from the unlimited data one. I can't speak for the others.
Connection flow:
Phase 1: COMAND ---(BT DUN)---> phone ----(3G/4G)---> Internet
Phase 2: Tablet ---(WiFi)--->COMAND
Bluetooth isn't the fastest of technologies any more, and your connection will be slow. If you have sprogs that want internet access from their tablets, I'd omit the COMAND from the equation and just turn on your Personal Hotspot.
I have a 2019 C63S, is it easy to access the Engineering menu?
I've aced the one through the Trip and also the basic one through the main system but look to get into the good stuff that guys have posted here.
I've been trying the things from mozy (with his test lib) and also attempted the connection method with usb to ethernet adapter. Nothing worked so far... does it work only on comand or also on audio20?
My car is 2015 (supposed to be working, unless it has been patched by MB)
In the end, I'm just interested in activating the engineering menu which was available before but I lost it after I reset the system back to factory settings.
If anyone has an idea, please reply or PM me.
Thank you



