Dealer Mode
#76
In the words of mozy, I am looking to "build/find/steal/etc the QNX library module to load the shell script". Can anyone help me out? I had hoped to use the ethernet dongle approach, but it looks like to me from what I have, when connecting to USB port 2, packet filtering is now being applied there. Firmware update? nmap knows the head unit is alive on that IP, but all ports are closed. Anyone else run into that? This is on a 2017 C300.
#77
#78
access
I am trying to activate the engineer menu on my AMG GTS. I do not have Vediamo/DTS or Star. Is there a way to bypass by USB/SD? I am assuming it is only 1 setting on the system but I cannot figure it out.. help me!!!!! please
Hi
I'm just leaving this right here
Go to this screen (2016):
Attachment 336611
Push the comand wheel to left for several seconds.
This happens:
Attachment 336612
Bye
#79
So, I have NTG*1 and I don't have such smr.cfg file, but NaviPnd.so and I've been analyzing it and this is what it contains:
- NULL
- .hash
- .dynsym
- .dynstr
- .rel.dyn
- .rel.plt
- .init
- .plt
- .text
- .fini
- .rodata
- .ARM.extab
- .ARM.exidx
- .eh_frame
- .init_array
- .fini_array
- .jcr
- .data.rel.ro
- .dynamic
- .got
- .data
- DBGips
- DBGmd
- .bss
- .comment
- .ARM.attributes
- .gnu_debuglink
- .shstrtab
- .symtab
- .strtab
The most interesting ones are .rodata and .DBGmd.
Some sneak peek from .rodata
..\..\..\..\gui-ui\daimler\GUI_DaimlerSafeMode.cpp: 590
..\..\..\..\gui-ui\daimler\GUI_DaimlerSafeMode.cpp: 586
..\..\..\..\gui-ui\daimler\GUI_DaimlerSafeMode.cpp: 563
..\..\..\..\gui-ui\daimler\GUI_DaimlerSafeMode.cpp: 556
..
..
readNvmChecksum
writeNvmChecksum
GARMIN.NVM
GARMIN.NVM_BAK
GARMIN_NOR.NVM
GARMIN_NOR.NVM_BAK
NVM_CHECKSUM.txt
Entering writeNvmChecksum
Finished executing writeNvmChecksum() in %d msec
Entering readNvmChecksum
Checksum file does not exist
Finished executing readNvmChecksum() in %d msec
..\..\..\..\technologies\nonvol-manager\NVM_Checksum.cpp: 284
..\..\..\..\technologies\nonvol-manager\NVM_Checksum.cpp: 241
..\..\..\..\technologies\nonvol-manager\NVM_Checksum.cpp: 192
..\..\..\..\technologies\nonvol-manager\NVM_Checksum.cpp: 176
..\..\..\..\technologies\nonvol-manager\NVM_Checksum.cpp: 165
..\..\..\..\technologies\nonvol-manager\NVM_Checksum.cpp: 125
Entering nvm_pwrp_intf() =========
&sLock
Some sneak peek from .DBGmd
GUI_Setting
ASR key pressed.
..\..\..\..\gui-ui\daimler\GUI_AppManager.cpp
GUI_Setting
ASR cannot be started - SD card is locked
..\..\..\..\gui-ui\daimler\GUI_AppManager.cpp
NdbComparator
::confirmWithBlockedPrompt aId=%d RESTRICTED.
..\..\..\..\gui-ui\daimler\GUI_DaimlerSafeMode.cpp
NDB_SEARCH
..
..
..
syc_ndb_wrapper
MAP_UNLOCK: exit NDB_get_card_id, SDCardUniqueID=%lu, card_id=%lu, success=%d
..\..\..\..\technologies\system-controller\SYC_NdbWrapper.cpp
syc_ndb_wrapper
As I understood, this .so file is just a library with some relevant data so the Garmin app can start. My next move will be to make a patch and some specific call, overwrite it with some custom code.
If you have also NTG5*1 and you wanna have a look, start checking binutils and binwalk
Let's see...
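Added example (not written by any poster in this thread): the section list and strings in post #79 show debug-only sections (DBGips, DBGmd), a symbol table and build-tree source paths shipped inside a production library. A release-hygiene check for exactly that, in Python, run against a constructed ELF32 image; the EXPECTED allowlist, the function names and the sample image are assumptions of this example.

```python
import re
import struct

# Sections a release build of a shared object still needs (from the list in the post).
EXPECTED = {"", ".hash", ".dynsym", ".dynstr", ".rel.dyn", ".rel.plt", ".init", ".plt",
            ".text", ".fini", ".rodata", ".ARM.extab", ".ARM.exidx", ".eh_frame",
            ".init_array", ".fini_array", ".jcr", ".data.rel.ro", ".dynamic", ".got",
            ".data", ".bss", ".comment", ".ARM.attributes", ".shstrtab"}
# Build-tree paths such as ..\..\gui-ui\daimler\GUI_AppManager.cpp left in string data.
SRC_PATH = re.compile(rb"(?:\.\.[\\/])+[\w\\/.-]+\.(?:cpp|c|h)")


def sections(elf: bytes) -> dict:
    """Return {section name: file bytes} for a little-endian ELF32 image."""
    if elf[:4] != b"\x7fELF" or elf[4:6] != b"\x01\x01":
        raise ValueError("not a little-endian ELF32 file")
    (shoff,) = struct.unpack_from("<I", elf, 0x20)
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x2E)
    hdrs = [struct.unpack_from("<10I", elf, shoff + i * shentsize) for i in range(shnum)]
    strtab = elf[hdrs[shstrndx][4]:hdrs[shstrndx][4] + hdrs[shstrndx][5]]
    out = {}
    for name_off, sh_type, _flags, _addr, off, size, *_rest in hdrs:
        name = strtab[name_off:strtab.index(b"\0", name_off)].decode()
        out[name] = b"" if sh_type == 8 else elf[off:off + size]  # 8 = SHT_NOBITS (.bss)
    return out


def audit(elf: bytes) -> dict:
    """Report sections outside EXPECTED and source paths embedded in any section."""
    secs = sections(elf)
    paths = {m.group().decode() for data in secs.values() for m in SRC_PATH.finditer(data)}
    return {"unexpected_sections": sorted(n for n in secs if n not in EXPECTED),
            "source_paths": sorted(paths)}


def build_sample() -> bytes:
    """Constructed ELF32 image; section names and strings are copied from the post."""
    body = {".rodata": b"Entering readNvmChecksum\0"
                       b"..\\..\\..\\..\\technologies\\nonvol-manager\\NVM_Checksum.cpp: 284\0",
            "DBGmd": b"GUI_Setting\0..\\..\\..\\..\\gui-ui\\daimler\\GUI_AppManager.cpp\0",
            ".symtab": b"\0" * 16}
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in [*body, ".shstrtab"])
    body[".shstrtab"] = strtab
    data, hdrs = b"", [struct.pack("<10I", *[0] * 10)]  # index 0: mandatory null section
    for name, blob in body.items():
        sh_type = 3 if name == ".shstrtab" else 1  # section types simplified for the sample
        hdrs.append(struct.pack("<10I", strtab.index(name.encode() + b"\0"), sh_type,
                                0, 0, 52 + len(data), len(blob), 0, 0, 1, 0))
        data += blob
    ehdr = b"\x7fELF\x01\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIIIIIHHHHHH", 3, 40, 1, 0, 0, 52 + len(data), 0, 52, 0, 0, 40, len(hdrs),
        len(hdrs) - 1)  # ET_DYN, EM_ARM, section table placed after the data
    return ehdr + data + b"".join(hdrs)


if __name__ == "__main__":
    print(audit(build_sample()))
```

On a real build the same check would run in the release pipeline after stripping, failing the build when either list is non-empty.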
#80
Really nice guide, but not so much information on the SD card. Can someone please tell me how to load the library to my head unit and then execute the script?
I have a 2014 S Klasse with MB Wifi so I won't need ethernet
Regards,
#81
I'm back in the Merc family (GLC63) but still cursed with an NTG5s2... Did anyone find anything cool to do with this access?
All I want is CarPlay and I am waiting for my VXDiag with DoIP to arrive to have a poke around even more!
About to dust off these old files and unlock engineering mode again
#82
I talked to a Security Engineer at Harman and was informed they were made aware of this sometime in 2016 (before/after my post? I dunno, he wasn't specific on time frame).
He said they provided a patch to Daimler to remove anything srm-related very soon after and this thing's been disabled since. My car's been to the dealer a few times and I can still reproduce this so I don't know if they patch(ed) pre-2016 cars but if he's right anything after 2016 won't work with this 'hack'.
Looking forward to hearing what you find tho.
#83
I have found my config files so will give it a go in a few hours and report back. I spent many hours poking around with this before selling the C63s.
Did you guys ever achieve anything worthwhile with the access?
I just poked around a bunch of system files. Found the PSK for the VPN access to Daimler servers, Found and modified firewall rules... but never achieved anything of real value - VIM / CarPlay
#84
Naw, I think there's maybe 3-4 of us here who did real work and have seen the guts. I pretty much gave up interest between the original breakthrough and that one "live shell" stunt.
In the early days I, too, explored the FS for hours (mostly via offline dump to USB because: battery) and found the raccoon configs, VPN cert and other misc QNX junk. Won't go into more detail on the VPN stuff but yeah poking around the online portal(s) entertained me for a bit before I started getting nervous and backed off. I also think I broke something because I can't start Internet Radio directly anymore (lulz, oops).
I don't think anyone's really found anything exciting/valuable? I'd need to rescan the thread.
You know, now that I think about it, I never really had a goal besides getting root and then set course for Engineering Mode when someone asked if it existed (I honestly didn't think it was possible via this method, but the Dealer Mode gave me hope). Once that was done I just did the usual exploring and bored myself out. I kind of wanted to get access to the cell module to explore the Mobile2Mobile connectivity (anyone curious how remote unlock really works? ) but never got even close other than RE'ing the MB phone app for a bit. There's probably more fun stuff... who knows what other secrets lie beneath?
#93
Anything specific? I've unlocked the engineering menu and gone through some stuff but nothing significant yet. I think I've found how to do the video in motion thing but I am unsure and am wary about changing **** that I don't know what it does. I'll keep going through the files and report back when I find cool ****. It takes quite a while to dump the file system and I just can't be bothered driving around for that long. I drove an hour last night and dumped maybe a quarter of the files.
Here's the engineering menu.
Also I think I've found a way to do this exploit with just the srm file and a bash script. No qnx compiled library needed. But I am yet to try this.
The following 2 users liked this post by Mattigins:
George_1992 (10-02-2021),
Jimmy_c63s (10-03-2021)
#94
I've got Video in motion activated if you want the files as a reference i'll pm them over.
Regards,
George.
Last edited by George_1992; 10-04-2021 at 10:21 AM.
#95
You're a dangerous man......💀💀💀
What I want to know is how to adjust the Engine Data display. I've done this traditionally after Mercedes di*k with the car and load a software update, by going into Car, Start Learn Mode and waiting for it to say Success. But others can finely adjust it to display KW/HP/PS blah blah.
What does learn mode actually do? I saw it but didn't touch it because I don't know what it is and didn't want to ruin my tune etc
#96
Awesome bro, pm sent. Will be good to get a set of eyes over it and perhaps see what can be found?
The following 2 users liked this post by George_1992:
Jimmy_c63s (10-03-2021),
Wexlax732 (10-03-2021)
#97
Tethering
I had a look today and can't see any equalizer settings.
Also can't see an "on/off" for bluetooth tethering. I already have the feature.
Of interest to me, also nothing for VIM although there are a few settings (0x0, 0x1, 0x2) that switch the TV off immediately, at 3kph, or standard
As a bit of a geek, I'm ashamed to admit I had to turn to the internet to try and work out how to hook up my COMAND NTG5 to the web via my mobile phone. Alas, there's not a lot of information on it, so I'll attempt to rectify it, mainly because someone was reporting how easy BMW's system works and how complicated MB's solution is. Actually, once you know how, it's easy and it's more of a feature on the phone than COMAND's shortcomings.
Firstly, let me clarify a few bits (Go to the bit in red, to skip my mumblings):
Bluetooth
COMAND connects to your phone via Bluetooth (BT) - a wireless technology designed for transmitting data over short distances. Any BT device has one or more "Profiles" available, depending on what the device does. For example, a BT computer mouse or keyboard would have the Human Interface Device (HID) profile.
COMAND makes use of the following BT profiles:
1. Telephony
Make and receive calls: Hands-Free Profile (HFP).
Access telephone phone book: Phone Book Access Profile (PBA)
2. Audio (Media)
Play music stored on phone: Advanced Audio Distribution Profile (A2DP)
Navigate music tracks stored on your phone, using COMAND: Audio/Video Remote Control Profile (AVRCP)
3. Internet
Use your phone's data connection (tether) to browse the internet on the COMAND: Dial-Up Networking (DUN).
Most modern smart phones will have 1 & 2. Strangely, modern phones seem not to bother with DUN so much.
WiFi
WiFi is what most of us have in the home or use in a Starbucks to connect our "wireless" devices to the Internet. If you've ever had to call up your Internet Service Provider, they have probably referred to it as a Wireless Router, or you may have seen the BT adverts for their Home Hub. This is all most need to know, but the fact is that "WiFi", or to give it its proper name, Wireless Local Area Network (WLAN) is a fully fledged computer network. We need a router to connect our devices to the Internet, but the Internet and WiFi routers are separate entities. We can have a WiFi network without the Internet. Any device on the same WiFi network (negating security for a moment) can "talk" to each other.
Sometimes you see the term WiFi Hotspot. An interchangeable term, but often it denotes that the network is public, as in anyone can connect to it - unlike your home WiFi (I hope).
How does this relate to COMAND? By default, the COMAND creates a WiFi network, a wireless hotspot, for your passengers' devices. It acts like your router at home. If you scan for WiFi networks in your car, you'll probably see something like MB-nnnnn-n. Although I haven't tried it, if you connected two devices to the car's WiFi network, the two devices should be able to communicate. If you look at the advanced settings of the WiFi connection, they will have a similar IP address, such as 192.168.1.n. If you had two sprogs, each with their own tablet, they could play a game together, the same as they might at home.
Internet Connectivity
So where does the Internet come in to all of this? Your phone can browse the Internet, but how does the COMAND? We let the COMAND share your phone's Internet connection in a similar way you may do this with a tablet, by enabling the "Personal Hotspot" feature on your phone. Your tablet then picks up a WiFi network created by your phone. This is known as "Tethering".
Ok, so now I have clarified a few bits (I hope), how do we hook up the Internet to the COMAND? To simplify things, put the WiFi connection part to one side for a moment. At this point we are only interested in connecting the phone to the COMAND via Bluetooth. We mentioned BT profiles earlier and the one that allows the COMAND to browse the Internet is the DUN BT profile, therefore your phone needs to support DUN.
So you've already "paired" your phone with COMAND, you know it supports DUN, but when you try and browse the Internet from COMAND, it shows as offline. The trick is to allow your phone to share its Internet Connection over Bluetooth. On an Android, this is done by:
1. Settings (Gear wheel)
2. More...
3. Bluetooth tethering = ON
(These settings may be slightly different for different versions of Android, but the key is to turn on Bluetooth tethering. Having never owned one of the white devices, I can't tell you if it will be similar or not).
Going back to WiFi, if you connect a device to the car's WiFi hotspot, it should have Internet Access too.
There is one caveat to all of this, your mobile phone provider has to allow tethering. I know EE does, and GiffGaff does (or at least, did) on all tariffs, apart from the unlimited data one. I can't speak for the others.
Connection flow:
Phase 1: COMAND ---(BT DUN)---> phone ----(3G/4G)---> Internet
Phase 2: Tablet ---(WiFi)--->COMAND
Bluetooth isn't the fastest of technologies any more, and your connection will be slow. If you have sprogs that want internet access from their tablets, I'd omit the COMAND from the equation and just turn on your Personal Hotspot.
Sent from my iPhone
#98
Guys just came across this thread. Read through most of it understood maybe 1/2 of it.
I have a 2019 C63S, is it easy to access the Engineering menu?
I've aced the one through the Trip and also the basic one through the main system but look to get into the good stuff that guys have posted here.
#99
Hello all,
I've been trying the things from mozy (with his test lib) and also attempted the connection method with usb to ethernet adapter. Nothing worked so far... does it work only on comand or also on audio20?
My car is 2015 (supposed to be working, unless it has been patched by MB)
In the end, I'm just interested in activating the engineering menu which was available before but I lost it after I reset the system back to factory settings.
If anyone has an idea, please reply or PM me.
Thank you