[4RS] Adding the RS Monitor, possible or not?

ebt25 (New Member, 28 posts; first name: ebt25; car: Laguna III; department: 10; slogan: not yet ;))

Post by ebt25 » Fri. 13 Apr. 2018 21:51

Last post from the previous page:

This looks like a whitelist of devices that can be connected to R-Link.
https://github.com/egonalter/R-Link_ker ... hitelist.h
I'm thinking about two solutions now: a USB-USB bridge (USB networking cable) or a USB networking adapter (CONFIG_USB_USBNET).


NovaS (New Member, 45 posts; first name: Andrei; car: Megane 3 RS; slogan: No slogan)

Post by NovaS » Sat. 14 Apr. 2018 22:54

Lets stop for a second and analyze, shall we? :)
What if you manage to boot from another environment, what next? ...

There is a signed boot chain, specific for this type of application, and it goes like this:

1. x-loader
2. u-boot
3. zimage
4. rootfs

For each step, there is an algorithm that checks to see if the signature of the loaded image is the correct one, based on a public key that is inside CPU-only accessible registers.
To sign an image we would need the private key, which obviously, unless one of you has friends at TomTom, we will never see.

Even if you manage to boot from another partition (sd, usb, etc), zimage will still check the signature which you don't have and refuse to mount it :)
Even if you manage to connect over USB, then what? You will not have root, just a regular user unable to change anything but the /tmp directory and no permissions. Anything important cannot be activated.
If you want to root it and activate debug mode etc, you need to put some parameters in the 2GB system image:

These parameters, for example:
ro.secure=0
ro.debuggable=1
persist.service.adb.enable=1

I already tried, guess what, the partition size and signature changes and fails to boot immediately.


So to really have any shot at this, one would need the following:

1. UART on the MFD to see what it is doing
2. Download the 4 MB image from the memory next to the CPU (it is under the big metal case on the side under the screen), not the one shown earlier in the pictures (the 2GB one is useless as it stores an image we could never use for anything as it is).

After that the real hacking comes from modifying in hex the content of the image in the hope of somehow breaking the signature verification from zimage to rootfs.

If rootfs is not verified then you can get away with anything. But until now I haven't managed to make it fail :)

Anyone that wants to attempt this, keep in mind that you might damage the board when you try to desolder the chip from the board. Another goodie is that they decided to protect the memory from read/write while on board, so you must take it off to read it. Also think about the fact that you will probably need to read and write that memory at least a few hundred times in the process.

simrucci (Clioteux de Base, 68 posts; car: captur; slogan: share knowledge)

Post by simrucci » Sun. 15 Apr. 2018 21:15

Every time you say something, it sounds like a death sentence :ptdr: :ptdr: :ptdr:

Just kidding of course... I mean, I can't believe that TomTom didn't leave any kind of "backdoor" or "service mode"... LG left a way to access both the Medianav and R-Link 2 (yep, R-Link 2 is an LG device)... I'm just reflecting on it

NovaS (New Member, 45 posts; first name: Andrei; car: Megane 3 RS; slogan: No slogan)

Post by NovaS » Mon. 16 Apr. 2018 21:45

Yes I know :) R-Link 2 is much easier to get into, but for TomTom I have not found a way ...
And you have above a sum of everything I tried until now. I wish it was easier.

If anybody has new ideas or another approach I would love to hear it :)

simrucci (Clioteux de Base, 68 posts; car: captur; slogan: share knowledge)

Post by simrucci » Tue. 17 Apr. 2018 16:39

Stupid question again: some kind of attack on the CPU to gain access to the RAM (if I'm not wrong), as geohot did with the PS3? I don't know, this is just an idea... it worked with a real fortress like the PS3, it should work on a f*cking TomTom... other types of attack? We discarded almost everything... we may consider a LAN/IP attack? I don't know... involve other people? Even to have a different point of view...

TristanC4RS (Clioteux Confirmé, 544 posts; first name: Tristan; car: Clio 4 RS Cup; department: 35; slogan: Poweeeeeeeerrrr !!!)

Post by TristanC4RS » Tue. 17 Apr. 2018 16:43

Maybe something with Stagefright ?

NovaS (New Member, 45 posts; first name: Andrei; car: Megane 3 RS; slogan: No slogan)

Post by NovaS » Tue. 17 Apr. 2018 21:25

CPU attack or LAN would be great, but how? Everything is locked ...
No USB access, no LAN/wireless

Any attack can be used if you manage to run some code on it but right now you cannot.
On SD card any program you put will not be run unless signed.

TristanC4RS (Clioteux Confirmé, 544 posts; first name: Tristan; car: Clio 4 RS Cup; department: 35; slogan: Poweeeeeeeerrrr !!!)

Post by TristanC4RS » Tue. 17 Apr. 2018 21:37

Stagefright is based on an image or video hosting code that runs directly as root through a privilege elevation routine. And the R-Link is capable of reading images or videos from a USB stick.

Vèon (New Member, 3 posts; car: Megane 3 coupè; slogan: R-link)

Post by Vèon » Wed. 18 Apr. 2018 17:24

Hi guys,

Compiling the Stagefright exploit in Python, you need to insert a host IP and port number (I suppose for remote control), but R-Link is not a smartphone with a data connection, so it is impossible to communicate. In your opinion, is it possible to connect a PC via UART and insert 127.0.0.1 as the host IP and the UART port number in the exploit in order to get shell access?

NovaS (New Member, 45 posts; first name: Andrei; car: Megane 3 RS; slogan: No slogan)

Post by NovaS » Wed. 18 Apr. 2018 21:41

I presume you will try to connect from the PC on UART using a USB device. So no, you cannot. Even more, the UART on R-Link is read-only, you cannot interact with the console in any way ...

simrucci (Clioteux de Base, 68 posts; car: captur; slogan: share knowledge)

Post by simrucci » Thu. 19 Apr. 2018 13:20

As far as we actually know, we don't have much to send commands with... as NovaS said, we can read but we can't write... Stagefright is an opportunity, but actually we do not understand how it works, or we understand very well how it works, but without any kind of connection we have no chance... we don't have wifi, and the 2G/3G connection is useless (I think) if the Renault services are not activated (paid); finally Bluetooth: we can connect to a PC but only 3 services are recognised: audio stereo, audio mono and remote control; we have a MAC address and nothing else.. UART provides read-only access... so, again, stupid questions:
can we exploit BT audio for some kind of control?
has anyone tried to connect a wifi dongle to get some kind of LAN?
can we use the IMEI for any kind of attack?
@NovaS, could you please tell me again what we could get from the 4 MB chip?
it's doing my head in


http://create.tomtom.com/developers/debug-menu.html
this?

NovaS (New Member, 45 posts; first name: Andrei; car: Megane 3 RS; slogan: No slogan)

Post by NovaS » Thu. 19 Apr. 2018 23:23

That link is for TomTom HOME :) That is the utility for Live not for R-link.

The 4MB chip contains the x-loader and u-boot. Inside is a binary image that needs to be modified in order to trick the device into not starting the signature verification procedure.
You download it and after that you start playing with a hex editor and reload it until you see on the UART that it does not try to verify the zImage or rootfs signature.

simrucci (Clioteux de Base, 68 posts; car: captur; slogan: share knowledge)

Post by simrucci » Fri. 20 Apr. 2018 09:52

@NovaS thanks, got it :)

Now, reflecting on what you said, is it possible to trick that image in order to show the private key during boot?

NovaS (New Member, 45 posts; first name: Andrei; car: Megane 3 RS; slogan: No slogan)

Post by NovaS » Sat. 21 Apr. 2018 09:24

:) No, the private key is not even on the device.
On the device is the public key, which is used to decrypt what is written with the private key.
The only way is to block the process which tries to verify the image signature.

simrucci (Clioteux de Base, 68 posts; car: captur; slogan: share knowledge)

Post by simrucci » Sat. 21 Apr. 2018 11:58

Again, thanks...
So, we cannot get the private key... and what about retrieving the public key? I mean, it's just math: the private key is decrypted by the public key, so it must give some kind of result, isn't it? As you said, the private key is NOT in the device, but if we get the public key and the result of the decryption procedure, we can theoretically, with an algorithm, generate or spoof or even find a valid private key to sign the packages... of course you already tried this solution, so please tell me what is wrong with that? :)

mesterial (Clioteux Redouté, 2800 posts; car: 4RS2 Trophy; department: 38; slogan: Pika! Pika! ^^)

Post by mesterial » Sat. 21 Apr. 2018 13:44

Do you have any idea what kind of compute power and time would be required to crack an RSA key?!? Brute force is in no way a solution.
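An added example, not code from the R-Link/TomTom unit or from anyone in this thread, that models the chain NovaS described earlier (x-loader, u-boot, zimage, rootfs, each stage checked against a public key the device holds) together with the public/private key point made in the last few posts: the device only ever needs the public key to check a signature, only the holder of the private key can produce one, and an image edited after signing (for example a build property changed in the 2GB image) fails the check and stops the boot at that stage. The key pair, stage contents and property strings are constructed placeholders; the RSA primes are deliberately tiny so the script runs offline and in no way reflect the key size of the real unit.

```python
"""Toy model of a signed boot chain with per-stage signature checks.

Added example; not code from the R-Link unit, TomTom or this thread.
Textbook RSA with small hard-coded primes is used so it runs stand-alone;
a real unit uses a full-size key held in CPU-protected storage.
"""
import hashlib

# --- constructed toy RSA key pair (far too small for real use) -------------
_P, _Q = 1000003, 1000033             # two small primes, chosen for the toy
N = _P * _Q                           # public modulus
E = 65537                             # public exponent
_D = pow(E, -1, (_P - 1) * (_Q - 1))  # private exponent: stays at the signer
PUBLIC_KEY = (N, E)                   # the only key material the device holds

STAGES = ["x-loader", "u-boot", "zimage", "rootfs"]

# Constructed sample stage images standing in for the real firmware.
SAMPLE_IMAGES = {
    "x-loader": b"x-loader (constructed sample image)",
    "u-boot": b"u-boot (constructed sample image)",
    "zimage": b"zImage (constructed sample image)",
    "rootfs": b"rootfs build.prop: ro.secure=1 ro.debuggable=0 (constructed)",
}


def _digest_int(data: bytes) -> int:
    """SHA-256 of the image, reduced mod N so the toy modulus can carry it."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes, private_exponent: int = _D) -> int:
    """Factory side: signature = digest^d mod N (needs the private key)."""
    return pow(_digest_int(data), private_exponent, N)


def verify(data: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Device side: signature^e mod N must equal the digest (public key only)."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data)


def build_signed_chain(images: dict) -> dict:
    """Sign every stage image; returns {stage: (image, signature)}."""
    return {name: (img, sign(img)) for name, img in images.items()}


def boot(chain: dict, public_key=PUBLIC_KEY) -> list:
    """Run the chain in order; each stage is verified before it may run.

    Returns the names of the stages that were allowed to run.  The first
    stage whose signature does not match stops the boot, which matches the
    behaviour reported when the rootfs image is altered.
    """
    booted = []
    for name in STAGES:
        image, signature = chain[name]
        if not verify(image, signature, public_key):
            return booted             # refuse to run a modified/unsigned stage
        booted.append(name)
    return booted


def with_modified_rootfs(chain: dict) -> dict:
    """Copy of the chain where a rootfs property was edited after signing,
    with the old signature left in place (the 2GB-image edit scenario)."""
    image, signature = chain["rootfs"]
    altered = image.replace(b"ro.secure=1", b"ro.secure=0")
    return {**chain, "rootfs": (altered, signature)}


def attempt_sign_with_public_key(data: bytes) -> int:
    """What someone holding only the public key can compute: digest^e mod N.
    It is not a valid signature, which is why knowing the public key does
    not let anyone produce images the device will accept."""
    return pow(_digest_int(data), E, N)


if __name__ == "__main__":
    signed = build_signed_chain(SAMPLE_IMAGES)
    print("untouched chain boots:", boot(signed))
    print("altered rootfs boots:  ", boot(with_modified_rootfs(signed)))
    forged = attempt_sign_with_public_key(SAMPLE_IMAGES["rootfs"])
    print("public-key 'signature' accepted:",
          verify(SAMPLE_IMAGES["rootfs"], forged))
```

Running it shows the untouched chain booting all four stages, the chain with the edited rootfs stopping after zimage, and the public-key-only "signature" being rejected; the digest is reduced mod N purely so the toy modulus can carry it, which is one of several reasons this is a model and not a usable signing scheme.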
