Dernier message de la page précédente :

Do you have any idea what kind of compute power and time would be required to crack an RSA key?!? In no way bruteforce is a solution.

Well, even with Nasa's network it will takes years... and maybe without results... I'm not say' crack anche RSA, i asked if we can get public Key, get the results of decryption and try to reverse the process... Never sayd "bruteforce", we're not talking about of crack a password protected zip archive...

Unfortunately you have no chance. The private key public key encryption is something that is suppose to work exactly like this.
Why do you think they call it public key? :) It's no danger if you have it.
You will never succeed to find a private key just because you know the public one :)
Instead focus on stopping the verification process. Anything else is kind of useless ...

Bonjour
Pour les possesseur de stage 1 :le rs monitor plafonne avec les valeurs d’origine ??? y a moyen de modifier ça ?

@Novas yes, if we avoid verification, no keys needed.. but, and correct me if i'm wrong, we need to connect on circuit board (maybe once and never again with a little bit of luck), skip verification and then install RS monitor... No "easy" sdcard update... Right?

Yes, if we manage this, then the image that is on the unit can be modified and then we will have access over usb.
Once done, ssh will follow and push applications etc.
In any case to do it you need to read that memory, modify the image, upload it again and try to boot until you see that the signature verification is not done anymore

how do we connect to that chip? do we have to desolder it and find the pins or you already have a pinout? and we connect with a simple com port or we need some special hardware?

Either desolder it and use a memory programmer that knows how to program that type of memory either on board welding some wires on the pins and connecting again to the same memory programmer. (you cannot do it with a simple upart/com etc)

The pinout i dont have but is pretty easy to obtain on the net if you search for the memory type.

Maybe it's obvious, but I have some analysis after last update:
-There is no special firmware for R-Link with RS Monitor
-I have R-Link from non RS car, so I was a bit afraid that after update to last revision RS Monitor disappear. Fortunately nothing like that happened.
-Presence of RS Monitor has to be depends on some parameters in configuration. Maybe this configuration is not protected by any private key - if we change configuration by DDT there is no need to sign anything.
-Or Maybe RS monitor, like other apps, is installed on user partition (that is what we need to check)

Qbak, i know what you mean... in example r-link 2 has a-ivi ecu, is a second ecu that, with radnav, configure the whole unit. unfortunately, we're not so lucky, or at least, there is one but we do not know the existance... anyway, I think that NovaS already tryed almost everything... So, if he say that *actually* this is the only solution, i'm afraid he's right...

Everything is in configuration. You do not need to solder anything. I have already finished.

Congrat’s !

ebt25 well played, now if you could be more specific and explain how you did that, it could be very helpufl
thanks and, again congratulations

ATTENTION Activation involves physical access to the system and interference of the programmer in the memory, thus everyone does it at their own risk. Although the risk of damage is negligible I do not take responsibility for the resulting damage.

You do not need to buy anything to activate. Activation consists in changing one byte in the eeprom memory - anyone who deals with electronics at least is able to do so. You do not need to desoldering, you do not need any expensive or specialized tools, you just need a regular serial memory programmer and, for example, a soic8 clip. I had everything at hand and instead of starting from the simplest things I focused on UART / eMMC / u-boot / x-loader and it turned out that it's so simple. In this memory is saved the whole configuration of navigation, all options that we turn on / off, e.g. via DDT or Clip. The serial number and VIN are also recorded, just like in other modules.

On the R-Link board, we're looking for 24C64F serial eeprom memory. It may be on the side where the USB connectors are and may also be on the other side - then you must disconnect the screen.

We attach a soic8 clip and try to read the memory - it will probably be an error, so we turn on the navigation - we wait until it starts and we try to read the memory again - it should read without a problem.

We modify it as follows:

We are interested in 3 places:

Offset: 00000B11:

00 - RS Monitor disabled

01 - x95 RS ph2

02 - x98 RS

Offset: 00000B12 (Slot1):

00020001000A0E10010800050A8C01092EE02EE0659001075A5ABE010A3C3C7801042EE02EE032C801042EE02EE0345801076E6EA001050000190A0A2710271036B0010A5F5F91010A64646E010000000A010000008C01072EE032C884D0010B00010203040506070204000901000101010101000180808080757575726B6A686561605E615A58546154514B614F4B44614B463E614A443E614B443E614D443E614D443E618080808083838383858584818887877F8C8B897F908F8C7F97958F7F9E9B8F7FA8A28F7FB3A28F7FBAA28F7FBAA28F7F14506E013201280596230000000000000000000000000000000000

Offset: 00000C02: (Slot2):

0001000200525F6F7F8F9AA3A7AAAAAAA8A7A6A5A3A2A19B958E867E644B323232525F6F7F8F9AB4B4B4B4B4B4B4B4B1B1AEAAA8A49A8A7A78645A503269019064057864004E2064635F6401903C03E864646464646464004B007700A800E6012201606464325A6E010696965A829600014502640FDC1C87B402000000000100015F880F010200030414100A0300284B6E96BE000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

We save the modified file to the eeprom memory and do a restart of the navigation after which RS Monitor will appear automatically.

Slots probably determine the equipment of the car. There may be differences in the gearbox, etc. I will check it.

Possible errors include turning on navigation:

Connect to local dealer - damaged memory / incorrectly modified / reset
EOL settings - incorrect configuration / no complementary Slots with RS Monitor activated.

Thanks !!

man, simply genious... instead of using ddt, you directly modifyed the ".ini" file... really great... i have a question... if it worked, maybe mfd ecu has a wrong address, and we could easily change it an get it work via obd?