hacking nac peugeot

By crazychimp80, Junior Member on 15th February 2019, 03:06 PM
12th March 2020, 10:28 AM |#21  
Hi guys, I have a new 3008 Allure version and I want to enable the iCockpit color personalization like on the GT Line model. Is it possible? I think and hope yes.
25th March 2020, 03:29 AM |#22  
EDITED
25th March 2020, 10:48 AM |#23  
Pin location
The pins are on the middle connector.

It should be the yellow part which is in the middle of the connector.

Pin 23 and 24
And
Pin 29 and 30

Regards
26th March 2020, 02:43 AM |#24  
By the verbose and the outputs, all I have found until now is that the username is not "root".
29th March 2020, 09:51 AM |#25  
Quote:
Originally Posted by MitchtheMitch

The pins are on the middle connector.

It should be the yellow part which is in the middle of the connector.

Pin 23 and 24
And
Pin 29 and 30

Regards

Thank you. They are the same on the BOSCH RCC unit but they don't give a proper output. Perhaps it is a fault of my TTL device. I was testing on the Continental NAC unit and found two interesting things:

First, the boot text shows the path of the development folders
Code:
sh[3691]: OIPBI: Used SDK (Toolchain): /PROJ/oip/SDK/MG_20170106_M11_7.0.165p/MV_Tools
sh[3691]: OIPBI: Used Mirror:          /PROJ/oip/PDK/20170613_PDK_11.00.120.03/Mirror/solutions/com.continental/MV_PINT
And also says:

Code:
sh[3691]: OIPBI: Machine: Linux radfmxyu 3.13.0-106-generic #153~precise1-Ubuntu SMP Tue Dec 6 16:12:15 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
sh[3691]: OIPBI:
sh[3691]: OIPBI: Build Info
sh[3691]: OIPBI:
sh[3691]: OIPBI: Builder: uidg6656
sh[3691]: OIPBI: Built:   jeudi 15 juin 2017, 12:28:06 (UTC+0200)
sh[3691]: OIPBI:
sh[3691]: OIPBI: Build BL #Version: NAC_SOC_SYS_65.05.24.32_RCC #1
I think the username we need to explore is "uidg6656" and the path to find the password (or a hint of it) can be found in the firmware files. Linux usually stores passwords in a file called "passwd" in the "/etc" folder. However, it needs to be decrypted.

For your information, these are the fundamentals of the software we are trying to access: http://events17.linuxfoundation.org/...oard_-_ALS.pdf

And the open-source software code used on those units:
https://www.groupe-psa.com/en/oss/
31st March 2020, 05:41 PM |#26  
Quote:
Originally Posted by horuscurcino

Thank you. They are the same on the BOSCH RCC unit but they don't give a proper output. Perhaps it is a fault of my TTL device. I was testing on the Continental NAC unit and found two interesting things:

First, the boot text shows the path of the development folders

Code:
sh[3691]: OIPBI: Used SDK (Toolchain): /PROJ/oip/SDK/MG_20170106_M11_7.0.165p/MV_Tools
sh[3691]: OIPBI: Used Mirror:          /PROJ/oip/PDK/20170613_PDK_11.00.120.03/Mirror/solutions/com.continental/MV_PINT
And also says:

Code:
sh[3691]: OIPBI: Machine: Linux radfmxyu 3.13.0-106-generic #153~precise1-Ubuntu SMP Tue Dec 6 16:12:15 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
sh[3691]: OIPBI:
sh[3691]: OIPBI: Build Info
sh[3691]: OIPBI:
sh[3691]: OIPBI: Builder: uidg6656
sh[3691]: OIPBI: Built:   jeudi 15 juin 2017, 12:28:06 (UTC+0200)
sh[3691]: OIPBI:
sh[3691]: OIPBI: Build BL #Version: NAC_SOC_SYS_65.05.24.32_RCC #1
I think the username we need to explore is "uidg6656" and the path to find the password (or a hint of it) can be found in the firmware files. Linux usually stores passwords in a file called "passwd" in the "/etc" folder. However, it needs to be decrypted.

For your information, these are the fundamentals of the software we are trying to access: http://events17.linuxfoundation.org/...oard_-_ALS.pdf

And the open-source software code used on those units:
https://www.groupe-psa.com/en/oss/

can you point the rs in rcc connector

interesting here about RCC unit is possible to connect via sub2lan https://fccid.io/YBN-PSARCCA100/User...ibitReport.cfm
1st April 2020, 02:30 AM |#27  
For the RCC it is the same as MitchtheMitch said. Look in the document you posted: there are "debug" lines on these pins. By the way, the LAN connection was not possible here using USB to Ethernet adapters (tried 3 different models/vendors). I think Bosch submitted an unlocked unit to the test center to make the certification tests possible.

Found this on "passwd" file from NAC firmware.
It shows all the registered users for this unit to use the linux environment
The structure says:
USER:X or * if a password is assigned:user directory
Code:
root::0:0:root:/home/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
bin:*:2:2:bin:/bin:/bin/sh
sys:*:3:3:sys:/dev:/bin/sh
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/bin/sh
man:*:6:12:man:/var/cache/man:/bin/sh
lp:*:7:7:lp:/var/spool/lpd:/bin/sh
mail:*:8:8:mail:/var/mail:/bin/sh
news:*:9:9:news:/var/spool/news:/bin/sh
uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:*:13:13:proxy:/bin:/bin/sh
www-data:*:33:33:www-data:/var/www:/bin/sh
backup:*:34:34:backup:/var/backups:/bin/sh
list:*:38:38:Mailing List Manager:/var/list:/bin/sh
irc:*:39:39:ircd:/var/run/ircd:/bin/sh
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
xuser:x:100:101:Linux User,,,:/tmp:/bin/sh
messagebus:x:101:103:Linux User,,,:/var/lib/dbus:/bin/false
pulse:x:102:1000:Linux User,,,:/tmp/home/pulse/:/bin/false
polkituser:x:104:1002:polkituser:/var/run/polkit:/bin/false
Org:x:0:0:org.genivi.NodeStartupController1:/:/bin/false
SerGet:x:0:0:[email protected]:/:/bin/false
sysdquot:x:0:0:systemd-quotacheck:/:/bin/false
dbuspub:x:10678:10678:dbus-public-bus:/:/bin/false
Dbu:x:0:0:dbus:/:/bin/false
dbssess:x:0:0:mm-dbus-session:/:/bin/false
rngd:x:10100:10100:rngd:/:/bin/false
hkdiag:x:10041:10041:diag-svc-plf-coding-daemon:/:/bin/false
rescue:x:0:0:rescue:/:/bin/false
console:x:0:0:[email protected]:/:/bin/false
systime:x:10014:10014:restore-system-time:/:/bin/false
quotaon:x:0:0:quotaon:/:/bin/false
persist:x:0:0:pas-daemon:/:/bin/false
persVlow:x:10090:10090:vlow-container-svc-daemon:/:/bin/false
systemd:x:0:0:systemd-exit:/:/bin/false
lcnsm:x:10010:10010:node state manager:/:/bin/false
lcnsc:x:10012:10012:node state manager:/:/bin/false
lcnhm:x:10567:10567:node-health-monitor:/:/bin/false
audmgr:x:14573:14573:media-audiomanager:/tmp/:/bin/false
audpls:x:10020:10020:pulseaudio:/var/run/pulse:/bin/false
audalsa:x:10573:10573:alsa-state:/:/bin/false
audsnd:x:10311:10311:media-soundgen-ref:/tmp:/bin/false
media:x:10030:10030:oip-media-timeshift:/tmp:/bin/false
video:x:10222:10222:splash:/:/bin/false
contel:x:10040:10040:oip-pi-telephonyservice:/:/bin/false
concb:x:10039:10039:oip-pi-contactbook:/:/bin/false
conmsg:x:10038:10038:oip-pi-messaging:/:/bin/false
conml:x:10053:10053:oip-pi-mirrorlink:/:/bin/false
conbrw:x:10037:10037:oip-pi-wbf:/:/bin/false
concm:x:0:0:connman:/:/bin/false
conwf:x:0:0:wifi:/:/bin/false
conusb:x:10001:10001:usbmgr:/:/bin/false
conbt:x:10042:10042:bluetooth:/:/bin/false
conphnpl:x:0:0:oip-pi-phoneplugin:/:/bin/false
swlman:x:0:0:swl-manager:/:/bin/false
mchineid:x:0:0:machineid:/:/bin/false
Key:x:0:0:keyprovider:/:/bin/false
udisks:x:0:0:udisks-daemon:/:/bin/false
persftop:x:0:0:top:/:/bin/false
firewall:x:0:0:iptables:/:/bin/false
graphic:x:10501:10501:wayland:/:/bin/false
ltsyslog:x:0:0:syslog-ng:/:/bin/false
ltdlt:x:10006:10006:dlt:/:/bin/false
ltdltsys:x:10007:10007:dlt:/:/bin/false
ltdltprint:x:10008:10008:dlt:/:/bin/false
persubi:x:0:0:ubi-attach2:/:/bin/false
NhmRec:x:0:0:nhm-recovery:/:/bin/false
NrmRec:x:0:0:nrm-recovery:/:/bin/false
VloSvcRec:x:0:0:vlow-svc-recovery:/:/bin/false
inptouchcal:x:0:0:oip-ssw-touch-calibration:/:/bin/false
slwmdutl:x:0:0:SWLD user:/:/bin/false
swlopkg:x:0:0:SWLD user opkg:/:/bin/false
SysUpdUtmShu:x:0:0:user update:/:/bin/false
conhfc:x:10568:10568:Handsfree Service:/:/bin/false
usbmux:*:10570:10570::/:/bin/false
concedc:*:10571:10571::/:/bin/false
lcnrm:*:10572:10572::/:/bin/false
fws:*:10573:10573::/:/bin/false
radio:*:10575:10575::/:/bin/false
i2c:*:10578:10578::/:/bin/false
infdat:*:10580:10580::/:/bin/false
phm-fsuc:*:10582:10569:phm-fsuc:/:/bin/false
persNba:*:10587:10587:Pers - NBA daemon:/:/bin/false
persVlow:*:10589:10589:Pers - Vlow container daemon:/:/bin/false
persHwi:*:10590:10590:Pers - HWInfo container daemon:/:/bin/false
persErly:*:10591:10591:Pers - EarlyData container daemon:/:/bin/false
persScrd:*:10592:10592:Pers - SecuredData container daemon:/:/bin/false
persIio:*:10594:10594:Pers - ImageIO ():/:/bin/false
condhcp:*:10596:10596:Conectivity DHCP daemon:/tmp:/bin/false
conaap:*:10598:10598:oip-connsvc-androidauto:/:/bin/false
usrprfmgr:*:10599:10599:User Profile Manager:/tmp:/bin/false
The only one not assigned, as you can see, is the root user. But anyway, it gave me errors when trying to log in without a password.

Unfortunately I cannot find the "shadows" file where the passwords are supposed to be stored.
Found another file saying the password for some instance is "files" without quotes. Can you test it for those usernames?
The Following User Says Thank You to horuscurcino For This Useful Post
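An added example, not part of the original post: a defensive audit a firmware builder could run on a passwd file before release, applied to a few lines copied from the listing above. The check names and the NO_LOGIN_SHELLS set are assumptions of this example; the field meanings follow passwd(5).

```python
from collections import defaultdict

# Lines copied from the passwd listing in the post above.
SAMPLE = """\
root::0:0:root:/home/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
xuser:x:100:101:Linux User,,,:/tmp:/bin/sh
rescue:x:0:0:rescue:/:/bin/false
persVlow:x:10090:10090:vlow-container-svc-daemon:/:/bin/false
audalsa:x:10573:10573:alsa-state:/:/bin/false
fws:*:10573:10573::/:/bin/false
persVlow:*:10589:10589:Pers - Vlow container daemon:/:/bin/false
"""

# Assumption of this example: shells that do not give an interactive login.
NO_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def audit_passwd(text):
    """Return a sorted list of (check, detail) findings for passwd(5) text."""
    findings = set()
    by_name, by_uid = defaultdict(list), defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:
            if line.strip():  # blank lines are ignored, anything else is reported
                findings.add(("malformed", f"line {lineno}"))
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        by_name[name].append(uid)
        by_uid[uid].append(name)
        if pw == "":  # empty field: no password is required for this account
            findings.add(("empty-password", name))
        if uid == "0" and name != "root":  # extra account with root privileges
            findings.add(("extra-uid0", name))
        if shell not in NO_LOGIN_SHELLS and name != "root":
            findings.add(("login-shell", name))  # service account with a shell
    for name, uids in by_name.items():
        if len(uids) > 1:  # the same name listed twice resolves ambiguously
            findings.add(("duplicate-name", f"{name} uids={','.join(uids)}"))
    for uid, names in by_uid.items():
        if uid != "0" and len(set(names)) > 1:  # UID 0 is reported above
            findings.add(("shared-uid", f"{uid} names={','.join(sorted(set(names)))}"))
    return sorted(findings)


if __name__ == "__main__":
    for check, detail in audit_passwd(SAMPLE):
        print(f"{check:15} {detail}")
```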
1st April 2020, 06:56 AM |#28  
Quote:
Originally Posted by horuscurcino

For the RCC it is the same as MitchtheMitch said. Look in the document you posted: there are "debug" lines on these pins. By the way, the LAN connection was not possible here using USB to Ethernet adapters (tried 3 different models/vendors). I think Bosch submitted an unlocked unit to the test center to make the certification tests possible.

Found this on "passwd" file from NAC firmware.
It shows all the registered users for this unit to use the linux environment
The structure says:
USER:X or * if a password is assigned:user directory

Code:
root::0:0:root:/home/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
bin:*:2:2:bin:/bin:/bin/sh
sys:*:3:3:sys:/dev:/bin/sh
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/bin/sh
man:*:6:12:man:/var/cache/man:/bin/sh
lp:*:7:7:lp:/var/spool/lpd:/bin/sh
mail:*:8:8:mail:/var/mail:/bin/sh
news:*:9:9:news:/var/spool/news:/bin/sh
uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:*:13:13:proxy:/bin:/bin/sh
www-data:*:33:33:www-data:/var/www:/bin/sh
backup:*:34:34:backup:/var/backups:/bin/sh
list:*:38:38:Mailing List Manager:/var/list:/bin/sh
irc:*:39:39:ircd:/var/run/ircd:/bin/sh
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
xuser:x:100:101:Linux User,,,:/tmp:/bin/sh
messagebus:x:101:103:Linux User,,,:/var/lib/dbus:/bin/false
pulse:x:102:1000:Linux User,,,:/tmp/home/pulse/:/bin/false
polkituser:x:104:1002:polkituser:/var/run/polkit:/bin/false
Org:x:0:0:org.genivi.NodeStartupController1:/:/bin/false
SerGet:x:0:0:[email protected]:/:/bin/false
sysdquot:x:0:0:systemd-quotacheck:/:/bin/false
dbuspub:x:10678:10678:dbus-public-bus:/:/bin/false
Dbu:x:0:0:dbus:/:/bin/false
dbssess:x:0:0:mm-dbus-session:/:/bin/false
rngd:x:10100:10100:rngd:/:/bin/false
hkdiag:x:10041:10041:diag-svc-plf-coding-daemon:/:/bin/false
rescue:x:0:0:rescue:/:/bin/false
console:x:0:0:[email protected]:/:/bin/false
systime:x:10014:10014:restore-system-time:/:/bin/false
quotaon:x:0:0:quotaon:/:/bin/false
persist:x:0:0:pas-daemon:/:/bin/false
persVlow:x:10090:10090:vlow-container-svc-daemon:/:/bin/false
systemd:x:0:0:systemd-exit:/:/bin/false
lcnsm:x:10010:10010:node state manager:/:/bin/false
lcnsc:x:10012:10012:node state manager:/:/bin/false
lcnhm:x:10567:10567:node-health-monitor:/:/bin/false
audmgr:x:14573:14573:media-audiomanager:/tmp/:/bin/false
audpls:x:10020:10020:pulseaudio:/var/run/pulse:/bin/false
audalsa:x:10573:10573:alsa-state:/:/bin/false
audsnd:x:10311:10311:media-soundgen-ref:/tmp:/bin/false
media:x:10030:10030:oip-media-timeshift:/tmp:/bin/false
video:x:10222:10222:splash:/:/bin/false
contel:x:10040:10040:oip-pi-telephonyservice:/:/bin/false
concb:x:10039:10039:oip-pi-contactbook:/:/bin/false
conmsg:x:10038:10038:oip-pi-messaging:/:/bin/false
conml:x:10053:10053:oip-pi-mirrorlink:/:/bin/false
conbrw:x:10037:10037:oip-pi-wbf:/:/bin/false
concm:x:0:0:connman:/:/bin/false
conwf:x:0:0:wifi:/:/bin/false
conusb:x:10001:10001:usbmgr:/:/bin/false
conbt:x:10042:10042:bluetooth:/:/bin/false
conphnpl:x:0:0:oip-pi-phoneplugin:/:/bin/false
swlman:x:0:0:swl-manager:/:/bin/false
mchineid:x:0:0:machineid:/:/bin/false
Key:x:0:0:keyprovider:/:/bin/false
udisks:x:0:0:udisks-daemon:/:/bin/false
persftop:x:0:0:top:/:/bin/false
firewall:x:0:0:iptables:/:/bin/false
graphic:x:10501:10501:wayland:/:/bin/false
ltsyslog:x:0:0:syslog-ng:/:/bin/false
ltdlt:x:10006:10006:dlt:/:/bin/false
ltdltsys:x:10007:10007:dlt:/:/bin/false
ltdltprint:x:10008:10008:dlt:/:/bin/false
persubi:x:0:0:ubi-attach2:/:/bin/false
NhmRec:x:0:0:nhm-recovery:/:/bin/false
NrmRec:x:0:0:nrm-recovery:/:/bin/false
VloSvcRec:x:0:0:vlow-svc-recovery:/:/bin/false
inptouchcal:x:0:0:oip-ssw-touch-calibration:/:/bin/false
slwmdutl:x:0:0:SWLD user:/:/bin/false
swlopkg:x:0:0:SWLD user opkg:/:/bin/false
SysUpdUtmShu:x:0:0:user update:/:/bin/false
conhfc:x:10568:10568:Handsfree Service:/:/bin/false
usbmux:*:10570:10570::/:/bin/false
concedc:*:10571:10571::/:/bin/false
lcnrm:*:10572:10572::/:/bin/false
fws:*:10573:10573::/:/bin/false
radio:*:10575:10575::/:/bin/false
i2c:*:10578:10578::/:/bin/false
infdat:*:10580:10580::/:/bin/false
phm-fsuc:*:10582:10569:phm-fsuc:/:/bin/false
persNba:*:10587:10587:Pers - NBA daemon:/:/bin/false
persVlow:*:10589:10589:Pers - Vlow container daemon:/:/bin/false
persHwi:*:10590:10590:Pers - HWInfo container daemon:/:/bin/false
persErly:*:10591:10591:Pers - EarlyData container daemon:/:/bin/false
persScrd:*:10592:10592:Pers - SecuredData container daemon:/:/bin/false
persIio:*:10594:10594:Pers - ImageIO ():/:/bin/false
condhcp:*:10596:10596:Conectivity DHCP daemon:/tmp:/bin/false
conaap:*:10598:10598:oip-connsvc-androidauto:/:/bin/false
usrprfmgr:*:10599:10599:User Profile Manager:/tmp:/bin/false
The only one not assigned, as you can see, is the root user. But anyway, it gave me errors when trying to log in without a password.

Unfortunately I cannot find the "shadows" file where the passwords are supposed to be stored.
Found another file saying the password for some instance is "files" without quotes. Can you test it for those usernames?

Pretty good work!

So you set following:

Login: x
password: passwd

Is that correct?

Like you, I did try to connect it via USB and serial and telnet but without success.

Regards
4th April 2020, 10:57 PM |#29  
An old NAC Wave 2 firmware version 21.05.65.32 (early 2017) was wrongly released without any encryption. It was pulled some hours later, but it was a bit too late... I have the full update .tar file, but here are some of the interesting files, including the root filesystem, after converting/extracting - https drive (dot) google (dot) com (slash) open?id=1ocCo5WJheeBkChpydxkE1Q28UYh0Xjq9
The Following 2 Users Say Thank You to rui.saraiva For This Useful Post
5th April 2020, 02:52 AM |#30  
Quote:
Originally Posted by rui.saraiva

An old NAC Wave 2 firmware version 21.05.65.32 (early 2017) was wrongly released without any encryption. It was pulled some hours later, but it was a bit too late... I have the full update .tar file, but here are some of the interesting files, including the root filesystem, after converting/extracting - https drive (dot) google (dot) com (slash) open?id=1ocCo5WJheeBkChpydxkE1Q28UYh0Xjq9

Thank you, Rui! It will certainly help with our research.
Thank you very much!

Early Chinese versions have the same security flaw.
www(dot)chengzhidan(dot)com(slash)auto(slash)NAC22-new(dot)rar
yadi(dot)sk(slash)d(slash)2kUiXTSOqoGoUA
5th April 2020, 08:41 AM |#31  
Quote:
Originally Posted by horuscurcino

Thank you, Rui! It will certainly help with our research.
Thank you very much!

Early Chinese versions have the same security flaw.
www(dot)chengzhidan(dot)com(slash)auto(slash)NAC22-new(dot)rar
yadi(dot)sk(slash)d(slash)2kUiXTSOqoGoUA

Thir link does not work.

Thanks to Rui for the other link, maybe it will help more.

horuscurcino, could you explain which parameters you set as login name and password to extract the firmware data?

I think somebody already asked you before.

thank you
The Following User Says Thank You to NooBtheNoob For This Useful Post