
View Poll Results: What do you wanna see most on a uconnect system

Android!: 103 Vote(s), 69.13%
Custom programs: 11 Vote(s), 7.38%
Themes/UI Mods: 4 Vote(s), 2.68%
Free wifi hotspot: 9 Vote(s), 6.04%
Something even more awesome: 2 Vote(s), 1.34%
Remove speed lockout: 5 Vote(s), 3.36%
Add features (i.e. movies on the screen/games): 15 Vote(s), 10.07%

Rooted Jeep Cherokee '14 uConnect

By cm0002, Member on 5th September 2015, 03:40 AM
DISCLAIMER:
Doing anything I describe in this thread is at YOUR OWN RISK. If your Jeep suddenly dies on the highway, I'm not responsible, but if your Jeep magically gets 200 MPG or limitless fuel, I take full credit.

So, after studying the white paper from those security researchers that hacked the Jeep over the Sprint network and about half a day's worth of tinkering with the uConnect ISO update file, I was finally able to get it to take the modifications (changing the root password and editing the boot script to run commands from a script on a USB flash drive), but now I'm at a loss, not really sure what to do now.
I just finished dumping the entire file system to the flash drive for analysis, but other than that I don't know. I'm not familiar at all with QNX or even any embedded Linux for that matter, so I'm just posting here to see what you guys can come up with.

One goal of mine is to bring up the hotspot manually without having to pay for it so I can establish a proper SSH terminal, but I'm dreaming of either running Android over top of the Jeep's interface or replacing it entirely (maybe someday).

Here's the link to the whitepaper
ioactive.com/pdfs/IOActive_Remote_Car_Hacking.pdf

OK, so I decided to do a quick rundown of what I did:

First, using a hex editor on the 14.05.03 ISO update file, at offset 0x80 insert an 'S' (0x53). On 14.05.03 ONLY, this will bypass the initial ISO integrity check; on anything later, the white paper describes a way to 'trick' the check. It involves 2 USBs, one with a modified ISO and one with a legit ISO. I have never done it this way, but I will describe it anyway: insert the USB with the legit ISO, click yes on the pop-up, and when the screen turns completely off, immediately remove the USB and insert the one with the modified ISO.

screenshot

Second, I changed the root password at offset 0x5dd34b4 to 8CNGLiYvSaCbg, which is "root".

screenshot

And lastly, I inserted the code that will run scripts contained in 'cmds.sh' located on a USB flash drive. Now this is tricky; originally there's this line:
"# Start Image Rot Fixer, currently started with high verbosity"
Make it look like this before you insert the line of code:
"######rently started with high verbosity"
Now after the "-d -p 2000 .." insert "sh /fs/usb0/cmds.sh &" and make sure that after the '&' and before the first '#' there is a line termination hex code 0x0a.

screenshot

And that's it. Type up a script called 'cmds.sh', put it on a FAT32-formatted flash drive, and you're good to go.

The directory list:
pastebin.com/BKfSptbH

and a list of available commands
pastebin.com/jLTaEEge
Would it be a good idea to upload the actual dump from the file system?

for ****s and giggles, live long and prosper:
screenshot startrek

Last thing: most of the credit goes to Chris Valasek and Chris Miller, the security researchers that paved the way and published the white paper. I just studied it and put the actual rooting process in an easier format.
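
Seen from the defender's side, the two changes described in the post above (a replaced root hash and a boot-script line that runs a script from USB) are both things an integrity audit of a head-unit filesystem dump can look for. The Python below is an added example, not code from the post or from uConnect; the colon-separated password-file layout, the placeholder service name and the sample file contents are constructed assumptions.

```python
import re

# Value quoted in the post above as the crypt hash of the password "root".
KNOWN_WEAK_ROOT_HASH = "8CNGLiYvSaCbg"
# Removable-media mount point named in the post; files run from it are untrusted.
REMOVABLE_PREFIXES = ("/fs/usb",)
# Words that execute the file given as their first argument.
EXEC_WORDS = {"sh", "ksh", "bash", ".", "source", "exec"}

# Constructed sample inputs (not taken from a real dump).
SAMPLE_SHADOW = "root:8CNGLiYvSaCbg:0:0\nbin:*:1:1\n"
SAMPLE_BOOT = (
    "######rently started with high verbosity\n"
    "image_rot_fixer_placeholder -d -p 2000 &\n"  # hypothetical service name
    "sh /fs/usb0/cmds.sh &\n"
    "# sh /fs/usb0/old.sh\n"
    "other_daemon /fs/etc/conf\n"
)


def audit_shadow(text):
    """Return (line_no, reason) findings for a user:hash:... style file (assumed layout)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.strip().split(":")
        if len(fields) >= 2 and fields[0] == "root":
            if fields[1] == KNOWN_WEAK_ROOT_HASH:
                findings.append((n, "root hash matches published value"))
            elif fields[1] == "":
                findings.append((n, "root has empty password field"))
    return findings


def audit_boot_script(text):
    """Return (line_no, path) for every command that runs a file from removable media."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]            # drop comments (naive: ignores quoting)
        for cmd in re.split(r"[;&|]+", code):   # one entry per simple command
            words = cmd.split()
            if not words:
                continue
            runs_file = words[0] in EXEC_WORDS and len(words) > 1
            target = words[1] if runs_file else words[0]
            if target.startswith(REMOVABLE_PREFIXES):
                findings.append((n, target))
    return findings


if __name__ == "__main__":
    print(audit_shadow(SAMPLE_SHADOW))
    print(audit_boot_script(SAMPLE_BOOT))
```

Commented-out lines and the shortened comment remnant are ignored, so only the live command on line 3 of the sample is reported.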
7th September 2015, 06:34 PM |#2  
OP Member
Huh, I thought there would be more interest? I mean, this could be the key to getting rid of the crappy uConnect software and running Android.
Android has already been made to run on the same SoC, the TI DM3730, here: http://elinux.org/Android_on_OMAP
8th September 2015, 01:11 AM |#3  
Member
Hi,

This is very interesting! I don't have a Cherokee but I own a 2015 Challenger RT with the 8.4 uConnect. There are so many FCA cars that came with this system that this could be very good for uConnect owners! I would so much like to see more options, customization, maybe having specific car options unlocked or the navigation feature, or best of all would be to have Android directly on it!

In the Challenger community, we use a dongle called Tazer (http://www.zautotech.com/tazer.html) that can unlock special features available only for a specific trim level. For example, the Challenger SRT has an ECO Mode in the uConnect for saving gas, but after plugging in the Tazer you can unlock this feature for a Scat Pack/RT, and it works! I don't know about other FCA cars, but hacking the uConnect could open a Pandora's box for us!
8th September 2015, 03:59 AM |#4  
OP Member
Quote:
Originally Posted by cilk

Hi,

This is very interesting! I don't have a Cherokee but I own a 2015 Challenger RT with the 8.4 uConnect. There are so many FCA cars that came with this system that this could be very good for uConnect owners! I would so much like to see more options, customization, maybe having specific car options unlocked or the navigation feature, or best of all would be to have Android directly on it!

In the Challenger community, we use a dongle called Tazer (http://www.zautotech.com/tazer.html) that can unlock special features available only for a specific trim level. For example, the Challenger SRT has an ECO Mode in the uConnect for saving gas, but after plugging in the Tazer you can unlock this feature for a Scat Pack/RT, and it works! I don't know about other FCA cars, but hacking the uConnect could open a Pandora's box for us!

Ah yes, the dongles. The Jeep community also has such things to remove the speed lockouts for the keyboard and add in cameras and such. I have been working on decompiling a lot of the programs, but haven't gotten very far yet, been busy and all, but what I have noticed is that a lot of it is easily decompiled compiled Lua 5.1 scripts or just scripts here and there.
8th September 2015, 11:48 PM |#5  
Member
Quote:
Originally Posted by cm0002

Ah yes, the dongles. The Jeep community also has such things to remove the speed lockouts for the keyboard and add in cameras and such. I have been working on decompiling a lot of the programs, but haven't gotten very far yet, been busy and all, but what I have noticed is that a lot of it is easily decompiled compiled Lua 5.1 scripts or just scripts here and there.

The dongle or even Lockpick seems very popular. I didn't know the dongle was just some Lua script; they make big money for just small hardware and a script then! I've also read the PDF document and I find it interesting that we could set up a VM on QNX with uConnect on top of it. This could help people take more interest in the uConnect if they can simply have a VM easily available. I'm not a developer but a simple IT technician, and I find this really interesting. I've just started to read about this, QNX and Lua script.
9th September 2015, 12:03 AM |#6  
OP Member
Quote:
Originally Posted by cilk

The dongle or even Lockpick seems very popular. I didn't know the dongle was just some Lua script; they make big money for just small hardware and a script then! I've also read the PDF document and I find it interesting that we could set up a VM on QNX with uConnect on top of it. This could help people take more interest in the uConnect if they can simply have a VM easily available. I'm not a developer but a simple IT technician, and I find this really interesting. I've just started to read about this, QNX and Lua script.

Yeah, this situation is exactly how it was with the PS3: some company found a way in, and instead of opening it up they profit from it. The more I go through, the more I have found that the entire uConnect front-end GUI seems to be made up of Lua scripts, HTML, Flash, and Adobe AIR, which call the services for the various systems from the underlying QNX system.
7th October 2015, 09:23 PM |#7  
Junior Member
Awesome!
I have a 2014 Ram and would LOVE to see some changes to the UI and maybe unlock some things too. I'm an Android developer with mostly web background, and could possibly lend a hand in the code department, but Lua is pretty new to me; however, not real complicated. What amount of Flash does the UI depend on? Seems like a pretty terrible language choice, but I suppose uConnect started writing this code several years ago...

Ideally, we'd get a version of Android running on this thing!! I don't know about the Jeeps, but the uConnect system on the Ram basically controls everything... I'd lose the ability to do most of my A/C controls so I'd simultaneously have to be making an app that would be able to interface with other systems in the truck...

I'd like to see what kind of interest there is about this as well, @cm0002. Thanks for your guide!
10th October 2015, 03:22 PM |#8  
Senior Member
Flag Fort Worth
Any way to run Android off the USB drive, run an upgrade boot and redirect to the Android OS on the USB and run it without changing the system on local?
13th October 2015, 05:40 PM |#9  
Junior Member
Quote:
Originally Posted by bled82

Any way to run Android off the USB drive, run an upgrade boot and redirect to the Android OS on the USB and run it without changing the system on local?

I'm sure you could, but you wouldn't have access to any peripherals... That's really the hardest thing here, imo.
29th November 2015, 10:34 AM |#10  
Junior Member
So, QNX will support Android Auto and CarPlay, some implementations are going out the door right now.

By rooting uConnect current versions, it may be possible to backport the future uConnect QNX apps that facilitate Android Auto headunit communication.

The sticking point will be if the QNX kernel that features Android Auto on those newer uConnect models, is backwards-compatible or not with today's uConnect head units. That's questionable at best... but probably the best implementation path.

Frankly there's nothing stopping FCA from doing the upgrade themselves. Would make for a heck of a game changer as a Mopar part.
10th December 2015, 04:16 PM |#11  
Joshwaaa's Avatar
Senior Member
Flag Lake Worth, FL
Watching this thread, very interesting to me as I have a 2016 Ram 1500 Laramie.