success to hack Technisat MIB2 infotainment system

By mengxp, Junior Member on 4th April 2017, 09:22 AM
Device: Technisat MIB STD2 PQ nav

This device does not have a serial shell.
But I successfully hacked the eMMC filesystem.
Now the serial port has a shell.

Step1.
Desolder the EMMC chip

Step2.
Dump EMMC chip via SD card reader

Step3.
qemu-img convert -f raw d:\682C_EMMC_DUMP.bin -O vmdk d:\682c.vmdk

Step4.
Start QNX x86 vmware machine to modify the 682c.vmdk

Step5.
Modify the file /fs/hd1-qnx6/tsd/bin/system/startup
Add the following lines:
--------------------
echo ser1 "/bin/login -f root" qansi-m on > /tmp/ttys
/sbin/tinit -f /tmp/ttys &
--------------------
Save the file

Step6.
Shutdown QNX6 VM

Step7.
qemu-img convert -f vmdk d:\682c.vmdk -O raw C:\682C_EMMC_DUMP.bin

Step8.
Write C:\682C_EMMC_DUMP.bin to the eMMC via SD card reader

Step9.
Solder the EMMC chip back

done.
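
An added example, not part of the original post: a firmware-review check that scans a startup script for the pattern in Step 5, a tty table written by the script and then handed to `tinit -f`, where an enabled entry runs `login -f <user>`. The sample script is constructed, the four-field table layout is inferred from the single line in the post, and `-f` is assumed to mean a login without a password prompt.

```python
import posixpath
import shlex

# Constructed sample: a startup script containing the two lines quoted in the post.
SAMPLE_STARTUP = """\
#!/bin/sh
# constructed example, not a real firmware file
/usr/bin/example_service &
echo ser1 "/bin/login -f root" qansi-m on > /tmp/ttys
/sbin/tinit -f /tmp/ttys &
"""

def parse_tty_entry(fields):
    """Parse [device, command, termtype, on|off]; return None if not that shape."""
    if len(fields) != 4 or fields[3] not in ("on", "off"):
        return None
    cmd = shlex.split(fields[1])
    user = None
    # Assumption: "login -f USER" logs USER in without asking for a password.
    if cmd and posixpath.basename(cmd[0]) == "login" and "-f" in cmd[:-1]:
        user = cmd[cmd.index("-f") + 1]
    return {"device": fields[0], "enabled": fields[3] == "on", "preauth_user": user}

def audit_startup(script):
    """Return (line, device, user, table) for each passwordless login tinit starts."""
    tables, findings = {}, []
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tok = shlex.split(line)
        except ValueError:  # unbalanced quotes: not a line this check can judge
            continue
        redir = next((i for i, t in enumerate(tok) if t in (">", ">>")), None)
        if tok[0] == "echo" and redir is not None and redir + 1 < len(tok):
            entry = parse_tty_entry(tok[1:redir])
            if entry:
                tables.setdefault(tok[redir + 1], []).append(entry)
        elif posixpath.basename(tok[0]) == "tinit" and "-f" in tok[:-1]:
            path = tok[tok.index("-f") + 1]
            for e in tables.get(path, []):
                if e["enabled"] and e["preauth_user"]:
                    findings.append((lineno, e["device"], e["preauth_user"], path))
    return findings

if __name__ == "__main__":
    for f in audit_startup(SAMPLE_STARTUP):
        print("line %d: %s gets a passwordless login as %s (table %s)" % f)
```

Run against a startup script extracted from a known-good image and from a returned unit, a difference in the findings points to a modified boot path.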
9th June 2017, 01:08 PM |#2  
Junior Member
Can you post the dump please?
10th June 2017, 05:52 PM |#3  
Senior Member
Please, can you post some images?
16th June 2017, 07:09 PM |#4  
qtek_metanol
Senior Member
Quote:
Originally Posted by mengxp

Device: Technisat MIB STD2 PQ nav

This device does not have a serial shell.
But I successfully hacked the eMMC filesystem.
Now the serial port has a shell.

Were you able to access the image? Could you post the image file?

Thanks in advance and greetings
Metanol
17th October 2017, 06:06 PM |#5  
Junior Member
Quote:
Originally Posted by mengxp

Device: Technisat MIB STD2 PQ nav

This device does not have a serial shell.
But I successfully hacked the eMMC filesystem.
Now the serial port has a shell.

Step1.
Desolder the EMMC chip

Step2.
Dump EMMC chip via SD card reader

Step3.
qemu-img convert -f raw d:\682C_EMMC_DUMP.bin -O vmdk d:\682c.vmdk

Step4.
Start QNX x86 vmware machine to modify the 682c.vmdk

Step5.
Modify the file /fs/hd1-qnx6/tsd/bin/system/startup
Add the following lines:
--------------------
echo ser1 "/bin/login -f root" qansi-m on > /tmp/ttys
/sbin/tinit -f /tmp/ttys &
--------------------
Save the file

Step6.
Shutdown QNX6 VM

Step7.
qemu-img convert -f vmdk d:\682c.vmdk -O raw C:\682C_EMMC_DUMP.bin

Step8.
Write C:\682C_EMMC_DUMP.bin to the eMMC via SD card reader

Step9.
Solder the EMMC chip back

done.

Can you tell which chip is the eMMC chip? There are quite a few FBGA chips on the board. Or maybe a picture?
18th October 2017, 08:04 AM |#6  
Junior Member
Found the eMMC chip; it's an MTFC8GLWDQ-3M AIT Z. I can't get a datasheet for it. Maybe someone has it for me?
18th October 2017, 08:37 PM |#7  
Member
Hi there!
The pinout is standard, just look for eMMC LFBGA 100 pin.

It's funny to see the title; hacking this unit is not about getting console access, there's a lot more than that. Good luck!
18th October 2017, 09:01 PM |#8  
Junior Member
Thanks, I was expecting that. It looks like the data lines, clk and cmd, all go through a 22 ohm resistor array. Maybe it's possible to remove the array and read the chip on board, so there is no need for BGA soldering.

I know, this is just a starting point. Let's start with changing some start screens; that must be possible, and then see how to modify the FEC key handling.
16th November 2017, 01:23 PM |#9  
Junior Member
Does anybody have the PCB connection for downloading the eMMC without desoldering?
24th November 2017, 03:21 PM |#10  
Junior Member
I have tried it on a couple of units and unfortunately still cannot send anything to the unit on the serial port.
25th November 2017, 11:19 AM |#11  
Junior Member
Which version of QNX VMware do you use?

Quote:
Originally Posted by mengxp

Device: Technisat MIB STD2 PQ nav

This device does not have a serial shell.
But I successfully hacked the eMMC filesystem.
Now the serial port has a shell.

Step1.
Desolder the EMMC chip

Step2.
Dump EMMC chip via SD card reader

Step3.
qemu-img convert -f raw d:\682C_EMMC_DUMP.bin -O vmdk d:\682c.vmdk

Step4.
Start QNX x86 vmware machine to modify the 682c.vmdk

Step5.
Modify the file /fs/hd1-qnx6/tsd/bin/system/startup
Add the following lines:
--------------------
echo ser1 "/bin/login -f root" qansi-m on > /tmp/ttys
/sbin/tinit -f /tmp/ttys &
--------------------
Save the file

Step6.
Shutdown QNX6 VM

Step7.
qemu-img convert -f vmdk d:\682c.vmdk -O raw C:\682C_EMMC_DUMP.bin

Step8.
Write C:\682C_EMMC_DUMP.bin to the eMMC via SD card reader

Step9.
Solder the EMMC chip back

done.
