uConnect 6.5 (Alfa / Fiat) Root Access

By SquithyX, Senior Member on 12th August 2018, 01:28 PM
25th December 2018, 02:18 PM |#121  
OP Senior Member
Flag Bradford
Nothing is impossible, it may just take time.

Sent from my CLT-L09 using Tapatalk
 
 
25th December 2018, 02:25 PM |#122  
Senior Member
Flag Ferrara
Quote:
Originally Posted by SquithyX

Nothing is impossible, it may just take time.

Sent from my CLT-L09 using Tapatalk

I know, but I guess this time Fiat has closed very well every hole. What’s next? Any idea?
25th December 2018, 05:12 PM |#123  
Member
Quote:
Originally Posted by SquithyX

That is why I am asking from where does the script run, the uConnect is running the updated software so it will have the isochk scripts on its internal memory and when the media checker / mounter detects the swdl.upd it would make sense to run the in-built isochk not the one on the update media.

Sent from my CLT-L09 using Tapatalk

Hi,
yes, it's possible. If the flag must be set in the internal memory (with an Ethernet connection, for example), it will be very hard to bypass the check...

---------- Post added at 06:12 PM ---------- Previous post was at 06:09 PM ----------

Quote:
Originally Posted by sofro1988

I know, but I guess this time Fiat has closed very well every hole. What’s next? Any idea?

I think it's worth trying, however, to try to modify the expression from "same as" to "different from".
Here are some lines of isochksingleiso, decoded:

local L0_0
L0_0 = module
L0_0("isochksingleiso", package.seeall)
L0_0 = {}
L0_0.name = "Pre-update ISO validation"
function authenticateSingleISO(A0_1, A1_2)
local L2_3, L3_4, L4_5, L5_6, L6_7, L7_8, L8_9, L9_10
L2_3 = _UPVALUE0_
L2_3 = L2_3()
if L2_3 == "MS" then
L3_4 = print
L4_5 = "ISOCHKSINGLEISO: Mfg install mode"
L3_4(L4_5)
L3_4 = true
return L3_4
else
L3_4 = print
L4_5 = "ISOCHKSINGLEISO: Normal install mode"
L3_4(L4_5)
end
L3_4 = print
L4_5 = "ISOCHKSINGLEISO: Verifying "
L3_4(L4_5, L5_6)
L3_4 = os
L3_4 = L3_4.execute
L4_5 = "dd if="
L4_5 = L4_5 .. L5_6 .. L6_7
L3_4 = L3_4(L4_5)
if 0 ~= L3_4 then
L3_4 = false
return L3_4
end
25th December 2018, 05:30 PM |#124  
Senior Member
Flag Ferrara
Quote:
Originally Posted by Tajadela

Hi,
yes, it's possible. If the flag must be set in the internal memory (with an Ethernet connection, for example), it will be very hard to bypass the check...

---------- Post added at 06:12 PM ---------- Previous post was at 06:09 PM ----------



I think it's worth trying, however, to try to modify the expression from "same as" to "different from".
Here are some lines of isochksingleiso, decoded:

local L0_0
L0_0 = module
L0_0("isochksingleiso", package.seeall)
L0_0 = {}
L0_0.name = "Pre-update ISO validation"
function authenticateSingleISO(A0_1, A1_2)
local L2_3, L3_4, L4_5, L5_6, L6_7, L7_8, L8_9, L9_10
L2_3 = _UPVALUE0_
L2_3 = L2_3()
if L2_3 == "MS" then
L3_4 = print
L4_5 = "ISOCHKSINGLEISO: Mfg install mode"
L3_4(L4_5)
L3_4 = true
return L3_4
else
L3_4 = print
L4_5 = "ISOCHKSINGLEISO: Normal install mode"
L3_4(L4_5)
end
L3_4 = print
L4_5 = "ISOCHKSINGLEISO: Verifying "
L3_4(L4_5, L5_6)
L3_4 = os
L3_4 = L3_4.execute
L4_5 = "dd if="
L4_5 = L4_5 .. L5_6 .. L6_7
L3_4 = L3_4(L4_5)
if 0 ~= L3_4 then
L3_4 = false
return L3_4
end

What do you want to modify in those lines?
25th December 2018, 05:44 PM |#125  
Member
Quote:
Originally Posted by sofro1988

What do you want to modify in those lines?

this line:
if L2_3 == "MS" then.... (equal to "MS")
to:
if L2_3 ~= "MS" then... (NOT equal to "MS")

but the file is compiled...
We should understand how the compiler translates the equal expression, into which hexadecimal bytes it is converted...

Science fiction?
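
Added example (not part of any post in this thread, and not code from the uConnect firmware): the decoded excerpt returns true in "MS" mode before any verification runs. The Lua below contrasts that mode-gated shape with a fail-closed check in which the mode never replaces verification; every function name and the stand-in verifier are hypothetical.

```lua
-- Added illustration; every name here is hypothetical, not taken from the firmware.

-- Mode-gated check, the shape visible in the decoded excerpt:
-- manufacturing mode ("MS") returns true before any verification runs.
local function validate_mode_gated(mode, image, verify)
  if mode == "MS" then
    return true
  end
  return verify(image) == true
end

-- Fail-closed check: the mode is only recorded for the log. Every image goes
-- through the verifier, and a verifier error or non-true result is a rejection.
local function validate_fail_closed(mode, image, verify)
  local ok, result = pcall(verify, image)
  if not ok then
    return false, "rejected: verifier error (" .. tostring(result) .. ")"
  end
  if result ~= true then
    return false, "rejected: signature check failed"
  end
  return true, "accepted in mode " .. tostring(mode)
end

-- Constructed stand-in for the real signature verifier.
local function stub_verify(image)
  return image.signed == true
end

-- Constructed sample images.
local unsigned = { name = "unsigned.iso", signed = false }
local signed   = { name = "signed.iso",   signed = true }

-- The mode-gated version accepts an unverified image once the mode is "MS".
assert(validate_mode_gated("MS", unsigned, stub_verify) == true)
-- The fail-closed version rejects it in every mode and still accepts a valid one.
assert(validate_fail_closed("MS", unsigned, stub_verify) == false)
assert(validate_fail_closed("normal", unsigned, stub_verify) == false)
assert(validate_fail_closed("MS", signed, stub_verify) == true)
-- A verifier that throws (for example, a missing key file) also rejects.
assert(validate_fail_closed("MS", signed, function() error("no key") end) == false)
print("all checks passed")
```
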
25th December 2018, 05:48 PM |#126  
Senior Member
Flag Ferrara
Quote:
Originally Posted by Tajadela

this line:

if L2_3 == "MS" then.... (equal to "MS")

to:

if L2_3 ~= "MS" then... (NOT equal to "MS")



but the file is compiled...

We should understand how the compiler translates the equal expression, into which hexadecimal bytes it is converted...



Science fiction?



So do you think “ms” is the option to check or don’t check? If we put “NOT”, the original iso shouldn’t work and the modified one should work. Is my thought right?


Sent from my iPhone using Tapatalk
25th December 2018, 05:51 PM |#127  
Member
Quote:
Originally Posted by sofro1988

So do you think “ms” is the option to check or don’t check? If we put “NOT”, the original iso shouldn’t work and the modified one should work. Is my thought right?


Sent from my iPhone using Tapatalk

Yesss!
25th December 2018, 07:00 PM |#128  
Senior Member
Flag Ferrara
Quote:
Originally Posted by Tajadela

Yesss!

ok, let me know as soon as you get any news about it.
25th December 2018, 07:55 PM |#129  
OP Senior Member
Flag Bradford
Yea, the options I can see at the minute are:
1. Force unit into MS - though I think that to do that will require file system access, and if we have file system access then why not just remove the isochk altogether.
2. Sign an update using one of the keys in /etc/keys - only problem is we have the public keys not the private ones.
3. Direct access to the file system - on the Alfa uConnect 1st gen the NAND is on a daughter board that could be directly read with the correct interface.
4. CAN bus interface manipulation - in theory we could send the MS or Mfg code to the uConnect from the car's BCM, it is how it self-programs to which car it is in and what options it has.
5. Other bypass ??? SD card - so far not seen anything referring to SD Card checks.

Sent from my CLT-L09 using Tapatalk
25th December 2018, 09:21 PM |#130  
Senior Member
Flag Ferrara
Quote:
Originally Posted by SquithyX

Yea, the options I can see at the minute are:
1. Force unit into MS - though I think that to do that will require file system access, and if we have file system access then why not just remove the isochk altogether.
2. Sign an update using one of the keys in /etc/keys - only problem is we have the public keys not the private ones.
3. Direct access to the file system - on the Alfa uConnect 1st gen the NAND is on a daughter board that could be directly read with the correct interface.
4. CAN bus interface manipulation - in theory we could send the MS or Mfg code to the uConnect from the car's BCM, it is how it self-programs to which car it is in and what options it has.
5. Other bypass ??? SD card - so far not seen anything referring to SD Card checks.

Sent from my CLT-L09 using Tapatalk



Number 3 would be good. What about number 4? Could you please explain better?


Sent from my iPhone using Tapatalk
25th December 2018, 09:36 PM |#131  
OP Senior Member
Flag Bradford
The uConnect is linked to the car's BCM (body computer module) through the CAN bus. This is how the uConnect controls the DRLs and wipers... On the USA versions you can send a signal through OBD to tell your car to enable the SRT functions in your non-SRT car, meaning the CAN bus is bidirectional.

So what else can we send, can we tell the uConnect to boot into service or MC mode?

Sent from my CLT-L09 using Tapatalk