success to hack Technisat MIB2 infotainment system

Search This thread

mengxp

New member
Mar 29, 2017
3
7
Device: Technisat MIB STD2 PQ nav

This device does not have serial shell .
But I successfully hacked the emmc filesystem
Now serial port has a shell

Step1.
Desolder the EMMC chip

Step2.
Dump EMMC chip via SD card reader

Step3.
qemu-img convert -f raw d:\682C_EMMC_DUMP.bin -O vmdk d:\682c.vmdk

Step4.
Start QNX x86 vmware machine to modify the 682c.vmdk

Step5.
modify the file /fs/hd1-qnx6/tsd/bin/system/startup
add following line
--------------------
echo ser1 "/bin/login -f root" qansi-m on > /tmp/ttys
/sbin/tinit -f /tmp/ttys &
--------------------
Save the file

Step6.
Shutdown QNX6 VM

Step7.
qemu-img convert -f vmdk d:\682c.vmdk -O raw C:\682C_EMMC_DUMP.bin

Step8.
write C:\682C_EMMC_DUMP.bin to EMMC via SD card reader

Step9.
Solder the EMMC chip back

done.
;)
 

harwin3

Member
Dec 27, 2010
5
0
Device: Technisat MIB STD2 PQ nav

This device does not have serial shell .
But I successfully hacked the emmc filesystem
Now serial port has a shell

Step1.
Desolder the EMMC chip

Step2.
Dump EMMC chip via SD card reader

Step3.
qemu-img convert -f raw d:\682C_EMMC_DUMP.bin -O vmdk d:\682c.vmdk

Step4.
Start QNX x86 vmware machine to modify the 682c.vmdk

Step5.
modify the file /fs/hd1-qnx6/tsd/bin/system/startup
add following line
--------------------
echo ser1 "/bin/login -f root" qansi-m on > /tmp/ttys
/sbin/tinit -f /tmp/ttys &
--------------------
Save the file

Step6.
Shutdown QNX6 VM

Step7.
qemu-img convert -f vmdk d:\682c.vmdk -O raw C:\682C_EMMC_DUMP.bin

Step8.
write C:\682C_EMMC_DUMP.bin to EMMC via SD card reader

Step9.
Solder the EMMC chip back

done.
;)

Can you tell which chip is the EMMC chip? there are quite some FBGA chips on board. Or maybe a picture?
 

harwin3

Member
Dec 27, 2010
5
0
Found the emmc chip its an MTFC8GLWDQ-3M AIT Z, cant get a datasheet of it. Maybe someone has it for me?
 

radux.m.dan

Senior Member
Jun 18, 2014
53
7
Hi there!
The pinout is standard, just look for EMMC LFBGA 100 pin.

It's funny to see the title, hacking this unit is not about getting console access, there's a lot more than that. Good luck!
 

harwin3

Member
Dec 27, 2010
5
0
thanks i was expecting that, looks like the data lines ,clk and cmd, all go throug an resistor array 22ohm. maybe its possible to remove the array and read chip onboard. so there is no need for BGA soldering.

I know, this is just a starting point, lets start with chancing some start screens.. that must be possible and than see how to modifie the FEC key handling.

---------- Post added at 10:01 PM ---------- Previous post was at 10:00 PM ----------

thanks i was expecting that, looks like the data lines ,clk and cmd, all go throug an resistor array 22ohm. maybe its possible to remove the array and read chip onboard. so there is no need for BGA soldering.

I know, this is just a starting point, lets start with chancing some start screens.. that must be possible and than see how to modifie the FEC key handling.
 

mobista

Member
Oct 19, 2010
10
0
www.BlackMobile.pl
Which version of QNX VMWare do U use?

Device: Technisat MIB STD2 PQ nav

This device does not have serial shell .
But I successfully hacked the emmc filesystem
Now serial port has a shell

Step1.
Desolder the EMMC chip

Step2.
Dump EMMC chip via SD card reader

Step3.
qemu-img convert -f raw d:\682C_EMMC_DUMP.bin -O vmdk d:\682c.vmdk

Step4.
Start QNX x86 vmware machine to modify the 682c.vmdk

Step5.
modify the file /fs/hd1-qnx6/tsd/bin/system/startup
add following line
--------------------
echo ser1 "/bin/login -f root" qansi-m on > /tmp/ttys
/sbin/tinit -f /tmp/ttys &
--------------------
Save the file

Step6.
Shutdown QNX6 VM

Step7.
qemu-img convert -f vmdk d:\682c.vmdk -O raw C:\682C_EMMC_DUMP.bin

Step8.
write C:\682C_EMMC_DUMP.bin to EMMC via SD card reader

Step9.
Solder the EMMC chip back

done.
;)
 

bunny76

New member
Oct 27, 2012
4
0
5C0 035 680 C hi is this for this MIBSTD2? anyone have any success ? ive read about the patches etc is there any other way ?
 

yusufdincer

Member
Nov 26, 2013
26
6
Device: Technisat MIB STD2 PQ nav

This device does not have serial shell .
But I successfully hacked the emmc filesystem
Now serial port has a shell

Step1.
Desolder the EMMC chip

Step2.
Dump EMMC chip via SD card reader

Step3.
qemu-img convert -f raw d:\682C_EMMC_DUMP.bin -O vmdk d:\682c.vmdk

Step4.
Start QNX x86 vmware machine to modify the 682c.vmdk

Step5.
modify the file /fs/hd1-qnx6/tsd/bin/system/startup
add following line
--------------------
echo ser1 "/bin/login -f root" qansi-m on > /tmp/ttys
/sbin/tinit -f /tmp/ttys &
--------------------
Save the file

Step6.
Shutdown QNX6 VM

Step7.
qemu-img convert -f vmdk d:\682c.vmdk -O raw C:\682C_EMMC_DUMP.bin

Step8.
write C:\682C_EMMC_DUMP.bin to EMMC via SD card reader

Step9.
Solder the EMMC chip back

done.
;)

As I see this only gives you a shell access. Not a complete hack of system like activating all functions and removing component protection on device, does not it ?
 

chobott

New member
Jun 20, 2004
4
0
Hello :)

do you have idea how we can remove Component protection? I need make retrofit with 100% clean components but Skoda auto cannot remove CP because dotn have online data for Old car and New radio.....grrrrr....

thank you for more info....
 

raptik

New member
Apr 4, 2009
2
0
Hey guys, anyone here willing to share any version of firmware files for VW MIB2 (preferably v0343 or newer) or anyone willing to make full dump of the VW MIB2's flash?
 

bell38

New member
Oct 6, 2018
1
0
Harman mib2 pro unit

Hi I have Harman discovery pro mib2 unit black screen green menu corrupt anybody know how to recover
 

Top Liked Posts

  • There are no posts matching your filters.
  • 7
    Device: Technisat MIB STD2 PQ nav

    This device does not have serial shell .
    But I successfully hacked the emmc filesystem
    Now serial port has a shell

    Step1.
    Desolder the EMMC chip

    Step2.
    Dump EMMC chip via SD card reader

    Step3.
    qemu-img convert -f raw d:\682C_EMMC_DUMP.bin -O vmdk d:\682c.vmdk

    Step4.
    Start QNX x86 vmware machine to modify the 682c.vmdk

    Step5.
    modify the file /fs/hd1-qnx6/tsd/bin/system/startup
    add following line
    --------------------
    echo ser1 "/bin/login -f root" qansi-m on > /tmp/ttys
    /sbin/tinit -f /tmp/ttys &
    --------------------
    Save the file

    Step6.
    Shutdown QNX6 VM

    Step7.
    qemu-img convert -f vmdk d:\682c.vmdk -O raw C:\682C_EMMC_DUMP.bin

    Step8.
    write C:\682C_EMMC_DUMP.bin to EMMC via SD card reader

    Step9.
    Solder the EMMC chip back

    done.
    ;)
    5
    I can fully unlock all MIB units. If you need it free free to contact me.
    2
    [QUOTE = "nevergiveup3, post: 84106841, member: 11340019"]
    Привет, ребята, есть шанс, что кто-то снова сможет поделиться этими материалами, потому что ссылки выше не работают. Думаю, многие из нас это оценили бы.

    Заранее спасибо.
    [/ QUOTE]
    2
    If anyone needs help with technisat mib2 SD card update for all FECs message me
    1
    hello have a mib std2 pq+nav ... i want to install it on a jetta 2013 this radio was remove it from crashed jetta 2017 i need cp remove it and help with the retrofit im able to donate to someone that can help me
    Check mibwiki and telegram channel. You will get help faster there.