Golf MK7 Discover Pro Hack possible?

manos78

Senior Member
Jan 17, 2014
808
310
1: should be possible, just use one of the network adapters I mentioned
2: as far as I can tell, this is always on. But it doesn't hurt to enable developer mode
3: all the time.
Thank you!

Then I'll purchase one of these USB Network modules (I have a lot, USB 3.0 and 2.0, but none with the same chipset).

Regarding the PASS, the solution is to get a backup of the same firmware version and decrypt the pass file. Right?
 

Chillout

Senior Member
Jul 15, 2008
243
175
Yes indeed.

Open efs-system.img from the firmware files, search for root:
If you find root:, you will see the password hash. This hash is 3des, and can be cracked. That will be your password.
 

hrdinaveliky

New member
Jul 11, 2008
4
0
Yes, MIB2 (software 1027) - thanks a lot. Could you help me with the setup of the connection in the green menu between laptop and MIB? I would like to enable the performance monitor.
 

Chillout

Senior Member
Jul 15, 2008
243
175
Yes, MIB2 (software 1027) - thanks a lot. Could you help me with the setup of the connection in the green menu between laptop and MIB? I would like to enable the performance monitor.

Enabling Performance Mode isn't straightforward or easy. There's no configuration file or database that has an "enable performance mode" flag.
However, there are a lot of persistence addresses you could address by using the updatePersistence binary that comes with firmware updates.
 

hrdinaveliky

New member
Jul 11, 2008
4
0
Do you have any experience with how to update with modified files? Could it be possible to use the update like for POI, and could the next metainfo file be without a signature? Do you think it could be possible to modify this file, efs-persist.img, and update it to MIB2?
 

Chillout

Senior Member
Jul 15, 2008
243
175
On MIB1 I know this method could be used, but maybe we can explore this on MIB2.
There's a script being executed at the end of a Custom POI update, maybe we can exploit that to update/replace files on the device.
 

tell_htc_hd2

Member
Nov 29, 2009
15
1
Hi Chillout & others

I have a Mib2 High unit, Seat Plus Navi, which is their version of the Discover Pro Mib2. You don't know what happens if you try to update the maps via the SWDL menu and you don't have Mapcare? I saw it on a Russian forum which wasn't too clear. They did it on a MIB1 and sort of implied you could do it on a MIB2, then a lot of bad mouthing in Russian on that board comment thread... bit tricky in translated Russian. On an Italian board someone seemed to hang theirs in the SWDL menu. Given that Seat don't sell Mapcare in the UK I'm lumbered with a highly expensive way of keeping the maps up to date unless I find an alternative.
 

Chillout

Senior Member
Jul 15, 2008
243
175
Interesting case.. you could ask MQB-coding on Facebook for some assistance, maybe they have a solution.
 

hrdinaveliky

New member
Jul 11, 2008
4
0
The map will be uploaded to the unit, but navigation will be blocked by an invalid key for the new map. Uploading the map by SWDL is quicker and more reliable.
 

manos78

Senior Member
Jan 17, 2014
808
310
Hi,

I need your help!

I have purchased one D-Link DUB-E100 (0x2001, 0x1a02). I connected it to the USB port of the car. Then I plug one network wire on the adapter and in my laptop. After a few seconds the leds of the adapter start to run... then I assume that the adapter has been initialized by the HU (if not, the leds will be off). However, I can't connect!

I have configured my laptop with the IP 172.16.250.247 and netmask 255.255.0.0 (no gateway). However, if I ping to 172.16.250.248 (the IP of the HU) I don't receive any response.

Is the address 172.16.250.248 the correct one?
Can another address be in use?
How can I detect the IP address of the HU?

FYI, I'm trying to connect to a MIB2 (Golf MY16) Discover Media (non PRO).

Any help, please?
 

tell_htc_hd2

Member
Nov 29, 2009
15
1
Signatures and MetafileChecksum

Have we seen this link ?

https://reverseengineering.stackexchange.com/questions/12286/defeat-rsa-hash-verification/12287

Basically it covers the MetafileChecksum and the signatures. Problem is I need an A, B, C of how to do the activities. I sort of guess that the public key is the same or failing that it can be read from the unit? Have we got that key yet?

The n in the example is a chunk of the public key.

I can't work out the process for doing "signature s raised to the power of 3 modulus n" (my two maths degrees were too long ago for that). I guess somewhere on the net there are some boxes to fill in that gives you the

0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff003021300906052b0e03021a050004145e3246e50a4dad079a61f99fa3297c01d802e038

I've loaded up openssl but I really need to know in simple terms using an online process or tool how to compute the process "signature s raised to the power of 3 modulus n".

Any help most appreciated. Having emulated the process described in the link, one then wants to see what it means for the MIB2.

I reckon if one mastered this then one can start editing the map upload files and anything else that needed signed files etc.

Edit: you do the maths in Python; I was kindly given the formulae for the worked example:

s=0x384fc032192a20fd1e242ad64af5b509a76a7432f754aff0d6b74a7ec2072cbb11e91f68f569508b77712d1869edd6d0b9923eb77ba815dba8e44d5e09412cdf2e830518f3b38d48df892a3a0c65cc67f109e5e0f5f06ce0376d032ab21051510f3dab7f75fcdf54a96d8aa7f3c617f76d
e=3
n=0xC0F389EEC7B66C9DC736508FF88AEB1FB113942EAD020814D08D29E868F14B2086BCD7DDCCBA7559F999E76D24619660BBE17434DA59988087F2A99CD465B1FF423522B78CB0DE463A669613D356DFA9E86E0E2E0B6DAB5DE89131C5A0727AEAB1767278AB101DCD9C3CFC1026705C1DAB3BF53BF50AFAFB3F52DA2CEB0BEE57

>>> x = pow(s, e, n)
>>> hex(x)
'0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff003021300906052b0e03021a050004145e3246e50a4dad079a61f99fa3297c01d802e038L'
>>>

Pick off this bit as per the worked example.

3021300906052b0e03021a050004145e3246e50a4dad079a61f99fa3297c01d802e038

Feed into

https://lapo.it/asn1js/#3021300906052B0E03021A05000414A9BC4DC6DBF5A02B19E87DD56D9236EBADA47A2A

For the final bit to give the ASN.1 hex string which is the lock to the file. The metachecksum is locked to the rest of the file less the signature and the statement itself. The chipping away process and this program to get the SHA-1

https://raylin.wordpress.com/downloads/md5-sha-1-checksum-utility/

The keys in the original post are applicable to the MIB2 High ones since I got the SHA-1 hash from the method to tally with the signatures that were protecting a VW POI upload file and a map update file. Haven't progressed it further yet, but interesting to note the public signatures are out there.

Perhaps all this is known....
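
The check discussed in the post above (signature raised to the power e modulo n, then the padded DigestInfo and SHA-1 hash), written out as an added example that is not part of the original thread or of any MIB2 code. The key is a constructed toy key built from two published primes, the signed data is sample text, and all function names are hypothetical.

```python
import hashlib
import hmac

# DER DigestInfo prefix for SHA-1: the same bytes that precede the hash in the post's output.
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def encode_em(digest: bytes, k: int) -> bytes:
    """Expected block for a k-byte modulus: 00 01 FF..FF 00 || DigestInfo || SHA-1."""
    t = SHA1_PREFIX + digest
    if len(digest) != 20 or k < len(t) + 11:
        raise ValueError("bad digest length or modulus too small")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def recover_em(s: int, e: int, n: int) -> bytes:
    """The pow(s, e, n) step from the post, returned as a fixed-width byte string."""
    if not 0 <= s < n:
        raise ValueError("signature out of range")
    return pow(s, e, n).to_bytes((n.bit_length() + 7) // 8, "big")

def verify(data: bytes, s: int, e: int, n: int) -> bool:
    """Re-encode the expected block and compare every byte, padding included,
    rather than only picking off the trailing hash bytes."""
    em = recover_em(s, e, n)
    expected = encode_em(hashlib.sha1(data).digest(), len(em))
    return hmac.compare_digest(em, expected)

def toy_key():
    """Constructed demo key (n, e, d) from two published primes (the P-384 and
    Curve448 field primes). Nothing about it is secret; it only feeds the demo."""
    p = 2**384 - 2**128 - 2**96 + 2**32 - 1
    q = 2**448 - 2**224 - 1
    return p * q, 3, pow(3, -1, (p - 1) * (q - 1))

def toy_sign(data: bytes, n: int, d: int) -> int:
    """Sign sample data with the toy key so the verifier has something to check."""
    k = (n.bit_length() + 7) // 8
    em = encode_em(hashlib.sha1(data).digest(), k)
    return pow(int.from_bytes(em, "big"), d, n)

if __name__ == "__main__":
    n, e, d = toy_key()
    meta = b"constructed metainfo body"  # sample data, not from a real update file
    sig = toy_sign(meta, n, d)
    print(recover_em(sig, e, n).hex())   # same 0001ff...00 3021... layout as in the post
    print(verify(meta, sig, e, n), verify(meta + b"!", sig, e, n))
```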
 

ziritionix

New member
May 12, 2012
1
0
Hi, can anyone help me get the key for root access? my hash is 0y2tvwJ338zFo

My unit is a MIB2 High.

Thanks a lot.
 

aigort

New member
Feb 20, 2018
2
0
Hi, I'm trying to update a hacked unit. But I'm not sure how to perform the procedure. What I do not want is to lose the hack. The MIB2 High is from Seat. Could someone help me or advise me? Greetings.

Sent from my Mi Note 3 using Tapatalk
 

sg33

New member
Feb 21, 2018
1
0
Chillout, you say that you can use one of these adapters, but I have read elsewhere that ver. c1 with chip AX88772B does not work. Have you managed to get ver. c1 to work OK?

D-Link DUB-E100 (0x2001, 0x3c05) h/w ver. b1
D-Link DUB-E100 (0x2001, 0x1a02) h/w ver. c1
 

Top Liked Posts

  • 2
    Hello everyone, hope I'm posting in the right place!

    I own a VW Golf MK7 with the Discover Pro media system.

    Recently I found a copy of the update package for it, and dabbling inside I found out a ton of cool info.

    It's based on a Tegra 2 platform, and runs QNX 1.2b. There seems to be a way to telnet to the system somehow. Inside the files I found a ton of stuff, like what seems to be the user and root passwords?

    Code:
    root:x:0:0::/root/:/bin/sh
    user:x:100:100::/eso:/bin/sh
    nopasswd root::0:0::/root/:/bin/sh
    user::100:100:FTP User:/eso:/bin/sh
    group root:x:0:
    user:x:100:user
    root:f7otIPwQDbHLw:1320853303:0:0
    user:6TfLBY3WGivFU:1324310912:0:0
    ffs3.1ver #DATUM 2037

    I don't know much about QNX, maybe someone can help and something can be done? Unlocking Mirrorlink? Unlocking other features? Installing apps? Installing android on it since it's Tegra 2 Based?

    Thanks for the time and help!
    2
    I found this text by root: daPzPBI8LXeWY. Could you help me decrypt it?
    You have a Skoda? ;)
    2
    Sorry for the late reply... but you inspired me some time ago to start digging into this.

    I've built a serial cable to connect into the back of the Discover Pro MIB1 unit, and now I've got root access to the unit. So far I haven't been able to enable SWAP features, but I did make some changes to the Green Engineering Menu, that allow me to set stuff and run scripts from SD again.

    I also enabled WLAN hotspot on the Non-telephone-capable unit, but I haven't been able to put it into WLAN Client mode yet... that's another hurdle for an other time, I guess. Enabling wlan unhides the Google Earth and online services checkboxes in the navigation, but since it doesn't have any connection yet... it doesn't do much.


    I would love to exchange thoughts and experiences about this device!!
    2
    Hi,

    Some questions:

    1) Is this also possible with MIB2 "non-pro"?

    2) Is it required to enable the Green Manufacturer Menu to enable TELNET access?

    3) Does the USB dongle have the TELNET server enabled all the time, or only when the Green Menu is enabled?

    Thank you for sharing this info.

    1: should be possible, just use one of the network adapters I mentioned
    2: as far as I can tell, this is always on. But it doesn't hurt to enable developer mode
    3: all the time.