Golf MK7 Discover Pro Hack possible?


Chillout

Senior Member
Jul 15, 2008
243
175
Have we seen this link?

https://reverseengineering.stackexchange.com/questions/12286/defeat-rsa-hash-verification/12287

Basically it covers the MetafileChecksum and the signatures. Problem is I need an A, B, C of how to do the activities. I sort of guess that the public key is the same or failing that it can be read from the unit? Have we got that key yet?

The n in the example is a chunk of the public key.

I can't work out the process for doing "signature s raised to the power of 3 modulus n" (my two maths degrees were too long ago for that). I guess somewhere on the net there are some boxes to fill in that gives you the

0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff003021300906052b0e03021a050004145e3246e50a4dad079a61f99fa3297c01d802e038

I've loaded up openssl but I really need to know in simple terms using an online process or tool how to compute the process "signature s raised to the power of 3 modulus n".

Any help most appreciated. Having emulated the process described in the link, one then wants to see what it means for the MIB2.

I reckon if one mastered this then one can start editing the map upload files and anything else that needed signed files etc.

Edit: you do the maths in Python. I was kindly given the formulae for the worked example:

s=0x384fc032192a20fd1e242ad64af5b509a76a7432f754aff0d6b74a7ec2072cbb11e91f68f569508b77712d1869edd6d0b9923eb77ba815dba8e44d5e09412cdf2e830518f3b38d48df892a3a0c65cc67f109e5e0f5f06ce0376d032ab21051510f3dab7f75fcdf54a96d8aa7f3c617f76d
e=3
n=0xC0F389EEC7B66C9DC736508FF88AEB1FB113942EAD020814D08D29E868F14B2086BCD7DDCCBA7559F999E76D24619660BBE17434DA59988087F2A99CD465B1FF423522B78CB0DE463A669613D356DFA9E86E0E2E0B6DAB5DE89131C5A0727AEAB1767278AB101DCD9C3CFC1026705C1DAB3BF53BF50AFAFB3F52DA2CEB0BEE57

>>> x = pow(s, e, n)
>>> hex(x)
'0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff003021300906052b0e03021a050004145e3246e50a4dad079a61f99fa3297c01d802e038L'
>>>

Pick off this bit as per the worked example.

3021300906052b0e03021a050004145e3246e50a4dad079a61f99fa3297c01d802e038

Feed into

https://lapo.it/asn1js/#3021300906052B0E03021A05000414A9BC4DC6DBF5A02B19E87DD56D9236EBADA47A2A

For the final bit to give the ASN.1 hex string which is the lock to the file. The metachecksum is locked to the rest of the file less the signature and the statement itself. The chipping away process and this program to get the SHA-1

https://raylin.wordpress.com/downloads/md5-sha-1-checksum-utility/

The keys in the original post are applicable to the MIB2 High ones since I got the SHA-1 hash from the method to tally with the signatures that were protecting a VW POI upload file and a map update file. Haven't progressed it further yet, but interesting to note the public signatures are out there.

Perhaps all this is known....

Sorry for the late reply. I didn't know this (although I do know the topic on stackexchange). Did you get any further with this?


chillout, you say that you can use one of these adapters but I have read elsewhere that ver. c1 with chip AX88772B does not work. Have you managed to get ver. c1 to work OK?

D-Link DUB-E100 (0x2001, 0x3c05) h/w ver. b1
D-Link DUB-E100 (0x2001, 0x1a02) h/w ver. c1
I didn't test them all. All I know is the stuff I mentioned should be supported according to the config files.
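
Added example, not part of any post in this thread: the check discussed above (signature s raised to e = 3 modulo n, then reading the SHA-1 DigestInfo off the end) written as a strict PKCS#1 v1.5 verifier in Python 3.8+. The key is a constructed test key built from two published curve primes, not a MIB2 key, and `recover_digest`, `verify` and `sign` are names chosen here.

```python
import hashlib

# DER DigestInfo header for SHA-1: the same 15 bytes that precede the
# 20-byte hash in the hex output quoted in the post.
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def recover_digest(s: int, e: int, n: int) -> bytes:
    """Return the SHA-1 digest carried in signature s, or raise ValueError."""
    k = (n.bit_length() + 7) // 8
    em = pow(s, e, n).to_bytes(k, "big")        # the "s^e mod n" step
    # Expected layout: 00 01 FF..FF 00 || DigestInfo, filling all k bytes.
    # The whole head is compared, so only padding may precede the DigestInfo.
    pad_len = k - 3 - len(SHA1_PREFIX) - 20
    head = b"\x00\x01" + b"\xff" * pad_len + b"\x00" + SHA1_PREFIX
    if pad_len < 8 or em[:len(head)] != head:
        raise ValueError("not a well-formed PKCS#1 v1.5 SHA-1 signature")
    return em[-20:]

def verify(data: bytes, s: int, e: int, n: int) -> bool:
    """True only if s is a valid signature over SHA-1(data)."""
    try:
        return recover_digest(s, e, n) == hashlib.sha1(data).digest()
    except ValueError:
        return False

# Constructed test key (assumption, NOT a MIB2 key). Both primes are
# congruent to 2 mod 3, so e = 3 is invertible modulo (P-1)(Q-1).
P = 2**384 - 2**128 - 2**96 + 2**32 - 1         # NIST P-384 field prime
Q = 2**448 - 2**224 - 1                         # Curve448 field prime
N, E = P * Q, 3
D = pow(E, -1, (P - 1) * (Q - 1))

def sign(data: bytes) -> int:
    """Test-only signer so the verifier has something to check."""
    k = (N.bit_length() + 7) // 8
    t = SHA1_PREFIX + hashlib.sha1(data).digest()
    em = b"\x00\x01" + b"\xff" * (k - 3 - len(t)) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), D, N)

SAMPLE = b"constructed metainfo body"           # constructed sample input
SIG = sign(SAMPLE)
```

`recover_digest(SIG, E, N).hex()` gives the 40 hex characters that would follow `...05000414` in the `hex(x)` output; `verify` then compares them with the SHA-1 of the signed bytes.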
 

silkston38

New member
Mar 10, 2018
1
0
Vw tdi

Sent from my SM-G930F using Tapatalk

---------- Post added at 12:16 PM ---------- Previous post was at 12:12 PM ----------

Vw tdi g

Sent from my SM-G930F using Tapatalk
 

MORKAS

Member
Mar 3, 2010
27
0
Hello, greetings, this post is very interesting. I'm trying to get into the MIB2 in my car through telnet (a lifelong friend who works in computing, I think on networking issues, has helped me and explained it), but I do not know the root password or user. I'm very unfamiliar with this terminal, but I would like to look into the system. I wanted to know if it is possible to get in some way without being root. I do not know if I explained myself well, thanks.

Sent from my SM-G935F using Tapatalk
 

ac-xda

New member
Apr 25, 2018
1
0
Sorry to jump into the thread, but I have an issue with my Discover Pro in my Golf...

Basically it's stuck trying to update the firmware. It went in for a service and whilst updating the firmware it must have locked up or they pulled the SD card.
I have tried to update it myself, however when I insert the SD card with the firmware, it recognises it but ends up back at the current installing page telling me to reinsert the firmware media.

I also get a software update error every time I start the ignition.

So, is there a way to reset the unit or override the current failed update?

Thanks in advance
 

hugo_nz

New member
Apr 29, 2018
4
1
Auckland
Hey guys, I have a 2017 Tiguan with Discover Media MIB2 (same as the Pro minus the sim-card slot). You can access all the coding and features using the OBD-Eleven dongle and app. I have one and have done plenty of customisation on the headunit. Wifi is super easy to enable and the hardware exists in the headunit (yes, the Non-Pro one), but things like Google Earth and Street View require VW CarNet which isn't available in NZ. I can enable all the functions, but since I cannot enrol into the service I cannot enable them, and so none of the features that rely on CarNet work.

The MIB2 headunits also have the coding options to allow Wireless Car Play and Wireless Android Auto, but trying to activate them simply results in an error. To get past that you need a SWaP (Software as Product) release code from VW, and AFAIK those can only be generated in Germany.
 

vierchatura

New member
Apr 19, 2018
3
1
MIB RCC login with password: harman_f

Hi

Could anyone tell me how I could log in to RCC with the known password: harman_f
I get the login screen but the root login password is unknown.
As I know, for all navi the RCC login is the same harman_f, but that login to enter and how to log in?
 

raptik

New member
Apr 4, 2009
2
0
Hey guys, anyone here willing to share any version of firmware files for VW MIB2 (preferably v0343 or newer) or anyone willing to make full dump of the VW MIB2's flash?
 

henno88

Senior Member
Jan 31, 2011
53
18
Can anyone tell me how to mount the root dir of RCC rw?
I have tried
mount -uw /
mount -uw /usr

Not working.
On other QNX systems there is a marker file .boot, but it seems not to be used in RCC.
 

absetup

New member
Feb 6, 2019
1
0
pw

Hello,
how can I copy all data of the MIB1 to the SD card?
I tried many commands but always get errors.
 

VAG_Grimreaper

New member
Mar 12, 2019
1
2
I have a Harman 9.2 and wanted to see if root access was possible?

5na 035 020a / firmware version 1161

I tried using the serial method by building a custom loom (USB to TTL) and plugging into the blue plug, but no SSH access at all; RX is flashing on the TTL adapter.
I tried wifi access by enabling the hotspot and again I can ping the headunit but get no access via port 22 or port 23.

My final resort is the D-Link USB / ethernet adapter, which I hope will work!
I am assuming firmware 1161 has blocked the above access methods?

Any help would be appreciated!!
 

offsystem

New member
May 18, 2017
3
0
Hello

Is it possible to flash an image from SD card in emergency mode?

I need different firmware on unit but SD card train is being rejected.

Thx
 

camarao69

Senior Member
Jun 2, 2010
65
4
Oporto
Codecs

Can some expert in this subject please explain to me if it is possible to add video codecs to MIB2 units, especially the ones that don't play videos (discovery media, composition, bolero...)? Do they have any hardware limitation for not playing videos?

Thank you
 

Fastredz

New member
Dec 12, 2019
1
1
Hi everyone, newbie user here.
Have read this thread with great interest.

I have bought a VW Discover Media head unit to try to get it to work in my VW T6 Transporter Startline.

VW dealer has removed the component protection and the unit worked for 5 mins.
After that all the extras stopped working.
Apps, nav, tel. Only radio works.
I've been told that as my Transporter didn't have these from the factory then they won't be enabled in the head unit.
Google and a few retrofit companies have also said it won't work.

So reading this thread, am I correct in thinking the unit can be hacked so all systems will work in my VW T6?
Please treat me as a complete newbie with the tech and hacking.
 

veso266

Member
Feb 27, 2019
15
6
Enabling Engineering menu without the CAN cable

Hi there, new here.
Does anyone know if it is possible to enable the green developer menu without needing to use an OBD2 cable (because I don't want to buy 50$ + 90$ software (VCDS) if I only need to activate the green Engineering menu)?

Thanks and Best Regards
 

Top Liked Posts

  • 2
    Hello everyone, hope I'm posting in the right place!

    I own a VW Golf MK7 with the Discover Pro media system.

    Recently I found a copy of the update package for it, and dabbling inside I found out a ton of cool info.

    It's based on a Tegra 2 platform, and runs QNX 1.2b. There seems to be a way to telnet to the system somehow. Inside the files I found a ton of stuff, like what seems to be the user and root passwords?

    Code:
    root:x:0:0::/root/:/bin/sh
    user:x:100:100::/eso:/bin/sh
    nopasswd root::0:0::/root/:/bin/sh
    user::100:100:FTP User:/eso:/bin/sh
    group root:x:0:
    user:x:100:user
    root:f7otIPwQDbHLw:1320853303:0:0
    user:6TfLBY3WGivFU:1324310912:0:0
    ffs3.1ver #DATUM 2037

    I don't know much about QNX, maybe someone can help and something can be done? Unlocking Mirrorlink? Unlocking other features? Installing apps? Installing android on it since it's Tegra 2 Based?

    Thanks for the time and help!
    2
    I found by root this text: daPzPBI8LXeWY could you help me with decrypt???
    You have a Skoda? ;)
    2
    Sorry for the late reply... but you inspired me some time ago to start digging into this.

    I've built a serial cable to connect into the back of the Discover Pro MIB1 unit, and now I've got root access to the unit. So far I haven't been able to enable SWAP features, but I did make some changes to the Green Engineering Menu, that allow me to set stuff and run scripts from SD again.

    I also enabled WLAN hotspot on the Non-telephone-capable unit, but I haven't been able to put it into WLAN Client mode yet... that's another hurdle for an other time, I guess. Enabling wlan unhides the Google Earth and online services checkboxes in the navigation, but since it doesn't have any connection yet... it doesn't do much.


    I would love to exchange thoughts and experiences about this device!!
    2
    Yes indeed.

    Open efs-system.img from the firmware files, search for root:
    If you find root:, you will see the password hash. This hash is 3des, and can be cracked. That will be your password.
    2
    Hi,

    Some questions:

    1) This can be possible also with MIB2 "non-pro"?

    2) To enable the TELNET access is required to enable the Green Manufacturer Menu?

    3) The USB dongle has all the time the TELNET server enabled, or only when the Green Menu is enabled?

    Thank you for sharing this info.

    1: should be possible, just use one of the network adapters I mentioned
    2: as far as I can tell, this is always on. But it doesn't hurt to enable developer mode
    3: all the time.