hacking nac peugeot

[rui.saraiva]

It seems there isn't any USB HID support, so no external keyboard...

 

[MitchtheMitch]

It seems there isn't any USB HID support, so no external keyboard...

@rui.saraiva in the dlt.service file it is subscribed that a connection via ethernet could be established.

Therefore you have to use a d link dub e100 with the correct settings.

It is necessary that the ethernet adapter has to be plugged in when the nac is starting.

Did you try that?

@horuscurcino you wrote you did extract the firmware, did you extract it only with binwal or over uart?

@peugeotmafia the button is to advise your embedded system to search musik, Radio channel, to call somebody, to navigate, try to press the button short and say navigate to address.

If you press the button longer it will connect this functions to your phone.

Regards

 

[Crunchy_Nuts]

It seems there isn't any USB HID support, so no external keyboard...

Sad to hear...:crying:

But there must be some possibility for the recovery mode, or not?
I mean, as a developer you always have to keep a back door clear in case the system breaks.

What if you try to use the usb stick?

As far as we know there's an option called engineer mode.

# Activate engineering mode
# engineering_mode=0 (Absent) engineering_mode=1 (Present)
engineering_mode=1

Maybe it has another effect.
My ideas would be that maybe you can use it to call a function / module to unlock.

Like this:

# Create one spy
# create_spy=0 (don't create spy) create_spy=1 (create spy)
create_spy=1
# Option to automatically sync spies with USB. Currently it exports spies to USB and delete the existing ones on NAND
sync_spies_with_usb=1

Or maybe just leave the USB Stick (with engineering_mode=1) plugged in and see if something changes at the ports.

And maybe the engineer mode is bound to an "id" to work.
To copy spylogs you also need engineer mode and an id (id = ???).
It won't work without the id.

Search for something like this:

#USB Demo file
[general]
id=

This is the complete procedure to copy spylogs from nac directly to usb without doing anything.

#USB Demo file
[general]
id=?????????????

# Activate engineering mode
# engineering_mode=0 (Absent) engineering_mode=1 (Present)
engineering_mode=1

# Create one spy
# create_spy=0 (don't create spy) create_spy=1 (create spy)
create_spy=1

# Option to automatically sync spies with USB. Currently it exports spies to USB and delete the existing ones on NAND
sync_spies_with_usb=1

---------- Post added at 12:34 PM ---------- Previous post was at 12:02 PM ----------

Found it!

The id is ->

9cfd0bf57a94a3beb6c990e9c9c78247a8bc78fd3310aa6f58a247f8dabe3b7f

You find it under rootfs\usr\bin\sem_dm_server



So the complete content of the usb file is

#USB Demo file
[general]
id=9cfd0bf57a94a3beb6c990e9c9c78247a8bc78fd3310aa6f58a247f8dabe3b7f

# Activate engineering mode
# engineering_mode=0 (Absent) engineering_mode=1 (Present)
engineering_mode=1

# Create one spy
# create_spy=0 (don't create spy) create_spy=1 (create spy)
create_spy=1

# Option to automatically sync spies with USB. Currently it exports spies to USB and delete the existing ones on NAND
sync_spies_with_usb=1

Create a file and rename it to ID (without any file extension!) and copy the code above into the file.
Copy the file in the root directory of the usb stick and plug it in to the nac.

After you insert it in the nac, it will copy the spylogs to usb.

And maybe you can do other things with the engineering mode.

 

[horuscurcino]

@MitchtheMitch did the extraction using the firmware file from web and binwalk.
I have compiled both Rui.Saraiva and mine extractions. There is the link: shorturl(dot)at(slash)ozMS8

 

[rui.saraiva]

@MitchtheMitch I did try the USB2Eth device after a hard reboot (long press on the phone toggle switch), the device is detected and the module is loaded, but no iface configured. Exactly the same if I plug it later.
@Crunchy_Nuts The SWL\*\Firmware\FirmwareList.ini has lines such as:

INSTALL_PACKAGE 0x0 oip-ssw-security-usergroup-helper-swl
DELETE_FILE /Data/mnt-wt/MessagingAppl/node/MsgTemplates.db
INSTALL_TAR_FROM_FILE / 42129 $(MEDIA_ROOT)/SWL/001315031486100876/Firmware/AUTO/1010113/ALL/OVIP/efs-app-data-resource.tar.gz
DELETE_FOLDER /mnt/mmc_ovip/media/datastore/radio

So maybe there's a way to write directly to the filesystem.
@horuscurcino Your files are from a Chinese NAC firmware 22.06.17.42.

 

[NooBtheNoob]

@MitchtheMitch did the extraction using the firmware file from web and binwalk.
I have compiled both Rui.Saraiva and mine extractions. There is the link: shorturl(dot)at(slash)ozMS8

Hello @horuscurcino can you explain how to do that?

 

[MitchtheMitch]

@MitchtheMitch I did try the USB2Eth device after a hard reboot (long press on the phone toggle switch), the device is detected and the module is loaded, but no iface configured. Exactly the same if I plug it later.

@Crunchy_Nuts The SWL\*\Firmware\FirmwareList.ini has lines such as:

INSTALL_PACKAGE 0x0 oip-ssw-security-usergroup-helper-swl
DELETE_FILE /Data/mnt-wt/MessagingAppl/node/MsgTemplates.db
INSTALL_TAR_FROM_FILE / 42129 $(MEDIA_ROOT)/SWL/001315031486100876/Firmware/AUTO/1010113/ALL/OVIP/efs-app-data-resource.tar.gz
DELETE_FOLDER /mnt/mmc_ovip/media/datastore/radio

So maybe there's a way to write directly to the filesystem.

@horuscurcino Your files are from a Chinese NAC firmware 22.06.17.42.

Did you change the ip address for the ethernet device to 192.168.2.122?

Netmask 255.255.255.0

 

[horuscurcino]

Hello @horuscurcino can you explain how to do that?

It needs Linux.
https://github.com/ReFirmLabs/binwalk/wiki/Quick-Start-Guide

 

[rui.saraiva]

Did you change the ip address for the ethernet device to 192.168.2.122?

Netmask 255.255.255.0

The network interface isn't configured. You can see that in the engineering mode cheatcode (1140 IIRC) or dmesg - you can force create a new spylog (press and hold the 4th toggle switch (vehicle button) until you hear a beep) and extract that from the .dlt files. I had my network interface in promiscuous mode and no traffic. I also did try running a dhcp daemon to no avail.

 

[MitchtheMitch]

The network interface isn't configured. You can see that in the engineering mode cheatcode (1140 IIRC) or dmesg - you can force create a new spylog (press and hold the 4th toggle switch (vehicle button) until you hear a beep) and extract that from the .dlt files. I had my network interface in promiscuous mode and no traffic. I also did try running a dhcp daemon to no avail.

When you connect the ethernet adapter and then press 1140 in the engineer mode, it should show you an ip.

Maybe it is only working when you use it with the dlt viewer.

It is described that way in the dlt. Service data.

 

[Crunchy_Nuts]

Any idea how to extract the .FRG (file extension) data?

 

[rui.saraiva]

Any idea how to extract the .FRG (file extension) data?

The usr/bin/swl-manager binary handles that .FRG files (and all the update process). It seems those fragment files are kind of .tar files - bunch of files and metadata. The first 11 bytes are always the same (signature+version?), they have an header with some commands (RUN_EXECUTABLE is one of them) and fields such as number of files, file length, checksum.

I did extract the readwrite-data.tar.gz file from 1010110.FRG, using binwalk. The 401021*.FRG have .s files with some sort of xxd dump and the *_no*.FRG are "empty" fragments, only header+metadata - it might be useful to understand the format.

 

[[email protected]]

Hi guys! Anyone know if is possibile to send G. Maps (using Android auto connection) on the 3d icockpit screen, like the stock Nav on a new Peugeot 208?

 

[rui.saraiva]

Hi guys! Anyone know if is possibile to send G. Maps (using Android auto connection) on the 3d icockpit screen, like the stock Nav on a new Peugeot 208?

No, you can only see the AA (and CarPlay/MirrorLink) in the central touchscreen. That infotainment system is basically the same used in older cars. The 3008 can have the NAC Wave 2 or 4 (in HYbrid/HYbrid4 versions) and the 208 the NAC Wave 3 or 4 systems.
Or RCC Wave 2 and 3, in systems without integrated sat nav.

 

[boubaka]

Hi guys !
Did you manage to progress in the project? I am very interested in your work ! :good:

 

[daewoo74]

Hi guys !
Did you manage to progress in the project? I am very interested in your work ! :good:

Hi , it's possible connect android auto wireless in my new peugeot 2008 ?????

 

[Crunchy_Nuts]

Wrong thread friend.

 

[enzolo42]

No, you can only see the AA (and CarPlay/MirrorLink) in the central touchscreen. That infotainment system is basically the same used in older cars. The 3008 can have the NAC Wave 2 or 4 (in HYbrid/HYbrid4 versions) and the 208 the NAC Wave 3 or 4 systems.
Or RCC Wave 2 and 3, in systems without integrated sat nav.

Hi Rui,

Did you succeed to dump the filesystem ?
I would like to know if there are tracklogs, location and routes history inside.

Thanks

Regards

 

[rui.saraiva]

The filesystem dump was already posted.
But that information you might find it in the spylogs.

 

[NooBtheNoob]

Thanks to @horuscurcino.

I tried the uart method on the nac and it seems to work.

I wanted to add photos here, but it does not work

I could even extract data.