hacking nac peugeot

MitchtheMitch

Member
Sep 28, 2019
10
0
0
It seems there isn't any USB HID support, so no external keyboard...
@rui.saraiva in the dlt.service file it is subscribed that a connection via ethernet could be established.

Therefore you have to use a d link dub e100 with the correct settings.

It is necessary that the ethernet adapter has to be plugged in when the nac is starting.

Did you try that?

@horuscurcino you wrote you did extract the firmware, did you extract it only with binwal or over uart?

@peugeotmafia the button is to advise your embedded system to search musik, Radio channel, to call somebody, to navigate, try to press the button short and say navigate to address.

If you press the button longer it will connect this functions to your phone.

Regards
 

Crunchy_Nuts

Member
Apr 9, 2018
9
5
0
It seems there isn't any USB HID support, so no external keyboard...
Sad to hear...:crying:

But there must be some possibility for the recovery mode, or not?:confused:
I mean, as a developer you always have to keep a back door clear in case the system breaks.:confused:

What if you try to use the usb stick?

As far as we know there's an option called engineer mode.
Code:
# Activate engineering mode
# engineering_mode=0 (Absent) engineering_mode=1 (Present)
engineering_mode=1
Maybe it has another effect.
My ideas would be that maybe you can use it to call a function / module to unlock.

Like this:
Code:
# Create one spy
# create_spy=0 (don't create spy) create_spy=1 (create spy)
create_spy=1
# Option to automatically sync spies with USB. Currently it exports spies to USB and delete the existing ones on NAND
sync_spies_with_usb=1
Or maybe just leave the USB Stick (with engineering_mode=1) plugged in and see if something changes at the ports.

And maybe the engineer mode is bound to an "id" to work.
To copy spylogs you also need engineer mode and an id (id = ???).
It won't work without the id.

Search for something like this:

Code:
#USB Demo file
[general]
id=
This is the complete procedure to copy spylogs from nac directly to usb without doing anything.

Code:
#USB Demo file
[general]
id=?????????????

# Activate engineering mode
# engineering_mode=0 (Absent) engineering_mode=1 (Present)
engineering_mode=1

# Create one spy
# create_spy=0 (don't create spy) create_spy=1 (create spy)
create_spy=1

# Option to automatically sync spies with USB. Currently it exports spies to USB and delete the existing ones on NAND
sync_spies_with_usb=1


---------- Post added at 12:34 PM ---------- Previous post was at 12:02 PM ----------

Found it!

The id is ->
Code:
9cfd0bf57a94a3beb6c990e9c9c78247a8bc78fd3310aa6f58a247f8dabe3b7f

You find it under rootfs\usr\bin\sem_dm_server



So the complete content of the usb file is
Code:
#USB Demo file
[general]
id=9cfd0bf57a94a3beb6c990e9c9c78247a8bc78fd3310aa6f58a247f8dabe3b7f

# Activate engineering mode
# engineering_mode=0 (Absent) engineering_mode=1 (Present)
engineering_mode=1

# Create one spy
# create_spy=0 (don't create spy) create_spy=1 (create spy)
create_spy=1

# Option to automatically sync spies with USB. Currently it exports spies to USB and delete the existing ones on NAND
sync_spies_with_usb=1
Create a file and rename it to ID (without any file extension!) and copy the code above into the file.
Copy the file in the root directory of the usb stick and plug it in to the nac.

After you insert it in the nac, it will copy the spylogs to usb.

And maybe you can do other things with the engineering mode. :D
 
Last edited:

rui.saraiva

Member
Apr 4, 2020
10
5
3
Lisbon
@MitchtheMitch I did try the USB2Eth device after a hard reboot (long press on the phone toggle switch), the device is detected and the module is loaded, but no iface configured. Exactly the same if I plug it later.
@Crunchy_Nuts The SWL\*\Firmware\FirmwareList.ini has lines such as:
Code:
INSTALL_PACKAGE 0x0 oip-ssw-security-usergroup-helper-swl
DELETE_FILE /Data/mnt-wt/MessagingAppl/node/MsgTemplates.db
INSTALL_TAR_FROM_FILE / 42129 $(MEDIA_ROOT)/SWL/001315031486100876/Firmware/AUTO/1010113/ALL/OVIP/efs-app-data-resource.tar.gz
DELETE_FOLDER /mnt/mmc_ovip/media/datastore/radio
So maybe there's a way to write directly to the filesystem.
@horuscurcino Your files are from a Chinese NAC firmware 22.06.17.42.
 

MitchtheMitch

Member
Sep 28, 2019
10
0
0
@MitchtheMitch I did try the USB2Eth device after a hard reboot (long press on the phone toggle switch), the device is detected and the module is loaded, but no iface configured. Exactly the same if I plug it later.

@Crunchy_Nuts The SWL\*\Firmware\FirmwareList.ini has lines such as:
Code:
INSTALL_PACKAGE 0x0 oip-ssw-security-usergroup-helper-swl
DELETE_FILE /Data/mnt-wt/MessagingAppl/node/MsgTemplates.db
INSTALL_TAR_FROM_FILE / 42129 $(MEDIA_ROOT)/SWL/001315031486100876/Firmware/AUTO/1010113/ALL/OVIP/efs-app-data-resource.tar.gz
DELETE_FOLDER /mnt/mmc_ovip/media/datastore/radio
So maybe there's a way to write directly to the filesystem.

@horuscurcino Your files are from a Chinese NAC firmware 22.06.17.42.
Did you change the ip address for the ethernet device to 192.168.2.122?

Netmask 255.255.255.0
 

rui.saraiva

Member
Apr 4, 2020
10
5
3
Lisbon
Did you change the ip address for the ethernet device to 192.168.2.122?

Netmask 255.255.255.0
The network interface isn't configured. You can see that in the engineering mode cheatcode (1140 IIRC) or dmesg - you can force create a new spylog (press and hold the 4th toggle switch (vehicle button) until you hear a beep) and extract that from the .dlt files. I had my network interface in promiscuous mode and no traffic. I also did try running a dhcp daemon to no avail.
 

MitchtheMitch

Member
Sep 28, 2019
10
0
0
The network interface isn't configured. You can see that in the engineering mode cheatcode (1140 IIRC) or dmesg - you can force create a new spylog (press and hold the 4th toggle switch (vehicle button) until you hear a beep) and extract that from the .dlt files. I had my network interface in promiscuous mode and no traffic. I also did try running a dhcp daemon to no avail.

When you connect the ethernet adapter and then press 1140 in the engineer mode, it should show you an ip.

Maybe it is only working when you use it with the dlt viewer.

It is described that way in the dlt. Service data.
 

rui.saraiva

Member
Apr 4, 2020
10
5
3
Lisbon
Any idea how to extract the .FRG (file extension) data?
The usr/bin/swl-manager binary handles that .FRG files (and all the update process). It seems those fragment files are kind of .tar files - bunch of files and metadata. The first 11 bytes are always the same (signature+version?), they have an header with some commands (RUN_EXECUTABLE is one of them) and fields such as number of files, file length, checksum.

I did extract the readwrite-data.tar.gz file from 1010110.FRG, using binwalk. The 401021*.FRG have .s files with some sort of xxd dump and the *_no*.FRG are "empty" fragments, only header+metadata - it might be useful to understand the format.
 
  • Like
Reactions: horuscurcino

rui.saraiva

Member
Apr 4, 2020
10
5
3
Lisbon
Hi guys! Anyone know if is possibile to send G. Maps (using Android auto connection) on the 3d icockpit screen, like the stock Nav on a new Peugeot 208?
No, you can only see the AA (and CarPlay/MirrorLink) in the central touchscreen. That infotainment system is basically the same used in older cars. The 3008 can have the NAC Wave 2 or 4 (in HYbrid/HYbrid4 versions) and the 208 the NAC Wave 3 or 4 systems.
Or RCC Wave 2 and 3, in systems without integrated sat nav.
 

enzolo42

New member
May 23, 2012
1
0
0
No, you can only see the AA (and CarPlay/MirrorLink) in the central touchscreen. That infotainment system is basically the same used in older cars. The 3008 can have the NAC Wave 2 or 4 (in HYbrid/HYbrid4 versions) and the 208 the NAC Wave 3 or 4 systems.
Or RCC Wave 2 and 3, in systems without integrated sat nav.
Hi Rui,

Did you succeed to dump the filesystem ?
I would like to know if there are tracklogs, location and routes history inside.

Thanks

Regards
 
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone