hacking nac peugeot

[Piest4r]

With stuff like this the manufacturer's showroom should have adjacent or connected maintenance garages who may help with codes etc. They're guaranteed to know them or have access to people who do. Did something similar with my car before (Renault) but I bought it there, they might charge if you didn't.

 

[NooBtheNoob]

It's about extracting the fw from the nac not about changing things on the nac.

Peugeot can't do that.

 

[dpeddi]

I think it would be nice to find out /Data/mnt-wt/public/efs/SecurityFwkInstaller/ca/psaRootCACert.pem,
/Data/mnt-wt/public/efs/SecurityFwkInstaller/certs/ovip_cert.pem and
/Data/mnt-wt/public/efs/SecurityFwkInstaller/keys/ovip_rsa_2048.key

these should allow to unpack encrypted firmware

 

[ecoli79]

Hi everyone! Firstly, sorry for my english
Tell me, please, how I can get access sql-lite data from nac? Can I do it directly from nac throw ssh (telnet) by wire?
I want change my RT6 system to nac in my peugeot 508 first generation.
Thank all

 

[dtosun]

Anybody know how can I replace RCC with NAC?

 

[Il gladiatore]

NAC screen resolution

I am using the screen2auto application to transmit the phone screen to the NAC, only not knowing the resolution I find the image cut on the sides.
I wanted to ask the community if they know the NAC "SCREEN WIDTH / SCREEN HEIGHT / DPI" screen resolution. thank you

 

[rui.saraiva]

I am using the screen2auto application to transmit the phone screen to the NAC, only not knowing the resolution I find the image cut on the sides.
I wanted to ask the community if they know the NAC "SCREEN WIDTH / SCREEN HEIGHT / DPI" screen resolution. thank you

https://developer.groupe-psa.io/webportal/v1/overview/infotainment-system/#screen-size

 

[dpeddi]

https://developer.groupe-psa.io/webportal/v1/overview/infotainment-system/#screen-size

interesting...

on my wave 3 i have no extra app except the "peugeot" do nothing app...

It would be interesting if the nac check the https certificate or if it accept self signed one.. if yes it would be possible to build a proxy and deploy our app.

Maybe it could be possible to reuse snippets from https://github.com/Mwyann/psakey/

 

[GuestD4234]

I think it would be nice to find out /Data/mnt-wt/public/efs/SecurityFwkInstaller/ca/psaRootCACert.pem,
/Data/mnt-wt/public/efs/SecurityFwkInstaller/certs/ovip_cert.pem and
/Data/mnt-wt/public/efs/SecurityFwkInstaller/keys/ovip_rsa_2048.key
these should allow to unpack encrypted firmware

I have found keys to decrypt firmware in Github "psa-nac-firmware-reverse-engineering"

I have uploaded firmware, decrypted-extracted firmware, and script_keys in google drive to make it easier to download anyone who is interested in this.
"drive.google.com/drive/folders/1_twUGEcjGGxYGINgGsaCYC23DraC8pNx?usp=sharing"
PS: I am no expert in all these, just here to find a way to enable 5GHZ (wireless), wireless android auto, and tomtom traffic in Australia.

 

[VLud]

I have found keys to decrypt firmware in Github "psa-nac-firmware-reverse-engineering"

I have uploaded firmware, decrypted-extracted firmware, and script_keys in google drive to make it easier to download anyone who is interested in this.
PS: I am no expert in all these, just here to find a way to enable 5GHZ (wireless), wireless android auto, and tomtom traffic in Australia.

You can't do that from reading the firmware, the Code Signing Certificate key is mandatory to be able to do anything interesting.

 

[turbare]

following this

 

[galaxys]

Bookmarked as well....

 

[therabbitwindfall]

Any idea how to extract the .FRG (file extension) data?

Using Windows 7-Zip you can open FRG file (sure only decrypted). But 7zip say that is not a full pack. I think it's simple some type of archive splitted on a parts.
What exactly part should be used you can find from FirmwareList.ini

 

[bennebartsch]

Very interesting thread, thank's for sharing all your work!
I am searching for a way to control things like the backlight of the NAC or Climate externally. Any ideas?

 

[therabbitwindfall]

Very interesting thread, thank's for sharing all your work!
I am searching for a way to control things like the backlight of the NAC or Climate externally. Any ideas?

Use CAN-bus. For example Arduino+CAN Shield

 

[bennebartsch]

Use CAN-bus. For example Arduino+CAN Shield

Is there any documentation about the CAN Commands or do i need to reverse engeneer?

 

[therabbitwindfall]

Is there any documentation about the CAN Commands or do i need to reverse engeneer?

I don't saw open sourced CAN commands Start from here hackaday DOT com/2017/05/04/reverse-engineering-the-peugeot-207s-can-bus/

 

[therabbitwindfall]

I mean, as a developer you always have to keep a back door clear in case the system breaks.

And they done this with recovery USB that make full reflash. Image of whole firmware (base) and after that they can install prod firmware. But I don't know anyone who doing this. All sales-managers instead sell you new NAC or used one. Just business... ((

 

[carson512]

Sad to hear...:crying:

But there must be some possibility for the recovery mode, or not?
I mean, as a developer you always have to keep a back door clear in case the system breaks.

What if you try to use the usb stick?

As far as we know there's an option called engineer mode.

# Activate engineering mode
# engineering_mode=0 (Absent) engineering_mode=1 (Present)
engineering_mode=1

Maybe it has another effect.
My ideas would be that maybe you can use it to call a function / module to unlock.

Like this:

# Create one spy
# create_spy=0 (don't create spy) create_spy=1 (create spy)
create_spy=1
# Option to automatically sync spies with USB. Currently it exports spies to USB and delete the existing ones on NAND
sync_spies_with_usb=1

Or maybe just leave the USB Stick (with engineering_mode=1) plugged in and see if something changes at the ports.

And maybe the engineer mode is bound to an "id" to work.
To copy spylogs you also need engineer mode and an id (id = ???).
It won't work without the id.

Search for something like this:

#USB Demo file
[general]
id=

This is the complete procedure to copy spylogs from nac directly to usb without doing anything.

#USB Demo file
[general]
id=?????????????

# Activate engineering mode
# engineering_mode=0 (Absent) engineering_mode=1 (Present)
engineering_mode=1

# Create one spy
# create_spy=0 (don't create spy) create_spy=1 (create spy)
create_spy=1

# Option to automatically sync spies with USB. Currently it exports spies to USB and delete the existing ones on NAND
sync_spies_with_usb=1

---------- Post added at 12:34 PM ---------- Previous post was at 12:02 PM ----------

Found it!

The id is ->

9cfd0bf57a94a3beb6c990e9c9c78247a8bc78fd3310aa6f58a247f8dabe3b7f

You find it under rootfs\usr\bin\sem_dm_server



So the complete content of the usb file is

#USB Demo file
[general]
id=9cfd0bf57a94a3beb6c990e9c9c78247a8bc78fd3310aa6f58a247f8dabe3b7f

# Activate engineering mode
# engineering_mode=0 (Absent) engineering_mode=1 (Present)
engineering_mode=1

# Create one spy
# create_spy=0 (don't create spy) create_spy=1 (create spy)
create_spy=1

# Option to automatically sync spies with USB. Currently it exports spies to USB and delete the existing ones on NAND
sync_spies_with_usb=1

Create a file and rename it to ID (without any file extension!) and copy the code above into the file.
Copy the file in the root directory of the usb stick and plug it in to the nac.

After you insert it in the nac, it will copy the spylogs to usb.

And maybe you can do other things with the engineering mode.

I got rootfs\usr\bin\sem_dm_server is file and use ida to open. Can't find the id you said...


Also I try to modify the rootfs.fsn.Then may update use the modify rootfs.
But can't encrypt ....
I just decrypt rootfs.fsn02.And use the crt file in SWL to encrypt the rootfs.fsn02.

openssl smime -encrypt -binary -in /home/ubuntu/psa-nac-firmware-reverse-engineering-main/rootfsdir/decrypted/NAC_B2/OVIP/rootfs.fsn02 -out /home/ubuntu/psa-nac-firmware-reverse-engineering-main/rootfsdir/test02.fsn /home/ubuntu/psa-nac-firmware-reverse-engineering-main/SWL/001315201563355623/Certificates/DPCA-OVIP-CS-G1.crt

But the file out is not same with the original file. Is that the public key or encrypt command error.I think just the key error.
How to find the original public key.

 

[tuncina]

Selam,
Yazdığınız her şeyi uyguladım ve yaklaşık 50 "dlt" dosyasına baktım. Ancak araçta bağımsız telematik kutusu için IMEI numarasını bulamadım.

DLT Viewer - Step by Step for Windows

Meşguldüm, bu yüzden biraz zaman aldı DLT Viewer'ın çıktısı muhtemelen birçok insan için anlamlı olmayacak, ancak sonunda kendi sonucunuzu çıkarabilirsiniz. Her adımı not etmek için her şeyi sıfırdan kaldırdım ve yeniden yükledim. Bu, casus günlükleri 1111 kodunu kullanarak dışa aktardığınızı ve bunları PC'nize yerleştirdiğinizi varsayar.

1. Lz4 sıkıştırılmış casus günlüklerini çıkarmak için bir araç indirin.
   • 7-zip araçlarının / eklentilerinin hiçbiri benim için işe yaramadı.
   • Komut satırından buradaki ikililerden birini kullanabilirsiniz: github.com/lz4/lz4/releases. Dosyaları ayıklamak için komut satırından "lz4.exe <dosya adı> .dlt.lz4" komutunu çalıştırın.
   • Bir GUI arayüzü için reboot.pro/topic/22062-lz4-compressor adresine bakın. Araç içinde, VHD dosya alanında lz4 dosyanızı seçmeniz gerekir (örn. "1_startup_20190924_181656.dlt.lz4"). Lz4 Klasörü alanında çıktı klasörünü seçin . LZ4 alanını boş bırakın . Dosyayı çıkarmak için SIKIŞTIR düğmesine tıklayın (Biliyorum, düğmenin adı bir anlam ifade etmiyor).
   • Bir .dlt dosyası elde etmelisiniz.
2. Visual Studio Community Edition 2015'i indirin ve yükleyin: stackoverflow.com/questions/44290672/how-to-download-visual-studio-community-edition-2015-not-2017
   • Kurulum sırasında Özel kurulum ve Programlama Dilleri -> Visual C ++ 'ı seçin
3. DLT Viewer'ı indirin ve açın: github.com/GENIVI/dlt-viewer/archive/master.zip
4. Qt 5.12.6'yı indirin ve yükleyin: download.qt.io/official_releases/qt/5.12/5.12.6/qt-opensource-windows-x86-5.12.6.exe
   • Kurulum sırasında aşağıdaki bileşeni seçin: Qt -> Qt 5.12.6 -> MSVC 2015 64-bit
5. Derleyiciyi Qt'de yapılandırın
   • Araçlar menüsüne gidin -> Seçenekler
   • Sol bölmede Kitleri seçin -> Kitler sekmesi
   • "Otomatik algılandı" altında "Dekstop Qt 5.12.6 ..." seçeneğini tıklayın
   • Derleyici C'yi seçin: < Derleyici yok>
   • Derleyici C ++ için seçin: Microsoft Visual C ++ Derleyici 14.0 (amd64)
6. DLT Görüntüleyici projesini derleyin ve çalıştırın
   • Qt içinde Open Project'e tıklayın ve DLT Viewer'ın sıkıştırılmamış klasöründeki BuildDltViewer.pro projesini açın.
   • Qt, Projeler sayfasına geçecektir (aksi takdirde soldaki Projeler'e tıklayın)
   • Aktif Proje için BuildDltViewer seçilmelidir
   • Sağdaki Projeyi Yapılandır'a tıklayın
   • Build menüsüne gidin -> Build Project ...
   • Yapı tamamlandığında, Build menüsü -> Run'a gidin.
   • Dosya -> Aç'a gidin ve .dlt dosyalarından birini açın.
   • DLT Görüntüleyici kılavuzu şu adreste bulunabilir: at.projects.genivi.org/wiki/display/PROJ/DLT+Viewer+Manual

DLT Görüntüleyici çıktısına bakmak için fazla zaman harcamadım, bu yüzden kimsenin bunu çözmesine yardım edemem. Bulgularınızdan herhangi birini paylaşmaktan çekinmeyin.
[/ALINTI]