hacking nac peugeot

Piest4r

Member
Jul 28, 2020
With stuff like this the manufacturer's showroom should have adjacent or connected maintenance garages who may help with codes etc. They're guaranteed to know them or have access to people who do. Did something similar with my car before (Renault) but I bought it there, they might charge if you didn't.
 

dpeddi

Senior Member
Mar 10, 2007
I think it would be nice to find out /Data/mnt-wt/public/efs/SecurityFwkInstaller/ca/psaRootCACert.pem,
/Data/mnt-wt/public/efs/SecurityFwkInstaller/certs/ovip_cert.pem and
/Data/mnt-wt/public/efs/SecurityFwkInstaller/keys/ovip_rsa_2048.key

these should allow to unpack encrypted firmware
 

ecoli79

New member
Sep 6, 2020
Hi everyone! Firstly, sorry for my English :eek:
Tell me, please, how can I get access to the SQLite data from the NAC? Can I do it directly from the NAC through ssh (telnet) by wire?
I want to change my RT6 system to a NAC in my Peugeot 508 first generation.
Thanks, all :)
 

Il gladiatore

New member
Oct 5, 2014
NAC screen resolution

I am using the screen2auto application to transmit the phone screen to the NAC, only not knowing the resolution I find the image cut on the sides.
I wanted to ask the community if they know the NAC "SCREEN WIDTH / SCREEN HEIGHT / DPI" screen resolution. thank you
 

dpeddi

Senior Member
Mar 10, 2007

GuestD4234

New member
Oct 31, 2020
I think it would be nice to find out /Data/mnt-wt/public/efs/SecurityFwkInstaller/ca/psaRootCACert.pem,
/Data/mnt-wt/public/efs/SecurityFwkInstaller/certs/ovip_cert.pem and
/Data/mnt-wt/public/efs/SecurityFwkInstaller/keys/ovip_rsa_2048.key
these should allow to unpack encrypted firmware
I have found keys to decrypt firmware in Github "psa-nac-firmware-reverse-engineering"

I have uploaded the firmware, the decrypted and extracted firmware, and script_keys to Google Drive to make it easier to download for anyone who is interested in this.
"drive.google.com/drive/folders/1_twUGEcjGGxYGINgGsaCYC23DraC8pNx?usp=sharing"
PS: I am no expert in all these, just here to find a way to enable 5GHZ (wireless), wireless android auto, and tomtom traffic in Australia.
 

VLud

New member
Nov 2, 2020
I have found keys to decrypt firmware in Github "psa-nac-firmware-reverse-engineering"

I have uploaded the firmware, the decrypted and extracted firmware, and script_keys to Google Drive to make it easier to download for anyone who is interested in this.
PS: I am no expert in all these, just here to find a way to enable 5GHZ (wireless), wireless android auto, and tomtom traffic in Australia.
You don't make it easier at all, you just steal work that is not yours and divide people from the original source :mad:
Put the Github link instead of yours. You also expose yourself to copyright issues; that's why firmware archives are not on the repo.

And yes, you are clearly not an expert. You can't do that from reading the firmware; the Code Signing Certificate key is mandatory to be able to do anything interesting.
 

bennebartsch

Member
Mar 15, 2018
Very interesting thread, thanks for sharing all your work!
I am searching for a way to control things like the backlight of the NAC or Climate externally. Any ideas?
 

therabbitwindfall

New member
Nov 8, 2020
I mean, as a developer you always have to keep a back door clear in case the system breaks.:confused:
And they did this with a recovery USB that does a full reflash. An image of the whole firmware (base), and after that they can install the prod firmware. But I don't know anyone who is doing this. All sales managers instead sell you a new NAC or a used one. Just business... ((
 

carson512

Member
Aug 18, 2006
Sad to hear...:crying:

But there must be some possibility for the recovery mode, or not?:confused:
I mean, as a developer you always have to keep a back door clear in case the system breaks.:confused:

What if you try to use the usb stick?

As far as we know there's an option called engineer mode.
Code:
# Activate engineering mode
# engineering_mode=0 (Absent) engineering_mode=1 (Present)
engineering_mode=1
Maybe it has another effect.
My ideas would be that maybe you can use it to call a function / module to unlock.

Like this:
Code:
# Create one spy
# create_spy=0 (don't create spy) create_spy=1 (create spy)
create_spy=1
# Option to automatically sync spies with USB. Currently it exports spies to USB and delete the existing ones on NAND
sync_spies_with_usb=1
Or maybe just leave the USB Stick (with engineering_mode=1) plugged in and see if something changes at the ports.

And maybe the engineer mode is bound to an "id" to work.
To copy spylogs you also need engineer mode and an id (id = ???).
It won't work without the id.

Search for something like this:

Code:
#USB Demo file
[general]
id=
This is the complete procedure to copy spylogs from nac directly to usb without doing anything.

Code:
#USB Demo file
[general]
id=?????????????

# Activate engineering mode
# engineering_mode=0 (Absent) engineering_mode=1 (Present)
engineering_mode=1

# Create one spy
# create_spy=0 (don't create spy) create_spy=1 (create spy)
create_spy=1

# Option to automatically sync spies with USB. Currently it exports spies to USB and delete the existing ones on NAND
sync_spies_with_usb=1
---------- Post added at 12:34 PM ---------- Previous post was at 12:02 PM ----------

Found it!

The id is ->
Code:
9cfd0bf57a94a3beb6c990e9c9c78247a8bc78fd3310aa6f58a247f8dabe3b7f

You find it under rootfs\usr\bin\sem_dm_server



So the complete content of the usb file is
Code:
#USB Demo file
[general]
id=9cfd0bf57a94a3beb6c990e9c9c78247a8bc78fd3310aa6f58a247f8dabe3b7f

# Activate engineering mode
# engineering_mode=0 (Absent) engineering_mode=1 (Present)
engineering_mode=1

# Create one spy
# create_spy=0 (don't create spy) create_spy=1 (create spy)
create_spy=1

# Option to automatically sync spies with USB. Currently it exports spies to USB and delete the existing ones on NAND
sync_spies_with_usb=1
Create a file and rename it to ID (without any file extension!) and copy the code above into the file.
Copy the file in the root directory of the usb stick and plug it in to the nac.

After you insert it in the nac, it will copy the spylogs to usb.

And maybe you can do other things with the engineering mode. :D
I got the rootfs\usr\bin\sem_dm_server file and used IDA to open it. Can't find the id you said...


Also, I tried to modify the rootfs.fsn, so that I could then update using the modified rootfs.
But I can't encrypt it...
I just decrypted rootfs.fsn02 and used the crt file in SWL to encrypt the rootfs.fsn02.

openssl smime -encrypt -binary -in /home/ubuntu/psa-nac-firmware-reverse-engineering-main/rootfsdir/decrypted/NAC_B2/OVIP/rootfs.fsn02 -out /home/ubuntu/psa-nac-firmware-reverse-engineering-main/rootfsdir/test02.fsn /home/ubuntu/psa-nac-firmware-reverse-engineering-main/SWL/001315201563355623/Certificates/DPCA-OVIP-CS-G1.crt
But the output file is not the same as the original file. Is that a public key error or an encrypt command error? I think it's just a key error.
How do I find the original public key?
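
Added example, not part of the original post: `openssl smime -encrypt` generates a fresh random content key and IV on every run, so two encryptions of the same file to the same certificate never match byte for byte, and comparing the output against the original .fsn file cannot show whether the certificate is the right one. The sketch below uses a throwaway self-signed key and certificate and a constructed payload (assumptions, none of it PSA material) and checks the result by decrypting instead.

```shell
#!/usr/bin/env bash
# Added example: every key, certificate and file here is a throwaway value
# constructed for the demonstration.

# Encrypt one file twice to the same recipient certificate, report whether the
# two ciphertexts are identical, then confirm that decryption restores the input.
cms_roundtrip_demo() {
    local d i
    d=$(mktemp -d) || return 1

    # Throwaway RSA-2048 key and self-signed certificate (stand-in recipient).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-recipient" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 1

    # Constructed sample payload standing in for a decrypted image.
    printf 'constructed sample rootfs payload\n' > "$d/plain.bin"

    # Same plaintext, same certificate, two separate runs.
    for i in 1 2; do
        openssl smime -encrypt -binary -aes-256-cbc -outform DER \
            -in "$d/plain.bin" -out "$d/enc$i.der" "$d/cert.pem" || return 1
    done

    if cmp -s "$d/enc1.der" "$d/enc2.der"; then
        echo "ciphertext=same"
    else
        echo "ciphertext=differs"
    fi

    # The meaningful check: decrypt with the matching private key and compare.
    openssl smime -decrypt -binary -inform DER -in "$d/enc2.der" \
        -recip "$d/cert.pem" -inkey "$d/key.pem" -out "$d/dec.bin" || return 1

    if cmp -s "$d/plain.bin" "$d/dec.bin"; then
        echo "roundtrip=ok"
    else
        echo "roundtrip=failed"
    fi

    rm -rf "$d"
}

cms_roundtrip_demo
```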
 

tuncina

New member
Feb 27, 2021
Hello,
I applied everything you wrote and looked at about 50 "dlt" files. However, I could not find the IMEI number for the standalone telematics box in the vehicle.

DLT Viewer - Step by Step for Windows

I was busy, so it took a while :) The output of DLT Viewer probably won't be meaningful to many people, but in the end you can draw your own conclusions. I uninstalled and reinstalled everything from scratch in order to note each step. This assumes that you have exported the spy logs using code 1111 and placed them on your PC.

  1. Download a tool to extract the lz4-compressed spy logs.
    • None of the 7-zip tools / plugins worked for me.
    • From the command line you can use one of the binaries here: github.com/lz4/lz4/releases. To extract the files, run "lz4.exe <filename>.dlt.lz4" from the command line.
    • For a GUI interface, see reboot.pro/topic/22062-lz4-compressor. Within the tool, you need to select your lz4 file in the VHD file field (e.g. "1_startup_20190924_181656.dlt.lz4"). Select the output folder in the Lz4 Folder field. Leave the LZ4 field blank. Click the COMPRESS button to extract the file (I know, the name of the button doesn't make sense).
    • You should end up with a .dlt file.
  2. Download and install Visual Studio Community Edition 2015: stackoverflow.com/questions/44290672/how-to-download-visual-studio-community-edition-2015-not-2017
    • During installation select Custom installation and Programming Languages -> Visual C++
  3. Download and unzip DLT Viewer: github.com/GENIVI/dlt-viewer/archive/master.zip
  4. Download and install Qt 5.12.6: download.qt.io/official_releases/qt/5.12/5.12.6/qt-opensource-windows-x86-5.12.6.exe
    • During installation select the following component: Qt -> Qt 5.12.6 -> MSVC 2015 64-bit
  5. Configure the compiler in Qt
    • Go to the Tools menu -> Options
    • In the left pane select Kits -> Kits tab
    • Under "Auto-detected" click "Desktop Qt 5.12.6 ..."
    • For Compiler C select: <No compiler>
    • For Compiler C++ select: Microsoft Visual C++ Compiler 14.0 (amd64)
  6. Build and run the DLT Viewer project
    • In Qt click Open Project and open the BuildDltViewer.pro project in the unzipped DLT Viewer folder.
    • Qt will switch to the Projects page (otherwise click Projects on the left)
    • BuildDltViewer should be selected as the Active Project
    • Click Configure Project on the right
    • Go to the Build menu -> Build Project ...
    • When the build is complete, go to the Build menu -> Run.
    • Go to File -> Open and open one of the .dlt files.
    • The DLT Viewer manual can be found at: at.projects.genivi.org/wiki/display/PROJ/DLT+Viewer+Manual

I haven't spent much time looking at the DLT Viewer output, so I can't help anyone figure it out. Feel free to share any of your findings.