Hacking UConnect update data

LoneJeeper

Junior Member
Joined
Jan 3, 2017
Posts
9
Reaction score
3
Location
Earth
Ram Year
2013
Engine
Hemi 5.7
Hello all.

Perhaps my google-fu is failing me, as I didn't find much related to what I'm up to.... so far what I've found is interesting.

I have a fair amount of hardware and software hacking experience under my belt, so when I found out that I'm eligible for a UConnect update, and that I can apply it myself, the wheels in my brain started turning. At this point, I'm mostly curious as to if this has been explored or if anyone has a source on it that I couldn't find.

It is possible to 'explode' the update file, explore the update's file structure, files themselves, make edits, recompile the update files and the truck will use this new data to update the UConnect system.

Obviously, the usual warnings and caveats regarding warranty, bricking, etc all apply here.... I also think it is a huge mistake to put these files into the hands of end users as opposed to it being a dealer-only operation.

I've only given this a couple hours, but I've found where I could change dashboard colors, icons, and some text. It appears I can also export a system backup back out to my USB drive and run whatever shell commands I'd want. My end goal is to have my truck connect to the wireless internet at my house and transfer files to USB storage.

Other interesting finds:

Proxy options:
* Set up the truck to proxy all traffic through my home lab.
* This lets me see what requests and data are being sent/received and intercept any/all files, plus inject my own.

Sat/Nav setup options:
* I have Sat/Nav, so I'd have to see how other update files differ, but perhaps you could enable it through here.

Cameras:
* I have seen some camera information in the .lua code, need to dig here more.

Button action data:
* Decompiling the *.swf files, I've seen some ActionScript concerning button names and corresponding scripts which I'd have to pull from the filesystem, but I can run my own edited .sh scripts... I just don't know, yet, how to trigger a second update once I've got those files.


I haven't yet seen where there is any tamper detection or MD5/SHA checksum going on, nor have I found where it is tied to the VIN. Given the RAX hack needs the VIN, it's probably in there somewhere I haven't found... I expect a method very similar to what I'm up to is used in the RAX kit.

So, anyone else know of some research into this area?
 
LoneJeeper

Some of the Theme spec, looks like most of the interface is .swf. There's a call for the wallpaper toward the end.

I'd be glad to share any/all of what I have or have found.

package {
    public class RAM142LonghornTanThemeDocumentClass extends BaseThemeDocumentClass {
        override protected function defineFontSWFFileName():void {
            super.defineFontSWFFileName();
            mFontSWFFileName = "NimbusSanL-Regu.swf";
        }
        override protected function defineColorValues():void {
            super.defineColorValues();
            mColorValues["MainThemeColor"] = {
                hexValue:12671279, hue:17, saturation:76, brightness:76, contrast:0
            };
            mColorValues["SecondaryThemeColor"] = {
                hexValue:12142105, hue:17, saturation:86, brightness:73, contrast:0
            };
            mColorValues["BarThemeColor"] = {
                hexValue:10446654, hue:25, saturation:61, brightness:62, contrast:0
            };
        }
        override protected function defineStyles():void {
            super.defineStyles();
            mBarGraphic = {
                method:"colorTransform", alpha:1, color:colorValues["BarThemeColor"]
            };
        }
    }
}//package

package {
    import flash.display.*;
    public dynamic class WallpaperBitmapData extends BitmapData {
        public function WallpaperBitmapData(_arg1:int=640, _arg2:int=480) {
            super(_arg1, _arg2);
        }
    }
}//package

package {
    import flash.display.*;
    public dynamic class ThumbnailBitmapData extends BitmapData {
        public function ThumbnailBitmapData(_arg1:int=200, _arg2:int=90) {
            super(_arg1, _arg2);
        }
    }
}//package
 

00R/T

Senior Member
Supporting Member
Joined
Apr 18, 2016
Posts
1,278
Reaction score
808
Location
CT
Ram Year
2013
Engine
5.7 HEMI
There's a guy on a Jeep forum that has done some promising work. There is a checksum verification in the boot loader, but it may be possible to bypass it. I messed with the files for a few days but ended up putting it on the back burner because I wanted to focus my tinkering time on my CAN bus projects.

I'm looking forward to seeing what you find.
 

BAMF

Senior Member
Joined
May 29, 2016
Posts
206
Reaction score
121
Location
Southern Louisiana
Ram Year
2015 Big Horn
Engine
Hemi 5.7
Way over my head.... Haha. Interesting though

 

tcazes

Senior Member
Joined
Dec 7, 2016
Posts
198
Reaction score
48
Ram Year
2013
Engine
5.7L
I'd love to find an ability to manipulate the comfort settings to adjust the auto on air conditioned seat function at a lower temp like say 72. I hate having to click the air seats on every time lol first world problems.
 

tcazes

Lol you and my wife both. I'd like heat to kick on at 55-60 and below and air to come on around 70-72 and above
 

Ram Man

Senior Member
Joined
Jul 1, 2010
Posts
492
Reaction score
116
Location
FL
Ram Year
2013 Sport
Engine
5.7
These are my favorite types of threads. Taking the path less followed!

The different color schemes only apply to the newer model uconnects so it would be awesome to have them on the 13 too!

Check out mr_z_automotive on Instagram or zautotech.com, I have been following him for awhile, he does some great work on the uconnects in chargers/challengers.
 
LoneJeeper

Looks like I'd need to have a different firmware set or iso to jailbreak and get root access... I assume I can do some clever google dorking to find the ISOs I'd need but haven't given it much time.

I've got a plan to dump the entire filesystem to my thumbdrive via sh script. I've got a QNX emulation setup started to test with. If I can emulate the UConnect setup in a VM it gives me a lot more power (and I don't risk bricking my truck).

Hopefully the process Valasek used is still viable, I haven't found anyone trying it since updated firmware from the Wired/Jeep fiasco.

There's some Ferrari-related interface stuff under /usr/share/SKINS/Ferrari, unless you want a FIAT logo as your wallpaper, that's there, too.
 

00R/T

Ram Man said:
> These are my favorite types of threads. Taking the path less followed!
>
> The different color schemes only apply to the newer model uconnects so it would be awesome to have them on the 13 too!
>
> Check out mr_z_automotive on Instagram or zautotech.com, I have been following him for awhile, he does some great work on the uconnects in chargers/challengers.

Zautotech doesn't do anything with the UConnect software itself. His stuff commands modules and sets configuration options over the CAN bus.
 
LoneJeeper

The UConnect does (or at least did) have the same ability. The Jeep hack early last year used a service that was open on the Sprint network to gain access and then send messages through the UConnect to CAN to disable brakes, muck with HVAC, etc.

A lot of the CAN stuff via OBD2 interface used to simply use packet flooding to pull things off (it might still, I haven't kept up). When the CAN processor received more messages from the OBD2 hardware than the actual hardware, it simply followed the direction of whoever sent the most messages, or the message that got there first, essentially.

That's why CAN needs packet authentication and authorization, WAN/LAN networks started out with the same problems, but we as a species just can't seem to avoid making the same mistakes over and over. There's not a technical reason why spoofing should still work, it boils down to laziness and/or cost.
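
Added example, not part of the post above and not taken from any vehicle's code: a minimal Python sketch of the per-frame authentication the post argues CAN needs, where each payload carries a freshness counter and a truncated HMAC so a receiver drops spoofed and replayed frames no matter how many arrive. The frame layout (data, 4-byte counter, 8-byte tag, which needs CAN FD payload sizes), the shared key and the ID 0x123 are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MAC_LEN = 8  # truncated tag length in bytes (assumed frame layout)

def tag(key: bytes, can_id: int, ctr: bytes, data: bytes) -> bytes:
    # The MAC covers the arbitration ID, the freshness counter and the data.
    msg = struct.pack(">I", can_id) + ctr + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

class Sender:
    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.counter = key, can_id, 0

    def frame(self, data: bytes) -> bytes:
        self.counter += 1
        ctr = struct.pack(">I", self.counter)
        return data + ctr + tag(self.key, self.can_id, ctr, data)

class Receiver:
    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.last = key, can_id, 0

    def accept(self, payload: bytes):
        """Return the data if the frame is authentic and fresh, else None."""
        if len(payload) < 4 + MAC_LEN:
            return None
        data = payload[:-(4 + MAC_LEN)]
        ctr = payload[-(4 + MAC_LEN):-MAC_LEN]
        mac = payload[-MAC_LEN:]
        if not hmac.compare_digest(mac, tag(self.key, self.can_id, ctr, data)):
            return None  # sender does not hold the key, or frame was altered
        counter = struct.unpack(">I", ctr)[0]
        if counter <= self.last:
            return None  # replay of an old, valid frame
        self.last = counter
        return data

def demo():
    key, can_id = b"constructed-demo-key", 0x123  # constructed values
    ecu, rx = Sender(key, can_id), Receiver(key, can_id)
    genuine = ecu.frame(b"\x01\x00")
    forged = b"\xff\xff" + struct.pack(">I", 9) + bytes(MAC_LEN)
    flood = [rx.accept(forged) for _ in range(1000)]  # volume does not help
    return rx.accept(genuine), rx.accept(genuine), any(flood)
```

`demo()` returns the genuine data once, `None` for the replayed copy, and `False` for the flood of unkeyed frames.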
 

00R/T

Right, you can control pretty much anything in the vehicle via one of the CAN buses. My point was that zautotech has done nothing directly to the radios themselves. It accomplishes things like activating the backup camera or SRT pages by modifying the BCM configuration so the radio thinks it's in a car that is supposed to have those options. It's a very different method and has far less potential than what you would get if you could execute custom code on the radio.
 
LoneJeeper

Yep, I'm with you, the UConnect is a better target than OBD2 control.
 
LoneJeeper

Updated my UConnect with some custom script work and have a full filesystem copy on a USB drive. They do a verification of the .iso at first, but you can pull the USB after the first reboot and swap in a different USB with a hacked .iso. It does not appear to reverify the iso. I edited some of the .sh files to perform a backup to the USB disk and then also copy the entire filesystem to the same.

It appears to also let you reinstall the same firmware version again, so you'd be able to make multiple attempts.

For now, I'm working on copying the filesystem into the QNX VM to see if I can emulate UConnect on my laptop.
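
Added example, not part of the post above and not UConnect code: a minimal Python model of the verify-once-then-install sequence the post describes, next to a variant that pins the digest accepted before the reboot and re-checks the exact bytes it installs afterwards. The `Updater` class, the in-memory media and the trusted digest (standing in for a value taken from a signed manifest) are assumptions.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class Updater:
    """Two-stage installer: verify, reboot, then install from the media."""

    def __init__(self, trusted_digest: str, reverify: bool):
        self.trusted = trusted_digest  # assumed to come from a signed manifest
        self.reverify = reverify
        self.pinned = None             # persistent state that survives the reboot
        self.installed = None

    def stage1_verify(self, media: bytes) -> None:
        if sha256(media) != self.trusted:
            raise ValueError("image rejected before reboot")
        self.pinned = self.trusted

    def stage2_install(self, media: bytes) -> None:
        if self.pinned is None:
            raise RuntimeError("no verified update pending")
        image = bytes(media)  # read once, then check and install the same bytes
        if self.reverify and sha256(image) != self.pinned:
            self.pinned = None
            raise ValueError("image changed after verification")
        self.installed, self.pinned = image, None

def run(reverify: bool, swap_media: bool) -> str:
    vendor = b"vendor image (constructed)"
    other = b"different image (constructed)"
    up = Updater(sha256(vendor), reverify)
    up.stage1_verify(vendor)
    try:
        # The device reboots between stages; the media may have changed.
        up.stage2_install(other if swap_media else vendor)
    except ValueError:
        return "rejected"
    return "installed" if up.installed == vendor else "installed-unverified"
```

With `reverify=False` the model installs whatever is present at the second stage; with `reverify=True` changed media is rejected while an unchanged image still installs.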
 

Brew99

Member
Joined
Nov 14, 2016
Posts
65
Reaction score
8
Location
Victoria, Canada
Ram Year
2016
Engine
3.6
That's great progress you are making. Would like to see the future things you can pull off using a VM environment where you are not worried about bricking your Uconnect!!
 
LoneJeeper

When I get something worth sharing, I'll prop up a github repo and share the code/vm files.
 

timjthomas23

Junior Member
Joined
Jan 9, 2017
Posts
15
Reaction score
1
Ram Year
2014
Engine
Hemi 5.7
In for update
