Hacking UConnect update data

Discussion in 'Audio & Electronics' started by LoneJeeper, Jan 3, 2017.

  1. LoneJeeper

    LoneJeeper Junior Member

    Age:
    37
    Posts:
    9
    Likes Received:
    1
    Joined:
    Jan 3, 2017
    Location:
    Earth
    Ram Year:
    2013
    Engine:
    Hemi 5.7
    Looks like I'd need to have a different firmware set or ISO to jailbreak and get root access... I assume I can do some clever Google dorking to find the ISOs I'd need but haven't given it much time.

    I've got a plan to dump the entire filesystem to my thumbdrive via sh script. I've got a QNX emulation setup started to test with. If I can emulate the UConnect setup in a VM it gives me a lot more power (and I don't risk bricking my truck).

    Hopefully the process Valasek used is still viable; I haven't found anyone trying it since the updated firmware from the Wired/Jeep fiasco.

    There's some Ferrari-related interface stuff under /usr/share/SKINS/Ferrari, unless you want a FIAT logo as your wallpaper, that's there, too.
     
  2. 00R/T

    00R/T Supporting Member

    Posts:
    1,451
    Likes Received:
    899
    Joined:
    Apr 18, 2016
    Location:
    CT
    Ram Year:
    2013
    Engine:
    5.7 HEMI


    Zautotech doesn't do anything with the UConnect software itself. His stuff commands modules and sets configuration options over the CAN bus.
     
  3. LoneJeeper

    The UConnect does (or at least did) have the same ability. The Jeep hack early last year used a service that was open on the Sprint network to gain access and then send messages through the UConnect to CAN to disable brakes, muck with HVAC, etc.

    A lot of the CAN stuff via the OBD2 interface used to simply use packet flooding to pull things off (it might still, I haven't kept up). When the CAN processor received more messages from the OBD2 hardware than from the actual hardware, it simply followed the direction of whoever sent the most messages, or the message that got there first, essentially.

    That's why CAN needs packet authentication and authorization. WAN/LAN networks started out with the same problems, but we as a species just can't seem to avoid making the same mistakes over and over. There's not a technical reason why spoofing should still work; it boils down to laziness and/or cost.
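
An added example, not part of the original post: a minimal sketch of the frame authentication the post above calls for, using a truncated HMAC plus a freshness counter so a receiver ignores spoofed, replayed or flooded frames. The frame layout (4 data bytes, 1 counter byte, 3 MAC bytes), the key and the CAN ID 0x244 are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MAC_LEN = 3              # truncated MAC bytes carried in each frame
TRAILER = 1 + MAC_LEN    # counter low byte + MAC; leaves 4 data bytes in classic CAN

def frame_mac(key, can_id, counter, data):
    # The MAC covers the arbitration ID and the full counter, not just the payload.
    msg = struct.pack(">IQ", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

class Sender:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.counter = key, can_id, 0

    def build(self, data):
        if len(data) > 8 - TRAILER:
            raise ValueError("payload too long for a classic CAN frame")
        self.counter += 1
        tag = frame_mac(self.key, self.can_id, self.counter, data)
        return data + bytes([self.counter & 0xFF]) + tag

class Receiver:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.last = key, can_id, 0

    def accept(self, payload):
        """Return the data bytes if the frame is authentic and fresh, else None."""
        if len(payload) < TRAILER:
            return None
        data, low, tag = payload[:-TRAILER], payload[-TRAILER], payload[-MAC_LEN:]
        counter = (self.last & ~0xFF) | low      # rebuild full counter from low byte
        if counter <= self.last:                 # must move forward: blocks replays
            counter += 0x100
        if not hmac.compare_digest(tag, frame_mac(self.key, self.can_id, counter, data)):
            return None
        self.last = counter
        return data

def demo():
    key = b"constructed-demo-key"                # constructed; real keys are provisioned per ECU
    tx, rx = Sender(key, 0x244), Receiver(key, 0x244)   # 0x244 is a made-up CAN ID
    first = tx.build(b"\x01\x00")
    second = tx.build(b"\x02\x00")
    tampered = bytes([second[0] ^ 0xFF]) + second[1:]    # altered data, stale MAC
    return {
        "genuine": rx.accept(first),
        "replay": rx.accept(first),
        "flood": sum(rx.accept(tampered) is not None for _ in range(1000)),
        "next_genuine": rx.accept(second),
    }
```

The 1000 altered frames are all dropped and the legitimate sender's next frame is still accepted, so message volume alone no longer decides which command wins.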
     
  4. 00R/T

    Right, you can control pretty much anything in the vehicle via one of the CAN buses. My point was that Zautotech has done nothing directly to the radios themselves. It accomplishes things like activating the backup camera or SRT pages by modifying the BCM configuration so the radio thinks it's in a car that is supposed to have those options. It's a very different method and has far less potential than what you would get if you could execute custom code on the radio.
     
  5. LoneJeeper

    Yep, I'm with you, the UConnect is a better target than OBD2 control.
     
  6. LoneJeeper

    Updated my UConnect with some custom script work and have a full filesystem copy on a USB drive. They do a verification of the .iso at first, but you can pull the USB after the first reboot and swap in a different USB with a hacked .iso. It does not appear to reverify the iso. I edited some of the .sh files to perform a backup to the USB disk and then also copy the entire filesystem to the same.

    It appears to also let you reinstall the same firmware version again, so you'd be able to make multiple attempts.

    For now, I'm working on copying the filesystem into the QNX VM to see if I can emulate UConnect on my laptop.
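
An added example, not part of the original post: the verify-once-then-reread pattern described above is a time-of-check/time-of-use gap, shown here beside a hardened updater that stages the image on internal storage and verifies the staged bytes immediately before use. The function names, file names and image contents are constructed for illustration, and the expected digest is assumed to come from a signed manifest.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def read_bytes(path):
    with open(path, "rb") as f:
        return f.read()

def check_then_reread(media, expected, reboot):
    """Pattern from the post: verify the removable media once, reboot, read it again."""
    if sha256_file(media) != expected:
        return None
    reboot()                       # the media can change during this window
    return read_bytes(media)       # installs whatever is on the media now

def stage_then_verify(media, expected, reboot, staging_dir):
    """Copy to internal storage first, then verify the staged bytes right before use."""
    staged = os.path.join(staging_dir, "staged.img")
    shutil.copyfile(media, staged)
    reboot()                       # changes to the removable media no longer matter
    if sha256_file(staged) != expected:
        os.remove(staged)
        return None
    return read_bytes(staged)

def demo():
    vendor, other = b"vendor image (constructed)", b"different image (constructed)"
    expected = hashlib.sha256(vendor).hexdigest()   # assumed to come from a signed manifest
    with tempfile.TemporaryDirectory() as d:
        media = os.path.join(d, "usb.iso")
        def put(data):
            with open(media, "wb") as f:
                f.write(data)
        put(vendor)
        weak = check_then_reread(media, expected, lambda: put(other))
        put(vendor)
        strong = stage_then_verify(media, expected, lambda: put(other), d)
        put(other)
        rejected = stage_then_verify(media, expected, lambda: None, d)
    return weak == other, strong == vendor, rejected is None
```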
     
  7. Brew99

    Brew99 Member

    Posts:
    42
    Likes Received:
    5
    Joined:
    Nov 14, 2016
    Location:
    Victoria, Canada
    Ram Year:
    2016
    Engine:
    3.6
    That's great progress you are making. Would like to see the future things you can pull off using a VM environment where you are not worried about bricking your Uconnect!!
     
  8. HeavyOne

    HeavyOne Member

    Posts:
    43
    Likes Received:
    6
    Joined:
    Jun 30, 2014
    Ram Year:
    2014
    Engine:
    6.7L
    Awesome work!
     
  9. LoneJeeper

    When I get something worth sharing, I'll prop up a GitHub repo and share the code/VM files.
     
  10. timjthomas23

    timjthomas23 Junior Member

    Age:
    37
    Posts:
    15
    Likes Received:
    0
    Joined:
    Jan 9, 2017
    Ram Year:
    2014
    Engine:
    Hemi 5.7
    In for update

     
