
Comments (54)

OneB1t commented on May 24, 2024

I don't think that flashing firmware should be some "underground operation". On many other platforms (phones, PCs or even my dust cleaner) it is a routine operation. But for some reason in the automobile industry you need to be some sort of shaman....

from vw_flash.

OneB1t commented on May 24, 2024

OK, any idea where JTAG/serial is on my type of VC? It looks like there is quite a lot of info about these NVIDIA Tegra based AUDI VCs, but basically nothing about my device (5NA920790B) :-(

I think that for AUDI VCs mileage correction will be possible by just messing with the QNX jar file (take the readout from the security chip and just +- some value to it :-D). Eventually I will need to deal with the same problem, as my cluster is at 130K km and my car only has 101K.

bri3d commented on May 24, 2024

Not sure. Each control module requires its own reverse engineering effort.

Quickly looking at an ODX for these units:

  • Flashing most control units using a stock, signed FRF is pretty easy. This unit seems to use the normal FlashJobUDS layer, so it may be possible to flash an FRF with some enhancements to the flasher project in flash_uds.py. I do see some unimplemented signature blocks in there which we currently do not send with the tester; I would need to look and see whether these need to be sent or not.

  • I have no way of knowing whether the control unit will allow cross-flashing or what will happen if it is attempted, as I don't own one. The data in the ODX seems to be encrypted, so it would take some reverse engineering effort to pull it apart and find out what is going on that way, too.

In short:

  • No current support.
  • It would probably be possible to add FRF flashing support for this control unit with small to moderate effort, although without owning the module I can't be too sure.
  • I can't tell you whether or not the unit will allow a cross-flash as-is without more information. Can this be done with ODIS Engineering or VCP?
  • If it doesn't allow a cross-flash as-is, I can't tell you how hard it would be to patch it to allow a cross-flash, as this would be its own reverse engineering effort.

OneB1t commented on May 24, 2024

Thanks for the info. I just ordered that cluster and it will be my winter project to make it work in my car somehow :) so I'm looking for more information on how to hack it.

Unfortunately there is nearly nothing about it anywhere :-( so when it arrives I will take it apart and try to find some more info based on the chips used.

I have a feeling that it will be possible to cross-flash with ODIS, as there is some guy on a forum who had a version for the e-Golf (5G1920795) and somehow cross-flashed it to 5G1920791

https://www.golfmk7.com/forums/index.php?threads/mk7-5-digital-cockpit-retrofit.348993/page-14

OneB1t commented on May 24, 2024

I want to unpack the ODX file to get the binary so I can poke at it via Ghidra or some other tool..

and I'm stuck on the following part (screenshot omitted):
this part inside the ODX has the following compression/encryption: AA
Where should I get the AES key and IV part? Is it also somewhere inside the ODX, or is the only way to obtain this from the firmware binary?
SA2 I can see inside the ODX, so that I can reuse.

bri3d commented on May 24, 2024

The ENCRYPT-COMPRESS-METHOD in these Virtual Cockpit ODX files is actually 1A.

There is no guaranteed consistency for encrypt/compress methods across control units. It's simply an identifier which is sent with the RequestDownload message to the control unit to let it know what data to expect.

So, there is no way to say for sure that the encryption is AES, or what it is at all.

You have a few options here:

  • Open up a control unit and see if an unencrypted firmware can be extracted physically (debug interface, ROM chip, serial interface, etc.).
  • Hunt through internal / engineering file leaks ("map packs," seedy forums, etc.) to see if an unencrypted ODX file or some kind of engineering firmware dump exists in one.
  • Enter a programming session and test whether RequestUpload was left in UDS for the control unit (unlikely; I have not seen it implemented for years).
  • Extract the encrypted/compressed ODX data (edit the Python script to write out the dataBinary directly) and attempt some form of statistical cryptanalysis on the encrypted/compressed data. This is made a lot harder by compression, but for example on old control units which just used an XOR key, the key could be recovered this way.
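The "write out the dataBinary" and statistical-cryptanalysis options above, as an added example that is neither vw_flash code nor bri3d's: it parses a constructed ODX-F-style container (the element names follow the ODX-F schema, but the document, the method identifier "10", the 4-byte XOR key and the pseudo-firmware are all assumptions made for the demo), writes the payload out for Ghidra, measures its entropy, and recovers a repeating XOR key the way one could on the old XOR-only control units. The recovery relies on erased-flash 0xFF padding dominating every key position; once the data is compressed or a real cipher is used that assumption fails, which is exactly the point made above.

```python
"""Pull the flash payload out of an ODX-F container and inspect it statistically.

Added example, not vw_flash code.  The ODX document, the method identifier,
the XOR key and the pseudo-firmware below are all constructed for the demo.
"""
import math
import xml.etree.ElementTree as ET
from collections import Counter

# ---- ODX-F parsing --------------------------------------------------------

def build_sample_odx(payload: bytes, method: str = "10") -> str:
    """Constructed ODX-F-style container; real ones also carry SECURITYS/SA2 etc."""
    return (
        '<ODX MODEL-VERSION="2.2.0"><FLASH><ECU-MEMS><ECU-MEM><MEM><FLASHDATAS>'
        '<FLASHDATA ID="FD.SAMPLE"><SHORT-NAME>FD_SAMPLE</SHORT-NAME>'
        f'<ENCRYPT-COMPRESS-METHOD TYPE="A_BYTEFIELD">{method}</ENCRYPT-COMPRESS-METHOD>'
        f'<DATA>{payload.hex().upper()}</DATA>'
        '</FLASHDATA></FLASHDATAS></MEM></ECU-MEM></ECU-MEMS></FLASH></ODX>'
    )

def extract_flashdata(odx_xml: str):
    """Return [(short_name, encrypt_compress_method, payload)] for every FLASHDATA.

    The method string is only the identifier the tester later puts into the
    RequestDownload dataFormatIdentifier; it says nothing about the cipher.
    """
    root = ET.fromstring(odx_xml)
    blocks = []
    for fd in root.iter("FLASHDATA"):
        name = fd.findtext("SHORT-NAME", default="?")
        method = (fd.findtext("ENCRYPT-COMPRESS-METHOD") or "").strip()
        hexdata = "".join((fd.findtext("DATA") or "").split())
        blocks.append((name, method, bytes.fromhex(hexdata)))
    return blocks

# ---- statistics -----------------------------------------------------------

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 means encrypted or compressed, well below means structure."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def index_of_coincidence(column: bytes) -> float:
    n = len(column)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(column).values()) / (n * (n - 1))

def guess_key_length(ct: bytes, max_len: int = 16) -> int:
    """Repeating-key XOR preserves per-position byte statistics, so the true
    period (and its multiples) gives the highest mean index of coincidence."""
    scores = {L: sum(index_of_coincidence(ct[i::L]) for i in range(L)) / L
              for L in range(1, max_len + 1)}
    best = max(scores.values())
    return min(L for L, s in scores.items() if s >= 0.9 * best)   # shortest period near the max

def xor_with_key(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_xor_key(ct: bytes, pad_byte: int = 0xFF, max_len: int = 16) -> bytes:
    """Assume the most frequent byte at each key position is erased-flash
    padding (0xFF); compression or a real cipher breaks that assumption."""
    L = guess_key_length(ct, max_len)
    return bytes(Counter(ct[i::L]).most_common(1)[0][0] ^ pad_byte for i in range(L))

# ---- demo -----------------------------------------------------------------

SAMPLE_KEY = b"\x5a\xc3\x3e\x81"   # constructed, not any real ECU key

def sample_firmware() -> bytes:
    """Constructed stand-in: 1 KiB of varied code bytes, then 3 KiB of 0xFF padding."""
    code = bytes((i * 73 + (i >> 3)) & 0xFF for i in range(1024))
    return code + b"\xff" * 3072

def demo() -> dict:
    odx = build_sample_odx(xor_with_key(sample_firmware(), SAMPLE_KEY))
    name, method, payload = extract_flashdata(odx)[0]
    key = recover_xor_key(payload)
    plain = xor_with_key(payload, key)
    return {"name": name, "method": method, "size": len(payload), "key": key,
            "entropy_ct": shannon_entropy(payload), "entropy_pt": shannon_entropy(plain),
            "plain": plain, "recovered_ok": plain == sample_firmware()}

if __name__ == "__main__":
    result = demo()
    with open("dataBinary.bin", "wb") as f:      # the file you would open in Ghidra
        f.write(result.pop("plain"))
    print(result)
```

Run it and compare the two entropy figures: the XOR layer spreads the padding byte over four values and raises the ciphertext entropy, and the recovered key collapses it back. Against a 1A payload from a real Virtual Cockpit the key-length scores stay flat and no column has a dominant byte, which is how you tell that something stronger than XOR (or compression) is in the way.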

OneB1t commented on May 24, 2024

I think there is a NAND flash 29F4G08ABADA inside the cluster. Today I split it open; this is how it looks (photo omitted).

Does it make sense to try to read/write it directly? Or will there be some other catch? :-/

bri3d commented on May 24, 2024

Odds of the NAND being encrypted are pretty low, I think. Dumping it would definitely be a great start.

OneB1t commented on May 24, 2024

OK,
is it better to unsolder it and use some NAND flash reader, or has somebody managed to wire this "onboard"?

I'm thinking something like one spare chip to mess with and this programmer:
https://www.aliexpress.com/item/1005001633255146.html

When I manage to dump it, is it possible to run it inside QEMU somehow to mess with it in real time?

It looked to me that it runs an OS kind of similar to what is running on the MIB2/MIB2.5 platform :-)

What tools should I obtain for this job?
  • hot air gun
  • some masking tape
  • tweezers
  • TSOP48 flasher
  • flux (what type is best in order to put it back? :-D)

Something else important?

Also, when ODIS is flashing firmware, is there some part where I can sniff for the unpacked raw binary (maybe after the CAN->serial converter), or is it decrypted on the cluster itself?

EDIT: or is there some sort of "NAND emulator" I can use as a replacement for that chip? So I can flash it via USB and keep it "onboard"?

EDIT2: what is the purpose of the 8-pin "debugging interface" which is accessible on the back side of the cluster?

bri3d commented on May 24, 2024

Reading TSOP flash chips is pretty standard. Your list is fine to start, although to put it back you probably want solder paste instead of just flux.

For solder/desolder you could also use ChipQuik instead of hot air if you want. Or, look into a TSOP clip like 360clip.

> Also, when ODIS is flashing firmware, is there some part where I can sniff for the unpacked raw binary (maybe after the CAN->serial converter), or is it decrypted on the cluster itself?

No, the encryption/decryption is done in the cluster itself; this is the fundamental protection method in most newer control modules. ODIS just reads the ODX and does what it says; the encryption and compression is performed in the control module.

> EDIT2: what is the purpose of the 8-pin "debugging interface" which is accessible on the back side of the cluster?

With respect to both the debug interface and QEMU: maybe, but you'll need to figure out what the CPU is (V850?) and go from there.

OneB1t commented on May 24, 2024

I think that the CPU is a V850Ev2 (D70F3539A).

That 360-Clip looks promising :-) I will try to use it, as it can make the process much faster in case I need to flash a backup.

EDIT: there are actually 2 V850 devices

  1. D70F3526 -> probably used for CAN communication and mileage and CP handling
  2. D70F3539A -> handling display

So my question is how these 2 devices communicate: is there some UART between them, or is it something more advanced?

I would expect that I can probably hijack the communication between them in order to deal with the CP issue (it will probably still throw an error on CAN, but who cares :-D) and also maybe modify the mileage.

This topology was probably used because VW already had everything for the D70F3526 and they did not want to reimplement it again for the D70F3539A.

That is also probably the reason why the ODIS flash is so slow, as it goes through the D70F3526 and then into the D70F3539A, and it is much faster when it's flashed from the MIB unit, as then it goes directly to the D70F3539A NAND via the MOST connection.

OneB1t commented on May 24, 2024

OK, so I managed to dump that NAND flash, but it does not look very useful, as there are no strings which I can use to make navigation in Ghidra easier.

Is there some working tutorial I can use to run it in QEMU, for example?

markis90210 commented on May 24, 2024

Hello. Has anyone successfully flashed a virtual cockpit via MIB2?

OneB1t commented on May 24, 2024

There is update firmware for the infotainment SD card on MIB Solution https://mibsolution.one/

Also, what is the cheapest way to obtain an "MQB test rig"?

markis90210 commented on May 24, 2024

> There is update firmware for the infotainment SD card on MIB Solution https://mibsolution.one/
>
> Also, what is the cheapest way to obtain an "MQB test rig"?

Make it. A few wires, connectors, a gateway, a few displays (depends on the unit), and a few keyboards. Also a USB port.
EDIT. Or better, buy it.
€ 85,01 6% Off | For VW SKODA SEAT MQB Audi A3 8V CAR MIB 2 PRO Display Screen Radio Unit Test Code Tools
https://a.aliexpress.com/_mMZyA66

OneB1t commented on May 24, 2024

But this is probably not enough, as it will also require a working key + immo in order to flash firmware into the cluster, right?

To just wake the cluster up I can probably use just an Arduino + CAN shield.

But I'm interested in a "minimum viable rig" to flash a VC on the bench.

markis90210 commented on May 24, 2024

> But this is probably not enough, as it will also require a working key + immo in order to flash firmware into the cluster, right?
>
> To just wake the cluster up I can probably use just an Arduino + CAN shield.
>
> But I'm interested in a "minimum viable rig" to flash a VC on the bench.

Can we communicate via messages? Skype, WhatsApp, Viber, Telegram?

markis90210 commented on May 24, 2024

Sure we can. Check xda-devs ;-)
Will write to you on Skype :)

heeyroen752 commented on May 24, 2024

Did you already have some progress with cross-flashing the virtual cockpit? I am a mechanical engineer and want to learn this kind of interesting programming, especially because I do many "programmings" (ODIS) in these VAG cars. I heard about modified/patched firmwares for the virtual cockpits which are being used to cross-flash / CP off etc.


OneB1t commented on May 24, 2024

Unfortunately there is not much research going on for these devices. Mine is still waiting on the desk for more public information :-)


OneB1t commented on May 24, 2024

I can read that NAND flash, but it is either encrypted or something weird is going on there. Without some internal knowledge this will be a tough challenge.
It's interesting that some company is able to mess with the odometer now; maybe there is still hope :-)

heeyroen752 commented on May 24, 2024

So what I know is that the data for mileage, sport layout, CP and some others are locked if the dash is over 100 km. This data is being unlocked in 2 ways: 1, by unlocking the flash, and second, by your hacked firmware. The same way they hack the MIB2 system. I even read that some people have this solution by just sending CAN commands. I found some kind of patched firmware but have not used it yet, as I don't know what the background/information is and what it does.

OneB1t commented on May 24, 2024

Can you share this hacked firmware? ODX files are encrypted and probably signed, but maybe we can see what they did in order to get around these limitations :-)

https://www.youtube.com/watch?v=k25l225FfBo

It must be clever to use a ramdisk to not "break" the internal storage, but I think it can be achieved.


heeyroen752 commented on May 24, 2024

Yes, of course I can share it. How can I share it with you? Do you have Telegram or something? The file is not ODX. It is updated via SD through MIB2 (MOST).

OneB1t commented on May 24, 2024

Maybe upload it to MIB Solution? ;) https://mibsolution.one/
There are multiple firmware updates for MOST at https://mibsolution.one/#/1/9/VC-AID%20Updates so if you have some modified one, maybe we can compare them :-)

heeyroen752 commented on May 24, 2024

OK, I will try this afternoon. The only thing is, I don't think everyone in the mibsolution admin group will be pleased. Some want solutions not to be public, as you can also see in their Telegram group.

heeyroen752 commented on May 24, 2024

https://drive.google.com/file/d/1SN4dpzfOhfeUcmpOY3xjDinIQkIeHk3h/view

OneB1t commented on May 24, 2024

Do you also have an unmodified version of this "update"?

heeyroen752 commented on May 24, 2024

Unfortunately not; I will check if I can find it.

OneB1t commented on May 24, 2024

This looks like an update for an AUDI cluster. I'm not sure if that is also applicable to VW/SKODA clusters, as there are some files for the NVIDIA processor, which I believe is not used inside 5NA920790B or similar.

heeyroen752 commented on May 24, 2024

Yes, it is for an A4 B9.

qnxvag commented on May 24, 2024

A few notes based on my experience with Gen1 VC units, i.e. TT and Q7 4M0 (I didn't get past accessing KSS):

  1. KSS = Atlas chip MB9DF125 (this is a specific chip designed for the automotive industry for VC. It has a secure internal 48KB EEFlash in it. Mileage and other "special stuff" are stored here). @markis90210 - which chip did they desolder? MB9DF125?
     GSS = Nvidia board running QNX. It talks to KSS via the KSS driver.
  2. Current JTAG attempts to access KSS have failed (that I am aware of). If JTAG was possible then
  3. NAND is just the storage for the Nvidia QNX board. So it contains boot partition information and QNX partitions etc.
  4. If you flash the NAND from another "version" you can kill the VC, as there is a "version check" between the KSS and GSS during bootup. They need to match the versions in the update media...

Hopefully this information helps.

OneB1t commented on May 24, 2024

Is there a way to obtain a console? There are some root passwords for this Gen1 VC https://mibwiki.one/doc/mmx-root-passwords-Ksdm2xg8md

qnxvag commented on May 24, 2024

Yes, supposedly... there is a 10-pin 0.5mm pitch ZIF connector with no ZIF cable connected to it. You need to open up the VC unit to access it. Some development units had the air grille on the back with some grilles removed so a cable could be run from the connector to a bench setup.... You need to figure out the pins for TTL and USB. 115200... etc. etc.


OneB1t commented on May 24, 2024

This is how the full PCB looks (photos omitted); any idea where to start searching for the console?


heeyroen752 commented on May 24, 2024

This is what I have (image omitted).

qnxvag commented on May 24, 2024

Yep, Gen1 pinouts from what I know... Gen2 is obviously a different beast.

heeyroen752 commented on May 24, 2024

I can also help by offering a cockpit which I have myself to test some things if needed. I could connect it to see if I can gain access. Should I buy a Segger J-Link? I'd really like to learn more about this kind of programming and understand more about PCBs etc.

heeyroen752 commented on May 24, 2024

By the way, people are doing this without opening the cluster. The solution they have is flashing the unit via MIB2 (MOST). It seems they used patched flash files which unlock the secured area for the special stuff (mileage, sport layout, wheel circumference etc.).

kurchan commented on May 24, 2024

Hello everyone. Today I received a panel from an Audi Q8 (Virtual) on which they reset my mileage to 0! There was nothing soldered in the panel. Question??? Where can I get patched firmware???

heeyroen752 commented on May 24, 2024

Unfortunately not a public solution. There seems to be a possibility without even using a firmware update. They use UDS commands to unlock the locked adaptation values. I wish I could have this information as well :)

arthurdurlesteau commented on May 24, 2024

Hello, maybe somebody can help me to remove CP from a virtual cockpit? ODIS doesn't work in my case, but I hear that it is possible to do offline.

bri3d commented on May 24, 2024

VW_Flash issue comments are not a file trading website and not a place to discuss selling solutions.

VW_Flash is a good starting place to understand SA2 authentication, UDS flashing, and basic bootloader structure and exploit development, but once you start getting into individual exploit development, you should find a forum that's better suited than GitHub Issues, and "DM for solution" is not in the spirit or goals of this project.

I will leave most of the comments in this thread up as they represent good research, which I am not opposed to in any way (I think it just needs a better place to happen).

However, I am removing paid / secret solution related comments as they are not in the spirit of this project at all.

Basic UDS reflashing should not be a mystery to anyone at this point: Programming Preconditions, Enter Reflashing/Bootloader Session, SA2 Security Access, Erase, RequestUpload, TransferData, ExitTransfer, Checksum, Repeat, Programming Complete. Everything beyond the basic routines is going to revolve around engineered exploits specific to the code running on an exact control module, not some generic "reflashing secret" that nobody is letting you in on.
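The basic reflashing sequence listed above, as an added example that is neither vw_flash code nor bri3d's: a simulated bootloader on the ECU side and a tester on the other, exchanging raw UDS (ISO 14229-1) request and response bytes for session control, seed/key, erase, RequestDownload, TransferData, RequestTransferExit and a checksum routine. Note that the tester pushes data to the ECU with RequestDownload (0x34); RequestUpload (0x35) is the ECU-to-tester direction that the earlier comment mentions as rarely left enabled. The seed/key transform here is a placeholder and not SA2, the routine identifiers, seed, P2 timing bytes and the 808-byte image are constructed, and the 0x1A passed as dataFormatIdentifier is the ENCRYPT-COMPRESS-METHOD byte from the ODX, which the ECU, not the tester, acts on. When a step is skipped or a block counter is wrong the simulated ECU answers with the negative response codes the standard defines for those conditions.

```python
"""Basic UDS reflash sequence (ISO 14229-1) against a simulated bootloader.

Added example, not vw_flash code.  placeholder_key() stands in for the SA2
seed/key computation and is NOT the real algorithm; the routine identifiers,
seed, timing bytes and sample image are constructed values.
"""
import struct
import zlib

ROUTINE_ERASE = 0xFF00       # assumed routine id: erase memory
ROUTINE_CHECKSUM = 0x0202    # assumed routine id: verify checksum
NRC = {0x11: "serviceNotSupported", 0x24: "requestSequenceError",
       0x33: "securityAccessDenied", 0x35: "invalidKey",
       0x73: "wrongBlockSequenceCounter", 0x7F: "serviceNotSupportedInActiveSession"}


def placeholder_key(seed: bytes) -> bytes:
    """Stand-in for SA2: a fixed XOR, chosen only so the exchange can complete."""
    return bytes(b ^ 0xA5 for b in seed)


class SimBootloader:
    """ECU side: enforces session, unlock, erase and block-counter ordering."""
    MAX_BLOCK = 0x42         # maxNumberOfBlockLength: SID + counter + 64 data bytes

    def __init__(self):
        self.session, self.unlocked, self.erased = 0x01, False, False
        self.seed = b"\x12\x34\x56\x78"        # constructed seed
        self.download, self.counter, self.received = None, 0, bytearray()

    def handle(self, req: bytes) -> bytes:
        sid = req[0]

        def neg(nrc: int) -> bytes:
            return bytes([0x7F, sid, nrc])

        if sid == 0x10:                          # DiagnosticSessionControl
            self.session, self.unlocked = req[1], False
            return bytes([0x50, req[1], 0x00, 0x32, 0x01, 0xF4])
        if self.session != 0x02:                 # everything else needs programmingSession
            return neg(0x7F)
        if sid == 0x27 and req[1] == 0x11:       # SecurityAccess: requestSeed
            return bytes([0x67, 0x11]) + self.seed
        if sid == 0x27 and req[1] == 0x12:       # SecurityAccess: sendKey
            self.unlocked = req[2:] == placeholder_key(self.seed)
            return bytes([0x67, 0x12]) if self.unlocked else neg(0x35)
        if not self.unlocked:
            return neg(0x33)
        if sid == 0x31 and req[2:4] == ROUTINE_ERASE.to_bytes(2, "big"):
            self.erased = True
            return bytes([0x71, 0x01]) + req[2:4] + b"\x00"
        if sid == 0x34:                          # RequestDownload
            if not self.erased:
                return neg(0x24)
            fmt = req[1]                         # dataFormatIdentifier straight from the ODX
            addr, size = struct.unpack(">II", req[3:11])
            self.download, self.counter, self.received = (fmt, addr, size), 1, bytearray()
            return bytes([0x74, 0x20]) + self.MAX_BLOCK.to_bytes(2, "big")
        if sid == 0x36:                          # TransferData
            if self.download is None:
                return neg(0x24)
            if req[1] != self.counter:
                return neg(0x73)
            self.received += req[2:]
            self.counter = (self.counter + 1) & 0xFF
            return bytes([0x76, req[1]])
        if sid == 0x37:                          # RequestTransferExit
            self.download = None
            return b"\x77"
        if sid == 0x31 and req[2:4] == ROUTINE_CHECKSUM.to_bytes(2, "big"):
            ok = zlib.crc32(self.received) == struct.unpack(">I", req[4:8])[0]
            return bytes([0x71, 0x01]) + req[2:4] + (b"\x00" if ok else b"\x01")
        return neg(0x11)


def flash_block(ecu: SimBootloader, addr: int, data: bytes, fmt: int = 0x1A) -> bool:
    """Tester side; fmt is the ENCRYPT-COMPRESS-METHOD byte, the ECU does the decrypting."""
    def ask(req: bytes) -> bytes:
        resp = ecu.handle(req)
        if resp[0] == 0x7F:
            raise RuntimeError(f"SID 0x{req[0]:02X} -> NRC 0x{resp[2]:02X} {NRC.get(resp[2], '')}")
        return resp

    ask(bytes([0x10, 0x02]))                                    # programming session
    seed = ask(bytes([0x27, 0x11]))[2:]                         # request seed
    ask(bytes([0x27, 0x12]) + placeholder_key(seed))            # send key
    ask(bytes([0x31, 0x01]) + ROUTINE_ERASE.to_bytes(2, "big") + struct.pack(">II", addr, len(data)))
    resp = ask(bytes([0x34, fmt, 0x44]) + struct.pack(">II", addr, len(data)))
    lfi = resp[1] >> 4                                          # bytes in maxNumberOfBlockLength
    chunk = int.from_bytes(resp[2:2 + lfi], "big") - 2          # minus SID and counter bytes
    counter = 1
    for off in range(0, len(data), chunk):
        ask(bytes([0x36, counter]) + data[off:off + chunk])
        counter = (counter + 1) & 0xFF
    ask(b"\x37")
    resp = ask(bytes([0x31, 0x01]) + ROUTINE_CHECKSUM.to_bytes(2, "big") + struct.pack(">I", zlib.crc32(data)))
    return resp[-1] == 0x00


def replay(reqs, ecu=None):
    """Feed raw requests in order and return the raw responses, for experiments."""
    ecu = ecu or SimBootloader()
    return [ecu.handle(r) for r in reqs]


SAMPLE_IMAGE = bytes(range(256)) * 3 + b"\xff" * 40     # constructed 808-byte payload

if __name__ == "__main__":
    print("flash ok:", flash_block(SimBootloader(), 0x80040000, SAMPLE_IMAGE))
```

Use replay() to send the steps out of order and watch which NRC comes back: 0x7F before the programming session, 0x33 before the unlock, 0x24 for TransferData without a preceding RequestDownload, 0x73 for a wrong block counter. Those codes, not a hidden command, are the whole of what a stock bootloader tells you; everything past them is the module-specific work the comment above describes.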

OneB1t commented on May 24, 2024

It looks like there will be an Abrites interface which will be able to do mileage correction; looking forward to that.

I never really moved anywhere after the NAND read, and there is very little about the components in the VC, so really not much to build on...

dashcoder13 commented on May 24, 2024

> It looks like there will be an Abrites interface which will be able to do mileage correction; looking forward to that.
>
> I never really moved anywhere after the NAND read, and there is very little about the components in the VC, so really not much to build on...

Hi,

Abrites will not release a programmer for Audi Virtual; it's only for Renesas MCUs, not for Fujitsu.

ranger0909 commented on May 24, 2024

Hello, you must not dream. If you read the ARM chip MB9DF125E the meter dies, the HW blocks; that is why it uses the MIB.

All VAG VC (virtual) is easy; it is not the same as Audi.

OneB1t commented on May 24, 2024

Can you explain more what tools / setup is required for a normal VAG cluster (like 5NA920790B)?

There is only very little info on how to work on these clusters (JTAG, how to wake them up, some datasheets, what is stored where etc.). I have it on the desk, but I just don't know how to continue :-/

dashcoder13 commented on May 24, 2024

Hello

Poldiag Car reads the VW virtual cluster.
I use it to do the job.
https://keymaster.pl/shop/?v=9b7d173b068d

Best Regards

bri3d commented on May 24, 2024

#26 (comment)

Comments relating to private discussions and file trading are not acceptable on this project.

This thread has gone off the rails and I am closing it.
