Anyone thought of building a connected drive server?

[rhodesman]

so I was looking at the /etc/mcd.conf file specifically this:

############################################ 
# path/DVD/CD content detection rules 
[SW_UPDATE] 
Callout = FNAME_MATCH 
Argument = /hbautorun.sh 
Fail Rule = NAVI_UPDATE

and doing some more googling I found this is the "over the counter" way to update the CIC for DVD in motion. However, that's just ONE way to update the CIC SW. This is loading up a ".sh" file so.... I did some more digging and found this on a chinese website (thank got for google translate):

#! / Bin / fesh
echo "- = www.dvdinmotion.com = -"
cp - f / mnt / cd 0 /
.
DVD inMotion _ CIC. / Tmp chmod + x /tmp/.DVDInMotion_CIC./tmp/.DVDInMotion_CIC.
Echo "- ------ DONE ---------

Now, I'm wondering if google F-ed up that #!/Bin/fesh where maybe it should be #!/Bin/ksh ?
Anyways, I wondering if we can push code changes to the CIC by just making a CD with some scripts in it.

Thoughts????

 

[Xer0449]

Also for you and @Xer0449 I have successfully images the flash storage off the CIC. it took a bit of sleuthing and a TON of

You're a beautiful, beautiful man. Thank you

Now, I'm wondering if google F-ed up that #!/Bin/fesh where maybe it should be #!/Bin/ksh ?
Anyways, I wondering if we can push code changes to the CIC by just making a CD with some scripts in it.

Thoughts????

Definitely!
https://bmw.spoolstreet.com/threads...connected-drive-server.1512/page-8#post-12711

I bet whoever wrote and sells the "DVDinMotion" DVD either has read the same documents we have, or done all of the work we're doing and kept it private/for profit. I'm willing to bet that the vendor chose CD over USB to run their script strictly for DRM purposes. I said the same thing to Martial re: MHD iDrive app licensing/DRM.

 

[Xer0449]

Regarding "/bin/fesh"

http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/utilities/f/fesh.html

 

[rhodesman]

The other night I switched out the HDD for that SSD option! It's neat, but not as fast as that other forum thread suggested (IMO at least).

I did however plug in the HDD into my QNX VM and found a couple new files on the drive that were not there before! mainly these core dumps the iDrive system did at some point. Anyway, here are their raw dump data:

# coreinfo vdev-eeprom.core
vdev-eeprom.core:
 processor=SH num_cpus=1
  cpu 1 cpu=271582976 name=SH7785 (SH4A) speed=594
   flags=0xc0000001 FPU MMU
 cyc/sec=53150220288000000 tod_adj=1493934775000000000 nsec=522319477680 inc=999999
 boot=0 epoch=1970 intr=8204
 rate=80808080 scale=-15 load=12375
   HOSTNAME="l6target"
   type(514)="DBG_IF=scif.ffeb0000.57600.49500000.16
DIP=100
"
   MACHINE="HB SH7785"
 pid=16 parent=4 child=0 pgrp=4 sid=1
 flags=0x002200 umask=0 base_addr=0x8040000 init_stack=0x803fde0
 ruid=0 euid=0 suid=0  rgid=0 egid=0 sgid=0
 ign=0000000006800000 queue=ff00000000000000 pending=0000000000000000
 fds=5 threads=4 timers=0 chans=4
 canstub=0 sigstub=0
 thread 2 SIGNALLED-SIGABRT code=0  from pid=16 uid=-1 value=0(0)
  ip=0x70336692 sp=0x7fbee20 stkbase=0x7f9e000 stksize=135168
  state=STOPPED flags=5020000 last_cpu=1 timeout=00000000
  pri=10 realpri=10 policy=RR
# coreinfo vdev-eeprom.1.core
vdev-eeprom.1.core:
 processor=SH num_cpus=1
  cpu 1 cpu=271582976 name=SH7785 (SH4A) speed=594
   flags=0xc0000001 FPU MMU
 cyc/sec=53150220288000000 tod_adj=1493756427000000000 nsec=4743858256137 inc=999999
 boot=0 epoch=1970 intr=8204
 rate=80808080 scale=-15 load=12375
   HOSTNAME="l6target"
   type(514)="DBG_IF=scif.ffeb0000.57600.49500000.16
DIP=100
"
   MACHINE="HB SH7785"
 pid=16 parent=4 child=0 pgrp=4 sid=1
 flags=0x002200 umask=0 base_addr=0x8040000 init_stack=0x803fde0
 ruid=0 euid=0 suid=0  rgid=0 egid=0 sgid=0
 ign=0000000006800000 queue=ff00000000000000 pending=0000000000000000
 fds=5 threads=4 timers=0 chans=4
 canstub=0 sigstub=0
 thread 2 SIGNALLED-SIGABRT code=0  from pid=16 uid=-1 value=0(0)
  ip=0x70336692 sp=0x7fbee20 stkbase=0x7f9e000 stksize=135168
  state=STOPPED flags=5020000 last_cpu=1 timeout=00000000
  pri=10 realpri=10 policy=RR
# coreinfo vdev-tunnelipc.core
vdev-tunnelipc.core:
 processor=SH num_cpus=1
  cpu 1 cpu=271582976 name=SH7785 (SH4A) speed=594
   flags=0xc0000001 FPU MMU
 cyc/sec=53150220288000000 tod_adj=1493934775000000000 nsec=7327136672856 inc=999999
 boot=0 epoch=1970 intr=8204
 rate=80808080 scale=-15 load=12375
   HOSTNAME="l6target"
   type(514)="DBG_IF=scif.ffeb0000.57600.49500000.16
DIP=100
"
   MACHINE="HB SH7785"
 pid=15 parent=4 child=0 pgrp=4 sid=1
 flags=0x002200 umask=0 base_addr=0x8040000 init_stack=0x803fd70
 ruid=0 euid=0 suid=0  rgid=0 egid=0 sgid=0
 ign=0000000006800000 queue=ff00000000000000 pending=0000000000000000
 fds=5 threads=12 timers=0 chans=6
 canstub=0 sigstub=0
 thread 13 SIGNALLED-SIGABRT code=0  from pid=15 uid=-1 value=0(0)
  ip=0x70336692 sp=0x7e32e20 stkbase=0x7e12000 stksize=135168
  state=STOPPED flags=5020000 last_cpu=1 timeout=00000000
  pri=10 realpri=10 policy=RR

Curious if there is anything in there of use, looks like memory dump garbage to be LOL!

One thing of interest is that I googled "l6target" and found a Russian Audi forum who (with the help of google translate) seem to have found ways to do a hard reboot/recovery of the QNX OS on the combox via the serial port located on the combox board. I wasn't sure if there is anything there but I'm having my Russian friend who speaks & reads Russian take a look and see if there is something there that google can't translate.

 

[rhodesman]

FYI:

target:/> uname -a
QNX front 6.3.2 2009/10/30-15:33:18EDT HB_SH7785 shle

 

[rhodesman]

@Xer0449 & @BLACKHAT I'm not sure if you guys are still interested, but I found the source code to the CIC! Granted, it's the source code for the CIC-High (NBT) BUT, at the very least, they are quite similar in their code structures and will probably give you an idea of how the CIC system is coded/works in general. So have fun and download here: https://github.com/edent/BMW-OpenSource

 

[Xer0449]

Life got the best of me :|
This is great. Where the hell do you find this stuff?

@BLACKHAT he literally just asked BMW for the source code claiming it wasn't released until the GPL. I wonder if we could do the same?!

 

[doublespaces]

@Xer0449 & @BLACKHAT I'm not sure if you guys are still interested, but I found the source code to the CIC! Granted, it's the source code for the CIC-High (NBT) BUT, at the very least, they are quite similar in their code structures and will probably give you an idea of how the CIC system is coded/works in general. So have fun and download here: https://github.com/edent/BMW-OpenSource

Oh wow! So I wonder if it could be recompiled with some tweaks?

 

[rhodesman]

Life got the best of me :|
This is great. Where the hell do you find this stuff?

@BLACKHAT he literally just asked BMW for the source code claiming it wasn't released until the GPL. I wonder if we could do the same?!

Me too! Work's a bit*h! I forget how I stumpled onto it but I was trying to search if there was a firmware update to my iDrive and I came across that! I almost lost it!!!

Oh wow! So I wonder if it could be recompiled with some tweaks?

I mean, I don't see what not! Very easy to edit the raw .c files and recompile. Only issue I can see is this is a VERY extensive folder tree of programs and code, it will take a while to figure out what to edit then probably just as long to figure out how to edit it! But I'm not complaining, this will be fun!

 

[doublespaces]

Oh look, Memorial weekend. Who needs boats and water, time to code!

 

[emoRaivis]

Hi Guys,

First post here. This is the only place so far where I've found someone else trying to hack the CIC, so I thought I'd share some of my progress and observations.

So the CIC computer is running QNX operating system (version 6.3.2). The processor on this thing is some weird, hardly known Hitachi SuperH (sh4) - the same one used in Sega Dreamcast. You can download the QNX 6.3.2 SDK from their site, but good luck getting a License - the 30 day eval version they offer is only for version 7.0. With a bit of tinkering I did manage to get the compiler working and successfully compiled a hello world console app and ran it on the CIC. I'm now trying to figure out the graphics library to actually display something on the display. I'm not sure what my goal is yet, but I would like to make it run CarPlay/Android Auto or something like that.

If anyone is good with assembly, you could disassemble and take a look at the two main binaries:
* /usr/Hmi/bin/HmiMain (the main UI and entertainment features)
* /usr/HBproject/CicHighEceUsaSecond (larger binary that I belive is responsible for background services, logic, etc.)

Unfortunately, because the processor is so uncommon, the only usable reverse engineering tool is IDA Pro (which costs a lot of money)

As for the source code on GitHub that was mentioned earlier, it's only the open source parts the BMW uses in their code - it doesn't actually contain any of their proprietary code, so the repository is quite useless.

Btw, does anyone have the dvdinmotion binary file? I would love to take a look at it.

 

[rhodesman]

Welcome @emoRaivis !

Hi Guys,
...
If anyone is good with assembly, you could disassemble and take a look at the two main binaries:
* /usr/Hmi/bin/HmiMain (the main UI and entertainment features)
* /usr/HBproject/CicHighEceUsaSecond (larger binary that I belive is responsible for background services, logic, etc.)

Unfortunately, because the processor is so uncommon, the only usable reverse engineering tool is IDA Pro (which costs a lot of money)

Can you elaborate? I tried to do this last night with

objdump -d

but it did not work and came back with an 'unrecognized file format' error. I was going to try with my VM of QNX 6.4.1 but if you have any further details that would be helpful. (also: if you need a copy of the QNX 6.4.1 VM, juts PM me )

As for the source code on GitHub that was mentioned earlier, it's only the open source parts the BMW uses in their code - it doesn't actually contain any of their proprietary code, so the repository is quite useless.

I was noticing that. I was hoping that in some form or another there was at least settings to show how the system communicates with the world, but alas, I have not found anything to support that.

Btw, does anyone have the dvdinmotion binary file? I would love to take a look at it.

I don't have a full 'copy' of the dvdinmotion binary but if you look back a couple pages I did post the .sh code for it that I found on an asian forum. However, I have coded this via NCSExpert and can help you if you were looking to go that route if needed.

 

[emoRaivis]

Can you elaborate? I tried to do this last night with ... but it did not work and came back with an 'unrecognized file format' error

objdump is architecture specific - you probably ran the x86 objdump against the sh4 binary. Running it with the sh4 version does recognize the binary, but still shows error "no symbols". The only free disassembler with sh4 support that I found was radare2 ( https://github.com/radare/radare2 ), but it's not very good - you get only the raw instructions without proper labels for the jumps, no references, etc. I'm not that good with assembly yet to make use of that output. But it does show you all the strings and symbols in the binary.

 

[Xer0449]

Hi @emoRaivis . I'm amazed you got code to compile and execute. Fantastic!

I'd love to try and run it on my own box car

@rhodesman How do you feel about a password protected wiki (or similar) where we can post 'private' findings/documents we've been coming across?

 

[doublespaces]

Hi @emoRaivis . I'm amazed you got code to compile and execute. Fantastic!

I'd love to try and run it on my own box car

@rhodesman How do you feel about a password protected wiki (or similar) where we can post 'private' findings/documents we've been coming across?

I can make a secret section for you guys if that helps. LMK.

 

[emoRaivis]

So I've managed to connect to the graphics driver and actually draw an image on the screen. It's very slow and works only 10% of the time at the moment - a lot more research needed. But what's interesting is that it's possible to inject graphics to existing layers. So it's possible to, for example, replace just the navigation.

P.S. It's just an image I used for testing - it's not actually running Windows 95

 

[doublespaces]

Oh wow that is awesome. I wonder if you could inject something from an external source.

 

[rhodesman]

I can make a secret section for you guys if that helps. LMK.

I think that would be super helpful! I was going to build a wiki myself but I just haven't had any time to put towards it plus I tried to code my DSC last night to update it and now have a Christmas tree of lights in my gauge cluster and a whole page of errors showing on my iDrive So my not so existent free time just got a whole lot less!

 

[doublespaces]

I think that would be super helpful! I was going to build a wiki myself but I just haven't had any time to put towards it plus I tried to code my DSC last night to update it and now have a Christmas tree of lights in my gauge cluster and a whole page of errors showing on my iDrive So my not so existent free time just got a whole lot less!

Under the BMW General section there is now a new section at the top called BMW Technical. I've given the active users of this thread privileges to view that section, it is not visible to anyone else without explicit permission and is excluded from the sitemap and indexing.

 

[Xer0449]

omg beautiful. Thanks so much, @doublespaces

@rhodesman let's make a sticky with the docs we've been sharing back and forth in PM. I'll also get some stuff onto the sticky that I felt shouldn't be so public.