Anyone thought of building a connected drive server?

BLACKHAT

Lurker
Mar 4, 2017
Ride
335
Like all German engineering, it's overly complicated :p
Slowly working through it, some findings below.

libCoreFramework.A.so - Contains all the basic application functions, like opening and closing sockets, date time, file interactions, string encodings etc. Open in IDA pro as an ELF file.
[Attachment: libCoreFramework.PNG]

Pretty sure the GSM modem is on a serial interface @ /dev/ser_hb1
CIC-hdd\etc\ppp\options contains commented out variables that would help capture the data. If I'm right, this may negate the need for MITM; hopefully it logs everything instead of just the ppp commands.
Code:
# debug
# logfile /mnt/hbuser/pppd.log
# record /tmp/pppdrecord.log
# kdebug 4
# logfile /tmp/pppd.log


Has a driver for a dual port Ethernet module.

Database format should be sqlite. File is empty: CIC-hdd\dev\qdb\mme

bmw_l6.*rd - files are interesting, hard to find much history on the company that wrote them, their website is down. This is all I could find http://www.lt-world.org/kb/ipr-and-products/products/obj_90089

[Attachments: l6ard.PNG, l6brd.PNG]

I notice that a lot of the files are empty. Could it be a permissions/symlink issue when copying?
 

rhodesman

Corporal
Mar 21, 2017
Maryland
rhodesman.com
Ride
2010 BMW E88 N54 135i
Database format should be sqlite. File is empty: CIC-hdd\dev\qdb\mme

Check your PM, I removed a folder due to possible personal information about myself that the CIC had (i.e. gps coords to my house, kids school, address book, etc.). I have the MME file if you want it, just PM me ;) This is what happens when someone calls you when you're in the middle of doing something! ;P

bmw_l6.*rd - files are interesting, hard to find much history on the company that wrote them, their website is down. This is all I could find http://www.lt-world.org/kb/ipr-and-products/products/obj_90089

I notice that a lot of the files are empty. Could it be a permissions/symlink issue when copying?

OUTSTANDING work! holy crap! Do you have any ideas on how I can copy/view the files? My car is live on my home network when I connect it so I'm wondering if there is something I can use to read the data of these files without copying them straight from my car's CIC HDD?
 

doublespaces

Administrator
Oct 18, 2016
AZ
Ride
2009 E93 335i
Check your PM, I removed a folder due to possible personal information about myself that the CIC had (i.e. gps coords to my house, kids school, address book, etc.). I have the MME file if you want it, just PM me ;) This is what happens when someone calls you when you're in the middle of doing something! ;P



OUTSTANDING work! holy crap! Do you have any ideas on how I can copy/view the files? My car is live on my home network when I connect it so I'm wondering if there is something I can use to read the data of these files without copying them straight from my car's CIC HDD?

I'm not sure if QNX supports it, but one of the commands I gave above should work on linux. Symlinks are basically just files, so he might be right.
 

rhodesman

Corporal
Mar 21, 2017
Maryland
rhodesman.com
Ride
2010 BMW E88 N54 135i
I'm not sure if QNX supports it, but one of the commands I gave above should work on linux. Symlinks are basically just files, so he might be right.
Right, what I meant is that the actual file that symlink goes to, I have not shared with the world due to possible sensitive data in it. But I will share it privately, just not publicly.
 

Xer0449

Corporal
Jan 30, 2017
Should we set up a private wiki to share findings? There's a lot of PMs going back and forth with either PII or other data points BMW may not be so thrilled about, and findings are all over the place. The last thing this community needs is a 100+ page thread :p
 

Xer0449

Corporal
Jan 30, 2017
@rhodesman you were able to resolve and ping google from the CiC. Any chance you can disconnect your home router from the WAN and try again? I want to see if the car still has some sort of live connection.
 

Xer0449

Corporal
Jan 30, 2017
I've asked the developer of JB4 mobile if he's willing to try porting the binaries to QNX6.3. I'll probably get told to kick rocks, but worth a try. I bet it's something the community would like, at least.
 

rhodesman

Corporal
Mar 21, 2017
Maryland
rhodesman.com
Ride
2010 BMW E88 N54 135i
@Xer0449 I saw that! What's funny is I actually PMed him last week with virtually the same question. He has not responded to me yet :/

In other news: I went to open the MME file with SQLite and was presented with this:
[Attachment: VpayaBF.jpg]
 

Xer0449

Corporal
Jan 30, 2017
All these .sql files open just fine in any text editor. No need to use a sql browser.
Pasting some stuff I found interesting/pertinent to the conversation:

Code:
-- ===============================================================================
--      Device Monitoring
-- ===============================================================================
INSERT INTO slots(path,zoneid, name, slottype, max_lib_entries)    VALUES('/fs/cd0',                                 1, 'CD/DVD',       2, 5000);                     
INSERT INTO slots(path,zoneid, name, slottype, max_lib_entries)    VALUES('/mnt/hbmedia/entertainmentserver/',       1, 'HardDrive',    3, 0);
INSERT INTO slots(path,zoneid, name, slottype, max_lib_entries)    VALUES('/mnt/hbdata/IBA',                         1, 'IBA',          3, 0);
INSERT INTO slots(path,zoneid, name, slottype, max_lib_entries)    VALUES('/fs/usb0',                                1, 'USB',          1, 5000);
INSERT INTO slots(path,zoneid, name, slottype, max_lib_entries)    VALUES('/fs/usb1',                                1, 'USB',          1, 5000);
INSERT INTO slots(path,zoneid, name, slottype, max_lib_entries)    VALUES('/fs/ipod0',                               1, 'iPod',         4, 0);
INSERT INTO slots(path,zoneid, name, slottype, max_lib_entries)    VALUES('/fs/pfs0',                                1, 'PlaysForSure', 4, 0);
INSERT INTO slots(path,zoneid, name, slottype, max_lib_entries)    VALUES('/dev/wms/player1',                        1, 'Bluetooth',    9, 0);
INSERT INTO slots(path,zoneid, name, slottype, max_lib_entries)    VALUES('/dev/vdev-mpegts',                        1, 'DMB-Radio',    12,0);

-- *******************************************************************************
-- *******************************************************************************
--                       @table OUTPUTDEVICES
--  
-- The <fname>outputdevices</fname> table lists known output devices. Output 
-- devices define where media can be sent.  An output device could be a GF layer, an 
-- <fname>io-audio</fname> PCM name, a Bluetooth headset, etc.
--
--  @field outputdeviceid The ID of the output device.
--  @field type The type of device, as defined by the enumerated type
--  <dtype>mme_outputtype_t</dtype> values: <const>OUTPUTTYPE_*</const>.
--  @field available The availability of the output device. Set to 1 for available.
--  @field permanent The device permanency. Set to 1 to make the device permanent 
-- and forbid its removal.
--  @field name The name of the device.  This name can be shared with end users.
--  @field devicepath The location of the output device, used to connect to the 
--  output device. This path is not shared with end users.
-- *******************************************************************************
-- *******************************************************************************
CREATE TABLE outputdevices (
outputdeviceid  INTEGER PRIMARY KEY AUTOINCREMENT,
type            INTEGER DEFAULT 0 NOT NULL,
available       INTEGER DEFAULT 1 NOT NULL,
permanent       INTEGER NOT NULL,
name            TEXT NOT NULL UNIQUE,
devicepath      TEXT NOT NULL UNIQUE
);

-- *******************************************************************************
-- *******************************************************************************
--                       @table SLOTS
--  The <fname>slots</fname> table lists the slots known to the MME. Slots define the 
--  physical locations where the MME looks for new mediastores.  The default setup
--  assumes two USB mass storage devices, one CD/DVD drive, and the hard drive.
--  You may wish to customize where the location of the hard drive. In addition, if 
--  you add control contexts and they have their own slots, you must add them to 
--  this table. Note that the local control context's hard drive must be the first 
--  entry in the table, with <var>msid</var> = 1.
--  
--  @field slotid           The ID for the slot.
--  @field active           Indicates whether the slot is active (available), or
-- unavailable:
--                           * 1 = active
--  @field msid             The ID of the mediastore associated with this slot.
--  @field slottype         The type of slot.  These correspond to the 
-- <const>MME_SLOTTYPE_*</const> types defined in <fname sh>mme/interface.h</fname>:
-- * 0 = standard
-- * 1 = USB
-- * 2 = CD/DVD 
-- * 3 = harddrive
-- * 4 = media file system (<cmd>io-fs</cmd>)
--  @field zoneid           The ID of the zone associated with this slot.
--  @field max_lib_entries  The maximum number of library table entries an
--                          active media store in this slot is permitted to use.
--                          A value of 0 means there is no limit enforced.
--  @delete_at_start        If non-zero, mediastores that were listed as active
--                          at shutdown in this slot are deleted instead of
--                          being set to unvavailable.
--  @field path             The filesystem path to this slot.
--  @field name             The slot name. This name is used as the default for mediastores 
--                          without names.
-- *******************************************************************************
-- *******************************************************************************
CREATE TABLE slots (
      slotid           INTEGER PRIMARY KEY AUTOINCREMENT,
      active           INTEGER DEFAULT 0 NOT NULL,
      msid             INTEGER DEFAULT 0 NOT NULL REFERENCES mediastores,
      multimsid        INTEGER DEFAULT 0 NOT NULL,
      slottype         INTEGER DEFAULT 0 NOT NULL,
      zoneid           INTEGER NOT NULL REFERENCES zones,
      max_lib_entries  INTEGER DEFAULT 0 NOT NULL,
      delete_at_start  INTEGER DEFAULT 0 NOT NULL,
      path             TEXT NOT NULL,
      name             TEXT DEFAULT NULL
      );
 
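As an added example (not the thread's or BMW's code), the following loads the slots DDL and seed rows quoted above into an in-memory SQLite database and checks each slottype against the five codes the schema comment documents; DOCUMENTED_SLOTTYPES is built from that comment, and the mediastores/zones parent tables are assumed absent.

```python
import sqlite3

# DDL and seed rows copied from the MME .sql file quoted above. The REFERENCES targets
# (mediastores, zones) are not loaded; sqlite3 leaves foreign keys off by default, so that is fine.
MME_SLOTS_SQL = """
CREATE TABLE slots (
      slotid           INTEGER PRIMARY KEY AUTOINCREMENT,
      active           INTEGER DEFAULT 0 NOT NULL,
      msid             INTEGER DEFAULT 0 NOT NULL REFERENCES mediastores,
      multimsid        INTEGER DEFAULT 0 NOT NULL,
      slottype         INTEGER DEFAULT 0 NOT NULL,
      zoneid           INTEGER NOT NULL REFERENCES zones,
      max_lib_entries  INTEGER DEFAULT 0 NOT NULL,
      delete_at_start  INTEGER DEFAULT 0 NOT NULL,
      path             TEXT NOT NULL,
      name             TEXT DEFAULT NULL
);
INSERT INTO slots(path,zoneid,name,slottype,max_lib_entries) VALUES('/fs/cd0',1,'CD/DVD',2,5000);
INSERT INTO slots(path,zoneid,name,slottype,max_lib_entries) VALUES('/mnt/hbmedia/entertainmentserver/',1,'HardDrive',3,0);
INSERT INTO slots(path,zoneid,name,slottype,max_lib_entries) VALUES('/mnt/hbdata/IBA',1,'IBA',3,0);
INSERT INTO slots(path,zoneid,name,slottype,max_lib_entries) VALUES('/fs/usb0',1,'USB',1,5000);
INSERT INTO slots(path,zoneid,name,slottype,max_lib_entries) VALUES('/fs/usb1',1,'USB',1,5000);
INSERT INTO slots(path,zoneid,name,slottype,max_lib_entries) VALUES('/fs/ipod0',1,'iPod',4,0);
INSERT INTO slots(path,zoneid,name,slottype,max_lib_entries) VALUES('/fs/pfs0',1,'PlaysForSure',4,0);
INSERT INTO slots(path,zoneid,name,slottype,max_lib_entries) VALUES('/dev/wms/player1',1,'Bluetooth',9,0);
INSERT INTO slots(path,zoneid,name,slottype,max_lib_entries) VALUES('/dev/vdev-mpegts',1,'DMB-Radio',12,0);
"""

# Slot type codes the schema comment documents (MME_SLOTTYPE_* in mme/interface.h).
DOCUMENTED_SLOTTYPES = {0: "standard", 1: "USB", 2: "CD/DVD", 3: "harddrive", 4: "media file system (io-fs)"}

def load_slots(sql=MME_SLOTS_SQL):
    """Execute the schema and seed rows in a fresh in-memory database."""
    con = sqlite3.connect(":memory:")
    con.executescript(sql)
    return con

def slot_report(con):
    """One dict per slot: slottype code, documented name (None if undocumented), /dev path flag, unbounded cap flag."""
    rows = con.execute("SELECT slotid, name, path, slottype, max_lib_entries "
                       "FROM slots ORDER BY slotid").fetchall()
    return [{"slotid": sid, "name": name, "path": path, "slottype": st,
             "documented": DOCUMENTED_SLOTTYPES.get(st),
             "device_node": path.startswith("/dev/"),
             "unbounded": cap == 0}          # 0 = no limit enforced, per the schema comment
            for sid, name, path, st, cap in rows]

def undocumented_slottypes(con):
    """Slot type codes used by the seed rows but absent from the documented list."""
    return sorted({r["slottype"] for r in slot_report(con) if r["documented"] is None})

if __name__ == "__main__":
    db = load_slots()
    print("undocumented slottype codes:", undocumented_slottypes(db))
```

The Bluetooth and DMB-Radio rows use codes 9 and 12, which the comment block above never lists, so the documented MME_SLOTTYPE_* values are not the whole story for this build.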

BLACKHAT

Lurker
Mar 4, 2017
Ride
335
^^ Nice find.

Doing a search of the github repository for "filename:.sh" gives me a good idea of how it all ties together.

Looking through the .sh files they don't provide a password to the qdbc client, maybe it's encased in the ODBC wrapper QDBC. See CIC-hdd/net/front/etc/mmelauncher_upgrade_mme_0.sh

You should be able to connect with the command "qdbc -d /path/to/mme" which should drop you into an SQL command shell.

Network Init

Also interesting is: CIC-hdd/EFS_RO/startl6sss.sh
Do these sound like they could have something to do with connected drive? "HostAgent AliveService MonitorService "
Seems like I'm back to the bmw_l6 files as the core app.

Also note the two different copy commands, and all running config, logs etc seem to get written to a persistent "memory" @ /dev/shmem

Code:
cp /etc/bmw_l6_sse_vr.bsd /dev/shmem/bmw_l6_sse_vr.bsd
qkcp /etc/bmw_l6.ard /dev/shmem
qkcp /etc/bmw_l6.brd /dev/shmem

if [[ -e /dev/shmem/lang.txt ]]; then
   cat /etc/default.cfg /dev/shmem/lang.txt > /dev/shmem/default.cfg
   /usr/bin/scp -f /dev/shmem/default.cfg -s sss_config -c HostAgent AliveService MonitorService SpellmatcherService SCFService AudioMatrixService RecognitionService PrompterService SAIPService SAOPService RmssService TNService -k VerboseLevel=2 >/dev/null &
else
   /usr/bin/scp -f /etc/default.cfg -s sss_config -c HostAgent AliveService MonitorService SpellmatcherService SCFService AudioMatrixService RecognitionService PrompterService SAIPService SAOPService RmssService TNService -k VerboseLevel=2 >/dev/null &
fi
exit 0
 

BLACKHAT

Lurker
Mar 4, 2017
Ride
335
For the VM I'm using ftp, you may need to enable/allow root

Code:
vi /etc/ftpusers

root allow
 

BLACKHAT

Lurker
Mar 4, 2017
Ride
335
Sooooooo.... tcpdump is part of the standard QNX distro. Is it in the BMW distro? If not, I'll send you the binary from the VM.

A straight tcpdump command will output just the basics to the console

Below should generate a wireshark compatible dump with all packets and data. Change the path to your hard drive otherwise the internal drive may fill up.

Code:
tcpdump -s 0 -w /path/to/your/harddrive/bmw.pcap

[Attachment: Capture.JPG]
 

rhodesman

Corporal
Mar 21, 2017
Maryland
rhodesman.com
Ride
2010 BMW E88 N54 135i
I am giddy with excitement to plug into my car tonight!!! I apologize to you guys for dropping off the past couple days. Work/life got crazy and I spent two days without sleep, but I'm back at it tonight and will take this info to see what my car outputs!
 

rhodesman

Corporal
Mar 21, 2017
Maryland
rhodesman.com
Ride
2010 BMW E88 N54 135i
@rhodesman you were able to resolve and ping google from the CiC. Any chance you can disconnect your home router from the WAN and try again? I want to see if the car still has some sort of live connection.
I missed this! Again, yesterday was a total haze for me. I'll try tonight, I can block my car's IP from getting access to the outside world and segregate it to a private network. I'll try this tonight on top of all these other insights you guys have found.
 

Xer0449

Corporal
Jan 30, 2017
tcpdump doesn't appear to be in the CIC-HDD dump. He'll probably need the binary.

@rhodesman no worries, we all have our lives going on and put in time when we can.

I thought this was really interesting...
QNX interprocess communication consists of sending a message from one process to another and waiting for a reply. This is a single operation, called MsgSend. The message is copied, by the kernel,[citation needed] from the address space of the sending process to that of the receiving process. If the receiving process is waiting for the message, control of the CPU is transferred at the same time, without a pass through the CPU scheduler. Thus, sending a message to another process and waiting for a reply does not result in "losing one's turn" for the CPU. This tight integration between message passing and CPU scheduling is one of the key mechanisms that makes QNX message passing broadly usable. Most Unix and Linux interprocess communication mechanisms lack this tight integration, although a user space implementation of QNX-type messaging for Linux does exist. Mishandling of this subtle issue is a primary reason for the disappointing performance of some other microkernel systems such as early versions of Mach.[citation needed]
All I/O operations, file system operations, and network operations were meant to work through this mechanism, and the data transferred was copied during message passing. Later versions of QNX reduce the number of separate processes and integrate the network stack and other function blocks into single applications for performance reasons.
Message handling is prioritized by thread priority. Since I/O requests are performed using message passing, high priority threads receive I/O service before low priority threads, an essential feature in a hard real-time system.
The boot loader is the other key component of the minimal microkernel system. Because user programs can be built into the boot image, the set of device drivers and support libraries needed for startup need not be, and are not, in the kernel. Even such functions as program loading are not in the kernel, but instead are in shared user-space libraries loaded as part of the boot image. It is possible to put an entire boot image into ROM, which is used for diskless embedded systems.

Is QNX basically a "hypervisor" loading BMW's application as a "module" during the boot process? I feel like we (or at least, I) don't understand entirely what we're looking at from a high level. I'm still unsure where/when QNX finishes booting and when the BMW application is loaded.

Also, @BLACKHAT : feel like volunteering your CiC hdd for some quick dd action?

EDIT: It actually doesn't look that hard to get to. http://www.bimmerfest.com/forums/showthread.php?t=841458
 

rhodesman

Corporal
Mar 21, 2017
Maryland
rhodesman.com
Ride
2010 BMW E88 N54 135i
I just got the ATA -> USB adaptor, I might just try to copy off my HDD myself (and upgrade to a SSD if I can get one). Maybe then I can try to boot the HDD copy inside the QNX VM?? Would that even work!?

Wow, it looks like the only thing between me and the CIC HDD are some retention clips! Don't even need a screwdriver! LOL, gotta love the 1-series.
 

Xer0449

Corporal
Jan 30, 2017
I just got the ATA -> USB adaptor, I might just try to copy off my HDD myself (and upgrade to a SSD if I can get one). Maybe then I can try to boot the HDD copy inside the QNX VM?? Would that even work!?

I hope so!
It will probably freak out looking for physical devices that don't exist, but we should be able to get something from it for sure. Definitely would make a better dev environment than what we have currently. I hope it doesn't end up being 80gig (it probably will).

Plug it into your adapter and into your machine, but do not mount the device! Find what device it is /dev/xxx/, and create a disk image from it like so:
Code:
dd if=/dev/device_of_cic of=/path/to/other/drive/cic.img bs=32M

It's going to take awhile...

LPT: It should be easy to ID the device by running dmesg shortly after plugging it in.

Also, this made me chuckle:
Code:
-k VerboseLevel=2 >/dev/null
I've seen a bunch of these scripts redirect stdin/out/err to /dev/console either directly, or by way of $logger. I just thought that was interesting.
 
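An added example (not from the thread) that wraps the dd step above in a function which hashes the unmounted source and the image afterwards, so the copy is known-good before the original drive is handled again; it assumes GNU dd and sha256sum, and the demo helper stands in for a real /dev node.

```shell
# Added example: image an unmounted drive as the post describes, then prove the copy
# matches the source with SHA-256 before the original is touched again.
image_and_verify() {
    device="$1"   # block device found via dmesg, e.g. /dev/sdX (placeholder); never mount it
    out="$2"      # image file on a different drive with enough free space

    # Same command as the post, with no padding or error skipping so the
    # image stays byte-for-byte comparable with the source.
    dd if="$device" of="$out" bs=32M status=none || return 1

    src_hash=$(sha256sum "$device" | cut -d' ' -f1)
    img_hash=$(sha256sum "$out" | cut -d' ' -f1)
    # Record the image hash beside the image so later analysis can show it is unchanged.
    printf '%s  %s\n' "$img_hash" "$out" > "$out.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Constructed stand-in for a real disk so the function can be exercised without hardware.
make_fake_device() {
    dd if=/dev/urandom of="$1" bs=1M count=4 status=none
}
```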