IPL / Serial / Telnet and SSH

superwofy

Corporal
Jan 18, 2021
There may be other patches I'm not aware of; however, on the latest I-level I used physical access to get a serial connection to the Jacinto chip.
To do so, connect pins 3 and 4 on the top card edge connector to a TTL adapter. Connect one more lead to GND.

RX and TX are marked from the perspective of the NBT unit, i.e. connect RX to the adapter's TX and TX to the adapter's RX.

Once connected, to enable SSH and Telnet on HU-Intel:

1. #> sysetshell
2. syset:> connect
3. syset:> login Diagnose
4. syset:> setk SYS_DEBUG=0x01
5. syset:> store
6. syset:> exit

Reboot.

Connect to 169.254.199.99 using ssh / telnet client.
Logon: root
Password: ts&SK412
 

Attachment: serial pinout.png
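The six syset commands above, driven from a script instead of typed by hand. This is an added example and not code from the post; it assumes the console echoes what is typed and ends its prompts with '#>' and 'syset:>' exactly as shown, and that the port runs at 115200 8N1 (the Jacinto bconf output further down reports 115200 for DBG_IF; that the same rate applies here is an assumption). SerialDev, FakeConsole and the fake's "ok"/"denied" replies are mine, not the unit's: the thread does not show what syset prints, so the driver only collects a transcript and leaves the judgement to whoever reads it before rebooting.

```python
import os
import time

PROMPT_SHELL = b"#>"
PROMPT_SYSET = b"syset:>"

# (command, prompt expected once it has finished), in the post's order.
SYSET_ENABLE_DEBUG = [
    (b"sysetshell", PROMPT_SYSET),
    (b"connect", PROMPT_SYSET),
    (b"login Diagnose", PROMPT_SYSET),
    (b"setk SYS_DEBUG=0x01", PROMPT_SYSET),
    (b"store", PROMPT_SYSET),
    (b"exit", PROMPT_SHELL),
]


def expect(dev, prompt, timeout=5.0):
    """Read from dev until its output ends with `prompt`; return what came before."""
    buf, deadline = bytearray(), time.monotonic() + timeout
    while not buf.rstrip().endswith(prompt):
        chunk = dev.read(256)
        if chunk:
            buf += chunk
        elif time.monotonic() > deadline:
            raise TimeoutError("no %r prompt, got %r" % (prompt, bytes(buf)))
    return bytes(buf.rstrip()[:-len(prompt)]).decode("ascii", "replace").strip()


def run_sequence(dev, steps=SYSET_ENABLE_DEBUG, timeout=5.0):
    """Type each step at the console; return {command: what it printed}."""
    dev.write(b"\r")                      # nudge the console into printing a prompt
    expect(dev, PROMPT_SHELL, timeout)
    transcript = {}
    for cmd, want in steps:
        dev.write(cmd + b"\r")
        out = expect(dev, want, timeout)
        if out.startswith(cmd.decode()):  # drop the echoed command line
            out = out[len(cmd):].strip()
        transcript[cmd.decode()] = out
    return transcript


class SerialDev:
    """Raw 115200 8N1 port over a POSIX fd; read() returns b"" after 0.1 s idle."""
    def __init__(self, path):
        import termios                    # POSIX only, hence imported here
        self.fd = os.open(path, os.O_RDWR | os.O_NOCTTY)
        iflag, oflag, cflag, lflag, _, _, cc = termios.tcgetattr(self.fd)
        cflag = (cflag & ~(termios.PARENB | termios.CSTOPB | termios.CSIZE)
                 | termios.CS8 | termios.CLOCAL | termios.CREAD)
        lflag &= ~(termios.ICANON | termios.ECHO | termios.ISIG)
        iflag &= ~(termios.IXON | termios.IXOFF | termios.ICRNL | termios.INLCR)
        oflag &= ~termios.OPOST
        cc[termios.VMIN], cc[termios.VTIME] = 0, 1
        termios.tcsetattr(self.fd, termios.TCSANOW, [iflag, oflag, cflag, lflag,
                          termios.B115200, termios.B115200, cc])

    def read(self, n):
        return os.read(self.fd, n)

    def write(self, data):
        os.write(self.fd, data)


class FakeConsole:
    """Constructed stand-in for the NBT console so the driver can run offline."""
    def __init__(self):
        self.out, self.pending = bytearray(), bytearray()
        self.mode, self.user, self.keys, self.stored = "shell", None, {}, False

    def read(self, n):
        chunk, self.out = bytes(self.out[:n]), self.out[n:]
        return chunk

    def write(self, data):
        self.pending += data
        while b"\r" in self.pending:
            line, _, self.pending = self.pending.partition(b"\r")
            self._exec(line.decode())

    def _exec(self, line):
        self.out += line.encode() + b"\r\n"           # echo, as a terminal would
        if self.mode == "shell":
            if line == "sysetshell":
                self.mode = "syset"
        elif line == "exit":
            self.mode = "shell"
        elif line == "login Diagnose":
            self.user = "Diagnose"
        elif line.startswith("setk "):                 # "ok"/"denied" replies are made up
            key, _, value = line[5:].partition("=")
            if self.user:
                self.keys[key] = value
            self.out += b"ok\r\n" if self.user else b"denied\r\n"
        elif line == "store":
            self.stored = True
        self.out += b"#> " if self.mode == "shell" else b"syset:> "
```

Against the real unit, pass `SerialDev("/dev/ttyUSB0")` (path is an assumption; use whatever node the TTL adapter shows up as) to `run_sequence` and read the returned transcript before rebooting; the fake exists only so the prompt handling can be exercised without hardware.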

superwofy

Corporal
Jan 18, 2021
Since HU-Intel and HU-Jacinto are linked through QNET, the "on" binary can be used to run commands from either system.

For example, from Intel if you wanted to run pidin on Jacinto:
Code:
on -f hu-jacinto pidin

Similarly, the reverse is possible:
Code:
on -f hu-intel pidin

This is very useful in cases where perhaps there's an issue on the Intel side and you have access to the Jacinto's serial port.
 

superwofy

Corporal
Jan 18, 2021
To enter IPL on Jacinto:

Take the NBT's RX line and ground it while starting the unit. Once you see the IPL banner, connect the RX line back to the TTL adapter:

Code:
IPL: B069, 336/528/132 MHz (ARM/DSP/SDRAM); RAM: 64 MB
[ver.11501A, built 2011-12-12 15:05:56 0]

Entering CLI, type '?' for help

Code:
=> ?
?       - alias for 'help'
bconf
boot    - boot
clocks
crc32   - compute BG CRC32 over memory region
dsp     - reset and boot the DSP
echo    - echo args
fboot   - boot image from NOR
fload   - load image from NOR
fscan   - scan NOR for images (IFS, DSP, BIOS)
go      - jump to 'addr'
help    - print online help
hwconf  - dump hardware configuration
iplver  - show IPL status / version
md      - memory display
memfill - memory fill/verify (test pattern)
memperf - memory performance test (benchmark)
memtest - memory test
mt      - alias for 'memtest'
peek    - memory display
poke    - memory modify
rz      - alias for 'zmodem'
sleep   - wait 'sec' seconds
tstamps - dump time stamps
zmodem  - download img over serial line (Z-Modem protocol)

Code:
=> bconf
DBG_IF=8250.1c20000^2.115200.24000000.16
DIP=100
=> hwconf
DSPBOOTADDR         [ 1c48008] = 11800000
SUSPSRC             [ 1c4800c] =        0
BOOTCFG             [ 1c48014] =        5<HPI_SEL=0,BOOTSEL=5>
DEVICE_ID           [ 1c4802c] =  b72802f
VLYNQ_CTL           [ 1c48030] =        0
AUDSSMUX            [ 1c48034] =        0
SHAREAUX_CTL0       [ 1c48038] =        0
SHAREAUX_CMD0       [ 1c4803c] =        0
SHAREAUX_STAT0      [ 1c48040] =       30
DSP_INTCMD          [ 1c48080] =        0
DSP_INTSTAT         [ 1c48084] =        0
PINMUX0             [ 1c48100] = e8b00010<I2S5C,I2S5B,I2S5A,I2S4C=1,I2S4B=0,I2S3,I2S1B,I2S1A,BSTRAP=0,EA1>
PINMUX1             [ 1c48104] =      6c0<ECAP3=0,ECAP2=0,ECAP1=0,GPIO4_3=0,GPIO4_2=0,GPIO4_1=0,GPIO4_0=0,SPI3=1,SPI2B=2,SPI2A,I2C2,SD=0>
PINMUX2             [ 1c48108] =  e01a000<ASP0C,ASP0B,ASP0A,XREF2=0,XREF1=0,XREF0=1,VIN_B=2,VIN_A=2,VOUT_XCLK=0,VID=0,VOUT1=0,VID_B=0,VID_A=0>
PULLCTL             [ 1c4810c] =        0
IO_PWDN             [ 1c48118] =        0
OBSMUX              [ 1c4811c] =        0
HPI_CTL             [ 1c48124] =     1018
USBPHY_CTL          [ 1c48128] =       c7
VPSS_CLKCTL         [ 1c4812c] =        0
INTDMA_MUX0         [ 1c48134] =     8000
MISC_CTL0           [ 1c48138] =     1500
INTDMA_MUX1         [ 1c4813c] =   c00000
MSTPRI0             [ 1c48140] =    50333<LCDP=5,ARM_IP=3>
MSTPRI1             [ 1c48144] =  4040404<HPIP=4,VLYNQP=4,USBP=4,ATAP=4>
MPER_MAP            [ 1c48148] =        c
ARMAUX_CTL0         [ 1c4814c] =    f0001
ARMAUX_CMD0         [ 1c48150] =        0
ARMAUX_STAT0        [ 1c48154] =        0
VERR_FADR           [ 1c48160] =        0
VERR_FCMD           [ 1c48164] =        0
ARM_INTCMD          [ 1c48180] =        0
ARM_INTSTAT         [ 1c48184] =        0

VPSS_PCR            [ 1c93404] =        0<CPRIO=0>

EDMA_QUEPRI         [ 1c00284] =      630<PRIQ2=6,PRIQ1=3,PRIQ0=0>
EDMA_DMAQNUM0       [ 1c00240] = 22020022
EDMA_DMAQNUM1       [ 1c00244] =   222020
EDMA_DMAQNUM2       [ 1c00248] = 22112222
EDMA_DMAQNUM3       [ 1c0024c] = 22222222
EDMA_DMAQNUM4       [ 1c00250] = 21122222
EDMA_DMAQNUM5       [ 1c00254] = 22222222
EDMA_DMAQNUM6       [ 1c00258] = 22222222
EDMA_DMAQNUM7       [ 1c0025c] = 22222222
EDMA_QDMAQNUM       [ 1c00260] = 22222222
EDMA_QCHMAP0        [ 1c00200] =        0<PAENTRY=0,TRWORD=0>
EDMA_QCHMAP1        [ 1c00204] =        0<PAENTRY=0,TRWORD=0>
EDMA_QCHMAP2        [ 1c00208] =        0<PAENTRY=0,TRWORD=0>
EDMA_QCHMAP3        [ 1c0020c] =        0<PAENTRY=0,TRWORD=0>
EDMA_QCHMAP4        [ 1c00210] =        0<PAENTRY=0,TRWORD=0>
EDMA_QCHMAP5        [ 1c00214] =        0<PAENTRY=0,TRWORD=0>
EDMA_QCHMAP6        [ 1c00218] =        0<PAENTRY=0,TRWORD=0>
EDMA_QCHMAP7        [ 1c0021c] =        0<PAENTRY=0,TRWORD=0>
EDMA_DRAE_0         [ 1c00340] =   300000
EDMA_DRAE_1         [ 1c00348] =     c52c
EDMA_DRAEH_0        [ 1c00344] =    1fe50
EDMA_DRAEH_1        [ 1c0034c] =        0
EDMA_QRAE0          [ 1c00380] =        0
EDMA_QRAE1          [ 1c00384] =        0

GPIO_PID            [ 1c41000] = 43081100
GPIO_BINTEN         [ 1c41008] =        0
GPIO_DIR01          [ 1c41010] = ef3ecf33
GPIO_DIR23          [ 1c41038] = ffcf5f4f
GPIO_DIR4           [ 1c41060] = ffffffbf
GPIO_OUT_DATA01     [ 1c41014] = 10000004
GPIO_IN_DATA01      [ 1c41020] = 58008004
GPIO_OUT_DATA23     [ 1c4103c] =     2010
GPIO_IN_DATA23      [ 1c41048] = 30457810
GPIO_OUT_DATA4      [ 1c41064] =        0
GPIO_IN_DATA4       [ 1c41070] =     61b4
GPIO_SET_RIS_TRIG01 [ 1c41024] =  8000000
GPIO_SET_FAL_TRIG01 [ 1c4102c] = 40000000
GPIO_INTSTAT01      [ 1c41034] =        0
GPIO_SET_RIS_TRIG23 [ 1c4104c] =     1040
GPIO_SET_FAL_TRIG23 [ 1c41054] =   304000
GPIO_INTSTAT23      [ 1c4105c] =        0
GPIO_SET_RIS_TRIG4  [ 1c41074] =        f
GPIO_SET_FAL_TRIG4  [ 1c4107c] =        0
GPIO_INTSTAT4       [ 1c41084] =        0

UART0_PWREMU_MGMT   [ 1c20030] =     6003<UTRST,URRST,FREE>
UART0_PWREMU_MGMT   [ 1c20430] =        2
UART0_PWREMU_MGMT   [ 1c20830] =        2
UART0_PWREMU_MGMT   [ 1c20c30] =        2

EMIFA_SDCR          [18000008] =    10621<SDREN,CL=3,IBANK=2,EBANK=0,PAGESIZE=1>
EMIFA_SDRCR         [1800000c] =      3d8
EMIFA_SDTIMR1       [18000010] = 10912a09<T_RFC=8,T_RP=2,T_RCD=2,T_WR=1,T_RAS=5,T_RC=8,T_RRD=1,T_WTR=1>
EMIFA_SDTIMR2       [18000014] =    90005<T_XSR=9,T_CKE=5>
EMIFA_PBBPR         [18000020] =       10
EMIFA_ACS2CR        [18000080] =  21e50c1<W_SETUP=2,W_STROBE=7,W_HOLD=4,R_SETUP=a,R_STROBE=6,R_HOLD=0,ASIZE=1>
EMIFA_ACS3CR        [18000084] =  ffffffc<W_SETUP=f,W_STROBE=3f,W_HOLD=7,R_SETUP=f,R_STROBE=3f,R_HOLD=7,ASIZE=0>
EMIFA_ACS4CR        [18000088] =  30c906a<W_SETUP=3,W_STROBE=3,W_HOLD=1,R_SETUP=2,R_STROBE=3,R_HOLD=2,ASIZE=2>
EMIFA_ACS5CR        [1800008c] =  ffffffd<W_SETUP=f,W_STROBE=3f,W_HOLD=7,R_SETUP=f,R_STROBE=3f,R_HOLD=7,ASIZE=1>
EMIFA_AWCCR         [180000a0] = 40000580
EMIFA_IRR           [180000c0] =        0
EMIFA_IMR           [180000c4] =        0
EMIFA_IMSR          [180000c8] =        0
EMIFA_IMCR          [180000cc] =        0

PLL0_PLLCTL         [ 1ca1d00] =       49
PLL0_SECCTL         [ 1ca1d08] =   800000
PLL0_PLLM           [ 1ca1d10] =       15
PLL0_PLLDIV1        [ 1ca1d18] =     8000
PLL0_PLLDIV2        [ 1ca1d1c] =     8002
PLL0_PLLDIV3        [ 1ca1d20] =     8003
PLL0_POSTDIV        [ 1ca1d28] =     8000
PLL0_PLLCMD         [ 1ca1d38] =        1
PLL0_PLLSTAT        [ 1ca1d3c] =        6
PLL0_ALNCTL         [ 1ca1d40] =      1ff
PLL0_DCHANGE        [ 1ca1d44] =        0
PLL0_CKEN           [ 1ca1d48] =        3
PLL0_CKSTAT         [ 1ca1d4c] =        b
PLL0_SYSTAT         [ 1ca1d50] =      1ff
PLL0_PLLDIV4        [ 1ca1d60] =     8004
PLL0_PLLDIV5        [ 1ca1d64] =     8005
PLL0_PLLDIV6        [ 1ca1d68] =     8003
PLL0_PLLDIV7        [ 1ca1d6c] =     8004
PLL0_PLLDIV8        [ 1ca1d70] =     800f
PLL0_PLLDIV9        [ 1ca1d74] =     8000

PLL1_PLLCTL         [ 1ca2100] =       49
PLL1_SECCTL         [ 1ca2108] =   800000
PLL1_PLLM           [ 1ca2110] =       1b
PLL1_PLLDIV1        [ 1ca2118] =     8000
PLL1_PLLDIV2        [ 1ca211c] =     8001
PLL1_PLLDIV3        [ 1ca2120] =     8001
PLL1_POSTDIV        [ 1ca2128] =     8000
PLL1_PLLCMD         [ 1ca2138] =        1
PLL1_PLLSTAT        [ 1ca213c] =        6
PLL1_ALNCTL         [ 1ca2140] =       ff
PLL1_DCHANGE        [ 1ca2144] =        0
PLL1_CKEN           [ 1ca2148] =        3
PLL1_CKSTAT         [ 1ca214c] =        b
PLL1_SYSTAT         [ 1ca2150] =       ff
PLL1_PLLDIV4        [ 1ca2160] =     8001
PLL1_PLLDIV5        [ 1ca2164] =     8005
PLL1_PLLDIV6        [ 1ca2168] =     8003
PLL1_PLLDIV7        [ 1ca216c] =     8005
PLL1_PLLDIV8        [ 1ca2170] =     800b
PLL1_PLLDIV9        [ 1ca2174] =        0

Code:
=> fscan
** #0 @21e00000: IFS [vers.1, LZO, mark 0x10015184: application]
** #1 @20100000: IFS [vers.1, LZO, unmarked]
** #2 @22600000: IFS [vers.1, LZO, unmarked]
** #3 @23a00000: IFS [vers.1, LZO, unmarked]
** #4 @23f40000: BIOS packet
** #5 @22400000: DSP .out file (BGZ boot table format)
 
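The hwconf and fscan dumps above are easier to compare across units once they are parsed. The following is an added example, mine rather than anything from the post or the IPL: it parses the 'NAME [addr] = value<FIELD=v,FLAG,...>' register lines and the '** #n @addr: KIND [attrs]' image lines, with both formats inferred from the dump, and the sample text is copied from it. duplicate_names() surfaces the four lines the IPL all labels UART0_PWREMU_MGMT at 0x1c20030, 0x1c20430, 0x1c20830 and 0x1c20c30 (a 0x400 stride, which I read as four UART instances under one label; that is my inference), and layout() orders the NOR images by address, which gives an upper bound on each image's size because fscan prints only start addresses.

```python
import re
from dataclasses import dataclass
from typing import Optional

# NAME [ addr] = value<FIELD=v,FLAG,...>     (the <...> part is optional)
_REG = re.compile(r"^(?P<name>\w+)\s+\[\s*(?P<addr>[0-9a-f]+)\]\s*=\s*(?P<val>[0-9a-f]+)"
                  r"(?:<(?P<fields>[^>]*)>)?\s*$", re.I)
# ** #n @addr: KIND [attr, attr, ...]         (the [...] part is optional)
_IMG = re.compile(r"^\*\*\s+#(?P<idx>\d+)\s+@(?P<addr>[0-9a-f]+):\s+(?P<kind>[^\[]+?)"
                  r"(?:\s+\[(?P<attrs>[^\]]*)\])?\s*$", re.I)

# Lines copied from the dump in the post; a subset is enough to exercise the parser.
SAMPLE_HWCONF = """\
=> hwconf
BOOTCFG             [ 1c48014] =        5<HPI_SEL=0,BOOTSEL=5>
DEVICE_ID           [ 1c4802c] =  b72802f
PINMUX1             [ 1c48104] =      6c0<ECAP3=0,ECAP2=0,ECAP1=0,GPIO4_3=0,GPIO4_2=0,GPIO4_1=0,GPIO4_0=0,SPI3=1,SPI2B=2,SPI2A,I2C2,SD=0>
UART0_PWREMU_MGMT   [ 1c20030] =     6003<UTRST,URRST,FREE>
UART0_PWREMU_MGMT   [ 1c20430] =        2
UART0_PWREMU_MGMT   [ 1c20830] =        2
UART0_PWREMU_MGMT   [ 1c20c30] =        2
EMIFA_SDCR          [18000008] =    10621<SDREN,CL=3,IBANK=2,EBANK=0,PAGESIZE=1>
"""
SAMPLE_FSCAN = """\
=> fscan
** #0 @21e00000: IFS [vers.1, LZO, mark 0x10015184: application]
** #1 @20100000: IFS [vers.1, LZO, unmarked]
** #2 @22600000: IFS [vers.1, LZO, unmarked]
** #3 @23a00000: IFS [vers.1, LZO, unmarked]
** #4 @23f40000: BIOS packet
** #5 @22400000: DSP .out file (BGZ boot table format)
"""


@dataclass
class Register:
    name: str
    addr: int
    value: int
    fields: dict          # decoded <...> part: FIELD -> int, bare flag -> True


@dataclass
class Image:
    idx: int
    addr: int
    kind: str             # "IFS", "BIOS packet", "DSP .out file (...)"
    attrs: list
    mark: Optional[str]   # text after "mark " when the IPL flagged the image


def parse_hwconf(text):
    """Parse register lines into a list (a list, because labels can repeat)."""
    regs = []
    for line in text.splitlines():
        m = _REG.match(line.strip())
        if not m:
            continue                          # prompts, headings, blanks
        fields = {}
        for item in filter(None, (m["fields"] or "").split(",")):
            key, has_value, val = item.strip().partition("=")
            fields[key] = int(val, 16) if has_value else True
        regs.append(Register(m["name"], int(m["addr"], 16), int(m["val"], 16), fields))
    return regs


def find(regs, name):
    """First register carrying that label."""
    return next(r for r in regs if r.name == name)


def duplicate_names(regs):
    """Labels used for more than one address, in the order they appear."""
    seen = {}
    for r in regs:
        seen.setdefault(r.name, []).append(r.addr)
    return {n: a for n, a in seen.items() if len(a) > 1}


def parse_fscan(text):
    """Parse the image lines fscan prints, in the order printed."""
    images = []
    for line in text.splitlines():
        m = _IMG.match(line.strip())
        if not m:
            continue
        attrs = [a.strip() for a in (m["attrs"] or "").split(",") if a.strip()]
        mark = next((a[5:] for a in attrs if a.startswith("mark ")), None)
        images.append(Image(int(m["idx"]), int(m["addr"], 16), m["kind"].strip(), attrs, mark))
    return images


def layout(images):
    """(image, distance to the next image) in NOR address order; None for the last.

    fscan gives only start addresses, so the distance is an upper bound on size.
    """
    ordered = sorted(images, key=lambda i: i.addr)
    return [(img, (nxt.addr - img.addr) if nxt else None)
            for img, nxt in zip(ordered, ordered[1:] + [None])]
```

Feeding a full `hwconf` capture from a second unit through `parse_hwconf` and diffing the two lists by address is the quickest way to spot a strap or pinmux difference between boards.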

Xantor

Private
Jan 3, 2023
New rabbit hole discovered. And I have absolutely no clue what all this means. But congrats on finding out and thanks for sharing.
 

wheela

Lieutenant
Jun 4, 2021
Twin Cities, MN
Ride: 2015 e84 X1 35i Msport
Yes, @superwofy all your recent posts are well over my head, but I'm extremely impressed with the work, discovery, and sharing - this is amazing for the community. I'm just hoping I'll be able to get my Mobridge DA-G2 Pro working properly with the MOST bus when I finally get around to installing my stereo upgrades. THANK YOU for all these contributions!!
 

Xantor

Private
Jan 3, 2023
Mind me asking what your use case for that G2 Pro is? 5 minutes of googling yielded that it "provides a connection between the in-vehicle MOST25 infotainment system with any aftermarket analog/digital amplifier."
 

wheela

Lieutenant
Jun 4, 2021
Twin Cities, MN
Ride: 2015 e84 X1 35i Msport
Yeah, no problem! That's pretty much what I'll be using it for. It gets a direct, unfiltered digital audio signal from the MOST bus right from the factory head unit. It retains all factory controls, volume, balance, fade, eq, etc. But it's a 10 channel DSP, with 1000 band parametric eq, crossover, and time alignment for each channel, plus a global eq that can be used simultaneously over all 10 channels. I'll disconnect my factory amp from MOST and this will get plugged in its place. You obviously need an amplifier(s) connected to this unit to power the speakers. I'm currently only planning on using 6 channels; 4 to a JL Audio HD600/4 for front doors & under-seat midbass, and 2 to a JL Audio HD1200/1 for two subs in a custom enclosure in the back. I'm happy to share more details, but I don't want to thread jack too much😉

Edit: the previous version needed coding to work, but supposedly this one doesn't - you set the dip switches for BMW and should be set. I haven't coded my car yet, so I guess we'll see....
 

walkernight88

New Member
Oct 30, 2019
Ride: F10 520d pre-lci
There are several ways to open SSH on NBT and on NBT EVO units.
For NBT:
1) serial, as you've described earlier
2) USB method, using an update file (cfg + so): write a library to execute exactly what you've done with the sys debug flag. In this case the HDD/SSD must work
3) Lv5 key... get the payload, sign it and give it to the headunit using E-sys transmitter or any other tool which can communicate via UDS

For Evo:
1) serial, same same
2) USB method works, but it works until 2018-03 software. After that it was patched by Harman
3) Lv5 key

Personally, I prefer the serial way, I hook my TTL adapter using a pci-express slot to the units and c'est la vie. I need to open these up as they come beaten up by "professionals" and I need to recover them :)
 

superwofy

Corporal
Jan 18, 2021
USB bin for opening SSH in NBT

Thanks for providing this.

I see it's an srm plugin. Is this intel123's work?

Looks pretty simple, I'm guessing it's not persistent.
Code:
#include <stdbool.h>
#include <stdlib.h>
#include <unistd.h>

/* Plugin entry point as recovered from the binary: an endless loop that
 * keeps the packet filter down and sshd (re)started on port 31. Only
 * these two commands are issued; nothing here touches storage. */
void plugin_cb_main(void)
{
  do {
    system("/bin/pfctl -d");      /* disable the pf packet filter */
    system("/bin/sshd -p 31");    /* start the SSH daemon on port 31 */
    sleep(15);                    /* 0xf seconds between rounds */
  } while (true);
}
 
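Whichever route opens the service, the syset flag from the first post or this plugin, the practical check afterwards is whether anything at the unit's address answers with an SSH identification line. This is an added example and not code from the thread: it takes 169.254.199.99 and port 31 from the posts, reads the RFC 4253 identification line every SSH server sends first, and includes a constructed loopback listener (serve_banner_once, banner "SSH-2.0-OpenSSH_5.1") so the code can be tried without a unit. The thread does not say which port the syset method opens, so pass that port explicitly.

```python
import socket
import threading
import time

NBT_ADDR = "169.254.199.99"     # unit address from the first post
PLUGIN_PORT = 31                # port the plugin passes to sshd


def parse_ssh_banner(data):
    """Return (protoversion, softwareversion) from an SSH identification line.

    RFC 4253 4.2: "SSH-protoversion-softwareversion SP comments CR LF"; a
    server may send other lines first. None if no such line is present.
    """
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            parts = line.split(b"-", 2)
            if len(parts) < 3:
                return None
            software = parts[2].split(b" ", 1)[0]
            return parts[1].decode("ascii", "replace"), software.decode("ascii", "replace")
    return None


def probe(host=NBT_ADDR, port=PLUGIN_PORT, timeout=3.0):
    """Connect and read the first line; None on refusal, timeout or a non-SSH listener."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            while b"\n" not in data and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return parse_ssh_banner(data)


def wait_for_sshd(host=NBT_ADDR, port=PLUGIN_PORT, attempts=4, delay=5.0):
    """Poll a few times: the plugin only re-issues 'sshd -p 31' every 15 s."""
    for n in range(attempts):
        banner = probe(host, port)
        if banner:
            return banner
        if n + 1 < attempts:
            time.sleep(delay)
    return None


def serve_banner_once(banner=b"SSH-2.0-OpenSSH_5.1\r\n"):
    """Loopback stand-in for the unit with a constructed banner; returns (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()


def unused_port():
    """A loopback port nothing listens on, to exercise the refused-connection path."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port
```

The banner check deliberately stops before any key exchange: it proves a listener is up without having to present the root credential from the first post over the wire.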

pRoxxx

Private
Feb 9, 2021
Does NBT have Zmodem or something else for transferring files through Ethernet?
 

AlpineWhite

New Member
Jun 25, 2020
I know this is a long shot, are you able to shed some light on how you derived this nice code from that BIN file? Would love to learn how to do that.