Page 2 of 3
Results 16 to 30 of 31
  1. #16
    Join Date
    Jun 2007
    Location
    Sanford FL
    Posts
    4,149
    Post Thanks / Like
    Seems to me like a LOT of work to do something that's readily available for under $500 from several vendors.

    Even if you get in and manage to find a way to edit the calibration, it's not going to work if you do not modify the PCM....
    Please don't PM me, I don't always have time to go through them!

  2. #17
    Join Date
    Aug 2007
    Location
    Maryland
    Posts
    111
    Post Thanks / Like
    Quote Originally Posted by innursery View Post
    If you want to go further I can give you some information in PM.
    I'm down to listen to what you have to say.

    Quote Originally Posted by Mike@Diablosport View Post
    Seems to me like a LOT of work to do something that's readily available for under $500 from several vendors.

    Even if you get in and manage to find a way to edit the calibration, it's not going to work if you do not modify the PCM....
    Fully understand this, I'm going to keep poking. If I can get RCE on the Infotainment then I can potentially bounce to the PCM from there, opening up other avenues. Nothing ventured, nothing gained, right? BTW, love my Diablo Sport Tuner.

  3. #18
    Join Date
    Aug 2009
    Location
    Cincinnati, OH
    Posts
    528
    Post Thanks / Like
    I'm not familiar at all with the Gen3s, but I think that the ability to get programmable access to the PCM through the Infotainment system is going to be a dead end. My thinking is that the Infotainment head is just another device node on the CAN bus and most likely has read-only, polling, and/or fixed status sending access. The CAN bus diagram for the Gen1 (probably apples to oranges, but gives you an idea) indicates that you would have to go from the VES (video entertainment system/Infotainment) node on the CAN-B bus through either the FCM (front control module/central gateway) to the CAN-C bus PCM/TCM, or from the VES to the SCM (steering control module) to the PCM/TCM.

    From an engineering standpoint, I can't think of a scenario where you would want any kind of write access from the Infotainment system to the PCM. Personally, I think your only viable way is through the OBD port (point of entry for every other programmer/tuner). Best of luck to you nevertheless, hope you prove me wrong.

  4. #19
    Join Date
    Aug 2007
    Location
    Maryland
    Posts
    111
    Post Thanks / Like
    Updating this with some information. 17.xx.xx updates have disabled the networking flag, so anyone hoping to get a USB-to-Ethernet connection going might be SOL. I know I am until I figure out how to turn on the network flag. All new ISO images are signed by a private key from FCA, so any modification to the files and such using a hex editor will cause them to fail a validation check before installation. Bluetooth fuzzing is underway and very promising. Found some buffer overflows but can't get a good heap groom so far; I'm keeping those exploits private so FCA can't patch them for now.

  5. #20
    Join Date
    Jun 2016
    Location
    Georgetown, Tx
    Posts
    1,603
    Post Thanks / Like
    In non tech speak, you are figuring **** out.


    2016 Charger Scat Pack
    LMI Intake
    3.70 gears
    Borla Atak
    Active exhaust delete
    Hemifever Tuning

  6. #21
    Join Date
    Sep 2011
    Location
    South FL
    Posts
    2,194
    Post Thanks / Like
    Quote Originally Posted by beirutbob View Post
    I'm not familiar at all with the Gen3s, but I think that the ability to get programmable access to the PCM through the Infotainment system is going to be a dead end. My thinking is that the Infotainment head is just another device node on the CAN bus and most likely has read-only, polling, and/or fixed status sending access. The CAN bus diagram for the Gen1 (probably apples to oranges, but gives you an idea) indicates that you would have to go from the VES (video entertainment system/Infotainment) node on the CAN-B bus through either the FCM (front control module/central gateway) to the CAN-C bus PCM/TCM, or from the VES to the SCM (steering control module) to the PCM/TCM.

    From an engineering standpoint, I can't think of a scenario where you would want any kind of write access from the Infotainment system to the PCM. Personally, I think your only viable way is through the OBD port (point of entry for every other programmer/tuner). Best of luck to you nevertheless, hope you prove me wrong.
    Agree, IF it's designed right. There should be no direct PCM access through any other system in the car. OP, I understand most of that.
    Is there a way to disable OTA? I just got my car.
    16 Charger RT, R1 slotted rotors, ST pads, Mopar super track pack suspension, Mopar strut bar
    07 300 SRT8-retired

  7. #22
    Join Date
    Jul 2018
    Location
    Looziana
    Posts
    281
    Post Thanks / Like
    I see the future for this PCM



    2006 Dodge Daytona (Top Banana #3494)
    1-7/8" MAXIMIZER Longtube headers w/hiflow cats/Corsa Sport Catback/CAI/EGR delete/170* thermostat w/tweaked duty cycle
    Eibach Sportlines/Leather R/T steering wheel w/EVIC controls/91 octane tune by Johan

  8. #23
    Join Date
    Jul 2010
    Location
    Central PA
    Posts
    335
    Post Thanks / Like
    Maybe this thread led to the new Uconnect Update our '18 Daytona started telling us we need "this week".

    I wondered what prompted the update when it popped up. (and what it's "fixing")
    Maybe it's FCA countermeasures to your poking about & posting results on the WWW.
    Probably got their panties all in a twist and decided to screw up the radio as punishment.
    Last edited by Runner2go; 09-21-2018 at 05:21 PM.
    The Herd
    2009 300c Black (The Wife's)
    2018 392 Daytona White (Wife's #2)
    2010 6sp Challenger Mopar'10
    2003 Ram 2500 diesel 4x4
    1966 383 4sp Charger
    1970 440+6 4sp Road Runner
    1974 360 Auto Challenger


  9. #24
    Join Date
    Feb 2007
    Posts
    123
    Post Thanks / Like
    Great work Fumanchu, you're coming from my side of the cyber world. Are you live emulating the operating system from a container or VM yet? This may sound stupid, but all I want to do is to be able to play a custom start-up sound on my system and have different wallpaper :D Hell, or even run Android side by side.
    Pilot of a 2006 GMG Daytona Charger and a 2016 Jazz Blue Scatpack Charger
    ""We're in the pipe, 5 by 5""

  10. #25
    Join Date
    Feb 2017
    Location
    glendale az
    Posts
    196
    Post Thanks / Like
    You can tap into CAN bus C anywhere there are CAN C bus wires and access the PCM: star connectors or any connector that has the high and low CAN C bus wiring. I don't know why you wouldn't just go through the OBD port. These newer GPEC2/GPEC2A PCMs are pretty well locked up though; these tuners physically have to crack the PCMs open and they either unlock them through a BDM read/write or replace the chips, haven't really got an answer on that one. What I do know is you're not going to tune anything trying to jump from CAN IHS over to CAN C (which is what the PCM gets flashed with); they communicate at different speeds. The body control module does talk to both CAN IHS and CAN C, but for scan tool communications it talks over CAN C. Maybe you can throw out a line to the guys involved with Black Hat if you're looking for exploits for fun.

  11. #26
    Join Date
    Aug 2007
    Location
    Maryland
    Posts
    111
    Post Thanks / Like
    Quote Originally Posted by Ultrakla$$ic View Post
    I see the future for this PCM



    Nah I know when to back off.

    Quote Originally Posted by Runner2go View Post
    Maybe this thread led to the new Uconnect Update our '18 Daytona started telling us we need "this week".

    I wondered what prompted the update when it popped up. (and what it's "fixing")
    Maybe it's FCA countermeasures to your poking about & posting results on the WWW.
    Probably got their panties all in a twist and decided to screw up the radio as punishment.
    I kinda ****ed myself over by posting on here, if FCA comes after me so be it.

    Quote Originally Posted by jeeplaw View Post
    Great work Fumanchu, you're coming from my side of the cyber world. Are you live emulating the operating system from a container or vm yet? This may sound stupid, but all I want to do is to be able to play a custom start up sound on my system and have different wall paper :D Hell ,or even run android side by side
    QEMU with specs to match the running environment. Doing a lot of chroot though to get the binaries to run.

    Quote Originally Posted by circ1977 View Post
    these tuners physically have to crack the PCMs open and they either unlock them through a BDM read/write or replace the chips
    That's what i'm trying to change, if there's anything I've learnt in my few years of doing this is that there is always some sloppy programmer doing things in a ****ty way. I'll find it and I'll exploit it.

    As a general update, had to pause on this. Got shipped out to an exercise near Camarillo, then got shipped back, then got told to work on some warfare qualifications, so I don't have a lot of free time. I'll spin back up in the new year for sure, fingers crossed.

  12. #27
    Join Date
    Feb 2017
    Location
    glendale az
    Posts
    196
    Post Thanks / Like
    let me know when you swing back around to this project, I have a pcm flash log with all the routines and unlocks in hex code of course, might be useful to you.

  13. #28
    Join Date
    Aug 2007
    Location
    Maryland
    Posts
    111
    Post Thanks / Like
    I'm back, this is more of a personal project now. Working on attack surfaces involving BT and WPA supplicant. Since I have a 2015 I don't get to play with the Android version but would like to test some theories on that if anyone has a few hours (non destructive tests!).



  14. #29
    Join Date
    Aug 2007
    Location
    Maryland
    Posts
    111
    Post Thanks / Like
    Still have free cycles on this. Been decompiling Lua scripts to attack the update mechanism. Here is a sample of decompiled and disassembled Lua for the isochk.lua script.

    Code:
    -- Decompiled using luadec 2.2 rev: 895d923 for Lua 5.1 from https://github.com/viruscamp/luadec
    -- Command line: isochk.lua 
    
    
    -- params : ...
    -- function num : 0
    local l_0_0 = require("service")
    local l_0_1 = (l_0_0.register)("com.harman.service.SoftwareUpdate", {})
    get_flags = function()
      -- function num : 0_0
      local l_1_0 = (io.open)("/dev/fram/mfg", "r")
      if l_1_0 then
        local l_1_1 = l_1_0:seek("set", 0)
        do
          do
            if l_1_1 and l_1_1 == 0 then
              local l_1_2 = l_1_0:read(2)
              if l_1_2 and l_1_2 ~= 0 then
                l_1_0:close()
                return l_1_2
              end
            end
            l_1_0:close()
            return nil
          end
        end
      end
    end
    
    
    local l_0_3 = function(l_2_0, l_2_1)
      -- function num : 0_1 , upvalues : l_0_0, l_0_1
      if l_2_1 <= 0 then
        l_2_1 = 0
      end
      if l_2_1 >= 100 then
        l_2_1 = 100
      end
      if not l_2_0 then
        l_2_0 = "?"
      end
      local l_2_2 = {}
      l_2_2.unitName = l_2_0
      l_2_2.unitNumber = 1
      l_2_2.totalUnitCount = 1
      l_2_2.totalPercentComplete = l_2_1
      l_2_2.unitPercentComplete = l_2_1
      ;
      (l_0_0.emit)(l_0_1, "progress", l_2_2)
    end
    
    
    if get_flags() == "MS" then
      print("Mfg install mode")
      ;
      (os.exit)(0)
    else
      print("Normal install mode")
    end
    if (os.execute)("dd if=/fs/usb0/swdl.iso of=/tmp/a ibs=64 count=1 skip=1") ~= 0 then
      (os.exit)(-6)
    end
    if (os.execute)("openssl rsautl -verify -inkey /etc/keys/swdl.pub -in /tmp/a -pubin -out /tmp/b") ~= 0 then
      (os.exit)(-7)
    end
    fcmd = (io.popen)("hashFile sha256 /fs/usb0/swdl.iso /tmp/c 32768", "r")
    if not fcmd or error then
      (os.exit)(-1)
    end
    for l_0_7 in fcmd:lines() do
      local l_0_4 = nil
      -- DECOMPILER ERROR at PC72: Confused about usage of register: R7 in 'UnsetPending'
    
    
      if (string.match)((string.upper)(R7_PC72), "^%s*ERROR") ~= nil then
        (os.exit)(-2)
      end
      if (string.match)(R7_PC72, "^%s*%d") ~= nil and tonumber(R7_PC72) ~= 0 then
        l_0_3("Pre-update ISO validation", tonumber(R7_PC72))
      end
    end
    fcmd:close()
    if (os.execute)("cmp -s /tmp/c /tmp/b") == 0 then
      (l_0_0.unregister)(l_0_1)
      ;
      (os.exit)(0)
    else
      do
        ;
        (os.exit)(-5)
        -- DECOMPILER ERROR at PC121: freeLocal<0 in 'ReleaseLocals'
    
    
      end
    end
    So how it works:

    1. Copy the entire swdl.iso file to /tmp/a.
    2. Verify with openssl rsa and place that output into /tmp/b.
    3. Hash the mounted file and save to /tmp/c.
    4. Compare the hash result and the RSA output byte by byte with cmp.


    How to defeat it:
    1. Find a way into /dev/fram/mfg and set it to return MS.
    2. Change the hex byte for if get_flags() == "MS" to != (this would permanently put it in MFG mode).
    3. Find the private key this is signed with (good luck!).


    If anyone wants to decompile at home, I'm using a Raspbian image inside of QEMU. You have to install lua/readline/ncurses to compile the luadec tool.

    As I poke more and more I'll put my findings in here.
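    The three-step check in isochk.lua, rebuilt as a shell script on a constructed image so it can be run and broken offline. This is an added example, not code from the post, from luadec or from the head unit. It assumes: that the 64-byte block dd reads at offset 64 (ibs=64 count=1 skip=1) is a raw PKCS#1 v1.5 RSA signature over the SHA-256 digest, so that rsautl -verify recovers the digest bytes cmp then compares against the hash output; that the trailing 32768 argument to hashFile is the offset at which hashing starts, which lines up with the 32 KiB ISO 9660 system area the signature sits in; and a 512-bit test key, because rsautl needs a signature exactly as long as the modulus and the script reads 64 bytes. Neither the key nor the image is FCA's, the /dev/fram/mfg "MS" gate is not modelled, and pkeyutl -verifyrecover stands in for the deprecated rsautl -verify (same operation). Needs openssl on the PATH.

```shell
#!/bin/sh
# Added example: the isochk.lua signature check rebuilt on a constructed image.
# Assumptions (mine, not the page's): signature = 64 raw bytes at offset 64,
# PKCS#1 v1.5 over the SHA-256 digest; hashing starts at byte 32768; a 512-bit
# test key, since a 64-byte signature needs a 512-bit modulus. Requires openssl.
set -eu

SYSAREA=32768   # assumed hashFile start offset (ISO 9660 system area size)
SIG_OFF=64      # from "dd ... ibs=64 count=1 skip=1" in isochk.lua
KEYBITS=512     # 64-byte raw signature => 512-bit RSA modulus

# mkkeys DIR : test signing key plus the public half the unit keeps as swdl.pub
mkkeys() {
    openssl genrsa -out "$1/swdl.key" "$KEYBITS" 2>/dev/null
    openssl rsa -in "$1/swdl.key" -pubout -out "$1/swdl.pub" 2>/dev/null
}

# hash_payload ISO OUT : stand-in for "hashFile sha256 ISO OUT 32768", assumed
# to be a raw SHA-256 of everything from offset 32768 to end of file
hash_payload() {
    dd if="$1" bs="$SYSAREA" skip=1 2>/dev/null | openssl dgst -sha256 -binary > "$2"
}

# make_signed_iso DIR OUT : constructed image (not a real Uconnect ISO): 32 KiB
# zeroed system area, a fake payload, then the signature written at offset 64
make_signed_iso() {
    { dd if=/dev/zero bs="$SYSAREA" count=1 2>/dev/null
      printf 'CD001 constructed payload for the example\n'
      dd if=/dev/zero bs=4096 count=4 2>/dev/null; } > "$2"
    hash_payload "$2" "$1/digest"
    # pkeyutl -sign applies PKCS#1 v1.5 padding to the 32-byte digest and signs;
    # verifyrecover on the other side strips it, which is why cmp can match the
    # recovered bytes against the raw hash output
    openssl pkeyutl -sign -inkey "$1/swdl.key" -in "$1/digest" -out "$1/sig" 2>/dev/null
    dd if="$1/sig" of="$2" bs="$SIG_OFF" seek=1 conv=notrunc 2>/dev/null
}

# verify_iso ISO PUB : the script's three steps; exit 0 = valid, 7 = signature
# did not recover (the script's -7), 5 = hash mismatch (its -5)
verify_iso() {
    t=$(mktemp -d)
    dd if="$1" of="$t/a" ibs=64 count=1 skip=1 2>/dev/null
    # "openssl rsautl -verify -inkey PUB -in a -pubin -out b", non-deprecated form
    if ! openssl pkeyutl -verifyrecover -pubin -inkey "$2" -in "$t/a" -out "$t/b" 2>/dev/null; then
        rm -rf "$t"; return 7
    fi
    hash_payload "$1" "$t/c"
    if cmp -s "$t/c" "$t/b"; then rm -rf "$t"; return 0; fi
    rm -rf "$t"; return 5
}

# flip_byte FILE OFFSET : replace one byte with its complement (a hex-editor edit)
flip_byte() {
    b=$(od -An -tu1 -j "$2" -N 1 "$1" | tr -d ' ')
    printf "\\$(printf '%03o' $((255 - b)))" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# rc_of CMD... : exit status of CMD as a string, without tripping set -e
rc_of() { if "$@"; then echo 0; else echo $?; fi; }

# run_demo : pristine, payload-edited, signature-damaged and system-area-edited
# copies; returns 0 only if every result matches what the Lua logic predicts
run_demo() {
    d=$(mktemp -d)
    mkkeys "$d"
    make_signed_iso "$d" "$d/swdl.iso"
    cp "$d/swdl.iso" "$d/payload.iso"; flip_byte "$d/payload.iso" 40000
    cp "$d/swdl.iso" "$d/sig.iso";     flip_byte "$d/sig.iso" 70
    cp "$d/swdl.iso" "$d/sysarea.iso"; flip_byte "$d/sysarea.iso" 1000
    ok=$(rc_of verify_iso "$d/swdl.iso" "$d/swdl.pub")
    pl=$(rc_of verify_iso "$d/payload.iso" "$d/swdl.pub")
    sg=$(rc_of verify_iso "$d/sig.iso" "$d/swdl.pub")
    sa=$(rc_of verify_iso "$d/sysarea.iso" "$d/swdl.pub")
    echo "pristine image:              exit $ok (expect 0)"
    echo "byte in payload changed:     exit $pl (expect 5, hash mismatch)"
    echo "byte in signature changed:   exit $sg (expect 7, rsautl fails)"
    echo "byte in system area changed: exit $sa (0: not covered under the hashFile assumption)"
    rm -rf "$d"
    [ "$ok" = 0 ] && [ "$pl" = 5 ] && [ "$sg" = 7 ] && [ "$sa" = 0 ]
}

run_demo
```

    Under these assumptions the check binds every byte from offset 32768 onward to the holder of the private key: a hex-edited payload fails at the cmp step and a damaged signature fails at the RSA step, which is the behaviour the post describes. Bytes in the system area outside the signature are not covered at all, but that last point is only as good as the reading of hashFile's 32768 argument and is worth confirming against the binary before relying on it.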

  15. #30
    Join Date
    Feb 2017
    Location
    glendale az
    Posts
    196
    Post Thanks / Like
    On an unrelated question, you seem super nerdy so I was wondering if I could send you a few PCM flash files to look at. I'm struggling with this new flash file format and trying to find a way to convert them to use in another program I use to flash controllers. I have a stock file and a modified file that work with my programming software, and then the newer type of file that I haven't been able to convert. I've just been switching a few bytes in a hex editor and they used to work, but it's not working with the newer version. I can send this all in PM or email if you don't mind....
