hacker, turmio, ms, wilho

started 2012-03-05 12:33:07
  • Presentation slides from 2012: HappyHackingToyotaTouchAndGo.pdf

  • Hacking Toyota Touch & Go

    New Toyotas can be connected to the Internet via Bluetooth. We wanted to know what is going on under the hood. You can find our raw notes here. These are our raw notes for fellow hackers to continue the work.

    Yes. We found vulnerabilities similar to those Charlie Miller and Chris Valasek found in the famous Jeep #CarHack. You can find their great research here: http://illmatics.com/Remote%20Car%20Hacking.pdf

    Instructions from mytoyota.com

    Free and paid content can be added to your account on the download services section of this portal. To ensure you install the content correctly onto your Toyota Touch & Go follow the steps below:

    1. Create a fingerprint of your Toyota Touch & Go using your USB stick (see guide)
    2. Download and install the Toyota Touch & Go Toolbox on your PC (download page)
    3. Connect the USB stick to your PC and launch your toolbox
    4. Login to your Toyota Touch & Go Toolbox and follow the instructions to download and install your content (see guide)

    There is developer documentation about the QNX platform,

    e.g.

    Firmware

    Firmware http://download.naviextras.com/content/!application/Toyota/OS/EU_Low/2011_12_08/swdl.iso

    /usr/share/swdl.bin looks interesting. Findings from strings (passwd/shadow-style entries, DES crypt(3) hashes):

    root:C9v0PdmoRiQ9.:1303406650
    toyota:QQkI3zYSmefdc
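    The two entries above have the shape of legacy crypt(3) password hashes: 13 characters from the [./0-9A-Za-z] alphabet, the first two being the salt. As an added example (not from the page's authors), here is a small audit script that classifies the hashing scheme of such entries and flags the ones that are no longer acceptable. It treats the third field as a last-change timestamp (an assumption about the QNX shadow format); only the first two fields are used.

```python
import re

# Entries copied from the page's strings output on swdl.bin (user:hash[:timestamp]).
SWDL_ENTRIES = """root:C9v0PdmoRiQ9.:1303406650
toyota:QQkI3zYSmefdc"""

# Traditional DES crypt(3): exactly 13 chars, 2-char salt followed by 11 hash chars.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular-crypt prefixes -> (scheme name, acceptable for new systems)
MODULAR = {
    "$1$": ("md5crypt", False),
    "$2a$": ("bcrypt", True),
    "$2b$": ("bcrypt", True),
    "$2y$": ("bcrypt", True),
    "$5$": ("sha256crypt", True),
    "$6$": ("sha512crypt", True),
}


def classify_hash(field):
    """Name the password hashing scheme of one hash field and say whether it is acceptable."""
    if field in ("", "*", "!", "x"):
        # No usable hash here: account locked or hash stored elsewhere.
        return "locked-or-shadowed", True
    if DES_CRYPT.match(field):
        # 4096 possible salts, only the first 8 password characters count,
        # and the function is fast: unacceptable for anything shipped today.
        return "des-crypt", False
    for prefix, (scheme, ok) in MODULAR.items():
        if field.startswith(prefix):
            return scheme, ok
    return "unknown", False


def audit(text):
    """Classify every user:hash line in text; returns one dict per entry."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue
        user, field = parts[0], parts[1]
        scheme, ok = classify_hash(field)
        salt = field[:2] if scheme == "des-crypt" else None
        findings.append({"user": user, "scheme": scheme, "salt": salt, "acceptable": ok})
    return findings


if __name__ == "__main__":
    for f in audit(SWDL_ENTRIES):
        status = "OK  " if f["acceptable"] else "WEAK"
        print(f"{status} {f['user']:<8} {f['scheme']} salt={f['salt']}")
```

    Run on the two entries above, both come out as des-crypt and are flagged WEAK; on a modern shadow file the same script shows which accounts still carry legacy hashes.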

    $ file usr/share/V850/teb.bin 
    usr/share/V850/teb.bin: 8086 relocatable (Microsoft)

    (V850 is a Renesas/NEC automotive microcontroller family, so teb.bin is most likely firmware for a V850 MCU; the "8086 relocatable" guess from file is a false match on the magic bytes.)

    usr/share/scripts/install.sh

    QNX CAR Application Platform http://www.qnx.com/products/qnxcar/

    Open services on QNX machine

    /Nmap-run

    23 telnet

    $ telnet 172.20.10.6
    Trying 172.20.10.6...
    Connected to 172.20.10.6.
    Escape character is '^]'.
    
    
    QNX Neutrino (localhost) (ttyp0)
    
    login: 

    Accounts are now publicly known. Harman was kind enough to share the account information with everybody on their scrum wiki.

    login: root
    password: Mc!AsR3

    851 Logdump?

    $ nc 192.168.2.6 851  
    åGåLåLMar 18 14:56:00.050        5 00008 300 io-winmgr: starting up...
    Mar 18 14:56:00.177        5 10000 00 Service com.harman.service.ToyotaMGR just appeared at time 7.200323 seconds
    Mar 18 14:56:00.276        5 00008 300 io-winmgr: attached to iow-keyboard
    Mar 18 14:56:00.335        5 10000 00 pid 340019: Binary persistence for 'TM' is empty.
    Mar 18 14:56:00.500        5 00008 300 io-winmgr: no mouse
    Mar 18 14:56:00.507        5 00008 300 io-winmgr: attached to iow-touch
    Mar 18 14:56:00.697        5 00008 300 io-winmgr: no control
    Mar 18 14:56:00.840        5 10000 00 pid 458795: Binary persistence for 'HMI' is empty.

    /Port-851-dump

    /InsertingUSBKeyboard

    /FromLogUSBStickWithFancyFiles

    /LogAfterBoot

    2021

    $ nc 172.20.10.6 2021
    <GCF  000163 TS_10_0001081726>CTRL INFO IOFSMediaBT MSG='iofsmediabt_devctl(1617) DCMD_MEDIA_PLAYBACK_STATUS playstate: 2, speed: 0, playstate_flags: 0, trk_curr: 0, trk_total: 27, skipped: 2';
    <GCF  000163 TS_10_0001082328>CTRL INFO IOFSMediaBT MSG='iofsmediabt_devctl(1617) DCMD_MEDIA_PLAYBACK_STATUS playstate: 2, speed: 0, playstate_flags: 0, trk_curr: 0, trk_total: 27, skipped: 2';
    <GCF  000082 TS_10_0001082381>CALL Bluephone:507 BSS_HFP_Write handle=1 codec=CODEC_HEX data='41542B434C43430D';
    <GCF  000055 TS_10_0001082382>CTRL INFO BSSService MSG='received event ET_DATA_SENT';
    <GCF  000056 TS_10_0001082383>RESP Bluephone:507 BSS_HFP_Write error=WRITE_ERROR_NONE;
    <GCF  000059 TS_10_0001082417>CTRL INFO BSSService MSG='received event ET_DATA_RECEIVED';

    /Port-2021-example
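    The port 2021 stream uses a regular framing: a header <GCF nnnnnn TS_c_tttttttttt> followed by a payload that starts with a kind word (CTRL, CALL, RESP) and ends with a semicolon. As an added example (not the page's own code), here is a parser for those lines. On every line of the capture the six-digit field equals the byte length of the payload after the closing >, so the parser treats it as a length and verifies it; TS_10_ is assumed to be a clock id plus tick counter. The parser also decodes CODEC_HEX payloads, which turns the data of the BSS_HFP_Write call into the Bluetooth hands-free AT command it carries.

```python
import re

# Lines copied from the port 2021 capture on this page.
SAMPLE = """<GCF  000163 TS_10_0001081726>CTRL INFO IOFSMediaBT MSG='iofsmediabt_devctl(1617) DCMD_MEDIA_PLAYBACK_STATUS playstate: 2, speed: 0, playstate_flags: 0, trk_curr: 0, trk_total: 27, skipped: 2';
<GCF  000082 TS_10_0001082381>CALL Bluephone:507 BSS_HFP_Write handle=1 codec=CODEC_HEX data='41542B434C43430D';
<GCF  000055 TS_10_0001082382>CTRL INFO BSSService MSG='received event ET_DATA_SENT';
<GCF  000056 TS_10_0001082383>RESP Bluephone:507 BSS_HFP_Write error=WRITE_ERROR_NONE;
<GCF  000059 TS_10_0001082417>CTRL INFO BSSService MSG='received event ET_DATA_RECEIVED';"""

# Header: length (6 digits), clock id and tick counter (assumed meaning), then payload.
HEADER = re.compile(r"^<GCF\s+(?P<length>\d{6})\s+TS_(?P<clock>\d+)_(?P<ticks>\d+)>(?P<payload>.*)$")
# key=value pairs; values are either single-quoted or a bare token up to space/semicolon.
KV = re.compile(r"(\w+)=(?:'([^']*)'|([^\s;]+))")


def parse_gcf_line(line):
    """Parse one GCF frame into a dict; raises ValueError if the header is missing."""
    m = HEADER.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not a GCF frame: {line!r}")
    payload = m.group("payload")
    rec = {
        # Declared length must match the payload size in bytes (frame integrity check).
        "length_ok": int(m.group("length")) == len(payload.encode("ascii")),
        "clock": int(m.group("clock")),
        "ticks": int(m.group("ticks")),
        "fields": {},
    }
    # Everything before the first key=value pair is positional: kind, then free words
    # such as "INFO IOFSMediaBT" or "Bluephone:507 BSS_HFP_Write".
    first_kv = KV.search(payload)
    head = payload[: first_kv.start()] if first_kv else payload.rstrip(";")
    words = head.split()
    rec["kind"] = words[0] if words else None
    rec["words"] = words[1:]
    # Note: a key=value inside a quoted MSG would also be picked up; fine for this capture.
    for key, quoted, bare in KV.findall(payload):
        rec["fields"][key] = quoted or bare
    f = rec["fields"]
    if f.get("codec") == "CODEC_HEX" and "data" in f:
        rec["decoded"] = bytes.fromhex(f["data"]).decode("ascii", errors="replace")
    return rec


def parse_capture(text):
    """Parse a whole capture, skipping blank lines."""
    return [parse_gcf_line(line) for line in text.splitlines() if line.strip()]


def hfp_at_commands(records):
    """AT commands written to the hands-free profile link, in capture order."""
    return [
        r["decoded"].rstrip("\r")
        for r in records
        if r["kind"] == "CALL" and r.get("decoded", "").startswith("AT")
    ]


if __name__ == "__main__":
    recs = parse_capture(SAMPLE)
    for r in recs:
        print(r["ticks"], r["kind"], "len_ok" if r["length_ok"] else "LEN_MISMATCH", r.get("decoded", ""))
    print("AT commands seen:", hfp_at_commands(recs))
```

    The hex string 41542B434C43430D decodes to AT+CLCC followed by a carriage return, i.e. the head unit asking the phone to list current calls; the same parser run over a longer capture gives a timeline of what the unit sends to the paired phone, which is the kind of record an investigator wants when reviewing what a head unit did on its own.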

    6020

    $ nc 192.168.2.6 6020
    :CTRL CNFG GCFROUTER MODE=STANDARD;

    It might be a serial port to the GPS navigation device, see http://www.digital-eliteboard.com/showthread.php?88164-Supportthread_1-Becker-Z099-Z1XX-Z2XX-Z302/page52&p=953416&viewfull=1#post953416

    6667

    If I connect to this port with telnet, it says: ERROR "Unknown command"

    e.g:

    $ telnet 192.168.2.4 6667
    Trying 192.168.2.4...
    Connected to 192.168.2.4.
    Escape character is '^]'.
    foo
    ERROR "Unknown command"

    With nc there is nothing.

    Clues

    unix:path=/tmp/dbus-MNzOp3X3nV,guid=e21d288fe52bc59a6d8e19c04bbccfd0;tcp:host=localhost,port=6667,family=ipv4,guid=1b1a12b5fa8e657b3fd2d05b4bbccfd0
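    That string is a D-Bus address listing two transports for the same bus: a local unix socket and a tcp listener on port 6667, the port the nmap run found open. As an added example (not the page's own code), here is a parser for D-Bus address strings following the spec's transport:key=value,... syntax with %XX escapes, plus a check that reports every transport reachable over IP. Whether such a listener is reachable from outside depends on what the daemon actually binds to; the notes above record that on this unit it was, and without any authentication.

```python
# Address string copied from the page's "Clues" section, joined into one line.
SESSION_ADDRESS = (
    "unix:path=/tmp/dbus-MNzOp3X3nV,guid=e21d288fe52bc59a6d8e19c04bbccfd0;"
    "tcp:host=localhost,port=6667,family=ipv4,guid=1b1a12b5fa8e657b3fd2d05b4bbccfd0"
)

# Transports that carry the bus over IP instead of a local socket.
NETWORK_TRANSPORTS = {"tcp", "nonce-tcp"}


def unescape(value):
    """Undo D-Bus address %XX escaping (bytes outside [A-Za-z0-9_/.\\-] are escaped)."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "%":
            out += bytes.fromhex(value[i + 1:i + 3])  # ValueError on a malformed escape
            i += 3
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")


def parse_dbus_address(addr):
    """Split a D-Bus address into a list of (transport, {key: value}) entries."""
    entries = []
    for part in addr.split(";"):
        if not part:
            continue  # trailing ';' is allowed by the spec
        transport, sep, rest = part.partition(":")
        if not sep or not transport:
            raise ValueError(f"missing transport in {part!r}")
        params = {}
        for kv in filter(None, rest.split(",")):
            key, sep, value = kv.partition("=")
            if not sep or not key:
                raise ValueError(f"malformed parameter {kv!r}")
            params[key] = unescape(value)
        entries.append((transport, params))
    return entries


def network_listeners(addr):
    """Entries that expose the bus over IP; on an embedded unit this list should be empty."""
    return [(t, p) for t, p in parse_dbus_address(addr) if t in NETWORK_TRANSPORTS]


if __name__ == "__main__":
    for transport, params in parse_dbus_address(SESSION_ADDRESS):
        exposed = "NETWORK" if transport in NETWORK_TRANSPORTS else "local"
        print(f"{exposed:8} {transport} {params}")
```

    The same parser works on the DBUS_SESSION_BUS_ADDRESS / DBUS_SYSTEM_BUS_ADDRESS values of any host; any tcp or nonce-tcp entry is something to justify explicitly, since whatever reaches that port talks to the bus with whatever authentication the daemon enforces, which here was none.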

    http://community.qnx.com/sf/discussion/do/listPosts/projects.ide/discussion.ide.topc13034

    The bug reporter was Glenn Schmottlach.

    He has done this before: "D-Bus Platform Support - Ported and adapted D-Bus to QNX where it serves as the primary application IPC mechanism for mid-tier head unit designs. Includes developing an alternative JSON based messaging protocol on top of D-Bus." http://www.linkedin.com/pub/glenn-schmottlach/4/396/a5

    http://dbus.freedesktop.org/doc/dbus-specification.html#transports-exec

    D-bus tests

    DBus-trips

    /VulncoordReport

    Updated 2014-12: So, it really was D-Bus without any kind of authentication. You can get the car's coordinates, play any Flash content from the Internet on the screen, etc. You really want to keep your car disconnected from the Internet. We reported this to Toyota (2013-02) and they kindly answered (2013-05).

    51500

    After I send anything to the socket, the connection closes.

    Bluetooth

    Key validation

    # cat apps-eu.pub 
    -----BEGIN PUBLIC KEY-----
    MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALj9KV9l/wdmD5s9ZUrTWUpK6Gj8OxFj
    d7ErOfvz+63s8kI9WPvU3IFhtHQZKdn8arY6D2v9LzOV+k2v/t827FMCAwEAAQ==
    -----END PUBLIC KEY-----
    
    % openssl rsa -pubin -in ./fuu.pub  -text
    Modulus (512 bit):
        00:b8:fd:29:5f:65:ff:07:66:0f:9b:3d:65:4a:d3:
        59:4a:4a:e8:68:fc:3b:11:63:77:b1:2b:39:fb:f3:
        fb:ad:ec:f2:42:3d:58:fb:d4:dc:81:61:b4:74:19:
        29:d9:fc:6a:b6:3a:0f:6b:fd:2f:33:95:fa:4d:af:
        fe:df:36:ec:53
    Exponent: 65537 (0x10001)
    writing RSA key
    -----BEGIN PUBLIC KEY-----
    MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALj9KV9l/wdmD5s9ZUrTWUpK6Gj8OxFj
    d7ErOfvz+63s8kI9WPvU3IFhtHQZKdn8arY6D2v9LzOV+k2v/t827FMCAwEAAQ==
    -----END PUBLIC KEY-----
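    The openssl output above shows the content-signing key is a 512-bit RSA key, far below current minimums. As an added example (not the page's own code), here is a dependency-free check that parses the PEM SubjectPublicKeyInfo with a minimal DER reader, extracts modulus and exponent, and applies a key-size policy; the 2048-bit minimum is the example's own policy choice, and the DER layout followed is the standard rsaEncryption SubjectPublicKeyInfo (SEQUENCE, AlgorithmIdentifier, BIT STRING wrapping an RSAPublicKey SEQUENCE of two INTEGERs).

```python
import base64

# Public key copied from the page (apps-eu.pub).
APPS_EU_PUB = """-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALj9KV9l/wdmD5s9ZUrTWUpK6Gj8OxFj
d7ErOfvz+63s8kI9WPvU3IFhtHQZKdn8arY6D2v9LzOV+k2v/t827FMCAwEAAQ==
-----END PUBLIC KEY-----"""

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    body = "".join(l.strip() for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(buf, pos):
    """Read one DER element at pos; returns (tag, value_bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der):
    """Return (modulus n, public exponent e) from a SubjectPublicKeyInfo."""
    tag, spki, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    alg_tag, alg_id, pos = read_tlv(spki, 0)
    oid_tag, oid, _ = read_tlv(alg_id, 0)
    if alg_tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    bits_tag, bits, _ = read_tlv(spki, pos)
    if bits_tag != 0x03 or bits[0] != 0:
        raise ValueError("bad subjectPublicKey BIT STRING")
    seq_tag, rsa_pub, _ = read_tlv(bits, 1)  # skip the unused-bits octet
    n_tag, n_bytes, pos = read_tlv(rsa_pub, 0)
    e_tag, e_bytes, _ = read_tlv(rsa_pub, pos)
    if seq_tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("bad RSAPublicKey structure")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def assess_rsa_public_key(pem, min_bits=2048):
    """Apply a simple key policy; min_bits is this example's own threshold."""
    n, e = parse_rsa_spki(pem_to_der(pem))
    problems = []
    if n.bit_length() < min_bits:
        problems.append(f"modulus is {n.bit_length()} bits, below the {min_bits}-bit minimum")
    if e < 3 or e % 2 == 0:
        problems.append("public exponent must be an odd integer >= 3")
    return {"bits": n.bit_length(), "exponent": e, "acceptable": not problems, "problems": problems}


if __name__ == "__main__":
    result = assess_rsa_public_key(APPS_EU_PUB)
    print(result)
```

    For the key above this reports 512 bits, exponent 65537 and one problem, matching the "Modulus (512 bit)" line openssl printed. A key this size has been factorable with modest resources for many years, so a signature check built on it gives little assurance about what content gets loaded onto the unit.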

    Links

    firmware update

    http://download.naviextras.com/content/!application/Toyota/OS/EU_Low/2011_12_08/swdl.iso

    http://www.vleeuwen.net/

    http://www.itviikko.fi/uutiset/2012/03/06/fordin-vastaus-ongelmiin-muistitikku/201224651/7

    http://www.harman.com/EN-US/Newscenter/Pages/HARMANdeliversTouchGoupgradeablemultimediasystemforToyotaEuropeanvehicles.aspx#.T6BCtI4beHk

    Description: Hacking the head unit of a Toyota Avensis (a Toyota model sold in Europe)


    CategoryProjekti