Security on Remote Features

Hello Everyone,

Hope you all had great holidays, thank you for all your help with the fundraising. This will help us a lot in keeping up the effort on reverse engineering and adding features to OVMS.

Thanks to this bounty, we now have a log of a Thai car using the remote features. However with this new data we now hit upon 2 new snags:

  1. Our Gateway ECU works differently to Thai cars
  2. There is some sort of security key needed for the remote feature to activate

I have made a video to explain this:

The link to the data for the logged CAN messages is here (Remote Features Tab):

Here is a collection of all challenges and responses from the spreadsheet (sorted by decimal challenge value):

| Challenge (hex) | Response (hex) | Challenge (dec) | Response (dec) |
|---|---|---|---|
| CEF109C0BFFA | DAC939693B0B | 4219671730510 | 164027486803018 |
| D0967CDB6612 | 22A4AAC95394 | 26849390199751 | 88035791246618 |
| AA1CE3E8C6FF | 94CAA1E2878F | 44449018779012 | 81317707085235 |
| 7D9AC6F41760 | 8740F15F6387 | 131130818935432 | 190394211221028 |
| D46A4C2E3EB6 | 51D808EE080E | 131874281711439 | 110323425770646 |
| 822968A5AB91 | 6E5DBD37DFC2 | 138103716321120 | 148712997217159 |
| B63D76BDF3B3 | 2C83691C10F1 | 143114360957841 | 121348885569474 |
| 774345E1BA88 | AD299B53BE24 | 143254946303086 | 62346151546653 |
| 03D67808D94E | 952EA015944A | 187041059489535 | 163598020282255 |
| 824A242FCC6E | 38B418374F1D | 200375101420467 | 48942915784945 |
| 186B5C5D83C7 | 50116E10951A | 225782748161661 | 89489095245281 |
| CD592480267D | 5163CDBBBDE1 | 227534646067194 | 240557786479371 |
| E53FA79524E6 | 0453579C88C3 | 229344758425106 | 38090635301780 |
| 77F05FB7674F | 6456AC9A7C96 | 233553009721014 | 89988304603150 |
| E67F8BCD650A | 890F883D9426 | 250737958186885 | 279095340369303 |
| E40B7AEDEF85 | FDD5F29F0597 | 252061557269734 | 4755998673091 |
| 286D17F99584 | 49F5410B75B3 | 253435480728842 | 150699803251750 |

My first guess is that they don’t apply true public-key encryption, but rather use either some sort of symmetric-key style encryption or simply just hash the challenge with a semi-fixed salt (either the same for all cars, or the VIN?) and only send over the first 48 bits of the resulting hash.

A great resource to play around with encryption is https://gchq.github.io/CyberChef/
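As an added example (not from this thread), a script that tests two of the weak constructions guessed above against the recorded pairs: a single fixed 48-bit XOR key, and a hash of the challenge with a fixed salt truncated to 48 bits. The salts tried are constructed placeholders, not a real VIN; a scheme that passed such a check would rest entirely on the secrecy of that salt.

```python
import hashlib

# Challenge/response pairs copied from the hex columns of the table above.
PAIRS_HEX = [
    ("CEF109C0BFFA", "DAC939693B0B"), ("D0967CDB6612", "22A4AAC95394"),
    ("AA1CE3E8C6FF", "94CAA1E2878F"), ("7D9AC6F41760", "8740F15F6387"),
    ("D46A4C2E3EB6", "51D808EE080E"), ("822968A5AB91", "6E5DBD37DFC2"),
    ("B63D76BDF3B3", "2C83691C10F1"), ("774345E1BA88", "AD299B53BE24"),
    ("03D67808D94E", "952EA015944A"), ("824A242FCC6E", "38B418374F1D"),
    ("186B5C5D83C7", "50116E10951A"), ("CD592480267D", "5163CDBBBDE1"),
    ("E53FA79524E6", "0453579C88C3"), ("77F05FB7674F", "6456AC9A7C96"),
    ("E67F8BCD650A", "890F883D9426"), ("E40B7AEDEF85", "FDD5F29F0597"),
    ("286D17F99584", "49F5410B75B3"),
]
PAIRS = [(bytes.fromhex(c), bytes.fromhex(r)) for c, r in PAIRS_HEX]

def constant_xor_key(pairs):
    """Return the 48-bit key K if every response == challenge XOR K, else None."""
    keys = {bytes(a ^ b for a, b in zip(c, r)) for c, r in pairs}
    return keys.pop() if len(keys) == 1 else None

def truncated_hash(msg, algo):
    """First 48 bits (6 bytes) of hash(msg): the construction guessed above."""
    return hashlib.new(algo, msg).digest()[:6]

def truncated_hash_matches(pairs, salts, algos=("sha1", "sha256")):
    """Return every (algo, salt, order) whose truncated hash reproduces ALL responses."""
    hits = []
    for algo in algos:
        for salt in salts:
            for order in ("challenge+salt", "salt+challenge"):
                msg_for = lambda c: c + salt if order == "challenge+salt" else salt + c
                if all(truncated_hash(msg_for(c), algo) == r for c, r in pairs):
                    hits.append((algo, salt, order))
    return hits

if __name__ == "__main__":
    print("constant XOR key:", constant_xor_key(PAIRS))
    # Salts are constructed placeholders (empty salt and a dummy VIN), not real values.
    print("truncated-hash hits:", truncated_hash_matches(PAIRS, [b"", b"PLACEHOLDER_VIN"]))
```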

Hi,
Do we have CaptDIY's VIN number?

Not yet, do you want me to ask for it?

Does the spreadsheet contain CaptDIY's challenges? If yes, then maybe the VIN will help crack the challenge, as it is unique.

Hey Mike, yes, if you could ask him that would be really helpful as a start :slight_smile:

I have half seriously thought that one of these devices, adapted a bit, could be controlled by the OVMS unit to turn on the car so that it will pre-condition itself:
https://www.amazon.co.uk/SwitchBot-Smart-Switch-Button-Pusher/dp/B07B4D9KVX

A more sophisticated approach would be to pull the on/off button out of the dash and wire on a miniature relay at the back so that you can effectively press the button through electronic control.

Someone posted the radio software update on the MG EV owners club on Facebook.
I had a look through and can see some files related to openssl and various software that runs on the head unit, though I'm not sure if this has the necessary interface for CAN modules.

Still may be worth a look for someone who knows a bit more about these things?

This is the link they provided, I’ve downloaded the files myself and scanned and all appears fine. But as I am not responsible for the upload, download at your own risk:
https://drive.google.com/u/0/open?id=1CjH7OkP2hGsH3FfJpZ8RAZDMfgybQr4z


When you extract the svp.bin file and go into /etc you will find file-explorer.conf which shows something promising; it seems a mapping of extensions to different file categories. For example, it maps .bmp, .jpg, .png, and .jpeg to “Image”. But, it also maps .gz, .tar.gz, and .tar to “APK”. I wonder if this means it can run Android applications if only you feed them packed with one of those compression algorithms.

```xml
<? xml version="1.0" encoding="utf-8"?>
<Document>
    <postfix value="*.txt#"/>
    <limit value="1000"/>
</Document>
<Image>
    <postfix value="*.bmp# || *.jpg# || *.png# || *.jpeg#"/>
    <limit value="5000"/>
</Image>
<Music>
    <postfix value="*.mp3# || *.wma# || *.aac# || *.ogg# || *.wav# || *.mp1# || *.mp2# || *.m4a# || *.ape# || *.flac#"/>
    <limit value="5000"/>
</Music>
<Video>
    <postfix value="*.mkv# || *.mov# || *.mp4# || *.avi# || *.wmv# || *.asf# || *.flv# || *.mpg# || *.vob# || *.3gp# || *.mpeg# || *.m4v#"/>
    <limit value="2000"/>
</Video>
<CMMB>
    <postfix value="*.mfs#"/>
    <limit value="100"/>
</CMMB>
<APK>
    <postfix value="*.gz# || *.tar.gz# || *.tar#"/>
    <limit value="200"/>
</APK>
<Common>
    <id3 value="no"/>
    <level value="32"/>
    <ingore value="no-media.flag"/>
    <navi value="MXNavi"/>
    <explore value="no-navicard"/>
</Common>
```

The hardkey.conf file shows the mapping between physical keys and actions that can be performed by the media system. The IDs are 4-digit hexadecimals, so I wonder if those map to any value that can be sent through CAN commands? The most promising mapping seems to be this one for diagnostics:

```
KEY_IDX = 25 VKEY_ID = 0x03E1 //VKEY_DIAGNOSTIC
KEY_IDX = 27 VKEY_ID = 0x03E0 //VKEY_DIAGNOSTIC
```

Also, there is a set of private and public RSA keys in the /etc/androidauto folder, but those might just be for Android Auto to allow connections from your phone.

Finally, hostapd.conf contains some WLAN settings that I’ll try soon. It might be broadcasting using a hidden SSID? If so, it should be called gan5G55 and use 123456789 as its passphrase.

```
interface=wlan0
driver=nl80211
ctrl_interface=/var/run/hostapd
ssid=gan5G55
channel=149
ieee80211n=1
hw_mode=a
ignore_broadcast_ssid=0
wowlan_triggers=any
wpa=3
wpa_passphrase=123456789
wpa_key_mgmt=WPA-PSK
rsn_pairwise=TKIP CCMP
wpa_pairwise=TKIP CCMP
```

Btw, can anyone with an iPhone try the SAICLink app that is available from the App Store? There seem to be a ton of references to this app in the code, so it might just work as soon as you have your phone connected (via cable, Bluetooth or maybe even WiFi using the credentials above) and do something?

More insights on this later; maybe spin off this deep dive into the entertainment system module source code into a separate topic?
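As an added example, not from the thread or the head-unit firmware, a small audit of the hostapd.conf above: it parses the key=value lines, answers the hidden-SSID question from ignore_broadcast_ssid, and flags the WPA1/TKIP and passphrase settings a reviewer would want changed. The config text embedded below is a constructed copy of the lines quoted earlier in this post.

```python
# Constructed copy of the hostapd.conf quoted above, used as sample input.
HOSTAPD_CONF = """\
interface=wlan0
driver=nl80211
ctrl_interface=/var/run/hostapd
ssid=gan5G55
channel=149
ieee80211n=1
hw_mode=a
ignore_broadcast_ssid=0
wowlan_triggers=any
wpa=3
wpa_passphrase=123456789
wpa_key_mgmt=WPA-PSK
rsn_pairwise=TKIP CCMP
wpa_pairwise=TKIP CCMP
"""

def parse_hostapd(text):
    """Parse hostapd's key=value lines into a dict, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def hidden_ssid(conf):
    """True only if hostapd is told not to broadcast the SSID (ignore_broadcast_ssid=1 or 2)."""
    return conf.get("ignore_broadcast_ssid", "0") != "0"

def audit_hostapd(conf):
    """List weak settings; an empty list means the checked settings look sound."""
    findings = []
    if conf.get("wpa", "0") in ("1", "3"):  # wpa is a bitmask: 1=WPA1, 2=WPA2, 3=both
        findings.append("wpa=%s enables WPA1; set wpa=2" % conf["wpa"])
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append("%s permits TKIP; set it to CCMP only" % key)
    pw = conf.get("wpa_passphrase", "")
    if pw and (len(pw) < 12 or pw.isdigit()):
        findings.append("wpa_passphrase is short or all digits; use a long random passphrase")
    return findings

if __name__ == "__main__":
    conf = parse_hostapd(HOSTAPD_CONF)
    print("hidden SSID:", hidden_ssid(conf), "| findings:", audit_hostapd(conf))
```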

Can you add a link to that topic on Facebook? The code seems to contain a unique ID in /etc/svp.androidauto.conf for their car.

If the files in the update.zip file are pushed to the entertainment system, /etc/shadow indicates that no password is required for the root user, if anyone is able to get console access at some point.

Hi Sjoerd,

Sure, the facebook post is at:

Comments suggest it is not the UK/EU version, but the screenshots in the manual from the links do show a UK/EU radio, as the Thai and other region units have a different UI.

The guide also describes how to enter engineering mode which allows you to see a screen like the below (this is from my car).
I couldn't see it broadcasting anything, on the SSID above or when looking through hidden networks; nothing with an adequately high signal while sitting in the car.

Great! The documentation also shows how to get into Engineering mode (but it might only work if you insert a USB key with the software, not sure).

  1. Press Setup on the Home screen.
  2. Open the System menu.
  3. Press all four corners within the main area in this order (clockwise):
    1. Top left
    2. Top right
    3. Bottom right
    4. Bottom left
  4. Wait for a few seconds.

Yes, that works on my head unit and I’m able to get version info etc.
Couldn’t seem to get any WiFi networks showing still though (even hidden networks using scanner).

There’s a file: /etc/config_sll_5t_a7da_a7da_linux.xml which appears to have various config options of interest but I’m not really sure how it’s used.

It has "CMD_SERVER" set as /dev/ttyUSB0; perhaps there's a way to get serial access?
It also has some WiFi related config, though I'm not sure how this interacts with the overall setup:

```xml
<SessionWiFiConfig>
  <WiFiMode>No</WiFiMode>
  <WiFiApSource>User</WiFiApSource>
  <WiFiAPs>
    <ApListLength>0</ApListLength>
  </WiFiAPs>
</SessionWiFiConfig>
```

I think that the head unit is searching for the AP gan5G55.
But it won't help because we don't have internet apps on the head unit.
It reminds me of the Fluence ZE head unit (searching for a fixed AP).
Maybe if we make a router with the SSID gan5G55 and the head unit connects, we could see files on the head unit and maybe change something.

The hostapd config suggests that the head unit itself is responsible for the "gan5G55" network, but I'm unsure if the head unit even has WiFi in it, though it's certainly possible; we know it doesn't have the same hardware as the Thai unit, which has 3/4G, but there may still be some connectivity.

I’m still looking to see if there’s any other way I might be able to get on it. Serial might be an option if it supports usb tty devices then maybe one could be plugged in and used, but that might be wishful thinking!

I also saw that channel 149 is listed, which means 5 GHz WiFi and not 2.4 GHz.

Looking at the service files for getty, it looks as if maybe it starts a root session on the terminal interface. If anyone had a USB to serial to try it might be worth a go?

```ini
[Service]
Environment="TERM=xterm"
ExecStart=-/sbin/agetty --autologin root -8 --keep-baud %I 115200 $TERM
Type=idle
Restart=always
RestartSec=0
UtmpIdentifier=%I
TTYPath=/dev/%I
TTYReset=yes
TTYVHangup=yes
KillMode=process
IgnoreSIGPIPE=no
SendSIGHUP=yes
```

Created a new thread so head unit software/interface can be discussed separately as I think there’s a lot more to this element of the car:
https://discourse.mymgzsev.com/t/radio-head-unit-software-interface/357/2