hacker:: [[turmio]]
hacker:: ms
hacker:: [[wilho]]
started:: 2012-03-05 12:33:07

 * Presentation slides from 2012: [[attachment:HappyHackingToyotaTouchAndGo.pdf]]

= Hacking Toyota Touch & Go =

New Toyotas can be connected to the Internet via Bluetooth. We wanted to know what is going on under the hood. These are our raw notes, published here for fellow hackers to continue the work.

Yes: we found vulnerabilities similar to the ones Charlie Miller and Chris Valasek found in the famous Jeep #!CarHack. You can find their great research here: http://illmatics.com/Remote%20Car%20Hacking.pdf

= Instructions from mytoyota.com =

Free and paid content can be added to your account on the download services section of this portal. To ensure you install the content correctly onto your Toyota Touch & Go, follow the steps below:

 1. Create a fingerprint of your Toyota Touch & Go using your USB stick (see guide)
 1. Download and install the Toyota Touch & Go Toolbox on your PC (download page)
 1. Connect the USB stick to your PC and launch your toolbox
 1. Login to your Toyota Touch & Go Toolbox and follow the instructions to download and install your content (see guide)

= There is devel documentation about the QNX platform =

e.g.
 * http://www.qnx.com/developers/docs/6.4.1/composition_manager/dev_guide/configuring.html
 * http://www.qnx.com/developers/docs/index.html
 * http://support7.qnx.com/download/download/20982/590.39_65_Quickstart_Guide_P6.pdf
 * http://community.qnx.com/sf/sfmain/do/home
 * [[http://haxor.fi/2012/10/how-the-firmware-updates-work-on-toyota-touch-go/]]
 * UI: http://www.aicas.com/jamaicacar.html
 * Discussion forum about T&G: [[http://www.vleeuwen.net/forum/viewforum.php?f=3&sid=e1ac5c9c49fddcb5d1ed76f9ac395900]]
 * Jeep: http://illmatics.com/Remote%20Car%20Hacking.pdf

= Firmware =

Firmware image: [[http://download.naviextras.com/content/!application/Toyota/OS/EU_Low/2011_12_08/swdl.iso]]

/usr/share/swdl.bin looks interesting.

Strings findings:
{{{
root:C9v0PdmoRiQ9.:1303406650
toyota:QQkI3zYSmefdc
}}}
Both password fields are 13 characters from the crypt(3) alphabet, i.e. traditional DES crypt hashes, which can be brute-forced on commodity hardware. The trailing 1303406650 is a Unix epoch timestamp (April 2011), as in a shadow-style last-changed field.

{{{
$ file usr/share/V850/teb.bin
usr/share/V850/teb.bin: 8086 relocatable (Microsoft)
}}}
Treat that file(1) verdict as a magic-byte false positive: V850 is a Renesas (formerly NEC) automotive microcontroller family, so teb.bin is more likely firmware for a V850 in the unit than a DOS object file.

{{{
usr/share/scripts/install.sh
}}}

QNX CAR Application Platform: http://www.qnx.com/products/qnxcar/

= Open services on QNX machine =

As identified by nmap (the service guesses are nmap's, not ours):
 * 23/tcp open telnet Openwall GNU/*/Linux telnetd
 * 851/tcp open unknown
 * 2021/tcp open servexec?
 * 6020/tcp open unknown
 * 6667/tcp open irc?
 * 51500/tcp open ????

Full scan output: [[/Nmap-run]]

== 23 telnet ==
{{{
$ telnet 172.20.10.6
Trying 172.20.10.6...
Connected to 172.20.10.6.
Escape character is '^]'.

QNX Neutrino (localhost) (ttyp0)

login:
}}}
Accounts are now publicly known. Harman were kind enough to share the account information with everybody on their Scrum wiki.
{{{
login: root
password: Mc!AsR3
}}}

== 851 Logdump? ==
{{{
$ nc 192.168.2.6 851
åGåLåLMar 18 14:56:00.050 5 00008 300 io-winmgr: starting up...
Mar 18 14:56:00.177 5 10000 00 Service com.harman.service.ToyotaMGR just appeared at time 7.200323 seconds
Mar 18 14:56:00.276 5 00008 300 io-winmgr: attached to iow-keyboard
Mar 18 14:56:00.335 5 10000 00 pid 340019: Binary persistence for 'TM' is empty.
Mar 18 14:56:00.500 5 00008 300 io-winmgr: no mouse
Mar 18 14:56:00.507 5 00008 300 io-winmgr: attached to iow-touch
Mar 18 14:56:00.697 5 00008 300 io-winmgr: no control
Mar 18 14:56:00.840 5 10000 00 pid 458795: Binary persistence for 'HMI' is empty.
}}}
The line layout (time, severity, major, minor, text) is the one QNX sloginfo prints, so the unit appears to stream its system log to anyone who connects to this port. More dumps:
 * [[/Port-851-dump]]
 * [[/InsertingUSBKeyboard]]
 * [[/FromLogUSBStickWithFancyFiles]]
 * [[/LogAfterBoot]]

== 2021 ==
{{{
$ nc 172.20.10.6 2021
CTRL INFO IOFSMediaBT MSG='iofsmediabt_devctl(1617) DCMD_MEDIA_PLAYBACK_STATUS playstate: 2, speed: 0, playstate_flags: 0, trk_curr: 0, trk_total: 27, skipped: 2';
CTRL INFO IOFSMediaBT MSG='iofsmediabt_devctl(1617) DCMD_MEDIA_PLAYBACK_STATUS playstate: 2, speed: 0, playstate_flags: 0, trk_curr: 0, trk_total: 27, skipped: 2';
CALL Bluephone:507 BSS_HFP_Write handle=1 codec=CODEC_HEX data='41542B434C43430D';
CTRL INFO BSSService MSG='received event ET_DATA_SENT';
RESP Bluephone:507 BSS_HFP_Write error=WRITE_ERROR_NONE;
CTRL INFO BSSService MSG='received event ET_DATA_RECEIVED';
}}}
This is a live trace of the Bluetooth stack: the CODEC_HEX payload 41542B434C43430D is ASCII for AT+CLCC followed by CR, the Hands-Free Profile "list current calls" command the unit sends to the paired phone. Anyone on the network can watch the phone link through this port.

[[/Port-2021-example]]

== 6020 ==
{{{
$ nc 192.168.2.6 6020
:CTRL CNFG GCFROUTER MODE=STANDARD;
}}}
It might be the serial port to the GPS navigation device; compare [[http://www.digital-eliteboard.com/showthread.php?88164-Supportthread_1-Becker-Z099-Z1XX-Z2XX-Z302/page52&p=953416&viewfull=1#post953416]]

== 6667 ==
If I
connect to this port with telnet it will say ''ERROR "Unknown command"'', e.g.:
{{{
$ telnet 192.168.2.4 6667
Trying 192.168.2.4...
Connected to 192.168.2.4.
Escape character is '^]'.
foo
ERROR "Unknown command"
}}}
With nc there is nothing.

=== Clues ===
 * Might be D-Bus related. A bus address string:
{{{
unix:path=/tmp/dbus-MNzOp3X3nV,guid=e21d288fe52bc59a6d8e19c04bbccfd0;tcp:host=localhost,port=6667,family=ipv4,guid=1b1a12b5fa8e657b3fd2d05b4bbccfd0
}}}
 * Both observations fit the D-Bus authentication protocol: the client must speak first (a NUL byte, then an AUTH line), so a passive nc session sees nothing, and the server answers any command it does not recognise with ERROR.
 * http://community.qnx.com/sf/discussion/do/listPosts/projects.ide/discussion.ide.topc13034 (the bug reporter was Glenn Schmottlach). He has done this before: ''D-Bus Platform Support - Ported and adapted D-Bus to QNX where it serves as the primary application IPC mechanism for mid-tier head unit designs. Includes developing an alternative JSON based messaging protocol on top of D-Bus.'' http://www.linkedin.com/pub/glenn-schmottlach/4/396/a5
 * D-Bus transports: http://dbus.freedesktop.org/doc/dbus-specification.html#transports-exec

=== D-Bus tests ===
 * [[DBus-trips]]
 * [[/VulncoordReport]]

'''Updated 2014-12''' So.. it really was D-Bus without any kind of authentication. You can get the car's coordinates, play any Flash from the Internet on the screen, etc. You really want to keep your car disconnected from the Internet. We reported this to Toyota (2013-02) and they kindly answered (2013-05).
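A way to test the conclusion above without a D-Bus library, as an added example (not code from these notes or from Toyota/Harman): it runs the client side of the D-Bus SASL handshake, which is what a real check against tcp/6667 consists of, and reports whether the bus answers AUTH ANONYMOUS with OK. Because the unit is not available here, a constructed in-process stand-in for the bus is included so the code runs offline; it is written to reproduce exactly the two behaviours recorded above (ERROR on an unknown command, silence until the client sends). Only the tcp transport GUID is taken from the page; everything else is an assumption of the example.

```python
"""Probe the D-Bus authentication step of a bus exposed over TCP.

Added example, not code from the original notes. Against a real unit you
would connect a socket to the host and port 6667 and hand it to
probe_dbus_auth(); the fake server below is a constructed stand-in so the
example runs offline."""
import socket
import threading

# GUID of the tcp transport from the bus address quoted on this page.
TCP_BUS_GUID = "1b1a12b5fa8e657b3fd2d05b4bbccfd0"


def _readline(sock, pending=b""):
    """Read one CRLF-terminated auth-protocol line; None on EOF."""
    buf = pending
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            return None
        buf += chunk
    return buf[:-2].decode("ascii", "replace")


def probe_dbus_auth(sock, mechanism="ANONYMOUS"):
    """Client side of the handshake. Returns (accepted, first server reply).

    A bus that answers 'OK <guid>' to AUTH ANONYMOUS admits any client that
    can reach the port, which is what the notes above concluded for 6667."""
    # The client speaks first: a NUL byte, then AUTH. This is why nc shows
    # nothing until something is typed.
    sock.sendall(b"\0AUTH " + mechanism.encode() + b"\r\n")
    reply = _readline(sock)
    if reply is not None and reply.startswith("OK "):
        sock.sendall(b"BEGIN\r\n")  # leave the auth phase; messages follow
        return True, reply
    return False, reply


def send_raw_command(sock, text):
    """Send a bare line without the NUL/AUTH prologue (what typing 'foo' in
    telnet does) and return the server's reply."""
    sock.sendall(text.encode() + b"\r\n")
    return _readline(sock)


def fake_bus_server(conn, allowed=("ANONYMOUS",)):
    """Constructed stand-in for the bus: AUTH with an allowed mechanism gets
    'OK <guid>', other AUTH/CANCEL gets REJECTED plus the mechanism list, and
    anything unknown gets ERROR, as the notes observed. It tolerates a
    missing leading NUL byte; real implementations may not."""
    first = conn.recv(1)
    pending = b"" if first == b"\0" else first
    while True:
        line = _readline(conn, pending)
        pending = b""
        if line is None:
            break
        cmd, _, arg = line.partition(" ")
        if cmd == "AUTH" and arg.split(" ")[0] in allowed:
            conn.sendall(("OK " + TCP_BUS_GUID + "\r\n").encode())
        elif cmd in ("AUTH", "CANCEL"):
            conn.sendall(("REJECTED " + " ".join(allowed) + "\r\n").encode())
        elif cmd == "BEGIN":
            break
        else:
            conn.sendall(b'ERROR "Unknown command"\r\n')
    conn.close()


def _with_fake_bus(client_fn, allowed):
    """Run client_fn against fake_bus_server over a socketpair."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_bus_server, args=(server, allowed))
    t.start()
    try:
        return client_fn(client)
    finally:
        client.close()
        t.join()


def anonymous_access(allowed=("ANONYMOUS",)):
    """(accepted, reply) for AUTH ANONYMOUS against a bus allowing `allowed`."""
    return _with_fake_bus(lambda c: probe_dbus_auth(c, "ANONYMOUS"), allowed)


def unknown_command_reply(text="foo"):
    """Reply to a bare line sent before any AUTH, as in the telnet test."""
    return _with_fake_bus(lambda c: send_raw_command(c, text), ("ANONYMOUS",))


if __name__ == "__main__":
    print(anonymous_access())               # (True, 'OK 1b1a12b5...')
    print(anonymous_access(("EXTERNAL",)))  # (False, 'REJECTED EXTERNAL')
    print(unknown_command_reply())          # ERROR "Unknown command"
```

A bus that is safe to expose answers AUTH ANONYMOUS with REJECTED and lists only mechanisms that bind the peer to an identity (EXTERNAL over a Unix socket, or DBUS_COOKIE_SHA1 with a secret the attacker cannot read); an OK here means every D-Bus method on the unit is reachable by whoever can open the port.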
== 51500 ==
After I say something to the socket, the connection will close.

= Bluetooth =
Services:
 * AVRCP Remote Control
 * Advanced Audio
 * Hands-Free unit
 * Personal Ad-hoc User Service
 * Device Service Class 0x3b0
 * [[/BluetoothServiceDump]]

= Key validation =
{{{
# cat apps-eu.pub
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALj9KV9l/wdmD5s9ZUrTWUpK6Gj8OxFj
d7ErOfvz+63s8kI9WPvU3IFhtHQZKdn8arY6D2v9LzOV+k2v/t827FMCAwEAAQ==
-----END PUBLIC KEY-----
% openssl rsa -pubin -in ./fuu.pub -text
Modulus (512 bit):
    00:b8:fd:29:5f:65:ff:07:66:0f:9b:3d:65:4a:d3:
    59:4a:4a:e8:68:fc:3b:11:63:77:b1:2b:39:fb:f3:
    fb:ad:ec:f2:42:3d:58:fb:d4:dc:81:61:b4:74:19:
    29:d9:fc:6a:b6:3a:0f:6b:fd:2f:33:95:fa:4d:af:
    fe:df:36:ec:53
Exponent: 65537 (0x10001)
writing RSA key
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALj9KV9l/wdmD5s9ZUrTWUpK6Gj8OxFj
d7ErOfvz+63s8kI9WPvU3IFhtHQZKdn8arY6D2v9LzOV+k2v/t827FMCAwEAAQ==
-----END PUBLIC KEY-----
}}}
apps-eu.pub is a 512-bit RSA key. Factoring a 512-bit modulus has been a public exercise since RSA-155 was factored in 1999, so whatever this key is meant to validate can be re-signed by anyone willing to spend some compute on the factorisation.

= Links =
 * [[https://www.jkry.org/ouluhack/Toyota%20Touch%20%26%20Go]]
 * [[http://haxor.fi/2012/10/how-the-firmware-updates-work-on-toyota-touch-go/]]
 * [[http://muistio.tieke.fi/itB9pWrKmR]]
 * [[http://www.toyota.co.uk/cgi-bin/toyota/bv/frame_start.jsp?id=Nav_TouchGo]]
 * Firmware update: [[http://download.naviextras.com/content/!application/Toyota/OS/EU_Low/2011_12_08/swdl.iso]]
 * [[http://www.vleeuwen.net/]]
 * [[http://www.itviikko.fi/uutiset/2012/03/06/fordin-vastaus-ongelmiin-muistitikku/201224651/7]]
 * [[http://www.harman.com/EN-US/Newscenter/Pages/HARMANdeliversTouchGoupgradeablemultimediasystemforToyotaEuropeanvehicles.aspx#.T6BCtI4beHk]]

description:: Hacking Head Unit of Toyota Avensis (Toyota model in Europe)
----
CategoryProjekti
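The trace captured on tcp/2021 (section "2021" above) and the Hands-Free service listed under Bluetooth meet in the BSS_HFP_Write lines: the hex payload is the AT command the unit writes to the phone. The following is an added example, not code from these notes, that parses that trace format and decodes the payloads; the line grammar (verb, source, name, then key=value pairs ending in ";") is inferred from the quoted lines, the sample is those lines, and the small AT command table is the example's own.

```python
"""Decode the diagnostic trace the head unit streams on tcp/2021.

Added example, not code from the original notes. The format is inferred from
the lines captured on the page; the sample below is those lines (one of the
two identical CTRL INFO lines omitted)."""
import re

SAMPLE_TRACE = """\
CTRL INFO IOFSMediaBT MSG='iofsmediabt_devctl(1617) DCMD_MEDIA_PLAYBACK_STATUS playstate: 2, speed: 0, playstate_flags: 0, trk_curr: 0, trk_total: 27, skipped: 2';
CALL Bluephone:507 BSS_HFP_Write handle=1 codec=CODEC_HEX data='41542B434C43430D';
CTRL INFO BSSService MSG='received event ET_DATA_SENT';
RESP Bluephone:507 BSS_HFP_Write error=WRITE_ERROR_NONE;
CTRL INFO BSSService MSG='received event ET_DATA_RECEIVED';
"""

# key=value or key='quoted value'; the quoted form may contain spaces.
_KV = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")

# A few AT commands that appear on a Hands-Free Profile link (3GPP TS 27.007
# syntax as used by HFP). Prefix-matched, so "ATD+358..." counts as dial.
AT_COMMANDS = {
    "AT+CLCC": "list current calls",
    "AT+CIND?": "read indicators (service, call, signal, battery)",
    "AT+CHUP": "hang up",
    "AT+CNUM": "subscriber number",
    "ATD": "dial",
}


def parse_trace_line(line):
    """Split one trace line into verb, source, name and a fields dict.

    CTRL lines read 'CTRL <level> <component> MSG=...'; CALL and RESP lines
    read '<verb> <source>:<id> <function> k=v ...'."""
    line = line.strip().rstrip(";")
    verb, _, rest = line.partition(" ")
    if verb == "CTRL":
        name, _, rest = rest.partition(" ")      # level, e.g. INFO
        source, _, rest = rest.partition(" ")    # component
    else:
        source, _, rest = rest.partition(" ")
        name, _, rest = rest.partition(" ")
    fields = {k: q or v for k, q, v in _KV.findall(rest)}
    return {"verb": verb, "source": source, "name": name, "fields": fields}


def decode_hfp_payload(fields):
    """AT string carried by a CODEC_HEX payload, or None if not hex-coded."""
    if fields.get("codec") != "CODEC_HEX" or "data" not in fields:
        return None
    return bytes.fromhex(fields["data"]).decode("ascii", "replace")


def describe_at(cmd):
    """Short meaning of an AT command (trailing CR/LF ignored)."""
    bare = cmd.rstrip("\r\n")
    for prefix, meaning in AT_COMMANDS.items():
        if bare.startswith(prefix):
            return meaning
    return "unknown AT command"


def hfp_commands(trace):
    """(source, AT string, meaning) for every HFP write found in a trace."""
    found = []
    for line in trace.splitlines():
        if not line.strip():
            continue
        rec = parse_trace_line(line)
        if rec["verb"] == "CALL" and rec["name"] == "BSS_HFP_Write":
            at = decode_hfp_payload(rec["fields"])
            if at is not None:
                found.append((rec["source"], at, describe_at(at)))
    return found


if __name__ == "__main__":
    for source, at, meaning in hfp_commands(SAMPLE_TRACE):
        print(f"{source}: {at!r} -> {meaning}")   # Bluephone:507: 'AT+CLCC\r' -> list current calls
```

Run against a longer capture, hfp_commands() gives a timeline of what the unit asks the phone (call list, indicators, dialled numbers), which is why an unauthenticated trace port on the head unit is a privacy problem and not only a debugging convenience.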
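The key-size check from the "Key validation" section, done without openssl: an added example, not code from these notes, that decodes the apps-eu.pub PEM shown above with a minimal DER reader (SubjectPublicKeyInfo, BIT STRING, RSAPublicKey) and applies the review a practitioner would: modulus size and public exponent. The PEM constant is the one printed on this page; the verdict thresholds are the example's own.

```python
"""Assess an RSA public key from PEM with a minimal DER parser.

Added example, not code from the original notes. The PEM is apps-eu.pub as
printed on this page."""
import base64
import re

APPS_EU_PUB = """\
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALj9KV9l/wdmD5s9ZUrTWUpK6Gj8OxFj
d7ErOfvz+63s8kI9WPvU3IFhtHQZKdn8arY6D2v9LzOV+k2v/t827FMCAwEAAQ==
-----END PUBLIC KEY-----
"""

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der_seq(value):
    """Yield (tag, value) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner


def rsa_public_key(pem):
    """Return (n, e) from a PEM SubjectPublicKeyInfo carrying an RSA key."""
    b64 = re.sub(r"-----[^-]+-----|\s", "", pem)
    der = base64.b64decode(b64)
    tag, spki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    (_, alg), (_, bitstr) = list(_der_seq(spki))
    oid = next(v for t, v in _der_seq(alg) if t == 0x06)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    # BIT STRING body: one unused-bits byte, then the RSAPublicKey SEQUENCE
    _, rsa_key, _ = _tlv(bitstr[1:], 0)
    n, e = [int.from_bytes(v, "big") for t, v in _der_seq(rsa_key) if t == 0x02]
    return n, e


def assess_key(pem):
    """Modulus size, exponent, modulus hex and a verdict.

    512-bit moduli have been factored publicly since RSA-155 (1999); the
    2048-bit floor is the example's own threshold, matching common guidance."""
    n, e = rsa_public_key(pem)
    bits = n.bit_length()
    if bits <= 512:
        verdict = "broken: modulus size factored publicly since 1999"
    elif bits < 2048:
        verdict = "weak: below the 2048-bit floor in current guidance"
    else:
        verdict = "acceptable size"
    return {"bits": bits, "exponent": e, "modulus_hex": f"{n:x}", "verdict": verdict}


if __name__ == "__main__":
    info = assess_key(APPS_EU_PUB)
    print(info["bits"], hex(info["exponent"]), info["verdict"])
    # 512 0x10001 broken: modulus size factored publicly since 1999
```

The modulus hex returned here starts with b8fd295f65ff0766, matching the openssl -text dump above, so the check is reading the same key the unit carries.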