
SSH Access Guide - Supra NBTEvo Headunit

a90.faz

A week ago I posted about having obtained SSH access on the Supra's Headunit. This is a guide explaining how I did it.

There is no "hacking" here, only application of a method that people have been doing on F chassis BMWs and with iDrive 4-6 for a long time. I only applied that method to the Supra and surprisingly, it worked.

Here is how to do it:

WARNINGS:
  • Risk of bricking your headunit is real.
  • The software/downloads used here are shady. Although nothing happened to me, use these at your own risk.
  • You should have basic technical knowledge of the Unix filesystem and the command line to make use of this. DO NOT RUN ANY COMMANDS YOU DON'T KNOW. YOU CAN AND WILL END UP BRICKING YOUR HEADUNIT.
  • Make sure to back up your file system if you intend to muck around in there. If you delete/replace files, there is no "undo".
Requirements:
  1. Windows laptop
  2. OBD-Ethernet ENET cable
  3. (Optional) Ethernet to USB adapter if your laptop does not have an ethernet port
  4. Internet connection on the laptop
  5. Download an SSH client; I will use PuTTY (https://www.putty.org/)
  6. Download the "Feature Installer" software (https://bimmerportal.net/p/FEATURE INSTALLER)
  7. Buy a key to activate SSH (https://www.flashxcode.com/product/feature-installer-code/)
    1. Message the guy on WhatsApp via the button on the website, as the dropdown doesn't contain the ID version of the Supra.
    2. Provide the guy with your headunit software version. It can be found in Navigation > Settings > Position and software version > Software version. Mine is NBTEvo_T
    3. Provide the guy with your VIN number
    4. Make a payment of €25 to the guy's PayPal.
    5. He will send you a 10 digit key in the format XXXXX-XXXXX
Steps:
  1. Hook up the OBD-Ethernet cable to the car and your laptop.
  2. Make sure your laptop is connected to WiFi or mobile data (it needs internet access)
  3. Boot up Feature Installer. If it sees your car, you will see your VIN displayed in the log.
  4. Hit "Identify" and enter your key.
  5. Let it do its thing
  6. Once "Start" is available, hit "Start"
  7. Let it do its thing
  8. Once completed, you will see "...success..." in the log. Congrats, your SSH port is now open to the world. You can close Feature Installer.
  9. Open up PuTTY and enter the following IP and port
    1. IP: 169.254.199.99
    2. Port: 22
    3. Connection type: SSH Telnet
  10. If everything went well, a terminal will open asking the following.
    1. login as: root
    2. password: ts&SK412
      1. Don't worry, the password is the same for all cars
  11. You should be in! Type in the command ls and hit enter to confirm that you can run commands. You should see the names of the folders in the current working directory.
  12. You can hit Ctrl+D to close the connection at any time.
Glossary:
  • IP: 169.254.199.99
  • Port: 22
  • Connection type: SSH Telnet
  • User: root
  • Password: ts&SK412

A couple of notes:
  • Once the port is open, you can use a WiFi OBD ENET adapter like the BM3 one to access the car. Otherwise, you can also use the physical cable if you want to be safe.
  • To close the SSH port, you will need the ISTA software. It will throw an error in ISTA if the port is open.
  • The port should stay open even after turning the car on and off, no need to do the Feature Install steps again.
    • Is this a security risk? Yes if you attend Defcon with the Supra, most likely not otherwise.

You now have SSH access to the headunit. I will be combing through the file system and trying to find things that we can change in here. My original goal was to change the default black Supra icons to match my build. The car is currently at the shop (getting Adro parts installed haha), so it might take a bit before I can, though. I will also be posting a filesystem dump if I'm able to download all the files.

Otherwise, this is uncharted territory for the Supra. Let me know if you have any questions. Would love to see where this goes. Have fun exploring!

Daemon

> Yes, if you attend Defcon with the Supra
I feel attacked. Good to know it operates over WiFi with the BM3 adapter though.

Something that does concern me with this is if it listens on 0.0.0.0 or only locally. Since these cars are connected via cellular, I wonder if it'd be possible to SSH into someone's car using your car or another device on the same cell network, similar to the Jeep/UConnect vulnerability that made the news years ago.
 
a90.faz (OP)

> I feel attacked. Good to know it operates over WiFi with the BM3 adapter though.
>
> Something that does concern me with this is if it listens on 0.0.0.0 or only locally. Since these cars are connected via cellular, I wonder if it'd be possible to SSH into someone's car using your car or another device on the same cell network, similar to the Jeep/UConnect vulnerability that made the news years ago.
Would be interesting to get some security folks on this. I am a graphics programmer so my knowledge of this stuff is basic.
 
a90.faz (OP)

> Good to know it operates over WiFi with the BM3 adapter though.
The only reason you need the physical cable is because you also need an internet connection on the laptop, because Feature Installer makes some network calls. Otherwise you surely can do the whole thing on the BM3 adapter if you can figure out how to get internet access while also connected to the car via WiFi.

I do plan on WireShark-ing the network calls for "Educational Purposes".
 

nanaisu

So I know FeatureInstaller explicitly says "don't reverse engineer our software" and, welllllllll, I kinda did it anyways. I didn't read the ToC, but apparently in section 2.4 it's a no go :(

[image: 1000017424.jpg]

Maybe I can find a way to manipulate it so you don't actually need a feature installer code to enable SSH. The app is written in .NET so it's decompilable in ILSpy or dnSpy.

I know it sends a POST request w/ the feature installer key supplied from flashxcode (or any other vendor for that matter) to an Azure Logic App (? can't remember, but that's what we're going with). Its reply was pretty basic: "here's the feature" (ex: CarPlay full screen) in JSON, along with the last couple of digits of the VIN iirc. I wonder if it's possible to intercept and modify the response and change the last couple of digits of the VIN?

No byte code or anything like that in the initial stage. No checking is done server-side to see if the right VIN was supplied with the feature installer key, which totally makes perfect sense. Thanks Fiddler.

Subsequent network traffic happens, but I haven't dived too deep into it yet. Assuming this is actually talking to the headunit to prep for the flash. Not sure. I might have to bite the bullet & order all the stuff next week & load up Fiddler, Wireshark & Burp Suite all in one go.

Definitely right about it being sketchy software. Managed to find a DoS condition in the app in under 5 minutes of looking at it.

Looking forward to the firmware dump ♥ great work op
 
a90.faz (OP)

Thanks bud! I will also try to decompile the app. I’m quite interested in how it does what it does. I believe this info should be open source.
 

nanaisu

> Thanks bud! I will also try to decompile the app. I'm quite interested in how it does what it does. I believe this info should be open source.
I also forgot - VS Code has a .NET debugger built in, so you can always step through everything - https://learn.microsoft.com/en-us/visualstudio/debugger/debugger-feature-tour?view=vs-2022

I could be totally wrong on this, it's been a hot minute since I've done .NET debugging, but it might be a good thing to do.
I believe debugging symbols were included in the exe. Not that you can't just export the code using ILSpy/dnSpy and recompile it, but that should save a minute or two...
I'll be home tomorrow to look into it some more.
 
a90.faz (OP)

I did do an initial dive into FeatureInstaller with decompilation using ILSpy. It seems to be communicating with the Headunit (NBT) using a TCP/IP socket on port number 21560.

The payload seems to be a byte stream, possibly of UDS function descriptors. ISTA and ESys seem to use UDS codes too.

After scouring forums I found this post and a few others, which state:

> The right UDS is '31 01 FD EE 38' ----- it opens ssh, but clears v850 data.
> Another UDS is '31 01 10 0E' ------- it activates app-mode, and opens ssh.

Similarly on forums, the code for closing ssh seems to be 31 01 A0 B0. To open ssh, an "L5 security key" seems to be needed, but I'm unsure where FeatureInstaller inserts this.

Anyone here with experience in ISTA/Esys coding can probably make sense of it.

It also seems to communicate with the Central Gateway Module (ZGW) using UDP on port 7811. This is probably to obtain the address of the Headunit.

I'm unsure about the order of operations, but I think it hits up the ZGW first, then connects to NBT with the data received from the ZGW. Then it starts a TCP socket once your FeatureInstaller key has been verified. Then it receives the UDS codes from the server. Then it sends those codes to NBT. Then it resets NBT.

There seems to not be any actual code injection here. Only UDS codes to functions already available on NBT. Someone with Esys experience can speak to this.

Again, I'm a graphics programmer so I'm out of my element here, but it makes me so happy to learn!

Nanaisu, please correct me if I'm wrong. I haven't stepped through using a debugger yet, but I will soon.

As a side note, these UDS codes seem to be a "trade secret" amongst the CarPlay coding/Headunit coding industry. Even software needed to do this stuff without paying, like Esys Transmitter, is distributed by DM'ing certain individuals.

I'm 60% sure Femto uses techniques like this for their ECU unlocks. They already have a FeatureInstaller-like software for CarPlay and such. I'm 90% sure Femto uses this technology to enable OEM remote start on the Supra.
 

nanaisu

That tracks roughly with what I've found too; here's a summary of what I've got:
Clicking "Find Vehicle" (or subsequently loading the software) triggers a broadcast message to be sent out to the local subnet to UDP port 6811, and (FeatureInstaller) will receive communications on UDP port 7811.
[image: 1727660405452-m9.jpg]

It sends out a 6-byte Hello/Handshake \x00\x00\x00\x00\x00\x11
[image: 1727660632209-ui.jpg]

The handshake can be seen in the code here:
[image: Pasted image 20240923153522.jpg]

This function here shows the data it's expecting - in short, it's expecting an arbitrary MAC address (6 bytes), the vehicle VIN number (17 bytes) and a diagnostics address (2 bytes). I'm not sure what the diagnostics address is supposed to actually be.
[image: Pasted image 20240923153757.jpg]

I wrote a small Python script to spoof responses to Feature Installer & trigger the crash I talked about earlier. It doesn't handle malformed responses well.
import socket

UDP_IP = "0.0.0.0"
UDP_PORT = 6811            # the port Feature Installer broadcasts its hello to
RESPONSE_MESSAGE = b"BMWMAC"  # deliberately short, malformed reply

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind((UDP_IP, UDP_PORT))
print(f"Listening on UDP port {UDP_PORT}...")

while True:
    data, addr = sock.recvfrom(1024)  # Buffer size of 1024 bytes
    print(f"Received message from {addr}: {data}")

    # answer whoever sent the hello with the bogus reply
    sock.sendto(RESPONSE_MESSAGE, addr)
    print(f"Sent message 'BMWMAC' to {addr}")


[image: 1727660977180-t8.jpg]

hehe, oopsie.

Anyways - adding a few more lines and we can spoof whatever data we want:
import socket

UDP_IP = "0.0.0.0"
UDP_PORT = 6811
# same 6-byte hello the app sends, followed by the fields it parses
RESPONSE_MESSAGE = b"\x00\x00\x00\x00\x00\x11"
RESPONSE_MESSAGE += b"BMWMAC"
RESPONSE_MESSAGE += b"001122334455"
RESPONSE_MESSAGE += b"BMWVIN"
RESPONSE_MESSAGE += b"WZ1DB133713371337"
RESPONSE_MESSAGE += b"DIAGADR"
RESPONSE_MESSAGE += b"FF"
RESPONSE_MESSAGE += b"\x90" * 16  # padding

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind((UDP_IP, UDP_PORT))
print(f"Listening on UDP port {UDP_PORT}...")

while True:
    data, addr = sock.recvfrom(1024)  # Buffer size of 1024 bytes
    print(f"Received message from {addr}: {data}")

    sock.sendto(RESPONSE_MESSAGE, addr)
    print(f"Sending spoofed message to {addr}")

Example output:
[image: 1727661043800-4l.jpg]

Example response over the wire:
[image: 1727661429677-7g.jpg]

Afterwards, when you click "Identify" and put in your fancy feature installer key a connection request is sent out to that Azure website ( https://remotecloudinstaller[.]azurewebsites[.]net/api/ValidateFeatureCode2?code=B64StringHere) I was talking about earlier. It just sends a JSON response. I intercepted this using Fiddler; If you could see what the SSH response looks like, that'd be very much appreciated.

[image: 1727661195452-g2.jpg]

Sample response:
{
"Success": true,
"Message": null,
"FeatureList": "NBT2;FSC Pack;Coding;Full Screen CarPlay LHD;Video-In-Motion;Vin: 90877;",
"Endpoint": "52.170.0.229:21560"
}
Pressing continue appears to then reach out to the headunit, which I don't have hooked up, so everything failed.
[image: 1727661312375-pu.jpg]


I also observed communications over TCP/21560. It appears to be a virtual machine running out of Azure, or something.
[image: 1727661825556-y6.jpg]

The code seems to indicate it's either a proxy, or maybe a VPN?
[image: 1727662056385-1q.jpg]

Fiddler didn't pick up any traffic exchanged - but there's definitely something happening here. Anyways - after that, I noticed a TCP connection over TCP 6801. I believe this is a port that esys/ista is using to perform or send any commands to the headunit.
[image: 1727662720208-vu.jpg]

decoded hex response:
00000000: 0000 0005 0001 f410 22f1 9000 0000 0500 ........".......
00000010: 01f4 1022 f190 ..."..

I've been doing a bit of reading and it seems like anytime remote coding is done, the coder needs access to this port, mentioned here for example. It looks like I must've answered incorrectly...
[image: 1727662793319-a6.jpg]

This time I get the message of "Is Esys still connected?"
[image: 1727662994202-2m.jpg]

so I guess we do the whole song and dance of figuring out what it wants!
That seems like a tomorrow task...
A bit more on the whole "Connecting to that public IP address" thing. It looks like they may be sending commands to the server in the format of:
CC23C17C-9DC2-4936-8190-EC76316C812B;AUTHCODEHERE?;02;1.0.14.9;\n
[image: 1727664306288-vc.webp]

and then after that, I think it may send commands on what we want it to do (ex: enable SSH) to server, where the server then gets data and does the thing.

So - what I'm curious about is if you could take a PCAP of TCP/6801 enabling SSH. I'd be willing to bet the L5 security key is in there someplace... If not, I'm going to order an enet cable next week and do it myself. Curiosities aside from "how tf does this work", I think we can probably execute a replay attack to enable SSH on the headunit.
For now, the biggest mystery function to me is RemoteClient, but I think I have a better understanding of what it does after looking at it tonight.

[image: 1727661772675-au.webp]
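The receive side of the UDP discovery exchange described in this post, written so that it survives malformed replies like the b"BMWMAC" one that crashed Feature Installer. This is an added example, not code from the thread or from the vendor's app: the 6-byte hello and the two ports are from the post, while the reply layout (MAC, then VIN, then diagnostic address, back to back) and the sample reply are my assumptions.

```python
import socket
import struct

# From the post: Feature Installer broadcasts this 6-byte hello to UDP/6811
# and listens for replies on UDP/7811.
HELLO = b"\x00\x00\x00\x00\x00\x11"
HELLO_PORT, REPLY_PORT = 6811, 7811

# Reply layout (assumption: the post names the fields and sizes, not their order):
# MAC (6 bytes) | VIN (17 ASCII bytes) | diagnostic address (2 bytes, big-endian)
REPLY_LEN = 6 + 17 + 2
VIN_CHARS = set("ABCDEFGHJKLMNPRSTUVWXYZ0123456789")  # ISO 3779 excludes I, O and Q


def parse_identify_reply(reply: bytes):
    """Return the reply's fields, or None if the datagram is malformed.
    Length and content are checked before slicing, so a short spoof like
    b"BMWMAC" is rejected instead of taking the client down."""
    if len(reply) != REPLY_LEN:
        return None
    mac, vin_raw, diag = reply[:6], reply[6:23], reply[23:25]
    try:
        vin = vin_raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not set(vin) <= VIN_CHARS:
        return None
    return {"mac": mac.hex(":"), "vin": vin, "diag_addr": struct.unpack(">H", diag)[0]}


# Constructed sample reply (not a capture): MAC 00:11:22:33:44:55, the VIN string
# from the spoof script above, and 0x0010 as a made-up diagnostic address.
SAMPLE_REPLY = bytes.fromhex("001122334455") + b"WZ1DB133713371337" + b"\x00\x10"


def handle_datagram(data: bytes, addr):
    """Per-datagram handling for a client that must not crash: validate, then accept or log."""
    parsed = parse_identify_reply(data)
    if parsed is None:
        print(f"rejected {len(data)}-byte reply from {addr}: {data!r}")
    return parsed


def discover(timeout: float = 5.0):
    """Send the hello once, then validate replies until one parses or time runs out.
    Touches the network only when called; nothing runs on import."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.bind(("0.0.0.0", REPLY_PORT))
    sock.settimeout(timeout)
    try:
        sock.sendto(HELLO, ("255.255.255.255", HELLO_PORT))
        while True:
            data, addr = sock.recvfrom(1024)
            result = handle_datagram(data, addr)
            if result is not None:
                return result
    except socket.timeout:
        return None
    finally:
        sock.close()
```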
 
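A decoder for the two kinds of bytes quoted in this thread: the RoutineControl requests from a90.faz's earlier post and the TCP/6801 hexdump above. This is an added example, not code from the thread or from Feature Installer; the frame layout (4-byte big-endian length, 2-byte control word, then source address, target address and the UDS message) is my reading of the dump, and the service and subfunction names are the ISO 14229 ones. Being able to name the routine a tool fires at the headunit is what you want when reviewing a capture of one of these sessions.

```python
import struct

# UDS (ISO 14229) names for the services that appear in this thread.
UDS_SERVICES = {0x22: "ReadDataByIdentifier", 0x31: "RoutineControl"}
ROUTINE_SUBFUNCTIONS = {0x01: "startRoutine", 0x02: "stopRoutine", 0x03: "requestRoutineResults"}
DIDS = {0xF190: "VIN"}  # standard data identifier for the VIN

# The TCP/6801 hexdump quoted above, re-typed as bytes: two identical frames.
CAPTURE = bytes.fromhex("00000005 0001 f410 22f190" "00000005 0001 f410 22f190")

# The RoutineControl requests quoted from the other forum, with the notes given there.
ROUTINES = {"31 01 FD EE 38": "open ssh, clears v850 data",
            "31 01 10 0E": "app-mode + ssh", "31 01 A0 B0": "close ssh"}


def decode_uds(msg: bytes) -> dict:
    """Name the service and fields of one UDS request; short input raises."""
    if not msg:
        raise ValueError("empty UDS message")
    sid = msg[0]
    out = {"sid": sid, "service": UDS_SERVICES.get(sid, "unknown")}
    if sid == 0x31:  # RoutineControl: subfunction, 2-byte routine id, optional record
        if len(msg) < 4:
            raise ValueError("RoutineControl needs a subfunction and a 2-byte routine id")
        out["subfunction"] = ROUTINE_SUBFUNCTIONS.get(msg[1], "unknown")
        out["routine_id"] = struct.unpack_from(">H", msg, 2)[0]
        out["option_record"] = msg[4:].hex()
    elif sid == 0x22:  # ReadDataByIdentifier: one or more 2-byte DIDs
        if len(msg) < 3 or (len(msg) - 1) % 2:
            raise ValueError("ReadDataByIdentifier needs whole 2-byte DIDs")
        dids = struct.unpack(f">{(len(msg) - 1) // 2}H", msg[1:])
        out["dids"] = [DIDS.get(d, f"0x{d:04X}") for d in dids]
    return out


def parse_enet_frames(stream: bytes) -> list:
    """Split a TCP byte stream into frames and decode each.
    Framing (assumption, my reading of the dump): 4-byte big-endian payload length,
    2-byte control word (0x0001 = diagnostic message), then payload = source
    address, target address, UDS message. Truncated data raises rather than
    being silently dropped, so a bad capture is noticed."""
    frames, off = [], 0
    while off < len(stream):
        if len(stream) - off < 6:
            raise ValueError(f"truncated frame header at offset {off}")
        length, control = struct.unpack_from(">IH", stream, off)
        body = stream[off + 6:off + 6 + length]
        if len(body) != length:
            raise ValueError(f"frame at {off} declares {length} bytes, got {len(body)}")
        if length < 3:
            raise ValueError("payload too short for source, target and a service id")
        frames.append({"control": control, "source": body[0], "target": body[1],
                       "uds": decode_uds(body[2:])})
        off += 6 + length
    return frames


if __name__ == "__main__":
    for f in parse_enet_frames(CAPTURE):
        print(f"0x{f['source']:02X} -> 0x{f['target']:02X}: {f['uds']}")
    for hexstr, note in ROUTINES.items():
        print(hexstr, "->", decode_uds(bytes.fromhex(hexstr)), "|", note)
```

Run against the dump, both frames decode as tester 0xF4 asking 0x10 for DID F190, i.e. a VIN read; the three routine codes decode as startRoutine with routine ids 0xFDEE, 0x100E and 0xA0B0.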
a90.faz (OP)

Amazing, amazing work!! Let's try to do what it does on the car and see if we can get a response from the ZGW.

I'd be wary of sending spoof messages to its server, these guys are super paranoid about leaks and might block us from using their stuff.

We should try and intercept the UDS codes before that happens. We can definitely PCAP the headunit connection, but I'm waiting on my car to come back and you on hardware haha

Optimistic about this. Awesome work Nanaisu!
 

nanaisu

> Amazing, amazing work!! Let's try to do what it does on the car and see if we can get a response from the ZGW.
>
> I'd be wary of sending spoof messages to its server, these guys are super paranoid about leaks and might block us from using their stuff.
>
> We should try and intercept the UDS codes before that happens. We can definitely PCAP the headunit connection, but I'm waiting on my car to come back and you on hardware haha
>
> Optimistic about this. Awesome work Nanaisu!
Agreed - my next project is to see if I can simulate whatever response it's expecting from the headunit to get to the "next stage in the enable ssh process".

But yeah, a PCAP would be great as it could reveal what the expected response from the headunit is, at the very least. I can try a replay attack and see what the results look like now that we've got a better understanding of, well, everything.

If not, my hope is that the pcap will at least reveal the L5 security key we need. Or a method as to how to get it. I'm hoping it's the same across vehicles (probably not). Regardless, I'll write up a script and release it to the community whenever we crack it :D

I really need to read the Car Hacker's Handbook. Freely licensed and available to read if anyone's interested! https://archive.org/details/car-hackers-handbook-the-craig-smith
 
a90.faz (OP)

Awesome! Thanks for getting the ball rolling. The paint shop is taking their sweet time with my car.
 

nanaisu

Ok - so I dumped some files off the headunit after work today. Mind you, I have a 2022.... This file was in the source code for the J29...
If we'd got this 2 years ago, we could have confirmed the manual so long ago.
cid_interior_handschalter_on_385x266.webp
cid_interior_handschalter_on_664x458.webp
cid_interior_handschalter_off_385x266.webp
cid_interior_handschalter_off_664x458.webp


Dated back to 2021.
[image: 1728079621875-sj.webp]
 

MisterSkiz

Pretty cool - you hacked the gibson!

Maybe you will find the GRMN MASTERS OF THE UNIVERSE S58 Picture in there too ;)