SSH access obtained - NBTEvo Headunit

[a90.faz]

Hello guys, just wanted to share some thing I worked on this weekend. I was able to obtain root SSH access for the Headunit’s filesystem using Feature Installer.

I’m going to comb though the filesystem and see what we can change in here

the ultimate goal is to be able to swap the default black Supra in iDrive for one that matches my build

I will surely post both a dump of the filesystem on GitHub and a guide to do the same if I discover anything interesting.

also has anyone ever done this on the Supra? Curious if this is first (public one) in the world haha ? I know people have been doing this on F chassis. And Femto might be using this to enable remote start somehow.

I’ll keep this thread updated with findings

Update: Posted how-to guide: https://www.supramkv.com/threads/ssh-access-guide-supra-nbtevo-headunit.24190/

Edit October 16th 2024

I was successfully able to swap the black Supra icon on the welcome screen for a custom one! See the guide here: https://www.supramkv.com/threads/guide-custom-supra-icons-throughtout-idrive.24478/

Sponsored

 

[nanaisu]

I haven't heard of it happening on the Supra yet. Very much looking forward to the writeup!! Even if it's some high level instructions, I've been wanting to do something like this for a while now. Awesome work! The inner reverse engineer in me is all giddy right now ?

 

[ApexTheory]

Exciting post, nice work.

 

[Daemon]

But can it run Doom?

A writeup on how to get the root shell would be awesome even if you don't find anything interesting. I'd love to dig into this as well

 

[a90.faz]

For sure! The car is currently gone for some work, I’ll post a filesystem dump soon!

I’ll do a write up of the process soon too!

 

[Surebob]

You are definitely the first to gain ssh access on any G series that i personally know of, Let me know if youd like to collaborate, if your car is at the shop, im willing to dig in on mine with you tonight. DM me

EDIT: Meant to say J series not G lol. So first supra for sure i think

 

[MisterSkiz]

"rm -r *"

 

[SupraYYJ]

"rm -r *"

"It's a UNIX system. I know this!"

 

[Brenden]

I hope this means we can finally run Android Auto. Otherwise I have no idea what you guys are talking about. But good work anyway

 

[zrk]

Check the TCP/IP Settings

 

[nanaisu]

I hope this means we can finally run Android Auto. Otherwise I have no idea what you guys are talking about. But good work anyway

Maybe!
Apparently both CarPlay and AndroidAuto use H.264 video streams. I need to look into how CarPlay sends data & actually initiates the stream. Same with AA. I'm guessing we'll need to write a custom application to initiate a handshake with the phone that says "Hey, Android Auto is available!". But I don't really know.
I'm thinking I'll have to look at a firmware dump of the Z4 headunit (or other iDrive7 units) to see how they implement it.
It might be this mythical magical thing. I haven't done any real research into it.
I'm assuming its possible to run arbitrary code now that we have a method to gain SSH access.

My only concern is the file system may be volatile or read-only. I'm guessing not because updates can be issued to the headunit. Plus, we could always keep non volatile storage like a flashdrive plugged in and mounted. Biggest question would just be "how can we get reliable code execution to load/sideload our AndroidAuto package". I'm hoping the filesystem isn't read only and we can just create or modify a cronjob at startup to execute our things.

It'll be a slow process that'll probably take a months, if not longer. It'll be a small thing first like "we made an application that says hello world", then maybe something a bit more advanced, like "display oil temp, engine temp, coolant temp", then maybe AA.

I'm excited to start looking into everything once OP posts the firmware dump!

 

[a90.faz]

Sorry for the holdup, i'm preping for a local car show and will be atleast a week untill i have the car back from the shop.

iDrive 7 uses a whole different headunit (MGU) so this method probably wiill not work with it. Try it if you are brave! We have iDrive 6 with the NBTEvo headunit.

I have posted a guide on how to do this yourself! Take a look here: https://www.supramkv.com/threads/ssh-access-guide-supra-nbtevo-headunit.24190/

 

[J_D]

Try to find the magical variable/parameter/bit that will enable climate control sync. You be be hailed as the MK V Saviour

 

[nanaisu]

Hello guys, just wanted to share some thing I worked on this weekend. I was able to obtain root SSH access for the Headunit’s filesystem using Feature Installer.

I’m going to comb though the filesystem and see what we can change in here

the ultimate goal is to be able to swap the default black Supra in iDrive for one that matches my build

I will surely post both a dump of the filesystem on GitHub and a guide to do the same if I discover anything interesting.

also has anyone ever done this on the Supra? Curious if this is first (public one) in the world haha ? I know people have been doing this on F chassis. And Femto might be using this to enable remote start somehow.

I’ll keep this thread updated with findings

Update: Posted how-to guide: https://www.supramkv.com/threads/ssh-access-guide-supra-nbtevo-headunit.24190/

I believe this is a fairly comprehensive list:
https://github.com/Sq00ky/Supra-Headunit-RE/blob/main/information/car-graphics.txt

 

[a90.faz]

Awesome! You got it before me lol. Now all that remains is to see if we have write access

Sponsored