3rd June 2012, 10:58 PM #181GPS Contributor
5th June 2012, 11:07 PM #182GPS Contributor
9th June 2012, 12:26 AM #183GPS Contributor
hey Rusigor, are you there?
i just tore apart my dock
here is what's inside
maybe it can be of use for you
9th June 2012, 02:51 AM #184TomTom Master
Thanks basflt, let's see what we can get from that
9th June 2012, 08:17 PM #185GPS Contributor
the business tool ...
any tomtom user out there with knowledge of JAVA?
i would like to know how to use the "FileDrop Tool"
i reckon it has a purpose, they don't put it in for nothing
i can drop anything in it, .... but then what?
how to execute it?
9th June 2012, 09:36 PM #186GPS Contributor
20th June 2012, 07:36 PM #187
Via 160 and the way of the noob hacker ;)
I've tried everything that I could find on the net to bring together in one package.
Since I have neither the time nor the desire to work with 3 different languages, I leave everything in English, please do not blame them because most of it comes either from Opentom (English) or TomTom Heaven (in French).
Collected info from all over the net:
Special credits to the guys at Opentom!
I try to collect the things that are available so that there is one place with most of the available information together.
About the firmware (Navcore):
When you install MyTomTom on your PC, in C:\Documents and Settings\User\Local Settings\Application Data\TomTom\HOME3\cache you have a file like "content1". This is an upgrade.
This file includes 20 extra bytes for every 100Kb of data. With this simple script I've managed to remove it and extract the files:
After running this, you can unpack it from linux by "cpio -i -d < dest.dat". You can check if all the files are OK by checking the SHA1SUMs included in the file called "files":
Then you can extract the squashed root file system with "unsquashfs" or mount it.
When you connect the TomTom to a PC, we have another Ethernet over USB. On this connection there are 3 open ports: ftp/21, ssh/22, http/80
When you connect via ssh, it needs an authentication certificate. It is c:\Program Files\My TomTom3\Resources\TT_root_sign_cert crt.dat.
You can connect with your TomTom Start 20 by ssh from Linux. This file can be added as identity file to SSH via the -i switch. The passphrase for the connection is however unknown.
I looked deeper into the http connection and I see that only the following work:
Connecting to Linux:
When plugged into an Ubuntu 10.04 laptop, it is identified as a USB-based network interface (dwc_otg_pcd). The Linux desktop acquires an auto-configuration IP address, and the TomTom another in the same range. For example:
If usb0 interface doesn't show up in ifconfig output automatically, check that cdc_ether kernel module is loaded and try to run as root "ifconfig usb0 up" followed by "dhcpcd usb0" or "dhclient usb0". Afterwards ifconfig output should be similar to one provided above.
In this example the TomTom gets an IP address of 169.254.255.1. Portscanning the device shows the following:
Starting Nmap 5.00 at 2011-04-18 19:28 BST
Nmap done: 1 IP address (1 host up) scanned in 1.51 seconds
Attempting an ssh connection reveals that the device uses authentication by key:
Apparently the publickey is contained in a file named "TT_root_sign_cert crt.dat" (Mac OS X) that can be found within MyTomTom's installation folder. This file can be added as identity file to SSH via the -i switch. The passphrase for the connection is however unknown.
Hi, I appreciate your work, but I have some comments and notes. First, to complete the list of opened ports, there is another port 3129 opened in the device. It's http/https proxy.
I'd advise you to stop bothering with vmware/windows combination (both suck). Try ubuntu on USB or some other live distribution - it's much much better.
I think, the installed software doesn't have any kind of library for SSH, the certificate is IMHO only for SSL encryption - there is only one place in the TomTomSupporterProxy.dll, which uses this file - as a certificate for SSL using QtNetwork library.
Either there should be some communication to allow stealing of the correct certificate, or someone has to steal the certificate at TomTom's side.
Here's a piece of disassembled code of the TomTomSupporterProxy.dll
Translations from tomtomheaven about the Go1000 but problems are the same:
A friend ... I was told that it was not badly shielded, but that nothing was impossible. A few details:
1) the tomtom connects directly to the PC using the network 169.254.255.1 (tomtom) -> 169.254.255.2 (PC)
a few xml messages are exchanged at that time ... Hello, Id tomtom ... etc..
2) Obviously, the tomtom is coming and the resident program seems MyTomTom relay information on the website of TomTom (also for s announce) certificate,
secure connection, etc. ...
3) The tomtom check itself for possible update ... this way ... the status being relayed between machines via xml ... progress, processing ...
In other words, if you planned to see something through these exchanges http ... it's only ads, the status of progress ... etc., not very informative .. well ...
Trying to access tomtom directly to: ssh or scp or another ... the tomtom responds, of course,
but dropbear is configured so that only holders of the private key can connect ... (authorized_key only ) for the common man was just right to
RSA Key fingerprint is 69:40:bf:99 ... and a permission denied (publickey) ... even after he should have the passphrase.
I have been very recently a model VIA 125 and the problem of clamping MyTomTom is identical.
After some analysis I could find some parameters that are exchanged between the software and GPS MyTomTom.
However, I am quite interested in a list of certificates that nobody has talked on the web currently.
At the url:
It is an XML file containing all the device parameters (version, serial number) but also an extensive list of certificates (There are 22) in this form:
<Certificate id = "15e7406e-f8a4-47da-BF10-7506ae0b786a" certdata = "BQAAAFArBe64iHvg ....." /> (Truncated because too long)
Do you have an idea what these certificates could match?
A year after the release of these models, it is surprising that no one was more advanced on the subject.
I share this information which I am sure you will make a difference:
This info for access to the file system TT Live 1005. I was able to decode the files Maj (ttpkg) downloaded from the site of TT. Example: the file "content1" MyTomTom downloaded on my computer is the file 00000000-0074-0011-0310-008604472528_system-update.ttpkg
This file looks like a tar or cpio, but if you try to do a cpio above it does not work because TT has garbage characters inserted inside it must remove before making a cpio to extract all files in this container. The solution is here: See the shell script at the bottom of the page:
Once you can execute without a bp to cpio and get the following files:
- A folder "system-update_860447_bcm4760-current_data" containing:
Now that the extraction is done, we must look at the file rootfs.img.new
The first 4 characters of this file are "hsqs" indicating that this is a squashfs file format.
To access the contents simply mount it on a Unix mount point with the following command:
Then just browse to the folder /mnt to approach the holy grail. The hierarchy:
The contents of /etc/passwd for example gives us:
Details of all modules installed on the TT is placed in /usr/lib/opkg/status, indicates that:
Embedded processor in the TomTom Go Live 1005 is a BCM4760 home Broadband:
The SSH server: dropbear "SSH-2.0-dropbear_0.52". The ssh server is available for free download at TT at: @
The embedded Linux is a version 2.6.28 for BCM4760
The web server is: Mongoose web server:
Response from Cyph:
Not bad actually ...
While AC have long pass in /etc/passwd shadow ... are not really used, such as ... (in any case, this can give ideas to login ...)
After performing a port scan service it turns out that only 22 and 80 are visible.
22 for ssh
80 for http
I was interested in a feat ftp (the coup obexftpd) but it is grated since everything boils down to the ssh ...
I see a trail: attempt a feat of mongoose 3.1 ... there is clearly a BufferOverflow on a PUT ... that would execute arbitrary code.
It is not yet won to execute our own code ... but not despair ... (especially since the interest is just to bring you the plugins ... and THAT IT!)
We would have to talk a little in private tracks ... Any takers I am available on firstname.lastname@example.org
I searched a bit ... I like our friend searched as Anonymous
You can also unpack your files, it helps to understand the system.
rootfs.img.new would not be difficult to create, as said before: it is a compressed filesystem type squashfs.
What about other files around it?
File contents "files"
It therefore lists the files in the package, and obviously, there is already a first calculation:
I will say that it strongly resembles a calculation "digest" type SHA/SHA1.
I'm just guessing, of course.
The file Files.sig
Probably a signature file to ensure that does not change the file Files
No idea of its generation.
The file system-update_890538_bcm4760-current.ipk
This is a tar.gz which itself contains three files
The control file is an ASCII file containing the following information:
Source: rootfs / / depot-open/mcl/branch/navx10.2/branch/baarn/branch/rennes/main / ... @ 890538; riaf-mcl-navx10-2-stimpy-nlbld13; root @ nl- bld-13.intra.local; Wed, March 21, 2012 11:51:49 0100; Linux nl-bld-2.6.18-13.intra.local 274.el5 # 1 SMP Fri Jul 8 5:36:59 p.m. EDT 2011 x86_64 x86_64 x86_64 GNU / Linux gcc version 4.3.3 (TomTom CipherWizardry 2009q1_203-474426)
Description: System update
Go, I go back.
I'll dig this:
We begin by the webserver, some information was known, but some are quite fresh and have never been disclosed!
Looking in the file service_webserver.conf you find a lot of information about mount points made before launching the webserver (the one who answers when you load a POI file, cursor on your tomtom ...)
the root directory of the webserver is /var/run/
Suddenly, everything under /var/run can potentially be accessed:
Here's everything I could find ...
/var/run/PCMI => The main page that everyone knows
/var/run/dump => page to get her screenshots
/var/run/personal => page to see everything you have loaded the tomtom
/var/run/pcmi_tmp => Mystery! (Let's not open up /tmp to the webserver), we'll dig this stuff ...
/var/run/gpslogs/ => It's all in the name logs and GPS, it does not seem to me that someone had referred
/var/run/cprid/ => Connection reset by peer, digging ... # Ensure there is access to the timestamp for the last upload CPR.
/var/run/factorydata => information on your tomtom
I feel that this information will be taken over, after all ... it is for this.
What can we do with that in your opinion?
1178 January 15, 2011 tt_rootfs_dev_pubkey.dsa
1192 January 15, 2011 tt_rootfs_dev_privkey.dsa
1178 January 15, 2011 tt_loopfs_prod_pubkey.dsa
2576 January 15, 2011 tt_loopfs_prod_privkey.dsa.gpg
1178 January 15, 2011 tt_loopfs_dev_pubkey.dsa
1192 January 15, 2011 tt_loopfs_dev_privkey.dsa
1178 January 15, 2011 tt_kernel_prod_pubkey.dsa
1291 January 15, 2011 tt_kernel_prod_privkey.dsa
1178 January 15, 2011 tt_kernel_dev_pubkey.dsa
1192 January 15, 2011 tt_kernel_dev_privkey.dsa
1192 January 15, 2011 tt_factory_dev_privkey.dsa
given by a friend who wishes us well ... without telling me if we can do something.
> gpg tt_loopfs_prod_privkey.dsa.gpg
gpg: encrypted with ELG-E key, ID 18BBCF3F
gpg: encrypted with ELG-E key, ID CD70EBC0
gpg: encrypted with 2048 bit key ELG-E, ID 76C5C5C6, created on 2009-11-26
"Axx Bxxxxxxxx <email@example.com>"
gpg: decryption failed: secret key not available
It is not forbidden to search for its culture? I just want to learn.
I tried with putty after conversion of key ...
Refused the server your keys.
I think these keys are used, but elsewhere.
Signatures of packages such ...
Furthermore, I confirm this:
openssl dgst -sha1 ./system-update_890538_bcm4760-current_data/rootfs.img.new
SHA1 (./system-update_890538_bcm4760-current_data/rootfs.img.new) = d6d371cb99337b06b0101598a760a91fcb610b87
Which means I can generate the files
I still find files.sig .... and and and ... Exactly ...
I think our key for this. I continue.
Well I obviously also a tool for signature:
Hop, I found another source on the signing:
The Following 8 Users Say Thank You to ggggghhh For This Useful Post:
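An added example, not part of the original post and not TomTom or Opentom code: a Python version of the unpacking checks the post above describes (removing the 20 bytes inserted per 100 KB, confirming the "hsqs" squashfs magic, and comparing SHA-1 digests with a manifest). Assumptions: the inserted bytes follow each full 102400-byte block, and the manifest uses the `sha1sum` line layout; all function names and the sample data are constructed for illustration.

```python
import hashlib

BLOCK = 100 * 1024  # "every 100Kb of data", assumed to mean 102400 bytes
EXTRA = 20          # inserted bytes per block, as stated in the post

def strip_inserts(raw, block=BLOCK, extra=EXTRA):
    """Drop `extra` bytes after every full `block` bytes of payload.
    Assumption: the inserts trail each full block; the post does not say."""
    out = bytearray()
    for pos in range(0, len(raw), block + extra):
        out += raw[pos:pos + block]
    return bytes(out)

def is_squashfs(image):
    """Little-endian squashfs images begin with the 4-byte magic 'hsqs'."""
    return image[:4] == b"hsqs"

def check_manifest(manifest, files):
    """Check 'sha1hex  path' lines (assumed sha1sum layout) against contents.
    Returns {path: "ok" | "mismatch" | "missing"}."""
    status = {}
    for line in manifest.splitlines():
        if not line.strip():
            continue
        digest, path = line.split(None, 1)
        path = path.strip().lstrip("*")
        if path not in files:
            status[path] = "missing"
        elif hashlib.sha1(files[path]).hexdigest() == digest.lower():
            status[path] = "ok"
        else:
            status[path] = "mismatch"
    return status

def demo():
    # Constructed sample: a fake image framed the way strip_inserts assumes.
    image = b"hsqs" + bytes(range(256)) * 1000
    framed = bytearray()
    for i in range(0, len(image), BLOCK):
        chunk = image[i:i + BLOCK]
        framed += chunk + (b"\xAA" * EXTRA if len(chunk) == BLOCK else b"")
    manifest = (hashlib.sha1(image).hexdigest() + "  rootfs.img.new\n"
                + "0" * 40 + "  control\n")  # second digest is deliberately wrong
    clean = strip_inserts(bytes(framed))
    files = {"rootfs.img.new": clean, "control": b"Description: System update\n"}
    return clean == image, is_squashfs(clean), check_manifest(manifest, files)

if __name__ == "__main__":
    print(demo())
```

A matching manifest only shows that the unpacked files are intact; whether a package is authentic rests on the signature the post expects in Files.sig, which this code does not check.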
24th June 2012, 05:46 PM #188
I took a look at the business tool, and here's my understanding of what happens:
- You select a TomTom package file (ttpkg) and select "Install"
- The tool has an embedded web server that uses https. The device itself also has an embedded web server that uses plain http
- The file you selected is added to a list of files that are to be served by the https web server
- A call is made to the device's web server, more specifically to the /mpnd/trigger URL
- This will cause the device in its turn to contact the embedded https server which will serve the ttpkg file
It would be pretty easy to create such a tool yourself, since the certificates for the embedded https server are in the .jar file.
I don't have a TomTom of the latest generation so I can't test it, but can't you just use this business tool to upload the latest maps?
24th June 2012, 05:55 PM #189GPS Contributor
yes, it installs the map without problem, except: ... it's not activated (that's where the connection w TTserver comes in, to send activation key to device)
various navcore updates also can be installed, other than official
and, more "funny": ... no way to remove the map
MyTomtom does not remove it either, unless there is not enough disk-space for official map
besides http the tool also uses ssh
for those who do have a device:
use WireShark to see what is happening
24th June 2012, 06:42 PM #190
I looked at the tool and it seems to use SSH in 2 cases:
1. To perform a "rescue" operation. It uploads an ipk file and then executes the command "opkg-cl -conf /etc/opkg.conf -o /content -p /bin install /content/pacakge.ipk; reboot"
2. To reboot the device (this is simply an /sbin/reboot).
It logs in with user "root" and password "dummy" for both operations.
I don't see anything involving maps activation. When you say "the connection w TTserver", is it the device that connects to the TTserver or is it your computer?