31st August 2013, 03:17 AM #491
Re: NV4 navcore and map
read instructions, you are responsible for your device, not me.
1st September 2013, 01:49 AM #492 TomTom Master
Thanks for the file Simba
4th September 2013, 02:09 AM #493
This is my first post, so I will introduce myself. I am very interested in embedded hacking, cryptography and reverse engineering (on MIPS and x86). I have already successfully rooted several SOHO routers (some by using quite lame exploits, others by modifying the flash chip and replacing the ssh pubkey) and analysed some crypto schemes they employ (for example how configuration backups are encrypted before they are sent through the web interface to the user). Therefore I hope I can contribute here as well.
I have studied the past 47 pages and I hope I am up-to-date now. Please let me know if I have summed up things correctly.
The main problem seems to be:
(1) replace pubkey for ssh with self-generated key (and publish the privkey)
- for testing purposes this could be done by wiring a SD USB adapter to the TT PCB
- main issue seems to be the repacking of the squashfs
(2) replace pubkey for content verification with self-generated key (and publish the privkey)
- is it correct that the content activation scheme is the same as for NAV2 devices (the .dct file holds the blowfish key for the map in RSA encrypted format)?
(3) find a suitable way the average user can employ to do (1) and (2). should be something completely software-driven like an exploit.
- both ftpd and httpd seem to have very crappy code (i have merely skimmed the opensource files, no in-depth analysis)
- maybe the bootloader offers some option for memory manipulation
(4) understand enough of the .ttpkg format to craft own packages to deploy custom apps (like cydia for tomtom)
- afaik unpacking is possible, but it is unclear what the header looks like and what the "garbage" bytes mean (maybe some sort of checksums? - so that in case of a faulty transfer only the defective 100 KB chunk needs to be resent?!)
Hopefully I can do step (1) if my TomTom arrives by the end of the week.
@parasonic: Would you provide a copy of your 4 GB dump? Have you ever tried to halt the bootloader by pressing a key?
4th September 2013, 12:37 PM #494GPS Contributor
welcome to the forum C(CH2OH)4+4HNO3
another problem is to get the files in / out the device
ATM we cannot enter the device at all
until that is solved any activation hack remains useless
4th September 2013, 04:14 PM #495
basflt: some time ago you posted a link to the TomTom pages which explained how to restore a TT (sorry, I cannot post links yet).
Have you or has anyone else investigated how this restore process is facilitated? Has anyone sniffed this with Wireshark (just to get an idea what protocol is used)? Maybe Telnet/Tftp/SSH? Does the bootloader verify the content it receives? How should it do this (the public keys for package verification reside in rootfs.img)? Does the BL contain another public key?
I have not received my device yet, so I cannot try for myself, but if I had to guess this is most probably some bootloader interaction. Maybe this is what the root:dummy combination is for (which is known from decompiling the Java-Business-Tool).
4th September 2013, 08:51 PM #496GPS Contributor
i have no idea as it is beyond my skills
i tried Wireshark in the past, but further ??????
AFAIK it uses different protocols and also encrypted
all i know is that the Java-tool installs any .ttpkg package, whether it is compatible with the device or not
if you run the tool , you can see a log window by clicking the tray-icon
here you can see that it contacts the server for the required key(s)
what is also remarkable ;
firewall/antivirus must be disabled for any form of communication , found no way around yet
you probably read it ;
its an internet device
but it seems like all is locked from in the device
entering requires keys from TT-server
but , there exist a couple of links that dont require anything , not even internet
there are some users here that know more than me, but i never see them here
if you want i can do simple testing, but my knowledge of scripting is little and of Linux zero
4th September 2013, 10:06 PM #497GPS Contributor
installing the nav4 package in a nav3 device makes the device useless
ea ; the normal restore function doesn't work anymore ; the only way to revert is to again use the Java service tool and install a nav3 core again
what is also strange
Mytomtom doesn't get the picture and wants to install the usual crap-updates
so, you wonder why they want to let go of the consumer market?
they made a fool-proof system, and they don't understand it themselves
4th September 2013, 10:14 PM #498GPS Contributor
1 disable firewall / antivirus
2 connect device ( if not already )
3 start the tool
4 point to the .ttpkg package you want to install in the device
5 click "install"
6 wait until the device has fully rebooted before closing
the tool only accepts real .ttpkg files, nothing else
fake or renamed files don't work either
4th September 2013, 10:22 PM #499GPS Contributor
5th September 2013, 03:44 PM #500
Yes, the Java "Business Tool" does contain SSH code and it contains the root:dummy login combination as well. However, it does not seem to use this code. Maybe it is an artifact or for factory testing?
I have transferred a map of French Guiana (because it is small) to a TT Via 125 which was in "normal operation mode". I have captured the process with Wireshark on the TT network interface. What happens is the following:
1. TT device starts and sets up a "revinetd" server (please google "revinetd how it works", first hit; cannot post links yet, sorry). In the picture the TT device is the "Attacker". Furthermore the mongoose httpd on port 80 is started.
2. When the Java Business Tool starts it sets up a "revinetd" relay agent. In the picture from above link this corresponds to "compromised server". Immediately the relay agent connects to the TomTom (this is "relay agent communication channel established").
3. When you upload a package, the Java Tool triggers the mongoose webserver. The TT device then connects to its own loopback, which is in fact the revinetd server from step 1. The revinetd forwards this communication to the relay agent (which is the revinetd within the Java Tool) through the connection which was established in step 2. The communication exits the revinetd relay agent (i.e. the Java Tool) and goes through a jHTTPp (a java HTTP proxy included in the tool) before it reaches the jetty httpd (a java httpd included in the tool). Jetty serves whatever package you give it and the TT can download it.
To double check that the SSH code is not used I have put the TT in recovery mode (the spinning cogwheel). In this mode the transfer does not use SSH either. In recovery mode the same happens as in normal mode.
As a side note: jetty httpd serves some files over https as well and uses "xpto.cer" found in .jar as certificate. Furthermore the .jar contains another root CA cert "Device Authentication Test CA" in file "cacert.pem" and a Java Key Store in "ods.jks". Maybe I will post an overview of all certificates, public keys, private keys etc. found so far in MyTomtom, the Java tool and the navcore some time later. To me it is a bit messy at the moment.
Update: The ods.jks is password protected (password is "tomtom") and contains the aforementioned certs.
PS: Next I will have a look at the navcore binaries that process the .ttpkg files. I am well aware that this knowledge most probably won't get us in but I am still waiting for my TT device which I can afford to solder to.
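The three-step relay flow described in the post above, modelled as an added Python example (it is not code from the post, from the Java tool, or from revinetd): the device side listens, the tool's relay agent dials in to it, and a request the device makes to its own loopback is then carried over that already-established channel to the tool's web server, which returns the package. Port numbers, the length-prefixed framing used instead of real HTTP, and the package bytes are constructed stand-ins.

```python
import socket
import struct
import threading

# Constructed stand-in for the package the tool's jetty httpd serves (not a real .ttpkg).
PACKAGE = b"TTPKG-DEMO-PAYLOAD-" + bytes(range(16))

def send_frame(sock, data):  # simplified length-prefixed framing in place of real HTTP
    sock.sendall(struct.pack("!I", len(data)) + data)

def recv_frame(sock):  # exactly one frame is read per socket, so read-ahead buffering is harmless
    f = sock.makefile("rb")
    return f.read(struct.unpack("!I", f.read(4))[0])

def jetty(srv):  # tool side: the web server that actually holds the package
    with srv.accept()[0] as client:
        send_frame(client, PACKAGE if recv_frame(client) == b"GET /package" else b"404")

def relay_agent(relay_port, jetty_port):  # tool side: dials *in* to the device (step 2)
    with socket.create_connection(("127.0.0.1", relay_port)) as chan:
        req = recv_frame(chan)  # request tunnelled out of the device's loopback (step 3)
        with socket.create_connection(("127.0.0.1", jetty_port)) as web:
            send_frame(web, req)
            send_frame(chan, recv_frame(web))

def device_relay(relay_srv, loop_srv):  # device side: relay server plus loopback listener (step 1)
    # accept the tool's channel first; only then serve the device's own loopback client
    with relay_srv.accept()[0] as chan, loop_srv.accept()[0] as client:
        send_frame(chan, recv_frame(client))  # ship the loopback request out over the channel
        send_frame(client, recv_frame(chan))  # hand the tool's reply back to loopback

def run_demo(relay_port=18101, loop_port=18102, jetty_port=18103):
    # all listeners are up before any thread dials, so connect order never races accept order
    srvs = [socket.create_server(("127.0.0.1", p)) for p in (relay_port, loop_port, jetty_port)]
    workers = [threading.Thread(target=jetty, args=(srvs[2],)),
               threading.Thread(target=device_relay, args=(srvs[0], srvs[1])),
               threading.Thread(target=relay_agent, args=(relay_port, jetty_port))]
    for w in workers:
        w.start()
    with socket.create_connection(("127.0.0.1", loop_port)) as updater:  # the device fetching from 127.0.0.1
        send_frame(updater, b"GET /package")
        downloaded = recv_frame(updater)
    for w in workers:
        w.join()
    for s in srvs:
        s.close()
    return downloaded  # the bytes jetty served, delivered through the device-initiated channel
```

The point of the model is that the PC never connects to a port the device's updater uses directly; the only inbound connection to the device is the relay channel, which is why nothing is reachable on the device once that channel is absent.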