Page 50 of 61 (results 491 to 500 of 608)
#491 simba
Re: NV4 navcore and map

Quote: [contents visible to registered members only]

tool
read instructions, you are responsible for your device, not me.
Code: [contents visible to registered members only]

greetings.

#492 Orni (TomTom Master, Supporter)

Thanks for the file Simba

#493 C(CH2OH)4+4HNO3

Hi everyone!

This is my first post, so I will introduce myself. I am very interested in embedded hacking, cryptography and reverse engineering (on MIPS and x86). I have already successfully rooted several SOHO routers (some by using quite lame exploits, others by modifying the flash chip and replacing the ssh pubkey) and analysed some crypto schemes they employ (for example how configuration backups are encrypted before they are sent through the web interface to the user). Therefore I hope I can contribute here as well.

I have studied the past 47 pages and I hope I am up to date now. Please let me know if I have summed up things correctly.

The main problem seems to be:
(1) replace pubkey for ssh with self-generated key (and publish the privkey)
- for testing purposes this could be done by wiring an SD USB adapter to the TT PCB
- main issue seems to be the repacking of the squashfs

(2) replace pubkey for content verification with self-generated key (and publish the privkey)
- is it correct that the content activation scheme is the same as for NAV2 devices (the .dct file holds the blowfish key for the map in RSA-encrypted format)?

(3) find a suitable way the average user can employ to do (1) and (2). Should be something completely software-driven like an exploit.
- both ftpd and httpd seem to have very crappy code (I have merely skimmed the open-source files, no in-depth analysis)
- maybe the bootloader offers some option for memory manipulation

Minor:
(4) understand enough of the .ttpkg format to craft own packages to deploy custom apps (like Cydia for TomTom)
- afaik unpacking is possible, but it is unclear what the header looks like and what the "garbage" bytes mean (maybe some sort of checksums? - so that in case of a faulty transfer only the defective 100 KB chunk needs to be resent?!)

Hopefully I can do step (1) if my TomTom arrives by the end of the week.

@parasonic: Would you provide a copy of your 4 GB dump? Have you ever tried to halt the bootloader by pressing a key?

#494 basflt (GPS Contributor, Advisor, Helper)

welcome to the forum C(CH2OH)4+4HNO3

another problem is getting the files into / out of the device
ATM we cannot enter the device at all
until that is solved any activation hack remains useless

#495 C(CH2OH)4+4HNO3

basflt: some time ago you posted a link to the TomTom pages which explained how to restore a TT (sorry, I cannot post links yet).
Have you or has anyone else investigated how this restore process is facilitated? Has anyone sniffed this with Wireshark (just to get an idea what protocol is used)? Maybe Telnet/TFTP/SSH? Does the bootloader verify the content it receives? How should it do this (the public keys for package verification reside in rootfs.img)? Does the BL contain another public key?
I have not received my device yet so I cannot try for myself, but if I had to guess this is most probably some bootloader interaction. Maybe this is what the root:dummy combination is for (which is known from decompiling the Java Business Tool).


#496 basflt (GPS Contributor, Advisor, Helper)

i have no idea as it is beyond my skills
i tried Wireshark in the past, but further ??????
AFAIK it uses different protocols and is also encrypted

all i know is that the Java tool installs any .ttpkg package, whether it is compatible with the device or not
if you run the tool, you can see a log window by clicking the tray icon
here you can see that it contacts the server for the required key(s)

what is also remarkable:
firewall/antivirus must be disabled for any form of communication, found no way around it yet

you probably read it:
it's an internet device
but it seems like all is locked from within the device
entering requires keys from the TT server
but there exist a couple of links that don't require anything, not even internet

there are some users here that know more than me, but i never see them here
if you want i can do simple testing, but my knowledge of scripting is little and of Linux zero

#497 basflt (GPS Contributor, Advisor, Helper)

installing the nav4 package in a nav3 device makes the device useless

i.e. the normal restore function doesn't work anymore; the only way to revert is to again use the Java service tool and install a nav3 core again

what is also strange:
MyTomTom doesn't get the picture and wants to install the usual crap updates

------------------
so, you wonder why they want to let go of the consumer market?

they made a fool-proof system, and they don't understand it themselves

#498 basflt (GPS Contributor, Advisor, Helper)

Quote: [contents visible to registered members only]

1 disable firewall / antivirus
2 connect device (if not already)
3 start the tool
4 point to the .ttpkg package you want to install in the device
5 click "install"
6 wait until the device has fully rebooted before closing

note
the tool only accepts real .ttpkg files, nothing else
fake or renamed files don't work either

#499 basflt (GPS Contributor, Advisor, Helper)

Quote: [contents visible to registered members only]

could be, but i don't think so
the Android version is about 30 MB or so, this one is more than 200 MB (nav3 was about 65 MB)

#500 C(CH2OH)4+4HNO3

Quote: [contents visible to registered members only]

Yes, the Java "Business Tool" does contain SSH code and it contains the root:dummy login combination as well. However, it does not seem to use this code. Maybe it is an artifact or for factory testing?

I have transferred a map of French Guiana (because it is small) to a TT Via 125 which was in "normal operation mode". I have captured the process with Wireshark on the TT network interface. What happens is the following:
1. The TT device starts and sets up a "revinetd" server (please google "revinetd how it works", first hit; cannot post links yet, sorry). In the picture the TT device is the "Attacker". Furthermore the mongoose httpd on port 80 is started.
2. When the Java Business Tool starts it sets up a "revinetd" relay agent. In the picture from the above link this corresponds to "compromised server". Immediately the relay agent connects to the TomTom (this is "relay agent communication channel established").
3. When you upload a package, the Java Tool triggers the mongoose webserver. The TT device then connects to its own loopback, which is in fact the revinetd server from step 1. The revinetd forwards this communication to the relay agent (which is the revinetd within the Java Tool) through the connection which was established in step 2. The communication exits the revinetd relay agent (i.e. the Java Tool) and goes through jHTTPp (a Java HTTP proxy included in the tool) before it reaches the Jetty httpd (a Java httpd included in the tool). Jetty serves whatever package you give it and the TT can download it.

To double-check that the SSH code is not used I have put the TT in recovery mode (the spinning cogwheel). In this mode the transfer does not use SSH either. In recovery mode the same happens as in normal mode.

As a side note: the Jetty httpd serves some files over https as well and uses "xpto.cer" found in the .jar as certificate. Furthermore the .jar contains another root CA cert "Device Authentication Test CA" in file "cacert.pem" and a Java Key Store in "ods.jks". Maybe I will post an overview of all certificates, public keys, private keys etc. found so far in MyTomTom, the Java tool and the navcore some time later. To me it is a bit messy at the moment.

Update: The ods.jks is password protected (password is "tomtom") and contains the aforementioned certs.

PS: Next I will have a look at the navcore binaries that process the .ttpkg files. I am well aware that this knowledge most probably won't get us in, but I am still waiting for my TT device which I can afford to solder to.
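The three-step relay flow described in #500, as an added example that is not code from the post, from TomTom or from the Java Business Tool: a small Python model of a revinetd-style reverse-connect relay. The device side opens a listener for the inbound relay channel plus a loopback listener; the tool side dials out to the device and splices that channel into a local HTTP server standing in for Jetty; the device's own HTTP client then fetches from 127.0.0.1 and actually receives the tool's bytes. Everything here (HOST, the ports, the class and function names, the sample package bytes) is an assumption for the demo; the real tool also interposes the jHTTPp proxy, which is omitted, and the demo pre-connects the channel to the server instead of opening it on demand as revinetd does.

```python
"""Toy model of the reverse-connect relay seen in post #500 (added example,
not TomTom or Java-tool code). All names, ports and payload bytes are
assumptions for the demo."""
import http.client
import http.server
import socket
import threading

HOST = "127.0.0.1"
# Constructed sample payload standing in for a .ttpkg; not a real package.
DEMO_PACKAGE = b"constructed sample bytes standing in for a .ttpkg"


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the far end sees EOF."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _bridge(a, b):
    """Splice two sockets together in both directions until both sides hang up."""
    t = threading.Thread(target=_pump, args=(a, b), daemon=True)
    t.start()
    _pump(b, a)
    t.join()
    a.close()
    b.close()


class DeviceRelayServer:
    """Step 1: device-side revinetd stand-in. One listener takes the inbound
    channel from the PC tool; a loopback listener is what the device's own
    HTTP client talks to later."""

    def __init__(self):
        self.agent_listener = socket.socket()
        self.agent_listener.bind((HOST, 0))
        self.agent_listener.listen(1)
        self.client_listener = socket.socket()
        self.client_listener.bind((HOST, 0))
        self.client_listener.listen(1)
        self.agent_port = self.agent_listener.getsockname()[1]
        self.client_port = self.client_listener.getsockname()[1]
        threading.Thread(target=self._run, daemon=True).start()

    def _run(self):
        agent, _ = self.agent_listener.accept()    # step 2: tool connects in
        client, _ = self.client_listener.accept()  # step 3: device hits loopback
        _bridge(client, agent)                     # loopback traffic rides the channel


def start_jetty_stand_in(pkg):
    """Tool side: throwaway HTTP server playing the role of the bundled Jetty."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.send_header("Content-Length", str(len(pkg)))
            self.end_headers()
            self.wfile.write(pkg)

        def log_message(self, *args):  # keep the demo quiet
            pass

    srv = http.server.HTTPServer((HOST, 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def start_relay_agent(device_agent_port, jetty_port):
    """Step 2: the tool-side relay agent dials OUT to the device, then splices
    that channel into the local HTTP server (jHTTPp proxy omitted)."""
    def run():
        channel = socket.create_connection((HOST, device_agent_port))
        local = socket.create_connection((HOST, jetty_port))
        _bridge(channel, local)
    threading.Thread(target=run, daemon=True).start()


def transfer_package(pkg=DEMO_PACKAGE):
    """Run all three steps; return (status, body) as seen by the device's own
    client, which believes it is downloading from 127.0.0.1."""
    jetty = start_jetty_stand_in(pkg)
    device = DeviceRelayServer()
    start_relay_agent(device.agent_port, jetty.server_address[1])
    conn = http.client.HTTPConnection(HOST, device.client_port, timeout=5)
    conn.request("GET", "/demo.ttpkg")
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    jetty.shutdown()
    jetty.server_close()
    return resp.status, body


if __name__ == "__main__":
    status, body = transfer_package()
    print(status, len(body), "bytes fetched via loopback, intact:", body == DEMO_PACKAGE)
```

The point the model makes visible: from the device's side every connection is either outbound or to loopback, so a PC-side firewall that blocks inbound connections to the PC is irrelevant to the transfer, while a PC-side product that breaks the tool's outbound relay channel stops it entirely, which matches the "firewall/antivirus must be disabled" observation in #496. It also means whatever trust the device attaches to a loopback download is really trust in the attached PC; whether that buys anything depends on the package verification done in the navcore, which the thread has not yet characterised.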
