Welcome guest, is this your first visit? Click the "Create Account" button now to join.
Page 1 of 2 12 LastLast
Results 1 to 10 of 12
  1. #1
    Junior Member
    Join Date
    Aug 2013
    Location
    Earth
    Posts
    2
    Rep Power
    0

    Default TomTom Carminat Live UART

    Hello everybody,

    It is all about Ecran A7 259153411R from Renault Megane 3 2012.

    I got the access to the Carminat UART console.

    So, here is photo of connection points:
    Spoiler: Uart
    2emq6ia

    If it doesn't work just switch rx and tx.
    Baudrate: 115200

    Here is boot log:
    Spoiler: Bootlog
    Code:
    Please Login or Register to see the links


    Bootloader is locked. I can't get access to the u-boot console and it's the main problem.
    But there is full root access to the linux.
    So I decided to play with it. From the boot log you can see that the root is mounting from the /content/rootfs.img. It is the internal 2Gb mmc drive.
    And there is write access to that drive.
    I tried to run external applications from sd card(/media/sdcard), but got permission denied.
    After some investigation I found out that all file systems except root are mounted with noexec option and 'mount -o remount,exec' can't remove it.
    But there is support for 'mount -o bind'. It allows to mount directories and files from sd card to the directories and files on the root partition. It does not allow to exec external binaries, but we can replace config files.

    From the u-boot partition I got some u-boot config options:
    Spoiler: u-boot options
    Code:
    Please Login or Register to see the links


    In this config we can see that there are two boot scenarios. First use partition 5 (/content) and is default. Second is rescue and will boot kernel image from partition 1(have backup of this partition). Second will boot if first failed.

    So, I decided to try dangerous thing. I did the next:
    cd /content
    cp zImage z1mage #backup original kernel
    cp rootfs.img rootfs.1mg #backup original root partition
    cp /media/sdcard/9.844/zImage ./ #replace kernel with older one. I have navcore 9.884
    cp /media/sdcard/9.844/rootfs.img ./ #replace rootfs with older one.
    And before the end of last command I got failed. Got read error for cp tool. It was bad idea trying copy file to the file which was mounted as a root partition.
    The correct(not tested) algorithm is:
    Code:
    Please Login or Register to see the links
    If it will be success, we can add and replace tools in the rootfs. For example tomplayer or patched ttn binary to load maps.

    For now I have infinity reboot:
    1. U-boot loads zImage successfully.
    2. Kernel tries to mount rootfs.img, but it is broken.
    3. Repeat previous step ten times
    4. Reboot.


    From that I understand that the kernel does not check rootfs.img checksum. It means that we can easy modify it.

    To restore my device I have few variants:
    1. Get access to u-boot and change kernel options to boot rootfs from rootfs.1mg.
    2. Get access to the flash directly with some kind of jtag or programmer.

    If you know how to break u-boot boot process and get console access, please, help.
    I tried different combinations: ctrl+c; ~;`; space+1;. Nothing helps(


    P.S. I am not going to stop and will order another device.

  2.    Advertissements


  3. #2
    Junior Member
    Join Date
    Aug 2013
    Location
    Earth
    Posts
    2
    Rep Power
    0

    Default

    Got direct access to the internal memory!!! Probably can change bootloader.
    Does anybody has bootloader, kernel and rootfs from 8.844 version?

  4. #3
    GPSPower Helper TomTom Carminat Live UART
    TomTom Carminat Live UART
    QUIN1965's Avatar
    Join Date
    May 2012
    Location
    al lado del mundo
    Age
    58
    Posts
    604
    Rep Power
    796

    Default

    Quote Originally Posted by sSpeaker View Post
    Got direct access to the internal memory!!! Probably can change bootloader.
    Does anybody has bootloader, kernel and rootfs from 8.844 version?
    No boot navcore carminat 8.844,8840,8841,8842



    How to unhide links: After clicking LIKE this post, hidden links will be available.

    [Only registered and activated users can see links. ]

  5. #4
    Junior Member
    Join Date
    Apr 2015
    Location
    Amsterdam
    Age
    63
    Posts
    1
    Rep Power
    0

    Default

    Hi sSpeaker,

    I am very interested in your activities in this area!
    I think it is a nice attempt to open-up a device that has been locked-down by the vendor.

    Any luck so far, despite the fact that apparently, a boot loader isn't directly available?

    Quote Originally Posted by sSpeaker View Post
    Got direct access to the internal memory!!! Probably can change bootloader.
    Does anybody has bootloader, kernel and rootfs from 8.844 version?

  6. #5
    Junior Member
    Join Date
    Aug 2017
    Location
    home
    Posts
    2
    Rep Power
    0

    Default

    Interested in the progress made to this post -- although fearing it is long dead.

    What happens when the recovery partition boots?
    Could that allow to have wider access to the system?

    AFAIK, there is available the SD card of NC 8.841 which should contain all requested materials.

    To break U-Boot, have you tried with minicom?

  7. #6
    VIP Master TomTom Carminat Live UART
    TomTom Carminat Live UART
    sylpa27's Avatar
    Join Date
    Mar 2014
    Location
    EC
    Posts
    67
    Rep Power
    41

    Default

    @flipybcn,

    Are you talking of 8.841 version or 9.8xx version?
    8.841 is a carminat Tomtom non live version. Tutorial is [Only registered and activated users can see links. ].

  8. #7
    Junior Member
    Join Date
    Aug 2017
    Location
    home
    Posts
    2
    Rep Power
    0

    Default

    I meant 9.841, and actually, 9.846 or lower as it seems those can be patched.

  9. #8
    Pro-Member kitos's Avatar
    Join Date
    Mar 2017
    Location
    In world
    Posts
    382
    Rep Power
    0

    Default

    any news????? In the hacking progrees¿
    I have 2 tomtom units for tests

    If anyone needs please send me a PM.

  10. #9
    Master janch's Avatar
    Join Date
    Jun 2010
    Location
    Hell
    Posts
    1,835
    Rep Power
    804

    Default

    This is the only "hacked"solution available for Carminat Live:
    [Only registered and activated users can see links. ]

  11. #10
    Pro-Member kitos's Avatar
    Join Date
    Mar 2017
    Location
    In world
    Posts
    382
    Rep Power
    0

    Default

    Yes, he knew that, It would be nice if you could explain to me how to find the rx and tx ports in the tomtom plates, since I have two tomtom plates in which we could get interesting information.

 

 

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •