Topic: Extracting firmware from generic Chinese car headunit.


Offline Crawlie69

  • Contributor
  • Posts: 27
  • Country: dk
Extracting firmware from generic chinese car headunit.
« on: November 29, 2021, 08:31:50 pm »
Hey everyone - Long story short: I want to extract the firmware from my generic Chinese headunit. I've done something similar in the past (well, someone smarter than me did it LOL). I've already dumped the firmware from the headunit, and have been examining the firmware by the ways I know of.

- I've run DMDE on it (No results)
- Ran binwalk on it (Gave a lot of interesting results)
- Searched for filesystems (There is definitely one or more of them)
- Looked for clues as to what kind of partitions there might be (No results)

What I know so far is: the operating system appears to be 'eCos'.
I'm not entirely sure, because the processor's identification has been washed away, but my guess is that it is some type of ARM processor.
I've found boot sections, uImage headers, and lots of LZMA compressed data.

Ultimately the end goal is to replace the boot logo (I've already extracted some photos from the firmware that I've never seen when using the unit itself, but I haven't found the boot logo so far), but I'd love to extract the firmware totally and have fun browsing around and exploring :D

Hopefully someone in here, can help me on my way.

Thanks!

(I've attached the firmware below.)

(I have to attach the firmware this way because the file is too large otherwise:)

https://easyupload.io/mgdsr0
 

Offline fzabkar

  • Super Contributor
  • ***
  • Posts: 1297
  • Country: au
Re: Extracting firmware from generic chinese car headunit.
« Reply #1 on: November 29, 2021, 11:29:30 pm »
Attached are the JPEGs that I was able to extract with JPEGSnoop.

Image #12 is a welcome screen.

Offset 0xB30000 appears to be the beginning of a JFFS2 flash file system. It appears to have 56 files.

These appear to be the magic numbers:

    85 19 01 e0 - 56 hits (file name & attributes)
    85 19 03 20 - 26 hits (64K boundary)
    85 19 02 e0 - 257 hits (file segments)

After carving it out, you should be able to mount the JFFS2 image in Linux.
« Last Edit: November 30, 2021, 03:54:23 am by fzabkar »
 

Crawlie69
Re: Extracting firmware from generic chinese car headunit.
« Reply #2 on: November 30, 2021, 02:09:58 pm »
Hey fzabkar - Thanks for taking a look at it  :D

I managed to extract those images as well using binwalk, but what's so odd is that I've never seen any of the images when using the headunit in the car, and the boot image is the exact one that my previous headunit had (if you remember that), so why and where that welcome screen comes from is really weird. :o

Great stuff with the JFFS2 flash file system - I'll do my best to carve it out, and mount it if i'm able to. Thanks!
 

Offline coromonadalix

  • Super Contributor
  • ***
  • Posts: 3624
  • Country: ca
Re: Extracting firmware from generic chinese car headunit.
« Reply #3 on: November 30, 2021, 03:26:10 pm »
What is the radio model? The CPU model and/or the MCU version in the system info?

Some radios have hidden menus with configurable boot menus / logos.

You can find some help on the XDA forums / Android head units.
 

Crawlie69
Re: Extracting firmware from generic chinese car headunit.
« Reply #4 on: November 30, 2021, 03:49:48 pm »
I'd love to know as well, but unfortunately there doesn't appear to be any such information within the user interface of the radio, and upon disassembling it, I found that the main processing unit has had its identification washed away. My guess is that this is done to make it harder to tamper with or replicate by other manufacturers. The model number on the radio says 7013, but there's a dozen different models sharing that model number. Sorry :D
 

fzabkar
Re: Extracting firmware from generic chinese car headunit.
« Reply #5 on: November 30, 2021, 04:53:29 pm »
I found this JPEG in the JFFS2 image (file name = 0.bin). There appear to be 26 more of them (0.bin -> 26.bin). They contain embedded JFFS2 metadata, so you can't just carve them out directly. That's probably why JPEGSnoop didn't find them.

Edit:

I found a VW logo (1.bin). Is that what you are looking for?

« Last Edit: November 30, 2021, 07:44:05 pm by fzabkar »
 

Crawlie69
Re: Extracting firmware from generic chinese car headunit.
« Reply #6 on: November 30, 2021, 08:09:42 pm »
Wow, great stuff. I spent the good half of this evening searching for all possible documentation about the JFFS2 filesystem, and tried figuring out how to extract it from the firmware dump. Seems very complicated :/

- And yup! The blue image saying "HD MP5" is the boot logo, which is the exact one my previous headunit also had. Funny. Cool you found a VW logo as well. I wonder why they didn't make an option to change this boot logo, when they're all within the firmware anyway...

I looked at the offsets you provided earlier, and I see strings saying "JFFS2", but I don't understand how one would extract this filesystem, and maybe mount it as well. There must be some way to convert this data into regular folders and pictures, as they once were before they were compiled, right?

THANKS fzabkar! I truly wish I was as smart as you :)
 

Crawlie69
Re: Extracting firmware from generic chinese car headunit.
« Reply #7 on: November 30, 2021, 08:12:11 pm »
Sorry for the eagerness LOL. I think I've found a great page describing how to mount the JFFS2 filesystem on a regular Linux PC. I think all the documentation I read made me overcomplicate the process, because examining your JFFS2 image file shows me that you literally just extracted the JFFS2 filesystem from within the firmware image. I think I understand it better now!
« Last Edit: November 30, 2021, 08:20:07 pm by Crawlie69 »
 

Crawlie69
Re: Extracting firmware from generic chinese car headunit.
« Reply #8 on: November 30, 2021, 10:18:38 pm »
Ah well. Finally got it working. I noticed there's a lot less information than I wanted. I wonder if it's stored within the JFFS2 filesystem... Must be?.. Might be in some of those bin files, if they're not all pictures. Examining the files, many of them aren't readable, so they must be compressed... or something like that? :D
 

fzabkar
Re: Extracting firmware from generic chinese car headunit.
« Reply #9 on: November 30, 2021, 11:37:03 pm »
Nice work!

The numbered .bin files are JPEGs. Most of the other files appear to be copies of the same JPEGs. :-?

The JPEGs won't open in an image viewer because they are prefixed with a 32-bit size value.

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  00 00 E1 03 FF D8 FF E1 00 18 45 78 69 66 00 00  ..á.ÿØÿá..Exif..
          ^^^^^^^^^^^ *****
JPEG size = 0xE103    beginning of JPEG = 0xFFD8

00000010  49 49 2A 00 08 00 00 00 00 00 00 00 00 00 00 00  II*.............
00000020  FF EC 00 11 44 75 63 6B 79 00 01 00 04 00 00 00  ÿì..Ducky.......
00000030  46 00 00 FF E1 03 2F 68 74 74 70 3A 2F 2F 6E 73  F..ÿá./http://ns
00000040  2E 61 64 6F 62 65 2E 63 6F 6D 2F 78 61 70 2F 31  .adobe.com/xap/1
........
0000E100  00 00 00 00 07 FF D9
                         ^^^^^ end of JPEG = 0xFFD9


Edit:

I think there are 17 files missing from your extracted list (e.g. airplay_ROM.bin). :-?

In fact all those files with text names and no .bin extension (airplay, android_auto, autolink, etc) should be zero sized files. Maybe these files are confusing your extraction tool?

18.bin is compressed. It can be decompressed with 7Zip.

2.bin should be a JPEG, but it hasn't been extracted correctly. In fact I think many files have been extracted incorrectly.



I think the easiest way to replace your welcome screen with the VW logo would be to swap the names of the 0.bin and 1.bin files. However, you would need to recalculate the CRCs for each file. If you are able to properly mount the file system image in Linux, then Linux should automatically handle the CRC updates after you rename the files ... I think.


Edit:

Could those zero-sized files actually be directories?
« Last Edit: December 01, 2021, 01:28:27 am by fzabkar »
 

Crawlie69
Re: Extracting firmware from generic chinese car headunit.
« Reply #10 on: December 01, 2021, 01:16:03 pm »
Thanks!

I just used a script i found which does all the work for you "unjffs2".

I'm guessing the mounting operation has gone wrong somehow - I think i'll try mounting it a different way if possible, to see if the results are different.

So far the extracted filesystem looks odd to me - There's too much missing, and the extracted files also appear rather weird to me. I think you're right.

Thanks for the help so far fzabkar :)
 

Crawlie69
Re: Extracting firmware from generic chinese car headunit.
« Reply #11 on: December 01, 2021, 04:05:20 pm »
Alright... So things just got a lot funnier!! :D

 

fzabkar
Re: Extracting firmware from generic chinese car headunit.
« Reply #12 on: December 01, 2021, 04:28:38 pm »
That's better!

I have attached your JPEGs.

Edit:

My first compilation was wrong (I stripped the first 3 bytes instead of the first 4 bytes).
« Last Edit: December 01, 2021, 05:23:39 pm by fzabkar »
 

Crawlie69
Re: Extracting firmware from generic chinese car headunit.
« Reply #13 on: December 01, 2021, 04:35:55 pm »
Thanks! - Stupid question - How did you convert them to JPEGs, and how would I convert them back to bin files before remaking the JFFS2?

- Also, weird side note: I'm not able to open or view the JPEGs in Photoshop, Paint or my Windows media viewer. Am I doing something wrong? :D
 

fzabkar
Re: Extracting firmware from generic chinese car headunit.
« Reply #14 on: December 01, 2021, 05:25:16 pm »
Sorry, I have repaired the JPEGs. I made the mistake of stripping the first 3 bytes instead of the first 4 bytes. Strangely, PaintShop Pro still managed to display the images.

You can re-download the repaired archive in my previous post.
« Last Edit: December 01, 2021, 05:29:44 pm by fzabkar »
 

fzabkar
Re: Extracting firmware from generic chinese car headunit.
« Reply #15 on: December 01, 2021, 05:43:40 pm »
You can swap the 0.bin and 1.bin file names by editing the following bytes:

Code:
Offset(h) 00       04       08       0C

00B30000                             851901E0              …..à
00B30010  2D000000 3A314D58 01000000 00000000  -...:1MX........
00B30020  02000000 A596EF60 05080000 A77004A0  ....¥–ï`....§p.
00B30030  74E3AAB4 302E6269 6EFFFFFF           t㪴0.binÿÿÿ
                   ^^                              ^
                   change 0x30 to 0x31            "0" -> "1"

Code:
Offset(h) 00       04       08       0C

00B3E360           851901E0 2D000000 3A314D58      …..à-...:1MX

00B3E370  01000000 01000000 03000000 A596EF60  ............¥–ï`
00B3E380  05080000 59ADC995 C4CACA89 312E6269  ....Y.É•ÄÊʉ1.bi
                                     ^^                    ^
                    change 0x31 to 0x30            "1" -> "0"

00B3E390  6EFFFFFF                             nÿÿÿ

When you mount the edited JFFS2.img file, I expect that Linux will complain about CRC errors. Hopefully the error message will report the expected and actual CRCs. If so, then we can patch the appropriate bytes.
« Last Edit: December 01, 2021, 06:15:47 pm by fzabkar »
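Added example (my own code, not from fzabkar or Crawlie69): a small Python walker for the node headers listed in Reply #1 and the in-place rename plus CRC fix-up proposed in Reply #15. The byte patterns "85 19 01 e0" / "85 19 02 e0" / "85 19 03 20" are the little-endian JFFS2 magic 0x1985 followed by the node type (0xE001 dirent, 0xE002 inode, 0x2003 cleanmarker) as defined in the Linux jffs2.h header, and JFFS2's CRC is the kernel's crc32_le with seed 0 and no final inversion, which is what jffs2_crc() reproduces with zlib. The dirent bytes in FORUM_DIRENT are copied from the dump quoted above; the two-file mini-image in swap_names_demo() is constructed here, and the struct offsets (nsize at 28, node_crc at 32, name_crc at 36, name at 40) are assumptions I checked against that dump.

```python
import struct
import zlib

# On-flash constants from the Linux jffs2.h header.  The dump in this thread is
# little-endian, which is why 0x1985 / 0xE001 appear in the hex as "85 19 01 e0".
JFFS2_MAGIC = 0x1985
NODETYPE_DIRENT = 0xE001       # "85 19 01 e0": name -> inode number (plus parent, version)
NODETYPE_INODE = 0xE002        # "85 19 02 e0": inode metadata and one data fragment
NODETYPE_CLEANMARKER = 0x2003  # "85 19 03 20": start of a cleanly erased block
HDR = struct.Struct("<HHII")               # magic, nodetype, totlen, hdr_crc
DIRENT = struct.Struct("<HHIIIIIIBBxxII")  # header + pino, version, ino, mctime, nsize, type, node_crc, name_crc
NSIZE_OFF = 28                             # assumed struct offsets, checked against the dump above
NAME_CRC_OFF = DIRENT.size - 4             # name_crc is the last field; the name follows the struct
PADDING = 0xFF                             # erased NOR flash reads as 0xFF


def jffs2_crc(data) -> int:
    """JFFS2's crc32(0, ...) is the kernel crc32_le with seed 0 and no final
    inversion; in zlib terms that is a CRC started at 0xFFFFFFFF and inverted once."""
    return zlib.crc32(data, 0xFFFFFFFF) ^ 0xFFFFFFFF


def scan_nodes(img):
    """Yield (offset, nodetype, totlen) for each node whose header CRC checks out.
    Nodes are 4-byte aligned, so a bogus magic (or a corrupt node) just moves the
    scan on by four bytes instead of trusting its totlen."""
    off = 0
    while off + HDR.size <= len(img):
        magic, ntype, totlen, hdr_crc = HDR.unpack_from(img, off)
        if magic == JFFS2_MAGIC and totlen >= HDR.size and hdr_crc == jffs2_crc(img[off:off + 8]):
            yield off, ntype, totlen
            off += (totlen + 3) & ~3
        else:
            off += 4


def parse_dirent(img, off) -> dict:
    f = DIRENT.unpack_from(img, off)
    nsize, node_crc, name_crc = f[8], f[10], f[11]
    name = bytes(img[off + DIRENT.size:off + DIRENT.size + nsize])
    return {"pino": f[4], "version": f[5], "ino": f[6], "type": f[9], "name": name,
            # node_crc covers the struct minus its own two CRC fields; name_crc covers the name
            "node_crc_ok": node_crc == jffs2_crc(img[off:off + DIRENT.size - 8]),
            "name_crc_ok": name_crc == jffs2_crc(name)}


def build_dirent(pino, version, ino, mctime, name: bytes, ftype=8) -> bytes:
    """Assemble a dirent node with all three CRCs filled in (ftype 8 = regular file)."""
    hdr = HDR.pack(JFFS2_MAGIC, NODETYPE_DIRENT, DIRENT.size + len(name), 0)[:8]
    hdr += struct.pack("<I", jffs2_crc(hdr))
    body = hdr + struct.pack("<IIIIBBxx", pino, version, ino, mctime, len(name), ftype)
    node = body + struct.pack("<II", jffs2_crc(body), jffs2_crc(name)) + name
    return node + bytes([PADDING]) * (-len(node) % 4)   # pad to the 4-byte node alignment


def build_cleanmarker() -> bytes:
    hdr = HDR.pack(JFFS2_MAGIC, NODETYPE_CLEANMARKER, HDR.size, 0)[:8]
    return hdr + struct.pack("<I", jffs2_crc(hdr))


def rename_dirent(img: bytearray, off: int, new_name: bytes) -> None:
    """Patch a dirent's name in place and refresh name_crc.  Only same-length renames
    are handled: nsize is under node_crc and totlen under hdr_crc, so a length change
    would mean recomputing those too and re-padding the node."""
    if len(new_name) != img[off + NSIZE_OFF]:
        raise ValueError("only same-length renames are supported")
    img[off + DIRENT.size:off + DIRENT.size + len(new_name)] = new_name
    struct.pack_into("<I", img, off + NAME_CRC_OFF, jffs2_crc(new_name))


# The "0.bin" dirent quoted from the dump at 0xB3000C in this thread.
FORUM_DIRENT = bytes.fromhex(
    "851901E0 2D000000 3A314D58 01000000 00000000 02000000"
    "A596EF60 05080000 A77004A0 74E3AAB4 302E6269 6EFFFFFF")


def swap_names_demo():
    """Constructed mini-image: cleanmarker + two root dirents (pino 1) named like the
    0.bin / 1.bin pair in the thread; swap the names, then re-verify every CRC."""
    img = bytearray(build_cleanmarker()
                    + build_dirent(1, 0, 2, 0x60EF96A5, b"0.bin")
                    + build_dirent(1, 1, 3, 0x60EF96A5, b"1.bin"))
    dirents = [off for off, ntype, _ in scan_nodes(img) if ntype == NODETYPE_DIRENT]
    rename_dirent(img, dirents[0], b"1.bin")
    rename_dirent(img, dirents[1], b"0.bin")
    return [(d["name"].decode(), d["ino"], d["node_crc_ok"] and d["name_crc_ok"])
            for d in (parse_dirent(img, off) for off, ntype, _ in scan_nodes(img)
                      if ntype == NODETYPE_DIRENT)]


if __name__ == "__main__":
    print(parse_dirent(FORUM_DIRENT, 0))
    print(swap_names_demo())
```

The in-place swap only needs name_crc refreshed because the name bytes sit outside the 32 bytes that node_crc covers; the Linux driver itself never edits a dirent in place but appends a new one with a higher version on rename, which is why a mount, rename, unmount cycle also produces a valid image. Keep the original dump untouched, diff the patched image against it before writing anything back, and expect the driver to reject the image if the patch lands on a node whose CRC no longer matches.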
 

Crawlie69
Re: Extracting firmware from generic chinese car headunit.
« Reply #16 on: December 01, 2021, 06:18:48 pm »
Thanks! Dunno if I'll get it sorted out tonight, but will work on it ASAP. Might even try making my own JPEG, and then just replace the boot image; that way I might be able to not swap the bin file names as well. Regarding the CRC, apparently it should be possible for Linux to just fix that, but I don't know yet :D You'll hear from me soon again - and THANKS for the help :D
 

fzabkar
Re: Extracting firmware from generic chinese car headunit.
« Reply #17 on: December 01, 2021, 06:38:24 pm »
After you create your own JPEG, you need to prefix the file with a 32-bit big-endian dword which reflects the size of the JPEG.

The image resolution is 1024 x 600 x 24-bit.
 

Crawlie69
Re: Extracting firmware from generic chinese car headunit.
« Reply #18 on: December 01, 2021, 07:03:22 pm »
I wasn't aware of that. Will do my best - you'll probably hear from me again soon. Lol :) THANKS :-+
 

fzabkar
Re: Extracting firmware from generic chinese car headunit.
« Reply #19 on: December 01, 2021, 10:37:16 pm »
I have decompressed all the ROMs.

All but one of the ROMs were encoded using a simple XOR.

For example, here is airplay\airplay_ROM.bin:

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  10 4D 4D CD 4D B5 DC 45 4D 4D 4D 4D 4D 4D 33 4D

If we XOR each byte with 0x4D, we get ...

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  5D 00 00 80 00 F8 91 08 00 00 00 00 00 00 7E 00

The result can then be decompressed with 7Zip.
« Last Edit: December 02, 2021, 06:46:06 pm by fzabkar »
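Added example (my own code, not from this thread): the XOR-then-decompress step above, done in Python so the key does not have to be eyeballed. The decoded bytes "5D 00 00 80 00 ..." are the 13-byte header of a raw LZMA stream (the .lzma "alone" format 7-Zip opens): a properties byte encoding lc/lp/pb, a 32-bit dictionary size and a 64-bit uncompressed size. Two facts make the key recoverable without guessing: the default properties byte is 0x5D, and most of the header is zero bytes, so the most common byte in the obfuscated header is the key. FORUM_ROM_HEAD is copied from the airplay_ROM.bin dump above; make_rom() builds constructed input for the round trip, and the plausibility limits on the dictionary size are my assumptions.

```python
import lzma
import struct
from collections import Counter

ALONE_HDR = struct.Struct("<BIQ")  # LZMA-alone header: properties, dictionary size, uncompressed size
UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF  # streaming encoders (liblzma included) write this instead of a size

# First 16 bytes of airplay_ROM.bin as quoted in the thread.
FORUM_ROM_HEAD = bytes.fromhex("10 4D 4D CD 4D B5 DC 45 4D 4D 4D 4D 4D 4D 33 4D")


def xor_bytes(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)


def key_by_frequency(blob: bytes) -> int:
    """Most common byte in the first 13 bytes.  With a known uncompressed size the
    header is mostly 0x00, so this is the key; a streaming encoder fills the size
    with 0xFF instead, in which case this returns key ^ 0xFF and the known-plaintext
    guess below is the one to trust."""
    return Counter(blob[:ALONE_HDR.size]).most_common(1)[0][0]


def key_by_known_plaintext(blob: bytes) -> int:
    """Encoders using the default lc=3, lp=0, pb=2 emit properties byte 0x5D first.
    The guess is checked against the rest of the decoded header: props must be
    below 9*5*5 and the dictionary size plausible (limits are an assumption)."""
    key = blob[0] ^ 0x5D
    props, dict_size, _ = ALONE_HDR.unpack(xor_bytes(blob[:ALONE_HDR.size], key))
    if props >= 225 or not 4096 <= dict_size <= 1 << 30:
        raise ValueError("decoded header is not LZMA-alone; not a single-byte XOR of a default stream")
    return key


def parse_alone_header(blob: bytes) -> dict:
    props, dict_size, usize = ALONE_HDR.unpack_from(blob)
    lc, rest = props % 9, props // 9
    return {"lc": lc, "lp": rest % 5, "pb": rest // 5, "dict_size": dict_size,
            "uncompressed_size": None if usize == UNKNOWN_SIZE else usize}


def decode_rom(blob: bytes) -> bytes:
    """XOR-decode with the recovered key, then inflate the raw LZMA stream."""
    key = key_by_known_plaintext(blob)
    return lzma.decompress(xor_bytes(blob, key), format=lzma.FORMAT_ALONE)


def make_rom(payload: bytes, key: int = 0x4D) -> bytes:
    """Constructed test input: compress to LZMA-alone and apply the same obfuscation."""
    return xor_bytes(lzma.compress(payload, format=lzma.FORMAT_ALONE), key)


if __name__ == "__main__":
    key = key_by_known_plaintext(FORUM_ROM_HEAD)
    print(f"key = {key:#04x}, frequency guess = {key_by_frequency(FORUM_ROM_HEAD):#04x}")
    print(parse_alone_header(xor_bytes(FORUM_ROM_HEAD, key)))
    sample = b"eCos ROM payload " * 200
    assert decode_rom(make_rom(sample)) == sample
```

The ROM that did not decode this way will make key_by_known_plaintext() raise, which is the intended signal that it uses something other than a single-byte XOR over a default-settings stream; the header check is what stops a wrong key from being fed to the decompressor and producing garbage. For the thread's dump the parsed header gives an 8 MiB dictionary and an uncompressed size of 561,656 bytes, which is a quick sanity check on the output length after decompression.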
 

Crawlie69
Re: Extracting firmware from generic chinese car headunit.
« Reply #20 on: December 02, 2021, 09:57:12 am »
Nice work! Would love to know more about these ROMs, and how they're run within the firmware. I also wonder how the rest of the firmware would be extracted. I see boot images (I believe?) and other cool stuff. Doesn't appear to be stored in any weird filesystem format, because a lot of it is readable straight from the firmware dump, but how it would be extracted I don't know yet :D

Edit:

Maybe some of the data recovery programs could work? DMDE didn't give me any results, which I find weird because there appear to be lots of files visible outside the JFFS2 file system.. Would love to get the rest 'carved out' just cause.. Why not? ;D

Edit:

Could the rest of the firmware just be stored in a simple UFS file system? Examining the decompressed ROMs reveals Unix paths, which appear to be stored outside the JFFS2 file system. The JFFS2 file system pretty much only seems to contain the pictures for boot and ROMs for CarPlay, Android Auto, Apple's iAP2, the Chinese 'CarLife' and WFD. Seems like they just stacked the JFFS2 file system on top of the existing firmware, which also explains why it's pretty much identical to my last firmware from the user interface.
« Last Edit: December 02, 2021, 11:42:27 am by Crawlie69 »
 

fzabkar
Re: Extracting firmware from generic chinese car headunit.
« Reply #21 on: December 02, 2021, 04:48:48 pm »
DMDE (and all data recovery programs) look for file signatures at specific sector offsets. For example, a JPEG file in an NTFS file system starts with 0xFF 0xD8 at offset 0 within the sector. Your embedded JPEGs, on the other hand, are all over the place.

There is a block of JPEGs in the eCOS section between offsets 0x33E510 and 0x41DC1D. The preceding data look like graphical bitmaps, but I can't identify the beginning and end of each file. There must be some kind of directory which tells the firmware where to find each file, but I can't see it.

You can see the beginning of the first file after the last JPEG. It appears to contain bitmap data (not compressed), but I can't think what image format it could be.

Code:
Offset(h) 00       04       08       0C

0041DC10  00000000 00000000 00000007 FFD90000
                                     ^^^^
                              end of last JPEG

0041DC20  14001100 08000000 CCF34198 14001100
          ^^^^^^^^
          beginning of next file

0041DC30  08000000 20F54198 0E000000 AC004C98
0041DC40  0E000000 2C004C98 3F000000 A4B05098
« Last Edit: December 02, 2021, 05:51:43 pm by fzabkar »
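Added example (my own code, not from this thread) covering three points made above: the 4-byte big-endian size prefix on the numbered .bin files (Reply #9 and #17), the 1024x600 requirement for a replacement image (Reply #17), and carving JPEGs that sit at arbitrary byte offsets rather than on sector boundaries (Reply #21). A signature carver that stops at the first FF D9 it sees is unreliable, because FF D9 can occur inside marker segments such as EXIF thumbnails; walking the marker structure and skipping the entropy-coded scan data (where an FF byte is always followed by 00 or an RSTn) finds the real end and also rejects random FF D8 bytes that are not an image. The marker-only JPEGs built by tiny_jpeg() and the dump from sample_dump() are constructed here; the panel size is taken from Reply #17.

```python
import struct

SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7, 0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}   # TEM and RST0..RST7 carry no length field


def walk_jpeg(buf: bytes, start: int):
    """Yield (marker, offset, length) for every segment from the SOI at `start` up to
    and including EOI.  Raises ValueError when the structure breaks, which is how a
    false-positive SOI (random FF D8 bytes) is told apart from a real image."""
    if buf[start:start + 2] != b"\xff\xd8":
        raise ValueError("no SOI")
    pos = start + 2
    while pos + 2 <= len(buf):
        if buf[pos] != 0xFF:
            raise ValueError(f"expected a marker at {pos:#x}")
        marker = buf[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                 # EOI
            yield marker, pos, 2
            return
        if marker in NO_LENGTH:
            yield marker, pos, 2
            pos += 2
            continue
        if pos + 4 > len(buf):
            break
        seglen = struct.unpack_from(">H", buf, pos + 2)[0]
        yield marker, pos, 2 + seglen
        pos += 2 + seglen
        if marker == 0xDA:                 # SOS: skip entropy-coded data; FF is followed by 00 or RSTn there
            while True:
                nxt = buf.find(b"\xff", pos)
                if nxt < 0 or nxt + 1 >= len(buf):
                    raise ValueError("ran off the end inside scan data")
                if buf[nxt + 1] != 0x00 and not 0xD0 <= buf[nxt + 1] <= 0xD7:
                    pos = nxt
                    break
                pos = nxt + 2
    raise ValueError("truncated JPEG")


def jpeg_end(buf: bytes, start: int) -> int:
    """Offset just past the EOI of the JPEG that starts at `start`."""
    for marker, off, length in walk_jpeg(buf, start):
        if marker == 0xD9:
            return off + length
    raise ValueError("no EOI")


def jpeg_dimensions(buf: bytes, start: int = 0):
    """(width, height) from the first SOFn segment."""
    for marker, off, _ in walk_jpeg(buf, start):
        if marker in SOF_MARKERS:
            _precision, height, width = struct.unpack_from(">BHH", buf, off + 4)
            return width, height
    raise ValueError("no SOF segment")


def carve_jpegs(dump: bytes):
    """(start, end) of every JPEG in a raw dump, at any byte offset."""
    found, pos = [], 0
    while (start := dump.find(b"\xff\xd8\xff", pos)) >= 0:
        try:
            end = jpeg_end(dump, start)
        except ValueError:
            pos = start + 1                # not an image, keep looking
            continue
        found.append((start, end))
        pos = end
    return found


def unwrap_prefixed(blob: bytes) -> bytes:
    """Strip the 32-bit big-endian size prefix used by the numbered .bin files."""
    size = struct.unpack_from(">I", blob)[0]
    body = blob[4:4 + size]
    if len(body) != size or jpeg_end(body, 0) != size:
        raise ValueError("size prefix does not match the JPEG that follows it")
    return body


def wrap_prefixed(jpeg: bytes, width: int = 1024, height: int = 600) -> bytes:
    """Build a replacement .bin: check the panel resolution, then prepend the size."""
    if jpeg_dimensions(jpeg) != (width, height):
        raise ValueError(f"image must be {width}x{height} for this panel")
    return struct.pack(">I", len(jpeg)) + jpeg


def tiny_jpeg(width: int, height: int) -> bytes:
    """Constructed marker-only JPEG (SOI, SOF0, SOS, stuffed scan bytes, EOI).
    Not decodable, but it exercises every path the carver takes."""
    sof0 = b"\xff\xc0" + struct.pack(">HBHHB", 17, 8, height, width, 3) + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01"
    sos = b"\xff\xda" + struct.pack(">HB", 8, 1) + b"\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"   # FF 00 stuffing and an RST0 must not end the image
    return b"\xff\xd8" + sof0 + sos + scan + b"\xff\xd9"


def sample_dump() -> bytes:
    """Constructed dump: a false SOI, then two images at odd, unaligned offsets."""
    return (b"\xff\xd8\xff\x00" + b"\xaa" * 9 + tiny_jpeg(1024, 600)
            + b"\x00" * 5 + tiny_jpeg(800, 480) + b"\xbb" * 3)
```

Run carve_jpegs() over the whole dump and the JFFS2 region alike: the first reports the eCOS-section images with their true extents, the second will mostly return garbage because the JFFS2 data nodes interleave their own headers with the JPEG bytes, which is the reason the files have to come out through the file system rather than by signature. For a replacement boot image, wrap_prefixed() refuses anything that is not 1024x600, and unwrap_prefixed() is the check to run on the original 0.bin before trusting the prefix convention for a given unit.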
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 7814
Re: Extracting firmware from generic chinese car headunit.
« Reply #22 on: December 03, 2021, 04:13:34 am »
LOL @ JPEG #6...

Based on strings "8368-U" "8368-U-X" "8268K-WC" etc. found in some of the firmware files, this is probably one of these: https://www.sunplus.com/products/adas.asp
Unfortunately, like a lot of SoCs, detailed information on them is hard to find.
 

Crawlie69
Re: Extracting firmware from generic chinese car headunit.
« Reply #23 on: December 11, 2021, 10:59:09 am »
Sorry for the late reply - I've been very busy  :D

amyk: - Cool stuff - Seems that I was right in assuming it was some kind of ARM processor lol. :) I've had this happen multiple times, and it kinda makes the reverse engineering process harder, because without any datasheets it's harder to get an idea of how the firmware works in relation to the processor. I thought multiple times about the possibility of running the firmware in QEMU to have a live debugging environment, but I don't know if it's possible or even worth it.

fzabkar: Makes sense with DMDE, but I don't understand why it isn't possible to scan all over the place instead of scanning specific sector offsets? - Maybe I don't really understand how it works. However, since it's 99% sure that the firmware is based on some kind of version of eCos, which is open-source, would it be worth it reading the documentation about eCos? There must be a lot of 'default' settings or ways to set up the firmware, hence there must be a way to really debug and decompile the firmware, right? Or at least run it in a live environment somehow. Would love if there was some way to maybe bring up a terminal or console of some kind.

Thanks!

Edit:
After reading documentation about eCos and trying everything possible to extract the kernel and LZO compressed data, poking around the uImage header information, trying to understand the U-Boot images, etc., I truly think it's too hard to accomplish with the limited information available online, along with my limited knowledge. I think the first goal therefore will be to replace the boot image, and then at some point I hopefully will be able to modify more stuff.

Future goals will be to adjust the screen resolution a bit if possible, and modify some of the graphical user interface, as i'd love to modernize it a bit.

Edit2:
Will start working on replacing the boot image :D I think I'll go the more simple route and just swap the existing VW logo with the current boot image, like you suggested fzabkar. Will let you know how it goes :)
« Last Edit: December 11, 2021, 09:17:10 pm by Crawlie69 »
 

fzabkar
Re: Extracting firmware from generic chinese car headunit.
« Reply #24 on: December 12, 2021, 08:17:43 pm »
If you want to use your own custom image, I would mount the JFFS2 file system in Linux, rename 0.bin to w.bin, say, copy your new image to 0.bin in the root directory, and then overwrite the original JFFS2 file system with your modified file system.

As for DMDE, it is designed to work with storage devices where files are aligned to sector boundaries. You can specify custom file types with non-zero offsets, though.
« Last Edit: December 12, 2021, 08:22:14 pm by fzabkar »
 