This directory contains scripts capable of pwning the MediaNav 4 (target device).
The latest versions of the firmware (6.0.9.8+) removed a well-known backdoor that used an autorun_bavn/autorun.sh script on a USB drive to run code as root. This page details a new procedure to regain that ability without a modified update file.
It uses a bespoke implementation of a communication protocol used to send/receive files to/from the target device. Officially, this protocol is used to update the navigation maps on the device but it can also be used to update arbitrary files. That unrestricted ability can be used to create a new backdoor.
Check the accompanying blog post to understand the motivation and see how this was developed:
https://goncalomb.com/blog/2024/01/30/f57cf19b-how-i-also-hacked-my-car
This project does not contain any proprietary code. All code is original.
The procedure is something like this:
- Setup a Raspberry Pi Zero 2 W as a USB Gadget with specific parameters that trick the target device into thinking that it is connected to an Android device using Android Open Accessory (AOA);
- Exploit the navigation maps update feature of the target device to send arbitrary files;
- Send designed payload to the device;
- Trigger the payload (it runs as root);
- Profit;
./setup.sh: setups the Raspberry Pi, downloads dependencies, patches the kernel and creates the USB Gadget;./payload-send.sh [payload-file]: sends the payload to the device./payload-clear.sh: clears the payload from the device./cleanup.sh: removes the USB Gadget
You don't need to call these scripts directly, they are called by the primary scripts.
./scripts/install-dependencies.sh: installs dependencies./scripts/patch-kernel-module.sh: creates patched kernel module (required for AOA)./scripts/ctrl-gadget.sh: controls the USB Gadget./scripts/ctrl-proto.py: send commands to the target device (CAUTION: you could destroy your device with this script, e.g. delete system files)
Requirements: Raspberry Pi Zero 2 W (other versions might work but not tested), GNU/Linux system recommended.
Read all the instructions before starting so that you have an idea of what is required.
- Setup a microSD card with a fresh Raspberry Pi OS installation;
- I suggest just using the official imager.
- Tested with Raspberry Pi OS Lite (32-bit) (2023-10-10).
- Enable SSH, set password and configure wireless network;
- You can do all this using the official imager or other methods.
- Get the
mn4-pwnedcode;- If you are on a system that supports ext4, you can just copy the code to the microSD card at
/home/pi(rootfs). - If not, just wait for later.
- If you are on a system that supports ext4, you can just copy the code to the microSD card at
- Boot the Raspberry Pi;
- Connect using SSH;
- Get the
mn4-pwnedcode, if you didn't already, usegit,wgetor something else.
- Get the
- At this point you should have the
mn4-pwneddirectory,cdin into it; - Run
./setup.sh, the first time it should ask to reboot after settingdtoverlay=dwc2; - Reboot and
cdback intomn4-pwned. - Run
./setup.shagain, this time it should download the Linux kernel sources and compile a patched module. This can take ~9min. - After all that you should see the message "gadget created";
- Power off the Raspberry Pi;
This involves connecting the Raspberry Pi to the target device using a standard USB Micro-B to Type-A cable using the OTG port on the RPi. The RPi can be powered from the OTG port. While connected to the target device you need to have SSH access to the RPi, plan the wireless setup accordingly.
- Connect the Raspberry Pi (OTG port) to the target device;
- On the target device select "Navigation" > "Menu" > "Map Update" > "Options" > "Update with Phone";
- You should see the message "Phone not connected!";
- Connect to the Raspberry Pi using SSH;
cdintomn4-pwned;- Run
./setup.sh, after a few seconds you will see the message "gadget created"; - On the target device, you should see "Phone connected! Waiting for maps to be transferred.";
- Run
./payload-send.shto create the backdoor and deliver the payload; - Optionally run
./cleanup.shto close the connection; - Click "Exit update" on the target device;
To run the payload just go back into "Update with Phone". For a few seconds, you should see the message "PWNED!" showing the root user id.
Other payloads (bash scripts) can be delivered as an argument to ./payload-send.sh. To remove the backdoor and payload use ./payload-clear.sh.