Firmware from Chinese AndroidAuto (and CarPlay) Dongle #213

Open
hkfuertes opened this issue Oct 25, 2024 · 4 comments

@hkfuertes
Contributor

@nisargjhaveri Just letting you know I was able to download the OTA update of one of these cheap Chinese Android Auto wireless adapters from AliExpress onto my machine. I just unsquashed it and I'm going over it looking for something interesting... but my decompilation skills aren't that good.

Here is the script (taken from the update page of the dongle) to download. You have 2 models to download (change the version and custom fields at the beginning of the script):

```html
<script>
    // Version is figured out via `queryDeviceVersion`, called without any Version.

    // One ...
    // const Version = "se_202409241744";
    // const PlatForm = "v851se";
    // const Custom = "jiuchangxin";

    // Another ...
    const Version = "se_202409241804";
    const PlatForm = "v851se";
    const Custom = "luruibao";

    // POST version/platform/custom to the update server and save the returned blob.
    window.download = () => {
        var url = "http://120.79.59.57:8080/device-web/upgrade/downLoad";
        var xhr = false;
        try {
            var param = {};
            param["version"] = Version;
            param["platform"] = PlatForm;
            param["custom"] = Custom;

            console.log(param);

            xhr = new XMLHttpRequest();
            xhr.open('POST', url, true);
            xhr.responseType = "blob";
            xhr.setRequestHeader('Content-Type', 'application/json');
            xhr.addEventListener("progress", function (event) {
                if (event.lengthComputable) {
                    // Scale to 100 so a finished download reports 100%.
                    var percentage = Math.round((event.loaded * 100) / event.total);
                    console.log(`Downloaded ${percentage}%`);
                }
            }, false);

            xhr.onreadystatechange = function () {
                if (xhr.status === 500) {
                    alert("Server internal error.");
                    window.stop();
                }
                if (xhr.readyState === 4) {
                    if (xhr.status === 200) {
                        console.log(xhr.response);
                        var blob = xhr.response;
                        if (blob) {
                            // Trigger a browser download named after the version string.
                            var dk = document.createElement('a');
                            dk.href = window.URL.createObjectURL(blob);
                            dk.download = Version;
                            document.body.appendChild(dk);
                            dk.click();
                        }
                    } else {
                        alert('download file fail');
                    }
                }
            };

            xhr.send(JSON.stringify(param));
        } catch (failed) {
            xhr = false;
            //alert("Server internal error.");
        }
    };

    // POST platform/custom only; the server answers with the current version info.
    window.queryDeviceVersion = () => {
        var request;
        try {
            request = new XMLHttpRequest();
        } catch (failed) {
            request = false;
        }

        if (!request) {
            alert("Error initializing XMLHttpRequest!");
            return;
        }

        var url = "http://120.79.59.57:8080/device-web/upgrade/queryDeviceVersion";
        request.open("POST", url, true);
        request.setRequestHeader('Content-Type', 'application/json');
        request.onreadystatechange = function () {
            if (request.readyState == 4) {
                if (request.status == 200) {
                    var response = request.responseText;
                    var myJSON = JSON.parse(response);

                    console.log(response);
                }
            }
        };

        var param = {};
        //param["version"] = Version;
        param["platform"] = PlatForm;
        param["custom"] = Custom;
        request.send(JSON.stringify(param));
    };

</script>
```
@hkfuertes
Contributor Author

hkfuertes commented Oct 25, 2024

Save it into an HTML file, open it in a browser and just use `download();` and `queryDeviceVersion();` from the developer tools.

@hkfuertes
Contributor Author

hkfuertes commented Oct 25, 2024

From what I have figured out already, it uses an Allwinner SoC (maybe this could bring more boards to this project) and it's based on Tina Linux: https://home.xyhcloud.com:1443/tina-v85x/tina-v85x (which is an iteration over OpenWrt... so... buildroot)

@hkfuertes
Contributor Author

... The magic might be happening in /usr/bin/sdsdk and /usr/bin/sdDongle, which seem to be the CarPlay part of the dongle. In the rc.init I don't see any Android Auto "starter script", only the CarPlay one (actually, sdsdk when loading Bluetooth), but somehow the dongle knows that the connected device is an Android device and changes to Android Auto mode...

I don't know how to continue... maybe it is useful for someone :)

@hkfuertes
Contributor Author

I have 3 dongles. 2 of them are equal, the script above retrieves the firmware, but the third is different, with a different folder structure. You can get it here:
https://cpbox-abroad.oss-us-west-1.aliyuncs.com/2921/version.json
https://cpbox-abroad.oss-us-west-1.aliyuncs.com/2921/update.img

In this case it is just the app, without any USB gadget config, but again I don't know what to do with Ghidra to make it useful...
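The first comment mentions unsquashing the OTA image; as an added example (not part of the original posts and not the project's code), this sketch hashes a downloaded image and locates SquashFS superblocks inside it before extraction. It assumes the SquashFS 4.0 little-endian superblock layout; the function names and the sample image are constructed for illustration.

```python
import hashlib
import struct

SQFS_MAGIC = b"hsqs"   # SquashFS magic as stored on disk (little-endian)
SB_FMT = "<5I6H2Q"     # first 48 bytes of a SquashFS 4.0 superblock
SB_LEN = struct.calcsize(SB_FMT)
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def find_squashfs(blob: bytes) -> list:
    """Return one record per plausible SquashFS 4.0 superblock in blob."""
    hits = []
    pos = blob.find(SQFS_MAGIC)
    while pos != -1:
        if pos + SB_LEN <= len(blob):
            (_magic, inodes, _mtime, block_size, _frags, comp, block_log,
             _flags, _ids, major, minor, _root, used) = struct.unpack_from(SB_FMT, blob, pos)
            # Field cross-checks reject chance occurrences of "hsqs" in other data.
            if (major, minor) == (4, 0) and 12 <= block_log <= 20 \
                    and block_size == 1 << block_log and comp in COMPRESSORS:
                hits.append({
                    "offset": pos,
                    "compressor": COMPRESSORS[comp],
                    "inodes": inodes,
                    "bytes_used": used,
                    # True when the image ends before the filesystem does.
                    "truncated": pos + used > len(blob),
                })
        pos = blob.find(SQFS_MAGIC, pos + 1)
    return hits


def make_sample() -> bytes:
    """Constructed test image: dummy header, a decoy magic, one real superblock."""
    sb = struct.pack(SB_FMT, 0x73717368, 120, 0, 131072, 3, 4, 17, 0, 1, 4, 0, 0, 4096)
    fs = sb + b"\x00" * (4096 - len(sb))
    return b"IMG0" + b"\xff" * 508 + b"hsqs-not-a-superblock" + b"\xff" * 491 + fs


if __name__ == "__main__":
    image = make_sample()  # replace with open("update.img", "rb").read()
    # Record the hash first so later analysis can be tied to this exact download.
    print("sha256:", hashlib.sha256(image).hexdigest())
    for hit in find_squashfs(image):
        print(hit)
```

A reported offset and `bytes_used` give the exact span to carve out of the image before handing it to `unsquashfs`; a `truncated` hit means the download is incomplete or the match is not a real filesystem.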
