[bmwdd]

Hi,

Is it true that you cannot downgrade the major software version (e.g. 005 -> 003 / 003 -> 001) if component protection is activated?


Sent from my iPhone using Tapatalk Pro

[intel123]

Sure you can, you just have to do it manually from QNX emergency IFS or "Bootloader" how is it called around here.

[aboulfad]

Sure you can, you just have to do it manually from QNX emergency IFS or "Bootloader" how is it called around here.

Slightly OT, so QNX is the RTOS used in NBTEVO, and that there is a way to access the image file system (IFS)? I guess the HU has to be benched?

[intel123]

Slightly OT, so QNX is the RTOS used in NBTEVO, and that there is a way to access the image file system (IFS)? I guess the HU has to be benched?

you dont have to bench it, you can reboot it into, and from BL you can flash chips, eeprom and attached with whatever you wish. And yes, QNX is used on all HU's from CIC, before that CCC used VxWorks (terrible OS and terrible motherboard design), and e65 iDrive used WindowsCE

[aboulfad]

Slightly OT, so QNX is the RTOS used in NBTEVO, and that there is a way to access the image file system (IFS)? I guess the HU has to be benched?

you dont have to bench it, you can reboot it into, and from BL you can flash chips, eeprom and attached with whatever you wish. And yes, QNX is used on all HU's from CIC, before that CCC used VxWorks (terrible OS and terrible motherboard design), and e65 iDrive used WindowsCE

Hehe I've developed on VxWorks some time ago... I can't believe they used WinCE, now that's a terrible embedded OS. I've tried different methods, but there's almost nothing that can get me into HU_NBT, I know it runs a light httpd, and ssh ports are closed (although there's a public key stored in BL), so any clues how to reboot it into QNX? Please?

[intel123]

you dont have to bench it, you can reboot it into, and from BL you can flash chips, eeprom and attached with whatever you wish. And yes, QNX is used on all HU's from CIC, before that CCC used VxWorks (terrible OS and terrible motherboard design), and e65 iDrive used WindowsCE

Hehe I've developed on VxWorks some time ago... I can't believe they used WinCE, now that's a terrible embedded OS. I've tried different methods, but there's almost nothing that can get me into HU_NBT, I know it runs a light httpd, and ssh ports are closed (although there's a public key stored in BL), so any clues how to reboot it into QNX? Please?
[/quote]

Yes sure, its pretty simple, but way i see it you have two easy options:
1) you can connect to a console via UART TTL and go from IPL
2) create usb autorun script/bin which will enable sshd and telnet(inetd), and while you're at it you can modify shadow as well or any keys etc

if you have background in vxworks this will be very easy then, after getting shell access it becomes very easy, architecture is very well known and documentet, it runs ELF so you can CK binaries, or just hotpatch them, make inline hooking or whatever else you wish with them... toolchain for compilation is more or less standard and fully provided by blackberry/QNX so...

[aboulfad]

Yes sure, its pretty simple, but way i see it you have two easy options:
1) you can connect to a console via UART TTL and go from IPL
2) create usb autorun script/bin which will enable sshd and telnet(inetd), and while you're at it you can modify shadow as well or any keys etc
...

Thanks for sharing, now I did development in VxWorks eons ago, but i never said I was a hacker

Option 1 requires physical access and you'd have to remove the HU. Now Option 2 is way interesting and that confirms what I've been wondering about for a while. I have qnx6.5 installed, so I need me to learn some stuff! Appreciate all the pointers.

[bmwdd]

Sure you can, you just have to do it manually from QNX emergency IFS or "Bootloader" how is it called around here.

can you share more how this is being done? thanks.

[intel123]

Sure you can, you just have to do it manually from QNX emergency IFS or "Bootloader" how is it called around here.

can you share more how this is being done? thanks.

since you dont understand and its already explained in detail, maybe its better for your own good not to touch anything as you do not understand how this works and will mishandle it in one way or the other.