I will start this by saying that there is a better method (reversing the actual algorithm) but I didn't have the time or patience to figure it out. Instead, I exploited the fact that CIC and COMBOX use the same software architecture. The Combox uses essentially the same hardware as the CIC sans the Fujitsu Carmine gpu and half the RAM. If you read the HARMAN manual you will note that pins 8 (TX), 9 (RX) and 16 (GND) are UART to the SH4 chip.
Hook up a simple UART (57600) adapter to those pins and you will see debug output that is printed by a custom binary (TestMenu). However, in order to do anything fun like say, execute commands we will need to login with root access. This is the process I developed to gain access:
FTP into CIC and upload comboxconsole, rootpersists.DAT and t.DAT to /mnt/hbuser.
SSH into CIC and run:
Then: l - login, 6 - Show Passwords
You can now use the passwords to log in as 'root' in the Combox UART console. This will allow you to get a shell and execute commands in the Combox as if you were SSHd into it.
Why might you want this? The Combox contains the default provisioning XMLs that it falls back to if there's any issue during the provisioning update (no internet, etc.). You will need to update the IPs to point to your own proxy server. This will be relevant when I release my server VM.
Hook up a simple UART (57600) adapter to those pins and you will see debug output that is printed by a custom binary (TestMenu). However, in order to do anything fun like say, execute commands we will need to login with root access. This is the process I developed to gain access:
Press l - login to level 1 (default access) with password "COMBOX__01HB".
Press 2 - log menu -> write to usb (pendrive plugged in to armrest).
This creates a folder "Log_*day*_*month*_*year*__*hour*_*minutes*_*seconds*
Get Protect.DAT from subdir HBHK and rename to "t.DAT"
FTP into CIC and upload comboxconsole, rootpersists.DAT and t.DAT to /mnt/hbuser.
SSH into CIC and run:
chmod +x comboxconsole
./comboxconsole
Then: l - login, 6 - Show Passwords
You can now use the passwords to log in as 'root' in the Combox UART console. This will allow you to get a shell and execute commands in the Combox as if you were SSHd into it.
Why might you want this? The Combox contains the default provisioning XMLs that it falls back to if there's any issue during the provisioning update (no internet, etc.). You will need to update the IPs to point to your own proxy server. This will be relevant when I release my server VM.
Attachments
Last edited: