Very cool so far!
I hope there's a way to enable shell access to the device... would make life a lot easier.
rSAP will probably not be useful at all, but at least I proved the wLAN device is functional for non-premium MIB1s as well. Hopefully I can turn the device into a wlan client.
Last edited by Chillout; 01-04-2016 at 06:02 AM.
I'm just flying by here - I own a 2016 GTI base, don't know what model radio it has but I'd love to dive into this as well. I just haven't committed to reading enough yet, though I will soon.
I saw your NMAP fingerprint and formatted it a little bit nicer.
I'm sure you already know this, so I will explain it for others looking. NMap is connecting to the port with various request types and seeing what it replies with. It's returning HTML, which is interesting to me. The other thing I find interesting is DLNADOC/1.50. This is a media service protocol.
Code:
r(FourOhFourRequest,B4,"HTTP/1.1 400 Bad Request CONNECTION: close SERVER: Audi-MIB/5.21 DLNADOC/1.50/1 CONTENT-TYPE: text/html CONTENT-LENGTH: 50 <html><body><h1>400 Bad Request</h1></body></html>")
r(GetRequest,B4,"HTTP/1.1 400 Bad Request CONNECTION: close SERVER: Audi-MIB/5.21 DLNADOC/1.50/1 CONTENT-TYPE: text/html CONTENT-LENGTH: 50 <html><body><h1>400 Bad Request</h1></body></html>")
r(HTTPOptions,B4,"HTTP/1.1 400 Bad Request CONNECTION: close SERVER: Audi-MIB/5.21 DLNADOC/1.50/1 CONTENT-TYPE: text/html CONTENT-LENGTH: 50 <html><body><h1>400 Bad Request</h1></body></html>")
r(RPCCheck,A1,"HTTP/1.0 400 Bad Request SERVER: Audi-MIB/5.21 DLNADOC/1.50/1 CONTENT-TYPE: text/html CONTENT-LENGTH: 50 <html><body><h1>400 Bad Request</h1></body></html>")
r(kumo-server,A1,"HTTP/1.0 400 Bad Request SERVER: Audi-MIB/5.21 DLNADOC/1.50/1 CONTENT-TYPE: text/html CONTENT-LENGTH: 50 <html><body><h1>400 Bad Request</h1></body></html>");
I'm interested in poking around now. How did you enable the WiFi?
Last edited by OneWheelDoin200; 01-04-2016 at 10:48 PM.
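As an added illustration (not code from the thread), here is a small Python parser for the fingerprint quoted above: it splits Nmap's r(probe,length,"response") entries, pulls out the HTTP version, status and SERVER header each probe got, and reduces that to what an asset inventory would record about the device. The sample text is constructed from three of the five entries above, with the \r\n escapes that the forum stripped left out.

```python
import re

# Constructed sample: three of the Nmap service-fingerprint entries quoted in
# the post above, in Nmap's r(<probe>,<hex length>,"<response>") form. The
# forum stripped the \r\n escapes, so header lines are separated by spaces.
FINGERPRINT = (
    'r(FourOhFourRequest,B4,"HTTP/1.1 400 Bad Request CONNECTION: close '
    'SERVER: Audi-MIB/5.21 DLNADOC/1.50/1 CONTENT-TYPE: text/html CONTENT-LENGTH: 50 '
    '<html><body><h1>400 Bad Request</h1></body></html>") '
    'r(HTTPOptions,B4,"HTTP/1.1 400 Bad Request CONNECTION: close '
    'SERVER: Audi-MIB/5.21 DLNADOC/1.50/1 CONTENT-TYPE: text/html CONTENT-LENGTH: 50 '
    '<html><body><h1>400 Bad Request</h1></body></html>") '
    'r(RPCCheck,A1,"HTTP/1.0 400 Bad Request '
    'SERVER: Audi-MIB/5.21 DLNADOC/1.50/1 CONTENT-TYPE: text/html CONTENT-LENGTH: 50 '
    '<html><body><h1>400 Bad Request</h1></body></html>")'
)

ENTRY_RE = re.compile(r'r\(([\w-]+),([0-9A-Fa-f]+),"(.*?)"\)')
STATUS_RE = re.compile(r'^HTTP/(\d\.\d) (\d{3})')
# Headers were flattened onto one line, so stop at the next known header name.
SERVER_RE = re.compile(r'SERVER: (.+?) (?:CONTENT-TYPE|CONTENT-LENGTH|CONNECTION):')

def parse_fingerprint(text: str) -> list:
    """Split an Nmap fingerprint into one record per probe that got a reply."""
    entries = []
    for probe, hexlen, resp in ENTRY_RE.findall(text):
        status = STATUS_RE.match(resp)
        server = SERVER_RE.search(resp)
        entries.append({
            "probe": probe,
            "declared_len": int(hexlen, 16),  # Nmap records the reply length in hex
            "http_version": status.group(1) if status else None,
            "status": int(status.group(2)) if status else None,
            "server": server.group(1) if server else None,
        })
    return entries

def summarize(entries: list) -> dict:
    """Reduce the per-probe records to what an inventory of the device needs."""
    servers = {e["server"] for e in entries if e["server"]}
    server = servers.pop() if len(servers) == 1 else None
    dlna = re.search(r"DLNADOC/(\d+\.\d+)", server or "")
    return {
        "probes_answered": [e["probe"] for e in entries],
        "server": server,
        "dlnadoc_version": dlna.group(1) if dlna else None,
        "all_400": all(e["status"] == 400 for e in entries),
        "http10_probes": [e["probe"] for e in entries if e["http_version"] == "1.0"],
    }
```

Note that the device answers every probe, including the deliberately malformed FourOhFourRequest, with a 400 and the same SERVER banner, which is exactly the string an inventory should match against vendor advisories.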
This is (as I understand) the basic enabling method for WiFi though Chillout may have other instructions.
PS: If you want to download an admap for a Discover Pro unit in a Japanese mK7 (with WLAN enabled) see HERE
Thanks for formatting it the right way and explaining it in a non-nerdy way.
It's DLNA indeed. Yesterday afternoon, I was able to stream music from BubbleUPnP (DLNA server) on my phone over bluetooth. Screenshots will follow.
Enabling WLAN is done like DV52 said (enable WLAN in Adaptation, but with mine it was already on despite not being a Premium device), but it also needs the "Phone NAD" bit enabled in long coding. I will find the exact bit as soon as I hook it up to VCP pro again.
Last edited by Chillout; 01-05-2016 at 08:22 AM.
Can you explain how?
I have activated all the online adaptation. But to no avail.
Which bit is necessary to enable Phone NAD in long coding for module 5F? THANKS
Last edited by XaGiCo; 01-05-2016 at 06:33 AM. Reason: Phone NAD in long coding for module 5F?
Also: great work!
I've noticed that you have a different "Green menu"... mine is missing the first entry, for configuration. Can you share your long coding/adaptation channels?
edit: could also be because of the software version... my green menu shows GEM 3.3, yours is GEM 3.0.
I'll do a full write-up after I've been back in the car with VCP
My discoveries of undocumented/previously unknown features so far:
- WLAN is on same chip as bluetooth and is available in all Discover Pro devices.
- Screenshots can be made by pushing the right twist-knob
- Overlay view of screen elements can be enabled by pushing and holding CAR button
- Developer menu can be enabled through Adaptation.
- Developer menu can be opened by holding MENU for ~20 seconds
- Overlay view of screen data/names can be enabled by pushing and holding TRAFFIC button
- Skin can be changed through Debug options in Developer menu
- Loudness can be disabled through the Green menu in the Developer menu
- Mirrorlink button in main menu can be enabled through Debug options in Developer menu
- WLAN is available after enabling Phone NAD bit in long coding (which enabled Premium Phone)
- DLNA is available after enabling WLAN (this is port 49152)
- Wlan packets can be sniffed and saved to SD through the Green menu in the Developer menu
Last edited by Chillout; 01-05-2016 at 08:36 AM.
Looks likely that QNX can be changed like this:
Last edited by A2theK; 01-08-2016 at 12:12 PM.
Ahhhh here is something else from what you have...
DLNA 1.50 server is old... try using Nikto (https://cirt.net/nikto2) against it or maybe Metasploit once Nikto has revealed any holes.
You should be able to use either of these to execute CLI commands on the box, eventually throwing a shell.
EDIT: a bit of reading around suggests that a buffer overflow is possible in this DLNA server version by passing it a bad content icon (in XML)... definitely very real possibilities here!
Last edited by A2theK; 01-08-2016 at 12:11 PM.
Many, many thanks @Chillout
Enabled WLAN access point
But it leaves an error!
Example App DNL UPnP Apple:
Example App DNL UPnP Android:
My Golf is from February 2014 but my second Discover Pro from May 2014. The first gave me navigation problems!
I think that menu $configset is the MMI retrofit!
Regards and Good Day!
I was looking with a customer of mine for a lot of time now but didn't find the green menu. Now we can access it I will look further into it. I'm also from the NL and if you need some contact you can find me through WhatsApp +31 6 15228709 or by mail info @lowering.nl. I'd like to keep in touch
I ran a couple of Nikto runs on port 49152 with different settings. Nothing spectacular. I will have another go this week with Nikto2 (Kali Linux had Nikto 1.6?!), I'm pretty sure something will show up eventually. If only I had an android client so I could easily scan while I'm on my way to work
About the error: yes, that is common. You don't have to set the "Premium Phone" checkbox, because it will cause troubles, since the Phone module is not there.
I have just bought a 2014 golf R with the discover pro installed and after reading this very interesting thread I want to play.
I already have the green menu enabled and can see the screens similar to the ones shown in the 1st 3 pictures but I can't find anything like the ones in the last 2 pictures.
So my question to Chillout is: how did you enable the green engineering mode, using the SD card script trick from the Russian forums? Or did you just use VCP?
Well... I retrofitted Discover Pro into my car, but there are some things that don't work - Navi is locked and the TPMS button sends "Implausible signal" (??). So I tried to update the firmware (with files from the beginning of page 2) and... It updated. But now there is no sound. Everything worked well, but the speakers are muted (there is still a small "bum" in the speakers when turning on the unit.). CP is removed. Is it back? There is no error from CP..
There is an error in memory "Check Software Version Management", or something like this, later I will add the error code, need to check.
Anyone can help?
Thanks in advance
I know, I know. VCDS should be good - sound worked before.
But I can't write on the Ross-Tech forum, because you need to give the code from the white sticker on the side of the VCDS cable, and mine is just blank after all these years :/
1555 - Check Software Version Management
B201A 00  - -
Confirmed - Tested Since Memory Clear
Fault Status: 00000001
Fault Priority: 6
Fault Frequency: 1
Reset counter: 140
Mileage: 4032 km
Chillout, very interested in your ability to enable WLAN on the MIB I Nav Pro (which I have in my 2013 GTD).
I've enabled the WLAN function in VCDS for the controller 5F (was set to off), but I still don't get the WLAN option under Media.
You mentioned enabling Phone NAD earlier in the thread. Is this something that can only be done with VCP or is this a check box in VCDS (as I only have VCDS)? Any chance you could point me in the right direction please?
Hi everyone. Canadian 2016 S3 user checking in here. I had my interest caught initially when I saw the words "discover pro" show up, but then assumed there could be sufficient differences in our systems for me to wait a bit. Well, I've since activated the green menu and found that the choices are the same:
We have no SIM slot in our vehicles here. WLAN works fine (after adaptation with my VCP). About as far as I want to get right now is enabling data to the system through my phone, either through rSAP (which sounds unlikely) or USB->RJ45. The step that seems to be missing for me at least, when comparing procedures to the A1/4/5 etc., is the 'install fair mode' or 'dlinkreplacesPPP' equivalent function which instructs the system to be able to look to the AMI port for its data.
I'll continue to watch with interest. The enabling of Google etc might be possible through adaptation of various 'online' flags in the vehicle config I can see in 5F, but I haven't got as far as trying this yet, and of course with no network it's likely just going to be an exercise to see if some extra options show up.
If there's anything that I can offer with a different vehicle to help this discussion, do let me know.
I went down the road of USB-RJ45... didn't work. But I have good hopes that it might be possible to enable WLAN Client mode, which would make it possible for the device to connect to a mobile hotspot.
Someone told me it might be a good idea to turn OFF UPnP... might enable Wlan client mode.
Also, I put up a BT Sync with Discover Pro Firmware versions 0200 and 0388. Feel free to download:
I'm going to compare files on these to see the differences
Update: Be careful playing around with this thing guys... I disabled my DVD player... Might be a loose connection or something, it currently doesn't work
Also, I did a comparison between my adaptation channels from October and a recent one... I did a lot of changes, but there were also a lot of things that were changed that I never changed manually... this wasn't caused by any software update, comparing adaptation channel maps from before the update leads to the same conclusion: this device can do weird stuff!
I'm currently trying to download the firmware files (although it still says "Connecting......") in order to decompile it. Once it is decompiled, it's a lot easier to discover vulnerabilities that could possibly be exploited.
Once I have the files and decompiled them, I'll write a little manual on how to do this (if this is wanted)