VDO Dayton C-IQ series customisation - Proof Of Concept
Although there are a fairly high number of supported languages in the VDO C-IQ color series, you might find that yours is unfortunately not on the list. As far as I know, so far nobody has translated the menu system of such a device to their own language, probably because of the strong elliptic curve crypto (ECC) protection of the update files; however, we do have knowledge of dozens of crashed, bricked or irreversibly tampered units.
The scope of this document is to show that the ECC protection is not really an important factor during the update process; what you do afterwards is up to you, and most interested parties would probably translate the menu to their own language. This document is not intended to be a complete walkthrough and assumes some sort of expertise, preferably with modifying update discs for non-C-IQ equipment.
Whatever you do, you do it at your own risk. I take no responsibility of any sort; the information presented here might or might not be true, might or might not work for you; it is on you if your unit is dead or bricked, you are left with a black screen, your NAVI-ID turned into ????????, your girlfriend breaks up with you, your dog dies, etc. No warranty of any sort is provided, neither expressed nor implied; the information below is purely for educational purposes. You don't need to take any risk, just press back or close now; only the experienced, brave and talented should read further. Please don't proceed if you do not know what you are doing, because chances are high that you render your unit into an expensive piece of paperweight. You have been warned.
Okay, the update process looks like the following in the case of the C-IQ series:
1. update CD inserted
2. disc quickly examined
3. if it seems to be an update disc, the update option is offered
4. user picks yes (or no)
5. if yes was picked, the update disc is examined for label and disc id
6. if all of the above is fine, update files are checked against CRC AND SIGNATURE (ECC)
7. if all is still fine, the disc is locked
8. device reboots itself
9. device boots itself from the update disc
10. load of update files, CRC check (!!!NO signature check!!!), update
11. unlock of update disc
12. device boots itself with updated files
Checking the above process carefully, it is quite obvious that the device is left unprotected while it reboots itself; this is where one can slipstream their improved version of the firmware. All the files are checked before reboot, and the device reboots itself knowing that it is being booted from verified and good media with untampered files; after reboot only a sanity (CRC) check happens, to protect the unit against side-effects of defective or unreadable media.
So in the case of a PC5400 the unit can be safely 'crashed' with a proper but (let's say) mode1 disc; the unit can be safely turned off when it won't boot from the mode1 disc, the unit must be disassembled (warning: Torx screwdrivers required!) and the CD released from the unit; after this the unit is happy to boot from a slightly modified mode2 update disc. Please kindly note that there is no way to 'safecrash' the PC5500 and 5700, since these are DVD based units like the BMW MK4 and they are happy to boot from any sort of disc, but power can simply be disconnected when the device reboots itself....
You will find some Proof-Of-Concept pictures below.
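To make the check-then-use gap in steps 6 and 10 concrete, here is an added simulation that is not from the original thread and not VDO code: an HMAC keyed with a made-up vendor key stands in for the real ECC signature, the file name and contents are constructed, and the two disc arguments model what the unit sees before and after its reboot. The hardened variant shows the mitigation of re-verifying the signature in the post-reboot loader, not just the CRC.

```python
import hashlib
import hmac
import zlib
from dataclasses import dataclass

# Constructed stand-in: a real unit checks an ECC signature; an HMAC keyed
# with this made-up vendor key plays that role so the example runs offline.
VENDOR_KEY = b"constructed-vendor-signing-key"

@dataclass
class UpdateFile:
    name: str
    data: bytes
    crc: int       # media sanity check (step 10 of the post)
    sig: bytes     # authenticity check (step 6 of the post)

def sign(name: str, data: bytes) -> UpdateFile:
    """Vendor side: attach a CRC and a signature to an update file."""
    sig = hmac.new(VENDOR_KEY, data, hashlib.sha256).digest()
    return UpdateFile(name, data, zlib.crc32(data), sig)

def crc_ok(f: UpdateFile) -> bool:
    return zlib.crc32(f.data) == f.crc

def sig_ok(f: UpdateFile) -> bool:
    expected = hmac.new(VENDOR_KEY, f.data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, f.sig)

def vulnerable_update(pre_reboot_disc, post_reboot_disc) -> str:
    """Flow as described: full check before reboot, CRC only after.
    The two arguments model the media seen before and after rebooting."""
    if not all(crc_ok(f) and sig_ok(f) for f in pre_reboot_disc):
        return "rejected"
    # ... reboot: the loader now reads whatever is in the drive ...
    if not all(crc_ok(f) for f in post_reboot_disc):
        return "media error"
    return "installed:" + ",".join(f.name for f in post_reboot_disc)

def hardened_update(pre_reboot_disc, post_reboot_disc) -> str:
    """Mitigation: the post-reboot loader verifies the signature again."""
    if not all(crc_ok(f) and sig_ok(f) for f in pre_reboot_disc):
        return "rejected"
    if not all(crc_ok(f) and sig_ok(f) for f in post_reboot_disc):
        return "rejected"
    return "installed:" + ",".join(f.name for f in post_reboot_disc)

def modified(f: UpdateFile, new_data: bytes) -> UpdateFile:
    """Edited file: CRC recomputed, but the original (now invalid) signature."""
    return UpdateFile(f.name, new_data, zlib.crc32(new_data), f.sig)

GENUINE = [sign("menu.bin", b"MENU:EN,DE,FR")]          # constructed contents
MODIFIED = [modified(GENUINE[0], b"MENU:EN,DE,FR,HU")]  # constructed contents
```

Only the combination of a genuine disc before the reboot and a modified one after it passes the vulnerable flow; the hardened loader rejects it because the signature no longer matches the data.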
Re: VDO Dayton C-IQ series customisation - Proof Of Concept
When something is fully encrypted, you have to break the crypto (usually).
But when just a signature is encrypted, it opens up the world of soldering iron attacks; man-in-the-middle attacks, essentially: all you have to do is bit-twiddle to convince the code that checks the signature to say YES all the time, even when it should say NO…