Playing with Nissan Connect

A few weeks ago I found an article on Hackaday reporting ea‘s success in getting root access to a Nissan Connect LCN2kai sat nav head unit. I have one of these in my Nissan Pulsar, and my wife has an older version (LCN1) in her Qashqai, and I’ve always fancied playing with them but never had the time (or wanted to risking break it! – ea bought a spare to play with). Now someone else has done the hard work and got access, it prompted me to have play. The question is – what can I to do with it now? Very often the answer to that is ‘nothing useful’, but at least there’s some fun to be had in the playing.

Anyway, from initial playing I found a few interesting things which aren’t mentioned in the original write-up:

  • The system starts in runlevel 4.
  • The device comes with developer scripts, and can be switched into development mode. This enables sshd and I think enables a serial terminal. There is also a script to mount /opt/bosch over NFS (presumably for testing new builds).
  • Most of the user applications are not updatable, without a complete firmware update of the unit. The satnav application is the exception – it is symlinked to a writeable partition and can be updated by a newer version shipped on the maps sd card.
  • Most of the programs in /bin are provided by busybox, but there are more utilities compiled in to busybox than are symlinked. E.g. md5sum is provided in /usr/bin so you don’t have access while using the mount trick (which has mounted over /usr/bin). This is unfortunate if you want to create an easy way for users to modify their system just via usb stick, as you’d probably want to use md5sum to check files on the system before modifying them to avoid breaking an incompatible system. Luckily, busybox also provides md5sum. As there is no symlink in /bin you need to call /bin/busybox md5sum <file> instead.
  • The system is quite happy to use a usb hub, so you can connect a usb stick and network adapter at the same time. This means you can image the filesystem for offline research. At ~900mb for the system partition, it took half an hour to dd it to a usb stick and required the engine running to keep the unit powered on that long. On the other hand, if you download a system update you can access the complete filesystem there which is a lot less effort. In fact, looking at how ea worked out how to exploit the mounting of a usb stick to get root access to the system, this could have been worked out entirely from examining the firmware update without any need to get serial access to the device itself!

Leave a comment