On Wed, Aug 10, 2011 at 06:25:30PM +0200, Alexander Lehner wrote:
> [ ... ]
> For the hacker's delight I would give a try to find the private ssh
> key in the Windows TomTom Software. Maybe they were lazy enough to
> put it in plaintext somewhere.

All I could find was a certificate called TT_root_sign_cert.crt. Feeding this
to google revealed this page:

  http://www.opentom.org/MyTomTom

But there's no news for me to find on this page.

BTW: I don't think any of the methods listed in "Future Investigations" will
work. The user manual states that the device needs to be connected _directly_
to the PC, not even using a hardware-hub. I bet they have put some effort into
checking whether there's some sniffing involved.

In the meantime, I've checked on a Win-PC from a friend. We installed
USBsniff, wireshark and MyTomTom on it. Here's what I found:

- Starting MyTomTom from the Start menu doesn't have any effect. Very strange.

- When I plug the device into the PC, tomtom.com site gets opened
  automatically in a browser.

Really bogus. I'd expect such behavior from some virus/trojan, but not from
a mature product.

Next thing is that they require installing Flash to use MyTomTom. That's
where I finally give up. I'm not going to install flash just to use such a
crippled device.

From analyzing the USBsniff log, I found that the device responds to the
following requests:

jw@kiste:~> wget -qO- http://169.254.255.1/sa/hello; echo
<?xml version="1.0" encoding="utf-8"?><hello xmlns="http://www.tomtom.com/ns/device/1.0" deviceid="_device_id_" />
jw@kiste:~> wget -qO- http://169.254.255.1/mpnd/status; echo
<?xml version="1.0" encoding="utf-8"?><jobstatus xmlns="http://www.tomtom.com/ns/device/1.0" deviceid="_device_id_" rescue="false"></jobstatus>
jw@kiste:~> wget -qO- http://169.254.255.1/mpnd/progress; echo
<?xml version="1.0" encoding="utf-8"?><jobprogress xmlns="http://www.tomtom.com/ns/device/1.0" deviceid="_device_id_" progress="0" state="waiting" eta="0" />

Here's the perl script I used to analyze the log from USBsniff:

#!/usr/bin/perl

use strict;
use warnings;

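# 1 = pipe each payload through "hexdump -C" instead of printing the text
my $output_hexdump=0;

# 1 = replace device id and timestamp values with fixed placeholders
my $snip_deviceid=1;
# 1 = print "duplicate" instead of repeating a payload already shown
my $suppress_duplicates=0;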

my $direction="unknown";
my $data="";

$|=1;

while (<>) {
    chomp;

    $direction = $1 if /USBD_TRANSFER_DIRECTION_(IN|OUT)/;

    # look for payload: an 8-digit hex offset followed by hex byte pairs
    if (/^    ([\da-f]{8}):(( [\da-f][\da-f])+)$/i) {
        # decode the hexdump
        $data .= join ("", map {chr hex $_} split (" ", $2));
    } else {
        # end of package, dump the data
        &dump_data();
    }
}

my %seen_packets;

sub dump_data {
    return unless length $data;

    if ($snip_deviceid) {
        $data=~s,devices/.+?/,devices/_device_id_/,i;
        $data=~s,deviceid=".+?",deviceid="_device_id_",i;
        $data=~s,<timestamp>\s*?\d+\s*?</timestamp>,<timestamp>0</timestamp>,i;
    }

    if ($data=~/(HTTP|GET)/) {
        # keep everything from byte offset 0x62 (98) onwards
        my $plaintext = substr ($data, hex 62);
        print "---- line $. $direction ----\n";

        if ($suppress_duplicates && exists $seen_packets{$plaintext}) {
            print "duplicate\n";
        } else {
            $seen_packets{$plaintext} = 1;
            if ($output_hexdump) {
                if (open (my $hd, "|-", "hexdump", "-C")) {
                    print $hd $data;
                    close $hd;
                }
            } else {
                print $plaintext;
            }
        }

        print "\n";
    }
    $data="";
}


Please feel free to add this information to the opentom page mentioned
above. Maybe there's somebody out there who is willing to install flash
and can provide more sniffing information?
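
Added example (not part of the original post, and not TomTom or opentom code): a Python parser for the three response bodies quoted above, which checks the device namespace and flattens the attributes into one status view. The function names, the refusal of DTD/entity declarations and the type coercion are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Namespace exactly as it appears in the responses quoted in the post.
DEVICE_NS = "http://www.tomtom.com/ns/device/1.0"
_HEAD = '<?xml version="1.0" encoding="utf-8"?>'
_NS = ' xmlns="%s" deviceid="_device_id_"' % DEVICE_NS

# The three response bodies from the post, keyed by request path.
SAMPLES = {
    "/sa/hello": _HEAD + "<hello" + _NS + " />",
    "/mpnd/status": _HEAD + "<jobstatus" + _NS + ' rescue="false"></jobstatus>',
    "/mpnd/progress": _HEAD + "<jobprogress" + _NS
                      + ' progress="0" state="waiting" eta="0" />',
}


def _coerce(value):
    """Turn "true"/"false" and digit strings into bool/int; leave the rest."""
    if value in ("true", "false"):
        return value == "true"
    return int(value) if value.isdigit() else value


def parse_response(body):
    """Return (element name, attribute dict) for one response body.

    The body comes from a captured stream and is untrusted, so anything that
    declares a DTD or entities is refused before the XML parser sees it.
    """
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(body.encode("utf-8"))
    if not root.tag.startswith("{" + DEVICE_NS + "}"):
        raise ValueError("unexpected namespace in %r" % root.tag)
    name = root.tag.split("}", 1)[1]
    return name, {k: _coerce(v) for k, v in root.attrib.items()}


def summarize(responses):
    """Flatten {path: body} into {"element.attribute": value}."""
    state = {}
    for body in responses.values():
        name, attrs = parse_response(body)
        state.update({"%s.%s" % (name, k): v for k, v in attrs.items()})
    return state


if __name__ == "__main__":
    for key, value in sorted(summarize(SAMPLES).items()):
        print(key, "=", value)
```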
