Aperture Controls

Cobb Accessport Reverse Engineering


Part of the startup script for the Accessport

The Accessport is essentially an ARM-based Linux (kernel 2.6) machine running a command-line application made up of a handful of binaries and a lot of scripts. The graphical display uses a library called DirectFB to write directly to the framebuffer. Application data such as the vehicle, settings and hardware types is passed around in environment variables. The ap-app/init script starts the screen, imports some globally used shell functions (sh_funcs.sh), reads the eeprom to acquire installation data, then starts the /ap-app/bin/gui executable in an infinite loop with stdout redirected to /dev/null.

Browsing libap_comms in Ghidra

The USB communication is done through the library /ap-app/lib/libap_comms.so. There are three main classes that I investigated in this library. The first was USBCommunicator, which contains the getPacket and sendPacket functions for communicating over USB. A curious thing I found in getPacket was a check for the first two bytes of the buffer to equal 0xC0bb. I sent that sequence to the device a couple of times quickly and didn't see much, but it might be worth looking into further. The next class I looked at was USBManagerBase, which is the base class for USBManagerClient. It has functions for sending and receiving packets and files, and a callback function, OnCommunicatorEvent, which might be for USB plug/unplug event handling. USBManagerClient contains all the command handlers for each type of packet the Accessport supports over USB. This warrants its own page detailing the functionality.

Another library that I investigated was libPackaging.so. This library contains all the encryption/compression functionality and is called by most of the other software on the Accessport. The library has implementations of AES (Rijndael), Blowfish, BZip2 (zlib), TEA, Base64, and CRC32 checksumming. I will be covering the encryption routines on their own page as well.

Running Accessport executables on a Raspberry Pi

I used a Raspberry Pi 1B with a distribution called Moebius 250GTO to run Accessport executables from a command prompt. You set up Moebius per the instructions included with the distribution, then copy the Accessport filesystem contents on top of the Moebius filesystem on the SD card. Once you boot up Moebius, add /ap-app/lib and /usr/local/lib to the library path with this command:

    export LD_LIBRARY_PATH=/ap-app/lib:/usr/local/lib

After that it might work. Most of the tinkering I had to do to get the Accessport software to run on other things involved getting library links correct.

Running Accessport executables on Linux with qemu

  • use your package manager of choice to install qemu (specifically the static ARM user-mode build that provides qemu-arm-static)
  • make a subdirectory for the Accessport filesystem to live in
  • copy the rootfs files into that subdirectory
  • copy the files from the ap-app image into ap-app
  • copy the files from the ap-data image into ap-data
  • copy the files from the userfs image into user
  • copy /usr/bin/qemu-arm-static to /usr/bin inside your subdirectory
  • cd into that subdirectory and use this command to start a shell inside that environment (the chroot target is the current directory, not the host's /):

        sudo chroot . ash

  • export the Accessport library paths to the environment:

        export LD_LIBRARY_PATH=/ap-app/lib:/usr/local/lib

  • test your environment. I usually try running /ap-app/bin/rom_encrypter
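As an added example (not from the original page, nor Cobb's code), a POSIX shell script that assembles the chroot from the unpacked image directories and checks the things that usually make the first chroot fail: qemu-arm-static or /bin/ash missing from the tree, no ARM binfmt_misc handler on the host, or a test binary that is not actually a 32-bit ARM ELF ("Exec format error"). The directory layout and the /ap-app/bin/rom_encrypter check follow the steps above; the function names are my own.

```shell
#!/bin/sh
# Added example: assemble and sanity-check a qemu-arm chroot for the Accessport
# filesystem, laid out as in the steps above (images under DEST/ap-app, DEST/ap-data, DEST/user).

# 0 if FILE is a 32-bit ARM ELF (e_machine == 0x28 at offset 18), i.e. a binary
# the qemu-arm binfmt_misc handler will run. Anything else gives "Exec format error".
is_arm_elf() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || return 1
    machine=$(od -An -tx1 -j18 -N2 "$1" | tr -d ' \n')
    [ "$machine" = "2800" ]
}

# 0 if the kernel has a binfmt_misc handler pointing at qemu-arm registered.
arm_binfmt_registered() {
    for e in /proc/sys/fs/binfmt_misc/*; do
        [ -f "$e" ] && grep -q '^interpreter .*qemu-arm' "$e" && return 0
    done
    return 1
}

# assemble_chroot DEST ROOTFS_DIR APAPP_DIR APDATA_DIR USERFS_DIR
assemble_chroot() {
    dest=$1
    mkdir -p "$dest/ap-app" "$dest/ap-data" "$dest/user" "$dest/usr/bin"
    cp -a "$2"/. "$dest"/
    cp -a "$3"/. "$dest/ap-app"/
    cp -a "$4"/. "$dest/ap-data"/
    cp -a "$5"/. "$dest/user"/
    cp /usr/bin/qemu-arm-static "$dest/usr/bin/"
}

# check_chroot DEST: report each problem, return the number of problems found.
check_chroot() {
    dest=$1; bad=0
    for d in ap-app/lib ap-app/bin ap-data user; do
        [ -d "$dest/$d" ] || { echo "missing $d"; bad=$((bad + 1)); }
    done
    [ -x "$dest/usr/bin/qemu-arm-static" ] || { echo "missing usr/bin/qemu-arm-static"; bad=$((bad + 1)); }
    [ -e "$dest/bin/ash" ] || { echo "missing bin/ash"; bad=$((bad + 1)); }
    is_arm_elf "$dest/ap-app/bin/rom_encrypter" || { echo "rom_encrypter is not an ARM ELF"; bad=$((bad + 1)); }
    return $bad
}

# enter_chroot DEST: chroot into the tree (run check_chroot first). Inside, run
#   export LD_LIBRARY_PATH=/ap-app/lib:/usr/local/lib
enter_chroot() {
    arm_binfmt_registered || echo "warning: no qemu-arm binfmt_misc handler; ARM binaries will not exec" >&2
    (cd "$1" && sudo chroot . /bin/ash)
}
```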