Aperture Controls

Cobb Accessport Reverse Engineering

Filesystems


Extracting data from the filesystems

I ended up writing some software in C# to extract the FCB, trim the spare data fields from the flash, find all the relevant magic numbers in the image, and dump the volumes into image files. The only actual filesystem parser I got to function before I paused work on the project was for UBI filesystems. This involved taking C++ code from the Linux kernel source tree and porting it over to C#. The magic number scanner was implemented in C# threads, with 8 threads taking about 1.5 seconds to scan a full 276 megabyte image.

Filesystem 1 - rootfs_volume

The rootfs_volume is a SquashFS filesystem that is mounted read-only at runtime. The image can be opened natively with 7-Zip on Windows. It is your typical Busybox setup, with two extra mounting points (/ap-app and /ap-data) for the other two read-only filesystems, along with one more mounting point (/userfs) for the user filesystem that you can access. The rootfs contains a couple kernel mode drivers, one for communication with the PIC bus controller, and the other for the usb "gadget."

Filesystem 2 - ap-data

The ap-data volume is another SquashFS filesystem that is mounted read-only at runtime. It can also be opened with 7Zip. This volume contains these directories:

  • car_info - contains configuration files for the supported cars that lists gear ratios/weight/etc...
  • ecu_info - contains configuration files that define the files used to edit a specific ECU. Also contains challenge keys.
  • maps - contains initial maps for each ECU (Stage 0)
  • roms - contains maps for each ECU all labelled "patch"
  • stubs - contains "stub" images (.bin)

Filesystem 3 - ap-app

The ap-app volume is yet another SquashFS filesystem that is mounted read-only at runtime. 7Zip works on this image as well. This is where most of the software that the user interacts with is held. It contains these directories:

  • bin - Contains the scripts and executables for the Accessport application. 
    • 	11/13/2018  04:02 AM               175 about
	02/07/2019  08:36 AM            26,335 about.bin
	11/13/2018  04:02 AM               152 activate
	02/07/2019  08:34 AM             5,461 adjustments
	02/04/2019  09:37 AM             6,053 change_map
	11/13/2018  04:02 AM             1,657 create_eodlog.sh
	11/13/2018  04:02 AM             3,088 create_log.sh
	11/13/2018  04:02 AM             1,031 create_screenshot.sh
	11/13/2018  04:02 AM               325 create_user_fs.sh
	02/07/2019  08:36 AM            34,823 cur_map
	02/06/2019  03:32 PM             5,455 diagnostic_file
	02/07/2019  08:36 AM            34,727 dtc
	02/07/2019  08:37 AM         5,621,081 exec_util
	11/13/2018  04:02 AM             1,545 expose_user
	11/13/2018  04:02 AM               187 fuel_econ
	02/07/2019  08:36 AM             5,659 getuserinput
	02/07/2019  08:35 AM           424,539 gui
	02/07/2019  08:36 AM             9,843 hash
	11/13/2018  04:02 AM             1,376 import_user
	02/04/2019  09:37 AM             9,337 install
	02/07/2019  08:36 AM            22,327 jffs2
	11/13/2018  04:02 AM               106 live_data
	02/07/2019  08:36 AM            38,823 live_data_demo
	11/13/2018  04:02 AM             1,350 main_menu
	02/07/2019  08:35 AM            59,347 main_menu.bin
	11/13/2018  04:02 AM            10,644 main_menu_demo
	02/07/2019  08:36 AM            51,363 map2rom
	02/07/2019  08:36 AM            39,087 map_props
	02/07/2019  08:36 AM            59,639 map_select
	02/07/2019  08:34 AM               973 mitsubishi_funcs.sh
	02/07/2019  08:36 AM            43,095 mitsu_can_flash
	02/07/2019  08:36 AM            43,023 mitsu_can_identify
	02/07/2019  08:37 AM           296,967 mitsu_can_livedata
	02/07/2019  08:37 AM            30,571 mitsu_can_reset
	02/07/2019  08:34 AM            12,171 modular_funcs.sh
	11/13/2018  04:02 AM             3,647 obd_funcs.sh
	11/13/2018  04:02 AM                80 perf_data
	02/07/2019  08:36 AM            71,859 perf_data.bin
	11/13/2018  04:02 AM            58,656 pnmtopng
	02/07/2019  08:36 AM            34,763 prep_rom
	02/07/2019  08:36 AM            34,863 readeeprom
	02/07/2019  08:34 AM             2,190 recovery
	11/13/2018  04:02 AM             1,140 reset_ecu
	02/07/2019  08:34 AM               389 restore_ots_maps.sh
	02/07/2019  08:37 AM            18,119 rom_encrypter
	02/07/2019  08:34 AM             7,014 serialnumber.sh
	02/07/2019  08:34 AM             1,414 show_cur
	02/07/2019  08:34 AM            35,519 sh_funcs.sh
	02/07/2019  08:34 AM             4,068 trouble
	02/06/2019  03:32 PM             1,003 tunerflash
	11/13/2018  04:02 AM             5,839 uiInterface.sh
	02/04/2019  09:37 AM             4,650 uninstall
	02/07/2019  08:34 AM            11,375 upgrade_pn
	02/07/2019  08:36 AM            22,319 usbmgr
	11/13/2018  04:02 AM             4,607 user_dump
	02/07/2019  08:34 AM            11,777 user_funcs.sh
	11/13/2018  04:02 AM             1,045 using_realtime.sh
	02/07/2019  08:36 AM            72,067 writeeeprom
				  58 File(s)      7,310,738 bytes
  • fonts - contains TrueType font files
  • images - contains image files for the user interface (icons/backgrounds/etc)
  • langs - contains text files with text strings used for DTCs/application info. There are different languages listed, but they all seem to contain English on my image even if labelled French or German.
  • lib - shared library files used by the application. I'll cover these more when I cover the application itself.
  • modules - a kernel module for the PIC possibly.
  • obd_firmware - firmware images for the PIC bus processor
  • splash - images in framebuffer format that are shown when the AP is booted

Filesystem 4 - userfs

The userfs volume is an UBIFS filesystem that is read-write at runtime. I wrote custom C# code to extract this filesystem so I could also extract deleted files, but imx-tools could probably also extract the files from this image. Most of the files in this filesystem can be accessed through Accessport Manager on Windows since it's datalogs/maps/etc. When you do a firmware upgrade to the Accessport itself, this filesystem is where the new firmware is "staged".

Prev: Flash Next: Application