MG4 Secret Menu Mode...

When you have your phone connected to the car (e.g. to use Google maps) and you've selected the Android Auto button (if AA hasn't come up automatically), press and hold the Voice button (top left on the steering wheel) and wait for the "bidly-bing" sound from AA and a visual prompt at the bottom of the screen. Then say (for example) "call <contact name>" and Google should place the call. (You should see text representing what you've just said in that visual prompt). If that person has more than one number in the contact card in your phone then it should prompt you to select which one. Alternatively say "call <contact name> mobile" (for example) and it should dial their mobile number. :)

Thanks. I think I managed to do it by hitting the wee microphone icon on the screen, but this sounds better.

I was well impressed when I said "call Anne Boyd" and the voice replied "home or mobile?"

It has some other nice features; for example, if you're using an app like TuneIn radio, you can just say 'Hey Google, play Magic' (not even worrying about the button) and it will figure it out. Saves a bit of screen faff.

Thanks, but that's not going to happen! (See other threads on car audio...)
 
Hello everyone, I have the MG Marvel R and unfortunately I cleared some values in the 200519 menu, and now the speedometer is in miles (instead of km), and when trying to sign in to connect with my mobile it gives me an AES Encrypt error. Does anyone know how to fix this? Both errors, or at least how to access any menu to change the speedometer to km; it is in km on the main screen, which is weird.
 
Might be worth posting your message on the Marvel R forum as I suspect the software is different.

 
Ok, so progress.

The engineering second level password is a number. (In my case, 8 digits)

The problem is it appears to be calculated from your car's serial number, so it's different for everybody. I haven't sat down to figure out how they convert the serial number into the code yet.

The way I got it was:
  • Bring up the password box and try something, which will be wrong.
  • Export the HU logs to a USB stick
  • Open the dmesg files for that session in a text editor app on a PC and search for "password".
No kidding, when they compare what you enter to the password, they put the actual password in the Android logs!!!!

It looks something like this:
Code:
A9_Diag_V1.0.0.58_P: [MainMenuModel] getRightPassword
PasswordFactory: getPassword origin sn - xxxxxxxxxxxxxx
PasswordFactory: getPassword ---> str_sn - xxxxxxxxxxxxxxx
PasswordFactory: getPassword ---> pwd = 12345678

Behind that password box a couple of extra buttons open up: "Tools" and "Disable Version Check"
In Tools:
  • Reboot
  • Factory Reset
  • Switch to OTG (changes to Switch to Host when pressed)
  • Disable AA (Android Auto)
  • Disable CP (Carplay)

For those people wanting to disable features / etc, this isn't for you. The main purpose for the moment is to allow people with Android coding experience to get into the system and start poking around.

I have gone through every log; there is nothing like this at all on mine… Any advice?
 
Don't stress, you can't break anything in that menu. It's the same one the dealers get to do updates and see version numbers.
You can't actually do any harm in there.

There is an extra level of engineering menu in there that we don't have access to yet.
If you tap the bottom right corner of the engineering screen 5 times, a password box pops up. We haven't cracked that one yet.
I tried to reach the second level of the engineering menu on my MG4 Luxury 2022 (it should be the Trophy LR equivalent for the Italian market), but I didn't receive any login request.

I tried tapping on the bottom right corner just inside the engineering menu (to be honest, I tapped on all corners).

I'm on R46.

Any hint?

TIA,
Marco
 
In the Trophy (Luxury) I thought you tapped on one of the version numbers a few times? The bottom-right corner is for the SE's further-embedded menu I thought?
 
I tapped on the version number to reach the first level of the eng menu (using the code 200519). Now, I'm trying to open the second level, as Leonkernan suggested.

Marco
 
In my MG4 SE SR (R21) I entered the engineering menu with ##4479#*, pressed 5 times in the bottom right, typed a casual string and then dumped the logs, but I couldn't get the password in any of the files.
I tried to reboot the head unit and also the whole car but no luck.
There are some lines that contain the "A9_Diag_" string but nothing like this:
Code:
A9_Diag_V1.0.0.58_P: [MainMenuModel] getRightPassword
PasswordFactory: getPassword origin sn - xxxxxxxxxxxxxx
PasswordFactory: getPassword ---> str_sn - xxxxxxxxxxxxxxx
PasswordFactory: getPassword ---> pwd = 12345678
If anyone has any enlightening solution to share I would be grateful because I'm at a dead end at the moment.
 
I wonder if they fixed that in the newer updates (Mine is an Australian R05).
When I get home from work I'll post the password from my car and we can see if it works for others.
(It changes daily)
 
Hello everyone and thank you for your work.
Here is what I have in the file: "logcat"
I don't see a clear password anywhere

08-23 16:36:30.235 4141 4141 I A9_Diag_V1.0.0.66_P: [MainMenuModel] getRightPassword
08-23 16:36:30.235 4141 4141 I PasswordFactory: getPassword origin sn =
08-23 16:36:30.235 4141 4141 E PasswordFactory: sn is empty!!!
08-23 16:36:30.235 4141 4141 I A9_Diag_V1.0.0.66_P: [MainMenuModel] getRightPassword
08-23 16:36:30.235 4141 4141 I PasswordFactory: getPassword origin sn = 7F4997AN9090162
08-23 16:36:30.235 4141 4141 I PasswordFactory: getPassword ---> str_sn = 7F4997AN90901620

I'm on a standard MG4 in R33.
Any idea?
Thx
 
There should be a line after like:
16707: 12-30 15:45:26.107 4081 4081 D PasswordFactory: getPassword ---> pwd = 18818315

If not then that pretty much confirms they removed it from the logs, because that's the second one I've seen who couldn't find it.
That's likely since yours is a9_diag version 1.0.0.66 and mine is v1.0.0.58

Edit 2nd October. Now we've got the APKs to disassemble, I don't need to leak my serial number any further. :)
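The posts above show the diagnostic app writing the serial number and the derived password to logcat, and members then pasting those lines into the forum. As an added example (not part of the original thread), here is a redaction pass to run over exported logs before sharing them. The `PasswordFactory` markers and both separator styles come from the excerpts above; the sample log, its values and the function name are constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Matches the value that follows "origin sn", "str_sn" or "pwd" on a
# PasswordFactory line, with either separator seen in the thread (" - " or " = ").
_LEAK = re.compile(r"(PasswordFactory:.*?\b(origin sn|str_sn|pwd)\s*[-=]\s*)(\S+)")

# Constructed sample log; serial and password are made-up placeholders.
SAMPLE = """\
01-02 10:00:00.000 4081 4081 I A9_Diag_V1.0.0.58_P: [MainMenuModel] getRightPassword
01-02 10:00:00.000 4081 4081 I PasswordFactory: getPassword origin sn =
01-02 10:00:00.000 4081 4081 E PasswordFactory: sn is empty!!!
01-02 10:00:00.001 4081 4081 I PasswordFactory: getPassword origin sn - TESTSERIAL00001
01-02 10:00:00.001 4081 4081 I PasswordFactory: getPassword ---> str_sn = TESTSERIAL000010
01-02 10:00:00.002 4081 4081 D PasswordFactory: getPassword ---> pwd = 12345678
"""

def redact_log(text, key=None):
    """Return (redacted_text, leaked_fields).

    Each secret is replaced by a short keyed tag, so identical values can still
    be correlated across lines without revealing them. The key is random per
    run unless one is supplied.
    """
    key = key or secrets.token_bytes(16)
    leaked = []

    def _mask(match):
        prefix, field, value = match.group(1), match.group(2), match.group(3)
        tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:8]
        leaked.append(field)
        return f"{prefix}<redacted {field} #{tag}>"

    clean = [_LEAK.sub(_mask, line) for line in text.splitlines()]
    return "\n".join(clean), leaked

if __name__ == "__main__":
    clean, leaked = redact_log(SAMPLE)
    print(clean)
    print("redacted fields:", leaked)
```
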
 
I tried with perplexity.ai, and the answer was:

To calculate the password for the date 2024-08-24 based on the provided serial number and previous passwords, we can analyze the pattern in the existing passwords.

Given Data

  • Serial Number: 7F9684AP6200268
  • Previous Passwords:
    • 2024-01-24: 40642125
    • 2024-01-23: 19006167
    • 2024-01-15: 16649426
    • 2024-01-05: 42651592

Observations

  1. Date Sequence: The passwords are associated with specific dates, and the passwords seem to change over time.
  2. Password Values: The passwords vary in a seemingly random manner, but they may follow a specific algorithm or pattern based on the date or serial number.

Analyzing Password Changes

The passwords appear to be numeric and may depend on a combination of the date and the serial number. However, without a clear mathematical or algorithmic relationship provided in the search results, we need to estimate the next password based on the last known password pattern.

Estimation Method

Given that the last password was for 2024-01-24, and the next date we need is 2024-08-24, we can observe that:
  • The passwords do not follow a simple linear progression.
  • The changes between the passwords do not reveal a straightforward arithmetic or geometric pattern.

Conclusion

Without a definitive pattern or formula derived from the previous passwords, it's impossible to accurately calculate the password for 2024-08-24 based solely on the information provided. If there is a specific algorithm or rule that connects the serial number and the previous passwords to generate a new password, that would be necessary to make an accurate prediction.
 
Is there a way to use some known exploits for the Android/Linux kernel (I'm assuming this doesn't run the latest version) to gain root escalation that way?

Would be great to know what kernel and Android version (along with security patches) this infotainment is running and focus on looking for exploits that may cover that.
 
I've tried a few of the basics and not gotten very far.
They've massively locked down their interface, so a lot of the standard Android stuff just isn't available.
Plugging in a keyboard didn't let me use any shortcut keys or anything either.
Holding the home button causes a restart, but no button combination has given access to recovery.

I have got the ability to replace the on device manual with custom html files and javascript is enabled, but I haven't found a way to write to anything other than the specific folder. The manual viewer app doesn't allow accessing other files on the filesystem.
 
Hello everyone, I also read somewhere that the on-board computers between the standard and luxury versions would be the same... if only we could activate features... that would be really good.

like wifi...connection sharing...
 
Would be great to know what kernel and Android version (along with security patches) this infotainment is running and focus on looking for exploits that may cover that.
Kernel version:
Code:
6,0,0,-;Booting Linux on physical CPU 0x0
5,1,0,-;Linux version 4.9.188 (nj-compile01@njcompile01-PowerEdge-R7515) (gcc version 4.9.x 20150123 (prerelease) (GCC) ) #1 SMP PREEMPT Wed May 31 12:36:16 CST 2023
6,2,0,-;Boot CPU: AArch64 Processor [410fd041]

Kernel command line:
Code:
5,31,0,-;Kernel command line: console=ttyS0,921600n1 initrd=0x4a000000,32M debugshell=1 printk.disable_uart=0 rootwait ro init=/initfast initcall_debug=0 earlycon=uart8250,mmio32,0x11002000 androidboot.console=ttyS0 androidboot.hardware=mt2712 loop.max_part=7 androidboot.selinux=enforcing  dm="1 vroot none ro 1,0 5159992 verity 1 PARTUUID=dafd8b07-ebca-4a53-9dc2-af9510081fb2 PARTUUID=dafd8b07-ebca-4a53-9dc2-af9510081fb2 4096 4096 644999 644999 sha1 388e52f190b89d90643948979fb767e34fe6c2a1 86866785e0f12d219bca7dc3bbf885ee26fcbd672dc26e849cc40533df1fda2d 10 restart_on_corruption ignore_zero_blocks use_fec_from_device PARTUUID=dafd8b07-ebca-4a53-9dc2-af9510081fb2 fec_roots 2 fec_blocks 650080 fec_start 650080" root=/dev/dm-0 androidboot.vbmeta.device=PARTUUID=4041b415-f55d-4406-8c4b-39d8d8e6f58e androidboot.vbmeta.avb_version=1.1 androidboot.vbmeta.device_state=locked androidboot.verifiedbootstate=green androidboot.vbmeta.hash_alg=sha256 androidboot.vbmeta.size=2496 androidboot.vbmeta.d
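The command line above carries the unit's boot-integrity settings: SELinux mode, Android Verified Boot state, and a dm-verity table for the root filesystem. As an added example (not part of the original post), this decoder turns such a line into a short posture summary. The sample string is constructed with the same structure as the one quoted; its PARTUUID, digest and salt are placeholders, and the function names are hypothetical.

```python
import shlex

# Constructed sample mirroring the structure of the command line quoted above;
# PARTUUID, root digest and salt are placeholders, not values from a real car.
UUID = "PARTUUID=00000000-0000-0000-0000-000000000000"
SAMPLE = (
    "console=ttyS0,921600n1 rootwait ro init=/initfast androidboot.selinux=enforcing "
    f'dm="1 vroot none ro 1,0 5159992 verity 1 {UUID} {UUID} 4096 4096 644999 644999 '
    f"sha1 {'a' * 40} {'b' * 64} 10 restart_on_corruption ignore_zero_blocks "
    f'use_fec_from_device {UUID} fec_roots 2 fec_blocks 650080 fec_start 650080" '
    "root=/dev/dm-0 androidboot.vbmeta.device_state=locked "
    "androidboot.verifiedbootstate=green androidboot.vbmeta.hash_alg=sha256"
)

VERITY_FIELDS = ("version", "data_dev", "hash_dev", "data_block_size",
                 "hash_block_size", "num_data_blocks", "hash_start_block",
                 "algorithm", "root_digest", "salt")

def parse_cmdline(cmdline):
    """Kernel parameters as a dict; shlex keeps the quoted dm="..." value whole."""
    return dict(tok.partition("=")[::2] for tok in shlex.split(cmdline))

def parse_verity(dm_value):
    """Decode the dm-verity target table carried in the dm= parameter."""
    f = dm_value.split()
    i = f.index("verity") + 1                      # first field after the target type
    table = dict(zip(VERITY_FIELDS, f[i:i + 10]))
    n_opt = int(f[i + 10]) if len(f) > i + 10 else 0
    table["optional"] = f[i + 11:i + 11 + n_opt]
    # Target length is in 512-byte sectors; it should equal the hashed data area.
    table["covers_target"] = int(f[i - 2]) * 512 == (
        int(table["num_data_blocks"]) * int(table["data_block_size"]))
    return table

def boot_posture(cmdline):
    """Summarise the integrity-related settings a reviewer would check."""
    p = parse_cmdline(cmdline)
    v = parse_verity(p["dm"])                      # KeyError if no dm= parameter
    return {
        "selinux": p.get("androidboot.selinux"),
        "bootloader": p.get("androidboot.vbmeta.device_state"),
        "verified_boot": p.get("androidboot.verifiedbootstate"),
        "root_on_verity": p.get("root") == "/dev/dm-0",
        "hash_tree_alg": v["algorithm"],
        "legacy_hash": v["algorithm"] in {"md5", "sha1"},   # deprecated digests
        "covers_target": v["covers_target"],
        "on_corruption": [o for o in v["optional"] if o.endswith("_on_corruption")],
        "fec": "use_fec_from_device" in v["optional"],
    }
```
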
 
I've tried a few of the basics and not gotten very far.
They've massively locked down their interface, so a lot of the standard Android stuff just isn't available.
Plugging in a keyboard didn't let me use any shortcut keys or anything either.
Holding the home button causes a restart, but no button combination has given access to recovery.

I have got the ability to replace the on device manual with custom html files and javascript is enabled, but I haven't found a way to write to anything other than the specific folder. The manual viewer app doesn't allow accessing other files on the filesystem.

This might be a good starting point. Given how they're using quite an old kernel, there might be some public exploit that could work with this.

That's assuming you could run the exploit.
 
