• This section is for help and assistance with 2018 and NEWER Buick Regals. If you need assistance with a 2011-2017 Buick Regal, CLICK HERE. If you need assistance with a 2010 or older Buick Regal, CLICK HERE. This notice may be dismissed by clicking the X in the right corner.
  • Car enthusiast? Join us on Cars Connected! iOS | Android | Desktop

TSB 19-NA-100 Radio Software Version 22.8 and TSB 19-NA-249 Favorites Grayed Out- Nov 4, 2019

pioadam said:
Np! Didn't dig too deep in those files, but it seems that we should be able to edit build version so we can cheat the version check and install custom OS with same base image. It have been a while since I've build my last custom android for Samsung, but we are on Android 5.1.1 so there is huge chance for rooting and enabling sideload. For sure will look in it, any specific app you'd like to install? Maybe we could add it to the build 🙂
Click to expand...
I'd love to install Highway Rader primarily and Torque Pro. Just makes sense to run those directly in the car. But there are ram considerations tho. I think I read somewhere our cars have 2gb ram. But if it's rootable then it can be configured to use the USB port as swap
 
pioadam said:
Guys, enjoy:
Microsoft OneDrive
Re-upload of 22.10 + modded 22.11 - I wasn't able to install it from image provided by @AWD 2.0T ('failed to download' error), but with some small mods I've successfully upgraded to 22.11 🙂
One thing to mention - on my mod there is missing finall reboot, so after 10min of black screen I've decided to push ON button and unit booted up properly.
Click to expand...
thx a lot ..... car updated on each version . thx
 
Small update on Android hacking:
- I've pasted cxfile explorer to /system/app (mounted file 85515572 as EXT4 in linux with R/W). Operation was successful but installation failed due to error:
"The following update file is invalid 58815568.mnf". Mentioned file seems to be Manifest, and there is an encoded part in the header, probably checksum :/
Moreover file 85515569.smd contains filehash and filehash with RSA:

-----BEGIN SHA256 SW PN 85515572-----
4BiRdiww9bzgOm1gBVNzZZGE687h5MKYLb1X241//T0=
-----END SHA256 SW PN 85515572-----

-----BEGIN sha256WithRSAEncryption SW PN 85515572-----
HMF+hjh4fKaaFvCArzlOareaVKxPkQLFrlAPC2aiYGlvRpp7IhYkQWcs4SzseUA/Qfdm96n7LAMC
NtryzIyRjqmm5jtnO3gqCI+XtkxpCKH2n1zr1lU6iEegZNeBE2ObFJMW7C/GW1e3tJdQj6E/nB7I
8ZMGsEywPhCFeFeB1UBaxoUngsHfNwkpsqSjBr9XK61o7ctFHhWPKtOHcgnEYRgxro0J2UhL5xiQ
Wx3V1+XwOF4PMN14sW0NJiNydtSCLvtX70ZoCJcKFSPDAxOYtkWN8xXskklPur2w3+6Rq1jxbO6C
SCCpyqCXhEE8DDIlTXmtJyrO7CGGe5lYEacCjQ==
-----END sha256WithRSAEncryption SW PN 85515572-----

I've tried to calculate SHA256 for original file, but received different sum, so I'm doing something wrong or this SHA is already salted. Still, considering that sha256 with RSA is checked during the installation, it's a dead end as we don't have private key to sign the hash. 🙁

I've looked around this locked ADB - it's not only a flag in config - there is separate service running - "gm_security". I've also seen in one file that there is whitelist for approved APKs, unfortunately located in /DATA, so I don't have image of this partition and can't confirm it.
Going with "official" way is also useless - we can get GMTool for dev, but we need to register car's VIN and will be able to ADB only via GM server, car needs to be connected to WiFi and when connections is closed our changes will be reverted (that's what I've understood from GM Dev page).

Now I'll look for some CVEs that could be executed on our headunits, same way Honda Civic was hacked (autohack[.]org) but Honda OS is based on Android 4.1 while we use 5.1.1 so fingers crossed! If I remember correctly our security updates were from 2016 so we have a chance to find something that will work 😉

One more interesting finding:
Boot animations are located in:
84529440\resource\ro\anim\
8 - Vauxhall black
7 - Opel
6 - Vauxhall red
5 - Buick
3 - GMC
0 - Cadillac
so swapping folder names should allow us to change the boot animation and there is a chance, that we will pass verification as no new files will be added.
 
Last edited:
pioadam said:
Small update on Android hacking:
- I've pasted cxfile explorer to /system/app (mounted file 85515572 as EXT4 in linux with R/W). Operation was successful but installation failed due to error:
"The following update file is invalid 58815568.mnf". Mentioned file seems to be Manifest, and there is an encoded part in the header, probably checksum :/
Moreover file 85515569.smd contains filehash and filehash with RSA:

-----BEGIN SHA256 SW PN 85515572-----
4BiRdiww9bzgOm1gBVNzZZGE687h5MKYLb1X241//T0=
-----END SHA256 SW PN 85515572-----

-----BEGIN sha256WithRSAEncryption SW PN 85515572-----
HMF+hjh4fKaaFvCArzlOareaVKxPkQLFrlAPC2aiYGlvRpp7IhYkQWcs4SzseUA/Qfdm96n7LAMC
NtryzIyRjqmm5jtnO3gqCI+XtkxpCKH2n1zr1lU6iEegZNeBE2ObFJMW7C/GW1e3tJdQj6E/nB7I
8ZMGsEywPhCFeFeB1UBaxoUngsHfNwkpsqSjBr9XK61o7ctFHhWPKtOHcgnEYRgxro0J2UhL5xiQ
Wx3V1+XwOF4PMN14sW0NJiNydtSCLvtX70ZoCJcKFSPDAxOYtkWN8xXskklPur2w3+6Rq1jxbO6C
SCCpyqCXhEE8DDIlTXmtJyrO7CGGe5lYEacCjQ==
-----END sha256WithRSAEncryption SW PN 85515572-----

I've tried to calculate SHA256 for original file, but received different sum, so I'm doing something wrong or this SHA is already salted. Still, considering that sha256 with RSA is checked during the installation, it's a dead end as we don't have private key to sign the hash. 🙁

I've looked around this locked ADB - it's not only a flag in config - there is separate service running - "gm_security". I've also seen in one file that there is whitelist for approved APKs, unfortunately located in /DATA, so I don't have image of this partition and can't confirm it.
Going with "official" way is also useless - we can get GMTool for dev, but we need to register car's VIN and will be able to ADB only via GM server, car needs to be connected to WiFi and when connections is closed our changes will be reverted (that's what I've understood from GM Dev page).

Now I'll look for some CVEs that could be executed on our headunits, same way Honda Civic was hacked (autohack[.]org) but Honda OS is based on Android 4.1 while we use 5.1.1 so fingers crossed! If I remember correctly our security updates were from 2016 so we have a chance to find something that will work 😉

One more interesting finding:
Boot animations are located in:
84529440\resource\ro\anim\
8 - Vauxhall black
7 - Opel
6 - Vauxhall red
5 - Buick
3 - GMC
0 - Cadillac
so swapping folder names should allow us to change the boot animation and there is a chance, that we will pass verification as no new files will be added.
Click to expand...
My Instrument cluster boots with Opel Boot animations - However I could not figure out how to change the infotainment boot to Opel. Even White Automotive & Media Services. WAMS doesn't offer this service.
 
______________________________

Help support this site so it can continue supporting you!
I wasn't able to find any config file that use this path, need to dig deeper, but looking at whole image I could assume, that GM is using single firmware for all cars running this headunit. Maybe software is detecting car brand by VIN? Tomorrow I'll try to manipulate paths for animations and compare SHA256. One thing I'm afraid is journal file, it will create new lines after modifications so probably image hash will change :/
 
pioadam said:
Small update on Android hacking:
- I've pasted cxfile explorer to /system/app (mounted file 85515572 as EXT4 in linux with R/W). Operation was successful but installation failed due to error:
"The following update file is invalid 58815568.mnf". Mentioned file seems to be Manifest, and there is an encoded part in the header, probably checksum :/
Moreover file 85515569.smd contains filehash and filehash with RSA:

-----BEGIN SHA256 SW PN 85515572-----
4BiRdiww9bzgOm1gBVNzZZGE687h5MKYLb1X241//T0=
-----END SHA256 SW PN 85515572-----

-----BEGIN sha256WithRSAEncryption SW PN 85515572-----
HMF+hjh4fKaaFvCArzlOareaVKxPkQLFrlAPC2aiYGlvRpp7IhYkQWcs4SzseUA/Qfdm96n7LAMC
NtryzIyRjqmm5jtnO3gqCI+XtkxpCKH2n1zr1lU6iEegZNeBE2ObFJMW7C/GW1e3tJdQj6E/nB7I
8ZMGsEywPhCFeFeB1UBaxoUngsHfNwkpsqSjBr9XK61o7ctFHhWPKtOHcgnEYRgxro0J2UhL5xiQ
Wx3V1+XwOF4PMN14sW0NJiNydtSCLvtX70ZoCJcKFSPDAxOYtkWN8xXskklPur2w3+6Rq1jxbO6C
SCCpyqCXhEE8DDIlTXmtJyrO7CGGe5lYEacCjQ==
-----END sha256WithRSAEncryption SW PN 85515572-----

I've tried to calculate SHA256 for original file, but received different sum, so I'm doing something wrong or this SHA is already salted. Still, considering that sha256 with RSA is checked during the installation, it's a dead end as we don't have private key to sign the hash. 🙁

I've looked around this locked ADB - it's not only a flag in config - there is separate service running - "gm_security". I've also seen in one file that there is whitelist for approved APKs, unfortunately located in /DATA, so I don't have image of this partition and can't confirm it.
Going with "official" way is also useless - we can get GMTool for dev, but we need to register car's VIN and will be able to ADB only via GM server, car needs to be connected to WiFi and when connections is closed our changes will be reverted (that's what I've understood from GM Dev page).

Now I'll look for some CVEs that could be executed on our headunits, same way Honda Civic was hacked (autohack[.]org) but Honda OS is based on Android 4.1 while we use 5.1.1 so fingers crossed! If I remember correctly our security updates were from 2016 so we have a chance to find something that will work 😉

One more interesting finding:
Boot animations are located in:
84529440\resource\ro\anim\
8 - Vauxhall black
7 - Opel
6 - Vauxhall red
5 - Buick
3 - GMC
0 - Cadillac
so swapping folder names should allow us to change the boot animation and there is a chance, that we will pass verification as no new files will be added.
Click to expand...
Thank you for what you've done so far. And I concur that the cve route might be the only real option. I've installed the GM developer apps as well. But seeing that it appears to run apache that might be a viable vector
 
ascii42 said:
I took mine to the dealer on Friday and stated that I had the issues of the reverse lines disappearing and the clock in the DIC being wrong. They weren't able to replicate the reverse line issue and "fixed" the clock by setting it to not display 🙄, so they didn't try installing the update. I downloaded your files, put them on a USB stick, and it worked just like you said. Thank you.
Click to expand...
Responded to wrong person apparently*** 😂

Do you still by any chance have the files to do this? Bought my 19’ Regal Sportback Essence 2 awd and the radio has only CarPlay issues. Stuck on 21.1. Would love to update myself ☺️
 
MisterAndi_R said:
Responded to wrong person apparently*** 😂

Do you still by any chance have the files to do this? Bought my 19’ Regal Sportback Essence 2 awd and the radio has only CarPlay issues. Stuck on 21.1. Would love to update myself ☺️
Click to expand...
If no one else responds I'll upload it to my OneDrive and post the link
 
CNYmetalGuy said:
If no one else responds I'll upload it to my OneDrive and post the link
Click to expand...
I would definitely appreciate it too, just dealt with My local dealership this week about it, still haven’t been able to get the update
 
______________________________

Help support this site so it can continue supporting you!
diplocentrus said:
I would be forever grateful if I could get the files! Been looking for this for 5 years now.
Click to expand...
I have both updates: version 22.10 and version 22.11. Which version do you need?
 
______________________________

Help support this site so it can continue supporting you!
You must log in or register to reply here.

Cars Connected in the Apple App Store Cars Connected in the Android App Store
Great products:
- VIN Check
- Windshield repair kit
- Clean your leather!
- Safe Emergency Charging
- Chemical Guys HydroSpeed Ceramic Quick Detailer
- Chemical Guys HydroCharge High-Gloss Hydrophobic SI02 Ceramic Spray Coating
- Get a dash cam!
- Auto Buyers Market
- Foreign invaders vs USA gangs
Protect your vehicle from code scanners #ad

Share this page

Back
Top