Saturday, May 26, 2007

Hacking TomTom

I bought a TomTom 910. It sucks the ass of the Garmin Nuvi 660; literally can't compete on any feature, from traffic to navigation to even the remote control. Turns out the sole advantage it has over other's is the 20gig drive that you can load up with music. That's cool, but turns out I already have a big ole iPod for that anyhow. Soo,.... I was thinking of returning this crap . I mean seriously, they haven't put *any* thought into it, right down to the black plastic case (for a system designed to sit on a windshield that ain't too smart).

Well, I may actually end up keeping this thing. Turns out it’s very hackable. I don’t mean hackable as in OpenTom, I mean they’re just plain sloppy about stuff.

For instance, they keep system shell files in /mnt/sd, which is the volume that’s displayed when you mount it as a USB drive. Here’s what I found:

Under the PPP directory they maintain shell scripts to perform PPP/CHAP authentication (since you dial in via your cellphone for traffic updates). I don’t see a reason to keep these in a user mountable volume, but they did. Actually, I now see a benefit to it: you can self configure your phone connection much easier than using the interface on the hardware itself. And trust me, if you’re in the US using a smartphone (like say, the wickedly popular T-Mob MDA or other HTC device that’s so popular amongst US based geeks now) you’ll be manually configuring your connection.

Here are the files:

Volume in drive F is TomTom Disk
Volume Serial Number is 4371-ED7D

Directory of F:\ppp

04/30/2007 06:56 PM -DIR- .
04/30/2007 06:56 PM -DIR- ..
05/26/2007 03:28 PM 268 ip-up
05/26/2007 03:28 PM 53 ip-down
05/26/2007 03:28 PM 375
05/26/2007 03:28 PM 185 gprs-disconnect-chat
05/26/2007 03:28 PM 6 pap-secrets
05/26/2007 03:28 PM 6 chap-secrets
05/26/2007 03:28 PM 293 gprs-connect-chat
05/26/2007 03:28 PM 302 ttgobuddy-ppp-peers
05/26/2007 03:28 PM 112
9 File(s) 1,600 bytes
2 Dir(s) 9,462,497,280 bytes free


They do stuff like turn up a loopback interface, etc … the basics. They initalize when you try to connect via the phone for traffic updates etc.

So, in one of these scripts I slipped a little “mkdir n074h4x0r, cp /etc/* /mnt/sd/n074h4x0r“ and sure enough, I now have a copy of the /etc dir in userland for me to see … now I have direct access to the entire system without going through the trouble of building serial connectors, etc. like the OpenTom folks did (I’m not dissing them, I just don’t have the time or interest in going to the extent they did).

Interesting little device, and boy are they sloppy. BTW /etc/passwd contains one entry, and I bet you can figure out what it looks like


Post a Comment

Links to this post:

Create a Link

<< Home