From mystery firmware → Allwinner V851S3, Tina Linux, SWUpdate & SquashFS
Wireless CarPlay "4-in-1" adapters are everywhere: small USB dongles that magically turn a wired infotainment system into wireless CarPlay and Android Auto. Sold under dozens of brand names with virtually no technical documentation.
This post documents a complete reverse-engineering journey of one such adapter, starting with a vague firmware image and ending with a full understanding of the update mechanism, boot format, operating system, root filesystem, and the actual SoC behind the product.
The investigation started with a firmware file named update.img, associated with a "Ziyun series" wireless CarPlay adapter. Early hints surfaced identifiers like LY3370, but nothing clearly pointed to a known processor or platform. Time to dig deeper.
.swu ContainerA hex dump of the firmware immediately revealed readable ASCII strings: update.swu and sw-description. This pointed directly to SWUpdate — a well-known open-source embedded Linux update framework.
The extracted kernel file opened with the magic string ANDROID!, identifying it as an Android boot image. Despite the name, this does not imply Android userspace — the format is simply reused as a container for a bare Linux kernel.
Parsing the boot image header revealed the embedded product name:
v851s3-lybox_rtl
The string v851s3 directly identifies the platform as Allwinner V851S3 — an ARM Cortex-A7 SoC commonly used in compact embedded Linux systems.
LY3370 is a board/project identifier from the OEMThe Android boot image claimed a ramdisk of just 12 bytes. Dumping those bytes revealed a simple placeholder:
ramdisk.img\nThis is intentional. The system uses no initramfs — the kernel mounts its root filesystem directly from a separate partition.
The customer image turned out to be a SquashFS filesystem:
The same hardware and firmware stack ships under many product names. A vulnerability in one brand likely affects all the others — patch availability depends on the OEM, not the reseller.
Linux kernel, BusyBox/OpenWrt-derived userspace, SWUpdate. Good for transparency — but only if vendors actually keep them updated.
Immutable FS improves reliability and boot speed, but security fixes require full firmware updates. If vendors stop shipping updates, known vulnerabilities remain unpatched indefinitely.
Wi-Fi, Bluetooth, USB, direct interaction with the infotainment system. This device should be threat-modeled like any other networked embedded computer — not a passive cable replacement.
With the SquashFS root extracted, a full static credential scan was run across all text files, shell scripts, binaries (via strings), and kernel modules. Several findings stand out.
ota/www/cgi-bin/index.cgi contains a static Alibaba Cloud Access Key ID compiled directly into the binary. It is used to authenticate against Alibaba STS to generate temporary credentials for uploading firmware and logs to OSS buckets.
AccessKeyId : LTAI5tPPbTZ5JjXvbGWnHe6g
Account ID : 1869969722566981
Role ARN : acs:ram::1869969722566981:role/ramosstest
Session name : user01
STS endpoint : https://sts.aliyuncs.com
Sig method : HMAC-SHA1The role name ramosstest strongly suggests a development/test role left in production firmware. The OSS buckets targeted are cpbox (Shenzhen, China) and cpbox-abroad (US West). Every device running this firmware ships the same key ID — extractable by anyone with a screwdriver and a copy of strings.
The same CGI binary contains the string wangyanshen immediately adjacent to the credential block, and references the company domain liaoyuan.tech. This is consistent with a developer username or internal identifier compiled in at build time rather than injected at runtime.
lylinkapp include startCp psk = %s, startCp ssid = %s, and startCp bssid = %s. The device logs the phone's Wi-Fi PSK in plaintext to logcat at connection time. The OTA web interface exposes a /cgi-bin/index.cgi?id=logcat endpoint that returns a compressed logcat dump — meaning the PSK is retrievable over the local network from any device connected to the adapter's AP.The BusyBox httpd config (ota/httpd.conf) is minimal — no auth directives, no TLS. The CGI endpoint accepts firmware uploads, triggers reboots, reads/writes MTD partitions, retrieves logcat, and can switch the device between AP and P2P Wi-Fi modes. All of this is accessible to any client on the same network segment as the adapter with zero credentials required.
H:/usr/ota/www
E404:index.htmlMultiple shell scripts (lyLoadModule.sh, p2p.sh, ly_wifi_mode.sh) fall back to hardcoded network values when environment variables are unset. These are predictable across all devices of this type.
AP IP : 192.168.1.101 / 255.255.255.0
P2P IP : 192.168.43.1 / 255.255.255.0
P2P freq: 2437 MHz (2.4GHz ch6) or 5180 MHz (5GHz).pem, .key, .crt, or .p12 files. Runtime credentials (STS tokens, session PSKs) exist only in memory and writable partitions not present in this image.What began as an opaque consumer gadget turned out to be a well-structured, understandable embedded Linux system — with all the power and responsibility that implies.