AP

Thanks guys for the clarification ... If I had a C6 w/ Nav ... I woul definately aid in the effort ...

I am surprise that Denso would make the code that difficult ... Has anyone tried to reverse engineer the code from the complied binaries?

If I had access to the Nav binaries ... it would not be that hard to get the codes ... that is how people did it on the Acura TL ... the just manually look at the Hex and figured the stuff out ...

TheDaveMan

That's what has been done, but the codes found so far that way will only let you go on a diag screen where you can't configure anything.

ein Tier

We have, but we don't have the proper tools to do much, and there doesn't appear to be anyone here specialized enough with IDA Pro and deconstructing Denso's machine code.

I have figured out this much. Denso uses some kind of "building block" code builder. There are too many hooks and empty pathways and "useless" code inside any of the Denso loading files I've been able to pick apart -- and too many similarities for vastly different units. You can find the same code and same keywords in the Pioneer AVIC series of navigation systems as you can in ours. Even keywords that should not exist in ours because we don't have that functionality.

What I imagine is that for simplicity's sake, they have a "skeleton tree" that they work from. This is a code base that goes into every Denso nav unit. Then they pick an external "look" that narrows down what software can be attached to the tree -- this is why the Corvette nav and Land Rover nav look so similar despite the fact that one is in a GM product and one is under the Ford umbrella.

Once that's done, requested features can be attached to the "tree", like DVD playback, air conditioning/heater controls, XM Traffic, MP3 playback, etc.

That should spit back a parts list for the manufacturing of the navigation unit itself. For instance, if "DVD Playback" wasn't added to the tree, then the daughterboard to control that is left off. Certain external packaging would preclude the use of certain features, as there simply would no room and no plug on the hardware.

At that point, it's just a matter of very minor customization -- changing the graphics, the colors, the fonts, and probably setting which features are unlocked with which codes, and what "hot spots" are used to input the codes. There's probably even a "show nag screen" flag that can be set.

It feels like we're close, but I think that any serious hacking is going to require the use of leaked Denso software tools. The upside is that if we can completely crack one of these, we can likely crack ALL of these -- and there's a lot of Denso units in a lot of different products.

I've figured out a lot, and I found the magic numbers, but I've hit my end until someone else makes some forward progress.

AP

It makes me wonder if anyone at Denso is monitoring this thread ... and changing the code tree as we try to hack into it ...

I would bet that if the Pioneer unit has the same code base, then getting their code would help a whole lot also ....

So ... all we now need is a corrupt Denso developer ...

ein Tier

Believe me, I've tried to find one. Every developer I've found that has worked on the project won't return my emails or phone calls.

BlackHawk#36

Wow you guys have been working on this hack for a while.
I do have a question here... I installed a Pioneer navigation system into the wife's SUV and avoided this "having to stop and pull the e-barke problem" via the way I wired it in.
In the Pioneer's wiring there is a connection that goes to the parking brake sensor... The same switch that tells the light on the dash to illuminate if the e-brake is enganged. Of course, if you just take this wire and hook it directly to a 12v source instead, the Navigation unit thinks that the e-brake is always engaged and unlocks the ability to program on the go. Nothing else is altered and it will still give speed readings and evertything.

The Denso unit might not be that simple... But has anyone looked into the wiring of the unit? There might be a really simple solution like that in there.

ein Tier

The way our units detect "in motion" is from a wire that feeds in velcoity data from the driveline. Some have indeed modified their systems so that a toggle switch shuts off this signal. While it is deactivated you lose some dead reckoning accuracy. I know for a fact it works in the Infiniti line of autos, but I think someone said it caused problems in ours.

Gov'sGuy

I've been following your posts for months.

I just wanted to say thanks for the effort. And if you aren't making progress you're at least entertaining.

Keep it up.

Al

ein Tier

I make a run at it every so often. If there's anyone who can translate Russian or Japanese, it would be a HUGE help -- there are many sites talking about loading.kwi files in those languages, but I'm illiterate in the two, and tools like bablefish don't work well on technical articles.

RAP

One of the most popular threads on the forum. You would think someone would be able to drop us a hint. It is apparent that we aren't giving up till the solution is found. (Not that I'm any help)

ein Tier: as our resident expert on the crack, have you been in regular contact with any of the other hackers from the other car forum hackers with similar Denso products? I was wondering if any of them may have had some success or if you compared notes, possibly with some of the Japanese makers as you stated a lot of the sites are in Japanese.

yell01

My cousins husband is a mechanic for Chevy and I asked him about it and he's talked to the other mechanics and he told me it absolutely cannot be done. I can get into my Lexus nav to override it very easily, but not on the Vette.

ein Tier

A bit. I wish I had found Sonar Tech from the Caddy forums a year or so ago. I actually met with him in person a few times and we discussed our theories. He's a MS engineer specializing in reverse engineering of embedded technology and would have been a very valuable resource if I could have caught him before he got disinterested in the project and sold his Cadillac.

He's the only person I know who's actually taken his navigation system apart, taken photos, and thought seriously about extracting chips and their code. He wasn't afraid to "brick" his system either.

The pioneer AVIC forums people have made pretty good headway customizing their graphics and overriding controls and finding hacks, but their disc structures are subtly different than ours, and the entire system is much more "hack friendly". No one there has been helpful about revealing their sources and methods.

No one else has contacted me, and the other forum members seem to be mostly building off what Sonic Tech started and we continued here. We're pretty much the "experts" regarding the Denso navigation system.

ein Tier

I wouldn't go that far.

The Range Rover uses a very similar derivative of our navigation system (it's closer to ours than the ones used in Cadillacs) and putting 751 in their keypad screen unlocks navigation while driving. It was found by brute force -- no one at LR was aware of its existance.

It's very likely we have a similar code. Just because I was only able to extract three codes does not mean there aren't more. However, brute forcing is problematic. First, there's literally a million combinations (six digits, including 000000). Second, you have to actually enter the code and then drive or enter it while driving. Third, even if we assign blocks of numbers like the Cadillac forum did (that's how they found their 1791 code), we have no way of verifying that the numbers were tested correctly. Fourth, we tried the block assigning and it didn't go far as there were only about three of us actively trying codes. We didn't even make it to 660, if that tells you anything.

I do think there are codes left to be found.

maugli

Use IDA + MIPS CPU, guys.

For example, first function from GE12 MIUT FILE module:

Module virtual start address: 30600000
Module entry point: 306000F0

seg002:306000F0 sub_306000F0:
seg002:306000F0 addiu $sp, -0x68
seg002:306000F4 sw $ra, 0x68+var_4($sp)
seg002:306000F8 sw $s6, 0x68+var_50($sp)
seg002:306000FC sw $s5, 0x68+var_54($sp)
seg002:30600100 sw $s4, 0x68+var_58($sp)
seg002:30600104 sw $s3, 0x68+var_5C($sp)
seg002:30600108 sw $s2, 0x68+var_60($sp)
seg002:3060010C sw $s1, 0x68+var_64($sp)
seg002:30600110 sw $s0, 0x68+var_68($sp)
seg002:30600114 sw $fp, 0x68+var_4C($sp)
seg002:30600118 li $fp, 0x68000300
seg002:30600120 la $a0, aFile2 # "FILE2"
seg002:30600128 jal sub_30604F5C
seg002:3060012C li $a1, 0
seg002:30600130 jal sub_3060504C
seg002:30600134 li $s0, 0
seg002:30600138 lui $v1, 0x6800
seg002:3060013C addiu $s1, $v1, 0x400
seg002:30600140 li $s2, 0x20 # ' '
seg002:30600144
seg002:30600144 loc_30600144: # CODE XREF: sub_306000F0+74j
seg002:30600144 move $a0, $s1
seg002:30600148 li $a1, 0xFF
...

LR Visitor

As an LR3 owner who has been searching for his own answers concerning our Nav Sys I have read this thread with great interest. Buffy and Ein, you are doing some fine work and I believe you will succeed eventually. Good Luck. The 1791 code does work on my system and I have used it occaionally.

I have posted on this forum because I think that this is the most likely place to decode the Nav Data when somebody gives it a shot.

Buffy stated in an earlier post

"As far as taking the Kiwi files apart and getting at the nav data, it shouldn't be too hard, but would take some time and wouldn't be that much use unless we wanted to write our own nav system."

There is interest on the LR forums in creating our own maps because there are quite a few of us operating in areas of nil, limited or incomplete coverage.

I wish I could decode these files myself, but I can't and it doesn't seem like there is anyone on the LR forums that has the technical knowledge I have read of here, so I have come to the 'Vette forum searching for assistance.

If you fellas decide to give the quest for crack codes a sabbatical and are up to a new, and perhaps equally fulfilling challenge, I know the LR community would greatly appreciate your efforts.

LR Visitor
2006 LR3 HSE

crosborne

What is that for non-programmers?

burtonbl103

Glad to see this thread is still running !

clownmagician

Love you guys for trying to solve this.

Barrie Strachan

I tried the hidden button as described by others and got the keypad all right, but none of the numbers I tried did anything.

Something else to think about: the nav/entertainment system has to get a signal somewhere to tell it the car is moving, which locks out the DVD player and being able to enter addresses and such in the nav system. It might be worth looking at the schematics to see if there is an obvious signal line for this. Or, it may be a data word that comes in as a bunch of 1's and 0's on the LAN that connects the alleged 17 microprocessors in the car.

Barrie Strachan

Oops! I didn't see the last page of this thread where my comment was already covered. Sorry.