Cracking the NAV - What we know so far
11-21-2006, 05:29 AM
#1
Racer
Thread Starter
Member Since: Jun 2006
Location: Mulhouse FRANCE
Posts: 254
Likes: 0
Received 0 Likes
on
0 Posts
Cracking the NAV - What we know so far
Hello,
LAST UPDATE : 11/21/2006
As mentionned in one of the longest running thread on this forum (http://forums.corvetteforum.com/..1204336), it would be a good idea to sum up on a few posts what we know about the NAV system in the C6 and try to keep it short and updated so poeple can get a quick view of what we know and the progress that we are making (or not making).
So this is why I decided to start that thread. By no means I'm trying to get credit for what has been found, since all of this has not been found by me.
Right now I'm trying to dissassemble the code (thanks to tools and the help given to me by einTier), but this has not been very succesful so far.
So enough with the talk, as of November 21st, 2006, here's what we know :
- The unit is made by a Japanese company called Denso. So is the units found in other GM brands, Lexuses, Toyotas, Land-Rovers,...
- There is a DIAG screen that can be accessed when going in the NAV screen, then going into MENU and then touching the screen and holding your finger for 5 seconds a bit right to the yellow Nav. Menu that is on top (about half an inch right of the word Menu)
- From that DIAG menu, there are 3 codes that are known to be working : 660, 9448, and 295660
- The difference between the 3 codes are little:
660 : diagnostic menus, no back button to go back to the menus (you have to turn off the car to exit this screen)
9448 : diagnostic menus plus a button to update the software and a back button to go back to the menus
295660 : diagnostic menus, no software update button but a back button to get back to the menus
- When going into the DIAG screens and back to the menus (if you use code 9448 or 295660), the hard button on the left of the unit are not backlit anymore until you turn off and on the car
- Nothing in the DIAG screens that let us use the NAV while moving, nothing about playing video DVD either (there are really only diagnostic tools there).
- Other Denso units found in other brands have different diag codes. What work for one unit is not working on ours. There are codes on Lexuses, Toyotas, Range Rover that enable address input while moving or DVD play, so there is hope we can find a similar thing on the C6 unit.
- On Toyotas that have the Denso unit wihtout the touchscreen, the access to the diag screen is different. You need to use a combination of things, like left signal, lights on/off... (I don't know the exact combination).
Let me know if you want me to update this post and put more useful information there.
LAST UPDATE : 11/21/2006
As mentionned in one of the longest running thread on this forum (http://forums.corvetteforum.com/..1204336), it would be a good idea to sum up on a few posts what we know about the NAV system in the C6 and try to keep it short and updated so poeple can get a quick view of what we know and the progress that we are making (or not making).
So this is why I decided to start that thread. By no means I'm trying to get credit for what has been found, since all of this has not been found by me.
Right now I'm trying to dissassemble the code (thanks to tools and the help given to me by einTier), but this has not been very succesful so far.
So enough with the talk, as of November 21st, 2006, here's what we know :
- The unit is made by a Japanese company called Denso. So is the units found in other GM brands, Lexuses, Toyotas, Land-Rovers,...
- There is a DIAG screen that can be accessed when going in the NAV screen, then going into MENU and then touching the screen and holding your finger for 5 seconds a bit right to the yellow Nav. Menu that is on top (about half an inch right of the word Menu)
- From that DIAG menu, there are 3 codes that are known to be working : 660, 9448, and 295660
- The difference between the 3 codes are little:
660 : diagnostic menus, no back button to go back to the menus (you have to turn off the car to exit this screen)
9448 : diagnostic menus plus a button to update the software and a back button to go back to the menus
295660 : diagnostic menus, no software update button but a back button to get back to the menus
- When going into the DIAG screens and back to the menus (if you use code 9448 or 295660), the hard button on the left of the unit are not backlit anymore until you turn off and on the car
- Nothing in the DIAG screens that let us use the NAV while moving, nothing about playing video DVD either (there are really only diagnostic tools there).
- Other Denso units found in other brands have different diag codes. What work for one unit is not working on ours. There are codes on Lexuses, Toyotas, Range Rover that enable address input while moving or DVD play, so there is hope we can find a similar thing on the C6 unit.
- On Toyotas that have the Denso unit wihtout the touchscreen, the access to the diag screen is different. You need to use a combination of things, like left signal, lights on/off... (I don't know the exact combination).
Let me know if you want me to update this post and put more useful information there.
Last edited by TheDaveMan; 11-21-2006 at 03:18 PM.
11-21-2006, 12:05 PM
#4
Intermediate
Member Since: Sep 2005
Location: San Diego CA
Posts: 39
Likes: 0
Received 0 Likes
on
0 Posts
I applaud the extra effort that you guys have been putting toward solving this problem.
What do these three codes do?
Originally Posted by TheDaveMan
- From that DIAG menu, there are 3 codes that are known to be working : 660, 9448, and 295660
11-21-2006, 01:59 PM
#6
Instructor
Member Since: Aug 2006
Location: Crystal Lake Illinois
Posts: 107
Likes: 0
Received 0 Likes
on
0 Posts
Originally Posted by BlackHawk#36
I applaud the extra effort that you guys have been putting toward solving this problem.
What do these three codes do?
What do these three codes do?
11-21-2006, 02:12 PM
#7
Moderator
Member Since: Dec 2002
Location: Lakewood Ranch, FL
Posts: 40,056
Received 3,570 Likes
on
1,615 Posts
Originally Posted by Geech
I feel like we just stumbled onto the numbers from LOST.
11-21-2006, 02:39 PM
#8
Racer
Thread Starter
Member Since: Jun 2006
Location: Mulhouse FRANCE
Posts: 254
Likes: 0
Received 0 Likes
on
0 Posts
Originally Posted by BlackHawk#36
What do these three codes do?
There are slight difference on the menus depending which of the three codes you use. We hope to find a code that shows extra menus like : override warnings (to let you use the gps while moving), play dvd, ...
11-23-2006, 10:01 AM
#14
Racer
Thread Starter
Member Since: Jun 2006
Location: Mulhouse FRANCE
Posts: 254
Likes: 0
Received 0 Likes
on
0 Posts
Originally Posted by Big Jimm
Is there really a need - or wide interest in - breaking this code?
Big Jimm
So. Fla.
Big Jimm
So. Fla.
Personnaly, I miss the ability to input destinations while moving (which I have on my other cars). So I'm willing to look into it just for me, but I'll be more than glad to share it with the world if someone is interested too (that is, if I find a way to do it, which is not that certain for now, considering how small is my progress in the area so far).
Watching a DVD from the unit would be fun, but not that critical to me.
Last edited by TheDaveMan; 11-23-2006 at 10:08 AM.
11-23-2006, 10:05 AM
#15
Le Mans Master
Originally Posted by TheDaveMan
Well looking at the number of posts and views of the original thread, I'd say there is (probably the longest and most viewed thread in this forum).
Personnaly, I miss the ability to input destinations while moving (which I have on my other cars). So I willing to look into it just for me, but I'll be more than glad to share it with the world if someone is interested too (that is, if I find a way to do it, which is not that certain for now, consdering how small is my progress in the area so far).
Watching a DVD from the unit would be fun, but not that critical to me.
Personnaly, I miss the ability to input destinations while moving (which I have on my other cars). So I willing to look into it just for me, but I'll be more than glad to share it with the world if someone is interested too (that is, if I find a way to do it, which is not that certain for now, consdering how small is my progress in the area so far).
Watching a DVD from the unit would be fun, but not that critical to me.
11-23-2006, 10:53 AM
#16
Melting Slicks
Member Since: Jan 2006
Location: Columbus Georgia
Posts: 2,796
Likes: 0
Received 0 Likes
on
0 Posts
I have enough to do, not driving, to setup the NAV. I wouldn't trust myself while moving. However, all of you that can walk and chew gum at the same time--GOOD LUCK.
11-23-2006, 11:10 AM
#18
Team Owner
Originally Posted by Lightning Coyote
I have enough to do, not driving, to setup the NAV. I wouldn't trust myself while moving. However, all of you that can walk and chew gum at the same time--GOOD LUCK.
I'd be elated if we could just crack the code that forces us to "Agree" every time we get into the car. I have two cars with Navigation, and if I had a dollar for every time I've had to "Agree", I'd be a rich man. The ironic thing is that I have not once read what it is I'm agreeing too, yet by the grace of God, I have not wrecked my car yet while operating the Navigation Screen
11-23-2006, 04:03 PM
#19
Melting Slicks
Member Since: Jan 2005
Location: Austin, Texas Codes 660, 9448, and 295660 work in the C6 navigation unit. No DVD playback yet.
Posts: 3,168
Likes: 0
Received 0 Likes
on
0 Posts
Originally Posted by Lightning Coyote
I have enough to do, not driving, to setup the NAV. I wouldn't trust myself while moving. However, all of you that can walk and chew gum at the same time--GOOD LUCK.
I've been working on this as long as anyone, and I found the three codes we have today. I'll try to work up a summary of my knowledge sometime this weekend.
And yes, people do want this. If we can figure out how to hack the software on our Denso unit, we figure it out for all units. Much of what we know is built on the backs of others doing similar things with their own non-Corvette navigation units. Many other forums are using our knowledge to gain insight into their own units.
[disclaimer]
This is a large consolodation of a lot of information from a very long thread in Corvette Forum. I did not attribute every bit of information to its original author, as it would make this even more cumbersome to read. However, we would not have been able to do this without help from many different people. I'd like to take the time to thank the following people who have helped greatly over the course of this project. This is by no means all, only the people who stick out in my mind and whose knowledge was particularly valuable.
Thanks,
Buffy
SonarTech (Cadillac Forums)
abrimberry
VamPY
PHANTOMC6
Tuxlex
yevlem
Mark1107
TheDaveMan
anyone else I missed... you know who you are.
What we know so far about hacking the Corvette's Navigation System:
As a brief overview, the Corvette's system is far from unique. Almost every in-car naviagtion system you'll find, from ours to aftermarket units made by Pioneer use some form of Denso's software and hardware. Nissan/Infiniti is a notiable exception to this rule, as they use a totally different system, and BMW has the propriatary iDrive. Virtually everyone uses NavTeq's maps, which are based on the KIWI disc format. What this means for us is that if someone figures out how to crack one of these systems, they often will figure out how to crack all the systems. However, there are notible differences, so something that works on one won't nessessarily work anywhere else. But you can see on the Land Rover forums where they used our methods to figure out where their PIN entry screen was (same as ours) and brute forced the code for enabling full control access while moving. Denso likes to reuse codes and numbers, so there is some hope that codes found on one machine will work on others -- but in the past couple of years, codes have started to become much more distinct. Manufacturers known to use the Denso system include (but is not limited to): GM (all lines), Land Rover, Pioneer, Alpine, Eclipse, Toyota/Lexus, Acura/Honda, Daimler/Chrysler, and Audi group (all lines).
What we can do: Right now, we can access the Diagnostic utilities in the navigation.
The Diagnostic screens can be accessed by going in the NAV screen, then going into MENU and then touching the screen and holding your finger for 5 seconds a bit right to the yellow Nav. Menu that is on top (about half an inch right of the word Menu) PDF instructions
When you do this successfully, there will be a keypad on which you can enter any 1-6 digit code.
There are 3 codes that are known to be working : 660, 9448, and 295660
The difference between the 3 codes are little:
660 : diagnostic menus, no back button to go back to the menus (you have to turn off the car to exit this screen)
9448 : diagnostic menus plus a button to update the software and a back button to go back to the menus
295660 : diagnostic menus, no software update button but a back button to get back to the menus
I obtained these numbers using the Unix command strings on both the original files and the extracted binaries. Of all the multi-number strings we returned, only these three appear to do anything.
While they don't appear to do much, they are somewhat fun to explore. Being able to see your exact lattitude and longitude is something people have asked for, and it's nice to see how many satellites you're viewing at any given time. The software update function will come in handy if we ever manage to write a new program for the navigation, as this will likely be our only way to update/revert.
BE VERY CAREFUL WITH THE "TOUCH SCREEN" MENU!!! It's a calibration screen for the nav. I didn't realize this and just pressed the "default" button in the center of the screen. I had one hell of a time hitting the hidden button again. When you go into that menu, there's a little dot at the upper left. You should touch that, then press it again when it moves to the next corner.
There is also a second hidden keypad. We do not know what its function is, or what codes it uses (this screen has been forgotten, and no seems to have run codes through it -- myself included). To get to it:
This may have been posted already, but here goes. I removed the NAV DVD and put in a movie DVD and an error comes up. The error says something like this insert a nav DVD. At the top of the screen there is the word "Caution" in yellow. Press the middle of the word caution and the number pad screen shows up. I tried a few of the codes already posted, but nothing happened.
What we can't do:
Nothing fun that everyone wants.
We can't play DVDs.
We can't install a backup camera.
We can't install "new features" found in other Denso based navigation systems.
We can't get the nag screen to go away.
We can't allow full access while moving -- though you can in some Cadillacs, some Toyotas, and Land Rovers.
Known codes that work in other navigation systems but don't appear to work in the Corvette:
1791
1971
753 (unlocked by brute force by LR forum members -- no one at Range Rover was aware of it's existance, and it can't be found by any method we used to find our codes)
"touch pattern" on some Lexus/Toyota models
About the manufacturer:
Part of the problem is knowing which Denso to call - there's Denso Japan, Denso International America, Denso Europe, Denso Iridium, Denso TD, Denso Australia, etc. If we can figure out which part of Denso this may have come from I might be able to exchange the secret IEEE handshake with somebody and get a clue where to look.
I should have Googled before I typed. Looks like it might be:
DENSO Wireless Systems America
3250 Buisness Park Dr.
Vista, CA 92081
They list "Navigation and automotive electronics" for this site.
Any forum members near Vista, CA?
Another possibility is:
DENSO Manufacturing Tennessee
1720 Robert C. Jackson Drive
Maryville, Tenn. 37801-3748
Which lists "Starters, alternators, instruments and instruments clusters, automotive electronic products".
About the Denso hardware/software:
SonarTech took apart his Cadillac nav and posted pictures which are here. It was using a Hitachi SH-3e chip. The Denso system appears to use a *NIX variant as its operating system, as references to things like /dev/cd/cd2/slot0/ALLDATA.KWI can be found by opening the software files in a plain text editor. It is most likely running QNX.
About the Kiwi Format: KIWI is a Japanese specification, and much documentation and software is written in Japanese, which makes it difficult for non-japanese to figure out what's going on. There are many files on the KIWI disc. The most important for our purposes is the LOADING.KWI file, which contains the actual executable code for our navigation software. Not all KIWI discs have a LOADING.KWI file, as it's not required for a valid map disc. However, if the car detects a LOADING.KWI file, it will check it for versioning and applicability. If the version is newer than the version currently installed, and is designed for that particular nav unit, it will write the new LOADING.KWI into the BIOS automatically, and use that to run the nav after a restart. Theoretically, one could change the bits around on a non-GM LOADING file and cause it to load onto our Corvette's nav. No one's tried this, so no telling what might happen. Perhaps unsurprisingly, the latest updated map discs have not included an updated LOADING.KWI file -- these are typically released seperately.
Here's a huge document on how to read/write the KIWI database format that the .KWI files actually use on our discs. If you'd like to look at a C6 Loading.kwi file, you can get them here. These are the updates we got last year, which improved the nav and added mp3 functionality.
Someone wrote a KIWI decoder in Ruby, but it's also in Japanese, so good luck. Here's another in Perl. Buffy wrote a Java extractor, and provided the extracted binary files, but I need some place to put them.
Loading files vary greatly. Ours is something like 10MB compressed, but the Lexus ones run over 45MB. I've seen some smaller than 5MB.
The Denso format appears to be of a "building block" design. There are many pieces to the navigation system, and you can use all or just some of them, depending on your needs. I see a lot of commonality between the various discs and loading.kwi files, which leads me to believe there's a significant "skeleton" to build off of and significant chunks of code that can be added on or deleted as the design specification demands. I've found a few Denso engineers, but none willing to even say "no, I don't want to talk to you." I'm fairly convinced there's some kind of development suite and you start with a default "skeleton" and plug in the various modules and options and that then dictates what kind of hardware options you have. Then you assign it a "look and feel" and you're done. There's too much similarity with systems that should be completely different. For instance, there's no reason the Land Rover (owned by Ford) navigation should look almost exactly like ours and operate exactly the same including the same "hot spots".
There are significant differences as well, but they seem to be confined to customization, for instance, a climate control system that's present in the Lexus but is a completely seperate unit on our Corvettes.
The best analogy I can come up with for this is like saying a home is "wired for cable". If you think of the navigation unit like a house, then there are certainly wires run in the house that currently aren't doing anything -- for example, wires for cable. When you move in, the house is ready for cable, but it's not hooked up. Now, it may be as simple as running a wire from the wall to your television (if Time Warner has already attached a cable line to your house) or it may be more complex. The Denso code is much the same way. All the hooks are there to make things like DVD playback and external cameras work. However, how much of it is there is the question. In the cable analogy, there might already be a television in the house and it might even be wired up. All we have to do is turn it on. In the Denso nav, this would be the equivalent of flipping a few bits. Or, maybe it's just unplugged, and we need to hook it up. This would be analogous to writing some simple custom code into the nav. Then again, there may not be a television at all -- just the wires in the house. This would mean that the denso nav has no way of actually decoding the DVD content, and would require an add-on hardware chip or a big chunk of software code. However, all is not lost, because there are Denso navs with this functionality, and if the "skeleton" format is real, then one could "frankenstein" a fix by removing the decoder chips from one nav and placing them in ours.
Originally Posted by buffy
Right now I'm dealing with information overload - looks like Denso has an OS of sorts for the Super-H type CPUs, and has done a joint venture with Toshiba and Sony to develop an OS for the Toshi x49 SOC, which uses MIPS architecture. And of course VxWorks is a possiblity, but that usally uses ELF formats so I'm betting on the proprietary OS and a Super-H. Most likely something related to TRON, a pretty common Japanese RTOS. Many articles about TRON, but I haven't found a lot of documentation so far.
I do find a fair amount of stuff labelled "callback" in the code, which implys some sort of windowing system most likely derived from X-Windows, and path strings using POSIX-style notation so I think we can let out Microsoft Windows CE.
I do find a fair amount of stuff labelled "callback" in the code, which implys some sort of windowing system most likely derived from X-Windows, and path strings using POSIX-style notation so I think we can let out Microsoft Windows CE.
Originally Posted by yevlem
Hi all!
I have a Lexus, but the Denso NAV system there is much the same. As I am living out of the USA, I am interested in de-coding KWI files and making a map with our country data.
Just to give my 5 cents, the correct address for KIWI viewer software description is:
http://www.datawest.co.jp/seihin-jyo...Eng-latest.pdf
Unfortunatelly the software itself is only for sale with HASP protection.
I have a Lexus, but the Denso NAV system there is much the same. As I am living out of the USA, I am interested in de-coding KWI files and making a map with our country data.
Just to give my 5 cents, the correct address for KIWI viewer software description is:
http://www.datawest.co.jp/seihin-jyo...Eng-latest.pdf
Unfortunatelly the software itself is only for sale with HASP protection.
What we've tried already:
We've tried using codes from other systems (unsuccessful)
Using UNIX "strings" function to extract codes (successful)
Contacting Denso engineers (unsuccessful)
Trying to get a copy of the Denso software development kit. (unsuccessful)
Brute forcing key codes (unsuccessful -- and unfeasible, given the amount of codes and lack of effort by forum members)
"Social engineering" (unsuccessful -- who do we ask for, and what do we ask for once we get them?)
What we're still trying:
Trying any codes that come up on any other navigation system.
Trying to contact anyone who knows anything about the Denso system.
Trying to get software to write software for the Denso unit.
Trying to get information/parts from third-party companies who have integrated "lost" functionality with other navigation systems.
Interesting information that doesn't fit anywhere else:
The first idea we got that there was even a hidden menu at all was from a post by a forum member who witnessed a Corvette Tech do it at the Bowling Green facility:
The NAV software is updated through the DVD player. I watched the engineer at the C5/C6 Bash update the software on my unit.
There is also a debug/diag screen you can access by holding your finger on a point at the top of the screen. after 5 seconds, a virtual keypad comes up and depending on what code you enter, settings are visable/open to change. for example, one code will let you only view most of the settings, another will let you view all of the settings, and still a third will let you start changing the settings. i asked the engineer if there was a way to turn off the lockout feature this way and he replied no. I also asked about MP3 playback and some sources being louder than others. His response was that the levals of the sources were set in the compiled software and the mp3 playback capability will be comming soon.
There is also a debug/diag screen you can access by holding your finger on a point at the top of the screen. after 5 seconds, a virtual keypad comes up and depending on what code you enter, settings are visable/open to change. for example, one code will let you only view most of the settings, another will let you view all of the settings, and still a third will let you start changing the settings. i asked the engineer if there was a way to turn off the lockout feature this way and he replied no. I also asked about MP3 playback and some sources being louder than others. His response was that the levals of the sources were set in the compiled software and the mp3 playback capability will be comming soon.
We found a few interesting threads at Cadillac Forums, which appear to be mostly dead now.
Another Nav Diagnostic Code (page 2)
Nav System Malfunction (page 4)
This pointed us to the KIWI format, and we started plugging away at that.
After we found our three codes, Tuxlex from Lexus forums had this to say:
I've been talking with some professionals at work who
test code for vulnerabilities including Microsoft's OS.
They are curently working on handheld code that uses
the same processor as our Denso nav unit. I believe
it is the Hitachi processor.
I remember reading in one of the forums where someone
dissasembled the various boards inside their nav unit.
It had pictures of all the boards and chips. It might have
been the Cadillac forum, I can't remember. In it, the
processor part number was specified. Could someone
point me to that processor number.
Knowing the processor, I could ask them to help me
disasemble the loading.kwi file. They said that they use
IDA Pro Advanced from DataRescue and that it works well.
http://www.datarescue.com/idabase/idaproc.htm
The manufacurer wants $875 for this disassembler with
optional support for another $10,000 per year. Hopefully, our
computer science department at work will be willing to
disassemble this code for us.
test code for vulnerabilities including Microsoft's OS.
They are curently working on handheld code that uses
the same processor as our Denso nav unit. I believe
it is the Hitachi processor.
I remember reading in one of the forums where someone
dissasembled the various boards inside their nav unit.
It had pictures of all the boards and chips. It might have
been the Cadillac forum, I can't remember. In it, the
processor part number was specified. Could someone
point me to that processor number.
Knowing the processor, I could ask them to help me
disasemble the loading.kwi file. They said that they use
IDA Pro Advanced from DataRescue and that it works well.
http://www.datarescue.com/idabase/idaproc.htm
The manufacurer wants $875 for this disassembler with
optional support for another $10,000 per year. Hopefully, our
computer science department at work will be willing to
disassemble this code for us.
QNX is indeed a good candidate, as something with this much function could use more than the simple TRON-derived RTOS. The one hitch is that programs to run on QNX should be recognizable as ELF binaries, and I haven't (so far) been able to find ELF headers.
Regarding the source code, I do find a lot of apparent module names which imply the source code is indeed C:
MasterApp_Entry.c
..
MasterApp_Callbacks.c
ClockApp_Entry.c
ClockApp_Callbacks.c
..
HardSwApp_Callbacks.c
..
DvdxApp_Entry.c
CommonApp_Entry.c
..
CommonApp_Callbacks.c
..
CommonApp_Method.c
CDApp_Entry.c
CD2App_Entry.c
MP3App_Callbacks.c
MP3App_Entry.c
RadioBandApp_Entry.c
RadioBandAppAMTouchsw_Callbacks.c
..
RadioBandAppXM_Callbacks.c
..
RadioBandAppXMTouchsw_Callbacks.c
RadioBandAppXM_Entry.c
DiagSWInfoApp_Entry.c
DiagPartInfoApp_Entry.c
DiagTouchScreenApp_Entry.c
DiagScreenTestApp_Entry.c
DiagHardSWApp_Entry.c
DiagMicrophoneTestApp_Callbacks.c
DiagMicrophoneTestApp_Entry.c
DiagNaviApp_Entry.c
DiagNaviRGBApp_Entry.c
DiagVoiceOutputTestApp_Entry.c
ScreenAdjustApp_Entry.c
AdjustApp_Entry.c
AdjustAppTouchsw_Callbacks.c
..
SoundAdjustApp_Entry.c
StatusApp_Callbacks.c
StatusApp_Entry.c
DebugFunctions.c
Regarding the source code, I do find a lot of apparent module names which imply the source code is indeed C:
MasterApp_Entry.c
..
MasterApp_Callbacks.c
ClockApp_Entry.c
ClockApp_Callbacks.c
..
HardSwApp_Callbacks.c
..
DvdxApp_Entry.c
CommonApp_Entry.c
..
CommonApp_Callbacks.c
..
CommonApp_Method.c
CDApp_Entry.c
CD2App_Entry.c
MP3App_Callbacks.c
MP3App_Entry.c
RadioBandApp_Entry.c
RadioBandAppAMTouchsw_Callbacks.c
..
RadioBandAppXM_Callbacks.c
..
RadioBandAppXMTouchsw_Callbacks.c
RadioBandAppXM_Entry.c
DiagSWInfoApp_Entry.c
DiagPartInfoApp_Entry.c
DiagTouchScreenApp_Entry.c
DiagScreenTestApp_Entry.c
DiagHardSWApp_Entry.c
DiagMicrophoneTestApp_Callbacks.c
DiagMicrophoneTestApp_Entry.c
DiagNaviApp_Entry.c
DiagNaviRGBApp_Entry.c
DiagVoiceOutputTestApp_Entry.c
ScreenAdjustApp_Entry.c
AdjustApp_Entry.c
AdjustAppTouchsw_Callbacks.c
..
SoundAdjustApp_Entry.c
StatusApp_Callbacks.c
StatusApp_Entry.c
DebugFunctions.c
Well, I'm fairly confident as to the extraction. The Kiwi documentation is fairly complete if a bit hard to read; I find legible names where I expect them, the lengths add up, etc. So as far as the two files extracted from LOADING.KWI I'm pretty confident that they're what's there.
There's no sign that the stuff is encrypted or compressed, not that there's much point in compressing 25MB of stuff to put it on a CD-ROM! But if it were it wouldn't have the legible text strings we've found.
Most such devices use flash to store the code and fixed data but load it into RAM at boot time and run from there as flash is usually too slow to run from and requires a special write sequence.
Typically, fairly simple devices will have either a straight "core" image or some sort of relocatable binary code with fixups to link to ROM libraries or relocate the code to the target processor's address range. If it was just a core image it would almost certainly start with a branch to the beginning of the startup code. If it had relocation segments or whatnot it would have some sort of header and directory near the beginning, and most everybody uses ELF format binaries these days so I'd expect an ELF header (0x7F 'E' 'L' 'F').
More complex devices often treat the flash as a filesystem, often FAT or CRAMFS, in which case I'd expect a header and directory. I haven't found any recognizable signatures for that either!
What I've got is:
The first 2K block starts with 0x00 0x02 'X' 0x00 0x00 .. "GE141312" and is filled out with 0x00s. The "GE141312" makes sense, as it's the module name and version.
The second 2K block has a table of 256 8-byte entries. The first two bytes of each entry are a sequence number (0, 1, 2 .. 255). The remainder has bytes with equal nybbles, e.g. 0x11, 0x22 .. 0xFF. Doesn't look like addresses or displacements, maybe some sort of type codes or flags.
The third 2K block starts with "rGpaihDc BV 5046" .. "91990--4511 :000" followed by a bunch of 4-byte somethings with a definite pattern, typically starting with 0x2b, 0x2c or 0x2d and ending with 0x01. This could be some sort of interrupt vector table, I suppose, which is the sort of thing you'd expect to find in low memory.
Mostly, I've been hoping to find recognizable code in there and guess the offsets, etc. from that. Alas, the Super-H uses most of the bits, so looking for sequences of valid instructions doesn't work too well. I'll probably have to start looking for logical sequences - e.g. we'd expect compare instructions to be followed by conditional branch instructions. Or branches followed by no-ops, if it uses delayed branching.
As far as the audio file from disc 2, I haven't made a lot of sense of it either. After 16 0xFFs it has a table somewhat like that found in the other code, with four-byte entries ending in 0xFC 0x00. That would (possibly) put code starting at 0x000090, where we have:
00000090 1d21 MOV.L R2,@(01,R13)
00000092 5218 MOV.L @(01,R8,R2)
00000094 394a SUBC R4,R9
00000096 571a MOV.L @(01,R10,R7)
00000098 2834 MOV.B R3,@-R8
0000009A 6235 MOV.W @R3+,R2
0000009C 060c MOV.B @(R0,R0,R6)
0000009E 1524 MOV.L R2,@(04,R5)
000000A0 2016 MOV.L R1,@-R0
000000A2 2202 MOV.L R0,@R2
Which doesn't make a lot of sense.
Of course, I'm not all that confident of my disassembler - easy enough to get some things messed up in there.
As far as taking the Kiwi files apart and getting at the nav data, it shouldn't be too hard, but would take some time and wouldn't be that much use unless we wanted to write our own nav system. So far I've only done the stuff related to the LOADING.KWI file.
Hope things ease up on you soon - on me too, I've got a project due this month so I won't be able to fiddle too much. Unless I get lucky and things go better than expected or I find some free time!
There's no sign that the stuff is encrypted or compressed, not that there's much point in compressing 25MB of stuff to put it on a CD-ROM! But if it were it wouldn't have the legible text strings we've found.
Most such devices use flash to store the code and fixed data but load it into RAM at boot time and run from there as flash is usually too slow to run from and requires a special write sequence.
Typically, fairly simple devices will have either a straight "core" image or some sort of relocatable binary code with fixups to link to ROM libraries or relocate the code to the target processor's address range. If it was just a core image it would almost certainly start with a branch to the beginning of the startup code. If it had relocation segments or whatnot it would have some sort of header and directory near the beginning, and most everybody uses ELF format binaries these days so I'd expect an ELF header (0x7F 'E' 'L' 'F').
More complex devices often treat the flash as a filesystem, often FAT or CRAMFS, in which case I'd expect a header and directory. I haven't found any recognizable signatures for that either!
What I've got is:
The first 2K block starts with 0x00 0x02 'X' 0x00 0x00 .. "GE141312" and is filled out with 0x00s. The "GE141312" makes sense, as it's the module name and version.
The second 2K block has a table of 256 8-byte entries. The first two bytes of each entry are a sequence number (0, 1, 2 .. 255). The remainder has bytes with equal nybbles, e.g. 0x11, 0x22 .. 0xFF. Doesn't look like addresses or displacements, maybe some sort of type codes or flags.
The third 2K block starts with "rGpaihDc BV 5046" .. "91990--4511 :000" followed by a bunch of 4-byte somethings with a definite pattern, typically starting with 0x2b, 0x2c or 0x2d and ending with 0x01. This could be some sort of interrupt vector table, I suppose, which is the sort of thing you'd expect to find in low memory.
Mostly, I've been hoping to find recognizable code in there and guess the offsets, etc. from that. Alas, the Super-H uses most of the bits, so looking for sequences of valid instructions doesn't work too well. I'll probably have to start looking for logical sequences - e.g. we'd expect compare instructions to be followed by conditional branch instructions. Or branches followed by no-ops, if it uses delayed branching.
As far as the audio file from disc 2, I haven't made a lot of sense of it either. After 16 0xFFs it has a table somewhat like that found in the other code, with four-byte entries ending in 0xFC 0x00. That would (possibly) put code starting at 0x000090, where we have:
00000090 1d21 MOV.L R2,@(01,R13)
00000092 5218 MOV.L @(01,R8,R2)
00000094 394a SUBC R4,R9
00000096 571a MOV.L @(01,R10,R7)
00000098 2834 MOV.B R3,@-R8
0000009A 6235 MOV.W @R3+,R2
0000009C 060c MOV.B @(R0,R0,R6)
0000009E 1524 MOV.L R2,@(04,R5)
000000A0 2016 MOV.L R1,@-R0
000000A2 2202 MOV.L R0,@R2
Which doesn't make a lot of sense.
Of course, I'm not all that confident of my disassembler - easy enough to get some things messed up in there.
As far as taking the Kiwi files apart and getting at the nav data, it shouldn't be too hard, but would take some time and wouldn't be that much use unless we wanted to write our own nav system. So far I've only done the stuff related to the LOADING.KWI file.
Hope things ease up on you soon - on me too, I've got a project due this month so I won't be able to fiddle too much. Unless I get lucky and things go better than expected or I find some free time!
I really think that we need to start tying together the various communities that share the Denso code. As we saw here, it took several of us working together, using clues off others, to finally crack the pin codes.
Considering it seems we're all trying to get to the same place (disable the nanny-code, add missing features), this might be the best way for us all to succeed. There's no need for five different forums to continually reinvent the wheel.
I just stumbled on the AVIC 411 forums. This is for the Pioneer AVIC set of aftermarket navigation systems, and they're doing a pretty good job of getting inside the code.
I'm interested to see if any of this will work on ours. I'm going to try it on Friday or Saturday once I'm back with the Corvette. Two interesting threads I found quickly:
Creating Custom Backgrounds
someone decompiled part of the code with a NEC 78K decompiler.
Apparently, they used this software to do it.
I'm trying to make friends.
Considering it seems we're all trying to get to the same place (disable the nanny-code, add missing features), this might be the best way for us all to succeed. There's no need for five different forums to continually reinvent the wheel.
I just stumbled on the AVIC 411 forums. This is for the Pioneer AVIC set of aftermarket navigation systems, and they're doing a pretty good job of getting inside the code.
I'm interested to see if any of this will work on ours. I'm going to try it on Friday or Saturday once I'm back with the Corvette. Two interesting threads I found quickly:
Creating Custom Backgrounds
someone decompiled part of the code with a NEC 78K decompiler.
Apparently, they used this software to do it.
I'm trying to make friends.
Originally Posted by DarthStimpy
Bad news bears.
I spoke with someone who worked on the corvette navigation setup.
He said, YES, there is a code and a way to defeat the agree AND the lock out while driving.
The bad news? the code can ONLY be entered on a GM scan tool specifically designed to diagnose the Nav system.
I spoke with someone who worked on the corvette navigation setup.
He said, YES, there is a code and a way to defeat the agree AND the lock out while driving.
The bad news? the code can ONLY be entered on a GM scan tool specifically designed to diagnose the Nav system.
I spent two hours today with the a friend who is a gm tech. We pulled up every sub menu on the OBD scan Tech II tool. There is nothing you can enter that affects the navigation sub menus. I even opened up the diagnostic menus from the PIN entries and there is nothing.
I did find this though:
There is different Vehicle Communication Interface Module (VCIM)
and Traffic information Receiver (UZD/U3Z) for export C6's only. These are parts that can be ordered and added to our navigation systems. It may work like the XM Nav traffic function on the AVIC Z1 units that do real time traffic updates? The part numbers are:
OEM: 12047663
OEM: 4F1012-0001
The document ID # for the tech screens is: 1480961
I did find this though:
There is different Vehicle Communication Interface Module (VCIM)
and Traffic information Receiver (UZD/U3Z) for export C6's only. These are parts that can be ordered and added to our navigation systems. It may work like the XM Nav traffic function on the AVIC Z1 units that do real time traffic updates? The part numbers are:
OEM: 12047663
OEM: 4F1012-0001
The document ID # for the tech screens is: 1480961
I think someone's going to have to order the parts, plug them in and see what they do. This also leads credibility to the theory the whole Denso unit is based on a skeleton where parts/features are easily added and subtracted at the whilm (and pocketbook) of the manufacturer. This makes some sense, as GM might find the $1.50/unit for DVD playback is acceptable in top of the line Cadillacs, but the $1.50 profit over hundreds of thousands of vehicles is worth more in the case of the Pontiac G6. If that's the case, the circuit boards should still have the adapters to accept the hardware that wasn't included.
A recent post by me, musing on this very topic:
We have, but we don't have the proper tools to do much, and there doesn't appear to be anyone here specialized enough with IDA Pro and deconstructing Denso's machine code.
I have figured out this much. Denso uses some kind of "building block" code builder. There are too many hooks and empty pathways and "useless" code inside any of the Denso loading files I've been able to pick apart -- and too many similarities for vastly different units. You can find the same code and same keywords in the Pioneer AVIC series of navigation systems as you can in ours. Even keywords that should not exist in ours because we don't have that functionality.
What I imagine is that for simplicity's sake, they have a "skeleton tree" that they work from. This is a code base that goes into every Denso nav unit. Then they pick an external "look" that narrows down what software can be attached to the tree -- this is why the Corvette nav and Land Rover nav look so similar despite the fact that one is in a GM product and one is under the Ford umbrella.
Once that's done, requested features can be attached to the "tree", like DVD playback, air conditioning/heater controls, XM Traffic, MP3 playback, etc.
That should spit back a parts list for the manufacturing of the navigation unit itself. For instance, if "DVD Playback" wasn't added to the tree, then the daughterboard to control that is left off. Certain external packaging would preclude the use of certain features, as there simply would no room and no plug on the hardware.
At that point, it's just a matter of very minor customization -- changing the graphics, the colors, the fonts, and probably setting which features are unlocked with which codes, and what "hot spots" are used to input the codes. There's probably even a "show nag screen" flag that can be set.
It feels like we're close, but I think that any serious hacking is going to require the use of leaked Denso software tools. The upside is that if we can completely crack one of these, we can likely crack ALL of these -- and there's a lot of Denso units in a lot of different products.
I have figured out this much. Denso uses some kind of "building block" code builder. There are too many hooks and empty pathways and "useless" code inside any of the Denso loading files I've been able to pick apart -- and too many similarities for vastly different units. You can find the same code and same keywords in the Pioneer AVIC series of navigation systems as you can in ours. Even keywords that should not exist in ours because we don't have that functionality.
What I imagine is that for simplicity's sake, they have a "skeleton tree" that they work from. This is a code base that goes into every Denso nav unit. Then they pick an external "look" that narrows down what software can be attached to the tree -- this is why the Corvette nav and Land Rover nav look so similar despite the fact that one is in a GM product and one is under the Ford umbrella.
Once that's done, requested features can be attached to the "tree", like DVD playback, air conditioning/heater controls, XM Traffic, MP3 playback, etc.
That should spit back a parts list for the manufacturing of the navigation unit itself. For instance, if "DVD Playback" wasn't added to the tree, then the daughterboard to control that is left off. Certain external packaging would preclude the use of certain features, as there simply would no room and no plug on the hardware.
At that point, it's just a matter of very minor customization -- changing the graphics, the colors, the fonts, and probably setting which features are unlocked with which codes, and what "hot spots" are used to input the codes. There's probably even a "show nag screen" flag that can be set.
It feels like we're close, but I think that any serious hacking is going to require the use of leaked Denso software tools. The upside is that if we can completely crack one of these, we can likely crack ALL of these -- and there's a lot of Denso units in a lot of different products.
Originally Posted by some guy at CadillacForums
According to Delphi's site ( http://delphi.com/news/pressReleases/pr_2006_06_26_001/ ), the Cadillac Escalade has been host to the TNR800 from Delphi since 2003.
Their FAQ's state the following;
Can TNR800 play DVD movies on its display?
Even though the product has the capability to play video on its display, current product configuration doesn’t have it available in order to comply with safety laws. There are modules in the aftermarket that can activate this capability but it is not supported and recommended by Delphi. In addition, customers who use these modules will lose the Delphi warranty.
http://www.delphioffer.com/tnr800/faq.html#dvdmovies (dead link, can't find where it moved)
I have tried to access the code input screen mentioned here on my TNR800 without success, and have searched for days to find one of these "after market modules" they mention.
1.) is the TNR800 the same unit you guys are discussing? (probably not, but sounded like from FIDGAF's comments it could be)
2.) anyone seen in your research anywhere I might find a discussion specifically about the TNR800
quite frustrated, any help is appretiated.
Their FAQ's state the following;
Can TNR800 play DVD movies on its display?
Even though the product has the capability to play video on its display, current product configuration doesn’t have it available in order to comply with safety laws. There are modules in the aftermarket that can activate this capability but it is not supported and recommended by Delphi. In addition, customers who use these modules will lose the Delphi warranty.
http://www.delphioffer.com/tnr800/faq.html#dvdmovies (dead link, can't find where it moved)
I have tried to access the code input screen mentioned here on my TNR800 without success, and have searched for days to find one of these "after market modules" they mention.
1.) is the TNR800 the same unit you guys are discussing? (probably not, but sounded like from FIDGAF's comments it could be)
2.) anyone seen in your research anywhere I might find a discussion specifically about the TNR800
quite frustrated, any help is appretiated.
But the most interesting thing is when you read between the lines. It really does appear that my initial suspicion was correct -- that features are simply "turned off" instead of "removed" and can be turned back on by someone with the right knowledge.
It also appears that all of our nag screens, lockouts, and abscence of DVD video is exactly what we thought it was -- legal safety
.
Last edited by ein Tier; 11-28-2006 at 05:13 AM.
