AVIC411.com

condiczek


Posts posted by condiczek

  1. Hi,

     

    My name is Daniel, I am from Germany and I need your help.

     

    I own a F220, Firmware Ver. 2.0 in combination with the AVH-6300BT.

     

    I really tried a lot to get in the Testmode to install mods, but the F220 won't get in the testmode.

    I did all like the manuals here to get in the testmode but I failed.

     

     

    Can anyone help me how I can get in the Testmode on my Avic F220?

     

     

    Greets

    Daniel

     

    Use this one.

  2. Hello condczek, nice work by you, congratulations! Tell me what's default gps application on F models, what's .exe file for running default gps application on F models?

    You need to block running default gps application in background of F models, then you'll make "free" gps port of F models, you can do that on this way, just use some simple unlock based on daniel's sysinformation.exe and first run it, then igo application from that shell menu, on this way I think will not be problem with finding correct gps port and baudrate.

    I don't have F model, and I don't know what's inside, this is just advice for you, cause you own that model...

    It's not that easy as you think.. ;)

     

    Hi. I'm new here, Planning to buy X930BT, have x910BT now.

    Just a clue. When I've hacked x910Bt I was able to install third party navi software, using testmode 2.3 and launcher, found on Russian site 4pda.ru. However all navi application run (Navitel, Autosputnik, etc.), I couldn't manage to free GPS (Com 7) port. I've tried three or four versions of Port Splitter with no positive result.

    After searches I found a solution which I haven't tried, but it was claimed that it should work: The guy with nickname Porutchik suggested to reflash WinCe image with older one from F900BT, don't remember exactly, but probably older than one, contained in firmware 3.01, which has no gyro support.

    X930 has gyro, so disabling it should free up GPS port.

     

    Unfortunately link to 4pda.ru is dead and Pioneer AVIC subforum is closed there, but there are other resources, (in Russian)

    http://www.alfessa.net/forum/121-679-1

     

    There are two links to 4shared.com there for gyro and non gyro WinCE images, if someone can figure out the difference.

    Yes, I think that it's the key to success - replace EU090PLT.PRG or EU090RGD.PRG with other, correct image. We need someone, who could make proper modified image - with avics header, some crc's (if there are any..) and other things.

     

    thanks a lot!!!!!!

    Yes, go to Herbs's thread, I also wrote there solution for your problem.

     

    A while back I started trying to port HaRET to the F90BT, it detected the processor and the fact it was running on the F90. Then as always, the paying job got in the way and I had to shelve the project for another time... The email with the patch can be found at http://lists.linuxtogo.org/pipermail/haret-devel/2010-February/000009.html. I don't think it will gracefully apply to the current git repo, but you can at least see what changes I made (though they may not necessarily be the right ones).

    The link to your email is not available. Do you have copy somewhere?

     

     

    We've got to move forward somehow!! ;)

  3. Hello, I am new in this forum, come from Austria and I am with enthusiasm from this forum

    I had update my F9210bt with the new cnsd-210. Now it is impossible to use the hackmode. Testmode is all right.

    I had the same operation (testmode, hackmode) like before the update. Has anybody an idea?? :-)

     

    Many greetings from Austria/Tirol

     

    There are two ways to use hackmode in updated unit.

    Easiest method is to:

    1) always make backup of PRG0, PRG1 directories!,

    2) delete PRG0, make another copy of PRG1 and name it as PRG0,

    3) delete PRG.FLG file,

    4) apply hackmode like always.

     

    It doesn't work now, because after update unit creates file PRG.FLG - empty file,
    if PRG.FLG file exists on the unit, then it boots PRG1 software,
    if not - then uses PRG0. It's just some kind of 'switch' ;)
    Update changes/modifies other than used at present PRG directory.

    For example when you will update your unit with future firmware update,
    then it would probably modify PRG0 files, and delete PRG.FLG.

     

     

    br

    condi

  4. I'm inclined to go pick up another one just to throw on my bench (since working out of a car isn't as productive). I think I can get a z120 for like $400.

     

    Big question here is this... Does the unit have a control sequence if you blow the image completely up? Think of the hard boot loader that you find on most devices that makes it almost impossible to brick the device since you can completely reflash back.

    I'm so happy to see you here working to free our avics, friend! :)

    We can access testmode, which is loading after the device find testmode.key file on sd/usb.

    We don't know if we will modify or even delete EU090PLT/RGD/BOT files we could access service menu via testmode.key.

    There is a risk of brick. Some time ago when I was looking through bin (prg) image files - I saw somewhere WINDOWS CE bootloader with blue background ;) , like in any other wince devices/navigations. With options like flashing wince.img etc. But we don't have such images correct for that bootloader.

    The question is how to access native wince bootloader? Some gpses which I was working were able to access wince bootloader via shorting a pin of one chip to ground.

    We can also flash appropriate images - PLT, BOT, RGD etc. via testmode.key. There is menu where it can be flashed from sd - another way to do this.

    Or we could simply replace RGD file, where was coredll.exe, nk.exe.

    If there is a way I could help just ask!

     

    RNDIS USB KITL - is this what we need? Haven't I seen this somewhere in my unit?

  5. Just to confirm... Right now one of the problems related to running homebrew executables, is that any of them linked to coredll.dll or ceshell.dll will not work?

     

    That's not a problem, almost every app which I modified to use other dlls than limited in our devices - worked without any problems. It's a problem, but it's easy to bypass. I've got all the gps software running fine like tomtom, garmin, automapa, igo etc. But it's just software. We have problem with busy hardware, like gps port and audio. We need to get free gps port, and other hardware resources.

    Me and all the great guys here - we just gave opportunity to further hack avics. All the working utilities such as DiskRW, working registry etc. - this is for all of you to test and try to get some useful result ;)

  6. Condi and all

     

    at Menu Settings / AV-Settings there are two buttons regarding Mute of the AV-Source (when f.e. a phone call comes in).

    At my F30BT I can select different Mute-Scenarios (left button) but can not select different Mute Levels (All/-10dB/-20dB) on the right button. AV-Source is ON and button is active, but Mute Levels are not displayed in the button.

     

    Have you ever seen that on a Navi with hackmode?

    Originally it worked correctly!

     

    Thanks for your suggestions

    Bernd

     

    hmm got f30bt, and also can't change mute level.. more interesting thing is that with original files it also can't be changed hmm.. check it with your backup files, maybe my copy is modified in some way already..

  7. Hey guys no news? Condi o thinking about change the enter on hackmode Windows , u can put a time to press t

    Yes , maybe 5 seconds ,if not press the default is original mode !

     

    I've made already that kind of entrance into hackmode, but it was not working correctly.

    SleepMessage is only delayed message, without possibility to make condition like yes/no etc.

    We've got also thing like ChoiceDefault, and it would run pioneer soft by default for example after 3s,

    but it was displayed ugly for me ;) question window - like for now - much better i think.

     

    And yes - no news for now. Anybody here can correctly replace .dll .exe files in wince img?

    Especially .exe .dll files in modules? If yes - we would modify EU090RGD.PRG and it could work..

  8. How can i dump the maps? I can't enter in testmode or something similar... :-(

     

    @condiczek: Any ideas?

    I'm sorry friend, no other ideas how to help you.. Check all the versions of testmode available in the internet,

    check that 4shared collection, for our devices GGS1080 work, maybe other version will work for you!

     

    Condi, where do we stand on finding out the process that is capturing that port?

    All guys here are doing great job, we all are working to find the solution!

     

    So we can beat them up for developing horrible software :)

     

    Thanks for the hard work so far. It's much appreciated!

    I'm going to try this on my x920 soon. I also dabble into SW dev (usually for servers) but I'm going to take a look at this.

    Everyone is welcome to help! All the work/research is appreciated :)

     

    I've got read.img file from memory and using ImDisk Virtual Driver can mount them to my PC but

    it shows 2 unmounted partitions, and if I mount any of them it says that drive is not formated.

    Fat32 partitions can be mounted as normal drives.
    We do not know which port our GPS antenna uses.
    We do not know which module keeps this port occupied.
    About our mysterious unmounted partition:

    I have it in separate file, but I have problem to upload it here.

    so here a link to 4shared.

     

    hidden partition files contain:

     

    00000000-00100200-EU090RGD.bin (3rd copy of EU090RGD.PRG like in USER\PRG0(1)\PLATFORM)

    00100200-03144600-EU090PLT.bin (3rd copy of windows image!!!)

    03144600-03200000-EU092OPN.bin (welcome screen - 16 bit BMP without header)

    03200000-03300200-EU090RGD.bin (4th copy of EU090RGD.PRG)

    03300200-06344600-EU090PLT.bin (4th copy of windows image!!!!!!!!!!!!!!!!)

    06344600-06400000-EU092OPN.bin (welcome screen - again!!!)

     

    I have welcome screen customised so this welcome screen is exactly the one unit uses.

     

    Bad thing we have no EU090BOT.PRG or/and configs of the unit.
    Maybe it is another hidden partition somewhere?
    Why this dump is less than entire 4GB chip volume?
    Where is lost 143,130,624 bytes?
    ImDisk shows another unmounted partition at the end of the drive (check image before) Partition4! but it has 0 length. Maybe DiskRW didn't copy entire image...

     

    I'm almost sure that gps port is com7!

    GREAT work friend :) We are getting closer day by day!

    If there is no EU090BOT.PRG bootloader, then maybe after getting corrupted EU090PLT.PRG, or even deleted - it should still be repairable, maybe even testmode working?

    We can still look into /NAND/PRG0/BOOT/EU090BOT.PRG ;)

    About your list of partition content - .bin files are repeated, doubled, because of PRG0 and second PRG1 copy. One set of RGD+PLT+OPN in PRG0, and another one in PRG1. To get windows in full working condition we need to replace system resources, the most important is coredll.dll, commctrl.dll etc.

     

    coredll.dll is in RGD part.

    I've got another idea how to get fully working gps/audio etc.

    RGD contains: AstProc.exe, nk.exe, coredll.dll, ceconfig.h and snapshot_secureos.dat.

    We need to replace coredll.dll, and maybe edit ceconfig.h to get full working windows ce, and..

     

    the main idea - make copy of AstProc.exe as AstProc1.exe, replace AstProc.exe with mortscript with some condition - for example: if hackmode.key exists on sd - then run explorer, else run AstProc1.exe. Similar as now with hackmode. We should take a look into AstProc.exe - maybe some IDA Pro analyze etc.

     

    I will upload complete dumped AstProc.exe and NEventWatcher.exe (not corrupted/shortened like from dumpromx.exe) later, but now my sdcard-reader isn't working.

     

    ---edit:

    attached interesting not corrupted - complete rom files like: coredll.dll (which is limited in our wince), NEventWatcher.exe, TestMode.exe, and device dlls NP....dll, NPCommonLib.dll, NEventBaseLib.dll etc.

    romfiles.zip

  9. Condi, I tried with the SD already inserted before the boot, without success. How did you discover the test mode? What is in the testmode.key file?

    In the F220 I have the possibility to launch application like photo viewer... Do you think I can use that to enter in test mode?

     

    Maybe in the F220 the GPS port is already unlocked, who knows! But... The first step is to enter in test mode!

    Please try old testmode for other units (TestMode 2.3) maybe from this thread

  10. Great work Condi!!!

     

    1.4 working well on my unit.

    DiskRW now works, but I have problem to save IMG file- it says couldn't write log file, and SD card full (before it was 3.8GB free) but image is 514KB only, it looks I need full 4GB free space on SD or USB. So I will try with clean 4GB or 8GB one.

    Yes ignore log error, it will create it also ;) yes, for full image you need almost 4gb, you could also decrease size to be dumped, first 100mb should be our secret partition ;) will investigate it later!

  11. Hello, i have an AVIC F220... Can i help you? I would like to install another navigation software in the future :-)

     

    We all want to have that possibility. If you can release gps port to be used with other software, then yes - you can help :)

    If not, then - we've got a lot of tools, possibilities right now to try to achieve that.

    I don't know what F220 is based on. Try to copy TESTMODE.KEY to root of SD and check if it works on your unit.

     

    br

    condi

     

    PS. V1.3 to V1.4 UPDATE ready :)

  12. http://www.youtube.com/watch?v=S-my-zSDU5g

     

    Got DiskRW working :) Output path is being inserted via automatic script!

    It took ~1h to read full image - 3,59GB! Log from DiskRW:

     

    Saturday, June 11, 2011 2:18:25 PM
    (01CC28426D15CE80)
    
    
    Opening Disk ...OK
    Getting Disk Information ...OK
    
    GEOMETRY
     Cylinders = 1
     Tracks per Cylinder = 1
     Sectors per Track = 7536640
     Bytes per Sector = 512
     TotalSectors = 7536640
     Disc Size = -436207616 bytes
    
     **Flags Code = 0xA
    
    Getting Store Information ...OK
    
     StoreName = Centrality MLC Flash Disk
     DeviceName = DSK1:
     DeviceType =  FLASH  
     DeviceClass = BLOCK
     DeviceFlag =  READWRITE  
     DeviceProfile = SDMLC
     Total Sectors = 7536640
     Free Sector = 0
     Bytes per Sector = 512
     Biggest Partition Creatable = 0
     Attributes = 0x0
     Number of Partition = 3
     Number of Mounted Partition = 2
     Last Format = 1/1/1601 12:00:00 AM
     Last Modified = 1/1/1601 12:00:00 AM
    
    Requested Operation ...
    
     Operation type  = Disc Reading
     Store = DSK1:
     Offset = 00000000h - E5FFFFFFh
     Length = 3858759680 (E6000000h) bytes 
     Output File = \SDMMC\odczyt.img
    
    
    Creating File: \SDMMC\odczyt.img ...OK
    
    Starts Reading Disc ...
    
     Starts on Sector = 0 
     Ends on Sector = 7536639 
     Buffer Size = 512 kb
    
    +---Viewing first 512 bytes extracted 
    00000000:    EB 3C 90 00 	ë<Â.
    00000004:    00 00 00 00 	....
    &&
    000001B8:    8E 25 CF 46 	Ž%ĎF
    000001BC:    00 00 00 BF 	...ż
    000001C0:    02 00 00 00 	....
    000001C4:    13 03 40 00 	..@.
    000001C8:    00 00 00 20 	... 
    000001CC:    03 00 00 7B 	...{
    000001D0:    14 03 0B 00 	....
    000001D4:    56 09 40 20 	V.@ 
    000001D8:    03 00 00 10 	....
    000001DC:    06 00 00 22 	..."
    000001E0:    57 09 0B 00 	W...
    000001E4:    4D 75 40 30 	Mu@0
    000001E8:    09 00 C0 CF 	..ŔĎ
    000001EC:    69 00 00 00 	i...
    000001F0:    00 00 00 00 	....
    &&
    000001FC:    00 00 55 AA 	..UÅž
    

     

    I will read later only the hidden unmounted partition, and investigate the content :)

    Via DiskRW it should be more safe to read, modify and write modified image, I think?

    And then just grab EU090PLT.PRG file from NAND which should get modified?

     

    ---edit:

    Do you guys know how to get proper offset (length we've got = 100mb), for unmounted 'secret' partition?

     

    --edit2:

    Got almost complete v1.4.. beta testing ;)
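Added example, not part of the original post and not code from DiskRW or the forum members: a Python sketch that reads the partition table out of the 512-byte sector 0 dump in the log above, to answer the offset question for the unmounted partition. The dump bytes are copied from the log; the rows the log elides with "&&" are assumed to be zero, and the function names are made up for this illustration.

```python
import struct

SECTOR_SIZE = 512        # "Bytes per Sector = 512" in the DiskRW log
TOTAL_SECTORS = 7536640  # "TotalSectors = 7536640" in the DiskRW log

# Bytes 0x1B8-0x1FF of sector 0, copied from the hex dump in the log.
# The rows the log elides with "&&" (0x1F4-0x1FB) are ASSUMED to be zero.
MBR_TAIL_HEX = """
8E 25 CF 46  00 00 00 BF  02 00 00 00  13 03 40 00
00 00 00 20  03 00 00 7B  14 03 0B 00  56 09 40 20
03 00 00 10  06 00 00 22  57 09 0B 00  4D 75 40 30
09 00 C0 CF  69 00 00 00  00 00 00 00  00 00 00 00
00 00 00 00  00 00 55 AA
"""


def build_sector0():
    """Rebuild a 512-byte sector 0; everything before 0x1B8 is zero-filled."""
    tail = bytes.fromhex("".join(MBR_TAIL_HEX.split()))
    if len(tail) != SECTOR_SIZE - 0x1B8:
        raise ValueError("dump does not cover 0x1B8-0x1FF")
    return bytes(0x1B8) + tail


def parse_mbr(sector):
    """Return the non-empty primary partition entries of an MBR sector."""
    if len(sector) != SECTOR_SIZE or sector[0x1FE:] != b"\x55\xaa":
        raise ValueError("missing 55 AA signature at offset 0x1FE")
    parts = []
    for index in range(4):
        raw = sector[0x1BE + 16 * index:0x1BE + 16 * (index + 1)]
        # status, CHS start, type, CHS end, first LBA, sector count
        _status, _chs0, ptype, _chs1, lba, count = struct.unpack("<B3sB3sII", raw)
        if count == 0:
            continue  # a zero-length slot, like the fourth entry here
        parts.append({
            "slot": index + 1,
            "type": ptype,
            "lba": lba,
            "sectors": count,
            "offset": lba * SECTOR_SIZE,
            "length": count * SECTOR_SIZE,
        })
    return parts


def check_layout(parts, total_sectors):
    """True if the entries are contiguous and end at the last sector."""
    expected = parts[0]["lba"]
    for part in parts:
        if part["lba"] != expected:
            return False
        expected = part["lba"] + part["sectors"]
    return expected == total_sectors


def as_int32(value):
    """Interpret a size the way a signed 32-bit field would print it."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


if __name__ == "__main__":
    for p in parse_mbr(build_sector0()):
        print("slot %d type 0x%02X offset 0x%08X length 0x%08X (%d bytes)" % (
            p["slot"], p["type"], p["offset"], p["length"], p["length"]))
    # The log's "Disc Size = -436207616" is 7536640 * 512 wrapped to int32.
    print(as_int32(TOTAL_SECTORS * SECTOR_SIZE))
```

With these bytes the first entry starts at sector 64 (offset 0x8000) and spans 204800 sectors, i.e. 0x6400000 bytes, which matches the 100 MB length mentioned in the post; its type byte is 0x00, while the two following entries are type 0x0B (FAT32). The three entries are contiguous and end exactly at sector 7536640, the total reported in the log.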

  13. on F900Bt they have same looking "unmounted" partition and it contains serial number (with region and model in it) welcome screens, and even windows folder! so.. I think it is very important to read and dump this hidden thing, what software can mount partition after windows bootup has finished?

     

    Is it possible to modify DiscRW program to have default pass to save files to our external media?

     

    I thought the same about default path for saving! I searched for maybe some additional parameters for that app, but its not working. Tried also adding keyboard driver, sip, jotkbd, eurokbd, but none of them worked. Present keyboard driver is working, but only for such keys as: enter, esc, etc. No letters/numbers. Another way to get that data is to get working Storage Manager from control panel. How did you get content of the partition - windows/screens etc?

     

    I'm working now on running newest GpsGate, it wasn't starting, now I'm on the right track!

     

    ---edit:

    Still no free gps port.. but.. after maaaany hours I've got working newest version of GpsGate - two versions:

    GpsGateWINCE.arm.CAB and GpsGatePPC.ARM.CAB. It was very hard, because:

    • we can't install .cab's (I'm working on it..)
    • we can't normally run GpsGate.exe (dlls etc. - had to modify a lot of them..)
    • we can't run GpsGate without proper registry (error 340), too many entries to write it manually in mortscript, also we couldn't import .reg files - until now! I can successfully import .reg :) at last very handy for future modifications.

     

    For now it will not give us working gps - which is probably on com4 or com7 (probably that). Few ports are still busy. Busy already after system boot.

    From now I think I can get .net framework installed, and try ShortFuse gps utility.

    The most important thing for now is also to get to Storage Manager/Control Panel, mount hidden partition and explore it.

     

    ---edit2:

    I've got some script which will type automatically output-path in DiskRW to read/write rom! Will test it tomorrow! Good night!

  14. In manual of rewriting 7zip we read:

    "7z.dll" MUST be used as the file name for the edited 7zip library.

    Other file names will not be written into the product."

     

    So the script is written only to get 7z.dll.

    Another idea - we need to know how to modify ScriptExec.ini..

    Anybody knows how to get plain text from it? How to decode/decompile it and compile again?

    Maybe there is some trick to decode data via bruteforce

    - we know that it should contain '7z.dll' phrase in it after decrypted... ??

     

    Something like that?

    http://en.wikipedia.org/wiki/Known-plaintext_attack

  15. I don't know if this matters but I haven't been using the TESTMODE.KEY you provided or any other file lately. I just hold the Mode button and press left right a bunch of times (supposed to be 3 times but I got into a reboot loop and frantically hit left right now to get in :) ) till the device reboots.

     

    On your device you can do this combination of keys, it's the same entrance to testmode ;) But your keypress combination will not work to get into pioneer-file-replacer provided by aero_eng16 ;)

    But on my f30bt and other devices also this key combination doesn't work ;)

     

    PS. In readme file of 7zip-replacer there is one sentence at the end:

    "Do not rewrite or falsify any files other than 7z.dll."

    This means that we definitely can replace other files!

  16. I've tested 7zip replacer - conclusions:

    • TESTMODE.KEY file is different than the one we use to get pioneers service mode!,
    • there are more than one different TESTMODE.KEY files which runs other service functions,
    • our old TESTMODE.KEY runs service mode with many options to use, the TESTMODE.KEY from aero_eng16 runs pioneers file replacer module - on green background,
    • the key to success is ScriptExec.ini and also correct TESTMODE.KEY!

     

    Our target:

    • modify ScriptExec.ini to replace other file than 7zip.dll!

  17. Does anyone have experience with emulators? I tried a few with my EU090PLT.PRG (even removed the first 200 bytes to make it a .BIN and even tried to convert it to .nb0) with no luck... but I don't have any experience with emulators.

     

    I tried googling, but how do I confirm the z120bt is running WinCE 5? Is the system ARMv4i? How do I confirm these things in order to find the right emulator? I think if we can get an emulator working, then we will be able to verify modded bins before putting them on our system.

     

    Try to run attached process manager and there will be system info about your device.

    CEProcessV.zip
