condiczek

Current state:

 

I've made short script, which checks if on the card is empty file with 'condiczek.tmp' name,

if yes = runs file manager;

if no = runs official pioneer navi software - everything runs like stock

 

 

Thats why I can keep working on the hack, and also use my unit normally, on the drive

 

I've got few ideas how to bite it!

Keep your fingers crossed, I will post all the news.

 

PS. wait for some 'beta state', for now its not usable to enduser, ok... its usable for about 30s then AV process locks out, its on front, when I kill AV process - it 'hangs' - cant use touchscreen/app, when I push home/mode to get out from AV to filemanager - it hangs with black screen! But the music is still playing in background! haha

 

br

condi

Thanks guys, its nice to hear good words

I managed to run some apps, TCPMP player, iGO8, Mireo Cardinale, and other gps software works too. New mortscript is not working, like some other software also, i think because of lack of some libraries/dlls. Windows in this units is very 'handicaped', there is no explorer.exe, control panel cpl's are not running etc.

But thats not important, not a big thing. It will work

I will make some scripts which will run some custom software/menu if proper files will appear on sd/usb.

 

For now I must get rid of av going front after ~30s.

When everything will work as I want to, then of course I will release full solution

Pioneer AVIC HACKMODE by Condi

IMPORTANT! FOR NOW WE STILL CAN'T USE OUR UNITS GPS WITH OTHER SOFTWARE!
WE CAN RUN THE SOFTWARE LIKE TOMTOM, GARMIN, IGO ETC.,
BUT GPS IS NOT WORKING (NO SIGNAL, GPS PORT BUSY..).
WE ARE TRYING TO FIGURE IT OUT TO GET IT WORKING..

---------------------------------------------------------------------------------------------------------
V2.0 HAS BEEN RELEASED! THX TO PIONARA FOR FINDING GREAT NEW POSSIBILITIES,
SOLUTION FOR DECODING/ENCODING TESTMODE WE'VE GOT NOW

AUTOINSTALLING HACKMODE!



COMPATIBLE WITH F40BT, X940BT, Z140BT ETC.!

JUST UNPACK HACKMODE TO SDCARD, PUT INTO DEVICE
WAIT AND VOILA!

IMPORTANT - SINCE WE'VE GOT LIMITED KNOWLEDGE ABOUT ALL THE COMMANDS
AND ITS SYNTAX IN PIONEER SCRIPTING - V2.0 WILL WORK ONLYIF YOU HAVE PRG0
AND PRG1 FOLDERS, FOR NOW THERE IS NO SCRIPT-CHECK FOR THAT.

----------------------------------------------------------------------------------------


Finally we've got access to new Pioneer units!
After many tries, many scripts, I think that
its proper state to be released.

SO FAR CONFIRMED TO WORK ON:

• F30BT (tested by me )
• X920BT (thanks to Krms!)
• X930BT (thanks to Ralpharn!)
• Z110BT with Z120BT firmware (thanks to PatrickFernandes!)
• F920BT (thanks to Tudor Z!)
• F20BT (thanks to wikke!)
• Z130BT (thanks to uglyb0b!)
  
  
  ...

!!!!!
I'm not responsible of any damage/brick,
so all of this you are doing at your own risk.
Its working on my unit perfectly,
but its not 100% sure that it will work on yours!

FOR EDUCATIONAL PURPOSES ONLY!
THERE IS NONE OF PIONEER SOFTWARE INCLUDED,
THIS 'HACK' IS MADE WITH FREE SOFTWARE,
= NO COPYRIGHTS ARE BROKEN!
!!!!!

On the new units standard testmode with windows explorer
is not working. Funny is, that on the newer units
there is no even explorer.exe!
Fortunately we've got GGS1080 with TESTMODE.KEY,
which is working on F30BT, and other units also, I think.
But plain Pioneers Service Mode is not handy and 'usable' for us.
To hack Pioneer device I used Pioneers 'service mode'.

OK, so everything what we will need is in the attachment.
Below are detailed instructions, but in few words
we need to delete Av.exe, and copy hackfiles to its place.


INSTRUCTIONS:

HowTo backup/use Pioneer UI - Video by JasonH!

pts. 1-9 = BACKUP:

• download the archive, unpack it to root of your 'SD',
• instert SD to your AVIC, Pioneer Service Mode will appear,
  
  
  **navigating in service mode is little confusing, you've got to get use to the interface,
• move down and enter FILE MAINTENANCE,
• go to USER, select COPY on the menu,
• move up, and go to SD,
• select PASTE on the menu,
• once it finish - BACKUP IS DONE.
• now hold EJECT button for 5s to get to sd card, take it and connect to pc,
• copy USER directory somewhere safe on your computer and delete it from SD,
• insert again SD to AVIC, go to 'USER/PRG0/Apl' and delete Av.exe file,
  
  
  **you've got to delete it first, because service mode will not overwrite files!,
• go to 'SD/CONDIHACK', select ALL on the menu, and select COPY,
• go to 'USER/PRG0/Apl' and select PASTE on the menu,
• get out from FILE MAINTENANCE (home button),
• reset - turn off and on the unit - enter again service mode,
  
  
  **afaik its good to boot it again to service mode, I had few times problems with copied files - once they just disappeared after rebooting directly to system,
• go to FILE MAINTENANCE, 'SD', and delete TESTMODE.KEY,
• reboot unit, and done you can now delete CONDIHACK directory from SD!

To get into HACKMODE you need to have HACKMODE.KEY file on root of your SD.
HACKMODE.KEY is empty/dummy file to easy operate between hack/normal mode.
When Pioneer is booting it will search for HACKMODE.KEY file.
If the HACKMODE.KEY file is on root of SD - it will boot hacked, to file manager.
If the HACKMODE.KEY is deleted/renamed - it will boot to normal/stock Pioneer software.

Also if you have already turned ON AVIC (and for example car engine ON also),
then you can easly jump into HACKMODE - just insert SD with the file,
AVIC is scanning SD every 15s, when it will notice SD with the file,
it will quickly reset and after few seconds you will be in HACKMODE!
Its handy, you dont have to turn off the engine!

And one more thing - you can easly jump out from HACKMODE,
just by closing file manager! After close it will run standard Pioneer software
(also it will not scan for the key in every 15s! after restart it will be back).


Thats all for now. I wanted to give you nice mortscript menu,
but it just doesn't working. Many of commands doesn't work.
It was very hard to get everything working, the devil is in the details!
But after many hours of bricking and unbricking my device, here it is - the HACKMODE

Thanks guys for all 'good luck' words If you have any questions then just ask.
HACKMODE was checked only on my device, so please be careful in any actions,
Please check if it works with other models!


NOTE FOR UPGRADED FW UNITS:
If you've got upgraded from lower model unit,
like Z110BT to Z120BT, and hackmode
is not working correctly (cant run normal mode),
then probably you've got only PRG0 with new version
of firmware, but PRG1 is with old version!
You will have to:

• make another copy of your backup PRG0 directory,
• rename unmodified copy of PRG0 to PRG1,
• delete PRG1 from the avic,
• copy prepared PRG1 to avic (should be with same content as PRG0),
• install HACKMODE normally like in instructions above the note!

Oh and one more thing - please dont get me wrong, I share it free for all,
but if you want to buy me a beer, then I will drink for you
And as abb1 wrote on his topic - any donations will be greatly
appreciated, but they are by no means mandatory! 'buy me a beer' via paypal


DOWNLOAD: attachment below
PASSWORD: avic411


CHANGELOG:
[28.09.2012]
v2.21:
- small bugfix/typo in script for USB

[27.09.2012]
v2.2:
- compatible with SD and now USB also,
- additional check if the hackmode is on the device already,
to not to get two copies on one device (prg0+prg1).

[27.09.2012]
v.2.1

[24.09.2012]
v.2.0 AUTOINSTALL!

- installer now check which PRG0/1 is in use, and install in correct path.
- bugfixes, no more 'red screen' because of odd syntax of pio's script

[13.06.2011]
v.1.4 BASE - INSTALL VIA TESTMODE:

• added (modified) working DiskRW utility,
• added (modified) working GpsGate tool - shortcut on desktop (GPS IS STILL NOT WORKING!),
• added (modified) working RegEditor - finally we can import .reg files via mortscript!
  
  
  (example: Run("\NAND\PRG0\Apl\HACKMODE\Regedit.exe", "-s /SDMMC/your-regfile.reg"),
• .reg files are now associated with new RegEditor! just double-click on .reg file to import!
• added TextFiller tool (in CONDITOOLS directory),
  
  
  we don't have keyboard - script will automatically
  type your text to desired textfield in 10s - edit TextFiller.mscr!,
• added utilities to mount/unmount 3 partitions od Disk1 (Part00 = ?, Part01 = NAND, Part02 = NAND2)
  
  
  (credits goes to RubinX [cinus] - thx!) - found that app, can be useful,
  i've just adapted it to our avic's and made modified copies for oher two partitions,
• added some simple, nice wince wallpaper
• added some (modified) dll's to above apps,
• and some other i don't remember

[20.05.2011]

v.1.3 BASE - INSTALL VIA TESTMODE:

• moved HACKMODE back from HMIManager.exe to Av.exe,
• moved addon apps to seperate directory ('NAND/PRG0/Apl/HACKMODE')
• added (modified) working SirfTech utility,
• added (modified) working Task Manager with process killing feature,
• changed the way to enter hackmode - now you can choose between normal/hackmode on boot,
• added some (modified) dll's to above apps,
• and some other i don't remember!

[20.05.2011]

v.1.3 UPDATE FROM v1.2:
Changes via AUTOUPDATE!

• moved addon apps to seperate directory ('NAND/PRG0/Apl/HACKMODE')
• added (modified) working SirfTech utility,
• added (modified) working Task Manager with process killing feature,
• changed the way to enter hackmode
• now you can choose between normal/hackmode on boot ,
• added some (modified) dll's to above apps,
• and some other i don't remember!

[08.05.2011]

v.1.2 UPDATE FROM v1.1:
Changes via AUTOUPDATE!
!!!!!!!!!! WHEN UPDATING DEVICE WILL REBOOT 5/6 TIMES !!!
!!!!!!!!!! KEEP ON WAITING (FIRST REBOOT ~38s, LAST ~25s) !!!

• moved HACKMODE from Av.exe to HMIManager.exe
  
  
  (propably main exe of Pioneer software),
• added empty directory on desktop with name of HACKMODE VERSION,
  
  
  (will use it on future updates for 'version check')

[08.05.2011]

v.1.1 UPDATE FROM v1.0:
Small change - via AUTOUPDATE!

• replaced FileManCE app with other one, more usefull
  
  
  (works copy/paste, all files are visible).
  FIRST INSTALL v1.0 via standard method,
  then copy CONDIUPDATE to root of your SD/USB,
  insert it to device, it will run and reboot 'blink' three times, and done!

[08.05.2011]

v1.0:

• Works with both SD and USB! just connect hdd or pendrive
  
  
  with HACKMODE.KEY and enter HACKMODE like before!
• AUTOUPDATE feature - no more deleting Av.mscr
  
  
  via inconvenient Pioneer Service Mode.
  When new version will be released, you will just copy
  'CONDIUPDATE' directory to root of SD/USB, insert it,
  and it will automatically update the HACKMODE!!
  FROM NOW ON I WILL RELEASE SMALL PATCHES/UPDATES to this version!

[06.05.2011]

v0.2:
with windows ce explorer! of course not everything works,
but we've got desktop, shortcuts with FileMan and Restart,
its getting more and more handy!
another small step to achieve the target!!

[04.04.2011]
added alternative version with filemance instead of total commander!
the only difference is other file manager! - in attachment.
To change from other version just delete Av.mscr and cecmd.exe,
then copy new Av.mscr and FileManCE directory to /PRG0/Apl/.
(special for users who had an issue with rebooting device with total commander!)

, sorry for bad quality, sunny day here
I show iGO8 software running, keep in mind that gps port is locked for now,
(I will take a look at this), HACKMODE is entrance to further developing


Done List:

• HACKMODE access,
• Windows Explorer (not fully working..),
• autorun when SD inserted (scanning for HACKMODE every 15s),
• USB HACKMODE (SD&USB both working now),
• AutoUpdate - all future updates autoinstall with small patches,
• better File Manager with working copy/paste,
• Registry Backup Tool (in this post),
  
  
  ...

ToDo List:

• get working GPS signal/port,
• fully working Windows CE,
• version info of HACKMODE in windows,
• crack/modify wince img - EU090PLT.PRG?,
• crack/modify EU090BOT.PRG - to pass modified wince img EU090PLT.PRG? (maybe not needed),
• in-script check for fw updated units (PRG.FLG related),
• internet browsing via bluetooth from mobile? with Internet Explorer?,
• usb mouse (and propably keyboard) are working - enable mouse pointer?,
• change ShellFolders - Desktop directory to NAND, to get permanent not-erasing on every reboot desktop? (need registry/EU090PLT.PRG hack..),
• run emulated image of our devices on PC,
• integrate different GPS software instead of stock pioneer into the system, it should work with standard Player, Bluetooth etc,
• connect usb 3G/GPRS modem to use independent internet access, to load traffic info (for GPS software, that support it).
  
  
  ...any suggestions?

br

condi

 

Moderator Note: This has not been updated since 2012 and has a very high likelihood of bricking modern units. DO NOT install without a full backup. Testmode is currently recommended in place of hackmode.

Condi's HACKMODE v1.3 BASE - INSTALL VIA TESTMODE.zip

Condi's HACKMODE v1.4 BASE - INSTALL VIA TESTMODE.zip

UPDATE - Condi's HACKMODE v1.3 to v1.4.zip

Condi's HACKMODE v2.1 - AUTOINSTALL.zip

Condi's HACKMODE v2.21 - AUTOINSTALL.zip

My adventure with F30BT to be continued here

We need to find that testmode. Are you sure it doesn't work? Have you done it before on a Z110/Z120?

 

Is there any manual available?

 

I haven't done it on Z110/Z120. It's my first AVIC, but I was working with many gps devices in my work,

made many mortscript scripts etc. Windows CE is familiar for me.

I'd like to help as much as I can

I will have more time to check all service testmode discs etc, over the weekend.

What about GGS1080, GGV1345 or maybe some newer version?

Testmode 2.3 of course is not working.

 

 

http://www.schematics.me/purchase.php?id=Pioneer+AVIC-F30BT%2FXNEU5+Service+Manual+%2F+Schematics

 

hmmm.. fake?

 

------------

interesting thing:

http://www.zeroplus.com.tw/software_download/Protocol%20Analyzer%20SD%20Introduction..pdf

http://www.jinvanisystech.com/sd_sleuth_pro.html

Maybe there would be a good solution to use some logic analyzer, something which could give as the key-filename to the testmode?

Pioneer device when booting - search for testmode executable, then check for the proper blank key-file, and grant access :>

Am I right?

If we could get some logger/analyzer on the SD or maybe USB device, than we could sniff it?

One more:

http://www.robotshop.com/sfe-sd-sniffer-1.html

You can run it but as I stated above there simply is nothing useful that can be done with it. If so it would have already been done. There are about 10 people over the last two years that claimed they were hacking geniuses and that they could hack this unit only to never be seen again. Feel free to try but don't get your hopes up.

 

Hi friend,

 

 

We have to be optimistic

I had a lot gps devices in my hands.

As far as I know the problem is that new fw hidden files, executables of interface,

and thats why we cant replace them, and run some mortscript stuff? :>

 

I cant move forward before I can get into 'testmode' - simple script which runs explorer.

I had some other gps devices in past, which had hidden/locked partitions.

We should make some dig into registry - maybe its the key to the hack?

 

For now its only loose thoughts

 

 

br

condi

It could be possible to make package our own update by using testmode to dump the Z130BT file and flashing it ot the Z110BT/Z120BT

 

I've got F30BT with 3.000 fw, but i can't access to explorer via testmode.

I could make a copy 'my flash disk', if there was an option to get working testmode for f30bt.

 

br

condi

thanks friend for your reply.

what about this topic?

http://avic411.com/index.php?/topic/29150-cracking-the-z11020bt-f10f20bt-included-region-changing/page__st__186

 

i fought that it would work on f20/f30 models,

cracked upgrade file, or testmode via button combination?

Hello friends!

 

I've recently bought Pioneer AVIC-F30BT,

thats why i'm new in here

 

My unit has 3.000 firmware version.

I want to boot into testmode,

but none of the versions i've found worked.

 

Will I have to wait for Pioneer to release

first firmware update?

..or is there an other option to get

the correct key-file for the testmode?

 

BR

condi