GnatGoSplat Posted July 28, 2008

D'OH! Back to square one. Apparently there's no checksum checking, but the modified Navi.exe didn't make one bit of difference.

CaptainInsaneO (Author) Posted July 29, 2008

Hey do you think you could make an image of the Windows install on the AVIC? I'd really like to pick through it if it wouldn't be too much trouble to you.

Also, I looked through the registry file that you posted earlier and I think you're right about NEventWatcher.exe. See this link for details: http://www.informit.com/articles/articl ... 2&seqNum=7

If you can, try removing the following lines from the registry and see if that takes out the nag screen (also, make sure you make a backup first, this may break more stuff than we want):

"Depend90"=hex:1e,00
"Launch90"="NEventWatcher.exe"

So after removing that, the whole section should look like this:

[HKEY_LOCAL_MACHINE\init]
"Depend30"=hex:14,00
"Launch30"="gwes.exe"
"Launch20"="device.exe"

It's a shot in the dark, but it may work.

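Added example, not part of the original thread and not code from any poster: a small Python reader for the `[HKEY_LOCAL_MACHINE\init]` values quoted in the post above, showing which `Launch` entry each `Depend` value points at. It assumes each `DependNN` value is a list of 16-bit little-endian launch numbers (so `hex:1e,00` is 30); the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: only the init values quoted in the post above, in the
# exported text form. A real export of the key may hold more entries.
SAMPLE = r'''[HKEY_LOCAL_MACHINE\init]
"Depend30"=hex:14,00
"Launch30"="gwes.exe"
"Launch20"="device.exe"
"Depend90"=hex:1e,00
"Launch90"="NEventWatcher.exe"
'''

ENTRY = re.compile(r'^"(Launch|Depend)(\d+)"=(?:"([^"]*)"|hex:([0-9A-Fa-f,]+))$')


def parse_init(text):
    """Return (launch, depend): {seq: exe} and {seq: [seq numbers waited on]}."""
    launch, depend = {}, {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # section header, blank line, or a value not modelled here
        kind, seq, exe, hexdata = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        if kind == "Launch" and exe is not None:
            launch[seq] = exe
        elif kind == "Depend" and hexdata is not None:
            raw = bytes(int(b, 16) for b in hexdata.split(",") if b)
            if len(raw) % 2:
                raise ValueError(f"Depend{seq}: odd number of bytes")
            # Assumption: each dependency is a 16-bit little-endian Launch number.
            depend[seq] = [int.from_bytes(raw[i:i + 2], "little")
                           for i in range(0, len(raw), 2)]
    return launch, depend


def boot_plan(launch, depend):
    """List (seq, exe, [names waited on]) in launch-number order; '?NN' marks
    a dependency that has no matching Launch entry."""
    return [(seq, launch[seq],
             [launch.get(d, f"?{d}") for d in depend.get(seq, [])])
            for seq in sorted(launch)]


def dependents(launch, depend, exe):
    """Names of entries whose Depend value points at `exe`."""
    target = {s for s, name in launch.items() if name.lower() == exe.lower()}
    return sorted(launch[s] for s, deps in depend.items()
                  if s in launch and target & set(deps))
```
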
GnatGoSplat Posted July 29, 2008

Not sure what you're wanting, the files extracted from the firmware dump? I can send you those.

Unfortunately, I can't modify the registry. I was able to extract it from the firmware dump and convert it from an .fdf to .txt file, BUT I can't convert it from readable .txt back to .fdf. Even if I could, I don't know how to re-insert it into the firmware dump... and another problem after that, is I think the AVIC probably does check firmware checksum upon flashing. Now assuming I get past all that... flashing a bad/corrupt firmware could brick my AVIC, that makes me a little nervous. It's possible I can recover it by going into the Service Menu and force it to flash a good firmware, but that's assuming the Service Menu still works after a bad flash.

Anyhow, I think there are tools on how to convert .txt to .fdf and build the individual files back into a flashable firmware, but I haven't found those tools yet. They would be the same tools people use to build custom Windows Mobile 2003 ROMs back when that was current, so I know they're out there.

I think NEventWatcher.exe is the main shell program. I believe it catches button press events, screen touch events, that kind of thing. I'm thinking removing it will just result in an AVIC that hangs at the Pioneer splash screen.

CaptainInsaneO (Author) Posted July 29, 2008

I definitely hear you on bricking your AVIC, I don't know what I was thinking there. In theory it certainly would be possible to flash changes to the OS and the registry within, but I don't want you to potentially ruin your HU. Sorry I made the suggestion. I REALLY freakin need a test box, but my girlfriend's birthday is coming up in August and I don't have the funds to put forward to buy another AVIC right now.

I really WOULD like the files you got from the dump you did, also what reader are you using to access those files? Did you make it yourself or did you buy it? I'd like to get one but all I can find at Fry's are the drop-the-chip-in kind.

I tried getting Platform Builder for you but I can't find it anywhere. I'll keep my eyes open, I'll also ask around at my shop to see if maybe we have it in our software inventory. The Marine Corps is moving over to XP though so I highly doubt we'll have it, but I'm hoping to be pleasantly surprised.

Once you get those files to me, I'm going to see if I can dump NEventWatcher to hex and play around with that. This egg needs to be cracked, you and I are too deep into this to give up now.

Edit: The most frustrating part about this is that the value or procedure call we need is probably right under our noses, and would take about two seconds to edit. The real bitch is finding the damn thing without FUBARing the rest of the OS or firmware.

GnatGoSplat Posted July 29, 2008

Here's the link to the dumped files: http://rapidshare.com/files/133365294/AVIC_Z3_Platform_Dump.rar

I think MAYBE the utility I used to extract the files from the firmware image can insert files as well, but I'm a little afraid to try it.

I didn't need a reader at all to get the firmware... if you go into the hard drive, you will find two identical folders, PRG0 and PRG1. I have no idea why there are 2 copies, I found only PRG0 is used and a binary compare shows they are identical. Anyway, inside those folders is a PLATFORM folder. There you will find the firmware image: EU060PLT.PRG. The AVIC bootloader seems to do a compare of the EU060PLT.PRG to its existing firmware and will flash its firmware if the version on disk is newer. This is why simply copying a Z3 hard drive works to update a Z2 or Z1. You can go into the Service Menu and force the firmware flash to older or newer versions as well.

Anyhow, I just took the .PRG file and noticed it's a fairly standard CE 4.2 ROM image so I tried DUMPROM.EXE (for WM2003) on it to extract the files and it worked. I think there is no bootloader image inside the PRG file. This means you can modify the PRG file and even if you flash a bad/corrupt copy, you can recover by going into the Service Menu and forcing it to flash a good firmware back in. However, I'm not willing to risk my expensive toy to prove that theory! A spare would be great, but they're a bit too expensive to buy a spare. Ideally, we should have someone with an AVIC that's under warranty try it, and if it gets bricked, they can get it fixed under warranty, just say "it just quit working, I don't know why!"

I'm still almost convinced the safety warning is somewhere in Navi.exe. If that's the case, we can pretty much play with that without worrying about permanently disabling the AVIC.

Yeah, I think Platform Builder is the key to having some real fun with the AVIC. I believe Platform Builder can recompile any of the CE OS files as SH4 binaries. Unfortunately, Z-series hacking is limited due to the SH4 being fairly rare for CE devices. The F-series guys are at a huge advantage since the F-series uses an ARM CPU and they even have a full set of CE libraries and Windows CE Explorer built-in too!

CaptainInsaneO (Author) Posted July 29, 2008

My mistake, I was under the impression that you had dumped the OS files off the ROM chip inside the HU itself. I'd like to do that, but I can't find a clip-on EEPROM reader.

Thanks for the info on the firmware, I'll definitely play with that. I bet there's two PRGs (PRG0 and PRG1) because one is the main and one is a backup. If you messed up PRG0 you could probably just remove it and rename PRG1 to 0. Just a theory though, I haven't even looked at it yet except to play with Navi.exe.

I also think you're correct on Navi.exe. Too bad I don't know assembly, although I do have a book on reversing. If you want a PDF copy I'll be more than glad to send it to you.

GnatGoSplat Posted July 29, 2008

Yep, you can rename PRG1 to 0 and it will work. I've tried that already just to try to figure out if it keeps a copy to prevent tampering or what. So far, I haven't really found out why it keeps a second copy because it doesn't automatically replace tampered-with files.

I don't know assembly either. I keep wishing if I stared at it long enough, I'd start picking up something. It doesn't seem to be working out that way! I might have that same book on PDF... is it "Reverse Engineering Code with IDA Pro"?

CaptainInsaneO (Author) Posted July 29, 2008

I'll send you details in a PM.

Kronyk420 Posted August 1, 2008

> To kronyk, thanks for the great input. Did you make your own reader, or did you buy it? If you bought it, which one is it? I've searched for clip-on ones but all I can find are the writers/programmers that you have to insert the chip into. I've got a theory that if you could access the data on that chip, you could of course copy all of it over to a storage medium and begin working with it that way.

Sounds like you guys are on to some major stuff......... I hope my 2 cents can help.

The EEPROM reader I used was homemade, the parts cost me about $12 at the local electronics store. Wrapped it all up in a case with a 9v power supply (regulated to 5v at the chip) in case the chip's supply fails during transfer. Credit goes to Unicron1 at the Afterdawn forum, though I'm linking this without permission. It's an old thread: http://forums.afterdawn.com/thread_view.cfm/357863

I never used a chip clip or alligators, I opted for the full on solder for my contact points. With the Xbox there was an LPC header that corresponded to all the pin locations so soldering was easy ---- probably not the case for the Z*. Once it was hooked up you can read or flash your eeprom with any software. I used ponyprog, but I've heard there's others out there.

I just bricked my first Xbox with a bad BIOS flash yesterday ---- Had to pull out the old reader to recover the HDD and thought I'd follow up here. Seems like good timing!

I found out something else interestingly similar to the Xbox and AVIC in the hard drives too. In the early Xbox days softmodders were having trouble with HDD recognition when upgrading to non-OEM drives. This is due to proprietary drive recognition between the box and HDD, and was finally solved by editing cluster values to match an OEM drive. I had a light bulb go on while I was using Hex Workshop to prepare my new 750G Xbox drive, and I was looking at my Z3 upgrade drive sitting right beside.

Xbox scene tutorial on drive preparation, it's similar to the Z3 upgrade minus the hex editing: http://www.xbox-scene.com/articles/no-m ... d-swap.php

I've searched the forum for about 3 hours now and haven't found anything similar to this idea, and I know it's off topic in this thread, but I figured you were the guys that might be able to do something with it. So no lashing please, I'm just trying to help! I wish I knew coding so I could help more, but I'm better at 'search and destroy' missions when I'm modding ---- I do what I need to get the job done. There are just too many similarities in these hacks to not take notice!

dawgbone Posted August 2, 2008

You know, I've spent some time looking over the Avic Z's schematics.... just looking for the opportunity of a Xbox style mod, where you can jump in front of the BIOS, and run your own code via a soldered in chip job...

This would be the ideal OS, being that if others (not me) could write code to take advantage of the Z's hardware and peripherals....It would be kewl to have BT tethering for internet...etc... http://www.ubuntu.com/products/mobile

Hell.... even cramming a Sony PSP with GPS functionality in the unit would be sweet as apple pie...

GnatGoSplat Posted August 2, 2008

Where did you get the AVIC-Z schematics?

dawgbone Posted August 2, 2008

> Where did you get the AVIC-Z schematics?

Please right-click and download...33+something or other MB.. http://www.dawgbonez.com/Misc/AVIC-Z2_Manual.pdf

GnatGoSplat Posted August 3, 2008

Thanks so much, dawgbone! I really appreciate it, I've been looking for that ever since I got my Z2!!!

dawgbone Posted August 4, 2008

> Thanks so much, dawgbone! I really appreciate it, I've been looking for that ever since I got my Z2!!!

Cool...no prob... It's probably a lot more useful in others' hands than mine...

dawgbone Posted August 4, 2008

Just throwing random junk out there. But the whole nag screen thing almost acts like an application. Could it possibly not have anything to do with Navi.exe, and possibly an application of its own that we could...get rid of?

And another interesting thing I noticed... In the service manual, there is absolutely no explanation of the File Maintenance menu of the TestDisc... which just so happens to be chapter 4-20...Easter Egg??? Has anyone burned and used the Test Disc to play with? (Test Disc is in all Z images, and easier acquired in Pioneer's updates)

Hmmm... a USB directory?