AVIC411.com

Hacking the Onboard Chip


Is hacking the AVIC's EEPROM a waste of time?  

51 members have voted

  1. Is hacking the AVIC's EEPROM a waste of time?

    • No way! Let's bruteforce our way in!
      23
    • Yes, and you need a life.
      5
    • Not sure, but would like to see if it would work.
      19
    • Don't care.
      4



You bring up a good point dawgbone. The nag screen probably IS an application, Navi.exe most definitely calls it (in programming language, it's actually CALLED a "call" lol) when the unit starts up. What we're trying to do is find exactly where it calls that screen up, and put a NOP (No Operation) instruction in place of that call. This will effectively neutralize the nag screen, because it won't even be called for in the first place. The big problem GnatGoSplat and I are running into (aside from the fact that my job keeps me out of the country much of the time) is going through the pages upon pages of code to find what we need, and then on top of that, testing the new Navi.exe executable file to see if it actually works. It's a process of "let's change this... ok now let's take the drive out to the car and test it... nope that doesn't work, let's change this..." and so on.

 

I've never burned the test disc myself, but I'm glad you added that idea into the mix. :) That's really what I made this thread for, kind of as an info-dump/collaboration area for things like this. Many minds working together are ALWAYS better than many minds working by themselves.


I'm almost sure the nag screens are called from Navi.exe for navigation and AV.exe for video because there appears to be similar code calling safety messages in both apps. The nag screens are definitely in a different library, one of the common libraries. I see calls to get the language and calls to build the warning message string from language files (or at least that's what it looks like). I did try removing the nag screen from AV.exe. Unfortunately, it had no effect. Funny thing is I NOP'd out a lot of subroutines and didn't notice ANY difference, the program didn't crash either. I replaced the exe's in both PRG0 and PRG1 so that it couldn't detect and restore the original version (I don't think it can do this, but I wanted to be sure). I'm starting to wonder if the programs are somehow cached, but then that doesn't explain the boot time.

 

Anyway, I think just guessing isn't going to get me anywhere. I'll have to learn SH4 assembly and go through the program line by line!

 

It would definitely be easier to have a separate unit for experimentation, I keep looking for broken AVICs on eBay, but they all go for a lot, almost as much as I paid for my good one.

 

I've been looking over the service manual posted by dawgbone and have been rather disappointed that there doesn't appear to be a USB port or even USB pins inside the unit. I wonder why all the references to USB in the test mode and USB drivers in the OS? Maybe I'm just not looking close enough.


Yeah there definitely are a lot of references in the code AND registry about USB. Perhaps the drivers are for a USB adapter that you can add-on?

 

Check out OllyDbg and see if that works for you. After you make changes to the assembly, you just right-click anywhere in the code and then select Copy To Executable>>>All Modifications, and then save it.

  • 2 weeks later...

I've hit a wall with this project. Lately I have just not had the time to dedicate to this. That's not to say that:

 

1) I won't revisit it again when I have time (which I definitely will)

2) Without me, this cannot continue. Anyone is more than welcome to contribute to this if they so desire.

 

Hopefully, once I float out on the Pacific (I'm in the Marine Corps and have a deployment coming up) I'll have plenty of free time on my hands. I will definitely be taking the z3image with me, along with my debugging/disassemblers and Acronis. Life on ship allows for a lot of free-time (in my job - networking - once the network is up, it's up and I'm free to do whatever as long as I troubleshoot things as needed) so hopefully I won't have to abandon this.

Well..that stinks...but I can relate...

I was a 2nd class IT on the USS Cleveland in SD... a Marine transport... Last I heard, when I was on my way out, that they were extending deployments up to 8 months... You can only do so much floating on a metal turd in the middle of the ocean... :lol:

  • 2 weeks later...

Just an update on this... no real progress, but I did get it to do something different which makes me think it's really in Navi.exe.

 

I NOP'd out too many JSRs and managed to get it into an infinite boot loop, I think once it loaded Navi.exe it would trigger a reboot.

 

So then I tried nulling out the references to WIN_UIN_SafetyCaution. I'm thinking somehow it builds that string to send to some other function that in turn calls a function by that name. So nulling it out makes it impossible for it to call any function. That made it to where when the annoying nag screen is supposed to come up, it does make the beep for it, but nothing shows up - it just stays at the boot screen. There is no way to continue onto the map, however all the AV functions and AV screens still work fine.

 

I have too many projects going on right now, but I do have an extra Z1 in my home office so once I have some free time I'll play around with it some more.

 

Oh, and unfortunately that OllyDbg only works with x86 code so I'm stuck having to manually hexedit the file with NOPs (09 00).

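The post above describes hand-editing `09 00` over JSRs and then losing track of which change caused the boot loop. The following is an added example, not code from the thread: a word-level audit that compares a known-good image with an edited one and reports every changed 16-bit SH4 instruction. It assumes both files are the same length and that code sits at even file offsets; the function names and the sample bytes are constructed for illustration.

```python
import struct

NOP = 0x0009  # SH4 NOP; stored little-endian as the bytes 09 00 quoted in the thread


def classify(word):
    """Name the 16-bit SH4 instruction classes this audit cares about."""
    if word == NOP:
        return "nop"
    if word & 0xF0FF == 0x400B:   # JSR @Rn: 0100nnnn00001011
        return "jsr"
    if word & 0xF000 == 0xB000:   # BSR disp: 1011dddddddddddd
        return "bsr"
    return "other"


def audit_patch(original, patched):
    """Return (offset, old_word, new_word, verdict) for every changed word.

    A trailing odd byte, if any, is not compared.
    """
    if len(original) != len(patched):
        raise ValueError("length differs: not an in-place patch")
    changes = []
    for off in range(0, len(original) - 1, 2):
        old, = struct.unpack_from("<H", original, off)
        new, = struct.unpack_from("<H", patched, off)
        if old == new:
            continue
        if new == NOP and classify(old) in ("jsr", "bsr"):
            verdict = "call removed"
        elif new == NOP:
            verdict = "non-call nopped"
        else:
            # Odd-offset or byte-swapped hex edits land here, as does
            # any modification that is not a clean NOP replacement.
            verdict = "unexpected edit"
        changes.append((off, old, new, verdict))
    return changes


# Constructed sample: six instruction words, not taken from any real Navi.exe.
SAMPLE_ORIGINAL = struct.pack("<6H", 0x4F22, 0x410B, 0x0009, 0xB012, 0xE000, 0x000B)
SAMPLE_PATCHED = struct.pack("<6H", 0x4F22, 0x0009, 0x0009, 0x0009, 0xE001, 0x000B)

if __name__ == "__main__":
    for off, old, new, verdict in audit_patch(SAMPLE_ORIGINAL, SAMPLE_PATCHED):
        print("0x%04x  %04x -> %04x  %s" % (off, old, new, verdict))
```

Keeping the report next to each test image gives a record of exactly which calls were removed, so a failed boot can be traced to a specific offset rather than re-guessed.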
  • 1 month later...
  • 2 weeks later...
  • 1 year later...

I have a buddy in Australia who knows assembly pretty well, he looked over some of the stuff I sent him and couldn't make heads or tails of it. The biggest wall I'm facing (and what made it hard for him as well) is that the assembly is for an SH4 proc which isn't very common. If the Z ran Intel or AMD it would be cake.

 

I REALLY wish I had kept better notes when we were going full-bore on this, I can't remember the disassembler I used to get the code I posted. I'm using IDA Pro right now and it's not giving me what I want. :(


I have 5.5.

 

It DOES generate the code we need but the layout of all of it is REALLY strange, not like what I was getting before. The thing that is most frustrating for me is I look at the code I got years ago and I actually understand it and could probably do this now that I've learned a little more, but now I don't have the correct tools. Round and round we go :lol:

 

I'm gonna keep trying out different things to see if I can get something I can really work with. For right now though I've got a ton of homework I've been putting off (on spring break this week) so I need to get that done first.

 

Oh, I also tried using the WinCE emulator that Microsoft offers but got pissed off at it because I don't have Platform Builder. lol

 

I wish I knew more about WinCE :(
