AVIC411.com

Warning screen bypass on the AVIC-D2



Does that mean we can edit the text at least? If so, that could be kinda funny.

 

Probably not until someone figures out the checksum.

 

Ok, you're right -- there is a checksum. I tried editing UC050DAT.USA and reburning it, then used the service mode menu to force-update the application flash. It worked, but when the unit restarted, it said "beginning program update", tried to reflash (again) off the same DVD, said that the update was corrupt, and then rebooted -- I had to eject the DVD to get it out of a loop.

 

(Maybe this isn't news, but) I think the checksum is the last 16 bits of the file. Here's what I make of the header:

 

0000000: a55a 5aa5 7300 0002 5543 3035 3044 4154  .ZZ.s...UC050DAT
0000010: 0000 0000 5553 4100 2ead 0000 4000 0000  ....USA.....@...
0000020: b074 0000 aaaa aaaa aaaa aaaa aaaa aaaa  .t..............
0000030: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa  ................

 

a55a 5aa5 = magic number

7300 0002 = version number (2.00.0073)

5543 3035 3044 4154 = filename 'UC050DAT'

0000 0000 = padding?

5553 4100 = extension 'USA'

2ead 0000 = 0x0000ad2e = 44334 (filesize)

4000 0000 ? (same for all three languages)

b074 0000 = 0x74b0 ?? this is 0x7ee8 for .ESP and 0x7dec

aaa... padding out to 64 bytes

 

End of file:

000ad20: 2201 ffff 0000 0000 0000 0000 700c       "...........p.

 

I think the 700c is the checksum.

 

Unfortunately, the program files look similar:

0000000: a55a 5aa5 5000 0102 4555 3035 3041 504c  .ZZ.P...EU050APL
0000010: 0000 0000 5052 4700 0000 4400 0100 0000  ....PRG...D.....
0000020: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000030: ffff ffff ffff ffff ffff ffff ffff ffff  ................

 

a55a 5aa5 = magic number

5000 0102 = version number (2.01.0050?)

4555 3035 3041 504c = filename 'EU050APL'

0000 0000 = padding?

5052 4700 = extension 'PRG'

0000 4400 = 0x00440000 = 4,456,448 (filesize)

0100 0000 ? attributes or flags, maybe?

 

ffff... padding out to 64 bytes.

 

End of the file:

043fff0: ffff ffff ffff ffff ffff ffff ffff d8c8  ................

 

checksum = d8c8?

 

Any guesses as to how they're calculating that value?

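The header walk-through and the question about the trailing two bytes above lend themselves to a small tool. The following is an added example written for this page, not the poster's parse-dat.c or fcs.c: it decodes the 64-byte header exactly as interpreted above (the split of the version word into 2.00.0073 is the poster's reading and is treated as an assumption, as are the two unknown words), checks the size field against the real file length, and then computes a handful of common 16-bit checksums over the file and reports which of them, if any, reproduce the last two bytes. The candidate list, the two byte ranges tried and the sample file it builds when run without an argument are all assumptions; the sample's trailer is sealed with CRC-16/X-25 only so the search has something to find, not because that is what the unit uses.

```python
"""Header dump and trailer-checksum candidate search for AVIC DVD update files.

Added example for this page; not the poster's parse-dat.c or fcs.c.  The header layout
is the one decoded in the thread; the real checksum algorithm is unknown here, so
identify() only reports which common 16-bit checksums reproduce the last two bytes.
"""
import struct

HEADER_LEN = 64
MAGIC = b"\xa5\x5a\x5a\xa5"
# magic, version, 8-byte name, 4-byte pad, 4-byte extension, file size, two unknown u32s
HEADER_FMT = "<4s4s8s4s4sIII"


def parse_header(data):
    """Decode the 64-byte header.  The version split (73 00 00 02 -> 2.00.0073) is the
    thread's reading of that field and is an assumption, as are the two unknown words."""
    if len(data) < HEADER_LEN + 2:
        raise ValueError("file too short to hold a header and a 2-byte trailer")
    magic, ver, name, _pad, ext, size, unk1, unk2 = struct.unpack_from(HEADER_FMT, data)
    if magic != MAGIC:
        raise ValueError("bad magic %s" % magic.hex())
    build, minor, major = struct.unpack("<HBB", ver)
    return {
        "version": "%d.%02d.%04x" % (major, minor, build),
        "name": name.rstrip(b"\0").decode("ascii"),
        "ext": ext.rstrip(b"\0").decode("ascii"),
        "size": size,
        "size_ok": size == len(data),          # a resized edit must fix this field too
        "unknown1": unk1,
        "unknown2": unk2,
        "trailer_le": struct.unpack_from("<H", data, len(data) - 2)[0],
        "trailer_be": struct.unpack_from(">H", data, len(data) - 2)[0],
    }


def _reflect(value, bits):
    return int(format(value, "0%db" % bits)[::-1], 2)


def crc16(data, poly, init, refin, refout, xorout):
    """Generic 16-bit CRC in Rocksoft-model terms: MSB-first core, input/output reflection
    handled explicitly so one routine covers ARC, MODBUS, XMODEM, CCITT-FALSE and X-25."""
    crc = _reflect(init, 16) if refin else init
    for byte in data:
        if refin:
            byte = _reflect(byte, 8)
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    if refout:
        crc = _reflect(crc, 16)
    return crc ^ xorout


# Candidate algorithms (assumption: a short list of the usual suspects, extend as needed).
CANDIDATES = {
    "sum16": lambda d: sum(d) & 0xFFFF,
    "CRC-16/ARC": lambda d: crc16(d, 0x8005, 0x0000, True, True, 0x0000),
    "CRC-16/MODBUS": lambda d: crc16(d, 0x8005, 0xFFFF, True, True, 0x0000),
    "CRC-16/XMODEM": lambda d: crc16(d, 0x1021, 0x0000, False, False, 0x0000),
    "CRC-16/CCITT-FALSE": lambda d: crc16(d, 0x1021, 0xFFFF, False, False, 0x0000),
    "CRC-16/X-25": lambda d: crc16(d, 0x1021, 0xFFFF, True, True, 0xFFFF),
}


def identify(data):
    """Return (algorithm, region, byte order) triples whose value equals the trailer.
    Two regions are tried because it is unknown whether the header is covered."""
    hdr = parse_header(data)
    regions = {"all-but-trailer": data[:-2], "body-only": data[HEADER_LEN:-2]}
    hits = []
    for algo, fn in CANDIDATES.items():
        for region, chunk in regions.items():
            value = fn(chunk)
            if value == hdr["trailer_le"]:
                hits.append((algo, region, "little"))
            if value == hdr["trailer_be"]:
                hits.append((algo, region, "big"))
    return hits


def build_sample():
    """Constructed stand-in for UC050DAT.USA: header words from the thread, made-up body,
    trailer sealed with CRC-16/X-25 purely so the search has something to find."""
    body = b"\x22\x01" + b"constructed sample string table entry\0" * 20
    size = HEADER_LEN + len(body) + 2
    hdr = struct.pack(HEADER_FMT, MAGIC, b"\x73\x00\x00\x02", b"UC050DAT", b"\0" * 4,
                      b"USA\0", size, 0x40, 0x74B0)
    hdr += b"\xaa" * (HEADER_LEN - len(hdr))
    return hdr + body + struct.pack("<H", CANDIDATES["CRC-16/X-25"](hdr + body))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, val in parse_header(data).items():
        print("%-11s %s" % (key, hex(val) if type(val) is int else val))
    print("matches:", identify(data) or "none in the candidate list")
```

Run it as `python avic_hdr.py UC050DAT.USA` (the file name is whatever you pulled off the DVD). An empty match list means the algorithm is outside this short candidate set: a different polynomial, a checksum over a different byte range, or a seeded one; the CANDIDATES table and the regions dict are the two places to extend.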

The OS loader starts around 0x1000. I can disassemble there no problem. Another chunk starts at 0x1200. It's using the NEC RX OS. I'll attach some of the documentation I've found so far and the disassembler I'm using.

 

All I get is garbage at 0x1000 -- 0x1200 looks more promising. (we're talking about UC050SYS.USA, right?)

 

BTW, I'm not sure if there's a difference in the instruction sets, but the chip in the AVIC-D1 is a "UPD705103GM-180S1". I can't find a datasheet for that anywhere, but I did find one for the UPD705102GM (aka NEC V832), which at least has an identical pinout to the one in the unit.

 

http://www.necel.com/cgi-bin/nesdis/o006_e.cgi?article=UPD705102

3 months later...

I've still been working on this, off and on for the past few months. I wrote a V830 disassembler plugin for IDA Pro. While it's not perfect, it works well enough to disassemble most of UC050SYS. I believe the code that verifies the checksums is in there, but I haven't been able to figure out where.

 

Does anyone here read assembly? I'd be happy to email my partial disassembly...

Excellent work! Did you have to decompress anything within the files? When I loaded it with a hex editor, I didn't find any obvious ASCII for that message.

 

Thanks :) If you scroll back up to http://avic411.com/forum/viewtopic.php?p=25112#25112, that's one of the strings in UC050DAT.USA; the "hard" part was finally figuring out the checksum so that it would actually let me reflash that file using the service menu. (If you don't fix the checksum, it will try to reflash, but it will tell you it failed, and it will refuse to boot until you insert a DVD with a valid copy of that file, which it will then reflash.)

 

I'll post the checksum program in a bit, but what I'm really trying to do is patch the code (in EU050APL.PRG) to skip the screen entirely.


I will love you forever if you figure it out! I would much rather leave mine on the map or gauges screen than the boring blue background, but having to press OK to dismiss that screen is a headache.

 

I searched forever for any recognizable strings, I guess I just didn't search hard enough!

2 weeks later...

Okay, I'm pretty much stuck here, so I'm posting what I have so far in the hopes that someone else might be able to get further.

 

The "Application" code is contained on the DVD as EU050APL.PRG, and it references strings in the file UC050DAT.USA.

 

http://people.freedesktop.org/~bbyer/avic/eu050apl.prg

 

http://people.freedesktop.org/~bbyer/avic/UC050DAT.USA

 

A parsed version of the strings file is here: http://people.freedesktop.org/~bbyer/avic/UC050DAT.USA.txt

 

That was produced with this program: http://people.freedesktop.org/~bbyer/avic/parse-dat.c

 

In order to modify either of those files, you'll need to edit the file with a hex editor, and then recompute the checksum, which is stored in the last two bytes of the file. A program to compute the checksum is here: http://people.freedesktop.org/~bbyer/avic/fcs.c

 

You can reflash modified files onto the unit using just a CD-R and the service menu; I can post details about this if anyone's curious.

 

Finally, the disassembled code from EU050APL.PRG: http://people.freedesktop.org/~bbyer/avic/eu050apl.lst.bz2

 

That output's not perfect, but it's getting pretty good. It was produced using IDA Pro and a custom processor plugin for the NEC V830.

 

The code that retrieves the strings displayed for the "nag screen" is in the function I called show_nag_1, but they aren't actually displayed in that function, and I can't figure out what calls that function, which is where I'm stuck.

 

I hope to get back to this someday, but am too busy with Real Work at the moment. :(

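As an added example of the "edit with a hex editor, then recompute the checksum in the last two bytes" step from the post above (not the poster's fcs.c, whose algorithm the thread does not give): a same-length string patch that re-seals the file. It assumes, because the thread does not say, that the checksum covers every byte except the final two and is stored little-endian; checksum16 is a plain byte-sum placeholder to be swapped for the real routine, and build_sample produces a constructed file, not a real UC050DAT.USA. The 64-byte header and the size field at offset 0x18 follow the layout decoded earlier in the thread.

```python
"""Same-length string patch plus trailer re-seal for an AVIC DVD update file.

Added example for this page, not the poster's tools.  ASSUMPTIONS: the checksum is taken
over everything except the last two bytes and stored little-endian; checksum16() below
is a placeholder byte sum, not the unit's algorithm.
"""
import struct

HEADER_LEN = 64
SIZE_OFFSET = 0x18      # u32 LE file size, from the header decoding earlier in the thread
MAGIC = b"\xa5\x5a\x5a\xa5"


def checksum16(data):
    """PLACEHOLDER (assumption): 16-bit byte sum.  Replace with the real routine."""
    return sum(data) & 0xFFFF


def seal(data, fn=checksum16):
    """Rewrite the last two bytes as fn() of everything before them."""
    body = data[:-2]
    return body + struct.pack("<H", fn(body))


def verify(data, fn=checksum16):
    """True if the trailer matches; a False here is what the failed reflash complains about."""
    return len(data) > HEADER_LEN + 2 and seal(data, fn) == data


def patch_string(data, old, new, fn=checksum16):
    """Replace exactly one occurrence of `old` in the body with same-length `new`, re-seal.

    Same length is required because the header's size field and any offsets inside the
    file are left untouched; pad a shorter replacement yourself if the table allows it.
    """
    if data[:4] != MAGIC:
        raise ValueError("not an AVIC update file (bad magic)")
    if len(new) != len(old):
        raise ValueError("replacement is %d bytes, original is %d" % (len(new), len(old)))
    declared = struct.unpack_from("<I", data, SIZE_OFFSET)[0]
    if declared != len(data):
        raise ValueError("header says %#x bytes, file is %#x" % (declared, len(data)))
    pos = data.find(old, HEADER_LEN, len(data) - 2)
    if pos < 0:
        raise ValueError("string not found in body")
    if data.find(old, pos + 1, len(data) - 2) >= 0:
        raise ValueError("string occurs more than once; pass more surrounding bytes")
    return seal(data[:pos] + new + data[pos + len(old):], fn)


def build_sample():
    """Constructed stand-in for UC050DAT.USA with the header words from the thread."""
    body = b"\x22\x01" + b"CONSTRUCTED WARNING TEXT\0" + b"\0" * 30
    size = HEADER_LEN + len(body) + 2
    hdr = struct.pack("<4s4s8s4s4sIII", MAGIC, b"\x73\x00\x00\x02", b"UC050DAT",
                      b"\0" * 4, b"USA\0", size, 0x40, 0x74B0)
    hdr += b"\xaa" * (HEADER_LEN - len(hdr))
    return seal(hdr + body + b"\0\0")


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:      # patch.py FILE OLD NEW  -> writes FILE.patched
        data = open(sys.argv[1], "rb").read()
        out = patch_string(data, sys.argv[2].encode(), sys.argv[3].encode())
        open(sys.argv[1] + ".patched", "wb").write(out)
    else:
        out = patch_string(build_sample(), b"WARNING", b"welcome")
        print("sealed:", verify(out), "trailer:", out[-2:].hex())
```

The checks are the ones that bite in practice: a length change silently invalidates the size field and anything offset-based after the edit, a string that appears twice (the same message in two menus) gets patched in the wrong place, and a trailer that no longer matches is exactly the "update is corrupt" loop described earlier in the thread.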

You can reflash modified files onto the unit using just a CD-R and the service menu; I can post details about this if anyone's curious.

 

I'm curious, how's it done?

 

I looked at the source listing, but I don't know assembly.

Each section ends in a jmp rXX where the XX is some number. Any idea what the rXX addresses are? I couldn't find any sections labeled with the rXX scheme.

 

I'm curious what would happen if the function is just filled with NOP so it executes, does nothing, and returns nothing.
