Jump to content


Photo

Condi's HACKMODE v2.2 - AUTOINSTALL! working also with F40BT, X940BT etc! [updated: 27.09.2012]


  • Please log in to reply
1052 replies to this topic

#1 condiczek

condiczek

    Member

  • Members
  • 160 posts

Posted 25 April 2011 - 11:08 AM

Pioneer AVIC HACKMODE by Condi

IMPORTANT! FOR NOW WE STILL CAN'T USE OUR UNITS GPS WITH OTHER SOFTWARE!
WE CAN RUN THE SOFTWARE LIKE TOMTOM, GARMIN, IGO ETC.,
BUT GPS IS NOT WORKING (NO SIGNAL, GPS PORT BUSY..).
WE ARE TRYING TO FIGURE IT OUT TO GET IT WORKING..

---------------------------------------------------------------------------------------------------------
V2.0 HAS BEEN RELEASED! THX TO PIONARA FOR FINDING GREAT NEW POSSIBILITIES,
SOLUTION FOR DECODING/ENCODING TESTMODE WE'VE GOT NOW

AUTOINSTALLING HACKMODE!

http://www.youtube.com/watch?v=R2jajXM-3gw

COMPATIBLE WITH F40BT, X940BT, Z140BT ETC.!

JUST UNPACK HACKMODE TO SDCARD, PUT INTO DEVICE
WAIT AND VOILA!

IMPORTANT - SINCE WE'VE GOT LIMITED KNOWLEDGE ABOUT ALL THE COMMANDS
AND ITS SYNTAX IN PIONEER SCRIPTING - V2.0 WILL WORK ONLYIF YOU HAVE PRG0
AND PRG1 FOLDERS, FOR NOW THERE IS NO SCRIPT-CHECK FOR THAT.

----------------------------------------------------------------------------------------


Finally we've got access to new Pioneer units!
After many tries, many scripts, I think that
its proper state to be released.

SO FAR CONFIRMED TO WORK ON:
  • F30BT (tested by me Posted Image )
  • X920BT (thanks to Krms!)
  • X930BT (thanks to Ralpharn!)
  • Z110BT with Z120BT firmware (thanks to PatrickFernandes!)
  • F920BT (thanks to Tudor Z!)
  • F20BT (thanks to wikke!)
  • Z130BT (thanks to uglyb0b!)


    ...
!!!!!
I'm not responsible of any damage/brick,
so all of this you are doing at your own risk.
Its working on my unit perfectly,
but its not 100% sure that it will work on yours!

FOR EDUCATIONAL PURPOSES ONLY!
THERE IS NONE OF PIONEER SOFTWARE INCLUDED,
THIS 'HACK' IS MADE WITH FREE SOFTWARE,
= NO COPYRIGHTS ARE BROKEN!
!!!!!

On the new units standard testmode with windows explorer
is not working. Funny is, that on the newer units
there is no even explorer.exe!
Fortunately we've got GGS1080 with TESTMODE.KEY,
which is working on F30BT, and other units also, I think.
But plain Pioneers Service Mode is not handy and 'usable' for us.
To hack Pioneer device I used Pioneers 'service mode'.

OK, so everything what we will need is in the attachment.
Below are detailed instructions, but in few words
we need to delete Av.exe, and copy hackfiles to its place.


INSTRUCTIONS:

HowTo backup/use Pioneer UI - Video by JasonH!

pts. 1-9 = BACKUP:
  • download the archive, unpack it to root of your 'SD',
  • instert SD to your AVIC, Pioneer Service Mode will appear,


    **navigating in service mode is little confusing, you've got to get use to the interface,
  • move down and enter FILE MAINTENANCE,
  • go to USER, select COPY on the menu,
  • move up, and go to SD,
  • select PASTE on the menu,
  • once it finish - BACKUP IS DONE.
  • now hold EJECT button for 5s to get to sd card, take it and connect to pc,
  • copy USER directory somewhere safe on your computer and delete it from SD,
  • insert again SD to AVIC, go to 'USER/PRG0/Apl' and delete Av.exe file,


    **you've got to delete it first, because service mode will not overwrite files!,
  • go to 'SD/CONDIHACK', select ALL on the menu, and select COPY,
  • go to 'USER/PRG0/Apl' and select PASTE on the menu,
  • get out from FILE MAINTENANCE (home button),
  • reset - turn off and on the unit - enter again service mode,


    **afaik its good to boot it again to service mode, I had few times problems with copied files - once they just disappeared after rebooting directly to system,
  • go to FILE MAINTENANCE, 'SD', and delete TESTMODE.KEY,
  • reboot unit, and done Posted Image you can now delete CONDIHACK directory from SD!
To get into HACKMODE you need to have HACKMODE.KEY file on root of your SD.
HACKMODE.KEY is empty/dummy file to easy operate between hack/normal mode.
When Pioneer is booting it will search for HACKMODE.KEY file.
If the HACKMODE.KEY file is on root of SD - it will boot hacked, to file manager.
If the HACKMODE.KEY is deleted/renamed - it will boot to normal/stock Pioneer software.

Also if you have already turned ON AVIC (and for example car engine ON also),
then you can easly jump into HACKMODE - just insert SD with the file,
AVIC is scanning SD every 15s, when it will notice SD with the file,
it will quickly reset and after few seconds you will be in HACKMODE!
Its handy, you dont have to turn off the engine! Posted Image

And one more thing - you can easly jump out from HACKMODE,
just by closing file manager! After close it will run standard Pioneer software
(also it will not scan for the key in every 15s! after restart it will be back).


Thats all for now. I wanted to give you nice mortscript menu,
but it just doesn't working. Many of commands doesn't work.
It was very hard to get everything working, the devil is in the details!
But after many hours of bricking and unbricking my device, here it is - the HACKMODE Posted Image

Thanks guys for all 'good luck' words Posted Image If you have any questions then just ask.
HACKMODE was checked only on my device, so please be careful in any actions,
Please check if it works with other models!


NOTE FOR UPGRADED FW UNITS:
If you've got upgraded from lower model unit,
like Z110BT to Z120BT, and hackmode
is not working correctly (cant run normal mode),
then probably you've got only PRG0 with new version
of firmware, but PRG1 is with old version!
You will have to:
  • make another copy of your backup PRG0 directory,
  • rename unmodified copy of PRG0 to PRG1,
  • delete PRG1 from the avic,
  • copy prepared PRG1 to avic (should be with same content as PRG0),
  • install HACKMODE normally like in instructions above the note!
Oh and one more thing - please dont get me wrong, I share it free for all,
but if you want to buy me a beer, then I will drink for you Posted Image
And as abb1 wrote on his topic - any donations will be greatly
appreciated, but they are by no means mandatory! 'buy me a beer' via paypal


DOWNLOAD: attachment below
PASSWORD: avic411


CHANGELOG:
[28.09.2012]
v2.21:
- small bugfix/typo in script for USB

[27.09.2012]
v2.2:
- compatible with SD and now USB also,
- additional check if the hackmode is on the device already,
to not to get two copies on one device ;) (prg0+prg1).

[27.09.2012]
v.2.1

[24.09.2012]
v.2.0 AUTOINSTALL!

- installer now check which PRG0/1 is in use, and install in correct path.
- bugfixes, no more 'red screen' because of odd syntax of pio's script ;)

[13.06.2011]
v.1.4 BASE - INSTALL VIA TESTMODE:
  • added (modified) working DiskRW utility,
  • added (modified) working GpsGate tool - shortcut on desktop (GPS IS STILL NOT WORKING!),
  • added (modified) working RegEditor - finally we can import .reg files via mortscript!


    (example: Run("\NAND\PRG0\Apl\HACKMODE\Regedit.exe", "-s /SDMMC/your-regfile.reg"),
  • .reg files are now associated with new RegEditor! just double-click on .reg file to import!
  • added TextFiller tool (in CONDITOOLS directory),


    we don't have keyboard - script will automatically
    type your text to desired textfield in 10s - edit TextFiller.mscr!,
  • added utilities to mount/unmount 3 partitions od Disk1 (Part00 = ?, Part01 = NAND, Part02 = NAND2)


    (credits goes to RubinX [cinus] - thx!) - found that app, can be useful,
    i've just adapted it to our avic's and made modified copies for oher two partitions,
  • added some simple, nice wince wallpaper
  • added some (modified) dll's to above apps,
  • and some other i don't remember
[20.05.2011]

v.1.3 BASE - INSTALL VIA TESTMODE:
  • moved HACKMODE back from HMIManager.exe to Av.exe,
  • moved addon apps to seperate directory ('NAND/PRG0/Apl/HACKMODE')
  • added (modified) working SirfTech utility,
  • added (modified) working Task Manager with process killing feature,
  • changed the way to enter hackmode - now you can choose between normal/hackmode on boot,
  • added some (modified) dll's to above apps,
  • and some other i don't remember!
[20.05.2011]

v.1.3 UPDATE FROM v1.2:
Changes via AUTOUPDATE!
  • moved addon apps to seperate directory ('NAND/PRG0/Apl/HACKMODE')
  • added (modified) working SirfTech utility,
  • added (modified) working Task Manager with process killing feature,
  • changed the way to enter hackmode
  • now you can choose between normal/hackmode on boot Posted Image,
  • added some (modified) dll's to above apps,
  • and some other i don't remember!
[08.05.2011]

v.1.2 UPDATE FROM v1.1:
Changes via AUTOUPDATE!
!!!!!!!!!! WHEN UPDATING DEVICE WILL REBOOT 5/6 TIMES !!!
!!!!!!!!!! KEEP ON WAITING (FIRST REBOOT ~38s, LAST ~25s) !!!
  • moved HACKMODE from Av.exe to HMIManager.exe


    (propably main exe of Pioneer software),
  • added empty directory on desktop with name of HACKMODE VERSION,


    (will use it on future updates for 'version check')
[08.05.2011]

v.1.1 UPDATE FROM v1.0:
Small change - via AUTOUPDATE!
  • replaced FileManCE app with other one, more usefull


    (works copy/paste, all files are visible).
    FIRST INSTALL v1.0 via standard method,
    then copy CONDIUPDATE to root of your SD/USB,
    insert it to device, it will run and reboot 'blink' three times, and done!
[08.05.2011]

v1.0:
  • Works with both SD and USB! just connect hdd or pendrive


    with HACKMODE.KEY and enter HACKMODE like before!
  • AUTOUPDATE feature - no more deleting Av.mscr


    via inconvenient Pioneer Service Mode.
    When new version will be released, you will just copy
    'CONDIUPDATE' directory to root of SD/USB, insert it,
    and it will automatically update the HACKMODE!!
    FROM NOW ON I WILL RELEASE SMALL PATCHES/UPDATES to this version!
[06.05.2011]

v0.2:
with windows ce explorer! of course not everything works,
but we've got desktop, shortcuts with FileMan and Restart,
its getting more and more handy!
another small step to achieve the target!! Posted Image

[04.04.2011]
added alternative version with filemance instead of total commander!
the only difference is other file manager! - in attachment.
To change from other version just delete Av.mscr and cecmd.exe,
then copy new Av.mscr and FileManCE directory to /PRG0/Apl/.
(special for users who had an issue with rebooting device with total commander!)


Demo movie on youtube, sorry for bad quality, sunny day here Posted Image
I show iGO8 software running, keep in mind that gps port is locked for now,
(I will take a look at this), HACKMODE is entrance to further developing Posted Image


Done List:
  • HACKMODE access,
  • Windows Explorer (not fully working..),
  • autorun when SD inserted (scanning for HACKMODE every 15s),
  • USB HACKMODE (SD&USB both working now),
  • AutoUpdate - all future updates autoinstall with small patches,
  • better File Manager with working copy/paste,
  • Registry Backup Tool (in this post),


    ...
ToDo List:
  • get working GPS signal/port,
  • fully working Windows CE,
  • version info of HACKMODE in windows,
  • crack/modify wince img - EU090PLT.PRG?,
  • crack/modify EU090BOT.PRG - to pass modified wince img EU090PLT.PRG? (maybe not needed),
  • in-script check for fw updated units (PRG.FLG related),
  • internet browsing via bluetooth from mobile? with Internet Explorer?,
  • usb mouse (and propably keyboard) are working - enable mouse pointer?,
  • change ShellFolders - Desktop directory to NAND, to get permanent not-erasing on every reboot desktop? (need registry/EU090PLT.PRG hack..),
  • run emulated image of our devices on PC,
  • integrate different GPS software instead of stock pioneer into the system, it should work with standard Player, Bluetooth etc,
  • connect usb 3G/GPRS modem to use independent internet access, to load traffic info (for GPS software, that support it).


    ...any suggestions?
br

condi

Attached Files



#2 Krms

Krms
  • Members
  • 11 posts

Posted 25 April 2011 - 01:51 PM

Well done Condiczek.

How did you get explorer to boot? Can you attach the files and steps please.

#3 VBLUE42

VBLUE42

    Established Member

  • Moderators
  • 8,746 posts
  • LocationMS

Posted 25 April 2011 - 04:12 PM

Well, I have to say that out of all the promising attempts I have seen over the last three years with this series of unit, this is certainly the most promising. Lets just see where this goes however. Good luck to you condiczek.

2010 SCION TC, iPhone 5, SPH-DA100 APPRADIO 2, APPRADIO EXTENSIONS, ROCKFORD FOSGATE 3SIXTY.2 PROCESSOR, POLK DXI 6500 COMPONENTS IN FRONT, JL AUDIO SEALED POWER WEDGE 12" SUB, SMITH & WESSON.


#4 condiczek

condiczek

    Member

  • Members
  • 160 posts

Posted 25 April 2011 - 07:20 PM

Thanks guys, its nice to hear good words :)
I managed to run some apps, TCPMP player, iGO8, Mireo Cardinale, and other gps software works too. New mortscript is not working, like some other software also, i think because of lack of some libraries/dlls. Windows in this units is very 'handicaped', there is no explorer.exe, control panel cpl's are not running etc.
But thats not important, not a big thing. It will work :)
I will make some scripts which will run some custom software/menu if proper files will appear on sd/usb.

For now I must get rid of av going front after ~30s.
When everything will work as I want to, then of course I will release full solution :)

#5 JasonH

JasonH

    Administrator

  • Administrators
  • 1,776 posts

Posted 25 April 2011 - 07:58 PM

Wow, this is big news!

#6 Krms

Krms
  • Members
  • 11 posts

Posted 26 April 2011 - 01:48 PM

I have a X920BT. Let me know if you need a beta tester. :grin:

#7 VBLUE42

VBLUE42

    Established Member

  • Moderators
  • 8,746 posts
  • LocationMS

Posted 26 April 2011 - 03:43 PM

This topic is now stickied.

2010 SCION TC, iPhone 5, SPH-DA100 APPRADIO 2, APPRADIO EXTENSIONS, ROCKFORD FOSGATE 3SIXTY.2 PROCESSOR, POLK DXI 6500 COMPONENTS IN FRONT, JL AUDIO SEALED POWER WEDGE 12" SUB, SMITH & WESSON.


#8 condiczek

condiczek

    Member

  • Members
  • 160 posts

Posted 26 April 2011 - 08:27 PM

Current state:

I've made short script, which checks if on the card is empty file with 'condiczek.tmp' name,
if yes = runs file manager;
if no = runs official pioneer navi software - everything runs like stock :)


Thats why I can keep working on the hack, and also use my unit normally, on the drive :)

I've got few ideas how to bite it!
Keep your fingers crossed, I will post all the news.

PS. wait for some 'beta state', for now its not usable to enduser, ok... its usable for about 30s :D then AV process locks out, its on front, when I kill AV process - it 'hangs' - cant use touchscreen/app, when I push home/mode to get out from AV to filemanager - it hangs with black screen! But the music is still playing in background! haha :)

br
condi

#9 VBLUE42

VBLUE42

    Established Member

  • Moderators
  • 8,746 posts
  • LocationMS

Posted 27 April 2011 - 01:57 AM

There are a few folks that may be of some assistance to you that do a lot of hacks on the previous F series. They will also be very interested to learn of your accomplishments. You may be hearing from them soon

2010 SCION TC, iPhone 5, SPH-DA100 APPRADIO 2, APPRADIO EXTENSIONS, ROCKFORD FOSGATE 3SIXTY.2 PROCESSOR, POLK DXI 6500 COMPONENTS IN FRONT, JL AUDIO SEALED POWER WEDGE 12" SUB, SMITH & WESSON.


#10 abb1

abb1

    Established Member

  • Members
  • 1,606 posts
  • LocationSaskatchewan, Canada

Posted 27 April 2011 - 09:56 AM

This is amazing as the F30bt seems to be the european version of the Z120bt, so if we can get into the OS to mod it....... Wow, I am just thinking of the possibilities.
I am looking forward to hearing about this! Condiczek, if you can some how make a backup of your drive and upload it with 4-shared, I would love to look at the file structure and see what can all be modded! GREAT WORK!!

Main system in car---AVIC X950BT
 


#11 flash_the_hun

flash_the_hun
  • Members
  • 15 posts

Posted 27 April 2011 - 02:33 PM

Wow, great news, I would like to see IGO8 running on my F10BT, I only wonder if the speed signal and the gyro signal could be used too, like in the native navi software.
It would be also nice to have an own app which can control the volume depending on the speed.

I hope the base system is the same for F30/F20/F10, so we could use the same hack on all systems.
If you need a beta tester on a F10BT ( I'm running 2.003 Firmware, so basically it is a F20BT), PM me ;)

#12 condiczek

condiczek

    Member

  • Members
  • 160 posts

Posted 27 April 2011 - 09:06 PM

Hi guys,


Tomorrow I will backup my units files and post it here.
Today again - ten or more tries to get rid of that annoying AV app.
Its time to go further, tomorrow I will make some risky thing with Av.exe.
Wish me good luck, dont want to have expensive coffeecup stand :D :D

I would like to give final solution, 100% usable,
not only for limited 30s time.
Its my no.1 objective :)

PS. 10-18 in work, if I could have more free time... ;)


br
condi

---edit:
found some useful app for pc > "depends" - open .exe for wince, and check which libraries it needs :) tomorrow I will make tests also regarding dlls.

---edit2: !!! its working! without 30s limit! few more checks, and we've got full access to the unit :) today/tomorrow release.
---edit3: something messed up, wait till i fix it :/

#13 wikke

wikke
  • Members
  • 10 posts
  • LocationFinland

Posted 28 April 2011 - 03:22 PM

Hi friends,

I've finally found some free time.
I've got AVIC-F30BT which was currently unhackable.

I got it running file manager, where I can do whatever I want.
Copy, delete, run etc. :)

After some time AV application is popping up, but that's not a problem,
one short script and it will be terminated, or our app will go back to front ;)

Check out my video :)

br
condiczek


Yes!!! Finally some good news! I was already about to sell this whole piece of crap, F20BT unit. I wish you a good luck to go in to the windows and hopefully we can see the whole radio running with completely different software. Especially navigator... :-)

#14 abb1

abb1

    Established Member

  • Members
  • 1,606 posts
  • LocationSaskatchewan, Canada

Posted 28 April 2011 - 11:04 PM

Well, it doesn't look good :(, I extracted the files and there is no image file or nav file that I can find. The majority of the files in the APL folder are .dll files, nothing that is workable. Also, the size of the file is 66 mb, so there is no way that image files or map files ccan be found in there.
Condiczek, are there any other files or folders in an offset location?

Main system in car---AVIC X950BT
 


#15 kruuth

kruuth

    Member

  • Members
  • 146 posts

Posted 29 April 2011 - 02:48 PM

Well, it doesn't look good :(, I extracted the files and there is no image file or nav file that I can find. The majority of the files in the APL folder are .dll files, nothing that is workable. Also, the size of the file is 66 mb, so there is no way that image files or map files ccan be found in there.
Condiczek, are there any other files or folders in an offset location?


Condiczek, can you please elaborate a little more on the NAV system of this? Is it running an iGO flavor?

Abb, if it's running iGO there's some "tricks" that can be done to obscure a lot of the data and directories. It's a possibility that's what is happening.

**EDIT: There aren't any map files there. Condiczek, is it possible there's another hidden partition or something like that?






Recent blog entries on this topic

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users