condiczek Posted May 22, 2011 Author Report Share Posted May 22, 2011 Hey Condi! Had some problems updating from v1.1 to v1.3. To v1.2 I had to change HMIManager script with the above, because the unit constantly rebooted. After that the unit turns on very slow. It takes a couple of seconds for the buttons on the unit to light up, and then more time for the desktop (or stock software) to show, which is realy annoying. After updating to v1.3 the same reset loop occured. So I just went back to stock for now. Can you please post all the files that are changed on the unit, so I can do a direct to v1.3 hack from stock via testmode. I would also like to try running the hack off Av.exe, maybe that will speed things up a bit. You're right, even my unit had some problems, and it was about HMIManager.exe. Working now, got 1.3 on Av.exe. Changing all the updates etc.. --changed. added to first post. give me info if its ok. Still no GPS signal, but some curiosity - I managed to run TomTom on F30BT So when we get signal - we get iGO, TomTom, Garmin(?), oh yesss... Quote Link to post Share on other sites
Tudor Z Posted May 22, 2011 Report Share Posted May 22, 2011 --changed. added to first post. give me info if its ok. Base update 1.3 works. But you forgot about the "Pioneer Software" shortcut, it's still on HMIManager, so it doesn't do anything. Quote Link to post Share on other sites
Afoce707 Posted May 23, 2011 Report Share Posted May 23, 2011 Im a noob so bare with me please... A few weeks ago, my Avic x910bt got stuck in a reboot loop with the message saying "Fatal Error" From my researchon this site, Im thinking i just need to reinstall the firmware? I dont know what kind of firmware I already have, but if I use your method, will I be able to reinstall firmware 3.1 AND make it hacked? PS: does having 3.1 mean that I will have the newest maps, and other apps? Thank you Quote Link to post Share on other sites
VBLUE42 Posted May 23, 2011 Report Share Posted May 23, 2011 The X910 is a completely different unit and nothing in this thread applies to that unit. You need to view the topics pertaining to F and previous X units. Quote Link to post Share on other sites
Afoce707 Posted May 23, 2011 Report Share Posted May 23, 2011 The X910 is a completely different unit and nothing in this thread applies to that unit. You need to view the topics pertaining to F and previous X units. Got it, I'll look into it more. thanks! Quote Link to post Share on other sites
GG777 Posted May 23, 2011 Report Share Posted May 23, 2011 Hello any idea if this hackmode works on F500BT !!!!! Quote Link to post Share on other sites
Ralpharn Posted May 24, 2011 Report Share Posted May 24, 2011 Hello any idea if this hackmode works on F500BT ! You post it to wrong tread. This hack is NOT working for you. but use search, F500 hacked complitely, so you can do almost watever you want. Quote Link to post Share on other sites
VBLUE42 Posted May 24, 2011 Report Share Posted May 24, 2011 Hello any idea if this hackmode works on F500BT !!!!! No. Quote Link to post Share on other sites
vod Posted May 24, 2011 Report Share Posted May 24, 2011 I have a suggestion to ToDo list: connect usb 3G/GPRS modem to use independent internet access, to load traffic info (for GPS software, that support it). Quote Link to post Share on other sites
Ralpharn Posted May 24, 2011 Report Share Posted May 24, 2011 I am thinking about other way to break in to our devices. First- connect it via USB. we need to run UsbClientSwitch.exe first. This file sits in Windows folder and if we can run it we probably will be able to connect to our devices by straight USB-to-USB cable. But I can't start it. second option- previous Pioneer devices had Service mod, when only bootloader runs- it is made for repair Windows in case windows is not operational. To enter this mode they had to hold some buttons while switch device ON. It is pretty much as BIOS on PC. So... we can try "brute force" this key combination. if we find this service mode we can download firmware and start to play with EU090PLT.PRG (winCE image) Third option- in testmode on third screen we have "Program Forced Write" option and in service manual it says that it is designed to "Write / Read Fixed Data" but I am not sure that TestMode works without WinCE. Last option- Jtag. we have connector. Quote Link to post Share on other sites
condiczek Posted May 24, 2011 Author Report Share Posted May 24, 2011 I have a suggestion to ToDo list: connect usb 3G/GPRS modem to use independent internet access, to load traffic info (for GPS software, that support it). Added yes after we will get gps working, then it will be very handy thing. Like in Navigon in my android phone ! I am thinking about other way to break in to our devices. First- connect it via USB. we need to run UsbClientSwitch.exe first. This file sits in Windows folder and if we can run it we probably will be able to connect to our devices by straight USB-to-USB cable. But I can't start it. second option- previous Pioneer devices had Service mod, when only bootloader runs- it is made for repair Windows in case windows is not operational. To enter this mode they had to hold some buttons while switch device ON. It is pretty much as BIOS on PC. So... we can try "brute force" this key combination. if we find this service mode we can download firmware and start to play with EU090PLT.PRG (winCE image) Third option- in testmode on third screen we have "Program Forced Write" option and in service manual it says that it is designed to "Write / Read Fixed Data" but I am not sure that TestMode works without WinCE. Last option- Jtag. we have connector. 1) UsbClientSwitch.exe - you can just change between ActiveSync and Mass Storage mode. There is registry for usb, maybe it works already - you've got to check My unit is installed in car, and there is no indication that I will unmount it 2) I think that even if we delete EU090PLT.PRG - our winceimg, then it should not be totally bricked. Testmode should work. As far as Im concerned testmode is checked before PLT is loaded. Im ready to play with EU090PLT.PRG - test modified, test other etc. But there is one problem - PLT in F30BT doesnt have 'B000F' header of image.. And also dumprom/dumpromx gives us incomplete, corrupted files. I could test simply modified img, with added explorer.exe for example, but we need to figure out how to add some files without messing the image. 3) Yep, good thing to look into Im attaching working DiskRW, there is one problem to read data - we have to point OUTPUT directory, but: 1) virtual keyboard is not working, jotkbd.exe is not working properly, 2) browse [...] button is not working (propably because of not fully working explorer/windows/ceshell), So first we need to somehow give OUTPUT parameter, and then we can read/write image via DiskRW Also interesting thing - check INFO/My Device/DSK1/Partition Information! There is one NOT MOUNTED partition, maybe some pioneers secrets? Maybe some gps/audio/hw related things/apps? PS. Flugwerk wrote that usb mouse is working, anybody has usb keyboard to check with avic? DiskRW.zip Quote Link to post Share on other sites
PatrickFernandes Posted May 24, 2011 Report Share Posted May 24, 2011 Added yes after we will get gps working, then it will be very handy thing. Like in Navigon in my android phone ! 1) UsbClientSwitch.exe - you can just change between ActiveSync and Mass Storage mode. There is registry for usb, maybe it works already - you've got to check My unit is installed in car, and there is no indication that I will unmount it 2) I think that even if we delete EU090PLT.PRG - our winceimg, then it should not be totally bricked. Testmode should work. As far as Im concerned testmode is checked before PLT is loaded. Im ready to play with EU090PLT.PRG - test modified, test other etc. But there is one problem - PLT in F30BT doesnt have 'B000F' header of image.. And also dumprom/dumpromx gives us incomplete, corrupted files. I could test simply modified img, with added explorer.exe for example, but we need to figure out how to add some files without messing the image. 3) Yep, good thing to look into Im attaching working DiskRW, there is one problem to read data - we have to point OUTPUT directory, but: 1) virtual keyboard is not working, jotkbd.exe is not working properly, 2) browse [...] button is not working (propably because of not fully working explorer/windows/ceshell), So first we need to somehow give OUTPUT parameter, and then we can read/write image via DiskRW Also interesting thing - check INFO/My Device/DSK1/Partition Information! There is one NOT MOUNTED partition, maybe some pioneers secrets? Maybe some gps/audio/hw related things/apps? PS. Flugwerk wrote that usb mouse is working, anybody has usb keyboard to check with avic? i Try ms Desktop 3000 Wireless Mouse and Keyboard , the mouse works but the keyb is dead!! Ps: Work with no arrow! but click right click and move ok but no sow arrow!! i didnt try with a pure usb wired keyboard , and the virtual keyb not work too. i search into my emulator its have a drive and registry entry about Keyb while in Avic not, maybe add some reg entry could work! Quote Link to post Share on other sites
Ralpharn Posted May 26, 2011 Report Share Posted May 26, 2011 2) I think that even if we delete EU090PLT.PRG - our winceimg, then it should not be totally bricked. Testmode should work. As far as Im concerned testmode is checked before PLT is loaded...TestMode.exe - uses COREDLL.dll NStandardLib.dll NEventBaseLib.dll GraphicLib.dll NPCommonLib.dll ... So it is winCE programm. So if this archive is 'corupted' you will have brick with probability of 99.99% after reboot.Also TestMode.exe inside EU090PLT.PRG itself How to disassemble file EU090PLT.PRG First 0x200 bytes - header, CRC32 firmware and size. then 0xC0000 bytes - unknown area. After that imadge data starting from nb0 - you can use dumpromx to exstract or add files (do not forget -5 key for dumprom/dumpromx ) so... cut block from nb0, do whatever you need, put header back before nb0, change size and crc32 in the begining of EU090PLT.PRG, Then try to put it in AVIC, not upload - Use update feature - it will be last chance to let AVIC to check this modified file for consistensy. But it is realy risky. Very risky. As I said testmode inside this imadge, so if somethig went wrong it will brick device. Quote Link to post Share on other sites
PatrickFernandes Posted May 26, 2011 Report Share Posted May 26, 2011 TestMode.exe - uses COREDLL.dll NStandardLib.dll NEventBaseLib.dll GraphicLib.dll NPCommonLib.dll ... So it is winCE programm. So if this archive is 'corupted' you will have brick with probability of 99.99% after reboot. Also TestMode.exe inside EU090PLT.PRG itself How to disassemble file EU090PLT.PRG First 0x200 bytes - header, CRC32 firmware and size. then 0xC0000 bytes - unknown area. After that imadge data starting from nb0 - you can use dumpromx to exstract or add files (do not forget -5 key for dumprom/dumpromx ) so... cut block from nb0, do what we need, put header before nb0 back, change size and crc32 in the begining of EU090PLT.PRG, Then try to put it in AVIC, not upload - Use update feature - it will be last chance to let AVIC to check this modified file for consistensy. But it is realy risky. Very risky. As I said testmode inside this imadge, so if somethig went wrong it will brick device. I agree! but i wanna make a add-on i update my unit to z120 bt in the stock unit two folders pr0 and pr1 are the same i did the update , its change only pr0, the pr1 still with z110bt software, when i try firt hackmode by condi i cant boot to original av.exe because the hack mode call av.exe from pr1 since the pr0 is the hackmode it self! "MAYBE" if the image into pr0 could not acept, the avic will call the backup into pr1! there something about a PRG.FLG file into garrettoomey's Z its point to pr0 or pr1 ... but i can try this because in Brasil has no Pioneer Service to this unit! Quote Link to post Share on other sites
Ralpharn Posted May 26, 2011 Report Share Posted May 26, 2011 Interesting finding inside EU090BOT.PRG: U) UPDATE image from SD/MMC cardR) UPDATE Ready Guard OS image from SD/MMC card UPDATE logo from SD/MMC card D) DOWNLOAD image L) LAUNCH NAND FLASH image S) LAUNCH SD CARD image F) Low-level FORMAT Boot Media Enter your selection: Does it mean operator need to push button on keyboard?Also they have some words that refer to LAN conection, It would be great if we can conect unit to computer by LAN for updates. How to get to this menu on device? Quote Link to post Share on other sites
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.