AVIC411.com

Condi's HACKMODE v2.2 - AUTOINSTALL! working also with F40BT, X940BT etc! [updated: 27.09.2012]



Hey Condi! Had some problems updating from v1.1 to v1.3. To v1.2 I had to change HMIManager script with the above, because the unit constantly rebooted. After that the unit turns on very slowly. It takes a couple of seconds for the buttons on the unit to light up, and then more time for the desktop (or stock software) to show, which is really annoying. After updating to v1.3 the same reset loop occurred. So I just went back to stock for now. Can you please post all the files that are changed on the unit, so I can do a direct to v1.3 hack from stock via testmode. I would also like to try running the hack off Av.exe, maybe that will speed things up a bit.

You're right, even my unit had some problems, and it was about HMIManager.exe.

Working now, got 1.3 on Av.exe. Changing all the updates etc..

 

--Changed. Added to first post. Give me info if it's OK.

 

Still no GPS signal, but some curiosity - I managed to run TomTom on F30BT :)

So when we get signal - we get iGO, TomTom, Garmin(?), oh yesss... :)


I'm a noob so bear with me please...

 

A few weeks ago, my Avic x910bt got stuck in a reboot loop with the message saying "Fatal Error"

From my research on this site, I'm thinking I just need to reinstall the firmware?

I don't know what kind of firmware I already have, but if I use your method, will I be able to reinstall firmware 3.1 AND make it hacked?

 

PS: does having 3.1 mean that I will have the newest maps, and other apps?

 

Thank you


I am thinking about other ways to break into our devices.

First - connect it via USB. We need to run UsbClientSwitch.exe first. This file sits in the Windows folder and if we can run it we will probably be able to connect to our devices with a straight USB-to-USB cable. But I can't start it.

Second option - previous Pioneer devices had a Service mode, where only the bootloader runs - it is made for repairing Windows in case Windows is not operational. To enter this mode they had to hold some buttons while switching the device ON. It is pretty much like the BIOS on a PC. So... we can try to "brute force" this key combination. If we find this service mode we can download the firmware and start to play with EU090PLT.PRG (WinCE image).

Third option - in testmode on the third screen we have a "Program Forced Write" option, and the service manual says that it is designed to "Write / Read Fixed Data", but I am not sure that TestMode works without WinCE.

Last option - JTAG. We have the connector.


I have a suggestion for the ToDo list:

connect a USB 3G/GPRS modem to use independent internet access, to load traffic info (for GPS software that supports it).

Added :) Yes, after we get GPS working it will be a very handy thing. Like in Navigon on my Android phone :)!

 


1) UsbClientSwitch.exe - you can just change between ActiveSync and Mass Storage mode. There is registry for USB, maybe it works already - you've got to check ;) My unit is installed in the car, and there is no indication that I will unmount it ;)

2) I think that even if we delete EU090PLT.PRG - our winceimg, then it should not be totally bricked. Testmode should work. As far as I'm concerned testmode is checked before PLT is loaded. I'm ready to play with EU090PLT.PRG - test modified, test other etc. But there is one problem - PLT in F30BT doesn't have the 'B000F' header of image.. And also dumprom/dumpromx gives us incomplete, corrupted files. I could test a simply modified img, with added explorer.exe for example, but we need to figure out how to add some files without messing up the image.

3) Yep, good thing to look into :)

 

I'm attaching a working DiskRW; there is one problem with reading data - we have to point to an OUTPUT directory, but:

1) virtual keyboard is not working, jotkbd.exe is not working properly,

2) browse [...] button is not working (probably because of not fully working explorer/windows/ceshell),

 

So first we need to somehow give OUTPUT parameter, and then we can read/write image via DiskRW :)

Also interesting thing - check INFO/My Device/DSK1/Partition Information!

There is one NOT MOUNTED partition, maybe some Pioneer secrets? Maybe some GPS/audio/HW related things/apps?

 

PS. Flugwerk wrote that usb mouse is working, anybody has usb keyboard to check with avic?

DiskRW.zip


I tried an MS Desktop 3000 wireless mouse and keyboard; the mouse works but the keyboard is dead!! PS: It works with no arrow! Click, right click and move are OK, but it shows no arrow!!

I didn't try with a pure USB wired keyboard, and the virtual keyboard doesn't work either.

I searched in my emulator; it has a drive and registry entry about the keyboard while the AVIC does not, so maybe adding some registry entry could work!

2) I think that even if we delete EU090PLT.PRG - our winceimg, then it should not be totally bricked. Testmode should work. As far as I'm concerned testmode is checked before PLT is loaded...
TestMode.exe - uses COREDLL.dll NStandardLib.dll NEventBaseLib.dll GraphicLib.dll NPCommonLib.dll ... So it is a WinCE program. So if this archive is 'corrupted' you will have a brick with a probability of 99.99% after reboot.

Also TestMode.exe is inside EU090PLT.PRG itself <_<

 

How to disassemble file EU090PLT.PRG

First 0x200 bytes - header, CRC32 firmware and size.

then 0xC0000 bytes - unknown area.

After that, image data starting from nb0 - you can use dumpromx to extract or add files (do not forget the -5 key for dumprom/dumpromx)

So... cut the block from nb0, do whatever you need, put the header back before nb0, change the size and CRC32 in the beginning of EU090PLT.PRG,

Then try to put it in the AVIC, not upload - use the update feature - it will be the last chance to let the AVIC check this modified file for consistency.

But it is really risky. Very risky. As I said, testmode is inside this image, so if something goes wrong it will brick the device.

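The container layout described in the post above, as an added example that is not part of the original thread: a Python sketch that splits a PRG file at the stated boundaries (0x200-byte header, 0xC0000-byte unknown area, then image data) and searches the header for the size and CRC32 words. The post does not say where in the header those fields sit, which bytes the CRC32 covers, or the byte order, so the script tests each candidate instead of assuming; the sample file and its field offsets (0x10, 0x14) are constructed.

```python
import struct
import zlib

HEADER_LEN = 0x200     # from the post: header holding CRC32 and size
UNKNOWN_LEN = 0xC0000  # from the post: area of unknown purpose
IMAGE_OFF = HEADER_LEN + UNKNOWN_LEN  # image data (nb0) starts here

def split_prg(blob):
    """Split a PRG container into (header, unknown area, image)."""
    if len(blob) <= IMAGE_OFF:
        raise ValueError("too short for header + unknown area + image")
    return blob[:HEADER_LEN], blob[HEADER_LEN:IMAGE_OFF], blob[IMAGE_OFF:]

def find_u32(header, value):
    """4-byte-aligned header offsets storing value, in either byte order."""
    hits = []
    for off in range(0, len(header) - 3, 4):
        for fmt in ("<I", ">I"):
            if struct.unpack_from(fmt, header, off)[0] == value:
                hits.append((off, fmt))
    return hits

def locate_fields(blob):
    """Report where the header stores size and CRC32 of each candidate region."""
    header, unknown, image = split_prg(blob)
    regions = {"image": image, "unknown+image": unknown + image}
    return {name: {"size": find_u32(header, len(data)),
                   "crc32": find_u32(header, zlib.crc32(data) & 0xFFFFFFFF)}
            for name, data in regions.items()}

def build_sample():
    """Constructed container: size at 0x10, CRC32 at 0x14 (made-up offsets)."""
    image = bytes(range(256)) * 16
    header = bytearray(HEADER_LEN)
    struct.pack_into("<II", header, 0x10, len(image), zlib.crc32(image))
    return bytes(header) + bytes(UNKNOWN_LEN) + image

if __name__ == "__main__":
    sample = build_sample()
    print(locate_fields(sample))
    # Flip one image byte: the stored CRC32 no longer matches the image.
    damaged = sample[:-1] + bytes([sample[-1] ^ 0xFF])
    print(locate_fields(damaged)["image"]["crc32"])
```

Run against a stock file, an empty result for every candidate means the checksum covers some other range or uses another algorithm, and the size and CRC32 cannot be recomputed reliably from this layout alone. CRC32 only catches accidental corruption, so a match says nothing about whether a modified image will boot.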


I agree!

 

But I wanna make an add-on:

I updated my unit to z120 bt.

In the stock unit the two folders pr0 and pr1 are the same.

I did the update; it changed only pr0, and pr1 is still with the z110bt software. When I tried the first hackmode by Condi I couldn't boot to the original av.exe, because the hack mode calls av.exe from pr1 since pr0 is the hackmode itself!

"MAYBE" if the image in pr0 is not accepted, the AVIC will call the backup in pr1! There is something about a PRG.FLG file in garrettoomey's Z, it points to pr0 or pr1 ... but I can try this because in Brazil there is no Pioneer Service for this unit!


Interesting finding inside EU090BOT.PRG:

U) UPDATE image from SD/MMC card

R) UPDATE Ready Guard OS image from SD/MMC card

B) UPDATE logo from SD/MMC card

D) DOWNLOAD image

L) LAUNCH NAND FLASH image

S) LAUNCH SD CARD image

F) Low-level FORMAT Boot Media

Enter your selection:

Does it mean the operator needs to push a button on a keyboard?

Also they have some words that refer to a LAN connection. It would be great if we could connect the unit to a computer by LAN for updates. How to get to this menu on the device?
