Condi's HACKMODE v2.2 - AUTOINSTALL! working also with F40BT, X940BT etc! [updated: 27.09.2012]

[pionara]

Condi, you can use ERROR OFF in that script to prevent a red screen if removing a file that doesnt exist. (You can turn error off right before you do an operation that might fail, then turn it back on afterwards)

[Melvin v/d berg]

I'm sorry friend, no other ideas how to help you.. Check all the versions of testmode available in the internet,

check that 4shared collection, for our devices GGS1080 work, maybe other version will work for you!

 

 

All guys here are doing great job, we all are working to find the solution!

 

 

Everyone is welcome to help! All the work/research is appreciated

 

 

 

 

 

Im almost sure that gps port is com7!

GREAT work friend We are getting closer day by day!

If there is no EU090BOT.PRG bootloader, then maybe after getting corrupted EU090PLT.PRG, or even deleted - it should still be repairable, maybe even testmode working?

We can still look into /NAND/PRG0/BOOT/EU090BOT.PRG

About your list of partition content - .bin files are repeated, doubled, because of PRG0 and second PRG1 copy. One set of RGD+PLT+OPN in PRG0, and another one in PRG1. To get windows in full working condition we need to replace system resources, the most important is coredll.dll, commctrl.dll etc.

 

coredll.dll is in RGD part.

I've got another idea how to get fully working gps/audio etc.

RGD contains: AstProc.exe, nk.exe, coredll.dll, ceconfig.h and snapshot_secureos.dat.

We need to replace coredll.dll, and maybe edit ceconfig.h to get full working windows ce, and..

 

the main idea - make copy of AstProc.exe as AstProc1.exe, replace AstProc.exe with mortscript with some condition - for example: if hackmode.key exists on sd - then run explorer, else run AstProc1.exe. Similar as now with hackmode. We should take a look into AstProc.exe - maybe some IDA Pro analyze etc.

 

I will upload complete dumped AstProc.exe and NEventWatcher.exe (not corrupted/shortened like from dumpromx.exe) later, but now my sdcard-reader isnt working.

 

---edit:

attached interesting not corrupted - complete rom files like: coredll.dll (which is limited in our wince), NEventWatcher.exe, TestMode.exe, and device dlls NP....dll, NPCommonLib.dll, NEventBaseLib.dll etc.

 

It is an old quote but could anyone help me with dumping these files.

These files aren't corrupted from the post above but I can't find a way to dump the content of eu090plt on my pc.

Tried dumprom,dumpromx and with parameters -5. Always corrupted..

 

Condi,

Could you tell me how you dumped the files without corrupting them?

[condiczek]

Condi, you can use ERROR OFF in that script to prevent a red screen if removing a file that doesnt exist. (You can turn error off right before you do an operation that might fail, then turn it back on afterwards)

Great! Gonna use it in next version Thanks friend! I was thinking how to make some check if file exists (EXIST?),

that solution will be just great.

I will put some checks if currently used apl is from PRG0 or PRG1.

I next ver

 

It is an old quote but could anyone help me with dumping these files.

These files aren't corrupted from the post above but I can't find a way to dump the content of eu090plt on my pc.

Tried dumprom,dumpromx and with parameters -5. Always corrupted..

 

Condi,

Could you tell me how you dumped the files without corrupting them?

Hmm... yes, it was looooooooooooong time ago. I had some windows ce app,

which was dumping files on running system.

Because of lack of virtual keyboard as far as I remember I've made a script which after few seconds wrote filename to that app.

Got to search for that things on my hdd, i'm almost sure that I have them somewhere

[pionara]

Melvin,

see here:

http://avic411.com/i...-platform-file/

 

You can dump newer roms with:

dumpromx.exe -5 -i 0x200 -d romdump EU090PLT.PRG

I dont know if the files are corrupted or not. they seem to disassemble in ida ok?

 

Condi, was that NDump?

[Melvin v/d berg]

pionara,

 

true they dissamble in ida but are definitely corrupted.

They don't run in the emulator.

Also if you compare the dumpromx vs the one from condi you see a difference.

Dumpromx adds a lot off zeros (ASCII) to some sections and some bits are different at the PE header.

 

Condi,

Would be great if you can find the script or just remember the windows ce app.

I can code something to copy every file from the windows dir then.

 

Would be great if I can run testmode on an emulator. Missing some important dll's now.

[jazapata]

Sorry but I dont understand if this Scrip work with AVIC-Z140BH??? Thanks,

[condiczek]

the script was made to fill forms in romextractor app.

you have to prepare it with your dll names, and select correct field after message,

then click dump.

 

 

----edit

got hackmode v2.1 ready. with prg0/1 check - it installs on currently used apl - especially for upgraded units

i have to test it anybody wants betatest?

hackmode_WRITER.zip

[Melvin v/d berg]

Thank you Condi!! Got Testmode almost working in the emulator.

Testmode needed a LOT dll's. Took some time in the car with my sd card.

Now the problem is that testmode want's to communicate with some data port.

When I start testmode nothing happens. The following exception comes up in the debug console.

I think testmode could start now on a real win ce 5.0 device. Trying some more things tommorrow.

 

And one thing: I can see enough network things in testmode. IP, TCP etc. So an network card on the AVIC is possible.

Maybe pioneer uses bluetooth to access the AVIC?

romfiles.zip

[condiczek]

goooood every progress is priceless

 

v2.1 released

[pionara]

Melvin,

I think it wants to communicate with uCom (Via some libs) which is needed for UI events, hw buttons, etc. There is also bluetooth, and then some nand/rom stuff.

 

Also it wasnt clear to me how testmode is passed the string from decoded testmode.key. I wonder if that is an ascii string option passed from SysCtrl lib...

 

yes, I saw lots of functions and classes in various libs for network, http, etc. Not sure how they could do it (like you said maybe bluetooth?).

 

They (pioneer or whoever they contracted develop) have to have some device emulator in order to test on, so there must be some way.

[pionara]

Nice work Condi.. I think I will try to install tonight after work.

 

Question, does the "enter hackmode" prompt at startup automatically timeout (i.e., default to NO) after some time?

 

 

Condi,

I noticed it did not install on my unit, but that was because I used USB stick instead of SD card.

Maybe you can put in alternate script for USB users, so they can use that version. Unfortunately until we can figure out how compare/exist or any basic conditional logic works in this script language, it would have to be a pre-requisite manual step (for the user to choose to use USB version of ScriptExec.ini)

[Jfinley0]

Hi Guys:

I did the Condi hack 2.0 and did not have any problems. Then I installed the Hack 2.1 and while I can get into the Condi Hack the HU locked up when I exit Condi Hack.. It just hangs at the start up. Unfortunately I did not make a backup because I could not find the user file/folder.

Can anyone help me for the next step?

Thanks all,

Jimbo

[pionara]

Condi,

I wonder if there is a problem with the autoinstaller script. What I mean is, if somebody installs two times, what happens to the original AV.EXE.

First time, av.exe (real) is backed up to av1.exe. Av.exe is replaced w/ mortscript exe.

Then what happens if somebody tries to do a second install? Will it overwrite av1.exe (real) with mortscript (av.exe)?

 

Unfortunately, I dont know how to do any checks/tests yet from this scripting mode. One possible workaround is to always attempt to copy av1.exe to av.exe first. If it's a new install, that should fail - av1.exe should not exist, and av.exe should be real. If av1.exe is real, and av.exe is mortscript, then it should restore av.exe, just so you can proceed with original way and be sure you are copying the real av.exe. (This would need to be tested to make sure if av1.exe does not exist, a copy would not touch av.exe)

[condiczek]

Nice work Condi.. I think I will try to install tonight after work.

 

Question, does the "enter hackmode" prompt at startup automatically timeout (i.e., default to NO) after some time?

 

 

Condi,

I noticed it did not install on my unit, but that was because I used USB stick instead of SD card.

Maybe you can put in alternate script for USB users, so they can use that version. Unfortunately until we can figure out how compare/exist or any basic conditional logic works in this script language, it would have to be a pre-requisite manual step (for the user to choose to use USB version of ScriptExec.ini)

thanks yep USB - i've got already updated .ini to work with usb also!

all .mscr's are ready for both sd and usb, but I forgot about scriptexec

its in one .ini, no need two seperate

 

Hi Guys:

I did the Condi hack 2.0 and did not have any problems. Then I installed the Hack 2.1 and while I can get into the Condi Hack the HU locked up when I exit Condi Hack.. It just hangs at the start up. Unfortunately I did not make a backup because I could not find the user file/folder.

Can anyone help me for the next step?

Thanks all,

Jimbo

thats right, its because hackmode now uses the 'older prg' for hackmode,

and the 'newer/updated prg' for stock software.

now you have hackmode on prg0 and prg1

what fw version you had? which device? you can fix it by entering hackmode,

file manager, delete av.exe on NAND/PRG0/Apl/Av.exe and write there some original ~3mb Av.exe.

I need to make some additional checks before install

 

If you would have problems to replace Av.exe,

then I could make an automatic fix for you later

 

 

IF YOU HAVE V2.0 ALREADY ON DEVICE,

THEN THERE IS NO NEED TO INSTALL V2.1

[Sanik]

Please correct text messages in 2.0 version. Start message has a 1.4 version in label.