Condi's HACKMODE v2.2 - AUTOINSTALL! working also with F40BT, X940BT etc! [updated: 27.09.2012]

[PatrickFernandes]

Here's a link to my post with the contents of the CD provided by Pioneer:

 

http://avic411.com/index.php?/topic/26072-filesystem-access/page__view__findpost__p__199279

 

Thanks Man, i will try mess with this!!

[Bernd]

Pioneer Software shortcut simple runs original Av.exe from PRG1. Thats it.

Menus - load/save etc - its not working, its all related with explorer/windows - ...

When we will get working explorer/popup windows, then it will work in other software menus etc. ...

 

Condi

Thanks a lot for your explantions, that makes it much clearer to me!

Is softkeyboard on the same page or is it a different issue?

 

From your words I hear that you still see a chance to get explorer (and menus) working correctly! If I can be of any help for you, just a mention it!

So far your work helped me with my biggest concern regarding F30BT, the picture show works already with TCMP .

 

Thanks a lot and best regards

Bernd

 

PS: I have corrected the shortcut for Pioneer Software in the MSR-Script, works perfect!

[condiczek]

What's in the unmounted partition? It looks pretty big.

We dont know that.. Control Panel and their applets are not working, tried some modifications without success. Thats why we cant use Storage Manager to mount it. Second option - registry - automount, unhide it - but after reboot it will back to factory state..

 

Here's a link to my post with the contents of the CD provided by Pioneer:

 

http://avic411.com/index.php?/topic/26072-filesystem-access/page__view__findpost__p__199279

Thats a great thing! The key to success is ScriptExec.ini - if we could modify it to point other files than 7zip.dll to be replaced, then we could replace files in ROM safely! Without fear that .img is incorrectly modified etc! So the testmode will always popup and we could replace back to stock EU080PLT.PRG!

I will check if the script works on my F30bt later this day..

BTW aero_eng16: Veeeery good move with LGPL!!!

 

Condi

Thanks a lot for your explantions, that makes it much clearer to me!

Is softkeyboard on the same page or is it a different issue?

 

From your words I hear that you still see a chance to get explorer (and menus) working correctly! If I can be of any help for you, just a mention it!

So far your work helped me with my biggest concern regarding F30BT, the picture show works already with TCMP .

 

Thanks a lot and best regards

Bernd

 

PS: I have corrected the shortcut for Pioneer Software in the MSR-Script, works perfect!

 

Yes, everything can be done. We've got to figure out method of safely-replacing rom files

[kttii]

Does anyone have experience with emulators? I tried a few with my EU090PLT.PRG (even removed the first 200 bytes to make it a .BIN and even tried to convert it to .nb0) with no luck... but I dont have any experience with emulators.

 

I tried googling, but how do I confirm the z120bt is running WinCE 5? Is the system ARMv4i? How do I confirm these things in order to find the right emulator? I think if we can get an emulator working, then we will be able to verify modded bins before putting them on our system.

[kttii]

BTW, you can viewbin on EU090RGD.PRG after deleting the first 199 bytes:

 

D:\>viewbin.exe -t EU090RGD.bin
ViewBin... EU090RGD.bin
Image Start = 0x9BD00000, length = 0x000B3000
               Start address = 0x9BD01000
Checking record #8 for potential TOC (ROMOFFSET = 0x00000000)
Found pTOC  = 0x9bd7fa2c
ROMOFFSET = 0x00000000

ROMHDR ----------------------------------------
   DLL First           : 0x01FF01FF
   DLL Last            : 0x02000000
   Physical First      : 0x9BD00000
   Physical Last       : 0x9BDB3000
   RAM Start           : 0x9BE00000
   RAM Free            : 0x9BE16000
   RAM End             : 0x9BF80000
   Kernel flags        : 0x00000002
   Prof Symbol Offset  : 0x00000000
   Num Copy Entries    :          1
   Copy Entries Offset : 0x9BD60FE8
   Num Modules         :          3
   Num Files           :          2
   MiscFlags           : 0x00000002
   CPU                 :     0x01c2 (Thumb)
   Extensions          : 0x9BD03950

ROMHDR Extensions -----------------------------
   PID[0] = 0x00000000
   PID[1] = 0x00000000
   PID[2] = 0x00000000
   PID[3] = 0x00000000
   PID[4] = 0x00000000
   PID[5] = 0x00000000
   PID[6] = 0x00000000
   PID[7] = 0x00000000
   PID[8] = 0x00000000
   PID[9] = 0x00000000
   Next: 00000000

COPY Sections ---------------------------------
   Src: 0x9BD5C20C   Dest: 0x9BE06000   CLen: 0xC91      DLen: 0xEE0C

MODULES ---------------------------------------
   11/05/2009  05:26:49      400896  nk.exe
   10/23/2009  08:17:40      142336  coredll.dll
   11/05/2009  05:26:36        4608  AstProc.exe

FILES ----------------------------------------
    10/23/2009  07:57:13  C_R_        264        521                ceconfig.h (ROM 0x9BD7F924)
    11/05/2009  05:29:17  _HRS          0     196608     snapshot_secureos.dat (ROM 0x9BD83000)
Done.

 

cvrtbin and dumprom work on it.

 

 

I can not get viewbin to work on EU090BOT.PRG even if I remove the first 199 bytes because it doesnt have B000FF, I tried adding B000FF too.

[condiczek]

Does anyone have experience with emulators? I tried a few with my EU090PLT.PRG (even removed the first 200 bytes to make it a .BIN and even tried to convert it to .nb0) with no luck... but I dont have any experience with emulators.

 

I tried googling, but how do I confirm the z120bt is running WinCE 5? Is the system ARMv4i? How do I confirm these things in order to find the right emulator? I think if we can get an emulator working, then we will be able to verify modded bins before putting them on our system.

 

Try to run attached process manager and there will be system info about your device.

CEProcessV.zip

[condiczek]

I've tested 7zip replacer - conclusions:

• TESTMODE.KEY file is different then the one we use to get pioneers service mode!,
  
• there are more than one different TESTMODE.KEY files which runs other service functions,
  
• our old TESTMODE.KEY runs service mode with many options to use, the TESTMODE.KEY from aero_eng16 runs pioneers file replacer module - on green background,
  
• the key to success is ScriptExec.ini and also correct TESTMODE.KEY!
  

 

Our target:

• modify ScriptExec.ini to replace other file than 7zip.dll!
  

[kttii]

Try to run attached process manager and there will be system info about your device.

 

Ah, Thank you! I will try that when I am able.

 

My truck is in the shop for a week or so!

[kttii]

I've tested 7zip replacer - conclusions:

• TESTMODE.KEY file is different then the one we use to get pioneers service mode!,
  
• there are more than one different TESTMODE.KEY files which runs other service functions,
  
• our old TESTMODE.KEY runs service mode with many options to use, the TESTMODE.KEY from aero_eng16 runs pioneers file replacer module - on green background,
  
• the key to success is ScriptExec.ini and also correct TESTMODE.KEY!
  

 

Our target:

• modify ScriptExec.ini to replace other file than 7zip.dll!
  

 

I dont know if this matters but I haven't been using the TESTMODE.KEY you provided or any other file lately. I just hold the Mode button and press left right a bunch of times (suppoed to be 3 times but I got into a reboot loop and frantically hit left right now to get in ) till the device reboots.

[condiczek]

I dont know if this matters but I haven't been using the TESTMODE.KEY you provided or any other file lately. I just hold the Mode button and press left right a bunch of times (suppoed to be 3 times but I got into a reboot loop and frantically hit left right now to get in ) till the device reboots.

 

On your device you can do this combination of keys, its the same entrance to testmode But your keypress combination will not work to get into pioneer-file-replacer provided by aero_eng16

But on my f30bt and other devices also this key combination doesnt work

 

PS. In readme file of 7zip-replacer there is one sentence at the end:

"Do not rewrite or falsify any files other than 7z.dll."

This means that we definitely can replace other files!

[condiczek]

In manual of rewriting 7zip we read:

"7z.dll" MUST be used as the file name for the edited 7zip library.

Other file names will not be written into the product."

 

So the script is written only to get 7z.dll.

Another idea - we need to know how to modify ScriptExec.ini..

Anybody knows how to get plain text from it? How to decode/decompile it and complie again?

Maybe there is some trick to decode data via bruteforce

- we know that it should contain '7z.dll' phrase in it after decrypted... ??

 

Something like that?

http://en.wikipedia.org/wiki/Known-plaintext_attack

[Ralpharn]

Some secret/hidden things? Or some useless things haha

on F900Bt they have same looking "unmounted" partition and it contains serial number (with region and model in it) welcome screens, and even windows folder! so.. I think it is very important to read and dump this hidden thing, what software can mount partition after windows bootup has finished?

 

Is it possible to modify DiscRW program to have default pass to save files to our external media?

[condiczek]

on F900Bt they have same looking "unmounted" partition and it contains serial number (with region and model in it) welcome screens, and even windows folder! so.. I think it is very important to read and dump this hidden thing, what software can mount partition after windows bootup has finished?

 

Is it possible to modify DiscRW program to have default pass to save files to our external media?

 

I thought the same about default path for saving! I searched for maybe some additional parameters for that app, but its not working. Tried also adding keyboard driver, sip, jotkbd, eurokbd, but none of them worked. Present keyboard driver is working, but only for such keys as: enter, esc, etc. No letters/numbers. Another way to get that data is to get working Storage Manager from control panel. How did you get content of the partition - windows/screens etc?

 

I'm working now on running newest GpsGate, it wasn't starting, now I'm on the right track!

 

---edit:

Still no free gps port.. but.. after maaaany hours I've got working newest version of GpsGate - two versions:

GpsGateWINCE.arm.CAB and GpsGatePPC.ARM.CAB. It was very hard, because:

• we cant install .cab's (im working on it..)
  
• we cant normally run GpsGate.exe (dlls etc. - had to modify a lot of them..)
  
• we cant run GpsGate without proper registry (error 340), too many entries to write it manually in mortscript, also we couldnt import .reg files - until now! I can successfully import .reg at last very handy for future modifications.
  

 

For now it will not give us working gps - which is propably on com4 or com7(propably that). Few ports are still busy. Busy already after system boot.

From now I think I can get .net framework installed, and try ShortFuse gps utility.

The most important thing for now is also to get to Storage Manager/Control Panel, mount hidden partition and explore it.

 

---edit2:

I've got some script which will type automatically output-path in DiskRW to read/write rom! Will test it tomorrow! Good night!

[gtsdohcvvtli]

Can somebody get me a copy of the original AVIC-X920BT XM files . I completely forgot to back mine up. Thank You!

[tasdemır]

x920bt

 

1. I want to set up the map of europe

2. I want to set up Turkish language

3. radou the frequency

of the united 90.1 90.3 90.5

Europe 90.1 90.2 90.3 90.4 90.5 I want to do

please help I do not know how to do it