Sanik Posted May 1, 2013 Report Share Posted May 1, 2013 Now, we have firmware for 850/950 series. http://www.pioneer.eu/files/support/AVIC-F50BT/AVIC-Fx50BT_Ver1.030000.zip Bad News: We need new testmode.key file. Testmode.key from 920-930-940 cannot work, other content and may be other encryption (?) Good News: We can decompile PLT file with Remaker_WinCE5 utility We can extract NEvenWatcher.exe and other (Navi.exe, Hmimanager.exe, Av.exe, Download.exe and new app AppManager.exe) form PLT We can decompile registry (in attach) default.rar Quote Link to post Share on other sites
Sanik Posted May 1, 2013 Author Report Share Posted May 1, 2013 Here I would like to discuss the overall achievements in the analysis of new devices, produced in 2013. I wrote a link to the firmware, the method for reverse engineering the firmware. I have attached the decompiled registry file. All this may help other researchers and will save them time. Quote Link to post Share on other sites
pionara Posted May 2, 2013 Report Share Posted May 2, 2013 Sanik, I'm a bit lazy to try to fire up my windows VM at the moment. Does anyone have a romdump of the new PLT somewhere, so i can start decompiling in IDA Quote Link to post Share on other sites
pionara Posted May 2, 2013 Report Share Posted May 2, 2013 NM. looks like "dumpromx.exe -5 -d dumpdir -i 0x200 EU130PLT.PRG" works ok Quote Link to post Share on other sites
pionara Posted May 2, 2013 Report Share Posted May 2, 2013 sizes in kB: total 53444 836 AIPI.dll 944 AplLib.dll 124 AppManager.exe 4336 Av.exe 136 BTAPI.dll 40 BTSourceFilter.dll 16 ClockSerial.dll 8 ComCommon.dll 2652 Communication.exe 52 DRF.dll 36 DTD.dll 612 DataUpdate.dll 440 DownLoad.exe 624 EBLib.dll 180 ENTRFSD.dll 160 ENTRUTL.dll 116 FontEngine.dll 100 FontLib.dll 8 GPS.dll 288 GPSLIB.dll 1060 GraphicsLib.dll 8280 HMIManager.exe 12 HiraUDSansPIAsciiMono-W4.ttf 56 HiraUDSansPILatin02-W4.ttf 16 I2C0.dll 16 I2C1.dll 16 I2C2.dll 16 I2C3.dll 388 IPILib.dll 32 JITDbgrDLL.dll 8 JITDbgrEXE.exe 64 LGD.dll 640 NDeviceLib.dll 84 NEventBaseLib.dll 1788 NEventWatcher.exe 232 NPAvLib.dll 32 NPAviPodLib.dll 84 NPCommonLib.dll 20 NPJctDrvIF.dll 16 NPStorageLib.dll 244 NStandardLib.dll 196 NStorageLib.dll 60 NSystemInfoLib.dll 5824 Navi.exe 96 PAVASFParserFilter.dll 92 PAVAVIParserFilter.dll 72 PAVMP3ParserFilter.dll 108 PAVMP4ParserFilter.dll 68 PAVWAVParserFilter.dll 8 PhysicalMemory.dll 8 PhysicalMemory2.dll 8 ProbeCommon.dll 16 RTC.dll 4 SDDmacLib.dll 20 SDMemory.dll 20 SDMemory2.dll 12 SNS.dll 244 SPU2AACDecoderFilter.dll 160 SPU2MP3DecoderFilter.dll 256 SPU2WMADecoderFilter.dll 20 SYS.dll 16 Serial_SCI.dll 60 SymbolLib.dll 1996 TestMode.exe 272 UICommonLib.dll 88 VEUVideoRendererFilter.dll 124 VPU5H264DecoderFilter.dll 132 VPU5Mpeg4DecoderFilter.dll 536 VPU5WMVDecoderFilter.dll 24 VoicePlayEntity.dll 160 VoicePlayService.dll 56 XBD.dll 28 XCBMap.dll 44 XCBObex.dll 16 XCBObjectPush.dll 20 XCBPbap.dll 8 XcbStackControl.dll 88 afd.dll 4 asterisk.wav 16 asyncmac.dll 24 audevman.dll 8 autoras.dll 12 binfs.dll 36 bt_a2dp.dll 52 bt_dun.dll 12 busenum.dll 20 cdfs.dll 20 cdrom.dll 16 ceconfig.h 24 ceddk.dll 12 cefobj.dll 4 close.2bp 4 close.wav 24 com16550.dll 328 commctrl.dll 80 commdlg.dll 120 connmc.exe 12 connpnl.cpl 16 control.exe 4 copyrts.txt 536 coredll.dll 180 cplmain.cpl 8 credprov.dll 48 credsvc.dll 4 critical.wav 232 crypt32.dll 8 ctlpnl.exe 20 cxport.dll 132 ddi_nop.dll 180 default.fdf 4 default.wav 4 device.dll 52 devmgr.dll 28 dhcp.dll 8 dhcpsrv.dll 12 diskcache.dll 4 dmac_sh7777.dll 8 dmaex.dll 104 dssdh.dll 24 edwdif.dll 972 edwecli.dll 52 edwexp.dll 8 edwgsp.dll 12 edwmap.dll 56 edwopt.dll 28 edwsta.dll 72 ehci_sh7777.dll 4 empty.wav 4 eventrst.exe 4 eventrst.lnk 12 exclam.wav 76 exfat.dll 44 fatutil.dll 208 filesys.dll 112 fsdmgr.dll 548 gwes.dll 8 infbeg.wav 4 infend.wav 4 infintr.wav 2788 initDB.dat 12 initdb.ini 20 initobj.dat 44 intll.cpl 48 iphlpapi.dll 16 jsproxy.dll 20 k.ceddk.dll 532 k.coredll.dll 216 k.crypt32.dll 8 k.dhcpsrv.dll 40 k.fatutil.dll 48 k.iphlpapi.dll 4 k.logdef.dll 8 k.mmtimer.dll 36 k.msasn1.dll 12 k.nspm.dll 80 k.schannel.dll 12 k.secur32.dll 28 k.ssllsp.dll 8 k.toolhelp.dll 8 k.winsock.dll 32 k.ws2.dll 8 k.wspm.dll 212 kernel.dll 504 layoutCreators.dat 4 logdef.dll 4 menupop.wav 4 menusel.wav 164 mgtt_o.dll 8 mmtimer.dll 16 msacmce.dll 36 msasn1.dll 24 msdmo.dll 20 mspart.dll 28 msvcr80.dll 116 ndis.dll 8 ndispwr.dll 36 netbios.dll 188 netui.dll 68 nk.exe 36 notify.dll 12 nspm.dll 4 oalioctl.dll 60 ohci_sh7777.dll 4 ok.2bp 144 ole32.dll 148 oleaut32.dll 4 openprog.wav 1448 pcorelib.dll 8 pio.dll 12 pm.dll 96 ppp.dll 116 putillib.dll 8 pwm.dll 460 quartz.dll 4 question.wav 8 ramdisk.dll 44 rapisrv.exe 4 recend.wav 4 recstart.wav 8 regenum.dll 52 repllog.exe 36 rnaapp.exe 12 romfsd.dll 12 rra_stm.dll 156 rsaenh.dll 116 s1r72v17f.dll 88 sbcDecodeFilter.dll 84 schannel.dll 72 sdbus.dll 40 sdhi.dll 4 sdhi_isr.dll 12 secur32.dll 28 serial.dll 32 serialusbfn.dll 12 services.exe 12 servicesEnum.dll 4 servicesStart.exe 28 servicesd.exe 52 shell.exe 12 shellcelog.dll 60 shlwapi.dll 8 spu2.dll 92 spusrv.dll 28 ssllsp.dll 12 startup.wav 4 stdsm.2bp 4 stdsm.bmp 24 stguil.cpl 12 sysroots.p7b 4 system.cpl 136 tahoma.ttf 64 tapi.dll 268 tcpstk.dll 8 toolhelp.dll 16 udevice.exe 44 udfs.dll 8 udp2tcp.exe 4 uiproxy.dll 16 umpf3410.i51 40 unimodem.dll 8 usbcharge.dll 20 usbd.dll 24 usbdisk6.dll 20 usbehid.dll 20 usbmsc.dll 16 usbmsfn.dll 1564 vautov5.dll 16 veim.dll 16 veu.dll 4 viewsm.2bp 4 viewsm.bmp 12 vpu.dll 56 waveapi.dll 24 wavedev2.dll 24 wavedev3.dll 24 wavedev4.dll 40 wavedev_usbaudio.dll 244 wince.nls 4 windmax.wav 4 windmin.wav 396 wininet.dll 8 winsock.dll 36 ws2.dll 8 ws2instl.dll 52 ws2k.dll 28 ws2serv.dll 12 wspm.dll 500 xBtProt.dll Quote Link to post Share on other sites
pionara Posted May 2, 2013 Report Share Posted May 2, 2013 ok I might have a candidate for an x50 series testmode. Can someone test it out and let me know if it works. Please only folks having experience with testmode.key should try this out. It wont brick anything - either it works or it doesnt do anything. Quote Link to post Share on other sites
Sanik Posted May 2, 2013 Author Report Share Posted May 2, 2013 Nice work! I wait device for test! Why you use dumpromx? Remaker_WinCE5 can extract not only modules, but files from Pioneer firmware. Cut first 0x200 bytes and have fun with this util Quote Link to post Share on other sites
2000se Posted May 3, 2013 Report Share Posted May 3, 2013 The key you provided doesn't not allow me to enter testmode. To make sure I have a z150. Inserted SD card into slot I started the z150 It said checking media Then it said unable to enter testmode Anything else you need me to try? Quote Link to post Share on other sites
pionara Posted May 3, 2013 Report Share Posted May 3, 2013 I made a slight change and re-uploaded. If it doesnt work, then I'll need to figure out why IDA is havign trouble disassembling testmode.exe around some key sections of the code Quote Link to post Share on other sites
2000se Posted May 3, 2013 Report Share Posted May 3, 2013 Ok. Cars in the shop right now so as soon as I get it back ( hopefully Monday ) I'll give it a shot. Quote Link to post Share on other sites
pionara Posted May 3, 2013 Report Share Posted May 3, 2013 Ok, looks like this platform (x50) is no longer ARM but SH-X? cpu!!! This probably means no custom apps unless u can find them built for SH4 - sorry Sanik! Anyhow, with Remaker i was able to get a better dump of the files. Quote Link to post Share on other sites
shatty Posted May 4, 2013 Report Share Posted May 4, 2013 Nope..Caution...Test mode failed starting Quote Link to post Share on other sites
shatty Posted May 4, 2013 Report Share Posted May 4, 2013 Can we disable the caution nag screen like on the earlier units? Quote Link to post Share on other sites
pionara Posted May 4, 2013 Report Share Posted May 4, 2013 (edited) nag screen removal will come later, first we must get testmode working ! ok this is attempt 3: testmode-x50v2.zip also, wondering if the hidden, in-app debug/service menus work on x50 series. Can someone try it out? advanced topic: hidden debug menus Edited May 4, 2013 by pionara Quote Link to post Share on other sites
shatty Posted May 4, 2013 Report Share Posted May 4, 2013 The testmode works! Quote Link to post Share on other sites
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.