Jump to content
AVIC411.com

NEX runs Android, and other useless info


Recommended Posts

  • Replies 52
  • Created
  • Last Reply

Top Posters In This Topic

I don't speak programmer, but what caught my eye was the 8 GB SD card. Is it that simple to upgrade a 7000 to an 8000? I wouldn't think that the disassembly required to reach the SD card would be too onerous.

 

Could this be adapted to the NEX series?

 

Fascinating work. I'd be willing to buy one if the modding work is this easy.

Link to post
Share on other sites

You are bushing from failoverflow? I highly respect you and your work!

 

Thanks for the extremey interesting blog!

 

I'm a software developer myself but don't have experience at the low-level systems like you using.  I've used JTAG interfaces before but still don't really have much experience with them.

 

I'm really, really looking forward to see what progress you make!

 

It sounds like you might even be able to root the device and/or modify the Pioneer menu systems to install other Android apps, etc.

Link to post
Share on other sites

Well this is an interesting turn, from all I had read and heard it looked like the NEX was powered by QNX instead of Android or the former units ancient WinCE. Seeing the SD Card inside, knowing the NEX8000 has 16GB inside, leads me to wonder if additional space (or a faster card than the mid pack Trancend card) could lead to some marginal performance and space upgradability in the future. Once all of your hard work pans out into something for the commoners to handle that is... ;)

Link to post
Share on other sites

I don't speak programmer, but what caught my eye was the 8 GB SD card. Is it that simple to upgrade a 7000 to an 8000? I wouldn't think that the disassembly required to reach the SD card would be too onerous.

 

Could this be adapted to the NEX series?

 

Possibly; there's a lot of parts missing on my 5000NEX compared to the most expensive models (e.g. HDMI input, internal (visible SD slot), CAN bus interface of some sort?   What specific features would you like to try "upgrade"?

 

 

You are bushing from failoverflow? I highly respect you and your work!

 

Thanks for the extremey interesting blog!

 

It sounds like you might even be able to root the device and/or modify the Pioneer menu systems to install other Android apps, etc.

 

Thanks for the kind words! Sometimes you just need to find a project that annoys you enough to make it worth the time.  This counts, for me.   In principle, there's nothing keeping us from rooting these boxes, though more research is necessary to figure out how to e.g. enable ADB.   (There seems to be a hidden debug menu that will allow this, but I haven't been able to find it yet.)

Link to post
Share on other sites

The biggest issue on a starting point is unlocking that storage card so you can get to it in other devices.  I can understand why you didn't post the password, but that remains the key....

 

Getting root is easy once the card is unlocked -- mount it on another unix-style machine, stuff "su" in the /system directory and flag it SUID, then stick it back in the head unit! :D

 

That also leads to another interesting thought -- if you stick a file manager in the system directory along with /bin/su, you should be able to navigate to an attached device (e.g. SD card in the front, attached USB disk, etc) and install APKs!  Whether they'll run given what are probably a number of missing sensors and I/O points, however, is a different thing entirely.

 

A real hoot would be if it will attach to a WiFi USB adapter; suddenly you have a device that can hit your tether-enabled phone.

 

Note that "Android" isn't descriptive enough by itself.  It is the frameworks that make Android useful, and who knows what's on there unless you go through the storage.  One thing that's almost-certainly NOT is GAPPs.

Link to post
Share on other sites

The biggest issue on a starting point is unlocking that storage card so you can get to it in other devices.  I can understand why you didn't post the password, but that remains the key....

 

Getting root is easy once the card is unlocked -- mount it on another unix-style machine, stuff "su" in the /system directory and flag it SUID, then stick it back in the head unit! :D

 

That also leads to another interesting thought -- if you stick a file manager in the system directory along with /bin/su, you should be able to navigate to an attached device (e.g. SD card in the front, attached USB disk, etc) and install APKs!  Whether they'll run given what are probably a number of missing sensors and I/O points, however, is a different thing entirely.

 

A real hoot would be if it will attach to a WiFi USB adapter; suddenly you have a device that can hit your tether-enabled phone.

 

Note that "Android" isn't descriptive enough by itself.  It is the frameworks that make Android useful, and who knows what's on there unless you go through the storage.  One thing that's almost-certainly NOT is GAPPs.

 

Yeah, the SD card password just isn't useful for most people because it's pretty difficult to use -- and I'm not even sure it's the same for all units!  More useful would be a dump of the SD card, because any(?) system will boot an unlocked card; I can't release my image, but hopefully I've provided enough information for someone else to reproduce this and post an image.

 

No need to "root" the thing, it's pre-rooted, if you can manage to turn on ADB or find the correct serial port and enable it (I believe that both of these are possible by pressing hidden buttons in the display, much like the "bypass").

 

I've posted another blog post about patching the software -- TL;DR is that I've successfully patched out the nag screen on my own unit but I would have to solder JTAG up to someone else's unit if I wanted to repeat the task.  I'm trying to now make an update that could be applied with a USB stick or SD card.  I'm having trouble putting all the correct files in place for the system to recognize my update as valid (it tries to install it and then gives an uhelpful error message).  I also accidentally got my unit stuck in a Recovery mode with this TESTMODE_N.KEY file, and it took a lot of nerve-wracking fiddling to get it to boot back into the normal mode.  (Fortunately, it's possible, but more research is necessary to make this robust.)

 

I haven't given up on making my own update, but if Pioneer releases the CarPlay update, I should be able to use that as a template to make a nag screen update with just a day or two of work. We'll see who releases an update first.   I just need to resist the urge to actually put this thing in my car (right now, it's sitting in pieces on my floor "workbench") -- if I do, I'll have to unsolder everything and probably won't ever get back to hooking my debug stuff back up to it.

Link to post
Share on other sites

@bushing:  You mentioned that you think a secret debug button exists similar to the parking brake bypass.  Did you try reversing it from the standpoint of searching for the "SET ON" message that is displayed during the bypass?  Maybe if you found that then you would find the code containing other secret bypass buttons, etc.

 

Also, I really appreciate and enjoy reading your blog posts.  I'm glad that you are describing everything instead of just saying "I'm working on it"!  I just hope that Pioneer doesn't change the system after the update disabling some of the methods you are using to reverse engineer everything.

Link to post
Share on other sites

@bushing:  You mentioned that you think a secret debug button exists similar to the parking brake bypass.  Did you try reversing it from the standpoint of searching for the "SET ON" message that is displayed during the bypass?  Maybe if you found that then you would find the code containing other secret bypass buttons, etc.

 

Also, I really appreciate and enjoy reading your blog posts.  I'm glad that you are describing everything instead of just saying "I'm working on it"!  I just hope that Pioneer doesn't change the system after the update disabling some of the methods you are using to reverse engineer everything.

 

Yes, I did try going back from the "SET ON" message.  Someone with more practice reversing Android apps could probably find this in five minutes, let me know if anyone wants the APK / ODEX ...

 

But if I'm doing it on my own, here's what the layout for the AV "Off" screen is (when you're in the AV screen, but all sources are off) -- http://pastie.org/private/z0brsx08glku0erwteuvg

 

After staring at that for a while, I boil that down to

<CTL_Control_ViewGroupBase layout_width=fill_parent layout_height=fill_parent>
    <CTL_Control_ImageViewBase width=267 height=144 marginLeft=63 marginTop=24 />
    <View width=fill_parent height=fill_parent />
    <CTL_Control_ViewGroupBase width=fill_parent height=fill_parent>
        <CTL_Button_SingleImage id=off_debug_1_button 
            width=200 height=200 marginLeft=50 centerVertical=true />
        <CTL_Button_SingleImage id=off_debug_2_button 
            width=200 height=200 marginLeft=300 centerVertical=true />
        <CTL_Button_SingleImage id=off_debug_3_button 
            width=200 height=200 marginLeft=550 centerVertical=true />
    </CTL_Control_ViewGroupBase>
    <CTL_Button_SingleImage id=off_videoCheckMode_button width=100 height=100 
        alignParentLeft=true alignParentBottom=true />
</CTL_Control_ViewGroupBase>

I read that as -- the text "OFF" 267x144, located at 63,24 from top-left of screen.  The hidden "videoCheckMode" button, 100x100, on the bottom-left corner of the screen.  Three debug buttons, 200x200 each, centered vertically on the screen, at offset 50, offset 300, and offset 550 from the left side of the screen -- if the screen is 800 pixels wide, then that would place debug_2 at the very center of the screen and the other 2 buttons on either side at the edges of the screen.

 

I tried tapping them, I tried "long-pressing" them (like the "SET ON") button, nothing.  I don't know if they need to be pressed in some particular order.  There's notes in the code about a "debug password input" but I think that's a separate screen that should pop up once the debug mode is triggered (and we should be able to reverse-engineer the password without much trouble).  Really, it's just this GUI stuff that's hard :)

 

The screen in question is:

7CJ5ijU.jpg

Link to post
Share on other sites

Just wondering, but is anybody making any progress on decompiling the APK?

 

The possibility of having a secret debug menu that enables USB OTG and a ADB console on one of the exposed USB ports is very exciting.  Having access to a full android system and adding custom applications (Google Maps, etc) would be fantastic!

 

@bushing:  I'm just wondering, but are you an electrical engineer?  I'm a "lowly" software developer and only know the very basics about UARTs, JTAG, etc, and I've love to learn more about reverse engineer and that field of electronics.  Your posts have really inspired me to learn more... :)

Link to post
Share on other sites
  • 2 weeks later...

Hi guys! I already have the apk / odex files disassembled to .smali, I can share them if anyone else wants to look at them

 

Sofakng, yes, I have some background in EE, glad you like the blog posts! :)

 

I have a crafted "update" that you can apply using one of the test modes that can patch the PLCaution nag screen out. It also offers a couple different ways of backing up your internal SD card to external USB or SD; you can use a built-in EasyRecovery mode to re-image the internal SD without opening up the case (or you can use the image to restore the internal card manually if that doesn't work and you can open the thing up.

 

You can also use the image to reverse-engineer the thing.

 

The thing is, in order to get the modified system to boot, I have to turn off Warp!!, which makes the system take longer to boot (26 seconds vs 13 seconds); I'm working on that right now (but that's a whole other task).

 

gEDv1Lv.jpg

 

JaKU847.jpg

 

9ICwx9E.jpg

 

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...



×
×
  • Create New...