bushing Posted May 13, 2014

I'm doing a bit of reversing of my AVIC-5000NEX with the goal of eventually making my own update that disables the nag screen. I'm still quite a ways away from that, but I wrote up a blog post that some of you might find interesting.
highctech Posted May 13, 2014

Dude - as I read your blog it felt like I was there trying to hack the AVIC with you. I'm digging the full story, assembler output and all. No matter how it turns out, it's already very interesting. WTG!!!
jhanson999 Posted May 13, 2014

Keep up the good work! I love seeing projects like this... maybe once you knock out the 5000 you'll be willing to take a look at the 8000?
douger Posted May 13, 2014

I don't speak programmer, but what caught my eye was the 8 GB SD card. Is it that simple to upgrade a 7000 to an 8000? I wouldn't think that the disassembly required to reach the SD card would be too onerous. Could this be adapted to the NEX series? Fascinating work. I'd be willing to buy one if the modding work is this easy.
sofakng Posted May 13, 2014

You are bushing from failoverflow? I highly respect you and your work! Thanks for the extremely interesting blog! I'm a software developer myself but don't have experience at the low-level systems like you're using. I've used JTAG interfaces before but still don't really have much experience with them. I'm really, really looking forward to seeing what progress you make! It sounds like you might even be able to root the device and/or modify the Pioneer menu systems to install other Android apps, etc.
epsilonkore Posted May 13, 2014

Well this is an interesting turn; from all I had read and heard it looked like the NEX was powered by QNX instead of Android or the former units' ancient WinCE. Seeing the SD card inside, knowing the NEX8000 has 16GB inside, leads me to wonder if additional space (or a faster card than the mid-pack Transcend card) could lead to some marginal performance and space upgradability in the future. Once all of your hard work pans out into something for the commoners to handle, that is...
bushing (Author) Posted May 15, 2014

> I don't speak programmer, but what caught my eye was the 8 GB SD card. Is it that simple to upgrade a 7000 to an 8000? I wouldn't think that the disassembly required to reach the SD card would be too onerous. Could this be adapted to the NEX series?

Possibly; there's a lot of parts missing on my 5000NEX compared to the most expensive models (e.g. HDMI input, internal (visible SD slot), CAN bus interface of some sort?). What specific features would you like to try to "upgrade"?

> You are bushing from failoverflow? I highly respect you and your work! Thanks for the extremely interesting blog! It sounds like you might even be able to root the device and/or modify the Pioneer menu systems to install other Android apps, etc.

Thanks for the kind words! Sometimes you just need to find a project that annoys you enough to make it worth the time. This counts, for me. In principle, there's nothing keeping us from rooting these boxes, though more research is necessary to figure out how to e.g. enable ADB. (There seems to be a hidden debug menu that will allow this, but I haven't been able to find it yet.)
tickerguy Posted May 15, 2014

The biggest issue on a starting point is unlocking that storage card so you can get to it in other devices. I can understand why you didn't post the password, but that remains the key.... Getting root is easy once the card is unlocked -- mount it on another unix-style machine, stuff "su" in the /system directory and flag it SUID, then stick it back in the head unit!

That also leads to another interesting thought -- if you stick a file manager in the system directory along with /bin/su, you should be able to navigate to an attached device (e.g. SD card in the front, attached USB disk, etc) and install APKs! Whether they'll run given what are probably a number of missing sensors and I/O points, however, is a different thing entirely. A real hoot would be if it will attach to a WiFi USB adapter; suddenly you have a device that can hit your tether-enabled phone.

Note that "Android" isn't descriptive enough by itself. It is the frameworks that make Android useful, and who knows what's on there unless you go through the storage. One thing that's almost-certainly NOT is GAPPs.
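The "mount the card on another machine and drop a setuid su into /system" step described above, as an added example that is not part of the thread: given a directory where the card's /system has been mounted or extracted, it marks a binary setuid the way tickerguy describes and then walks the tree to list every setuid file, so you can confirm the image carries exactly the setuid binaries you meant to put there before writing it back. The sample tree and its paths are constructed here so the script runs offline; it assumes a Linux host with a filesystem that stores POSIX mode bits (FAT does not), and note that a partition mounted nosuid stores the bit but ignores it at exec time.

```python
"""Mark a binary setuid inside an extracted /system tree and audit the result.

Added example, not from the thread. build_sample_system() fabricates a
stand-in tree in a temp dir; point audit_suid() at a real mount point
(e.g. the card's system partition mounted read-write) to use it for real.
"""
import os
import stat
import tempfile


def mark_suid(path: str) -> int:
    """Set mode 4755 (setuid + rwxr-xr-x) on `path`; return the resulting mode bits."""
    mode = os.lstat(path).st_mode
    if stat.S_ISLNK(mode):
        # Never chmod through a link: the target may live outside the image.
        raise ValueError(f"refusing to chmod through symlink: {path}")
    os.chmod(path, 0o4755)
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_suid(root: str) -> list[str]:
    """Return root-relative paths of every regular file carrying the setuid bit.

    lstat is used deliberately so symlinks are not followed; a link pointing
    at a setuid binary elsewhere would otherwise be reported (or hide one).
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(os.path.relpath(full, root))
    return sorted(found)


def build_sample_system() -> str:
    """Constructed stand-in for a mounted /system: a few fake, non-setuid binaries."""
    root = tempfile.mkdtemp(prefix="avic_system_")
    os.makedirs(os.path.join(root, "xbin"))
    os.makedirs(os.path.join(root, "bin"))
    for rel in ("xbin/su", "bin/sh", "bin/toolbox"):
        full = os.path.join(root, rel)
        with open(full, "wb") as f:
            f.write(b"#!/system/bin/sh\n")  # placeholder content, constructed
        os.chmod(full, 0o755)
    return root


if __name__ == "__main__":
    system = build_sample_system()
    mark_suid(os.path.join(system, "xbin", "su"))
    print(audit_suid(system))  # ['xbin/su']
```

Running audit_suid() against the untouched dump first gives you the vendor's baseline, so anything extra in the second run is what you added.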
kelkin Posted May 15, 2014

Interesting thread... can't wait to see where this winds up.
bushing (Author) Posted May 19, 2014

> The biggest issue on a starting point is unlocking that storage card so you can get to it in other devices. I can understand why you didn't post the password, but that remains the key.... Getting root is easy once the card is unlocked -- mount it on another unix-style machine, stuff "su" in the /system directory and flag it SUID, then stick it back in the head unit!
>
> That also leads to another interesting thought -- if you stick a file manager in the system directory along with /bin/su, you should be able to navigate to an attached device (e.g. SD card in the front, attached USB disk, etc) and install APKs! Whether they'll run given what are probably a number of missing sensors and I/O points, however, is a different thing entirely. A real hoot would be if it will attach to a WiFi USB adapter; suddenly you have a device that can hit your tether-enabled phone.
>
> Note that "Android" isn't descriptive enough by itself. It is the frameworks that make Android useful, and who knows what's on there unless you go through the storage. One thing that's almost-certainly NOT is GAPPs.

Yeah, the SD card password just isn't useful for most people because it's pretty difficult to use -- and I'm not even sure it's the same for all units! More useful would be a dump of the SD card, because any(?) system will boot an unlocked card; I can't release my image, but hopefully I've provided enough information for someone else to reproduce this and post an image.

No need to "root" the thing, it's pre-rooted, if you can manage to turn on ADB or find the correct serial port and enable it (I believe that both of these are possible by pressing hidden buttons in the display, much like the "bypass"). I've posted another blog post about patching the software -- TL;DR is that I've successfully patched out the nag screen on my own unit but I would have to solder JTAG up to someone else's unit if I wanted to repeat the task.

I'm trying to now make an update that could be applied with a USB stick or SD card. I'm having trouble putting all the correct files in place for the system to recognize my update as valid (it tries to install it and then gives an unhelpful error message). I also accidentally got my unit stuck in a Recovery mode with this TESTMODE_N.KEY file, and it took a lot of nerve-wracking fiddling to get it to boot back into the normal mode. (Fortunately, it's possible, but more research is necessary to make this robust.)

I haven't given up on making my own update, but if Pioneer releases the CarPlay update, I should be able to use that as a template to make a nag screen update with just a day or two of work. We'll see who releases an update first. I just need to resist the urge to actually put this thing in my car (right now, it's sitting in pieces on my floor "workbench") -- if I do, I'll have to unsolder everything and probably won't ever get back to hooking my debug stuff back up to it.
sofakng Posted May 20, 2014

@bushing: You mentioned that you think a secret debug button exists similar to the parking brake bypass. Did you try reversing it from the standpoint of searching for the "SET ON" message that is displayed during the bypass? Maybe if you found that then you would find the code containing other secret bypass buttons, etc.

Also, I really appreciate and enjoy reading your blog posts. I'm glad that you are describing everything instead of just saying "I'm working on it"! I just hope that Pioneer doesn't change the system after the update, disabling some of the methods you are using to reverse engineer everything.
bushing (Author) Posted May 20, 2014

> @bushing: You mentioned that you think a secret debug button exists similar to the parking brake bypass. Did you try reversing it from the standpoint of searching for the "SET ON" message that is displayed during the bypass? Maybe if you found that then you would find the code containing other secret bypass buttons, etc.
>
> Also, I really appreciate and enjoy reading your blog posts. I'm glad that you are describing everything instead of just saying "I'm working on it"! I just hope that Pioneer doesn't change the system after the update, disabling some of the methods you are using to reverse engineer everything.

Yes, I did try going back from the "SET ON" message. Someone with more practice reversing Android apps could probably find this in five minutes; let me know if anyone wants the APK / ODEX ... But if I'm doing it on my own, here's what the layout for the AV "Off" screen is (when you're in the AV screen, but all sources are off) -- http://pastie.org/private/z0brsx08glku0erwteuvg

After staring at that for a while, I boil that down to

    <CTL_Control_ViewGroupBase layout_width=fill_parent layout_height=fill_parent>
        <CTL_Control_ImageViewBase width=267 height=144 marginLeft=63 marginTop=24 />
        <View width=fill_parent height=fill_parent />
        <CTL_Control_ViewGroupBase width=fill_parent height=fill_parent>
            <CTL_Button_SingleImage id=off_debug_1_button width=200 height=200 marginLeft=50 centerVertical=true />
            <CTL_Button_SingleImage id=off_debug_2_button width=200 height=200 marginLeft=300 centerVertical=true />
            <CTL_Button_SingleImage id=off_debug_3_button width=200 height=200 marginLeft=550 centerVertical=true />
        </CTL_Control_ViewGroupBase>
        <CTL_Button_SingleImage id=off_videoCheckMode_button width=100 height=100 alignParentLeft=true alignParentBottom=true />
    </CTL_Control_ViewGroupBase>

I read that as --

- the text "OFF", 267x144, located at 63,24 from the top-left of the screen.
- The hidden "videoCheckMode" button, 100x100, in the bottom-left corner of the screen.
- Three debug buttons, 200x200 each, centered vertically on the screen, at offset 50, offset 300, and offset 550 from the left side of the screen -- if the screen is 800 pixels wide, then that would place debug_2 at the very center of the screen and the other 2 buttons on either side at the edges of the screen.

I tried tapping them, I tried "long-pressing" them (like the "SET ON" button), nothing. I don't know if they need to be pressed in some particular order. There's notes in the code about a "debug password input" but I think that's a separate screen that should pop up once the debug mode is triggered (and we should be able to reverse-engineer the password without much trouble). Really, it's just this GUI stuff that's hard.

The screen in question is:
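The hit-rectangle arithmetic in the post above, as an added example that is not part of the thread: it parses a hand-typed XML copy of bushing's boiled-down layout (attribute values quoted so Python's standard-library parser accepts them), resolves each view's absolute rectangle against an assumed screen size (800 wide is the post's own guess; 480 high is my assumption), and reports the centre of each hidden button so you know exactly where to tap. It is a minimal resolver for the handful of attributes this layout uses, not Android's real layout engine, and the element and id names are taken from the post.

```python
"""Resolve absolute hit rectangles for the hidden buttons on the AV "Off" screen.

Added example, not from the thread. LAYOUT is a quoted-attribute copy of the
boiled-down layout posted above; SCREEN_W/SCREEN_H are assumptions.
"""
import xml.etree.ElementTree as ET

SCREEN_W, SCREEN_H = 800, 480  # assumed panel resolution

LAYOUT = """
<CTL_Control_ViewGroupBase layout_width="fill_parent" layout_height="fill_parent">
  <CTL_Control_ImageViewBase width="267" height="144" marginLeft="63" marginTop="24" />
  <View width="fill_parent" height="fill_parent" />
  <CTL_Control_ViewGroupBase width="fill_parent" height="fill_parent">
    <CTL_Button_SingleImage id="off_debug_1_button" width="200" height="200" marginLeft="50" centerVertical="true" />
    <CTL_Button_SingleImage id="off_debug_2_button" width="200" height="200" marginLeft="300" centerVertical="true" />
    <CTL_Button_SingleImage id="off_debug_3_button" width="200" height="200" marginLeft="550" centerVertical="true" />
  </CTL_Control_ViewGroupBase>
  <CTL_Button_SingleImage id="off_videoCheckMode_button" width="100" height="100" alignParentLeft="true" alignParentBottom="true" />
</CTL_Control_ViewGroupBase>
"""


def _size(value: str, parent: int) -> int:
    """fill_parent/match_parent inherit the parent's extent; anything else is pixels."""
    return parent if value in ("fill_parent", "match_parent") else int(value)


def _resolve(elem, px, py, pw, ph, out):
    """Walk one element: compute its rect inside parent (px, py, pw, ph), recurse."""
    a = elem.attrib
    w = _size(a.get("width", a.get("layout_width", "fill_parent")), pw)
    h = _size(a.get("height", a.get("layout_height", "fill_parent")), ph)
    x = px + int(a.get("marginLeft", 0))   # alignParentLeft is the default here
    y = py + int(a.get("marginTop", 0))
    if a.get("centerVertical") == "true":
        y = py + (ph - h) // 2
    if a.get("alignParentBottom") == "true":
        y = py + ph - h
    if a.get("alignParentRight") == "true":
        x = px + pw - w
    if "id" in a:
        out[a["id"]] = (x, y, x + w, y + h)  # (left, top, right, bottom), exclusive right/bottom
    for child in elem:
        _resolve(child, x, y, w, h, out)
    return out


def hit_rects(xml: str = LAYOUT, width: int = SCREEN_W, height: int = SCREEN_H) -> dict:
    """Map every view with an id to its absolute rectangle on a width x height screen."""
    return _resolve(ET.fromstring(xml.strip()), 0, 0, width, height, {})


def hit_test(rects: dict, x: int, y: int) -> list:
    """Ids of all views whose rectangle contains the point (x, y)."""
    return [vid for vid, (x0, y0, x1, y1) in rects.items() if x0 <= x < x1 and y0 <= y < y1]


def tap_targets(rects: dict) -> dict:
    """Centre point of each view: the safest place to tap when probing for hidden buttons."""
    return {vid: ((x0 + x1) // 2, (y0 + y1) // 2) for vid, (x0, y0, x1, y1) in rects.items()}


if __name__ == "__main__":
    rects = hit_rects()
    for vid, centre in tap_targets(rects).items():
        print(f"{vid:28s} rect={rects[vid]} tap_at={centre}")
```

With the assumed 800x480 panel, off_debug_2_button resolves to (300, 140)-(500, 340), whose centre (400, 240) is the screen centre, which is the conclusion the post reaches by hand; off_videoCheckMode_button sits at (0, 380)-(100, 480). If the real panel height differs, only the vertical numbers move, since every button is either centred or bottom-aligned.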
tickerguy Posted May 20, 2014

I can decompile APKs down to Java (really .smali files, but close enough.) The problem would be a potential missing set of frameworks, but I can certainly try it.
sofakng Posted May 22, 2014

Just wondering, but is anybody making any progress on decompiling the APK? The possibility of having a secret debug menu that enables USB OTG and an ADB console on one of the exposed USB ports is very exciting. Having access to a full Android system and adding custom applications (Google Maps, etc) would be fantastic!

@bushing: I'm just wondering, but are you an electrical engineer? I'm a "lowly" software developer and only know the very basics about UARTs, JTAG, etc, and I'd love to learn more about reverse engineering and that field of electronics. Your posts have really inspired me to learn more...
bushing (Author) Posted May 31, 2014

Hi guys! I already have the apk / odex files disassembled to .smali, I can share them if anyone else wants to look at them.

Sofakng, yes, I have some background in EE, glad you like the blog posts!

I have a crafted "update" that you can apply using one of the test modes that can patch the PLCaution nag screen out. It also offers a couple different ways of backing up your internal SD card to external USB or SD; you can use a built-in EasyRecovery mode to re-image the internal SD without opening up the case (or you can use the image to restore the internal card manually if that doesn't work and you can open the thing up). You can also use the image to reverse-engineer the thing.

The thing is, in order to get the modified system to boot, I have to turn off Warp!!, which makes the system take longer to boot (26 seconds vs 13 seconds); I'm working on that right now (but that's a whole other task).