I'm sure there is a line of code in the OS that says something like "if VSS or GPS is >10MPH then disable (dvd and nav) = 1". I have a feeling all that's needed is either to change the MPH to something like 200, or to change the 1 to a 0 and turn off the disable. Anybody have any idea about that?

I'm hoping the statement would look more like this:

    if (vss <= 10mph) || (gps <= 10mph) || (lockoutDisabled == true) {
        playDVD
    }

Where lockoutDisabled is initialized to false, but will be set to true if certain pins are pulled up or grounded at boot time. This would be the back door that they have put into it, and it is the back door we are hoping that someone will leak to us shortly.

As far as hacking the code goes, it wouldn't be very easy to do. The first thing we need to know is what processor is being used. Anyone want to take their Z2 apart to tell us that? It will tell us what instruction set is being used. Second, is it an embedded controller, or a bigger system? What OS is being used? Is it an open source kernel, or is it something proprietary like Windows CE? That might give an idea of what library calls we can trap on. It would also help to know something about the memory map of the system. Are there peripherals on the processor itself (extremely common in embedded controllers)? Are the brake signal and VSS signal simply configurable ports on the processor? Is the GPS an NMEA serial stream? What are the addresses of those ports? What are the chip selects set to? That will determine the address range for memory, hard drive controllers, serial ports, etc. If you know stuff like that, you could possibly drop in an emulator that can do a hardware trace on those addresses. Then, you could disassemble the code around those areas and hopefully find the aforementioned logic. Doing the actual patch isn't hard. I could simply change a Branch On Equal instruction (BRE) to something like a Branch On Not Equal (BNE) opcode. This is preferable because those opcodes are the same length, and no branching to other code is necessary. Writing the patch isn't hard; the difficult part is finding where to put it!

Anyway, it is not an easy task to do. It would be much easier to just hope someone leaks what the back door is.

8axle, I know the OS is a version of Windows Automotive. I can tear my Z2 open on Monday when I'm back at my shop; it's in my Yukon. You're right about the code line, I was just trying to give a basic example. It might even be some sort of registry key. On the flash memory module there are many, MANY pins that are labeled, sort of like on the bottom of the unit. If there is some sort of ground-out bypass solution, I have a feeling that it will be on that board. The gyro is mounted on the bottom board (I think) and the VSS decoder is built into the OS. I don't know what the system structure is as far as the file system and any secondary or external processors. I will take a high-res pic of the bottom of the flash memory module, and the top with all the chip model numbers; maybe someone with a little more knowledge in that area can lend us all a hand. But I have a feeling that a leak from Pioneer is only a dream for right now. I've talked to a few R&D people, and they have told me (probably cuz of protocol) that the bypass is all software. Oh ya, one more thing before I forget: I think the parking brake and VSS are, like you said, set up as ports on the system. I believe there are labels for them on the CPU board. 8axle, I can email you the pics I take on Monday if you like. It might give us an idea of what processor, etc., we are dealing with.


Hi ltl2007,

I honestly don't know that it is a good idea for you to take apart your Z2; I don't want you to ruin it or anything. If the unit is running some variant of Windows, then that narrows down the processor to most likely be Intel. I guess some of the Pocket PCs might use an ARM or something. Going through the stuff I mentioned would be a huge undertaking. Personally, I was looking at this to see if I should buy a Z1 or a Z2. :D

Did you get the impression from Pioneer that there is a back door, but they weren't going to share it with us, or that there was no back door at all? If a bypass exists, do you think it will get leaked to us? That is by far the easiest way to do this. Another way is to just start a trial and error of different sequences on the inputs. If that doesn't work, then a software hack would be needed, and I'm not sure anyone is going to want to put in the time required to do it. I am very familiar with GPS systems and how they work.


8axle, thanks for the fast reply. I've already torn down both the Z1 and Z2 to nothing. I own a car/home stereo shop in SoCal, and since we can't get the Z1's anymore, I'm pretty motivated to figure out this bypass. The Pioneer reps that I have talked to have said that the bypass is 100% software. All the resistor stuff I don't think will work. There are a few other topics where guys are doing what I'm saying, moving files around from the Z1 to the Z2. The thing I'm not understanding is they are using the HDD, which is only NAV files, MP3's, and maybe a few large system files. I have a feeling, like I've been saying, that the files that need to be changed are on the FMM. As far as getting a Z1 or Z2, get a Z1 in my opinion. The 3D mapping of POI's isn't all that great, and Route Learning is kind of dumb unless you get the XM NavTraffic so it can tell you how traffic is every day on your way to/from work, etc. That's just my 2c.


I am sad to say that I actually understand the computer language being spoken in this forum. I am relatively new and have been following the hack for some time now (ever since I bought a Z1 online and they sent me a Z2). Just a thought... I know at most computer stores they sell an adapter so you can hook up any hard drive to a USB port. As far as a software hack goes, wouldn't it be easier to take the drive out, hook it up to your computer, change the settings in the registry, then slide it back in? I know there is a lot of code to go through, but if you know your code you can create a program to find that line needed. I'm sure everybody is thinking, if I think it's that easy, why don't I do it? I hate code and unfortunately don't have too much time on my hands. Just wanted to throw an idea out there.


nateair, if you had read back a few pages, you would see that I found that all the OS files, with all the input and output controls, are on the FMM, not the hard drive. I'm working on a way to get the files off the flash memory module. There are many other posts about unlocking the HDD. All that does is access some user files, backgrounds, boot logos, etc. You can take the HDD out and push down the sensor switch for it and the Z1 or Z2 will still boot up. Any flash memory experts around here? If I got ahold of some of the OS files I can decompile them; I have done it many times before. I also have a file list from another member that has a full directory layout of the HDD. I searched each line and nothing seems like it will be what we are looking for. My bet is somewhere in the FMM.


As I said in the other post:

ltl2007, while you are right that the flash memory in the Z1/Z2 does have an OS capable of running a lot of the system even without a hard drive, an update to the hard drive will change the bypass. We learned this with the Bluetooth update CD. It changes files on the hard drive and the bypass. Replacing the hard drive will switch the bypass on the Z1's. So the OS is checking for the rule of what it should do on the hard drive. The flash module is something to look at, but getting new ones or modifying files on that is much harder than the hard drive, and I think that changing something on the hard drive will get us what we want.


Well, I'm glad to know I'm not the only semi-geek on the forum, LOL.

I think you guys are going about it the right way; I'm just curious how you guys are going to get that into another computer to decipher. I'm pretty sure it will be a line of code that states the lockout or a registry key of some sort. If it is linked to a registry key, it's possible to disable it rather than change the code (assuming that the instruction is embedded, although I'm sure it's not, because we can watch video in park). The HDD would be the simple way to do it, but do not count out the ROMs either. If and when in the future they decide to provide us with a bypass, it will probably be via a DVD that will either flash the ROM or update the HDD files. I strongly feel it is in ROM rather than on the HDD! But, if anyone wants to email me the code you find, I'll be glad to be another set of eyes to look at it. grouppolicy2007@yahoo.com


Not an expert here, but... in reading through all these posts, it looks like the file should be on the hard drive. I believe someone posted that they put a Z1 hard drive in a Z2 and the Z2 was bypassed. Once the Z2 hard drive was put back in... they were back at a dead end. Am I understanding this right? Looks to me like the hard drive is the place we should be looking rather than the flash memory.


I think that ducatiboy and ltl2007 are on the right track.

ltl2007, you said that this is a complete software hack, right?

Is it possible that you could show us those log files and user files? If the user file is some sort of preference file, it could be that this is where the override goes, although the setting may not appear in the file. It could be that you need to add a line to it that doesn't exist or something. Looking at the log files might give us an idea of what to do. Try to run the DVD when the vehicle is moving, so that any conditions that might trigger it end up in the log file. Then, look at the log file to see if any entries were made. It might give a clue.

Also, ducatiboy said that when he did the Bluetooth upgrade CD, it was noted that both the FMM and the HD were changed. That is, the OS portion was changed, and the user settings were changed. It would be a great hope to think that we just need to add a user setting to get this to work.

As for your flash memory, what does it look like? Is it something like a PCMCIA card, a compact flash card, or a secure data memory card you can just put into a card reader and examine?

Can you show us directories of what you are looking at?


That's my feeling as well, but there is something with the flash memory, because I think that ltl2007 said he took a stock Z2 drive with the Z1 flash memory and it was bypassable with the Z1's methods. And yes, you can take a stock Z2 flash memory and a Z1 hard drive and bypass the Z2 like a Z1. So it seems there is a combination of both. I think modifying the hard drive will be MUCH easier for people in the field and would think we should focus on that.
