Bypass AVIC-Z2

[YzRacer]

The HmiManager.exe file in the PRG1/APL folder is what I think controlled the bypass on the Z1, and when I replace that file the Z2 gets constant reboots. I can replace almost any other .exe and the unit will work, which makes me believe Pioneer made sure that we couldn't just swap that one file. I wish I had some programming skills, hopefully you guys will get it soon. Thanks for the hard work!

[HenryJ]

YzRacer, did you try replacing the HMIManager dll along with the HMIManager exe, the dlls from z1 to z2 although the same size appear to be different. They may need to be matched?

[makoto]

What if the bypass isn't a hardware bypass but maybe as simple as combination of keys pressed to access a hidden menu?

 

Could be something like holding down two buttons for 10 seconds, or something like that.

 

Has anyone tried this?

That would be pretty hard to figure out, and unlikely. We've already narrowed down the interlock being controled by the software, and usually these things have a solution that doesn't need to be done every time like pushing buttons. I mean, without insider knowledge that's pretty much impossible to know the buttons, how long to hold them, and when.

 

I would not say impossible. If someone can figure out that you need to pulse the Illumination signal at x seconds for y amount of times, then this doesn't seem impossible either. Just a thought though. Not being able to bypass is what is holding me back from upgrading my Z1 to the Z2.

[8AxleEd]

Your effort is commendable, but you all are really headded down a dead end road. Your efforts will not pay off doing what you are doing.

 

Here is one suggestion... If you don't know anything about programming, it is better to ask questions than to act foolishly.

 

First. Do any of you know what a .dll is? It stands for dynamically linked library. It is a set of common calls that can be used by multiple programs (the .exe files). They are loaded by the program at runtime instead of at compile time by static libraries. They save disk space, and make the program more modular - that is an array of programs can now have a similar functionality, or a similar look and feel without a lot of added effort.

 

Second. You can't just open a few .dlls in C++, edit them, save them, and put them back on the hard drive. It doesn't work that way. How do you know that you are looking at C++ code anyway? I don't know the syntax of your disassembler, but you look for C++ "mangled" names (due to the c++ ability to do overloaded methods and such).

 

The disassembler may or may not work for what you are doing. It may or may not know about statically linked global variables, or vector tables and such. That means the code may not have the right offset and data and code may overlap each other. You may also be running a processor that is a variant of what runs on a PC, it may have a few different opcodes that the assembler may not know about. Because of those issues, you may not be able to edit a few instructions and then recompile and have it still run.

 

The more sure fired way is to use the disassembler to look at the code, then recompile the instructions you want by hand, and then use a hex editor on the .exe file to change those specific opcodes and operands indexed a specific number of bytes into the file. You use a hex editor because the bytes are not readable characters. How do you type the character 0x07 for instance? If you go that way, you can only change opcodes and operands in such that they take the same number of byes as the old opcodes and operands. You may need to pad with NOP opcodes. This isn't an easy process. I haven't seen your disassembler so far dissasemble any code, it is just showing you symbols. You can't edit the stuff you are looking at because you aren't looking at any code thus far.

 

The other impediment is lack of knowledge of environment. The GPS is most likely an NMEA stream on a serial port. What address is that port? Is it on the chip, or is it on an external chip? What is the chip select for it? What is the address range for the memory? How do you set those chip selects? How do you access the hard drive, or the file system? What variant of the intel processor is there? What ports does it have built in? Are there any differences in instruction set? You need to know that stuff if you are going to be able to recompile a .exe file. If the chip is an embedded variant, you might need a cross compiler. What compiler are you using? Are you using visual source studio, or a different IDE? Are you using gcc? if youa are using gcc, what backend are you using?

 

Basically, you aren't setup to do any changing of the code.

 

It would be more prudent to do a bit more investigation before you try to change the code.

 

Someone said there were log files in the unit. Why not try to do stuff that locks and unlocks the DVD playback, and then look at what was put in the log files? That is a much better place to start. Turn on the DVD player, let out the parking brake. Bypass the brake, play the DVD player, then drive < 5mph. Bypass the brake control, play the DVD player, drive > mph. Do the same as above, this time mess with the vss wire. Do a bunch of scenarios with different things bypassed, and then look at what the log file says.

 

The european version apparently doesn't have this problem. Do you think they wrote a separate version of the software just for that market? I don't. I'm guessing it is just the preference file change or something. Why not look at that avenue FIRST. Doing that is within your capabilities. Changing the code will require a steep learning curve.

 

Right now, it looks like the easiest way to bypassthe Z2 to try to get the european version.

[bobmun]

party pooper

[YzRacer]

YzRacer, did you try replacing the HMIManager dll along with the HMIManager exe, the dlls from z1 to z2 although the same size appear to be different. They may need to be matched?

 

 

Yes, I replaced all the associated files and no help. I can replace just about any file or files and it will work, but whenever the HMIManager.exe is involved, you get constant reboots.

[YzRacer]

I read a little on this model, seems like the one we are looking for :

 

http://www.pioneer.eu/eur/products/10/2 ... index.html

 

However it shows that bluetooth comes standard with this unit, but since bluetooth is much more common in Europe I suspect they just included the adapter in the box. I emailed a shop in London for a price quote, but I am sure it won't be cheap. Maybe I could just go to europe, purchase one, unlock the HDD and make an image, then return the unit to the store and fly home? Truthfully I think a round trip ticket and one night hotel stay would be cheaper than buying the unit lol.

[8AxleEd]

 

I emailed a shop in London for a price quote, but I am sure it won't be cheap. Maybe I could just go to europe, purchase one, unlock the HDD and make an image, then return the unit to the store and fly home? Truthfully I think a round trip ticket and one night hotel stay would be cheaper than buying the unit lol.

 

London is the last place you want to try to buy one. The dollar is at a 26 year low against the pound, and the exchange rate was over $2 per pound. In addition, their sales tax (VAT) is something like 17.5% right now. They don't believe in taxation without representation. I think you might do better against the Euro.

 

If you bought one in Europe, they might be looking to see if those warranty void seals have been broken when you returned it. It is an expensive gamble.

 

If the cost of the Eurpean Z2 minus the cost of the domestic Z2 is less than the cost of a plane flight and hotel, then it is cheaper to just spend a little more and buy the european Z2. Just make sure you put domestic maps on it.

[bdmpastx]

I agree with everything that 8AxleEd said. Decompiling and recompiling is a pain in the major ass. This is like hacking a satelite card. You really don't know the processor and it's built in codes so getting something to work that way is the wrong appoach.

 

Even the guys that are swapping out files like the HMIManager.exe and dll are having problems because the HMIManager.exe uses more than just that dll. It probably calls to another exe which calls another set of dlls etc. It is a daisy chain affect. Having some code writing experience would help you guys a long ways.

 

I was looking into ways that windows automotive uses a registry and the name of the registry repository. I think that if we can find that, we will be closer to a solution.

 

I think that the registry is getting updated based off of some initialization file on the hdd upon boot. Which is why you see that "Updating file 1 of 1' message.

[Hyperite]

Basically, you aren't setup to do any changing of the code.

 

 

Right now, it looks like the easiest way to bypassthe Z2 to try to get the european version.

I disagree, at least two of us are using the tools used to decompile, recompile, and patch executables and DLLs.

 

And the european version is probably quite different, which you should've mentioned in your rant about GPS memory address references, since the whole GPS system is different over there. Looking at the file structure differences would probably give us some interesting information, but as-is, i think we're going down a pretty good path. You willing to help?

[8AxleEd]

I disagree, at least two of us are using the tools used to decompile, recompile, and patch executables and DLLs.

 

Okay, great. Why not let them address the issues I posted and see if they can offer a satisfactory answer as to what they are doing. If you happen to be one of them, then your opinion has far more weight if you can address those issues.

 

And the european version is probably quite different, which you should've mentioned in your rant about GPS memory address references, since the whole GPS system is different over there.

 

You don't seem to know what you are talking about. GPS stands for *GLOBAL* Positioning system. There are 24 positioning satellites on six orbital planes that circle the earth every 12 hours. The orbital planes are inclined about 55 degrees from the equator and don't go over the poles. There are a handful of WAAS (Wide Area Augmentation Satellites) that provide atmospheric corrections to the positioning satellites. It works all over the world. The european system, Galileo is not in operation (it has 1 satellite that isn't broadcasting the final pseudo random code), and is in beurocratic trouble right now. The Russian System, Glonass has been around for a long time, and it works all over the world, even here. They uses frequency division instead of code divisiion and their orbital curve fits aren't as accurate (because their inertial guidance systems aren't as good), but it is free. The Chinese satellite system is just *barely* operational, and it only works in China (currently) with three satellites in orbit, although not all of them are being used.

 

As for what you call a "rant about GPS memory address references", I was very specific about how to find a solution. It doesn't sound like you understood what I wrote, because I didn't mention a GPS memory address. If you can address those specific issues I brought up, then your opinion will carry more weight.

 

Looking at the file structure differences would probably give us some interesting information, but as-is, i think we're going down a pretty good path. You willing to help?

 

It is far more adventageous to learn as much about the system before you try to find your bypass than it is to start groping around to find a solution.

 

I do not have an AVIC-Z2 in my posession to work with. This is mainly because I purchase a double-din face plate for my 2006 Volvo V70. Scosche said they might start shipping them some time in June.

 

I can, however, at least try to direct you all towards the right direction.

[kb5ysc]

well i am the guy on ebay, kb5ysc yea the one who posted on here and my post was killed. well lets see yes i am using the 3 switches, i had it installed for almost 1 month. no problems

 

here some of the messages i got from the users of avic411

 

it is going to crash after 3500 miles, well 6000 miles so far. still works.

 

will have to reset uint everyday. nope not yet. still working

 

look i would love to have a mod that lets me drive and watch video and nav at the same time, but so far no go.

 

but for now the 3 switches works, hack mod works. but if someone will come out with a better mod, i take my hat off to you. I used to be a computer programer a long time ago, and I think the rewriting the code might be the best way. good luck, i have not pulled the HDD yet, You guys keep working on it.

 

oh yea my newest mod is how to backup a new 07 dodge with the door open and the horn starts blowing. stupied dodge, put a cable crimp on the seat belt wire, now i can backup with door open, and no horn going off.

[mdyod]

well i am the guy on ebay.....

 

which raises the question. What about those guys on ebay? Goto ebay and search using "Z2 Bypass" and you will find at least 3 guys selling an unlock scheme. has any one tried any of these?

 

D

[kb5ysc]

i am one of the guys selling the mod on ebay. i had 19 people buy it, no complants...

[ducatiboy]

well i am the guy on ebay, kb5ysc yea the one who posted on here and my post was killed. well lets see yes i am using the 3 switches, i had it installed for almost 1 month. no problems

 

I don't think it was killed. It was just edited. And it's not a bypass, it's just a hack to make the unit think it's stationary.

 

And I have seen those fail within a couple miles to a couple hundred. I have never seen those actually function correctly for very long. Not on the Z1 or the Z2.

 

And it depends on how much you use it or don't. If you have it flipped on and use the video in motion all the time and never use the nav, it will work MUCH longer. Why some fail real quick and some last longer, I don't know why. I think it has something to do with the calibration of the system.

 

I wish I could pin down why those are unreliable, but I haven't figured it out. But I have not seen any of those last. I'm glad you have someone which has had luck with it.