AVIC411.com


ltl2007, looks like you are really motivated to figure this one out!

Before anyone decides to re-compile an exe file, it is better to try to get a picture of what is going on.

You mentioned, "statechangebypkbstatus"

It sounds like this means State Changed By ParKing Brake Status. What do you think?

What do you think the other one means? "drivingstatusbyinterlockchangedevent"

What is an interlock changed event?

It looks like you found a bunch of ISRs or something.

DrivingStateByPkbChangedEvent - It looks at the parking brake

DrivingStateBySpeedChangedEvent - The VSS signal maybe?

DrivingStateByZeroChangedEvent - ??

DrivingStateBySpeedDelayChangedEvent - ??

DrivingStateByInterLockChangedEvent - ??

DrivingStateChangedEventBase

PKBConfByInterlockChangedEvent

SkyStateChangedEvent - GPS Status No Fix, 2D Fix, 3D Fix - could be a catalyst for other events.

The interlock changed event sounds the most intriguing. Do you see this word interlock appear in any other files on the hard drive? Do you see this word "interlock" appear in any of the log files? Do you see it appear in the user preference file?

Does anyone here know a way to change the region setting for the Z1/Z2? The European unit seems to be bypassed by messing with the parking brake signal. So, is there a way to change the region? My car radio goes into an OEM programming mode by powering it up while holding down the power button and the input button at the same time for three seconds. Does anyone know if you can do something similar to the Z1/Z2 to get to the OEM settings?

It would be good to try to prioritize how to do this bypass.

1. Try to find a way to change something like an interlock setting via user controls - setting region, or some other OEM setting.

2. Try to edit the preference file on the hard drive. Maybe there is a line in there like, "SetInterlock=false". If that is the case, change it to "SetInterlock=true". That will only work on a user preference file, not a .dll file, or a .exe file.

3. If the first two fail, then try to change the .exe file. It looks like you have found the right area to do it by looking at ISRs. To do this, you can't just edit the file like one of those posters did. It isn't a text file. You have to recompile the code before you try it. It is a great score for our side that they left the symbols in the code!

It is very unlikely that the hack will be in a .dll file. A lockout of this type should be found in the application, not in a library.

Link to post
Share on other sites
  • Replies 571

The point is, most of the programming you write in assembly, you can write the same code in C.

I'd agree with you there, which is why I'm suggesting that it is the result of the disassembler.

You specialized in it in college? When did you have time for girls then? :lol:

Well, now that we've beaten that dead horse... Those of you working on this do know that this goes completely against the Pioneer software license ("You shall not copy, reverse engineer, translate, port, modify or make derivative works of the Software.")? Not that I think that any of you are actually concerned about this, just thought I'd point it out.

Link to post
Share on other sites

Hey guys. Right on with what you guys are saying. There are a bunch of other lines as well. I will try to get maybe a text file or a PDF posted on a couple of things. There are a bunch of things I'm starting to figure out with how the OS for the Z2 works, especially that all the changestate and doaction commands are only in 3 DLLs. I'm going to try swapping the same DLLs from a Z1 and see what happens!!

Link to post
Share on other sites

I wasn't suggesting that the bypass could be done in a dll or an exe. I was suggesting that the dll may hold the answer as to where it was looking. Like in a registry setting somewhere, or even perhaps a file that is easily changed, like a text file that is used on boot, like an ini file. I too do a lot of code. Mine is mainly in logic. I program PLCs, DCSs and such for chemical plant control systems. But I have had my fair share of programming in VB as well. Programming is programming; you just have to learn the language. Typically it isn't too difficult to follow.

Link to post
Share on other sites

Hey guys. I downloaded the Z1 files in the PRG0 and PRG1 folders, and except for a few DSM files, the files are identical in name and quantity. They are not the same in size. If indeed there is a registry file or boot INI, then it is most likely on the flash memory, like I was saying so long ago. I decompiled all the apps in the folders mentioned above, and they are different. I'm going to try and swap them in my Z2 and see if it does anything.

Link to post
Share on other sites

When I inserted a drive with the Z2 image into my Z1 unit, the screen said "Updating program do not turn off power", updating 1 of 2, then 2 of 2. While this was occurring, the whole time I was hoping that it wouldn't wipe out the possibility of the bypass with the Z1 program. The Z2 program worked great; many streets nearby that were not on the Z1 program were found using the Z2 program. I didn't have time to check out any other possible updates from Z1 to Z2. I then inserted my Z1 HDD and the screen said "updating program please wait", update 1 of 1. I then had my Z1 reinstalled WITH the bypass. For this reason I don't believe it's on the flash memory, unless the flash is updated with the HDD when they are changed and updating. I then reinserted the Z2 HDD and again got "updating program please wait", but only updating 1 of 1. The Z2 was again acting as a Z2, no bypass. Now the next question is, will the Z2 unit bypass with the Z1 HDD? It should :roll:

Link to post
Share on other sites

henryj, I'm going to swap exes one by one tomorrow and see which one is the one causing the issue, or maybe two or more. Hopefully it's as simple as replacing an exe. I will let you guys know tomorrow. Also, when you were swapping drives, did the Z1 bypass work when the Z2 drive was installed?

Link to post
Share on other sites

What if the bypass isn't a hardware bypass but maybe as simple as a combination of keys pressed to access a hidden menu?

Could be something like holding down two buttons for 10 seconds, or something like that.

Has anyone tried this?

Link to post
Share on other sites

That would be pretty hard to figure out, and unlikely. We've already narrowed down the interlock being controlled by the software, and usually these things have a solution that doesn't need to be done every time, like pushing buttons. I mean, without insider knowledge that's pretty much impossible to know the buttons, how long to hold them, and when.

Link to post
Share on other sites

OK, well, I messed around with the DLLs and exes and all I got was either a no boot, an error, or constant restarts. I'm going to open a few DLLs in C++ and see what I can do. I think I found the line that we need to edit. I've attached a screenshot; it's the highlighted line. Anybody else out there know C++ really well?

post-6187-12872752416303_thumb.jpg

Link to post
Share on other sites
