rjoc

Small update, I completely recovered my HU.. but some some stupid reason my carplay doesn't work, it's gives a 02-60 error on the HU screen (Communication Error during iPod Authentication). If carplay is disabled on my iPhone it can authenticate and be used as an ipod so the auth chip works at some level. I am uncertain if this is my phone or my HU. This is running stock firmware. So this means that I can't test to see if my nag screen patch works! Also, it's important to note that carplay is basically just airplay. The phone does _all_ of the work, the HU basically becomes an exter

The only major difference between the NEX-4000 firmware and the SPH-DA120 is the model number and the GPS module stuff. You can cross flash a SPH-DA120 1.07 with the NEX-4000 1.08 back and forwards. There are very few, if any, other differences in my analysis. I think because SPH-DA120 is basically the same as the NEX and uses the same base software they just decided to sync the numbers to make manufacturing easier - they didn't push and update because there was no update, just a version number changing - leaving us confused

I don't have any skin in the game, I have neither of the HUs but I've done a bunch of reversing on Pioneer's firmware and hardware/SD hacking on my unit APPRADIO 4 which has a common software and hardware base. What's the goal? What do people actually want from the x100 series? I took a really quick look at the differences between the 4000 / 4100 and it looks like the hardware is super similar, with a few differences: CPU Unit * New flash rom - this could mean the BSP has changed (and the SD passwords are different) but can't tell until inspecting the kernel or dumping the flas

Sorry for the lack of updates, I've been really busy at work. * Looks like I got into a test mode that's not actually supposed to be accessed directly. Touch buttons *should* work on my unit in test mode (assuming if accessed correctly). * I've not yet been able to solder on my JTAG connector because the pitch is super fine and I don't solder fine regularly so I'm not confident yet. I trashed all my connectors in testing, so I've got to get some more in. In the mean time, I'm confident the software patch will work with a crafted update. I just not sure how user friendly it is. I'm

I'm waiting for a last part to arrive to actually get started, but here's where I'm at: * I'm still stuck in a TESTMODE_N recovery mode. * Messing with the file-system and partition table has been basically useless due to Warp! * I need to change the BSP to get out. * The most straightforward way to modify the BSP is JTAG. Instead of soldering on wires to the JTAG pads that I'll need to remove when I put the thing back together I've identified the connector, (it's on the way) and I'll solder this on so that I can leave it in place. I'll also need to make a adaptor board once I'v

I'm still stuck. Waiting for a new JTAG debugger, and not looking forward to soldering onto those small surface mount pads. Having some success with modifying file systems to do some strange things though, I should be able to run code and/or get an ADB console soon enough. Conscious of the weird WARP mode though - that could still get in the way. Once I get console there's potential to read and edit the BSP, this would be far better in my mind the actually modding the device - (till now other than disassembling it all I've done is remove the SD card.) I'd love to find that mythical /dev/tt

SPH DA120 has no physical buttons - it's all a touch screen. If you take the front panel apart you'll see it's a glass panel over a piece of black plastic with clear bits in the shape of the "buttons". Underneath them is a light pipe for the single LED that lights them all up. They're just touch targets. Some testmodes don't load the drivers so the "buttons" don't work.

Thanks - I built one today and had no success, it didn't work at all. I can't be 100% certain what I built was correct as I haven't been able to test it in a working unit but I tried a lot of different resistances for several hours with a POT. I also tried the steering wheel interface in my car directly and no good. I missed the mode selector for TESTMODE_S! I'll have to check this when I get booting again. I pulled two different keys for TESTMODE_A both trigger the system to go in to the test mode but I instantly get an error about it failing to launch and to "Turn ACC power off

I'm actually using a SPH-DA120 and while it has the same software it's hardware appears different (I haven't seen a 5000NEX). The whole front plate is a touch screen - I took it apart and there are no hardware buttons. Either Pioneer tech's have a different interface or they've shipped a recovery mode that doesn't work with this hardware!

I found how to access three of the TESTMODE_N functions: 'copy device', 'easy recovery' and 'mode change'. I assumed (wrongly) that 'copy device' took from internal to external, turns out it's the opposite, which makes a lot of sense in the context of servicing. Upside it has made future re-images far easier to deploy. 'easy recovery' changes the BootMode in the BSP to boot from recovery partitions. (It appears you can't get out of this mode with just a touch screen) Not sure what 'mode change' does; it appears to change update and sub-update flags in BSP but not sure the implications of

Yep, I've got several SD backups. However the mode I'm in is the one in Bushing's photo: To get here I inserted a USB drive containing a specially crafted TESTMODE_N.KEY, the system automatically picks it up and it flips a bit in the NOR flash ROM to boot to the recovery partition then reboots. So if you boot with any SD card it boots to the recovery partition. This persists past reboots and SD card changes so the only way to get out is to flip that bit again - (I can't get out the same way I got in either!) The issue I've got is my touchscreen doesn't work in this mode so I can'

Quick update. I got the head unit and managed to bypass the SD card password to take an image - just opening it up and swapping the powered SD card into a computer to then read the data off - the HU unlocks the card then I whip it out (powered) and the card stays in an unlocked state. I then started information gathering in the various the filesystem images and discovered how to access several of the TESTMODE's I've bricked and recovered my unit about 5 times today, the final time it's stuck ironically on a programming screen (but not responding to touchscreen input) and unless I

Fantastic work by Bushing, thanks! SPH-DA120 and 5000NEX seem to be very similar software wise. A firmware update came out for both late last year: http://www.pioneerelectronics.com/PUSA/Car/GPS-Navigation/AVIC-5000NEX?tab=firmware http://www.pioneerelectronics.com/PUSA/Car/AppRadio/AppRadio%204%20(SPH-DA120)?tab=firmware I've got a SPH-DA120 so I'm going to be focusing on that (wrong forum, I know). This firmware zip contains a bunch of stuff, notably two file types in a few directories: $ tree AVIC5000NEX AVIC5000NEX/ ├── BLUETOOTH │ ├── PJ140BTHBTL.