enzotcat

Thanks. Looks like my IFS extraction was successful (I checked using flashlock to generate the FS offsets, and one of the 3 was 0xba0000). I'd bet that if I used the wrong offset the file system extraction would have failed. I'm now looking at MIBRoot to try to patch it. However, running into issues actually finding things like "aCalculatedHash" - I'm trying out Ghidra because I can't seem to find a version of IDA that has ARM support. What did you use for the MIBRoot patching?

rainer

is this jeopardy????

rainer

I used a ready available patch (which I knew already worked in another car with same FW version):

MHI2_ER_POG11_P3299_MU0807

No need to create the patch myself, just made sure it is ok.
Plus I compared the unpatched dump of the other car with my own car for the ifs stage 2 area and both were identical, so I knew it should easily work.

Which firmware/unit version are you on? There's 5 patches available..

enzotcat

OK, next thing I'm running into - @asellus or @chris2 - my MIBRoot doesn't seem to be anything like the one in the PDF that was posted on some random forum . Here's what I get for a checksum on the unmodified MIBRoot:
If you've got it handy, could you run a cksum on the original MIBRoot that you extracted? Also @rainer - any chance you could run cksum against your original IFS?

asellus

@enzotcat may be because you're using Ghidra? I used IDA Pro to do the editing. As far as IDA having ARM support, I assume you're on an ARM-based Mac or something?

Fired up my VM I did this on and checksummed the MIBRoot file on what I believe is the original extraction. My numbers match yours exactly.

enzotcat

Yeah I'm trying both Cutter (radare2 based) and Ghidra because I can't find an IDA Pro and it seems a little excessive to spend $3k for a license to do this. I'm actually doing the decompilation/disassembly on a Linux VM on an intel-based Mac (I've got basically every option available - x86, ARM, Mac, VM, Linux, Windows 10 - it's just a matter of finding something that actually works). The IDA Home/Free version that I downloaded does not support disassembly of ARM binaries.

asellus

Yeah, that's kinda what I figured.

I'll send you a PM shortly.

rainer

@asellus

we patched a US model PCM today w/ M.I.B and logbook came up immediately, so logbook is not a matter of region. AA and CarPlay works perfect.

must be missing coding in your case.

it‘s a plain PCM4 w/o factory nav, but it does receive GPS position, so an antenna must be there.
I also managed to load the latest map data for Europe into the PCM.

I asssumed w/ patched EL all would work, but the Nav function does not work.

any idea what to code to make the Nav function work?

asellus

Very interesting.

Nav is enabled through one of the FECs. 00040100 I think?

enzotcat

So, I've got an "interesting" problem. I've tried a couple of times to get AA working - got a patched MIBRoot that I created, and I've verified with others that my patched MIBRoot is exactly the same as theirs - same cksum, same file size. My IFS filesystem that I created looks legit, because the extraction from the patched FS seems to be the same bar the MIBRoot - individual cksums are all the same.

I created a new FecContainer.fec using a fixed version of the MIB2 FEC creation script (fixing the place where the FEC list size is incorrectly output as a text string instead of a hex value; the former will cause a boot loop due to an incorrect FEC list length).

I've successfully flashed the file system several times. I've updated the FecContainer.fec, and have verified that I do not get a change to IllegalFecContainer.fec - it remains as a 4 byte zero-filled file after the reboot. I have also tried the "alternate" method of adaptation because I do not have PIWIS or VCDS - see page 7 of this thread (basically it's executing "on -f mmx /eso/bin/apps/pc b:0:3221356628:7.7 1" when logged into the mmx). It doesn't reboot the system like it is described in the PIWIS method, so I wind up rebooting it myself.

Here's my problem - it seems like this just doesn't work. After the reboots, nothing seems to have changed. I plug my phone in and it shows "USB device connected", but there's no AA icon on the home screen, and if I press the option button and select the connect smartphone option (I forget the exact wording), it tells me to connect an iPhone device, which is not particularly helpful.

I don't know if I'm not rebooting properly (holding the left button down inside the left volume control for 30s), or if the adaptation is not working correctly, or if I don't have all the FE codes added. My list of FECs is the following: 00060500,00040100,06310099,00030000,00050000,00060700,00060800,00060100, 00060a00,00060900

For those who have successfully used this method to enable AA on their cars, I would greatly appreciate it if you could supply your list of FECs so that I can compare them with mine to see if I have omitted something that is crucial. Also, if you could give me some details on how you performed the adaptation after flashing your FS and rebooting, I'd be grateful.

asellus

I believe the only connection I did with my phone to the headunit was bluetooth. The porscheconnect/device connect screen is specifically for iphone, as you've found out.



When you do this the screen will turn off long before you let go. When you let go, wait a few seconds, then push the button for 1, maybe 2 seconds, and you should be greeted with the full bootup sequence. On my headunit that sequence takes a good, say, ten seconds? Shows the "Porsche" logo, then shows my car's model with a little shine animation or something for a while, then loads the main menu.

If it's going directly to your main menu it hasn't been rebooted.

There was at least one time where I couldn't get it to reboot by holding the button, likely my fault with a short attention span or something, and I ended up getting out of the car, locking it, watching everything shut down in the cockpit, then unlocking and getting back into the car.

[QUOTE=enzotcat;17213087]My list of FECs is the following: 00060500,00040100,06310099,00030000,00050000,00060700,00060800,00060100, 00060a00,00060900[/quote]
erm, @enzotcat , you have a space before those last two codes, one of which is AA... you don't have a space when passing the parameters to the script, right?

MY17 4S here, without going to the car and pulling the container currently on it, my original AA endeavour ended up with the following codes:

00060500 -- sport chrono
00040100 -- activate nav
06310022 -- this seems to have to do with the nav maps for north america, yours being 99 instead of 22 is beyond me.
00030000 -- enable USB
00050000 -- enable bluetooth
00060700 -- enable "online services" (no subscription so can't verify, but the car came with this)
00060800 -- enable apple carplay
00060900 -- enable android auto -- this is the only one I added

Right now I think I have a couple other codes in there for testing with rainer that didn't pan out. Haven't touched it since.


You have 00060a00 which I don't have, near as I can tell it's a baidu something-or-another for carplay. Baidu is a chinese market search engine, if I'm not mistaken.
Additionally you have 00060100 which is "vehicle data interface" -- no idea what that's for, but I don't have it.

Have you had your modified FEC container in the car for a day or however long to have the car sit for over 30 minutes locked to fully go to "sleep" or did you put the original one back in the same testing session? I ask because of the rebooting problem I've had before -- having the car go to sleep fully will definitely reboot the headunit system.
If you have, or we're certain a full reboot has otherwise occurred, try matching my FEC list and see where it gets you. Once you're on the hacked mibroot you should be able to freely change out your FEC container without issue, provided it's formatted properly.

rainer

Thanks, @asellus ,

good feedback, as always

we did not change FEC container as in my case only EL did the job, but both cars have a totally different configuration.
Mine is fully loaded, my buddy's car is entirely "naked" and has almost no options.

I have a long FEC container, the other one seems entirely empty. I'll copy/complement my FEC and will adjust VIN and VCRN to the other car.

Will be interesting to see if Nav will work in that one. My expectation is: Yes.

It'll take a while as he's 1.5 hrs away, but I'll feed back once done here.

asellus

I'm actually super curious about this, please report back when you can. If it just straight up works, that means the map databases are loaded on the headunit regardless of purchased options on a vehicle.

Given PDIs involve plugging in a computer and updating things for modern cars, I'd just assume the PCM is blank and all that is loaded upon during PDI, especially with how PIWIS calls home and verifies the VIN with the purchased options.

rainer

I will definitely report back, but it might take some weeks as my buddy is remote and I‘m not sure when he‘ll stop by my place next time.

He‘s extremely happy with his new CarPlay function since yesterday anyway.. ;-)

what I can see and confirm is that the map data was loaded into the PCM w/o any issues. It took the usual approx 45 minutes. I loaded from USB this time, did the same for my car from SD. It does not seem to make a difference in terms of reading speed.

Map Database can be seen in settings menu as well as in vehicle analysis report w/ Piwis. The missing piece is the link between the obviously existing nav function and the database it self. It might be disabled by the unchanged FEC (I hope).

I prepared a suitable FEC container with his FIN and VCRN already, so the testing will be quick once he stops by.

He has some more „flaws“ I migt look into:

- none of the 12V plugins seem to work. According to wiring diags they should be attched to fuse D10 in the right back panel, but there‘ not socket hence no fuse in that place..

- his headlights stay on all the time once ignition is on, regardless of light switch position. Not sure this is a coding issue related to some region settings or simply a defect switch. I don‘t think this is normal behaviour for a US car?!

The analysis log I pulled has close to 1.000 pages, so it might take a while to browse and check. I guess I might try an automated compare of his car vs mine for some ECUs, the logs are in xml format.
since mine is fully loaded, my own log has around 1.300 pages (landscape format).

@asellus : you might run into license issues with your maps given the FEC code of **22 in your case. If I remember correctly the last 2 digits are map lifetime, 99 means endless. Region is defined by digits 3-5 (000 for Europe, 100 for US). Afaik you should set the FEC code for your map to 6310099 (mine is 6300099). You can of course wait until 01 Jan 2023 to see if your map fails ;-)

asellus

Awesome, @ me with the results when you get 'em!