Cayenne 9Y0 2019 - 3rd Generation
Full screen CarPlay on PCM5 project

Old 01-22-2022, 11:34 PM
  #1  
Darkpower
Intermediate
Thread Starter
 

To avoid the confusion this time, I will post the project I have been working on for the last two years on the PCM5, so this post will not be recognised as spam.

Background: I am a software engineer, and initially this was just a hobby with my car, as I felt really annoyed using the half-screen CarPlay in my car back in 2020.
I was really surprised that Porsche only developed 800x600 resolution on a 12” screen for CarPlay, and it looks silly that only half the screen can be used in CarPlay mode.

So I set up my testing bench and started this project, just trying to enlarge the CarPlay screen to use the full screen.




Getting started:

Well, things didn’t go really well, as gaining root access to the system was the first problem I needed to overcome before any analysis work could be carried out.

The hardware is made by Alpine.

And I found that the multimedia board is called MMX, which is based on the Tegra K1 SoC and holds a QNX 6.6 embedded system. For start-up, it runs from a NOR flash which is integrated with the SoC and RAM.







There is no way I can take that NOR flash out to modify the data for root access. Then I found that the system also has a software update mode. You can get into this mode by tapping the top right corner of the screen with two fingers and holding for a few seconds; the system will then boot into the software update mode.



This is for updating factory firmware, and it boots from the eMMC on the board. This eMMC can be removed for reading and changing data. Although it is really hard to remove the BGA chip, and placing 0.3mm solder balls on the eMMC scared the hell out of me in the beginning, it is still possible, so I took the risk and removed the chip.




Gaining access via eMMC removal is not a secret anymore; people posted this on the internet a long time ago. So after the chip was removed, I modified the data to allow login, and now I can log into the system as root under software update mode.



After I could log into the system, I found that it is very similar to the PCM4 system (QNX 6.5). However, all apps are signed, so it is not as easy as before, when you could patch any app in PCM4.

But there is still a way to bypass the checking, and I made Android Auto work by patching the app.

For full screen CarPlay, it is not too easy, as the UI design has locked the resolution. Even though there is a testing script that allows customising the resolution, the UI frame is locked, so I needed to reverse engineer the UI design to change the whole layout for the CarPlay display.

After a few months of trial and error, I made it full screen, but only by stretching the image larger; the icon size stays the same. Compared with PCM6, it looks quite different, and the resolution is not normal and not optimised for a lot of apps.




Before the new PCM6 was announced, I didn’t know the CarPlay screen could be so much better, and the CarPlay icons on PCM6 are optimised for full screen display as well.

So I was happy with it until the day PCM6 was announced. The CarPlay screen in PCM6 looks much better optimised; in particular, the icon size is optimised for full screen display.




Then I had to restart the project and found a way to change the whole layout to utilise the whole screen. Now everything looks better and the screen image looks exactly the same as PCM6.




Finding the way to gain access:

Now the problem is that doing all of that requires more skill and experience with chip soldering, which makes it impractical, and it is impossible to do remotely.


After a few months of research I found there are some ways to gain root access without taking the eMMC off the board. One of them is to use the vulnerability that the K1 has, which is the same vulnerability as on the X1 in the Nintendo Switch:

https://www.tomshardware.com/amp/new...tch,36942.html
It uses a buffer overflow to run arbitrary code via the boot ROM of the K1 chip.



I studied more and learned more about bare-metal programming. After one month of learning and reading the Nintendo Switch hack source code, I found
source code for T124 code injection on GitHub:
https://github.com/LordRafa/ShofEL2-for-T124

But I had to modify it to run on the K1 VID and change the iRAM addressing map to allow it to work on PCM5.
I modified the code, successfully injected my code and could run hello world on it.

Later on I also added a serial driver to output logs.

However, it is a mission to write the driver for the eMMC so that I can access the eMMC via the RCM mode of the PCM5.






The downside is that when the PCM5 is in RCM mode, it keeps rebooting every 2 minutes, because the watchdog on the RCC board keeps scanning for the availability of the MMX Nvidia board.

Since the MMX board is in RCM mode, the RCC will trigger a reboot.

Also, the vulnerability was patched by Nvidia in 2020 chip production; all PCM5 units produced after that won’t have this back door anymore.


Then, some clever guy in Europe developed an SD tool which can use the challenge-response algorithm to enable root access. I approached him and tested that it works. The PCM5 has this by default, but we don’t have the private key to generate the response code, so someone used a firmware update to replace the public key in the system so that they can generate their own response code for root access.





This has made the access more practical, and it can be done remotely. Because of that I put the post here to let others know that enabling full screen CarPlay and Android Auto activation can now be done remotely.

The whole thing took me two years of my spare time, and I am glad that it all worked out nicely. I don’t really consider upgrading my car, at least in the next 2 years.




Old 01-23-2022, 06:33 AM
  #2  
androidcn
Track Day
 

Thanks for your great work
free for us?
Old 01-23-2022, 07:02 AM
  #3  
Darkpower
Intermediate
Thread Starter
 

Originally Posted by androidcn
Thanks for your great work
free for us?
I wish I could, but it is so costly to obtain the root access by using the challenge / response SD
Old 01-24-2022, 10:00 AM
  #4  
Drleith
4th Gear
 

How do I work out which PCM version I have?
Old 01-24-2022, 05:04 PM
  #5  
Darkpower
Intermediate
Thread Starter
 

Originally Posted by Drleith
How do I work out which PCM version I have?




Old 02-25-2022, 10:18 PM
  #6  
carguyz
3rd Gear
 

Hello,

Do you happen to have the method / tutorial on which files to patch after you've done the update to receive the root access?
thanks
Old 02-26-2022, 06:50 AM
  #7  
Darkpower
Intermediate
Thread Starter
 

Originally Posted by carguyz
Hello,

Do you happen to have the method / tutorial on which files to patch after you've done the update to receive the root access?
thanks
This is just the standard Linux password format with DES encryption, so changing the password or disabling the password is just the standard Linux procedure; you can google how to change a Linux password.
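
Added example, not part of the thread or of any poster's code: post #7 describes the password entry as standard Linux format with DES, and someone reviewing a firmware image can look for that class of entry by classifying the hash scheme of every account in a shadow-style file. The sample entries are constructed, and the shadow(5) field layout is an assumption about the image being reviewed.

```python
import re

# Constructed shadow(5)-style sample; no value here comes from a real unit.
SAMPLE_SHADOW = """\
root:ab01FAX.bQRSU:17000:0:99999:7:::
service::17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
update:$6$constructedsalt$constructedhashvalue:17000:0:99999:7:::
"""

# Traditional DES crypt(3): 2 salt chars + 11 hash chars, no "$" prefix.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
# Modular crypt format identifiers, as in "$<id>$<salt>$<hash>".
MODULAR_IDS = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
               "5": "sha256-crypt", "6": "sha512-crypt", "y": "yescrypt"}
WEAK = {
    "empty": "account accepts login with no password",
    "des-crypt": "only the first 8 characters count, 12-bit salt, 56-bit key",
    "md5-crypt": "legacy scheme, considered obsolete",
}

def classify(field):
    """Return the scheme name for the second field of a shadow entry."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    if field.startswith("$"):
        parts = field.split("$")
        return MODULAR_IDS.get(parts[1], "unknown")
    if DES_CRYPT.fullmatch(field):
        return "des-crypt"
    return "unknown"

def audit(shadow_text):
    """Return (user, scheme, reason) for every weak entry."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        user, field = line.split(":")[:2]
        scheme = classify(field)
        if scheme in WEAK:
            findings.append((user, scheme, WEAK[scheme]))
    return findings

if __name__ == "__main__":
    for user, scheme, reason in audit(SAMPLE_SHADOW):
        print(f"{user}: {scheme} ({reason})")
```

A strong hash scheme alone does not help when the storage holding the file can be rewritten offline, as the first post describes; the check only shows which entries are weak on their own terms.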
Old 02-26-2022, 01:37 PM
  #8  
CanuckGT4
Rennlist Member
 

Wireless AA before Fullscreen anything would be a better idea imho.
Old 02-26-2022, 06:47 PM
  #9  
carguyz
3rd Gear
 

Sorry, I meant the procedure after having the password changed / sorted.
Old 03-01-2022, 10:35 AM
  #10  
Darkpower
Intermediate
Thread Starter
 

Originally Posted by carguyz
Sorry, I meant the procedure after having the password changed / sorted.
You mean sharing how to enable full screen and Android Auto with the public?
Old 05-10-2022, 07:41 PM
  #11  
carguyz
3rd Gear
 

Yes, or even the root password generator if you have?
Old 05-10-2022, 09:15 PM
  #12  
innovativesoft
Basic Sponsor
Rennlist
Site Sponsor

 

Originally Posted by carguyz
Yes, or even the root password generator if you have?
Yes, to generate a token for root access.
Old 09-15-2022, 11:27 AM
  #13  
TrueaAndOnlyTrue
Banned
 

Originally Posted by carguyz
Yes, or even the root password generator if you have?
You have to be kidding, this guy who try act here sell fairy tales about "big" project, "hacking", about big brain guy, etc etc. is only purpose to catch new victims which will sell his piracy sw "solution" which is crime acting and forbidden by VAG, anyone can report him to VAG for breaking their copyrights, intellectual property etc. selling here at forum stories "software way activation is best way activation carplay, aa" and arguing by guys who say best way is buy FEC by Porsche official dealer, and activate there by Piwis, ODIS whatever for almost same amount money as they charge.

If this guy had good intention, and honest intention, will share his findings by forum's members, same like chris2 did for pcm 4x,

https://rennlist.com/forums/991/1049...l#post16022781

but, no, this guy just try advertise himself and show people that he is much "smart" and had 2 years spend to solve Carplay full screen, to look more serious "project", even it's 1 day job for well skilled system engineer, with some unix background and solid reverse-engineering skills, same as guys "three happy friends" solved access to mh2p units =pcm5, and then just use dlink copy right file with right permission, to right place at fs, that's all.

So, don't expect by such types guys any share, they are here advertise themselves to sell piracy stuff.
Old 09-15-2022, 07:54 PM
  #14  
Darkpower
Intermediate
Thread Starter
 

1. Getting root access on that unit does take a long time to develop. Unfortunately I can only do that by removing the chip or using Tegra chip RCM.
People like Three happy friends somehow got the file signed for a customised fw update file, which can replace the public key and use challenge and response to unlock.

2. Porsche has never made CarPlay show at full screen resolution in the PCM5 system; they did improve that on PCM6. So I found a way to make it full resolution on PCM5. Is that a good thing for all forum members who have PCM5?

3. Both developments take a very long time to figure out, especially writing a program to access the eMMC via the Tegra back door. Not sure anyone can just do that in one day; you may need to look at the Nintendo Switch hack.

4. Figuring out the full screen resolution does require some good tools and an understanding of how the UI is compiled. Properly recompiling it the factory way, and not letting the UI load multiple times after boot, is the key. So if you think that is just a copy and paste job, then you probably think of it as too simple.

5. I have never argued against people buying genuine codes, but you have to know there is no genuine code for Android Auto with the PCM4 and PCM5 systems. It does NOT exist. And the way it works is to use your VCRN number and generate it on their own; obviously they have the private key to generate the swap code.
And the injection is not done by PIWIS; it can be injected by ODIS Engineering. I guess you do need to do more research on this. Adding an FEC code that your car is not supposed to have carries a risk of voiding the warranty. If the FEC code was purchased from Porsche, it will be sorted on the server side as well, and each online recovery will download it to the head unit.

6. If you want technical info, you can ask for it and I am more than happy to discuss, but I have no idea what your purpose is in insulting others by posting comments that are not true and that mislead others as well.


Originally Posted by TrueaAndOnlyTrue
You have to be kidding, this guy who try act here sell fairy tales about "big" project, "hacking", about big brain guy, etc etc. is only purpose to catch new victims which will sell his piracy sw "solution" which is crime acting and forbidden by VAG, anyone can report him to VAG for breaking their copyrights, intellectual property etc. selling here at forum stories "software way activation is best way activation carplay, aa" and arguing by guys who say best way is buy FEC by Porsche official dealer, and activate there by Piwis, ODIS whatever for almost same amount money as they charge.

If this guy had good intention, and honest intention, will share his findings by forum's members, same like chris2 did for pcm 4x,

https://rennlist.com/forums/991/1049...l#post16022781

but, no, this guy just try advertise himself and show people that he is much "smart" and had 2 years spend to solve Carplay full screen, to look more serious "project", even it's 1 day job for well skilled system engineer, with some unix background and solid reverse-engineering skills, same as guys "three happy friends" solved access to mh2p units =pcm5, and then just use dlink copy right file with right permission, to right place at fs, that's all.

So, don't expect by such types guys any share, they are here advertise themselves to sell piracy stuff.
Old 01-30-2024, 05:52 AM
  #15  
TrueaAndOnlyTrue
Banned
 

Stop write bull****, you offer piracy purchased by real authors, mostly BG,RU,PL and some of them elebeste Singapore, those stories need remove chip bla bla you can sell unskilled guys, all you do = replacing simple .jar file, which nowadays can do it anyone, console, root pass, copy-paste .jar file for full screen carplay - done, and all those is longer time available and free in public, but owners of Porsche here at forum didn't find it, and you use chance overcharge them for stuff which free and in public longer time ago. Those stories about explanation how swap codes are entered by odis-e anyone who deal with VAG knows, don't get things literally, word code is just descriptive, sure i mean swap-fec codes, connected to vin-vcrn etc, and which entered by odis-e. I don't need any info by you, as solved by myself longer time ago, as all those you sell here is just solutions by other guys, and you are guy with 2 nick names here at rennlist, inovativesoft-nz + darkpower, forums are for sharing stuff, information, helping other free of charge, not using them to make profit for yourself, go at ebay, aliex, amazon and resell solutions you purchased by ru,bg,or steal by other authors.


