MMCS HDD Unlock -- Success!
Disclaimer: I drive an 08 Lancer, but I'm 99.999% sure this applies to the Outlander with navi, too.

[Edit: This post describes the procedures we went through to discover the MMCS password. To unlock the drive yourself, which is much easier, see this post]

A friend & I have managed to unlock the Hard Disk Drive in the MMCS over the weekend. Here is a very brief overview of what we did:

First, we made what we'll call an "Interposer" card -- basically a board that you insert into the hard drive slot in the MMCS to expose the data lines for the hard drive communications with the real hard drive attached to the other end. We did this by measuring the size & depth of the opening and cutting a copper board to size, etching off some traces on the top to connect to some 44-pin headers on each end (one to go in the MMCS, the other to connect the original hard drive to), and connecting jumper pins so we can attach an oscilloscope to the data lines.

Here is the finished Interposer card installed in my MMCS unit with the digital scope probes attached:

Attachment 13720

And here is the oscilloscope sitting on the roof of the car with the wires going through the sunroof (so they don't get in our way):

Attachment 13721

Once everything was connected, we set the scope to trigger when the "SECURITY UNLOCK" command was sent per the ATA specifications (0xF2). At first, we weren't seeing any data -- after a lot of troubleshooting, it turns out it is because the MMCS sends the SECURITY UNLOCK command and, rather than polling the status bits (as it technically should), it just has a very long time delay before it starts sending the password bytes. Once we figured that out, we captured the part of the password on the scope:

Attachment 13722

Since our scope only had 16 digital inputs and the data words are 16 bits wide, we had to remove some of the extra signals. Since the MMCS is an embedded system, it is very predictable on startup -- so we simply triggered on the first occurrence of "F2" on the data pins and the 2nd DIOW pulse (indicating the start of the data).

Here is a scope screenshot of the HDD unlock password in its entirety:

Attachment 13723

Success! Effectively, after staring at the waveform for a while, you come up with this as the HDD password:

BAB2 BCB3 DFB0 BEAC BBB1 DFBE ADB1 CDD2 CEC9 B2AA B1DF 899E DF96 8CAA 8D9A DFDF

Before we move on, I realized there are some interesting facts about this password though. The D7 and D15 pins are held high through the entire password sequence. The password is 32 bytes long but transferred as 16 sixteen-bit words, so the MSB of each byte is high. It turns out that if you invert all of the bits of the password you get this:

454D 434c 204f 4153 444e 2041 524e 322d 3136 4d55 4e20 7661 2069 7355 7265 2020

That looks like ASCII! Decoded it reads "EMCL OASDN ARN2-16MUN va isUre " ... but that doesn't make any sense. After swapping the byte ordering around you get:

4D45 4C43 4F20 5341 4E44 4120 4E52 2D32 3631 554D 204E 6176 6920 5573 6572 2020

which in ASCII is: "MELCO SANDA NR-261UM Navi User "

W00t! Now we know the HDD password and how it is derived.

The next step was to install the HDD into my computer and boot linux. It turns out hdparm's --security-unlock command only takes ASCII passwords from the console (remember, our password is the inverted ASCII text). So I booted with a linux-based XBOX unlocking CD. The password I had to give to the 'unlockhd' command was actually byte swapped, so if you try it, use this as your password:

b2bab3bcb0dfacbeb1bbbedfb1add2cdc9ceaab2dfb19e8996dfaa8c9a8ddfdf

Success 2! The hard drive was now unlocked and security disabled. I rebooted back into "normal" linux and made a disk image for a backup -- and now all the experiments can begin! Also note that I did NOT have to relock the hard drive before reinstalling it in the MMCS, saving a step. I believe the MMCS just relocks it for you.

The disk has 6 partitions (3 primary partitions + a logical partition containing 3 more partitions). It appears to be separated into partitions for Map data, unknown, navi software (loading.kwi), screen resources animations images and text, gracenote CDDB, and finally the music server.

Oh, and to answer the question: Only 5.4GB of the disk is used for the Music Server! The music is in a proprietary format (but appears to be similar to an mp3 in a RIFF/WAVE container but with DRM or something and a .sc file extension). All the bootup animations and backgrounds are bitmaps or gifs (animated). All the navigation data appears to be similar to most other OEM navigation units out there and is littered with ".kwi" and ".idx" files. Aside from the "loading.kwi" file I found, which I suspect is only loaded after the system boots up (which may explain why some navigation options are unavailable immediately after power-on for a few seconds), I guess the operating system is entirely stored in flash.
|
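The password derivation worked out in the post above, as an added example (not code from the original poster): it takes the 16 captured words, serializes them low byte first (the post's "byte swapped" order), undoes the bit inversion, and checks the reverse direction. The function names are hypothetical; the data values are the ones quoted in the post.

```python
import struct

# The 16 data words read off the scope, exactly as listed in the post.
CAPTURED_WORDS = [
    0xBAB2, 0xBCB3, 0xDFB0, 0xBEAC, 0xBBB1, 0xDFBE, 0xADB1, 0xCDD2,
    0xCEC9, 0xB2AA, 0xB1DF, 0x899E, 0xDF96, 0x8CAA, 0x8D9A, 0xDFDF,
]

def wire_bytes(words):
    """Serialize bus words low byte first (the post's 'byte swapped' order)."""
    return struct.pack("<%dH" % len(words), *words)

def msb_always_set(data):
    """True when every byte has bit 7 high, as observed on pins D7 and D15."""
    return all(b & 0x80 for b in data)

def recover_plaintext(words):
    """Undo the bitwise NOT and return the underlying ASCII string."""
    inverted = bytes(b ^ 0xFF for b in wire_bytes(words))
    return inverted.decode("ascii")  # raises if the inversion guess is wrong

def derive_password(text, length=32):
    """Forward direction: pad with spaces to 32 bytes, then invert every bit."""
    padded = text.encode("ascii").ljust(length, b" ")
    return bytes(b ^ 0xFF for b in padded)

if __name__ == "__main__":
    raw = wire_bytes(CAPTURED_WORDS)
    print("bytes on the wire :", raw.hex())
    print("MSB set everywhere:", msb_always_set(raw))
    print("recovered text    :", repr(recover_plaintext(CAPTURED_WORDS)))
    rebuilt = derive_password("MELCO SANDA NR-261UM Navi User")
    print("round trip matches:", rebuilt == raw)
```

Every byte having its top bit set is what gives the scheme away: 7-bit ASCII inverted always lands in 0x80-0xFF, so the value is a fixed, obfuscated string rather than a per-unit secret.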
RE: MMCS HDD Unlock -- Success!
Dude, where did you learn this crap?
|
RE: MMCS HDD Unlock -- Success!
What does this mean for us? Are you going to utilize this information to install a larger HDD?
|
RE: MMCS HDD Unlock -- Success!
Congrat again! This is a giant step forward!:D:D
The file loading.kwi and Google lead me to these conclusions:
1. The MMCS uses a Hitachi processor. Do you have some photos of the board and the processor?
2. The operating system is QNX® Neutrino® RTOS, a sort of Unix-based real-time system.
http://www.qnx.com/news/pr_1681_4.html
http://www.qnx.com/products/neutrino_rtos/
Here is some of the earlier detective work that is very helpful: http://forums.corvetteforum.com/show...36&page=12 |
RE: MMCS HDD Unlock -- Success!
There is a tool for analyzing the kiwi file:
http://www.datawest.co.jp/en/seihin-.../map/tool.html http://www.datawest.co.jp/en/seihin-...Eng-latest.pdf |
RE: MMCS HDD Unlock -- Success!
Guys, what are you smoking?
Just kidding! I guess you didn't like this system too much, just go aftermarket! Ciao! |
RE: MMCS HDD Unlock -- Success!
It looks like it's even possible to add POIs. Wow. And does this mean we can upgrade map data too by simply obtaining the latest kwi files? And so there is even hope of loading a different navigation interface just like the ones used in Japan (with 3D images)? Looks like this is a big discovery you guys made. Opens a whole new arena for tweaking and modding the MMCS.[8D]
|
RE: MMCS HDD Unlock -- Success!
ORIGINAL: rcpax
It looks like it's even possible to add POIs. Wow. And does this mean we can upgrade map data too by simply obtaining the latest kwi files? And so there is even hope of loading a different navigation interface just like the ones used in Japan (with 3D images)? Looks like this is a big discovery you guys made. Opens a whole new arena for tweaking and modding the MMCS.[8D]

I think the hard drive version of Denso Navi system as in Outlander is a better target than the DVD version. Reverse engineering tools are needed for such hacks, especially the tools from Denso. And of course, a lot of work! |
RE: MMCS HDD Unlock -- Success!
And of course, the long awaited "proper" fix for the DVD playback while in motion.:)
|
RE: MMCS HDD Unlock -- Success!
ORIGINAL: rcpax
And of course, the long awaited "proper" fix for the DVD playback while in motion.:)

http://www.naviedit.de/ |
RE: MMCS HDD Unlock -- Success!
ORIGINAL: evoracer
What does this mean for us? Are you going to utilize this information to install a larger HDD?

For more information, the MMCS drive is a "TOSHIBA MK3029GAC" |
RE: MMCS HDD Unlock -- Success!
ORIGINAL: brian360
the drive in the MMCS is an automotive grade drive -- it can withstand insane temperatures and shocks versus normal laptop drives. So a replacement drive will likely fail sooner than the original. For more information, the MMCS drive is a "TOSHIBA MK3029GAC"

Shock is not a big issue for laptop drive either. |
RE: MMCS HDD Unlock -- Success!
Worthy Automotive HDD upgrade? http://www.hitachigst.com/portal/sit...beb82eac4f0a0/
20GB additional space than the current OEM drive capacity Here's Seagate's offering with 40GB top capacity: http://www.seagate.com/ww/v/index.js...;reqPage=Model |
RE: MMCS HDD Unlock -- Success!
Seagate 40GB ST940813AM
Ambient Temperature Operating -30 to 85 degrees C Nonoperating -40 to 95 degrees C $169 from CDW, not bad http://www.cdw.com/shop/products/spe...ecs-_-Main+Tab |
RE: MMCS HDD Unlock -- Success!
The Hitachi Durastar J4K50 is actually 50GB. But no one is selling it yet?
|
RE: MMCS HDD Unlock -- Success!
ORIGINAL: brian360 As I said in the other thread, withstanding low temperature is the key for harddrive automotive application. Shock is not a big issue for laptop drive either. Ended it up sending it back without the hard drive. Now I know my data and password are safe and cannot be recreated Puddy |
RE: MMCS HDD Unlock -- Success!
I don't think I understand 1 word in this trend.
|
RE: MMCS HDD Unlock -- Success!
I think I am smarter now from just opening this thread.
|
RE: MMCS HDD Unlock -- Success!
I don't even have a MMCS, but props to a damn fine hack! Want to work on disabling the TPMS in the ECU next? |
RE: MMCS HDD Unlock -- Success!
That is awesome!
|
RE: MMCS HDD Unlock -- Success!
So I've been doing some ASCII dumps of the "Loading.kwi" file and revealed this text -- looks like our navi system runs Windows CE:
. .T.h.i.s. .K.e.r.n.e.l. .w.a.s. .b.u.i.l.d. .f.o.r. .S.H.-.4. .C.a.r. .N.a.v.i.g.a.t.i.o.n. .S.y.s.t.e.m.........W.i.n.d.o.w.s. .C.E. .F.i.r.m.w.a.r.e. .I.n.i.t.........K.e.r.n.e.l. .V.e.r.s.i.o.n. .:. .%.s.......O.S.-.N.R.2.6.1.-.1...2.1... Hopefully someone can find a tool to extract .kwi files -- I found one but it just crashed while parsing our loading.kwi file. |
RE: MMCS HDD Unlock -- Success!
Can i ask how the hell you educated yourself about this?
|
RE: MMCS HDD Unlock -- Success!
my guess it's called some kind of engineering school and passion for hacking :)
|
RE: MMCS HDD Unlock -- Success!
ORIGINAL: Sebba
Can i ask how the hell you educated yourself about this?

ORIGINAL: klas
my guess it's called some kind of engineering school and passion for hacking :)

School and both of us work in the tech industry where we deal with this sort of stuff on a daily basis. Your comment cracked us up, btw. Plus, we've been fiddling around with stuff like this most of our lives. It took us less than 48 hours to create the interposer, solder, test, capture, and analyze the data. The two hardest parts were figuring out why the damned MMCS took so long to send the unlock password and the two's complement of the captured data. |
RE: MMCS HDD Unlock -- Success!
ORIGINAL: brian360
So I've been doing some ASCII dumps of the "Loading.kwi" file and revealed this text -- looks like our navi system runs Windows CE: . .T.h.i.s. .K.e.r.n.e.l. .w.a.s. .b.u.i.l.d. .f.o.r. .S.H.-.4. .C.a.r. .N.a.v.i.g.a.t.i.o.n. .S.y.s.t.e.m.........W.i.n.d.o.w.s. .C.E. .F.i.r.m.w.a.r.e. .I.n.i.t.........K.e.r.n.e.l. .V.e.r.s.i.o.n. .:. .%.s.......O.S.-.N.R.2.6.1.-.1...2.1... Hopefully someone can find a tool to extract .kwi files -- I found one but it just crashed while parsing our loading.kwi file.

If MMCS is really a set of applications running on customized WinCE system, things might look even more promising. There are tons of tools in the Windows world. The Audi tool is no good for it because it assumes the image is for unix. Please upload the loading.kwi to somewhere like rapidshare so that other members including me can take a look at it. |
RE: MMCS HDD Unlock -- Success!
Here is some info about Hitachi SH-4 Architecture:
http://en.wikipedia.org/wiki/SuperH SH-4 on WinCE .NET 4.2 notes from Microsoft: http://msdn2.microsoft.com/en-us/library/ms864152.aspx |
RE: MMCS HDD Unlock -- Success!
Great job guys! :)
Personally, I wouldn't want to tamper with my navi for warranty reasons and being lazy of course. Besides, not even once I used it to save audio files. I just use free sirius radio and once "free" is over I will pay for subscription. If I want to listen to my own music I would just use external mp3. |
RE: MMCS HDD Unlock -- Success!
Here is a disassembler:
http://www.datarescue.com/idabase/overview.htm http://www.datarescue.com/idabase/52preview/index.htm Yet another: http://www.delosoft.com/fs.exe?actio...ir=/dev/disasm More Info about Hitachi SH-4 processor: http://www.hitachi.com/New/cnews/E/1997/971110B.html Assembly example: http://msdn2.microsoft.com/en-us/library/ms881414.aspx |
RE: MMCS HDD Unlock -- Success!
ORIGINAL: rcpax
The Hitachi Durastar J4K50 is actually 50GB. But no one is selling it yet?

http://www.span.com/catalog/product_...oducts_id=8414 But it seems that you have to order 5, that's 5 * £117.00 excluding VAT. The deal is not as good as CDW offer. |
RE: MMCS HDD Unlock -- Success!
In other words about 230 bucks : )
|
RE: MMCS HDD Unlock -- Success!
I don't think we'll have a problem with numbers, because I'm sure we can easily have 5 for a group buy. But of course we still await what scraps fall off the table of our engineer overlords on this thread.:) I am really hoping we could get something useful out of this, because from what it seems, the tech guys have figured out a lot about the MMCS. I'm just here standing by and trying to understand what I can.:eek:
|
RE: MMCS HDD Unlock -- Success!
I feel you on the trying to understand part lol
|
RE: MMCS HDD Unlock -- Success!
ORIGINAL: rcpax
I don't think we'll have a problem with numbers, because I'm sure we can easily have 5 for a group buy.

ORIGINAL: rcpax
I'm just here standing by and trying to understand what I can.

As mentioned in many other places, the loader.kwi loads the fw image onto the 'mmcs.' It appears to control the DSP (audio), touch screen, phone, climate control, etc... The funniest error that could appear on the mmcs screen:

<some> error. Turn the engine key off to retry.

I'm guessing that the mmcs embedded WindowsCE has another SDK platform that has a network adapter in it:

Ethernet loading in progress

The loader.kwi also seems to support multiple types of embedded systems. Most of these seem to be after-market Mitsubishi navigation systems:

CUH9000 H9000.SCE (some sort of include)
CUH9000M H9000M.SCE
CUH9700 H9700.SCE
CUH9700M H9700M.SCE
NR060JH NR060JH.SCE
CUP2006 CUP2006.SCE
NR261EM NR261EM.SCE
NR261UM NR261UM.SCE |
RE: MMCS HDD Unlock -- Success!
ORIGINAL: brian360
So I've been doing some ASCII dumps of the "Loading.kwi" file and revealed this text -- looks like our navi system runs Windows CE: . .T.h.i.s. .K.e.r.n.e.l. .w.a.s. .b.u.i.l.d. .f.o.r. .S.H.-.4. .C.a.r. .N.a.v.i.g.a.t.i.o.n. .S.y.s.t.e.m.........W.i.n.d.o.w.s. .C.E. .F.i.r.m.w.a.r.e. .I.n.i.t.........K.e.r.n.e.l. .V.e.r.s.i.o.n. .:. .%.s.......O.S.-.N.R.2.6.1.-.1...2.1... Hopefully someone can find a tool to extract .kwi files -- I found one but it just crashed while parsing our loading.kwi file.

If you want to put your loading.kwi up somewhere, I'll try and identify the cause of the crash. ATB O. |
RE: MMCS HDD Unlock -- Success!
Kay.
Got it sorted : should be an update on the site tomorrow, if I get a chance .. Reverse engineering the firmware, for whatever reason, should not be _that_ big a job - looks like a fairly standard build, with a couple of custom apps. HTH O. |
RE: MMCS HDD Unlock -- Success!
Thank you so much Otaku! I'll definitely take a look as soon I can!
|
RE: MMCS HDD Unlock -- Success!
Just an update everyone, with special thanks to Otaku I've got the Loading.KWI file extracted with his tool and the image files contained within extracted thanks to tools listed here (specifically the Bysin tool). We can now load the Windows CE files into a disassembler and start seeing how this thing works! We keep inching closer (to what, I'm not sure... haha)!
Btw, has anybody else tried unlocking their hard drive yet? |
RE: MMCS HDD Unlock -- Success!
Keep up the good work. I love everything about the MMCS in my Lancer except the 6 gig music partition. I would def. pay for a service that ghosted my current data to a larger HD and gave me, say 10 gigs more room for music. That would be about the perfect size for me.
|