Continued – Loading.kwi – Analyzing (patching?) the Denso Navigation firmware…

So now that I had a little more time I moved a little further into this (also a friendly forum member loaned me a release 5.1 DVD which happens to have a different firmware). I’ve found that the “Program Blocks” within the hardware modules have a 32-bit checksum as the last 4 bytes of each block. So if you patch changes you’d need to update the checksum to convince the NAV to accept them…

Now to try and find the section the factory override uses to open up full control!

foglem@sixcore:~/kiwi/U20 5.1/out$ md5sum *
e345f67c276a87b61aa8b4e2f8085b02 AC08
1e43fce6a7000c8a9eb72d9d1341112a AC10
7718e1ebc472194368cd2f56c7e4c898 AC12
c411131f758792e6beae9a000c7e8260 TY00

crc_denso


Updated:

Now that I know a little more about what I’m looking for with the CRC of the program blocks, but am failing to find a checksum for the MIUT blocks, I’ve googled around a bit more with actual strings from the unknown blocks and found some more reading material. Linking here:

More Reading…

Posted in: News by Shadowmite
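An added example, not part of the original post: one way to test which common 32-bit checksum, if any, matches the last 4 bytes of a block, and to see that a modified block no longer verifies. The candidate algorithms, function names and sample block are assumptions; the post does not state which algorithm the firmware uses.

```python
import struct
import zlib

def byte_sum(data):
    """Additive checksum over single bytes, modulo 2**32."""
    return sum(data) & 0xFFFFFFFF

def word_sum_be(data):
    """Additive checksum over big-endian 32-bit words (zero-padded)."""
    padded = data + b"\x00" * (-len(data) % 4)
    words = struct.unpack(">%dI" % (len(padded) // 4), padded)
    return sum(words) & 0xFFFFFFFF

# Assumed candidate list; extend it with whatever the disassembly suggests.
CANDIDATES = {
    "crc32": lambda d: zlib.crc32(d) & 0xFFFFFFFF,
    "adler32": lambda d: zlib.adler32(d) & 0xFFFFFFFF,
    "byte_sum": byte_sum,
    "word_sum_be": word_sum_be,
}

def identify_checksum(block):
    """Return (name, byte order) for every candidate that matches the
    4 bytes stored at the end of the block."""
    if len(block) < 5:
        raise ValueError("block too short for a payload plus 32-bit checksum")
    payload, stored = block[:-4], block[-4:]
    matches = []
    for name, func in CANDIDATES.items():
        value = func(payload)
        for order, fmt in (("big", ">I"), ("little", "<I")):
            if struct.pack(fmt, value) == stored:
                matches.append((name, order))
    return matches

def is_intact(block, name, order):
    """Verify a block against one specific algorithm and byte order."""
    return (name, order) in identify_checksum(block)

# Constructed sample block (not real firmware): payload + big-endian CRC-32.
_payload = bytes(range(64)) * 4
SAMPLE = _payload + struct.pack(">I", zlib.crc32(_payload) & 0xFFFFFFFF)
# Same block with one payload byte changed and the stored checksum untouched.
TAMPERED = bytes([SAMPLE[0] ^ 0x01]) + SAMPLE[1:]

if __name__ == "__main__":
    print("sample:", identify_checksum(SAMPLE))
    print("tampered intact?", is_intact(TAMPERED, "crc32", "big"))
```

A match on a single block can be coincidence for weak sums, so confirm the result across several blocks from different modules.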

Loading.kwi – Analyzing (patching?) the Denso Navigation firmware…

I purchased a used Lexus not terribly long ago with Factory navigation. I also had a Mitsubishi which had it. And both apparently used the same Navigation software, done by Denso. The lockouts and nag screen have finally pushed me to the edge of starting to dig into the mechanisms by which these work. I will update this posting with new details as I find them, so feel free to watch this post if interested.

First off I did my due diligence and Googled around. There have been a few hacks on this over the years, but no major advancements into how it works that are openly disclosed. On the Mitsubishi front the most successful of these attempts actually accomplishes all my objective goals, however the author sells his exploit and thus I suspect I might not get much information from him. Regardless I have sent an email requesting some pushes in the right direction.

The primary target file which these units use is the file “loading.kwi” which appears to contain firmware for the hardware of the various cars. In most cases this file seems to include multiple similar firmware modules (embedded) for slightly different hardware that would utilize the same Nav DVD. I’ve found the original Python script by Bert (http://biot.com/blog/navigation-dvd-hacking) and with a small bug fix it properly parses these newer files.

So far I have now identified that the U25 (10.1) and U27 (12.1) releases have identical firmware modules for the 4 hardware iterations embedded in them:


foglem@sixcore:~/kiwi/U25 10.1/out$ md5sum *
0a61788053d3bc32c47e1043a4428d1e AC08
f3fa006e5d35bd754d1bcd462166b721 AC10
8071072c0a53048ef5713b612e864546 AC12
a10a9240c2bb94c447b691c2f8db8d09 TY00

foglem@sixcore:~/kiwi/U27 12.1/out$ md5sum *
0a61788053d3bc32c47e1043a4428d1e AC08
f3fa006e5d35bd754d1bcd462166b721 AC10
8071072c0a53048ef5713b612e864546 AC12
a10a9240c2bb94c447b691c2f8db8d09 TY00

This of course indicates the hybrid discs (Google if you don’t understand what this is) for release 12.1 are just as effective as the 10.1. I’d be curious about testing previous releases of loading.kwi if anyone has them to split into these files. I wonder when the changes (if any) actually occurred.

Next up is looking for the loading address and entry points to load this up in IDA and start working out what is what.

In addition I’ve seen references to indicate the firmware files are most likely checksum’d or hashed so that the Nav can validate the software. I’ll have to perform some tests to confirm.

Posted in: News by Shadowmite

Citicard and Stupidity…

So the other day I got the itch to finally correct some ancient passwords of mine to secure single use passwords. Citicard was among those needing to be updated. I go and set the new password (20 alphanumeric chars) and the page kicks back at me stating my password doesn’t meet the requirements! Needless to say I tried many variants, ensuring my chosen password does in fact meet the guidelines, before I went digging in the page source JavaScript. Lo and behold, I find this in a return value:

passwordPatternValidation(myForm.currentPassword) &&
passwordPatternValidation(myForm.password));

They are CHECKING THE OLD PASSWORD AND THE NEW ONE! So I could do a few things here: I could try to jailbreak the JavaScript prison since that’s run on the user side, or I could take the time to try and inform them of their error. As should be guessed by now, I tried to do the right thing and inform them and get the issue fixed, and their solution was to delete my entire profile and have me re-register! Shame.

Posted in: News by Shadowmite

Windows Tablets – Terrible?!

So I finally picked up a Windows tablet to try one out. I refused to even consider an RT device, as what good is a Windows computer that can’t run backwards compatible Windows applications without source to port to a new CPU!? As a result I got an Acer W510 32gb tablet with Windows 8 full version. I can’t fault the hardware, the tablet is decent and runs quite quickly.

The software however is another story. Yes it’s true, this is a real Windows computer that can essentially run any Windows app ever. However the tablet functionality is horrid at best. Even with the start menu and Windows tablet native apps it’s just a horrible experience compared to any other tablet I’ve ever used. I have to honestly wonder, did Microsoft developers on this project ever actually USE an iPad or Android tablet? The usefulness is just terrible. From buggy and glitchy software scrolling to almost nagging procedures needed to accomplish basic tasks for a tablet, this is just less useful as a tablet while being more useful as a notebook. If only it had a keyboard. Essentially I would rate this as an excellent travel computer if you plan to use a dock and keyboard and mouse. If you need a tablet, look elsewhere and you’ll be much happier.

Posted in: News by Shadowmite

Buying digital music still is basically not possible…

So before I get started on my rant I’m sure someone will argue “Why not just buy MP3s?” Honestly, because I CARE about sound quality and I want the lossless music a CD would have.

I’ve been looking for several weeks now to purchase a copy of The Birthday Massacre’s Pins and Needles album. If you add “flac” into the search instead of finding ANY vendor at all willing to sell you a copy of the digital lossless album you find nothing but piracy links… It’s so difficult to actually pay for music in the media formats we want yet the piracy is easy to find… No wonder the music industry is failing as they know it…

Would anyone like to offer to sell FLAC formatted music besides Bandcamp (excellent organization, too bad they don’t have the music I’m after)…

Posted in: News by Shadowmite

Rosen Navigation systems

So for the Toyota Highlander I bought a few months back my wife wanted a navigation system. We agreed that OEM would be best but Toyota pretty much doesn’t even offer the stereo as a supported upgrade once a car is delivered, and piecing together a system was going to cost me over $3000 it appeared. So I looked into other options to keep the OEM look. It came down to known Chinese units on eBay that ran $500 to $800 or this other 3rd party company’s product “Rosen”.

Rosen appeared to be better (if solely due to marketing) as it integrated with the factory steering wheel controls and amp etc. I decided I’d buy the unit (DSTY0830H11) and ordered from the lowest price vendor I could find (toolfetch). All in all it was a little over $1000 to get an OEM look navigation system. If only I knew then what I know now.

The system is “ok” if you really just want a CD/DVD player with Nav and radio. The software is nothing well done for those options but not terrible either. However if you want to use MP3 playback, oh man it gets bad! Apparently the software allows only up to 2gb non-SDHC microSD cards and if you have a bunch of folders of music… Well… It plays tracks one at a time, in alphabetical order. You can’t choose tracks in any way, shape or form other than choosing next or previous tracks. When you finish the LAST song in a folder you get a menu to choose a new folder. Once that’s done you have no way to choose again until you finish THAT folder too. Needless to say this is unusable and I decided to look into what could be done.

Upgrading the stereo appears to be offered only if you send the system in and there is no way to tell if they might have better software now or not. Upon thinking about the poor functionality in the software it becomes quite obvious the system IS a $500 Chinese player that’s been tooled up to have a really nice install and integration. So knowing this I would have preferred to get the cheap one to start and work on software. Since I already have this we’re going to have to modify it.

The system appears to have 2 distinct sides: the GPS/WinCE side (with 1 SDHC enabled slot), and a Radio/DVD side (with DVD, Bluetooth, radio, and 1 non-SDHC slot) which I currently know little about.

The SD card has the map software on it. Looking briefly into how it works we can see it’s got iGo 2006 software and calls it via a maplaunch.ini file specifying \nng\nngnavi.exe to run. With a quick attempt at tossing in Total Commander’s .exe as this file we get into Total Commander for WinCE and can launch up explorer. We now can see we are actually running WinCE 5.0 with 100mb ram. I intend to later test if we can run MP3s from the WinCE environment and possibly find some better software like TomTom etc. From the explorer I can see there is a second memory slot/unit of some kind called Nand Flash2 which appears to have nothing in it. I will have to spend some time looking into the options from here and will post back when I find something more.

Posted in: Hack Related, News by Shadowmite

Why Apple and the iPhone are still second in the smartphone market…

So I got a little bored with Android lately and decided to play with an iPhone 4 on Verizon since I haven’t seen it yet. First impressions, I liked it, though it’s quite small. That’s not really a problem, I’m just ready for a 4 or 4.3″ screen since I’ve had a 3.7 for over a year now.

But now that I’ve had a few days and tried to customize it a bit let me just put this out there:

HOW THE HECK DOES APPLE NOT REALIZE AFTER OVER 3 YEARS THAT PEOPLE JUST MIGHT WANT TO BE ABLE TO CHANGE THE DARN NOTIFICATION SOUNDS FOR SMS/EMAIL!???!! I mean this is NOT rocket science. It’s the most common thing imaginable and they STILL don’t support it. How do they expect to be able to conquer the market when they can’t even get a BASIC feature taken care of? More to come later…

Posted in: News by Shadowmite

Trend Micro is TERRIBLE

So recently it appears Trend Micro has rated this website as “hacking”, which I don’t argue with, and given it a sub-rating of “dangerous”, thus blocking it in their AV program. This is needless to say quite annoying. Let’s see. Have we ever in the history of this site tried to trick and/or hack a user? No. We provide information only. And recently not much is even active hacks!

It seems to me if you want a good AV that actually looks into the information they are trying to protect/block then you should stay away from Trend Micro. Any recommendations on “good” products which do their research first?

Posted in: News by Shadowmite

HTC Announces Open Bootloader Policy

As of last night HTC posted on Twitter and Facebook that they intend to open up the bootloader for all future devices. It remains to be seen if this will be retroactive to current new devices and/or soon to be released (already designed) devices. Unrevoked may soon be obsoleted with respect to HTC at least and we are thankful to them. Everyone let them know, this is the RIGHT thing to do!

Of course this makes the current poll obsolete, I will replace it when I decide what to put up next…

Posted in: News by Shadowmite

Lenovo Q100 memory upgrade

So over the weekend I finally got around to looking at upgrading my Lenovo Q100 nettop. Yea, it’s an old little tiny computer with not a whole lotta power and a trashy GPU. But it’s an excellent extremely low power server to run 24×7 for only 105 kWh a year, or about $10! Regardless, Lenovo claims it can’t have a memory upgrade, but since I’ve had it running over a year it was time to clean out the dust and prep it for another couple years. I popped the case and there IS a socketed DDR2-667 (PC5300) SO-DIMM slot. Tossed in a 2gb chip for now, maybe in the future I’ll try a 4gb just to see if BIOS will take it.

Q100 Internals