Difference between revisions of "Honda Navigation Hacking"

From Hive13 Wiki
Jump to navigation Jump to search
(Reversing existing binaries)
m
 
Line 122: Line 122:
 
* Windows Automotive PDF http://download.microsoft.com/.../Windows%20Automotive50SP2_Technical%20Overview.pdf
 
* Windows Automotive PDF http://download.microsoft.com/.../Windows%20Automotive50SP2_Technical%20Overview.pdf
 
* SH-4 Techsheet http://www.st.com/stonline/products/literature/um/13061.htm
 
* SH-4 Techsheet http://www.st.com/stonline/products/literature/um/13061.htm
 +
 +
[[Category:InactiveProjects]]

Latest revision as of 18:03, 26 August 2019

Overview

I have a Honda Civic 2009 with Navigation (NavTeq) builtin. After a year of having my car I decided it was time to start digging into the Navigation system to see if I could make it do more things. After some research I saw lots of work was done by AngryDad in 2006 for the Honda Civic/Accord system. There appears to be no real work since then.

Getting Started

First you need to get to the DVD for the Navigation software. It is under the CDROM. Press the Open button for the screen to come down. Under the CDROM is a black cover. Pop that down with the tab and then you should see the hidden DVD-ROM. Press eject (or 'map') and it should eject a DVD. The version should be on the DVD but they are also color coded.

  • v3.x - Orange Disk (See AngryDad's forum below)
  • v4.x - White Disk (See guicide's info below)
  • v6.x - Teal Disk (This is mine...lucky me :)

The system runs the Hitatchi SuperH SH-4 Processor. This processor is specially designed for floating point and vector math and was made popular by the Dreamcast Gameconsole. Today it's mainly used for a few media terminals and automobile dashboard units. It's a 64-bit processor. The software is Windows CE (wince). The tools from v3.x don't really work on v6 but the update tool for v4 is a good jumping point for our work.

I'll attempt to repost any relevant info from the other forums here as well.

Copy from the CD

You'll need these files from the CD to do an update (basically the same as v4.x)

  • 09AVN2.bin
  • 09AVN.bin
  • A0000_00.MNG
  • PRG_INFO.MNG
  • DCA0.REG
  • UPDATE_APL.exe

We will be working with 09AVN2.bin for all of our changes but you'll need the other files when it's time to burn your 'update' disk.

NOTE: It is possible to copy the whole DVD to a DVD-R(w) and run from that. I don't like popping in my original DVD all the time so I've made a backup. There is a test the navigation system does to ensure you don't run pirated copies which unfortunately also prevents you from running legitimate backups of your original media. I have a patch that will allow me to use a DVD-R instead of the original.

FYI, My version according the the Teal lable and the "DISCLBL.INF" file is "BATMA 6.72B". The BATMA is short for Batman, and more specifically 'Batman Forever'. Not sure what the deal is with the naming conversion but several of their compiled binaries were compiled under a batman_forever directory. So you'll see strange references to Batman if you delve into the RE of this firmware.

Working with the firmware

For windows you can download the Bysin.zip file from the v4.x site. This will list and extract all the files and can update non-module files (non-exe/dlls) for v6.x. Because I only have a windows box at work (and it does not have an internet connection) I mainly use Linux. The source was available for Bysin and it's in VC++ and uses CECompressv4.dll. I decided I could fairly easily port the code (minus the windows DLL) to linux. THe CECompress stuff is just Microsofts LZX compression stuff (like in CAB files) but with it's own proprietary structure for the .bin files. Ideally I'll just write the LZX algo into my linux code and then it will be cross-platform compatible w/o the need of any DLLs.

When porting a fixed some small bugs with the original Bysin code and more importantly added the ability to update modules. You don't need this feature to change images but you do if you want to change text or the way the actual program behaves.

Working with compressed modules

cerom linux port doesn't handle compressed modules.

When listing the contents of the DLLs the modules will often times be marked as compressed (they start with a 'C' in the listing) but when you inspect the headers they actually are not. Go ahead and try to update even the ones marked as compressed. If you see a TODO message about compression then do NOT upload it to your car and just revert back. So far I haven't ran into any modules that truly are compressed.

The bysin code has been updated to handle compressed modules, and you can get the code from the github dumpnavi repository and built it yourself, or a compiled binary may be provided at some point.

Reversing existing binaries

Ida Pro 64 can read the binaries but you will have to select the SH-4 processor (Renesas: SH4) yourself because the flag for the CPU is wrong in the binaries. For details on the SH-4 Process you can read this PDF doc [1]

NOTE: LINK BROKEN!

Compiling your own binaries

Instead of modifying a binary it should be possible to compile my own. I haven't gotten to this yet but I think the CE binaries are Embedded Visual C and they used Microsofts Automotive Platform Development kit. I'll post more when I get to this step.

Uploading Hacks

You can use just a CD-R (no need to use a DVD-R). Just copy the above files (Including your modified 09AVN2.bin of course!) to the CD-R. Replace the Navigation DVD with the CD-R. When the car is turned on it will show you an error message about contacting your dealer or something.

Press: Map & Menu & Cancel buttons all at the same time for 5 seconds until you hear a beep.

Then a dialog should pop up. Pick the bottom button (I think it says diagnostic)

Then pick "Version"

Then push the button that says "Download"

(NOTE: See guicides tutorials for step by step details [2])

It should then read your CD and 'download' your new changes. This takes almost 5 minutes for the progress bar to complete...sloooow. But once it's done it should reboot and your changes should be there. You will need to replace the original Navigation DVD for anything but the Splash Screen to work. But once the original DVD is in all your custom code would work (hopefully) fine.

My Hacks

Here are the hacks I've done with my linux code w/o details. I will try to duplicate the older hacks as well as add my own.

Splash Screen Hack

You will find a file called OpeningBase.bmp. This is the background image (The Earth's horizon on mine) For some reason Gimp can not view this image but I noticed that M$ paint could. I need to figure out what's up with that. Anyhow you can however create an image with the same dimensions as save it as a 16-bit BMP file (In gimp use the Advanced drop down when saving). Then Choose A1 R6 G5 B5. If this option is greyed out, then go back and add an Alpha channel to the pic and try again.

Also the radio will overlay the Honda logo and text over this image. These files are called Honda_emblem.bmp and Navi_Title.bmp respectively. The transparencies are not working very well for me at the moment. I'm not sure why I need to save an Alpha channel but can't use a true transparent background :/

Another method I may revert to is to simply make the two overlaid images 1x1 pixels and make them the same color as my background...even though that's cheating.

I cheated to move Honda...

Nag Screen Text Hack

The Text for the Nag screen that tells you something about the operations manual or something...never read it... Can be found in HMIManager.dll. You can use a hexeditor to change it. Just make sure the file is the same size before you upload it. HMIManager.dll is a 'module' in 09AVN2.bin and that code is very alpha so be careful :)

Use Backup DVD-R Image Hack

The navigation software checks for a "stamped" DVD disc to try and prevent piracy. Unfortunately it also prevents you from making a legitimate backup of your DVD. This sucks and for the the price of a replacement DVD I didn't want to take the chance of damaging my DVD while working on this project so I modified the firmware to allow burned DVDs to be used. I'm really glad I did because during the hot summer we had here my DVD got warped and stopped working after being in the parking lot all day. This would have sucked but luckily it was a DVD-R and not my original.

The software checks the DVD media info. If you have linux you can play with dvd+rw-mediainfo which can dump the raw DVD info. The software checks the BookType, Layers and OTP. It uses this info to determine if the DVD is stamped (from the factory) or a burnable disk.

These checks happen in the CDiscPhysicalInfo::IsDiscDVD_R() method of HMIManager.dll. You can see the checks and where it branches here. Replace the branching with NOPs (0900) and the checks will fall down to the successful message. The strings you see in the binary are for the debugging output. This is normally not visible on the console but really handy that it's still in the binary files ;D

IDANavHack.png

Actual patch details for the 3 checks

NavDVD-Patch.png

Software

Gallery

References