Findings

Updated: 2019-03-11, newest info at the bottom of the page

I now have a copy of the Navi-DVD.

The name of the DVD is DW464210-7680. Compare that to the old Denso navigation in the og9-5, whose DVD is named 464210-7550 (for the Mazda6/Subaru/Land Rover 2014 map DVD).

This is the structure of the first DVD:

The HASHLIST.DAT files contain crc32 values for the files in that folder. My guess is that the navi uses these pre-calculated crc32s to make sure the files copied to the internal harddrive are OK:

Comparing the DVD to the 464210-7550, one can tell that the latter has no HASHLISTs: its files are not copied from the DVD but used directly, so there's no need for crc32 checks that the files were copied correctly:

The one file that stands out to me is the MUINFDVD.BIN as "special". I found a list of the contents of the USB-stick used to update Jaguar XJs:

https://www.jaguarforum.com/archive/index.php/t-71490.html

Observe, the filelisting is quite similar to the ng9-5-DVD, but the MUINFDVD.BIN is replaced by MUINFUSB.BIN. Aha, the SAAB updates via DVD and the Jag via USB. Also, some files are in "zz1"-format instead of KWI-format as on the 9-5 DVD (some kind of compression?).

The Jaguar XJ also uses an activation code to copy the files from the USB to the internal harddrive.

The MUINFDVD.BIN is quite similar to the UPDATE.INF:

There's just a lot more "padding" in the MUINFDVD-file. This differs from the Jaguar USB, where the UPDATE.INF is bigger than MUINFUSB.BIN, as can be seen in the above filelisting (67 bytes vs 160 bytes). Observe that the UPDATE.INF is of the same size on both the Jaguar USB and the SAAB (Opel) DVD.

The contents of the file MUINFDVD (as well as UPDATE) start with a timestamp (file creation date?) 20120416, which coincides with the date on the file as can be seen in the file listing. There are then 7 groups of 8 HEX characters (7x32bit) of data before there's a listing of files padded with some zeroes.

The activation code is an 8-character HEX code (32-bit) which somehow is calculated from the VIN of the car the update is sold to.

My guess is that the code is a crc32 calculated by combining something on the DVD with the VIN of the car. When updating the Navigation, the VIN is stored in the Navi, and the file is on the DVD inserted for update. The Navi then combines the stored VIN and the file on the DVD and asks for the "code", which is a crc32 the Navi calculates. If the code coincides with the calculated crc32, then the update is applied.

The reasoning is that car electronics usually aren't equipped to do a lot of "computing" and the crc32 function is clearly implemented, so why not use that again? I don't think they have "hardened" this copy protection especially well. Obviously, this is something that is common to several models using more or less the same navi hardware, but it's sufficiently obfuscated so that it is not immediately apparent how one would calculate a new code.

I will try and see if I come up with an idea to combine the VIN and the MUINFDVD-file to get the right code. The owner of this DVD was nice and supplied both VIN and code for his car.

Stay tuned!

UPDATE: It seems it works just as I imagined. This Spanish forum (for Volvo) uses this method to re-use a code for an older update:

https://www.volvo4life.es/threads/actualización-mapas-gps-por-usb-en-sensus-2011-2014.84254/

UPDATE 2: Looking at the E800 FW one can tell that the sat nav supports update from USB as well as DVD (it looks for MUINFUSB.BIN on a USB-stick mounted at the USB-port).

I'm trying to find what maps could be compatible with the navi. Looking at ALLDATA.KWI you can see that the version for the ng9-5 is: 

AFEU:4.04,AGEU:4.04
FORMAT VERSION KI¢01-22-00
DATA VERSION 12/04/13/01
EU A-Format4.04
20.12.02

And, comparing this to a few others, it seems quite common that the format is 2.64, which is older. I've looked at the following:

UPDATE 3: Still looking at the E800 firmware, I have concluded that the sat nav runs on top of the iTRON (T-engine) RTOS. Also funny, there are no references to CANBUS or GMLAN, instead there are references to AVC-LAN, Audio-Video Communication, a Toyota Protocol. I'm using that to start looking into Toyota navi systems to try and find compatible maps.

What's more interesting, I think I may have found some clues to the code-checking in the binary file. It's not easy to use the information, but one step closer, at least.

UPDATE 4: The harddrive in the navigation is a Hitachi Endurastar 40GB PATA-drive. Searching eBay for the same P/N gives a few identical harddrives, with Denso-sticker, but for Toyota/Lexus Generation 6. The SAAB HDD has "DENSO DW413700-5240", while the Toyota/Lexus ones have "DENSO DW413700-0684". I'd say that is close enough to warrant further investigation!

More on the Toyota-connection: Here's an instruction on how to clone the hard drive in a Toyota 

UPDATE 5: Ok, I now have a navi unit to play a little with, especially the hard drive.
I immediately got my screwdriver out and took it apart, as far as I dared. It is a quite densely packed unit: 2 big circuit boards, the DVD-reader and the harddrive.

Unit from front side, cover off:

Unit side, cover off:

Back side, cover off:

CPU is tightly stuck to a huge heat sink with fan; I opted not to try to remove all that and risk ruining anything:

Denso sticker on main logic board:

Underside of top circuit board (contains radio receiver):

Largest IC on top board underside:

Top side of top circuit board:

Largest IC on top board topside:

Hang on! Look at that round hole next to the IC! RX, TX and Gnd. Now, that sounds like a serial port. I wonder what would greet someone who got connected to that port... Hm, I will have to try that :D

The famous Hard drive:

Trying to read the hard drive got me stuck. The drive does not want to be read, and from what I've discovered during hours of googling, it is locked by ATA Security. Some of the Toyota units have had their passwords revealed using intricate techniques to read what is being sent over the ATA-line. I'm hoping that the E800 firmware will give me the clues to the password. From what I can tell, if we had that password, the drive would open up and it would be trivial to replace maps. The search continues!
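Whether a drive is in the ATA Security state described above can be read from word 128 ("security status") of its IDENTIFY DEVICE data before attempting a backup. The following is an added example, not code from this page; the helper names and the sample block are constructed for illustration, and the bit meanings are those of the ATA specification.

```python
import struct

# Bit layout of IDENTIFY DEVICE word 128 ("security status") per the ATA spec.
SECURITY_BITS = {
    0: "supported",
    1: "enabled",
    2: "locked",
    3: "frozen",
    4: "count_expired",
    5: "enhanced_erase_supported",
}
LEVEL_BIT = 8  # 0 = High, 1 = Maximum (only meaningful when enabled)


def security_status(identify: bytes) -> dict:
    """Decode the ATA Security state from a 512-byte IDENTIFY DEVICE block."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    # IDENTIFY data is 256 little-endian 16-bit words; word 128 is at byte 256.
    (word,) = struct.unpack_from("<H", identify, 128 * 2)
    status = {name: bool(word >> bit & 1) for bit, name in SECURITY_BITS.items()}
    status["level"] = None
    if status["enabled"]:
        status["level"] = "maximum" if word >> LEVEL_BIT & 1 else "high"
    return status


def triage(status: dict) -> str:
    """Summarise what the state means for reading or backing up the drive."""
    if not status["supported"]:
        return "ATA Security not supported; drive cannot be password-locked"
    if not status["enabled"]:
        return "no user password set; drive is readable"
    if status["locked"]:
        if status["count_expired"]:
            return "locked, attempt counter expired; power-cycle before any unlock"
        return f"locked ({status['level']} level); media access is refused"
    return f"password set ({status['level']} level) but currently unlocked"


def make_identify(word128: int) -> bytes:
    """Constructed sample: an otherwise empty IDENTIFY block with word 128 set."""
    block = bytearray(512)
    struct.pack_into("<H", block, 256, word128)
    return bytes(block)


if __name__ == "__main__":
    # Constructed value: supported | enabled | locked, High level.
    sample = make_identify(0b0000_0000_0000_0111)
    print(triage(security_status(sample)))
```

The level matters for recovery planning: at High level the master password can unlock the drive, while at Maximum level it can only be used to erase it.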

Finally an update. I've spent more hours than I could possibly count trying to unravel the mysteries of the E800 binary, so far with limited success. The most interesting thing I've done is to list the stuff in the binary. All parts start with "MIUT" and contain code for a special function of the navigation.

Finally some progress! I got hold of the Toyota update 2014-2015 with their program too. The bad news is that the hardware is made by Aisin AW instead of Denso, so I can't use the (known) Toyota password present in the files to locate the password in the E800 firmware. BUT, the map data is of version 4.03 which is by far the best match for the 4.04 the SAAB uses. Now, if I could only crack the password for the harddrive, I could try the maps out!

The serial port I located in the unit is probably useless (for our purposes). It's connected to the Fujitsu Ten-IC which is a big DSP responsible for Radio, XM and a lot of other sound-related tasks. I also removed the big heatsink on the CPU, and it turns out that there are 2 very similar CPUs underneath. They are Denso Naviem-CPUs which are Denso branded Toshiba TX49 MIPS-CPUs. I have worked hours and hours on decompiling the E800 FW, but so far no luck. I will probably need help from someone knowledgeable about decompiling MIPS to actually be able to get anywhere. My next task is to try to locate someone with a good logic analyzer and see if I can extract the HDD password sniffing the PATA bus at device boot. Looking at the Toyota-update, one partition of the harddrive is used for the firmware, and at least on these Toyotas (which are Aisin-AW), the different parts of the firmware are separated into files for different functions. As long as I can't see what's on the SAAB HDD, I can't tell if that is similar to how it's done on the SAAB-Denso-unit.

I'm waiting for my new logic analyzer to arrive. I have deemed it to be my best bet at the moment. Finding the password for the drive will allow me to actually edit what's on the drive, and could give me vital clues to how the software works.

One thing that has bothered me is the E800/803-updates that were made to fix the "Belgium-problem". The rumor has it that the problem was due to faulty flash circuits. If that is/was the case, it is quite possible that the hard drive is much more of a "vital part" of the navigation as it stands. If the hard drive fails, the unit will be broken beyond repair, as all the programming that used to be held by flash now resides directly on the hard drive. Unlocking the drive will allow one to make a complete backup of the internal hard drive and make it possible to get the unit working again, should the hard drive fail. I'm also working on an SSD upgrade for the navigation unit. If I find the password, I will try this out and see if I can construct an upgrade drive. It's not straightforward, since PATA SSDs are pretty unusual, but I will try to use special SATA-PATA converters I've previously used with success in old RAID systems.